exelastealer | 9229117216317e7dcc00258d0f6dafedd23e33b4837ad0bfee498ac4e1372e97

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
15-06-2024 23:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Gambler-AI.exe
Size

24.7MB
MD5

c420b385e0ce173ecbffc7df90f0fa9b
SHA1

fc924e44b47fb95368d32738b39d29165eff31a2
SHA256

9229117216317e7dcc00258d0f6dafedd23e33b4837ad0bfee498ac4e1372e97
SHA512

6af111a1f0da027d36103f850b2c504bfef729ed8e679ff46c4a6bbe9516798ee7df02696fa063f25f1c0a9f6378c84411e06548fb1991577d089f91b7ec704d
SSDEEP

196608:3hCXpentNSSwLRXgWPmpzdhqiyDOlbJlpZstQoS9Hf1BKXEymH3bS7C:ta5L1V8dm0xGt7G/Dym

Score

10^/10

exelastealer evasion spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5716	netsh.exe
5696	netsh.exe

Loads dropped DLL 32 IoCs

pid	Process
3024	Gambler-AI.exe
3024	Gambler-AI.exe
3024	Gambler-AI.exe
3024	Gambler-AI.exe
3024	Gambler-AI.exe
3024	Gambler-AI.exe
3024	Gambler-AI.exe
3024	Gambler-AI.exe
3024	Gambler-AI.exe
3024	Gambler-AI.exe
3024	Gambler-AI.exe
3024	Gambler-AI.exe
3024	Gambler-AI.exe
3024	Gambler-AI.exe
3024	Gambler-AI.exe
3024	Gambler-AI.exe
3024	Gambler-AI.exe
3024	Gambler-AI.exe
3024	Gambler-AI.exe
3024	Gambler-AI.exe
3024	Gambler-AI.exe
3024	Gambler-AI.exe
3024	Gambler-AI.exe
3024	Gambler-AI.exe
3024	Gambler-AI.exe
3024	Gambler-AI.exe
3024	Gambler-AI.exe
3024	Gambler-AI.exe
3024	Gambler-AI.exe
3024	Gambler-AI.exe
3024	Gambler-AI.exe
3024	Gambler-AI.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002361d-47.dat	upx
behavioral2/memory/3024-51-0x00007FFCC9670000-0x00007FFCC9AD5000-memory.dmp	upx
behavioral2/files/0x00070000000235ee-53.dat	upx
behavioral2/files/0x0007000000023617-58.dat	upx
behavioral2/files/0x00070000000235f8-79.dat	upx
behavioral2/files/0x000700000002361e-83.dat	upx
behavioral2/memory/3024-85-0x00007FFCE0DE0000-0x00007FFCE0DED000-memory.dmp	upx
behavioral2/files/0x00070000000235f1-87.dat	upx
behavioral2/files/0x000700000002361f-89.dat	upx
behavioral2/memory/3024-90-0x00007FFCDD970000-0x00007FFCDD988000-memory.dmp	upx
behavioral2/memory/3024-93-0x00007FFCC90D0000-0x00007FFCC9241000-memory.dmp	upx
behavioral2/memory/3024-92-0x00007FFCDA260000-0x00007FFCDA27E000-memory.dmp	upx
behavioral2/memory/3024-91-0x00007FFCDD840000-0x00007FFCDD86C000-memory.dmp	upx
behavioral2/files/0x00070000000235f6-88.dat	upx
behavioral2/files/0x00070000000235ec-86.dat	upx
behavioral2/memory/3024-84-0x00007FFCDD990000-0x00007FFCDD9A9000-memory.dmp	upx
behavioral2/files/0x00070000000235f5-82.dat	upx
behavioral2/memory/3024-81-0x00007FFCE0DF0000-0x00007FFCE0DFF000-memory.dmp	upx
behavioral2/memory/3024-80-0x00007FFCDD9B0000-0x00007FFCDD9D4000-memory.dmp	upx
behavioral2/memory/3024-95-0x00007FFCDA230000-0x00007FFCDA25E000-memory.dmp	upx
behavioral2/files/0x00070000000235f7-94.dat	upx
behavioral2/files/0x00070000000235f4-75.dat	upx
behavioral2/files/0x00070000000235f3-74.dat	upx
behavioral2/files/0x00070000000235f2-73.dat	upx
behavioral2/files/0x00070000000235f0-71.dat	upx
behavioral2/files/0x00070000000235ef-70.dat	upx
behavioral2/files/0x00070000000235ed-69.dat	upx
behavioral2/files/0x00070000000235eb-67.dat	upx
behavioral2/files/0x00070000000235ea-66.dat	upx
behavioral2/files/0x0007000000023620-65.dat	upx
behavioral2/files/0x000700000002361b-62.dat	upx
behavioral2/files/0x0007000000023618-61.dat	upx
behavioral2/files/0x0007000000023616-60.dat	upx
behavioral2/memory/3024-101-0x00007FFCC8D50000-0x00007FFCC90C7000-memory.dmp	upx
behavioral2/memory/3024-99-0x00007FFCD9E10000-0x00007FFCD9EC7000-memory.dmp	upx
behavioral2/memory/3024-108-0x00007FFCD9F90000-0x00007FFCD9FA4000-memory.dmp	upx
behavioral2/memory/3024-107-0x00007FFCDF300000-0x00007FFCDF310000-memory.dmp	upx
behavioral2/memory/3024-106-0x00007FFCD9FB0000-0x00007FFCD9FC4000-memory.dmp	upx
behavioral2/files/0x000700000002361a-105.dat	upx
behavioral2/memory/3024-110-0x00007FFCD9C20000-0x00007FFCD9C35000-memory.dmp	upx
behavioral2/files/0x0007000000023622-113.dat	upx
behavioral2/memory/3024-116-0x00007FFCD9BF0000-0x00007FFCD9C12000-memory.dmp	upx
behavioral2/memory/3024-115-0x00007FFCD93B0000-0x00007FFCD94C8000-memory.dmp	upx
behavioral2/memory/3024-114-0x00007FFCC9670000-0x00007FFCC9AD5000-memory.dmp	upx
behavioral2/files/0x00070000000235fa-117.dat	upx
behavioral2/memory/3024-119-0x00007FFCDD990000-0x00007FFCDD9A9000-memory.dmp	upx
behavioral2/memory/3024-120-0x00007FFCD9B50000-0x00007FFCD9B67000-memory.dmp	upx
behavioral2/memory/3024-124-0x00007FFCC90D0000-0x00007FFCC9241000-memory.dmp	upx
behavioral2/files/0x00070000000235fc-123.dat	upx
behavioral2/memory/3024-122-0x00007FFCDA260000-0x00007FFCDA27E000-memory.dmp	upx
behavioral2/files/0x00070000000235fd-131.dat	upx
behavioral2/memory/3024-138-0x00007FFCD9BE0000-0x00007FFCD9BEA000-memory.dmp	upx
behavioral2/files/0x0007000000023615-140.dat	upx
behavioral2/files/0x0007000000023613-141.dat	upx
behavioral2/memory/3024-137-0x00007FFCD9AA0000-0x00007FFCD9AEC000-memory.dmp	upx
behavioral2/memory/3024-144-0x00007FFCD95E0000-0x00007FFCD95FE000-memory.dmp	upx
behavioral2/memory/3024-145-0x00007FFCC8650000-0x00007FFCC8D45000-memory.dmp	upx
behavioral2/memory/3024-143-0x00007FFCC8D50000-0x00007FFCC90C7000-memory.dmp	upx
behavioral2/memory/3024-136-0x00007FFCD9600000-0x00007FFCD9611000-memory.dmp	upx
behavioral2/memory/3024-134-0x00007FFCD9AF0000-0x00007FFCD9B09000-memory.dmp	upx
behavioral2/files/0x00070000000235fb-130.dat	upx
behavioral2/memory/3024-129-0x00007FFCD9E10000-0x00007FFCD9EC7000-memory.dmp	upx
behavioral2/memory/3024-127-0x00007FFCDA230000-0x00007FFCDA25E000-memory.dmp	upx
behavioral2/memory/3024-126-0x00007FFCC9250000-0x00007FFCC931F000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
201	discord.com
48	discord.com
99	discord.com
100	discord.com
190	discord.com
49	discord.com
46	discord.com
59	discord.com
123	discord.com
195	discord.com
44	discord.com
98	discord.com
174	discord.com
45	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
38	ip-api.com

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3228	sc.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
3880	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3344	WMIC.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

Process Discovery

T1057

pid	Process
1000	tasklist.exe
2852	tasklist.exe
3988	tasklist.exe
4324	tasklist.exe
1208	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4820	ipconfig.exe
4060	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5380	systeminfo.exe

Kills process with taskkill 14 IoCs

evasion

pid	Process
5188	taskkill.exe
5304	taskkill.exe
5384	taskkill.exe
5956	taskkill.exe
5712	taskkill.exe
5116	taskkill.exe
5460	taskkill.exe
5876	taskkill.exe
6032	taskkill.exe
5792	taskkill.exe
6108	taskkill.exe
5208	taskkill.exe
5540	taskkill.exe
5628	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000_Classes\Local Settings	firefox.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
5000	chrome.exe
5000	chrome.exe
5060	powershell.exe
5060	powershell.exe
5060	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4324	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3344	WMIC.exe
Token: SeSecurityPrivilege	3344	WMIC.exe
Token: SeTakeOwnershipPrivilege	3344	WMIC.exe
Token: SeLoadDriverPrivilege	3344	WMIC.exe
Token: SeSystemProfilePrivilege	3344	WMIC.exe
Token: SeSystemtimePrivilege	3344	WMIC.exe
Token: SeProfSingleProcessPrivilege	3344	WMIC.exe
Token: SeIncBasePriorityPrivilege	3344	WMIC.exe
Token: SeCreatePagefilePrivilege	3344	WMIC.exe
Token: SeBackupPrivilege	3344	WMIC.exe
Token: SeRestorePrivilege	3344	WMIC.exe
Token: SeShutdownPrivilege	3344	WMIC.exe
Token: SeDebugPrivilege	3344	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3344	WMIC.exe
Token: SeRemoteShutdownPrivilege	3344	WMIC.exe
Token: SeUndockPrivilege	3344	WMIC.exe
Token: SeManageVolumePrivilege	3344	WMIC.exe
Token: 33	3344	WMIC.exe
Token: 34	3344	WMIC.exe
Token: 35	3344	WMIC.exe
Token: 36	3344	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5100	WMIC.exe
Token: SeSecurityPrivilege	5100	WMIC.exe
Token: SeTakeOwnershipPrivilege	5100	WMIC.exe
Token: SeLoadDriverPrivilege	5100	WMIC.exe
Token: SeSystemProfilePrivilege	5100	WMIC.exe
Token: SeSystemtimePrivilege	5100	WMIC.exe
Token: SeProfSingleProcessPrivilege	5100	WMIC.exe
Token: SeIncBasePriorityPrivilege	5100	WMIC.exe
Token: SeCreatePagefilePrivilege	5100	WMIC.exe
Token: SeBackupPrivilege	5100	WMIC.exe
Token: SeRestorePrivilege	5100	WMIC.exe
Token: SeShutdownPrivilege	5100	WMIC.exe
Token: SeDebugPrivilege	5100	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5100	WMIC.exe
Token: SeRemoteShutdownPrivilege	5100	WMIC.exe
Token: SeUndockPrivilege	5100	WMIC.exe
Token: SeManageVolumePrivilege	5100	WMIC.exe
Token: 33	5100	WMIC.exe
Token: 34	5100	WMIC.exe
Token: 35	5100	WMIC.exe
Token: 36	5100	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3344	WMIC.exe
Token: SeSecurityPrivilege	3344	WMIC.exe
Token: SeTakeOwnershipPrivilege	3344	WMIC.exe
Token: SeLoadDriverPrivilege	3344	WMIC.exe
Token: SeSystemProfilePrivilege	3344	WMIC.exe
Token: SeSystemtimePrivilege	3344	WMIC.exe
Token: SeProfSingleProcessPrivilege	3344	WMIC.exe
Token: SeIncBasePriorityPrivilege	3344	WMIC.exe
Token: SeCreatePagefilePrivilege	3344	WMIC.exe
Token: SeBackupPrivilege	3344	WMIC.exe
Token: SeRestorePrivilege	3344	WMIC.exe
Token: SeShutdownPrivilege	3344	WMIC.exe
Token: SeDebugPrivilege	3344	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3344	WMIC.exe
Token: SeRemoteShutdownPrivilege	3344	WMIC.exe
Token: SeUndockPrivilege	3344	WMIC.exe
Token: SeManageVolumePrivilege	3344	WMIC.exe
Token: 33	3344	WMIC.exe
Token: 34	3344	WMIC.exe
Token: 35	3344	WMIC.exe
Token: 36	3344	WMIC.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
5000	chrome.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe
2264	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1256 wrote to memory of 3024	1256	Gambler-AI.exe	90
PID 1256 wrote to memory of 3024	1256	Gambler-AI.exe	90
PID 3024 wrote to memory of 4736	3024	Gambler-AI.exe	94
PID 3024 wrote to memory of 4736	3024	Gambler-AI.exe	94
PID 5000 wrote to memory of 3228	5000	chrome.exe	98
PID 5000 wrote to memory of 3228	5000	chrome.exe	98
PID 3024 wrote to memory of 4552	3024	Gambler-AI.exe	99
PID 3024 wrote to memory of 4552	3024	Gambler-AI.exe	99
PID 3024 wrote to memory of 1860	3024	Gambler-AI.exe	100
PID 3024 wrote to memory of 1860	3024	Gambler-AI.exe	100
PID 3024 wrote to memory of 4572	3024	Gambler-AI.exe	101
PID 3024 wrote to memory of 4572	3024	Gambler-AI.exe	101
PID 3024 wrote to memory of 1208	3024	Gambler-AI.exe	102
PID 3024 wrote to memory of 1208	3024	Gambler-AI.exe	102
PID 1208 wrote to memory of 4324	1208	cmd.exe	107
PID 1208 wrote to memory of 4324	1208	cmd.exe	107
PID 4552 wrote to memory of 3344	4552	cmd.exe	108
PID 4552 wrote to memory of 3344	4552	cmd.exe	108
PID 1860 wrote to memory of 5100	1860	cmd.exe	109
PID 1860 wrote to memory of 5100	1860	cmd.exe	109
PID 5000 wrote to memory of 3152	5000	chrome.exe	111
PID 5000 wrote to memory of 3152	5000	chrome.exe	111
PID 5000 wrote to memory of 3152	5000	chrome.exe	111
PID 5000 wrote to memory of 3152	5000	chrome.exe	111
PID 5000 wrote to memory of 3152	5000	chrome.exe	111
PID 5000 wrote to memory of 3152	5000	chrome.exe	111
PID 5000 wrote to memory of 3152	5000	chrome.exe	111
PID 5000 wrote to memory of 3152	5000	chrome.exe	111
PID 5000 wrote to memory of 3152	5000	chrome.exe	111
PID 5000 wrote to memory of 3152	5000	chrome.exe	111
PID 5000 wrote to memory of 3152	5000	chrome.exe	111
PID 5000 wrote to memory of 3152	5000	chrome.exe	111
PID 5000 wrote to memory of 3152	5000	chrome.exe	111
PID 5000 wrote to memory of 3152	5000	chrome.exe	111
PID 5000 wrote to memory of 3152	5000	chrome.exe	111
PID 5000 wrote to memory of 3152	5000	chrome.exe	111
PID 5000 wrote to memory of 3152	5000	chrome.exe	111
PID 5000 wrote to memory of 3152	5000	chrome.exe	111
PID 5000 wrote to memory of 3152	5000	chrome.exe	111
PID 5000 wrote to memory of 3152	5000	chrome.exe	111
PID 5000 wrote to memory of 3152	5000	chrome.exe	111
PID 5000 wrote to memory of 3152	5000	chrome.exe	111
PID 5000 wrote to memory of 3152	5000	chrome.exe	111
PID 5000 wrote to memory of 3152	5000	chrome.exe	111
PID 5000 wrote to memory of 3152	5000	chrome.exe	111
PID 5000 wrote to memory of 3152	5000	chrome.exe	111
PID 5000 wrote to memory of 3152	5000	chrome.exe	111
PID 5000 wrote to memory of 3152	5000	chrome.exe	111
PID 5000 wrote to memory of 3152	5000	chrome.exe	111
PID 5000 wrote to memory of 3152	5000	chrome.exe	111
PID 5000 wrote to memory of 3152	5000	chrome.exe	111
PID 5000 wrote to memory of 1796	5000	chrome.exe	112
PID 5000 wrote to memory of 1796	5000	chrome.exe	112
PID 5000 wrote to memory of 4092	5000	chrome.exe	113
PID 5000 wrote to memory of 4092	5000	chrome.exe	113
PID 5000 wrote to memory of 4092	5000	chrome.exe	113
PID 5000 wrote to memory of 4092	5000	chrome.exe	113
PID 5000 wrote to memory of 4092	5000	chrome.exe	113
PID 5000 wrote to memory of 4092	5000	chrome.exe	113
PID 5000 wrote to memory of 4092	5000	chrome.exe	113
PID 5000 wrote to memory of 4092	5000	chrome.exe	113
PID 5000 wrote to memory of 4092	5000	chrome.exe	113
PID 5000 wrote to memory of 4092	5000	chrome.exe	113
PID 5000 wrote to memory of 4092	5000	chrome.exe	113

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4936	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Gambler-AI.exe
"C:\Users\Admin\AppData\Local\Temp\Gambler-AI.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Users\Admin\AppData\Local\Temp\Gambler-AI.exe
  "C:\Users\Admin\AppData\Local\Temp\Gambler-AI.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:4736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4552
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:3344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1860
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:4572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1208
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    PID:4308
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      PID:2684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2832
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:2224
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:1208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    PID:628
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Views/modifies file attributes
      PID:4936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    PID:1248
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:4780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:3196
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:1000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2980"
    3⤵
    PID:5164
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2980
      4⤵
      Kills process with taskkill
      PID:5208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 428"
    3⤵
    PID:5244
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 428
      4⤵
      Kills process with taskkill
      PID:5304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4980"
    3⤵
    PID:5336
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4980
      4⤵
      Kills process with taskkill
      PID:5384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2348"
    3⤵
    PID:5416
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2348
      4⤵
      Kills process with taskkill
      PID:5460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4396"
    3⤵
    PID:5496
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4396
      4⤵
      Kills process with taskkill
      PID:5540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5000"
    3⤵
    PID:5572
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5000
      4⤵
      Kills process with taskkill
      PID:5628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3228"
    3⤵
    PID:5664
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3228
      4⤵
      Kills process with taskkill
      PID:5712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3152"
    3⤵
    PID:5744
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3152
      4⤵
      Kills process with taskkill
      PID:5792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1796"
    3⤵
    PID:5828
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1796
      4⤵
      Kills process with taskkill
      PID:5876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4092"
    3⤵
    PID:5908
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4092
      4⤵
      Kills process with taskkill
      PID:5956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4988"
    3⤵
    PID:5988
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4988
      4⤵
      Kills process with taskkill
      PID:6032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4800"
    3⤵
    PID:6064
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4800
      4⤵
      Kills process with taskkill
      PID:6108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4216"
    3⤵
    PID:6140
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:628
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4216
      4⤵
      Kills process with taskkill
      PID:5116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2268"
    3⤵
    PID:5228
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2268
      4⤵
      Kills process with taskkill
      PID:5188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:1960
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:3304
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:1396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:3564
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:1956
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:3728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2876
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    PID:3272
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    PID:4268
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:5396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    PID:232
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:5380
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:1196
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      PID:3880
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:3584
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:4588
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:552
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:2956
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:3120
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:3632
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:1332
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:1168
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:2300
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:5016
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:436
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:3320
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:4008
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:3988
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:4820
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:1688
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      PID:2120
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      Gathers network information
      PID:4060
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:3228
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      PID:5716
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      PID:5696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3428
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4656
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xd4,0x128,0x7ffcc814ab58,0x7ffcc814ab68,0x7ffcc814ab78
  2⤵
  PID:3228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1952,i,9515565343748575146,12566778280127767138,131072 /prefetch:2
  2⤵
  PID:3152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 --field-trial-handle=1952,i,9515565343748575146,12566778280127767138,131072 /prefetch:8
  2⤵
  PID:1796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2268 --field-trial-handle=1952,i,9515565343748575146,12566778280127767138,131072 /prefetch:8
  2⤵
  PID:4092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3092 --field-trial-handle=1952,i,9515565343748575146,12566778280127767138,131072 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3116 --field-trial-handle=1952,i,9515565343748575146,12566778280127767138,131072 /prefetch:1
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4352 --field-trial-handle=1952,i,9515565343748575146,12566778280127767138,131072 /prefetch:1
  2⤵
  PID:4216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4484 --field-trial-handle=1952,i,9515565343748575146,12566778280127767138,131072 /prefetch:8
  2⤵
  PID:952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4660 --field-trial-handle=1952,i,9515565343748575146,12566778280127767138,131072 /prefetch:8
  2⤵
  PID:2844

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3928,i,3833046924978547022,12404847742964713612,262144 --variations-seed-version --mojo-platform-channel-handle=4228 /prefetch:8
1⤵
PID:2268

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4812
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2264
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2264.0.443110195\137298594" -parentBuildID 20230214051806 -prefsHandle 1740 -prefMapHandle 1732 -prefsLen 22076 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {05fcf8b2-8e57-47bf-a7f0-f6e0b2a71c4a} 2264 "\\.\pipe\gecko-crash-server-pipe.2264" 1832 259e5b0d758 gpu
    3⤵
    PID:5828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2264.1.1567912107\1019030700" -parentBuildID 20230214051806 -prefsHandle 2432 -prefMapHandle 2420 -prefsLen 22112 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d65ef5e-10ba-4e80-9964-907734a7cdb7} 2264 "\\.\pipe\gecko-crash-server-pipe.2264" 2444 259d8c87e58 socket
    3⤵
    PID:5908
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2264.2.1560225882\1553797181" -childID 1 -isForBrowser -prefsHandle 2920 -prefMapHandle 2660 -prefsLen 22215 -prefMapSize 235121 -jsInitHandle 948 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb362139-e8e8-4733-9ace-cf8af8aec316} 2264 "\\.\pipe\gecko-crash-server-pipe.2264" 2932 259e840b158 tab
    3⤵
    PID:6064
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2264.3.951221267\1614133537" -childID 2 -isForBrowser -prefsHandle 3672 -prefMapHandle 3664 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 948 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8b9cc24-ab7c-47cf-acb7-bfd1af966e67} 2264 "\\.\pipe\gecko-crash-server-pipe.2264" 3684 259d8c77258 tab
    3⤵
    PID:4792
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2264.4.1412950614\1966644131" -childID 3 -isForBrowser -prefsHandle 5044 -prefMapHandle 5108 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 948 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {386eaf0d-1394-41f1-9d4b-70d8f9614c50} 2264 "\\.\pipe\gecko-crash-server-pipe.2264" 5060 259e6124058 tab
    3⤵
    PID:3512
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2264.5.2067169798\320899463" -childID 4 -isForBrowser -prefsHandle 5260 -prefMapHandle 5264 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 948 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e1321f64-6a20-4edf-8a94-e445f7aa4d4d} 2264 "\\.\pipe\gecko-crash-server-pipe.2264" 5248 259ecc41058 tab
    3⤵
    PID:3272
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2264.6.522642764\1131004255" -childID 5 -isForBrowser -prefsHandle 5444 -prefMapHandle 5448 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 948 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f0a4f0a-f1a8-4e8e-bcbf-66c07ee70a3b} 2264 "\\.\pipe\gecko-crash-server-pipe.2264" 5436 259ecc42b58 tab
    3⤵
    PID:3684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2264.7.1688430431\1491287894" -childID 6 -isForBrowser -prefsHandle 5840 -prefMapHandle 5280 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 948 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {eb0fe3d0-b01b-4834-a53e-0e58aba1a38a} 2264 "\\.\pipe\gecko-crash-server-pipe.2264" 4200 259ec9fdf58 tab
    3⤵
    PID:760
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2264.8.2098881036\1224595152" -parentBuildID 20230214051806 -prefsHandle 1608 -prefMapHandle 6200 -prefsLen 27697 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {11464498-4a74-4cfe-b7af-e337f80217e4} 2264 "\\.\pipe\gecko-crash-server-pipe.2264" 6232 259ea645958 rdd
    3⤵
    PID:2504
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2264.9.1245216159\1360280620" -parentBuildID 20230214051806 -sandboxingKind 1 -prefsHandle 6276 -prefMapHandle 6280 -prefsLen 27697 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {523ef208-17fa-405b-8899-028fdd29c0f0} 2264 "\\.\pipe\gecko-crash-server-pipe.2264" 6292 259ea646558 utility
    3⤵
    PID:3340
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2264.10.7103446\1159431716" -childID 7 -isForBrowser -prefsHandle 6560 -prefMapHandle 6556 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 948 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d1118c36-5a3d-4b59-b6a8-387aa4155c64} 2264 "\\.\pipe\gecko-crash-server-pipe.2264" 6568 259e4c24158 tab
    3⤵
    PID:388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2264.11.1778500529\422656524" -parentBuildID 20230214051806 -sandboxingKind 0 -prefsHandle 6840 -prefMapHandle 4996 -prefsLen 27962 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4dbac4e3-6e1f-40ab-9160-ce1ace81b9af} 2264 "\\.\pipe\gecko-crash-server-pipe.2264" 5740 259ecd65d58 utility
    3⤵
    PID:1516
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2264.12.161377607\845093072" -childID 8 -isForBrowser -prefsHandle 6860 -prefMapHandle 6884 -prefsLen 28177 -prefMapSize 235121 -jsInitHandle 948 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec5f29f1-e7fd-47e6-9561-65f6e85f1a04} 2264 "\\.\pipe\gecko-crash-server-pipe.2264" 6896 259eafeee58 tab
    3⤵
    PID:2828

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec 0x40c
1⤵
PID:5704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\m5gevmzl.default-release\activity-stream.discovery_stream.json.tmp

Filesize
31KB

MD5
2f15043b0ae9e642c5aa5c1955a426a2

SHA1
b2cf2ca5948f7056eadbacfe13661510cfd180ef

SHA256
bb7f453a054e85b7cc2ebaab6deb28ebfdb6a69cea3758338261c6e58f7ca5aa

SHA512
34eda71f75fce6a34eccfbef3533ee20b9ffafd2b0f6e7d66c1f959120334fe2bc993feca2c75d5dc0a4f385c4ee4ba52633ceee8a7b72d93484e7d1d16a40a1

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\m5gevmzl.default-release\activity-stream.discovery_stream.json.tmp

Filesize
32KB

MD5
377112e9c07b64da2387785065958491

SHA1
98c5cd1186839f737af6a19a6fdba9498cfb6fbe

SHA256
cf4bc354efe33969c55de1abe918b7e2a06e8d6c5de80c77a8647f5dd349f5f5

SHA512
f1c01d61b1b396aa0acf35ea7d029f93b4cca3d9b2edf4f4f148b63974f02e0ec01d4045c907986bf3598085032535c7fcb65f0d6dac6e162e7f44c519e9b399

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\m5gevmzl.default-release\cache2\doomed\10088

Filesize
20KB

MD5
1a877e6255e404ee707ce0a3c34580a4

SHA1
ed5687a0d0cfd99ecf2acbba30db8857f74fe471

SHA256
9a2e03a32ab517006393ee6d0f84ba3a3b8ddee3ac6ca27b7ca6f141ff4d96c1

SHA512
ef882bdacb18e2dc52ed15b2eaf46e860b0245d083674b4e298fa021a65adc164097c16ebf902a85255f640bea3f4284e51d54d2bd7d8630b25c7fc5a256874f

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\m5gevmzl.default-release\cache2\doomed\10525

Filesize
8KB

MD5
0c8f4a95a7a86e86e00b35bba01347d5

SHA1
ef628e2f174e8ea08efb798debe2aa4d7ad8d7be

SHA256
1618a41e1cb299a3e2abd2295b22d383e1d7afb3dd50366226ba78667ce095f0

SHA512
30d40f1f9c4b6a334f186bd93ef16206d37be78b7e51916afad7b261d6ae68d1c8edd4a4f021e40e78c001307303a38464af0e840c9b6dd9088a4cb2c0dbc598

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\m5gevmzl.default-release\cache2\doomed\2210

Filesize
8KB

MD5
63a5618d4f00d9dfad7130f8e6d34d8d

SHA1
49c982ee81feef597d0639f3ff27ce40fcf39a6a

SHA256
405914071b5e27f235398b2cea6099e6ae662df928b037bc031c7919a50dcd56

SHA512
53b602798bcc5434bc8a8e966b2ba9028e8f2dbd736e441d4fc6d4e2017b988bf784996dccb74e7f4f136f15c93fa05ef4eb71004ddb226d554d8311df24a321

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\m5gevmzl.default-release\cache2\doomed\23560

Filesize
8KB

MD5
fc618236eeaf82dc76cc4d0036611f4b

SHA1
caac8eeab1808d637adf86c9efffb73ce6245b0f

SHA256
f3df69e21f36d4068896d84704b0852a12005838a6c874325a88f1900a6741c2

SHA512
9fce5f0e5f867f6a4bc21b93e112937d3d10ae07a652a5d451b1472557b008dcd8a214459887e851f101fced1bb00eda32b18d61ef0994047a7d3d1cdac44d14

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\m5gevmzl.default-release\cache2\entries\2C4BAA6F19DAD1966BACFFE00E8A81C718359637

Filesize
13KB

MD5
dde887a431ab28a454e7cc5625d4cc3e

SHA1
9a433fcfd01f8e04576c6cede21bc37f142713cc

SHA256
69ecf9be7d2b39049f70469cb9a569ac3d2fb076286eb5cdc94dc12583a9f4bb

SHA512
faa82e0f20cd629b2cacda99bfe4042a9031755ef2c73db7ff6a0cbca7e496d5c72d47009748906aa5c7e498227d69d1e58e6b05a880eabc75e7a72a1d1d0062

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\m5gevmzl.default-release\cache2\entries\383A97A57B113BD106DE6984E6DBA5F537327263

Filesize
13KB

MD5
fecaf87c951506d16d49791f7b1b9884

SHA1
8790629e08c754e49c1c710ac074bb8e57ccc891

SHA256
6cbf049825ad204ff538b1008381f37a6873aa5bcc6be4e810b5ad5c93823f37

SHA512
5eb2d04a2baed8cb202c7c732b602b555ddb5ad13462b0ec9710cbb97db70b15700c6498534136f96486e6ca87a1da9ac0767d1fd307528340420fedd97615d8

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\m5gevmzl.default-release\cache2\entries\955BB8F45BB96266A5D468DF8AF3C93A90194E69

Filesize
113KB

MD5
5345df1ddd58970e3c17faaf9da8143d

SHA1
7085027a8de3b1b83e403bf283605e8536e34721

SHA256
a619599b87711df19f5a5deb89945b7c96e016447459b001f9b62f512fce78fe

SHA512
23215763930b0280b0e4697b854ba0861eeabb8c5c533c477b3bba21c06d4e507d0e8753a16e1d0712c1725a2f7a4309b8fb6c68e999e0daf5274943f19a744d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\m5gevmzl.default-release\cache2\entries\CEC1586D39FAEE8338599DD327271E3EC5EA783C

Filesize
1.7MB

MD5
9da7a33560ab2ff1f541e9c1745cebb5

SHA1
4f1d2d0e55d6dc63ad51e6c664d1a1e64459338f

SHA256
984d27c25d31e1f317f46e6dc2f85b534e2502abbc0bf3cd24c3e77397650f0e

SHA512
b95376fd07dc21036181ed8409400b3888006f93b0708e79b960f9cfe4f1108858a6a3685caededce4db6730a583d41fd5c1c647a303ed40cd5c0127b75a15b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12562\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12562\_asyncio.pyd

Filesize
32KB

MD5
7d2f4f793195eb2a67e1f9e4981c9c4e

SHA1
8f0def2c0d5fc89fb5975d7ab77d68e8f3c18604

SHA256
f0a9762a537399d42dd9e92307ad836fb28017633a0ff667ead192d3271a540d

SHA512
c48153e1e0d520208d87baa8a0493740ff16afdb34b95206cfaf127504ce1fd7705b70609d50ab08f804ded834bc575076b5d21a7a69a2e7d2e703aee6e8c646

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12562\_brotli.cp310-win_amd64.pyd

Filesize
274KB

MD5
94c13e0636646019a4c7d405c2d919df

SHA1
8ed8519e9b310f59e5b40f3c8fb675791cae09f9

SHA256
10517c02bb69dafd60053152e65d00c02e24952f63ca230af807ec6b2053f2a6

SHA512
82fba52c4db4206f7a1ebb1a3ebf12fc60f3deff4763fd5a059b00f46aa7513279da994a815a0883ce3301c3cdd1d20923db21b926c43b2ee732c28852979945

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12562\_bz2.pyd

Filesize
44KB

MD5
3d2088f03b8fdbdce585012c0186b353

SHA1
0e8996b391f74563d763bef2e431020b6d05229d

SHA256
9f8b4a677b8184a60c3315670755ed971992c55dfcd8280774ffc77817cd9611

SHA512
0885f3099cd12042c61e0a994794abdf7706719f2330300d03ba3b1430abc60a2836b7f9553222534ed9667fa9ebb2f225a86e4ac68564bcb38a72958e528836

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12562\_cffi_backend.cp310-win_amd64.pyd

Filesize
71KB

MD5
641e49ce0c4fa963d347fbf915aabdbe

SHA1
1351f6c4ac5dcda7e3ffbf3d5e355b4bb864eb10

SHA256
1c795df278c7f64be8e6973f8dbf1a625997cb39ae2dcb5bee0ca4c1b90c8906

SHA512
766b9adb5143e89d663177c2fb0e951afb84c0a43ec690ae2c477ee0bbe036df6f4161a6012430d42e4913fd5fbe7e49af6d13ac7c62d042a484861fc5a04616

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12562\_ctypes.pyd

Filesize
55KB

MD5
ef8a89b1a76c481df5255e3975d025cb

SHA1
8b2a13eaf2f37b51f00e5143e56df89d29ecc3bd

SHA256
9aaafc4f450a699029a1dc8c818886e3605dd40f35488d7679540c77eafa1b5b

SHA512
d30f2c1a89545f4f66048791b9f37e639664cd79f0e7380b3f35da09f0d6be3ec5d365081e07b9406d1d5b08b2504192b85748deb266b1cbadf51189404a82b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12562\_decimal.pyd

Filesize
102KB

MD5
34e05c43ead82c246b1823ed83b56c5e

SHA1
f8cf172a57638d059866fd00abed42d0550cae0e

SHA256
61953424f6359c460d25f304da49b56338149dc6a67a4b702eff7f4036b3ea6d

SHA512
7c3eb868c5fea40b4fcac10603c1bb60273c14f4bea20a3c38fce679998332a137ffa5bc5c7c3b45990d0863b14bc72f9e92ffc39d4b23f47c860e043b550a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12562\_hashlib.pyd

Filesize
32KB

MD5
dacb69169009998d69fbdfef4c0dd9e8

SHA1
793f86ea4adafd60ecad7497799df59b11213443

SHA256
2d0ff88e65e0c0e502974631c539ee5d355f2b17b113f835a5a4aff6cb03c173

SHA512
19e1c58cc6b70a40178a558170ccab3a31489f4ca49662ee909d3c12b33060685fcf18e41e9daa1498111bdb0e68355160bbc0891f2eb13cbe106f2db834a8ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12562\_lzma.pyd

Filesize
82KB

MD5
c312a9353b8cc4a01ba16a77cf84cee1

SHA1
27a2431b66f7319d666e85d29368f7e721a8da36

SHA256
50bc124862c170f4ce59f003ecc103a0aa3e2180caa99466812ca4520d4925a9

SHA512
340d5bcac85c14235e8bb46c4efa38dbd2f648470a8bcaf01c5daa5caa27e63367e1d3266f5426cee2904acad3b0b7243d7df0d2f2975e6d3247f49f359fdc44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12562\_multiprocessing.pyd

Filesize
23KB

MD5
7daa7ff4329fd7e1ace0ec2926b25bb7

SHA1
07b4bd8b65ed18c6913d011399097bcd589202d3

SHA256
e6ae85ffe5cddc5d9c9187a5dfc0b0b0bec3eba4cb7666cdac5b28c433e56808

SHA512
3dc07b888918ba49df1be823888fdbbbfc0f161db0e46cf6a6041014343c0c1b1016ad2eb2c982ed2f513d9cac3653c64665137c091f21125fbedb143df0beae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12562\_overlapped.pyd

Filesize
28KB

MD5
f005ba1a3959e87f97b7c701654a2751

SHA1
fd07361042814104f18ac80ba658466f27ad850e

SHA256
e43a8f704b2ed404ffe188fc57e7600b73ed01b107e58e024b8345bab4c3f14a

SHA512
252de47cf7b40f5c31471b7949ef2bf61ba9c2e00a726406e2fa0eb4f2177565c81249e674e8e41a6869e787e552166b4ac47cd01e3f5a931c58a775e6308ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12562\_queue.pyd

Filesize
22KB

MD5
9e5db585986c35bbdb37c8ade021a73e

SHA1
89186c0e4737b7a92ee802b8f859a2a5211cac98

SHA256
55534c47d8b9e46e86363cfad69ad9dfab93d3c2fc90b5539d19be47fd0cdd05

SHA512
8a3643fcb28c9275e37e3daf3ae41d92bec96251ace52009359990919186d3337098995aa9dc134f117404985f42e5c0a79c8e87f1fc7f374ef805688bf7ae6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12562\_socket.pyd

Filesize
39KB

MD5
7af126cffd5718681441572d46f63e37

SHA1
83608518514890685550a5b8d502827b0a8ff6b4

SHA256
7738c3756b73282fdb800bbc544a85f15fe843941745d2e8ed88bc44c1e97637

SHA512
0b8dbcda13ac14e059114eb0e8d9662ecc4797af19b5d516cf250b216af545b6bfb5299da9bc2082a2d1db24a9286a799e9d5451178375b7d43da4e74a43a1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12562\_sqlite3.pyd

Filesize
47KB

MD5
d00dcf342baded08a4b587db7674ce9b

SHA1
cd8d989f11dfa574433a80da2d6daf49c6379a48

SHA256
6ec3c71e65c037bfffa5b7af2ebe5668aedcb6480665682e8e7e110e37289518

SHA512
9a5f373f19c51b5aca88f47042516086fa515b7354a553a03f56101a6163f745d72f82b5d2af2eaab7c7271199355cacdfe1a848a06b8fcc23f653d1c525da29

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12562\_ssl.pyd

Filesize
59KB

MD5
67f0fd52d4b4fa801de864cafdccca42

SHA1
ff1f4e4cf0b269dcab87ec7c35493f21d2cd98be

SHA256
79db1bb8a6e542a743f050f776f7fe7f62088acefd317d72e3a13a914de036c7

SHA512
e7730c395efb9486ecf2613dee1ee4a1da2724d2fce5b84737957a8889b7df034e1f264fc18de3b9bd5026796906018974a93a29d40d24aa90fbe33c85bf0aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12562\_uuid.pyd

Filesize
20KB

MD5
2ae02a5f40e9efbc503ad5a45561aba8

SHA1
5726c945e6d979bf304ca21c700608075f4a4ed1

SHA256
2b58278f3fca5d4bcc0c6e7aa8ede6e81a9798828375e38194c6c128fe32a1e8

SHA512
385c566399a2116d1a79aa517b88fdc984615787e906b0abdfb69e8cbd212c6459ad0fa2e2e616c7bab485229daefbf673d14f383b0b19e8c53ee7e73fbfc325

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12562\aiohttp\_helpers.cp310-win_amd64.pyd

Filesize
26KB

MD5
79dbf6677f21a17c9561eb008cc2a987

SHA1
096ef929cd31638cdc3ec18883495e5999efd263

SHA256
bd1638d83bcc69d9cadc1812d5db298f67d1e1b2831cc7783587c0ac7cf9b595

SHA512
2d9d8814f0d69b56a7ff1e9bb4207d00f9259113bc8f3e20211341cffeed117829ba9b80d8c0fb9b2da9fc68910a2be039b0fcf1c7bb0de23efee6644d17e164

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12562\aiohttp\_http_parser.cp310-win_amd64.pyd

Filesize
80KB

MD5
16a2765d0487ee171c8f8761df29ddcf

SHA1
44fc0c0700039457095256f18702f56ec8ff743e

SHA256
285d9d527b2f1c70182d3060fee35a95b2c4e8316137f5f4dec806eb64e57af2

SHA512
f78c29c91eb08de69810a64e6a5025e24c692394b0f242f6e281c7bb59f88194ea22a2e33954c1a40adf00b34dd81164655674e496c552057a19b4780b968a6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12562\aiohttp\_http_writer.cp310-win_amd64.pyd

Filesize
24KB

MD5
878a426eb61ebecdba1016400e8fe60d

SHA1
7ae2f28199cde86ce2cc382d6a1b87b373940d95

SHA256
53fc5a5371a69ec8a700dea681654483c2be301f584d9393789cb5a134ba6aa8

SHA512
d1297868c9400530733538947603e0c73722600c11dc5ce0d7d8371939a7ac840ac0b574b42d9a9a407c3cfbdd938672f73e5da54aa8317eea4053e66fcd6475

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12562\aiohttp\_websocket.cp310-win_amd64.pyd

Filesize
19KB

MD5
623862193e92582b732fcc4683bfb515

SHA1
ce0b2201938cb7e7ea18dcdd98d8ccc2fa28ef9d

SHA256
dfd68ae5add1c99e0e31820a676fafdf6a472dcab49362d9970c8a66f4121645

SHA512
5b7333af6b6e20aa33cce6561b9673ed590e942d58c48004a7203ff3b33eb6f21541398716b550fa602953c14c80a06da8a439f95bd3f004731ecc5c29e347b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12562\base_library.zip

Filesize
859KB

MD5
0b9c8deab94c8bc0494b264d640c00c4

SHA1
2fb2d6acfa65d44c2ac7bc53bd1c80c81c01f4c1

SHA256
8b4edcc75c502cb952f54d5b7dc815d71e87ee6700c8c8020627918e3598ed73

SHA512
90ff1c5121e73cff42cdd36a0d66458b568d6b3ee9528b9c27607fbfdbe45b5d4ccee660aae07da8ae6c608876a87e92e06a529dcf08b8a400a434f5b7331ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12562\cryptography\hazmat\bindings\_rust.pyd

Filesize
2.0MB

MD5
2fcce5a4be27c1f03c07f28442c519c2

SHA1
720309702539887f00b604ef9482e6f4e90267fe

SHA256
eed558d5a0fe7cea03d6b52950594ec8a7c2e451daca1018118a7c640af4990a

SHA512
71629b36b48bb353b7cd97c23cef116a006a61582cb7064e38cfd6e0769a8f8edbb51e7e141e365c0be2dbb0985cb3ef3cc0f0d3fd4eeb32322f8c406352b4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12562\frozenlist\_frozenlist.cp310-win_amd64.pyd

Filesize
36KB

MD5
6106b4d1eec11d2a71def28d2a2afa46

SHA1
e10039eff42f88a2cd8dfe11d428c35f6178c6ce

SHA256
19b144f1bfeb38f5a88da4471d0e9eeefcee979e0d574ecf13a28d06bdf7f1da

SHA512
d08ba0cf57d533ce2df7027158329da66518fb1bf10220d836ce39bdf8bc0436dfc3a649cf937b3b3e2bb9ff0d3c9e964416e9ac965cff4b24bd203067f53d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12562\libcrypto-1_1.dll

Filesize
1.1MB

MD5
5e999bc10636935a56a26b623718d4be

SHA1
378622eb481006983f14607fdce99641d161f244

SHA256
35460fc9fd3bac20826a5bd7608cbe71822ac172e014a6b0e0693bd1b6e255c1

SHA512
d28ecc0f001b91c06fe4572ad18eb49cb0c81c2b3496725d69f6f82eccd992047ecd5819e05e4f7bf786904b6c2e5d68fecc629fa50425a7d7abd9fe33c0052a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12562\libffi-7.dll

Filesize
23KB

MD5
d50ebf567149ead9d88933561cb87d09

SHA1
171df40e4187ebbfdf9aa1d76a33f769fb8a35ed

SHA256
6aa8e12ce7c8ad52dd2e3fabeb38a726447849669c084ea63d8e322a193033af

SHA512
7bcc9d6d3a097333e1e4b2b23c81ea1b5db7dbdc5d9d62ebaffb0fdfb6cfe86161520ac14dc835d1939be22b9f342531f48da70f765a60b8e2c3d7b9983021de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12562\libssl-1_1.dll

Filesize
200KB

MD5
8d8d9c30250f7042d25d73b9822efc45

SHA1
f6b83a793175e77f6e8a6add37204115da8cb319

SHA256
92bf5bdc30c53d52ab53b4f51e5f36f5b8be1235e7929590a9fddc86819dba1d

SHA512
ed40078d289b4293f4e22396f5b7d3016daec76a4406444ccd0a8b33d9c939a6f3274b4028b1c85914b32e69fc00c50ec9a710738746c9ee9962f86d99455bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12562\multidict\_multidict.cp310-win_amd64.pyd

Filesize
20KB

MD5
58a0ff76a0d7d3cd86ceb599d247c612

SHA1
af52bdb9556ef4b9d38cf0f0b9283494daa556a6

SHA256
2079d8be068f67fb2ece4fb3f5927c91c1c25edecb9d1c480829eb1cd21d7cc5

SHA512
e2d4f80cdeba2f5749a4d3de542e09866055d8aee1d308b96cb61bc53f4495c781e9b2559cc6a5f160be96b307539a8b6e06cabeffcc0ddb9ad4107dcacd8a76

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12562\pyexpat.pyd

Filesize
84KB

MD5
6b2713f310ab692eac1fd5cbc5649132

SHA1
426b22c96a6f04cff186558c8cbc6f2815c5e1e0

SHA256
8800c7df298f5d8afa4dca596e0a627e633d67a651fe14b41ac2791d12ea512e

SHA512
716c2bcf6dac6d7d4a666c6809da44f35601f10608cd4403592607fa767d7568367296c3b3afd2cc7606a049d9998cb4d16e2ed4dad72464c32606a865c8a917

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12562\python3.DLL

Filesize
61KB

MD5
704d647d6921dbd71d27692c5a92a5fa

SHA1
6f0552ce789dc512f183b565d9f6bf6bf86c229d

SHA256
a1c5c6e4873aa53d75b35c512c1cbadf39315deeec21a3ada72b324551f1f769

SHA512
6b340d64c808388fe95e6d632027715fb5bd801f013debaaa97e5ecb27a6f6ace49bf23648517dd10734daff8f4f44969cff2276010bf7502e79417736a44ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12562\python310.dll

Filesize
1.4MB

MD5
36fd0e7f37bcc508f4c88bb93ee103fe

SHA1
305e8a7da7508ea0571efd0e6248ba32a54160e6

SHA256
e44fc24423b18f343fbbab490fcbfddb17aade548f01de0926428a1944e87a95

SHA512
9f47fb8a96595498342e53b23671fb7c96ca438427f8bec9aeef845ce604817d6200f544afe530b2906edcb0f448d42ca10c1824a9d2ebd5ced4beb4bd5c1bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12562\select.pyd

Filesize
22KB

MD5
35eecd97e3e1b5e0c75bf7b018e0f04b

SHA1
f1ea7b96d733b3ff8b93db70a6a9770be0e1ed77

SHA256
ea46b47dafc1fafaf790dae6a75fdf8eec4429a73a2369f4e956d3b3b19ccac4

SHA512
2be099a0f92aa026ca0a0d0ae1691f4513c65fb5f2a85b90e92090df09987957ce7ec69807b56280ae97834b237172a6baeb712659a512a46ca004433ef06446

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12562\sqlite3.dll

Filesize
612KB

MD5
e45c51708eb87295aa418c94f85490d2

SHA1
5d8c0683abdd4a56c1c29c368b998f50e2825112

SHA256
a8a26572f2e0ece5196fcecb7e54b29500d3f8deaf91cb0fd314f3af20342f8e

SHA512
d14046651961e740f7d62ba1cd4fc0ed8a156a47019bd99911c6fd72d1bdbdbda61eb12ea72f3b1161e87f6aeaf98b962ffcb2b9f223d191694d4caa2c79eb38

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12562\unicodedata.pyd

Filesize
286KB

MD5
47a9df0a0ec9232a3fa357da50454679

SHA1
be91c3991d20cc38e8dcd94acb96593e8e49ecbd

SHA256
799296850dd8a0774ac78d874700901b58a790e85fb3ae113a3174122cdc637b

SHA512
cdf8faeb17f122a5cad2dbb58b9e27d0ca6842cee62fbf1a0b7391edee2ffc66782bf85046077c16bba31330c22da0b198e0146e4f607374d3f2e98f927bd5f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12562\yarl\_quoting_c.cp310-win_amd64.pyd

Filesize
40KB

MD5
c14493cd3cc9b9b5f850b5fadcbe936e

SHA1
eddb260ff89bfa132a479fdf783c67098011fb85

SHA256
1782f3c12b3eb01716fcd59b0cd69c02c2fb888db4377f4d5fe00f07986be8e3

SHA512
0a7b85322b8fa566fb3d24b8e4021fb64433be06c3c4dbeb06d9633e4af0a5b76252fb2228de0abd818be5f4a18fffc712c727816632dd8c8585c9a9a7bf0fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jnunrzjm.rvf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\prefs-1.js

Filesize
6KB

MD5
2f625af788789128e26137d2b5d973d6

SHA1
e83264eb0df44489bf711d4dc0f5031ffe2a52d0

SHA256
a7e78990a864b951d1230c01f54705d38ae63418fda3101a1ec6e5842d7988a9

SHA512
b2a386d0178ccda78f6ae47644626f9a171bca6b301f84a565dc0bbcfa6da854e98c6de03d67bc84209bf2594e9c8f2b4fc364dde562d165f4234e5943b62129

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\prefs-1.js

Filesize
7KB

MD5
82cfbb6f743051ba0afb429f9290c4ea

SHA1
5ed4123b6fb142d7cd472750643067742b60fd21

SHA256
91f47e8fe2eba399863dacbdb96875e07504bc0b708e1172891df1459d92f20b

SHA512
d1965b4f87698a88f4928e5a9bd5efa0615148370dab37cdf31d92ef659eaae1b12d20e43eb282c040740aa487cd09ef580ae2cd1392a22d4c3fd6ae4d4cf023

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\prefs-1.js

Filesize
8KB

MD5
1b73ae48eee3950276062462d5412a71

SHA1
17fba787f86434f94bb20adc63ac20a4ad345aff

SHA256
0ae32e1338746323016a251e37881a6c997dd1c81e59d124f49b2a74cb267722

SHA512
9811a991b9e921479a1f3185d4575eec64bd6a933724cc617dd4e3f11a4149e257c6de0540a82c703c663c340a042301f71d76104e3a48db089605e63bd28864

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
528f285539c4a2c7da8227df348d2f80

SHA1
90d61ad1003fa6b0e2b78d62accbcb04e25c30c2

SHA256
9ccfaf4c1880e646f7b37104f48728bda4975f78a3fbe7c64881f6087cdd019d

SHA512
3ae359e8bae3a5a482f84db282f24d0487489eeda92441c331c7a83838aa83e7209d337be42eea2cbabfdc5006d5b01ef54d9a1e264c8b57f9a3437dd54f86c4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
20KB

MD5
184b5070549f3924356c0234b5af2f19

SHA1
863a2b5959f3bada1f03854e99eec65020877850

SHA256
074a077bd8c356fb15b56dba0bb48d1729b90f1065eaced73af69186ad5a2a1e

SHA512
a28f7fdbb5cd893acfde458b05f5819814b89906852121713f2aa56f1fd2c398f940ec20a725da352103ec35b90cf47ab54cc5c4042f077b807c2f0e19ea3440

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
20KB

MD5
d1cd8a36ad7effcc3fbcc159b9457d0a

SHA1
2e2989322878d070e6180614f64cea2774848320

SHA256
12022c3480c6653f6744fa07891e476e52d529ed613bfce5484fcf70b82bb210

SHA512
092fa0209f1dcefd4815072602b60704a51ec79be2e5fc77129f042cf3075934d776d13eee91da995d54185f37d0f92275645293f20dc3bf484d8363f43dc520

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
20KB

MD5
bc96c819b9029bc3190915385d1556ac

SHA1
37dacd99ab95869f2fd439245ad680f266769b87

SHA256
8cc81ecc74963322409a29358b2a49bb8838c6620fc27f723ad01522838b95c9

SHA512
21b12b67dceafbaeaf25d036501176c7410aa75afd9efb9e731a0923c9d6c7b629481ead87793ddf06bf9ef7e2a0fd4647ff8d88a27b11892dd3b87fc71ae009

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\m5gevmzl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
20KB

MD5
a6ac09d3163b4810b227b6600ef9d927

SHA1
fece179ab848249143d6be36fd0cfc5aa578793f

SHA256
c765a05cd5fbb659bf4cb5f528bec0c66818370ebd739b523abbd03c34462a60

SHA512
5e34624e9c3479b1c47f4babfa22b18fb71c99c8cab4f33e6640a8fa14450d6254a40e2954c602ecc1e929ea1a5ef9d50e9b0ebaad651c808ffda0999352190b

Download Submit
memory/3024-145-0x00007FFCC8650000-0x00007FFCC8D45000-memory.dmp

Filesize
7.0MB

Download
memory/3024-133-0x000001B716390000-0x000001B716707000-memory.dmp

Filesize
3.5MB

Download
memory/3024-134-0x00007FFCD9AF0000-0x00007FFCD9B09000-memory.dmp

Filesize
100KB

Download
memory/3024-129-0x00007FFCD9E10000-0x00007FFCD9EC7000-memory.dmp

Filesize
732KB

Download
memory/3024-127-0x00007FFCDA230000-0x00007FFCDA25E000-memory.dmp

Filesize
184KB

Download
memory/3024-126-0x00007FFCC9250000-0x00007FFCC931F000-memory.dmp

Filesize
828KB

Download
memory/3024-146-0x00007FFCD8D10000-0x00007FFCD8D48000-memory.dmp

Filesize
224KB

Download
memory/3024-136-0x00007FFCD9600000-0x00007FFCD9611000-memory.dmp

Filesize
68KB

Download
memory/3024-240-0x00007FFCE1510000-0x00007FFCE151D000-memory.dmp

Filesize
52KB

Download
memory/3024-143-0x00007FFCC8D50000-0x00007FFCC90C7000-memory.dmp

Filesize
3.5MB

Download
memory/3024-274-0x00007FFCD9BF0000-0x00007FFCD9C12000-memory.dmp

Filesize
136KB

Download
memory/3024-284-0x00007FFCE1510000-0x00007FFCE151D000-memory.dmp

Filesize
52KB

Download
memory/3024-283-0x00007FFCD8D10000-0x00007FFCD8D48000-memory.dmp

Filesize
224KB

Download
memory/3024-278-0x00007FFCD9AA0000-0x00007FFCD9AEC000-memory.dmp

Filesize
304KB

Download
memory/3024-277-0x00007FFCD9AF0000-0x00007FFCD9B09000-memory.dmp

Filesize
100KB

Download
memory/3024-275-0x00007FFCD9B50000-0x00007FFCD9B67000-memory.dmp

Filesize
92KB

Download
memory/3024-270-0x00007FFCDF300000-0x00007FFCDF310000-memory.dmp

Filesize
64KB

Download
memory/3024-269-0x00007FFCD9FB0000-0x00007FFCD9FC4000-memory.dmp

Filesize
80KB

Download
memory/3024-257-0x00007FFCC9670000-0x00007FFCC9AD5000-memory.dmp

Filesize
4.4MB

Download
memory/3024-265-0x00007FFCC90D0000-0x00007FFCC9241000-memory.dmp

Filesize
1.4MB

Download
memory/3024-264-0x00007FFCDA260000-0x00007FFCDA27E000-memory.dmp

Filesize
120KB

Download
memory/3024-258-0x00007FFCDD9B0000-0x00007FFCDD9D4000-memory.dmp

Filesize
144KB

Download
memory/3024-282-0x00007FFCC8650000-0x00007FFCC8D45000-memory.dmp

Filesize
7.0MB

Download
memory/3024-144-0x00007FFCD95E0000-0x00007FFCD95FE000-memory.dmp

Filesize
120KB

Download
memory/3024-137-0x00007FFCD9AA0000-0x00007FFCD9AEC000-memory.dmp

Filesize
304KB

Download
memory/3024-138-0x00007FFCD9BE0000-0x00007FFCD9BEA000-memory.dmp

Filesize
40KB

Download
memory/3024-355-0x00007FFCC8D50000-0x00007FFCC90C7000-memory.dmp

Filesize
3.5MB

Download
memory/3024-361-0x00007FFCD9BF0000-0x00007FFCD9C12000-memory.dmp

Filesize
136KB

Download
memory/3024-356-0x00007FFCD9FB0000-0x00007FFCD9FC4000-memory.dmp

Filesize
80KB

Download
memory/3024-354-0x00007FFCD9E10000-0x00007FFCD9EC7000-memory.dmp

Filesize
732KB

Download
memory/3024-353-0x00007FFCDA230000-0x00007FFCDA25E000-memory.dmp

Filesize
184KB

Download
memory/3024-344-0x00007FFCC9670000-0x00007FFCC9AD5000-memory.dmp

Filesize
4.4MB

Download
memory/3024-122-0x00007FFCDA260000-0x00007FFCDA27E000-memory.dmp

Filesize
120KB

Download
memory/3024-124-0x00007FFCC90D0000-0x00007FFCC9241000-memory.dmp

Filesize
1.4MB

Download
memory/3024-120-0x00007FFCD9B50000-0x00007FFCD9B67000-memory.dmp

Filesize
92KB

Download
memory/3024-119-0x00007FFCDD990000-0x00007FFCDD9A9000-memory.dmp

Filesize
100KB

Download
memory/3024-114-0x00007FFCC9670000-0x00007FFCC9AD5000-memory.dmp

Filesize
4.4MB

Download
memory/3024-115-0x00007FFCD93B0000-0x00007FFCD94C8000-memory.dmp

Filesize
1.1MB

Download
memory/3024-116-0x00007FFCD9BF0000-0x00007FFCD9C12000-memory.dmp

Filesize
136KB

Download
memory/3024-110-0x00007FFCD9C20000-0x00007FFCD9C35000-memory.dmp

Filesize
84KB

Download
memory/3024-106-0x00007FFCD9FB0000-0x00007FFCD9FC4000-memory.dmp

Filesize
80KB

Download
memory/3024-107-0x00007FFCDF300000-0x00007FFCDF310000-memory.dmp

Filesize
64KB

Download
memory/3024-108-0x00007FFCD9F90000-0x00007FFCD9FA4000-memory.dmp

Filesize
80KB

Download
memory/3024-99-0x00007FFCD9E10000-0x00007FFCD9EC7000-memory.dmp

Filesize
732KB

Download
memory/3024-101-0x00007FFCC8D50000-0x00007FFCC90C7000-memory.dmp

Filesize
3.5MB

Download
memory/3024-100-0x000001B716390000-0x000001B716707000-memory.dmp

Filesize
3.5MB

Download
memory/3024-95-0x00007FFCDA230000-0x00007FFCDA25E000-memory.dmp

Filesize
184KB

Download
memory/3024-80-0x00007FFCDD9B0000-0x00007FFCDD9D4000-memory.dmp

Filesize
144KB

Download
memory/3024-81-0x00007FFCE0DF0000-0x00007FFCE0DFF000-memory.dmp

Filesize
60KB

Download
memory/3024-84-0x00007FFCDD990000-0x00007FFCDD9A9000-memory.dmp

Filesize
100KB

Download
memory/3024-91-0x00007FFCDD840000-0x00007FFCDD86C000-memory.dmp

Filesize
176KB

Download
memory/3024-92-0x00007FFCDA260000-0x00007FFCDA27E000-memory.dmp

Filesize
120KB

Download
memory/3024-93-0x00007FFCC90D0000-0x00007FFCC9241000-memory.dmp

Filesize
1.4MB

Download
memory/3024-90-0x00007FFCDD970000-0x00007FFCDD988000-memory.dmp

Filesize
96KB

Download
memory/3024-85-0x00007FFCE0DE0000-0x00007FFCE0DED000-memory.dmp

Filesize
52KB

Download
memory/3024-51-0x00007FFCC9670000-0x00007FFCC9AD5000-memory.dmp

Filesize
4.4MB

Download
memory/5060-248-0x0000013940D70000-0x0000013940D92000-memory.dmp

Filesize
136KB

Download