blacknet | ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35

Analysis

max time kernel
32s
max time network
28s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30-03-2024 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
Size

131KB
MD5

40ba4ae347f750e4d71f06f7982c8c67
SHA1

5d6512146cbafb7d2545ca57fb4cbb2e7ec99c98
SHA256

ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35
SHA512

8967e67fa7b8d135036d719fa3fb0688da37336d4ec48b07442dbc123454f8c8540d161150ca571795562101c32b05cec061d782f921bcb04b73dea8dfca9240
SSDEEP

1536:6W27RutYPWEB9iefYRTCCaH2pw3bv4UFZL209s7MzhLbbATOX1A/Zkjn1Rr:qJwTC72pw3bvLFxEM8Rkj7

Score

10^/10

blacknet redengine evasion persistence trojan

Malware Config

Extracted

Family

blacknet

Version

v3.5.1 Public

Botnet

Redengine

http://boat.salvajesrp.com/

Mutex

BN[yfJZGMfn-6322239]

Attributes

antivm
true
elevate_uac
true
install_name
WindowsUpdate.exe
splitter
|BN|
start_name
a4f5fc179540a0b155d91b489e6811e2
startup
true
usb_spread
false

aes.plain

Signatures

BlackNET
BlackNET is an open source remote access tool written in VB.NET.
trojan blacknet

BlackNET payload 1 IoCs

resource	yara_rule
behavioral1/files/0x0033000000014b12-109.dat	family_blacknet

Contains code to disable Windows Defender 1 IoCs

A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

resource	yara_rule
behavioral1/files/0x0033000000014b12-109.dat	disable_win_def

Modifies Windows Defender Real-time Protection settings 3 TTPs 4 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1"	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1"	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1"	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe

Executes dropped EXE 5 IoCs

pid	Process
1456	WindowsUpdate.exe
2072	svchosts.exe
788	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
1960	WindowsUpdate.exe
2548	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe

Windows security modification 2 TTPs 3 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features	WindowsUpdate.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\a4f5fc179540a0b155d91b489e6811e2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe"	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\a4f5fc179540a0b155d91b489e6811e2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe"	WindowsUpdate.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\a4f5fc179540a0b155d91b489e6811e2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe"	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\a4f5fc179540a0b155d91b489e6811e2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe"	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\a4f5fc179540a0b155d91b489e6811e2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe"	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
Token: SeDebugPrivilege	2608	powershell.exe
Token: SeDebugPrivilege	1456	WindowsUpdate.exe
Token: SeDebugPrivilege	2072	svchosts.exe
Token: SeDebugPrivilege	788	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	1960	WindowsUpdate.exe
Token: SeDebugPrivilege	2548	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
Token: SeDebugPrivilege	2476	powershell.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
1456	WindowsUpdate.exe
1456	WindowsUpdate.exe
788	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
788	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
1960	WindowsUpdate.exe
1960	WindowsUpdate.exe
2548	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
2548	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2032 wrote to memory of 2608	2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe	29
PID 2032 wrote to memory of 2608	2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe	29
PID 2032 wrote to memory of 2608	2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe	29
PID 2032 wrote to memory of 1456	2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe	31
PID 2032 wrote to memory of 1456	2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe	31
PID 2032 wrote to memory of 1456	2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe	31
PID 2032 wrote to memory of 2072	2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe	32
PID 2032 wrote to memory of 2072	2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe	32
PID 2032 wrote to memory of 2072	2032	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe	32
PID 2072 wrote to memory of 788	2072	svchosts.exe	33
PID 2072 wrote to memory of 788	2072	svchosts.exe	33
PID 2072 wrote to memory of 788	2072	svchosts.exe	33
PID 788 wrote to memory of 2012	788	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe	34
PID 788 wrote to memory of 2012	788	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe	34
PID 788 wrote to memory of 2012	788	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe	34
PID 788 wrote to memory of 1960	788	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe	36
PID 788 wrote to memory of 1960	788	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe	36
PID 788 wrote to memory of 1960	788	40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe	36
PID 2072 wrote to memory of 2548	2072	svchosts.exe	37
PID 2072 wrote to memory of 2548	2072	svchosts.exe	37
PID 2072 wrote to memory of 2548	2072	svchosts.exe	37
PID 1960 wrote to memory of 2476	1960	WindowsUpdate.exe	38
PID 1960 wrote to memory of 2476	1960	WindowsUpdate.exe	38
PID 1960 wrote to memory of 2476	1960	WindowsUpdate.exe	38

C:\Users\Admin\AppData\Local\Temp\40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe"
1⤵
- Modifies Windows Defender Real-time Protection settings
- Windows security modification
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" Get-MpPreference -verbose
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2608
- C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe
  "C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1456
- C:\Users\Admin\AppData\Local\Temp\svchosts.exe
  "C:\Users\Admin\AppData\Local\Temp\svchosts.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Users\Admin\AppData\Local\Temp\40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "powershell" Get-MpPreference -verbose
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2012
  - - C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe
      "C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"
      4⤵
      Executes dropped EXE
      Windows security modification
      Adds Run key to start application
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" Get-MpPreference -verbose
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
- - C:\Users\Admin\AppData\Local\Temp\40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2548
- - C:\Users\Admin\AppData\Local\Temp\40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe"
    3⤵
    PID:2300
- - C:\Users\Admin\AppData\Local\Temp\40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe"
    3⤵
    PID:2104
- - C:\Users\Admin\AppData\Local\Temp\40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe"
    3⤵
    PID:2780
- - C:\Users\Admin\AppData\Local\Temp\40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe"
    3⤵
    PID:3444
- - C:\Users\Admin\AppData\Local\Temp\40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe"
    3⤵
    PID:7000
- - C:\Users\Admin\AppData\Local\Temp\40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe"
    3⤵
    PID:2040
- - C:\Users\Admin\AppData\Local\Temp\40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe"
    3⤵
    PID:3788
- - C:\Users\Admin\AppData\Local\Temp\40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\40ba4ae347f750e4d71f06f7982c8c67_JaffaCakes118.exe"
    3⤵
    PID:10156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe

Filesize
131KB

MD5
40ba4ae347f750e4d71f06f7982c8c67

SHA1
5d6512146cbafb7d2545ca57fb4cbb2e7ec99c98

SHA256
ce52605de786f0cc40c456b8de0742fe8d6f0b426de812033a901f08168d1d35

SHA512
8967e67fa7b8d135036d719fa3fb0688da37336d4ec48b07442dbc123454f8c8540d161150ca571795562101c32b05cec061d782f921bcb04b73dea8dfca9240

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchosts.exe

Filesize
17KB

MD5
89dd6e72358a669b7d6e2348307a7af7

SHA1
0db348f3c6114a45d71f4d218e0e088b71c7bb0a

SHA256
ad34794058212006ae974fcc6a0242598e6d020f08044439e3512773cd402b7e

SHA512
93b8a47686d7491281a0809b138a6244a535302ba0d6b2146849e9888632c72b6223ae8eb7a24f1006aaf57ab947a8f43719cff4837df559e7bf42f52c63856b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6CFHM7M9AYZGRSDYPKIN.temp

Filesize
7KB

MD5
3d5107a35969c2ba089ec5fcde21abe2

SHA1
d41810958f37d51adc64683465ff4695909ec147

SHA256
99cc66e0ac598e6ff4d64e1aac58e38f6d9867422dc22136ab69092e938688fe

SHA512
8057669338d66085cde49560d1961a046484f1819d1d0d179c843dc8f3781cac384e6e1a5d58e56f2c168c6d8b235827a58d78fb73b19a5be49533600b30ab99

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2032-44-0x000000001F440000-0x000000001F540000-memory.dmp

Filesize
1024KB

Download
memory/2032-67-0x000000001F440000-0x000000001F540000-memory.dmp

Filesize
1024KB

Download
memory/2032-5-0x0000000000230000-0x00000000002B0000-memory.dmp

Filesize
512KB

Download
memory/2032-7-0x0000000000230000-0x00000000002B0000-memory.dmp

Filesize
512KB

Download
memory/2032-8-0x0000000000230000-0x00000000002B0000-memory.dmp

Filesize
512KB

Download
memory/2032-10-0x0000000000230000-0x00000000002B0000-memory.dmp

Filesize
512KB

Download
memory/2032-14-0x0000000000230000-0x00000000002B0000-memory.dmp

Filesize
512KB

Download
memory/2032-15-0x0000000000230000-0x00000000002B0000-memory.dmp

Filesize
512KB

Download
memory/2032-16-0x0000000000230000-0x00000000002B0000-memory.dmp

Filesize
512KB

Download
memory/2032-17-0x0000000000230000-0x00000000002B0000-memory.dmp

Filesize
512KB

Download
memory/2032-1-0x0000000000230000-0x00000000002B0000-memory.dmp

Filesize
512KB

Download
memory/2032-19-0x0000000000230000-0x00000000002B0000-memory.dmp

Filesize
512KB

Download
memory/2032-20-0x000000001F440000-0x000000001F540000-memory.dmp

Filesize
1024KB

Download
memory/2032-21-0x000000001F440000-0x000000001F540000-memory.dmp

Filesize
1024KB

Download
memory/2032-22-0x000000001F440000-0x000000001F540000-memory.dmp

Filesize
1024KB

Download
memory/2032-23-0x000000001F440000-0x000000001F540000-memory.dmp

Filesize
1024KB

Download
memory/2032-24-0x000000001F440000-0x000000001F540000-memory.dmp

Filesize
1024KB

Download
memory/2032-25-0x000000001F440000-0x000000001F540000-memory.dmp

Filesize
1024KB

Download
memory/2032-26-0x000000001F440000-0x000000001F540000-memory.dmp

Filesize
1024KB

Download
memory/2032-27-0x000000001F440000-0x000000001F540000-memory.dmp

Filesize
1024KB

Download
memory/2032-28-0x000000001F440000-0x000000001F540000-memory.dmp

Filesize
1024KB

Download
memory/2032-29-0x000000001F440000-0x000000001F540000-memory.dmp

Filesize
1024KB

Download
memory/2032-30-0x000000001F440000-0x000000001F540000-memory.dmp

Filesize
1024KB

Download
memory/2032-31-0x000000001F440000-0x000000001F540000-memory.dmp

Filesize
1024KB

Download
memory/2032-32-0x000000001F440000-0x000000001F540000-memory.dmp

Filesize
1024KB

Download
memory/2032-33-0x000000001F440000-0x000000001F540000-memory.dmp

Filesize
1024KB

Download
memory/2032-35-0x000000001F440000-0x000000001F540000-memory.dmp

Filesize
1024KB

Download
memory/2032-37-0x000000001F440000-0x000000001F540000-memory.dmp

Filesize
1024KB

Download
memory/2032-2-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/2032-4-0x0000000000230000-0x00000000002B0000-memory.dmp

Filesize
512KB

Download
memory/2032-3-0x0000000000230000-0x00000000002B0000-memory.dmp

Filesize
512KB

Download
memory/2032-6-0x0000000000230000-0x00000000002B0000-memory.dmp

Filesize
512KB

Download
memory/2032-18-0x0000000000230000-0x00000000002B0000-memory.dmp

Filesize
512KB

Download
memory/2032-41-0x000000001F440000-0x000000001F540000-memory.dmp

Filesize
1024KB

Download
memory/2032-42-0x000000001F440000-0x000000001F540000-memory.dmp

Filesize
1024KB

Download
memory/2032-43-0x000000001F440000-0x000000001F540000-memory.dmp

Filesize
1024KB

Download
memory/2032-46-0x0000000000230000-0x00000000002B0000-memory.dmp

Filesize
512KB

Download
memory/2032-45-0x0000000000230000-0x00000000002B0000-memory.dmp

Filesize
512KB

Download
memory/2032-49-0x000000001F440000-0x000000001F540000-memory.dmp

Filesize
1024KB

Download
memory/2032-51-0x000000001F440000-0x000000001F540000-memory.dmp

Filesize
1024KB

Download
memory/2032-66-0x000000001F440000-0x000000001F540000-memory.dmp

Filesize
1024KB

Download
memory/2032-53-0x000000001F440000-0x000000001F540000-memory.dmp

Filesize
1024KB

Download
memory/2032-55-0x0000000000230000-0x00000000002B0000-memory.dmp

Filesize
512KB

Download
memory/2032-54-0x000000001F440000-0x000000001F540000-memory.dmp

Filesize
1024KB

Download
memory/2032-56-0x0000000000230000-0x00000000002B0000-memory.dmp

Filesize
512KB

Download
memory/2032-65-0x000000001F440000-0x000000001F540000-memory.dmp

Filesize
1024KB

Download
memory/2032-64-0x0000000000230000-0x00000000002B0000-memory.dmp

Filesize
512KB

Download
memory/2032-47-0x0000000000230000-0x00000000002B0000-memory.dmp

Filesize
512KB

Download
memory/2032-0-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/2032-57-0x0000000000230000-0x00000000002B0000-memory.dmp

Filesize
512KB

Download
memory/2032-58-0x000000001F440000-0x000000001F540000-memory.dmp

Filesize
1024KB

Download
memory/2032-59-0x000000001F440000-0x000000001F540000-memory.dmp

Filesize
1024KB

Download
memory/2032-60-0x000000001F440000-0x000000001F540000-memory.dmp

Filesize
1024KB

Download
memory/2032-62-0x0000000000230000-0x00000000002B0000-memory.dmp

Filesize
512KB

Download
memory/2032-61-0x0000000000230000-0x00000000002B0000-memory.dmp

Filesize
512KB

Download
memory/2032-63-0x000000001F440000-0x000000001F540000-memory.dmp

Filesize
1024KB

Download
memory/2608-48-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download
memory/2608-50-0x0000000002C74000-0x0000000002C77000-memory.dmp

Filesize
12KB

Download
memory/2608-52-0x0000000002C7B000-0x0000000002CE2000-memory.dmp

Filesize
412KB

Download
memory/2608-40-0x0000000002C70000-0x0000000002CF0000-memory.dmp

Filesize
512KB

Download
memory/2608-36-0x0000000001FE0000-0x0000000001FE8000-memory.dmp

Filesize
32KB

Download
memory/2608-34-0x000000001B720000-0x000000001BA02000-memory.dmp

Filesize
2.9MB

Download
memory/2608-38-0x0000000002C70000-0x0000000002CF0000-memory.dmp

Filesize
512KB

Download
memory/2608-39-0x000007FEF58B0000-0x000007FEF624D000-memory.dmp

Filesize
9.6MB

Download