Analysis
-
max time kernel
150s -
max time network
140s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
-
submitted
05-07-2024 01:08
General
-
Target
29772a95fb3ed50319dc74f8be52963ee621dc151ccd94b10ea14a7123c268f7.msi
-
Size
29.7MB
-
MD5
5421cd4bbb277efc5b163a75cac629ff
-
SHA1
0d20c0bb978dad6bbd9065ebfc20680c241ac1e0
-
SHA256
29772a95fb3ed50319dc74f8be52963ee621dc151ccd94b10ea14a7123c268f7
-
SHA512
c8446d76f4ec65bc3d6a3174407f88e377c8aa260ccbed083653d114271a81a91f166a7ab45ca3d1cbdf9917f8b5aebe87364da210b9160607f2fe59a76d893c
-
SSDEEP
786432:Ln1stHfbfy4zTE8R0BPtNg1LfjlszEJZ:GHfO4zTB8qF+zEJZ
Malware Config
Signatures
-
Creates new service(s) 2 TTPs
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Maps connected drives based on registry 3 TTPs 3 IoCs
Disk information is often read in order to detect sandboxing environments.
-
Drops file in Windows directory 14 IoCs
-
Executes dropped EXE 16 IoCs
-
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Loads dropped DLL 33 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 54 IoCs
-
Suspicious use of FindShellTrayWindow 27 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\29772a95fb3ed50319dc74f8be52963ee621dc151ccd94b10ea14a7123c268f7.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 2B41D8F0F6195EDAF4E32F0B319F56322⤵
- Loads dropped DLL
-
C:\Windows\Installer\MSICC8D.tmp"C:\Windows\Installer\MSICC8D.tmp" /DontWait /HideWindow "C:\Users\Admin\Documents\Windows10.cmd" C:\Users\Admin\Documents\2⤵
- Executes dropped EXE
-
C:\Windows\Installer\MSICC8E.tmp"C:\Windows\Installer\MSICC8E.tmp" /DontWait /HideWindow "C:\Users\Admin\Pictures\fotosdaviagem\cont.cmd" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\2⤵
- Executes dropped EXE
-
C:\Users\Admin\Pictures\fotosdaviagem\windows10.exe"C:\Users\Admin\Pictures\fotosdaviagem\windows10.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Pictures\fotosdaviagem\windows10.exe"C:\Users\Admin\Pictures\fotosdaviagem\windows10.exe" /systemstartup3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Pictures\fotosdaviagem\windows10.exe"C:\Users\Admin\Pictures\fotosdaviagem\windows10.exe" -type:exit-monitor-method:collectupload-session-token3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Pictures\fotosdaviagem\windows10.exe"C:\Users\Admin\Pictures\fotosdaviagem\windows10.exe" --type=utility--utility-sub-type=network.mojom.3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Pictures\fotosdaviagem\windows10.exe"C:\Users\Admin\Pictures\fotosdaviagem\windows10.exe" --type=gpu-process--field-trial-handle=4305.4743⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Pictures\fotosdaviagem\windows10.exe"C:\Users\Admin\Pictures\fotosdaviagem\windows10.exe" --type=renderer--field-trial-handle=4304.7549583⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Pictures\fotosdaviagem\windows10.exe"C:\Users\Admin\Pictures\fotosdaviagem\windows10.exe" neto24⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Pictures\fotosdaviagem\cont.cmd" C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://45.90.123.184/clientes/inspecionando.php2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffb1a1e46f8,0x7ffb1a1e4708,0x7ffb1a1e47183⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2240,1143849156315058143,13335320523494134241,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 /prefetch:23⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2240,1143849156315058143,13335320523494134241,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2240,1143849156315058143,13335320523494134241,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,1143849156315058143,13335320523494134241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,1143849156315058143,13335320523494134241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,1143849156315058143,13335320523494134241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,1143849156315058143,13335320523494134241,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,1143849156315058143,13335320523494134241,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,1143849156315058143,13335320523494134241,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:13⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,1143849156315058143,13335320523494134241,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:83⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,1143849156315058143,13335320523494134241,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2240,1143849156315058143,13335320523494134241,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4240 /prefetch:23⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Documents\Windows10.cmd" C:\Users\Admin\Documents\"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc create MeuServico binPath= "C:\Users\Admin\Pictures\fotosdaviagem\windows10.exe" start= auto2⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc start MeuServico2⤵
- Launches sc.exe
-
C:\Users\Admin\Pictures\fotosdaviagem\windows10.exeC:\Users\Admin\Pictures\fotosdaviagem\windows10.exe1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Pictures\fotosdaviagem\windows10.exe"C:\Users\Admin\Pictures\fotosdaviagem\windows10.exe" /systemstartup2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Pictures\fotosdaviagem\windows10.exe"C:\Users\Admin\Pictures\fotosdaviagem\windows10.exe" -type:exit-monitor-method:collectupload-session-token2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Pictures\fotosdaviagem\windows10.exe"C:\Users\Admin\Pictures\fotosdaviagem\windows10.exe" --type=utility--utility-sub-type=network.mojom.2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Pictures\fotosdaviagem\windows10.exe"C:\Users\Admin\Pictures\fotosdaviagem\windows10.exe" --type=gpu-process--field-trial-handle=4305.4742⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Pictures\fotosdaviagem\windows10.exe"C:\Users\Admin\Pictures\fotosdaviagem\windows10.exe" --type=renderer--field-trial-handle=4304.7549582⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Pictures\fotosdaviagem\windows10.exe"C:\Users\Admin\Pictures\fotosdaviagem\windows10.exe" neto23⤵
- Maps connected drives based on registry
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Installer Packages
1Privilege Escalation
Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Installer Packages
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Config.Msi\e57c556.rbsFilesize
8KB
MD5f8a550cee618043366281278a179e967
SHA11ededb43ee2cc7898549826e7ce32ad525488ca4
SHA256f6643225215a8287043fdc084a32744ac57c2dcd0a390f8d3c6c503fe2669d75
SHA512fbed668b784c02efae50f76adeda10bc939b8397249a0ed027034414fe5dce61174a6548ef2078b258701f7a8c03770c0a31fce08aa43c731a245fdd320d054d
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD55b6ff6669a863812dff3a9e76cb311e4
SHA1355f7587ad1759634a95ae191b48b8dbaa2f1631
SHA256c7fb7eea8bea4488bd4605df51aa560c0e1b11660e9228863eb4ad1be0a07906
SHA512d153b1412fadda28c0582984e135b819ba330e01d3299bb4887062ffd6d3303da4f2c4b64a3de277773f4756da361e7bc5885c226ae2a5cfdd16ee60512e2e5e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5fbc957a83b42f65c351e04ce810c1c11
SHA178dcdf88beec5a9c112c145f239aefb1203d55ad
SHA2567bb59b74f42792a15762a77ca69f52bf5cc4506261a67f78cd673a2d398e6128
SHA512efad54eb0bd521c30bc4a96b9d4cb474c4ca42b4c108e08983a60c880817f61bc19d97538cc09a54b2db95ab9c8996f790672e19fb3851a5d93f174acdfac0ce
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5a18b9a0f6dca6836e43899f8e1a9cdfb
SHA123f68d5244558039fd2180bb1fb5c1d303392efc
SHA256f115cbf82007ee1f273463bbc63500f140a3a3d3cc64e190768062e928516b9c
SHA512685ead80b9fbc57868e90355f05d0810ce26f6fa052b91b90c15e366dc3febec10f9d56ea046e5d0521aa06d503bbb4a3dcc1c00ecffc53d5f80b3493d8c151e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5ac1695a8c1ecf47111f9d87eccc2a232
SHA1cd6892c13e2834b974d6632278fd51f680a612f9
SHA2564deeb0a034e3b03c75942fbb6b1ed223431a45ee35c410fbdd7ec71d3d3513b4
SHA512faf31cd0ebbc6d4482282b5da273ef1fe900341681cb28447e16f04284c8e4a03b61368e20fda1daf3bdf6ab99c6f031f23064dbf7964ee0bbc17c4797111c9f
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5acc29b88b355f9b8b32973bd68211128
SHA1adfc6ddc76192e0aae50d3d44dd49ee914c6bc79
SHA25666177dd0dea9da6016f536d1c8b208d0b0e5060e473a1ba6873a7ad27225d9c1
SHA51227fdc7a3f8f430e2ff97d72ad8bb81316540e5267a786d6bf315648fd77adf2667a82e70330d2d755d01069dbf88fad75e550d6103ff0b397eb54eadbab4a025
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD51b7f88cbdcddceb305c7bcda4011e351
SHA150118503a207a2b219a287d1cb0236275b49cd98
SHA256899252d28361771798fc1018562e635b6cec4613592763d7f0435019a7175027
SHA512be36b77c331bc1135955e77c3deceefab88e42ef9d4f17f0c2fbaf00c685bccb465c8482781d5845be75ebed239cdd65aead0a89b21db29f8095cf1c2868ddff
-
C:\Users\Admin\AppData\Local\Temp\MSI7c3bd.LOGFilesize
21KB
MD56120c6596851c2a57766bba604b7d5c4
SHA110108ba7a6e353b4474ce75634a95b6712665eb1
SHA256aa1c6c0135ef9a018f4ed243143fa720ee925de94caf926f4e0f109e083b8055
SHA51201bd7f9c59ae8713a8540f61d26203f8eb5da5b4a0d0b0669b54a19045a109456bf1d67f70cf2b4ff4850a4a1265165513e64ab47e29904179875348422e5f32
-
C:\Users\Admin\Documents\Windows10.cmdFilesize
196B
MD51951a22dd00589b9d64f27075c96188b
SHA14cbedb39a682d217ea63693346d337e032b85a28
SHA256f1560195a61b8dfb6fdca79b328f2d221187efa8932dc9a4232c317bf8151292
SHA51241e39fee27a854c0f68cc70633f4cf51131e5eb15ce693db3e6ca90321e32b836e9497a111965ab20b65bfbf68cf5cceb28d14073ebb2dba7d1c9258bc55e084
-
C:\Users\Admin\Pictures\fotosdaviagem\STARBURN.DLLFilesize
12.5MB
MD51120f08674501ba801fc27ab40e4a25e
SHA16e98c6acaf47875996743a787cf763e163926c60
SHA25655efa31f8fcc414f08cb0b2f3598c05896315f956f1ecb7c61908a0b60100949
SHA512795c58da3cbe8944b086bdeb369978c9899e4aa924a9f7b10801e184005a581d84d0af14dfa0917be81d0be05ca0b3684c9909d228ecd788ba858d316e0d4d01
-
C:\Users\Admin\Pictures\fotosdaviagem\cont.cmdFilesize
53B
MD579f4017d8256fdfb1d7fa719a0cb4771
SHA173acd3cc6353ecff615bb8be2fb1b8d28bd0bf12
SHA256bdaa787d67f8b4b80b1d271c2d6ab4d6acc1c05df309d5efddfb3d0d4db93a0f
SHA512350ed557950074cad51412d05d755771137bbc83400b1c28997559f6023f91b0a3c953e6b6e52bb6264566ad078aa0b3a0b41b3d3caf9745513156138cb61e5b
-
C:\Users\Admin\Pictures\fotosdaviagem\windows10.exeFilesize
1.6MB
MD5bdc0cff1e6e3db489864041a623f0d1e
SHA1cf1beeec71abbfbe8a6f47abaaa6c1af2fee37dc
SHA256585741ca3c4041bb39d107f1f159d908650967fbccac3a491bca389cc4ba0769
SHA512aeaf1d2da43584ae91ea032c59a945ab91f721cc3b5bb98c2c7096dfd8c728b4ebf735491e06e934b4b1c9f1ccc719f950ad6f45e212f638b52c7af5efcc18db
-
C:\Windows\Installer\MSIC5FF.tmpFilesize
587KB
MD5cadbcf6f5a0199ecc0220ce23a860d89
SHA1073c149d68916520aea882e588ab9a5ae083d75a
SHA25642ef18c42fe06709f3c86157e2270358f3c93d14be2e173b8fae8edcefddfca0
SHA512cebb128bdc04e6b29df74bedcc375a340ac037563d828af3455de41f31d2e464f82f85c97ca9910a4a7c819efa906aa4a4560174f184cee316f53e3d2b5cdccc
-
C:\Windows\Installer\MSICC8D.tmpFilesize
414KB
MD5768b35409005592de2333371c6253bc8
SHA1e370b3cfd801fcdfdbeec90b0f7cbef5d2e6b69c
SHA25633b519696a7f4b5d4714e3a363b0f0f76e6ff576a05999e482ea484ad4acf5a5
SHA512bb8fae0fdce3d61dab48c1f79f3ce498159364d51fdfd2481cca3a60d009f6134194d48ea20de3e1f0c236bb9f6368f82d737a8153f7a1d492f44e197ea971ce
-
\??\pipe\LOCAL\crashpad_4668_XFQIKFLYTOQFABWBMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1172-175-0x00000000007C0000-0x00000000007C1000-memory.dmpFilesize
4KB
-
memory/1172-180-0x0000000003790000-0x0000000003791000-memory.dmpFilesize
4KB
-
memory/1172-179-0x0000000003780000-0x0000000003781000-memory.dmpFilesize
4KB
-
memory/1172-181-0x00000000037A0000-0x00000000037A1000-memory.dmpFilesize
4KB
-
memory/1172-177-0x00000000007F0000-0x00000000007F1000-memory.dmpFilesize
4KB
-
memory/1172-176-0x00000000007E0000-0x00000000007E1000-memory.dmpFilesize
4KB
-
memory/1172-178-0x0000000000800000-0x0000000000801000-memory.dmpFilesize
4KB
-
memory/1380-170-0x0000000003840000-0x0000000003841000-memory.dmpFilesize
4KB
-
memory/1380-160-0x00000000006E0000-0x00000000006E1000-memory.dmpFilesize
4KB
-
memory/1380-171-0x0000000003880000-0x0000000003881000-memory.dmpFilesize
4KB
-
memory/1380-159-0x00000000006C0000-0x00000000006C1000-memory.dmpFilesize
4KB
-
memory/1380-172-0x0000000003890000-0x0000000003891000-memory.dmpFilesize
4KB
-
memory/1380-173-0x00000000038A0000-0x00000000038A1000-memory.dmpFilesize
4KB
-
memory/1380-174-0x00000000038B0000-0x00000000038B1000-memory.dmpFilesize
4KB
-
memory/2052-190-0x0000000003890000-0x0000000003891000-memory.dmpFilesize
4KB
-
memory/2052-188-0x0000000003840000-0x0000000003841000-memory.dmpFilesize
4KB
-
memory/2052-187-0x0000000003830000-0x0000000003831000-memory.dmpFilesize
4KB
-
memory/2052-191-0x00000000039B0000-0x00000000039B1000-memory.dmpFilesize
4KB
-
memory/2052-189-0x0000000003850000-0x0000000003851000-memory.dmpFilesize
4KB
-
memory/2052-186-0x0000000000680000-0x0000000000681000-memory.dmpFilesize
4KB
-
memory/2052-192-0x00000000039C0000-0x00000000039C1000-memory.dmpFilesize
4KB
-
memory/2140-119-0x00000000008D0000-0x0000000001F40000-memory.dmpFilesize
22.4MB
-
memory/2140-139-0x0000000000400000-0x0000000000590000-memory.dmpFilesize
1.6MB
-
memory/2140-102-0x0000000002540000-0x0000000002541000-memory.dmpFilesize
4KB
-
memory/2140-99-0x00000000005B0000-0x00000000005B1000-memory.dmpFilesize
4KB
-
memory/2140-100-0x0000000002500000-0x0000000002501000-memory.dmpFilesize
4KB
-
memory/2140-104-0x0000000002560000-0x0000000002561000-memory.dmpFilesize
4KB
-
memory/2140-105-0x0000000002570000-0x0000000002571000-memory.dmpFilesize
4KB
-
memory/2140-103-0x0000000002550000-0x0000000002551000-memory.dmpFilesize
4KB
-
memory/2140-101-0x0000000002510000-0x0000000002511000-memory.dmpFilesize
4KB
-
memory/2604-162-0x0000000003840000-0x0000000003841000-memory.dmpFilesize
4KB
-
memory/2604-164-0x0000000003990000-0x0000000003991000-memory.dmpFilesize
4KB
-
memory/2604-158-0x00000000006C0000-0x00000000006C1000-memory.dmpFilesize
4KB
-
memory/2604-166-0x00000000039B0000-0x00000000039B1000-memory.dmpFilesize
4KB
-
memory/2604-165-0x00000000039A0000-0x00000000039A1000-memory.dmpFilesize
4KB
-
memory/2604-161-0x0000000003830000-0x0000000003831000-memory.dmpFilesize
4KB
-
memory/2604-163-0x0000000003980000-0x0000000003981000-memory.dmpFilesize
4KB
-
memory/2920-78-0x0000000000880000-0x0000000000881000-memory.dmpFilesize
4KB
-
memory/2920-138-0x0000000000400000-0x0000000000590000-memory.dmpFilesize
1.6MB
-
memory/2920-79-0x0000000000890000-0x0000000000891000-memory.dmpFilesize
4KB
-
memory/2920-80-0x00000000008A0000-0x00000000008A1000-memory.dmpFilesize
4KB
-
memory/2920-74-0x0000000000700000-0x0000000000701000-memory.dmpFilesize
4KB
-
memory/2920-77-0x0000000000760000-0x0000000000761000-memory.dmpFilesize
4KB
-
memory/2920-76-0x0000000000730000-0x0000000000731000-memory.dmpFilesize
4KB
-
memory/2920-75-0x0000000000720000-0x0000000000721000-memory.dmpFilesize
4KB
-
memory/2920-92-0x0000000000AB0000-0x0000000002120000-memory.dmpFilesize
22.4MB
-
memory/3952-201-0x00000000008A0000-0x00000000008A1000-memory.dmpFilesize
4KB
-
memory/3952-194-0x0000000000710000-0x0000000000711000-memory.dmpFilesize
4KB
-
memory/3952-193-0x00000000006B0000-0x00000000006B1000-memory.dmpFilesize
4KB
-
memory/3952-198-0x0000000000730000-0x0000000000731000-memory.dmpFilesize
4KB
-
memory/3952-199-0x0000000000880000-0x0000000000881000-memory.dmpFilesize
4KB
-
memory/3952-200-0x0000000000890000-0x0000000000891000-memory.dmpFilesize
4KB
-
memory/3952-195-0x0000000000720000-0x0000000000721000-memory.dmpFilesize
4KB
-
memory/4332-182-0x0000000000760000-0x0000000000761000-memory.dmpFilesize
4KB
-
memory/4332-169-0x0000000000730000-0x0000000000731000-memory.dmpFilesize
4KB
-
memory/4332-168-0x0000000000720000-0x0000000000721000-memory.dmpFilesize
4KB
-
memory/4332-184-0x0000000003790000-0x0000000003791000-memory.dmpFilesize
4KB
-
memory/4332-183-0x0000000003780000-0x0000000003781000-memory.dmpFilesize
4KB
-
memory/4332-167-0x00000000006B0000-0x00000000006B1000-memory.dmpFilesize
4KB
-
memory/4332-185-0x00000000037A0000-0x00000000037A1000-memory.dmpFilesize
4KB
-
memory/4444-203-0x0000000000820000-0x0000000000821000-memory.dmpFilesize
4KB
-
memory/4444-202-0x00000000006B0000-0x00000000006B1000-memory.dmpFilesize
4KB