hxxps://drive[.]google[.]com/drive/folders/1FIHiascCaysZwRtWAW7iD2V_vnpkvHxE?usp=drive_link

Analysis

max time kernel
166s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2024 15:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/drive/folders/1FIHiascCaysZwRtWAW7iD2V_vnpkvHxE?usp=drive_link

Score

10^/10

evasion execution

Malware Config

Signatures

Disables service(s) 3 TTPs
evasion execution

Windows Service
T1543.003

Service Stop
T1489

Service Execution
T1569.002

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
33	drive.google.com
7	drive.google.com
19	drive.google.com
20	drive.google.com
21	drive.google.com

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1536	sc.exe
4720	sc.exe
4896	sc.exe
1424	sc.exe
4352	sc.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 39 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2016	powershell.exe
4980	powershell.exe
628	powershell.exe
464	powershell.exe
4672	powershell.exe
2516	powershell.exe
4980	powershell.exe
3300	powershell.exe
3952	powershell.exe
4152	powershell.exe
3812	powershell.exe
628	powershell.exe
1760	powershell.exe
3316	powershell.exe
2188	powershell.exe
3664	powershell.exe
1132	powershell.exe
1104	powershell.exe
2040	powershell.exe
2004	powershell.exe
316	powershell.exe
1432	powershell.exe
2672	powershell.exe
1516	powershell.exe
1104	powershell.exe
4656	powershell.exe
3316	powershell.exe
908	powershell.exe
1764	powershell.exe
3184	powershell.exe
3952	powershell.exe
4528	powershell.exe
2948	powershell.exe
2828	powershell.exe
1304	powershell.exe
3312	powershell.exe
1760	powershell.exe
2112	powershell.exe
2004	powershell.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
4716	timeout.exe
3844	timeout.exe
4572	timeout.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\EXM Free Tweaking Utility V5.1.zip:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1516	powershell.exe
1516	powershell.exe
1516	powershell.exe
628	powershell.exe
628	powershell.exe
628	powershell.exe
3664	powershell.exe
3664	powershell.exe
464	powershell.exe
464	powershell.exe
4672	powershell.exe
4672	powershell.exe
1760	powershell.exe
1760	powershell.exe
4152	powershell.exe
4152	powershell.exe
1760	powershell.exe
1760	powershell.exe
1104	powershell.exe
1104	powershell.exe
1764	powershell.exe
1764	powershell.exe
3184	powershell.exe
3184	powershell.exe
4656	powershell.exe
4656	powershell.exe
2112	powershell.exe
2112	powershell.exe
2040	powershell.exe
2040	powershell.exe
2016	powershell.exe
2016	powershell.exe
4980	powershell.exe
4980	powershell.exe
2004	powershell.exe
2004	powershell.exe
3952	powershell.exe
3952	powershell.exe
3812	powershell.exe
3812	powershell.exe
3316	powershell.exe
3316	powershell.exe
4528	powershell.exe
4528	powershell.exe
2948	powershell.exe
2948	powershell.exe
2828	powershell.exe
2828	powershell.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1868	firefox.exe
Token: SeDebugPrivilege	1868	firefox.exe
Token: SeDebugPrivilege	1868	firefox.exe
Token: SeDebugPrivilege	1608	taskmgr.exe
Token: SeSystemProfilePrivilege	1608	taskmgr.exe
Token: SeCreateGlobalPrivilege	1608	taskmgr.exe
Token: 33	1608	taskmgr.exe
Token: SeIncBasePriorityPrivilege	1608	taskmgr.exe
Token: SeIncreaseQuotaPrivilege	3356	WMIC.exe
Token: SeSecurityPrivilege	3356	WMIC.exe
Token: SeTakeOwnershipPrivilege	3356	WMIC.exe
Token: SeLoadDriverPrivilege	3356	WMIC.exe
Token: SeSystemProfilePrivilege	3356	WMIC.exe
Token: SeSystemtimePrivilege	3356	WMIC.exe
Token: SeProfSingleProcessPrivilege	3356	WMIC.exe
Token: SeIncBasePriorityPrivilege	3356	WMIC.exe
Token: SeCreatePagefilePrivilege	3356	WMIC.exe
Token: SeBackupPrivilege	3356	WMIC.exe
Token: SeRestorePrivilege	3356	WMIC.exe
Token: SeShutdownPrivilege	3356	WMIC.exe
Token: SeDebugPrivilege	3356	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3356	WMIC.exe
Token: SeRemoteShutdownPrivilege	3356	WMIC.exe
Token: SeUndockPrivilege	3356	WMIC.exe
Token: SeManageVolumePrivilege	3356	WMIC.exe
Token: 33	3356	WMIC.exe
Token: 34	3356	WMIC.exe
Token: 35	3356	WMIC.exe
Token: 36	3356	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3356	WMIC.exe
Token: SeSecurityPrivilege	3356	WMIC.exe
Token: SeTakeOwnershipPrivilege	3356	WMIC.exe
Token: SeLoadDriverPrivilege	3356	WMIC.exe
Token: SeSystemProfilePrivilege	3356	WMIC.exe
Token: SeSystemtimePrivilege	3356	WMIC.exe
Token: SeProfSingleProcessPrivilege	3356	WMIC.exe
Token: SeIncBasePriorityPrivilege	3356	WMIC.exe
Token: SeCreatePagefilePrivilege	3356	WMIC.exe
Token: SeBackupPrivilege	3356	WMIC.exe
Token: SeRestorePrivilege	3356	WMIC.exe
Token: SeShutdownPrivilege	3356	WMIC.exe
Token: SeDebugPrivilege	3356	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3356	WMIC.exe
Token: SeRemoteShutdownPrivilege	3356	WMIC.exe
Token: SeUndockPrivilege	3356	WMIC.exe
Token: SeManageVolumePrivilege	3356	WMIC.exe
Token: 33	3356	WMIC.exe
Token: 34	3356	WMIC.exe
Token: 35	3356	WMIC.exe
Token: 36	3356	WMIC.exe
Token: SeDebugPrivilege	1516	powershell.exe
Token: SeDebugPrivilege	628	powershell.exe
Token: SeDebugPrivilege	3664	powershell.exe
Token: SeDebugPrivilege	464	powershell.exe
Token: SeDebugPrivilege	4672	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	4152	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	3184	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe

Suspicious use of FindShellTrayWindow 63 IoCs

pid	Process
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe

Suspicious use of SendNotifyMessage 62 IoCs

pid	Process
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe
1608	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe
1868	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4624 wrote to memory of 1868	4624	firefox.exe	81
PID 4624 wrote to memory of 1868	4624	firefox.exe	81
PID 4624 wrote to memory of 1868	4624	firefox.exe	81
PID 4624 wrote to memory of 1868	4624	firefox.exe	81
PID 4624 wrote to memory of 1868	4624	firefox.exe	81
PID 4624 wrote to memory of 1868	4624	firefox.exe	81
PID 4624 wrote to memory of 1868	4624	firefox.exe	81
PID 4624 wrote to memory of 1868	4624	firefox.exe	81
PID 4624 wrote to memory of 1868	4624	firefox.exe	81
PID 4624 wrote to memory of 1868	4624	firefox.exe	81
PID 4624 wrote to memory of 1868	4624	firefox.exe	81
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 556	1868	firefox.exe	82
PID 1868 wrote to memory of 1064	1868	firefox.exe	83
PID 1868 wrote to memory of 1064	1868	firefox.exe	83
PID 1868 wrote to memory of 1064	1868	firefox.exe	83
PID 1868 wrote to memory of 1064	1868	firefox.exe	83
PID 1868 wrote to memory of 1064	1868	firefox.exe	83
PID 1868 wrote to memory of 1064	1868	firefox.exe	83
PID 1868 wrote to memory of 1064	1868	firefox.exe	83
PID 1868 wrote to memory of 1064	1868	firefox.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://drive.google.com/drive/folders/1FIHiascCaysZwRtWAW7iD2V_vnpkvHxE?usp=drive_link"
1⤵
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://drive.google.com/drive/folders/1FIHiascCaysZwRtWAW7iD2V_vnpkvHxE?usp=drive_link
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1976 -parentBuildID 20240401114208 -prefsHandle 1904 -prefMapHandle 1896 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f057e6c-0757-44fe-acc7-1cfadcaa493d} 1868 "\\.\pipe\gecko-crash-server-pipe.1868" gpu
    3⤵
    PID:556
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2456 -prefMapHandle 2448 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {30146e51-8c6b-495d-940c-2d95d7c6b254} 1868 "\\.\pipe\gecko-crash-server-pipe.1868" socket
    3⤵
    - Checks processor information in registry
    PID:1064
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3432 -childID 1 -isForBrowser -prefsHandle 3128 -prefMapHandle 2828 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 988 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e7833e3-0ebf-48fd-bbd0-d2c4fc6e96f9} 1868 "\\.\pipe\gecko-crash-server-pipe.1868" tab
    3⤵
    PID:4276
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2936 -childID 2 -isForBrowser -prefsHandle 3892 -prefMapHandle 3888 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 988 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba679cdd-a310-47cd-bc02-5f99bf5ea3e4} 1868 "\\.\pipe\gecko-crash-server-pipe.1868" tab
    3⤵
    PID:668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4328 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4300 -prefMapHandle 4236 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d459469e-41ef-4679-8105-a7e4823db1fa} 1868 "\\.\pipe\gecko-crash-server-pipe.1868" utility
    3⤵
    - Checks processor information in registry
    PID:1748
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5456 -childID 3 -isForBrowser -prefsHandle 5480 -prefMapHandle 5476 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 988 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a609aa90-906e-4a46-b44d-9a3a656965b0} 1868 "\\.\pipe\gecko-crash-server-pipe.1868" tab
    3⤵
    PID:3812
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5692 -childID 4 -isForBrowser -prefsHandle 5612 -prefMapHandle 5616 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 988 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fbf525c1-34ae-4d3d-8c5d-bae29958e658} 1868 "\\.\pipe\gecko-crash-server-pipe.1868" tab
    3⤵
    PID:4676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5840 -childID 5 -isForBrowser -prefsHandle 5456 -prefMapHandle 5488 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 988 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5409ef34-0930-47fd-9a09-e241be066fb1} 1868 "\\.\pipe\gecko-crash-server-pipe.1868" tab
    3⤵
    PID:4976

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1228

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\EXM Free Tweaking Utility V5.1.cmd" "
1⤵
PID:4496
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\CONSOLE" /v "VirtualTerminalLevel" /t REG_DWORD /d "1" /f
  2⤵
  PID:1204
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2068
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:3844
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1244
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wmic path Win32_UserAccount where name="Admin" get sid | findstr "S-"
  2⤵
  PID:3236
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path Win32_UserAccount where name="Admin" get sid
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3356
- - C:\Windows\system32\findstr.exe
    findstr "S-"
    3⤵
    PID:5016
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:1056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile Enable-ComputerRestore -Drive 'C:\'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1516
- C:\Windows\system32\reg.exe
  Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "RPSessionInterval" /f
  2⤵
  PID:640
- C:\Windows\system32\reg.exe
  Reg.exe delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "DisableConfig" /f
  2⤵
  PID:4584
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Microsoft\Windows NT\CurrentVersion\SystemRestore" /v "SystemRestorePointCreationFrequency" /t REG_DWORD /d 0 /f
  2⤵
  PID:2432
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:184
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:2156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Downloading resources (power plan, Nvidia profile inspector & more)', 'Exm Tweaking Utility', 'Ok', [System.Windows.Forms.MessageBoxIcon]::Information);}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:628
- C:\Windows\system32\curl.exe
  curl -g -k -L -# -o "C:\Users\Admin\AppData\Local\Temp\exm.zip" "https://exmapi.onrender.com/static/free/v5.0/v5.0_free_resources.zip"
  2⤵
  PID:4632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -NoProfile Expand-Archive 'C:\Users\Admin\AppData\Local\Temp\exm.zip' -DestinationPath 'C:\exm'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Downloaded resources successfully', 'Exm Tweaking Utility', 'Ok', [System.Windows.Forms.MessageBoxIcon]::Information);}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:464
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:3248
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:1396
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:1628
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('Note: If you want to revert anything, you can do it in our revert category on the main page of the utility', 'Exm Tweaking Utility', 'Ok', [System.Windows.Forms.MessageBoxIcon]::Information);}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4672
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2188
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -Command "& {Add-Type -AssemblyName System.Windows.Forms; [System.Windows.Forms.MessageBox]::Show('This will apply all tweaks in this page, do you want to continue?', 'Exm Tweaking Utility', 'Ok', [System.Windows.Forms.MessageBoxIcon]::Information);}"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1760
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4900
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator"
  2⤵
  PID:768
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Consolidator" /disable
  2⤵
  PID:1508
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM"
  2⤵
  PID:4596
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\BthSQM" /disable
  2⤵
  PID:4560
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask"
  2⤵
  PID:1944
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\KernelCeipTask" /disable
  2⤵
  PID:1104
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip"
  2⤵
  PID:2684
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\UsbCeip" /disable
  2⤵
  PID:3040
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader"
  2⤵
  PID:4744
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Customer Experience Improvement Program\Uploader" /disable
  2⤵
  PID:3756
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser"
  2⤵
  PID:1912
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Application Experience\Microsoft Compatibility Appraiser" /disable
  2⤵
  PID:3300
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater"
  2⤵
  PID:1592
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Application Experience\ProgramDataUpdater" /disable
  2⤵
  PID:1764
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Application Experience\StartupAppTask"
  2⤵
  PID:1988
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor"
  2⤵
  PID:4572
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyMonitor" /disable
  2⤵
  PID:4608
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh"
  2⤵
  PID:4908
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyRefresh" /disable
  2⤵
  PID:3816
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Shell\FamilySafetyUpload"
  2⤵
  PID:1168
- C:\Windows\system32\schtasks.exe
  schtasks /change /tn "\Microsoft\Windows\Shell\FamilySafetyUpload" /disable
  2⤵
  PID:1920
- C:\Windows\system32\schtasks.exe
  schtasks /end /tn "\Microsoft\Windows\Maintenance\WinSAT"
  2⤵
  PID:3184
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\Spooler" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1284
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\PrintNotify" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:1176
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Services\MapsBroker" /v "Start" /t REG_DWORD /d "4" /f
  2⤵
  PID:4452
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\Common\ClientTelemetry" /v "DisableTelemetry" /t REG_DWORD /d "1" /f
  2⤵
  PID:2812
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\Common" /v "sendcustomerdata" /t REG_DWORD /d "0" /f
  2⤵
  PID:3416
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\Common\Feedback" /v "enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4428
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\Common\Feedback" /v "includescreenshot" /t REG_DWORD /d "0" /f
  2⤵
  PID:3512
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\Outlook\Options\Mail" /v "EnableLogging" /t REG_DWORD /d "0" /f
  2⤵
  PID:4656
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\Word\Options" /v "EnableLogging" /t REG_DWORD /d "0" /f
  2⤵
  PID:3772
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\Common\ClientTelemetry" /v "SendTelemetry" /t REG_DWORD /d "3" /f
  2⤵
  PID:392
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\Common" /v "qmenable" /t REG_DWORD /d "0" /f
  2⤵
  PID:1128
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\Common" /v "updatereliabilitydata" /t REG_DWORD /d "0" /f
  2⤵
  PID:2936
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\Common\General" /v "shownfirstrunoptin" /t REG_DWORD /d "1" /f
  2⤵
  PID:5096
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\Common\General" /v "skydrivesigninoption" /t REG_DWORD /d "0" /f
  2⤵
  PID:556
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\Common\ptwatson" /v "ptwoptin" /t REG_DWORD /d "0" /f
  2⤵
  PID:2632
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\Firstrun" /v "disablemovie" /t REG_DWORD /d "1" /f
  2⤵
  PID:1684
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM" /v "Enablelogging" /t REG_DWORD /d "0" /f
  2⤵
  PID:464
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM" /v "EnableUpload" /t REG_DWORD /d "0" /f
  2⤵
  PID:3248
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM" /v "EnableFileObfuscation" /t REG_DWORD /d "1" /f
  2⤵
  PID:1396
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "accesssolution" /t REG_DWORD /d "1" /f
  2⤵
  PID:3564
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "olksolution" /t REG_DWORD /d "1" /f
  2⤵
  PID:1588
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "onenotesolution" /t REG_DWORD /d "1" /f
  2⤵
  PID:2436
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "pptsolution" /t REG_DWORD /d "1" /f
  2⤵
  PID:860
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "projectsolution" /t REG_DWORD /d "1" /f
  2⤵
  PID:2788
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "publishersolution" /t REG_DWORD /d "1" /f
  2⤵
  PID:4036
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "visiosolution" /t REG_DWORD /d "1" /f
  2⤵
  PID:3556
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "wdsolution" /t REG_DWORD /d "1" /f
  2⤵
  PID:1628
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedapplications" /v "xlsolution" /t REG_DWORD /d "1" /f
  2⤵
  PID:3976
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedsolutiontypes" /v "agave" /t REG_DWORD /d "1" /f
  2⤵
  PID:3356
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedsolutiontypes" /v "appaddins" /t REG_DWORD /d "1" /f
  2⤵
  PID:3668
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedsolutiontypes" /v "comaddins" /t REG_DWORD /d "1" /f
  2⤵
  PID:1172
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedsolutiontypes" /v "documentfiles" /t REG_DWORD /d "1" /f
  2⤵
  PID:512
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Office\16.0\OSM\preventedsolutiontypes" /v "templatefiles" /t REG_DWORD /d "1" /f
  2⤵
  PID:1668
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\GameBar" /v "UseNexusForGameBarEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:220
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\GameBar" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3104
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AppCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4440
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "AudioCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3504
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "CursorCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:3176
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\Software\Microsoft\Windows\CurrentVersion\GameDVR" /v "HistoricalCaptureEnabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:1644
- C:\Windows\system32\reg.exe
  Reg.exe add "HKCU\System\GameConfigStore" /v "GameDVR_Enabled" /t REG_DWORD /d "0" /f
  2⤵
  PID:4672
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\Software\Policies\Microsoft\Windows\GameDVR" /v "AllowgameDVR" /t REG_DWORD /d "0" /f
  2⤵
  PID:2188
- C:\Windows\system32\sc.exe
  sc config xbgm start= disabled
  2⤵
  - Launches sc.exe
  PID:1536
- C:\Windows\system32\sc.exe
  sc config XblAuthManager start= disabled
  2⤵
  - Launches sc.exe
  PID:4720
- C:\Windows\system32\sc.exe
  sc config XblGameSave start= disabled
  2⤵
  - Launches sc.exe
  PID:4896
- C:\Windows\system32\sc.exe
  sc config XboxGipSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:1424
- C:\Windows\system32\sc.exe
  sc config XboxNetApiSvc start= disabled
  2⤵
  - Launches sc.exe
  PID:4352
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:3560
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.BingWeather* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4152
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.GetHelp* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.Getstarted* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.Messaging* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1764
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.Microsoft3DViewer* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.MicrosoftSolitaireCollection* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.MicrosoftStickyNotes* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2112
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.MixedReality.Portal* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2040
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.OneConnect* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.People* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.Print3D* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.SkypeApp* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.WindowsAlarms* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3812
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.WindowsCamera* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:3316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *microsoft.windowscommunicationsapps* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:4528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.WindowsMaps* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2948
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.WindowsFeedbackHub* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.WindowsSoundRecorder* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1132
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.YourPhone* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2516
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.ZuneMusic* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.HEIFImageExtension* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.WebMediaExtensions* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.WebpImageExtension* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3300
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell.exe -command "& {Get-AppxPackage *Microsoft.3dBuilder* | Remove-AppxPackage}
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1104
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage -allusers *bing* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage -allusers *bingfinance* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage -allusers *bingsports* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:1432
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage -allusers *CommsPhone* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3312
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage -allusers *Drawboard PDF* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2672
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage -allusers *Sway* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2188
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage -allusers *WindowsAlarms* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2004
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage -allusers *WindowsPhone* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:3952
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:2844
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortana" /t REG_DWORD /d "0" /f
  2⤵
  PID:4204
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCloudSearch" /t REG_DWORD /d "0" /f
  2⤵
  PID:1112
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowCortanaAboveLock" /t REG_DWORD /d "0" /f
  2⤵
  PID:3756
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "AllowSearchToUseLocation" /t REG_DWORD /d "0" /f
  2⤵
  PID:1912
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWeb" /t REG_DWORD /d "0" /f
  2⤵
  PID:2212
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "ConnectedSearchUseWebOverMeteredConnections" /t REG_DWORD /d "0" /f
  2⤵
  PID:2384
- C:\Windows\system32\reg.exe
  Reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows\Windows Search" /v "DisableWebSearch" /t REG_DWORD /d "0" /f
  2⤵
  PID:4876
- C:\Windows\system32\chcp.com
  chcp 437
  2⤵
  PID:5104
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  Powershell -Command "Get-appxpackage -allusers *Microsoft.549981C3F5F10* | Remove-AppxPackage"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:628
- C:\Windows\system32\timeout.exe
  timeout /t 1 /nobreak
  2⤵
  - Delays execution with timeout.exe
  PID:4716
- C:\Windows\system32\chcp.com
  chcp 65001
  2⤵
  PID:4428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0e191469597be9082e03ed3488b3febf

SHA1
5fb06d52d09c9fd1c8c37931b317111bb37556cd

SHA256
80bda37a4a2004630f9eb08c6f803e2c0466077a672465d789eb83f3ac434947

SHA512
32278d64dd552b2a9cd69cd40edc793d1efd7d7959ef9fe7ff0cc898c5499e597136675df888dcf5dfa721f43c4f76ca930679acffc811ed7100868eda7d3cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0c5cf104e949bd6f85ce140f18e8cccd

SHA1
7daf7c49aaf0283d7d4f66193d7ca59089af0f45

SHA256
97e34eb2be7d8b383ef895a3cfd16c3c6924fed2199357dca2c037561334341d

SHA512
56ad2d8bd97ad1dbf6a56c734855a90f6a7db4dc15cf88d2b649331596b4d906a05b6aa7308835e5fa241e51456646d904b1ff4a5b51fbb3f7e0c86917038f0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d133228df70ec02731e0ef0354281665

SHA1
f0e73350121910cb4fe8015a8b2d62659ce11028

SHA256
39f8daccbd681c82b17d6c41ba9504a22e1067bf3deabf33a93b05de20bf77ee

SHA512
6a3d97f56aa51bc9fc6c0c68fe4eef289b98ffeb2f87cabc3544752e103df1ee9ff058bfe3a0245f737d1977123b9053cd9b77b86fcf74e5d35f4a964f963df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
224dcf4c17389871fa59fe45c7acd94a

SHA1
d02998277a18745bc5a5209d80a4d5c5077772ff

SHA256
c10c307786cba93488fb258b288490207e01024028a4340eab17f0c0b23dbb0e

SHA512
8e30a4a06f9a06dd2556ee9125e9dc9effcc1cbb3ce6ff9fabee383db8e4fdbe7f638ea71d5a42d6722748543c8f2a4399baefdd2a2cc20e531c966b29f32e10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b6dfd36e6091ed6aba59eb32c086c283

SHA1
27fdf360f2224366a6be59cf12a9d6f4f95a71fa

SHA256
5027d744204e1ed39b42ac1d73e40c28c80ab8f2b5f3042957de621bb8b543f7

SHA512
5bd347bfd1b6320ec2520032af51904cab2295f12fe660d7fec036750805050720710d524a3d96e4e452fa9d5b402b0bf543feb1a0f4ba7b9d3fe6d46ad22b7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9cd1248bd4ea7c67b037e211d562df75

SHA1
645ec449a44ffbd8fafbb369aedeff8053ec40c6

SHA256
5a2f36d33ee0d58c8ea96d07802ea3077cd914eba3faa24699da8e7313dc32f0

SHA512
8bc0bb55fef6a22da32035cfcdfcd49eaa6f7d8c0c9be98b9f349fe85c9bcd39f55f993f086221c04ce3eab2d0c1ed1e6840838852ae881cc13ee01399f182d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d3c6814e0f03ae4819084f394118f21a

SHA1
c89aed792857245a1e971aff633d6b1094bf765f

SHA256
1e1e4506d64def44408425fd0a1988c9c5d6c84739f6cf162ce2f3a8d6b71ae2

SHA512
78f3eee1d51237cc7f5c0d7e9327a1079981ce04d1dc25ac1dabc41261d6f427fa43ab0eeaac1ad29982fe4e429af370de1f495c586dc1fa7bfbccd7d4abc527

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4871df8aed682a3c5640eb8ba3c3a817

SHA1
e1b5c7fbd2ade4541b9f8226fd86a708c14631ef

SHA256
fbc5a247053429db0121d6c9df863c25a76a89458258002fbe288adf36999917

SHA512
d096f97fef59b14728fa1ded74d11b8d830eb363a3118cd9ef28cf957c97b87b4179d2e4b25e73aa7f2d307e378f9afbfca81845520285cc4685bf5750b9318c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
18dbed87c6381a6de1c6e22dec710b96

SHA1
b002b7eae22d59fa079a0cd82fa8adaee60d8a0b

SHA256
6265c51774a1fe89524f85978d59a135bfa531195e19ee2b85a6a534b4ed52af

SHA512
26873b2ed446c5503ebe619d60579ace5e25244d2462ddb46c6c006756ee83fb385130e9934405eca1f90d8db288f92cd207582367eeb044a4514fe46ad78b36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b450d6c74f16153ba49e5e113c64c51d

SHA1
0d37ecde18febf7e05607fdab5f319df4f60b481

SHA256
5e063c87ad63027fa46f7fe409b447049dde6ac6f3b814d462d8bb6485d73832

SHA512
3927b34d1101c3782eac2b405dd49f8d0effd28ad6aa36a7138d8330681f8827357d8ffd39a59319ba03286b0c1c28b7096ee802f37d629db08818a54077f6e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
06029b3b35822d6be9909582736a0a87

SHA1
fa084e080ea62639a7dbbcc389fdef3dd84bda40

SHA256
f55956e1dd7ae98de35be7d1050896c122d89ade990e357307d8f6d2a9987819

SHA512
72a901e300ef58e5e2d21e75a463252d6a987ac8b9cce830283015b86f339df3e6c17373451dc8fbf947a27f14224f315da6ac10260ea014d30d8a9e04077236

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
086d3f9d660dd4ec35e3f983b1b99daa

SHA1
2855db7aeb4ad88c447d4d2819b7cf1c0d30f5ea

SHA256
e21925437add061f76f3f1a851f839beae80d5b1e82bdf4ae758b77a25271fff

SHA512
3b0a53adf2330794676e54116ca129515c30115e33e16d6d5191d2452f166eabb15d7572abdb11fe6bb59323e2e799ad4ec5da8298710014a5d987cd15b40e74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
e78daa05711331419e4d97d6d488a153

SHA1
d182f950436ce3eec255297aaffd6b2c2b2a7340

SHA256
f35f6e39d19ef84ce76c303024b4d68b1eca61f231a6abf5668451dae6fad4ad

SHA512
2e4f0262781e954e8f9c0a9a0334fbab7834c488e47801652eae686a4dc479bd13ebc313a8cfd3d7ab7a83a2c70556a6b3f1d48931b4363a57d0ff7007aeeced

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
10d39a0d605968822fc7ee6d1ca857a2

SHA1
427585040cc96b8f4e9362038a930fc7dba82bcb

SHA256
b6a5aa136e6e48637e75abdbfff490381e7e301e6d506f41ef004908222441bc

SHA512
1a1fd3f314ea9d1734ecd930b4fdc7c0362a405c00f9b29f9919cb988e9c9609b24a9bb615bcbe06d6ae6ee1fd8bda8652069ce580f10923a023f23af4fd713f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0c7f79d1e0c675737b1de031bf9e44ea

SHA1
b1ef823c1f2917868a5b728358ac35109d2eacbd

SHA256
53dbfc47bf998860d3b113bce9b31135fdd8d21b9a104236d6fc150d0312cf3f

SHA512
3d3b29ce02ddebf8056ffebc8d1955803040fcfb531d3e6d2154a2dc551201202336b3dfffd12f0083a697b49eeb2418cab54097d78dff504f1859f9fcd7fa86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5e4c0d9b320b08b0dd1050e26ce7e3e5

SHA1
a0a256840388d42797d061c5c1d27e2b1f059288

SHA256
83f76d72c9b6180a47800cdf04a4c296e6451979b464998dd300d94e93497964

SHA512
db25bfd18bf25ec5146618a962fbc982ea3583679a9c77ca26c518f95503965b3d3465e32ffe673519495b4a43d5971eddf7073ac2ec6ae20e758bbd5105c9ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
173fb3b3d9bf667c10ee58f522879c38

SHA1
1a66bcb160d3518baea68f4bbe9efd28b2d0df55

SHA256
c3fa247f205ba917b65667fc8f3c3563ad89d7a81668104ee1ac4eaa24f4c7a5

SHA512
148434f20ebad05e0d33f5ab32f5240322b12118164dbb61b6f630a7048776cb5e2531bab5611c32ecb6ef304ce07eccaf8ab591a4cef66a48892dd9066188c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
687c1fadbf886436ee7ac6417d063d69

SHA1
4b7ac8b2e2affdd00385740a3fa4c9801e3436e9

SHA256
339d4b5f8348c2cbdcf9d6f0760b12cfc79d6d89583095755f3cd9a0c768f19e

SHA512
b70f0ce7981ef6a921dabbc91d3bf093d0528ea0a03961b82d566739d0f023552e4607c5da6839d3f665f4c3f005a3dd686aa7aa864648697e013c40d06672ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ba7ee2c1fdd7ab0cdbd1a337cf781b31

SHA1
1a48a38e6c995f0d611268266398744b0e8577ef

SHA256
1494ae57dcf39e362b06fe1226272859d0d7807d4dcfe25d75d71c4329e50bf5

SHA512
45f1bad5db2efae59c94b6a09d1468ef526698e0c7c1f8ed86b707d16c105760843d66aedba298f427facf5054f17872732a2fca14946239c08b5aafeeb6eef6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
2f7165b59d5dca1a7a23fcaf1371ab40

SHA1
27dacde6fe7e703eed452ac8bf90ab21ff3ae8e1

SHA256
d9a4c9aba256eb797c7f25550cfca24fd3642dbb0fd7be84724b4145c6862760

SHA512
ff09795cbeba3e9e5f5793339362c2771f01b74953a3df653c3cd51fb9e31b40ce08fea9aa0d69c093fa259c9e0f3a1c0932a5ffac15ea061e00d0a6335e4b29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c17948fa4d72f01c1e6dcb728ece3c81

SHA1
55c97675f5254241aa15db6ec8fc9b9f720058c3

SHA256
84d35719f7598225412e21d2be561879acafdbc32a6ff354f716195f432df2f3

SHA512
c23ceb274979abeab5b6a8d506019fdb638728a2a8a67aa4c98edaf14c01e575ed04d35dcc887dc4d02745c64d23c48c2e3e74f2f7110f0240b93b295c148dc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a5be4bc3ff6faa4008d3494a958166fd

SHA1
a23933602f1d5e9ba92b22e1b437d3b49053f901

SHA256
f737d6fcd85572221d7f03626d7342519213bd36d6c7b35f15e6a3671997cac2

SHA512
bf6766bbd1a534982308c09a1a66fb014bc0bd45066aa5526686920fa6649236bf80e0b8d0fc053f48fa4569db095a9d7b791879be089018474e40550738ff42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
75608735417946b700374c5bd5d4c835

SHA1
fafa07369b4fdacb70f6621d8a6cbbd8d39b25a5

SHA256
0a4295863ae3de5d47f6f81247326d497606e62542da32730e779cdd00d76b24

SHA512
ef5d35993371fa7dbd50d81f00e777724d7d45cc3d34b2b4c2d0831493917474d46227928e0a645bd434fd018b988307d1bc66f7f2b80da816187f4141fa327c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
227504756e9d16e8d89366db8ef561d0

SHA1
73aafc4e988fe25d7b099a464fac687686a5050b

SHA256
79e7275944872eea17fd2394657a5593704f9afb2344dba0512c2b48ee46152c

SHA512
f9db7f63f369a47976f0288236571d6c1b725f6e366c6b5830d38f5383d92e9b6395ad3b6b78cbe23861986f773268ee7b920b53ef960b3fe540bad105131a63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a1d694b3a1d957d7cdbbf1c1ce14676a

SHA1
b7a3a2ad9b17229187783a4f004db93db51330f1

SHA256
f3f098bb747940e047ffc6ccf0c2bdbbe2a5c3c25b331cfab815e93786e6e89e

SHA512
c4550998323041d024c505be6d2b9df9471eb0e420ead6519b04d00dafb31b70796e6d5c5f7cbea31dce0c540eee78fd1eda7c0ea7befd503f87934f4d6b7ee6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1aba8f32130931bd5faaea335e7032ff

SHA1
0b79033feb622a7f8a5b7da76a8cc3edc1bcf0d5

SHA256
fd81b145514b38cf3e13c2cc8773a6e7908fb9c397cf6e3a0b2a73f277a2e062

SHA512
99a4373362359f9439971dfd59a39bc5046e8da93496e0cc966637fd177677958645053339739b49ee46e6f262568b51577cf2aa3c58bb643e37f5a12efeac5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
092ed83f3d82bbe9a6b2774bb0dbeba9

SHA1
e63b0f5de9fdb68c34433029a7594cfe350959da

SHA256
d2f01498ce981193f83216b28a4994c5a3936989e8617a3d4b21596a69a09ba9

SHA512
5e7db3cdfd1cb3b8e0a45bb791d86c13c1ab6c785d8e8ba82eaa22d206640a0a4b5a692eedc62e65502054712aa7e75f123e1de3a9e288475f8184291fc599e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
4ddffdee15a254f9706e03373299ec29

SHA1
3670d8004607c043d601fded4e6c26cd75bbbe62

SHA256
7121703f70149156b8467413d029688d0df99282a427024dc71d0f87db5d994a

SHA512
0ce529ab1b14bf1fa459ecd8eb4a4a38069acec5987970825ba22268ae8e35f041f8b7198faf9b9a6f69547138b73432983bccbdba1d2d9c9adcf9e33b18e654

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5ca1e979aee72b4c78bbed6c4f2d1aaa

SHA1
eb808046d55e635c18850dacdc0db4e012f10cef

SHA256
9afa596ace5eee833af072b2aca7ac348b0029880e2092ab3ad2fc6474c5b013

SHA512
b05ab5e681296acd330c258a27b08e8356bc75b9ae874ca594a9e3c0171bb34ee44dfb26206df3e44a5958a68564e32f5a8271e6a627749f86784b58c0985c26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
12110e46bb6b33b360721263a41e031d

SHA1
63f36db0435bd50ee54e2210c1e772f92c7c18aa

SHA256
600b461662ba1a526c29080b2cc29abb9a12db25b8897e2786f892915da97e75

SHA512
c7284b4f13063fa51ca58cb35ea5855f3d02ebfac6c46c223c3dc8a893c4d2af3b066ec18a36879fa53445b3b470c52742dff6f9fb94edb04c919eb7b5348928

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
1227a4e7358699473346edf9ae3e6644

SHA1
260d8274bf26b0a4fc6146b32776dfce691a23a4

SHA256
397f65dad1c890928f40070623d62f19eb36e4b63c3910c8682d09419d22307c

SHA512
08865093eff36e064028eea68b4eea7d6bba4475c694d54d8abe4330624aa326f4bf3a3b1a99136d700a37191b6669b0ba1b90f0313faced66afc1ae7f916918

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
153e0fb0ab0886366ea70e314e4a5416

SHA1
a2c7d0f89c007aa171a0b449d2e11d05ddd95274

SHA256
b2b1388dda8069c2fb9198da94affb2bf40b57ce7fb882c2623813db26ed237d

SHA512
607614ba2da69692be44da00b5b27b880d26a39bedd416d8401d058c1a714ad89470174b6561687c1d37033ed9cc56d859cca466da8ba70b09da60f689fc3a3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3feaf35a61a08cfb697accc1b79f3eef

SHA1
31630ceee9613b380f3dfcd6d40c5860fe03647b

SHA256
61030662939c583281c8d6398e7eb09147eb03273c0da5ddfdfb3df14859232f

SHA512
d3e4ce6b44b054e5ab347dca31f61cd82ac4d774f30cfa606e61df51b77e42474a61244af9da2a8696be1a7e63a8f793204800ca58a4e61b1ea49df4153a33ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
54a9158de0329f8e6a7abad797f47074

SHA1
453a72d97488ee3c3eda632495c01fbad59e5fbb

SHA256
1bcf1e81723df200c27f0d5625f54c4dc18c0776d69fd9e02c297d51e14acdc4

SHA512
eea566397da58faafdc57afbf35280f0be00b6d4127ca89b7c73ae7850f90b4aabdc4aa91e775a4e3f07da582dd3eaa4d3eacb443c7de3f2da4b7a0a9ba9e706

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
d486c18652cf2131c43fbcaf092cd122

SHA1
53297cfead4e317f7df391e8425bf0c380764e21

SHA256
c4c059feb26f103fd9ae42ebb808039d06fce0f15fec0211fac52a1ce93dfb27

SHA512
30a0e97d7812fcf5397b5b39f833df2a82e8ed0ee8fa13ccd6026e660d236aca112b5b612c0627a444059d2524310669a6d73e252080480440f3d7510d305fa1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5be9415a2a4e3899d25ac663e5adeedf

SHA1
1fa393a25f0d7bb184e92e45146a5011337eb665

SHA256
f3ea9c4b7aebb0b3c0108484811254846dd9320c669f45ec1ba5d9a2b6f66cf5

SHA512
e265388f52e250d80d55db87b2385653bb54ded20c01f56762fa4bf62963c617f94bb9409a57090cca25582a22eb641886146a29167e207ef8da4d8d0d21cc8c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\lirn7gz7.default-release\activity-stream.discovery_stream.json

Filesize
33KB

MD5
0f40c9a76a1c2d0e7957d6dc1dd9b9ea

SHA1
946b1b9d759909ab5da4c69e824a03d5a17a80b2

SHA256
db5e6a64a3bde0da187553e701952133bb10c109a3323936e88c3384a2fa2df3

SHA512
b35d1fcba18b74456b79ce068be5de7cea633d9be2b3994b73abbb27df6da37e2208e7fe9a62d0289c3b7dc3e6e32ca0b9dbf4c0c390e5915f85f32d2d3379b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iaq5fffu.mdy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\exm.zip

Filesize
1.2MB

MD5
771292b5eacd58ed36234cc99eac2f31

SHA1
04486bc0065ffd576169f7c8e8d3159bbe51a702

SHA256
2f4ccb219caa32da0c89119bc8e780063127895793c94377ed2a88934a28845c

SHA512
f6213fdb977e49132b269e19de4282fda375d43e87d30dda8e9e6a1d66dc41c74a4baf0f1ab19c52e896be7fb486d9aeef8b667beccc2d84adacea80bf3eaf0a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin

Filesize
6KB

MD5
7ee7366e389a8bdb375ff42e6bf23fed

SHA1
cc549d3154a3414e074db7781bebb5402f391047

SHA256
0172b408382810ea58291cab077a0027a662c2af4c435db51dcd0197bc94c748

SHA512
aa6380dfaa572e21af6fbcc5659870759fc711c3e6252e83416d1601e5006eaf20e0b1b7fabd722bd9af5c08c26b9506d83bc1329cf04d5c4145a2ce00ddd6ce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin

Filesize
7KB

MD5
dda90141a5f4044ffa18e7cb0f89ad5d

SHA1
fc38ee1dfb2fc676e6d913a897881e4f1c7cb7ae

SHA256
e15a8e6b3bd34fb1a49b59edfb8f2517b5bf106cdbe7090c6f3c5af423b913ef

SHA512
303afda8edef897b8f4fd74bc09c627d3a9f8ba8f9e1571c7265dd24bbe02f62630341a0d28e799d424deedb9dcfdcfd4c669dfe91bbb73e1972e7d6794465f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin

Filesize
12KB

MD5
b9bebc20fd1ba9c8e6c448adc27ab36d

SHA1
f93d4e855070f15428f79562ed08ac43b92b24ab

SHA256
dafbab2530c4e8c90d2eb5f5369a6abd218e7f59d73efbf4aa886d5411e5cde4

SHA512
26ac9538c831de7d97922a6a22ab1c02f25a87290bcc8d3886a4eefc5abb234772306820cb8579c945f073c8b6a8c60480860b9dd351de9bccb23c8c7a156e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin

Filesize
15KB

MD5
c4ab5c4a97a2d47c2a562b3e0f764126

SHA1
c828cbbad1037f9071cdf2e40e1b4e430352b9ec

SHA256
d8aeecefa73311c084204b0983a8fdbfbd0a80f8c69c091865762656b86cd756

SHA512
b7b93359f65003cc57ef2981fe03d1d2743efbca3b23fbb00630ae5818c970cc5e285c7f29c106552d9e02b9711d06657b197d6ba89adaf4e53fe03500fd8293

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin

Filesize
18KB

MD5
35d4ceb480dba71f811e9784d5dd4e30

SHA1
5de04178403c66599ca15b6d2192cd07a468e949

SHA256
769144232d93e37658ede077f4a719eb83c953b378c8c79ccabdc9b8d23473fe

SHA512
297e70ac3f66c45e8b9e51b10ef5bb9a802939d9ae6406cb9d4666ebcc7653bcfe174291424394be545702810b05df05802f640ed3662b2296b05b154e4fcd73

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin

Filesize
21KB

MD5
871827526537ceb9a711f248d2be1830

SHA1
8977cbccdea6ca7035203e76cfe17e966dde1ae5

SHA256
918d84b8a08540baf6b4b9f5e6f5326629f7a7f44a664fac34ceee5cc11b05c6

SHA512
f22aa1b562727aed3459c17b084a5031fe9a5fbd3bf693c98db9f38754fcfd4046cad8cf86dcd2ee8533c5c1248fe2d38744286a2fcf10f20f1a70f3f9a26ce1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\AlternateServices.bin

Filesize
22KB

MD5
adbd2ef66cafad8fc4b74de175baa9bc

SHA1
bed7d6974170ec43a32f188034b8ae65e8035c13

SHA256
33a4cfe55542ff5c6f58edb54fd68521bf2e5c4410c95f8669b07e22db7ea093

SHA512
5fe6b3f316811b1d9d3a87b79e26c42fde2ce3eedb7441b501e3b04798b9e2da9d2b405bc37d2cd8d4fee32603d06f53e281eeea3d7a2ecc696ddeedc929866f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
0f5a1889f79aeb60a0b34c1d68ac7cd5

SHA1
dcc1b2a9c9b9cfdb8401821b5d7e5363ffa4a56c

SHA256
50972d61cb1ad24bd738cd813e30f140bac91290b30a9fcab7b9fba0cdd1ed70

SHA512
54729a7f6988d057f574d1ad5591b15c4483ab99969666a1cc4fb81b9c9a96e4b6d76b4783ecef3e105c80711dafbcfbe65312a537110f0751525d986a2aa850

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
1825e209372cb7358d226e46d3f89d46

SHA1
debba154f8d3298b80b39bc442a03824721cc53e

SHA256
efcaf2a5e4ea493317c422ecbfcf0fee4c630382c6bca7f9b8ed220d5ab79f4a

SHA512
947ece55099b87a872720cbf2de6471132c2e6d775051ce30a91411d64764ba78d48c3cecba0f4961906565fe5459e9a06361e71cbda07b77759f2e83be9152c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\7c50d317-2136-470b-8db2-3bd1f3e58136

Filesize
982B

MD5
87c234998ebd7901df722c4d660860e7

SHA1
285af176689950e4755f8227e14fed59f0ef0c7a

SHA256
99fe76aeffa089602c772a29b4ec662a25f8666f09d41a120da9446f5c8f5fcb

SHA512
012eac972b20015f091808ffd363ec273127e8df807e5ea03ad6f4e5cefaa1357b681ec4174f28d5d03f3de64a61b655e0c36656117ff3cbbc8e4dd7638a1cb3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\b4d844d3-efa4-4c29-894d-3c8d00588f06

Filesize
26KB

MD5
fd947bb25639c3e6f85c96ae028ea87c

SHA1
f8d05e54f6de53826cf5f947fd10ef14b4646bae

SHA256
17d06b5c5a11da59b8c852cc971b8952887ababf318f33e7b5b53bf86ba4e8fc

SHA512
d313cc19ef568af6f3cd28d51985152dcaa1195942762f3c6cac00cae38a4ec8eefc4e5c9ba297dd2f36392ac30908df430178135c5a9c9b1b8054b513b66564

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\datareporting\glean\pending_pings\d193bde5-5685-43f3-ad81-2202688aceea

Filesize
671B

MD5
350d58f41546e5444658d7b8b5abd882

SHA1
974b9c31b043347f034480f1a926c577787013c7

SHA256
3eb6179cd0236e50b02a77c218c508310d179df3953c2bb4a8eb7ad7e92ea518

SHA512
7af98c1b3cf65498d965dd68a17da6b153ea9eb5030a2fd4ad753856937a83d8466d4262fb5acd4d09346b60e6cd8c9e3dfbabf3eb6ef32ba3b4a7d4278b60b8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs-1.js

Filesize
10KB

MD5
e2271c833cef11c1f2525987a703cd5b

SHA1
ff55d661842f427e14da515c8eb8448258d75469

SHA256
849fbe1d2f997e01d35d963c1f779e56d680cb5d03591a003afd9dd4d5b94915

SHA512
43462023c54cb0b51f7235b5f98bbae63a6b3dc591ec2705982015fd73e0970e6c53f27047a8b10e26739729dba27f918c603b8ceeb6b32da41f2fd88603f4e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs-1.js

Filesize
10KB

MD5
9375f39be6da47ef9f1856c41926840e

SHA1
b51ed97c85062f4df7c6477a20e37abc83828608

SHA256
4c1e7c7918b0184a037289df3b0858b6389947819912841b26730060a1f5619c

SHA512
2f717dd672336a59477a20387062fb49dd90a81571a2d6451cc7ef900193826328d46dad718e6590c3e9f8e4f654ea1394c73dc2b4b64a1497a3d684f4df1952

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\prefs.js

Filesize
11KB

MD5
a6317075c4fb12dbdb664eab3197c198

SHA1
ca1992ccdde7bd9c0d15c80c14c5841c69f40cc0

SHA256
ba5cc45409b79c129bb21c92ad365d81da072e7c38f30046f7f0dcf18ea738fd

SHA512
f2e06d79f1a8f431c1890133ee5e61125ccc0de763240fd3433fb49c89db32ac818b57db41ce310c3338aa36209cb706f131f170f2294155593c9364327ae66d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\lirn7gz7.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
376KB

MD5
338ea86ead3bdc42f13d17d0619b999e

SHA1
a4c8ca6f61301241b6b46be310dbcbca0a117d59

SHA256
056b4d1953862455ac36ef76bc5269d837dfcf366aa99fced53976807131198c

SHA512
aae9f2cb132e27e0673d87661fba902a816892cdaa225645a226cf0f7b15a1f19168c99f133daf096f15dd267a2eb7f248aa3f80adfefc914cce0c495e0982e6

Download Submit
C:\Users\Admin\Downloads\EXM Free Tweaking Utility V5.smZHsam3.1.zip.part

Filesize
32KB

MD5
db55d05c9d7b819afb648e882f26dae0

SHA1
156c6b7e46a44d75dc3e9c2ed127fae65af52557

SHA256
b4d48fe20519c9fc6368f85044103ca693d31eed1cf2f9c2c9352dd5660271b8

SHA512
4d7d89065c5e7bf304c504964934ecd49aa69cd45896025c75416fc296fae855e6baf2e7a90020f90e849b7936de943ef3c20e5b84a372985bbfe6c21ae786bf

Download Submit
memory/1516-582-0x00000244A36A0000-0x00000244A36C2000-memory.dmp

Filesize
136KB

Download
memory/1608-569-0x000001CFBEFB0000-0x000001CFBEFB1000-memory.dmp

Filesize
4KB

Download
memory/1608-580-0x000001CFBEFB0000-0x000001CFBEFB1000-memory.dmp

Filesize
4KB

Download
memory/1608-581-0x000001CFBEFB0000-0x000001CFBEFB1000-memory.dmp

Filesize
4KB

Download
memory/1608-578-0x000001CFBEFB0000-0x000001CFBEFB1000-memory.dmp

Filesize
4KB

Download
memory/1608-579-0x000001CFBEFB0000-0x000001CFBEFB1000-memory.dmp

Filesize
4KB

Download
memory/1608-577-0x000001CFBEFB0000-0x000001CFBEFB1000-memory.dmp

Filesize
4KB

Download
memory/1608-571-0x000001CFBEFB0000-0x000001CFBEFB1000-memory.dmp

Filesize
4KB

Download
memory/1608-570-0x000001CFBEFB0000-0x000001CFBEFB1000-memory.dmp

Filesize
4KB

Download
memory/1608-575-0x000001CFBEFB0000-0x000001CFBEFB1000-memory.dmp

Filesize
4KB

Download
memory/1608-576-0x000001CFBEFB0000-0x000001CFBEFB1000-memory.dmp

Filesize
4KB

Download
memory/3664-617-0x000001D4BE020000-0x000001D4BE032000-memory.dmp

Filesize
72KB

Download
memory/3664-618-0x000001D4BDCE0000-0x000001D4BDCEA000-memory.dmp

Filesize
40KB

Download
memory/4152-678-0x0000022A5DEB0000-0x0000022A5DEC6000-memory.dmp

Filesize
88KB

Download
memory/4152-679-0x0000022A5D980000-0x0000022A5D98A000-memory.dmp

Filesize
40KB

Download
memory/4152-680-0x0000022A5DF20000-0x0000022A5DF46000-memory.dmp

Filesize
152KB

Download