Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20240221-en -
resource tags
-
submitted
01-04-2024 02:04
General
-
Target
44d648bfd0f341fb9c9d10a42c0261c7455eb3fbcdd59c93ddad4211b6380452.exe
-
Size
203KB
-
MD5
2c4aebcc97030695e4eae570e2aa1f1a
-
SHA1
b43be65cd79153d07a8959d06583a87650c59699
-
SHA256
44d648bfd0f341fb9c9d10a42c0261c7455eb3fbcdd59c93ddad4211b6380452
-
SHA512
fa99384bc9b5ccb21f0859576d3a420ad6118849fe2892c53e7782096a14d3b9ceb86fb528ce362612d131194c5562ba57190315359e2573564bb2267297f8ee
-
SSDEEP
3072:bKIdo3wKvh4ZsXLK0aWcfX98+8spxn0bDU+OWJ:bK/3wKvh4ZXnX98Bs3nk
Malware Config
Extracted
smokeloader
pub1
Extracted
smokeloader
2022
http://trad-einmyus.com/index.php
http://tradein-myus.com/index.php
http://trade-inmyus.com/index.php
Extracted
djvu
http://sajdfue.com/test1/get.php
-
extension
.vook
-
offline_id
1eSPzWRaNslCgtjBZfL5pzvovoiaVI4IZSnvAwt1
-
payload_url
http://sdfjhuz.com/dl/build2.exe
http://sajdfue.com/files/1/build3.exe
-
ransomnote
ATTENTION! Don't worry, you can return all your files! All your files like pictures, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. Do not ask assistants from youtube and recovery data sites for help in recovering your data. They can use your free decryption quota and scam you. Our contact is emails in this text document only. You can get and look video overview decrypt tool: https://wetransfer.com/downloads/3ed7a617738550b0a00c5aa231c0752020240316170955/d71ce1 Price of private key and decrypt software is $999. Discount 50% available if you contact us first 72 hours, that's price for you is $499. Please note that you'll never restore your data without payment. Check your e-mail "Spam" or "Junk" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 0857PsawqS
Signatures
-
DcRat 4 IoCs
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Detected Djvu ransomware 9 IoCs
-
Djvu Ransomware
Ransomware which is a variant of the STOP family.
-
Glupteba
Glupteba is a modular loader written in Golang with various components.
-
Glupteba payload 9 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Modifies Installed Components in the registry 2 TTPs 1 IoCs
-
Modifies Windows Firewall 2 TTPs 1 IoCs
-
Deletes itself 1 IoCs
-
Executes dropped EXE 11 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Manipulates WinMonFS driver. 1 IoCs
Roottkits write to WinMonFS to hide directories/files from being detected.
-
Drops file in System32 directory 7 IoCs
-
Suspicious use of SetThreadContext 2 IoCs
-
Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 1 IoCs
Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.
-
Drops file in Windows directory 4 IoCs
-
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 61 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Enumerates system info in registry 2 TTPs 12 IoCs
-
Modifies Internet Explorer settings 1 TTPs 6 IoCs
-
Modifies data under HKEY_USERS 64 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 43 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\44d648bfd0f341fb9c9d10a42c0261c7455eb3fbcdd59c93ddad4211b6380452.exe"C:\Users\Admin\AppData\Local\Temp\44d648bfd0f341fb9c9d10a42c0261c7455eb3fbcdd59c93ddad4211b6380452.exe"1⤵
- DcRat
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\C227.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\D33F.exeC:\Users\Admin\AppData\Local\Temp\D33F.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\D33F.exeC:\Users\Admin\AppData\Local\Temp\D33F.exe2⤵
- DcRat
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\0eb93f0a-9281-4cc3-8978-367e594ef804" /deny *S-1-1-0:(OI)(CI)(DE,DC)3⤵
- Modifies file permissions
-
C:\Users\Admin\AppData\Local\Temp\D33F.exe"C:\Users\Admin\AppData\Local\Temp\D33F.exe" --Admin IsNotAutoStart IsNotTask3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\D33F.exe"C:\Users\Admin\AppData\Local\Temp\D33F.exe" --Admin IsNotAutoStart IsNotTask4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3476 -s 6005⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3476 -ip 34761⤵
-
C:\Users\Admin\AppData\Local\Temp\27E.exeC:\Users\Admin\AppData\Local\Temp\27E.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\D3D.bat" "1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add "HKEY_CURRENT_USER\Software\clicker\key" /v primary /t REG_DWORD /d 12⤵
-
C:\Users\Admin\AppData\Local\Temp\46CC.exeC:\Users\Admin\AppData\Local\Temp\46CC.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\46CC.exe"C:\Users\Admin\AppData\Local\Temp\46CC.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes4⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile3⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\rss\csrss.exeC:\Windows\rss\csrss.exe3⤵
- Executes dropped EXE
- Adds Run key to start application
- Manipulates WinMonFS driver.
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /delete /tn ScheduledUpdate /f4⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell -nologo -noprofile4⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeC:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll4⤵
- Executes dropped EXE
-
C:\Windows\SYSTEM32\schtasks.exeschtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F4⤵
- DcRat
- Creates scheduled task(s)
-
C:\Windows\windefender.exe"C:\Windows\windefender.exe"4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.execmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)5⤵
-
C:\Windows\SysWOW64\sc.exesc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)6⤵
- Launches sc.exe
-
C:\Windows\explorer.exeexplorer.exe1⤵
- Modifies Installed Components in the registry
- Enumerates connected drives
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\windefender.exeC:\Windows\windefender.exe1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Scheduled Task/Job
1Defense Evasion
File and Directory Permissions Modification
1Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\D08ZSWUJ\www.bing[1].xmlFilesize
2KB
MD51d0bb61c4c477f50dc843eb064ee46ba
SHA1aa045e4daffcdf0fc3f46255986feafc6e800c39
SHA25645a2486bae81cf5bedf7f7a5aab0d5744d6192f0a7e779f2c0101598452cb292
SHA51207a9fca12b0b56d97da0a42527d23371c858a5ddd436f70a16885395238e9b74124ae3962dc37b870961a2da7a03c12d6756f9b7a3ceb829bd2f2b67aa01509c
-
C:\Users\Admin\AppData\Local\Temp\27E.exeFilesize
6.5MB
MD59e52aa572f0afc888c098db4c0f687ff
SHA1ef7c2bb222e69ad0e10c8686eb03dcbee7933c2b
SHA2564a40f9d491f09521f4b0c6076a0eb488f6d8e1cf4b67aa6569c2ccce13556443
SHA512d0991e682ae8c954721e905753b56c01f91b85313beb9996331793c3efa8acc13d574ef5ba44853ecc3e05822931ed655bad1924fa11b774a43e015f42185f62
-
C:\Users\Admin\AppData\Local\Temp\46CC.exeFilesize
4.1MB
MD51e578aee6185835cb342b85f99e140df
SHA16ea67ddc96b09150c291ff5ea059e98075bf3823
SHA2560d21b306a868051b31ffac63da269967fc9edd9d680f2e2879d1b8377d2d0e84
SHA5127dcbebe9ca2cd209841aa413d67adecb2a27f65a3d59d510801e51b04555ec5d24641149743f5af2ff7a0edb92ba24a293df213661c4dd161b36e1c3fc47eafb
-
C:\Users\Admin\AppData\Local\Temp\C227.batFilesize
77B
MD555cc761bf3429324e5a0095cab002113
SHA12cc1ef4542a4e92d4158ab3978425d517fafd16d
SHA256d6cceb3c71b80403364bf142f2fa4624ee0be36a49bac25ed45a497cf1ce9c3a
SHA51233f9f5cad22d291077787c7df510806e4ac31f453d288712595af6debe579fabed6cdf4662e46e6fa94de135b161e739f55cfae05c36c87af85ed6a6ad1c9155
-
C:\Users\Admin\AppData\Local\Temp\D33F.exeFilesize
731KB
MD502f6623bb1baf86fff2187d3133a0f4b
SHA17fc70dc931668f080f7c6a32404f4ecef7a6c1fc
SHA256d08ffd814756737222e2812019ec4b6ffeb2714e19d611c15a308ae3902868d0
SHA512c36cc942834274d3078edab9e9975237f323c14d480ebca5b151ce885067b2863fd255d49b6929d26b48548a23b6d7c3bf42d3b0548e82bf3a93afa852b682ae
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gy3cewax.bcu.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exeFilesize
281KB
MD5d98e33b66343e7c96158444127a117f6
SHA1bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA2565de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5ac4917a885cf6050b1a483e4bc4d2ea5
SHA1b1c0a9f27bd21c6bbb8e9be70db8777b4a2a640f
SHA256e39062a62c3c7617feeeff95ea8a0be51104a0d36f46e44eea22556fda74d8d9
SHA512092c67a3ecae1d187cad72a8ea1ea37cb78a0cf79c2cd7fb88953e5990669a2e871267015762fd46d274badb88ac0c1d73b00f1df7394d89bed48a3a45c2ba3d
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5b71b0024c4088bf51d04624f79a74f9c
SHA18c3f3255861025a4c10e7942c0eb9b72cb158fd0
SHA2569e659605d51d150fab851a60672cc8218f3ff79496d14500569f26073cedbae9
SHA512adec9bc8a27e34afa7102fb031df3222ce6daccc6130a5d44d2f2bccf3627284330077169ed8719948c7f173dc6307ee695e4ff0ae76e963c5d36ef544eef13a
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD509e93231c8583b5da5797b2283766f38
SHA1eb3bc24488191520d2ad8112fe938404ba118795
SHA256e3acde6411c1c9075a398dd960a885bc63ff85b8856f194700f37035d2de87fc
SHA512845125a4d149c1ababcd53a410a5d2643921c2c204bc00d80becdc0e49ae8936c617b8af654f48e4a72da6f7e67a712b96ebe3c403b5a51fdd9241df5092d282
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD506948d14c96a36471c7881ccb42a6849
SHA1e10df6aec21f5e9f3f7ed0167fe649db6a9a4645
SHA2569a34431c5da14776388547b6cc60d7a463c8880b0a3b86ace709cfbb067b4696
SHA5126451ef4c1783ce2bc57ffc2e05155eca2a5d7a5a07b5ba3f028acc68da83e5972567a6392a5b19a09c53fc11c733df8f9162462c35a3adc4853ebfd5fd538ba3
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD5bf57bdc9e0fd378282a5c2cd872d7bc9
SHA1b7b08e7ca13675c949f6b22dd3697852e7b79e29
SHA256422d4c00504c63ba24e67254bcbca54b1b95bbe1b4fd134e76a6614987efb8e7
SHA5125dafbf3b2bb841a41af5281f37c6c0bd8883b56144c59a11d69c4cc19a072c82db37e84f95769a156e3d4f7cf8cdf0c748c93fdb34ff87142405ad627127a054
-
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveFilesize
19KB
MD58fb4173b2c35d9ef2fd11078a359d457
SHA1cc416e8916bb87a3f39cce74a7fc94ac2cf1e157
SHA25656a53d27de744ed6faaeeadf0d196a3c04fef2a9a72880b02e43be7437648b79
SHA512b8d4c18555e0d4d706b3e3f3b50acfc487518ab55fa0f356e3115d8fd929914ff7825cb890ffdd5f4a11cefe5c02e92383b283c0e0064cb39fdf81f553d3e319
-
C:\Windows\windefender.exeFilesize
2.0MB
MD58e67f58837092385dcf01e8a2b4f5783
SHA1012c49cfd8c5d06795a6f67ea2baf2a082cf8625
SHA256166ddb03ff3c89bd4525ac390067e180fdd08f10fbcf4aadb0189541673c03fa
SHA51240d8ae12663fc1851e171d9d86cea8bb12487b734c218d7b6f9742eb07d4ca265065cbd6d0bb908f8bda7e3d955c458dfe3fd13265bbf573b9351e0a2bf691ec
-
memory/224-5-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/224-3-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/224-2-0x0000000000760000-0x000000000076B000-memory.dmpFilesize
44KB
-
memory/224-1-0x0000000000770000-0x0000000000870000-memory.dmpFilesize
1024KB
-
memory/236-322-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/652-21-0x0000000002370000-0x000000000248B000-memory.dmpFilesize
1.1MB
-
memory/652-20-0x0000000000830000-0x00000000008C8000-memory.dmpFilesize
608KB
-
memory/1588-97-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-113-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-65-0x0000000003400000-0x0000000003401000-memory.dmpFilesize
4KB
-
memory/1588-67-0x0000000003410000-0x0000000003450000-memory.dmpFilesize
256KB
-
memory/1588-68-0x0000000003410000-0x0000000003450000-memory.dmpFilesize
256KB
-
memory/1588-69-0x0000000003410000-0x0000000003450000-memory.dmpFilesize
256KB
-
memory/1588-71-0x0000000003410000-0x0000000003450000-memory.dmpFilesize
256KB
-
memory/1588-70-0x0000000003410000-0x0000000003450000-memory.dmpFilesize
256KB
-
memory/1588-72-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-73-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-74-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-75-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-76-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-78-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-81-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-80-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-79-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-82-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-77-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-83-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-84-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-86-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-85-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-87-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-88-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-89-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-90-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-92-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-91-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-93-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-95-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-94-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-96-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-61-0x00000000033D0000-0x00000000033D1000-memory.dmpFilesize
4KB
-
memory/1588-99-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-98-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-100-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-101-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-102-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-104-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-106-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-108-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-109-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-110-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-112-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-64-0x00000000033F0000-0x00000000033F1000-memory.dmpFilesize
4KB
-
memory/1588-114-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-115-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-116-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-117-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-118-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-119-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-120-0x0000000004180000-0x0000000004280000-memory.dmpFilesize
1024KB
-
memory/1588-121-0x0000000004280000-0x000000000478F000-memory.dmpFilesize
5.1MB
-
memory/1588-122-0x0000000004280000-0x000000000478F000-memory.dmpFilesize
5.1MB
-
memory/1588-123-0x0000000004280000-0x000000000478F000-memory.dmpFilesize
5.1MB
-
memory/1588-124-0x0000000004280000-0x000000000478F000-memory.dmpFilesize
5.1MB
-
memory/1588-125-0x0000000004280000-0x000000000478F000-memory.dmpFilesize
5.1MB
-
memory/1588-126-0x0000000004280000-0x000000000478F000-memory.dmpFilesize
5.1MB
-
memory/1588-63-0x00000000033E0000-0x00000000033E1000-memory.dmpFilesize
4KB
-
memory/1588-62-0x00000000007E0000-0x00000000014C5000-memory.dmpFilesize
12.9MB
-
memory/1588-54-0x00000000007E0000-0x00000000014C5000-memory.dmpFilesize
12.9MB
-
memory/1588-60-0x00000000015F0000-0x00000000015F1000-memory.dmpFilesize
4KB
-
memory/1588-59-0x00000000015E0000-0x00000000015E1000-memory.dmpFilesize
4KB
-
memory/1788-603-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/1892-43-0x00000000022D0000-0x0000000002365000-memory.dmpFilesize
596KB
-
memory/2036-605-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/2036-613-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/2036-609-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/2036-607-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/2036-616-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/2036-621-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/2036-596-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/2424-614-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/2424-608-0x0000000000400000-0x00000000008DF000-memory.dmpFilesize
4.9MB
-
memory/2552-476-0x0000000000400000-0x0000000000D1C000-memory.dmpFilesize
9.1MB
-
memory/3356-4-0x00000000032D0000-0x00000000032E6000-memory.dmpFilesize
88KB
-
memory/3356-278-0x0000000003300000-0x0000000003301000-memory.dmpFilesize
4KB
-
memory/3476-44-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3476-45-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3476-47-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/3992-462-0x00000288783C0000-0x00000288783E0000-memory.dmpFilesize
128KB
-
memory/4232-573-0x00000221A9CA0000-0x00000221A9DA0000-memory.dmpFilesize
1024KB
-
memory/4232-555-0x0000022199340000-0x0000022199360000-memory.dmpFilesize
128KB
-
memory/4788-38-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4788-26-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4788-25-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4788-22-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4788-24-0x0000000000400000-0x0000000000537000-memory.dmpFilesize
1.2MB
-
memory/4828-520-0x0000021FC57E0000-0x0000021FC5800000-memory.dmpFilesize
128KB