Analysis
- max time kernel: 149s
- max time network: 136s
- platform: windows7_x64
- resource: win7-en-20210920
- submitted: 01-10-2021 07:22
Static task: static1
Behavioral task: behavioral1
Sample: fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
Resource: win7-en-20210920
General
- Target: fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
- Size: 358KB
- MD5: d952cb0acf14545d0e6da5509db9088d
- SHA1: 9e4c5b31c821cc46f8eba61d65442f0bdbe67b98
- SHA256: fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98
- SHA512: e66869cc859af82d4ad9db0c877d949905e3f28876e1022f434083e6f26492e3edac72624ce3143ca85446f4bce7ed208e41f846c5bcb13af7343047c7df8ebc
Malware Config
Extracted
xpertrat
3.0.10
Test
kapasky-antivirus.firewall-gateway.net:4000
L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0
Signatures
-
XpertRAT Core Payload 2 IoCs
Processes:
resource yara_rule
behavioral1/memory/516-85-0x0000000000400000-0x0000000000443000-memory.dmp xpertrat
behavioral1/memory/516-86-0x0000000000401364-mapping.dmp xpertrat
-
Adds policy Run key to start application 2 TTPs 2 IoCs
Processes:
iexplore.exe
description ioc process
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run iexplore.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" iexplore.exe
-
Deletes itself 1 IoCs
Processes:
notepad.exe
pid process
672 notepad.exe
-
Processes:
fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UACDisableNotify = "0" fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
-
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
iexplore.exe
description ioc process
Key created \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run iexplore.exe
Set value (str) \REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" iexplore.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run iexplore.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0 = "C:\\Users\\Admin\\AppData\\Roaming\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0\\L3Q7J4T2-J8A6-L6O4-W4G3-U5J7D0W2W5F0.exe" iexplore.exe
-
Processes:
fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes:
fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
description pid process target process
PID 1544 set thread context of 744 1544 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
PID 744 set thread context of 516 744 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe iexplore.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
powershell.exe
powershell.exe
powershell.exe
powershell.exe
powershell.exe
fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
pid process
1700 powershell.exe
320 powershell.exe
892 powershell.exe
1084 powershell.exe
1836 powershell.exe
1544 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
1544 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
744 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
744 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
744 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
744 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
iexplore.exe
pid process
744 fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
516 iexplore.exe
-
Suspicious use of WriteProcessMemory 42 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes:
fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
description ioc process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe"
Depth: 1
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1544
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
Depth: 2
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1700
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
Depth: 2
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:320
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
Depth: 2
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:892
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
Depth: 2
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1084
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8, 8.8.4.4, time.google.com
Depth: 2
- Suspicious behavior: EnumeratesProcesses
PID:1836
-
C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
Command line: C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
Depth: 2
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:744
-
C:\Program Files (x86)\Internet Explorer\iexplore.exe
Command line: C:\Users\Admin\AppData\Local\Temp\fed0dec9c86e3f1057e7cf1c7eb22c8d528da1f6a966de89587b41f7b78e2f98.bin.exe
Depth: 3
- Adds policy Run key to start application
- Adds Run key to start application
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:516
-
C:\Windows\SysWOW64\notepad.exe
Command line: notepad.exe
Depth: 4
- Deletes itself
PID:672
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
MD5: 51664d5229299fe0d5e213a4e9368bf9
SHA1: 2c17f962e0c623267936bb08a7a0d88b35809ceb
SHA256: 34190fba1faaed501f4efa8ac443f408d625f4c72a5a2da37dd2aa998024787c
SHA512: 1b46144d4cdc51bec067cb2dbb8a04cdc65626fe21e8319cf95aff0c381d4d70dcbaf2fe196c103cdad396ab658eb9cc8f074db0913472a1c039f92de1cad9aa