Analysis
-
max time kernel
466s -
max time network
605s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
30-06-2024 20:46
General
-
Target
sv.exe
-
Size
63KB
-
MD5
c095a62b525e62244cad230e696028cf
-
SHA1
67232c186d3efe248b540f1f2fe3382770b5074a
-
SHA256
a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6
-
SHA512
5ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0
-
SSDEEP
1536:unjFXblMp3wgDkbivVSm16KTOKjLIJXc:unrAwgDkbicmbOKj0JM
Malware Config
Extracted
xworm
amount-acceptance.gl.at.ply.gg:7420
-
Install_directory
%ProgramData%
-
install_file
svhost.exe
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect Xworm Payload 2 IoCs
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Stops running service(s) 4 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 7 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Drops desktop.ini file(s) 17 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Launches sc.exe 5 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Kills process with taskkill 1 IoCs
-
Modifies data under HKEY_USERS 46 IoCs
-
Modifies registry class 1 IoCs
-
Runs net.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 60 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 28 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\sv.exe"C:\Users\Admin\AppData\Local\Temp\sv.exe"1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\sv.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'sv.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svhost.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svhost" /tr "C:\ProgramData\svhost.exe"2⤵
- Scheduled Task/Job: Scheduled Task
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html2⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" qc windefend2⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"2⤵
-
C:\Windows\system32\whoami.exe"C:\Windows\system32\whoami.exe" /groups2⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net1.exe"C:\Windows\system32\net1.exe" start TrustedInstaller2⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html2⤵
-
C:\Windows\SYSTEM32\taskkill.exetaskkill /F /IM explorer.exe2⤵
- Kills process with taskkill
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵
-
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" stop wuauserv2⤵
- Launches sc.exe
-
C:\Windows\System32\sc.exe"C:\Windows\System32\sc.exe" config wuauserv start=disabled2⤵
- Launches sc.exe
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1416 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:81⤵
-
C:\ProgramData\svhost.exeC:\ProgramData\svhost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=4952 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=4740 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5416 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:11⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\ProgramData\svhost.exeC:\ProgramData\svhost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files\VideoLAN\VLC\vlc.exe"C:\Program Files\VideoLAN\VLC\vlc.exe"1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
-
C:\ProgramData\svhost.exeC:\ProgramData\svhost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6028 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=6224 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5364 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=6508 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=4712 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=3764 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:81⤵
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --mojo-platform-channel-handle=6236 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --mojo-platform-channel-handle=6500 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --mojo-platform-channel-handle=6476 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:81⤵
-
C:\ProgramData\svhost.exeC:\ProgramData\svhost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --mojo-platform-channel-handle=6808 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:11⤵
-
C:\ProgramData\svhost.exeC:\ProgramData\svhost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\svhost.exeC:\ProgramData\svhost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --mojo-platform-channel-handle=6628 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --mojo-platform-channel-handle=6616 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --mojo-platform-channel-handle=7008 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --mojo-platform-channel-handle=3356 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:11⤵
-
C:\ProgramData\svhost.exeC:\ProgramData\svhost.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --mojo-platform-channel-handle=5660 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --mojo-platform-channel-handle=6792 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:11⤵
-
C:\Windows\servicing\TrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exe1⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -nop -win 1 -c & {rp hkcu:\environment windir -ea 0;$AveYo=' (\ /) ( * . * ) A limited account protects you from UAC exploits ``` ';$env:1=6;iex((gp Registry::HKEY_Users\S-1-5-21*\Volatile* ToggleDefender -ea 0)[0].ToggleDefender)}2⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" qc windefend3⤵
- Launches sc.exe
-
C:\Windows\system32\cmd.exe"C:\Windows\system32\cmd.exe" /d/r SecurityHealthSystray & "%ProgramFiles%\Windows Defender\MSASCuiL.exe"3⤵
-
C:\Windows\system32\whoami.exe"C:\Windows\system32\whoami.exe" /groups3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net1.exe"C:\Windows\system32\net1.exe" stop windefend3⤵
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" config windefend depend= RpcSs-TOGGLE3⤵
- Launches sc.exe
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=6592 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:81⤵
-
C:\ProgramData\svhost.exeC:\ProgramData\svhost.exe1⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --mojo-platform-channel-handle=7324 --field-trial-handle=3240,i,13319578961094268484,16557498665191861597,262144 --variations-seed-version /prefetch:11⤵
-
C:\ProgramData\svhost.exeC:\ProgramData\svhost.exe1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x4ac 0x49c1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\explorer.exeexplorer.exe1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
1Service Execution
1Scheduled Task/Job
1Scheduled Task
1Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\svhost.exeFilesize
63KB
MD5c095a62b525e62244cad230e696028cf
SHA167232c186d3efe248b540f1f2fe3382770b5074a
SHA256a5728f8fd33c77818782d3eef567b77d1586b1927696affced63d494691edbe6
SHA5125ba859d89a9277d9b6243f461991cc6472d001cdea52d9fcfba3cbead88fbc69d9dfce076b1fdeaf0d1cd21fe4cace54f1cefe1c352d70cc8fa2898fe1b61fb0
-
C:\USERS\ADMIN\DESKTOP\ASSERTCONVERTTO.SVG.ENCFilesize
438KB
MD57cdbaa52f2db06de63470b29b577b266
SHA1c8a9c09f724eefbf60fd765c2491c2fe50a6b939
SHA2567670a76a6211fd3b11adcbba53c434d3306cdce2b9eb8cff517d62481f8d07fb
SHA512a7a7f88eff63257a43c7d2ddfabd7a34ee559135e86e06ac2958e2cfbf6814e2e28257ad9ec9aa435a29a303169a1f8907642002888725d52032c790399a0ac5
-
C:\USERS\ADMIN\DESKTOP\BACKUPSTART.SVG.ENCFilesize
329KB
MD5c09621b8dd11ee7cbd2a28d70da04c69
SHA16ce917581561c90f1e8a8e986f8e04a5b0f9caad
SHA256583e34ab07327023c4d9500b07c1cce7cf19601f7a3f106cca8e6a9bccd583b5
SHA512b7db17ed1afac20551227604188dbeb2db40a89da0558cf553f2e1e36a7e3c3c3fe1b74ac22437a06b59dad73f0edbc68f0bd92bd3ec9873eec9aea1bd51ad25
-
C:\USERS\ADMIN\DESKTOP\CHECKPOINTHIDE.M2TS.ENCFilesize
282KB
MD52595cf6fe397b0340369f991aec777ee
SHA17e32811d51dedd19aa0fe3f0af11d31d00273c2d
SHA2567857fb1bbabeb0cb60c3423ae23b08dabbbecb15268c8a6f2d631b731c4b0152
SHA512a797374673d8ec28ac0a436cdced9945871f42cfcafbba4d89e547a8a6766fc9315765edff37bf931ccc74d59aa430255a55a1da5e44b1288597c63c09bdd343
-
C:\USERS\ADMIN\DESKTOP\CLEARDISMOUNT.VSD.ENCFilesize
517KB
MD5fbc368da815854f409d95fcb3c210f3c
SHA159ed0aaec0534e73ac74119920365567f3310567
SHA25691be2dd016f704c254ee1ac5af6fa0c67e0396c24216f8e3f63510a1453d11e3
SHA51220c0f742d90fa5b011e39f6ee044c95467ef9510bc32b47477f6f4b1cf593eb63c71eef5cec2954eef5a3ee057e24833040befbb1a4a281a00fece8df7353afc
-
C:\USERS\ADMIN\DESKTOP\CONVERTEXPORT.AIFF.ENCFilesize
485KB
MD5c2a5fc68b722fbc11ae1e173c8162dc2
SHA18370661da0236d516ee297a583e6f46cd9bd87a3
SHA2563729e6f65f9fb8a1e6c9b3c9199a41785f6ca3416e0878a1fccde9cf9e319961
SHA5128e36b702adaa187612e0a6ce9e4bf6776b6ec354c0319ea42c359907c9f15f6e28a66d287dd197477f227b42d635d0eb397ac33abf39cbf9a329d89d37819341
-
C:\USERS\ADMIN\DESKTOP\CONVERTTOCOMPRESS.DWG.ENCFilesize
266KB
MD5b03b9662d335536c7b6495f41f7e0299
SHA1b9e14e016daea2ca540d57d678c5d11dbd7f6e98
SHA256d3e01369eebaecd1b573ec24f7df41a87c13d173d5c5a3c7cb127cca9f29e2d4
SHA512d872c415ba2272502f4b13a7929a447334dbe676e1c99f285e5551120e5c69a14cbb20a9e7cbc8bb5459551c43521b4254fe7f892b9d9a64f106fdba229dfa56
-
C:\USERS\ADMIN\DESKTOP\DESKTOP.INI.ENCFilesize
288B
MD51775695ea4684ad88248174ef7a86650
SHA137478f6b09809b15c82b8154792bb147e00f9d07
SHA2560812a9a191fa1328a52476bc8893fd4f70358301fc075fa949f11703e9e96848
SHA51239c19fe0a2a9063bffa9271b1f85f3cf2b5e3551073d8b7d9c326f12854e3d88d4fad54c372653dcc068227cb63d37277a8c49132296683cb7823598f4be444f
-
C:\USERS\ADMIN\DESKTOP\EXITREGISTER.7Z.ENCFilesize
626KB
MD560bce22ad9d22dbfbe77a04f7334eff6
SHA18b9bac6cff53a2e6ab39ffc3f3062a15bba45d78
SHA256da34f28fd2f618446203391c1e0aabde8493770dadf536378f6fa75b54586a0a
SHA512b25406d29fceec1a552faeda9d5b162b64d6735be8c8a0608ed292364762d2962492eba390e1ae5f85d736396c46ae29db8b7f21effa946012ba58568ae2bb4d
-
C:\USERS\ADMIN\DESKTOP\FORMATRESTORE.EMZ.ENCFilesize
219KB
MD5563b92ba8cc62aedc1999b6e89cfbab6
SHA17ed425f0b85d3165716ca47d0cfe7d678b5f8b56
SHA25629fa1c8f9d52994f9401558034748bbccd0c6992c36a1542eea476e0bf5e8c01
SHA512be346375a83ab9d51209f7864926c9777a1643b2020bfb12f5c325a013f8990a652073dded24c7c4723aad193c653564c50fe680a6586fd931d692d46100b580
-
C:\USERS\ADMIN\DESKTOP\GETBACKUP.7Z.ENCFilesize
407KB
MD5747e6dd70e69aa5beb548327871417a2
SHA1c8112e23bbb56130fd8d4404495dbe5c6e2b6691
SHA256f9500ee1ee23ac66db97649c28a2782299e70906562f6f0db62ad8d461845538
SHA512d811474458b566b7b2eb5adfe6b37393e507fdb64e5e31a3863addaf9526d5600af3495edece9522b19763ee2a100ab758e52c515036b95270581e8462d8fec7
-
C:\USERS\ADMIN\DESKTOP\GRANTUNPUBLISH.VSTX.ENCFilesize
454KB
MD5382301aa0c981477f8fa0fbb4607d723
SHA145d7513d82a3759889b9587fadb05518f82a157b
SHA2560fec58b13b3d8ab8aebcddf0cb04a7fa0be77b4b560bc5c771c6afdb67e3ba16
SHA512be039242e06c694c28bf5fab25b9f15f9664a4b475fc5135368d3412f5320eba200f57fbe69a8d260042c02380e45365beea5f4e2b8965ced9a30cac709b529a
-
C:\USERS\ADMIN\DESKTOP\INSTALLUNPUBLISH.TIFF.ENCFilesize
548KB
MD504d33b8f88f1d9a145802ab9d5555450
SHA147b647aea86b78f183f308a6baa25916a6856b28
SHA256e8a2a6fe6ee9437ad1b6054ecf8f9b01f654d3cd72f8bf1bd8276fe640213a4c
SHA512b22fe7e418e046865885776606fd87436d938031e2146da35d30e97ed7b2aed72d77999fcf09d2e8ec464545b0b022a75ae40a7e614be37fe2dae2aa6f1688d8
-
C:\USERS\ADMIN\DESKTOP\LIMITUNPROTECT.CSV.ENCFilesize
344KB
MD51e5a11849cee1ee43e1c4ac58f07e7d7
SHA13619fddffa5cc8a3600cfaaa36ac8fbbff5710f6
SHA256bb314c0144db83e4702059561c0e2a54da696fd608b2fcba580a6ef679b8ffb1
SHA512f13fcf5c3b62da83841a3cca9975b1c0565aa38feb8b4757f5ab281266b756de2af126d645303794196bc2f8c8f8cbb60469abd1bd3e2e961e26cd1272102ea9
-
C:\USERS\ADMIN\DESKTOP\MICROSOFT EDGE.LNK.ENCFilesize
2KB
MD5446916ef99c00f7ac99c4655ae14052f
SHA1484583f0bb8229ed3ecf4cef78387f9daa0871f9
SHA256aeed3cb2fdb9dafab5607e100753d3b11ae9ab2722679eba80d6d2a23513844f
SHA5129c66793d496934f3b0930618210f85e9a45a5e1a9dabdb4abb11fc3c52531e8786b1ebeefdb9edb73bd882d8b643307f618ff7c1247fb73ab2ace5e33e329b29
-
C:\USERS\ADMIN\DESKTOP\MOUNTCONFIRM.WMA.ENCFilesize
611KB
MD5d99be403fce23759406f7573d7b7774e
SHA196872609309b8bd838cdd9fc036754fa884e850a
SHA25659350e0ae1662a42a9a19f37f97f2803ffc3bcb7c58ae721c4efbd73452742ae
SHA512f4e5321c468d20383b5ac7878fed79f58015891d2484b5d128b2b989db574d641a2e9fbbd3fc50e29dfd9c6c039327ced0a137d5080b2cedf56cdcba65f0b242
-
C:\USERS\ADMIN\DESKTOP\POPENTER.7Z.ENCFilesize
235KB
MD552836875126096a377076f3d0afc1589
SHA134c908f0451d69af834a87026463d033adefb9c3
SHA2567ff9f07f93cb1c7e189099cf1c633b0fced9f334f0b942255249bc3cacd24b1e
SHA512b2795dd3ddc9f727d2d3ecb5ad21b781dfb6a4f8fd3994c7225d20f1dde6ca9ed27c7dce387009d9b69d77f080b3aa66e3c8a70016c3cd3bf5fbebc7cd012a85
-
C:\USERS\ADMIN\DESKTOP\PUBLISHLOCK.MIDI.ENCFilesize
579KB
MD539203d836116109fdedfb8ea3744884c
SHA133b1dadf6d803ccff7b148ac9c6044c7560a9de0
SHA25606e9436f35dcedea2cbcd161b91a97a996c37089b687f2907e471206f943f128
SHA512f7a846180cabcd26aa37caebcc6f478622f9ca8ed802c0112ba272b43d50a178a598fa5502e56b69226e22f1d36886abfe406cbd6ec4dd7cf3e01506c6ae55fc
-
C:\USERS\ADMIN\DESKTOP\PUBLISHPING.XLT.ENCFilesize
470KB
MD5013fc371d01abf4e818ae1d91720feed
SHA14b72db482ec669827da41b517022ff35e3e9ff56
SHA2563795a903f29cac2127542fc6e143c83e5c3fb8b3ab4b1d3c9ee5593fe75d7d5b
SHA5125ebe8cc0cc2dc8e99c4838e7e59dbb6af27a162ffecf462017a21bbb2651346ab0c5e3282b09d7bc1b49b9db42068a0e77e0e763c0eec27a1f59b8d43d6a91c4
-
C:\USERS\ADMIN\DESKTOP\READTRACE.M2T.ENCFilesize
391KB
MD5051cafdc7c6b9af59cfd6572f9f53b04
SHA10c5dc8bf520ef5a220e972e8f4c7ddf7eb7090ef
SHA2563b9ce76a8a6ab1a3129bf74877eb7a2768f6192625bfbc6d5b1e677c32599d1a
SHA5120b69c4ff96995c249b95bfb9598874fda48eab468faee645c1c4d6b10e8bb3cb910aba78ee8300ff94191e36ce4fd999e2489f308ac163a592fed59203d00a6f
-
C:\USERS\ADMIN\DESKTOP\REMOVEMOVE.CSS.ENCFilesize
532KB
MD5c4d1690d15e8568b452802de41abff28
SHA1701dad3e762605723cfd02ded926c85f75f590a0
SHA2567ee49ce53feb6092bc731956ffa46795cbaae54babd6e4f1eb19474a661930f9
SHA5123a0bd736ef67e9b7fe4c13b617da60aafa6521ed409b810b076e4e8348bec7cdb882eb72a6a6caf2c81e18359131d3ef41d0a6486af83dc8b74f9a5b59968e30
-
C:\USERS\ADMIN\DESKTOP\RESETMERGE.VDX.ENCFilesize
501KB
MD51b4bd51af27a2443bab855fb171372ca
SHA1bd143200f7e8c3ca079465553e423662082a8d44
SHA256112217b93af4aec86d841417c66ac88fb63d67e33ac9ed93ce851ba70e318f7a
SHA51205ef225040d416164ccfc2f8df6978434ca5058fccfd7edd5f983449566eef4f1997181244b70ae69aa858cc257420459e2e2f470036eeed5d8f2ba887364f74
-
C:\USERS\ADMIN\DESKTOP\RESTARTUSE.WMV.ENCFilesize
564KB
MD5309232808a12e91828279f8a619810ad
SHA1186bf1ba8cfb7841ca2b24c567acff2408658d4c
SHA2569a42383386ce453260d0d4bc3b4fffc0edc7351bef7cd1c2d551e9e9b0282730
SHA5125bcb02bb2db38e88fbb820fa5a40901f42e7506519882b47a323a6fcee9c44703f22a680db3e14b382cf66777b3928a6f0a2d7f2354c7236542c9abf96459c66
-
C:\USERS\ADMIN\DESKTOP\RESTOREUNPROTECT.AU.ENCFilesize
376KB
MD5a2a706f0e04fd43f4c7705a557a444c2
SHA1701ee6f330c64f3a51ed8fdff07757b6d28db2ee
SHA2562db103029d603b99dba18a3af3ea00122c1351a1f3ad4b35169f6a9374c4ed6f
SHA512c809c2b2189987fca0214b582466bab61b78b04761ee97a51892e11df6765a2d7e11c40530d9bea9926c1991499b205e1e85d55a930e4ca099127619c4d39b96
-
C:\USERS\ADMIN\DESKTOP\SEARCHSAVE.RAR.ENCFilesize
297KB
MD520ec85f7f326220b073e5879512f9925
SHA16e97cdc4e7c8feb2cd17f24f468d22b80b802a44
SHA2566417bf50969d9ff50ee93aef9db43411e8519c47820174f88624ac59d08f348f
SHA5129d30e419e41310417bba963cfbff56226fdbb444013d8eec14524558a1abb41573c52c91d5d59bfc29d8cb45d4fab36187896bf3fabe6c6f912c0a2809483ed8
-
C:\USERS\ADMIN\DESKTOP\SETLOCK.MP4.ENCFilesize
595KB
MD56a7ff7fbae8c7710ba35331eec223074
SHA133fe07a968b7a9f4a8aca4c58a6c12f779abecdd
SHA2567dd2fe2f43bba95f7f089041c78a35a4d520095b0f364ce84f8c5fa38d3308d4
SHA512180a2a452c9fefee78a987ae9274073d03ed6514e9b8ebfad2506dbe403a3ece0b21388061721ca1f7babdff7ac4c47a68c05a35013e8e9ca456ba0e143ca37f
-
C:\USERS\ADMIN\DESKTOP\STARTEXPORT.MPG.ENCFilesize
423KB
MD5e6c4aa4a5053d6072c905f11c0db9708
SHA14369a005fac5a9cb0ea7fa0e52f3edf1fd233dc8
SHA25608a0ec2855cfc0b7ed5b0f4a4bf9e8811238a2b594afd0860c7a11a457f59454
SHA51259f18b53f0db5f3327bddfdff855d2b13c05036ba111f37dbe532e361575e03988de8aec5f2600a0cd4aed6d6404d21b8f8e8276a4fa280a53f206684665cc37
-
C:\USERS\ADMIN\DESKTOP\STARTHIDE.MPEG2.ENCFilesize
360KB
MD5693aca10b34a34d69e5304f5c29c4602
SHA1030abb649d6be10aecd9f22aa340c45bf1c3874d
SHA25601483b543f629d75c6f041f30a5c0433ec35cdbcbabc9ef077541230bd2fe1fc
SHA5128807beac8976f4895076d46826640965225bca0b14ed8b36bc8fc443eccdc59be784f67f5a1ceaba50ac771fd0c37598e5ca56c730782c100ff5aa10bb3716d9
-
C:\USERS\ADMIN\DESKTOP\SYNCRESTART.VSTM.ENCFilesize
313KB
MD51a7098487f7547aad37d3bcf937d210e
SHA1313188f08deb29563ad6cda0ae9eb7ff1cf589ba
SHA256785da56e0896717f6a1e1239dad1852a055f967fabc06260212a6fd24e4d68a5
SHA51288d4366707c1537b3521f862fc7c820a3242e2c9f4d90699751645b052d9fe897756ddc3ec252685f7cc4e158ee9f563752aeffca11c98573e1c30f7b9416522
-
C:\USERS\ADMIN\DESKTOP\WRITEENABLE.SHTML.ENCFilesize
250KB
MD5f231cba6639929981974047a0be1a2c4
SHA1dbd5fbbfc3e8fc95a0b2620e904ca6397cd4d92e
SHA25626a2c41af1a1e098942e60d8e7449433be06e9eff80ac08287f24bc18bb37486
SHA512bc2adcb3fffbe2929eaa6e0610fad5e7afb98f4519d0ce2ebd2aaa76a1b4088b82387b58db1b3d2c75b51866e6b6300e5225e0d122ddb72f1f85c624c94689f9
-
C:\USERS\ADMIN\DESKTOP\WRITEUNPUBLISH.RM.ENCFilesize
861KB
MD56051db15ab996441b699f2c688bda5bb
SHA178fb0db5cefe3c69c30ddb6d49b7c911e31f1eff
SHA256c1957435155cecbeaecc52bb842b76f990c72f9a5526164b1b5ed2873ce1082a
SHA512ef2775e8607899a7120392ef4d0df28cd8732b227c31894975cd68dd8e2f8478b3dac15b84dd485b6b1339320ae993e822835695f4e6e8656d7126de3ca890e0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9Filesize
471B
MD59c7e8856a3f456a9f535125a7f3a8020
SHA1fb11b31bb03d8f314a0addc0df4172a1373ed3a4
SHA256db21529cef9e84cda7f7a1b144f36afda687388c204ecd501bab1479c90ece63
SHA512df11fa6bcd4b9ca606fb39e50f0d65b581b4730eb972526ce57da2a807dfd95e092be93ea1f4c4af15c18de2eebd45f7ab65159d666788562e8418632c4a8f23
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_6372E0472AFF76BB926C97818BC773B9Filesize
420B
MD5a71da463e54e6349d541d06981b3e80d
SHA1780db4215478b113ca92bfd1d69db3cfed69ff5d
SHA256fcd5b44a0795e9982b2145617e2a5187c74620420ac5d776ffe375b52a4b1ea7
SHA512671b5b631a42cd46e263f5c2df292750cd74237af47914b1a0f91a1bc80022eb99fa4b646b115f36a049d328149561af5058702f385aec5d248517670e9f58c6
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svhost.exe.logFilesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD56d42b6da621e8df5674e26b799c8e2aa
SHA1ab3ce1327ea1eeedb987ec823d5e0cb146bafa48
SHA2565ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c
SHA51253faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD59bc110200117a3752313ca2acaf8a9e1
SHA1fda6b7da2e7b0175b391475ca78d1b4cf2147cd3
SHA256c88e4bbb64f7fa31429ebe82c1cf07785c44486f37576f783a26ac856e02a4eb
SHA5121f1af32aa18a8cbfcc65b0d4fb7e6ca2705f125eaa85789e981ee68b90c64522e954825abf460d4b4f97567715dfae8d9b0a25a4d54d10bc4c257c472f2e80fb
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5e5663972c1caaba7088048911c758bf3
SHA13462dea0f9c2c16a9c3afdaef8bbb1f753c1c198
SHA2569f7f29a4696876cadca3f14d7e43f9ede0c97fd64be3f5d94bda49a91b6a419e
SHA512ff4e72c46cf083de62baa2ce2661555dd91b5f144294015f7b262fd4500cb67fe80e1871a82da63b607e3e9cef401f4b73c587bf1134637881ecad51aad1eddc
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5d3e8199b4634731cf0a0c26c1f14f588
SHA17f8fae27eb80055a436a6b5457978f32673d9ad4
SHA256ef33f487f93c2977e92fb08d6bdcc9d48b5d1864c402f9d3fbf3e1b30e8b3b9a
SHA512806a123100dbc1ca1b27bbad5b93c3a9a840dc795127af8523333a71259a8c5ef8aefccb83ef390f2644e013f138c4b7b63c584acccb197aada0c70c038032e2
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ihknj1oi.zjj.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\Desktop\How To Decrypt My Files.htmlFilesize
639B
MD5d2dbbc3383add4cbd9ba8e1e35872552
SHA1020abbc821b2fe22c4b2a89d413d382e48770b6f
SHA2565ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be
SHA512bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66
-
C:\Users\Admin\Desktop\desktop.iniFilesize
282B
MD59e36cc3537ee9ee1e3b10fa4e761045b
SHA17726f55012e1e26cc762c9982e7c6c54ca7bb303
SHA2564b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026
SHA5125f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790
-
C:\Users\Admin\NTUSER.DAT{53b39e88-18c4-11ea-a811-000d3aa4692b}.TMContainer00000000000000000001.regtrans-ms.ENCFilesize
16B
MD5d012e5555ae6936cbe76b0edf9b0da69
SHA10a80fe68cdd19432d8f4ccae4b505613064f1966
SHA2567a35c4144ba71bf57b0fe01b116314ff31f3765cd6667c3d48def6fe1c4af861
SHA512920b93ad09eddab8b03be79bc8813abce6beaa0cbb37ff0a8d85c92c8940ce003bb03d967eaa84d22b01e00aabfab26e16c2d41fb2c56bd60bf08171cb130de6
-
memory/1432-58-0x00007FF9872D0000-0x00007FF987D91000-memory.dmpFilesize
10.8MB
-
memory/1432-908-0x000000001BF20000-0x000000001BF56000-memory.dmpFilesize
216KB
-
memory/1432-879-0x00000000014B0000-0x00000000014BE000-memory.dmpFilesize
56KB
-
memory/1432-1-0x0000000000C80000-0x0000000000C96000-memory.dmpFilesize
88KB
-
memory/1432-0-0x00007FF9872D3000-0x00007FF9872D5000-memory.dmpFilesize
8KB
-
memory/1432-268-0x0000000001490000-0x000000000149C000-memory.dmpFilesize
48KB
-
memory/1432-267-0x000000001D390000-0x000000001D864000-memory.dmpFilesize
4.8MB
-
memory/1432-1481-0x000000001BF70000-0x000000001BF7A000-memory.dmpFilesize
40KB
-
memory/1432-65-0x00000000013C0000-0x00000000013CC000-memory.dmpFilesize
48KB
-
memory/1432-60-0x00007FF9872D0000-0x00007FF987D91000-memory.dmpFilesize
10.8MB
-
memory/1432-59-0x00007FF9872D3000-0x00007FF9872D5000-memory.dmpFilesize
8KB
-
memory/4620-2-0x00000170DD9E0000-0x00000170DDA02000-memory.dmpFilesize
136KB
-
memory/4620-19-0x00007FF9872D0000-0x00007FF987D91000-memory.dmpFilesize
10.8MB
-
memory/4620-16-0x00007FF9872D0000-0x00007FF987D91000-memory.dmpFilesize
10.8MB
-
memory/4620-15-0x00007FF9872D0000-0x00007FF987D91000-memory.dmpFilesize
10.8MB
-
memory/4620-14-0x00007FF9872D0000-0x00007FF987D91000-memory.dmpFilesize
10.8MB
-
memory/4620-13-0x00007FF9872D0000-0x00007FF987D91000-memory.dmpFilesize
10.8MB
-
memory/4620-12-0x00007FF9872D0000-0x00007FF987D91000-memory.dmpFilesize
10.8MB
-
memory/4748-283-0x00007FF99F830000-0x00007FF99F848000-memory.dmpFilesize
96KB
-
memory/4748-277-0x00007FF99F850000-0x00007FF99F884000-memory.dmpFilesize
208KB
-
memory/4748-276-0x00007FF6D9820000-0x00007FF6D9918000-memory.dmpFilesize
992KB
-
memory/4748-278-0x00007FF97D9D0000-0x00007FF97DC84000-memory.dmpFilesize
2.7MB
-
memory/4748-288-0x00007FF9987F0000-0x00007FF998801000-memory.dmpFilesize
68KB
-
memory/4748-287-0x00007FF998880000-0x00007FF99889D000-memory.dmpFilesize
116KB
-
memory/4748-286-0x00007FF9988A0000-0x00007FF9988B7000-memory.dmpFilesize
92KB
-
memory/4748-285-0x00007FF99EBD0000-0x00007FF99EBE1000-memory.dmpFilesize
68KB
-
memory/4748-284-0x00007FF99F810000-0x00007FF99F827000-memory.dmpFilesize
92KB
-
memory/4748-293-0x00007FF97D9D0000-0x00007FF97DC84000-memory.dmpFilesize
2.7MB
-
memory/4748-292-0x00007FF99F850000-0x00007FF99F884000-memory.dmpFilesize
208KB
-
memory/4748-291-0x00007FF6D9820000-0x00007FF6D9918000-memory.dmpFilesize
992KB
-
memory/4748-294-0x00007FF9795B0000-0x00007FF97A65B000-memory.dmpFilesize
16.7MB
