Analysis
-
max time kernel
149s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system -
submitted
09-10-2024 04:29
Static task
static1
Behavioral task
behavioral1
Sample
2ad561e9bb9f780f56d5e7a280574432_JaffaCakes118.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2ad561e9bb9f780f56d5e7a280574432_JaffaCakes118.exe
Resource
win10v2004-20241007-en
General
-
Target
2ad561e9bb9f780f56d5e7a280574432_JaffaCakes118.exe
-
Size
375KB
-
MD5
2ad561e9bb9f780f56d5e7a280574432
-
SHA1
e6bc833d62ef0ec1e08674a0a8707e3ce2f09007
-
SHA256
54f33fa555874b30e6045c4bfd467779b0683e1bcafb69d0987c59019203c9d3
-
SHA512
8b74c1f6df444ce101102e3b036e2f77c9e0b1ebb085db2de8e45905ab10b47c845040548901632c130c4db6b4403a5905d864c461cb9bed6cd5fe49fc0ce064
-
SSDEEP
6144:dOm2B8bwepKH3435zfwJyJLcE0NBY5yoFdJraQqZC6P1ylyiec3fE:dOm2BgpKHo3lUyh0azJCZdylZjfE
Malware Config
Extracted
njrat
0.7d
HacKed
212.192.241.42:5552
34adf4afddd35097c6bf7951c5baad3a
-
reg_key
34adf4afddd35097c6bf7951c5baad3a
-
splitter
|'|'|
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\putty.exe\"," | 2ad561e9bb9f780f56d5e7a280574432_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe,\"C:\\Users\\Admin\\AppData\\Local\\putty.exe\"," | server.exe
-
Modifies Windows Firewall 2 TTPs 1 IoCs
pid | Process
5864 | netsh.exe
-
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\34adf4afddd35097c6bf7951c5baad3a.exe | server.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\34adf4afddd35097c6bf7951c5baad3a.exe | server.exe
-
Executes dropped EXE 4 IoCs
pid | Process
3036 | server.exe
6940 | server.exe
2044 | server.exe
7148 | server.exe
-
Loads dropped DLL 4 IoCs
pid | Process
10208 | 2ad561e9bb9f780f56d5e7a280574432_JaffaCakes118.exe
3036 | server.exe
3036 | server.exe
3036 | server.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\34adf4afddd35097c6bf7951c5baad3a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\34adf4afddd35097c6bf7951c5baad3a = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .." | server.exe
-
pid | Process
7536 | powershell.exe
2304 | powershell.exe
-
Suspicious use of SetThreadContext 2 IoCs
description | pid | Process | procid_target
PID 2104 set thread context of 10208 | 2104 | 2ad561e9bb9f780f56d5e7a280574432_JaffaCakes118.exe | 37
PID 3036 set thread context of 7148 | 3036 | server.exe | 48
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key queried | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh | netsh.exe
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2ad561e9bb9f780f56d5e7a280574432_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | netsh.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WScript.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2ad561e9bb9f780f56d5e7a280574432_JaffaCakes118.exe
-
Suspicious behavior: EnumeratesProcesses 27 IoCs
pid | Process | entries
2980 | powershell.exe | 1
2848 | powershell.exe | 1
2104 | 2ad561e9bb9f780f56d5e7a280574432_JaffaCakes118.exe | 5
2304 | powershell.exe | 1
2808 | powershell.exe | 1
1348 | powershell.exe | 1
3036 | server.exe | 16
7536 | powershell.exe | 1
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
pid | Process | Token (in the order listed)
2980 | powershell.exe | SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
2848 | powershell.exe | SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
2104 | 2ad561e9bb9f780f56d5e7a280574432_JaffaCakes118.exe | SeDebugPrivilege
2304 | powershell.exe | SeDebugPrivilege
2808 | powershell.exe | SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34
-
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target | entries
PID 2104 wrote to memory of 2980 | 2104 | 2ad561e9bb9f780f56d5e7a280574432_JaffaCakes118.exe | 30 | 4
PID 2104 wrote to memory of 2848 | 2104 | 2ad561e9bb9f780f56d5e7a280574432_JaffaCakes118.exe | 34 | 4
PID 2104 wrote to memory of 10184 | 2104 | 2ad561e9bb9f780f56d5e7a280574432_JaffaCakes118.exe | 36 | 4
PID 2104 wrote to memory of 10208 | 2104 | 2ad561e9bb9f780f56d5e7a280574432_JaffaCakes118.exe | 37 | 9
PID 10184 wrote to memory of 2304 | 10184 | WScript.exe | 38 | 4
PID 10208 wrote to memory of 3036 | 10208 | 2ad561e9bb9f780f56d5e7a280574432_JaffaCakes118.exe | 40 | 4
PID 3036 wrote to memory of 2808 | 3036 | server.exe | 41 | 4
PID 3036 wrote to memory of 1348 | 3036 | server.exe | 43 | 4
PID 3036 wrote to memory of 6852 | 3036 | server.exe | 45 | 4
PID 3036 wrote to memory of 6940 | 3036 | server.exe | 46 | 4
PID 3036 wrote to memory of 2044 | 3036 | server.exe | 47 | 4
PID 3036 wrote to memory of 7148 | 3036 | server.exe | 48 | 9
PID 6852 wrote to memory of 7536 | 6852 | WScript.exe | 49 | 4
PID 7148 wrote to memory of 5864 | 7148 | server.exe | 51 | 2
Processes
PID:2104 C:\Users\Admin\AppData\Local\Temp\2ad561e9bb9f780f56d5e7a280574432_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\2ad561e9bb9f780f56d5e7a280574432_JaffaCakes118.exe"
- Modifies WinLogon for persistence
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
    PID:2980 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2848 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:10184 C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Ikjuwwswk.vbs"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
        PID:2304 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Local\putty.exe'
        - Command and Scripting Interpreter: PowerShell
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
    PID:10208 C:\Users\Admin\AppData\Local\Temp\2ad561e9bb9f780f56d5e7a280574432_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\2ad561e9bb9f780f56d5e7a280574432_JaffaCakes118.exe
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
        PID:3036 C:\Users\Admin\AppData\Local\Temp\server.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
            PID:2808 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            PID:1348 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            PID:6852 C:\Windows\SysWOW64\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\_Ikjuwwswk.vbs"
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
                PID:7536 C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\,'C:\Users\Admin\AppData\Local\putty.exe'
                - Command and Scripting Interpreter: PowerShell
                - System Location Discovery: System Language Discovery
                - Suspicious behavior: EnumeratesProcesses
            PID:6940 C:\Users\Admin\AppData\Local\Temp\server.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\server.exe
            - Executes dropped EXE
            PID:2044 C:\Users\Admin\AppData\Local\Temp\server.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\server.exe
            - Executes dropped EXE
            PID:7148 C:\Users\Admin\AppData\Local\Temp\server.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\server.exe
            - Drops startup file
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
                PID:5864 C:\Windows\SysWOW64\netsh.exe
                Command line: netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
                - Modifies Windows Firewall
                - Event Triggered Execution: Netsh Helper DLL
                - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
- Create or Modify System Process (1)
- Windows Service (1)
- Event Triggered Execution (1)
- Netsh Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
- Create or Modify System Process (1)
- Windows Service (1)
- Event Triggered Execution (1)
- Netsh Helper DLL (1)
Defense Evasion
- Impair Defenses (1)
- Disable or Modify System Firewall (1)
- Modify Registry (2)