exelastealer | hxxps://github[.]com/anathasecanem/roblox-executor/releases/download/vypix/Boostrapper[.]exe

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2024 18:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/anathasecanem/roblox-executor/releases/download/vypix/Boostrapper.exe

Score

10^/10

exelastealer collection credential_access discovery evasion execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1280	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1544	netsh.exe
1032	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4316	cmd.exe
4236	powershell.exe

Executes dropped EXE 8 IoCs

pid	Process
4328	Boostrapper.exe
3608	Boostrapper.exe
6828	Boostrapper.exe
3348	Boostrapper.exe
564	bound.exe
6228	bound.exe
7516	Boostrapper.exe
448	Boostrapper.exe

Loads dropped DLL 64 IoCs

pid	Process
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3348	Boostrapper.exe
3348	Boostrapper.exe
3348	Boostrapper.exe
3348	Boostrapper.exe
3348	Boostrapper.exe
3348	Boostrapper.exe
3348	Boostrapper.exe
3348	Boostrapper.exe
3348	Boostrapper.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000238d6-948.dat	upx
behavioral1/memory/3608-952-0x00007FFCD0250000-0x00007FFCD0838000-memory.dmp	upx
behavioral1/files/0x00070000000234ed-954.dat	upx
behavioral1/files/0x000700000002350f-961.dat	upx
behavioral1/files/0x00070000000234f0-966.dat	upx
behavioral1/memory/3608-988-0x00007FFCD5990000-0x00007FFCD59BD000-memory.dmp	upx
behavioral1/memory/3608-987-0x00007FFCE43B0000-0x00007FFCE43C9000-memory.dmp	upx
behavioral1/memory/3608-990-0x00007FFCD3A60000-0x00007FFCD3A95000-memory.dmp	upx
behavioral1/files/0x00070000000238d4-989.dat	upx
behavioral1/files/0x00070000000234f7-986.dat	upx
behavioral1/files/0x00070000000234f6-985.dat	upx
behavioral1/files/0x00070000000234f5-984.dat	upx
behavioral1/files/0x00070000000234f4-983.dat	upx
behavioral1/files/0x00070000000234f3-982.dat	upx
behavioral1/files/0x00070000000234f2-981.dat	upx
behavioral1/files/0x00070000000234f1-980.dat	upx
behavioral1/files/0x00070000000234ef-979.dat	upx
behavioral1/files/0x00070000000234ee-978.dat	upx
behavioral1/files/0x00070000000234ec-977.dat	upx
behavioral1/files/0x00070000000234ea-976.dat	upx
behavioral1/files/0x00070000000238e5-974.dat	upx
behavioral1/files/0x00070000000238e4-973.dat	upx
behavioral1/files/0x00070000000238da-972.dat	upx
behavioral1/files/0x0007000000023510-969.dat	upx
behavioral1/files/0x000700000002350e-968.dat	upx
behavioral1/memory/3608-998-0x00007FFCD2B20000-0x00007FFCD2B4E000-memory.dmp	upx
behavioral1/files/0x00070000000238d9-996.dat	upx
behavioral1/memory/3608-997-0x00007FFCE4860000-0x00007FFCE486D000-memory.dmp	upx
behavioral1/memory/3608-994-0x00007FFCE5300000-0x00007FFCE530D000-memory.dmp	upx
behavioral1/memory/3608-992-0x00007FFCDAEB0000-0x00007FFCDAEC9000-memory.dmp	upx
behavioral1/files/0x00070000000234eb-964.dat	upx
behavioral1/memory/3608-1000-0x00007FFCD17B0000-0x00007FFCD186C000-memory.dmp	upx
behavioral1/memory/3608-1002-0x00007FFCE4760000-0x00007FFCE4784000-memory.dmp	upx
behavioral1/memory/3608-1001-0x00007FFCD2AF0000-0x00007FFCD2B1B000-memory.dmp	upx
behavioral1/memory/3608-999-0x00007FFCD0250000-0x00007FFCD0838000-memory.dmp	upx
behavioral1/memory/3608-962-0x00007FFCE5D60000-0x00007FFCE5D6F000-memory.dmp	upx
behavioral1/memory/3608-960-0x00007FFCE4760000-0x00007FFCE4784000-memory.dmp	upx
behavioral1/memory/3608-1003-0x00007FFCD1690000-0x00007FFCD17AC000-memory.dmp	upx
behavioral1/memory/3608-1004-0x00007FFCD2AC0000-0x00007FFCD2AEE000-memory.dmp	upx
behavioral1/memory/3608-1007-0x00007FFCCF550000-0x00007FFCCF8C5000-memory.dmp	upx
behavioral1/memory/3608-1005-0x00007FFCD13C0000-0x00007FFCD1478000-memory.dmp	upx
behavioral1/memory/3608-1010-0x00007FFCD2AA0000-0x00007FFCD2AB4000-memory.dmp	upx
behavioral1/memory/3608-1009-0x00007FFCD1330000-0x00007FFCD13B7000-memory.dmp	upx
behavioral1/memory/3608-1008-0x00007FFCDAEB0000-0x00007FFCDAEC9000-memory.dmp	upx
behavioral1/memory/3608-1012-0x00007FFCD2B20000-0x00007FFCD2B4E000-memory.dmp	upx
behavioral1/memory/3608-1013-0x00007FFCD1D80000-0x00007FFCD1DA6000-memory.dmp	upx
behavioral1/memory/3608-1011-0x00007FFCDF4C0000-0x00007FFCDF4CB000-memory.dmp	upx
behavioral1/memory/3608-1014-0x00007FFCDD6A0000-0x00007FFCDD6AA000-memory.dmp	upx
behavioral1/memory/3608-1015-0x00007FFCD2A80000-0x00007FFCD2A98000-memory.dmp	upx
behavioral1/memory/3608-1020-0x00007FFCD2AC0000-0x00007FFCD2AEE000-memory.dmp	upx
behavioral1/memory/3608-1019-0x00007FFCD00D0000-0x00007FFCD0243000-memory.dmp	upx
behavioral1/memory/3608-1018-0x00007FFCD13C0000-0x00007FFCD1478000-memory.dmp	upx
behavioral1/memory/3608-1017-0x00007FFCD1300000-0x00007FFCD1323000-memory.dmp	upx
behavioral1/memory/3608-1016-0x00007FFCD1690000-0x00007FFCD17AC000-memory.dmp	upx
behavioral1/memory/3608-1022-0x00007FFCD12C0000-0x00007FFCD12F6000-memory.dmp	upx
behavioral1/memory/3608-1038-0x00007FFCD1260000-0x00007FFCD126D000-memory.dmp	upx
behavioral1/memory/3608-1040-0x00007FFCD1230000-0x00007FFCD123C000-memory.dmp	upx
behavioral1/memory/3608-1025-0x00007FFCD3A50000-0x00007FFCD3A5B000-memory.dmp	upx
behavioral1/memory/3608-1043-0x00007FFCD0890000-0x00007FFCD08AC000-memory.dmp	upx
behavioral1/memory/3608-1044-0x00007FFCCF120000-0x00007FFCCF542000-memory.dmp	upx
behavioral1/memory/3608-1042-0x00007FFCD08B0000-0x00007FFCD08BB000-memory.dmp	upx
behavioral1/memory/3608-1041-0x00007FFCD08C0000-0x00007FFCD08E9000-memory.dmp	upx
behavioral1/memory/3608-1039-0x00007FFCD1240000-0x00007FFCD1252000-memory.dmp	upx
behavioral1/memory/3608-1037-0x00007FFCD1270000-0x00007FFCD127C000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
102	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
5588	ARP.EXE
5772	cmd.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
6412	tasklist.exe
2252	tasklist.exe
1056	tasklist.exe
7840	tasklist.exe
8152	tasklist.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
612	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
5928	cmd.exe
6192	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
5600	NETSTAT.EXE

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
6256	WMIC.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1048	WMIC.exe
7808	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2780	ipconfig.exe
5600	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5372	systeminfo.exe

Kills process with taskkill 9 IoCs

evasion

pid	Process
6628	taskkill.exe
6820	taskkill.exe
6980	taskkill.exe
7076	taskkill.exe
6516	taskkill.exe
6736	taskkill.exe
6928	taskkill.exe
7160	taskkill.exe
2564	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 12840.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 497667.crdownload:SmartScreen	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
4732	msedge.exe
4732	msedge.exe
852	msedge.exe
852	msedge.exe
4268	identity_helper.exe
4268	identity_helper.exe
5632	msedge.exe
5632	msedge.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3608	Boostrapper.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
3352	msedge.exe
1280	powershell.exe
1280	powershell.exe
1280	powershell.exe
4236	powershell.exe
4236	powershell.exe
4236	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3608	Boostrapper.exe
Token: SeIncreaseQuotaPrivilege	5608	WMIC.exe
Token: SeSecurityPrivilege	5608	WMIC.exe
Token: SeTakeOwnershipPrivilege	5608	WMIC.exe
Token: SeLoadDriverPrivilege	5608	WMIC.exe
Token: SeSystemProfilePrivilege	5608	WMIC.exe
Token: SeSystemtimePrivilege	5608	WMIC.exe
Token: SeProfSingleProcessPrivilege	5608	WMIC.exe
Token: SeIncBasePriorityPrivilege	5608	WMIC.exe
Token: SeCreatePagefilePrivilege	5608	WMIC.exe
Token: SeBackupPrivilege	5608	WMIC.exe
Token: SeRestorePrivilege	5608	WMIC.exe
Token: SeShutdownPrivilege	5608	WMIC.exe
Token: SeDebugPrivilege	5608	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5608	WMIC.exe
Token: SeRemoteShutdownPrivilege	5608	WMIC.exe
Token: SeUndockPrivilege	5608	WMIC.exe
Token: SeManageVolumePrivilege	5608	WMIC.exe
Token: 33	5608	WMIC.exe
Token: 34	5608	WMIC.exe
Token: 35	5608	WMIC.exe
Token: 36	5608	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5608	WMIC.exe
Token: SeSecurityPrivilege	5608	WMIC.exe
Token: SeTakeOwnershipPrivilege	5608	WMIC.exe
Token: SeLoadDriverPrivilege	5608	WMIC.exe
Token: SeSystemProfilePrivilege	5608	WMIC.exe
Token: SeSystemtimePrivilege	5608	WMIC.exe
Token: SeProfSingleProcessPrivilege	5608	WMIC.exe
Token: SeIncBasePriorityPrivilege	5608	WMIC.exe
Token: SeCreatePagefilePrivilege	5608	WMIC.exe
Token: SeBackupPrivilege	5608	WMIC.exe
Token: SeRestorePrivilege	5608	WMIC.exe
Token: SeShutdownPrivilege	5608	WMIC.exe
Token: SeDebugPrivilege	5608	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5608	WMIC.exe
Token: SeRemoteShutdownPrivilege	5608	WMIC.exe
Token: SeUndockPrivilege	5608	WMIC.exe
Token: SeManageVolumePrivilege	5608	WMIC.exe
Token: 33	5608	WMIC.exe
Token: 34	5608	WMIC.exe
Token: 35	5608	WMIC.exe
Token: 36	5608	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1048	WMIC.exe
Token: SeSecurityPrivilege	1048	WMIC.exe
Token: SeTakeOwnershipPrivilege	1048	WMIC.exe
Token: SeLoadDriverPrivilege	1048	WMIC.exe
Token: SeSystemProfilePrivilege	1048	WMIC.exe
Token: SeSystemtimePrivilege	1048	WMIC.exe
Token: SeProfSingleProcessPrivilege	1048	WMIC.exe
Token: SeIncBasePriorityPrivilege	1048	WMIC.exe
Token: SeCreatePagefilePrivilege	1048	WMIC.exe
Token: SeBackupPrivilege	1048	WMIC.exe
Token: SeRestorePrivilege	1048	WMIC.exe
Token: SeShutdownPrivilege	1048	WMIC.exe
Token: SeDebugPrivilege	1048	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1048	WMIC.exe
Token: SeRemoteShutdownPrivilege	1048	WMIC.exe
Token: SeUndockPrivilege	1048	WMIC.exe
Token: SeManageVolumePrivilege	1048	WMIC.exe
Token: 33	1048	WMIC.exe
Token: 34	1048	WMIC.exe
Token: 35	1048	WMIC.exe
Token: 36	1048	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 4820	852	msedge.exe	84
PID 852 wrote to memory of 4820	852	msedge.exe	84
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 3808	852	msedge.exe	85
PID 852 wrote to memory of 4732	852	msedge.exe	86
PID 852 wrote to memory of 4732	852	msedge.exe	86
PID 852 wrote to memory of 1044	852	msedge.exe	87
PID 852 wrote to memory of 1044	852	msedge.exe	87
PID 852 wrote to memory of 1044	852	msedge.exe	87
PID 852 wrote to memory of 1044	852	msedge.exe	87
PID 852 wrote to memory of 1044	852	msedge.exe	87
PID 852 wrote to memory of 1044	852	msedge.exe	87
PID 852 wrote to memory of 1044	852	msedge.exe	87
PID 852 wrote to memory of 1044	852	msedge.exe	87
PID 852 wrote to memory of 1044	852	msedge.exe	87
PID 852 wrote to memory of 1044	852	msedge.exe	87
PID 852 wrote to memory of 1044	852	msedge.exe	87
PID 852 wrote to memory of 1044	852	msedge.exe	87
PID 852 wrote to memory of 1044	852	msedge.exe	87
PID 852 wrote to memory of 1044	852	msedge.exe	87
PID 852 wrote to memory of 1044	852	msedge.exe	87
PID 852 wrote to memory of 1044	852	msedge.exe	87
PID 852 wrote to memory of 1044	852	msedge.exe	87
PID 852 wrote to memory of 1044	852	msedge.exe	87
PID 852 wrote to memory of 1044	852	msedge.exe	87
PID 852 wrote to memory of 1044	852	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/anathasecanem/roblox-executor/releases/download/vypix/Boostrapper.exe
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffce45246f8,0x7ffce4524708,0x7ffce4524718
  2⤵
  PID:4820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,18262377598699223452,7671999458096347218,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:3808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,18262377598699223452,7671999458096347218,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,18262377598699223452,7671999458096347218,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
  2⤵
  PID:1044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,18262377598699223452,7671999458096347218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,18262377598699223452,7671999458096347218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,18262377598699223452,7671999458096347218,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,18262377598699223452,7671999458096347218,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5432 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,18262377598699223452,7671999458096347218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,18262377598699223452,7671999458096347218,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2160,18262377598699223452,7671999458096347218,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5732 /prefetch:8
  2⤵
  PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,18262377598699223452,7671999458096347218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5124 /prefetch:1
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2160,18262377598699223452,7671999458096347218,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6220 /prefetch:8
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,18262377598699223452,7671999458096347218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,18262377598699223452,7671999458096347218,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6360 /prefetch:1
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,18262377598699223452,7671999458096347218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,18262377598699223452,7671999458096347218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6440 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,18262377598699223452,7671999458096347218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,18262377598699223452,7671999458096347218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2160,18262377598699223452,7671999458096347218,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=2688 /prefetch:8
  2⤵
  PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,18262377598699223452,7671999458096347218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:3848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,18262377598699223452,7671999458096347218,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2160,18262377598699223452,7671999458096347218,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5844 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,18262377598699223452,7671999458096347218,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4680 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3352

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4404

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4132

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2764

C:\Users\Admin\Downloads\Boostrapper.exe
"C:\Users\Admin\Downloads\Boostrapper.exe"
1⤵
- Executes dropped EXE
PID:4328
- C:\Users\Admin\Downloads\Boostrapper.exe
  "C:\Users\Admin\Downloads\Boostrapper.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:5412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    PID:4196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    PID:5236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1128
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4244
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:1048

C:\Users\Admin\Downloads\Boostrapper.exe
"C:\Users\Admin\Downloads\Boostrapper.exe"
1⤵
- Executes dropped EXE
PID:6828
- C:\Users\Admin\Downloads\Boostrapper.exe
  "C:\Users\Admin\Downloads\Boostrapper.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:5856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    PID:4396
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:1280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    PID:5864
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      PID:564
    - - C:\Users\Admin\AppData\Local\Temp\bound.exe
        
        bound.exe
        5⤵
        Executes dropped EXE
        
        PID:6228
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:7564
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        6⤵
        
        PID:7652
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        7⤵
        Detects videocard installed
        
        PID:7808
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
        6⤵
        
        PID:7664
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        7⤵
        
        PID:7856
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "gdb --version"
        6⤵
        
        PID:7672
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        6⤵
        
        PID:7680
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:7840
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
        6⤵
        
        PID:7952
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        7⤵
        
        PID:7996
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:8036
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:8128
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        6⤵
        
        PID:8044
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:8152
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        6⤵
        
        PID:6344
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:6412
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 852"
        6⤵
        
        PID:6456
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 852
        7⤵
        Kills process with taskkill
        
        PID:6516
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4820"
        6⤵
        
        PID:6580
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4820
        7⤵
        Kills process with taskkill
        
        PID:6628
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3808"
        6⤵
        
        PID:6668
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3808
        7⤵
        Kills process with taskkill
        
        PID:6736
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4732"
        6⤵
        
        PID:6764
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4732
        7⤵
        Kills process with taskkill
        
        PID:6820
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1044"
        6⤵
        
        PID:4328
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1044
        7⤵
        Kills process with taskkill
        
        PID:6928
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2592"
        6⤵
        
        PID:6908
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2592
        7⤵
        Kills process with taskkill
        
        PID:6980
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1992"
        6⤵
        
        PID:7016
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1992
        7⤵
        Kills process with taskkill
        
        PID:7076
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3848"
        6⤵
        
        PID:7104
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3848
        7⤵
        Kills process with taskkill
        
        PID:7160
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3840"
        6⤵
        
        PID:3292
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3840
        7⤵
        Kills process with taskkill
        
        PID:2564
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        6⤵
        
        PID:5440
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        7⤵
        
        PID:220
        
        C:\Windows\system32\chcp.com
        
        chcp
        8⤵
        
        PID:652
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        6⤵
        
        PID:3972
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        7⤵
        
        PID:4992
        
        C:\Windows\system32\chcp.com
        
        chcp
        8⤵
        
        PID:5968
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:4540
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        
        PID:2252
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        6⤵
        Clipboard Data
        
        PID:4316
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        7⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:4236
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        6⤵
        Network Service Discovery
        
        PID:5772
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        7⤵
        Gathers system information
        
        PID:5372
        
        C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        7⤵
        
        PID:5384
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        7⤵
        Collects information from the system
        
        PID:6256
        
        C:\Windows\system32\net.exe
        
        net user
        7⤵
        
        PID:4056
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        8⤵
        
        PID:7180
        
        C:\Windows\system32\query.exe
        
        query user
        7⤵
        
        PID:4832
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        8⤵
        
        PID:7200
        
        C:\Windows\system32\net.exe
        
        net localgroup
        7⤵
        
        PID:4692
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        8⤵
        
        PID:956
        
        C:\Windows\system32\net.exe
        
        net localgroup administrators
        7⤵
        
        PID:3604
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        8⤵
        
        PID:3264
        
        C:\Windows\system32\net.exe
        
        net user guest
        7⤵
        
        PID:7232
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        8⤵
        
        PID:4984
        
        C:\Windows\system32\net.exe
        
        net user administrator
        7⤵
        
        PID:5684
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        8⤵
        
        PID:2420
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        7⤵
        
        PID:3720
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        7⤵
        Enumerates processes with tasklist
        
        PID:1056
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        7⤵
        Gathers network information
        
        PID:2780
        
        C:\Windows\system32\ROUTE.EXE
        
        route print
        7⤵
        
        PID:5992
        
        C:\Windows\system32\ARP.EXE
        
        arp -a
        7⤵
        Network Service Discovery
        
        PID:5588
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        7⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:5600
        
        C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        7⤵
        Launches sc.exe
        
        PID:612
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1544
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1032
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5928
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:6192
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:6148
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:7256
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:7296
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:7348

C:\Users\Admin\Downloads\Boostrapper.exe
"C:\Users\Admin\Downloads\Boostrapper.exe"
1⤵
- Executes dropped EXE
PID:7516
- C:\Users\Admin\Downloads\Boostrapper.exe
  "C:\Users\Admin\Downloads\Boostrapper.exe"
  2⤵
  - Executes dropped EXE
  PID:448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
265B

MD5
f5cd008cf465804d0e6f39a8d81f9a2d

SHA1
6b2907356472ed4a719e5675cc08969f30adc855

SHA256
fcea95cc39dc6c2a925f5aed739dbedaa405ee4ce127f535fcf1c751b2b8fb5d

SHA512
dc97034546a4c94bdaa6f644b5cfd1e477209de9a03a5b02a360c254a406c1d647d6f90860f385e27387b35631c41f0886cb543ede9116436941b9af6cd3285d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9d89002279b004a733769ff8a56c22c5

SHA1
c2cc408d2c1872e7c14ab7a2c6663fa16be1be44

SHA256
a9ae38c833205d70e45de5da24ceba743edddc1738fc7b60af1abbcb0bd1e4ea

SHA512
9c5ff9531c917375a555575df86c75b0f4dfcc67a8138b8327489f14f423a0ffdd0ed86136233164190ed4bfd74f30aedd23a198c3aed4075fbf4faf7cbd19d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a1bca2770712f22c5d25fbf90643cb24

SHA1
fea638a71f5a1119e2a9b58f11437feda4b0db13

SHA256
f87ba4b34e6353d526d6c73a21f8d311ea09173498b50a998b4657bf94d75e8e

SHA512
9a44cda81fa2d2076e0eadabcfd0b9f5a7d3a86693570d59ea02e5474cca6fe9a572c20be621b408736b2e400a38ff5c2d991fe2b1238ad28d698abb6007cb63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5a769aa5e16d55f7b5e37604750855dd

SHA1
ca0edff3da49334d169ea5072da709a02bb3651d

SHA256
b51d001b61f3b444fbcc515e5e127b2c284abdbcf3089b8735a76a56337289f0

SHA512
3198b8373fe1b1a557a30f735fe149d1421a1f2782084b22c90cb92090d728c492bfb1c4fad9a3d49bac6b49d0f0fddac4dc2ca38a5fcd3c42dd1536473dca2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
203B

MD5
5b6c549a21d14288c92ed08b8684dc6f

SHA1
4507191efd05742f8c417ca85ff0c1e395877e36

SHA256
b2d352fa8de2ce7d531224b12cedeb01b8a5d5608123d8c55c082da1922048c7

SHA512
4d489e175c68223ed97a235a6c78561e5a50786313c0047f3d84b6828dca652e6e43f8fee1aa5a44efd3abde3ed682024bcf95fc2f65f507d96f097cb9f41803

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58b169.TMP

Filesize
203B

MD5
e98aca2cff114fd67192ee2a3693eb0c

SHA1
a5bde9c756b1b00d7775177cb574232ad4d06067

SHA256
1451df6b708b94a8c4c3ccc662b0a57473523496425a088faabae6e28246b3e6

SHA512
0a17c4a6e511b74383a9f4f61d6a5760bdffba6c89ae00f5b86808ad8e303116fe03d32af3141b9db8d900dd3de83ff388f0c4865b822bbe2cc0dd4863b89211

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
5e92dffe8bff829de1bcda476a435e37

SHA1
8028a3348002da483f02dabb5204fdbd589ba411

SHA256
c32eb45c6a38d204ebbb5766df9539b2c69f732781ce0da5b15647f6db8d3a36

SHA512
fcd4742926b0fbe51198bcd4bd03e93f9e88763870d3bdeae2867ab4b9065e7dfe23c7a2334995011991a28cddb62f16fa2fa144f7192d46ef1198d165a436c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8ef75198c92a1807956dc1812d7f9555

SHA1
3d4a3eb920a09eb6426eaff1b026221a8648a389

SHA256
65eb7c8895216318f06954beda4ac4984be788992acc7f99babe0a549b5bf217

SHA512
686c081de4461e89365b7f0a467a98421a3744750ac18d7fb427a3f071fe7ead9f40cb937b86d56ab2be1a441e855563753163be94348a2a75ed49bb8c4a8ab2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0ce15ef1ff35f5876c4afd4af351e5b9

SHA1
97c0194223f1d5b64c5ad762be66a90aa93e0a16

SHA256
1c99dd60ea6acefb47332fa24e15cce4b42b36f23d673ee0d6b76562d6a0ef21

SHA512
7d4009049da27dc9b34d6a520963917125a721018f826310046c6e4f538e51bc5a7dc81b44b2d373c0ba0cc1b8a81e5a2d95baadad9328544ca80224bf36bf5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
16bd9ae4a6f2d4bd04a9604449c314fc

SHA1
ca4a1cc1d9dd1b973fa1aa1b87662e5c667f3216

SHA256
e659f90fc405d8146c583220b1f485ac37646df4cdb4e072299a850cd08536d7

SHA512
90643e372b33bf6afd6d319aca048fb7cb383007212e60bc05b4741dbb3cea11f65a88e980e6efee5b32a6d2949246644269d6daf8c3ae5f183526c016dff44d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43282\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43282\VCRUNTIME140_1.dll

Filesize
37KB

MD5
75e78e4bf561031d39f86143753400ff

SHA1
324c2a99e39f8992459495182677e91656a05206

SHA256
1758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e

SHA512
ce4daf46bce44a89d21308c63e2de8b757a23be2630360209c4a25eb13f1f66a04fbb0a124761a33bbf34496f2f2a02b8df159b4b62f1b6241e1dbfb0e5d9756

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43282\_asyncio.pyd

Filesize
34KB

MD5
936e44a303a5957709434a0c6bf4532e

SHA1
e35f0b78f61797d9277741a1ee577b5fe7af3d62

SHA256
11f1062fafb4fbca92e3b2cef97ab66ec011142f5b0312e74815decd93be458b

SHA512
cebe905b718825c1841e9c0e83dfdac95d0ff50b116ab3b91b05ca21f86f1482f5b1e13988c969244c644d17bd378792ac4967caa721f0b0e858cd92859af154

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43282\_bz2.pyd

Filesize
46KB

MD5
af3d45698d379c97a90cca9625bc5926

SHA1
0783866af330c1029253859574c369901969208e

SHA256
47af0730824f96865b5e20f8bba34b0d5f3a330087411adba71269312bf7ccec

SHA512
117e95d2ba0432f5ece882ad67a3fbf2e2cd251b4327a0d66b3fffd444e2d1813ddb568321bde1636b4180d19607db6103df145153e4ff84e9be601fd2dd5691

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43282\_cffi_backend.cp311-win_amd64.pyd

Filesize
70KB

MD5
85ea029283f963773fd11fc6db68e58d

SHA1
1e155b263df08417265d0be063ec8ff5c2b7e26c

SHA256
a92281031d1373d3c71c36689b6499c144f0667c7fc56b14bb8abd107942a0c2

SHA512
04e8420f0372ba5972a4508ef2f4fec18d8403b3267d41f0d8b56e3bf5a45559f87b883c455255147f55160f9a6cb26ac902e599818bdfa8d4a02959b0a72c67

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43282\_ctypes.pyd

Filesize
57KB

MD5
2346cf6a1ad336f3ee23c4ec3ff7871c

SHA1
e36b759c0b78d2def431aa11bcbb7d7cf02f1eea

SHA256
490a11d03dd3aeb05a410eb0d285e3da788e73b643ea9914fffd5a2c102dc1df

SHA512
7a92de4937b23952e2a31bb09a58b2ad81c06da23704e4b4f964eb42948adad1a1e57920c021283da1b7154e7ac19e46031ffee6b69a73acbc85d95ef45bf8ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43282\_decimal.pyd

Filesize
104KB

MD5
9b801838394e97e30c99dcf5f9fcc8fa

SHA1
33fb049b2f98bcb2f2cb9508be2408a6698243be

SHA256
15668e03f9c55f07184ec9c048a8569f7d7ebd9ea6dbef145f1f3b581f8623f3

SHA512
5f074c82f344ca43a07a59132fab59e3504e314a2f7673bfec906782b947daf8fe45a1b956f72502eae72f01369a3bb1fbb73b10dc605d43b889a6700bd98a28

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43282\_hashlib.pyd

Filesize
33KB

MD5
7fd141630dfa2500f5bf4c61e2c2d034

SHA1
0f8d1dfae2cbce1ad714c93216f01bf7001aabda

SHA256
689f0ac1d44481688cd4ae90b6f801176a52ff4bb4170c62575ea58f44452e15

SHA512
c6b7b1aefb7280f38d63f4ab84a349ebb696ca7300b7a451e7a994baff7e0a83fb4488c43ed3160b94dec74e0d27417d68913056b3006c8c6da11e39681f512e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43282\_lzma.pyd

Filesize
84KB

MD5
ab6a735ad62592c7c8ea0b06cb57317a

SHA1
e27a0506800b5bbc2b350e39899d260164af2cd1

SHA256
0ebdf15c1c6d59e49716dfb4601f0abe6383449c70db1a349c6ad486742144a8

SHA512
9a285593cd8cc29844688723d8907e55a9f8a3109f9538cc4140912cc973f495de32779a4cd4a48dc62d680fdf81a5797e4e9c33f236a803082dfc3c00d02060

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43282\_multiprocessing.pyd

Filesize
25KB

MD5
241a977372d63b46b6ae4f7227579cc3

SHA1
21c8fa02217ec69c5cc9a1cc9edaa5de6f8d9f91

SHA256
04e56f1c6919f2987f205e9e3afa16d945eeaffa415c746104ccb7763c067f9c

SHA512
7aeaa94a5cd46d604370e430c72724b683e149af7e032c85708e33bfb94fb6a9ccc52c70bc701dfb94b4ae55d4e8acd8e394efb6cd81466fd9fa1a6addaa4ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43282\_overlapped.pyd

Filesize
30KB

MD5
ef52dc3e7d12795745e23487026a5b5e

SHA1
6c9f488a9eaabdc6db11ed2c32231d518a8b8f42

SHA256
b1b56328df4b19cf04586303f693979536253078fc7017b4ac4ae6d730296b1f

SHA512
8b3c311bf4a54eaa21fa1db058037b274bd3b9e838e844537269f8e0102ad47ca7181e73bbb4f5269100cfe82499bb0787bc04943b02e36ea0ab26bfa8e65326

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43282\_queue.pyd

Filesize
24KB

MD5
71955beaf83aca364ed64285021781ca

SHA1
cac93d08f9085079fb32e6fc6d8e4fc8cd9115e6

SHA256
3df280391d7275e73aef70af228bb21c03434147ae9fe31e8c620ea151e08b30

SHA512
9b055a0273ace0f9b673e015a20c8867689090608fffaf85c54636f061cf595de1e6c9bfc2d8ea75fa4dd247b4af0493022f24d6a931b53e7f60009a85b45601

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43282\_socket.pyd

Filesize
41KB

MD5
53dc1aa457a1e3b4f6c8baed19a6ca0a

SHA1
290a572e981cc5ce896dc52a53f112d9eaaefc39

SHA256
26200892f616f859e82c167701ab866b8291eabbe808dd18c434cc80ebeedf19

SHA512
460de92115288e0e95fd03837df775e5f34425784c18ab7e9ad0885511166371647a6f06d95ffa6c3437de69895d46cd4cddcda2841ccdb5ef268b1a857837e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43282\_sqlite3.pyd

Filesize
54KB

MD5
1c5e0718dce15682d32185f1e1f8df7d

SHA1
f59662db717663ed1589328c5749bb8b44a0d053

SHA256
56f74ec6490b916c513b618635edaa22cb2374a92e5f79549c1e2b7c5c37f31d

SHA512
702f8348d2fe08ec10e0120129e64c12368c971ea52852cd0c7d26fd159f5b34bc808b9b318168aaa81366ed4944909e305d4e9727f0374d921eddb54ea22cf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43282\_ssl.pyd

Filesize
60KB

MD5
df5a6f6c547300a7c87005eb0fafcfa0

SHA1
c792342e964a1c8a776e5203f3eee7908e6cad09

SHA256
dea09b9750c26813130ca32db0b4455796e12a3d61bb52066d5a53302bcce0ce

SHA512
018a79871faa2cf6a1644e96f10750ddccccd56436720faf760808b1997940f9bcd2866a4533b903058ab608629ff8ed46fadb788e4a6714b19775d557dd69b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43282\_uuid.pyd

Filesize
21KB

MD5
cf378e1866edaa02db65a838f0e0ad8e

SHA1
cc66b98b3289a126fa4cf960d89cbbecff0f5aa8

SHA256
caabfac7123e70906fafe3a34d11c0c87c62695b2716a5f95b032bb54982744e

SHA512
cdb6fb5861fee4eeee49dd79ba164ef8538235b0b41e505dd59f1b5a79256390a4bb920ade9ff58abdc41c738ec6f316d387df4f588b673d8f324e5c1c32a9c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43282\base_library.zip

Filesize
1.4MB

MD5
ccb6351e5ba35fde70f9526948be531d

SHA1
991354b702d8394c471cafa42c75a8962acdb13b

SHA256
9bc15f8e3dd29eac77f1234f4a66e371b9ceedf44099d70100ce04e4cff36f5a

SHA512
ab7abd00aefeaf9ba550a453962786bf9b4485d1d2aaf16d2ff8c801a18a23665f3ed264bf686946434f98b5d63650d18a3755f39307fb902a8096e9e71aa63c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43282\bound.luna

Filesize
10.7MB

MD5
a36e249c2d826e8f339c1ce33158cf58

SHA1
ed7f522193e7070e3fb7e707d04e640d58d4e95c

SHA256
8c02428b2069a241d51acec2f11c9c7ba261f758f6042032a0e09732e24d23a9

SHA512
b8ed6d1af3346d818d4c48fc46205cfd638773e561e439bebd8c58ac5b750ae2e4e0f0c82a79281b572488eaf8386fb6d5368e42f38ff47dfbbabcf943f272da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43282\libcrypto-1_1.dll

Filesize
1.1MB

MD5
571796599d616a0d12aa34be09242c22

SHA1
0e0004ab828966f0c8a67b2f10311bb89b6b74ac

SHA256
6242d2e13aef871c4b8cfd75fc0f8530e8dccfeaba8f1b66280e9345f52b833b

SHA512
7362a6c887600fafc1a45413823f006589bb95a76ac052b6c7022356a7a9a6e8cd3e76f59cecf152e189323791d9626a6fdb7a98bf3a5250d517b746c3e84e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43282\libffi-8.dll

Filesize
24KB

MD5
24ea21ebcc3bef497d2bd208e7986f88

SHA1
d936f79431517b9687ee54d837e9e4be7afc082d

SHA256
18c097ef19f3e502a025c1d63cfec73a4fa30c5482286f4000d40d4784a0070a

SHA512
1bdbeddd812ecc2cdfbbf3498b0a8ef551cc18ce73fc30eb40b415fab0cdd20b80057a25a33ca2f9247b08978838df3587a3caf6e1a8e108c5a9a4f67dd75a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43282\libssl-1_1.dll

Filesize
203KB

MD5
aabafc5d0e409123ae5e4523d9b3dee2

SHA1
4d0a1834ed4e4ceecb04206e203d916eb22e981b

SHA256
84e4c37fb28b6cf79e2386163fe6bb094a50c1e8825a4bcdb4cb216f4236d831

SHA512
163f29ad05e830367af3f2107e460a587f4710b8d9d909a01e04cd8cfee115d8f453515e089a727a6466ce0e2248a56f14815588f7df6d42fe1580e1b25369cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43282\luna.aes

Filesize
5.8MB

MD5
f435b69caada2abe1ef6c192b267e351

SHA1
b106981c41d5f7fa8a3f12eeb9ab03021f4714fa

SHA256
3cc3cc92a5e151be0dfff9967ec403c9d8b5c8b153e30c3e69b30b30fc9c32e0

SHA512
5df034c68db53beb32357823b54819f3b524d737dec5c06c4c8b382277744e628ee84eccc92c03d7fcc1a8e9c9c0baef2a275fbd00c767be43f7250a9b0cb97d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43282\pyexpat.pyd

Filesize
86KB

MD5
c498ed10d7245560412f9df527508b5c

SHA1
b84b57a54a1a9c5631f4d0b8ac31694786cc822b

SHA256
297ec9e654500400ba5731101b65d29c14d0305ae9f6c05b9763f57ab150b07d

SHA512
ab8bcf6e4a395944316e19aa7aa598e8bfeaa038f4ae086fcede6d01747b670896d640dbf4992630fcbd737d2be3ab627b7be8ad36437629671387f4aaf85957

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43282\python3.DLL

Filesize
64KB

MD5
34e49bb1dfddf6037f0001d9aefe7d61

SHA1
a25a39dca11cdc195c9ecd49e95657a3e4fe3215

SHA256
4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281

SHA512
edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43282\python311.dll

Filesize
1.6MB

MD5
4fcf14c7837f8b127156b8a558db0bb2

SHA1
8de2711d00bef7b5f2dcf8a2c6871fa1db67cf1f

SHA256
a67df621a383f4ce5a408e0debe3ebc49ffc766d6a1d6d9a7942120b8ec054dc

SHA512
7a6195495b48f66c35b273a2c9d7ff59e96a4180ea8503f31c8b131167c6cdddd8d6fe77388a34096964a73c85eab504281a14ae3d05350cfee5c51d2491cec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43282\pywin32_system32\pywintypes311.dll

Filesize
62KB

MD5
04ce7664658c9c18527594708550d59e

SHA1
1db7e6722aaea33d92fba441fca294600d904103

SHA256
e3be247830c23a1751e1bab98d02ba5da3721d2a85469eda3764fc583ca2a6ff

SHA512
e9744b2eee5fa848d5ac83622a6b1c1a1009d7ad8a944bda7a118dd75d8d24218fa2e4ef67718caabda0dd67efdd5be1497705afef8edec830f1b2402d0f0a8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43282\select.pyd

Filesize
24KB

MD5
0dc8f694b3e6a3682b3ff098bd2468f6

SHA1
737252620116c6ac5c527f99d3914e608a0e5a74

SHA256
818120c08358b6b4d1234b7456c7b5c777af8473e26314a6a6c0f37237d53208

SHA512
d0e704d52b0c5e24c07447a60d71ccec490ec15ecb6b4532b2e93ac07036bda7f27051f80dac1ef3705b0186f35f9d6dfc05415412e483b68fd79f1098411123

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43282\sqlite3.dll

Filesize
608KB

MD5
605b722497acc50ffb33ebdb6afaf1f0

SHA1
e24c55472c827d4b519e5b6f0a3cfc49e10d1fa9

SHA256
a61016520a3f228285e32e40d878fe449450136c55aa9d4d7b54006a8dc7f339

SHA512
9611afc66cd1236cea1fce94e8ecf8e4d2168db3b51d8d9a799b574e8523ca0aea48da6b6c15fc863dd737b9c394ac6e56d2f3fa45e29792b630da389cb21dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43282\unicodedata.pyd

Filesize
293KB

MD5
2b1809546e4bc9d67ea69d24f75edce0

SHA1
9d076445dfa2f58964a6a1fd1844f6fe82645952

SHA256
89cbb2814a75a5bd53acbfb1fe090ca8395c4a7f559acd4fe0187758c172623a

SHA512
5ae015add4697e8290eb881fa770bca2fa22ba8376b86b26f7880d4f92ad362e741042926a4c47cc3413c83f445e372ffda915bcf8567673d807bd2dac28fbbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI68282\cryptography-43.0.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI75162\pycountry\locales\de\LC_MESSAGES\iso3166-2.mo

Filesize
207KB

MD5
fbc3184600f4c885296f36ab500adccd

SHA1
18db52aea5d8fa61653d091af853b19b2c3dd475

SHA256
466aab6a14a6aabfee4ce464f34b404c3252d0f6f28336f1dda972658ed7aa19

SHA512
b01c184aaecf7fc7101d40070314641d14d75ff47d22d01dba337d0941bddd084c30d7b9985fc376b2ce54c24b8c4de1ccc3227f2e322de6f3bfbc7838fd5cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI75162\pycountry\locales\fr\LC_MESSAGES\iso639-3.mo

Filesize
409KB

MD5
972591ca80602d1e82cf3d75d0729d0e

SHA1
94017f374fc09f3baceae08803c76f059b6dbe0d

SHA256
c28273b7da4ca5af1cfbabdd9070219a37afa2cb88bd859aa96ba71271a7dcee

SHA512
550b4e1f2b6540c1dbfbad2a43b15282204b80e2776075cfc3c20053e30c0b46fe205e71fa9a2258220ffd76443cf7f7296e86ffa39c6329dae4d413a0cdc357

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI75162\pycountry\locales\sr@latin\LC_MESSAGES\iso3166-2.mo

Filesize
118KB

MD5
540ca9b22149c3688036b7d0e0979a02

SHA1
aa908ea7c8e8583ea7b712a90e290ad085a69fd2

SHA256
8e85ae3da5e61a4b629ae3d2ac47898c361664ca1c4c01cd0617afe07c723a4d

SHA512
dbf239521d6da964a0b5dc98f4ec8e3d6312b24d02313874f64144137901d80e3b225d332f953c8ecf518fbeefcf8ad1a5e3b7c015828894f2721b719f585e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kl4r2onw.bvd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 12840.crdownload

Filesize
49.1MB

MD5
6a40f196a04e626accaaef03bef85174

SHA1
845a156507206202ea1f2eed106423daad083123

SHA256
749cf24a0a1df66a62079a1a49240d89477cf4998d5aed686aa73a5fb1a869b9

SHA512
2d6d4f0dfdc2e8df55a682892241afd4e8b131aad41a46599ceea7aa5db5ca17a473d1dfca4a3ea3e5325bc06f796a1894bce0e1667bf6d4d9925d33425bed4e

Download Submit
memory/3348-2618-0x00007FFCD1240000-0x00007FFCD13B3000-memory.dmp

Filesize
1.4MB

Download
memory/3348-2610-0x00007FFCCF550000-0x00007FFCCF8C5000-memory.dmp

Filesize
3.5MB

Download
memory/3348-2595-0x00007FFCD0250000-0x00007FFCD0838000-memory.dmp

Filesize
5.9MB

Download
memory/3608-1038-0x00007FFCD1260000-0x00007FFCD126D000-memory.dmp

Filesize
52KB

Download
memory/3608-1099-0x00007FFCD17B0000-0x00007FFCD186C000-memory.dmp

Filesize
752KB

Download
memory/3608-999-0x00007FFCD0250000-0x00007FFCD0838000-memory.dmp

Filesize
5.9MB

Download
memory/3608-962-0x00007FFCE5D60000-0x00007FFCE5D6F000-memory.dmp

Filesize
60KB

Download
memory/3608-960-0x00007FFCE4760000-0x00007FFCE4784000-memory.dmp

Filesize
144KB

Download
memory/3608-1003-0x00007FFCD1690000-0x00007FFCD17AC000-memory.dmp

Filesize
1.1MB

Download
memory/3608-1004-0x00007FFCD2AC0000-0x00007FFCD2AEE000-memory.dmp

Filesize
184KB

Download
memory/3608-1007-0x00007FFCCF550000-0x00007FFCCF8C5000-memory.dmp

Filesize
3.5MB

Download
memory/3608-1006-0x000002634DE70000-0x000002634E1E5000-memory.dmp

Filesize
3.5MB

Download
memory/3608-1005-0x00007FFCD13C0000-0x00007FFCD1478000-memory.dmp

Filesize
736KB

Download
memory/3608-1010-0x00007FFCD2AA0000-0x00007FFCD2AB4000-memory.dmp

Filesize
80KB

Download
memory/3608-1009-0x00007FFCD1330000-0x00007FFCD13B7000-memory.dmp

Filesize
540KB

Download
memory/3608-1008-0x00007FFCDAEB0000-0x00007FFCDAEC9000-memory.dmp

Filesize
100KB

Download
memory/3608-1012-0x00007FFCD2B20000-0x00007FFCD2B4E000-memory.dmp

Filesize
184KB

Download
memory/3608-1013-0x00007FFCD1D80000-0x00007FFCD1DA6000-memory.dmp

Filesize
152KB

Download
memory/3608-1011-0x00007FFCDF4C0000-0x00007FFCDF4CB000-memory.dmp

Filesize
44KB

Download
memory/3608-1014-0x00007FFCDD6A0000-0x00007FFCDD6AA000-memory.dmp

Filesize
40KB

Download
memory/3608-1015-0x00007FFCD2A80000-0x00007FFCD2A98000-memory.dmp

Filesize
96KB

Download
memory/3608-1020-0x00007FFCD2AC0000-0x00007FFCD2AEE000-memory.dmp

Filesize
184KB

Download
memory/3608-1019-0x00007FFCD00D0000-0x00007FFCD0243000-memory.dmp

Filesize
1.4MB

Download
memory/3608-1018-0x00007FFCD13C0000-0x00007FFCD1478000-memory.dmp

Filesize
736KB

Download
memory/3608-1017-0x00007FFCD1300000-0x00007FFCD1323000-memory.dmp

Filesize
140KB

Download
memory/3608-1016-0x00007FFCD1690000-0x00007FFCD17AC000-memory.dmp

Filesize
1.1MB

Download
memory/3608-1022-0x00007FFCD12C0000-0x00007FFCD12F6000-memory.dmp

Filesize
216KB

Download
memory/3608-1021-0x000002634DE70000-0x000002634E1E5000-memory.dmp

Filesize
3.5MB

Download
memory/3608-1002-0x00007FFCE4760000-0x00007FFCE4784000-memory.dmp

Filesize
144KB

Download
memory/3608-1040-0x00007FFCD1230000-0x00007FFCD123C000-memory.dmp

Filesize
48KB

Download
memory/3608-1025-0x00007FFCD3A50000-0x00007FFCD3A5B000-memory.dmp

Filesize
44KB

Download
memory/3608-1043-0x00007FFCD0890000-0x00007FFCD08AC000-memory.dmp

Filesize
112KB

Download
memory/3608-1044-0x00007FFCCF120000-0x00007FFCCF542000-memory.dmp

Filesize
4.1MB

Download
memory/3608-1042-0x00007FFCD08B0000-0x00007FFCD08BB000-memory.dmp

Filesize
44KB

Download
memory/3608-1041-0x00007FFCD08C0000-0x00007FFCD08E9000-memory.dmp

Filesize
164KB

Download
memory/3608-1039-0x00007FFCD1240000-0x00007FFCD1252000-memory.dmp

Filesize
72KB

Download
memory/3608-1037-0x00007FFCD1270000-0x00007FFCD127C000-memory.dmp

Filesize
48KB

Download
memory/3608-1036-0x00007FFCD1290000-0x00007FFCD129B000-memory.dmp

Filesize
44KB

Download
memory/3608-1045-0x00007FFCCC4F0000-0x00007FFCCD897000-memory.dmp

Filesize
19.7MB

Download
memory/3608-1035-0x00007FFCD1280000-0x00007FFCD128C000-memory.dmp

Filesize
48KB

Download
memory/3608-1034-0x00007FFCD12A0000-0x00007FFCD12AB000-memory.dmp

Filesize
44KB

Download
memory/3608-1033-0x00007FFCD14D0000-0x00007FFCD14DE000-memory.dmp

Filesize
56KB

Download
memory/3608-1032-0x00007FFCD12B0000-0x00007FFCD12BC000-memory.dmp

Filesize
48KB

Download
memory/3608-1031-0x00007FFCD1670000-0x00007FFCD167C000-memory.dmp

Filesize
48KB

Download
memory/3608-1030-0x00007FFCD1680000-0x00007FFCD168C000-memory.dmp

Filesize
48KB

Download
memory/3608-1029-0x00007FFCD1D60000-0x00007FFCD1D6B000-memory.dmp

Filesize
44KB

Download
memory/3608-1028-0x00007FFCD1D70000-0x00007FFCD1D7C000-memory.dmp

Filesize
48KB

Download
memory/3608-1027-0x00007FFCD3200000-0x00007FFCD320B000-memory.dmp

Filesize
44KB

Download
memory/3608-1026-0x00007FFCD33F0000-0x00007FFCD33FC000-memory.dmp

Filesize
48KB

Download
memory/3608-1024-0x00007FFCDB560000-0x00007FFCDB56B000-memory.dmp

Filesize
44KB

Download
memory/3608-1023-0x00007FFCCF550000-0x00007FFCCF8C5000-memory.dmp

Filesize
3.5MB

Download
memory/3608-1048-0x00007FFCCF050000-0x00007FFCCF072000-memory.dmp

Filesize
136KB

Download
memory/3608-1047-0x00007FFCD00D0000-0x00007FFCD0243000-memory.dmp

Filesize
1.4MB

Download
memory/3608-1049-0x00007FFCCEE00000-0x00007FFCCF048000-memory.dmp

Filesize
2.3MB

Download
memory/3608-1046-0x00007FFCD1300000-0x00007FFCD1323000-memory.dmp

Filesize
140KB

Download
memory/3608-1061-0x00007FFCD0250000-0x00007FFCD0838000-memory.dmp

Filesize
5.9MB

Download
memory/3608-1001-0x00007FFCD2AF0000-0x00007FFCD2B1B000-memory.dmp

Filesize
172KB

Download
memory/3608-1118-0x00007FFCD12B0000-0x00007FFCD12BC000-memory.dmp

Filesize
48KB

Download
memory/3608-1117-0x00007FFCD1670000-0x00007FFCD167C000-memory.dmp

Filesize
48KB

Download
memory/3608-1116-0x00007FFCD1680000-0x00007FFCD168C000-memory.dmp

Filesize
48KB

Download
memory/3608-1115-0x00007FFCD1D60000-0x00007FFCD1D6B000-memory.dmp

Filesize
44KB

Download
memory/3608-1114-0x00007FFCD1D70000-0x00007FFCD1D7C000-memory.dmp

Filesize
48KB

Download
memory/3608-1113-0x00007FFCD3200000-0x00007FFCD320B000-memory.dmp

Filesize
44KB

Download
memory/3608-1112-0x00007FFCD33F0000-0x00007FFCD33FC000-memory.dmp

Filesize
48KB

Download
memory/3608-1111-0x00007FFCD3A50000-0x00007FFCD3A5B000-memory.dmp

Filesize
44KB

Download
memory/3608-1110-0x00007FFCDB560000-0x00007FFCDB56B000-memory.dmp

Filesize
44KB

Download
memory/3608-1109-0x00007FFCD12C0000-0x00007FFCD12F6000-memory.dmp

Filesize
216KB

Download
memory/3608-1108-0x00007FFCD2A80000-0x00007FFCD2A98000-memory.dmp

Filesize
96KB

Download
memory/3608-1107-0x00007FFCDD6A0000-0x00007FFCDD6AA000-memory.dmp

Filesize
40KB

Download
memory/3608-1106-0x00007FFCD1D80000-0x00007FFCD1DA6000-memory.dmp

Filesize
152KB

Download
memory/3608-1105-0x00007FFCDF4C0000-0x00007FFCDF4CB000-memory.dmp

Filesize
44KB

Download
memory/3608-1104-0x00007FFCD12A0000-0x00007FFCD12AB000-memory.dmp

Filesize
44KB

Download
memory/3608-1103-0x00007FFCD2AA0000-0x00007FFCD2AB4000-memory.dmp

Filesize
80KB

Download
memory/3608-1102-0x00007FFCD1300000-0x00007FFCD1323000-memory.dmp

Filesize
140KB

Download
memory/3608-1101-0x00007FFCD14D0000-0x00007FFCD14DE000-memory.dmp

Filesize
56KB

Download
memory/3608-1100-0x00007FFCD1290000-0x00007FFCD129B000-memory.dmp

Filesize
44KB

Download
memory/3608-1098-0x00007FFCD2B20000-0x00007FFCD2B4E000-memory.dmp

Filesize
184KB

Download
memory/3608-1097-0x00007FFCE4860000-0x00007FFCE486D000-memory.dmp

Filesize
52KB

Download
memory/3608-1096-0x00007FFCE5300000-0x00007FFCE530D000-memory.dmp

Filesize
52KB

Download
memory/3608-1095-0x00007FFCDAEB0000-0x00007FFCDAEC9000-memory.dmp

Filesize
100KB

Download
memory/3608-1094-0x00007FFCD3A60000-0x00007FFCD3A95000-memory.dmp

Filesize
212KB

Download
memory/3608-1093-0x00007FFCD5990000-0x00007FFCD59BD000-memory.dmp

Filesize
180KB

Download
memory/3608-1092-0x00007FFCE43B0000-0x00007FFCE43C9000-memory.dmp

Filesize
100KB

Download
memory/3608-1091-0x00007FFCE5D60000-0x00007FFCE5D6F000-memory.dmp

Filesize
60KB

Download
memory/3608-1090-0x00007FFCE4760000-0x00007FFCE4784000-memory.dmp

Filesize
144KB

Download
memory/3608-1089-0x00007FFCD2AF0000-0x00007FFCD2B1B000-memory.dmp

Filesize
172KB

Download
memory/3608-1084-0x00007FFCD00D0000-0x00007FFCD0243000-memory.dmp

Filesize
1.4MB

Download
memory/3608-1077-0x00007FFCD1330000-0x00007FFCD13B7000-memory.dmp

Filesize
540KB

Download
memory/3608-1076-0x00007FFCCF550000-0x00007FFCCF8C5000-memory.dmp

Filesize
3.5MB

Download
memory/3608-1075-0x00007FFCD13C0000-0x00007FFCD1478000-memory.dmp

Filesize
736KB

Download
memory/3608-1074-0x00007FFCD2AC0000-0x00007FFCD2AEE000-memory.dmp

Filesize
184KB

Download
memory/3608-1073-0x00007FFCD1690000-0x00007FFCD17AC000-memory.dmp

Filesize
1.1MB

Download
memory/3608-1119-0x00007FFCD1280000-0x00007FFCD128C000-memory.dmp

Filesize
48KB

Download
memory/3608-1121-0x00007FFCD1260000-0x00007FFCD126D000-memory.dmp

Filesize
52KB

Download
memory/3608-1123-0x00007FFCD1230000-0x00007FFCD123C000-memory.dmp

Filesize
48KB

Download
memory/3608-1122-0x00007FFCD1240000-0x00007FFCD1252000-memory.dmp

Filesize
72KB

Download
memory/3608-1120-0x00007FFCD1270000-0x00007FFCD127C000-memory.dmp

Filesize
48KB

Download
memory/3608-1000-0x00007FFCD17B0000-0x00007FFCD186C000-memory.dmp

Filesize
752KB

Download
memory/3608-992-0x00007FFCDAEB0000-0x00007FFCDAEC9000-memory.dmp

Filesize
100KB

Download
memory/3608-994-0x00007FFCE5300000-0x00007FFCE530D000-memory.dmp

Filesize
52KB

Download
memory/3608-997-0x00007FFCE4860000-0x00007FFCE486D000-memory.dmp

Filesize
52KB

Download
memory/3608-998-0x00007FFCD2B20000-0x00007FFCD2B4E000-memory.dmp

Filesize
184KB

Download
memory/3608-990-0x00007FFCD3A60000-0x00007FFCD3A95000-memory.dmp

Filesize
212KB

Download
memory/3608-952-0x00007FFCD0250000-0x00007FFCD0838000-memory.dmp

Filesize
5.9MB

Download
memory/3608-988-0x00007FFCD5990000-0x00007FFCD59BD000-memory.dmp

Filesize
180KB

Download
memory/3608-987-0x00007FFCE43B0000-0x00007FFCE43C9000-memory.dmp

Filesize
100KB

Download
memory/6228-3475-0x00007FFCCC630000-0x00007FFCCCC18000-memory.dmp

Filesize
5.9MB

Download
memory/6228-3483-0x00007FFCCE020000-0x00007FFCCE193000-memory.dmp

Filesize
1.4MB

Download