Overview

Task | Platform | Score
overview | | 10
static | | 3
pengisv/Fix.exe | windows7-x64 | 10
pengisv/Fix.exe | windows10-2004-x64 | 10
pengisv/FixV2.exe | windows7-x64 | 7
pengisv/FixV2.exe | windows10-2004-x64 | 7
pengisv/Injector.exe | windows7-x64 | 10
pengisv/Injector.exe | windows10-2004-x64 | 10
pengisv/bocchisr.dll | windows7-x64 | 1
pengisv/bocchisr.dll | windows10-2004-x64 | 1
pengisv/ce...64.dll | windows7-x64 | 1
pengisv/ce...64.dll | windows10-2004-x64 | 1

Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20240412-en locale:en-us os:windows10-2004-x64 system
- submitted: 23-04-2024 16:14
Static task
- static1

Behavioral tasks
- behavioral1: sample pengisv/Fix.exe, resource win7-20240221-en
- behavioral2: sample pengisv/Fix.exe, resource win10v2004-20240412-en
- behavioral3: sample pengisv/FixV2.exe, resource win7-20240221-en
- behavioral4: sample pengisv/FixV2.exe, resource win10v2004-20240412-en
- behavioral5: sample pengisv/Injector.exe, resource win7-20231129-en
- behavioral6: sample pengisv/Injector.exe, resource win10v2004-20240412-en
- behavioral7: sample pengisv/bocchisr.dll, resource win7-20240221-en
- behavioral8: sample pengisv/bocchisr.dll, resource win10v2004-20240412-en
- behavioral9: sample pengisv/ced3d9hook64.dll, resource win7-20240215-en
- behavioral10: sample pengisv/ced3d9hook64.dll, resource win10v2004-20240412-en
General
- Target: pengisv/Injector.exe
- Size: 300.0MB
- MD5: d21c2d4f372af938109fd2345ac1938b
- SHA1: f76729490360354f30548f49a8ca3ddeb638758c
- SHA256: 1d61735d5000942390505f6962882af0c9bbd8d52b6e2e179ac47781edc9f281
- SHA512: f7c7f0962325b3c0d19be00096b618b2bb576b06eda78dc396d9ab6325031d9e8ff86fff33f1189954f32e6300d427029942400a621854848a2930947aa64ae0
- SSDEEP: 24576:bNpd12nDhPgnRcmIoWMsH4YcxGg8Zfq7NtmIxEAzLDV7YTGTbX:BdiDeRQbMsH/JRZfq7NtmDwLDZX
Malware Config

Signatures

Detect ZGRat V1 1 IoCs
- resource: behavioral6/memory/1612-47-0x0000000000BC0000-0x0000000000C80000-memory.dmp; yara_rule: family_zgrat_v1

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 1 IoCs
- resource: behavioral6/memory/1612-47-0x0000000000BC0000-0x0000000000C80000-memory.dmp; yara_rule: family_redline

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes: Multimedia.pif
- description: PID 1740 created 3272; pid: 1740; process: Multimedia.pif; target process: Explorer.EXE

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: Injector.exe
- description: Key value queried; ioc: \REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation; process: Injector.exe

Executes dropped EXE 2 IoCs
Processes: Multimedia.pif, RegAsm.exe
- pid 1740: Multimedia.pif
- pid 1612: RegAsm.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Enumerates processes with tasklist 1 TTPs 2 IoCs
Processes: tasklist.exe, tasklist.exe
- pid 2244: tasklist.exe
- pid 4648: tasklist.exe

Modifies system certificate store
Processes: RegAsm.exe
- description: Key created; ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064; process: RegAsm.exe
- description: Set value (data); ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F1A578C4CB5DE79A370893983FD4DA8B67B2B064\Blob; process: RegAsm.exe

Runs ping.exe 1 TTPs 1 IoCs

Suspicious behavior: EnumeratesProcesses 9 IoCs
Processes: Multimedia.pif, RegAsm.exe
- pid 1740: Multimedia.pif (8 entries)
- pid 1612: RegAsm.exe (1 entry)

Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes: tasklist.exe, tasklist.exe, RegAsm.exe
- Token: SeDebugPrivilege; pid 2244: tasklist.exe
- Token: SeDebugPrivilege; pid 4648: tasklist.exe
- Token: SeDebugPrivilege; pid 1612: RegAsm.exe
- Token: SeBackupPrivilege; pid 1612: RegAsm.exe
- Token: SeSecurityPrivilege; pid 1612: RegAsm.exe (4 entries)

Suspicious use of FindShellTrayWindow 3 IoCs
Processes: Multimedia.pif
- pid 1740: Multimedia.pif (3 entries)

Suspicious use of SendNotifyMessage 3 IoCs
Processes: Multimedia.pif
- pid 1740: Multimedia.pif (3 entries)

Suspicious use of WriteProcessMemory 35 IoCs
Processes: Injector.exe, cmd.exe, Multimedia.pif
- PID 4020 wrote to memory of 4716; pid 4020: Injector.exe; target process: cmd.exe (3 entries)
- PID 4716 wrote to memory of 2244; pid 4716: cmd.exe; target process: tasklist.exe (3 entries)
- PID 4716 wrote to memory of 552; pid 4716: cmd.exe; target process: findstr.exe (3 entries)
- PID 4716 wrote to memory of 4648; pid 4716: cmd.exe; target process: tasklist.exe (3 entries)
- PID 4716 wrote to memory of 5060; pid 4716: cmd.exe; target process: findstr.exe (3 entries)
- PID 4716 wrote to memory of 4464; pid 4716: cmd.exe; target process: cmd.exe (3 entries)
- PID 4716 wrote to memory of 932; pid 4716: cmd.exe; target process: findstr.exe (3 entries)
- PID 4716 wrote to memory of 3620; pid 4716: cmd.exe; target process: cmd.exe (3 entries)
- PID 4716 wrote to memory of 1740; pid 4716: cmd.exe; target process: Multimedia.pif (3 entries)
- PID 4716 wrote to memory of 4032; pid 4716: cmd.exe; target process: PING.EXE (3 entries)
- PID 1740 wrote to memory of 1612; pid 1740: Multimedia.pif; target process: RegAsm.exe (5 entries)

Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\pengisv\Injector.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\pengisv\Injector.exe"
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: "C:\Windows\system32\cmd.exe" /c move Originally Originally.cmd && Originally.cmd
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\tasklist.exe
        command line: tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\findstr.exe
        command line: findstr /I "wrsa.exe opssvc.exe"

      C:\Windows\SysWOW64\tasklist.exe
        command line: tasklist
        - Enumerates processes with tasklist
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\SysWOW64\findstr.exe
        command line: findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

      C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c md 5520225

      C:\Windows\SysWOW64\findstr.exe
        command line: findstr /V "enjoyingepapostpostedsrc" Pulling

      C:\Windows\SysWOW64\cmd.exe
        command line: cmd /c copy /b Material + Eur + Courses + Ima + Tender + Twiki + Flags + Holidays + Applicable + Decades 5520225\f

      C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\5520225\Multimedia.pif
        command line: 5520225\Multimedia.pif 5520225\f
        - Suspicious use of NtCreateUserProcessOtherParentProcess
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\PING.EXE
        command line: ping -n 5 127.0.0.1
        - Runs ping.exe

  C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\5520225\RegAsm.exe
    command line: C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\5520225\RegAsm.exe
    - Executes dropped EXE
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\5520225\Multimedia.pif (872KB)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\5520225\RegAsm.exe (63KB)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\5520225\f (744KB)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Applicable (108KB)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Commentary (131KB)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Courses (36KB)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Decades (43KB)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Eur (123KB)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Flags (34KB)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Holidays (182KB)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Ima (61KB)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Material (50KB)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Originally (19KB)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Postage (184KB)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Pulling (139B)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Refine (145KB)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Report (68KB)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Tender (87KB)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Therapeutic (244KB)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\This (100KB)
- C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\Twiki (20KB)
- C:\Users\Admin\AppData\Local\Temp\TmpCCD5.tmp (2KB)