Analysis
-
max time kernel
68s -
max time network
157s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
31-03-2024 20:36
General
-
Target
d9af684e1af60439245790f0cc4e0ac4017f3e295f0a22bac869b70551b89f15.exe
-
Size
269KB
-
MD5
b4daa1e2cbed5b1208728306f7009a80
-
SHA1
50fa36b4d785ea212a8341062bebcd379a7d4224
-
SHA256
d9af684e1af60439245790f0cc4e0ac4017f3e295f0a22bac869b70551b89f15
-
SHA512
a86370bbd9a0367f287a1e952eda34d3bf23589b4b1f79d7fc94c0686619dbab51c959353c76e0869d7f043404cf0394cb26931da42aaafd42a1bc3de19c526d
-
SSDEEP
3072:ZIG169wfIDD+lwZXhdqEgO6Co3b/f7hxUot7rDhmg/E4Kw6SmBlVa:ZILUEDJedz7D9tUgew6RB
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
djvu
http://sajdfue.com/test1/get.php
-
extension
.vook
-
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
-
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0857PsawqS
Extracted
lumma
https://resergvearyinitiani.shop/api
Signatures
-
DcRat 3 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detected Djvu ransomware 9 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 11 IoCs
-
Lumma Stealer
An infostealer written in C++ first seen in August 2022.
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 6 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
-
Suspicious use of WriteProcessMemory 46 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\d9af684e1af60439245790f0cc4e0ac4017f3e295f0a22bac869b70551b89f15.exe"C:\Users\Admin\AppData\Local\Temp\d9af684e1af60439245790f0cc4e0ac4017f3e295f0a22bac869b70551b89f15.exe"1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6CEE.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\7B37.exeC:\Users\Admin\AppData\Local\Temp\7B37.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7B37.exeC:\Users\Admin\AppData\Local\Temp\7B37.exe2⤵
- DcRat
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\8d76aa49-b3ad-4381-85b5-ec60abf4529a" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\7B37.exe"C:\Users\Admin\AppData\Local\Temp\7B37.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7B37.exe"C:\Users\Admin\AppData\Local\Temp\7B37.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3756 -s 5685⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3756 -ip 37561⤵
-
C:\Users\Admin\AppData\Local\Temp\B563.exeC:\Users\Admin\AppData\Local\Temp\B563.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BAB3.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=4036 --field-trial-handle=3088,i,14310325015283915034,7660943942870463106,262144 --variations-seed-version /prefetch:31⤵
-
C:\Users\Admin\AppData\Local\Temp\D699.exeC:\Users\Admin\AppData\Local\Temp\D699.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\D699.exe"C:\Users\Admin\AppData\Local\Temp\D699.exe"2⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
471B
MD5998bb0326f3b0f09e3807b631dc5d7b8
SHA11266cdd46c71687067d517a8873fbc892216b5b9
SHA25686d01464baba49c3a243770da3f12642373f82f6502d88e8b54fde107a638434
SHA5126122adabd9b20c12d9b39a9708aabd1862c62a06ea12a22f4a4d9679d177b6b19907a06c5b6091f121cdd8d056d7d0716c56a8ace5209e5355ad135ce3c953ac
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
412B
MD5e7d865935d7e35c24d6ea2825850cb88
SHA15ff0ab64ea5dba6950e04e992461697559e5b2d1
SHA25656d5845a86510df61c6594cf980ffa1c04328e4fc71b3d735d4a80d294f0e5ee
SHA512a035c437b83da0d7801cf8992ea6e400e114f7d1b10013b68c696f1e437f45eac8c36d5008b4a6c3cb3db7026bdf271e81ce94caa5d203d910daf93921b4e8ab
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch DictionariesFilesize
40B
MD520d4b8fa017a12a108c87f540836e250
SHA11ac617fac131262b6d3ce1f52f5907e31d5f6f00
SHA2566028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d
SHA512507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\TokenBroker\Cache\fbaf94e759052658216786bfbabcdced1b67a5c2.tbresFilesize
2KB
MD5c3d296ddc089d482171c0eb06461eaae
SHA14fb24ba7aed1dac1d8de79d281b2dd332f5b1390
SHA25681ad588be7ab758759881e836eb696f5717cdf2a86e6dd2f56b2c2adf8e93b91
SHA512f32bb523c02277482f18b2f4db72f6a427988d537eb544d91fcfb8694f6b4b11b78829e679b5bdac204205d734473cc3a8f5c4046444576b70c0e2fa171d405c
-
C:\Users\Admin\AppData\Local\Temp\6CEE.batFilesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
C:\Users\Admin\AppData\Local\Temp\7B37.exeFilesize
768KB
MD51d12763b9095b1d14607833deae59b2b
SHA10acf80ed680a678f49f5bfddb14cafd96544fbcb
SHA25674ea265a9044414b3318c2f3a0893a1faf11da8538196740c3880a6a2cf87a1c
SHA512f18ea8e5304a286178b2bd54ce494ee6034f87976f0668e45737e547638658d323d50aa5ba9756bcfbe6089825f81529e5a65a0b03eac63712f118212f028d15
-
C:\Users\Admin\AppData\Local\Temp\B563.exeFilesize
6.5MB
MD59e52aa572f0afc888c098db4c0f687ff
SHA1ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b
SHA2564a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443
SHA512d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62
-
C:\Users\Admin\AppData\Local\Temp\D699.exeFilesize
4.2MB
MD5f20545112aac4d388966aa18162768b2
SHA19d2c872f30d402e467128dbcada3c69361a2909b
SHA2560958e59de7186b792e95f1f2c727317fe901cec23b17ec77704092572315f57c
SHA512f558402740241801ef3ab00ca8e84686743836d0ae6787d5e9b09000d4417e44b6b35181a0c57e85533f404d1720fc73f8a9b34a0653337f03e53ac5f7ad43ad
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ookzbu0d.ftl.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD51fbf8d3b3d759933b53c910f41ff6e91
SHA1c26f67ef037d513efba43ca11d95026144d8862c
SHA256d79ba70216b0881ce572186cf5cfb6719ab90d8385211592160bcc52e9300058
SHA512ac54b4da733a598ea841ecc9314a45542c9b7948cc84a3b17500a8c8f937049934ca3c5d47d4947d57e55dddd9febaefc89d95e364fdbe36dab9ca613067e2ba
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD53d96d003bce5539a1197a92338c49770
SHA1baf4a7901cd2e47b4209f4991a960be5449298d4
SHA2568609f46e0d36c1f72033560437125429a084207627157b15d2aaa66dd7b6a421
SHA51235305744bda136ef6a6b163f66ef2e565d1a9d457efcb5c4293df53aaccd5415d970197cfee12cb871338df05ba8c35f750065e5eee1e612164df83ad701941a
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5d132401aacf7609358b3f51a62507072
SHA1d3c05510aa0b7b6655f9e6f453b03ff83687aa51
SHA256164d7ab599bed3f326ec8f8064e8706385e4267177f8c0a1fdbb6c4226fd2798
SHA512f602087d9c3697e617bfc896c9842638e0bf1eaeb2b8432f9f334f190e63b412a00e1a52c17b9c396104eaddb31c63411b07659f5af334eb6359fa8e1f5cbe7b
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5d38d32adce192903bb239c0bdda9f4a5
SHA107e9bd1ca3a035efa5a0778fbd6787eb91971d6e
SHA256ad7bb546248e9dd2d163392aa88158c922c0cc0117f1392ef9bd22d5682f1ccb
SHA5127f11848139dd8d23bb76d1f61a351b39b314bd50ecc25a8f54d948f454449455ebf8f6749ab871a9689dafcecf9dc29ad5362a312b08f905f9a0730eb39d4a0f
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5bd23f71d28018d3356e50a4b81277472
SHA16a8976cae17495e762c68d596a59a31f684859de
SHA256a23bcb5468288ace721ebcfb4872652e1e0bbcca6f7613bf4739fc44819c5568
SHA51241a659b5f6957720dbdeb4b11e715515a1c1466b1f34f7ba789c8f587ef65efb922a3f9f5e205d8f15910146823e160e27998db724c3ba7b4da16eac3eb9aa7d
-
memory/64-363-0x0000000000400000-0x0000000003125000-memory.dmpFilesize
45.1MB
-
memory/64-398-0x0000000000400000-0x0000000003125000-memory.dmpFilesize
45.1MB
-
memory/408-25-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/408-23-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/408-26-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/408-27-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/408-37-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/412-2-0x0000000002E20000-0x0000000002E2B000-memory.dmpFilesize
44KB
-
memory/412-1-0x0000000002E70000-0x0000000002F70000-memory.dmpFilesize
1024KB
-
memory/412-8-0x0000000002E20000-0x0000000002E2B000-memory.dmpFilesize
44KB
-
memory/412-5-0x0000000000400000-0x0000000002D42000-memory.dmpFilesize
41.3MB
-
memory/412-3-0x0000000000400000-0x0000000002D42000-memory.dmpFilesize
41.3MB
-
memory/556-21-0x0000000004A90000-0x0000000004B32000-memory.dmpFilesize
648KB
-
memory/556-22-0x0000000004B40000-0x0000000004C5B000-memory.dmpFilesize
1.1MB
-
memory/1176-286-0x0000000002E50000-0x0000000002E51000-memory.dmpFilesize
4KB
-
memory/2608-297-0x0000014AA6310000-0x0000014AA6330000-memory.dmpFilesize
128KB
-
memory/2608-294-0x0000014AA6020000-0x0000014AA6040000-memory.dmpFilesize
128KB
-
memory/2608-300-0x0000014AA6430000-0x0000014AA6450000-memory.dmpFilesize
128KB
-
memory/2716-153-0x0000000004ED0000-0x0000000004EE0000-memory.dmpFilesize
64KB
-
memory/2716-127-0x00000000053F0000-0x0000000005412000-memory.dmpFilesize
136KB
-
memory/2716-123-0x0000000074530000-0x0000000074CE0000-memory.dmpFilesize
7.7MB
-
memory/2716-124-0x0000000002DD0000-0x0000000002E06000-memory.dmpFilesize
216KB
-
memory/2716-125-0x0000000004ED0000-0x0000000004EE0000-memory.dmpFilesize
64KB
-
memory/2716-126-0x0000000005510000-0x0000000005B38000-memory.dmpFilesize
6.2MB
-
memory/2716-128-0x0000000005CF0000-0x0000000005D56000-memory.dmpFilesize
408KB
-
memory/2716-129-0x0000000005D60000-0x0000000005DC6000-memory.dmpFilesize
408KB
-
memory/2716-139-0x0000000005ED0000-0x0000000006224000-memory.dmpFilesize
3.3MB
-
memory/2716-145-0x0000000005120000-0x000000000513E000-memory.dmpFilesize
120KB
-
memory/2716-154-0x0000000007720000-0x0000000007796000-memory.dmpFilesize
472KB
-
memory/2716-146-0x0000000006420000-0x000000000646C000-memory.dmpFilesize
304KB
-
memory/2716-152-0x0000000006940000-0x0000000006984000-memory.dmpFilesize
272KB
-
memory/3188-323-0x0000000000400000-0x0000000003125000-memory.dmpFilesize
45.1MB
-
memory/3188-238-0x0000000000400000-0x0000000003125000-memory.dmpFilesize
45.1MB
-
memory/3188-236-0x0000000000400000-0x0000000003125000-memory.dmpFilesize
45.1MB
-
memory/3188-272-0x0000000000400000-0x0000000003125000-memory.dmpFilesize
45.1MB
-
memory/3240-150-0x0000000000BD0000-0x0000000000BD1000-memory.dmpFilesize
4KB
-
memory/3240-4-0x0000000002E20000-0x0000000002E36000-memory.dmpFilesize
88KB
-
memory/3756-43-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3756-46-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3756-44-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4156-40-0x0000000004900000-0x000000000499C000-memory.dmpFilesize
624KB
-
memory/4244-187-0x0000000004AE0000-0x0000000004AE1000-memory.dmpFilesize
4KB
-
memory/4968-194-0x0000000000400000-0x0000000003125000-memory.dmpFilesize
45.1MB
-
memory/4968-197-0x0000000000400000-0x0000000003125000-memory.dmpFilesize
45.1MB
-
memory/4968-151-0x0000000000400000-0x0000000003125000-memory.dmpFilesize
45.1MB
-
memory/4968-161-0x0000000000400000-0x0000000003125000-memory.dmpFilesize
45.1MB
-
memory/4968-122-0x0000000000400000-0x0000000003125000-memory.dmpFilesize
45.1MB
-
memory/5060-69-0x0000000000EB0000-0x0000000001B95000-memory.dmpFilesize
12.9MB
-
memory/5060-109-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5060-95-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5060-94-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5060-93-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5060-92-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5060-96-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5060-108-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5060-121-0x0000000000EB0000-0x0000000001B95000-memory.dmpFilesize
12.9MB
-
memory/5060-107-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5060-97-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5060-98-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5060-99-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5060-106-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5060-104-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5060-103-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5060-105-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5060-100-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5060-101-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5060-102-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5060-90-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5060-91-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5060-89-0x0000000000EB0000-0x0000000001B95000-memory.dmpFilesize
12.9MB
-
memory/5060-88-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5060-85-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5060-86-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5060-87-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5060-75-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5060-76-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5060-79-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5060-80-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5060-82-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5060-81-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5060-83-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5060-84-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5060-77-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5060-78-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5060-74-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5060-73-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5060-72-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5060-71-0x0000000000EA0000-0x0000000000EA1000-memory.dmpFilesize
4KB
-
memory/5060-70-0x0000000000D10000-0x0000000000D11000-memory.dmpFilesize
4KB
-
memory/5060-68-0x0000000000D00000-0x0000000000D01000-memory.dmpFilesize
4KB
-
memory/5060-63-0x0000000000C90000-0x0000000000C91000-memory.dmpFilesize
4KB
-
memory/5060-67-0x0000000000CE0000-0x0000000000CE1000-memory.dmpFilesize
4KB
-
memory/5060-66-0x0000000000CD0000-0x0000000000CD1000-memory.dmpFilesize
4KB
-
memory/5060-65-0x0000000000CC0000-0x0000000000CC1000-memory.dmpFilesize
4KB
-
memory/5060-64-0x0000000000EB0000-0x0000000001B95000-memory.dmpFilesize
12.9MB
-
memory/5060-62-0x0000000000BF0000-0x0000000000BF1000-memory.dmpFilesize
4KB
-
memory/5060-57-0x0000000000EB0000-0x0000000001B95000-memory.dmpFilesize
12.9MB