zgrat | 4ec050b4dfd931ed6d30256b3ed1d042f313860da23e7ca064aaf95ad83e257e

Analysis

max time kernel
150s
max time network
147s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
28-04-2024 16:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

681ecd41ed50e6b0ae4470991cd4a0d6.exe
Size

36KB
MD5

681ecd41ed50e6b0ae4470991cd4a0d6
SHA1

0e5981933d18a50a8424700305420f492a71aafe
SHA256

4ec050b4dfd931ed6d30256b3ed1d042f313860da23e7ca064aaf95ad83e257e
SHA512

f0cb5e0adc627732c0e87b43173a7d0e14f3fe037505ca03f13b24b4d1fcc0a6085bb74d4b84c87c79caea264a6bf1991e9a43d9879737b8602e1179ef0e2769
SSDEEP

384:2QbMkYQbSKDQbkoKDVbJdpGKDGPGAttNyb8E9VF6IYinAM+oP9YkB/5OtMh:fIZA39EPGQJEpYinAMxhBTh

Score

10^/10

zgrat rat spyware stealer

Malware Config

Signatures

Detect ZGRat V1 37 IoCs

Processes:

resource	yara_rule
behavioral1/memory/360-3-0x0000000007540000-0x00000000077F8000-memory.dmp	family_zgrat_v1
behavioral1/memory/360-4-0x0000000007540000-0x00000000077F2000-memory.dmp	family_zgrat_v1
behavioral1/memory/360-29-0x0000000007540000-0x00000000077F2000-memory.dmp	family_zgrat_v1
behavioral1/memory/360-5-0x0000000007540000-0x00000000077F2000-memory.dmp	family_zgrat_v1
behavioral1/memory/360-7-0x0000000007540000-0x00000000077F2000-memory.dmp	family_zgrat_v1
behavioral1/memory/360-9-0x0000000007540000-0x00000000077F2000-memory.dmp	family_zgrat_v1
behavioral1/memory/360-11-0x0000000007540000-0x00000000077F2000-memory.dmp	family_zgrat_v1
behavioral1/memory/360-13-0x0000000007540000-0x00000000077F2000-memory.dmp	family_zgrat_v1
behavioral1/memory/360-15-0x0000000007540000-0x00000000077F2000-memory.dmp	family_zgrat_v1
behavioral1/memory/360-17-0x0000000007540000-0x00000000077F2000-memory.dmp	family_zgrat_v1
behavioral1/memory/360-19-0x0000000007540000-0x00000000077F2000-memory.dmp	family_zgrat_v1
behavioral1/memory/360-21-0x0000000007540000-0x00000000077F2000-memory.dmp	family_zgrat_v1
behavioral1/memory/360-23-0x0000000007540000-0x00000000077F2000-memory.dmp	family_zgrat_v1
behavioral1/memory/360-25-0x0000000007540000-0x00000000077F2000-memory.dmp	family_zgrat_v1
behavioral1/memory/360-27-0x0000000007540000-0x00000000077F2000-memory.dmp	family_zgrat_v1
behavioral1/memory/360-31-0x0000000007540000-0x00000000077F2000-memory.dmp	family_zgrat_v1
behavioral1/memory/360-57-0x0000000007540000-0x00000000077F2000-memory.dmp	family_zgrat_v1
behavioral1/memory/360-67-0x0000000007540000-0x00000000077F2000-memory.dmp	family_zgrat_v1
behavioral1/memory/360-65-0x0000000007540000-0x00000000077F2000-memory.dmp	family_zgrat_v1
behavioral1/memory/360-63-0x0000000007540000-0x00000000077F2000-memory.dmp	family_zgrat_v1
behavioral1/memory/360-61-0x0000000007540000-0x00000000077F2000-memory.dmp	family_zgrat_v1
behavioral1/memory/360-60-0x0000000007540000-0x00000000077F2000-memory.dmp	family_zgrat_v1
behavioral1/memory/360-55-0x0000000007540000-0x00000000077F2000-memory.dmp	family_zgrat_v1
behavioral1/memory/360-53-0x0000000007540000-0x00000000077F2000-memory.dmp	family_zgrat_v1
behavioral1/memory/360-51-0x0000000007540000-0x00000000077F2000-memory.dmp	family_zgrat_v1
behavioral1/memory/360-49-0x0000000007540000-0x00000000077F2000-memory.dmp	family_zgrat_v1
behavioral1/memory/360-47-0x0000000007540000-0x00000000077F2000-memory.dmp	family_zgrat_v1
behavioral1/memory/360-45-0x0000000007540000-0x00000000077F2000-memory.dmp	family_zgrat_v1
behavioral1/memory/360-43-0x0000000007540000-0x00000000077F2000-memory.dmp	family_zgrat_v1
behavioral1/memory/360-41-0x0000000007540000-0x00000000077F2000-memory.dmp	family_zgrat_v1
behavioral1/memory/360-39-0x0000000007540000-0x00000000077F2000-memory.dmp	family_zgrat_v1
behavioral1/memory/360-37-0x0000000007540000-0x00000000077F2000-memory.dmp	family_zgrat_v1
behavioral1/memory/360-35-0x0000000007540000-0x00000000077F2000-memory.dmp	family_zgrat_v1
behavioral1/memory/360-33-0x0000000007540000-0x00000000077F2000-memory.dmp	family_zgrat_v1
behavioral1/memory/2516-4907-0x00000000006A0000-0x0000000000788000-memory.dmp	family_zgrat_v1
behavioral1/memory/7508-21354-0x00000000075D0000-0x00000000078C4000-memory.dmp	family_zgrat_v1
behavioral1/memory/7248-28560-0x00000000042B0000-0x0000000004320000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

KeySize.exeKeySize.exeomhba.exeomhba.exe

pid process

3972 KeySize.exe
3064 KeySize.exe
7508 omhba.exe
7248 omhba.exe
Loads dropped DLL 2 IoCs

Processes:

KeySize.exeomhba.exe

pid process

3972 KeySize.exe
7508 omhba.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
3972	KeySize.exe
3064	KeySize.exe
7508	omhba.exe
7248	omhba.exe

pid	process
3972	KeySize.exe
7508	omhba.exe

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 5 IoCs

Processes:

681ecd41ed50e6b0ae4470991cd4a0d6.exeKeySize.exeKeySize.exeInstallUtil.exeomhba.exe

description	pid	process	target process
PID 360 set thread context of 2516	360	681ecd41ed50e6b0ae4470991cd4a0d6.exe	681ecd41ed50e6b0ae4470991cd4a0d6.exe
PID 3972 set thread context of 3064	3972	KeySize.exe	KeySize.exe
PID 3064 set thread context of 7968	3064	KeySize.exe	InstallUtil.exe
PID 7968 set thread context of 7440	7968	InstallUtil.exe	InstallUtil.exe
PID 7508 set thread context of 7248	7508	omhba.exe	omhba.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exeKeySize.exepowershell.exeomhba.exe

pid process

1384 powershell.exe
3064 KeySize.exe
3064 KeySize.exe
8100 powershell.exe
7248 omhba.exe

pid	process
1384	powershell.exe
3064	KeySize.exe
3064	KeySize.exe
8100	powershell.exe
7248	omhba.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

681ecd41ed50e6b0ae4470991cd4a0d6.exe681ecd41ed50e6b0ae4470991cd4a0d6.exepowershell.exeKeySize.exeKeySize.exeInstallUtil.exepowershell.exeInstallUtil.exeomhba.exeomhba.exe

description	pid	process
Token: SeDebugPrivilege	360	681ecd41ed50e6b0ae4470991cd4a0d6.exe
Token: SeDebugPrivilege	360	681ecd41ed50e6b0ae4470991cd4a0d6.exe
Token: SeDebugPrivilege	2516	681ecd41ed50e6b0ae4470991cd4a0d6.exe
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeDebugPrivilege	3972	KeySize.exe
Token: SeDebugPrivilege	3972	KeySize.exe
Token: SeDebugPrivilege	3064	KeySize.exe
Token: SeDebugPrivilege	7968	InstallUtil.exe
Token: SeDebugPrivilege	8100	powershell.exe
Token: SeDebugPrivilege	7968	InstallUtil.exe
Token: SeDebugPrivilege	7440	InstallUtil.exe
Token: SeDebugPrivilege	7508	omhba.exe
Token: SeDebugPrivilege	7508	omhba.exe
Token: SeDebugPrivilege	7248	omhba.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

681ecd41ed50e6b0ae4470991cd4a0d6.exetaskeng.exetaskeng.exeKeySize.exeKeySize.exeInstallUtil.exe

description	pid	process	target process
PID 360 wrote to memory of 2516	360	681ecd41ed50e6b0ae4470991cd4a0d6.exe	681ecd41ed50e6b0ae4470991cd4a0d6.exe
PID 360 wrote to memory of 2516	360	681ecd41ed50e6b0ae4470991cd4a0d6.exe	681ecd41ed50e6b0ae4470991cd4a0d6.exe
PID 360 wrote to memory of 2516	360	681ecd41ed50e6b0ae4470991cd4a0d6.exe	681ecd41ed50e6b0ae4470991cd4a0d6.exe
PID 360 wrote to memory of 2516	360	681ecd41ed50e6b0ae4470991cd4a0d6.exe	681ecd41ed50e6b0ae4470991cd4a0d6.exe
PID 360 wrote to memory of 2516	360	681ecd41ed50e6b0ae4470991cd4a0d6.exe	681ecd41ed50e6b0ae4470991cd4a0d6.exe
PID 360 wrote to memory of 2516	360	681ecd41ed50e6b0ae4470991cd4a0d6.exe	681ecd41ed50e6b0ae4470991cd4a0d6.exe
PID 360 wrote to memory of 2516	360	681ecd41ed50e6b0ae4470991cd4a0d6.exe	681ecd41ed50e6b0ae4470991cd4a0d6.exe
PID 360 wrote to memory of 2516	360	681ecd41ed50e6b0ae4470991cd4a0d6.exe	681ecd41ed50e6b0ae4470991cd4a0d6.exe
PID 360 wrote to memory of 2516	360	681ecd41ed50e6b0ae4470991cd4a0d6.exe	681ecd41ed50e6b0ae4470991cd4a0d6.exe
PID 360 wrote to memory of 2516	360	681ecd41ed50e6b0ae4470991cd4a0d6.exe	681ecd41ed50e6b0ae4470991cd4a0d6.exe
PID 360 wrote to memory of 2516	360	681ecd41ed50e6b0ae4470991cd4a0d6.exe	681ecd41ed50e6b0ae4470991cd4a0d6.exe
PID 360 wrote to memory of 2516	360	681ecd41ed50e6b0ae4470991cd4a0d6.exe	681ecd41ed50e6b0ae4470991cd4a0d6.exe
PID 2680 wrote to memory of 1384	2680	taskeng.exe	powershell.exe
PID 2680 wrote to memory of 1384	2680	taskeng.exe	powershell.exe
PID 2680 wrote to memory of 1384	2680	taskeng.exe	powershell.exe
PID 1512 wrote to memory of 3972	1512	taskeng.exe	KeySize.exe
PID 1512 wrote to memory of 3972	1512	taskeng.exe	KeySize.exe
PID 1512 wrote to memory of 3972	1512	taskeng.exe	KeySize.exe
PID 1512 wrote to memory of 3972	1512	taskeng.exe	KeySize.exe
PID 1512 wrote to memory of 3972	1512	taskeng.exe	KeySize.exe
PID 1512 wrote to memory of 3972	1512	taskeng.exe	KeySize.exe
PID 1512 wrote to memory of 3972	1512	taskeng.exe	KeySize.exe
PID 3972 wrote to memory of 3064	3972	KeySize.exe	KeySize.exe
PID 3972 wrote to memory of 3064	3972	KeySize.exe	KeySize.exe
PID 3972 wrote to memory of 3064	3972	KeySize.exe	KeySize.exe
PID 3972 wrote to memory of 3064	3972	KeySize.exe	KeySize.exe
PID 3972 wrote to memory of 3064	3972	KeySize.exe	KeySize.exe
PID 3972 wrote to memory of 3064	3972	KeySize.exe	KeySize.exe
PID 3972 wrote to memory of 3064	3972	KeySize.exe	KeySize.exe
PID 3972 wrote to memory of 3064	3972	KeySize.exe	KeySize.exe
PID 3972 wrote to memory of 3064	3972	KeySize.exe	KeySize.exe
PID 3972 wrote to memory of 3064	3972	KeySize.exe	KeySize.exe
PID 3972 wrote to memory of 3064	3972	KeySize.exe	KeySize.exe
PID 3972 wrote to memory of 3064	3972	KeySize.exe	KeySize.exe
PID 3064 wrote to memory of 7968	3064	KeySize.exe	InstallUtil.exe
PID 3064 wrote to memory of 7968	3064	KeySize.exe	InstallUtil.exe
PID 3064 wrote to memory of 7968	3064	KeySize.exe	InstallUtil.exe
PID 3064 wrote to memory of 7968	3064	KeySize.exe	InstallUtil.exe
PID 3064 wrote to memory of 7968	3064	KeySize.exe	InstallUtil.exe
PID 3064 wrote to memory of 7968	3064	KeySize.exe	InstallUtil.exe
PID 3064 wrote to memory of 7968	3064	KeySize.exe	InstallUtil.exe
PID 3064 wrote to memory of 7968	3064	KeySize.exe	InstallUtil.exe
PID 3064 wrote to memory of 7968	3064	KeySize.exe	InstallUtil.exe
PID 3064 wrote to memory of 7968	3064	KeySize.exe	InstallUtil.exe
PID 3064 wrote to memory of 7968	3064	KeySize.exe	InstallUtil.exe
PID 3064 wrote to memory of 7968	3064	KeySize.exe	InstallUtil.exe
PID 2680 wrote to memory of 8100	2680	taskeng.exe	powershell.exe
PID 2680 wrote to memory of 8100	2680	taskeng.exe	powershell.exe
PID 2680 wrote to memory of 8100	2680	taskeng.exe	powershell.exe
PID 7968 wrote to memory of 7440	7968	InstallUtil.exe	InstallUtil.exe
PID 7968 wrote to memory of 7440	7968	InstallUtil.exe	InstallUtil.exe
PID 7968 wrote to memory of 7440	7968	InstallUtil.exe	InstallUtil.exe
PID 7968 wrote to memory of 7440	7968	InstallUtil.exe	InstallUtil.exe
PID 7968 wrote to memory of 7440	7968	InstallUtil.exe	InstallUtil.exe
PID 7968 wrote to memory of 7440	7968	InstallUtil.exe	InstallUtil.exe
PID 7968 wrote to memory of 7440	7968	InstallUtil.exe	InstallUtil.exe
PID 7968 wrote to memory of 7440	7968	InstallUtil.exe	InstallUtil.exe
PID 7968 wrote to memory of 7440	7968	InstallUtil.exe	InstallUtil.exe
PID 7968 wrote to memory of 7440	7968	InstallUtil.exe	InstallUtil.exe
PID 7968 wrote to memory of 7440	7968	InstallUtil.exe	InstallUtil.exe
PID 7968 wrote to memory of 7440	7968	InstallUtil.exe	InstallUtil.exe
PID 1512 wrote to memory of 7508	1512	taskeng.exe	omhba.exe
PID 1512 wrote to memory of 7508	1512	taskeng.exe	omhba.exe
PID 1512 wrote to memory of 7508	1512	taskeng.exe	omhba.exe

C:\Users\Admin\AppData\Local\Temp\681ecd41ed50e6b0ae4470991cd4a0d6.exe
"C:\Users\Admin\AppData\Local\Temp\681ecd41ed50e6b0ae4470991cd4a0d6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:360

C:\Users\Admin\AppData\Local\Temp\681ecd41ed50e6b0ae4470991cd4a0d6.exe
"C:\Users\Admin\AppData\Local\Temp\681ecd41ed50e6b0ae4470991cd4a0d6.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2516

C:\Windows\system32\taskeng.exe
taskeng.exe {7BC7AAFC-97DF-4BBB-B366-14EE17773363} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:S4U:
1⤵
- Suspicious use of WriteProcessMemory
PID:2680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAASwBlAHkAUwBpAHoAZQAuAGUAeABlADsA
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -enc QQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwALABDADoAXABVAHMAZQByAHMAXABBAGQAbQBpAG4AXABBAHAAcABEAGEAdABhAFwATABvAGMAYQBsAFwAVABlAG0AcABcADsAIABBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAHIAbwBjAGUAcwBzACAASwBlAHkAUwBpAHoAZQAuAGUAeABlADsA
2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:8100

C:\Windows\system32\taskeng.exe
taskeng.exe {F62ED4D5-1EF5-4DF0-B979-B7F68C1336C7} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1512

C:\Users\Admin\AppData\Local\HasCurrent\mqzcdzegs\KeySize.exe
C:\Users\Admin\AppData\Local\HasCurrent\mqzcdzegs\KeySize.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3972

C:\Users\Admin\AppData\Local\HasCurrent\mqzcdzegs\KeySize.exe
"C:\Users\Admin\AppData\Local\HasCurrent\mqzcdzegs\KeySize.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
4⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:7968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:7440

C:\Users\Admin\AppData\Local\Temp\omhba.exe
C:\Users\Admin\AppData\Local\Temp\omhba.exe
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
PID:7508

C:\Users\Admin\AppData\Local\Temp\omhba.exe
"C:\Users\Admin\AppData\Local\Temp\omhba.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:7248

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\HasCurrent\mqzcdzegs\KeySize.exe
Filesize
36KB

MD5
681ecd41ed50e6b0ae4470991cd4a0d6

SHA1
0e5981933d18a50a8424700305420f492a71aafe

SHA256
4ec050b4dfd931ed6d30256b3ed1d042f313860da23e7ca064aaf95ad83e257e

SHA512
f0cb5e0adc627732c0e87b43173a7d0e14f3fe037505ca03f13b24b4d1fcc0a6085bb74d4b84c87c79caea264a6bf1991e9a43d9879737b8602e1179ef0e2769

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zkood.tmpdb
Filesize
148KB

MD5
90a1d4b55edf36fa8b4cc6974ed7d4c4

SHA1
aba1b8d0e05421e7df5982899f626211c3c4b5c1

SHA256
7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c

SHA512
ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\omhba.exe
Filesize
36KB

MD5
50ee68942ea8bb92caec46f64d21c425

SHA1
6bf4dd3cf4c58a212473c819148ec2bd4710bae7

SHA256
46881e86cabd9d39cb7b57e9a85f2007c1c8fece41e3b5edd74c12f38c4acba9

SHA512
48967574b9577c81470ebe520ddd2beff40e4b2847e5e89a1eacb12d653fe1452826f18e40a6ec6328782827f0f9ba6f1eb23d295628632f2fee8c74c6c5c228

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
25b7694f4816db5070d66515f95b3ebe

SHA1
0afc8b328f9e9457f2fcc71ae9b6559942745bff

SHA256
bcea4f1644665813c5621d041c29331def2738fab26b7ee50110692d358e9aa4

SHA512
2b42c332f8221e8f58374ce51bc2dc585e111829189d55759604c02bd46d8e6a94ffab73dd3d5caf53cbd9505b5958ee7fd05faca500deb66d2f92b38adceddc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WMHG91JBBJAN7J9I1UXZ.temp
Filesize
7KB

MD5
2ab303543db27c93e91da947a7a23c46

SHA1
e3ce4055236d726387a6c74ba6b43568ec365bd8

SHA256
285f419d07abce7101cac4bcb3055f5b23f9e31525b388b464d56adb1e12159c

SHA512
cf15eb6d7cad4f2ebb1c751895e890a7561de546f89747e0d7642b4a1f058a5f792abd06cab4f340234ef70397437234d32f3aceaba9b172f3c4af3daab12816

Download Submit
memory/360-4888-0x0000000001F00000-0x0000000001F40000-memory.dmp

Filesize
256KB

Download
memory/360-55-0x0000000007540000-0x00000000077F2000-memory.dmp

Filesize
2.7MB

Download
memory/360-7-0x0000000007540000-0x00000000077F2000-memory.dmp

Filesize
2.7MB

Download
memory/360-9-0x0000000007540000-0x00000000077F2000-memory.dmp

Filesize
2.7MB

Download
memory/360-11-0x0000000007540000-0x00000000077F2000-memory.dmp

Filesize
2.7MB

Download
memory/360-13-0x0000000007540000-0x00000000077F2000-memory.dmp

Filesize
2.7MB

Download
memory/360-15-0x0000000007540000-0x00000000077F2000-memory.dmp

Filesize
2.7MB

Download
memory/360-17-0x0000000007540000-0x00000000077F2000-memory.dmp

Filesize
2.7MB

Download
memory/360-19-0x0000000007540000-0x00000000077F2000-memory.dmp

Filesize
2.7MB

Download
memory/360-21-0x0000000007540000-0x00000000077F2000-memory.dmp

Filesize
2.7MB

Download
memory/360-23-0x0000000007540000-0x00000000077F2000-memory.dmp

Filesize
2.7MB

Download
memory/360-25-0x0000000007540000-0x00000000077F2000-memory.dmp

Filesize
2.7MB

Download
memory/360-27-0x0000000007540000-0x00000000077F2000-memory.dmp

Filesize
2.7MB

Download
memory/360-39-0x0000000007540000-0x00000000077F2000-memory.dmp

Filesize
2.7MB

Download
memory/360-57-0x0000000007540000-0x00000000077F2000-memory.dmp

Filesize
2.7MB

Download
memory/360-67-0x0000000007540000-0x00000000077F2000-memory.dmp

Filesize
2.7MB

Download
memory/360-4886-0x0000000004BA0000-0x0000000004BEC000-memory.dmp

Filesize
304KB

Download
memory/360-4885-0x0000000007800000-0x00000000078F4000-memory.dmp

Filesize
976KB

Download
memory/360-4884-0x0000000000550000-0x0000000000551000-memory.dmp

Filesize
4KB

Download
memory/360-65-0x0000000007540000-0x00000000077F2000-memory.dmp

Filesize
2.7MB

Download
memory/360-4887-0x00000000050F0000-0x0000000005144000-memory.dmp

Filesize
336KB

Download
memory/360-63-0x0000000007540000-0x00000000077F2000-memory.dmp

Filesize
2.7MB

Download
memory/360-61-0x0000000007540000-0x00000000077F2000-memory.dmp

Filesize
2.7MB

Download
memory/360-60-0x0000000007540000-0x00000000077F2000-memory.dmp

Filesize
2.7MB

Download
memory/360-37-0x0000000007540000-0x00000000077F2000-memory.dmp

Filesize
2.7MB

Download
memory/360-53-0x0000000007540000-0x00000000077F2000-memory.dmp

Filesize
2.7MB

Download
memory/360-51-0x0000000007540000-0x00000000077F2000-memory.dmp

Filesize
2.7MB

Download
memory/360-49-0x0000000007540000-0x00000000077F2000-memory.dmp

Filesize
2.7MB

Download
memory/360-47-0x0000000007540000-0x00000000077F2000-memory.dmp

Filesize
2.7MB

Download
memory/360-45-0x0000000007540000-0x00000000077F2000-memory.dmp

Filesize
2.7MB

Download
memory/360-43-0x0000000007540000-0x00000000077F2000-memory.dmp

Filesize
2.7MB

Download
memory/360-0-0x0000000000050000-0x000000000005A000-memory.dmp

Filesize
40KB

Download
memory/360-1-0x0000000074640000-0x0000000074D2E000-memory.dmp

Filesize
6.9MB

Download
memory/360-31-0x0000000007540000-0x00000000077F2000-memory.dmp

Filesize
2.7MB

Download
memory/360-5-0x0000000007540000-0x00000000077F2000-memory.dmp

Filesize
2.7MB

Download
memory/360-35-0x0000000007540000-0x00000000077F2000-memory.dmp

Filesize
2.7MB

Download
memory/360-33-0x0000000007540000-0x00000000077F2000-memory.dmp

Filesize
2.7MB

Download
memory/360-2-0x0000000001F00000-0x0000000001F40000-memory.dmp

Filesize
256KB

Download
memory/360-3-0x0000000007540000-0x00000000077F8000-memory.dmp

Filesize
2.7MB

Download
memory/360-4-0x0000000007540000-0x00000000077F2000-memory.dmp

Filesize
2.7MB

Download
memory/360-41-0x0000000007540000-0x00000000077F2000-memory.dmp

Filesize
2.7MB

Download
memory/360-29-0x0000000007540000-0x00000000077F2000-memory.dmp

Filesize
2.7MB

Download
memory/360-4906-0x0000000074640000-0x0000000074D2E000-memory.dmp

Filesize
6.9MB

Download
memory/1384-7125-0x000000001A240000-0x000000001A522000-memory.dmp

Filesize
2.9MB

Download
memory/1384-7126-0x0000000000DF0000-0x0000000000DF8000-memory.dmp

Filesize
32KB

Download
memory/2516-7117-0x00000000048D0000-0x0000000004926000-memory.dmp

Filesize
344KB

Download
memory/2516-7120-0x0000000074640000-0x0000000074D2E000-memory.dmp

Filesize
6.9MB

Download
memory/2516-4907-0x00000000006A0000-0x0000000000788000-memory.dmp

Filesize
928KB

Download
memory/2516-7116-0x0000000000540000-0x0000000000548000-memory.dmp

Filesize
32KB

Download
memory/2516-4905-0x0000000000170000-0x000000000021C000-memory.dmp

Filesize
688KB

Download
memory/2516-7118-0x0000000005330000-0x0000000005384000-memory.dmp

Filesize
336KB

Download
memory/2516-4908-0x0000000074640000-0x0000000074D2E000-memory.dmp

Filesize
6.9MB

Download
memory/2516-4909-0x0000000004950000-0x0000000004990000-memory.dmp

Filesize
256KB

Download
memory/3064-12024-0x0000000000400000-0x00000000004AC000-memory.dmp

Filesize
688KB

Download
memory/3972-7129-0x0000000000040000-0x000000000004A000-memory.dmp

Filesize
40KB

Download
memory/7248-28560-0x00000000042B0000-0x0000000004320000-memory.dmp

Filesize
448KB

Download
memory/7248-26250-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/7248-26251-0x0000000004700000-0x0000000004816000-memory.dmp

Filesize
1.1MB

Download
memory/7248-28558-0x0000000000540000-0x0000000000548000-memory.dmp

Filesize
32KB

Download
memory/7248-28559-0x0000000004810000-0x00000000048AE000-memory.dmp

Filesize
632KB

Download
memory/7248-28561-0x0000000001FD0000-0x0000000001FDA000-memory.dmp

Filesize
40KB

Download
memory/7248-28562-0x00000000052E0000-0x000000000535A000-memory.dmp

Filesize
488KB

Download
memory/7508-21353-0x00000000008A0000-0x00000000008AA000-memory.dmp

Filesize
40KB

Download
memory/7508-21354-0x00000000075D0000-0x00000000078C4000-memory.dmp

Filesize
3.0MB

Download
memory/7508-26235-0x0000000006070000-0x00000000061A0000-memory.dmp

Filesize
1.2MB

Download
memory/7968-14243-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/8100-14250-0x00000000013D0000-0x00000000013D8000-memory.dmp

Filesize
32KB

Download
memory/8100-14249-0x000000001A0A0000-0x000000001A382000-memory.dmp

Filesize
2.9MB

Download