Analysis
- max time kernel: 151s
- max time network: 121s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-05-2023 17:21
Static task: static1
Behavioral task: behavioral1
- Sample: 8A279783229E688A2324C224904473431CC5CAB7E6B85.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: 8A279783229E688A2324C224904473431CC5CAB7E6B85.exe
- Resource: win10v2004-20230220-en
General
- Target: 8A279783229E688A2324C224904473431CC5CAB7E6B85.exe
- Size: 466KB
- MD5: 2d8f60c9459f321d765ce1e50e49f41a
- SHA1: 15797084c07f8ce0ef427fd868a81ab95b10f549
- SHA256: 8a279783229e688a2324c224904473431cc5cab7e6b8538ac8256877cfd58384
- SHA512: c076c9588d48ded127c753d8d5e9d321535111042f97c286dc41711af86d02beeeec28b6a08de1d413462d9a5c7b4d20981d1327a5ecc4a5e04dba7edbb72b70
- SSDEEP: 12288:jHZKdRVIZcXwxHr7ypW4eSs1k2s5YqK7:FumcXg7aeSsQY9
Malware Config
Extracted
pony
http://roadstar.comeze.com/chinedu/gate.php
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 8A279783229E688A2324C224904473431CC5CAB7E6B85.exe, defragsvc.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | 8A279783229E688A2324C224904473431CC5CAB7E6B85.exe
Key value queried | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation | defragsvc.exe
-
Executes dropped EXE 3 IoCs
Processes: defragsvc.exe, AppReadiness.exe, AppReadiness.exe
pid | process
4768 | defragsvc.exe
212 | AppReadiness.exe
1668 | AppReadiness.exe
-
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 2 IoCs
Processes: 8A279783229E688A2324C224904473431CC5CAB7E6B85.exe, AppReadiness.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | 8A279783229E688A2324C224904473431CC5CAB7E6B85.exe
Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | AppReadiness.exe
-
Accesses Microsoft Outlook profiles 1 TTPs 2 IoCs
Processes: 8A279783229E688A2324C224904473431CC5CAB7E6B85.exe, AppReadiness.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | 8A279783229E688A2324C224904473431CC5CAB7E6B85.exe
Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | AppReadiness.exe
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes: defragsvc.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Application Readiness = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\defragsvc.exe" | defragsvc.exe
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 2 IoCs
Processes: 8A279783229E688A2324C224904473431CC5CAB7E6B85.exe, AppReadiness.exe
description | pid | process | target process
PID 3248 set thread context of 2024 | 3248 | 8A279783229E688A2324C224904473431CC5CAB7E6B85.exe | 8A279783229E688A2324C224904473431CC5CAB7E6B85.exe
PID 212 set thread context of 1668 | 212 | AppReadiness.exe | AppReadiness.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 8A279783229E688A2324C224904473431CC5CAB7E6B85.exe
pid | process
3248 | 8A279783229E688A2324C224904473431CC5CAB7E6B85.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: 8A279783229E688A2324C224904473431CC5CAB7E6B85.exe, 8A279783229E688A2324C224904473431CC5CAB7E6B85.exe, defragsvc.exe, AppReadiness.exe, AppReadiness.exe
description | pid | process
Token: SeDebugPrivilege | 3248 | 8A279783229E688A2324C224904473431CC5CAB7E6B85.exe
Token: SeImpersonatePrivilege | 2024 | 8A279783229E688A2324C224904473431CC5CAB7E6B85.exe
Token: SeTcbPrivilege | 2024 | 8A279783229E688A2324C224904473431CC5CAB7E6B85.exe
Token: SeChangeNotifyPrivilege | 2024 | 8A279783229E688A2324C224904473431CC5CAB7E6B85.exe
Token: SeCreateTokenPrivilege | 2024 | 8A279783229E688A2324C224904473431CC5CAB7E6B85.exe
Token: SeBackupPrivilege | 2024 | 8A279783229E688A2324C224904473431CC5CAB7E6B85.exe
Token: SeRestorePrivilege | 2024 | 8A279783229E688A2324C224904473431CC5CAB7E6B85.exe
Token: SeIncreaseQuotaPrivilege | 2024 | 8A279783229E688A2324C224904473431CC5CAB7E6B85.exe
Token: SeAssignPrimaryTokenPrivilege | 2024 | 8A279783229E688A2324C224904473431CC5CAB7E6B85.exe
Token: SeDebugPrivilege | 4768 | defragsvc.exe
Token: SeDebugPrivilege | 212 | AppReadiness.exe
Token: SeImpersonatePrivilege | 1668 | AppReadiness.exe
Token: SeTcbPrivilege | 1668 | AppReadiness.exe
Token: SeChangeNotifyPrivilege | 1668 | AppReadiness.exe
Token: SeCreateTokenPrivilege | 1668 | AppReadiness.exe
Token: SeBackupPrivilege | 1668 | AppReadiness.exe
Token: SeRestorePrivilege | 1668 | AppReadiness.exe
Token: SeIncreaseQuotaPrivilege | 1668 | AppReadiness.exe
Token: SeAssignPrimaryTokenPrivilege | 1668 | AppReadiness.exe
-
Suspicious use of WriteProcessMemory 20 IoCs
Processes: 8A279783229E688A2324C224904473431CC5CAB7E6B85.exe, defragsvc.exe, AppReadiness.exe
description | pid | process | target process
PID 3248 wrote to memory of 2024 | 3248 | 8A279783229E688A2324C224904473431CC5CAB7E6B85.exe | 8A279783229E688A2324C224904473431CC5CAB7E6B85.exe
PID 3248 wrote to memory of 4768 | 3248 | 8A279783229E688A2324C224904473431CC5CAB7E6B85.exe | defragsvc.exe
PID 4768 wrote to memory of 212 | 4768 | defragsvc.exe | AppReadiness.exe
PID 212 wrote to memory of 1668 | 212 | AppReadiness.exe | AppReadiness.exe
-
outlook_win_path 1 IoCs
Processes: AppReadiness.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | AppReadiness.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\8A279783229E688A2324C224904473431CC5CAB7E6B85.exe "C:\Users\Admin\AppData\Local\Temp\8A279783229E688A2324C224904473431CC5CAB7E6B85.exe" 1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\8A279783229E688A2324C224904473431CC5CAB7E6B85.exe "C:\Users\Admin\AppData\Local\Temp\8A279783229E688A2324C224904473431CC5CAB7E6B85.exe" 2⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\Microsoft\defragsvc.exe "C:\Users\Admin\AppData\Roaming\Microsoft\defragsvc.exe" 2⤵
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\AppReadiness.exe "C:\Users\Admin\AppData\Roaming\Microsoft\AppReadiness.exe" 3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\Microsoft\AppReadiness.exe "C:\Users\Admin\AppData\Roaming\Microsoft\AppReadiness.exe" 4⤵
- Executes dropped EXE
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of AdjustPrivilegeToken
- outlook_win_path
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Roaming\Microsoft\AppReadiness.exe
Filesize: 466KB
MD5: 2d8f60c9459f321d765ce1e50e49f41a
SHA1: 15797084c07f8ce0ef427fd868a81ab95b10f549
SHA256: 8a279783229e688a2324c224904473431cc5cab7e6b8538ac8256877cfd58384
SHA512: c076c9588d48ded127c753d8d5e9d321535111042f97c286dc41711af86d02beeeec28b6a08de1d413462d9a5c7b4d20981d1327a5ecc4a5e04dba7edbb72b70
-
C:\Users\Admin\AppData\Roaming\Microsoft\defragsvc.exe
Filesize: 9KB
MD5: 261fc7ece0f6555f9632b1898f107f29
SHA1: dd8dcc25e5a777c323ce0c745f31d427f17b184f
SHA256: 86be12e7a264ae36af435dad626138523614da93bb803c260890601bd617ec74
SHA512: 4fb6163e453202140d44aae22289aa80efa42c7d9214004ddc65400b1468145788b0331e8be6b78e1acbc9d197d3a51dc9e75809632ad4c204e49b835deda303