exelastealer | 809f13952b78b386ca677565f56b89d8989e674f292938571c8efa29af11f6c3

Analysis

max time kernel
72s
max time network
67s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
14-09-2024 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sample.html
Size

16KB
MD5

f7858f9536dbe492031d69b8e4b1f643
SHA1

9118a2dc86f32e01b0f8572ca541dcc27078a57c
SHA256

809f13952b78b386ca677565f56b89d8989e674f292938571c8efa29af11f6c3
SHA512

b2f7392717ca892d5b7ac2b31f01492adebf87287621fcc858f6809c582778ca2ed9e41c777159a211f7f08ed3ceee30ca08136e0576101ee5a0fe8d18aa34e5
SSDEEP

192:PNxqvrHA1oqTJkNr+f23Plh/67byQCIaSG1SeQFrPpWRU1c+ILW+yHJN:qTg+oJkNifKx63XNaZQFrPjW+IyDN

Score

10^/10

exelastealer collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 1 IoCs

flow	pid	Process
57	7540	Boostrapper.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
7880	powershell.exe

Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4624	netsh.exe
1464	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4972	cmd.exe
5096	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
1068	Boostrapper.exe
5668	Boostrapper.exe
7764	Boostrapper.exe
7540	Boostrapper.exe
8068	bound.exe
5828	bound.exe
5888	Boostrapper.exe
5788	Boostrapper.exe
5456	Boostrapper.exe
5580	Boostrapper.exe

Loads dropped DLL 64 IoCs

pid	Process
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
7540	Boostrapper.exe
7540	Boostrapper.exe
7540	Boostrapper.exe
7540	Boostrapper.exe
7540	Boostrapper.exe
7540	Boostrapper.exe
7540	Boostrapper.exe
7540	Boostrapper.exe
7540	Boostrapper.exe
7540	Boostrapper.exe
7540	Boostrapper.exe
7540	Boostrapper.exe
7540	Boostrapper.exe
7540	Boostrapper.exe
7540	Boostrapper.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000100000002ae6d-1224.dat	upx
behavioral1/memory/5668-1228-0x00007FF808210000-0x00007FF8087F8000-memory.dmp	upx
behavioral1/files/0x000100000002aaa6-1237.dat	upx
behavioral1/memory/5668-1238-0x00007FF826C20000-0x00007FF826C2F000-memory.dmp	upx
behavioral1/files/0x000100000002aa87-1243.dat	upx
behavioral1/files/0x000100000002aa8e-1264.dat	upx
behavioral1/files/0x000100000002aa8b-1261.dat	upx
behavioral1/files/0x000100000002ae70-1273.dat	upx
behavioral1/memory/5668-1279-0x00007FF808150000-0x00007FF80820C000-memory.dmp	upx
behavioral1/files/0x000100000002ae7f-1281.dat	upx
behavioral1/memory/5668-1282-0x00007FF80BBB0000-0x00007FF80BBDB000-memory.dmp	upx
behavioral1/memory/5668-1278-0x00007FF80BD60000-0x00007FF80BD8E000-memory.dmp	upx
behavioral1/files/0x000100000002ae7c-1283.dat	upx
behavioral1/memory/5668-1285-0x00007FF808030000-0x00007FF80814C000-memory.dmp	upx
behavioral1/memory/5668-1284-0x00007FF808210000-0x00007FF8087F8000-memory.dmp	upx
behavioral1/files/0x000100000002ae6f-1277.dat	upx
behavioral1/memory/5668-1272-0x00007FF81C170000-0x00007FF81C189000-memory.dmp	upx
behavioral1/memory/5668-1271-0x00007FF821310000-0x00007FF82131D000-memory.dmp	upx
behavioral1/memory/5668-1270-0x00007FF8213E0000-0x00007FF8213ED000-memory.dmp	upx
behavioral1/memory/5668-1269-0x00007FF8108F0000-0x00007FF810925000-memory.dmp	upx
behavioral1/files/0x000100000002aa8a-1268.dat	upx
behavioral1/files/0x000100000002ae71-1267.dat	upx
behavioral1/files/0x000100000002ae6b-1265.dat	upx
behavioral1/files/0x000100000002aa8d-1263.dat	upx
behavioral1/files/0x000100000002aa8c-1262.dat	upx
behavioral1/files/0x000100000002aa89-1259.dat	upx
behavioral1/files/0x000100000002aaa7-1290.dat	upx
behavioral1/memory/5668-1292-0x00007FF807BC0000-0x00007FF807C78000-memory.dmp	upx
behavioral1/memory/5668-1291-0x00007FF807C80000-0x00007FF807FF5000-memory.dmp	upx
behavioral1/memory/5668-1289-0x00007FF808000000-0x00007FF80802E000-memory.dmp	upx
behavioral1/files/0x000100000002aaa5-1288.dat	upx
behavioral1/memory/5668-1287-0x00007FF81C240000-0x00007FF81C264000-memory.dmp	upx
behavioral1/memory/5668-1297-0x00007FF81BE10000-0x00007FF81BE24000-memory.dmp	upx
behavioral1/files/0x000100000002aa96-1301.dat	upx
behavioral1/memory/5668-1311-0x00007FF811AF0000-0x00007FF811B08000-memory.dmp	upx
behavioral1/memory/5668-1310-0x00007FF8180B0000-0x00007FF8180BA000-memory.dmp	upx
behavioral1/memory/5668-1316-0x00007FF807900000-0x00007FF807A73000-memory.dmp	upx
behavioral1/memory/5668-1322-0x00007FF80BD50000-0x00007FF80BD5C000-memory.dmp	upx
behavioral1/memory/5668-1325-0x00007FF8078A0000-0x00007FF8078AB000-memory.dmp	upx
behavioral1/memory/5668-1336-0x00007FF807820000-0x00007FF80782C000-memory.dmp	upx
behavioral1/memory/5668-1338-0x00007FF8077F0000-0x00007FF807802000-memory.dmp	upx
behavioral1/memory/5668-1342-0x00007FF807780000-0x00007FF80779C000-memory.dmp	upx
behavioral1/memory/5668-1341-0x00007FF8077A0000-0x00007FF8077AB000-memory.dmp	upx
behavioral1/memory/5668-1340-0x00007FF8077B0000-0x00007FF8077D9000-memory.dmp	upx
behavioral1/memory/5668-1339-0x00007FF8077E0000-0x00007FF8077EC000-memory.dmp	upx
behavioral1/memory/5668-1337-0x00007FF807810000-0x00007FF80781D000-memory.dmp	upx
behavioral1/memory/5668-1335-0x00007FF8078C0000-0x00007FF8078F7000-memory.dmp	upx
behavioral1/memory/5668-1334-0x00007FF807860000-0x00007FF80786C000-memory.dmp	upx
behavioral1/memory/5668-1333-0x00007FF807830000-0x00007FF80783C000-memory.dmp	upx
behavioral1/memory/5668-1332-0x00007FF807840000-0x00007FF80784B000-memory.dmp	upx
behavioral1/memory/5668-1331-0x00007FF807850000-0x00007FF80785B000-memory.dmp	upx
behavioral1/memory/5668-1330-0x00007FF807900000-0x00007FF807A73000-memory.dmp	upx
behavioral1/memory/5668-1329-0x00007FF807870000-0x00007FF80787E000-memory.dmp	upx
behavioral1/memory/5668-1328-0x00007FF807A80000-0x00007FF807AA3000-memory.dmp	upx
behavioral1/memory/5668-1327-0x00007FF807880000-0x00007FF80788C000-memory.dmp	upx
behavioral1/memory/5668-1326-0x00007FF807890000-0x00007FF80789C000-memory.dmp	upx
behavioral1/memory/5668-1324-0x00007FF8078B0000-0x00007FF8078BC000-memory.dmp	upx
behavioral1/memory/5668-1323-0x00007FF80BD40000-0x00007FF80BD4B000-memory.dmp	upx
behavioral1/memory/5668-1321-0x00007FF81BE10000-0x00007FF81BE24000-memory.dmp	upx
behavioral1/memory/5668-1320-0x00007FF810C90000-0x00007FF810C9B000-memory.dmp	upx
behavioral1/memory/5668-1319-0x00007FF812DE0000-0x00007FF812DEB000-memory.dmp	upx
behavioral1/memory/5668-1318-0x00007FF807BC0000-0x00007FF807C78000-memory.dmp	upx
behavioral1/memory/5668-1317-0x00007FF8078C0000-0x00007FF8078F7000-memory.dmp	upx
behavioral1/memory/5668-1315-0x00007FF807A80000-0x00007FF807AA3000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
67	discord.com
68	discord.com
69	discord.com
52	discord.com
65	discord.com
66	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
52	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
5268	cmd.exe
6152	ARP.EXE

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
3544	tasklist.exe
5844	tasklist.exe
3244	tasklist.exe
5140	tasklist.exe
5856	tasklist.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1456	sc.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\Boostrapper.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4524	cmd.exe
3496	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
5492	NETSTAT.EXE

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
4724	WMIC.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5276	WMIC.exe
6064	WMIC.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5492	NETSTAT.EXE
336	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2892	systeminfo.exe

Kills process with taskkill 11 IoCs

evasion

pid	Process
7276	taskkill.exe
5100	taskkill.exe
388	taskkill.exe
2596	taskkill.exe
4204	taskkill.exe
6092	taskkill.exe
5576	taskkill.exe
3796	taskkill.exe
1308	taskkill.exe
5672	taskkill.exe
7372	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-661032028-162657920-1226909816-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Boostrapper.exe:Zone.Identifier	firefox.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
5668	Boostrapper.exe
7880	powershell.exe
7880	powershell.exe
7880	powershell.exe
5096	powershell.exe
5096	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3412	firefox.exe
Token: SeDebugPrivilege	3412	firefox.exe
Token: SeDebugPrivilege	5668	Boostrapper.exe
Token: SeIncreaseQuotaPrivilege	4524	WMIC.exe
Token: SeSecurityPrivilege	4524	WMIC.exe
Token: SeTakeOwnershipPrivilege	4524	WMIC.exe
Token: SeLoadDriverPrivilege	4524	WMIC.exe
Token: SeSystemProfilePrivilege	4524	WMIC.exe
Token: SeSystemtimePrivilege	4524	WMIC.exe
Token: SeProfSingleProcessPrivilege	4524	WMIC.exe
Token: SeIncBasePriorityPrivilege	4524	WMIC.exe
Token: SeCreatePagefilePrivilege	4524	WMIC.exe
Token: SeBackupPrivilege	4524	WMIC.exe
Token: SeRestorePrivilege	4524	WMIC.exe
Token: SeShutdownPrivilege	4524	WMIC.exe
Token: SeDebugPrivilege	4524	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4524	WMIC.exe
Token: SeRemoteShutdownPrivilege	4524	WMIC.exe
Token: SeUndockPrivilege	4524	WMIC.exe
Token: SeManageVolumePrivilege	4524	WMIC.exe
Token: 33	4524	WMIC.exe
Token: 34	4524	WMIC.exe
Token: 35	4524	WMIC.exe
Token: 36	4524	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4524	WMIC.exe
Token: SeSecurityPrivilege	4524	WMIC.exe
Token: SeTakeOwnershipPrivilege	4524	WMIC.exe
Token: SeLoadDriverPrivilege	4524	WMIC.exe
Token: SeSystemProfilePrivilege	4524	WMIC.exe
Token: SeSystemtimePrivilege	4524	WMIC.exe
Token: SeProfSingleProcessPrivilege	4524	WMIC.exe
Token: SeIncBasePriorityPrivilege	4524	WMIC.exe
Token: SeCreatePagefilePrivilege	4524	WMIC.exe
Token: SeBackupPrivilege	4524	WMIC.exe
Token: SeRestorePrivilege	4524	WMIC.exe
Token: SeShutdownPrivilege	4524	WMIC.exe
Token: SeDebugPrivilege	4524	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4524	WMIC.exe
Token: SeRemoteShutdownPrivilege	4524	WMIC.exe
Token: SeUndockPrivilege	4524	WMIC.exe
Token: SeManageVolumePrivilege	4524	WMIC.exe
Token: 33	4524	WMIC.exe
Token: 34	4524	WMIC.exe
Token: 35	4524	WMIC.exe
Token: 36	4524	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5276	WMIC.exe
Token: SeSecurityPrivilege	5276	WMIC.exe
Token: SeTakeOwnershipPrivilege	5276	WMIC.exe
Token: SeLoadDriverPrivilege	5276	WMIC.exe
Token: SeSystemProfilePrivilege	5276	WMIC.exe
Token: SeSystemtimePrivilege	5276	WMIC.exe
Token: SeProfSingleProcessPrivilege	5276	WMIC.exe
Token: SeIncBasePriorityPrivilege	5276	WMIC.exe
Token: SeCreatePagefilePrivilege	5276	WMIC.exe
Token: SeBackupPrivilege	5276	WMIC.exe
Token: SeRestorePrivilege	5276	WMIC.exe
Token: SeShutdownPrivilege	5276	WMIC.exe
Token: SeDebugPrivilege	5276	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5276	WMIC.exe
Token: SeRemoteShutdownPrivilege	5276	WMIC.exe
Token: SeUndockPrivilege	5276	WMIC.exe
Token: SeManageVolumePrivilege	5276	WMIC.exe
Token: 33	5276	WMIC.exe
Token: 34	5276	WMIC.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe
3412	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3768 wrote to memory of 3412	3768	firefox.exe	81
PID 3768 wrote to memory of 3412	3768	firefox.exe	81
PID 3768 wrote to memory of 3412	3768	firefox.exe	81
PID 3768 wrote to memory of 3412	3768	firefox.exe	81
PID 3768 wrote to memory of 3412	3768	firefox.exe	81
PID 3768 wrote to memory of 3412	3768	firefox.exe	81
PID 3768 wrote to memory of 3412	3768	firefox.exe	81
PID 3768 wrote to memory of 3412	3768	firefox.exe	81
PID 3768 wrote to memory of 3412	3768	firefox.exe	81
PID 3768 wrote to memory of 3412	3768	firefox.exe	81
PID 3768 wrote to memory of 3412	3768	firefox.exe	81
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2512	3412	firefox.exe	82
PID 3412 wrote to memory of 2676	3412	firefox.exe	83
PID 3412 wrote to memory of 2676	3412	firefox.exe	83
PID 3412 wrote to memory of 2676	3412	firefox.exe	83
PID 3412 wrote to memory of 2676	3412	firefox.exe	83
PID 3412 wrote to memory of 2676	3412	firefox.exe	83
PID 3412 wrote to memory of 2676	3412	firefox.exe	83
PID 3412 wrote to memory of 2676	3412	firefox.exe	83
PID 3412 wrote to memory of 2676	3412	firefox.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\sample.html"
1⤵
- Suspicious use of WriteProcessMemory
PID:3768
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\sample.html
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3412
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1916 -prefMapHandle 1908 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {52136370-7b8c-4d13-96c3-fb1216b0583b} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" gpu
    3⤵
    PID:2512
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2400 -parentBuildID 20240401114208 -prefsHandle 2392 -prefMapHandle 2388 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {face1a67-5a21-4f8e-9cac-79b4c73df189} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" socket
    3⤵
    PID:2676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3116 -childID 1 -isForBrowser -prefsHandle 3180 -prefMapHandle 3220 -prefsLen 24739 -prefMapSize 244658 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1bf72fd4-129f-4ba8-985a-8f95c9d40ada} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" tab
    3⤵
    PID:2708
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3040 -childID 2 -isForBrowser -prefsHandle 3436 -prefMapHandle 3200 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {56f5934d-acd4-4929-80a3-4ec2bf4e9300} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" tab
    3⤵
    PID:4388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4200 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4192 -prefMapHandle 4156 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e481c70-3061-4122-9c84-649e99318d75} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" utility
    3⤵
    - Checks processor information in registry
    PID:888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5360 -childID 3 -isForBrowser -prefsHandle 5372 -prefMapHandle 3864 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e930b37-34b0-46df-8fdf-1ac125f923cb} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" tab
    3⤵
    PID:4836
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5392 -childID 4 -isForBrowser -prefsHandle 5384 -prefMapHandle 5380 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e34a471c-c6f7-4d98-ae72-eabd3522f9ab} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" tab
    3⤵
    PID:3436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5784 -childID 5 -isForBrowser -prefsHandle 5532 -prefMapHandle 5392 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7af28562-a259-4384-85ba-294f6a7bf3f4} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" tab
    3⤵
    PID:1200
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5360 -childID 6 -isForBrowser -prefsHandle 5644 -prefMapHandle 5924 -prefsLen 29276 -prefMapSize 244658 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a324c326-308a-4076-b488-32f4b98a30fc} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" tab
    3⤵
    PID:4692
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2552 -childID 7 -isForBrowser -prefsHandle 3908 -prefMapHandle 3904 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ed04d2ad-b88d-40a3-ba59-f9b73fad75a7} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" tab
    3⤵
    PID:2256
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6344 -childID 8 -isForBrowser -prefsHandle 6352 -prefMapHandle 6356 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8bed4937-4cdc-4593-8dc7-8e18db52f614} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" tab
    3⤵
    PID:4636
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5512 -childID 9 -isForBrowser -prefsHandle 5484 -prefMapHandle 5500 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 968 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a5d20f92-52b3-4750-a574-d8374d537b6d} 3412 "\\.\pipe\gecko-crash-server-pipe.3412" tab
    3⤵
    PID:5064

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4912

C:\Users\Admin\Downloads\Boostrapper.exe
"C:\Users\Admin\Downloads\Boostrapper.exe"
1⤵
- Executes dropped EXE
PID:1068
- C:\Users\Admin\Downloads\Boostrapper.exe
  "C:\Users\Admin\Downloads\Boostrapper.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:5928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    PID:3448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    PID:1276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:580
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:5228
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:5276

C:\Users\Admin\Downloads\Boostrapper.exe
"C:\Users\Admin\Downloads\Boostrapper.exe"
1⤵
- Executes dropped EXE
PID:7764
- C:\Users\Admin\Downloads\Boostrapper.exe
  "C:\Users\Admin\Downloads\Boostrapper.exe"
  2⤵
  - Blocklisted process makes network request
  - Executes dropped EXE
  - Loads dropped DLL
  PID:7540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:7476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    PID:7860
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:7880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    PID:7848
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      PID:8068
    - - C:\Users\Admin\AppData\Local\Temp\bound.exe
        
        bound.exe
        5⤵
        Executes dropped EXE
        
        PID:5828
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:7916
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        6⤵
        
        PID:5588
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        7⤵
        Detects videocard installed
        
        PID:6064
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
        6⤵
        
        PID:5604
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:7848
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        7⤵
        
        PID:5792
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "gdb --version"
        6⤵
        
        PID:5612
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        6⤵
        
        PID:7540
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:5844
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
        6⤵
        
        PID:4268
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        7⤵
        
        PID:5400
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:6068
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:6012
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        6⤵
        
        PID:6076
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:3244
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        6⤵
        
        PID:5508
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:5140
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3412"
        6⤵
        
        PID:1340
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3412
        7⤵
        Kills process with taskkill
        
        PID:6092
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2512"
        6⤵
        
        PID:6640
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2512
        7⤵
        Kills process with taskkill
        
        PID:7276
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2676"
        6⤵
        
        PID:7304
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2676
        7⤵
        Kills process with taskkill
        
        PID:7372
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2708"
        6⤵
        
        PID:5648
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2708
        7⤵
        Kills process with taskkill
        
        PID:5100
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4388"
        6⤵
        
        PID:2388
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4388
        7⤵
        Kills process with taskkill
        
        PID:5576
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 888"
        6⤵
        
        PID:4248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5276
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 888
        7⤵
        Kills process with taskkill
        
        PID:3796
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1200"
        6⤵
        
        PID:880
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1200
        7⤵
        Kills process with taskkill
        
        PID:388
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4692"
        6⤵
        
        PID:3720
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4692
        7⤵
        Kills process with taskkill
        
        PID:2596
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2256"
        6⤵
        
        PID:3592
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2256
        7⤵
        Kills process with taskkill
        
        PID:1308
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4636"
        6⤵
        
        PID:1452
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4636
        7⤵
        Kills process with taskkill
        
        PID:4204
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5064"
        6⤵
        
        PID:3452
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5064
        7⤵
        Kills process with taskkill
        
        PID:5672
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        6⤵
        
        PID:2304
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        7⤵
        
        PID:5792
        
        C:\Windows\system32\chcp.com
        
        chcp
        8⤵
        
        PID:2192
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        6⤵
        
        PID:3132
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        7⤵
        
        PID:5796
        
        C:\Windows\system32\chcp.com
        
        chcp
        8⤵
        
        PID:6076
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        
        PID:2060
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        
        PID:5856
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        6⤵
        Clipboard Data
        
        PID:4972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        7⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:5096
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:5100
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3496
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        6⤵
        Network Service Discovery
        
        PID:5268
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        7⤵
        Gathers system information
        
        PID:2892
        
        C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        7⤵
        
        PID:1412
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        7⤵
        Collects information from the system
        
        PID:4724
        
        C:\Windows\system32\net.exe
        
        net user
        7⤵
        
        PID:2156
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        8⤵
        
        PID:2308
        
        C:\Windows\system32\query.exe
        
        query user
        7⤵
        
        PID:3060
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        8⤵
        
        PID:2704
        
        C:\Windows\system32\net.exe
        
        net localgroup
        7⤵
        
        PID:3824
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        8⤵
        
        PID:2396
        
        C:\Windows\system32\net.exe
        
        net localgroup administrators
        7⤵
        
        PID:5000
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        8⤵
        
        PID:3076
        
        C:\Windows\system32\net.exe
        
        net user guest
        7⤵
        
        PID:4680
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        8⤵
        
        PID:2596
        
        C:\Windows\system32\net.exe
        
        net user administrator
        7⤵
        
        PID:2344
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        8⤵
        
        PID:4528
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        7⤵
        
        PID:5416
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        7⤵
        Enumerates processes with tasklist
        
        PID:3544
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        7⤵
        Gathers network information
        
        PID:336
        
        C:\Windows\system32\ROUTE.EXE
        
        route print
        7⤵
        
        PID:1656
        
        C:\Windows\system32\ARP.EXE
        
        arp -a
        7⤵
        Network Service Discovery
        
        PID:6152
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        7⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:5492
        
        C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        7⤵
        Launches sc.exe
        
        PID:1456
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4624
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1464
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:828
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:5132
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:4984
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:2716

C:\Users\Admin\Downloads\Boostrapper.exe
"C:\Users\Admin\Downloads\Boostrapper.exe"
1⤵
- Executes dropped EXE
PID:5888
- C:\Users\Admin\Downloads\Boostrapper.exe
  "C:\Users\Admin\Downloads\Boostrapper.exe"
  2⤵
  - Executes dropped EXE
  PID:5788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:5992

C:\Users\Admin\Downloads\Boostrapper.exe
"C:\Users\Admin\Downloads\Boostrapper.exe"
1⤵
- Executes dropped EXE
PID:5456
- C:\Users\Admin\Downloads\Boostrapper.exe
  "C:\Users\Admin\Downloads\Boostrapper.exe"
  2⤵
  - Executes dropped EXE
  PID:5580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:3420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI10682\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10682\VCRUNTIME140_1.dll

Filesize
37KB

MD5
75e78e4bf561031d39f86143753400ff

SHA1
324c2a99e39f8992459495182677e91656a05206

SHA256
1758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e

SHA512
ce4daf46bce44a89d21308c63e2de8b757a23be2630360209c4a25eb13f1f66a04fbb0a124761a33bbf34496f2f2a02b8df159b4b62f1b6241e1dbfb0e5d9756

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10682\_asyncio.pyd

Filesize
34KB

MD5
936e44a303a5957709434a0c6bf4532e

SHA1
e35f0b78f61797d9277741a1ee577b5fe7af3d62

SHA256
11f1062fafb4fbca92e3b2cef97ab66ec011142f5b0312e74815decd93be458b

SHA512
cebe905b718825c1841e9c0e83dfdac95d0ff50b116ab3b91b05ca21f86f1482f5b1e13988c969244c644d17bd378792ac4967caa721f0b0e858cd92859af154

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10682\_bz2.pyd

Filesize
46KB

MD5
af3d45698d379c97a90cca9625bc5926

SHA1
0783866af330c1029253859574c369901969208e

SHA256
47af0730824f96865b5e20f8bba34b0d5f3a330087411adba71269312bf7ccec

SHA512
117e95d2ba0432f5ece882ad67a3fbf2e2cd251b4327a0d66b3fffd444e2d1813ddb568321bde1636b4180d19607db6103df145153e4ff84e9be601fd2dd5691

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10682\_cffi_backend.cp311-win_amd64.pyd

Filesize
71KB

MD5
f5a0e3f73ad4002839a85ec9b5285cc0

SHA1
2657e49964491d8b0784ab6ae157c767cf809673

SHA256
34dff4546abf4cd9d1e605f215339e6816c3aa4ef3c6028afcf00cb6241dbccf

SHA512
81d683f45b6ea1b48d0e377779c9b87ddff5b8549f00ae375ebe617fbd00d0149639a2b5c1b42ea536bde786aea50025646311b3de243c48ed192014dcc9974b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10682\_ctypes.pyd

Filesize
57KB

MD5
2346cf6a1ad336f3ee23c4ec3ff7871c

SHA1
e36b759c0b78d2def431aa11bcbb7d7cf02f1eea

SHA256
490a11d03dd3aeb05a410eb0d285e3da788e73b643ea9914fffd5a2c102dc1df

SHA512
7a92de4937b23952e2a31bb09a58b2ad81c06da23704e4b4f964eb42948adad1a1e57920c021283da1b7154e7ac19e46031ffee6b69a73acbc85d95ef45bf8ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10682\_decimal.pyd

Filesize
104KB

MD5
9b801838394e97e30c99dcf5f9fcc8fa

SHA1
33fb049b2f98bcb2f2cb9508be2408a6698243be

SHA256
15668e03f9c55f07184ec9c048a8569f7d7ebd9ea6dbef145f1f3b581f8623f3

SHA512
5f074c82f344ca43a07a59132fab59e3504e314a2f7673bfec906782b947daf8fe45a1b956f72502eae72f01369a3bb1fbb73b10dc605d43b889a6700bd98a28

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10682\_hashlib.pyd

Filesize
33KB

MD5
7fd141630dfa2500f5bf4c61e2c2d034

SHA1
0f8d1dfae2cbce1ad714c93216f01bf7001aabda

SHA256
689f0ac1d44481688cd4ae90b6f801176a52ff4bb4170c62575ea58f44452e15

SHA512
c6b7b1aefb7280f38d63f4ab84a349ebb696ca7300b7a451e7a994baff7e0a83fb4488c43ed3160b94dec74e0d27417d68913056b3006c8c6da11e39681f512e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10682\_lzma.pyd

Filesize
84KB

MD5
ab6a735ad62592c7c8ea0b06cb57317a

SHA1
e27a0506800b5bbc2b350e39899d260164af2cd1

SHA256
0ebdf15c1c6d59e49716dfb4601f0abe6383449c70db1a349c6ad486742144a8

SHA512
9a285593cd8cc29844688723d8907e55a9f8a3109f9538cc4140912cc973f495de32779a4cd4a48dc62d680fdf81a5797e4e9c33f236a803082dfc3c00d02060

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10682\_multiprocessing.pyd

Filesize
25KB

MD5
241a977372d63b46b6ae4f7227579cc3

SHA1
21c8fa02217ec69c5cc9a1cc9edaa5de6f8d9f91

SHA256
04e56f1c6919f2987f205e9e3afa16d945eeaffa415c746104ccb7763c067f9c

SHA512
7aeaa94a5cd46d604370e430c72724b683e149af7e032c85708e33bfb94fb6a9ccc52c70bc701dfb94b4ae55d4e8acd8e394efb6cd81466fd9fa1a6addaa4ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10682\_overlapped.pyd

Filesize
30KB

MD5
ef52dc3e7d12795745e23487026a5b5e

SHA1
6c9f488a9eaabdc6db11ed2c32231d518a8b8f42

SHA256
b1b56328df4b19cf04586303f693979536253078fc7017b4ac4ae6d730296b1f

SHA512
8b3c311bf4a54eaa21fa1db058037b274bd3b9e838e844537269f8e0102ad47ca7181e73bbb4f5269100cfe82499bb0787bc04943b02e36ea0ab26bfa8e65326

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10682\_queue.pyd

Filesize
24KB

MD5
71955beaf83aca364ed64285021781ca

SHA1
cac93d08f9085079fb32e6fc6d8e4fc8cd9115e6

SHA256
3df280391d7275e73aef70af228bb21c03434147ae9fe31e8c620ea151e08b30

SHA512
9b055a0273ace0f9b673e015a20c8867689090608fffaf85c54636f061cf595de1e6c9bfc2d8ea75fa4dd247b4af0493022f24d6a931b53e7f60009a85b45601

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10682\_socket.pyd

Filesize
41KB

MD5
53dc1aa457a1e3b4f6c8baed19a6ca0a

SHA1
290a572e981cc5ce896dc52a53f112d9eaaefc39

SHA256
26200892f616f859e82c167701ab866b8291eabbe808dd18c434cc80ebeedf19

SHA512
460de92115288e0e95fd03837df775e5f34425784c18ab7e9ad0885511166371647a6f06d95ffa6c3437de69895d46cd4cddcda2841ccdb5ef268b1a857837e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10682\_sqlite3.pyd

Filesize
54KB

MD5
1c5e0718dce15682d32185f1e1f8df7d

SHA1
f59662db717663ed1589328c5749bb8b44a0d053

SHA256
56f74ec6490b916c513b618635edaa22cb2374a92e5f79549c1e2b7c5c37f31d

SHA512
702f8348d2fe08ec10e0120129e64c12368c971ea52852cd0c7d26fd159f5b34bc808b9b318168aaa81366ed4944909e305d4e9727f0374d921eddb54ea22cf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10682\_ssl.pyd

Filesize
60KB

MD5
df5a6f6c547300a7c87005eb0fafcfa0

SHA1
c792342e964a1c8a776e5203f3eee7908e6cad09

SHA256
dea09b9750c26813130ca32db0b4455796e12a3d61bb52066d5a53302bcce0ce

SHA512
018a79871faa2cf6a1644e96f10750ddccccd56436720faf760808b1997940f9bcd2866a4533b903058ab608629ff8ed46fadb788e4a6714b19775d557dd69b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10682\_uuid.pyd

Filesize
21KB

MD5
cf378e1866edaa02db65a838f0e0ad8e

SHA1
cc66b98b3289a126fa4cf960d89cbbecff0f5aa8

SHA256
caabfac7123e70906fafe3a34d11c0c87c62695b2716a5f95b032bb54982744e

SHA512
cdb6fb5861fee4eeee49dd79ba164ef8538235b0b41e505dd59f1b5a79256390a4bb920ade9ff58abdc41c738ec6f316d387df4f588b673d8f324e5c1c32a9c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10682\base_library.zip

Filesize
1.4MB

MD5
481da210e644d6b317cafb5ddf09e1a5

SHA1
00fe8e1656e065d5cf897986c12ffb683f3a2422

SHA256
3242ea7a6c4c712f10108a619bf5213878146547838f7e2c1e80d2778eb0aaa0

SHA512
74d177794f0d7e67f64a4f0c9da4c3fd25a4d90eb909e942e42e5651cc1930b8a99eef6d40107aa8756e75ffbcc93284b916862e24262df897aaac97c5072210

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10682\bound.luna

Filesize
10.7MB

MD5
5a8e74c7d4ec1bdaa58b9fa99a405c80

SHA1
deeb3abd9a6fcae4bd5a6366046c1a1bf22f81c1

SHA256
306b05e120692e6f8dd906682c6791067fa82d7647ef1ef23a70105dc2559452

SHA512
98743beaa8b7b86ed3e73ec74619942639fa2af9c9f9f509e1cdddf07d1ea57d8ca10f9f7bf14fb071fe00a0c69947e179c7c39542d38c542d527a619903fad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10682\certifi\cacert.pem

Filesize
292KB

MD5
50ea156b773e8803f6c1fe712f746cba

SHA1
2c68212e96605210eddf740291862bdf59398aef

SHA256
94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47

SHA512
01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10682\charset_normalizer\md.cp311-win_amd64.pyd

Filesize
9KB

MD5
542c223312c5dbe5d21fc216dfb8cb7e

SHA1
c2922363caf50c40ac079786af12141f69248d5d

SHA256
6864ce58854fc54853f557c218bddbb73fe457b704bee24da84579d82aee6509

SHA512
2eab599c5ca6eeb8b80bccce839b37ca42c949d45d12981a1efe43df980736ede7b4fd1a23d2dbba7895948a8dfa79136549dffb9fdbf7110430f53fea557c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10682\charset_normalizer\md__mypyc.cp311-win_amd64.pyd

Filesize
39KB

MD5
d28bf4b47504d9fa10214d284bf47bca

SHA1
8ab2d660f00d4b0db47da1d691cb27c044240940

SHA256
4609d4065b796165f71f15a17dc43307219acaac2248e48c15e8e0b3ae5685be

SHA512
e6dc5e31047ae7fbe81e80d86d42c6d34faa36c4812d6c640610fb5a679acd0890e10eae3d142dfed0b2b9474b83daf162b2bceb2cadc06a70a7115dd831e074

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10682\libcrypto-1_1.dll

Filesize
1.1MB

MD5
571796599d616a0d12aa34be09242c22

SHA1
0e0004ab828966f0c8a67b2f10311bb89b6b74ac

SHA256
6242d2e13aef871c4b8cfd75fc0f8530e8dccfeaba8f1b66280e9345f52b833b

SHA512
7362a6c887600fafc1a45413823f006589bb95a76ac052b6c7022356a7a9a6e8cd3e76f59cecf152e189323791d9626a6fdb7a98bf3a5250d517b746c3e84e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10682\libffi-8.dll

Filesize
24KB

MD5
24ea21ebcc3bef497d2bd208e7986f88

SHA1
d936f79431517b9687ee54d837e9e4be7afc082d

SHA256
18c097ef19f3e502a025c1d63cfec73a4fa30c5482286f4000d40d4784a0070a

SHA512
1bdbeddd812ecc2cdfbbf3498b0a8ef551cc18ce73fc30eb40b415fab0cdd20b80057a25a33ca2f9247b08978838df3587a3caf6e1a8e108c5a9a4f67dd75a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10682\libssl-1_1.dll

Filesize
203KB

MD5
aabafc5d0e409123ae5e4523d9b3dee2

SHA1
4d0a1834ed4e4ceecb04206e203d916eb22e981b

SHA256
84e4c37fb28b6cf79e2386163fe6bb094a50c1e8825a4bcdb4cb216f4236d831

SHA512
163f29ad05e830367af3f2107e460a587f4710b8d9d909a01e04cd8cfee115d8f453515e089a727a6466ce0e2248a56f14815588f7df6d42fe1580e1b25369cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10682\luna.aes

Filesize
336KB

MD5
65849136092d928eb45c4e4cdc351703

SHA1
2eee1587aa5553a077b1051e2803daffc132c902

SHA256
c3dc9b45f799c14605bd4a1efb1a49da743d6395c3602281c1f32b44591f2a92

SHA512
a6d21a740d4d1b01432cd1048f314305f9d040c1a78b6cbb10cd7b915642925fc062c3ece12b3a29fe369aaeb4db63fda4325842d949b11bc28c47cd59753f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10682\psutil\_psutil_windows.pyd

Filesize
31KB

MD5
3adca2ff39adeb3567b73a4ca6d0253c

SHA1
ae35dde2348c8490f484d1afd0648380090e74fc

SHA256
92202b877579b74a87be769d58f9d1e8aced8a97336ad70e97d09685a10afeb3

SHA512
358d109b23cf99eb7396c450660f193e9e16f85f13737ecf29f4369b44f8356041a08443d157b325ccb5125a5f10410659761eda55f24fcc03a082ac8acdd345

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10682\pyexpat.pyd

Filesize
86KB

MD5
c498ed10d7245560412f9df527508b5c

SHA1
b84b57a54a1a9c5631f4d0b8ac31694786cc822b

SHA256
297ec9e654500400ba5731101b65d29c14d0305ae9f6c05b9763f57ab150b07d

SHA512
ab8bcf6e4a395944316e19aa7aa598e8bfeaa038f4ae086fcede6d01747b670896d640dbf4992630fcbd737d2be3ab627b7be8ad36437629671387f4aaf85957

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10682\python3.dll

Filesize
64KB

MD5
34e49bb1dfddf6037f0001d9aefe7d61

SHA1
a25a39dca11cdc195c9ecd49e95657a3e4fe3215

SHA256
4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281

SHA512
edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10682\python311.dll

Filesize
1.6MB

MD5
4fcf14c7837f8b127156b8a558db0bb2

SHA1
8de2711d00bef7b5f2dcf8a2c6871fa1db67cf1f

SHA256
a67df621a383f4ce5a408e0debe3ebc49ffc766d6a1d6d9a7942120b8ec054dc

SHA512
7a6195495b48f66c35b273a2c9d7ff59e96a4180ea8503f31c8b131167c6cdddd8d6fe77388a34096964a73c85eab504281a14ae3d05350cfee5c51d2491cec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10682\pywin32_system32\pythoncom311.dll

Filesize
193KB

MD5
471d17f08b66f1489516d271ebf831e3

SHA1
0296e3848de8e99c55bab82c7b181112fb30e840

SHA256
39f4e62d0366897e20eb849cdc78f4ea988605ba86a95c9c741f2797086a6788

SHA512
857a92588f3363ce9e139fe92222ece6d7d926fdcb2c5c1febfb6328389f3e5f8b82063aface5b61015de031e6bfda556067f49f9cc8103664749d8581da1587

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10682\pywin32_system32\pywintypes311.dll

Filesize
62KB

MD5
04ce7664658c9c18527594708550d59e

SHA1
1db7e6722aaea33d92fba441fca294600d904103

SHA256
e3be247830c23a1751e1bab98d02ba5da3721d2a85469eda3764fc583ca2a6ff

SHA512
e9744b2eee5fa848d5ac83622a6b1c1a1009d7ad8a944bda7a118dd75d8d24218fa2e4ef67718caabda0dd67efdd5be1497705afef8edec830f1b2402d0f0a8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10682\select.pyd

Filesize
24KB

MD5
0dc8f694b3e6a3682b3ff098bd2468f6

SHA1
737252620116c6ac5c527f99d3914e608a0e5a74

SHA256
818120c08358b6b4d1234b7456c7b5c777af8473e26314a6a6c0f37237d53208

SHA512
d0e704d52b0c5e24c07447a60d71ccec490ec15ecb6b4532b2e93ac07036bda7f27051f80dac1ef3705b0186f35f9d6dfc05415412e483b68fd79f1098411123

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10682\sqlite3.dll

Filesize
608KB

MD5
605b722497acc50ffb33ebdb6afaf1f0

SHA1
e24c55472c827d4b519e5b6f0a3cfc49e10d1fa9

SHA256
a61016520a3f228285e32e40d878fe449450136c55aa9d4d7b54006a8dc7f339

SHA512
9611afc66cd1236cea1fce94e8ecf8e4d2168db3b51d8d9a799b574e8523ca0aea48da6b6c15fc863dd737b9c394ac6e56d2f3fa45e29792b630da389cb21dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10682\unicodedata.pyd

Filesize
293KB

MD5
2b1809546e4bc9d67ea69d24f75edce0

SHA1
9d076445dfa2f58964a6a1fd1844f6fe82645952

SHA256
89cbb2814a75a5bd53acbfb1fe090ca8395c4a7f559acd4fe0187758c172623a

SHA512
5ae015add4697e8290eb881fa770bca2fa22ba8376b86b26f7880d4f92ad362e741042926a4c47cc3413c83f445e372ffda915bcf8567673d807bd2dac28fbbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10682\win32\win32api.pyd

Filesize
48KB

MD5
d2668458d3a33de3fbe931eb029a3628

SHA1
258351db3b6ce6ae80a428c2b5dc0a3f7cfa112a

SHA256
2c37610d165a3c3c0350b08a5d803928267aa69878f753d2e2b048de4f3a7413

SHA512
440b760300043938c1a3130baf667426d1dabdb6dab24581054c9d5ef213997183b0a317b4f846f277eabb07f7bd4d2cc42d90158511c904b7a78672869c641d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10682\zstandard\backend_c.cp311-win_amd64.pyd

Filesize
167KB

MD5
1604e9442e25b58376e370c33518cc80

SHA1
0bb8ff1cf47d5db3e413965a8964a391a7a19f9c

SHA256
cb400ea4c1949215aee3be519daca9d82c41e8f2ebfc7441d866326cf196fbe6

SHA512
2122b5db09351715a5b06f39d3870e3298905a2f6826a4a0f960268d116add200389b2add83f6c3d492c1cc792a895d813f2ca8eb8441e69c7a394cbffddfc72

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54562\cryptography-43.0.1.dist-info\WHEEL

Filesize
94B

MD5
c869d30012a100adeb75860f3810c8c9

SHA1
42fd5cfa75566e8a9525e087a2018e8666ed22cb

SHA256
f3fe049eb2ef6e1cc7db6e181fc5b2a6807b1c59febe96f0affcc796bdd75012

SHA512
b29feaf6587601bbe0edad3df9a87bfc82bb2c13e91103699babd7e039f05558c0ac1ef7d904bcfaf85d791b96bc26fa9e39988dd83a1ce8ecca85029c5109f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54562\cryptography-43.0.1.dist-info\license_files\LICENSE

Filesize
197B

MD5
8c3617db4fb6fae01f1d253ab91511e4

SHA1
e442040c26cd76d1b946822caf29011a51f75d6d

SHA256
3e0c7c091a948b82533ba98fd7cbb40432d6f1a9acbf85f5922d2f99a93ae6bb

SHA512
77a1919e380730bcce5b55d76fbffba2f95874254fad955bd2fe1de7fc0e4e25b5fdaab0feffd6f230fa5dc895f593cf8bfedf8fdc113efbd8e22fadab0b8998

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54562\cryptography-43.0.1.dist-info\license_files\LICENSE.APACHE

Filesize
11KB

MD5
4e168cce331e5c827d4c2b68a6200e1b

SHA1
de33ead2bee64352544ce0aa9e410c0c44fdf7d9

SHA256
aac73b3148f6d1d7111dbca32099f68d26c644c6813ae1e4f05f6579aa2663fe

SHA512
f451048e81a49fbfa11b49de16ff46c52a8e3042d1bcc3a50aaf7712b097bed9ae9aed9149c21476c2a1e12f1583d4810a6d36569e993fe1ad3879942e5b0d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI54562\cryptography-43.0.1.dist-info\license_files\LICENSE.BSD

Filesize
1KB

MD5
5ae30ba4123bc4f2fa49aa0b0dce887b

SHA1
ea5b412c09f3b29ba1d81a61b878c5c16ffe69d8

SHA256
602c4c7482de6479dd2e9793cda275e5e63d773dacd1eca689232ab7008fb4fb

SHA512
ddbb20c80adbc8f4118c10d3e116a5cd6536f72077c5916d87258e155be561b89eb45c6341a1e856ec308b49a4cb4dba1408eabd6a781fbe18d6c71c32b72c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58882\pycountry\locales\de\LC_MESSAGES\iso3166-2.mo

Filesize
207KB

MD5
fbc3184600f4c885296f36ab500adccd

SHA1
18db52aea5d8fa61653d091af853b19b2c3dd475

SHA256
466aab6a14a6aabfee4ce464f34b404c3252d0f6f28336f1dda972658ed7aa19

SHA512
b01c184aaecf7fc7101d40070314641d14d75ff47d22d01dba337d0941bddd084c30d7b9985fc376b2ce54c24b8c4de1ccc3227f2e322de6f3bfbc7838fd5cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58882\pycountry\locales\fr\LC_MESSAGES\iso639-3.mo

Filesize
409KB

MD5
972591ca80602d1e82cf3d75d0729d0e

SHA1
94017f374fc09f3baceae08803c76f059b6dbe0d

SHA256
c28273b7da4ca5af1cfbabdd9070219a37afa2cb88bd859aa96ba71271a7dcee

SHA512
550b4e1f2b6540c1dbfbad2a43b15282204b80e2776075cfc3c20053e30c0b46fe205e71fa9a2258220ffd76443cf7f7296e86ffa39c6329dae4d413a0cdc357

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI58882\pycountry\locales\sr@latin\LC_MESSAGES\iso3166-2.mo

Filesize
118KB

MD5
540ca9b22149c3688036b7d0e0979a02

SHA1
aa908ea7c8e8583ea7b712a90e290ad085a69fd2

SHA256
8e85ae3da5e61a4b629ae3d2ac47898c361664ca1c4c01cd0617afe07c723a4d

SHA512
dbf239521d6da964a0b5dc98f4ec8e3d6312b24d02313874f64144137901d80e3b225d332f953c8ecf518fbeefcf8ad1a5e3b7c015828894f2721b719f585e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI77642\cryptography-43.0.1.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oksrfm43.3ut.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\AlternateServices.bin

Filesize
8KB

MD5
ff61485778b62219d0761668609453c7

SHA1
826495e94791395488c1ed3639e8e712e0d4fb30

SHA256
6ba1cad144586c04b3119945dd143ede287eb2995ee55d67bbb984905bc48a08

SHA512
7f2007efda61b6b14e021e1d127448d67475311ffd1f0fa0af86a642ba763081a07d8f5504babaadab578098665bbc2faf9928cd07d4deb2089b38f17e5b0148

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\AlternateServices.bin

Filesize
11KB

MD5
98d2ede90b7ada4e2e8ce2fd71ad1da1

SHA1
fa443698df873a50bf68e34b023ece50b805f930

SHA256
22dc9f8349e6498b5ac45048b8d6530af56b3c9e4c6da7d239abdf029fcff493

SHA512
f50618205556c0f1aeef14600acc40fd2d660173ef6afbc974d99466e949c820790ce672165068a8547383e079fd9a3a9bef5977f5cf833f4778444ea54ffdea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
a1d31fd4a6ea5576630d603e626f4c08

SHA1
a70c6e71a61f43b964f70e84b2b941e011c1baf5

SHA256
8b60b95d41f75cad2e7558fd4ae53360b68eb1a35b858860bd1d699bbca5e011

SHA512
5fa7a4dbd500acf42d0a21b369066323058033663f51dc7da1b82b9ba9129052ff9d05aa6b31b1f137d5e4d918f5611e45d3ecc673e200b1d6384f7b99ed76b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
593ab0b6d7a9e30dbe836f88ed62681d

SHA1
75d1ff55fb82cddb8609bab2488aa474171f247f

SHA256
534332004ab7c9b541981d5ced9e47825c0312bc856a01c0d5a95307bc1885c9

SHA512
7f6dcaa764d8e04bf2f3dcf1a3073b9f66ab777903e446e0606602870bdb1dd0fa5b0d0ac952d09d9cac77d8c921f3987018678470a1864f126f769ad4437409

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
b4ce4bf7f30da15794fa02fa7c22c477

SHA1
db9ff897cbb5423bc95c993c51ae5f3e6556d81c

SHA256
86bea3feb4886c775f8fcda0971ecf91ffe67476fa5686d96e9a65dd689da2d5

SHA512
a5e07ce8275cb37e1be85ea4a1327b1c163360bbd79e270d8ef93b93d112287878a30215139c43aa375797715a26189059191b89a571d4f62a124a418534d405

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
086242716284a8af7f3bb6270c0d3495

SHA1
ae9f0aadb1ac4fd01c039cb35e9da0a331e08afd

SHA256
6a999877c9e2266777e3d011dbbb587ba6f4ecb8b579ef1ff0deecb0d0251f3c

SHA512
e6388ac8c30cae4d105e58bffe20dc9621cadddabbf1e2268f8761bac542a17a5127980c277d565785eb093dfabe31b45d930569a450b63f7df1d1c4cce33aaf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\pending_pings\14ac6ade-46ce-4c35-a16f-7fbdc8a980ae

Filesize
24KB

MD5
e2982fb092f7ea859270b3eaa096e4ce

SHA1
35f949974a70e8d915a539edacead6c1217271d9

SHA256
e2713eeffc7718c799ce502a3e655261933812b2359147cfdd3111a15849aff8

SHA512
a23754baec61ec0ba48ac87a85e6fe903e9f42d3c7fc45716bc8cd20989cf779d8afffc79aa3edb8ef296fd3fc66fadf7a319a6a267ad74f9f41f6f010ebe134

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\pending_pings\3b010fe5-2031-4caf-86bd-ef56a62e7a46

Filesize
671B

MD5
b7dafcc0eaf7a249771e4059e1857d6d

SHA1
4566ea4ec993f9da2c78b0dafa04205b316671d3

SHA256
38b1619910403660eff7e1751be95e870059cd5700674a3d33e9c883826798b5

SHA512
72ebdd2a1137b90223e76dfc9f3b9d2fc56dca40e6a239585c8033ea7fe4d17b1ee06be3d5ef642bf67843ef52aab3e0bb46462aa5978d3a1cf7567ebfe7f934

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\datareporting\glean\pending_pings\e494e16d-399a-45d2-abfc-2174fe4c32d5

Filesize
982B

MD5
82b56d18ba0c424b2bcf01c48f5f18f5

SHA1
aef20bba01d9a2f68a1e798c64297a4fc7bf5ea0

SHA256
e74c4fe7336d29dc7b73296b7c01921f2f4bc4663913c1fb15b58809fcac7ef0

SHA512
753fe87e8ed75186d4bfb54209dcfe969ade6511d3e129014350731e4c2a93a5437142733ef6670782c0b4e41450b74ef5ee3132059373095f2795b578e8b57e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\prefs-1.js

Filesize
11KB

MD5
9e19c93487d78d2b86ebce539b4eb3d0

SHA1
a73e54257caea4808843f2dbd90ae12dc8be945f

SHA256
8aa3be5b1e0a00fc8c22f47d712425a171c5a025d7f9f3f6e76b60c00feb7622

SHA512
96e996b4d546410f8e1f671fa7562bb9d5c31b6dfb60e4eeea84e59a556ab79e1cb633c733c45d4490118f4963d86eac7a8e8bb7908e7908c44363a58bb7c4b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\prefs-1.js

Filesize
11KB

MD5
e84b6d7af54b75e131431d069dbca67b

SHA1
1dd4c0fde82c844d18a5b9d9e324102765f45d26

SHA256
c578438541bfaf5ac32758d4fa09838375216a9129d3104c6ba2dd8e902c062c

SHA512
108746d8d89f96fcf8fa2303364d158688310edea4700b40701b568ae0ed75bf87629b5c47a78d90e7e484c95d2310ddb85ecffdc9cc8d27b8c8f62c8e993383

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
777d120e76e2e1c224c238c3ec0599c0

SHA1
72d787035d26d1ab2869adf0f47c6d7a1ec7522f

SHA256
4c4fa012e0331c647636c57182cab70cb116f1dee80eb7033b505a1021b62928

SHA512
2457d5647eb8959f89536ec68760c1dd27c0348e2bb8d4e8f8ed3ab6473f7074e95d054026dfc63f2285166cbf31df2e8f65f3a46cc99d831077bc5938d3b277

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\sessionstore-backups\recovery.baklz4

Filesize
1KB

MD5
ef6a1aaf30b867a801f7176196655bd4

SHA1
2788eb88bd08e2c10216e8a077747498cb661b7b

SHA256
51d8f7d6f8b910878b8f36879d2aa319c15f4306babf5ce9e0458b7d286fe9c0

SHA512
e6bd0e9ae8270909f5f8966fca843777573430a53ada392832dc7dca0b62f17d2a1cbe406693318be7c3335f2bc936bfb051f759c098189e5315578d1a250c57

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\seoxtri5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
568KB

MD5
4c5a91a99b29dfa5e69ec9e0616aa234

SHA1
3f0eb5feaa25624febb75a60e391405a9a079827

SHA256
d780f6b534f5a0b08869fa27203797b5f9dfef72e055a1cbc2bfb11cd32ec8be

SHA512
59756b3352bdd568d09c1172be12b692becfc2c14a02fe48d7be1ac31ae2e4c3df6a9980eab3c0ce12b4c8256b4ee7466b87f7c3f3429dec52979aae3dd4f6f4

Download Submit
C:\Users\Admin\Downloads\Boostrapper.exe

Filesize
43.6MB

MD5
2df5a241043be6dc51d7946c3674799b

SHA1
e5f09815f0f49fdd776ec756d461ac88818ce4fb

SHA256
08bbe882d834f3a36a6e0030b4317e986a72c976b4bdb819df2b6ea9429c2c56

SHA512
7257f8ddde535a418c55075a2949ebae17ab805e30e16f8815fdabd13eb1257fa6ce249b584342b27661b78ff8f05424951e02d06862d779c6675624f49a5a22

Download Submit
memory/5580-5260-0x00007FF80A9C0000-0x00007FF80AFA8000-memory.dmp

Filesize
5.9MB

Download
memory/5580-5264-0x00007FF81D450000-0x00007FF81D47D000-memory.dmp

Filesize
180KB

Download
memory/5668-1395-0x00007FF807850000-0x00007FF80785B000-memory.dmp

Filesize
44KB

Download
memory/5668-1390-0x00007FF807870000-0x00007FF80787E000-memory.dmp

Filesize
56KB

Download
memory/5668-1335-0x00007FF8078C0000-0x00007FF8078F7000-memory.dmp

Filesize
220KB

Download
memory/5668-1334-0x00007FF807860000-0x00007FF80786C000-memory.dmp

Filesize
48KB

Download
memory/5668-1333-0x00007FF807830000-0x00007FF80783C000-memory.dmp

Filesize
48KB

Download
memory/5668-1332-0x00007FF807840000-0x00007FF80784B000-memory.dmp

Filesize
44KB

Download
memory/5668-1339-0x00007FF8077E0000-0x00007FF8077EC000-memory.dmp

Filesize
48KB

Download
memory/5668-1330-0x00007FF807900000-0x00007FF807A73000-memory.dmp

Filesize
1.4MB

Download
memory/5668-1329-0x00007FF807870000-0x00007FF80787E000-memory.dmp

Filesize
56KB

Download
memory/5668-1328-0x00007FF807A80000-0x00007FF807AA3000-memory.dmp

Filesize
140KB

Download
memory/5668-1327-0x00007FF807880000-0x00007FF80788C000-memory.dmp

Filesize
48KB

Download
memory/5668-1326-0x00007FF807890000-0x00007FF80789C000-memory.dmp

Filesize
48KB

Download
memory/5668-1324-0x00007FF8078B0000-0x00007FF8078BC000-memory.dmp

Filesize
48KB

Download
memory/5668-1323-0x00007FF80BD40000-0x00007FF80BD4B000-memory.dmp

Filesize
44KB

Download
memory/5668-1321-0x00007FF81BE10000-0x00007FF81BE24000-memory.dmp

Filesize
80KB

Download
memory/5668-1320-0x00007FF810C90000-0x00007FF810C9B000-memory.dmp

Filesize
44KB

Download
memory/5668-1319-0x00007FF812DE0000-0x00007FF812DEB000-memory.dmp

Filesize
44KB

Download
memory/5668-1318-0x00007FF807BC0000-0x00007FF807C78000-memory.dmp

Filesize
736KB

Download
memory/5668-1317-0x00007FF8078C0000-0x00007FF8078F7000-memory.dmp

Filesize
220KB

Download
memory/5668-1315-0x00007FF807A80000-0x00007FF807AA3000-memory.dmp

Filesize
140KB

Download
memory/5668-1314-0x00007FF807C80000-0x00007FF807FF5000-memory.dmp

Filesize
3.5MB

Download
memory/5668-1313-0x00007FF808000000-0x00007FF80802E000-memory.dmp

Filesize
184KB

Download
memory/5668-1312-0x00007FF808030000-0x00007FF80814C000-memory.dmp

Filesize
1.1MB

Download
memory/5668-1340-0x00007FF8077B0000-0x00007FF8077D9000-memory.dmp

Filesize
164KB

Download
memory/5668-1306-0x00007FF808150000-0x00007FF80820C000-memory.dmp

Filesize
752KB

Download
memory/5668-1305-0x00007FF80BD60000-0x00007FF80BD8E000-memory.dmp

Filesize
184KB

Download
memory/5668-1304-0x00007FF807B00000-0x00007FF807B26000-memory.dmp

Filesize
152KB

Download
memory/5668-1303-0x00007FF81C920000-0x00007FF81C92B000-memory.dmp

Filesize
44KB

Download
memory/5668-1302-0x00007FF81C170000-0x00007FF81C189000-memory.dmp

Filesize
100KB

Download
memory/5668-1341-0x00007FF8077A0000-0x00007FF8077AB000-memory.dmp

Filesize
44KB

Download
memory/5668-1296-0x00007FF807B30000-0x00007FF807BB7000-memory.dmp

Filesize
540KB

Download
memory/5668-1342-0x00007FF807780000-0x00007FF80779C000-memory.dmp

Filesize
112KB

Download
memory/5668-1338-0x00007FF8077F0000-0x00007FF807802000-memory.dmp

Filesize
72KB

Download
memory/5668-1336-0x00007FF807820000-0x00007FF80782C000-memory.dmp

Filesize
48KB

Download
memory/5668-1325-0x00007FF8078A0000-0x00007FF8078AB000-memory.dmp

Filesize
44KB

Download
memory/5668-1322-0x00007FF80BD50000-0x00007FF80BD5C000-memory.dmp

Filesize
48KB

Download
memory/5668-1316-0x00007FF807900000-0x00007FF807A73000-memory.dmp

Filesize
1.4MB

Download
memory/5668-1310-0x00007FF8180B0000-0x00007FF8180BA000-memory.dmp

Filesize
40KB

Download
memory/5668-1311-0x00007FF811AF0000-0x00007FF811B08000-memory.dmp

Filesize
96KB

Download
memory/5668-1236-0x00007FF81C240000-0x00007FF81C264000-memory.dmp

Filesize
144KB

Download
memory/5668-1244-0x00007FF810CA0000-0x00007FF810CCD000-memory.dmp

Filesize
180KB

Download
memory/5668-1297-0x00007FF81BE10000-0x00007FF81BE24000-memory.dmp

Filesize
80KB

Download
memory/5668-1331-0x00007FF807850000-0x00007FF80785B000-memory.dmp

Filesize
44KB

Download
memory/5668-1287-0x00007FF81C240000-0x00007FF81C264000-memory.dmp

Filesize
144KB

Download
memory/5668-1289-0x00007FF808000000-0x00007FF80802E000-memory.dmp

Filesize
184KB

Download
memory/5668-1291-0x00007FF807C80000-0x00007FF807FF5000-memory.dmp

Filesize
3.5MB

Download
memory/5668-1345-0x00007FF808210000-0x00007FF8087F8000-memory.dmp

Filesize
5.9MB

Download
memory/5668-1377-0x00007FF810CA0000-0x00007FF810CCD000-memory.dmp

Filesize
180KB

Download
memory/5668-1368-0x00007FF807900000-0x00007FF807A73000-memory.dmp

Filesize
1.4MB

Download
memory/5668-1397-0x00007FF807830000-0x00007FF80783C000-memory.dmp

Filesize
48KB

Download
memory/5668-1404-0x00007FF807780000-0x00007FF80779C000-memory.dmp

Filesize
112KB

Download
memory/5668-1403-0x00007FF8077A0000-0x00007FF8077AB000-memory.dmp

Filesize
44KB

Download
memory/5668-1402-0x00007FF8077B0000-0x00007FF8077D9000-memory.dmp

Filesize
164KB

Download
memory/5668-1401-0x00007FF8077E0000-0x00007FF8077EC000-memory.dmp

Filesize
48KB

Download
memory/5668-1400-0x00007FF8077F0000-0x00007FF807802000-memory.dmp

Filesize
72KB

Download
memory/5668-1399-0x00007FF807810000-0x00007FF80781D000-memory.dmp

Filesize
52KB

Download
memory/5668-1398-0x00007FF807820000-0x00007FF80782C000-memory.dmp

Filesize
48KB

Download
memory/5668-1396-0x00007FF807840000-0x00007FF80784B000-memory.dmp

Filesize
44KB

Download
memory/5668-1242-0x00007FF81D400000-0x00007FF81D419000-memory.dmp

Filesize
100KB

Download
memory/5668-1394-0x00007FF807860000-0x00007FF80786C000-memory.dmp

Filesize
48KB

Download
memory/5668-1393-0x00007FF807890000-0x00007FF80789C000-memory.dmp

Filesize
48KB

Download
memory/5668-1392-0x00007FF8078A0000-0x00007FF8078AB000-memory.dmp

Filesize
44KB

Download
memory/5668-1391-0x00007FF8078B0000-0x00007FF8078BC000-memory.dmp

Filesize
48KB

Download
memory/5668-1337-0x00007FF807810000-0x00007FF80781D000-memory.dmp

Filesize
52KB

Download
memory/5668-1389-0x00007FF80BD50000-0x00007FF80BD5C000-memory.dmp

Filesize
48KB

Download
memory/5668-1388-0x00007FF81BE10000-0x00007FF81BE24000-memory.dmp

Filesize
80KB

Download
memory/5668-1387-0x00007FF808000000-0x00007FF80802E000-memory.dmp

Filesize
184KB

Download
memory/5668-1386-0x00007FF810C90000-0x00007FF810C9B000-memory.dmp

Filesize
44KB

Download
memory/5668-1385-0x00007FF807880000-0x00007FF80788C000-memory.dmp

Filesize
48KB

Download
memory/5668-1384-0x00007FF80BBB0000-0x00007FF80BBDB000-memory.dmp

Filesize
172KB

Download
memory/5668-1383-0x00007FF808150000-0x00007FF80820C000-memory.dmp

Filesize
752KB

Download
memory/5668-1382-0x00007FF80BD60000-0x00007FF80BD8E000-memory.dmp

Filesize
184KB

Download
memory/5668-1381-0x00007FF8108F0000-0x00007FF810925000-memory.dmp

Filesize
212KB

Download
memory/5668-1380-0x00007FF821310000-0x00007FF82131D000-memory.dmp

Filesize
52KB

Download
memory/5668-1379-0x00007FF8213E0000-0x00007FF8213ED000-memory.dmp

Filesize
52KB

Download
memory/5668-1378-0x00007FF81C170000-0x00007FF81C189000-memory.dmp

Filesize
100KB

Download
memory/5668-1376-0x00007FF81D400000-0x00007FF81D419000-memory.dmp

Filesize
100KB

Download
memory/5668-1375-0x00007FF826C20000-0x00007FF826C2F000-memory.dmp

Filesize
60KB

Download
memory/5668-1374-0x00007FF81C240000-0x00007FF81C264000-memory.dmp

Filesize
144KB

Download
memory/5668-1373-0x00007FF80BD40000-0x00007FF80BD4B000-memory.dmp

Filesize
44KB

Download
memory/5668-1370-0x00007FF812DE0000-0x00007FF812DEB000-memory.dmp

Filesize
44KB

Download
memory/5668-1369-0x00007FF8078C0000-0x00007FF8078F7000-memory.dmp

Filesize
220KB

Download
memory/5668-1367-0x00007FF807A80000-0x00007FF807AA3000-memory.dmp

Filesize
140KB

Download
memory/5668-1359-0x00007FF807C80000-0x00007FF807FF5000-memory.dmp

Filesize
3.5MB

Download
memory/5668-1366-0x00007FF811AF0000-0x00007FF811B08000-memory.dmp

Filesize
96KB

Download
memory/5668-1365-0x00007FF8180B0000-0x00007FF8180BA000-memory.dmp

Filesize
40KB

Download
memory/5668-1364-0x00007FF807B00000-0x00007FF807B26000-memory.dmp

Filesize
152KB

Download
memory/5668-1363-0x00007FF81C920000-0x00007FF81C92B000-memory.dmp

Filesize
44KB

Download
memory/5668-1361-0x00007FF807B30000-0x00007FF807BB7000-memory.dmp

Filesize
540KB

Download
memory/5668-1360-0x00007FF807BC0000-0x00007FF807C78000-memory.dmp

Filesize
736KB

Download
memory/5668-1357-0x00007FF808030000-0x00007FF80814C000-memory.dmp

Filesize
1.1MB

Download
memory/5668-1292-0x00007FF807BC0000-0x00007FF807C78000-memory.dmp

Filesize
736KB

Download
memory/5668-1269-0x00007FF8108F0000-0x00007FF810925000-memory.dmp

Filesize
212KB

Download
memory/5668-1238-0x00007FF826C20000-0x00007FF826C2F000-memory.dmp

Filesize
60KB

Download
memory/5668-1228-0x00007FF808210000-0x00007FF8087F8000-memory.dmp

Filesize
5.9MB

Download
memory/5668-1279-0x00007FF808150000-0x00007FF80820C000-memory.dmp

Filesize
752KB

Download
memory/5668-1282-0x00007FF80BBB0000-0x00007FF80BBDB000-memory.dmp

Filesize
172KB

Download
memory/5668-1278-0x00007FF80BD60000-0x00007FF80BD8E000-memory.dmp

Filesize
184KB

Download
memory/5668-1285-0x00007FF808030000-0x00007FF80814C000-memory.dmp

Filesize
1.1MB

Download
memory/5668-1284-0x00007FF808210000-0x00007FF8087F8000-memory.dmp

Filesize
5.9MB

Download
memory/5668-1272-0x00007FF81C170000-0x00007FF81C189000-memory.dmp

Filesize
100KB

Download
memory/5668-1271-0x00007FF821310000-0x00007FF82131D000-memory.dmp

Filesize
52KB

Download
memory/5668-1270-0x00007FF8213E0000-0x00007FF8213ED000-memory.dmp

Filesize
52KB

Download
memory/7540-2869-0x00007FF809080000-0x00007FF8090AE000-memory.dmp

Filesize
184KB

Download
memory/7540-2877-0x00007FF811AF0000-0x00007FF811B08000-memory.dmp

Filesize
96KB

Download
memory/7540-2880-0x00007FF807A70000-0x00007FF807AA7000-memory.dmp

Filesize
220KB

Download
memory/7540-2878-0x00007FF807C30000-0x00007FF807C53000-memory.dmp

Filesize
140KB

Download
memory/7540-2858-0x00007FF826C20000-0x00007FF826C2F000-memory.dmp

Filesize
60KB

Download
memory/7540-2876-0x00007FF8180B0000-0x00007FF8180BA000-memory.dmp

Filesize
40KB

Download
memory/7540-2875-0x00007FF807CB0000-0x00007FF807CD6000-memory.dmp

Filesize
152KB

Download
memory/7540-2856-0x00007FF808210000-0x00007FF8087F8000-memory.dmp

Filesize
5.9MB

Download
memory/7540-2873-0x00007FF81BE10000-0x00007FF81BE24000-memory.dmp

Filesize
80KB

Download
memory/7540-2872-0x00007FF807CE0000-0x00007FF807D67000-memory.dmp

Filesize
540KB

Download
memory/7540-2871-0x00007FF808FC0000-0x00007FF809078000-memory.dmp

Filesize
736KB

Download
memory/7540-2868-0x00007FF8080F0000-0x00007FF80820C000-memory.dmp

Filesize
1.1MB

Download
memory/7540-2879-0x00007FF807AB0000-0x00007FF807C23000-memory.dmp

Filesize
1.4MB

Download
memory/7540-2870-0x00007FF807D70000-0x00007FF8080E5000-memory.dmp

Filesize
3.5MB

Download
memory/7540-2874-0x00007FF81C920000-0x00007FF81C92B000-memory.dmp

Filesize
44KB

Download
memory/7540-2881-0x00007FF812DE0000-0x00007FF812DEB000-memory.dmp

Filesize
44KB

Download
memory/7540-2883-0x00007FF80BD50000-0x00007FF80BD5C000-memory.dmp

Filesize
48KB

Download
memory/7540-2882-0x00007FF810C90000-0x00007FF810C9B000-memory.dmp

Filesize
44KB

Download
memory/7540-2803-0x00007FF81C170000-0x00007FF81C189000-memory.dmp

Filesize
100KB

Download
memory/7540-2804-0x00007FF8213E0000-0x00007FF8213ED000-memory.dmp

Filesize
52KB

Download
memory/7540-2802-0x00007FF8108F0000-0x00007FF810925000-memory.dmp

Filesize
212KB

Download
memory/7540-2801-0x00007FF810CA0000-0x00007FF810CCD000-memory.dmp

Filesize
180KB

Download
memory/7540-2800-0x00007FF81D400000-0x00007FF81D419000-memory.dmp

Filesize
100KB

Download
memory/7540-2799-0x00007FF826C20000-0x00007FF826C2F000-memory.dmp

Filesize
60KB

Download
memory/7540-2798-0x00007FF808210000-0x00007FF8087F8000-memory.dmp

Filesize
5.9MB

Download