Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
08-12-2024 21:32
Behavioral task
behavioral1
Sample
ac8c49cef98c9ba6667891694a81169222cb53feed5c22fbeac0afbf7c31208c.xls
Resource
win7-20240903-en
General
-
Target
ac8c49cef98c9ba6667891694a81169222cb53feed5c22fbeac0afbf7c31208c.xls
-
Size
192KB
-
MD5
84d6b509972268981bab9932386c549c
-
SHA1
dfa0dba8ae581f80e94dd5d69625e1b8b50ebfa9
-
SHA256
ac8c49cef98c9ba6667891694a81169222cb53feed5c22fbeac0afbf7c31208c
-
SHA512
d2a3c06bc33f6c0ac2f26c68b33a486d5ceb01e1e1f58cf8f72d63632e78e4f692bb0f10dc9680d36a14c212f6915d9ecc5927b601e1ddc7ea13babf10617c6d
-
SSDEEP
6144:BxEtjPOtioVjDGUU1qfDlavx+W2QnAu+Ly9ckwDwPq5XlsqhwxNNipu:s+VkGUqLsqyi
Malware Config
Extracted
xenorat
dns.stipamana.com
Xeno_rat_nd8912d
-
delay
12000
-
install_path
appdata
-
port
4567
-
startup_name
mrec
Signatures
-
Detect XenoRat Payload 1 IoCs
resource yara_rule behavioral2/memory/5076-134-0x0000000000400000-0x0000000000412000-memory.dmp family_xenorat -
Process spawned unexpected child process 1 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description pid pid_target Process procid_target Parent C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE is not expected to spawn this process 4888 1460 WScript.exe 82 -
Xenorat family
-
Blocklisted process makes network request 1 IoCs
flow pid Process 33 4888 WScript.exe -
Downloads MZ/PE file
-
Office macro that triggers on suspicious action 1 IoCs
Office document macro which triggers in special circumstances - often malicious.
resource yara_rule behavioral2/files/0x0007000000023ca4-66.dat office_macro_on_action -
resource behavioral2/files/0x0007000000023ca4-66.dat -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation GFKMTE.exe -
Executes dropped EXE 8 IoCs
pid Process 1728 GFKMTE.exe 5076 GFKMTE.exe 2240 GFKMTE.exe 1796 GFKMTE.exe 1212 GFKMTE.exe 4316 GFKMTE.exe 2188 GFKMTE.exe 4604 GFKMTE.exe -
Suspicious use of SetThreadContext 6 IoCs
description pid Process procid_target PID 1728 set thread context of 5076 1728 GFKMTE.exe 93 PID 1728 set thread context of 2240 1728 GFKMTE.exe 94 PID 1728 set thread context of 1796 1728 GFKMTE.exe 95 PID 1212 set thread context of 4316 1212 GFKMTE.exe 97 PID 1212 set thread context of 2188 1212 GFKMTE.exe 98 PID 1212 set thread context of 4604 1212 GFKMTE.exe 99 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GFKMTE.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GFKMTE.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GFKMTE.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language schtasks.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GFKMTE.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GFKMTE.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GFKMTE.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GFKMTE.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language GFKMTE.exe -
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WINWORD.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz EXCEL.EXE -
Enumerates system info in registry 2 TTPs 6 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily EXCEL.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU EXCEL.EXE Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily WINWORD.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU WINWORD.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 64 schtasks.exe -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
description flow ioc HTTP User-Agent header 33 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: AddClipboardFormatListener 2 IoCs
pid Process 1460 EXCEL.EXE 3556 WINWORD.EXE -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1728 GFKMTE.exe Token: SeDebugPrivilege 1212 GFKMTE.exe -
Suspicious use of SetWindowsHookEx 19 IoCs
pid Process 1460 EXCEL.EXE 1460 EXCEL.EXE 1460 EXCEL.EXE 1460 EXCEL.EXE 1460 EXCEL.EXE 1460 EXCEL.EXE 1460 EXCEL.EXE 1460 EXCEL.EXE 1460 EXCEL.EXE 1460 EXCEL.EXE 1460 EXCEL.EXE 1460 EXCEL.EXE 3556 WINWORD.EXE 3556 WINWORD.EXE 3556 WINWORD.EXE 3556 WINWORD.EXE 3556 WINWORD.EXE 3556 WINWORD.EXE 3556 WINWORD.EXE -
Suspicious use of WriteProcessMemory 59 IoCs
description pid Process procid_target PID 1460 wrote to memory of 4888 1460 EXCEL.EXE 87 PID 1460 wrote to memory of 4888 1460 EXCEL.EXE 87 PID 3556 wrote to memory of 1728 3556 WINWORD.EXE 90 PID 3556 wrote to memory of 1728 3556 WINWORD.EXE 90 PID 3556 wrote to memory of 1728 3556 WINWORD.EXE 90 PID 1728 wrote to memory of 5076 1728 GFKMTE.exe 93 PID 1728 wrote to memory of 5076 1728 GFKMTE.exe 93 PID 1728 wrote to memory of 5076 1728 GFKMTE.exe 93 PID 1728 wrote to memory of 5076 1728 GFKMTE.exe 93 PID 1728 wrote to memory of 5076 1728 GFKMTE.exe 93 PID 1728 wrote to memory of 5076 1728 GFKMTE.exe 93 PID 1728 wrote to memory of 5076 1728 GFKMTE.exe 93 PID 1728 wrote to memory of 5076 1728 GFKMTE.exe 93 PID 1728 wrote to memory of 2240 1728 GFKMTE.exe 94 PID 1728 wrote to memory of 2240 1728 GFKMTE.exe 94 PID 1728 wrote to memory of 2240 1728 GFKMTE.exe 94 PID 1728 wrote to memory of 2240 1728 GFKMTE.exe 94 PID 1728 wrote to memory of 2240 1728 GFKMTE.exe 94 PID 1728 wrote to memory of 2240 1728 GFKMTE.exe 94 PID 1728 wrote to memory of 2240 1728 GFKMTE.exe 94 PID 1728 wrote to memory of 2240 1728 GFKMTE.exe 94 PID 1728 wrote to memory of 1796 1728 GFKMTE.exe 95 PID 1728 wrote to memory of 1796 1728 GFKMTE.exe 95 PID 1728 wrote to memory of 1796 1728 GFKMTE.exe 95 PID 1728 wrote to memory of 1796 1728 GFKMTE.exe 95 PID 1728 wrote to memory of 1796 1728 GFKMTE.exe 95 PID 1728 wrote to memory of 1796 1728 GFKMTE.exe 95 PID 1728 wrote to memory of 1796 1728 GFKMTE.exe 95 PID 1728 wrote to memory of 1796 1728 GFKMTE.exe 95 PID 5076 wrote to memory of 1212 5076 GFKMTE.exe 96 PID 5076 wrote to memory of 1212 5076 GFKMTE.exe 96 PID 5076 wrote to memory of 1212 5076 GFKMTE.exe 96 PID 1212 wrote to memory of 4316 1212 GFKMTE.exe 97 PID 1212 wrote to memory of 4316 1212 GFKMTE.exe 97 PID 1212 wrote to memory of 4316 1212 GFKMTE.exe 97 PID 1212 wrote to memory of 4316 1212 GFKMTE.exe 97 PID 1212 wrote to memory of 4316 1212 GFKMTE.exe 97 PID 1212 wrote to memory of 4316 1212 GFKMTE.exe 97 PID 1212 wrote to memory of 4316 1212 GFKMTE.exe 97 PID 1212 wrote to memory of 4316 1212 GFKMTE.exe 97 PID 1212 wrote to memory of 2188 1212 GFKMTE.exe 98 PID 1212 wrote to memory of 2188 1212 GFKMTE.exe 98 PID 1212 wrote to memory of 2188 1212 GFKMTE.exe 98 PID 1212 wrote to memory of 2188 1212 GFKMTE.exe 98 PID 1212 wrote to memory of 2188 1212 GFKMTE.exe 98 PID 1212 wrote to memory of 2188 1212 GFKMTE.exe 98 PID 1212 wrote to memory of 2188 1212 GFKMTE.exe 98 PID 1212 wrote to memory of 2188 1212 GFKMTE.exe 98 PID 1212 wrote to memory of 4604 1212 GFKMTE.exe 99 PID 1212 wrote to memory of 4604 1212 GFKMTE.exe 99 PID 1212 wrote to memory of 4604 1212 GFKMTE.exe 99 PID 1212 wrote to memory of 4604 1212 GFKMTE.exe 99 PID 1212 wrote to memory of 4604 1212 GFKMTE.exe 99 PID 1212 wrote to memory of 4604 1212 GFKMTE.exe 99 PID 1212 wrote to memory of 4604 1212 GFKMTE.exe 99 PID 1212 wrote to memory of 4604 1212 GFKMTE.exe 99 PID 2240 wrote to memory of 64 2240 GFKMTE.exe 111 PID 2240 wrote to memory of 64 2240 GFKMTE.exe 111 PID 2240 wrote to memory of 64 2240 GFKMTE.exe 111
Processes
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" "C:\Users\Admin\AppData\Local\Temp\ac8c49cef98c9ba6667891694a81169222cb53feed5c22fbeac0afbf7c31208c.xls"1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\TDCNX.vbs"2⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
PID:4888
-
-
C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3556 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe3⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5076 -
C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe"C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe"4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212 -
C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exeC:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4316
-
-
C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exeC:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2188
-
-
C:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exeC:\Users\Admin\AppData\Roaming\UpdateManager\GFKMTE.exe5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4604
-
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2240 -
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /Create /TN "mrec" /XML "C:\Users\Admin\AppData\Local\Temp\tmp120C.tmp" /F4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
PID:64
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exeC:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\GFKMTE.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1796
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
717B
MD5822467b728b7a66b081c91795373789a
SHA1d8f2f02e1eef62485a9feffd59ce837511749865
SHA256af2343382b88335eea72251ad84949e244ff54b6995063e24459a7216e9576b9
SHA512bacea07d92c32078ca6a0161549b4e18edab745dd44947e5f181d28cc24468e07769d6835816cdfb944fd3d0099bde5e21b48f4966824c5c16c1801712303eb6
-
Filesize
504B
MD5468c10fe6e033605fdc3eb77dac1a0b9
SHA1f2afc12dc5c537c067334987f42d0e23457d50ae
SHA2566f1ccbff6df00d9812182caa9e98b2ceea1f056527efff69f28f38b1fac8b817
SHA5127e08a6d72c7d809edd92fe4560008f69fd98d2f0d802bea341acb6ef6fb7beb073e953b838a735761ea0d081749982bb16426e322923596feed78d08ad79e77d
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize471B
MD5e81d1a452656da5266f453cb1a0fbcd4
SHA1142b115501d7af306d8f887be66bc89e92e81521
SHA2560a36be52eebc55142cc433203364f79cbe29bef5a6d0ce4bbf04fa41656de368
SHA5124f782226101f3d628a7853c1ed828b16acd3fded03b3dc3329a68f3cf6f1c2c8a9748ff4abd5970c74244a7656eeafd2f3041743a8961ad0fced2843f2cbc987
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
Filesize192B
MD5b6766639e4c30bc298ebcdf84c4b070d
SHA1934de75b20febb6d8728351cbbe3bad472a3786b
SHA256ea610445e54392a85111fc94a6d74dfa07e15184e5619d64cbd3ed4e01412427
SHA512ef90f2e041b411a0352e21ae16fb3c382130dcfc48c5aea0823203ce0f7dc28d16567d5db75109ac0288d07768c15beb495d9f26ceeeb1c758b7bde23123181e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\5EC004B7FD8CB72D80A747F531B799BC
Filesize546B
MD5b9bd58919318043f9bc40c98282b24d7
SHA1da3c8d2f1dae37207a5101c9c3c649b7fa4ec51b
SHA256d868b1fd9f559c4b90c2c6fb3e7306bc59774383b5ebd77855bb541e1853b75a
SHA51292998b17b170d10709220e4b5503522f7372a652552867c95b15b40c54761402a21edf70798fb991b099e08715126dd4aa656de5ee2247f693e9eddc01d8c633
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A
Filesize412B
MD5e61d0fec7015e89f44e2c2a97d2dc6e3
SHA1878c61de3615fe7dfbc197748b370ffce3884b08
SHA256162533a8a2ba07cc15a9ff494026bdbdc16140fcacb94c5924d3270cb84130a0
SHA512066641c78f4bca2e76da8bdf7fd66a15c3cdd737cde53e80d39706857c4fae34c1eafc7defe3a891efb01c40a1761a283ddd891b58ed01151cb893920268d221
-
Filesize
706B
MD5d95c58e609838928f0f49837cab7dfd2
SHA155e7139a1e3899195b92ed8771d1ca2c7d53c916
SHA2560407c814aef0d62aec7fd39b7c2f614746f0d8ff41f8ef957736f520f14b0339
SHA512405310b29a833604c6627063bfdcf055a197e01f633ef21da238f1a6415a02e21315d689b4a6669db23e82152bed6f3492afb60963e6b2a0e9bb2ac09a480b5d
-
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\7DEFBBF5-8B86-4F8D-A21B-D23761AAA8A8
Filesize176KB
MD5de718629954828d9574f1de67a401967
SHA195c57c8170019d3c783ca520ed05c841d547b387
SHA2567b4d3daafa94542c322dc4bae58c969afab2b981a4a021443ae661192b2d1939
SHA5123614ee67815d23bd73aaa9a1b05e31231ca57df9b4b735616ff6841aca15d6afa4cdf3c91ededc47c4ac08af8db8d9a68e624d7cf56fe24256d1f0f883157fd6
-
Filesize
11KB
MD53526d950fba6b524d98087325efb89e8
SHA10f8c1bf835f690045170c17964d56904cad05221
SHA256cb23f31bacc74d347de7c9460019647fd28c860018b2b3b39a0beff2896e8221
SHA5122450482e7dd504571b95edfd156fa4e6a5aa78ed0a4178c55426d6bb41b51582ebe1bfe0bc2687cb80572a13d02c7a3fc79df088de5f8f626c0ffdda14606565
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\089d66ba04a8cec4bdc5267f42f39cf84278bb67.tbres
Filesize2KB
MD50b9489551d1e800cc775d479ce2e4799
SHA1457012ab223e0d296d7e39b5698b8f06714d9bef
SHA256ce21a3603101af2033fc176bbdd042f4a50b41154d7bd4b4a701b17b8f951e5e
SHA51236ff0702cae76c0f1fb95af70573c32a7b239fddccfca9e0abf72ac2d611a1b8cd8beaee2c47ae1d091e1482881b085fe45c970e47232aca0fb4e6f0f7dc8f95
-
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\49dbe2955480c7f6ef8cec9c4320c9868d9293fd.tbres
Filesize2KB
MD527cb8b6fafe97b8b4b8fb51f382f4541
SHA16149012cb504fbe498e9c3a9441b5e84f7e4f8e6
SHA256d16976b4e83dcc38278dd0d6ac4ef341c83f3eb024623e022fbf378d84caae8f
SHA512f564094fd1973e8a2c8463366a496a0d7945639567625d54a5812a8a1c8082805a1e374ea7f367cb72273c4bc5f159014a7a6c92112e7a6fd57b9a2182331b1c
-
Filesize
245KB
MD5f883b260a8d67082ea895c14bf56dd56
SHA17954565c1f243d46ad3b1e2f1baf3281451fc14b
SHA256ef4835db41a485b56c2ef0ff7094bc2350460573a686182bc45fd6613480e353
SHA512d95924a499f32d9b4d9a7d298502181f9e9048c21dbe0496fa3c3279b263d6f7d594b859111a99b1a53bd248ee69b867d7b1768c42e1e40934e0b990f0ce051e
-
Filesize
1KB
MD5dabe93a03c5560ab1670cf79b8d28566
SHA169738fe43d4550ece028ff2795a54bbad0985414
SHA256743e8b28a38e98ea27ef07f17b7529976979c7b01eab92586a6cb686c0d1f68d
SHA51215b3b49c46901e00a73def834225df28fd843af1e9ae594c7d061406209f6ce57277673c9c1ae3ed541f989fa499fd3e88929e00ebded6d23301f8d3680a6c57
-
Filesize
195KB
MD57ea9da3dd3db6f3fadf04ac76b54434b
SHA1b30b950191046d999e71aaa54fb2648c6655ce9b
SHA256947bce97211371e730a2b8b79c2ec4d154904e8faa7bed2583c5c6c420230170
SHA512f94eb382dedb8c3952dbc0f3b9040201455cec641c845bedf5765a2772aa98cb20d92b3e0edadcd92fd7cdb77e7c6f37d26bdd276cceea733237e28f04240f9d
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b8ab77100df80ab2.customDestinations-ms
Filesize682B
MD5de8d66e52d2f00b2b6f34395dd03822e
SHA115ef90142bb36032391094e2806fe80715062d7a
SHA2569b4423128a44b1297446831ebc70e47e2a387eb25079a5862c42a8bb2bd2510b
SHA51208dd0fdafff53184bb981277f7d18d1ae50610bc1acdfaf8365ad64ea69b87ad96e6259ecef755163aed69f927581e1a7fe40ce3f1bd2db33a6550f2af6731a0
-
Filesize
166KB
MD557fcc042b0f7783567878d217ae69e25
SHA183032ec361ea8b15ef956536999b754db6a12423
SHA25613bd3ee226114db8e18f2fe414a7e2c4e0937eda7d8a02b2efebaa2af8238564
SHA5124fe2ce713333d9a16d65ca5ccdc3a2e687b84a58b6b1e43b43c3f508edb2cc04478a5595efc43202decf7f86b50fd43382246fbc12553117a9177fb13d987b67
-
Filesize
10KB
MD5087bcef76143b81090deef4ee4679995
SHA16ebd4fd212d0583157ae03bb0eb5841c53e281fc
SHA25687334eb3f39cffdfeed453f67a7c338fe378b75c49946451ca1a0e4e151bba00
SHA512b2f93705760d4d1cf5fe0ac354100916d16b6c4fd62117254238a600aabe6257fc791f1ce498bd2d0cfdd47e19f304dc5a68a06b7958658f34859afaa582ed4d