Analysis
-
max time kernel
74s -
max time network
154s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
-
submitted
31-03-2024 16:20
General
-
Target
d8e7df897c535c5ae0b84f0eddab9711bc171ba21905f5b82026c233ba1983b5.exe
-
Size
276KB
-
MD5
a8f58a9434757e7b2ff022e0e1e670f5
-
SHA1
0aa5202dc6345aeba38d4305b3a0716d6d95e851
-
SHA256
d8e7df897c535c5ae0b84f0eddab9711bc171ba21905f5b82026c233ba1983b5
-
SHA512
3dd1ceb3d92c0ab0ce9d18003835c0d8440dabf7465a6fd2a78dad30fb445880ab844e736e8158e41b48699354229bad54774f502db747196d49532d5cf02520
-
SSDEEP
3072:l8GSu2dLtaC+JwZXhrXnEgFC/KOe+hIY788jerENkVTvGBlMTOa:l8PREC11ntFMKd+hIg8QeEkVTGBCT
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
djvu
http://sajdfue.com/test1/get.php
-
extension
.vook
-
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
-
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0857PsawqS
Signatures
-
DcRat 4 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detected Djvu ransomware 9 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 9 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 7 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 3 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 2 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 61 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 12 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 42 IoCs
-
Suspicious use of FindShellTrayWindow 36 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 49 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d8e7df897c535c5ae0b84f0eddab9711bc171ba21905f5b82026c233ba1983b5.exe"C:\Users\Admin\AppData\Local\Temp\d8e7df897c535c5ae0b84f0eddab9711bc171ba21905f5b82026c233ba1983b5.exe"1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\25A4.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\39C9.exeC:\Users\Admin\AppData\Local\Temp\39C9.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\39C9.exeC:\Users\Admin\AppData\Local\Temp\39C9.exe2⤵
- DcRat
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\24cecf6b-9935-4be1-b04d-0a9c3660a6ee" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\39C9.exe"C:\Users\Admin\AppData\Local\Temp\39C9.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\39C9.exe"C:\Users\Admin\AppData\Local\Temp\39C9.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4104 -s 6005⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4104 -ip 41041⤵
-
C:\Users\Admin\AppData\Local\Temp\68E8.exeC:\Users\Admin\AppData\Local\Temp\68E8.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\750F.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\A382.exeC:\Users\Admin\AppData\Local\Temp\A382.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\A382.exe"C:\Users\Admin\AppData\Local\Temp\A382.exe"2⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
Modify Registry
3Impair Defenses
1Disable or Modify System Firewall
1File and Directory Permissions Modification
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.dbFilesize
14KB
MD585601b2b428dc78c99e8528b26ec3b16
SHA1bc30b5047775bcf032943f7a565589fc24661e46
SHA25656f3747be56715c8cf4c1f4ac3dd5e40d90c45bf92d90f8e93f72af20e9da314
SHA51286ccdee58409cbeb3312409b1b9631c3cbe31049f82eaa79cfa10d6b327baef0dc8a9c94b0ed4edc584b62b9db6a23db2f49674c05289672c1141b8d411ce794
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\ServiceWorkerFiles\CC70EBE0-68CD-4E50-8054-E45E06C06EF7\Zrtu2hQ08VU_1.bytecodeFilesize
62KB
MD50b25b1db865befd85c8dbb891606eb04
SHA15d20af2954fc5b48e375f5412146d2ae41724f1e
SHA2569094f9cd8e59a4be74f92439937bde4dd1667deb30f64f0ed5b10de5abeb2b96
SHA512e35e3528103977db2316dd12bac9b3a3032cdff0ff41c7393b07e92483c01cfc874e229f7a3c133a9cdd9eb7f67fca00bb1e29b304176bad93d93d93779fcd2b
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\ServiceWorkerFiles\CC70EBE0-68CD-4E50-8054-E45E06C06EF7\Zrtu2hQ08VU_1.metadataFilesize
192B
MD59a39d50d274ad6e711d1880e78f8ee0a
SHA11157dd8b65b8812a0d5295105e643ef6620eb2bb
SHA256917fad650e8b812b0fc4712a40227262fb32b97e89b991e198c7842e9b8734a3
SHA512e643ede9c9c48c7a7a70118d51c363f691a3212e5193ef864dba6710404d043c90030add6c6ab2335009685dcb20e5538b53d92f4ec9b8ff971a250742aba26d
-
C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118AFilesize
313B
MD59e2894966f23deadb4f3dc16bd232322
SHA12271443489989974f804460fbf151acc783e3853
SHA2561fd75c18f6137dac09c56d8cc27d655a576860eea3405533f3334a230989d078
SHA5126c73acf7fb52fdb3b9bd96e5b509826e3ffc794227225f2d12c83b1cde830f4c889f34f68c17408da656745a06d1e77c0d94133dc575ce05462383ce3e991610
-
C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118AFilesize
404B
MD5ea3725eb4ad88e7d9033222626bab5a4
SHA179cce0352452054d4e24730938fa43a99800db01
SHA256d92e793e6306d1fe3c99a5821f509239394db49638815b54ae0eafc4aeaf4f99
SHA512948087ff98c189d795c08f36a6dec70e5013131c4bd11c16de663dc8b6b1e7a0479af64d67f1fd3eff4b3951fc97f7dcd9c5b7212f98e5c9e5647a2314f36640
-
C:\Users\Admin\AppData\Local\Temp\25A4.batFilesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
C:\Users\Admin\AppData\Local\Temp\39C9.exeFilesize
812KB
MD5e1c4f10677adcc136df799b235dbe4d8
SHA10b2df4e7438a4e1e0b3f50057b2d2ae21a71c258
SHA25642e0af781ac22fab976241ffc0475f76c514c90a60fd095533e867dd1c7d3e34
SHA51247c6e408ebfd4bc2906b8289392c9f79a696c08c6429523f4b48b0b0756c69ae9a7542b2ea996c13aa7200376a5ddd3947b752cfc697218e70ff690921a6f48c
-
C:\Users\Admin\AppData\Local\Temp\68E8.exeFilesize
6.5MB
MD59e52aa572f0afc888c098db4c0f687ff
SHA1ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b
SHA2564a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443
SHA512d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62
-
C:\Users\Admin\AppData\Local\Temp\A382.exeFilesize
4.2MB
MD5736e63b1bc1ebcc7fd7d9e323933262f
SHA1c7eb7a7a3ea02141e00b3d3e1d6746bc516eafcb
SHA2562ff74f83996a6969aea1565692678ed04ff3204b8c6a448905116236cea9f80a
SHA5127fd7c71daed24ca4159fe8a78d327871aa8be05d411d2f94508c66c9d3a9e79f577014e920cdd9c0e1122f95e604d7640084d5f1e29a2599ac7180e7c4c2dd20
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_13qhtjw3.fso.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5d0c46cad6c0778401e21910bd6b56b70
SHA17be418951ea96326aca445b8dfe449b2bfa0dca6
SHA2569600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD56d4de127da2d556cd4a5ebf6e2e77545
SHA161df466a538421ee309a41ece08a3ab1e77a9106
SHA256691c6d8c62bcb5de85926aa97cf282ff1d3fe09e9e31f1ca31f19e4c6c15ed98
SHA512ebde96a681c0cab9a30e31becc6184d3cb01e6c67b7f9178e9a6ba61d84966f7150e56dd790b4e6b857232da8e347bacc2a4d20b5af22714719f734eca2ebc36
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD57f0216edd7ac38daa7ecb31f26b50292
SHA19ee48558dfd5a0fede6388db6786df0cd16284b3
SHA256c0f9ed1506843f1c4ea8a46946dd5112d9d1bedba80bd943a904abd76b3cb29a
SHA512bca3e64cfc57369ee06ec996d8b6fea24015b409cf5dc0e6cc4abbf1291a5e7ab321052241455006dea6aa906ca0362dfb5f2be531976562387a1a66586a6ae0
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5f7df3010ca9ba26977bbab1ae11bfaa8
SHA149cfb17e231d05e08c1ff67fc1083034794b9e03
SHA2562da2e21517be971ee335f9806901272cb1d6947bf4b68e85f4fbe886ec4ad2c2
SHA5126cff029845116cac6ba0739616415d1515f63caba8a089a9ea7dcbe219c8a6161c77aa374dbfa3b2209e44b4642a08acc0c7d30e79badb60835def2384de323b
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD57c91446ef822d911da05f9b5610a155b
SHA19727f677d8cca5bf61276f5fd57101cbb996fe44
SHA256e60d6dd1f9f28fffd2999b5531cdf234a6407742fd1f163bcc7fe716c4cde1de
SHA51261286bf039b4d003606946ce4778b0b858086173a443c0b7d1c4f088199322ad6d0cf8d7cc33793cc70f4ee94e9da47d37465cb08f2ee3ed0a05c4c37afb4a08
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5fec306724dbba3f2e4c7c22833883ecb
SHA10abd5b6e8295c3a617c124557101516700a860c1
SHA2566d90f56548d9d91701da20c1cf4311b3b4b728a0e8cc96bdd9358dd9be089ea4
SHA5129a60097422f03c646966234f351f0f3d1c8fd9553c274da9aa864db2e62892e21897a612f43deb7545d1ac77706f1f702cfd0e00549af4f5d200b53d89bb15a1
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/244-425-0x0000000000400000-0x0000000003130000-memory.dmpFilesize
45.2MB
-
memory/244-414-0x0000000000400000-0x0000000003130000-memory.dmpFilesize
45.2MB
-
memory/244-370-0x0000000000400000-0x0000000003130000-memory.dmpFilesize
45.2MB
-
memory/244-300-0x0000000000400000-0x0000000003130000-memory.dmpFilesize
45.2MB
-
memory/716-575-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/904-44-0x00000000049C0000-0x0000000004A61000-memory.dmpFilesize
644KB
-
memory/1260-102-0x0000000004040000-0x0000000004140000-memory.dmpFilesize
1024KB
-
memory/1260-115-0x0000000004140000-0x0000000004180000-memory.dmpFilesize
256KB
-
memory/1260-63-0x00000000005A0000-0x0000000001285000-memory.dmpFilesize
12.9MB
-
memory/1260-67-0x0000000003520000-0x0000000003521000-memory.dmpFilesize
4KB
-
memory/1260-68-0x0000000003520000-0x0000000003560000-memory.dmpFilesize
256KB
-
memory/1260-69-0x0000000003520000-0x0000000003560000-memory.dmpFilesize
256KB
-
memory/1260-70-0x0000000003520000-0x0000000003560000-memory.dmpFilesize
256KB
-
memory/1260-74-0x0000000004040000-0x0000000004140000-memory.dmpFilesize
1024KB
-
memory/1260-75-0x0000000004040000-0x0000000004140000-memory.dmpFilesize
1024KB
-
memory/1260-76-0x0000000004040000-0x0000000004140000-memory.dmpFilesize
1024KB
-
memory/1260-77-0x0000000004040000-0x0000000004140000-memory.dmpFilesize
1024KB
-
memory/1260-78-0x0000000004040000-0x0000000004140000-memory.dmpFilesize
1024KB
-
memory/1260-79-0x0000000004040000-0x0000000004140000-memory.dmpFilesize
1024KB
-
memory/1260-81-0x0000000004040000-0x0000000004140000-memory.dmpFilesize
1024KB
-
memory/1260-82-0x0000000004040000-0x0000000004140000-memory.dmpFilesize
1024KB
-
memory/1260-83-0x0000000004040000-0x0000000004140000-memory.dmpFilesize
1024KB
-
memory/1260-84-0x0000000004040000-0x0000000004140000-memory.dmpFilesize
1024KB
-
memory/1260-85-0x0000000004040000-0x0000000004140000-memory.dmpFilesize
1024KB
-
memory/1260-86-0x0000000004040000-0x0000000004140000-memory.dmpFilesize
1024KB
-
memory/1260-87-0x0000000004040000-0x0000000004140000-memory.dmpFilesize
1024KB
-
memory/1260-88-0x0000000004040000-0x0000000004140000-memory.dmpFilesize
1024KB
-
memory/1260-89-0x0000000004040000-0x0000000004140000-memory.dmpFilesize
1024KB
-
memory/1260-90-0x0000000004040000-0x0000000004140000-memory.dmpFilesize
1024KB
-
memory/1260-91-0x0000000004040000-0x0000000004140000-memory.dmpFilesize
1024KB
-
memory/1260-92-0x0000000004040000-0x0000000004140000-memory.dmpFilesize
1024KB
-
memory/1260-93-0x0000000004040000-0x0000000004140000-memory.dmpFilesize
1024KB
-
memory/1260-94-0x0000000004040000-0x0000000004140000-memory.dmpFilesize
1024KB
-
memory/1260-95-0x0000000004040000-0x0000000004140000-memory.dmpFilesize
1024KB
-
memory/1260-96-0x0000000004040000-0x0000000004140000-memory.dmpFilesize
1024KB
-
memory/1260-97-0x0000000004040000-0x0000000004140000-memory.dmpFilesize
1024KB
-
memory/1260-98-0x0000000004040000-0x0000000004140000-memory.dmpFilesize
1024KB
-
memory/1260-99-0x0000000004040000-0x0000000004140000-memory.dmpFilesize
1024KB
-
memory/1260-100-0x0000000004040000-0x0000000004140000-memory.dmpFilesize
1024KB
-
memory/1260-101-0x0000000004040000-0x0000000004140000-memory.dmpFilesize
1024KB
-
memory/1260-54-0x00000000005A0000-0x0000000001285000-memory.dmpFilesize
12.9MB
-
memory/1260-103-0x0000000004040000-0x0000000004140000-memory.dmpFilesize
1024KB
-
memory/1260-104-0x0000000004140000-0x0000000004180000-memory.dmpFilesize
256KB
-
memory/1260-105-0x0000000004140000-0x0000000004180000-memory.dmpFilesize
256KB
-
memory/1260-106-0x0000000004140000-0x0000000004180000-memory.dmpFilesize
256KB
-
memory/1260-107-0x0000000004140000-0x0000000004180000-memory.dmpFilesize
256KB
-
memory/1260-108-0x0000000004140000-0x0000000004180000-memory.dmpFilesize
256KB
-
memory/1260-109-0x0000000004140000-0x0000000004180000-memory.dmpFilesize
256KB
-
memory/1260-111-0x0000000004140000-0x0000000004180000-memory.dmpFilesize
256KB
-
memory/1260-112-0x0000000004140000-0x0000000004180000-memory.dmpFilesize
256KB
-
memory/1260-110-0x0000000004140000-0x0000000004180000-memory.dmpFilesize
256KB
-
memory/1260-113-0x0000000004140000-0x0000000004180000-memory.dmpFilesize
256KB
-
memory/1260-114-0x0000000004140000-0x0000000004180000-memory.dmpFilesize
256KB
-
memory/1260-65-0x0000000003510000-0x0000000003511000-memory.dmpFilesize
4KB
-
memory/1260-117-0x0000000004140000-0x0000000004180000-memory.dmpFilesize
256KB
-
memory/1260-116-0x0000000004140000-0x0000000004180000-memory.dmpFilesize
256KB
-
memory/1260-118-0x0000000004140000-0x0000000004180000-memory.dmpFilesize
256KB
-
memory/1260-119-0x0000000004140000-0x0000000004180000-memory.dmpFilesize
256KB
-
memory/1260-120-0x0000000004140000-0x0000000004180000-memory.dmpFilesize
256KB
-
memory/1260-121-0x0000000004140000-0x0000000004180000-memory.dmpFilesize
256KB
-
memory/1260-123-0x0000000004140000-0x0000000004180000-memory.dmpFilesize
256KB
-
memory/1260-122-0x0000000004140000-0x0000000004180000-memory.dmpFilesize
256KB
-
memory/1260-124-0x0000000004140000-0x0000000004180000-memory.dmpFilesize
256KB
-
memory/1260-125-0x0000000004140000-0x0000000004180000-memory.dmpFilesize
256KB
-
memory/1260-126-0x0000000004140000-0x0000000004180000-memory.dmpFilesize
256KB
-
memory/1260-64-0x0000000003500000-0x0000000003501000-memory.dmpFilesize
4KB
-
memory/1260-62-0x00000000034F0000-0x00000000034F1000-memory.dmpFilesize
4KB
-
memory/1260-59-0x00000000019F0000-0x00000000019F1000-memory.dmpFilesize
4KB
-
memory/1260-60-0x0000000001A00000-0x0000000001A01000-memory.dmpFilesize
4KB
-
memory/1260-61-0x0000000001A20000-0x0000000001A21000-memory.dmpFilesize
4KB
-
memory/1724-238-0x0000000000400000-0x0000000003130000-memory.dmpFilesize
45.2MB
-
memory/1996-371-0x000002A7B5380000-0x000002A7B53A0000-memory.dmpFilesize
128KB
-
memory/2408-38-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2408-21-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2408-24-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2408-25-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2408-26-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/2500-5-0x0000000000400000-0x0000000002D44000-memory.dmpFilesize
41.3MB
-
memory/2500-2-0x0000000002FF0000-0x0000000002FFB000-memory.dmpFilesize
44KB
-
memory/2500-3-0x0000000000400000-0x0000000002D44000-memory.dmpFilesize
41.3MB
-
memory/2500-1-0x0000000003050000-0x0000000003150000-memory.dmpFilesize
1024KB
-
memory/3108-22-0x0000000004BE0000-0x0000000004CFB000-memory.dmpFilesize
1.1MB
-
memory/3108-20-0x0000000004990000-0x0000000004A2A000-memory.dmpFilesize
616KB
-
memory/3224-4-0x0000000000F30000-0x0000000000F46000-memory.dmpFilesize
88KB
-
memory/3224-242-0x0000000000EF0000-0x0000000000EF1000-memory.dmpFilesize
4KB
-
memory/3516-409-0x000001C321F90000-0x000001C321FB0000-memory.dmpFilesize
128KB
-
memory/3516-398-0x000001C311600000-0x000001C311620000-memory.dmpFilesize
128KB
-
memory/3516-412-0x000001C3117D0000-0x000001C3117F0000-memory.dmpFilesize
128KB
-
memory/3876-508-0x00000283FBD60000-0x00000283FBD80000-memory.dmpFilesize
128KB
-
memory/3884-479-0x0000000000400000-0x0000000003130000-memory.dmpFilesize
45.2MB
-
memory/3884-554-0x0000000000400000-0x0000000003130000-memory.dmpFilesize
45.2MB
-
memory/3884-570-0x0000000000400000-0x0000000003130000-memory.dmpFilesize
45.2MB
-
memory/3884-577-0x0000000000400000-0x0000000003130000-memory.dmpFilesize
45.2MB
-
memory/4068-459-0x000002D5F66F0000-0x000002D5F6710000-memory.dmpFilesize
128KB
-
memory/4104-47-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4104-45-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4104-43-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4152-295-0x0000023D53D90000-0x0000023D53DB0000-memory.dmpFilesize
128KB
-
memory/4504-579-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB