kinsing | 894c046b185fff2c40af6afd117148e54b830383224f387ed2f389c0556fcf92

Analysis

max time kernel
121s
max time network
149s
platform
windows10-1703_x64
resource
win10-20231215-en
resource tags

arch:x64arch:x86image:win10-20231215-enlocale:en-usos:windows10-1703-x64system
submitted
25-01-2024 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Zero_Loader.exe
Size

51.3MB
MD5

0216e67c988fe280add3a09e262dac03
SHA1

4c0a6dec8c8cd2745c5306c5e660afe39263c5b0
SHA256

a5fd77cf9ba05e9c133f773665a66fc84cd8d50e11949fd9d578836dc2e4222e
SHA512

1eeab94cfd5d3570d840e39366eca900fe16763e5b2a2d499a6defd521cf2c95b4f01fcbd7cd1c9bc70bdf9b7f3480e5372d908530dcd01743a87e1e245626ee
SSDEEP

786432:fMguj8Q4VfvIqFTrYI2mkZlNc2cqmDAZUU2nE2:fiAQIHIkHb2pZU98ZyE2

Score

10^/10

kinsing loader spyware stealer

Malware Config

Signatures

Kinsing
Kinsing is a loader written in Golang.
loader kinsing

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Zero_Loader.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4068299709-2976237847-2753307267-1000\Control Panel\International\Geo\Nation	Zero_Loader.exe

Drops startup file 2 IoCs

Processes:

Zero_Loader.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe	Zero_Loader.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.exe	Zero_Loader.exe

Loads dropped DLL 2 IoCs

Processes:

Zero_Loader.exe

pid process

1812 Zero_Loader.exe
1812 Zero_Loader.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1812	Zero_Loader.exe
1812	Zero_Loader.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

Zero_Loader.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Save-WxMm0VNFhw\FilesGrabber\desktop.ini	Zero_Loader.exe
File created	C:\Users\Admin\AppData\Local\Temp\Save-WxMm0VNFhw\FilesGrabber\desktop.ini	Zero_Loader.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

1 api.ipify.org
2 api.ipify.org
Collects information from the system 1 TTPs 1 IoCs
Uses WMIC.exe to find detailed system information.

Data from Local System
T1005

Processes:

WMIC.exe

pid process

424 WMIC.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

4812 WMIC.exe

flow	ioc
1	api.ipify.org
2	api.ipify.org

pid	process
424	WMIC.exe

pid	process
4812	WMIC.exe

Modifies registry key 1 TTPs 29 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
2748	reg.exe
4792	reg.exe
2896	reg.exe
1016	reg.exe
196	reg.exe
4508	reg.exe
1544	reg.exe
4220	reg.exe
2884	reg.exe
1768	reg.exe
4160	reg.exe
32	reg.exe
2236	reg.exe
2156	reg.exe
5112	reg.exe
4192	reg.exe
1984	reg.exe
2100	reg.exe
3364	reg.exe
4056	reg.exe
4500	reg.exe
432	reg.exe
3896	reg.exe
5088	reg.exe
2928	reg.exe
4116	reg.exe
4540	reg.exe
680	reg.exe
1256	reg.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execmd.exepowershell.exepowershell.exepowershell.execmd.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
4180	powershell.exe
4180	powershell.exe
4180	powershell.exe
4148	powershell.exe
4148	powershell.exe
4148	powershell.exe
4192	powershell.exe
4192	powershell.exe
4192	powershell.exe
2436	powershell.exe
2436	powershell.exe
2436	powershell.exe
4684	powershell.exe
4684	powershell.exe
4684	powershell.exe
4796	powershell.exe
4796	powershell.exe
4796	powershell.exe
4256	cmd.exe
4256	powershell.exe
4256	powershell.exe
3124	powershell.exe
3124	powershell.exe
3124	powershell.exe
4916	powershell.exe
4916	powershell.exe
4916	powershell.exe
652	cmd.exe
652	cmd.exe
652	cmd.exe
1800	powershell.exe
1800	powershell.exe
1800	powershell.exe
3720	powershell.exe
3720	powershell.exe
3720	powershell.exe
3152	powershell.exe
3152	powershell.exe
3152	powershell.exe
5048	powershell.exe
5048	powershell.exe
5048	powershell.exe
4812	powershell.exe
4812	powershell.exe
4812	powershell.exe
5112	powershell.exe
5112	powershell.exe
5112	powershell.exe
3712	powershell.exe
3712	powershell.exe
3712	powershell.exe
3272	powershell.exe
3272	powershell.exe
3272	powershell.exe
2668	powershell.exe
2668	powershell.exe
2668	powershell.exe
2212	powershell.exe
2212	powershell.exe
2212	powershell.exe
396	powershell.exe
396	powershell.exe
396	powershell.exe
4212	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4640	WMIC.exe
Token: SeSecurityPrivilege	4640	WMIC.exe
Token: SeTakeOwnershipPrivilege	4640	WMIC.exe
Token: SeLoadDriverPrivilege	4640	WMIC.exe
Token: SeSystemProfilePrivilege	4640	WMIC.exe
Token: SeSystemtimePrivilege	4640	WMIC.exe
Token: SeProfSingleProcessPrivilege	4640	WMIC.exe
Token: SeIncBasePriorityPrivilege	4640	WMIC.exe
Token: SeCreatePagefilePrivilege	4640	WMIC.exe
Token: SeBackupPrivilege	4640	WMIC.exe
Token: SeRestorePrivilege	4640	WMIC.exe
Token: SeShutdownPrivilege	4640	WMIC.exe
Token: SeDebugPrivilege	4640	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4640	WMIC.exe
Token: SeRemoteShutdownPrivilege	4640	WMIC.exe
Token: SeUndockPrivilege	4640	WMIC.exe
Token: SeManageVolumePrivilege	4640	WMIC.exe
Token: 33	4640	WMIC.exe
Token: 34	4640	WMIC.exe
Token: 35	4640	WMIC.exe
Token: 36	4640	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4640	WMIC.exe
Token: SeSecurityPrivilege	4640	WMIC.exe
Token: SeTakeOwnershipPrivilege	4640	WMIC.exe
Token: SeLoadDriverPrivilege	4640	WMIC.exe
Token: SeSystemProfilePrivilege	4640	WMIC.exe
Token: SeSystemtimePrivilege	4640	WMIC.exe
Token: SeProfSingleProcessPrivilege	4640	WMIC.exe
Token: SeIncBasePriorityPrivilege	4640	WMIC.exe
Token: SeCreatePagefilePrivilege	4640	WMIC.exe
Token: SeBackupPrivilege	4640	WMIC.exe
Token: SeRestorePrivilege	4640	WMIC.exe
Token: SeShutdownPrivilege	4640	WMIC.exe
Token: SeDebugPrivilege	4640	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4640	WMIC.exe
Token: SeRemoteShutdownPrivilege	4640	WMIC.exe
Token: SeUndockPrivilege	4640	WMIC.exe
Token: SeManageVolumePrivilege	4640	WMIC.exe
Token: 33	4640	WMIC.exe
Token: 34	4640	WMIC.exe
Token: 35	4640	WMIC.exe
Token: 36	4640	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3176	WMIC.exe
Token: SeSecurityPrivilege	3176	WMIC.exe
Token: SeTakeOwnershipPrivilege	3176	WMIC.exe
Token: SeLoadDriverPrivilege	3176	WMIC.exe
Token: SeSystemProfilePrivilege	3176	WMIC.exe
Token: SeSystemtimePrivilege	3176	WMIC.exe
Token: SeProfSingleProcessPrivilege	3176	WMIC.exe
Token: SeIncBasePriorityPrivilege	3176	WMIC.exe
Token: SeCreatePagefilePrivilege	3176	WMIC.exe
Token: SeBackupPrivilege	3176	WMIC.exe
Token: SeRestorePrivilege	3176	WMIC.exe
Token: SeShutdownPrivilege	3176	WMIC.exe
Token: SeDebugPrivilege	3176	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3176	WMIC.exe
Token: SeRemoteShutdownPrivilege	3176	WMIC.exe
Token: SeUndockPrivilege	3176	WMIC.exe
Token: SeManageVolumePrivilege	3176	WMIC.exe
Token: 33	3176	WMIC.exe
Token: 34	3176	WMIC.exe
Token: 35	3176	WMIC.exe
Token: 36	3176	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3176	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Zero_Loader.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1812 wrote to memory of 520	1812	Zero_Loader.exe	cmd.exe
PID 1812 wrote to memory of 520	1812	Zero_Loader.exe	cmd.exe
PID 520 wrote to memory of 4800	520	cmd.exe	HOSTNAME.EXE
PID 520 wrote to memory of 4800	520	cmd.exe	HOSTNAME.EXE
PID 1812 wrote to memory of 5092	1812	Zero_Loader.exe	reg.exe
PID 1812 wrote to memory of 5092	1812	Zero_Loader.exe	reg.exe
PID 1812 wrote to memory of 680	1812	Zero_Loader.exe	cmd.exe
PID 1812 wrote to memory of 680	1812	Zero_Loader.exe	cmd.exe
PID 680 wrote to memory of 4640	680	cmd.exe	WMIC.exe
PID 680 wrote to memory of 4640	680	cmd.exe	WMIC.exe
PID 680 wrote to memory of 2720	680	cmd.exe	more.com
PID 680 wrote to memory of 2720	680	cmd.exe	more.com
PID 1812 wrote to memory of 3152	1812	Zero_Loader.exe	cmd.exe
PID 1812 wrote to memory of 3152	1812	Zero_Loader.exe	cmd.exe
PID 3152 wrote to memory of 3176	3152	cmd.exe	WMIC.exe
PID 3152 wrote to memory of 3176	3152	cmd.exe	WMIC.exe
PID 3152 wrote to memory of 1560	3152	cmd.exe	more.com
PID 3152 wrote to memory of 1560	3152	cmd.exe	more.com
PID 1812 wrote to memory of 3700	1812	Zero_Loader.exe	cmd.exe
PID 1812 wrote to memory of 3700	1812	Zero_Loader.exe	cmd.exe
PID 3700 wrote to memory of 4508	3700	cmd.exe	WMIC.exe
PID 3700 wrote to memory of 4508	3700	cmd.exe	WMIC.exe
PID 3700 wrote to memory of 3696	3700	cmd.exe	more.com
PID 3700 wrote to memory of 3696	3700	cmd.exe	more.com
PID 1812 wrote to memory of 744	1812	Zero_Loader.exe	cmd.exe
PID 1812 wrote to memory of 744	1812	Zero_Loader.exe	cmd.exe
PID 744 wrote to memory of 4812	744	cmd.exe	WMIC.exe
PID 744 wrote to memory of 4812	744	cmd.exe	WMIC.exe
PID 744 wrote to memory of 4288	744	cmd.exe	more.com
PID 744 wrote to memory of 4288	744	cmd.exe	more.com
PID 1812 wrote to memory of 1680	1812	Zero_Loader.exe	cmd.exe
PID 1812 wrote to memory of 1680	1812	Zero_Loader.exe	cmd.exe
PID 1680 wrote to memory of 5044	1680	cmd.exe	WMIC.exe
PID 1680 wrote to memory of 5044	1680	cmd.exe	WMIC.exe
PID 1680 wrote to memory of 4120	1680	cmd.exe	more.com
PID 1680 wrote to memory of 4120	1680	cmd.exe	more.com
PID 1812 wrote to memory of 1032	1812	Zero_Loader.exe	cmd.exe
PID 1812 wrote to memory of 1032	1812	Zero_Loader.exe	cmd.exe
PID 1032 wrote to memory of 424	1032	cmd.exe	WMIC.exe
PID 1032 wrote to memory of 424	1032	cmd.exe	WMIC.exe
PID 1032 wrote to memory of 3936	1032	cmd.exe	more.com
PID 1032 wrote to memory of 3936	1032	cmd.exe	more.com
PID 1812 wrote to memory of 3896	1812	Zero_Loader.exe	reg.exe
PID 1812 wrote to memory of 3896	1812	Zero_Loader.exe	reg.exe
PID 1812 wrote to memory of 2100	1812	Zero_Loader.exe	reg.exe
PID 1812 wrote to memory of 2100	1812	Zero_Loader.exe	reg.exe
PID 1812 wrote to memory of 3364	1812	Zero_Loader.exe	reg.exe
PID 1812 wrote to memory of 3364	1812	Zero_Loader.exe	reg.exe
PID 1812 wrote to memory of 5112	1812	Zero_Loader.exe	reg.exe
PID 1812 wrote to memory of 5112	1812	Zero_Loader.exe	reg.exe
PID 1812 wrote to memory of 3884	1812	Zero_Loader.exe	reg.exe
PID 1812 wrote to memory of 3884	1812	Zero_Loader.exe	reg.exe
PID 1812 wrote to memory of 5088	1812	Zero_Loader.exe	reg.exe
PID 1812 wrote to memory of 5088	1812	Zero_Loader.exe	reg.exe
PID 1812 wrote to memory of 4220	1812	Zero_Loader.exe	reg.exe
PID 1812 wrote to memory of 4220	1812	Zero_Loader.exe	reg.exe
PID 1812 wrote to memory of 2236	1812	Zero_Loader.exe	reg.exe
PID 1812 wrote to memory of 2236	1812	Zero_Loader.exe	reg.exe
PID 1812 wrote to memory of 2748	1812	Zero_Loader.exe	reg.exe
PID 1812 wrote to memory of 2748	1812	Zero_Loader.exe	reg.exe
PID 1812 wrote to memory of 4792	1812	Zero_Loader.exe	reg.exe
PID 1812 wrote to memory of 4792	1812	Zero_Loader.exe	reg.exe
PID 1812 wrote to memory of 4192	1812	Zero_Loader.exe	reg.exe
PID 1812 wrote to memory of 4192	1812	Zero_Loader.exe	reg.exe

C:\Users\Admin\AppData\Local\Temp\Zero_Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Zero_Loader.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "hostname"
2⤵
- Suspicious use of WriteProcessMemory
PID:520

C:\Windows\system32\HOSTNAME.EXE
hostname
3⤵
PID:4800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:32

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
2⤵
PID:5092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic csproduct get uuid | more +1"
2⤵
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4640

C:\Windows\system32\more.com
more +1
3⤵
PID:2720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic OS get caption, osarchitecture | more +1"
2⤵
- Suspicious use of WriteProcessMemory
PID:3152

C:\Windows\system32\more.com
more +1
3⤵
PID:1560

C:\Windows\System32\Wbem\WMIC.exe
wmic OS get caption, osarchitecture
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic cpu get name | more +1"
2⤵
- Suspicious use of WriteProcessMemory
PID:3700

C:\Windows\system32\more.com
more +1
3⤵
PID:3696

C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get name
3⤵
PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic PATH Win32_VideoController get name | more +1"
2⤵
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\System32\Wbem\WMIC.exe
wmic PATH Win32_VideoController get name
3⤵
- Detects videocard installed
PID:4812

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
4⤵
PID:4256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
5⤵
- Suspicious behavior: EnumeratesProcesses
PID:4812

C:\Windows\system32\more.com
more +1
3⤵
PID:4288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic computersystem get totalphysicalmemory | more +1"
2⤵
- Suspicious use of WriteProcessMemory
PID:1680

C:\Windows\system32\more.com
more +1
3⤵
PID:4120

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
3⤵
PID:5044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get size | more +1"
2⤵
- Suspicious use of WriteProcessMemory
PID:1032

C:\Windows\system32\more.com
more +1
3⤵
PID:3936

C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get size
3⤵
- Collects information from the system
PID:424

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
2⤵
- Modifies registry key
PID:3896

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
2⤵
- Modifies registry key
PID:2100

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip
2⤵
- Modifies registry key
PID:3364

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook
2⤵
- Modifies registry key
PID:5112

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager"
2⤵
PID:3884

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx
2⤵
- Modifies registry key
PID:5088

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime
2⤵
- Modifies registry key
PID:4220

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore
2⤵
- Modifies registry key
PID:2236

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40
2⤵
- Modifies registry key
PID:2748

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data
2⤵
- Modifies registry key
PID:4792

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX
2⤵
- Modifies registry key
PID:4192

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData
2⤵
- Modifies registry key
PID:2928

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack
2⤵
- Modifies registry key
PID:2884

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Mozilla Firefox 105.0.3 (x64 en-US)"
2⤵
PID:648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:2668

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MozillaMaintenanceService
2⤵
- Modifies registry key
PID:4056

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2
2⤵
- Modifies registry key
PID:4116

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ProPlusRetail - en-us"
2⤵
PID:4820

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent
2⤵
- Modifies registry key
PID:4540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:780

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VLC media player"
2⤵
PID:3268

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WIC
2⤵
- Modifies registry key
PID:1768

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1D8E6291-B0D5-35EC-8441-6616F567A0F7}
2⤵
- Modifies registry key
PID:4160

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37B8F9C7-03FB-3253-8781-2517C99D7C00}
2⤵
- Modifies registry key
PID:680

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}
2⤵
- Modifies registry key
PID:2896

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5FCE6D76-F5DC-37AB-B2B8-22AB8CEDB1D4}
2⤵
- Modifies registry key
PID:2156

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64A3A4F4-B792-11D6-A78A-00B0D0180381}
2⤵
- Modifies registry key
PID:4500

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{662A0088-6FCD-45DD-9EA7-68674058AED5}
2⤵
- Modifies registry key
PID:1016

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6DB765A8-05AF-49A1-A71D-6F645EE3CE41}
2⤵
- Modifies registry key
PID:1256

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{77924AE4-039E-4CA4-87B4-2F64180381F0}
2⤵
- Modifies registry key
PID:32

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-007E-0000-1000-0000000FF1CE}
2⤵
- Modifies registry key
PID:196

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0000-1000-0000000FF1CE}
2⤵
- Modifies registry key
PID:432

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{90160000-008C-0409-1000-0000000FF1CE}
2⤵
- Modifies registry key
PID:4508

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3032

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB0836EC-B072-368D-82B2-D3470BF95707}
2⤵
- Modifies registry key
PID:1544

C:\Windows\system32\reg.exe
C:\Windows\system32\reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CF2BEA3C-26EA-32F8-AA9B-331F7E34BA97}
2⤵
- Modifies registry key
PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3952

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4896

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3184

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:660

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:5052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4200

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2776

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:5048

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2500

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:3272

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1680

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2664

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2432

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:516

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1668

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:868

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3336

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2832

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:5088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:4256

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2432

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3752

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
- Suspicious behavior: EnumeratesProcesses
PID:1800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1412

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2664

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2236

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3200

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4584

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3176

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:64

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:312

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:96

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4632

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3168

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3952

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2204

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:5044

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1836

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4552

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4168

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4196

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3272

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4896

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3768

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4872

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2024

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4640

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2540

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:5040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4288

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:4116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4948

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:2492

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:3152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3088

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:4308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3528

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:2028

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:1132

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:5000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:3268

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
3⤵
PID:1408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "powershell Get-Clipboard"
2⤵
PID:844

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4192

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2436

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4796

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4916

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:652

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3720

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:5112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3712

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:2212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:396

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:4160

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:2212

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:2136

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:3304

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:4116

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:3748

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:4124

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:2596

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:2876

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:1680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:1940

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:1424

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:3344

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:5056

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-Clipboard
1⤵
PID:2108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
3de7dfd15c46f7130d4fc1fa4770b295

SHA1
b677f2c050b0846f0b646a2dd3c3bf2e71bbcf02

SHA256
2b4f720648bd3c70c150286a116c66aa42bede7e9d0e8f160761bb3dc0bdf9e9

SHA512
b71a3cc929ec5769e5468b6b66d986a2d96c660b2e7073fc9ae6d2ca4e777d980fda1e69f9937bc77171c79090275fc7f5e0deaa7a13729bd00973f179127acb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
31047f58a598f3a174161c6c57dbbb36

SHA1
9db9c3c2e0b76f6392cc6e47041dedcd4dd37c55

SHA256
114b2af97ea5f59413fb51c1b74296d9d5fc3f641f936fee0af7dd5b1eaae688

SHA512
14cfbee299a05607e41c5c4a5267209d921f1a144eee9cf6e8170ee1df56211b307c4170ae77028e5ace9575ddc4e977efdb1ada9ee4779e8d1d1c389cfe62e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
248b13bdcf44a6ec3bb8036e874b5a3e

SHA1
df37fdbb0bb726cb676ab71bb410d0769710849c

SHA256
a33ba0f28b0302347c2889777e91b41bc7ae1310c722b5ae05d2f091c1345a42

SHA512
6d13f3b3dc9fbc2208cc11dd0b7375ac7a73470bc8721c747cf6ad44d924b1a356646f0157c27f8ef636fd67b5e1fd22191806a342ad936697e54d7275746fe4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
cf99ad78587fa24e3a95995bea3cac31

SHA1
631010ab3e3a3405230f019c3f36190458f702ad

SHA256
f16b79f243895214e24ae37777d9b9ab7437db6cdb53686304d04bebf7ec33ce

SHA512
d59ea6b5aa524c6e415f0473b5f6334bf6dfc12c7622833cf6949b3f6f352d7581f2715ccb20f1e723728341e7e3a76f26df73af79ac577a1422e26c4303b7c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b4a794f17e24e772a2a98ed31a7ac515

SHA1
8658c9840604c375bde03a6c7e00603468a8a40b

SHA256
95199da030b50eb77638507055fd1e626c360815d876ca5a07ddf17eb212dafa

SHA512
a62b6868375947f4fa009370a033701c877f3dd1d5541934115ad2264cbbdcefea9e09a4615a600deacf7cb0e04a8f27212a4ba8340a8a93adc68f2273b6ded8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
38f358b193bc678623c239167c7813c2

SHA1
9fdeb0ff2fbd932792ce92f24c9f4b002bfd00c2

SHA256
0b72a17a0b2b86aa2f0f9b0862233a243698e6f5dba2f4ddf07219e96bf420c4

SHA512
7722cc81bfc63584c461f9c52aeb194dc63f4a865bce4474d1b727b485c97d302850c71004a1752864463b651b2e3cedab84033e6a14e2b675d88029d2a413f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a5ec6049675c64bb89a0b1bc4f0322d3

SHA1
12e70e67106e956b6c98813f65deea9be47130fc

SHA256
10be6eb50478baed4a5af6a31666166d480e8930107cb5269e2ba714a6844fc6

SHA512
6a07d8beb131c934e32935d76bb1b8e4813e7885d52b8dbfe0c8dce7a7ef0069932739d66acc2275b4a626b73de71c3bd00779335e72c54cb21e110db242b5bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
ad890d5408c79d3a776b80947e0cc899

SHA1
ed1512cb6782edddf2a6573958c4e4699cad1b4b

SHA256
5a756544904ae5f52c169b5d9ce8782271301b16937646ea5e8bad5f7d8c1670

SHA512
39772833013840b1647b6f41e584f346552ac41ccac03512a7ba449ec76fbfbd576c2b2ce2d550ecd7c768d2c6cf21971b22f96cce4b7a508e426e2bbaad66a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
1dbc3063769eeffa42b05fa806b415c7

SHA1
1caaab011923d280c9ea166ea65ff6daa7362cb0

SHA256
5a9047355dfbe66fad0b9aaff016cb5a6cf23b39bdbd4b854089a144d213bb22

SHA512
3d6ac563806f21498da152dbf985f938837625eb505319bdf14cc527fe1e03ac9071cbf3503abd3493ae93530fe8f72966b0e5fd5cd3a15dd49a1d949b62b1b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4a0103a31d1ef6be9ecc43a593ae6ae0

SHA1
5b150c2af771ec42e54a366d1ca56f1277aa9fde

SHA256
ad4f91a625f408ecb7807ad163bf1077a5f9acf99dd1144477910522afc3dd13

SHA512
6614eabaa85f806dec154cbd60944f6191cb14004b10c52afc27f07615791740ca9590dc86ce08611858a6b9d9b1abd536fa4646b03848258e74667ccc407a09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a7e100a96a1f75d5e9d3116ea7f34fb9

SHA1
2d67bfe98fb0dee0e1f04e9563c294a156ea490a

SHA256
2b72d9a5cbf64e70632cdb1b3c5d5f9b2d4b31a2089fb1c0993d0a175170125b

SHA512
949d4ddae0e41cd0acdfa717d2a49a186331927b796d49cd9a1511d46752546427723892e1762b1bf92117ef98e780507339f3d8fb9bcfc81dc8061a9d871d24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
07aec5df9f5ba9523b711f940afb51c6

SHA1
1f593b317bb1befa3a3f3a10485f62818d787160

SHA256
2af093bc311af5ef5a6a5ae2a5c86d8db4873dedff6e241b18ccba046cab36bc

SHA512
da1fb374011d5c2a13d07b8cb2ccbf1afaf840ab1920e16809bc9597e5bf647540455cdf2376ed821d219d28fb25ea1df6ec6a2613c9490caed6783fd26e6351

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9bf970d82e49441d72828ef0388e0235

SHA1
4f3b6121f0e5f66a73b6eaaec1e899f477ccde48

SHA256
46982458c013264b7c19b6077df18dc92022bbfe732714afadbfc0493e6e9b46

SHA512
7bf959509675d81e2e702e924e414730cda7be240d9752522698917b1b3e0cd1b5de6f77b3de7fdb26be41ad8573fe5723287db33eb2f6fcef34cd7165599751

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
e104d4491bd9aa49e98eadfd69daafd2

SHA1
76ac4cd3cff751f6f1f781e60b2d0aef876a55ea

SHA256
9d5770e451c032cddbb2d34c67a0bdb4f9f8ff175526946ce0298f25b6cbc72e

SHA512
982b1edbe9885e3eea92212855d3b8cc5f07a840150a5c759e9cab7c3cccd7bd2aab9fb5b7f25e772c8a4dca1ae2f042f1b2118b35a01318e2ad6fd574c840f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
4eccb43639bde8ee3395e6605ed061d9

SHA1
0a4fb25913ea645b56533d60fc6a3525f907f888

SHA256
16a6501da251d825a21801b7ccf1dd2825731e21b2ac6d88e7f0f8d7d40b104b

SHA512
8e15918e13cb5d0711128efcf6cccef406a9cf85679a4513075d06df4b9a8fdb6a2005d4bd439539b03e6924570860b1b15b65e0784832254f5c2c6b203f4ab4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9c547ffecafe095403ed5d162af89244

SHA1
f6bba2ff3a615d05e08802a6ef441e76a9769645

SHA256
693ee44693cd7466921c91683a57ee4b08b0986e8a3dee417757ef57fdacf5bc

SHA512
993e4fdb4ee7dbea3e13a5a84305f5ece498fa3bec7ea902fb8572ab258ff4434e44fc72bdbd5e2c6d86a479f38dc0323df8512bbd86f46a55dbf39a02b862d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
673b8d3c6ccf6c87b29dd6d8a7c736aa

SHA1
eb69ade7d8fac19ea54b068803d1f160f873338a

SHA256
9d62ad8174185155c890ba44dc8feac09c9dd5a4aaf6e2444b49209ad0b58478

SHA512
90e01a5bba0bb3b4d7832bb007dc5621a215fa97b34397a20057bde71dd8fe882c3dba047b704e27fdfa06c411c93cf006c3b42027d3f435703847dde2d015d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
23da8054cfebc263ea1a12107765154f

SHA1
a02946519d6cec390754ed5ab38bb1f5540c2495

SHA256
7189e5006cb2e14841e63437b0c627558123f4a8ea2faa1d23aebf739c253aa9

SHA512
1a339c738215bedd339929b8283c29a22c5fef989cc58fb25ba90b64a56f0845e5c165c1720a17ec20927f47420b7aaa6a5f9408ebf92db48cadf3feeab85417

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
de78ed876d32ff793c42443def6c0273

SHA1
51ccd621497d5fb6658df968f3fbd2d1a5645b0b

SHA256
166d0a59fa4f2289fdbaf7aa3708b41de458a6a32bd201d2b3488a83d2732326

SHA512
8bb8cc9bfad0373a246870659ab1a4426ddd2facc868ec74cf4f244463af6c189766d1e04e589b46c2bfde10ddad14c28f9da501bcda0b4864ada46cd83be938

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9c2990dffb941acf3dcdff30d10d48de

SHA1
f7b9fde4fc7cc547f5ee1504a81b265ffcdab1fe

SHA256
5a5aa0976b1eb9a32bf11a6e3ea8eee8f45033a092d69d81eddcf864c76ce663

SHA512
3c8751f9db84fd8bcfe1d2f8bd49a3bac999143e5c5363813a21b9623302c8389ec3bdb1c7d6e70240fd485ab88ddaac98f84bb3d70451fc035b25b859c1f2d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f4e944460e28ad4acd0249019f36b66c

SHA1
d17411e5d17b1fd4fa890b5fab4c0845215e42e1

SHA256
f208865d132e9272b82969a6d4ff8abe7335edf4ef8f57f54377a3640030bdd0

SHA512
568334fb73860b8ea1b67ea43e838c2c208d87dc9ccb0104c1c3936ebfceec3a0b193e09d8969eceb861be4584f0f35ac7ddeeac004473e35439cb8909f46906

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8acd126ea51d1c5e06c1a8aea2fc87b9

SHA1
8fe45d933168fd6272d6db3a7c869900aeddcbeb

SHA256
b2ba4360728c11dfe95ff3df9be048e9ec9137730a0952db535e3dced22d868c

SHA512
6d08c2a9ff7855d732cd5d5afe5050b0e37930255a64c6dbf0dd6c44d7b76186380210abe823c3913c5285c767ecffbe3a61bd3c8bb94e773ae3ee4cec7aa66d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6047ec6433ad0d234aaaf25566e3082f

SHA1
dfcbc4110c816ca7038a2313583b011481abea96

SHA256
f325c940742df476fae4452b710d8256ba4acc836013a9aeb9dfbe7e78ab7b3b

SHA512
1f31d0492768ce7917aa9c825317ac4b07765e6e87b8e717461a51a7d68f3679d0f2d158d7436fc9d52a2880af5b112afa3103b31df459872027fd233d5b7299

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
dc7ebb7bcf10dc7fe131c6301a790198

SHA1
ef9201f05d71683eb717522c0f8a32ffaee97e79

SHA256
29b187de24c3c9a48193bd1268ac9bf0b88b6b66667f4672c569605cdb333554

SHA512
569cac06b42821f4f364778bd858b95bfa9dfbbf29f3ca335ce414ecba265d204cfff0e9631d7fd0f00162ceec659cc0bd47b9ae13c4d93e361384aadac898e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
16d227503d04a8b47e7412f7fcf264af

SHA1
ae0905f6e33e36b8a16dd844e1bb1a42f68b0954

SHA256
5921c3d2c020e31c67531b8caea53e0cf0eaec879807b91d6042c2fc5aaec56e

SHA512
5c21b3d2948e4d678e5b919267458409e4a78dbbcab7c65a5fe76bb32fb22d10c52c9ba0c7e5d8893d352e3aacd7de0f0fd65c121e74deff00f5560356a474c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
508ce40031605bae7ed7d0b4fe60278b

SHA1
c4d636d3be1f4eed3049b25a2126260c019acadb

SHA256
ae0364c614467009841095751428ab1e1ea83ed046ecdfdb1929d20013d221d5

SHA512
d5a97931e49f1145335bd8274276f3ede9146dd4c155590b95de7757be9edca81d0bb9f9eef344815c7839369698590d55e931389c48445fb399cc3881c6d6f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
0a5a5c52100c4a32297b058c119d96b6

SHA1
adcb48e622502b831e2e2d91508e70cce5391a71

SHA256
0b88491bbe0f015eb39af6a94889d1a08b3222d875d6285be2619568a468c3f7

SHA512
a6861013d8d651d9c263de77ddd40320e4ad9e1a7e51664a16160732a927e3b81acd00c790dbf7361d7b26ff84c6715b0c26a7320cc540ec3762ec7accf598cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
bd9bf56fe675667167af63df97cfc438

SHA1
749a6246e5fb618050dd3575dd38ab9a8e135247

SHA256
4158c9870d4b594eb914628423b8025592054906404f1b6de5034c8dcd8d73f5

SHA512
4795e544776f87c5ea85b15c1b4df4c22e760ac3625f13ea124ec3bff2075e809ff3753749ed5fdf5d89a4651df289b0a497665773555d7cdc4aac1609a32685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
00db470b0d817c3e19e1fd213628aa97

SHA1
b8050bf1a755ee78a6406b8e3adb35c8be446174

SHA256
559732b2095a5c88b5c6054ad7b5b3912e88d7cb965236240fb55dd450cc5c8f

SHA512
5e106d8c011ec551e139aa40a35a13e9ef2b73312627cd5ab7d6c54605d9c865ac64935292c83b78ab3d4afa31c37becc9086e2ec68473a79bc8e0b1072d9cff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
f012158f336ca5642342c585800eb6b3

SHA1
0b9de781a1b9c21e5e4b90daefb23965c1b14c01

SHA256
7656ad2665c77ba5a6f33004bb7c1c92c1accd24ad406a19e4753f66f3338eea

SHA512
96a8e0387268438bc99de9facdabac4021e4972afa35bb337a8c31a512a1be812d3143424d65d77cfa793729dd24703fe82a0a881603e9076652e86a5abfe845

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
d69d092f8baf2de129144e7034407d02

SHA1
d9695902fd3df64e25f7105d4ec4f2b1dda2303f

SHA256
a00ad9f6cae900624818331fdbba09c4ec177da736a329411216caaae61c166f

SHA512
01a051b30d72b21d99b8f26f22adf3aeab1fa9a9a9d41cc4ad8d66c7f219eb55b48ad9575117c22d18898a23d7ca7e6d8fe56390d37c6a70afe4c11ba49aef25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9ed9b900d5f94b239ed354c1cb43b192

SHA1
05d654dd00e50eb22fac4924e6f8bf297e25570b

SHA256
7a2883e72761b47fb187a1a3653a2a98050309dd2bcc2e3cb8453a613ffea4f3

SHA512
6fd8e458daddc3dbc231e6d008b2e11c547b4ee1178746493138538d4886314d59f6e98448b25fae11b118f6a5792121cc77c3ed1b5b2546f9fcae657ad5b56b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b82680c36b6b6914004c3330a0e9938b

SHA1
b2acc87b4a2bbc2318d6bbdd9ce2ab39f88773f7

SHA256
875d8125c17ba2d2db575be37f7129fdad9d1aba37b74748715cfa948108ebb9

SHA512
6bf9de40f9bfb556c37bcd7b3d6bf21342fd5a4339e2c7b172b44e763056cac5af88866cd945c9977787bb006ec33a9073235036a883ba0eaf0c9b8774537b0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
dde285b2db6c181cba99e41d2deb8f0a

SHA1
d06d98ce996502b20f532b253d261282aebc03ad

SHA256
c7d64a1430d7d2efa50b41a257ea81c89828999c361ab0af9c1c4f1b7ff1385b

SHA512
9ce6503646504bff0a5881e5c9936949654e7b7e3f0a6fe9dd09e369ee93771b2a645d9e7c29fe90398b61f121aa85055630516807cd9048fdf5f982d211c2e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b30baef76cdcab23eb31ca72c49b3207

SHA1
f77ac1def8a8b20f5005133eb5702c3c8389dfda

SHA256
d1bd3036c186c7b8f7c4e3f31ca59558edeb730c332abf1633e9620c877bb103

SHA512
230215da841f6b317fc39084748c8cd44fb66b067bbd0b103776f3e23763b1279c23881a20869b1de19e5678bd603c4ae06562788d5cf55bcf32c803f30d3936

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
29e641e159f3d612a773814ae679f052

SHA1
582b4ecacd666d7ce123219fc317afe9c75572e5

SHA256
90ca8a18f176b2be38e988dabe44afaf75ef19af3cb074e05c1383c776e4d02a

SHA512
875d3ed25fd47e64a612b2774ff96d7c08d2ca8ecb5f856c89d0d712461e1593de2d7b033d223c00f4ea7bc1e2b78da9ec7106eab45cc956c25600e9eaadf218

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
736209d21f89dcee559fec7ea096b4d3

SHA1
7ffdcea306f827b95c89d35908758f9eb7d78b20

SHA256
6adc17ea2f469cc5d42c3a2451da8170b0d42653d56653d905a66973592b209a

SHA512
f7e72c0cb5d85680194457da3d9082eebbe91323a3c7e7c8ed845b05426db910fd4b07069be2cde4f5e92736669c0b9c0b01dda5c35430fbc557c5365ab737ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
cf002d856f03fd2aaa847876582d6bf3

SHA1
9f6fba8ecda88df7df3fb31d2366a6d15a159432

SHA256
722063c44cf16ec18266ea08942d15b915679b35a9edd17f11143092a574d96f

SHA512
2b007aca8b71e12398ee57358d9bede95c574fff262bc62cccd3473f30158fa0f6bdcbd277c87bc4c153f8d88098502e08e61b3c952480d06549ed9f5ef9997d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
18a6e25b09a3a8eaae0419ddda9f70fd

SHA1
fc7772fde07c3f764144deb46015cae28cb018c5

SHA256
fec8c5818ab9986ddb5980eb1ad71f792810bd141de490ee88affd7503d91a81

SHA512
e79307e5c3e78de2c837a6cdfb067610cb91ccb3531945869b979843dcc888279867981eec7f97353ba391dd32a8a4300c043e970baec409430383dc4bdc36f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6cb2a8b987eed586014835282ce74a65

SHA1
45ba452a5010d387c2cfbc0ac1606cbb597ad2af

SHA256
e7a861b7fcfcca5714e6d9e6562a57ccae82bd2f4d780829479ef1b10b9b749f

SHA512
5fcd96c46692c66a89337f371374612106e0f193c669278a3adb78e2f367a87b914ccfab22859c8d7dc499614c3d217beb4718b51e549ee21ac2ff01511016f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
bea9956cbde42671a49a0983096d1913

SHA1
7e78bc4cb97b7a1bafed6bcd7c447f06f1fc6492

SHA256
df8d3d7976df95f7b5a2b756cefc9febe9c4c4eb0cd8cfeb96584c151bede136

SHA512
843a9cc95f9c6d6eff6d4a0310c2c4bb20e46480e6bc28878e2c071341deb31e63ab4162e7c31c5783cf5a8c6b50cc3fa72a30996978a1e04691b6509cb58ae9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
743a79cd413b6656203065a199406729

SHA1
d47aa3ec5bf076f1ae841e44cf0790866d9a294d

SHA256
2bb836733aa86864ee8dc7c3ef239d631de499ba4c61082aac86f89fd1d62152

SHA512
27be600ea575b42c665403bdfeceebdff2c8bd2dc044380def8e8260ba915e0e415db2b421d9793a1e1d1858d2de1ef3693f1eaf535c355c8c674ff4fe2b1e27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b02885330560d823c0c516d31b961a44

SHA1
b308668c74c01bf6e5b9bf8b169f394190a704d7

SHA256
a6416737cfa2e5f801e104785e06de4df901bc7d768076c7285fd4376cb7b391

SHA512
501cf5d3a36c48c84c85d8716883eb1efe116fc03e91b91a01c7fbb3bb65ed280c8d658d1c888fb900e2871ef4cd70cf59c09c6f70504b6e3534691fa01cdc0a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
9b7c29ecd32b469f36490e6a666fd4b6

SHA1
43da3afab74f83212429c51062f7d95db911c48e

SHA256
e8359e2b17f63cb1983c5f4c63558f9780d98c580a78e2455142f0159a4ad73b

SHA512
f0a2845b93b36f6dc8047f7c8bebc0212d6c512c01deedeedbe41a6f1af91f571e4d6a6b6ad31192a482648547b85715b670c212fc6d8c9c58a5b1bb540aa1bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
eb2556d8318f645f623d32770e0dde00

SHA1
31f90ff5adf78f9fc239c79752a5facb0e1ba59e

SHA256
f7854cd4413af38826f371eda77f974a80e6a153664c0b8fcd394daa2ac98f22

SHA512
6c3b3abe8e5407408640dcd1c31f8bc24dc0188f87a364f9a584b2c80b464ec80d3f7fe509fce20bc0b4a00caad2a1003e23385cebc51b8a34566ac31630b2e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b5826984cd4a008d890e3db1a7f45502

SHA1
3b4d6dc0c1a2754f01de10464b8fc303a1765152

SHA256
8d5bab0e58b950e20b980e08f1b2c6ff49b9f76a9fd0da9ae2d679aa9616a6f8

SHA512
5552c629c9535f4a81c6be32e687f8627f46d84d63ee958a1290c0650aac1d2f56ed2f2e99a073fa43062ee5ac67d1662b9d01fc8a2788cb77af0624bba1d477

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
6f99ffee6b2c1785e3eaef82ba29108f

SHA1
1888f05af195a4747dd13f129894888cd5c9f74e

SHA256
7ef429b02aea491cc5e4baa5768fe2885bd0f6906b07efac79ff7e03e5bcb73d

SHA512
ad3b7c3a40498daad07cce65a5e74dcfed81f36a32ba71cc104541a950f2f3a424c7d672a1978b7ced0ee4fc2678494ed97b465a37c3c7ea3bef4598f0825ccc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
b7452372bb53d6c3f9012e0d3d0d6e5d

SHA1
ae0e362b965a7262acbecdb4184d43bdf6fd2435

SHA256
04806744521cf7da2dff2bd95049ec3d5e07d2c6e8cae9402be8c6855b9cc19b

SHA512
980504e05fb85c5f1855d38f14a700c7f67625218a7a60e352a1eaa8a5d2d187bdd97bdf4f402926d212bded7aa243c7cf71a9021cb15516a9f0a232cb80c0a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
8efae389369ded7a23135e8e7c082da4

SHA1
869f9dbaee028f4ba6246ca505e6b6614344bdeb

SHA256
79816dfb4a33bbb74b25096f744a41287e66c2c7314c701ad0aecb76c0b53163

SHA512
253e29e71699fa7e3250774ee52b72b3d5f86e8bf8c54e785902528956ed5abeb6b2d26712b8afb0e0fa9e037d70101ab4e16e0fcabaa787cf94c5f1e55a498b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_1goozbqc.mym.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg\7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01\sqlite3\lib\binding\napi-v6-win32-unknown-x64\node_sqlite3.node
Filesize
1.8MB

MD5
3072b68e3c226aff39e6782d025f25a8

SHA1
cf559196d74fa490ac8ce192db222c9f5c5a006a

SHA256
7fb52b781709b065c240b6b81394be6e72e53fe11d7c8e0f7b49dd417eb78a01

SHA512
61ebc72c20195e99244d95af1ab44fa06201a1aee2b5da04490fdc4312e8324a40b0e15a7b42fab5179753d767c1d08ae1a7a56ac71a6e100e63f83db849ee61

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ybbdryvc.default-release\places.sqlite_tmp
Filesize
5.0MB

MD5
7a8dbbd21d9a460640782baeaaaa42a4

SHA1
f9c5b5763051773d14570f5466a842df3292c2c5

SHA256
e238538ef876f380b162fb1b22359228fcafe8143a45c22ce5dcb4337ab30da7

SHA512
c72e62660e9dc7c605a58d33d7780a73ac059a9895ac667c0f2d7a5956cf963ff7bcb6b826b7c318003a9c7c4cc424708c28fb5cd8a0686638ea4a471e386987

Download Submit
\Users\Admin\AppData\Local\Temp\pkg\2392309a42385e2ae29cd4953ce8021de9c9008ec8e6120b5822eb7313a4970f\win-dpapi\build\Release\node-dpapi.node
Filesize
136KB

MD5
79e6fb42b4575bc2c824cd14f3de1603

SHA1
9c6a9bb6237a0103c37dd753c232178050a86992

SHA256
2392309a42385e2ae29cd4953ce8021de9c9008ec8e6120b5822eb7313a4970f

SHA512
cc320134254df38e27db80a8bab8d0e8a53518974161007bf06a3cf0ec28b3f6ae36fec94bec9565975b1f4d25868cac3c04fd9e1b38236db3f8490e2f6a5c4e

Download Submit
memory/652-659-0x0000016897470000-0x0000016897480000-memory.dmp

Filesize
64KB

Download
memory/652-657-0x00007FFD8D5C0000-0x00007FFD8DFAC000-memory.dmp

Filesize
9.9MB

Download
memory/652-740-0x00007FFD8D5C0000-0x00007FFD8DFAC000-memory.dmp

Filesize
9.9MB

Download
memory/652-660-0x0000016897470000-0x0000016897480000-memory.dmp

Filesize
64KB

Download
memory/1800-706-0x00007FFD8D5C0000-0x00007FFD8DFAC000-memory.dmp

Filesize
9.9MB

Download
memory/1800-684-0x00007FFD8D5C0000-0x00007FFD8DFAC000-memory.dmp

Filesize
9.9MB

Download
memory/1800-685-0x0000025F81B60000-0x0000025F81B70000-memory.dmp

Filesize
64KB

Download
memory/1800-705-0x0000025F81B60000-0x0000025F81B70000-memory.dmp

Filesize
64KB

Download
memory/2436-507-0x00000186F9DE0000-0x00000186F9DF0000-memory.dmp

Filesize
64KB

Download
memory/2436-489-0x00000186F9DE0000-0x00000186F9DF0000-memory.dmp

Filesize
64KB

Download
memory/2436-488-0x00000186F9DE0000-0x00000186F9DF0000-memory.dmp

Filesize
64KB

Download
memory/2436-487-0x00007FFD8D5C0000-0x00007FFD8DFAC000-memory.dmp

Filesize
9.9MB

Download
memory/2436-510-0x00007FFD8D5C0000-0x00007FFD8DFAC000-memory.dmp

Filesize
9.9MB

Download
memory/3124-605-0x0000024D26880000-0x0000024D26890000-memory.dmp

Filesize
64KB

Download
memory/3124-604-0x0000024D26880000-0x0000024D26890000-memory.dmp

Filesize
64KB

Download
memory/3124-623-0x0000024D26880000-0x0000024D26890000-memory.dmp

Filesize
64KB

Download
memory/3124-602-0x00007FFD8D5C0000-0x00007FFD8DFAC000-memory.dmp

Filesize
9.9MB

Download
memory/3124-626-0x00007FFD8D5C0000-0x00007FFD8DFAC000-memory.dmp

Filesize
9.9MB

Download
memory/3152-743-0x000002453F900000-0x000002453F910000-memory.dmp

Filesize
64KB

Download
memory/3152-764-0x00007FFD8D5C0000-0x00007FFD8DFAC000-memory.dmp

Filesize
9.9MB

Download
memory/3152-761-0x000002453F900000-0x000002453F910000-memory.dmp

Filesize
64KB

Download
memory/3152-741-0x00007FFD8D5C0000-0x00007FFD8DFAC000-memory.dmp

Filesize
9.9MB

Download
memory/3152-742-0x000002453F900000-0x000002453F910000-memory.dmp

Filesize
64KB

Download
memory/3720-714-0x00000279B7FE0000-0x00000279B7FF0000-memory.dmp

Filesize
64KB

Download
memory/3720-735-0x00007FFD8D5C0000-0x00007FFD8DFAC000-memory.dmp

Filesize
9.9MB

Download
memory/3720-732-0x00000279B7FE0000-0x00000279B7FF0000-memory.dmp

Filesize
64KB

Download
memory/3720-713-0x00000279B7FE0000-0x00000279B7FF0000-memory.dmp

Filesize
64KB

Download
memory/3720-712-0x00007FFD8D5C0000-0x00007FFD8DFAC000-memory.dmp

Filesize
9.9MB

Download
memory/4148-450-0x0000021CF65A0000-0x0000021CF65B0000-memory.dmp

Filesize
64KB

Download
memory/4148-451-0x00007FFD8D5C0000-0x00007FFD8DFAC000-memory.dmp

Filesize
9.9MB

Download
memory/4148-428-0x00007FFD8D5C0000-0x00007FFD8DFAC000-memory.dmp

Filesize
9.9MB

Download
memory/4148-429-0x0000021CF65A0000-0x0000021CF65B0000-memory.dmp

Filesize
64KB

Download
memory/4148-430-0x0000021CF65A0000-0x0000021CF65B0000-memory.dmp

Filesize
64KB

Download
memory/4180-399-0x00000249BD440000-0x00000249BD4B6000-memory.dmp

Filesize
472KB

Download
memory/4180-414-0x00000249A4C70000-0x00000249A4C80000-memory.dmp

Filesize
64KB

Download
memory/4180-395-0x00000249A4C70000-0x00000249A4C80000-memory.dmp

Filesize
64KB

Download
memory/4180-396-0x00000249A4C70000-0x00000249A4C80000-memory.dmp

Filesize
64KB

Download
memory/4180-393-0x00000249BD290000-0x00000249BD2B2000-memory.dmp

Filesize
136KB

Download
memory/4180-394-0x00007FFD8D5C0000-0x00007FFD8DFAC000-memory.dmp

Filesize
9.9MB

Download
memory/4180-420-0x00007FFD8D5C0000-0x00007FFD8DFAC000-memory.dmp

Filesize
9.9MB

Download
memory/4192-460-0x0000019DFA6C0000-0x0000019DFA6D0000-memory.dmp

Filesize
64KB

Download
memory/4192-462-0x0000019DFA6C0000-0x0000019DFA6D0000-memory.dmp

Filesize
64KB

Download
memory/4192-458-0x00007FFD8D5C0000-0x00007FFD8DFAC000-memory.dmp

Filesize
9.9MB

Download
memory/4192-477-0x0000019DFA6C0000-0x0000019DFA6D0000-memory.dmp

Filesize
64KB

Download
memory/4192-481-0x00007FFD8D5C0000-0x00007FFD8DFAC000-memory.dmp

Filesize
9.9MB

Download
memory/4256-576-0x000002107F840000-0x000002107F850000-memory.dmp

Filesize
64KB

Download
memory/4256-595-0x000002107F840000-0x000002107F850000-memory.dmp

Filesize
64KB

Download
memory/4256-575-0x00007FFD8D5C0000-0x00007FFD8DFAC000-memory.dmp

Filesize
9.9MB

Download
memory/4256-577-0x000002107F840000-0x000002107F850000-memory.dmp

Filesize
64KB

Download
memory/4256-598-0x00007FFD8D5C0000-0x00007FFD8DFAC000-memory.dmp

Filesize
9.9MB

Download
memory/4684-537-0x00000249A29C0000-0x00000249A29D0000-memory.dmp

Filesize
64KB

Download
memory/4684-516-0x00000249A29C0000-0x00000249A29D0000-memory.dmp

Filesize
64KB

Download
memory/4684-514-0x00007FFD8D5C0000-0x00007FFD8DFAC000-memory.dmp

Filesize
9.9MB

Download
memory/4684-538-0x00007FFD8D5C0000-0x00007FFD8DFAC000-memory.dmp

Filesize
9.9MB

Download
memory/4796-564-0x000002527B320000-0x000002527B330000-memory.dmp

Filesize
64KB

Download
memory/4796-543-0x00007FFD8D5C0000-0x00007FFD8DFAC000-memory.dmp

Filesize
9.9MB

Download
memory/4796-546-0x000002527B320000-0x000002527B330000-memory.dmp

Filesize
64KB

Download
memory/4796-545-0x000002527B320000-0x000002527B330000-memory.dmp

Filesize
64KB

Download
memory/4796-569-0x00007FFD8D5C0000-0x00007FFD8DFAC000-memory.dmp

Filesize
9.9MB

Download
memory/4916-630-0x00007FFD8D5C0000-0x00007FFD8DFAC000-memory.dmp

Filesize
9.9MB

Download
memory/4916-651-0x000002A7D2AA0000-0x000002A7D2AB0000-memory.dmp

Filesize
64KB

Download
memory/4916-653-0x00007FFD8D5C0000-0x00007FFD8DFAC000-memory.dmp

Filesize
9.9MB

Download
memory/4916-632-0x000002A7D2AA0000-0x000002A7D2AB0000-memory.dmp

Filesize
64KB

Download
memory/5048-767-0x00007FFD8D5C0000-0x00007FFD8DFAC000-memory.dmp

Filesize
9.9MB

Download