Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
-
submitted
31-03-2024 20:16
General
-
Target
d2f6356be2cc20d1abb41234ee8ab3263ee58bbd81d53b0300ca52a7c298733c.exe
-
Size
268KB
-
MD5
1295525e00ff284ccaadf0d5497896c8
-
SHA1
38d7ba3a9ef2a3f6a09190fcf9b2f28acadf83a7
-
SHA256
d2f6356be2cc20d1abb41234ee8ab3263ee58bbd81d53b0300ca52a7c298733c
-
SHA512
0d67c92e14169a6d01f5bcca93745d26880972db2412f30bf00256d38dab95b40810270ed165b69bdaaa8937a4b5c905ec5e02eda3bb06e3185655ade54b9ea2
-
SSDEEP
3072:FJGWnqpfqN6+RwZXhqEGbudQ5yyUmWx0gXDf2Ps+9JSOBlVa:FJEBE6FtGbudQcyaxDLCdJ5B
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
djvu
http://sajdfue.com/test1/get.php
-
extension
.vook
-
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
-
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0857PsawqS
Signatures
-
DcRat 4 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detected Djvu ransomware 9 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 10 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 61 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 12 IoCs
-
Modifies Internet Explorer settings 1 TTPs 6 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 57 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 43 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d2f6356be2cc20d1abb41234ee8ab3263ee58bbd81d53b0300ca52a7c298733c.exe"C:\Users\Admin\AppData\Local\Temp\d2f6356be2cc20d1abb41234ee8ab3263ee58bbd81d53b0300ca52a7c298733c.exe"1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9BB3.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\B19E.exeC:\Users\Admin\AppData\Local\Temp\B19E.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\B19E.exeC:\Users\Admin\AppData\Local\Temp\B19E.exe2⤵
- DcRat
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\a16ffaaf-e072-4870-b4a3-fd010f9db787" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\B19E.exe"C:\Users\Admin\AppData\Local\Temp\B19E.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\B19E.exe"C:\Users\Admin\AppData\Local\Temp\B19E.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1828 -s 6005⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1828 -ip 18281⤵
-
C:\Users\Admin\AppData\Local\Temp\D822.exeC:\Users\Admin\AppData\Local\Temp\D822.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DAD2.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\F224.exeC:\Users\Admin\AppData\Local\Temp\F224.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\F224.exe"C:\Users\Admin\AppData\Local\Temp\F224.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.dbFilesize
14KB
MD5d038d6f52ee4a3a9726c8ffc3980ec9d
SHA129b65982961b3a40e777c7b889863a5d442813ab
SHA256f5a9fb45b10b4235450ae4ca372d747c392eee93729ed5516c3620bac4b70716
SHA512c8184c2149b497e55c5684390f15b4bd45c21a32bd5937ac7580c869a45a1e24538cc177913eee380e63410ae5180959e968bddfc078229abc5ca04358bf8063
-
C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\Content\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118AFilesize
313B
MD59e2894966f23deadb4f3dc16bd232322
SHA12271443489989974f804460fbf151acc783e3853
SHA2561fd75c18f6137dac09c56d8cc27d655a576860eea3405533f3334a230989d078
SHA5126c73acf7fb52fdb3b9bd96e5b509826e3ffc794227225f2d12c83b1cde830f4c889f34f68c17408da656745a06d1e77c0d94133dc575ce05462383ce3e991610
-
C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\CryptnetUrlCache\MetaData\EAF8AA29A62AB29E614331747385D816_F9E4DC0B9D5C777357D7DB8DEF51118AFilesize
404B
MD5251b698d9ea6b7d5af290ad723303373
SHA19344d5ecb45894cc651834c2bfa1ac19fc224258
SHA256c60028dd8d3fc65723f3a309c8edfa60083deed2eeb2d1ea2a94c052568b2398
SHA512c37bc3a919acae83d07c198c5dc74df5e2cbf8790689ce5bc2ce865a3f7270fe6b0a2cd1a6d18181cc524b18a436b32129093c50b6717ad0893f94ec4f453d36
-
C:\Users\Admin\AppData\Local\Temp\9BB3.batFilesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
C:\Users\Admin\AppData\Local\Temp\B19E.exeFilesize
774KB
MD5f62a3ad4d7efc44f53d3d9c3902dc870
SHA11df2ee2f5953702a1d4cbcc39ef0bf3f1d046656
SHA2566afdde50a1dcb548843dfe1fc32c3f087df2741715d1ba9608317f6fddf825fd
SHA512a99a5abcbc3b4633274f00c1390a03dc64cc20d71bba26c09c8326aaa03306ba0e866bed7a869f8b243e3461fae418075c6abf8293d6b91b7eea99d554c94aff
-
C:\Users\Admin\AppData\Local\Temp\D822.exeFilesize
6.5MB
MD59e52aa572f0afc888c098db4c0f687ff
SHA1ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b
SHA2564a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443
SHA512d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62
-
C:\Users\Admin\AppData\Local\Temp\F224.exeFilesize
4.2MB
MD5e68b58b7ae8f8b11b1df370b38b6ced3
SHA1085730281c49d6e47599a56d35e1777923959d98
SHA25620c3548c4c692e43c3f97da3ad787a82566bcef9b86a5d4b2f7684f3dfe2ba35
SHA512980fcb298763ec01ec2dfedc8801615e3854470b21ae886235a80f9698bd0d5eac6068dfd332d1848fab1d28c92fbfbb195c28deb363d523ff7e8ab5b26a7afb
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3vgi3ntw.whe.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5d0c46cad6c0778401e21910bd6b56b70
SHA17be418951ea96326aca445b8dfe449b2bfa0dca6
SHA2569600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02
SHA512057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5b07faf462dd0507f2b7571277607da4e
SHA1f03f7380e2deede6660223f4d3904d044eb1fa0a
SHA2560456929784d4d374d5ae189d92ac37787f5c2d1c6dce824fc134f6dc05e0666b
SHA5129d1df463816a9a90cb2685390e1f7964333f4d24509a65093ce68acf1c1db4a130943a7634b4f38f7c613594913311031faba3857f08cf24b60dcf56a1bba6c1
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5a3c23196871d752cf1ffd6137625aad4
SHA1839baa04958229cd2744d726e6411aeb930429b6
SHA256487b935a2f7d16a618bb57ee4dabc72136fa8c0fa295e4630288bd4bf954348f
SHA512a81a608e675161c803c33c1e2ba771cfe576e76ff67435e4007b54acfd5c52709e510547f0dcd7938724bf7457838ac934b05f017d4abf4824bc1b980c1a3e03
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD57932f84470ee4c7c6444bc22f3162334
SHA12f942806e321668e92b894a1fb18a4fe4cb6f7f2
SHA25639a2c9df03967f8b0a4dc1903b9516c89f5ff1d76c7404ebed235ddcc727d676
SHA5124e530c29739bed2a0e7294e531b768bcce960cfc6649cfdf709b0f9a6ec2be988a947ccc94eae89bbbd6ead21283ecb8fe949fbd60b08d60dca1d3374131c73c
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD59aee55308e1f195da6b3620cccd4bea9
SHA128bf77e5ef0c1091a37bcf6b31805fefb1146087
SHA2561125dbf2758c9a9eef2b385af253437845609e0c428a903b9c27e785a6e2a2d6
SHA512f58178a623400617c074d64072ee4b36dbcb6167e72b86a893b3ba7fa6c13ffe895f9e1f75a3de0d8b14fef01e047ee9368a889611aa10b73552a7707fef8c32
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD50fd598c6da0b4c1a716f0ee7f225c816
SHA11ab7059a209c5599245bac864dc3c2ed339f367b
SHA2566bc2ff95cf4a947ef9c27d04ac910ddb2cb8f1b8abbc4484243fe27a91685826
SHA512f801e8f4444ebf4ac96e76f93708fbf7b1a970df242c9ed6eb339ecbe6bc03c072644c84038d692508d45ea7502b0dbaf9f27d85390387a639213688236250b1
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/400-5-0x0000000000400000-0x0000000002D42000-memory.dmpFilesize
41.3MB
-
memory/400-3-0x0000000000400000-0x0000000002D42000-memory.dmpFilesize
41.3MB
-
memory/400-2-0x0000000004B90000-0x0000000004B9B000-memory.dmpFilesize
44KB
-
memory/400-1-0x0000000002E00000-0x0000000002F00000-memory.dmpFilesize
1024KB
-
memory/468-101-0x0000000003D50000-0x0000000003E50000-memory.dmpFilesize
1024KB
-
memory/468-112-0x0000000003E50000-0x0000000004050000-memory.dmpFilesize
2.0MB
-
memory/468-68-0x0000000002FD0000-0x0000000002FD1000-memory.dmpFilesize
4KB
-
memory/468-69-0x0000000002FE0000-0x0000000002FE1000-memory.dmpFilesize
4KB
-
memory/468-71-0x0000000002FF0000-0x0000000002FF1000-memory.dmpFilesize
4KB
-
memory/468-72-0x0000000003D50000-0x0000000003E50000-memory.dmpFilesize
1024KB
-
memory/468-74-0x0000000003D50000-0x0000000003E50000-memory.dmpFilesize
1024KB
-
memory/468-73-0x0000000003D50000-0x0000000003E50000-memory.dmpFilesize
1024KB
-
memory/468-75-0x0000000003D50000-0x0000000003E50000-memory.dmpFilesize
1024KB
-
memory/468-77-0x0000000003D50000-0x0000000003E50000-memory.dmpFilesize
1024KB
-
memory/468-78-0x0000000003D50000-0x0000000003E50000-memory.dmpFilesize
1024KB
-
memory/468-76-0x0000000003D50000-0x0000000003E50000-memory.dmpFilesize
1024KB
-
memory/468-80-0x0000000003D50000-0x0000000003E50000-memory.dmpFilesize
1024KB
-
memory/468-79-0x0000000003D50000-0x0000000003E50000-memory.dmpFilesize
1024KB
-
memory/468-81-0x0000000003D50000-0x0000000003E50000-memory.dmpFilesize
1024KB
-
memory/468-82-0x0000000003D50000-0x0000000003E50000-memory.dmpFilesize
1024KB
-
memory/468-84-0x0000000003D50000-0x0000000003E50000-memory.dmpFilesize
1024KB
-
memory/468-83-0x0000000003D50000-0x0000000003E50000-memory.dmpFilesize
1024KB
-
memory/468-89-0x0000000003D50000-0x0000000003E50000-memory.dmpFilesize
1024KB
-
memory/468-88-0x0000000003D50000-0x0000000003E50000-memory.dmpFilesize
1024KB
-
memory/468-91-0x0000000003D50000-0x0000000003E50000-memory.dmpFilesize
1024KB
-
memory/468-90-0x0000000003D50000-0x0000000003E50000-memory.dmpFilesize
1024KB
-
memory/468-92-0x0000000003D50000-0x0000000003E50000-memory.dmpFilesize
1024KB
-
memory/468-93-0x0000000003D50000-0x0000000003E50000-memory.dmpFilesize
1024KB
-
memory/468-87-0x0000000003D50000-0x0000000003E50000-memory.dmpFilesize
1024KB
-
memory/468-94-0x0000000003D50000-0x0000000003E50000-memory.dmpFilesize
1024KB
-
memory/468-95-0x0000000003D50000-0x0000000003E50000-memory.dmpFilesize
1024KB
-
memory/468-97-0x0000000003D50000-0x0000000003E50000-memory.dmpFilesize
1024KB
-
memory/468-96-0x0000000003D50000-0x0000000003E50000-memory.dmpFilesize
1024KB
-
memory/468-86-0x0000000003D50000-0x0000000003E50000-memory.dmpFilesize
1024KB
-
memory/468-98-0x0000000003D50000-0x0000000003E50000-memory.dmpFilesize
1024KB
-
memory/468-99-0x0000000003D50000-0x0000000003E50000-memory.dmpFilesize
1024KB
-
memory/468-85-0x0000000003D50000-0x0000000003E50000-memory.dmpFilesize
1024KB
-
memory/468-100-0x0000000003D50000-0x0000000003E50000-memory.dmpFilesize
1024KB
-
memory/468-67-0x0000000002FB0000-0x0000000002FB1000-memory.dmpFilesize
4KB
-
memory/468-102-0x0000000003D50000-0x0000000003E50000-memory.dmpFilesize
1024KB
-
memory/468-103-0x0000000003D50000-0x0000000003E50000-memory.dmpFilesize
1024KB
-
memory/468-104-0x0000000003D50000-0x0000000003E50000-memory.dmpFilesize
1024KB
-
memory/468-105-0x0000000003D50000-0x0000000003E50000-memory.dmpFilesize
1024KB
-
memory/468-106-0x0000000003D50000-0x0000000003E50000-memory.dmpFilesize
1024KB
-
memory/468-107-0x0000000003D50000-0x0000000003E50000-memory.dmpFilesize
1024KB
-
memory/468-108-0x0000000003D50000-0x0000000003E50000-memory.dmpFilesize
1024KB
-
memory/468-109-0x0000000003E50000-0x0000000003E51000-memory.dmpFilesize
4KB
-
memory/468-110-0x0000000003E50000-0x0000000003E51000-memory.dmpFilesize
4KB
-
memory/468-111-0x0000000003E50000-0x0000000004050000-memory.dmpFilesize
2.0MB
-
memory/468-65-0x0000000002FA0000-0x0000000002FA1000-memory.dmpFilesize
4KB
-
memory/468-113-0x0000000003E50000-0x0000000004050000-memory.dmpFilesize
2.0MB
-
memory/468-114-0x0000000003E50000-0x0000000004050000-memory.dmpFilesize
2.0MB
-
memory/468-115-0x0000000003E50000-0x0000000004050000-memory.dmpFilesize
2.0MB
-
memory/468-116-0x0000000003E50000-0x0000000004050000-memory.dmpFilesize
2.0MB
-
memory/468-117-0x0000000003E50000-0x0000000004050000-memory.dmpFilesize
2.0MB
-
memory/468-118-0x0000000003E50000-0x0000000004050000-memory.dmpFilesize
2.0MB
-
memory/468-119-0x0000000003E50000-0x0000000004050000-memory.dmpFilesize
2.0MB
-
memory/468-121-0x0000000003E50000-0x0000000004050000-memory.dmpFilesize
2.0MB
-
memory/468-120-0x0000000003E50000-0x0000000004050000-memory.dmpFilesize
2.0MB
-
memory/468-122-0x0000000003E50000-0x0000000004050000-memory.dmpFilesize
2.0MB
-
memory/468-123-0x0000000003E50000-0x0000000004050000-memory.dmpFilesize
2.0MB
-
memory/468-124-0x0000000003E50000-0x0000000004050000-memory.dmpFilesize
2.0MB
-
memory/468-125-0x0000000003E50000-0x0000000004050000-memory.dmpFilesize
2.0MB
-
memory/468-126-0x0000000003E50000-0x0000000004050000-memory.dmpFilesize
2.0MB
-
memory/468-66-0x0000000000410000-0x00000000010F5000-memory.dmpFilesize
12.9MB
-
memory/468-64-0x0000000002F70000-0x0000000002F71000-memory.dmpFilesize
4KB
-
memory/468-54-0x0000000000410000-0x00000000010F5000-memory.dmpFilesize
12.9MB
-
memory/468-63-0x0000000002F60000-0x0000000002F61000-memory.dmpFilesize
4KB
-
memory/948-22-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/948-24-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/948-25-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/948-26-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/948-38-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1576-41-0x00000000049C0000-0x0000000004A5C000-memory.dmpFilesize
624KB
-
memory/1828-47-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1828-45-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1828-44-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/1900-665-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/1900-653-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/2808-555-0x0000021E4EED0000-0x0000021E4EEF0000-memory.dmpFilesize
128KB
-
memory/3028-20-0x0000000004AE0000-0x0000000004B80000-memory.dmpFilesize
640KB
-
memory/3028-21-0x0000000004B80000-0x0000000004C9B000-memory.dmpFilesize
1.1MB
-
memory/3220-4-0x00000000027A0000-0x00000000027B6000-memory.dmpFilesize
88KB
-
memory/3220-316-0x0000000002770000-0x0000000002771000-memory.dmpFilesize
4KB
-
memory/4100-647-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/4388-652-0x0000000000400000-0x0000000003127000-memory.dmpFilesize
45.2MB
-
memory/4388-648-0x0000000000400000-0x0000000003127000-memory.dmpFilesize
45.2MB
-
memory/4388-632-0x0000000000400000-0x0000000003127000-memory.dmpFilesize
45.2MB
-
memory/4388-659-0x0000000000400000-0x0000000003127000-memory.dmpFilesize
45.2MB
-
memory/4388-664-0x0000000000400000-0x0000000003127000-memory.dmpFilesize
45.2MB
-
memory/4388-667-0x0000000000400000-0x0000000003127000-memory.dmpFilesize
45.2MB
-
memory/4388-670-0x0000000000400000-0x0000000003127000-memory.dmpFilesize
45.2MB
-
memory/4388-673-0x0000000000400000-0x0000000003127000-memory.dmpFilesize
45.2MB
-
memory/4688-506-0x0000000000400000-0x0000000003127000-memory.dmpFilesize
45.2MB
-
memory/4688-478-0x0000000000400000-0x0000000003127000-memory.dmpFilesize
45.2MB