exelastealer | 3f45b4acd905e47dbc1357ec44040af6e1fcb68fd09d8bacccad0d729be1d5da

Analysis

max time kernel
283s
max time network
285s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12-08-2024 09:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ElectronV3/ElectronV3.exe
Size

11.1MB
MD5

4979832d16c1939778dca736be8e71ea
SHA1

baac87a287eb2196e007210c035b8aee30d4e7e8
SHA256

0a6f14a7712e40df040843f1dde023197159f45c234e8c2f235c8d8b986bede9
SHA512

57350dc480015767bc312cbcfd7f41d7616f81134f447c84b41923d100fedd1632fcaefa556a19dc6119cc2a972cbf11a7d06a10b4b234234e73c5e2179b9cbd
SSDEEP

196608:mpMt8FC/PANmJb3tQk5tOeNvX+wfm/pf+xfdkRAzLWK8rIWOzW0DaqkH:mMnANm7v5tRvX+9/pWFGR+LB8rIWeRaL

Score

10^/10

exelastealer collection credential_access defense_evasion discovery evasion persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4872	netsh.exe
2696	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3200	cmd.exe
4688	powershell.exe

Loads dropped DLL 32 IoCs

pid	Process
2036	ElectronV3.exe
2036	ElectronV3.exe
2036	ElectronV3.exe
2036	ElectronV3.exe
2036	ElectronV3.exe
2036	ElectronV3.exe
2036	ElectronV3.exe
2036	ElectronV3.exe
2036	ElectronV3.exe
2036	ElectronV3.exe
2036	ElectronV3.exe
2036	ElectronV3.exe
2036	ElectronV3.exe
2036	ElectronV3.exe
2036	ElectronV3.exe
2036	ElectronV3.exe
2036	ElectronV3.exe
2036	ElectronV3.exe
2036	ElectronV3.exe
2036	ElectronV3.exe
2036	ElectronV3.exe
2036	ElectronV3.exe
2036	ElectronV3.exe
2036	ElectronV3.exe
2036	ElectronV3.exe
2036	ElectronV3.exe
2036	ElectronV3.exe
2036	ElectronV3.exe
2036	ElectronV3.exe
2036	ElectronV3.exe
2036	ElectronV3.exe
2036	ElectronV3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023485-46.dat	upx
behavioral2/memory/2036-50-0x00007FFCB15F0000-0x00007FFCB1BD8000-memory.dmp	upx
behavioral2/files/0x0007000000023456-52.dat	upx
behavioral2/files/0x000700000002347f-57.dat	upx
behavioral2/files/0x000700000002347e-61.dat	upx
behavioral2/files/0x0007000000023460-80.dat	upx
behavioral2/files/0x000700000002345f-79.dat	upx
behavioral2/files/0x000700000002345d-77.dat	upx
behavioral2/files/0x0007000000023486-82.dat	upx
behavioral2/files/0x0007000000023459-84.dat	upx
behavioral2/files/0x000700000002345e-85.dat	upx
behavioral2/files/0x0007000000023487-86.dat	upx
behavioral2/memory/2036-91-0x00007FFCC1090000-0x00007FFCC10B3000-memory.dmp	upx
behavioral2/memory/2036-92-0x00007FFCC0700000-0x00007FFCC0873000-memory.dmp	upx
behavioral2/memory/2036-90-0x00007FFCC1210000-0x00007FFCC123D000-memory.dmp	upx
behavioral2/memory/2036-89-0x00007FFCC1590000-0x00007FFCC15A9000-memory.dmp	upx
behavioral2/memory/2036-88-0x00007FFCC6AC0000-0x00007FFCC6ACD000-memory.dmp	upx
behavioral2/memory/2036-87-0x00007FFCC47F0000-0x00007FFCC4809000-memory.dmp	upx
behavioral2/files/0x0007000000023454-83.dat	upx
behavioral2/files/0x000700000002345c-76.dat	upx
behavioral2/files/0x000700000002345b-75.dat	upx
behavioral2/files/0x000700000002345a-74.dat	upx
behavioral2/files/0x0007000000023458-72.dat	upx
behavioral2/files/0x0007000000023457-71.dat	upx
behavioral2/files/0x0007000000023455-70.dat	upx
behavioral2/files/0x0007000000023453-68.dat	upx
behavioral2/files/0x0007000000023452-67.dat	upx
behavioral2/files/0x0007000000023488-66.dat	upx
behavioral2/files/0x0007000000023483-63.dat	upx
behavioral2/files/0x0007000000023480-62.dat	upx
behavioral2/memory/2036-60-0x00007FFCC9720000-0x00007FFCC972F000-memory.dmp	upx
behavioral2/memory/2036-59-0x00007FFCC13A0000-0x00007FFCC13C4000-memory.dmp	upx
behavioral2/memory/2036-94-0x00007FFCC1020000-0x00007FFCC104E000-memory.dmp	upx
behavioral2/memory/2036-96-0x00007FFCC0ED0000-0x00007FFCC0F88000-memory.dmp	upx
behavioral2/memory/2036-99-0x00007FFCB0CB0000-0x00007FFCB1025000-memory.dmp	upx
behavioral2/memory/2036-102-0x00007FFCC0EB0000-0x00007FFCC0EC5000-memory.dmp	upx
behavioral2/files/0x0007000000023482-105.dat	upx
behavioral2/memory/2036-104-0x00007FFCC0E40000-0x00007FFCC0E52000-memory.dmp	upx
behavioral2/memory/2036-112-0x00007FFCB14D0000-0x00007FFCB15EC000-memory.dmp	upx
behavioral2/memory/2036-111-0x00007FFCC06E0000-0x00007FFCC06F4000-memory.dmp	upx
behavioral2/memory/2036-110-0x00007FFCC0E20000-0x00007FFCC0E34000-memory.dmp	upx
behavioral2/memory/2036-109-0x00007FFCB15F0000-0x00007FFCB1BD8000-memory.dmp	upx
behavioral2/files/0x000700000002348a-113.dat	upx
behavioral2/memory/2036-115-0x00007FFCC13A0000-0x00007FFCC13C4000-memory.dmp	upx
behavioral2/memory/2036-116-0x00007FFCBE830000-0x00007FFCBE852000-memory.dmp	upx
behavioral2/files/0x0007000000023462-117.dat	upx
behavioral2/memory/2036-119-0x00007FFCC06C0000-0x00007FFCC06D7000-memory.dmp	upx
behavioral2/memory/2036-121-0x00007FFCC47F0000-0x00007FFCC4809000-memory.dmp	upx
behavioral2/memory/2036-123-0x00007FFCC1090000-0x00007FFCC10B3000-memory.dmp	upx
behavioral2/files/0x0007000000023464-122.dat	upx
behavioral2/memory/2036-126-0x00007FFCC0700000-0x00007FFCC0873000-memory.dmp	upx
behavioral2/memory/2036-127-0x00007FFCB1400000-0x00007FFCB14CF000-memory.dmp	upx
behavioral2/files/0x0007000000023463-128.dat	upx
behavioral2/files/0x000700000002347d-137.dat	upx
behavioral2/memory/2036-141-0x00007FFCC16C0000-0x00007FFCC16CA000-memory.dmp	upx
behavioral2/memory/2036-140-0x00007FFCB0CB0000-0x00007FFCB1025000-memory.dmp	upx
behavioral2/files/0x000700000002347b-142.dat	upx
behavioral2/memory/2036-145-0x00007FFCB01D0000-0x00007FFCB0971000-memory.dmp	upx
behavioral2/memory/2036-146-0x00007FFCC0EB0000-0x00007FFCC0EC5000-memory.dmp	upx
behavioral2/memory/2036-144-0x00007FFCBAD90000-0x00007FFCBADAE000-memory.dmp	upx
behavioral2/memory/2036-135-0x00007FFCC0ED0000-0x00007FFCC0F88000-memory.dmp	upx
behavioral2/memory/2036-134-0x00007FFCB7B30000-0x00007FFCB7B7D000-memory.dmp	upx
behavioral2/memory/2036-133-0x00007FFCBB770000-0x00007FFCBB781000-memory.dmp	upx
behavioral2/memory/2036-132-0x00007FFCC1020000-0x00007FFCC104E000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
38	discord.com
39	discord.com
40	discord.com
41	discord.com
42	discord.com
43	discord.com

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
28	ip-api.com
538	api.ipify.org
540	api.ipify.org
541	api.ipify.org
550	api.ipify.org
763	api.ipify.org

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
1460	cmd.exe
1564	ARP.EXE

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
1704	tasklist.exe
4372	tasklist.exe
1752	tasklist.exe
2212	tasklist.exe
3264	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4560	cmd.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1372	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1968	cmd.exe
3040	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
2800	NETSTAT.EXE

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
1980	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4340	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3692	ipconfig.exe
2800	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4880	systeminfo.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	firefox.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
4688	powershell.exe
4688	powershell.exe
4688	powershell.exe
2168	chrome.exe
2168	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4340	WMIC.exe
Token: SeSecurityPrivilege	4340	WMIC.exe
Token: SeTakeOwnershipPrivilege	4340	WMIC.exe
Token: SeLoadDriverPrivilege	4340	WMIC.exe
Token: SeSystemProfilePrivilege	4340	WMIC.exe
Token: SeSystemtimePrivilege	4340	WMIC.exe
Token: SeProfSingleProcessPrivilege	4340	WMIC.exe
Token: SeIncBasePriorityPrivilege	4340	WMIC.exe
Token: SeCreatePagefilePrivilege	4340	WMIC.exe
Token: SeBackupPrivilege	4340	WMIC.exe
Token: SeRestorePrivilege	4340	WMIC.exe
Token: SeShutdownPrivilege	4340	WMIC.exe
Token: SeDebugPrivilege	4340	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4340	WMIC.exe
Token: SeRemoteShutdownPrivilege	4340	WMIC.exe
Token: SeUndockPrivilege	4340	WMIC.exe
Token: SeManageVolumePrivilege	4340	WMIC.exe
Token: 33	4340	WMIC.exe
Token: 34	4340	WMIC.exe
Token: 35	4340	WMIC.exe
Token: 36	4340	WMIC.exe
Token: SeDebugPrivilege	1752	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1060	WMIC.exe
Token: SeSecurityPrivilege	1060	WMIC.exe
Token: SeTakeOwnershipPrivilege	1060	WMIC.exe
Token: SeLoadDriverPrivilege	1060	WMIC.exe
Token: SeSystemProfilePrivilege	1060	WMIC.exe
Token: SeSystemtimePrivilege	1060	WMIC.exe
Token: SeProfSingleProcessPrivilege	1060	WMIC.exe
Token: SeIncBasePriorityPrivilege	1060	WMIC.exe
Token: SeCreatePagefilePrivilege	1060	WMIC.exe
Token: SeBackupPrivilege	1060	WMIC.exe
Token: SeRestorePrivilege	1060	WMIC.exe
Token: SeShutdownPrivilege	1060	WMIC.exe
Token: SeDebugPrivilege	1060	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1060	WMIC.exe
Token: SeRemoteShutdownPrivilege	1060	WMIC.exe
Token: SeUndockPrivilege	1060	WMIC.exe
Token: SeManageVolumePrivilege	1060	WMIC.exe
Token: 33	1060	WMIC.exe
Token: 34	1060	WMIC.exe
Token: 35	1060	WMIC.exe
Token: 36	1060	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4340	WMIC.exe
Token: SeSecurityPrivilege	4340	WMIC.exe
Token: SeTakeOwnershipPrivilege	4340	WMIC.exe
Token: SeLoadDriverPrivilege	4340	WMIC.exe
Token: SeSystemProfilePrivilege	4340	WMIC.exe
Token: SeSystemtimePrivilege	4340	WMIC.exe
Token: SeProfSingleProcessPrivilege	4340	WMIC.exe
Token: SeIncBasePriorityPrivilege	4340	WMIC.exe
Token: SeCreatePagefilePrivilege	4340	WMIC.exe
Token: SeBackupPrivilege	4340	WMIC.exe
Token: SeRestorePrivilege	4340	WMIC.exe
Token: SeShutdownPrivilege	4340	WMIC.exe
Token: SeDebugPrivilege	4340	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4340	WMIC.exe
Token: SeRemoteShutdownPrivilege	4340	WMIC.exe
Token: SeUndockPrivilege	4340	WMIC.exe
Token: SeManageVolumePrivilege	4340	WMIC.exe
Token: 33	4340	WMIC.exe
Token: 34	4340	WMIC.exe
Token: 35	4340	WMIC.exe
Token: 36	4340	WMIC.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe

Suspicious use of SendNotifyMessage 54 IoCs

pid	Process
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
2168	chrome.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe
1108	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 2036	5036	ElectronV3.exe	84
PID 5036 wrote to memory of 2036	5036	ElectronV3.exe	84
PID 2036 wrote to memory of 2880	2036	ElectronV3.exe	88
PID 2036 wrote to memory of 2880	2036	ElectronV3.exe	88
PID 2036 wrote to memory of 2736	2036	ElectronV3.exe	91
PID 2036 wrote to memory of 2736	2036	ElectronV3.exe	91
PID 2036 wrote to memory of 4072	2036	ElectronV3.exe	92
PID 2036 wrote to memory of 4072	2036	ElectronV3.exe	92
PID 2036 wrote to memory of 4760	2036	ElectronV3.exe	94
PID 2036 wrote to memory of 4760	2036	ElectronV3.exe	94
PID 2036 wrote to memory of 460	2036	ElectronV3.exe	95
PID 2036 wrote to memory of 460	2036	ElectronV3.exe	95
PID 2736 wrote to memory of 4340	2736	cmd.exe	99
PID 2736 wrote to memory of 4340	2736	cmd.exe	99
PID 460 wrote to memory of 1752	460	cmd.exe	100
PID 460 wrote to memory of 1752	460	cmd.exe	100
PID 4072 wrote to memory of 1060	4072	cmd.exe	101
PID 4072 wrote to memory of 1060	4072	cmd.exe	101
PID 2036 wrote to memory of 3048	2036	ElectronV3.exe	103
PID 2036 wrote to memory of 3048	2036	ElectronV3.exe	103
PID 3048 wrote to memory of 4360	3048	cmd.exe	105
PID 3048 wrote to memory of 4360	3048	cmd.exe	105
PID 2036 wrote to memory of 752	2036	ElectronV3.exe	106
PID 2036 wrote to memory of 752	2036	ElectronV3.exe	106
PID 2036 wrote to memory of 1536	2036	ElectronV3.exe	107
PID 2036 wrote to memory of 1536	2036	ElectronV3.exe	107
PID 752 wrote to memory of 2260	752	cmd.exe	110
PID 752 wrote to memory of 2260	752	cmd.exe	110
PID 1536 wrote to memory of 2212	1536	cmd.exe	111
PID 1536 wrote to memory of 2212	1536	cmd.exe	111
PID 2036 wrote to memory of 4560	2036	ElectronV3.exe	112
PID 2036 wrote to memory of 4560	2036	ElectronV3.exe	112
PID 4560 wrote to memory of 4520	4560	cmd.exe	114
PID 4560 wrote to memory of 4520	4560	cmd.exe	114
PID 2036 wrote to memory of 4184	2036	ElectronV3.exe	115
PID 2036 wrote to memory of 4184	2036	ElectronV3.exe	115
PID 2036 wrote to memory of 864	2036	ElectronV3.exe	116
PID 2036 wrote to memory of 864	2036	ElectronV3.exe	116
PID 4184 wrote to memory of 3396	4184	cmd.exe	119
PID 4184 wrote to memory of 3396	4184	cmd.exe	119
PID 864 wrote to memory of 3264	864	cmd.exe	120
PID 864 wrote to memory of 3264	864	cmd.exe	120
PID 2036 wrote to memory of 3512	2036	ElectronV3.exe	121
PID 2036 wrote to memory of 3512	2036	ElectronV3.exe	121
PID 2036 wrote to memory of 4872	2036	ElectronV3.exe	122
PID 2036 wrote to memory of 4872	2036	ElectronV3.exe	122
PID 2036 wrote to memory of 2044	2036	ElectronV3.exe	123
PID 2036 wrote to memory of 2044	2036	ElectronV3.exe	123
PID 2036 wrote to memory of 3200	2036	ElectronV3.exe	124
PID 2036 wrote to memory of 3200	2036	ElectronV3.exe	124
PID 3200 wrote to memory of 4688	3200	cmd.exe	131
PID 3200 wrote to memory of 4688	3200	cmd.exe	131
PID 4872 wrote to memory of 1564	4872	cmd.exe	132
PID 4872 wrote to memory of 1564	4872	cmd.exe	132
PID 3512 wrote to memory of 2800	3512	cmd.exe	133
PID 3512 wrote to memory of 2800	3512	cmd.exe	133
PID 2044 wrote to memory of 1704	2044	cmd.exe	134
PID 2044 wrote to memory of 1704	2044	cmd.exe	134
PID 1564 wrote to memory of 3484	1564	cmd.exe	135
PID 1564 wrote to memory of 3484	1564	cmd.exe	135
PID 2800 wrote to memory of 1832	2800	cmd.exe	136
PID 2800 wrote to memory of 1832	2800	cmd.exe	136
PID 2036 wrote to memory of 1968	2036	ElectronV3.exe	137
PID 2036 wrote to memory of 1968	2036	ElectronV3.exe	137

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4520	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ElectronV3\ElectronV3.exe
"C:\Users\Admin\AppData\Local\Temp\ElectronV3\ElectronV3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Users\Admin\AppData\Local\Temp\ElectronV3\ElectronV3.exe
  "C:\Users\Admin\AppData\Local\Temp\ElectronV3\ElectronV3.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:2880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2736
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:4340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4072
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:4760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:460
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      PID:4360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:752
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1536
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:4560
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Views/modifies file attributes
      PID:4520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4184
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:3396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:864
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:3264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3512
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:1832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4872
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1564
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:3484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:3200
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:4688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1968
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    PID:1460
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4880
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:2832
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      PID:1980
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:2672
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:4492
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:1064
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:404
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:3800
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:1996
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:4692
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:4828
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:1524
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:4236
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:3308
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:4500
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:4864
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:4372
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:3692
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:3384
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:1564
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:2800
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:1372
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4872
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5064
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1464
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:444

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcc0a1cc40,0x7ffcc0a1cc4c,0x7ffcc0a1cc58
  2⤵
  PID:4380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1844,i,16434153671546085989,10464250732945621008,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1840 /prefetch:2
  2⤵
  PID:2652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2200,i,16434153671546085989,10464250732945621008,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  PID:2380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2292,i,16434153671546085989,10464250732945621008,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2432 /prefetch:8
  2⤵
  PID:720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3188,i,16434153671546085989,10464250732945621008,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:1704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3444,i,16434153671546085989,10464250732945621008,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4576,i,16434153671546085989,10464250732945621008,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4564 /prefetch:1
  2⤵
  PID:4592

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1480

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1640
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2000 -parentBuildID 20240401114208 -prefsHandle 1928 -prefMapHandle 1920 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e9147bd-22fb-4c65-b8c5-88bc39f1c0d6} 1108 "\\.\pipe\gecko-crash-server-pipe.1108" gpu
    3⤵
    PID:424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2412 -parentBuildID 20240401114208 -prefsHandle 2388 -prefMapHandle 2384 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {16909a33-379b-4aa3-9742-9bf5d5e51b52} 1108 "\\.\pipe\gecko-crash-server-pipe.1108" socket
    3⤵
    - Checks processor information in registry
    PID:3860
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2856 -childID 1 -isForBrowser -prefsHandle 2956 -prefMapHandle 2972 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e37edb1-8fd4-419f-a0c1-4f25d228d436} 1108 "\\.\pipe\gecko-crash-server-pipe.1108" tab
    3⤵
    PID:4480
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4164 -childID 2 -isForBrowser -prefsHandle 4156 -prefMapHandle 4152 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {69f97323-611d-4dd8-bd1d-76cd900beb57} 1108 "\\.\pipe\gecko-crash-server-pipe.1108" tab
    3⤵
    PID:1132
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4752 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4840 -prefMapHandle 4848 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97a59597-1d2c-4495-80cd-aab3efac4fa2} 1108 "\\.\pipe\gecko-crash-server-pipe.1108" utility
    3⤵
    - Checks processor information in registry
    PID:5324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5304 -childID 3 -isForBrowser -prefsHandle 5236 -prefMapHandle 5048 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0d1c98fd-f13e-4c72-982b-bb0489460cc2} 1108 "\\.\pipe\gecko-crash-server-pipe.1108" tab
    3⤵
    PID:5692
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5212 -childID 4 -isForBrowser -prefsHandle 5428 -prefMapHandle 5432 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f10130de-b918-4ce2-b76e-422e97c12b74} 1108 "\\.\pipe\gecko-crash-server-pipe.1108" tab
    3⤵
    PID:5704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5600 -childID 5 -isForBrowser -prefsHandle 5608 -prefMapHandle 5612 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79758c7d-ca3d-43a1-9562-9a6768704d69} 1108 "\\.\pipe\gecko-crash-server-pipe.1108" tab
    3⤵
    PID:5716
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6120 -childID 6 -isForBrowser -prefsHandle 6112 -prefMapHandle 6108 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {36f9ec9d-ab99-48ca-a52e-f699dcf7a947} 1108 "\\.\pipe\gecko-crash-server-pipe.1108" tab
    3⤵
    PID:2120
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5300 -childID 7 -isForBrowser -prefsHandle 4852 -prefMapHandle 5408 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f01721ab-16ab-4588-af13-b13e8ed50d11} 1108 "\\.\pipe\gecko-crash-server-pipe.1108" tab
    3⤵
    PID:4292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6240 -childID 8 -isForBrowser -prefsHandle 4596 -prefMapHandle 5812 -prefsLen 27998 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4228bd1e-c737-45fa-a9ac-0042c330d843} 1108 "\\.\pipe\gecko-crash-server-pipe.1108" tab
    3⤵
    PID:848
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5600 -parentBuildID 20240401114208 -prefsHandle 4440 -prefMapHandle 4500 -prefsLen 30532 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {203cb066-d102-497b-bac7-b1bf2215948a} 1108 "\\.\pipe\gecko-crash-server-pipe.1108" rdd
    3⤵
    PID:5072
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4480 -parentBuildID 20240401114208 -sandboxingKind 1 -prefsHandle 6688 -prefMapHandle 4440 -prefsLen 30532 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7f1d3cc-44ee-4b4c-90c3-8407434521c4} 1108 "\\.\pipe\gecko-crash-server-pipe.1108" utility
    3⤵
    - Checks processor information in registry
    PID:3900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7184 -childID 9 -isForBrowser -prefsHandle 5400 -prefMapHandle 7212 -prefsLen 28040 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1189a4c-2efe-46e6-97fb-169bb99a7f6b} 1108 "\\.\pipe\gecko-crash-server-pipe.1108" tab
    3⤵
    PID:5788
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7320 -childID 10 -isForBrowser -prefsHandle 7396 -prefMapHandle 7392 -prefsLen 28040 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b88ba04d-29c0-4446-8af1-7882248ff723} 1108 "\\.\pipe\gecko-crash-server-pipe.1108" tab
    3⤵
    PID:5780
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7520 -childID 11 -isForBrowser -prefsHandle 7472 -prefMapHandle 7312 -prefsLen 28040 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8c63b266-6f3f-4050-baf4-a6fae439f5e4} 1108 "\\.\pipe\gecko-crash-server-pipe.1108" tab
    3⤵
    PID:5684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7588 -childID 12 -isForBrowser -prefsHandle 6588 -prefMapHandle 6604 -prefsLen 28040 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2d5deba0-3542-4e18-b992-fcd628193c39} 1108 "\\.\pipe\gecko-crash-server-pipe.1108" tab
    3⤵
    PID:180
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6176 -childID 13 -isForBrowser -prefsHandle 6200 -prefMapHandle 6212 -prefsLen 28040 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a1afbd0-93e2-4f25-8808-12c7e27dd476} 1108 "\\.\pipe\gecko-crash-server-pipe.1108" tab
    3⤵
    PID:5680
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6256 -childID 14 -isForBrowser -prefsHandle 2548 -prefMapHandle 6600 -prefsLen 28090 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e9358206-2375-4baa-b87b-1dafd02f9dc0} 1108 "\\.\pipe\gecko-crash-server-pipe.1108" tab
    3⤵
    PID:5560
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6208 -childID 15 -isForBrowser -prefsHandle 6956 -prefMapHandle 7756 -prefsLen 28334 -prefMapSize 244658 -jsInitHandle 1312 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd64ca93-46ae-4c4a-aa74-7dc50e5d3d58} 1108 "\\.\pipe\gecko-crash-server-pipe.1108" tab
    3⤵
    PID:4904

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x404 0x3f0
1⤵
PID:5580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
dc7a48b20391390b77d775798897aa47

SHA1
8971101f151f22d152f512f46364c43e406e6b25

SHA256
0fc97bcb2174588ce3c0a9955653f61db21a0bf96988b4dd19dff6f911071e1b

SHA512
c4d73e375b173313e7c6a180e5f06413ef163b90415da42bcb200fc5dab8b9afca0a9ccaee8d00b06203b88bacd9c28b68dbd14b889b5d2384f0ae5b540a6edc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
fd531b7307d12d48bda8412ee73afec8

SHA1
252d9e6b7a7e822bc1175b87803c176781a57299

SHA256
7a3abfc6df240cc635ba7b6cb0805fdafbe2a20a92a41d406a56984c37efd07e

SHA512
0bd4e09cff3acb4f860d5029c31c07cb9a487b433dee152fe9143a3af8c306f6ffc0a9c948c702dcbcefa6b62eaf21ee8ee6548188127e3b22245fd952612e87

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
5dbfc7f7e4a3ffcfb5eaf67dadcbe6c8

SHA1
508eb0322efc96cb57022fdf0304d3a6bd1ba93e

SHA256
d5b0862e522d16c10b8b12abc8e50579b90da9bb09d2ca1a8632e302babd3553

SHA512
9908dab9a449b0be6b7ff11d042927eb419d39d60d4a892c83e42e0d102d7ea1a3a13cf0a1ff9a638a5ec92d77b35927d804ebe8043cd9977daa5ab659d48b26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
c837cb1e3c85ef7b3742f45351036b70

SHA1
a229e73a4340a356012426fa0592548d0321a0df

SHA256
56d5df16eeae9ee974edf6f445cf6d55fef72764b8ea47830857c233cf535581

SHA512
7fa7ca1c5eb623fa5224891a23302865ec3c7c1c601458137a4ff20a02647fca1a10c14a956ca5dbf6dba8ffd0ae98bc766e2eb92201e7598b1c73024334fa1c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\activity-stream.discovery_stream.json

Filesize
42KB

MD5
4fb2f94f257bfccafeaa13d80dd60f49

SHA1
581706b3cefaa0ff671809f0dd3d9b3f4f4df9ad

SHA256
7d5ac0f7129fe6e3b69318eb2360d4c4c270756f10f026b935679a0469d97331

SHA512
d694e0246c4577fe57e289d7d8482a2ae822ea74421ab2c57c5a2852d34a267e33902e49d94cb2b6a3f0b2da2818b2894d71fd594c62d9c87991579bc9351ed5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\cache2\doomed\27461

Filesize
16KB

MD5
3e59e4c652af723151331635ff84eb00

SHA1
d00ab34ae4a400df820015b5b0e9cf2504ac684d

SHA256
5a9f3502cb9c250b3df5956c6e291ef77b2a51af17c8cc5325d2fb5d989f3de1

SHA512
005d5f9aea18046f675fcb0c25227e191c51bb03806520bc1e6083e6f9092f27964466812d62dcd3cbdfd1f163d464adae5ad39f60b3c1387b4cc008a8f9a8ab

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\cache2\entries\03D3824C19A5C27E142D034D4C7DE4FDFB8F1430

Filesize
139KB

MD5
bb922ef51a99ae9ddcc2b64fdeb56dac

SHA1
06bfc3924380ed6668cce02a9319330579972cd1

SHA256
f4e6038bfbc5f870c5b5ec26776c57e2dc2cda41727a34dcb230dd0d77a217cf

SHA512
4bc4c5b933a501800c0b80870f44307dac138b3074319b4fb5b04370e9b6be7a4ddb0996d9d23a06d8e5f2d650b61e7ee854a7d038e29b103edec9cb17077989

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\cache2\entries\13A2ACFC0427FB282C34060AC5F4E7F753C72AE2

Filesize
60KB

MD5
917ee4e987c3a919419c6342126990c6

SHA1
d720bea3da97187315eeb50dc0f49147ca27a707

SHA256
63defe6e5ae1d091fd9de78042aeb7ffa90fb83dca6328658a13e3c1f5daace7

SHA512
2d80fcac9d01f64f2b9efd08dbc5049264a71690af98544f525e6458e2b2d85b9780d9fb08b1b0c3b7795501977de1c13c0dee40612db50b0a872fd4bcac019e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\cache2\entries\165DF938F3237C2FF1B5C665EC434411BAF79425

Filesize
73KB

MD5
899c2563fc9de2f78240f39f0c00d132

SHA1
311200c920dc4747342a2dcb5cac75631f8a7b3a

SHA256
4ad4dbf36777405a251836544e9744df9828a7ff6f7e62e38d450f25eb2be747

SHA512
a230daf5016aa83aca65a64325f8632eaf0f9d36f2a7a9869d35e6015c6f68bc1e261cee13c7461275fcaf716b83e258ad7702db06882b87258dd2961b137faa

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\cache2\entries\3105B23AD4C353AC6DB41B3D28453F447895A24A

Filesize
16KB

MD5
55401cd5edda59300b2641bc04568ff1

SHA1
f0c209d77cb0a0f596744ae9386beb0d6ef63127

SHA256
54602099a753f42817b7ab2b6ad3a35088cd555b616c76ba333f2e58880eeb08

SHA512
c01c1aafeda8a4da1dde320cf7fe89c0513d2d64e5ab2409a5cd14952a95eda5b209cb38056926d60eba07625f73df3ff1a2ccca35612538f9c2e40ecfe8401e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\cache2\entries\375B719C97CC787CAE4965B6560AF0FCA079FC53

Filesize
2.0MB

MD5
fcd52dc3631eb3c2221f4d4ddbac552f

SHA1
8cf5c430cb453ad50fccab158a727d0edae85693

SHA256
454418b50c0193f6b93f9a3928aa1996b7ef643c336b7b838d229630b33fb14b

SHA512
cb1bb157c394ff698e2f714b1024df1563e7e81273e15fa0effbb5699db531f8ec797d5bca61c73b19f238cdc30115314986e61b4e631ca399fbecd48e2d00db

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\cache2\entries\8999BC8CB7B8114B87D8185D8CE1BBF1E6377016

Filesize
219KB

MD5
e746ef74ed4322a13d6580df4a55563b

SHA1
1f5f51cdfddc02e8544ff05da02a3640110993ec

SHA256
6854a2b8bb9d3b14dd752dd35102da41f2bb75d75bcc35fbb8e4a74f4eea0927

SHA512
68fa3a5427d64d5308c2076158d609eb67358d2f1eeec0aef62f99c8a53b7f425ae21edd407d986229d2e7ac1a5d0d7055d2d73f422816ee06b3fb3f2d92bbde

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\_asyncio.pyd

Filesize
34KB

MD5
1b8ce772a230a5da8cbdccd8914080a5

SHA1
40d4faf1308d1af6ef9f3856a4f743046fd0ead5

SHA256
fa5a1e7031de5849ab2ab5a177e366b41e1df6bbd90c8d2418033a01c740771f

SHA512
d2fc21b9f58b57065b337c3513e7e6c3e2243b73c5a230e81c91dafcb6724b521ad766667848ba8d0a428d530691ffc4020de6ce9ce1eaa2bf5e15338114a603

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\_brotli.cp311-win_amd64.pyd

Filesize
274KB

MD5
22a42d16bc447746b0845c637ac70128

SHA1
546af128ff40982c487e747a19aafd825cf1120d

SHA256
c0a4f520f06425500d07ead20fb8c9aaff4b9efb9c771725bbd94bc018cc4dfa

SHA512
8259104d9fb8f1045037755af661b942a42432ad255c709f11e42cf215feffcc2ee160c6884cb2cc7256ea55409c362352bc09219bf54c77dbc0a72a487093de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\_bz2.pyd

Filesize
46KB

MD5
80c69a1d87f0c82d6c4268e5a8213b78

SHA1
bae059da91d48eaac4f1bb45ca6feee2c89a2c06

SHA256
307359f1b2552b60839385eb63d74cbfe75cd5efdb4e7cd0bb7d296fa67d8a87

SHA512
542cf4ba19dd6a91690340779873e0cb8864b28159f55917f98a192ff9c449aba2d617e9b2b3932ddfeee13021706577ab164e5394e0513fe4087af6bc39d40d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\_cffi_backend.cp311-win_amd64.pyd

Filesize
71KB

MD5
2443ecaddfe40ee5130539024324e7fc

SHA1
ea74aaf7848de0a078a1510c3430246708631108

SHA256
9a5892ac0cd00c44cd7744d60c9459f302d5984ddb395caea52e4d8fd9bca2da

SHA512
5896af78cf208e1350cf2c31f913aa100098dd1cf4bae77cd2a36ec7695015986ec9913df8d2ebc9992f8f7d48bba102647dc5ee7f776593ae7be36f46bd5c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\_ctypes.pyd

Filesize
57KB

MD5
b4c41a4a46e1d08206c109ce547480c7

SHA1
9588387007a49ec2304160f27376aedca5bc854d

SHA256
9925ab71a4d74ce0ccc036034d422782395dd496472bd2d7b6d617f4d6ddc1f9

SHA512
30debb8e766b430a57f3f6649eeb04eb0aad75ab50423252585db7e28a974d629eb81844a05f5cb94c1702308d3feda7a7a99cb37458e2acb8e87efc486a1d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\_decimal.pyd

Filesize
104KB

MD5
e9501519a447b13dcca19e09140c9e84

SHA1
472b1aa072454d065dfe415a05036ffd8804c181

SHA256
6b5fe2dea13b84e40b0278d1702aa29e9e2091f9dc09b64bbff5fd419a604c3c

SHA512
ef481e0e4f9b277642652cd090634e1c04702df789e2267a87205e0fe12b00f1de6cdd4fafb51da01efa726606c0b57fcb2ea373533c772983fc4777dc0acc63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\_hashlib.pyd

Filesize
33KB

MD5
0629bdb5ff24ce5e88a2ddcede608aee

SHA1
47323370992b80dafb6f210b0d0229665b063afb

SHA256
f404bb8371618bbd782201f092a3bcd7a96d3c143787ebea1d8d86ded1f4b3b8

SHA512
3faeff1a19893257c17571b89963af37534c189421585ea03dd6a3017d28803e9d08b0e4daceee01ffeda21da60e68d10083fe7dbdbbde313a6b489a40e70952

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\_lzma.pyd

Filesize
84KB

MD5
bfca96ed7647b31dd2919bedebb856b8

SHA1
7d802d5788784f8b6bfbb8be491c1f06600737ac

SHA256
032b1a139adcff84426b6e156f9987b501ad42ecfb18170b10fb54da0157392e

SHA512
3a2926b79c90c3153c88046d316a081c8ddfb181d5f7c849ea6ae55cb13c6adba3a0434f800c4a30017d2fbab79d459432a2e88487914b54a897c4301c778551

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\_multiprocessing.pyd

Filesize
25KB

MD5
849b4203c5f9092db9022732d8247c97

SHA1
ed7bd0d6dcdcfa07f754b98acf44a7cfe5dcb353

SHA256
45bfbab1d2373cf7a8af19e5887579b8a306b3ad0c4f57e8f666339177f1f807

SHA512
cc618b4fc918b423e5dbdcbc45206653133df16bf2125fd53bafef8f7850d2403564cf80f8a5d4abb4a8928ff1262f80f23c633ea109a18556d1871aff81cd39

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\_overlapped.pyd

Filesize
30KB

MD5
97a40f53a81c39469cc7c8dd00f51b5d

SHA1
6c3916fe42e7977d8a6b53bfbc5a579abcf22a83

SHA256
11879a429c996fee8be891af2bec7d00f966593f1e01ca0a60bd2005feb4176f

SHA512
02af654ab73b6c8bf15a81c0e9071c8faf064c529b1439a2ab476e1026c860cf7d01472945112d4583e5da8e4c57f1df2700331440be80066dbb6a7e89e1c5af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\_queue.pyd

Filesize
24KB

MD5
0614691624f99748ef1d971419bdb80d

SHA1
39c52450ed7e31e935b5b0e49d03330f2057747d

SHA256
ac7972502144e9e01e53001e8eec3fc9ab063564678b784d024da2036ba7384d

SHA512
184bc172c7bb8a1fb55c4c23950cbe5e0b5a3c96c1c555ed8476edf79c5c729ed297112ee01b45d771e5c0055d2dc402b566967d1900b5abf683ee8e668c5b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\_socket.pyd

Filesize
41KB

MD5
04e7eb0b6861495233247ac5bb33a89a

SHA1
c4d43474e0b378a00845cca044f68e224455612a

SHA256
7efe25284a4663df9458603bf0988b0f47c7dcf56119e3e853e6bda80831a383

SHA512
d4ea0484363edf284ac08a1c3356cc3112d410dd80fe5010c1777acf88dbd830e9f668b593e252033d657a3431a79f7b68d09eb071d0c2ceb51632dbe9b8ed97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\_sqlite3.pyd

Filesize
54KB

MD5
d9eeeeacc3a586cf2dbf6df366f6029e

SHA1
4ff9fb2842a13e9371ce7894ec4fe331b6af9219

SHA256
67649e1e8acd348834efb2c927ab6a7599cf76b2c0c0a50b137b3be89c482e29

SHA512
0b9f1d80fb92c796682dba94a75fbce0e4fbeaedccd50e21d42d4b9366463a830109a8cd4300aa62b41910655f8ca96ecc609ea8a1b84236250b6fd08c965830

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\_ssl.pyd

Filesize
60KB

MD5
fd0f4aed22736098dc146936cbf0ad1d

SHA1
e520def83b8efdbca9dd4b384a15880b036ee0cf

SHA256
50404a6a3de89497e9a1a03ff3df65c6028125586dced1a006d2abb9009a9892

SHA512
c8f3c04d87da19041f28e1d474c8eb052fe8c03ffd88f0681ef4a2ffe29755cfd5b9c100a1b1d2fdb233cb0f70e367af500cbd3cd4ce77475f441f2b2aa0ab8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\_uuid.pyd

Filesize
21KB

MD5
3377ae26c2987cfee095dff160f2c86c

SHA1
0ca6aa60618950e6d91a7dea530a65a1cdf16625

SHA256
9534cb9c997a17f0004fb70116e0141bdd516373b37bbd526d91ad080daa3a2b

SHA512
8e408b84e2130ff48b8004154d1bdf6a08109d0b40f9fafb6f55e9f215e418e05dca819f411c802792a9d9936a55d6b90460121583e5568579a0fda6935852ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\aiohttp\_helpers.cp311-win_amd64.pyd

Filesize
26KB

MD5
580df94471407eb0eabe4f1bdb7645d5

SHA1
049b6518f159c02b0a3584c86ed78c31fe84b2aa

SHA256
83fddc339f13339aa17f872a17816b84f535b873b07500f9892ec105be0d6beb

SHA512
3fc02b48154120d93e85baa2e6ff4e4f728f06e7173c552c4fdb55a731fe506494cb4e9e33d1054876a1db59cf796c3a98c5bedbfcbba781e37a5d5074472b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\aiohttp\_http_parser.cp311-win_amd64.pyd

Filesize
80KB

MD5
1286f2b36ee759286a25ba58348ad300

SHA1
9d9448da7f20061431b3a261bef0f1b9fc5dd871

SHA256
c523606610296699a05b83cc3ab4c5eeb4a74596e4166f83a1405c89b4229244

SHA512
8bf9e78ec7755e6ee70257f2be006da854fac1f3fa3a4808f929319fecaef2bcf7355aedbabfdb5569e4b185356bd3be5b7a1c0085cfb3c2a2726034a9f7c9ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\aiohttp\_http_writer.cp311-win_amd64.pyd

Filesize
24KB

MD5
b45a1db267ace9925422eb13a3f721d2

SHA1
83b8a6318f0f3f820fb0a6abf7b8e8bd4d09af19

SHA256
41085f597a17954b38b72e52c5c61cd605293bcaaed65964a317a5773b5d264d

SHA512
2bc5fb4ae64dd0c5465e8a7dcc8b3bca909e68b5a877f2084124a254215d0e1a65692519323def87a47fd71d76913d2c19904c417326f50254c04a2f8b15d935

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\aiohttp\_websocket.cp311-win_amd64.pyd

Filesize
20KB

MD5
031388d797d6bef0f9b1799b78f9398c

SHA1
cfbfe488e93a3881fb3fd53888c619aa001ad4cc

SHA256
8db41f035b34e3ddfd1c6361c25b73949d92f8e74f55fef075f7945852ca6266

SHA512
609202958836d5b39472bec86ee9d25d4d5d57b386aab1b7d78e0ac54061fc72ecc190c62deb55f159664db20f7973932d8f380a934baa1cc903776da5694c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\base_library.zip

Filesize
1.4MB

MD5
83d235e1f5b0ee5b0282b5ab7244f6c4

SHA1
629a1ce71314d7abbce96674a1ddf9f38c4a5e9c

SHA256
db389a9e14bfac6ee5cce17d41f9637d3ff8b702cc74102db8643e78659670a0

SHA512
77364aff24cfc75ee32e50973b7d589b4a896d634305d965ecbc31a9e0097e270499dbec93126092eb11f3f1ad97692db6ca5927d3d02f3d053336d6267d7e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\cryptography\hazmat\bindings\_rust.pyd

Filesize
2.1MB

MD5
073606ea92928af7b2863782c0114949

SHA1
ec7b4dbf415af6a071a6ca3a0d4f4a0cf544515c

SHA256
9be10e3f170875a5b3e403f29d7241bf64957c01bfcae3504f5576578183610a

SHA512
5cd48348b475c9de7c2c8d85f36a1f8cf63ee5ee2bde60e2e5a1026f0e877b4c686ad07ab37c8ae37b46b719233b28aa699ce5a2fedd0247c7607da6e519a11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\frozenlist\_frozenlist.cp311-win_amd64.pyd

Filesize
35KB

MD5
15b0df96344baf6a4c72766721943e52

SHA1
a3666e88594d1ec97de23b9242f346c43a34c070

SHA256
abb6f497003738db2407b01dfa0abc61f6bc7fdb2452c52f76ab11f5430d844f

SHA512
4fbf295d0882646b8c4b3284f11331fb12767fd1404d78d3e4d88a434896058c2df05dd1a2d9c8ce696d2d3aad8c7251d00d95c399df2e8c11bb319f87a4385e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\libcrypto-1_1.dll

Filesize
1.1MB

MD5
86cfc84f8407ab1be6cc64a9702882ef

SHA1
86f3c502ed64df2a5e10b085103c2ffc9e3a4130

SHA256
11b89cc5531b2a6b89fbbb406ebe8fb01f0bf789e672131b0354e10f9e091307

SHA512
b33f59497127cb1b4c1781693380576187c562563a9e367ce8abc14c97c51053a28af559cdd8bd66181012083e562c8a8771e3d46adeba269a848153a8e9173c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\libffi-8.dll

Filesize
24KB

MD5
decbba3add4c2246928ab385fb16a21e

SHA1
5f019eff11de3122ffa67a06d52d446a3448b75e

SHA256
4b43c1e42f6050ddb8e184c8ec4fb1de4a6001e068ece8e6ad47de0cc9fd4a2d

SHA512
760a42a3eb3ca13fa7b95d3bd0f411c270594ae3cf1d3cda349fa4f8b06ebe548b60cd438d68e2da37de0bc6f1c711823f5e917da02ed7047a45779ee08d7012

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\libssl-1_1.dll

Filesize
203KB

MD5
6cd33578bc5629930329ca3303f0fae1

SHA1
f2f8e3248a72f98d27f0cfa0010e32175a18487f

SHA256
4150ee603ad2da7a6cb6a895cb5bd928e3a99af7e73c604de1fc224e0809fdb0

SHA512
c236a6ccc8577c85509d378c1ef014621cab6f6f4aa26796ff32d8eec8e98ded2e55d358a7d236594f7a48646dc2a6bf25b42a37aed549440d52873ebca4713e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\multidict\_multidict.cp311-win_amd64.pyd

Filesize
20KB

MD5
eeaded775eabfaaede5ca025f55fd273

SHA1
8eefb3b9d85b4d5ad4033308f8af2a24e8792e02

SHA256
db4d6a74a3301788d32905b2ccc525e9a8e2219f1a36924464871cf211f115a0

SHA512
a6055d5604cc53428d89b308c223634cd94082be0ba4081513974e1826775d6e9fc26180c816d9a38fead89b5e04c5e7cf729c056bfae0ed74d6885c921b70ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\pyexpat.pyd

Filesize
86KB

MD5
fe0e32bfe3764ed5321454e1a01c81ec

SHA1
7690690df0a73bdcc54f0f04b674fc8a9a8f45fb

SHA256
b399bff10812e9ea2c9800f74cb0e5002f9d9379baf1a3cef9d438caca35dc92

SHA512
d1777f9e684a9e4174e18651e6d921ae11757ecdbeb4ee678c6a28e0903a4b9ab9f6e1419670b4d428ee20f86c7d424177ed9daf4365cf2ee376fcd065c1c92d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\python3.DLL

Filesize
64KB

MD5
34e49bb1dfddf6037f0001d9aefe7d61

SHA1
a25a39dca11cdc195c9ecd49e95657a3e4fe3215

SHA256
4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281

SHA512
edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\python311.dll

Filesize
1.6MB

MD5
db09c9bbec6134db1766d369c339a0a1

SHA1
c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b

SHA256
b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79

SHA512
653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\select.pyd

Filesize
24KB

MD5
c39459806c712b3b3242f8376218c1e1

SHA1
85d254fb6cc5d6ed20a04026bff1158c8fd0a530

SHA256
7cbd4339285d145b422afa280cee685258bc659806be9cf8b334805bc45b29c9

SHA512
b727c6d1cd451d658e174161135d3be48d7efda21c775b8145bc527a54d6592bfc50919276c6498d2e2233ac1524c1699f59f0f467cc6e43e5b5e9558c87f49d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\sqlite3.dll

Filesize
608KB

MD5
895f001ae969364432372329caf08b6a

SHA1
4567fc6672501648b277fe83e6b468a7a2155ddf

SHA256
f5dd29e1e99cf8967f7f81487dc624714dcbec79c1630f929d5507fc95cbfad7

SHA512
05b4559d283ea84174da72a6c11b8b93b1586b4e7d8cda8d745c814f8f6dff566e75f9d7890f32bd9dfe43485244973860f83f96ba39296e28127c9396453261

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\unicodedata.pyd

Filesize
293KB

MD5
06a5e52caf03426218f0c08fc02cc6b8

SHA1
ae232c63620546716fbb97452d73948ebfd06b35

SHA256
118c31faa930f2849a14c3133df36420a5832114df90d77b09cde0ad5f96f33a

SHA512
546b1a01f36d3689b0fdeeda8b1ce55e7d3451731ca70fffe6627d542fff19d7a70e27147cab1920aae8bed88272342908d4e9d671d7aba74abb5db398b90718

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50362\yarl\_quoting_c.cp311-win_amd64.pyd

Filesize
40KB

MD5
9a8f969ecdf0c15734c1d582d2ae35d8

SHA1
a40691e81982f610a062e49a5ad29cffb5a2f5a8

SHA256
874e52cceae9a3c967bac7b628f4144c32e51fc77f519542fc1bac19045ecde8

SHA512
e0deb59abef7440f30effb1aab6295b5a50c817f685be30b21a3c453e3099b97fd71984e6ca6a6c6e0021abb6e906838566f402b00a11813e67a4e00b119619f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wfhc0dpa.nsi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\AlternateServices.bin

Filesize
8KB

MD5
52d0195b670d419694fadca9a55167a3

SHA1
21dfa93df671d3e8847c918beec304814a69f044

SHA256
ff84f979266c4d5ae67ed0e8a28593a380b34b280af85989edbb5c14a688bdf8

SHA512
fa21c4e152d4ac20e9c1fd755d2474894734b14f510728ac078349ff1d2d298aeca0912f0ac73b98cbb8c15306db638a4924e8cb6492e93ecabe63cfbcc972f9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\AlternateServices.bin

Filesize
12KB

MD5
a421d16489862e9105bd431bde410525

SHA1
b3b2f5ae945668d50da5a02dbf7f32685555fcff

SHA256
f12c587ec14fa8cbae36a0bf5bde50a50b3ce49e3e09027f312a00cd0e1cb76a

SHA512
94cf82bada01000992441667d0c8c4f26405f5ecf56ac14e80f466716ee57e57fc0e52589e1ce899cef81600f8520cc4afaf27b77b5625ec155b99b65164f36e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
dd9c5947cba6228e793dd931d9559ea0

SHA1
6c5fea314471b86a447ecc33b987a198c0406051

SHA256
701abadf923a0f6d2454cdb71804f085e215ebdaadcba846622cabe1565a9e98

SHA512
06ecb9cc9690dabe7cce57a1b430d5de18cfa634d0de4b9bb9d764bbeff958a085bad02bd28eca28b6152208b52683676500cac3a5fff94bdcbaccc1c8a809f3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
f0124027597218abed31a7002b7b3b51

SHA1
75f6b49dc26d60995cd8aeb5839e71572a0c47c8

SHA256
391c2b7b6d49691eb044cee64b7c51ad619de353c4e98bb3f9b9df43fae7b66e

SHA512
1636b7edc992c5479841fe83c1de32048464e9c4705b73150801ce6c21a31a02568ac93ed5a90fecdfcd98170a8abad9c05a55ff6d34a128a75304c4f234d68a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\db\data.safe.tmp

Filesize
33KB

MD5
e7fa4a52bd60febb8717527883055e88

SHA1
d4359cdd722826d583aa52f9a6430fd4cd6243a8

SHA256
c24b9a3c53b1c4c451cbffedf13f03bdae5969dcd6d4e5943d6f5aa53ad33f17

SHA512
e195ce2aa92aa7d272effab8c68f74e0589f4abdf8410360a47820d9f77a91cbba909c03fb83a61287f4a7b9171a61d4fb53091c611d7e1285a3f059b7ec90c3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\pending_pings\10a9e6ba-718e-4d27-b9ed-4f45d6737ed3

Filesize
27KB

MD5
9ea4c553f1bd32ee880c5f4d2603e2f1

SHA1
cf2d15028d704384c942b5e29d82810fb8e61d2e

SHA256
d324daea8acf964d3ce2ccf8fb14733ccb841efde5f5c70f48ab88c9e3d3a8b5

SHA512
bea78934f86e0338001514b39ac78921467ced0b7799000bfe442436c8f3ac579795c1c6dc2ba34e1bcc30475480bc88f05e3da352910a2f06c1093e9d9a8152

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\pending_pings\2b029261-cb07-4546-855f-351848dbcef2

Filesize
982B

MD5
349c8e79b7ee07d9ae26dc30f0ecdca9

SHA1
2604f6926c11f76d797295c3f1a928885cf7c750

SHA256
79b0d4179f508d1aeca08a7ea49f03255c34fe5630999fb34bca2178b0d86799

SHA512
748cb4666b6b5a962a6823e4622dbc4e5e75efac8e31f9f1ad1d8ddff98a24be7f4c1f0417dd8e3b1990d3ce484dd0ae8dca4c4ee4229fcedef08ddb117ec8a2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\pending_pings\ed69e8e4-2f0a-4a81-bedf-4864c9e424dc

Filesize
671B

MD5
8ec5bb14639dbea5bb93ef67d7efcee7

SHA1
e93dda14f897a0323f6249d18cde317c4a693630

SHA256
bf5a8fbf104e17175419473972b7c7c3859e384c9165f09ba560094c08107535

SHA512
5fa2a3d8d2b17e1823d433f509a84c00bb85a293cef0502ff2849c9533085f3c060d5f34e78737c7fdb6e0d28a33c734cbb3f03b5972d7269e1db7ac41fbbc08

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\datareporting\glean\pending_pings\ef179a63-50c1-4144-8d50-7a58c91889ed

Filesize
29KB

MD5
d8ab23fd6aa6f9291792d86643e65302

SHA1
7713923e7c362a6f2a2435c5bad9d1d71f446a72

SHA256
05f9e2d2cdf620e01302d4ab6a8bf76d421dc885d63b03abb68e909653c1484d

SHA512
5fbf141ff21aad1ec5bd0f511c19e9512c81bac4e939107c48c041a7d26620f196ee150eb979e258e0a3698a7ece4f75920f792936446740cb659c8d09cc1f87

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\prefs-1.js

Filesize
13KB

MD5
b0d0d616911d430dcbb1ced2125946be

SHA1
7de81059729bb53245af0e5155be8fc57abc4c3f

SHA256
46958b93f65ef452cd71cd5c9ed56248991df1369bb52a2e3cf825bd05170981

SHA512
6f7aac94c33906ffac7883c5c04b3a6612efc63afdcd4f294f75245bce10d1e3df29b4671bd8b2410e56fc18277a35d56017be1a07db48521b6d1a14c998d237

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\prefs-1.js

Filesize
12KB

MD5
230ffbd6b0dc3271da301c77a8d2189a

SHA1
f8be5653c5290fd48d5189917178fa8f75ab78b6

SHA256
e31a91e2c50a1ce97760c757a5b1d58cd8e2f884ed4f300ba83d2b9154d55e5a

SHA512
49090363c91abb920d0b74664e815ec0e6ad7e448cf6b10a1a6a6f7569aafb0cc8e53e2b22a34cd21d086c25e841935b679ba6831c3063586292f41292181869

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\prefs.js

Filesize
11KB

MD5
4c06bc7040738aa9b9549af260b73cb5

SHA1
c1aff96e9511e3e31101ab404a7a7d77eff0a0e0

SHA256
8ef04b4f3dcf2477b7848d835c26eb75260151333eb0f5cdcfa1e7c8b2b0deba

SHA512
8ef571bb001f97cc17ccd278e3b59e7f46eea620f60cbc4719e1ddf5f24b474de87d41884cac3744b31e5720ac2c5d13866d7a9db9e82c4d12ee4e864661072f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
ae3a0cdcad9a48b34cac807412a9d696

SHA1
18b56cce968c7bfa80e99fea958905fdc3059a2b

SHA256
bc1d4082536e726f8abee4eea9624a61ca6a8020ec93d7eeca6d38560a68d200

SHA512
dd3f110c6d1cf34e66e0c06b32d21198daf9f82bbd261b1d927ebcd4382c3095a078b801c439c1d7e25af3510fbc08089d7a91ff784684c7b1499c297ad52eb2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
dab8f18855d65e5a8fe2f1aaeb14721a

SHA1
746a339f03670bafacbbc9c5602ecf21cdf40fbb

SHA256
affa03a519b5566ba68d2aab8bef4bace71e23685186f8f13abcefc4735fd390

SHA512
b4621dafb4bf1e1e82745393818dfdcf9966697a3900228eb78167a98cf05322422ab5562fc60ec0a3aed721b52af47e6584f80b5f81e2a72ed8d9a964e223cf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\sessionstore-backups\recovery.baklz4

Filesize
16KB

MD5
f48644e9b5045e7a01ee087dd2eb8617

SHA1
dc5e16d638b07f7b75a8d7df6ebda3696bdd4e16

SHA256
d5cccd53d8fd1cd06699fda2c77ea664015cff8f54e9e6e17cf3d64e01d8c45a

SHA512
0ce0b4af191801578d27c71966471748627b4d9a257c79a3209bec57f0b8c73a6cef9fd8a7b1aa40499069b0602422fd4c105f682ec5749f8bb43702cc853e86

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\sessionstore-backups\recovery.baklz4

Filesize
48KB

MD5
b15332bed639923ca3708a79ada2ac6e

SHA1
5cb2a99cbef0d9aa4ebcf894a0b05c8b213514dc

SHA256
97183544a87abb4101ba48dfd8cacb6e5c061b006cb18214935af4f561de7c53

SHA512
9061471c28f7d806612d677665041f6ec43a15f713d3d5ed6845efe443bd8afe62da7566d9661f5fa1a2215e868c84f357cbb5320057880b41d7a73d072ae4b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\sessionstore-backups\recovery.baklz4

Filesize
48KB

MD5
3886f3c44f5b250168a6e02e2c249dcd

SHA1
eaa0ea85d9f350e3c4752752beb10d1b6253b2bb

SHA256
612cb27990c51a5c4dc2c804f303f17273c40ff08788310409bb8157f85eeda5

SHA512
cabc5d32f974dc145909c101510d52fd41f192b04395fd67e43a7c68795919c8c54508c26e8350c462539b6f51f70bfc2e8f5cbfcc9d6da4f92d8c311c4549d7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
d7770e3866741920af6c57c46cfb9ab1

SHA1
9bac419cc30cd5a5db56d7ecc3ef8f1a04505412

SHA256
8a077bcb0a02fe5cc025e869762096bd132b8c1ba8c7207796a8d3ed530205d2

SHA512
55e3caf136d4d6385bd65c75b485871453bbf0eb17e731d4923f7db8c1f0e584282882bd80f09d636837dddf7aa8c8f486f164fa9e86a9bbf759559175f9464c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\sessionstore-backups\recovery.baklz4

Filesize
48KB

MD5
8dff3b206f1e3c833889d1797eecfd28

SHA1
13139f874c1a88b404506896bb1c1fa319e86f73

SHA256
965d366afdf41c06689d5e93817466e2d39256e74c2498b7de217da4f767f4af

SHA512
fa9256ede1d6012a9f10095a64204701b05eea1db22f08ad928a76984d464f23135ca825bdc309386ff78538b2d3050a08cd9c83ea8d6d2721e159ce336b48d9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\sessionstore-backups\recovery.baklz4

Filesize
4KB

MD5
9b5e43867527b9953632016b6a1293b0

SHA1
ebeb361afa2ecc4460358067545a517d4413cdf1

SHA256
021ddd25f9b715b9a8d2e3ec0ab135b0b14c0b87701c520db3ccdaad882f44ed

SHA512
1a8c85e54f7f3f8e99515adbc8e7237813714c9aa6dd14343480ccf75a4344750c4f6ddfc105e6be32dcfecce9e294bbee5992af7d2f0a2c5edfa45c8ed7e3fa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\sessionstore-backups\recovery.baklz4

Filesize
48KB

MD5
60e0db66b34f827e21905386c9856f43

SHA1
540117073e765c54a12ae02778066efca1811a9b

SHA256
e48399974434d45a18b8e0bff86a7c5c2ac1fba56b403383da6e40776f9a0c58

SHA512
d98232c4e062e13127ecbeca84295048a71c1485f24ae499aa0306484f055b37a77b06cc1e4aa99fd04914faef6d86726601981d6a3e1db7888745837a6df73b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\sessionstore-backups\recovery.baklz4

Filesize
48KB

MD5
03c79ed21d3b36ef8aaa6952146af83b

SHA1
30701bb3482df8e06eb61c8cb7374bab6e61dd68

SHA256
92a0b459e02bffd228821be024650c2487d6b2344638e9a29d9fc2004631d825

SHA512
768585467ea159b4f72568b49b68f7df94138ec514a41db11cf1b4081fcc55dac4559fd95ca7e2c3662984fec6e5c75481128bd7a27c50a07ab7ed78eb7eae98

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\pj0o4bl8.default-release\storage\default\https+++dzen.ru\idb\3285085342rcbn_ys.sqlite

Filesize
48KB

MD5
87f4e7bf6c1b4d8c09105c1260a4f697

SHA1
1182071fc93619fd08d590aef6768dde9282a6f6

SHA256
aa4b1a8a74d7e30b4f0bf76588a40a445703c6073b92743736a3226d1f4788c3

SHA512
66c47596a5fe93556dc856c98819a47b52e0af6c0c4f8b84d26e0f89ef2eb5e2e5fe7dd92cf9c41fe99f84b820ffb94ffd9ad84ed8e7ffd51d2ae38cb051b78a

Download Submit
memory/2036-102-0x00007FFCC0EB0000-0x00007FFCC0EC5000-memory.dmp

Filesize
84KB

Download
memory/2036-234-0x00007FFCC0E40000-0x00007FFCC0E52000-memory.dmp

Filesize
72KB

Download
memory/2036-246-0x00007FFCB01D0000-0x00007FFCB0971000-memory.dmp

Filesize
7.6MB

Download
memory/2036-242-0x00007FFCB7B30000-0x00007FFCB7B7D000-memory.dmp

Filesize
308KB

Download
memory/2036-241-0x00007FFCBB790000-0x00007FFCBB7A9000-memory.dmp

Filesize
100KB

Download
memory/2036-229-0x00007FFCC0700000-0x00007FFCC0873000-memory.dmp

Filesize
1.4MB

Download
memory/2036-221-0x00007FFCB15F0000-0x00007FFCB1BD8000-memory.dmp

Filesize
5.9MB

Download
memory/2036-222-0x00007FFCC13A0000-0x00007FFCC13C4000-memory.dmp

Filesize
144KB

Download
memory/2036-251-0x00007FFCB15F0000-0x00007FFCB1BD8000-memory.dmp

Filesize
5.9MB

Download
memory/2036-268-0x00007FFCBE830000-0x00007FFCBE852000-memory.dmp

Filesize
136KB

Download
memory/2036-263-0x00007FFCC0EB0000-0x00007FFCC0EC5000-memory.dmp

Filesize
84KB

Download
memory/2036-262-0x00007FFCB0CB0000-0x00007FFCB1025000-memory.dmp

Filesize
3.5MB

Download
memory/2036-261-0x00007FFCC0ED0000-0x00007FFCC0F88000-memory.dmp

Filesize
736KB

Download
memory/2036-260-0x00007FFCC1020000-0x00007FFCC104E000-memory.dmp

Filesize
184KB

Download
memory/2036-392-0x00007FFCC13A0000-0x00007FFCC13C4000-memory.dmp

Filesize
144KB

Download
memory/2036-402-0x00007FFCC16C0000-0x00007FFCC16CA000-memory.dmp

Filesize
40KB

Download
memory/2036-401-0x00007FFCC0ED0000-0x00007FFCC0F88000-memory.dmp

Filesize
736KB

Download
memory/2036-407-0x00007FFCC06E0000-0x00007FFCC06F4000-memory.dmp

Filesize
80KB

Download
memory/2036-406-0x00007FFCC0E20000-0x00007FFCC0E34000-memory.dmp

Filesize
80KB

Download
memory/2036-405-0x00007FFCC0E40000-0x00007FFCC0E52000-memory.dmp

Filesize
72KB

Download
memory/2036-404-0x00007FFCC0EB0000-0x00007FFCC0EC5000-memory.dmp

Filesize
84KB

Download
memory/2036-403-0x00007FFCB01D0000-0x00007FFCB0971000-memory.dmp

Filesize
7.6MB

Download
memory/2036-400-0x00007FFCC1020000-0x00007FFCC104E000-memory.dmp

Filesize
184KB

Download
memory/2036-399-0x00007FFCBB790000-0x00007FFCBB7A9000-memory.dmp

Filesize
100KB

Download
memory/2036-398-0x00007FFCC1090000-0x00007FFCC10B3000-memory.dmp

Filesize
140KB

Download
memory/2036-397-0x00007FFCC1210000-0x00007FFCC123D000-memory.dmp

Filesize
180KB

Download
memory/2036-396-0x00007FFCC1590000-0x00007FFCC15A9000-memory.dmp

Filesize
100KB

Download
memory/2036-395-0x00007FFCC6AC0000-0x00007FFCC6ACD000-memory.dmp

Filesize
52KB

Download
memory/2036-394-0x00007FFCC47F0000-0x00007FFCC4809000-memory.dmp

Filesize
100KB

Download
memory/2036-393-0x00007FFCB7B30000-0x00007FFCB7B7D000-memory.dmp

Filesize
308KB

Download
memory/2036-391-0x00007FFCC9720000-0x00007FFCC972F000-memory.dmp

Filesize
60KB

Download
memory/2036-415-0x00007FFCBAD90000-0x00007FFCBADAE000-memory.dmp

Filesize
120KB

Download
memory/2036-414-0x00007FFCB14D0000-0x00007FFCB15EC000-memory.dmp

Filesize
1.1MB

Download
memory/2036-413-0x00007FFCBB770000-0x00007FFCBB781000-memory.dmp

Filesize
68KB

Download
memory/2036-412-0x00007FFCC0700000-0x00007FFCC0873000-memory.dmp

Filesize
1.4MB

Download
memory/2036-411-0x00007FFCB1400000-0x00007FFCB14CF000-memory.dmp

Filesize
828KB

Download
memory/2036-410-0x00007FFCC06C0000-0x00007FFCC06D7000-memory.dmp

Filesize
92KB

Download
memory/2036-409-0x00007FFCBE830000-0x00007FFCBE852000-memory.dmp

Filesize
136KB

Download
memory/2036-408-0x00007FFCB15F0000-0x00007FFCB1BD8000-memory.dmp

Filesize
5.9MB

Download
memory/2036-418-0x00007FFCB8F10000-0x00007FFCB8F1D000-memory.dmp

Filesize
52KB

Download
memory/2036-417-0x00007FFCAFEE0000-0x00007FFCAFF18000-memory.dmp

Filesize
224KB

Download
memory/2036-416-0x00007FFCB0CB0000-0x00007FFCB1025000-memory.dmp

Filesize
3.5MB

Download
memory/2036-233-0x00007FFCC0EB0000-0x00007FFCC0EC5000-memory.dmp

Filesize
84KB

Download
memory/2036-249-0x00007FFCC06C0000-0x00007FFCC06D7000-memory.dmp

Filesize
92KB

Download
memory/2036-212-0x00007FFCBE830000-0x00007FFCBE852000-memory.dmp

Filesize
136KB

Download
memory/2036-50-0x00007FFCB15F0000-0x00007FFCB1BD8000-memory.dmp

Filesize
5.9MB

Download
memory/2036-195-0x00007FFCB8F10000-0x00007FFCB8F1D000-memory.dmp

Filesize
52KB

Download
memory/2036-194-0x00007FFCB14D0000-0x00007FFCB15EC000-memory.dmp

Filesize
1.1MB

Download
memory/2036-147-0x00007FFCAFEE0000-0x00007FFCAFF18000-memory.dmp

Filesize
224KB

Download
memory/2036-131-0x00007FFCBB790000-0x00007FFCBB7A9000-memory.dmp

Filesize
100KB

Download
memory/2036-132-0x00007FFCC1020000-0x00007FFCC104E000-memory.dmp

Filesize
184KB

Download
memory/2036-133-0x00007FFCBB770000-0x00007FFCBB781000-memory.dmp

Filesize
68KB

Download
memory/2036-134-0x00007FFCB7B30000-0x00007FFCB7B7D000-memory.dmp

Filesize
308KB

Download
memory/2036-135-0x00007FFCC0ED0000-0x00007FFCC0F88000-memory.dmp

Filesize
736KB

Download
memory/2036-143-0x000002100C9F0000-0x000002100CD65000-memory.dmp

Filesize
3.5MB

Download
memory/2036-144-0x00007FFCBAD90000-0x00007FFCBADAE000-memory.dmp

Filesize
120KB

Download
memory/2036-146-0x00007FFCC0EB0000-0x00007FFCC0EC5000-memory.dmp

Filesize
84KB

Download
memory/2036-145-0x00007FFCB01D0000-0x00007FFCB0971000-memory.dmp

Filesize
7.6MB

Download
memory/2036-140-0x00007FFCB0CB0000-0x00007FFCB1025000-memory.dmp

Filesize
3.5MB

Download
memory/2036-141-0x00007FFCC16C0000-0x00007FFCC16CA000-memory.dmp

Filesize
40KB

Download
memory/2036-127-0x00007FFCB1400000-0x00007FFCB14CF000-memory.dmp

Filesize
828KB

Download
memory/2036-126-0x00007FFCC0700000-0x00007FFCC0873000-memory.dmp

Filesize
1.4MB

Download
memory/2036-123-0x00007FFCC1090000-0x00007FFCC10B3000-memory.dmp

Filesize
140KB

Download
memory/2036-121-0x00007FFCC47F0000-0x00007FFCC4809000-memory.dmp

Filesize
100KB

Download
memory/2036-119-0x00007FFCC06C0000-0x00007FFCC06D7000-memory.dmp

Filesize
92KB

Download
memory/2036-116-0x00007FFCBE830000-0x00007FFCBE852000-memory.dmp

Filesize
136KB

Download
memory/2036-115-0x00007FFCC13A0000-0x00007FFCC13C4000-memory.dmp

Filesize
144KB

Download
memory/2036-109-0x00007FFCB15F0000-0x00007FFCB1BD8000-memory.dmp

Filesize
5.9MB

Download
memory/2036-110-0x00007FFCC0E20000-0x00007FFCC0E34000-memory.dmp

Filesize
80KB

Download
memory/2036-111-0x00007FFCC06E0000-0x00007FFCC06F4000-memory.dmp

Filesize
80KB

Download
memory/2036-112-0x00007FFCB14D0000-0x00007FFCB15EC000-memory.dmp

Filesize
1.1MB

Download
memory/2036-104-0x00007FFCC0E40000-0x00007FFCC0E52000-memory.dmp

Filesize
72KB

Download
memory/2036-100-0x000002100C9F0000-0x000002100CD65000-memory.dmp

Filesize
3.5MB

Download
memory/2036-99-0x00007FFCB0CB0000-0x00007FFCB1025000-memory.dmp

Filesize
3.5MB

Download
memory/2036-96-0x00007FFCC0ED0000-0x00007FFCC0F88000-memory.dmp

Filesize
736KB

Download
memory/2036-94-0x00007FFCC1020000-0x00007FFCC104E000-memory.dmp

Filesize
184KB

Download
memory/2036-59-0x00007FFCC13A0000-0x00007FFCC13C4000-memory.dmp

Filesize
144KB

Download
memory/2036-60-0x00007FFCC9720000-0x00007FFCC972F000-memory.dmp

Filesize
60KB

Download
memory/2036-87-0x00007FFCC47F0000-0x00007FFCC4809000-memory.dmp

Filesize
100KB

Download
memory/2036-88-0x00007FFCC6AC0000-0x00007FFCC6ACD000-memory.dmp

Filesize
52KB

Download
memory/2036-89-0x00007FFCC1590000-0x00007FFCC15A9000-memory.dmp

Filesize
100KB

Download
memory/2036-90-0x00007FFCC1210000-0x00007FFCC123D000-memory.dmp

Filesize
180KB

Download
memory/2036-92-0x00007FFCC0700000-0x00007FFCC0873000-memory.dmp

Filesize
1.4MB

Download
memory/2036-91-0x00007FFCC1090000-0x00007FFCC10B3000-memory.dmp

Filesize
140KB

Download
memory/4688-203-0x000001FF02100000-0x000001FF02122000-memory.dmp

Filesize
136KB

Download