Overview

overview

10

Static

static

3

winprofile

windows7-x64

10

winprofile

windows10-1703-x64

10

Analysis

  • max time kernel
    299s
  • max time network
    299s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    23-05-2024 23:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe

  • Size

    515KB

  • MD5

    148b2c38cf0726535d760a703f803c80

  • SHA1

    107503ca149f547d4745fe9b9a3fbae03d60126c

  • SHA256

    30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d

  • SHA512

    6b9c13d80fb24924604245f9046c28df75d009c6cd6f819ef2ac6e99a592acfc84473b4fcc6e2c1ccafd6001bb4a931a8ced6a968bd874e2ebf81cd8c714bdbd

  • SSDEEP

    12288:EMbx504bFjsNfn8lmwaYy//2hWc8CYBMQI4aqNA:Lbw4bR689aYy//2hDPYBMQI4aqN

Score
10/10
redlinesectopratxwormdocxdiscoveryexecutioninfostealerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:7000

beshomandotestbesnd.run.place:7000
Attributes
  • Install_directory

    %ProgramData%

  • install_file

    cmd.exe

  • telegram

    https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

Extracted

Family

redline

Botnet

DOCX

C2

beshomandotestbesnd.run.place:1111

Signatures

  • Contains code to disable Windows Defender 1 IoCs

    A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

  • Detect Xworm Payload 5 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 16 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 10 IoCs
  • Suspicious use of SetThreadContext 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 7 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies system certificate store 2 TTPs 6 IoCs
    evasionspywaretrojan
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 29 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
    "C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1920
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2688
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2828
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp453A.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:2784
    • C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe
      "C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe"
      2⤵
      • Drops startup file
      • Loads dropped DLL
      • Adds Run key to start application
      • Modifies system certificate store
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2536
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1184
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:800
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\cmd.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:752
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'cmd.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2028
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "cmd" /tr "C:\ProgramData\cmd.exe"
        3⤵
        • Creates scheduled task(s)
        PID:3036
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {8B1A5ADF-62B4-4116-A6C1-CBAD28643C3E} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2900
    • C:\ProgramData\cmd.exe
      C:\ProgramData\cmd.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1616
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\cmd.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:328
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2036
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF4F9.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:2920
      • C:\ProgramData\cmd.exe
        "C:\ProgramData\cmd.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1576
    • C:\ProgramData\cmd.exe
      C:\ProgramData\cmd.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1852
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\cmd.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2100
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2564
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDEFA.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1892
      • C:\ProgramData\cmd.exe
        "C:\ProgramData\cmd.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2496
    • C:\ProgramData\cmd.exe
      C:\ProgramData\cmd.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1368
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\cmd.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2276
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2208
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC958.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:2308
      • C:\ProgramData\cmd.exe
        "C:\ProgramData\cmd.exe"
        3⤵
        • Executes dropped EXE
        PID:748
      • C:\ProgramData\cmd.exe
        "C:\ProgramData\cmd.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2164
    • C:\ProgramData\cmd.exe
      C:\ProgramData\cmd.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1788
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\cmd.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:936
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:776
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB358.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:320
      • C:\ProgramData\cmd.exe
        "C:\ProgramData\cmd.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1528
    • C:\ProgramData\cmd.exe
      C:\ProgramData\cmd.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2156
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\cmd.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:644
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DzmQEVPXhX.exe"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2700
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DzmQEVPXhX" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9DC5.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:2692
      • C:\ProgramData\cmd.exe
        "C:\ProgramData\cmd.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1540

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

2
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Credential Access

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

2
T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\cmd.exe
    Filesize

    515KB

    MD5

    148b2c38cf0726535d760a703f803c80

    SHA1

    107503ca149f547d4745fe9b9a3fbae03d60126c

    SHA256

    30a110aa704b2beebbe56ad92cc4910defd943360d6bc10113e7fc17f9c31e7d

    SHA512

    6b9c13d80fb24924604245f9046c28df75d009c6cd6f819ef2ac6e99a592acfc84473b4fcc6e2c1ccafd6001bb4a931a8ced6a968bd874e2ebf81cd8c714bdbd

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    fdf2706c9d7b8f52fc016f9f25f914a3

    SHA1

    5c7bb3d869bfba037e60732d704f8f55c59678ed

    SHA256

    f9941bf75bb98f99b2d166dca795d3e3b535c05b77f7c04de7cdb65968ac701d

    SHA512

    ea0268f58011edc72db97151f7df96181fcff6e671b254447d2007bc20b99282049b848ddf3f4d067377119ff57d73e3ac5745cea780a93792422031e4e33a34

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Cab9F0F.tmp
    Filesize

    68KB

    MD5

    29f65ba8e88c063813cc50a4ea544e93

    SHA1

    05a7040d5c127e68c25d81cc51271ffb8bef3568

    SHA256

    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

    SHA512

    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Tar9F50.tmp
    Filesize

    177KB

    MD5

    435a9ac180383f9fa094131b173a2f7b

    SHA1

    76944ea657a9db94f9a4bef38f88c46ed4166983

    SHA256

    67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

    SHA512

    1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp453A.tmp
    Filesize

    1KB

    MD5

    f430ab40a3bb1f201e062bf06549b348

    SHA1

    052966b892e2b4eed4ddaa52c4ad0ea2132a6f56

    SHA256

    b9228199161c3d59bbeb0bb8bbaa852b15e1190eefdb9a8648bb58862303df6b

    SHA512

    4d7b67d571ba43f9f8de7a3e8241085671e83879b50c35adb97e8a786e0774935f7a8218152127d8ebfca129a04b712a5d6c03e34fcd3e60dd3459fa1a473de3

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpA5B7.tmp
    Filesize

    46KB

    MD5

    02d2c46697e3714e49f46b680b9a6b83

    SHA1

    84f98b56d49f01e9b6b76a4e21accf64fd319140

    SHA256

    522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

    SHA512

    60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpA5CD.tmp
    Filesize

    92KB

    MD5

    adcceda5b6171365bbbc249a4820b94d

    SHA1

    856e4f3221096f3213c13b42ef5b9e6bd23473db

    SHA256

    57218eeb0d28da594ea490e055aa831eced6156d5dc68bfa3774d8ddb9a014de

    SHA512

    97536d2d9d1f096351758d427aa443579f0e9a4965ec56ae9d829554f8901203a6fcb798b5aaf98cd733ed670669e420af29097160ceab36b207ca75b582d711

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    11b7bdcc3fabbcdb177892ec7b92e6de

    SHA1

    a455d8158b15b55e89903f02d3038ba9c97bb9a7

    SHA256

    06dd0b167e036302b6874d4e7f4c731ceab6d68faeaee9f147e6ca71310da06e

    SHA512

    b290ff9d9abdd84030a8bee762a5b4e1dca278a6b3ebb84bedbe037b98394df2c11d9ec423f709772cfd22ef154954e5f365f217e5cacc6790eea21afd0ea33c

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    becc102cb041890d40ad60d84ab8d20d

    SHA1

    32ad063b9c38e0f056884b84fa227f08f8af4991

    SHA256

    c6bd4bdc909393219dc6b17d209efb2ac1426846b2659c3bfa51a9f3f71572ef

    SHA512

    6c9aa0efbca34fd93dba8bff921f646641bc4cddf25b1627e13e4039e1b97cbdef83ec4f793476166860a114c3b3d2d674fdd8e7570f96bc52f5f888563e3006

    Download Submit
  • \??\PIPE\srvsvc
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • memory/1368-314-0x0000000000200000-0x0000000000288000-memory.dmp
    Filesize

    544KB

    Download
  • memory/1528-358-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1576-280-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1616-259-0x0000000001390000-0x0000000001418000-memory.dmp
    Filesize

    544KB

    Download
  • memory/1788-342-0x0000000000E30000-0x0000000000EB8000-memory.dmp
    Filesize

    544KB

    Download
  • memory/1920-5-0x0000000005B30000-0x0000000005B8A000-memory.dmp
    Filesize

    360KB

    Download
  • memory/1920-31-0x00000000742F0000-0x00000000749DE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1920-0-0x00000000742FE000-0x00000000742FF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1920-4-0x0000000000640000-0x0000000000650000-memory.dmp
    Filesize

    64KB

    Download
  • memory/1920-3-0x0000000001F10000-0x0000000001F2A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1920-2-0x00000000742F0000-0x00000000749DE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1920-1-0x0000000000240000-0x00000000002C8000-memory.dmp
    Filesize

    544KB

    Download
  • memory/2164-336-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2536-28-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

    Download
  • memory/2536-64-0x00000000021D0000-0x00000000021D8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2536-65-0x00000000070D0000-0x0000000007176000-memory.dmp
    Filesize

    664KB

    Download
  • memory/2536-66-0x0000000005A80000-0x0000000005AB4000-memory.dmp
    Filesize

    208KB

    Download
  • memory/2536-67-0x0000000006F40000-0x0000000006F8A000-memory.dmp
    Filesize

    296KB

    Download
  • memory/2536-68-0x0000000004860000-0x0000000004876000-memory.dmp
    Filesize

    88KB

    Download
  • memory/2536-63-0x0000000006E40000-0x0000000006E88000-memory.dmp
    Filesize

    288KB

    Download
  • memory/2536-62-0x0000000004620000-0x000000000463C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/2536-61-0x0000000007AA0000-0x0000000007D82000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2536-60-0x0000000000980000-0x000000000098E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/2536-59-0x0000000002040000-0x000000000205E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2536-20-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

    Download
  • memory/2536-22-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

    Download
  • memory/2536-24-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

    Download
  • memory/2536-26-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2536-27-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

    Download
  • memory/2536-30-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

    Download
  • memory/2536-18-0x0000000000400000-0x0000000000418000-memory.dmp
    Filesize

    96KB

    Download