Analysis
-
max time kernel
160s -
max time network
169s -
platform
windows10-1703_x64 -
resource
win10-20230220-es -
resource tags
-
submitted
23-03-2023 05:44
Errors
General
-
Target
minitool_partition_wizard_12.6_full.exe
-
Size
130.4MB
-
MD5
debc5f5b71f637030872b33caab64c0a
-
SHA1
25a8f4f53e9ec1123d62427c6740e3250dae9282
-
SHA256
a7f19f8d65bfd54fe1f8a5eb8c1a4a960361234046a56c176cd58c56919eec2c
-
SHA512
3e6a4755de6353fff3b0dce1c9fc308df701acd0e5d5e9bcc6f5abc2c444edb85a3ba0bf5a1878e2b76b292b889538eda1e3f855fe7fad70b550c18939279821
-
SSDEEP
3145728:uwYi3ZoPxT77M0XZeiYWe6LdSP5TKLc+S6k:ug3ZoZT7aWeGdu5T0Vk
Malware Config
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Process spawned unexpected child process 45 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
UAC bypass 3 TTPs 6 IoCs
-
DCRat payload 8 IoCs
Detects payload of DCRat, commonly dropped by NSIS installers.
-
Checks BIOS information in registry 2 TTPs 4 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 58 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Checks whether UAC is enabled 1 TTPs 4 IoCs
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 5 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 31 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 8 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 45 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 64 IoCs
-
Runs .reg file with regedit 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: LoadsDriver 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 35 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 17 IoCs
-
Suspicious use of WriteProcessMemory 27 IoCs
-
System policy modification 1 TTPs 6 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\minitool_partition_wizard_12.6_full.exe"C:\Users\Admin\AppData\Local\Temp\minitool_partition_wizard_12.6_full.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MiniTool Partition Wizard 12.6.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\MiniTool Partition Wizard 12.6.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Temp\8mGSyTUtVfuMkV8vtHuW9UFpBdYFm.vbe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\oX3JL1WEizcdnPmVyjer7.bat" "4⤵
- Suspicious use of WriteProcessMemory
-
C:\Temp\Runtime Broker.exe"C:\Temp\Runtime Broker.exe"5⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"powershell" -Command Add-MpPreference -ExclusionPath 'C:\'6⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z6y56Ktdl4.bat"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\w32tm.exew32tm /stripchart /computer:localhost /period:5 /dataonly /samples:27⤵
-
C:\Program Files (x86)\Mozilla Maintenance Service\logs\taskhostw.exe"C:\Program Files (x86)\Mozilla Maintenance Service\logs\taskhostw.exe"7⤵
- UAC bypass
- Executes dropped EXE
- Checks whether UAC is enabled
- Modifies registry class
- System policy modification
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0aa4163-9373-4c7d-8dbe-822e526dc09d.vbs"8⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\e0bc551d-332b-47ef-b80f-9ddac9169cd4.vbs"8⤵
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MiniTool Partition Wizard 12.6_LICENSE.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\MiniTool Partition Wizard 12.6_LICENSE.exe"2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-SPHJQ.tmp\MiniTool Partition Wizard 12.6_LICENSE.tmp"C:\Users\Admin\AppData\Local\Temp\is-SPHJQ.tmp\MiniTool Partition Wizard 12.6_LICENSE.tmp" /SL5="$501CA,134097334,67072,C:\Users\Admin\AppData\Local\Temp\RarSFX0\MiniTool Partition Wizard 12.6_LICENSE.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\regedit.exe"C:\Windows\regedit.exe" /S "C:\Users\Admin\AppData\Local\Temp\RarSFX0\settings.reg"4⤵
- Runs .reg file with regedit
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\odt\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 10 /tr "'C:\Windows\SoftwareDistribution\SLS\855E8A7C-ECB4-4CA3-B045-1DFA50104289\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "minitool_partition_wizard_12.6_fullm" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\minitool_partition_wizard_12.6_full.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\LiveKernelReports\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\ja-JP\dwm.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Windows\ja-JP\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\ja-JP\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\odt\WmiPrvSE.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\odt\WmiPrvSE.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\odt\System.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\odt\System.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\Downloaded Program Files\dllhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\Downloaded Program Files\dllhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "minitool_partition_wizard_12.6_fullm" /sc MINUTE /mo 10 /tr "'C:\odt\minitool_partition_wizard_12.6_full.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "minitool_partition_wizard_12.6_full" /sc ONLOGON /tr "'C:\odt\minitool_partition_wizard_12.6_full.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\taskhostw.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\taskhostw.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "minitool_partition_wizard_12.6_fullm" /sc MINUTE /mo 7 /tr "'C:\odt\minitool_partition_wizard_12.6_full.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\LiveKernelReports\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\dwm.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Windows\fr-FR\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\fr-FR\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Windows\fr-FR\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "minitool_partition_wizard_12.6_full" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\minitool_partition_wizard_12.6_full.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "minitool_partition_wizard_12.6_fullm" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\minitool_partition_wizard_12.6_full.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\SLS\855E8A7C-ECB4-4CA3-B045-1DFA50104289\OfficeClickToRun.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\Windows\SoftwareDistribution\SLS\855E8A7C-ECB4-4CA3-B045-1DFA50104289\OfficeClickToRun.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\odt\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\winlogon.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Java\Java Update\winlogon.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\cmd.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\cmd.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\conhost.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\conhost.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\system32\schtasks.exeschtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\browser_broker.exeC:\Windows\system32\browser_broker.exe -Embedding1⤵
- Modifies Internet Explorer settings
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca1⤵
- Drops file in Windows directory
- Modifies registry class
-
C:\Program Files\MiniTool Partition Wizard 12\partitionwizard.exe"C:\Program Files\MiniTool Partition Wizard 12\partitionwizard.exe"1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x3cc1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\MiniTool Partition Wizard 12\partitionwizard.exe"C:\Program Files\MiniTool Partition Wizard 12\partitionwizard.exe"1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Checks processor information in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x0 /state0:0xa3a43055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\Mozilla Maintenance Service\logs\taskhostw.exeFilesize
2.0MB
MD51b5477e8b0e89279003639c7f4422851
SHA1f75a0f1226ea7e2bba0b5bfc51039bab188cfa3f
SHA256954f517954949fb0c20395f3cc0c3ca6e6b1e93dbc364c147198b382970837c9
SHA512f04223dd34b60834209a15120827e85baf7074aae7d4b77023745f0177c745caf6df76178a50aded7327717ab627f2c5996a768c5435476ee8ce35f6ef0ec31d
-
C:\Program Files\MiniTool Partition Wizard 12\LIBEAY32.dllFilesize
1.6MB
MD5aaae8fe70e4c9da4acf5b6445fe7d9a3
SHA19916fdcbca4584cfd2e5fb86d187df1bdfae40ef
SHA256e0297bc3b64d0f39fa0fbf751216dc150ecd1cf403440d5b533d132c9b185cae
SHA512dc8ddcf3fbf71b85ccdab0d2c20fc002033ceb96370e0f034f4c35ec8588b2a52de63678461b8fe9c516e76420a4a3f39881b1fcd46e2b9563b1928f6cf21f66
-
C:\Program Files\MiniTool Partition Wizard 12\MSVCP120.dllFilesize
644KB
MD5edef53778eaafe476ee523be5c2ab67f
SHA158c416508913045f99cdf559f31e71f88626f6de
SHA25692faedd18a29e1bd2dd27a1d805ea5aa3e73b954a625af45a74f49d49506d20f
SHA5127fc931c69aca6a09924c84f57a4a2bcf506859ab02f622d858e9e13d5917c5d3bdd475ba88f7a7e537bdae84ca3df9c3a7c56b2b0ca3c2d463bd7e9b905e2ef8
-
C:\Program Files\MiniTool Partition Wizard 12\MSVCR120.dllFilesize
940KB
MD5aeb29ccc27e16c4fd223a00189b44524
SHA145a6671c64f353c79c0060bdafea0ceb5ad889be
SHA256d28c7ab34842b6149609bd4e6b566ddab8b891f0d5062480a253ef20a6a2caaa
SHA5122ec4d768a07cfa19d7a30cbd1a94d97ba4f296194b9c725cef8e50a2078e9e593a460e4296e033a05b191dc863acf6879d50c2242e82fe00054ca1952628e006
-
C:\Program Files\MiniTool Partition Wizard 12\PowerDataRecoveryCore.dllFilesize
1.3MB
MD54ab6338463fbeafd4b4edb7aff66495f
SHA14475d03a741f47fc6a2bff0c8363ec8660e47b4a
SHA256ad0fd476a81136ae4047b23fa94ff30eb0f56feddb19ce3305e86e3fb4450aff
SHA512b79b1719d60dfe17253076ae979b1c2550f579d7083ddd9871c80cbcd55c7587c39c527755d6b0bfa64e1504688485e7eb2e647b00c0b6e0cd85d423afe79c37
-
C:\Program Files\MiniTool Partition Wizard 12\PowerDataRecoveryUI.dllFilesize
5.3MB
MD586461a78c6a24789f7220f494b48552f
SHA146af4c448a18201966d36991c5944612b8287ef3
SHA2560cdbad6d79addd3b3b6e2fb59150405acf4a8eca5d5b2aef819660942b7050da
SHA512be5e41b32ebfa83db44428c0a741b02acb6ffd4927b27b4e9fd91d23bbaf35f49dfe9da69c3f0847848df0319514b55a1dd59349638c3041692abc554de1bc0c
-
C:\Program Files\MiniTool Partition Wizard 12\Qt5Charts.dllFilesize
1.3MB
MD507e4bd7c3a018d39206e9a30c35d9320
SHA1f1cf5dd2e45bf2d9020855d469c60fcee7f22046
SHA256f22551ef3c8628430749a04189d5ae15ebcd74779ad2157a2ef2b7fc12249cec
SHA51200c5d0a0fd623d1657ff91b8b6ab118a01eca837227a234af34aeccab678feac2cb0cb76ff768eae68bbf150432ef7bd549c57d0665f62f80a71866df67d875a
-
C:\Program Files\MiniTool Partition Wizard 12\Qt5Core.dllFilesize
5.3MB
MD5a7e479e3fb8c45b4b572a301588c0de0
SHA1a254d7e90a27196a6e40b9daacc1f72748ccc155
SHA256a71c5a226fbb4334353cc1d0f4abacba8a509f8544f286d352e1ec29c86c0742
SHA51292c4303df4967d48a957d258dc2502eedd50a39c7d5d2120f69233f53d67dde13be7112309dd71c0ba9b005951e59a416c5139861522c73cfba3bd49e6b370ae
-
C:\Program Files\MiniTool Partition Wizard 12\Qt5Gui.dllFilesize
5.7MB
MD589c68c9d29d7c527097eb4a1317f71ad
SHA158add7d0d991931ac92eb144e007894412ae570a
SHA256be00d70e40813e1a8ae4715b8e3cdbfb6470dbffc7d591459bb4afc30e77f715
SHA512bfe224dec896857ebe32e75e52823f821b3791312d9629d63b565e2cd12e1854aff5e66cc416555dfbe08887a6171dfb6393e9084a0adaa2ee3528aaf0e2617f
-
C:\Program Files\MiniTool Partition Wizard 12\Qt5Network.dllFilesize
1.0MB
MD568ec8a5f852fe3eca746393e01124ad3
SHA18d750ef88248e20316056e5f7a09a7973cb7145a
SHA2561e971e5e8996b350622f447c88dd6d020cb4c32c259550aef29b9fdac8df9645
SHA512efa0294bc337d039b49a806e542d8cdf948054594dea02f8ccf09ade4942a49c566d6804b5d9e5f439ff5a78dd74c67143fcd54e778201fab57174faec259084
-
C:\Program Files\MiniTool Partition Wizard 12\Qt5Widgets.dllFilesize
5.3MB
MD5d654ed44099c61cf7ddc07dabeca28d3
SHA11acf0f22f3cb15585fe8ec97dad00eda8ac30d51
SHA2563bc64a69dc06e7a12442c04225630ba57c779d6e9e4e1aff9f986c3e68883f27
SHA5129012f71a8dd27c56b46b341c97a8ac964bdf399f1f9d8740763be34bc4d179db5bb4fbee153e715990a37c2b1391b2622bcacffe32756abfaceb45183bf7f0ea
-
C:\Program Files\MiniTool Partition Wizard 12\RawObject.dllFilesize
360KB
MD5e4f38dc0d2794113ebc52a2dc5774f59
SHA1a45a26800c340c9b459bbee2cbf39d9846e6a9f8
SHA25689eb4e8eb2620dcbe5a7b775c0084b0e5221c567b54bd1c79d20dc02a9cecf17
SHA512a89fb208702b89fa7a169aeec57f9537381e0b3b3ec96b94a52ee719ca361e3bb8552f2527b09bc6e1969482eb596171c9684da9e830dbf5e8a8d6362069c86b
-
C:\Program Files\MiniTool Partition Wizard 12\efs.dllFilesize
25KB
MD5038ef653d4c317251b7ddcc5aa7a8858
SHA16229db50ceb8eb2c1eaf53ab7fac92dcd5709183
SHA256b472bda60fb88eb4ba5e751d75710f5046068601d089367b882a018e6489fbad
SHA51227f9f2e789f4b1803e69a463629ac3703db71dfd9dbc3798b718b5bc6d6115535095e4cfbcbc50e611e06d46317923139b33720a295f3346d570b4040bca1d9d
-
C:\Program Files\MiniTool Partition Wizard 12\idriver.dllFilesize
24KB
MD588249d061d4b0960f096edb161123ae6
SHA106294d0ac2b87df72f4bf67703b0cf2f25108e02
SHA25662ad27d89a7ef1496328ea9d128a3abb80ae1cdb7025831101b8777cdb5dae81
SHA512228596df4c0a4c00c1d11165060fb4059254ec2d481e5efaef1cdb6e20f96afac0013f17236d18e038fafc758f17a5eea903aa4b9da232fa4d0f4703a5afeb3b
-
C:\Program Files\MiniTool Partition Wizard 12\ikernel.dllFilesize
3.1MB
MD545986fb2a3b486739265fb97c78bf613
SHA1baa9b8d6940ace3c3f6e0e24c287ae16b3822c29
SHA256b9369eb0899e8f81ec95ef51dadd1b5c415e39472787a41c2798c6e1950903a3
SHA51216cfa61ec09cf7919b7c69e3dd8a52d83927a49cfc0934066601f5250d3488a4e3c0d68d4d36ed1bcd9779ad18e06d3fa75bc619be67919e718ea0701198ab81
-
C:\Program Files\MiniTool Partition Wizard 12\libcurl.dllFilesize
359KB
MD54edcb47ff216a3d465534620f2e26a1a
SHA1245920aa97fc1299e6416665f26147acb54f9090
SHA256753c458e48291eb08cb42cd9a03484f7c4a9dd8c209cdd070c4be8b7f32c248e
SHA5122df293d15d0a157752542586a5f4dec7c4b334378936d22d8ed8f80b3b58b75f9642df0e9295c124056ca1383af587acfbbf7ac5ac965454d67b0db5fdd83af3
-
C:\Program Files\MiniTool Partition Wizard 12\partitionwizard.dllFilesize
4.8MB
MD5f698b0fb04c8d4da9ca974da81f67ab5
SHA1d554ecd7bfbdf040275aaebd3aaa69212dc6b4cd
SHA256c24a746b4a24edf2a16df60218bc1fcad1cdbe166d861dfff6874206cb257c10
SHA5121e1181f2449e46fd2672c97492050cd2782e46fe9bf12dcafec193479b03b6bccacfdb42c89249fe394d8524037a11445af4a0ae24a20afabff5de991148ae9a
-
C:\Program Files\MiniTool Partition Wizard 12\partitionwizard.exeFilesize
437KB
MD577f4dd88cf0158f244ba0a3cd2d2aa15
SHA1f1eb5a39d05fca0549e177d2480e845982114e3c
SHA256e225c6cee399f3e828d6494a2852d84cc7c2f1da9801ef5be05886a1d0a0b478
SHA5129cddf43cad93c2354033b3eb6e7043b37cf0d4a8ac0a8f188cce1eb7ec920a82dc0c4ef792dd720413530eda8ef0160ce474585c40ae6e64088dbd49e0251b4b
-
C:\Program Files\MiniTool Partition Wizard 12\partitionwizard.exeFilesize
437KB
MD577f4dd88cf0158f244ba0a3cd2d2aa15
SHA1f1eb5a39d05fca0549e177d2480e845982114e3c
SHA256e225c6cee399f3e828d6494a2852d84cc7c2f1da9801ef5be05886a1d0a0b478
SHA5129cddf43cad93c2354033b3eb6e7043b37cf0d4a8ac0a8f188cce1eb7ec920a82dc0c4ef792dd720413530eda8ef0160ce474585c40ae6e64088dbd49e0251b4b
-
C:\Program Files\MiniTool Partition Wizard 12\x64\pwdrvio.sysFilesize
36KB
MD50236f0292f87887bbe26f280f813b163
SHA14b4d962504139a4beec57caa98b5bbd36eea418f
SHA256a08cca66ad333d3b4d5ee8a6aeabca317624207810f8a40ef0e07c8a6f4ce5df
SHA512302f63649bf3625bbf29fab5e7401a3e28e5780ef0fb5d39311e5d35262c0c919bc4f98141888677e363dd372fccab7fc26094f96c2f3d5fa292b3dc34c578fa
-
C:\Program Files\MiniTool Partition Wizard 12\x64\pwdspio.sysFilesize
12KB
MD5d619356b955eefa642f5ff72755e8b3c
SHA16113cf3a71b13f97aeca3607cabc9000a9829f5e
SHA2561fd54978a77acd6fbf1236e177ed074894743a9141e4169fe9afe28680fc93c5
SHA5121971d87d119c89dc6c5582286677853569343483863bd5cb26ba8f11c385c27af00feac2737a6097b6a3dfa46e56ef1a0d421d92648bb8313f1b185c37738b5a
-
C:\Recovery\WindowsRE\RCXDFDA.tmpFilesize
2.0MB
MD59c4fe723bc628e30f7192b2881a0ff70
SHA128984704ee7e8573576182775e28b5ab27ae8ca3
SHA25626449e0e7fe9b7e35cb5f630016ef7b436c13efe72942314c3327a02207ae4e6
SHA5122ad7b2c3b223cc396ca06e84d4f4bc19e830483a0150ed785ab4fa04e1ed5467d998b74f62efd15c5c903ef47eb9643ebc62fd51011274c12ee8179d5b055d2b
-
C:\Recovery\WindowsRE\conhost.exeFilesize
2.0MB
MD51b5477e8b0e89279003639c7f4422851
SHA1f75a0f1226ea7e2bba0b5bfc51039bab188cfa3f
SHA256954f517954949fb0c20395f3cc0c3ca6e6b1e93dbc364c147198b382970837c9
SHA512f04223dd34b60834209a15120827e85baf7074aae7d4b77023745f0177c745caf6df76178a50aded7327717ab627f2c5996a768c5435476ee8ce35f6ef0ec31d
-
C:\Temp\8mGSyTUtVfuMkV8vtHuW9UFpBdYFm.vbeFilesize
202B
MD5d4490bf04ced6fce8be8f2c04ce34635
SHA1be394c0ebdfdb59d748b7cfbeef46896e756e4ff
SHA2562577d9e73cf17493ffacaa27ef80ca2bdfe194b01c2d9c2923e2a2b8de9b47df
SHA512940e3387266e0c43add68f6dd8d7e799e825ece0bb99d1e0cb34e577b57da66abb4e670a902ff8245784aef6dea0c0d788e349399b9b067e858b32fbd05910e6
-
C:\Temp\Runtime Broker.exeFilesize
2.0MB
MD51b5477e8b0e89279003639c7f4422851
SHA1f75a0f1226ea7e2bba0b5bfc51039bab188cfa3f
SHA256954f517954949fb0c20395f3cc0c3ca6e6b1e93dbc364c147198b382970837c9
SHA512f04223dd34b60834209a15120827e85baf7074aae7d4b77023745f0177c745caf6df76178a50aded7327717ab627f2c5996a768c5435476ee8ce35f6ef0ec31d
-
C:\Temp\Runtime Broker.exeFilesize
2.0MB
MD51b5477e8b0e89279003639c7f4422851
SHA1f75a0f1226ea7e2bba0b5bfc51039bab188cfa3f
SHA256954f517954949fb0c20395f3cc0c3ca6e6b1e93dbc364c147198b382970837c9
SHA512f04223dd34b60834209a15120827e85baf7074aae7d4b77023745f0177c745caf6df76178a50aded7327717ab627f2c5996a768c5435476ee8ce35f6ef0ec31d
-
C:\Temp\oX3JL1WEizcdnPmVyjer7.batFilesize
28B
MD51c0820915b23fa02cd5c9d5ee69e2110
SHA1cb03a2ee3817d3fa191364429eada237f1fc15a4
SHA2561d73a85802574d06a478525aa333dcbed44c1c2cdec62e637a9a729c6c524fcb
SHA5122d16a37ca7542bd7d41f456ddbaa2d9f44f1fc0a862549f262abde4de8728766b8c2d13e641f700c81d7c4ca6158d7ec3ee97bf51a90603e08cbef288f465ec2
-
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.logFilesize
512KB
MD5167239b31ec8ad65eebe004326be42b4
SHA17f64210c0744513278cabd82d59c8cfb70f4b071
SHA25610fe1394b074502aa72ffac1be13bb6a42ecb99b460b0cdd279d69ae66ca5f8a
SHA512c9b6ec3e4015d60a4c5570a25b2684cdbb6b6b67c102d06079b61ee616786e2366b3be1bd2f2c4def5b7b70fedba93a9759abe75391176e30b14470505e9f098
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751Filesize
717B
MD5ec8ff3b1ded0246437b1472c69dd1811
SHA1d813e874c2524e3a7da6c466c67854ad16800326
SHA256e634c2d1ed20e0638c95597adf4c9d392ebab932d3353f18af1e4421f4bb9cab
SHA512e967b804cbf2d6da30a532cbc62557d09bd236807790040c6bee5584a482dc09d724fc1d9ac0de6aa5b4e8b1fff72c8ab3206222cc2c95a91035754ac1257552
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\Content\68D82DB513E834EAE87CBFCCAA18B05AFilesize
503B
MD56cf1be2639d7b3f13928a1f635d4bc3c
SHA1bfec6371c827b1031130e4bd5532ac524a816478
SHA256216831a87e11026f4d1100b52b5d87d74c3c4dd133e6c8ac560ec401536c12f9
SHA51274c58b1e221c54b0dd3728e89b078e1d6a37a4300adb8009ee617e547f64fc6235a5b9af176c9a13c295f38ab05dce9c494d41df464626cae56676b64dfef9a5
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751Filesize
192B
MD5f9b2966a9eef8155555fcbce0cd3a7a9
SHA1097af7d1bfaca6df5bb8033530e7162037dc6dd0
SHA2567fd11a16158a32272f5f8b61fa5f6484850e850ee87cb3cde2018d9f62144b1c
SHA51244fcb403565ce39d93fdf2a851d24201301ea70570401d209a99c7ab0c0744eeb27a015ee95e0d8167ad7fc78514ba57e7e2b5fed19d8bd891b28a5e32fd5ce1
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\CryptnetUrlCache\MetaData\68D82DB513E834EAE87CBFCCAA18B05AFilesize
552B
MD589362b74367fbca77ffe38ef159ceb30
SHA1fd4f2cef294eef147ec1019f825d38ab15482b71
SHA25631dab3fe7acc65b63277242f896067e43d56c5ec8b92ee0e2e26c1a5d7535d5c
SHA512a1360c648677f222a6bdc6748097af71afe8c8fb811c0a506e3c0ed7a2117a16ddba3ccb362dc32b596c871a9eb7528a3545bb6003ec4613f3b1b4a1f3934a79
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\Microsoft\Windows\3720402701\2219095117.priFilesize
207KB
MD5e2b88765ee31470114e866d939a8f2c6
SHA1e0a53b8511186ff308a0507b6304fb16cabd4e1f
SHA256523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e
SHA512462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\LogFiles\edb.logFilesize
512KB
MD576af1839d3baabb573429534b17f2139
SHA13c582f061aa6e7b6aa57bc6ab95a8ef5eee00bcc
SHA256abf30ddb4a673efb458f150467cd8cbbd94bef798ca0a88b13113fd30b0e9878
SHA5128eaaae67c7e3be3d5af3486e75735bf6110d021b1914fc029487fdf8f215073434325411e66a2772781c4dfc0b862504c02a5992cd148e1a518ad4b93d742b74
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\edb.chkFilesize
8KB
MD5f2aafd56e102ec7f187fca805737a9a7
SHA1a5761d9a3d3c6ded38392cdce5dc1ed2a57f1c77
SHA25695eb024ce013b363e92eca324e5800ea77d437ae76615f54980a2e83323bd285
SHA512aa4e5d2b02d5273affa9591be43bec93ae96d01e4d75b7ff91fb0d51ac2c43e913509a4b49bb3eecb5b6a1db3a07d9f4106703c67b18cc214495b9f5d377ba07
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.edbFilesize
2.0MB
MD564058fc50ae7c0b24c9a9727457e9eee
SHA181bc940eb0e8440809ac5c4df513fbe708e3d30a
SHA2561a63b2a04e8dbc48573d2ffbc403b1fb97b46616e165dacc41e8fe917a4d781e
SHA512252ee9be2226ee269114ae7dd8748b565491f4eb72c17ebc1b119cd7332ae25630a9e6c18d4aa8ce4f65d4f92107ce8feeedd76c138441ccf5f964f7aa923924
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\DataStore\Data\nouser1\120712-0049\DBStore\spartan.jfmFilesize
16KB
MD5f82a4dd6175a13bb92f48038814050f9
SHA1bfaa83790c71008c7c3d8c67ba4a40ec305e73bd
SHA25653a59b0dba7e333c4139e1b1189bbd79df82d177a162b5ecc39e872bb627841b
SHA512659d24b99110c27a1ccaaf62697710a52621cc7b20ea19f8d2d7d17157239a7e954458abeb68abedd98ba8a860bce1186cb2d6eb977233110882fa4f071ab923
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\RecoveryStore.{29150669-3EF2-40C2-AC8D-D9C951A9AF6B}.datFilesize
4KB
MD50c7ae07c55abe6ba1919570a895f4ac5
SHA16e6738a1fbca8d27f3aecee83030fd99011c5af6
SHA256a1cc03bc3a0ae7ca94116fdff8de33a8a98f6be29433d8ec3eb9080b9adca8b8
SHA512af9591b00f0b667e1d3f5e520673728f65d75e352cbc21cda30adb0d538863a3b7d77ffdd60ceb5a1d985c1ca9e8dd3dd6fef333d9304e35bd09544254d9c9d9
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\User\Default\Recovery\Active\{3446DD7C-E0EC-4AD0-ACFA-69A17CCBCD31}.datFilesize
4KB
MD51248ebdddb5c7c6d912898c59cac7755
SHA183f2ecd865f6d4ba10fc04dc09c00fe11b4f34ca
SHA256ac1934e12f365253b9b0cd0b4123df336dd2c81758dbd54bc0c767791faf124d
SHA5125ab60de05fbd9deb9690bfc2fecafaca9b9325464e137fbcdec9e17461f5e8490e81dfb85fac0b59b2a73e2908cc20c18643ffc97084b7183721a8acdd136657
-
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\Microsoft\Windows\3720402701\2219095117.priFilesize
207KB
MD5e2b88765ee31470114e866d939a8f2c6
SHA1e0a53b8511186ff308a0507b6304fb16cabd4e1f
SHA256523e419d2fa2e780239812d36caa37e92f8c3e6a5cd9f18f0d807c593effa45e
SHA512462e8e6b4e63fc6781b6a9935b332a1dc77bfb88e1de49134f86fd46bd1598d2e842902dd9415a328e325bd7cdee766bd9473f2695acdfa769ffe7ba9ae1953d
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MiniTool Partition Wizard 12.6.exeFilesize
2.3MB
MD569278416d5b1e45bdc199424889d1efe
SHA1d03e8357ac70b8120e78ba75f4216562be54e61f
SHA2567ff5cf5a299bb3f9b1ff80582813cd3738d2778de1bdb5d021200221802187d7
SHA512f7401fdeff531b22e3b2c9b55b5d2721f93b2a00ebffd13e4acceb9ff83eee4146f77bc060df7705cc29e88b01aa796b3e5fa3f2117cae4994856d078fa15ba1
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MiniTool Partition Wizard 12.6.exeFilesize
2.3MB
MD569278416d5b1e45bdc199424889d1efe
SHA1d03e8357ac70b8120e78ba75f4216562be54e61f
SHA2567ff5cf5a299bb3f9b1ff80582813cd3738d2778de1bdb5d021200221802187d7
SHA512f7401fdeff531b22e3b2c9b55b5d2721f93b2a00ebffd13e4acceb9ff83eee4146f77bc060df7705cc29e88b01aa796b3e5fa3f2117cae4994856d078fa15ba1
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MiniTool Partition Wizard 12.6_LICENSE.exeFilesize
128.2MB
MD5aaa0657e4501267510f328c964c6ae79
SHA1079359bc7a0741be054f59e8dbc4c21a50520ee2
SHA256c6c2b2d5173c2d2bc71e3c9196ea9ba8a1af5f0dc440564927a8461306b44abd
SHA512657c6cec51691e8d40bf8a4848cf2f7008307211575a18aa2edf6fc495aaa61602b88cb89e1b231b61c0f294eda7e27a4ee44bc70b8f8fcdaef6e7e92d781fff
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MiniTool Partition Wizard 12.6_LICENSE.exeFilesize
128.2MB
MD5aaa0657e4501267510f328c964c6ae79
SHA1079359bc7a0741be054f59e8dbc4c21a50520ee2
SHA256c6c2b2d5173c2d2bc71e3c9196ea9ba8a1af5f0dc440564927a8461306b44abd
SHA512657c6cec51691e8d40bf8a4848cf2f7008307211575a18aa2edf6fc495aaa61602b88cb89e1b231b61c0f294eda7e27a4ee44bc70b8f8fcdaef6e7e92d781fff
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c5r3u1co.ag1.ps1Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
C:\Users\Admin\AppData\Local\Temp\is-SPHJQ.tmp\MiniTool Partition Wizard 12.6_LICENSE.tmpFilesize
913KB
MD52a24c0a674f4692da02e631e4a4afbe9
SHA1fa678a5b96a3562bc75431197979ad1f83346e32
SHA256bc80b9ed6d079ab2f13092e9802d81ee537b3bfa349c7732585b5c8eafaa1dbd
SHA512248166b2a37f31111ddde5ec34ed98e133d9aa9f463243f27c821efb27eb79768fc7d3af33a13b43b0a2a3d49a500c6432c745afed59919984da755aa95a7ad7
-
C:\Users\Admin\AppData\Local\Temp\is-SPHJQ.tmp\MiniTool Partition Wizard 12.6_LICENSE.tmpFilesize
913KB
MD52a24c0a674f4692da02e631e4a4afbe9
SHA1fa678a5b96a3562bc75431197979ad1f83346e32
SHA256bc80b9ed6d079ab2f13092e9802d81ee537b3bfa349c7732585b5c8eafaa1dbd
SHA512248166b2a37f31111ddde5ec34ed98e133d9aa9f463243f27c821efb27eb79768fc7d3af33a13b43b0a2a3d49a500c6432c745afed59919984da755aa95a7ad7
-
C:\Users\Admin\AppData\Local\Temp\z6y56Ktdl4.batFilesize
234B
MD5cbd35b6e56f5a6cbe427a78807c42edf
SHA15b1a2ecc32b092b27237f89f091dce33a4b5f85f
SHA25652fcec842192d10e98ef9b2ac9ab2040ab4d47e6147f0076f35519f42c5bedb2
SHA51296de1c0b4013e612a818b5f6f3d63d4cb651540aa9e3a3b5f86c0ed4feaa34082f57d7f11f8534e7aaaea727042f73f3aee32859126e209fd2735cc521b9502e
-
\Program Files\MiniTool Partition Wizard 12\PowerDataRecoveryCore.dllFilesize
1.3MB
MD54ab6338463fbeafd4b4edb7aff66495f
SHA14475d03a741f47fc6a2bff0c8363ec8660e47b4a
SHA256ad0fd476a81136ae4047b23fa94ff30eb0f56feddb19ce3305e86e3fb4450aff
SHA512b79b1719d60dfe17253076ae979b1c2550f579d7083ddd9871c80cbcd55c7587c39c527755d6b0bfa64e1504688485e7eb2e647b00c0b6e0cd85d423afe79c37
-
\Program Files\MiniTool Partition Wizard 12\PowerDataRecoveryUI.dllFilesize
5.3MB
MD586461a78c6a24789f7220f494b48552f
SHA146af4c448a18201966d36991c5944612b8287ef3
SHA2560cdbad6d79addd3b3b6e2fb59150405acf4a8eca5d5b2aef819660942b7050da
SHA512be5e41b32ebfa83db44428c0a741b02acb6ffd4927b27b4e9fd91d23bbaf35f49dfe9da69c3f0847848df0319514b55a1dd59349638c3041692abc554de1bc0c
-
\Program Files\MiniTool Partition Wizard 12\Qt5Charts.dllFilesize
1.3MB
MD507e4bd7c3a018d39206e9a30c35d9320
SHA1f1cf5dd2e45bf2d9020855d469c60fcee7f22046
SHA256f22551ef3c8628430749a04189d5ae15ebcd74779ad2157a2ef2b7fc12249cec
SHA51200c5d0a0fd623d1657ff91b8b6ab118a01eca837227a234af34aeccab678feac2cb0cb76ff768eae68bbf150432ef7bd549c57d0665f62f80a71866df67d875a
-
\Program Files\MiniTool Partition Wizard 12\Qt5Core.dllFilesize
5.3MB
MD5a7e479e3fb8c45b4b572a301588c0de0
SHA1a254d7e90a27196a6e40b9daacc1f72748ccc155
SHA256a71c5a226fbb4334353cc1d0f4abacba8a509f8544f286d352e1ec29c86c0742
SHA51292c4303df4967d48a957d258dc2502eedd50a39c7d5d2120f69233f53d67dde13be7112309dd71c0ba9b005951e59a416c5139861522c73cfba3bd49e6b370ae
-
\Program Files\MiniTool Partition Wizard 12\Qt5Gui.dllFilesize
5.7MB
MD589c68c9d29d7c527097eb4a1317f71ad
SHA158add7d0d991931ac92eb144e007894412ae570a
SHA256be00d70e40813e1a8ae4715b8e3cdbfb6470dbffc7d591459bb4afc30e77f715
SHA512bfe224dec896857ebe32e75e52823f821b3791312d9629d63b565e2cd12e1854aff5e66cc416555dfbe08887a6171dfb6393e9084a0adaa2ee3528aaf0e2617f
-
\Program Files\MiniTool Partition Wizard 12\Qt5Network.dllFilesize
1.0MB
MD568ec8a5f852fe3eca746393e01124ad3
SHA18d750ef88248e20316056e5f7a09a7973cb7145a
SHA2561e971e5e8996b350622f447c88dd6d020cb4c32c259550aef29b9fdac8df9645
SHA512efa0294bc337d039b49a806e542d8cdf948054594dea02f8ccf09ade4942a49c566d6804b5d9e5f439ff5a78dd74c67143fcd54e778201fab57174faec259084
-
\Program Files\MiniTool Partition Wizard 12\Qt5Widgets.dllFilesize
5.3MB
MD5d654ed44099c61cf7ddc07dabeca28d3
SHA11acf0f22f3cb15585fe8ec97dad00eda8ac30d51
SHA2563bc64a69dc06e7a12442c04225630ba57c779d6e9e4e1aff9f986c3e68883f27
SHA5129012f71a8dd27c56b46b341c97a8ac964bdf399f1f9d8740763be34bc4d179db5bb4fbee153e715990a37c2b1391b2622bcacffe32756abfaceb45183bf7f0ea
-
\Program Files\MiniTool Partition Wizard 12\RawObject.dllFilesize
360KB
MD5e4f38dc0d2794113ebc52a2dc5774f59
SHA1a45a26800c340c9b459bbee2cbf39d9846e6a9f8
SHA25689eb4e8eb2620dcbe5a7b775c0084b0e5221c567b54bd1c79d20dc02a9cecf17
SHA512a89fb208702b89fa7a169aeec57f9537381e0b3b3ec96b94a52ee719ca361e3bb8552f2527b09bc6e1969482eb596171c9684da9e830dbf5e8a8d6362069c86b
-
\Program Files\MiniTool Partition Wizard 12\efs.dllFilesize
25KB
MD5038ef653d4c317251b7ddcc5aa7a8858
SHA16229db50ceb8eb2c1eaf53ab7fac92dcd5709183
SHA256b472bda60fb88eb4ba5e751d75710f5046068601d089367b882a018e6489fbad
SHA51227f9f2e789f4b1803e69a463629ac3703db71dfd9dbc3798b718b5bc6d6115535095e4cfbcbc50e611e06d46317923139b33720a295f3346d570b4040bca1d9d
-
\Program Files\MiniTool Partition Wizard 12\idriver.dllFilesize
24KB
MD588249d061d4b0960f096edb161123ae6
SHA106294d0ac2b87df72f4bf67703b0cf2f25108e02
SHA25662ad27d89a7ef1496328ea9d128a3abb80ae1cdb7025831101b8777cdb5dae81
SHA512228596df4c0a4c00c1d11165060fb4059254ec2d481e5efaef1cdb6e20f96afac0013f17236d18e038fafc758f17a5eea903aa4b9da232fa4d0f4703a5afeb3b
-
\Program Files\MiniTool Partition Wizard 12\ikernel.dllFilesize
3.1MB
MD545986fb2a3b486739265fb97c78bf613
SHA1baa9b8d6940ace3c3f6e0e24c287ae16b3822c29
SHA256b9369eb0899e8f81ec95ef51dadd1b5c415e39472787a41c2798c6e1950903a3
SHA51216cfa61ec09cf7919b7c69e3dd8a52d83927a49cfc0934066601f5250d3488a4e3c0d68d4d36ed1bcd9779ad18e06d3fa75bc619be67919e718ea0701198ab81
-
\Program Files\MiniTool Partition Wizard 12\libcurl.dllFilesize
359KB
MD54edcb47ff216a3d465534620f2e26a1a
SHA1245920aa97fc1299e6416665f26147acb54f9090
SHA256753c458e48291eb08cb42cd9a03484f7c4a9dd8c209cdd070c4be8b7f32c248e
SHA5122df293d15d0a157752542586a5f4dec7c4b334378936d22d8ed8f80b3b58b75f9642df0e9295c124056ca1383af587acfbbf7ac5ac965454d67b0db5fdd83af3
-
\Program Files\MiniTool Partition Wizard 12\libeay32.dllFilesize
1.6MB
MD5aaae8fe70e4c9da4acf5b6445fe7d9a3
SHA19916fdcbca4584cfd2e5fb86d187df1bdfae40ef
SHA256e0297bc3b64d0f39fa0fbf751216dc150ecd1cf403440d5b533d132c9b185cae
SHA512dc8ddcf3fbf71b85ccdab0d2c20fc002033ceb96370e0f034f4c35ec8588b2a52de63678461b8fe9c516e76420a4a3f39881b1fcd46e2b9563b1928f6cf21f66
-
\Program Files\MiniTool Partition Wizard 12\msvcp120.dllFilesize
644KB
MD5edef53778eaafe476ee523be5c2ab67f
SHA158c416508913045f99cdf559f31e71f88626f6de
SHA25692faedd18a29e1bd2dd27a1d805ea5aa3e73b954a625af45a74f49d49506d20f
SHA5127fc931c69aca6a09924c84f57a4a2bcf506859ab02f622d858e9e13d5917c5d3bdd475ba88f7a7e537bdae84ca3df9c3a7c56b2b0ca3c2d463bd7e9b905e2ef8
-
\Program Files\MiniTool Partition Wizard 12\msvcr120.dllFilesize
940KB
MD5aeb29ccc27e16c4fd223a00189b44524
SHA145a6671c64f353c79c0060bdafea0ceb5ad889be
SHA256d28c7ab34842b6149609bd4e6b566ddab8b891f0d5062480a253ef20a6a2caaa
SHA5122ec4d768a07cfa19d7a30cbd1a94d97ba4f296194b9c725cef8e50a2078e9e593a460e4296e033a05b191dc863acf6879d50c2242e82fe00054ca1952628e006
-
\Program Files\MiniTool Partition Wizard 12\partitionwizard.dllFilesize
4.8MB
MD5f698b0fb04c8d4da9ca974da81f67ab5
SHA1d554ecd7bfbdf040275aaebd3aaa69212dc6b4cd
SHA256c24a746b4a24edf2a16df60218bc1fcad1cdbe166d861dfff6874206cb257c10
SHA5121e1181f2449e46fd2672c97492050cd2782e46fe9bf12dcafec193479b03b6bccacfdb42c89249fe394d8524037a11445af4a0ae24a20afabff5de991148ae9a
-
\Users\Admin\AppData\Local\Temp\is-51H67.tmp\ISTask.dllFilesize
66KB
MD586a1311d51c00b278cb7f27796ea442e
SHA1ac08ac9d08f8f5380e2a9a65f4117862aa861a19
SHA256e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d
SHA512129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec
-
\Users\Admin\AppData\Local\Temp\is-51H67.tmp\ISTask.dllFilesize
66KB
MD586a1311d51c00b278cb7f27796ea442e
SHA1ac08ac9d08f8f5380e2a9a65f4117862aa861a19
SHA256e916bdf232744e00cbd8d608168a019c9f41a68a7e8390aa48cfb525276c483d
SHA512129e4b8dd2665bcfc5e72b4585343c51127b5d027dbb0234291e7a197baeca1bab5ed074e65e5e8c969ee01f9f65cc52c9993037416de9bfff2f872e5aeba7ec
-
\Users\Admin\AppData\Local\Temp\is-51H67.tmp\VclStylesInno.dllFilesize
3.0MB
MD5b0ca93ceb050a2feff0b19e65072bbb5
SHA17ebbbbe2d2acd8fd516f824338d254a33b69f08d
SHA2560e93313f42084d804b9ac4be53d844e549cfcaf19e6f276a3b0f82f01b9b2246
SHA51237242423e62af30179906660c6dbbadca3dc2ba9e562f84315a69f3114765bc08e88321632843dbd78ba1728f8d1ce54a4edfa3b96a9d13e540aee895ae2d8e2
-
\Users\Admin\AppData\Local\Temp\is-51H67.tmp\VclStylesInno.dllFilesize
3.0MB
MD5b0ca93ceb050a2feff0b19e65072bbb5
SHA17ebbbbe2d2acd8fd516f824338d254a33b69f08d
SHA2560e93313f42084d804b9ac4be53d844e549cfcaf19e6f276a3b0f82f01b9b2246
SHA51237242423e62af30179906660c6dbbadca3dc2ba9e562f84315a69f3114765bc08e88321632843dbd78ba1728f8d1ce54a4edfa3b96a9d13e540aee895ae2d8e2
-
memory/592-494-0x000001DE4FDA0000-0x000001DE4FDB0000-memory.dmpFilesize
64KB
-
memory/592-496-0x000001DE67E90000-0x000001DE67EB2000-memory.dmpFilesize
136KB
-
memory/592-498-0x000001DE67F20000-0x000001DE67F30000-memory.dmpFilesize
64KB
-
memory/592-499-0x000001DE67F20000-0x000001DE67F30000-memory.dmpFilesize
64KB
-
memory/592-503-0x000001DE68360000-0x000001DE683D6000-memory.dmpFilesize
472KB
-
memory/592-516-0x000001DE684E0000-0x000001DE6852A000-memory.dmpFilesize
296KB
-
memory/592-492-0x000001DE67F30000-0x000001DE67FB2000-memory.dmpFilesize
520KB
-
memory/592-537-0x000001DE67F20000-0x000001DE67F30000-memory.dmpFilesize
64KB
-
memory/592-538-0x000001DE682E0000-0x000001DE682FE000-memory.dmpFilesize
120KB
-
memory/1000-141-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/1000-191-0x0000000000400000-0x0000000000417000-memory.dmpFilesize
92KB
-
memory/4600-207-0x000000001B3D0000-0x000000001B3E0000-memory.dmpFilesize
64KB
-
memory/4600-197-0x00000000029E0000-0x00000000029FC000-memory.dmpFilesize
112KB
-
memory/4600-210-0x000000001B350000-0x000000001B35A000-memory.dmpFilesize
40KB
-
memory/4600-199-0x000000001B360000-0x000000001B3B0000-memory.dmpFilesize
320KB
-
memory/4600-202-0x000000001B320000-0x000000001B336000-memory.dmpFilesize
88KB
-
memory/4600-218-0x000000001B3B0000-0x000000001B3BC000-memory.dmpFilesize
48KB
-
memory/4600-204-0x000000001B340000-0x000000001B352000-memory.dmpFilesize
72KB
-
memory/4600-214-0x000000001BF20000-0x000000001C022000-memory.dmpFilesize
1.0MB
-
memory/4600-166-0x0000000000780000-0x0000000000988000-memory.dmpFilesize
2.0MB
-
memory/4600-233-0x000000001BCE0000-0x000000001BCEE000-memory.dmpFilesize
56KB
-
memory/4600-200-0x000000001B310000-0x000000001B320000-memory.dmpFilesize
64KB
-
memory/4600-173-0x000000001B3C0000-0x000000001B3D0000-memory.dmpFilesize
64KB
-
memory/4600-221-0x000000001B3E0000-0x000000001B3EC000-memory.dmpFilesize
48KB
-
memory/4600-236-0x000000001BCF0000-0x000000001BCFC000-memory.dmpFilesize
48KB
-
memory/4600-231-0x000000001BC50000-0x000000001BC5E000-memory.dmpFilesize
56KB
-
memory/4600-230-0x000000001BC40000-0x000000001BC4A000-memory.dmpFilesize
40KB
-
memory/4600-223-0x000000001B3F0000-0x000000001B402000-memory.dmpFilesize
72KB
-
memory/4600-227-0x000000001BC30000-0x000000001BC3C000-memory.dmpFilesize
48KB
-
memory/4600-225-0x000000001C560000-0x000000001CA86000-memory.dmpFilesize
5.1MB
-
memory/4600-187-0x0000000002A20000-0x0000000002A2E000-memory.dmpFilesize
56KB
-
memory/4600-184-0x0000000002A10000-0x0000000002A1E000-memory.dmpFilesize
56KB
-
memory/4684-194-0x00000000076F0000-0x0000000007830000-memory.dmpFilesize
1.2MB
-
memory/4684-346-0x0000000002400000-0x0000000002401000-memory.dmpFilesize
4KB
-
memory/4684-289-0x0000000007930000-0x0000000007931000-memory.dmpFilesize
4KB
-
memory/4684-213-0x00000000076F0000-0x0000000007830000-memory.dmpFilesize
1.2MB
-
memory/4684-226-0x00000000076F0000-0x0000000007830000-memory.dmpFilesize
1.2MB
-
memory/4684-229-0x00000000078E0000-0x00000000078E1000-memory.dmpFilesize
4KB
-
memory/4684-235-0x00000000076F0000-0x0000000007830000-memory.dmpFilesize
1.2MB
-
memory/4684-238-0x00000000078F0000-0x00000000078F1000-memory.dmpFilesize
4KB
-
memory/4684-285-0x00000000076F0000-0x0000000007830000-memory.dmpFilesize
1.2MB
-
memory/4684-284-0x0000000007920000-0x0000000007921000-memory.dmpFilesize
4KB
-
memory/4684-286-0x00000000076F0000-0x0000000007830000-memory.dmpFilesize
1.2MB
-
memory/4684-283-0x00000000076F0000-0x0000000007830000-memory.dmpFilesize
1.2MB
-
memory/4684-544-0x0000000002400000-0x0000000002401000-memory.dmpFilesize
4KB
-
memory/4684-270-0x00000000076F0000-0x0000000007830000-memory.dmpFilesize
1.2MB
-
memory/4684-279-0x00000000076F0000-0x0000000007830000-memory.dmpFilesize
1.2MB
-
memory/4684-275-0x0000000007910000-0x0000000007911000-memory.dmpFilesize
4KB
-
memory/4684-269-0x00000000076F0000-0x0000000007830000-memory.dmpFilesize
1.2MB
-
memory/4684-268-0x0000000007900000-0x0000000007901000-memory.dmpFilesize
4KB
-
memory/4684-262-0x00000000076F0000-0x0000000007830000-memory.dmpFilesize
1.2MB
-
memory/4684-241-0x00000000076F0000-0x0000000007830000-memory.dmpFilesize
1.2MB
-
memory/4684-239-0x00000000073D0000-0x00000000076EA000-memory.dmpFilesize
3.1MB
-
memory/4684-237-0x00000000023E0000-0x00000000023F6000-memory.dmpFilesize
88KB
-
memory/4684-234-0x0000000000400000-0x00000000004F7000-memory.dmpFilesize
988KB
-
memory/4684-232-0x00000000076F0000-0x0000000007830000-memory.dmpFilesize
1.2MB
-
memory/4684-228-0x00000000076F0000-0x0000000007830000-memory.dmpFilesize
1.2MB
-
memory/4684-215-0x00000000078B0000-0x00000000078B1000-memory.dmpFilesize
4KB
-
memory/4684-220-0x00000000076F0000-0x0000000007830000-memory.dmpFilesize
1.2MB
-
memory/4684-224-0x00000000078D0000-0x00000000078D1000-memory.dmpFilesize
4KB
-
memory/4684-222-0x00000000076F0000-0x0000000007830000-memory.dmpFilesize
1.2MB
-
memory/4684-219-0x00000000078C0000-0x00000000078C1000-memory.dmpFilesize
4KB
-
memory/4684-217-0x00000000076F0000-0x0000000007830000-memory.dmpFilesize
1.2MB
-
memory/4684-216-0x00000000076F0000-0x0000000007830000-memory.dmpFilesize
1.2MB
-
memory/4684-212-0x00000000076F0000-0x0000000007830000-memory.dmpFilesize
1.2MB
-
memory/4684-211-0x00000000078A0000-0x00000000078A1000-memory.dmpFilesize
4KB
-
memory/4684-206-0x0000000007890000-0x0000000007891000-memory.dmpFilesize
4KB
-
memory/4684-209-0x00000000076F0000-0x0000000007830000-memory.dmpFilesize
1.2MB
-
memory/4684-208-0x00000000076F0000-0x0000000007830000-memory.dmpFilesize
1.2MB
-
memory/4684-205-0x00000000076F0000-0x0000000007830000-memory.dmpFilesize
1.2MB
-
memory/4684-203-0x00000000076F0000-0x0000000007830000-memory.dmpFilesize
1.2MB
-
memory/4684-201-0x0000000007880000-0x0000000007881000-memory.dmpFilesize
4KB
-
memory/4684-198-0x00000000076F0000-0x0000000007830000-memory.dmpFilesize
1.2MB
-
memory/4684-196-0x00000000076F0000-0x0000000007830000-memory.dmpFilesize
1.2MB
-
memory/4684-195-0x0000000007870000-0x0000000007871000-memory.dmpFilesize
4KB
-
memory/4684-193-0x00000000076F0000-0x0000000007830000-memory.dmpFilesize
1.2MB
-
memory/4684-192-0x0000000007860000-0x0000000007861000-memory.dmpFilesize
4KB
-
memory/4684-188-0x0000000007850000-0x0000000007851000-memory.dmpFilesize
4KB
-
memory/4684-190-0x00000000076F0000-0x0000000007830000-memory.dmpFilesize
1.2MB
-
memory/4684-189-0x00000000076F0000-0x0000000007830000-memory.dmpFilesize
1.2MB
-
memory/4684-186-0x00000000076F0000-0x0000000007830000-memory.dmpFilesize
1.2MB
-
memory/4684-185-0x00000000076F0000-0x0000000007830000-memory.dmpFilesize
1.2MB
-
memory/4684-182-0x00000000076F0000-0x0000000007830000-memory.dmpFilesize
1.2MB
-
memory/4684-183-0x0000000007840000-0x0000000007841000-memory.dmpFilesize
4KB
-
memory/4684-180-0x0000000007830000-0x0000000007831000-memory.dmpFilesize
4KB
-
memory/4684-181-0x00000000076F0000-0x0000000007830000-memory.dmpFilesize
1.2MB
-
memory/4684-179-0x00000000076F0000-0x0000000007830000-memory.dmpFilesize
1.2MB
-
memory/4684-178-0x00000000076F0000-0x0000000007830000-memory.dmpFilesize
1.2MB
-
memory/4684-177-0x0000000002430000-0x0000000002431000-memory.dmpFilesize
4KB
-
memory/4684-176-0x00000000076F0000-0x0000000007830000-memory.dmpFilesize
1.2MB
-
memory/4684-175-0x00000000076F0000-0x0000000007830000-memory.dmpFilesize
1.2MB
-
memory/4684-174-0x0000000002420000-0x0000000002421000-memory.dmpFilesize
4KB
-
memory/4684-170-0x00000000073D0000-0x00000000076EA000-memory.dmpFilesize
3.1MB
-
memory/4684-159-0x00000000023E0000-0x00000000023F6000-memory.dmpFilesize
88KB
-
memory/4684-148-0x00000000006A0000-0x00000000006A1000-memory.dmpFilesize
4KB