Analysis

  • max time kernel
    60s
  • max time network
    52s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    09-08-2024 02:04

General

  • Target

    MediaCreationTool.bat

  • Size

    129KB

  • MD5

    998ca6b423965b3a357e57c27a4a850b

  • SHA1

    b18a2ad0999bf7a9f898d771503020eacb5d617d

  • SHA256

    4b1486451a42cfc8d1372026c91ac09ae47bd010ec88d0233b93c0f4f8113296

  • SHA512

    23b63cb6c0beca86bdbef612dbfe3150ed6295e5987843e3ead36b038133f17cbf0860aef28fc3b3021056afac2996bc2eca1d35186a4a9c934a995ecfaef6e8

  • SSDEEP

    3072:ISME2DYVQ2w33dFepssMCy6nMuumU6VxjuBxpro2A+N/Lhu:ISME2DYVQV33dFmDnMuumNuDprTw

Score
8/10

Malware Config

Signatures

  • Blocklisted process makes network request 8 IoCs
  • Download via BitsAdmin 1 TTPs 4 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 3 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\MediaCreationTool.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2776
    • C:\Windows\system32\chcp.com
      chcp 437
      2⤵
        PID:2708
      • C:\Windows\system32\reg.exe
        reg add HKCU\Console /v ForceV2 /d 0x01 /t reg_dword /f
        2⤵
        • Modifies registry key
        PID:2676
      • C:\Windows\system32\reg.exe
        reg add "HKCU\Console\MCT" /v ScreenColors /d 31 /t reg_dword /f
        2⤵
          PID:2560
        • C:\Windows\system32\reg.exe
          reg add "HKCU\Console\MCT" /v ColorTable00 /d 0x000000 /t reg_dword /f
          2⤵
            PID:2404
          • C:\Windows\system32\reg.exe
            reg add "HKCU\Console\MCT" /v ColorTable08 /d 0x767676 /t reg_dword /f
            2⤵
              PID:2976
            • C:\Windows\system32\reg.exe
              reg add "HKCU\Console\MCT" /v ColorTable01 /d 0x9e5a00 /t reg_dword /f
              2⤵
                PID:2840
              • C:\Windows\system32\reg.exe
                reg add "HKCU\Console\MCT" /v ColorTable09 /d 0xff783b /t reg_dword /f
                2⤵
                  PID:2712
                • C:\Windows\system32\reg.exe
                  reg add "HKCU\Console\MCT" /v ColorTable02 /d 0x0ea113 /t reg_dword /f
                  2⤵
                    PID:2816
                  • C:\Windows\system32\reg.exe
                    reg add "HKCU\Console\MCT" /v ColorTable10 /d 0x0cc616 /t reg_dword /f
                    2⤵
                      PID:2588
                    • C:\Windows\system32\reg.exe
                      reg add "HKCU\Console\MCT" /v ColorTable03 /d 0xdd963a /t reg_dword /f
                      2⤵
                        PID:2932
                      • C:\Windows\system32\reg.exe
                        reg add "HKCU\Console\MCT" /v ColorTable11 /d 0xd6d661 /t reg_dword /f
                        2⤵
                          PID:2940
                        • C:\Windows\system32\reg.exe
                          reg add "HKCU\Console\MCT" /v ColorTable04 /d 0x1f0fc5 /t reg_dword /f
                          2⤵
                            PID:2920
                          • C:\Windows\system32\reg.exe
                            reg add "HKCU\Console\MCT" /v ColorTable12 /d 0x5648e7 /t reg_dword /f
                            2⤵
                              PID:2576
                            • C:\Windows\system32\reg.exe
                              reg add "HKCU\Console\MCT" /v ColorTable05 /d 0x981788 /t reg_dword /f
                              2⤵
                                PID:2580
                              • C:\Windows\system32\reg.exe
                                reg add "HKCU\Console\MCT" /v ColorTable13 /d 0x9e00b4 /t reg_dword /f
                                2⤵
                                  PID:2688
                                • C:\Windows\system32\reg.exe
                                  reg add "HKCU\Console\MCT" /v ColorTable06 /d 0x009cc1 /t reg_dword /f
                                  2⤵
                                    PID:2600
                                  • C:\Windows\system32\reg.exe
                                    reg add "HKCU\Console\MCT" /v ColorTable14 /d 0xa5f1f9 /t reg_dword /f
                                    2⤵
                                      PID:696
                                    • C:\Windows\system32\reg.exe
                                      reg add "HKCU\Console\MCT" /v ColorTable07 /d 0xcccccc /t reg_dword /f
                                      2⤵
                                        PID:1768
                                      • C:\Windows\system32\reg.exe
                                        reg add "HKCU\Console\MCT" /v ColorTable15 /d 0xffffff /t reg_dword /f
                                        2⤵
                                          PID:2804
                                        • C:\Windows\system32\reg.exe
                                          reg add "HKCU\Console\MCT" /v QuickEdit /d 0x0000 /t reg_dword /f
                                          2⤵
                                            PID:2552
                                          • C:\Windows\system32\reg.exe
                                            reg add "HKCU\Console\MCT" /v LineWrap /d 0 /t reg_dword /f
                                            2⤵
                                              PID:2548
                                            • C:\Windows\system32\reg.exe
                                              reg add "HKCU\Console\MCT" /v LineSelection /d 0x0001 /t reg_dword /f
                                              2⤵
                                                PID:2572
                                              • C:\Windows\system32\reg.exe
                                                reg add "HKCU\Console\MCT" /v CtrlKeyShortcutsDisabled /d 0 /t reg_dword /f
                                                2⤵
                                                  PID:2584
                                                • C:\Windows\system32\reg.exe
                                                  reg add "HKCU\Console\MCT" /v WindowSize /d 2097272 /t reg_dword /f
                                                  2⤵
                                                    PID:2604
                                                  • C:\Windows\system32\reg.exe
                                                    reg add "HKCU\Console\MCT" /v ScreenBufferSize /d 655294584 /t reg_dword /f
                                                    2⤵
                                                      PID:2628
                                                    • C:\Windows\system32\reg.exe
                                                      reg add "HKCU\Console\MCT" /v FontSize /d 0x00100008 /t reg_dword /f
                                                      2⤵
                                                        PID:2516
                                                      • C:\Windows\system32\reg.exe
                                                        reg add "HKCU\Console\MCT" /v FaceName /d "Consolas" /t reg_sz /f
                                                        2⤵
                                                          PID:2228
                                                        • C:\Windows\System32\attrib.exe
                                                          attrib -R -S -H "C:\ESD"
                                                          2⤵
                                                          • Views/modifies file attributes
                                                          PID:2232
                                                        • C:\Windows\System32\Robocopy.exe
                                                          robocopy "C:\Users\Admin\AppData\Local\Temp\/" "C:\ESD/" "MediaCreationTool.bat"
                                                          2⤵
                                                          • Suspicious use of AdjustPrivilegeToken
                                                          PID:2500
                                                        • C:\Windows\System32\cmd.exe
                                                          cmd /d /x /c set "ROOT=C:\Users\Admin\AppData\Local\Temp" & call "C:\ESD\MediaCreationTool.bat" set
                                                          2⤵
                                                            PID:2236
                                                            • C:\Windows\System32\chcp.com
                                                              chcp 437
                                                              3⤵
                                                                PID:1096
                                                              • C:\Windows\System32\attrib.exe
                                                                attrib -R -S -H "C:\ESD"
                                                                3⤵
                                                                • Views/modifies file attributes
                                                                PID:2872
                                                              • C:\Windows\System32\Robocopy.exe
                                                                robocopy "C:\ESD\/" "C:\ESD/" "MediaCreationTool.bat"
                                                                3⤵
                                                                • Suspicious use of AdjustPrivilegeToken
                                                                PID:2784
                                                              • C:\Windows\system32\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c echo prompt $h$s$h:|cmd /d
                                                                3⤵
                                                                  PID:1728
                                                                  • C:\Windows\system32\cmd.exe
                                                                    C:\Windows\system32\cmd.exe /S /D /c" echo prompt $h$s$h:"
                                                                    4⤵
                                                                      PID:1152
                                                                    • C:\Windows\System32\cmd.exe
                                                                      cmd /d
                                                                      4⤵
                                                                        PID:2020
                                                                    • C:\Windows\system32\cmd.exe
                                                                      C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuildNumber" /se "|" 2>nul
                                                                      3⤵
                                                                        PID:1884
                                                                        • C:\Windows\System32\reg.exe
                                                                          reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "CurrentBuildNumber" /se "|"
                                                                          4⤵
                                                                            PID:2344
                                                                        • C:\Windows\system32\cmd.exe
                                                                          C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "DisplayVersion" /se "|" 2>nul
                                                                          3⤵
                                                                            PID:2456
                                                                            • C:\Windows\System32\reg.exe
                                                                              reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "DisplayVersion" /se "|"
                                                                              4⤵
                                                                                PID:2476
                                                                            • C:\Windows\system32\cmd.exe
                                                                              C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID" /se "|" 2>nul
                                                                              3⤵
                                                                                PID:1552
                                                                                • C:\Windows\System32\reg.exe
                                                                                  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "EditionID" /se "|"
                                                                                  4⤵
                                                                                    PID:1880
                                                                                • C:\Windows\system32\cmd.exe
                                                                                  C:\Windows\system32\cmd.exe /c reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName" /se "|" 2>nul
                                                                                  3⤵
                                                                                    PID:780
                                                                                    • C:\Windows\System32\reg.exe
                                                                                      reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v "ProductName" /se "|"
                                                                                      4⤵
                                                                                        PID:2408
                                                                                    • C:\Windows\system32\cmd.exe
                                                                                      C:\Windows\system32\cmd.exe /c reg query "HKU\S-1-5-18\Control Panel\Desktop\MuiCached" /v "MachinePreferredUILanguages" /se "|" 2>nul
                                                                                      3⤵
                                                                                        PID:2536
                                                                                        • C:\Windows\System32\reg.exe
                                                                                          reg query "HKU\S-1-5-18\Control Panel\Desktop\MuiCached" /v "MachinePreferredUILanguages" /se "|"
                                                                                          4⤵
                                                                                            PID:2996
                                                                                        • C:\Windows\system32\cmd.exe
                                                                                          C:\Windows\system32\cmd.exe /c cmd /q /v:on /c echo !.:~2,1!
                                                                                          3⤵
                                                                                            PID:912
                                                                                            • C:\Windows\System32\cmd.exe
                                                                                              cmd /q /v:on /c echo !.:~2,1!
                                                                                              4⤵
                                                                                                PID:2860
                                                                                            • C:\Windows\system32\cmd.exe
                                                                                              C:\Windows\system32\cmd.exe /c cmd /q /v:on /c echo !.:~2,1!
                                                                                              3⤵
                                                                                                PID:2988
                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                  cmd /q /v:on /c echo !.:~2,1!
                                                                                                  4⤵
                                                                                                    PID:2140
                                                                                                • C:\Windows\System32\findstr.exe
                                                                                                  findstr /c:\ /a:f0 " Detected Media "\..\c nul
                                                                                                  3⤵
                                                                                                    PID:2732
                                                                                                  • C:\Windows\System32\findstr.exe
                                                                                                    findstr /c:\ /a:6f " en-US "\..\c nul
                                                                                                    3⤵
                                                                                                      PID:2856
                                                                                                    • C:\Windows\System32\findstr.exe
                                                                                                      findstr /c:\ /a:9f " Ultimate "\..\c nul
                                                                                                      3⤵
                                                                                                        PID:2880
                                                                                                      • C:\Windows\System32\findstr.exe
                                                                                                        findstr /c:\ /a:2f " x64 "\..\c nul
                                                                                                        3⤵
                                                                                                          PID:2900
                                                                                                        • C:\Windows\System32\findstr.exe
                                                                                                          findstr /c:\ /a:1f "1 Auto Upgrade : MCT gets detected media, script assists setupprep for upgrading "\..\c nul
                                                                                                          3⤵
                                                                                                            PID:3064
                                                                                                          • C:\Windows\System32\findstr.exe
                                                                                                            findstr /c:\ /a:1f "2 Auto ISO : MCT gets detected media, script assists making ISO here | C:ESD "\..\c nul
                                                                                                            3⤵
                                                                                                              PID:2808
                                                                                                            • C:\Windows\System32\findstr.exe
                                                                                                              findstr /c:\ /a:1f "3 Auto USB : MCT gets detected media, script assists making USB stick target "\..\c nul
                                                                                                              3⤵
                                                                                                                PID:2908
                                                                                                              • C:\Windows\System32\findstr.exe
                                                                                                                findstr /c:\ /a:1f "4 Select : MCT gets selected Edition, Language, Arch onto specified target "\..\c nul
                                                                                                                3⤵
                                                                                                                  PID:2652
                                                                                                                • C:\Windows\System32\findstr.exe
                                                                                                                  findstr /c:\ /a:1f "5 MCT Defaults : MCT runs unassisted, creating media without script modification "\..\c nul
                                                                                                                  3⤵
                                                                                                                    PID:2904
                                                                                                                  • C:\Windows\System32\findstr.exe
                                                                                                                    findstr /c:\ /a:17 "1-4 adds to media: PID.txt, EI.cfg, $ISO$ dir, auto.cmd for upgrade and tpm checks "\..\c nul
                                                                                                                    3⤵
                                                                                                                      PID:2928
                                                                                                                    • C:\Windows\System32\findstr.exe
                                                                                                                      findstr /c:\ /a:17 "can rename script: "\..\c nul
                                                                                                                      3⤵
                                                                                                                        PID:2948
                                                                                                                      • C:\Windows\System32\findstr.exe
                                                                                                                        findstr /c:\ /a:1f "def MediaCreationTool.bat"\..\c nul
                                                                                                                        3⤵
                                                                                                                          PID:2944
                                                                                                                        • C:\Windows\System32\findstr.exe
                                                                                                                          findstr /c:\ /a:17 " to always create unmodified MCT media "\..\c nul
                                                                                                                          3⤵
                                                                                                                            PID:2960
                                                                                                                          • C:\Windows\system32\cmd.exe
                                                                                                                            C:\Windows\system32\cmd.exe /c powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:CHOICES2\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"
                                                                                                                            3⤵
                                                                                                                              PID:3048
                                                                                                                              • C:\Windows\System32\windowspowershell\v1.0\powershell.exe
                                                                                                                                powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:CHOICES2\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"
                                                                                                                                4⤵
                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                PID:2084
                                                                                                                            • C:\Windows\System32\fltMC.exe
                                                                                                                              fltmc
                                                                                                                              3⤵
                                                                                                                                PID:1484
                                                                                                                              • C:\Windows\System32\attrib.exe
                                                                                                                                attrib -R -S -H "C:\ESD" /D
                                                                                                                                3⤵
                                                                                                                                • Views/modifies file attributes
                                                                                                                                PID:988
                                                                                                                              • C:\Windows\System32\findstr.exe
                                                                                                                                findstr /c:\ /a:f0 " Windows 10 Version "\..\c nul
                                                                                                                                3⤵
                                                                                                                                  PID:564
                                                                                                                                • C:\Windows\System32\findstr.exe
                                                                                                                                  findstr /c:\ /a:5f " 1809 "\..\c nul
                                                                                                                                  3⤵
                                                                                                                                    PID:1784
                                                                                                                                  • C:\Windows\System32\findstr.exe
                                                                                                                                    findstr /c:\ /a:f1 " 17763.379.190312-0539.rs5_release_svc_refresh "\..\c nul
                                                                                                                                    3⤵
                                                                                                                                      PID:1032
                                                                                                                                    • C:\Windows\System32\findstr.exe
                                                                                                                                      findstr /c:\ /a:6f " en-US "\..\c nul
                                                                                                                                      3⤵
                                                                                                                                        PID:2120
                                                                                                                                      • C:\Windows\System32\findstr.exe
                                                                                                                                        findstr /c:\ /a:9f " Consumer "\..\c nul
                                                                                                                                        3⤵
                                                                                                                                          PID:2352
                                                                                                                                        • C:\Windows\System32\findstr.exe
                                                                                                                                          findstr /c:\ /a:2f " x64 "\..\c nul
                                                                                                                                          3⤵
                                                                                                                                            PID:2376
                                                                                                                                          • C:\Windows\System32\windowspowershell\v1.0\powershell.exe
                                                                                                                                            powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:DOWNLOAD\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"
                                                                                                                                            3⤵
                                                                                                                                            • Blocklisted process makes network request
                                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                            PID:2064
                                                                                                                                            • C:\Windows\System32\bitsadmin.exe
                                                                                                                                              "C:\Windows\System32\bitsadmin.exe" /transfer 638587659149588000 /priority foreground http://software-download.microsoft.com/download/pr/MediaCreationTool1809.exe C:\ESD\MCT\MediaCreationTool1809.exe
                                                                                                                                              4⤵
                                                                                                                                              • Download via BitsAdmin
                                                                                                                                              PID:2056
                                                                                                                                            • C:\Windows\System32\bitsadmin.exe
                                                                                                                                              "C:\Windows\System32\bitsadmin.exe" /transfer 638587659258764000 /priority foreground https://software-download.microsoft.com/download/pr/MediaCreationTool1809.exe C:\ESD\MCT\MediaCreationTool1809.exe
                                                                                                                                              4⤵
                                                                                                                                              • Download via BitsAdmin
                                                                                                                                              PID:2260
                                                                                                                                          • C:\Windows\System32\windowspowershell\v1.0\powershell.exe
                                                                                                                                            powershell -nop -c ";$f0=[io.file]::ReadAllText($env:0); $0=($f0-split '#\:DOWNLOAD\:' ,3)[1]; $1=$env:1-replace'([`@$])','`$1'; iex($0+$1)"
                                                                                                                                            3⤵
                                                                                                                                            • Blocklisted process makes network request
                                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                            PID:1676
                                                                                                                                            • C:\Windows\System32\bitsadmin.exe
                                                                                                                                              "C:\Windows\System32\bitsadmin.exe" /transfer 638587659345500000 /priority foreground http://download.microsoft.com/download/8/E/8/8E852CBF-0BCC-454E-BDF5-60443569617C/products_20190314.cab C:\ESD\MCT\products1809.cab
                                                                                                                                              4⤵
                                                                                                                                              • Download via BitsAdmin
                                                                                                                                              PID:1936
                                                                                                                                            • C:\Windows\System32\bitsadmin.exe
                                                                                                                                              "C:\Windows\System32\bitsadmin.exe" /transfer 638587659463124000 /priority foreground https://download.microsoft.com/download/8/E/8/8E852CBF-0BCC-454E-BDF5-60443569617C/products_20190314.cab C:\ESD\MCT\products1809.cab
                                                                                                                                              4⤵
                                                                                                                                              • Download via BitsAdmin
                                                                                                                                              PID:2668
                                                                                                                                          • C:\Windows\System32\findstr.exe
                                                                                                                                            findstr /c:\ /a:4f " ERROR "\..\c nul
                                                                                                                                            3⤵
                                                                                                                                              PID:1728
                                                                                                                                            • C:\Windows\System32\findstr.exe
                                                                                                                                              findstr /c:\ /a:0f " Check urls in browser | del ESD dir | use powershell v3.0+ | unblock powershell | enable BITS serv "\..\c nul
                                                                                                                                              3⤵
                                                                                                                                                PID:1860
                                                                                                                                          • C:\Windows\explorer.exe
                                                                                                                                            "C:\Windows\explorer.exe"
                                                                                                                                            1⤵
                                                                                                                                              PID:536

                                                                                                                                            Network

                                                                                                                                            MITRE ATT&CK Enterprise v15

                                                                                                                                            Replay Monitor

                                                                                                                                            Loading Replay Monitor...

                                                                                                                                            Downloads

                                                                                                                                            • C:\ESD\MediaCreationTool.bat

                                                                                                                                              Filesize

                                                                                                                                              129KB

                                                                                                                                              MD5

                                                                                                                                              998ca6b423965b3a357e57c27a4a850b

                                                                                                                                              SHA1

                                                                                                                                              b18a2ad0999bf7a9f898d771503020eacb5d617d

                                                                                                                                              SHA256

                                                                                                                                              4b1486451a42cfc8d1372026c91ac09ae47bd010ec88d0233b93c0f4f8113296

                                                                                                                                              SHA512

                                                                                                                                              23b63cb6c0beca86bdbef612dbfe3150ed6295e5987843e3ead36b038133f17cbf0860aef28fc3b3021056afac2996bc2eca1d35186a4a9c934a995ecfaef6e8

                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\CabA98A.tmp

                                                                                                                                              Filesize

                                                                                                                                              70KB

                                                                                                                                              MD5

                                                                                                                                              49aebf8cbd62d92ac215b2923fb1b9f5

                                                                                                                                              SHA1

                                                                                                                                              1723be06719828dda65ad804298d0431f6aff976

                                                                                                                                              SHA256

                                                                                                                                              b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

                                                                                                                                              SHA512

                                                                                                                                              bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\TarA99D.tmp

                                                                                                                                              Filesize

                                                                                                                                              181KB

                                                                                                                                              MD5

                                                                                                                                              4ea6026cf93ec6338144661bf1202cd1

                                                                                                                                              SHA1

                                                                                                                                              a1dec9044f750ad887935a01430bf49322fbdcb7

                                                                                                                                              SHA256

                                                                                                                                              8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

                                                                                                                                              SHA512

                                                                                                                                              6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

                                                                                                                                              Filesize

                                                                                                                                              7KB

                                                                                                                                              MD5

                                                                                                                                              cf8066f14821f1577ea6b7ca4130f0d7

                                                                                                                                              SHA1

                                                                                                                                              b9945591b92de31aaa03a39536cbd209897b6059

                                                                                                                                              SHA256

                                                                                                                                              b28eec137862442f50d9f5c2f2eae8cb26aee21b125e030e39bf170484c8fb69

                                                                                                                                              SHA512

                                                                                                                                              c0743b89d2c6a83d341c7cd1d2b3e773b59ceb87626bc352f358566b2e401badd48f8534883f93f4b00bc7a9b5233cf79cdf1e6f86d328871440d08c36cdba05

                                                                                                                                            • C:\Users\Admin\AppData\Roaming\c

                                                                                                                                              Filesize

                                                                                                                                              1B

                                                                                                                                              MD5

                                                                                                                                              28d397e87306b8631f3ed80d858d35f0

                                                                                                                                              SHA1

                                                                                                                                              08534f33c201a45017b502e90a800f1b708ebcb3

                                                                                                                                              SHA256

                                                                                                                                              a9253dc8529dd214e5f22397888e78d3390daa47593e26f68c18f97fd7a3876b

                                                                                                                                              SHA512

                                                                                                                                              0a0cd116c2c57fb125fd9ada131f6ca964587a9958a214814a623db1821ed5ce32daeec4085a14e31d900a357b1e2549319b2e0cc2c8cfbafc6a4a4aafebe203

                                                                                                                                            • memory/1676-29-0x0000000002AE0000-0x0000000002B02000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              136KB

                                                                                                                                            • memory/1676-30-0x0000000002D30000-0x0000000002D42000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              72KB

                                                                                                                                            • memory/2064-21-0x00000000021D0000-0x00000000021D8000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              32KB

                                                                                                                                            • memory/2064-23-0x00000000028C0000-0x00000000028D2000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              72KB

                                                                                                                                            • memory/2064-22-0x000000001B4B0000-0x000000001B4D2000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              136KB

                                                                                                                                            • memory/2064-20-0x000000001B5B0000-0x000000001B892000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              2.9MB

                                                                                                                                            • memory/2084-13-0x0000000002340000-0x0000000002348000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              32KB

                                                                                                                                            • memory/2084-12-0x000000001B670000-0x000000001B952000-memory.dmp

                                                                                                                                              Filesize

                                                                                                                                              2.9MB