hxxps://updown[.]link/file/f0ohxj

Analysis

max time kernel
274s
max time network
284s
platform
windows10-1703_x64
resource
win10-20240611-en
resource tags

arch:x64arch:x86image:win10-20240611-enlocale:en-usos:windows10-1703-x64system
submitted
07/07/2024, 15:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://updown.link/file/f0ohxj

Score

8^/10

execution persistence privilege_escalation pyinstaller spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2180	powershell.exe
388	powershell.exe
4492	powershell.exe

Downloads MZ/PE file

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AMD-Booster.exe	AMD-Booster.exe

Executes dropped EXE 15 IoCs

pid	Process
4412	AMD-Booster.exe
3396	AMD-Booster.exe
4108	AMD-Booster.exe
6112	AMD-Booster.exe
5892	AMD-Booster.exe
4292	AMD-Booster.exe
4668	AMD-Booster.exe
2312	AMD-Booster.exe
5788	AMD-Booster.exe
4996	FPS-Booster.exe
1844	AMD-Booster.exe
4332	AMD-Booster.exe
1400	AMD-Booster.exe
5152	FPS-Booster.exe
5240	FPS-Booster.exe

Loads dropped DLL 64 IoCs

pid	Process
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
2312	AMD-Booster.exe
2312	AMD-Booster.exe
2312	AMD-Booster.exe
2312	AMD-Booster.exe
2312	AMD-Booster.exe
2312	AMD-Booster.exe
2312	AMD-Booster.exe
2312	AMD-Booster.exe
2312	AMD-Booster.exe
2312	AMD-Booster.exe
2312	AMD-Booster.exe
2312	AMD-Booster.exe
2312	AMD-Booster.exe
2312	AMD-Booster.exe
2312	AMD-Booster.exe
2312	AMD-Booster.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000001ab40-410.dat	upx
behavioral1/memory/6112-441-0x00007FFA83780000-0x00007FFA83E59000-memory.dmp	upx
behavioral1/files/0x000700000001ab19-453.dat	upx
behavioral1/files/0x000700000001ab3a-458.dat	upx
behavioral1/memory/6112-461-0x00007FFA94D40000-0x00007FFA94D4F000-memory.dmp	upx
behavioral1/files/0x000700000001ab16-463.dat	upx
behavioral1/memory/6112-466-0x00007FFA93860000-0x00007FFA93879000-memory.dmp	upx
behavioral1/files/0x000700000001ab23-486.dat	upx
behavioral1/memory/6112-491-0x00007FFA91F40000-0x00007FFA91F75000-memory.dmp	upx
behavioral1/files/0x000700000001ab3e-490.dat	upx
behavioral1/files/0x000700000001ab43-501.dat	upx
behavioral1/files/0x000700000001ab1e-509.dat	upx
behavioral1/memory/6112-510-0x00007FFA942F0000-0x00007FFA942FD000-memory.dmp	upx
behavioral1/memory/6112-507-0x00007FFA94340000-0x00007FFA9434D000-memory.dmp	upx
behavioral1/memory/6112-503-0x00007FFA8FBC0000-0x00007FFA8FBD9000-memory.dmp	upx
behavioral1/files/0x000700000001ab1f-496.dat	upx
behavioral1/files/0x000700000001ab21-524.dat	upx
behavioral1/files/0x000700000001ab3b-525.dat	upx
behavioral1/files/0x000700000001ab39-526.dat	upx
behavioral1/memory/6112-529-0x00007FFA8F1B0000-0x00007FFA8F1E3000-memory.dmp	upx
behavioral1/memory/6112-530-0x00007FFA83180000-0x00007FFA836A9000-memory.dmp	upx
behavioral1/memory/6112-531-0x00007FFA836B0000-0x00007FFA8377D000-memory.dmp	upx
behavioral1/memory/6112-527-0x00007FFA83780000-0x00007FFA83E59000-memory.dmp	upx
behavioral1/memory/6112-547-0x00007FFA8ECB0000-0x00007FFA8ECC6000-memory.dmp	upx
behavioral1/memory/6112-553-0x00007FFA83000000-0x00007FFA83176000-memory.dmp	upx
behavioral1/memory/6112-552-0x00007FFA930C0000-0x00007FFA930E4000-memory.dmp	upx
behavioral1/memory/6112-551-0x00007FFA8EC90000-0x00007FFA8ECA2000-memory.dmp	upx
behavioral1/memory/6112-546-0x00007FFA93730000-0x00007FFA93755000-memory.dmp	upx
behavioral1/memory/6112-556-0x00007FFA94D70000-0x00007FFA94D88000-memory.dmp	upx
behavioral1/files/0x000700000001ab15-545.dat	upx
behavioral1/memory/6112-558-0x00007FFA93290000-0x00007FFA932A4000-memory.dmp	upx
behavioral1/memory/6112-561-0x00007FFA82E90000-0x00007FFA82FAB000-memory.dmp	upx
behavioral1/memory/6112-560-0x00007FFA86050000-0x00007FFA86077000-memory.dmp	upx
behavioral1/memory/6112-562-0x00007FFA8F1B0000-0x00007FFA8F1E3000-memory.dmp	upx
behavioral1/memory/6112-570-0x00007FFA82E70000-0x00007FFA82E7E000-memory.dmp	upx
behavioral1/memory/6112-597-0x00007FFA82B50000-0x00007FFA82DD3000-memory.dmp	upx
behavioral1/memory/6112-596-0x00007FFA836B0000-0x00007FFA8377D000-memory.dmp	upx
behavioral1/memory/6112-581-0x00007FFA82E50000-0x00007FFA82E5B000-memory.dmp	upx
behavioral1/memory/6112-601-0x00007FFA82AE0000-0x00007FFA82B0E000-memory.dmp	upx
behavioral1/memory/6112-600-0x00007FFA82B10000-0x00007FFA82B39000-memory.dmp	upx
behavioral1/memory/6112-580-0x00007FFA82E60000-0x00007FFA82E6C000-memory.dmp	upx
behavioral1/memory/6112-579-0x00007FFA91AF0000-0x00007FFA91AFB000-memory.dmp	upx
behavioral1/memory/6112-578-0x00007FFA91F30000-0x00007FFA91F3C000-memory.dmp	upx
behavioral1/memory/6112-577-0x00007FFA82DE0000-0x00007FFA82DEC000-memory.dmp	upx
behavioral1/memory/6112-576-0x00007FFA82DF0000-0x00007FFA82E02000-memory.dmp	upx
behavioral1/memory/6112-575-0x00007FFA82E10000-0x00007FFA82E1D000-memory.dmp	upx
behavioral1/memory/6112-574-0x00007FFA82E20000-0x00007FFA82E2C000-memory.dmp	upx
behavioral1/memory/6112-573-0x00007FFA82E30000-0x00007FFA82E3C000-memory.dmp	upx
behavioral1/memory/6112-572-0x00007FFA82E40000-0x00007FFA82E4B000-memory.dmp	upx
behavioral1/memory/6112-569-0x00007FFA82E80000-0x00007FFA82E8C000-memory.dmp	upx
behavioral1/memory/6112-568-0x00007FFA895C0000-0x00007FFA895CC000-memory.dmp	upx
behavioral1/memory/6112-567-0x00007FFA8C210000-0x00007FFA8C21B000-memory.dmp	upx
behavioral1/memory/6112-566-0x00007FFA8E6A0000-0x00007FFA8E6AC000-memory.dmp	upx
behavioral1/memory/6112-565-0x00007FFA930A0000-0x00007FFA930AB000-memory.dmp	upx
behavioral1/memory/6112-564-0x00007FFA930B0000-0x00007FFA930BB000-memory.dmp	upx
behavioral1/memory/6112-563-0x00007FFA83180000-0x00007FFA836A9000-memory.dmp	upx
behavioral1/memory/6112-559-0x00007FFA94D60000-0x00007FFA94D6B000-memory.dmp	upx
behavioral1/memory/6112-557-0x00007FFA949C0000-0x00007FFA949CD000-memory.dmp	upx
behavioral1/memory/6112-489-0x00007FFA949C0000-0x00007FFA949CD000-memory.dmp	upx
behavioral1/files/0x000700000001ab20-483.dat	upx
behavioral1/files/0x000800000001ab0f-480.dat	upx
behavioral1/files/0x000800000001aafc-479.dat	upx
behavioral1/files/0x000700000001ab1b-478.dat	upx
behavioral1/files/0x000700000001ab1a-477.dat	upx

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup5 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP005.TMP\\\""	AMD-Booster.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	AMD-Booster.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	AMD-Booster.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\""	AMD-Booster.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\""	AMD-Booster.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\""	AMD-Booster.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
59	discord.com
65	discord.com
77	discord.com
78	discord.com
80	discord.com
60	discord.com
68	discord.com
73	discord.com
75	discord.com
82	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
70	api.ipify.org
71	api.ipify.org

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000d00000001aaad-214.dat	pyinstaller
behavioral1/files/0x000700000001abd9-1218.dat	pyinstaller

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5364	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\LowRegistry\Shell Extensions\Cached	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\LowRegistry	PaintStudio.View.exe
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\LowRegistry\Shell Extensions	PaintStudio.View.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133648410029863952"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3136	PaintStudio.View.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5028	chrome.exe
5028	chrome.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
6112	AMD-Booster.exe
5304	powershell.exe
5304	powershell.exe
5304	powershell.exe
5364	powershell.exe
5364	powershell.exe
5364	powershell.exe
2180	powershell.exe
2180	powershell.exe
2180	powershell.exe
388	powershell.exe
388	powershell.exe
388	powershell.exe
4492	powershell.exe
4492	powershell.exe
448	mspaint.exe
448	mspaint.exe
4492	powershell.exe
3136	PaintStudio.View.exe
3136	PaintStudio.View.exe
3136	PaintStudio.View.exe
3136	PaintStudio.View.exe
3136	PaintStudio.View.exe
3136	PaintStudio.View.exe
3136	PaintStudio.View.exe
3136	PaintStudio.View.exe
3136	PaintStudio.View.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
5028	chrome.exe
5028	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe
Token: SeShutdownPrivilege	5028	chrome.exe
Token: SeCreatePagefilePrivilege	5028	chrome.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
8	firefox.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
8	firefox.exe
8	firefox.exe
5028	chrome.exe
8	firefox.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
8	firefox.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
5028	chrome.exe
8	firefox.exe
8	firefox.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
8	firefox.exe
448	mspaint.exe
3136	PaintStudio.View.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 1372	5028	chrome.exe	72
PID 5028 wrote to memory of 1372	5028	chrome.exe	72
PID 8 wrote to memory of 1888	8	firefox.exe	75
PID 8 wrote to memory of 1888	8	firefox.exe	75
PID 5028 wrote to memory of 2012	5028	chrome.exe	76
PID 5028 wrote to memory of 2012	5028	chrome.exe	76
PID 5028 wrote to memory of 2012	5028	chrome.exe	76
PID 5028 wrote to memory of 2012	5028	chrome.exe	76
PID 5028 wrote to memory of 2012	5028	chrome.exe	76
PID 5028 wrote to memory of 2012	5028	chrome.exe	76
PID 5028 wrote to memory of 2012	5028	chrome.exe	76
PID 5028 wrote to memory of 2012	5028	chrome.exe	76
PID 5028 wrote to memory of 2012	5028	chrome.exe	76
PID 5028 wrote to memory of 2012	5028	chrome.exe	76
PID 5028 wrote to memory of 2012	5028	chrome.exe	76
PID 5028 wrote to memory of 2012	5028	chrome.exe	76
PID 5028 wrote to memory of 2012	5028	chrome.exe	76
PID 5028 wrote to memory of 2012	5028	chrome.exe	76
PID 5028 wrote to memory of 2012	5028	chrome.exe	76
PID 5028 wrote to memory of 2012	5028	chrome.exe	76
PID 5028 wrote to memory of 2012	5028	chrome.exe	76
PID 5028 wrote to memory of 2012	5028	chrome.exe	76
PID 5028 wrote to memory of 2012	5028	chrome.exe	76
PID 5028 wrote to memory of 2012	5028	chrome.exe	76
PID 5028 wrote to memory of 2012	5028	chrome.exe	76
PID 5028 wrote to memory of 2012	5028	chrome.exe	76
PID 5028 wrote to memory of 2012	5028	chrome.exe	76
PID 5028 wrote to memory of 2012	5028	chrome.exe	76
PID 5028 wrote to memory of 2012	5028	chrome.exe	76
PID 5028 wrote to memory of 2012	5028	chrome.exe	76
PID 5028 wrote to memory of 2012	5028	chrome.exe	76
PID 5028 wrote to memory of 2012	5028	chrome.exe	76
PID 5028 wrote to memory of 2012	5028	chrome.exe	76
PID 5028 wrote to memory of 2012	5028	chrome.exe	76
PID 5028 wrote to memory of 2012	5028	chrome.exe	76
PID 5028 wrote to memory of 2012	5028	chrome.exe	76
PID 5028 wrote to memory of 2012	5028	chrome.exe	76
PID 5028 wrote to memory of 2012	5028	chrome.exe	76
PID 5028 wrote to memory of 2012	5028	chrome.exe	76
PID 5028 wrote to memory of 2012	5028	chrome.exe	76
PID 5028 wrote to memory of 2012	5028	chrome.exe	76
PID 5028 wrote to memory of 2012	5028	chrome.exe	76
PID 5028 wrote to memory of 4568	5028	chrome.exe	77
PID 5028 wrote to memory of 4568	5028	chrome.exe	77
PID 5028 wrote to memory of 4680	5028	chrome.exe	78
PID 5028 wrote to memory of 4680	5028	chrome.exe	78
PID 5028 wrote to memory of 4680	5028	chrome.exe	78
PID 5028 wrote to memory of 4680	5028	chrome.exe	78
PID 5028 wrote to memory of 4680	5028	chrome.exe	78
PID 5028 wrote to memory of 4680	5028	chrome.exe	78
PID 5028 wrote to memory of 4680	5028	chrome.exe	78
PID 5028 wrote to memory of 4680	5028	chrome.exe	78
PID 5028 wrote to memory of 4680	5028	chrome.exe	78
PID 5028 wrote to memory of 4680	5028	chrome.exe	78
PID 5028 wrote to memory of 4680	5028	chrome.exe	78
PID 5028 wrote to memory of 4680	5028	chrome.exe	78
PID 5028 wrote to memory of 4680	5028	chrome.exe	78
PID 5028 wrote to memory of 4680	5028	chrome.exe	78
PID 5028 wrote to memory of 4680	5028	chrome.exe	78
PID 5028 wrote to memory of 4680	5028	chrome.exe	78
PID 5028 wrote to memory of 4680	5028	chrome.exe	78
PID 5028 wrote to memory of 4680	5028	chrome.exe	78
PID 5028 wrote to memory of 4680	5028	chrome.exe	78
PID 5028 wrote to memory of 4680	5028	chrome.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://updown.link/file/f0ohxj
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa94cc9758,0x7ffa94cc9768,0x7ffa94cc9778
  2⤵
  PID:1372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1592 --field-trial-handle=1796,i,15480375839630089290,3714894523804571759,131072 /prefetch:2
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2032 --field-trial-handle=1796,i,15480375839630089290,3714894523804571759,131072 /prefetch:8
  2⤵
  PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2108 --field-trial-handle=1796,i,15480375839630089290,3714894523804571759,131072 /prefetch:8
  2⤵
  PID:4680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2972 --field-trial-handle=1796,i,15480375839630089290,3714894523804571759,131072 /prefetch:1
  2⤵
  PID:360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3020 --field-trial-handle=1796,i,15480375839630089290,3714894523804571759,131072 /prefetch:1
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5252 --field-trial-handle=1796,i,15480375839630089290,3714894523804571759,131072 /prefetch:8
  2⤵
  PID:5100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5276 --field-trial-handle=1796,i,15480375839630089290,3714894523804571759,131072 /prefetch:8
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5364 --field-trial-handle=1796,i,15480375839630089290,3714894523804571759,131072 /prefetch:8
  2⤵
  PID:2692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5304 --field-trial-handle=1796,i,15480375839630089290,3714894523804571759,131072 /prefetch:8
  2⤵
  PID:4972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5496 --field-trial-handle=1796,i,15480375839630089290,3714894523804571759,131072 /prefetch:8
  2⤵
  PID:4240
- C:\Users\Admin\Downloads\AMD-Booster.exe
  "C:\Users\Admin\Downloads\AMD-Booster.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4412
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AMD-Booster.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AMD-Booster.exe
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    PID:3396
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\AMD-Booster.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\AMD-Booster.exe
      4⤵
      Executes dropped EXE
      PID:4108
    - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\AMD-Booster.exe
        
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\AMD-Booster.exe
        5⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:6112
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        6⤵
        
        PID:6120
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5544
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
        6⤵
        
        PID:5200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-Clipboard
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5304
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "
        6⤵
        
        PID:5632
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
        7⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2180
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:388
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:4492
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic os get Caption"
        6⤵
        
        PID:4328
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic os get Caption
        7⤵
        
        PID:824
      - C:\Windows\System32\Wbem\wmic.exe
        
        wmic cpu get Name
        6⤵
        
        PID:808
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        6⤵
        
        PID:436
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        7⤵
        Detects videocard installed
        
        PID:5364
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
        6⤵
        
        PID:5580
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:2204
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get totalphysicalmemory
        7⤵
        
        PID:1128
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
        6⤵
        
        PID:5056
        
        C:\Windows\System32\wbem\WMIC.exe
        
        C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
        7⤵
        
        PID:1672
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FPS-Booster.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\FPS-Booster.exe
      4⤵
      Executes dropped EXE
      PID:5240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5664 --field-trial-handle=1796,i,15480375839630089290,3714894523804571759,131072 /prefetch:8
  2⤵
  PID:4744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 --field-trial-handle=1796,i,15480375839630089290,3714894523804571759,131072 /prefetch:8
  2⤵
  PID:3600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4796 --field-trial-handle=1796,i,15480375839630089290,3714894523804571759,131072 /prefetch:8
  2⤵
  PID:2212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 --field-trial-handle=1796,i,15480375839630089290,3714894523804571759,131072 /prefetch:8
  2⤵
  PID:4192

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:8
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="8.0.1834652446\440708746" -parentBuildID 20221007134813 -prefsHandle 1680 -prefMapHandle 1532 -prefsLen 20935 -prefMapSize 233414 -appDir "C:\Program Files\Mozilla Firefox\browser" - {32e3efa3-0291-4e29-a67c-a6c2a7c389d5} 8 "\\.\pipe\gecko-crash-server-pipe.8" 1760 2a2ffee0e58 gpu
  2⤵
  PID:1888
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="8.1.455467771\1978085873" -parentBuildID 20221007134813 -prefsHandle 2104 -prefMapHandle 2100 -prefsLen 21016 -prefMapSize 233414 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fe13b7ba-939c-4e3d-bc2c-560b9ab8850f} 8 "\\.\pipe\gecko-crash-server-pipe.8" 2116 2a2f2172b58 socket
  2⤵
  - Checks processor information in registry
  PID:792
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="8.2.1008154799\1972784742" -childID 1 -isForBrowser -prefsHandle 2904 -prefMapHandle 2844 -prefsLen 21119 -prefMapSize 233414 -jsInitHandle 1244 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6ddcaaa-8679-407c-aef9-9bb93399266f} 8 "\\.\pipe\gecko-crash-server-pipe.8" 2804 2a288c3a558 tab
  2⤵
  PID:3644
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="8.3.1876868472\888979480" -childID 2 -isForBrowser -prefsHandle 3260 -prefMapHandle 3256 -prefsLen 21160 -prefMapSize 233414 -jsInitHandle 1244 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b023ff28-9fc8-4251-a94a-0a5eaea54c70} 8 "\\.\pipe\gecko-crash-server-pipe.8" 3288 2a2f2130258 tab
  2⤵
  PID:5044
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="8.4.1244473254\1102642870" -childID 3 -isForBrowser -prefsHandle 3272 -prefMapHandle 3268 -prefsLen 21160 -prefMapSize 233414 -jsInitHandle 1244 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d78936b-9cfb-4779-b706-e4ab450653ae} 8 "\\.\pipe\gecko-crash-server-pipe.8" 3304 2a2ffee1458 tab
  2⤵
  PID:2204
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="8.5.1039582677\321740062" -childID 4 -isForBrowser -prefsHandle 3532 -prefMapHandle 3536 -prefsLen 21160 -prefMapSize 233414 -jsInitHandle 1244 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {72a7b58d-43af-4dc4-a77a-5b4b2331c813} 8 "\\.\pipe\gecko-crash-server-pipe.8" 3416 2a28907a858 tab
  2⤵
  PID:64
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="8.6.1994174927\490141848" -childID 5 -isForBrowser -prefsHandle 4296 -prefMapHandle 4264 -prefsLen 26477 -prefMapSize 233414 -jsInitHandle 1244 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d8b4a183-5a11-474e-b891-a1652484e52a} 8 "\\.\pipe\gecko-crash-server-pipe.8" 4304 2a288376d58 tab
  2⤵
  PID:5324

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:68

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:792

C:\Users\Admin\Downloads\AMD-Booster.exe
"C:\Users\Admin\Downloads\AMD-Booster.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5892
- C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AMD-Booster.exe
  C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\AMD-Booster.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4292
- - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AMD-Booster.exe
    C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AMD-Booster.exe
    3⤵
    - Executes dropped EXE
    PID:4668
  - - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AMD-Booster.exe
      C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\AMD-Booster.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2312
- - C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FPS-Booster.exe
    C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FPS-Booster.exe
    3⤵
    - Executes dropped EXE
    PID:4996

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\AddCompare.jpg" /ForceBootstrapPaint3D
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:448

C:\Users\Admin\Downloads\AMD-Booster.exe
"C:\Users\Admin\Downloads\AMD-Booster.exe"
1⤵
- Executes dropped EXE
- Adds Run key to start application
PID:5788
- C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\AMD-Booster.exe
  C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\AMD-Booster.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:1844
- - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\AMD-Booster.exe
    C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\AMD-Booster.exe
    3⤵
    - Executes dropped EXE
    PID:4332
  - - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\AMD-Booster.exe
      C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\AMD-Booster.exe
      4⤵
      Executes dropped EXE
      PID:1400
- - C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FPS-Booster.exe
    C:\Users\Admin\AppData\Local\Temp\IXP005.TMP\FPS-Booster.exe
    3⤵
    - Executes dropped EXE
    PID:5152

C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
"C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
f8b285049a5f93f9a8736a1bf30993de

SHA1
cde42cbaced159f8f939632b6cf29f6c1e578e09

SHA256
70cde14afd63a3dcbbc88bc924fb381774a6829633bdce9bbf05f35d8e9e4fc7

SHA512
449f6b5156a452b7f35a17a7c81210acd12358baa9709fa9b720dd6f5e64925d828665bb29be4e6a765e1218e4db70e1170d5c883e64e6aac2f04919d43bb05b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
9d2b3f879a56ca432cf4afe4c2fec346

SHA1
f5d96cd63480a22e56ab2d2469e87acdb7d720ba

SHA256
2185c172d31e1296356c751beeca286c538198c71bf738e68638fbe004f5de4e

SHA512
c4ce2a62af1fbbb440d926b8ddf042872557e0f4be97bd8a32ca2abbca987da1fbfb6b4a368c69bd7bb8f96a659553820176de4a2dda446bb436aad0e6646a21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
34c968ddc67f911b3784d02bfcae8fe1

SHA1
b6804b9dc51b954e4b4b55247132a206e20db6fe

SHA256
dee9f44ccc7dc2b1ef3bc78c1127c79230be8d86958e7b082bf893308c6e74d0

SHA512
0edea95435b8b5dc6337ec09c01deeccd8aa24d4907d798a1cc0cd8ee3b2b126735a6b14fa1152638ad36db6238176af3c41efa1ff019ebd9f7a26445525a747

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
369B

MD5
b2e1c0b3f5b78a2d7c6277716910fbd6

SHA1
947810fa437b962c7cecc4e7fca060daf18fb190

SHA256
712904d3bd67499683a32c8bb53a8b0be92da17f883a5b0788f0b108b6dde0bb

SHA512
1107abc5b4657a5b72e1f659d4de6684dfc35d8869b41f4d15a054914c137f3d8047accfbf8a321dd57357f18a9f621e2d731cf5a8fa9e8371d113156a056ccd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
74220f41abb47f0eef2c26177ef31ad0

SHA1
3621af6fdd5df684b5a27af3f92c53a9198e43e8

SHA256
6f1f6534792bba2d1842c68582168e2dda6ef510e2e0b8fbca9f423c73f3c364

SHA512
90721303ef2f7c559996f46d2aa20e6d5985aa79a610f2b3a7a8dd5a333a1a171f7f004f76fa0db8473e8547b91fa272a13661e6099bda8b6407df549382cb7a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
7918b7894fc022f5ae4ea0968a9db12e

SHA1
33c327f7b593a78c5403a5561632388527abbf34

SHA256
e7d3a7990d6c6a06b22454c0756ceb12782f30879e5a60bc8d48797661632ca0

SHA512
a91930d6996ac51464fce7125a48b120952fc4e06ab8e9cd9acbebe08494352d81cdc839c753f62a499f118a236f075e0bc95ab8cba319d50e845fec5b6a75f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8a69608d728b3d30cc7dab8706357800

SHA1
6b513605706a4ad758d36058ac0c3099046fe60d

SHA256
9dcce4622d5f97898bfd36a51cebfbf25c70c14aa0fb62285dc024645ba54b01

SHA512
4f43309565a3760fca0dd60110157fb1de3d370f04774b567d8e629d4573fcbd70153d19ec33670d140dba8373a6ad93edafd315f2a6ddd0e43f95ae10dd3a00

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
622d4b16255c75ec67efc7f2f6222550

SHA1
95ba963aa38b88b6abc92e98016afbe93c145c0a

SHA256
429700dcbee7ad7d4faf7c287dcdf26da1c49b35615896a78f03976db58dbe8b

SHA512
0fad3cbc3582caa7e70851de8ce4f6d43633e79f5166ff4b6589d3d8fed121ea09443b234bf7c0ab3b1658756d7304573c5cae5e48a228cb04c9c947a36fbcb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
3171d3d18b99f8439a17b3be68945d6e

SHA1
cb5862adae16397a5d639f16805f12296ce7e553

SHA256
f83bf2020bdbd5995b8527f24bdbd2f9b9018ba59ef615295fffba856eeba578

SHA512
75904b13a90d3ac8c6bc8f53cfbbc55c4b3da409dd7959e4e7f4e74a8b6ff3c4cb4775a1cf8e92de12d75a345e76f7fdc7a25b4c9a9f20ecf4f8104bbc3a96bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
150KB

MD5
8766609850e3fa09034bc5837595dc28

SHA1
f2227562366a012672f1da4d9a7e0cd64df32580

SHA256
fbb74251a9fd36b72fce7a9e752c9e630ff164186c24ba8194154fd17d1be362

SHA512
8bcc7df709e3755013563f658cca7d01df61233f92389737f17d63409e27f40a00720a6cd702d458424a9cefd6217b043461873ce6b5906f32a65b4f483d8c45

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\2b7acdhd.default-release\activity-stream.discovery_stream.json.tmp

Filesize
24KB

MD5
8885c51de2633054825858fe95509e1b

SHA1
a0236ed83aa51555bbe2bd77d4031d192d937c9b

SHA256
41007e39113bfdf8eacfa104fc76f5403b78399a07934717a15d95a40e43a6ba

SHA512
6790df72a2f376490c35c9614503c5314e2378ca28d8d57d9a5daaa1fdf71e3246f750401afe72df6c61ec06bf60b7e082f5a652be4b0077f02cd7f15ad9363a

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\AMD-Booster.exe

Filesize
15.6MB

MD5
b1f4e6945ff074bb45a011430382ebe1

SHA1
86352b5d79e57d49720963df908750d1613536b7

SHA256
b80652534c32a436300046d1d70f2238e66daa169e9a35595066c3e2d58549b1

SHA512
3a6f548a47d253490481f2f21c2d0ab80c959fd85e1c1e59e9812d363cb1288be116d0ebebf7981f04ad88ddc3f40b51727341c62c74f767b86db69b0879435d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\AMD-Booster.exe

Filesize
15.6MB

MD5
306387f3248942bb899547e0d5fbe8fe

SHA1
6aea22c21ab39baf7621dbad8e6237198ad14a1b

SHA256
4afebd3917dab6d870aa09abac834a6492f84f07b3f48261ef39b54632cd3c63

SHA512
b192b6577828e490bc7546907186a8d95db5b45c3c8d8b6ca9adb6cf9c95f396cd92a90f102909534c5e78afdaa31a79cb1350c80cdc936c136a74e041ff199f

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\FPS-Booster.exe

Filesize
78KB

MD5
1a2febdd145d86a9a0d9395915631f77

SHA1
ab910ff4b9b08d3033c8339691b25b3f97734ffb

SHA256
7f9816ea06b75a4b89d1a149a6ef00929e036d9a665ad45f3d5ee7acb709cb98

SHA512
a8525da563a28fd6f10642b18c90c8d0238e28808e27e63fdc776fea7d404dc822d9b81e49a1b63a1e37b697e052eaf8809e34a182ac36bdc2fc8d2230886220

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\main.exe

Filesize
17.7MB

MD5
e715bf23f431c3b582e5c72cab6b0e41

SHA1
b07a3fa524298ff877283deb15cfee58c528bc4e

SHA256
3c7605de57f2c9c94076a5a6f70e76ae5ea5c9b72d7fa1c57a07ecdd381b5b0f

SHA512
4e23e8bb70303c08c52cc223da326afdc4fb122afff71c808b0bcdcbf3331f2da6205572b7731f905b218ab2360422964481136d15e2a5eb4063f478f81def34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41082\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41082\_cffi_backend.cp312-win_amd64.pyd

Filesize
71KB

MD5
886da52cb1d06bd17acbd5c29355a3f5

SHA1
45dee87aefb1300ec51f612c3b2a204874be6f28

SHA256
770d04ebe9f4d8271659ba9bf186b8ae422fdd76f7293dbc84be78d9d6dd92cc

SHA512
d6c7a90b8fa017f72f499943d73e4015f2eec0e46188c27848892a99be35e0ecbda1f692630863b89109b04636e813ddad2051f323a24b4d373192a6b67cf978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41082\_ctypes.pyd

Filesize
59KB

MD5
76288ffffdce92111c79636f71b9bc9d

SHA1
15c10dcd31dab89522bf5b790e912dc7e6b3183b

SHA256
192cc2ac818c78cd21e9f969a95c0ff777d4cd5f79ae51ab7c366d2b8540f6a1

SHA512
29efc143cd72bf886e9bf54463706484f22222f024bd7e8cb206c32f40b76d823efd36061b05bbd6bcf562f83d95449acb3f1440c95e63750c643c15a10816c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41082\_decimal.pyd

Filesize
105KB

MD5
c2f5d61323fb7d08f90231300658c299

SHA1
a6b15204980e28fc660b5a23194348e6aded83fc

SHA256
a8ea1e613149d04e7ce637413aad6df636556916902718f64e57fdff44f959bb

SHA512
df22676b5268175562574078459820f11eedb06f2845c86398c54861e9e3fb92547e7341b497fb0e79e9d3abba655e6593b1049bf78818c0ba7b9c96e3748606

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41082\_hashlib.pyd

Filesize
35KB

MD5
caaea46ee25211cbdc762feb95dc1e4d

SHA1
1f900cc99c02f4300d65628c1b22ddf8f39a94d4

SHA256
3ef6e0e5bf3f1ea9713f534c496a96eded9d3394a64324b046a61222dab5073b

SHA512
68c2b1634fcca930c1651f550494a2ef187cf52dce8ff28f410ebed4d84487e3b08f6f70223a83b5313c564dcd293748f3c22f2a4218218e634e924c8390cf9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41082\_multiprocessing.pyd

Filesize
27KB

MD5
0c942dacb385235a97e373bdbe8a1a5e

SHA1
cf864c004d710525f2cf1bec9c19ddf28984ca72

SHA256
d5161d4e260b2bb498f917307f1c21381d738833efc6e8008f2ebfb9447c583b

SHA512
ca10c6842634cec3cada209b61dd5b60d8ea63722e3a77aa05e8c61f64b1564febe9612b554a469927dbce877b6c29c357b099e81fa7e73ceeae04b8998aa5a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41082\_overlapped.pyd

Filesize
33KB

MD5
ed9cff0d68ba23aad53c3a5791668e8d

SHA1
a38c9886d0de7224e36516467803c66a2e71c7d9

SHA256
e88452d26499f51d48fe4b6bd95fc782bad809f0cb009d249aacf688b9a4e43f

SHA512
6020f886702d9ff6530b1f0dad548db6ad34171a1eb677cb1ba14d9a8943664934d0cfe68b642b1dd942a70e3ae375071591a66b709c90bd8a13303a54d2198b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41082\_sqlite3.pyd

Filesize
57KB

MD5
29a6551e9b7735a4cb4a61c86f4eb66c

SHA1
f552a610d64a181b675c70c3b730aa746e1612d0

SHA256
78c29a6479a0a2741920937d13d404e0c69d21f6bd76bdfec5d415857391b517

SHA512
54a322bfe5e34f0b6b713e22df312cfbde4a2b52240a920b2fa3347939cf2a1fecbeac44d7c1fa2355ee6dc714891acd3ee827d73131fd1e39fba390c3a444e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41082\_uuid.pyd

Filesize
24KB

MD5
7a00ff38d376abaaa1394a4080a6305b

SHA1
d43a9e3aa3114e7fc85c851c9791e839b3a0ee13

SHA256
720e9b68c41c8d9157865e4dd243fb1731f627f3af29c43250804a5995a82016

SHA512
ce39452df539eeeff390f260c062a0c902557fda25a7be9a58274675b82b30bddb7737b242e525f7d501db286f4873b901d94e1cd09aa8864f052594f4b34789

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41082\_wmi.pyd

Filesize
28KB

MD5
f3767430bbc7664d719e864759b806e4

SHA1
f27d26e99141f15776177756de303e83422f7d07

SHA256
787caad25cb4e2df023ead5e5a3fcd160b1c59a2e4ae1fc7b25c5087964defe8

SHA512
b587dfff4ba86142663de6ef8710ac7ab8831ca5fc989820b6a197bcd31ac5fdcb0b5982bf9a1fc13b331d0e53dc1b7367b54bb47910f3d1e18f8193449acb9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41082\base_library.zip

Filesize
1.3MB

MD5
630153ac2b37b16b8c5b0dbb69a3b9d6

SHA1
f901cd701fe081489b45d18157b4a15c83943d9d

SHA256
ec4e6b8e9f6f1f4b525af72d3a6827807c7a81978cb03db5767028ebea283be2

SHA512
7e3a434c8df80d32e66036d831cbd6661641c0898bd0838a07038b460261bf25b72a626def06d0faa692caf64412ca699b1fa7a848fe9d969756e097cba39e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41082\libffi-8.dll

Filesize
29KB

MD5
bb1feaa818eba7757ada3d06f5c57557

SHA1
f2de5f06dc6884166de165d34ef2b029bb0acf8b

SHA256
a7ac89b42d203ad40bad636ad610cf9f6da02128e5a20b8b4420530a35a4fb29

SHA512
95dd1f0c482b0b0190e561bc08fe58db39fd8bb879a2dec0cabd40d78773161eb76441a9b1230399e3add602685d0617c092fff8bf0ab6903b537a9382782a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41082\python312.dll

Filesize
1.8MB

MD5
2889fb28cd8f2f32997be99eb81fd7eb

SHA1
adfeb3a08d20e22dde67b60869c93291ca688093

SHA256
435430e3abfde589d8535bc24a4b1d4147a4971dbe59e9377603974c07a1b637

SHA512
aaa33b8178a8831008ea6ad39b05189d55aa228a20a2315e45df6e2ff590c94478cfc76c9adb762689edb021ecdf98df3e7074d8d65c1c477273056b7509f8ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41082\sqlite3.dll

Filesize
630KB

MD5
8776a7f72e38d2ee7693c61009835b0c

SHA1
677a127c04ef890e372d70adc2ab388134753d41

SHA256
c467fcc7377b4a176e8963f54ffff5c96d1eb86d95c4df839af070d6d7dbf954

SHA512
815bf905fa9a66c05e5c92506d2661c87559c6205c71daa205368dbfd3d56b8a302a4d31729bc6d4c1d86cbcf057638aa17bde0d85ccc59ce1cbcb9e64349732

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41082\unicodedata.pyd

Filesize
295KB

MD5
4253cde4d54e752ae54ff45217361471

SHA1
06aa069c348b10158d2412f473c243b24d6fc7bc

SHA256
67634e2df60da6b457e4ebfbae3edb1f48d87752221600a5814b5e8f351166e6

SHA512
3b714a57747eddf39fc3a84ab3ca37cc0b8103dd3f987331ffb2d1d46f9a34f3793bb0493c55e02ab873314c8990eaebdd0284ad087a651c06a7f862b1a61c80

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eth3lyng.pbt.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
bfe0f5fa6406e180c0f0ed389d63f604

SHA1
12bf71d722d09877019ce647eacc7105dc0bf476

SHA256
504b6a5f9e7bc16200619395bd9b81fb7721b60c1b925c3f26b01acd6cba0542

SHA512
763cbe36e11a05309b210fba6c4b8fe924d607e74b4d84aaa544427e255485c891878446ad44cdfdccc4407d4d9a133d13c2c702f51d506b96c97332f86dd3c2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\45b7e3ed-10a4-4040-af4c-bbe9c97b4edb

Filesize
669B

MD5
fc9611437ba6a0f8f08a5b7609ca9585

SHA1
578df7dc40bef44152fcc74bda0ce9079728b0ba

SHA256
fd096d697e1bf322b26e89fb4f5cfaa22a163e562d9edf296c8c253f1524052e

SHA512
2cfd42c7c9c4d9a7986f071a91cd19af37eab2acb9e4126ee75af8d5956253db25b9ee88b4c2a1349721a6df5ffa363c07f151527f6e7dd0cb25860dce8b79be

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\datareporting\glean\pending_pings\eda017c8-0c3c-46e9-92ce-5955e1b38f07

Filesize
10KB

MD5
000c5e40af18dad81884eec1ea0eed55

SHA1
1aeb789780b98713efa22fcbc49f4a85306ec7bc

SHA256
a35b2680b4ce95c6ca5c53bda5440e04b0d622c5bd0ab468338236ca14cfb63b

SHA512
1b06c0590490b3884639de8554397d4977daf2ab1cb182fae3f82bf49c57ea3bffe05d7436663491e85c9530be078dd5cfa4bde1e6ec75e521585c31765e5171

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs-1.js

Filesize
6KB

MD5
90ab4c66963380c23cc0bc298a1f1638

SHA1
eef0e3e076e7d684be0f1ab30e39895565d7b4ad

SHA256
49d42b277cbdd42cfda52b3ce0f966e829d5b5d194327f48ac5f8f88b507b7b2

SHA512
9d92e3d8b96e1dcc4897e95f00acd477711a03dc246121eb149690add86f62caeb6243ed75ba57f2f101e616a1d2e78a3f65c2463903bd09155bd9a97507464e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\prefs.js

Filesize
6KB

MD5
db7ae4024ee85890904361aa2370991c

SHA1
0da822093017a61d26f224afd72802373b39236c

SHA256
ad05c819fb4b957f31fad49878ec7f847a6908109d8ae28cbb402f4f6f2ac288

SHA512
761861d651797866e0745144ac96a885c471251116445b0634470cb15c589cf8fcb46cb6e504f3de833817c4b0103fd3c98c5dec89aeca55aaef89918c29778e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
271B

MD5
de388ffde398a3af3dd29d2b18b7a27d

SHA1
4842fea9c12cbbfaaabb66d264e1d911975fa9c5

SHA256
4fca6b282e851589c8a7ea88879d346120ba7a47b7609d945151a41d39ab85ec

SHA512
e0fb682d4fa5ef1838ae43aba07c3ad982177cbf63a0e015c9897d2374b42151bd99c44736c80a00547aeb7163a435eb80c2a93667cf04b0abbef00baa00ecf3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\2b7acdhd.default-release\sessionstore.jsonlz4

Filesize
884B

MD5
aee2c4e0ff6f4c26340cd8a2ecf3a9fa

SHA1
3d1c32c6a3de2fe5aa26021c88354b729fe41d93

SHA256
1fe6c9c0282ce9ca761b16dcfe0c81eaf7684cfcd9414e039de192de712bb903

SHA512
e6f50deaa01c0137dea11ab03d8a57164c5c49544a374d8dba723fa3f0c4fca62f0c39a1aec47519f3d9639fad5b5a823c9af87f30f2b16154c377b5b5841228

Download Submit
C:\Users\Admin\Downloads\AMD-Booster.exe

Filesize
33.3MB

MD5
0b96ae74e135676ee9c39c2127d4c79b

SHA1
4b52d2224820e3bab6301b1559df03d9ef2ce73d

SHA256
086e1dd4eb0266bb013001088694b826eb8960f744caf8b872bba11f487e19ab

SHA512
2ee8d54524cfc50f053fcaea464f9aba4faf600f4175ae9119166dec7595d93bea4a0b30bf37ba341d57340410da514ab8589b196ed31fa59153fb5dd0feb174

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI41082\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI41082\_asyncio.pyd

Filesize
37KB

MD5
b72e9a2f4d4389175e96cd4086b27aac

SHA1
2acfa17bb063ee9cf36fadbac802e95551d70d85

SHA256
f9924bbead1aca98422ba421f5139a4c147559aae5928dfd2f6aada20cb6bb42

SHA512
b55f40451fa9bdd62c761823613fcfe734aaa28e26fb02a9620ad39ab7539c9257eac8cc10d4a3f2390c23a4d951cc02d695498530a4c1d91b4e51e625316e06

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI41082\_bz2.pyd

Filesize
48KB

MD5
f991618bfd497e87441d2628c39ea413

SHA1
98819134d64f44f83a18985c2ec1e9ee8b949290

SHA256
333c06fad79094d43465d128d68078296c925d1ea2b6b5bf13072a8d5cb65e7e

SHA512
3a9ecb293abedcdba3493feb7d19f987735ced5a5194abaa1d1e00946e7ea0f878dd71868eb3d9bfec80432df862367661b825c9e71409c60ec73d1708a63ef6

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI41082\_lzma.pyd

Filesize
86KB

MD5
f07f0cfe4bc118aebcde63740635a565

SHA1
44ee88102830434bb9245934d6d4456c77c7b649

SHA256
cc5302895aa164d5667d0df3ebeeee804384889b01d38182b3f7179f3c4ff8c0

SHA512
fcd701903ccd454a661c27835b53f738d947f38e9d67620f52f12781a293e42ae6b96c260600396883d95dd5f536dba2874aaee083adbcc78d66873cefc8e99d

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI41082\_queue.pyd

Filesize
26KB

MD5
8347192a8c190895ec8806a3291e70d9

SHA1
0a634f4bd15b7ce719d91f0c1332e621f90d3f83

SHA256
b1ad27547e8f7ab2d1ce829ca9bdcc2b332dc5c2ef4fe224ccb76c78821c7a19

SHA512
de6858ed68982844c405ca8aecf5a0aa62127807b783a154ba5d844b44f0f8f42828dc097ac4d0d1aa8366cdcab44b314effcb0020b65db4657df83b1b8f5fed

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI41082\_socket.pyd

Filesize
44KB

MD5
7e92d1817e81cbafdbe29f8bec91a271

SHA1
08868b9895196f194b2e054c04edccf1a4b69524

SHA256
19573ccc379190277674a013f35bf055f6dbb57adfce79152152a0de3ff8c87c

SHA512
0ed41a3ce83b8f4a492555a41881d292ece61d544f0a4df282f3cc37822255a7a32647724568c9a3b04d13fd3cc93eb080e54ac2ce7705b6b470454366be1cbe

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI41082\_ssl.pyd

Filesize
65KB

MD5
8696f07039706f2e444f83bb05a65659

SHA1
6c6fff6770a757e7c4b22e6e22982317727bf65b

SHA256
5405af77bc6ad0c598490b666c599c625195f7bf2a63db83632e3a416c73e371

SHA512
93e9f8fc1ae8a458eb4d9e7d7294b5c2230cb753386842e72d07cb7f43f248d204d13d93aedae95ec1a7aa6a81a7c09fdba56a0bc31924a1722c423473d97758

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI41082\libcrypto-3.dll

Filesize
1.6MB

MD5
e68a459f00b05b0bd7eafe3da4744aa9

SHA1
41565d2cc2daedd148eeae0c57acd385a6a74254

SHA256
3fcf6956df6f5dc92b2519062b40475b94786184388540a0353f8a0868413648

SHA512
6c4f3747af7be340a3db91e906b949684a39cafc07f42b9fcc27116f4f4bf405583fc0db3684312b277d000d8e6a566db2c43601fa2af499700319c660ef1108

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI41082\libssl-3.dll

Filesize
222KB

MD5
9b8d3341e1866178f8cecf3d5a416ac8

SHA1
8f2725b78795237568905f1a9cd763a001826e86

SHA256
85dd8c17928e78c20cf915c1985659fe99088239793f2bd46acb31a3c344c559

SHA512
815abc0517f94982fc402480bba6e0749f44150765e7f8975e4fcbfce62c4a5ff741e39e462d66b64ba3b804bd5b7190b67fff037d11bb314c7d581cfa6097a8

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI41082\pyexpat.pyd

Filesize
87KB

MD5
edcb8f65306461e42065ac6fc3bae5e7

SHA1
4faa04375c3d2c2203be831995403e977f1141eb

SHA256
1299da117c98d741e31c8fb117b0f65ae039a4122934a93d0bbb8dfbddd2dcd7

SHA512
221e6e1eb9065f54a48040b48f7b6109853306f04506ccf9ecb2f5813a5bd9675c38565a59e72770bf33d132977aa1558cc290720e39a4f3a74a0e7c2a3f88fa

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI41082\python3.dll

Filesize
66KB

MD5
6271a2fe61978ca93e60588b6b63deb2

SHA1
be26455750789083865fe91e2b7a1ba1b457efb8

SHA256
a59487ea2c8723277f4579067248836b216a801c2152efb19afee4ac9785d6fb

SHA512
8c32bcb500a94ff47f5ef476ae65d3b677938ebee26e80350f28604aaee20b044a5d55442e94a11ccd9962f34d22610b932ac9d328197cf4d2ffbc7df640efba

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI41082\select.pyd

Filesize
25KB

MD5
c16b7b88792826c2238d3cf28ce773dd

SHA1
198b5d424a66c85e2c07e531242c52619d932afa

SHA256
b81be8cc053734f317ff4de3476dd8c383cc65fe3f2f1e193a20181f9ead3747

SHA512
7b1b2494fe0ef71869072d3c41ba1f2b67e3b9dcc36603d1503bb914d8b8e803dc1b66a3cbf0e45c43e4a5b7a8f44504a35d5e8e1090d857b28b7eba1b89c08a

Download Submit
memory/2312-1018-0x00007FFA89630000-0x00007FFA89649000-memory.dmp

Filesize
100KB

Download
memory/2312-1034-0x00007FFA7E550000-0x00007FFA7E568000-memory.dmp

Filesize
96KB

Download
memory/2312-1089-0x00007FFA94E90000-0x00007FFA94E9C000-memory.dmp

Filesize
48KB

Download
memory/2312-1090-0x00007FFA94E80000-0x00007FFA94E8E000-memory.dmp

Filesize
56KB

Download
memory/2312-1094-0x00007FFA79400000-0x00007FFA79929000-memory.dmp

Filesize
5.2MB

Download
memory/2312-1095-0x00007FFA944F0000-0x00007FFA944FD000-memory.dmp

Filesize
52KB

Download
memory/2312-1096-0x00007FFA944D0000-0x00007FFA944E2000-memory.dmp

Filesize
72KB

Download
memory/2312-1091-0x00007FFA94E70000-0x00007FFA94E7C000-memory.dmp

Filesize
48KB

Download
memory/2312-1092-0x00007FFA94E60000-0x00007FFA94E6B000-memory.dmp

Filesize
44KB

Download
memory/2312-1093-0x00007FFA94520000-0x00007FFA9452B000-memory.dmp

Filesize
44KB

Download
memory/2312-1052-0x00007FFA94EF0000-0x00007FFA94EFB000-memory.dmp

Filesize
44KB

Download
memory/2312-1059-0x000002067D410000-0x000002067D939000-memory.dmp

Filesize
5.2MB

Download
memory/2312-1055-0x00007FFA94EC0000-0x00007FFA94ECC000-memory.dmp

Filesize
48KB

Download
memory/2312-1058-0x00007FFA7E6E0000-0x00007FFA7E713000-memory.dmp

Filesize
204KB

Download
memory/2312-1056-0x00007FFA94EB0000-0x00007FFA94EBB000-memory.dmp

Filesize
44KB

Download
memory/2312-1057-0x00007FFA94EA0000-0x00007FFA94EAC000-memory.dmp

Filesize
48KB

Download
memory/2312-1053-0x00007FFA94EE0000-0x00007FFA94EEC000-memory.dmp

Filesize
48KB

Download
memory/2312-1054-0x00007FFA94ED0000-0x00007FFA94EDB000-memory.dmp

Filesize
44KB

Download
memory/2312-1051-0x00007FFA956A0000-0x00007FFA956AB000-memory.dmp

Filesize
44KB

Download
memory/2312-1047-0x00007FFA98EA0000-0x00007FFA98EAB000-memory.dmp

Filesize
44KB

Download
memory/2312-1050-0x00007FFA94530000-0x00007FFA9464B000-memory.dmp

Filesize
1.1MB

Download
memory/2312-1049-0x00007FFA95220000-0x00007FFA9522D000-memory.dmp

Filesize
52KB

Download
memory/2312-1048-0x00007FFA94F00000-0x00007FFA94F27000-memory.dmp

Filesize
156KB

Download
memory/2312-1006-0x00007FFA7C680000-0x00007FFA7CD59000-memory.dmp

Filesize
6.8MB

Download
memory/2312-1035-0x00007FFA950C0000-0x00007FFA950D4000-memory.dmp

Filesize
80KB

Download
memory/2312-1033-0x00007FFA79280000-0x00007FFA793F6000-memory.dmp

Filesize
1.5MB

Download
memory/2312-1031-0x00007FFA7D310000-0x00007FFA7D334000-memory.dmp

Filesize
144KB

Download
memory/2312-1032-0x00007FFA91F90000-0x00007FFA91FB5000-memory.dmp

Filesize
148KB

Download
memory/2312-1027-0x00007FFA7E6C0000-0x00007FFA7E6D2000-memory.dmp

Filesize
72KB

Download
memory/2312-1028-0x00007FFA7F240000-0x00007FFA7F256000-memory.dmp

Filesize
88KB

Download
memory/2312-1026-0x000002067D410000-0x000002067D939000-memory.dmp

Filesize
5.2MB

Download
memory/2312-1025-0x00007FFA79400000-0x00007FFA79929000-memory.dmp

Filesize
5.2MB

Download
memory/2312-1023-0x00007FFA7C680000-0x00007FFA7CD59000-memory.dmp

Filesize
6.8MB

Download
memory/2312-1024-0x00007FFA7BB70000-0x00007FFA7BC3D000-memory.dmp

Filesize
820KB

Download
memory/2312-1022-0x00007FFA7E6E0000-0x00007FFA7E713000-memory.dmp

Filesize
204KB

Download
memory/2312-1021-0x00007FFA944A0000-0x00007FFA944AD000-memory.dmp

Filesize
52KB

Download
memory/2312-1017-0x00007FFA83E90000-0x00007FFA83EC5000-memory.dmp

Filesize
212KB

Download
memory/2312-1019-0x00007FFA94E50000-0x00007FFA94E5D000-memory.dmp

Filesize
52KB

Download
memory/2312-1016-0x00007FFA95220000-0x00007FFA9522D000-memory.dmp

Filesize
52KB

Download
memory/2312-1015-0x00007FFA89650000-0x00007FFA8967D000-memory.dmp

Filesize
180KB

Download
memory/2312-1014-0x00007FFA93880000-0x00007FFA93899000-memory.dmp

Filesize
100KB

Download
memory/2312-1012-0x00007FFA98750000-0x00007FFA9875F000-memory.dmp

Filesize
60KB

Download
memory/2312-1011-0x00007FFA91F90000-0x00007FFA91FB5000-memory.dmp

Filesize
148KB

Download
memory/5304-614-0x0000022A79440000-0x0000022A79462000-memory.dmp

Filesize
136KB

Download
memory/5304-617-0x0000022A795F0000-0x0000022A79666000-memory.dmp

Filesize
472KB

Download
memory/6112-566-0x00007FFA8E6A0000-0x00007FFA8E6AC000-memory.dmp

Filesize
48KB

Download
memory/6112-564-0x00007FFA930B0000-0x00007FFA930BB000-memory.dmp

Filesize
44KB

Download
memory/6112-460-0x00007FFA93730000-0x00007FFA93755000-memory.dmp

Filesize
148KB

Download
memory/6112-507-0x00007FFA94340000-0x00007FFA9434D000-memory.dmp

Filesize
52KB

Download
memory/6112-491-0x00007FFA91F40000-0x00007FFA91F75000-memory.dmp

Filesize
212KB

Download
memory/6112-697-0x00007FFA93730000-0x00007FFA93755000-memory.dmp

Filesize
148KB

Download
memory/6112-712-0x00007FFA83000000-0x00007FFA83176000-memory.dmp

Filesize
1.5MB

Download
memory/6112-717-0x00007FFA82E90000-0x00007FFA82FAB000-memory.dmp

Filesize
1.1MB

Download
memory/6112-716-0x00007FFA86050000-0x00007FFA86077000-memory.dmp

Filesize
156KB

Download
memory/6112-713-0x00007FFA94D70000-0x00007FFA94D88000-memory.dmp

Filesize
96KB

Download
memory/6112-711-0x00007FFA930C0000-0x00007FFA930E4000-memory.dmp

Filesize
144KB

Download
memory/6112-696-0x00007FFA83780000-0x00007FFA83E59000-memory.dmp

Filesize
6.8MB

Download
memory/6112-467-0x00007FFA93220000-0x00007FFA9324D000-memory.dmp

Filesize
180KB

Download
memory/6112-503-0x00007FFA8FBC0000-0x00007FFA8FBD9000-memory.dmp

Filesize
100KB

Download
memory/6112-529-0x00007FFA8F1B0000-0x00007FFA8F1E3000-memory.dmp

Filesize
204KB

Download
memory/6112-530-0x00007FFA83180000-0x00007FFA836A9000-memory.dmp

Filesize
5.2MB

Download
memory/6112-531-0x00007FFA836B0000-0x00007FFA8377D000-memory.dmp

Filesize
820KB

Download
memory/6112-527-0x00007FFA83780000-0x00007FFA83E59000-memory.dmp

Filesize
6.8MB

Download
memory/6112-532-0x0000027972020000-0x0000027972549000-memory.dmp

Filesize
5.2MB

Download
memory/6112-466-0x00007FFA93860000-0x00007FFA93879000-memory.dmp

Filesize
100KB

Download
memory/6112-547-0x00007FFA8ECB0000-0x00007FFA8ECC6000-memory.dmp

Filesize
88KB

Download
memory/6112-553-0x00007FFA83000000-0x00007FFA83176000-memory.dmp

Filesize
1.5MB

Download
memory/6112-1020-0x00007FFA82B50000-0x00007FFA82DD3000-memory.dmp

Filesize
2.5MB

Download
memory/6112-552-0x00007FFA930C0000-0x00007FFA930E4000-memory.dmp

Filesize
144KB

Download
memory/6112-551-0x00007FFA8EC90000-0x00007FFA8ECA2000-memory.dmp

Filesize
72KB

Download
memory/6112-489-0x00007FFA949C0000-0x00007FFA949CD000-memory.dmp

Filesize
52KB

Download
memory/6112-557-0x00007FFA949C0000-0x00007FFA949CD000-memory.dmp

Filesize
52KB

Download
memory/6112-559-0x00007FFA94D60000-0x00007FFA94D6B000-memory.dmp

Filesize
44KB

Download
memory/6112-563-0x00007FFA83180000-0x00007FFA836A9000-memory.dmp

Filesize
5.2MB

Download
memory/6112-510-0x00007FFA942F0000-0x00007FFA942FD000-memory.dmp

Filesize
52KB

Download
memory/6112-565-0x00007FFA930A0000-0x00007FFA930AB000-memory.dmp

Filesize
44KB

Download
memory/6112-556-0x00007FFA94D70000-0x00007FFA94D88000-memory.dmp

Filesize
96KB

Download
memory/6112-567-0x00007FFA8C210000-0x00007FFA8C21B000-memory.dmp

Filesize
44KB

Download
memory/6112-568-0x00007FFA895C0000-0x00007FFA895CC000-memory.dmp

Filesize
48KB

Download
memory/6112-569-0x00007FFA82E80000-0x00007FFA82E8C000-memory.dmp

Filesize
48KB

Download
memory/6112-571-0x0000027972020000-0x0000027972549000-memory.dmp

Filesize
5.2MB

Download
memory/6112-572-0x00007FFA82E40000-0x00007FFA82E4B000-memory.dmp

Filesize
44KB

Download
memory/6112-573-0x00007FFA82E30000-0x00007FFA82E3C000-memory.dmp

Filesize
48KB

Download
memory/6112-574-0x00007FFA82E20000-0x00007FFA82E2C000-memory.dmp

Filesize
48KB

Download
memory/6112-575-0x00007FFA82E10000-0x00007FFA82E1D000-memory.dmp

Filesize
52KB

Download
memory/6112-576-0x00007FFA82DF0000-0x00007FFA82E02000-memory.dmp

Filesize
72KB

Download
memory/6112-577-0x00007FFA82DE0000-0x00007FFA82DEC000-memory.dmp

Filesize
48KB

Download
memory/6112-578-0x00007FFA91F30000-0x00007FFA91F3C000-memory.dmp

Filesize
48KB

Download
memory/6112-579-0x00007FFA91AF0000-0x00007FFA91AFB000-memory.dmp

Filesize
44KB

Download
memory/6112-580-0x00007FFA82E60000-0x00007FFA82E6C000-memory.dmp

Filesize
48KB

Download
memory/6112-600-0x00007FFA82B10000-0x00007FFA82B39000-memory.dmp

Filesize
164KB

Download
memory/6112-601-0x00007FFA82AE0000-0x00007FFA82B0E000-memory.dmp

Filesize
184KB

Download
memory/6112-581-0x00007FFA82E50000-0x00007FFA82E5B000-memory.dmp

Filesize
44KB

Download
memory/6112-546-0x00007FFA93730000-0x00007FFA93755000-memory.dmp

Filesize
148KB

Download
memory/6112-596-0x00007FFA836B0000-0x00007FFA8377D000-memory.dmp

Filesize
820KB

Download
memory/6112-597-0x00007FFA82B50000-0x00007FFA82DD3000-memory.dmp

Filesize
2.5MB

Download
memory/6112-570-0x00007FFA82E70000-0x00007FFA82E7E000-memory.dmp

Filesize
56KB

Download
memory/6112-562-0x00007FFA8F1B0000-0x00007FFA8F1E3000-memory.dmp

Filesize
204KB

Download
memory/6112-560-0x00007FFA86050000-0x00007FFA86077000-memory.dmp

Filesize
156KB

Download
memory/6112-561-0x00007FFA82E90000-0x00007FFA82FAB000-memory.dmp

Filesize
1.1MB

Download
memory/6112-558-0x00007FFA93290000-0x00007FFA932A4000-memory.dmp

Filesize
80KB

Download
memory/6112-461-0x00007FFA94D40000-0x00007FFA94D4F000-memory.dmp

Filesize
60KB

Download
memory/6112-441-0x00007FFA83780000-0x00007FFA83E59000-memory.dmp

Filesize
6.8MB

Download