xred | c4725acb89a78055d4f6115483ead7545dab60cfebc3193b0264b9c41e63b6a2

Analysis

max time kernel
133s
max time network
144s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
20-12-2024 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe
Size

8.6MB
MD5

1ca90ba487b5c8d6c88ec057c64d9234
SHA1

17dd50607690977d796952904a13113efba19219
SHA256

c4725acb89a78055d4f6115483ead7545dab60cfebc3193b0264b9c41e63b6a2
SHA512

b0abbff71ef81581490cf17e2b0e4398735e7ae6082fdcf75e864b23d96cd0acd5f4e9df9429cc8c71ab475ab7289bc10cbc4f8f073090576732f36294d4604d
SSDEEP

98304:uwIMFaSRowIMFaSRYwIMFaSRowIMFaSRwwIMFaSR6OU/jIEeQfoR/IuOFVjUu5:TJRNJR9JRNJRFJR6FIF0wu

Score

10^/10

xred xworm backdoor discovery execution persistence rat trojan

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

xworm

Version

3.1

23.26.201.172:8899

Mutex

REaMgxQu68UQguvi

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 4 IoCs

resource	yara_rule
behavioral1/memory/2708-34-0x0000000000400000-0x00000000004CB000-memory.dmp	family_xworm
behavioral1/memory/2708-35-0x0000000000400000-0x00000000004CB000-memory.dmp	family_xworm
behavioral1/files/0x000a00000001628b-42.dat	family_xworm
behavioral1/memory/920-60-0x0000000000980000-0x000000000098E000-memory.dmp	family_xworm

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2664	powershell.exe
2860	powershell.exe
1256	powershell.exe
1796	powershell.exe

Executes dropped EXE 7 IoCs

pid	Process
920	._cache_2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe
856	Synaptics.exe
3024	Synaptics.exe
2476	Synaptics.exe
1012	Synaptics.exe
544	Synaptics.exe
448	Synaptics.exe

Loads dropped DLL 2 IoCs

pid	Process
2708	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe
2708	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2392 set thread context of 2708	2392	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe	37

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2960	schtasks.exe
1816	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2392	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe
2860	powershell.exe
2392	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe
2664	powershell.exe
920	._cache_2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe
856	Synaptics.exe
1256	powershell.exe
856	Synaptics.exe
856	Synaptics.exe
1796	powershell.exe
856	Synaptics.exe
856	Synaptics.exe
856	Synaptics.exe
856	Synaptics.exe
856	Synaptics.exe
856	Synaptics.exe
856	Synaptics.exe
856	Synaptics.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2392	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	920	._cache_2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe
Token: SeDebugPrivilege	856	Synaptics.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
920	._cache_2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2664	2392	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe	31
PID 2392 wrote to memory of 2664	2392	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe	31
PID 2392 wrote to memory of 2664	2392	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe	31
PID 2392 wrote to memory of 2664	2392	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe	31
PID 2392 wrote to memory of 2860	2392	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe	33
PID 2392 wrote to memory of 2860	2392	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe	33
PID 2392 wrote to memory of 2860	2392	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe	33
PID 2392 wrote to memory of 2860	2392	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe	33
PID 2392 wrote to memory of 2960	2392	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe	35
PID 2392 wrote to memory of 2960	2392	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe	35
PID 2392 wrote to memory of 2960	2392	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe	35
PID 2392 wrote to memory of 2960	2392	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe	35
PID 2392 wrote to memory of 2708	2392	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe	37
PID 2392 wrote to memory of 2708	2392	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe	37
PID 2392 wrote to memory of 2708	2392	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe	37
PID 2392 wrote to memory of 2708	2392	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe	37
PID 2392 wrote to memory of 2708	2392	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe	37
PID 2392 wrote to memory of 2708	2392	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe	37
PID 2392 wrote to memory of 2708	2392	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe	37
PID 2392 wrote to memory of 2708	2392	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe	37
PID 2392 wrote to memory of 2708	2392	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe	37
PID 2392 wrote to memory of 2708	2392	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe	37
PID 2392 wrote to memory of 2708	2392	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe	37
PID 2392 wrote to memory of 2708	2392	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe	37
PID 2708 wrote to memory of 920	2708	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe	38
PID 2708 wrote to memory of 920	2708	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe	38
PID 2708 wrote to memory of 920	2708	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe	38
PID 2708 wrote to memory of 920	2708	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe	38
PID 2708 wrote to memory of 856	2708	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe	39
PID 2708 wrote to memory of 856	2708	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe	39
PID 2708 wrote to memory of 856	2708	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe	39
PID 2708 wrote to memory of 856	2708	2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe	39
PID 856 wrote to memory of 1796	856	Synaptics.exe	40
PID 856 wrote to memory of 1796	856	Synaptics.exe	40
PID 856 wrote to memory of 1796	856	Synaptics.exe	40
PID 856 wrote to memory of 1796	856	Synaptics.exe	40
PID 856 wrote to memory of 1256	856	Synaptics.exe	42
PID 856 wrote to memory of 1256	856	Synaptics.exe	42
PID 856 wrote to memory of 1256	856	Synaptics.exe	42
PID 856 wrote to memory of 1256	856	Synaptics.exe	42
PID 856 wrote to memory of 1816	856	Synaptics.exe	44
PID 856 wrote to memory of 1816	856	Synaptics.exe	44
PID 856 wrote to memory of 1816	856	Synaptics.exe	44
PID 856 wrote to memory of 1816	856	Synaptics.exe	44
PID 856 wrote to memory of 2476	856	Synaptics.exe	46
PID 856 wrote to memory of 2476	856	Synaptics.exe	46
PID 856 wrote to memory of 2476	856	Synaptics.exe	46
PID 856 wrote to memory of 2476	856	Synaptics.exe	46
PID 856 wrote to memory of 3024	856	Synaptics.exe	47
PID 856 wrote to memory of 3024	856	Synaptics.exe	47
PID 856 wrote to memory of 3024	856	Synaptics.exe	47
PID 856 wrote to memory of 3024	856	Synaptics.exe	47
PID 856 wrote to memory of 544	856	Synaptics.exe	48
PID 856 wrote to memory of 544	856	Synaptics.exe	48
PID 856 wrote to memory of 544	856	Synaptics.exe	48
PID 856 wrote to memory of 544	856	Synaptics.exe	48
PID 856 wrote to memory of 1012	856	Synaptics.exe	49
PID 856 wrote to memory of 1012	856	Synaptics.exe	49
PID 856 wrote to memory of 1012	856	Synaptics.exe	49
PID 856 wrote to memory of 1012	856	Synaptics.exe	49
PID 856 wrote to memory of 448	856	Synaptics.exe	50
PID 856 wrote to memory of 448	856	Synaptics.exe	50
PID 856 wrote to memory of 448	856	Synaptics.exe	50
PID 856 wrote to memory of 448	856	Synaptics.exe	50

C:\Users\Admin\AppData\Local\Temp\2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2664
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rgrkFqQ.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2860
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rgrkFqQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp751.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2960
- C:\Users\Admin\AppData\Local\Temp\2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Users\Admin\AppData\Local\Temp\._cache_2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:920
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:856
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1796
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\rgrkFqQ.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1256
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\rgrkFqQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3F61.tmp"
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1816
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Executes dropped EXE
      PID:2476
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Executes dropped EXE
      PID:3024
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Executes dropped EXE
      PID:544
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Executes dropped EXE
      PID:1012
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Executes dropped EXE
      PID:448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
8.6MB

MD5
1ca90ba487b5c8d6c88ec057c64d9234

SHA1
17dd50607690977d796952904a13113efba19219

SHA256
c4725acb89a78055d4f6115483ead7545dab60cfebc3193b0264b9c41e63b6a2

SHA512
b0abbff71ef81581490cf17e2b0e4398735e7ae6082fdcf75e864b23d96cd0acd5f4e9df9429cc8c71ab475ab7289bc10cbc4f8f073090576732f36294d4604d

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_2024-12-20_1ca90ba487b5c8d6c88ec057c64d9234_avoslocker_hijackloader_luca-stealer.exe

Filesize
33KB

MD5
0201f6d2fa823471b937234b7ea29d6b

SHA1
ee4e6d415a529e14381ebdf9a68347cdac57792d

SHA256
76a1329afd87d9c83bff12bb13f73917aaef94e5729f0ef460078d2876337fdb

SHA512
b9cad8c42d67b9854bfc8fe7b37fc6f7a39e59e556e8975eb26bd42de10c502fba8a848a04d8ef26679b6ffc8b7e22e1af1d46f1ddf85bda4fd35ef4c1cdfea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp751.tmp

Filesize
1KB

MD5
a41ecd0cdf39f1753e8ee30dd8baf84c

SHA1
e478e5209e8b67b4fcc50ec49cee1d8b83aaad7a

SHA256
5df4e065b8cf221d9ec29859bbd7246557a6563f52be3b58d6d872c5f42694e5

SHA512
d0574c97834e7a83b65e3fa91f09ca5100505fbe509f9abb34ff9c44807dbcc488a982d06ceb5e29213c04d5de82c8957ba6285485ccad70810b4d7a578d5a6f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\WACKP42Q5UGFUYNYTF6Z.temp

Filesize
7KB

MD5
7945d798cdbb7372d0a3ccfc3bcb8efb

SHA1
34d1b8e6a3e13fb3d314c89c411235d66382c3ea

SHA256
7092c4d5d095712d9c346101de17e7fb666499952a4b0ab30baa18fa406c518c

SHA512
2d4914017c4f8f43d711e471ecd2354971a7a5b28a87f0423bf291d1eedc811b9ce2deeb94649c668f245d643072fd86a84b2cfc6c3a28214652d6a28a823883

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
75497b93f0e5a2eff44bfc5bd0426077

SHA1
ebb241e6e34b71c80463d420c93fec67d76a8e29

SHA256
8b93a832d90f8149999e9c3192fef8e7e62990f14a04cd98e4156a4fe00da9de

SHA512
b688359c94d93a112abc0a2ed24b2959bd398a38c21a929f346ac20d6a1475610f8152ce37d3c211029514a918c2dabcf910c7a4cacebfd9537e60ef612d85dd

Download Submit
memory/856-59-0x00000000000F0000-0x0000000000988000-memory.dmp

Filesize
8.6MB

Download
memory/920-60-0x0000000000980000-0x000000000098E000-memory.dmp

Filesize
56KB

Download
memory/2392-3-0x0000000000380000-0x0000000000390000-memory.dmp

Filesize
64KB

Download
memory/2392-6-0x0000000005F60000-0x000000000606C000-memory.dmp

Filesize
1.0MB

Download
memory/2392-5-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/2392-4-0x00000000746FE000-0x00000000746FF000-memory.dmp

Filesize
4KB

Download
memory/2392-36-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/2392-0-0x00000000746FE000-0x00000000746FF000-memory.dmp

Filesize
4KB

Download
memory/2392-2-0x00000000746F0000-0x0000000074DDE000-memory.dmp

Filesize
6.9MB

Download
memory/2392-1-0x0000000001150000-0x00000000019E8000-memory.dmp

Filesize
8.6MB

Download
memory/2708-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2708-25-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2708-23-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2708-19-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2708-27-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2708-29-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2708-31-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2708-35-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2708-34-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2708-21-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download