Analysis
-
max time kernel
657s -
max time network
695s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
-
submitted
28-06-2024 14:41
General
-
Target
XClient.exe
-
Size
69KB
-
MD5
95ffbe3fbb27e900e3bf7012175efc24
-
SHA1
b386127111d1c82f20e4625b805aa8a01dae9192
-
SHA256
aeea4b2f2f8d924f36c902d96c0b77182984530acaedb33b3124665c4b2f769f
-
SHA512
409ede5eff17f9d239adae7df9a594072b828088e9a19d173f7064b89f678ee36a6b25db4ba0db6bb74521d7e88b12f737b8d80abd7854476df94aa89edacc95
-
SSDEEP
1536:ALSNQK0UvT9Mti+zoQ+bVEmuZAauL67LHXOoG1U2CEW1:AeN1/QX+bCY6HXOv4EG
Malware Config
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect Xworm Payload 11 IoCs
-
Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
-
Suspicious use of NtCreateProcessExOtherParentProcess 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Creates new service(s) 2 TTPs
-
Disables Task Manager via registry modification
-
Drops file in Drivers directory 2 IoCs
-
Stops running service(s) 4 TTPs
-
Checks computer location settings 2 TTPs 7 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 27 IoCs
-
Loads dropped DLL 1 IoCs
-
UPX packed file 9 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
Drops file in System32 directory 19 IoCs
-
Suspicious use of SetThreadContext 4 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 1 IoCs
-
Launches sc.exe 6 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 33 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 23 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 13 IoCs
-
Modifies Internet Explorer settings 1 TTPs 33 IoCs
-
Modifies data under HKEY_USERS 61 IoCs
-
Modifies registry class 63 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of SetWindowsHookEx 14 IoCs
-
Suspicious use of UnmapMainImage 5 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
System policy modification 1 TTPs 2 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
- Suspicious behavior: GetForegroundWindowSpam
-
C:\Users\Admin\AppData\Roaming\wininit.exeC:\Users\Admin\AppData\Roaming\wininit.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\wininit.exeC:\Users\Admin\AppData\Roaming\wininit.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\wininit.exeC:\Users\Admin\AppData\Roaming\wininit.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\wininit.exeC:\Users\Admin\AppData\Roaming\wininit.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\wininit.exeC:\Users\Admin\AppData\Roaming\wininit.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\wininit.exeC:\Users\Admin\AppData\Roaming\wininit.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\wininit.exeC:\Users\Admin\AppData\Roaming\wininit.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\wininit.exeC:\Users\Admin\AppData\Roaming\wininit.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\wininit.exeC:\Users\Admin\AppData\Roaming\wininit.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\wininit.exeC:\Users\Admin\AppData\Roaming\wininit.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\wininit.exeC:\Users\Admin\AppData\Roaming\wininit.exe2⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Roaming\wininit.exeC:\Users\Admin\AppData\Roaming\wininit.exe2⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulta4168461h7b94h4247ha1dch1135b7eac11c3⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x140,0x144,0x148,0x11c,0x14c,0x7ffe702346f8,0x7ffe70234708,0x7ffe702347184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,11673268259578779402,16932721816797098724,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1984 /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1976,11673268259578779402,16932721816797098724,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:34⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1976,11673268259578779402,16932721816797098724,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:84⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault4ae083e0hbcdeh44bah910bh671611733e523⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x140,0x144,0x148,0x11c,0x14c,0x7ffe702346f8,0x7ffe70234708,0x7ffe702347184⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2240,129735251191418019,1989480393487586548,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:24⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2240,129735251191418019,1989480393487586548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:34⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2240,129735251191418019,1989480393487586548,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:84⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
- Modifies Internet Explorer settings
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4ac 0x2f82⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"2⤵
- UAC bypass
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\wininit.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wininit.exe'3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "wininit" /tr "C:\Users\Admin\AppData\Roaming\wininit.exe"3⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Users\Admin\AppData\Local\Temp\dxfhll.exe"C:\Users\Admin\AppData\Local\Temp\dxfhll.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\dxfhllSrv.exeC:\Users\Admin\AppData\Local\Temp\dxfhllSrv.exe4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\DesktopLayer.exe"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"6⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2976 CREDAT:17410 /prefetch:27⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\eoovwb.exe"C:\Users\Admin\AppData\Local\Temp\eoovwb.exe"3⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart5⤵
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "EWLOMKXJ"4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "EWLOMKXJ" binpath= "C:\ProgramData\noaxzqghumuf\fiwtysvghhbt.exe" start= "auto"4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog4⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "EWLOMKXJ"4⤵
- Launches sc.exe
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV15⤵
-
C:\Users\Admin\AppData\Local\Temp\gkmxlp.exe"C:\Users\Admin\AppData\Local\Temp\gkmxlp.exe"3⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Users\Admin\AppData\Local\Temp\hfwgco.exe"C:\Users\Admin\AppData\Local\Temp\hfwgco.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\54455354\ERR0R422.exe"C:\Users\Admin\AppData\Local\Microsoft\Windows\54455354\ERR0R422.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\5371.tmp\5372.tmp\5373.bat C:\Users\Admin\AppData\Local\Microsoft\Windows\54455354\ERR0R422.exe"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
-
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exejava -Xmx1024M -Xms1024M -cp ERROR422.jar "-Dorg.lwjgl.librarypath=C:\Users\Admin\AppData\Local\Microsoft\Windows\54455354/natives" "-Dnet.java.games.input.librarypath=C:\Users\Admin\AppData\Local\Microsoft\Windows\54455354/natives" Start6⤵
-
C:\Users\Admin\AppData\Local\Temp\pcnpen.exe"C:\Users\Admin\AppData\Local\Temp\pcnpen.exe"3⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\wwlkzh.exe"C:\Users\Admin\AppData\Local\Temp\wwlkzh.exe"3⤵
- Loads dropped DLL
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 2232 -s 15164⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Users\Admin\AppData\Local\Temp\kxriak.EXE"C:\Users\Admin\AppData\Local\Temp\kxriak.EXE"3⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ice-berg.any.ru/4⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe702346f8,0x7ffe70234708,0x7ffe702347185⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,17443854739828115212,12284566577852803099,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:25⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,17443854739828115212,12284566577852803099,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:35⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,17443854739828115212,12284566577852803099,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17443854739828115212,12284566577852803099,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3088 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17443854739828115212,12284566577852803099,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3096 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17443854739828115212,12284566577852803099,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,17443854739828115212,12284566577852803099,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3092 /prefetch:15⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,17443854739828115212,12284566577852803099,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4468 /prefetch:85⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,17443854739828115212,12284566577852803099,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4468 /prefetch:85⤵
-
C:\Users\Admin\AppData\Local\Temp\vxshdx.exe"C:\Users\Admin\AppData\Local\Temp\vxshdx.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\huii.exe"C:\Users\Admin\AppData\Local\Temp\huii.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hui.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\hui.exe" xui25⤵
- Executes dropped EXE
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\wvxwfy.exe"C:\Users\Admin\AppData\Local\Temp\wvxwfy.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\54455354\ERR0R422.exe"C:\Users\Admin\AppData\Local\Microsoft\Windows\54455354\ERR0R422.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\E8F6.tmp\E8F7.tmp\E8F8.bat C:\Users\Admin\AppData\Local\Microsoft\Windows\54455354\ERR0R422.exe"5⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV16⤵
- Suspicious use of SetWindowsHookEx
-
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exejava -Xmx1024M -Xms1024M -cp ERROR422.jar "-Dorg.lwjgl.librarypath=C:\Users\Admin\AppData\Local\Microsoft\Windows\54455354/natives" "-Dnet.java.games.input.librarypath=C:\Users\Admin\AppData\Local\Microsoft\Windows\54455354/natives" Start6⤵
-
C:\Users\Admin\AppData\Local\Temp\iwvqsi.exe"C:\Users\Admin\AppData\Local\Temp\iwvqsi.exe"3⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" stop wuauserv3⤵
- Launches sc.exe
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" config wuauserv start=disabled3⤵
- Launches sc.exe
-
C:\Users\Admin\AppData\Local\Temp\yokazz.exe"C:\Users\Admin\AppData\Local\Temp\yokazz.exe"3⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\scream\sound.vbs"4⤵
-
C:\Windows\SysWOW64\mshta.exe"C:\Windows\SysWOW64\mshta.exe" "C:\scream\gif.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}5⤵
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /42⤵
- Checks SCSI registry key(s)
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /42⤵
- Checks SCSI registry key(s)
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /42⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Checks SCSI registry key(s)
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of UnmapMainImage
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv1⤵
- Drops file in Windows directory
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks processor information in registry
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc1⤵
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding1⤵
-
C:\ProgramData\noaxzqghumuf\fiwtysvghhbt.exeC:\ProgramData\noaxzqghumuf\fiwtysvghhbt.exe1⤵
- Drops file in Drivers directory
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force2⤵
- Command and Scripting Interpreter: PowerShell
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart2⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV13⤵
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart3⤵
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe2⤵
-
C:\Windows\system32\dialer.exedialer.exe2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca1⤵
-
C:\Windows\system32\BackgroundTransferHost.exe"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.11⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s camsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{7966B4D8-4FDC-4126-A10B-39A3209AD251}1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 420 -p 2232 -ip 22322⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo1⤵
-
C:\Windows\ImmersiveControlPanel\SystemSettings.exe"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks SCSI registry key(s)
- Enumerates system info in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\ApplicationFrameHost.exeC:\Windows\system32\ApplicationFrameHost.exe -Embedding1⤵
- Modifies registry class
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s BthAvctpSvc1⤵
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k WerSvcGroup1⤵
-
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\813eddbe2f294c0a842f64805a6fa100 /t 5904 /p 59002⤵
-
C:\Windows\SysWOW64\werfault.exewerfault.exe /h /shared Global\e14066e2560742f1a9ec0e9e2a18a4b9 /t 2196 /p 31562⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\ImmersiveControlPanel\SystemSettings.exe"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\mousocoreworker.exeC:\Windows\System32\mousocoreworker.exe -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
2Service Execution
2Scheduled Task/Job
1Scheduled Task
1Persistence
Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Create or Modify System Process
2Windows Service
2Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
2Disable or Modify Tools
1Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER18AB.tmp.csvFilesize
39KB
MD5a2cc87c9489124d539954c61938f5fb6
SHA15eb1429db55f4fdf623dcfa578e2498bcdeb08a9
SHA25611b9602f04b03ab6824938b885e762e6f9163b2e352846fb8b6cd149d868d420
SHA512d6769edd3fcb30d3a36d256f672dddf354eee7d0716fe0ad15320e5760f59b292c4e07f873d24916eb0045cda2006919e730ac488f69e036542148eb2c7e01f5
-
C:\ProgramData\Microsoft\Windows\WER\Temp\WER18CB.tmp.txtFilesize
13KB
MD56621f0dddaa761b05ca88f039d66c83c
SHA1de335c052f329e28b60ebafb182cf8403d142029
SHA256b406185f99968780a032fc7c59e7fdcfb19286e6afcfedb34e6768e2d88b2ff0
SHA5124f14a8de64f9914396fe37b1811d5e1bf57be62a2f9b44a1d7eecb0de64cc3da19a02a2df5161f4685ae15ab88d1082fbdd671c5133ed332233690cb7d5eafc8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506Filesize
328B
MD52d0444af607d15cce18faf17766d1201
SHA12bc7a8d767d0666325eb99e4280699f15975e925
SHA256a90ae817dd429ba168ecf442ca5cdd904db23fc83e44c1676ac853559d7428c7
SHA5122534d85e4f6b26b6c43643087917b80246d3f013c5478e37034565274cb0c7a13af66eace769188fd36d0f4033214a3825b801122fbec08d3f0bb3f0cd0894ae
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749Filesize
330B
MD576ca8205ebbecabb4f2c50d031b8e5f5
SHA1cb6155a41148cb7bda6868e1ceffc617c1b10924
SHA256f798152e14a3e7fcb590d2070b091fbb4a0db3158c35e4ec5760087efe3f7d45
SHA512d176b21d3e03f9aba2b400ee79c39adc9eb29ac96ae40856e71733c6b45736ceceb268fa0fb0be0ecd8474b9ffcaf0b97e6cd74c34019a02ded96245d9002df6
-
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idxFilesize
64KB
MD5d2fb266b97caff2086bf0fa74eddb6b2
SHA12f0061ce9c51b5b4fbab76b37fc6a540be7f805d
SHA256b09f68b61d9ff5a7c7c8b10eee9447d4813ee0e866346e629e788cd4adecb66a
SHA512c3ba95a538c1d266beb83334af755c34ce642a4178ab0f2e5f7822fd6821d3b68862a8b58f167a9294e6d913b08c1054a69b5d7aec2efdb3cf9796ed84de21a8
-
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lockFilesize
4B
MD5f49655f856acb8884cc0ace29216f511
SHA1cb0f1f87ec0455ec349aaa950c600475ac7b7b6b
SHA2567852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba
SHA512599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8
-
C:\Users\Admin\AppData\Local\D3DSCache\e8010882af4f153f\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.valFilesize
944B
MD56bd369f7c74a28194c991ed1404da30f
SHA10f8e3f8ab822c9374409fe399b6bfe5d68cbd643
SHA256878947d0ec814fe7c343cdebc05eebf00eb14f3023bdb3809a559e17f399fe5d
SHA5128fc5f073dc9fa1e1ae47c60a5f06e0a48709fd6a4302dffaa721858409e7bde64bc6856d3fb28891090516d1a7afc542579de287778b5755eafe75cc67d45d93
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.logFilesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD556067634f68231081c4bd5bdbfcc202f
SHA15582776da6ffc75bb0973840fc3d15598bc09eb1
SHA2568c08b0cbceb301c8f960aa674c6e7f6dbf40b4a1c2684e6fb0456ec5ff0e56b4
SHA512c4657393e0b9ec682570d7e251644a858d33e056ccd0f3eebffd0fde25244b3a699b8d9244bcdac00d6f74b49833629b270e099c2b557f729a9066922583f784
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD581e892ca5c5683efdf9135fe0f2adb15
SHA139159b30226d98a465ece1da28dc87088b20ecad
SHA256830f394548cff6eed3608476190a7ee7d65fe651adc638c5b27ce58639a91e17
SHA512c943f4cfe8615ac159cfac13c10b67e6c0c9093851dd3ac6dda3b82e195d3554e3c37962010a2d0ae5074828d376402624f0dda5499c9997e962e4cfd26444c0
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5d18756a95e5ea0e568ff79a30053365a
SHA187a37abc48de19e798df6d77c68b883314e41a2a
SHA2564398d7392abdbcca0d964a6be095e144138f3213d049a560b95df2dd4afcec6d
SHA5126026fee9ec352ca904b0c74753525b699138b44923a6cedc2b80650f66a4acbc9e6031b07fb5d7af3ca5f392d5beae23f37a1840b3e214e460dfc3d17f051ade
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5a5c80e12cb57a5b8b42d7603865618e6
SHA13e8e2de5b2f7f95a91c62f6056c2285676030128
SHA256dd2505b4f678dfb179bbc009310ff1afb083da7f338c3360ae39a8280d5c1968
SHA51282dfc1c65a797ca0bbe9b7dee1ae213a60addd8f3947cd5f9e3980f526f678f41a278ba9e29f606b5cd5df5254ef8847947a1903583eb996468c5d0f394cc3bf
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\05743e59-f0a5-4cc1-976e-4f81b88fed63.tmpFilesize
1B
MD55058f1af8388633f609cadb75a75dc9d
SHA13a52ce780950d4d969792a2559cd519d7ee8c727
SHA256cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA5120b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
6KB
MD5ba1a7e93aa4c2115aa19a5a911c387ee
SHA10628b5ce86040574a25a19234c160066d31015e2
SHA256b02b035f7d3ab261e38119ca291bc6c691f910a9421e4c95ba540430b67ca556
SHA512fc458a544e5fb2772920b598ef1740a29357071d5031aa0d3956397a488c59dc8a83b89acfb22a55c95c7166c2ae84d51ba83190f9aeb8c24ce1f38c9c88add9
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferencesFilesize
5KB
MD57e00bc2642161016abdb8128444aebfc
SHA127a3f1706369eeccf77ad63284a30cc333debc74
SHA256ed3ef5619732f21ce74da91448a70e9d607b67777ebf5e8e9d820ea8f6b31f8a
SHA512d7fb034a81f725fb3282d26a72e1f2e6a6ea9110ef62804a8312d6ee4bb25e78b13dc4d4360f2774aa5426ee5a3cfe5381e4b3cbb99ecaa023793e1ffbc9989b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENTFilesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
11KB
MD5341782b9f2e70febc942f23c7118842b
SHA15267071e4c7de57c74a850772b1477ba0bab0856
SHA256858dc60270e5d4d0a69c00b93b2ae54a235cda68b666c403361f4e2872d5493e
SHA512c69cf722479ca033a3861e6750b35000198fe58c92aff8d446cd10ec894f067dc0ecdf6f9462f8c725bf4bbd17d9ca816e9a3c31e7320eb88ee8b36a68f91daa
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1Filesize
264KB
MD5f50f89a0a91564d0b8a211f8921aa7de
SHA1112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58
-
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdbFilesize
256KB
MD5077f30960d9e4ee83fff7d6734fd4756
SHA188d4bfc40e94bfd1c60f8142d69ab2adfa00cddf
SHA2569999209b6d22ce028595e36c06490222dc9e56489d3595539e762c609dea5ac0
SHA512285dc9ca635cee97b1d64efcdf03a700ca5cf7b77bca7a77c1d29f5509b98b6c904b9cbcd8eb73112029ba562da731a2e4ba88eed8e08922e4f75c9a48728b0c
-
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XMLFilesize
9KB
MD57050d5ae8acfbe560fa11073fef8185d
SHA15bc38e77ff06785fe0aec5a345c4ccd15752560e
SHA256cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b
SHA512a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\54455354\ERR0R422.exeFilesize
44KB
MD551ec46a22f2f8bea7c396f8f5fa4dca3
SHA1cc260eade22bc79b82f04cc2fb70f1a529a537e0
SHA2567a083b17aa3ddd054d5221bda285d75ed4a060fb3933f8461e178ccc647da7b5
SHA51269907e7074c8a4bdf1b657a9daad3378ea8df1a92d4b8f5f1ed8a4b3a87b8f0351298d973c7b1827f7d2b04fb67ce672d065bfdf9c8feee65f520a27989513ce
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5da5c82b0e070047f7377042d08093ff4
SHA189d05987cd60828cca516c5c40c18935c35e8bd3
SHA25677a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5
SHA5127360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD577d622bb1a5b250869a3238b9bc1402b
SHA1d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD596e3b86880fedd5afc001d108732a3e5
SHA18fc17b39d744a9590a6d5897012da5e6757439a3
SHA256c3077e4cadb4ed246c02abe55aa6cf832fee4c2546b7addb7d22cd1c7c8c1294
SHA512909b1968f7204fa7029109b02232d8cc5438f6b4dc7c9044e4e47c59fcee538199b13029e36592b12ed573d48a308dd4822d2ced4129ab08d4111897e02be55d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD509556ba16d6d816c93fb3f26df44ce6c
SHA17bc417f360e50cb047d65a4b16de7f603883eeb3
SHA256b66d2ede19b3012c63d7d2353a1bc0eb17d2646f7642d6bf600b337bc355e9ac
SHA51223b804001ae07c95b7cce4b29089ca787df4be2f2723b7b164ff0db5cb22343ac307b46c7188e38f5caf5987a0e10c6b336d4023e7d1d5b32e831e4f91929def
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.themeFilesize
1KB
MD56ca73a6f005da960b0c0a4bd0250c30c
SHA14594ea28bc55808f0b21d0b69114ea56e0f529b2
SHA2564ffa90ec6d9fa6146bacabeffc39bb967ea5605733dd95ec794ba56f803d02f3
SHA51297af5c6e84465e98c469672f8c5296984fcba153652765b978ad6c91af342e06396d0f2462abd88543023359cedfa830d4c9295aaa035e8891d601f7966fe242
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.themeFilesize
1KB
MD5b1b8e5fbd3a5d8e8733ba782be4bfec1
SHA1e32114f283f4492ae17612ceef82dfa5b2cbd00b
SHA25627ebf09ccb8eeb06c5039b4ff6b65330cec2df088048c1f4c410d447c9028bdc
SHA512d6d991960bca45d68939c3ff3501d9072e8ce0b4df5e7370e3ecce8eaf7721c3aea1e35fb513bb7be6cae850afbc8b5893f82df464db6c6d13602ebe6090e729
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\Themes\Custom.themeFilesize
1KB
MD5381315a8ea7eb66f79f9fc0440bce60b
SHA134c703e25a7543453f7054cbe66480bef641133d
SHA25607beb6a1a33552322a61f94310e02922b13424adc9eb444c303b07959cdd2e63
SHA5124ca0ab83125828c8e2074ef9f0a303e74d68649409929ded899fc9eef5c4bf494ffe0c47655327a4a8c2ae966c84be925a7f6f90708a66ca62502d8b30004a06
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\edb.chkFilesize
8KB
MD52be41f99bf4e0aae142cfc9c579d7f9f
SHA1df2e4e83580f6e729781fc5bd2c9855bb2d69882
SHA25681e8c8c14ae3608396e2fddf1d4f0f80e21d1a5edb259cafb9018c54ba9db26d
SHA51296e1ac2d2315c4c5806bda3da3dbdd68d9d61ab0a6b4a011beadb97cc2acf3c82665deada7694692339ee18389e71b0bc3ee277f011f816b99353fa2875fcc4f
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AppData\Indexed DB\edb.logFilesize
512KB
MD55f0aa7c8ca7bb990ebb696087f177430
SHA16d37c70d7c77821ec8cb7dbb0c4e8b4930e66888
SHA256cd5a0adc07a8a6ed955c4dc0e4d5b4aa00ff570793e317cde94a4eeb5777eea9
SHA51245a49188e7ae8e13b701b853db57ef287c9b7c1de2983d4f91a34e33c332b823b358cecd40303b466bf86261692443af846ec53ff27574ce8d0839506088775d
-
C:\Users\Admin\AppData\Local\Temp\5371.tmp\5372.tmp\5373.batFilesize
147B
MD5c18d654820bb66f2a1c8d14177590758
SHA16d5d5b551f1d530e5538e534709605bb5f7a7ceb
SHA2560a3bcb6f9e67056e8a69553c85a37eda4b27007c07b74891aa6de647ea4e8754
SHA5122c172bbebac2c3bdafa81c440a0a4d66fad64a96acbc9084a7a977abb8d69c779206ff46cedea2f36686f43e5d168aca39a1bf6630b926337d05d8d4d5b1666a
-
C:\Users\Admin\AppData\Local\Temp\Log.tmpFilesize
137B
MD5e88c8232f0210e8b03c6a2132b6a2cec
SHA199a16e9ace5f3ad0e5bb9483438d3bee5c30fc9e
SHA256d4f5181a574d9db20064fff95fb837b4cd2b1a5635255066f72a0f3cae8f3be2
SHA5121f5839234bfee82f9384a70bb177510baa77077836dffa61ea6dee3eb58a6b2445d94638c5389af1d58d5b2be9191597a9a84bd20177cef27cbf7748985f3fd7
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\hui.exeFilesize
5KB
MD517b935ed6066732a76bed69867702e4b
SHA123f28e3374f9d0e03d45843b28468aace138e71c
SHA256e60353b37f785c77e1063ac44cba792e9ec69f27b1dc9f3b719280d5ce015cc0
SHA512774ea047cdc5f008df03ad67242df04d630bb962bc99f1ea8974a21baf6a902c7a5d8b8d09d9e5c7d7e46b0378c7baf33bf80fb3e34777cd0958b8fc740d0318
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tboknlmo.kaa.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\Temp\dxfhll.exeFilesize
163KB
MD527d06a1dfc94073b72e19979b08a7b3f
SHA1197579c745b81d1ffc7ea79269fd630eebcb7ead
SHA256ddcd0e5afed1b0be5531e2836965a458144cab385250435471710c0e2d463f59
SHA5126995dd0c1d45a7255699cddffe1bc888ad39aa6c8a791ea35ca3653701ee521ffbc54319775d316ce60e4740220fa7abfc64e93d15950d6018bc3b6757491443
-
C:\Users\Admin\AppData\Local\Temp\dxfhllSrv.exeFilesize
55KB
MD5ff5e1f27193ce51eec318714ef038bef
SHA1b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a
-
C:\Users\Admin\AppData\Local\Temp\eoovwb.exeFilesize
2.7MB
MD5dbf52318754b27167746fc2e878d7193
SHA1a8831d8e6bb3c4cd0d5e2490e54cda31e8d422f7
SHA256fc97019fecf86a78a4ce2387491b3b3ce92186fab98b4d314db9d237e52dceb2
SHA51202154acbd5d27c9964f034de93e72df7256573b1f639268c862aa70932c806a4a479f8ff285841cd5b61790bf0ae634b9ea94f9f401087934abedf567b2f9d6d
-
C:\Users\Admin\AppData\Local\Temp\gkmxlp.exeFilesize
1.0MB
MD5ae250258012727720a7be047f3a551bb
SHA1a605d60d81c6002c8a67c8770c6a7133a281359c
SHA25675cca561fd994676c8925dc592a324739c15e834deae2e0c26cd09519c2f84d7
SHA5129c3e2e449270a74be1af746752946c77dcdff677f4d38767f4eac65b292dca18d5e6935e2c134e625d762af7dd7e3a35ba01ade3c34cc9ae1c66e28d6506ad62
-
C:\Users\Admin\AppData\Local\Temp\hfwgco.exeFilesize
10.4MB
MD5c15722d1f29b28fefac3a34c1d1a296a
SHA1cf775816f832f08a024de89c96eb9311ef2a66c5
SHA256c1d06468a2f089b4f6efbd51f4a140be40283e2efc76d25712e63471bca9f235
SHA51211618e411a8c55eb0a6f7cea0a0c0a70c5df521652cadc09339d43dffcdb7da15155adb8d42bf8a214f542382f01c29086fb14258ea5eab91bb2335474a070ad
-
C:\Users\Admin\AppData\Local\Temp\huii.exeFilesize
313KB
MD5c125391f5a989f964548e45decc7490e
SHA108906a336b65dbb61cfc0b95f11315f18a5301f8
SHA256acc6fecd839b1de178b5d17525b3764fb7511e589ae04f6217666e869cacce91
SHA5129a6b36c78b9016f662124f4761d4ad42965748259fba7f8fc59730d0fbd63b151ff34b650019645fe845659ea024e9a9f173c55427aced781b5e5a6938b8dd3d
-
C:\Users\Admin\AppData\Local\Temp\iwvqsi.exeFilesize
24KB
MD51a4bab8710264cbee18fccd998dd4dd3
SHA141e6d14da0a559a3764bd57cd8017e4c5b41a97b
SHA256522690525ad617c5995ee43c1efcf7c4e43750e9118825f054cc2136e19d93a9
SHA512d279e5fe40dcacaba2cd162cb3f18219868768612b50da460d4acc02e358e7b83033a685dc68c2741a2e8048b6df525bc99a825e87b8a03679d8ee23847ebdfa
-
C:\Users\Admin\AppData\Local\Temp\kxriak.EXEFilesize
1.0MB
MD542dd94809ad0c60480690c0ae0019ee8
SHA1d578fb2fc7c0b08a8ebb375e920d3602a70a098d
SHA2560040cd2d77e8f81db7414c284bf9828348d7b3a5a5322177fd9e8151fc00638f
SHA512b8ba04feb9e2a6b15b017af6d2af55756987ac33de1c0740208ac09f402218ca585bbe0e6ce91b8aa50b0653fc8999473c1ed34c3b1a0d5e87b21ce35c19470b
-
C:\Users\Admin\AppData\Local\Temp\pcnpen.exeFilesize
7.4MB
MD53c3d1168fc2724c551837a505ea4374e
SHA186c913a12067fd2c1bbc31fb64a5b5d056175841
SHA256f91c14c328544a2d4cc216c7c2115283806fa3201d40bd3c7c5d79dccd025b09
SHA5120f181c9753a3f55e4f4a434ea3e972e00b46fb7319d95a4b7a5c7d09888537df4a8fc4c2c5e0232f96b441727e45a595eed42721ff8c7799302e4d3f13156a8e
-
C:\Users\Admin\AppData\Local\Temp\vxshdx.exeFilesize
323KB
MD5c76b0867436829232609a7f6c786c37c
SHA106d88a277a77db9494feca72c31a35af3f83a4f8
SHA2563c399e4c4826de5f378e1da9a9e54c29bf8d557aae01f53d307c4bf565d03194
SHA5129047a8ac3a2795c73e5650ce37d0595798532579ca4013f2498e9641796d9814aba1d138812ee28135edd4b48843f58063c278511c4279ee3afbd422a683359d
-
C:\Users\Admin\AppData\Local\Temp\wwlkzh.exeFilesize
3.8MB
MD5a06b3a0a8bcc14b73a6a2b566e6d0cfa
SHA1b2db8cd4ab404f71914e1a0acc3882b036646e2b
SHA256df1d3303f29c9b8a7c375ea9117688248834a6929a3092097c144e0cd90c94a5
SHA5121080ac681008cfaec018428e08bd643efa99f4805c3e788ccb82711135a9d22c6b10ae7b7645d37d7465b5e291207adffe56534c9525887597173a9bb250cd1e
-
C:\Users\Admin\AppData\Local\Temp\yokazz.exeFilesize
14.4MB
MD589b71fbe1673bc0e6ca1080a5a44db44
SHA17ba6febc919bf5b8e9c43a9afd157da98698adab
SHA256d1f870c4e341f2aa1e2ec137b5b5dcfe0802891df37552a86211fb4b6731325a
SHA512eae740aabfb841eda246f78a36c1a14e557ec7aa60818c4f6eca521f5e99524d7724b634221272f56ccc59edd1b8a964a450599d89dbeafc243df1c266445e10
-
C:\Users\Admin\AppData\Local\Temp\~DF51A9A2F4D443E29F.TMPFilesize
16KB
MD50651453c1bf1b052d0241420b96c7ddf
SHA14035c11d705f530a04b089646924b013f9a3b5d6
SHA25610e35e67296f3e72a757df7dc0848f173f530037524690ea0d5decd537a09ca1
SHA5127a74ae9fffa160f384b1ce80b3577efdcd083217eb570e495f4d251b1a2c9a2fcfb28d77c19e923b1867278432ca5dfc6e9554fe87528cb0c09c4c030a3c1fce
-
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dicFilesize
2B
MD5f3b25701fe362ec84616a93a45ce9998
SHA1d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA51298c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\4RVU487Z3ANPAGXN6T22.tempFilesize
24B
MD54fcb2a3ee025e4a10d21e1b154873fe2
SHA157658e2fa594b7d0b99d02e041d0f3418e58856b
SHA25690bf6baa6f968a285f88620fbf91e1f5aa3e66e2bad50fd16f37913280ad8228
SHA5124e85d48db8c0ee5c4dd4149ab01d33e4224456c3f3e3b0101544a5ca87a0d74b3ccd8c0509650008e2abed65efd1e140b1e65ae5215ab32de6f6a49c9d3ec3ff
-
C:\Users\Admin\AppData\Roaming\wininit.exeFilesize
69KB
MD595ffbe3fbb27e900e3bf7012175efc24
SHA1b386127111d1c82f20e4625b805aa8a01dae9192
SHA256aeea4b2f2f8d924f36c902d96c0b77182984530acaedb33b3124665c4b2f769f
SHA512409ede5eff17f9d239adae7df9a594072b828088e9a19d173f7064b89f678ee36a6b25db4ba0db6bb74521d7e88b12f737b8d80abd7854476df94aa89edacc95
-
C:\Users\Admin\Desktop\CheckpointSelect.wvxFilesize
722KB
MD582d4502f1fcee0757b531f0b91e9b5d3
SHA15c6191b6d0377ef1f09db442763907ade0d71fcf
SHA2561ea1b60c941c3132f0445ef217ebde592e477e6a028aa77a3b02899adca428fa
SHA5121542a0094787bb1f1587cceea18c419be792366ac0e3773520056472dc8afe8ce794386f7a19eb53748a3764f93b698d743ea0b35229e97eeab8df4d6c0dcd10
-
C:\Users\Admin\Desktop\CompareRestart.mp3Filesize
457KB
MD53cadc273b09d4d0d424b39b39a8f06a2
SHA1fd9dbb713f10122e5e267980794d86eaf8a047f2
SHA256892ec2066628b0b152f41a4483b20660cd718e2f1966dcba2ef4113a76fd1b4a
SHA512f6123f11e100c4892d0d0df41463973502f7415bb6be38908bd605efe7c9831235398e58f422ad01d4d5a738fef8a56679292e816d63723ce4f24d8d1b112e0c
-
C:\Users\Admin\Desktop\CompressUnprotect.dibFilesize
752KB
MD5b9e2a30c0f08828ed52c3f8abc091b65
SHA1b7b652be1b533b3935a9e4b21083bdeb724ff9e8
SHA2569475535e6a09fdff361d9e3fec81130b55acb6d8f9369d44064d6c281997b277
SHA512abaea2a969c994290b9f093e8b4b258d74fb44a61feb4cc5bbe4f06e63d2db84d70b4ee7b043c6b4d7ca603527bb4e7e5f5ddcc25dc276da3a3d47908c4a0808
-
C:\Users\Admin\Desktop\DisconnectWait.3gppFilesize
869KB
MD530b36605538631b46c95645cec1b294a
SHA16b105247c616f9e42f0d8725537801788f50eac8
SHA256720327cbb73bd3b591f0411aed77af3a484f0d9f05a76884410272d35d334638
SHA5125dbd87f21979e4f6d11547ef78baeac3e5c0c8af98a765c3e647aeaf2d62241149b6e0089158750e21953f032a78f5906eb7868843812e0d1c8d48e97b304c20
-
C:\Users\Admin\Desktop\EnterExpand.ps1Filesize
811KB
MD5e34e48f5cce3bc11d4deceb6f83c9fab
SHA1d4b0847a17236d32bbf60473d2ae0a8581ef2efb
SHA2563d3c681359b9a58d3a3be00c2800543d1dcebc13f29a458ead0473c2394c8f48
SHA5127ef88310b1b8f1c58d2fe3dad1a485e15c53674d4b9b98d1294f1d11d181221fbd6a6ace91ad4d0fb41f94a907fd37727d4ddc2c7523efec14727f62f27cd8e5
-
C:\Users\Admin\Desktop\ExitSplit.tiffFilesize
781KB
MD5c3c79d35a761f1b64f40c58f7e149ee8
SHA15a3d30d72733614199a13cb8568ba1b588e66bbb
SHA256fc183453b75aa97ce2cad04642d026e9986842ba17277a76ec327d550d482b6a
SHA5125e2e2a0f29242ce188bdb91568410c1e9ac8b3a1fafe362f2e393478a126c60d6dbd08c59378fd02c5f874166efdf21da0cebdac45c18ceaae0b31069c6a99a8
-
C:\Users\Admin\Desktop\ExitTrace.001Filesize
928KB
MD50e58c7299d706c55dd8f75e246c87d64
SHA16220873a74f3cc0a54e1c99608f83c80594f6cd5
SHA2567a53bfce3648e42623eafae3e76fb4766c762596cf73e248cefdb60c87521b05
SHA5121110786010db99c521c2dc6f63cf122bc29968544d180d037a7a989776b31973fe25a7c4f67585dc58c157ca1f172364ea324e3f627f3b35aa36961078922ae0
-
C:\Users\Admin\Desktop\ExportRevoke.tiffFilesize
1017KB
MD547e3f47ad835d31491868410e7022ac1
SHA12986c450c7f9d97c20c4a3f10c057f68596c140a
SHA2564803e553b324df830db2a173aab57829bd47f631bf578eb9c8d0a82558e81559
SHA512117d68b774e8dc261621b552c93f2c3fcc66d63d628f352aa10fb8216f8fe147371493867ddb92c1ca2ebd963a6d73750e708740cacddcfdf8c00303432b96f4
-
C:\Users\Admin\Desktop\GrantPush.wvxFilesize
604KB
MD59fb0c5aa45439af64e7155910cb6d753
SHA1d84a9110e367f879dca44d24ada3bd324e6e43a9
SHA256b6d661f24c1b35ffabe4ea8df88f99aa5de58ccefb5f84909566ffcab338339e
SHA512c7d89aa5f4bb7d090709f0c77535b1692d42a21d00d0846a03e814063566b613994c9aa5484ba262a04b099ed08c211c2ec8f5670f399ece6117c7b044d5122b
-
C:\Users\Admin\Desktop\MeasureResume.rmFilesize
840KB
MD5a4f08d9de8086b97827431598f127d64
SHA18025123f2a63daf495a48295bc6068e1b85021ad
SHA25676ac59aee81b3be4786576c69e5111786fde99bd6b15b55f613ce4b37a95cc13
SHA512fa8bd32615afcc996218c42431a46446f678e19c4ab84705835658ddbc6098580b629be1e522fca1e2b3e2fe1bf03282c15dcd58f7479714147c458228922c41
-
C:\Users\Admin\Desktop\ProtectSplit.mpv2Filesize
516KB
MD5fad75751f80df7313fc55c018cc88443
SHA11412016379608d39e85cb1d7e3cbc8c4f1bb993d
SHA2561217677ea1280e512562d34e702730b0606a71a9bb97c8b2bcd7a38ea2c2c3be
SHA5122a695178e15eaff42bb377200bfb9d771904333b7020992a0e19adda68c602d9692046aed9d7da1038174cefe17b8606756563c831096fdc39090cc3bb1097ad
-
C:\Users\Admin\Desktop\RemovePop.dllFilesize
368KB
MD53cf25abac12441e2582c9ac2e7d7b85c
SHA1dbd6060dcfd836ab5d0a63d09538a664810c863c
SHA25665e54db9a9ef4500dfe4078f04230cd8f30a9da5ed4b1fe36f152357454f942d
SHA512beab0e392df0a6152fae16bdb5d3aa2d73ea370a155564b9ca01b32327619ce038f47e5f9f31d5d6c3b949da5218cabfeb19ce20f30cc34c946ae299c3736bc0
-
C:\Users\Admin\Desktop\ResetMove.xslFilesize
634KB
MD5afaa449080cd133c27962ec895b001cb
SHA18bd517cc24b851800e0b186dccc466286b43c0a7
SHA2563b6f6da66e960fb2ce7e1cd9fc477b417ff5e8d2678198cea4193d942beda9bc
SHA51215392e8578c99427a122df24a8135d79bd76f920d590c3f649352649f7cf2b60b2ac410cec4813ec55a3db93742988e88dc785166f63bc8b42ca7ed97f7c872b
-
C:\Users\Admin\Videos\Captures\desktop.iniFilesize
190B
MD5b0d27eaec71f1cd73b015f5ceeb15f9d
SHA162264f8b5c2f5034a1e4143df6e8c787165fbc2f
SHA25686d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2
SHA5127b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance WorkFilesize
2KB
MD58abf2d6067c6f3191a015f84aa9b6efe
SHA198f2b0a5cdb13cd3d82dc17bd43741bf0b3496f7
SHA256ee18bd3259f220c41062abcbe71a421da3e910df11b9f86308a16cdc3a66fbea
SHA512c2d686a6373efcff583c1ef50c144c59addb8b9c4857ccd8565cd8be3c94b0ac0273945167eb04ebd40dfb0351e4b66cffe4c4e478fb7733714630a11f765b63
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Maintenance WorkFilesize
2KB
MD5f313c5b4f95605026428425586317353
SHA106be66fa06e1cffc54459c38d3d258f46669d01a
SHA256129d0b993cd3858af5b7e87fdf74d8e59e6f2110184b5c905df8f5f6f2c39d8b
SHA512b87a829c86eff1d10e1590b18a9909f05101a535e5f4cef914a4192956eb35a8bfef614c9f95d53783d77571687f3eb3c4e8ee2f24d23ad24e0976d8266b8890
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To WorkFilesize
2KB
MD5ceb7caa4e9c4b8d760dbf7e9e5ca44c5
SHA1a3879621f9493414d497ea6d70fbf17e283d5c08
SHA25698c054088df4957e8d6361fd2539c219bcf35f8a524aad8f5d1a95f218e990e9
SHA5121eddfbf4cb62d3c5b4755a371316304aaeabb00f01bad03fb4f925a98a2f0824f613537d86deddd648a74d694dc13ed5183e761fdc1ec92589f6fa28beb7fbff
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule Wake To WorkFilesize
2KB
MD57d612892b20e70250dbd00d0cdd4f09b
SHA163251cfa4e5d6cbf6fb14f6d8a7407dbe763d3f5
SHA256727c9e7b91e144e453d5b32e18f12508ee84dabe71bc852941d9c9b4923f9e02
SHA512f8d481f3300947d49ce5ab988a9d4e3154746afccc97081cbed1135ffb24fc107203d485dda2d5d714e74e752c614d8cfd16781ea93450fe782ffae3f77066d1
-
C:\Windows\System32\Tasks\Microsoft\Windows\UpdateOrchestrator\Schedule WorkFilesize
2KB
MD50b990e24f1e839462c0ac35fef1d119e
SHA19e17905f8f68f9ce0a2024d57b537aa8b39c6708
SHA256a1106ed0845cd438e074344e0fe296dc10ee121a0179e09398eaaea2357c614a
SHA512c65ba42fc0a2cb0b70888beb8ca334f7d5a8eaf954a5ef7adaecbcb4ce8d61b34858dfd9560954f95f59b4d8110a79ceaa39088b6a0caf8b42ceda41b46ec4a4
-
C:\Windows\system32\drivers\etc\hostsFilesize
1KB
MD59c290d137eaeb3a9a3a72d3b65b9e3df
SHA135dcaed00c229f9f021ab3026e6d87fdd7966388
SHA2569a63f4864834d1cea0d810d6f9765c85fc5f6fe1b4d1bf976893fd41869c5a34
SHA5124750b21194c699e3c8850014e580bf0772cfea0c62e672bcf761693bf690b3bc852bef2b29cad4fd601f09b6923886eeec55c1d62808a2d3e18c6b01f107add1
-
memory/224-939-0x0000000005CE0000-0x0000000005D72000-memory.dmpFilesize
584KB
-
memory/224-940-0x0000000005E70000-0x0000000005E7A000-memory.dmpFilesize
40KB
-
memory/224-938-0x0000000006290000-0x0000000006834000-memory.dmpFilesize
5.6MB
-
memory/224-937-0x0000000000B80000-0x00000000012E0000-memory.dmpFilesize
7.4MB
-
memory/316-159-0x00007FFE542D0000-0x00007FFE542E0000-memory.dmpFilesize
64KB
-
memory/316-158-0x0000024FCEC70000-0x0000024FCEC9B000-memory.dmpFilesize
172KB
-
memory/380-710-0x0000000000A80000-0x0000000000A98000-memory.dmpFilesize
96KB
-
memory/508-173-0x00007FFE542D0000-0x00007FFE542E0000-memory.dmpFilesize
64KB
-
memory/508-172-0x000001E72B570000-0x000001E72B59B000-memory.dmpFilesize
172KB
-
memory/536-58-0x00007FFE76233000-0x00007FFE76235000-memory.dmpFilesize
8KB
-
memory/536-1-0x0000000000C00000-0x0000000000C18000-memory.dmpFilesize
96KB
-
memory/536-0-0x00007FFE76233000-0x00007FFE76235000-memory.dmpFilesize
8KB
-
memory/536-1087-0x000000001C6B0000-0x000000001C6BA000-memory.dmpFilesize
40KB
-
memory/536-2445-0x000000001B960000-0x000000001B96E000-memory.dmpFilesize
56KB
-
memory/536-54-0x00007FFE76230000-0x00007FFE76CF1000-memory.dmpFilesize
10.8MB
-
memory/536-925-0x000000001B1B0000-0x000000001B1BC000-memory.dmpFilesize
48KB
-
memory/536-59-0x00007FFE76230000-0x00007FFE76CF1000-memory.dmpFilesize
10.8MB
-
memory/612-150-0x00007FFE542D0000-0x00007FFE542E0000-memory.dmpFilesize
64KB
-
memory/612-148-0x000001C8ED960000-0x000001C8ED984000-memory.dmpFilesize
144KB
-
memory/612-149-0x000001C8ED9C0000-0x000001C8ED9EB000-memory.dmpFilesize
172KB
-
memory/672-154-0x00007FFE542D0000-0x00007FFE542E0000-memory.dmpFilesize
64KB
-
memory/672-153-0x000002EAC88E0000-0x000002EAC890B000-memory.dmpFilesize
172KB
-
memory/868-176-0x000001C82B3A0000-0x000001C82B3CB000-memory.dmpFilesize
172KB
-
memory/868-177-0x00007FFE542D0000-0x00007FFE542E0000-memory.dmpFilesize
64KB
-
memory/956-163-0x000001D1A8450000-0x000001D1A847B000-memory.dmpFilesize
172KB
-
memory/956-164-0x00007FFE542D0000-0x00007FFE542E0000-memory.dmpFilesize
64KB
-
memory/1076-184-0x00007FFE542D0000-0x00007FFE542E0000-memory.dmpFilesize
64KB
-
memory/1076-183-0x000001F3C17B0000-0x000001F3C17DB000-memory.dmpFilesize
172KB
-
memory/1084-187-0x00007FFE542D0000-0x00007FFE542E0000-memory.dmpFilesize
64KB
-
memory/1084-186-0x0000026A86A60000-0x0000026A86A8B000-memory.dmpFilesize
172KB
-
memory/1160-193-0x00000212CB5A0000-0x00000212CB5CB000-memory.dmpFilesize
172KB
-
memory/1160-194-0x00007FFE542D0000-0x00007FFE542E0000-memory.dmpFilesize
64KB
-
memory/1208-196-0x000001F70E4C0000-0x000001F70E4EB000-memory.dmpFilesize
172KB
-
memory/1208-197-0x00007FFE542D0000-0x00007FFE542E0000-memory.dmpFilesize
64KB
-
memory/1272-201-0x00000264687D0000-0x00000264687FB000-memory.dmpFilesize
172KB
-
memory/1272-202-0x00007FFE542D0000-0x00007FFE542E0000-memory.dmpFilesize
64KB
-
memory/1292-1225-0x0000000000110000-0x0000000000128000-memory.dmpFilesize
96KB
-
memory/1568-820-0x0000000000320000-0x0000000000338000-memory.dmpFilesize
96KB
-
memory/2220-879-0x0000000000540000-0x0000000000558000-memory.dmpFilesize
96KB
-
memory/2232-997-0x000001BBAD2E0000-0x000001BBAD6A4000-memory.dmpFilesize
3.8MB
-
memory/2296-2433-0x0000000000C60000-0x0000000000C78000-memory.dmpFilesize
96KB
-
memory/2436-445-0x000001E09D940000-0x000001E09D948000-memory.dmpFilesize
32KB
-
memory/2436-439-0x000001E09D720000-0x000001E09D7D5000-memory.dmpFilesize
724KB
-
memory/2436-438-0x000001E09D700000-0x000001E09D71C000-memory.dmpFilesize
112KB
-
memory/2436-440-0x000001E09D7E0000-0x000001E09D7EA000-memory.dmpFilesize
40KB
-
memory/2436-446-0x000001E09D970000-0x000001E09D976000-memory.dmpFilesize
24KB
-
memory/2436-441-0x000001E09D950000-0x000001E09D96C000-memory.dmpFilesize
112KB
-
memory/2436-444-0x000001E09D990000-0x000001E09D9AA000-memory.dmpFilesize
104KB
-
memory/2436-447-0x000001E09D980000-0x000001E09D98A000-memory.dmpFilesize
40KB
-
memory/2436-443-0x000001E09D930000-0x000001E09D93A000-memory.dmpFilesize
40KB
-
memory/2444-1005-0x0000000000A40000-0x0000000000A58000-memory.dmpFilesize
96KB
-
memory/3576-83-0x0000000002050000-0x0000000002051000-memory.dmpFilesize
4KB
-
memory/3576-84-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/4136-139-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/4136-136-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/4136-138-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/4136-141-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/4136-142-0x00007FFE94250000-0x00007FFE94445000-memory.dmpFilesize
2.0MB
-
memory/4136-145-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/4136-137-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/4136-143-0x00007FFE92770000-0x00007FFE9282E000-memory.dmpFilesize
760KB
-
memory/4336-18-0x00007FFE76230000-0x00007FFE76CF1000-memory.dmpFilesize
10.8MB
-
memory/4336-11-0x0000020771730000-0x0000020771752000-memory.dmpFilesize
136KB
-
memory/4336-12-0x00007FFE76230000-0x00007FFE76CF1000-memory.dmpFilesize
10.8MB
-
memory/4336-13-0x00007FFE76230000-0x00007FFE76CF1000-memory.dmpFilesize
10.8MB
-
memory/4336-14-0x00007FFE76230000-0x00007FFE76CF1000-memory.dmpFilesize
10.8MB
-
memory/4336-17-0x0000020771510000-0x000002077172C000-memory.dmpFilesize
2.1MB
-
memory/4420-692-0x0000000000030000-0x0000000000048000-memory.dmpFilesize
96KB
-
memory/4496-80-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/4496-75-0x0000000000400000-0x000000000042E000-memory.dmpFilesize
184KB
-
memory/4692-1421-0x0000000000660000-0x0000000000668000-memory.dmpFilesize
32KB
-
memory/4732-779-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/4732-812-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/4976-697-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/4976-98-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/4976-71-0x0000000000400000-0x0000000000457000-memory.dmpFilesize
348KB
-
memory/5572-2386-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/5572-2361-0x0000000000400000-0x000000000041D000-memory.dmpFilesize
116KB
-
memory/5808-2478-0x0000000000D40000-0x0000000000D58000-memory.dmpFilesize
96KB
-
memory/5816-2664-0x0000000000E90000-0x0000000000EA8000-memory.dmpFilesize
96KB