exelastealer | bba2d6bfae4be91d6ad87d5ab7791ec443d2b0f07515247d451341fce7eaab40

Resubmissions

31/03/2025, 18:00

250331-wlak3svtby 10

31/03/2025, 17:58

250331-wkcztavtbt 10

28/03/2025, 19:30

250328-x72gcsskw6 10

Analysis

max time kernel
86s
max time network
90s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
31/03/2025, 18:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Grabberhydra.exe
Size

9.4MB
MD5

1a0e1a239d2d4f4d9f9e2f968eed9f27
SHA1

6e1da96ce51570a3f158500390d1148f2cbc2f77
SHA256

0f3b73e169942ba5ed7d17ad2965f821b8939fe23b6422a1284982b72db2fff8
SHA512

7c48f6ec212b74aa5502cbc612932d56dd02ab9ecbabf9f0c090840e12180a09c31f8d46377157a23c39f568a5f52fba986b1cee0b614191b2a1cc39a11ddc77
SSDEEP

196608:2W2cxg3+cemXyuSyTde8BRHvUWvofhxjno/w3iFCxHQbRpXDugkn:n2N3GtByxjBRHdAxro/w3uCxHQbzu3n

Score

10^/10

exelastealer collection defense_evasion discovery persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4388	netsh.exe
3304	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
5356	cmd.exe
5528	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
1612	Exela.exe
5480	Exela.exe

Loads dropped DLL 63 IoCs

pid	Process
1136	Grabberhydra.exe
1136	Grabberhydra.exe
1136	Grabberhydra.exe
1136	Grabberhydra.exe
1136	Grabberhydra.exe
1136	Grabberhydra.exe
1136	Grabberhydra.exe
1136	Grabberhydra.exe
1136	Grabberhydra.exe
1136	Grabberhydra.exe
1136	Grabberhydra.exe
1136	Grabberhydra.exe
1136	Grabberhydra.exe
1136	Grabberhydra.exe
1136	Grabberhydra.exe
1136	Grabberhydra.exe
1136	Grabberhydra.exe
1136	Grabberhydra.exe
1136	Grabberhydra.exe
1136	Grabberhydra.exe
1136	Grabberhydra.exe
1136	Grabberhydra.exe
1136	Grabberhydra.exe
1136	Grabberhydra.exe
1136	Grabberhydra.exe
1136	Grabberhydra.exe
1136	Grabberhydra.exe
1136	Grabberhydra.exe
1136	Grabberhydra.exe
1136	Grabberhydra.exe
1136	Grabberhydra.exe
5480	Exela.exe
5480	Exela.exe
5480	Exela.exe
5480	Exela.exe
5480	Exela.exe
5480	Exela.exe
5480	Exela.exe
5480	Exela.exe
5480	Exela.exe
5480	Exela.exe
5480	Exela.exe
5480	Exela.exe
5480	Exela.exe
5480	Exela.exe
5480	Exela.exe
5480	Exela.exe
1136	Grabberhydra.exe
5480	Exela.exe
5480	Exela.exe
5480	Exela.exe
5480	Exela.exe
5480	Exela.exe
5480	Exela.exe
5480	Exela.exe
5480	Exela.exe
5480	Exela.exe
5480	Exela.exe
5480	Exela.exe
5480	Exela.exe
5480	Exela.exe
5480	Exela.exe
5480	Exela.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela Update Service = "C:\\Users\\Admin\\AppData\\Local\\ExelaUpdateService\\Exela.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
26	discord.com
27	discord.com
28	discord.com
209	discord.com
210	discord.com
211	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
1372	cmd.exe
5544	ARP.EXE

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
3976	tasklist.exe
3968	tasklist.exe
5348	tasklist.exe
5140	tasklist.exe
1944	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4660	cmd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000281af-46.dat	upx
behavioral1/memory/1136-50-0x00007FFCE04F0000-0x00007FFCE0955000-memory.dmp	upx
behavioral1/files/0x0008000000028175-52.dat	upx
behavioral1/memory/1136-58-0x00007FFCF2710000-0x00007FFCF2734000-memory.dmp	upx
behavioral1/files/0x0007000000028187-78.dat	upx
behavioral1/files/0x00070000000281b0-63.dat	upx
behavioral1/memory/1136-83-0x00007FFCF5D00000-0x00007FFCF5D0D000-memory.dmp	upx
behavioral1/files/0x00070000000281b1-87.dat	upx
behavioral1/files/0x0007000000028185-86.dat	upx
behavioral1/files/0x0007000000028180-85.dat	upx
behavioral1/memory/1136-82-0x00007FFCF5E40000-0x00007FFCF5E59000-memory.dmp	upx
behavioral1/files/0x0007000000028184-80.dat	upx
behavioral1/files/0x0007000000028186-77.dat	upx
behavioral1/files/0x0007000000028183-74.dat	upx
behavioral1/files/0x0007000000028182-73.dat	upx
behavioral1/files/0x0007000000028181-72.dat	upx
behavioral1/files/0x000700000002817f-70.dat	upx
behavioral1/files/0x000700000002817e-69.dat	upx
behavioral1/files/0x0008000000028174-68.dat	upx
behavioral1/files/0x0008000000028173-67.dat	upx
behavioral1/files/0x0008000000028172-66.dat	upx
behavioral1/files/0x00070000000281b2-65.dat	upx
behavioral1/files/0x00070000000281ad-62.dat	upx
behavioral1/files/0x00070000000281a8-61.dat	upx
behavioral1/memory/1136-79-0x00007FFCF8B70000-0x00007FFCF8B7F000-memory.dmp	upx
behavioral1/files/0x00070000000281a7-57.dat	upx
behavioral1/files/0x00070000000281a6-60.dat	upx
behavioral1/memory/1136-91-0x00007FFCEE8B0000-0x00007FFCEEA1D000-memory.dmp	upx
behavioral1/memory/1136-93-0x00007FFCEF5B0000-0x00007FFCEF5DE000-memory.dmp	upx
behavioral1/memory/1136-90-0x00007FFCEFF90000-0x00007FFCEFFAE000-memory.dmp	upx
behavioral1/memory/1136-89-0x00007FFCEF610000-0x00007FFCEF63C000-memory.dmp	upx
behavioral1/memory/1136-88-0x00007FFCF4F70000-0x00007FFCF4F89000-memory.dmp	upx
behavioral1/memory/1136-95-0x00007FFCEF240000-0x00007FFCEF2F6000-memory.dmp	upx
behavioral1/memory/1136-98-0x00007FFCE0170000-0x00007FFCE04E4000-memory.dmp	upx
behavioral1/memory/1136-99-0x00007FFCE04F0000-0x00007FFCE0955000-memory.dmp	upx
behavioral1/memory/1136-114-0x00007FFCEEED0000-0x00007FFCEEEF2000-memory.dmp	upx
behavioral1/memory/1136-113-0x00007FFCEF140000-0x00007FFCEF155000-memory.dmp	upx
behavioral1/memory/1136-112-0x00007FFCF5E40000-0x00007FFCF5E59000-memory.dmp	upx
behavioral1/files/0x00070000000281b4-110.dat	upx
behavioral1/memory/1136-108-0x00007FFCEF180000-0x00007FFCEF194000-memory.dmp	upx
behavioral1/memory/1136-107-0x00007FFCEF350000-0x00007FFCEF360000-memory.dmp	upx
behavioral1/files/0x00070000000281aa-106.dat	upx
behavioral1/memory/1136-105-0x00007FFCEF5F0000-0x00007FFCEF604000-memory.dmp	upx
behavioral1/memory/1136-103-0x00007FFCF2710000-0x00007FFCF2734000-memory.dmp	upx
behavioral1/memory/1136-118-0x00007FFCEFF90000-0x00007FFCEFFAE000-memory.dmp	upx
behavioral1/memory/1136-121-0x00007FFCEEEB0000-0x00007FFCEEECB000-memory.dmp	upx
behavioral1/memory/1136-120-0x00007FFCE0050000-0x00007FFCE0168000-memory.dmp	upx
behavioral1/memory/1136-119-0x00007FFCEE8B0000-0x00007FFCEEA1D000-memory.dmp	upx
behavioral1/files/0x00070000000281ac-117.dat	upx
behavioral1/files/0x0007000000028189-122.dat	upx
behavioral1/files/0x000700000002818b-124.dat	upx
behavioral1/memory/1136-125-0x00007FFCEF5B0000-0x00007FFCEF5DE000-memory.dmp	upx
behavioral1/memory/1136-138-0x00007FFCEE860000-0x00007FFCEE8AD000-memory.dmp	upx
behavioral1/memory/1136-137-0x00007FFCEEE40000-0x00007FFCEEE4A000-memory.dmp	upx
behavioral1/files/0x00070000000281a5-139.dat	upx
behavioral1/files/0x00070000000281a3-141.dat	upx
behavioral1/memory/1136-143-0x00007FFCEE840000-0x00007FFCEE85E000-memory.dmp	upx
behavioral1/memory/1136-136-0x00007FFCEEC30000-0x00007FFCEEC41000-memory.dmp	upx
behavioral1/memory/1136-135-0x00007FFCE0170000-0x00007FFCE04E4000-memory.dmp	upx
behavioral1/files/0x000700000002818c-133.dat	upx
behavioral1/files/0x000700000002818a-131.dat	upx
behavioral1/memory/1136-129-0x00007FFCEEC50000-0x00007FFCEEC69000-memory.dmp	upx
behavioral1/memory/1136-128-0x00007FFCEEC70000-0x00007FFCEEC86000-memory.dmp	upx
behavioral1/memory/1136-127-0x00007FFCEF240000-0x00007FFCEF2F6000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2432	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
6116	cmd.exe
4344	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
5688	NETSTAT.EXE

Checks processor information in registry 2 TTPs 20 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
5140	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1072	WMIC.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2600	ipconfig.exe
5688	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
5804	systeminfo.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\Local Settings	firefox.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
4940	WMIC.exe
4940	WMIC.exe
4940	WMIC.exe
4940	WMIC.exe
1072	WMIC.exe
1072	WMIC.exe
1072	WMIC.exe
1072	WMIC.exe
1912	WMIC.exe
1912	WMIC.exe
1912	WMIC.exe
1912	WMIC.exe
5180	WMIC.exe
5180	WMIC.exe
5180	WMIC.exe
5180	WMIC.exe
5528	powershell.exe
5528	powershell.exe
5528	powershell.exe
5140	WMIC.exe
5140	WMIC.exe
5140	WMIC.exe
5140	WMIC.exe
4580	WMIC.exe
4580	WMIC.exe
4580	WMIC.exe
4580	WMIC.exe
4528	WMIC.exe
4528	WMIC.exe
4528	WMIC.exe
4528	WMIC.exe
4608	WMIC.exe
4608	WMIC.exe
4608	WMIC.exe
4608	WMIC.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4940	WMIC.exe
Token: SeSecurityPrivilege	4940	WMIC.exe
Token: SeTakeOwnershipPrivilege	4940	WMIC.exe
Token: SeLoadDriverPrivilege	4940	WMIC.exe
Token: SeSystemProfilePrivilege	4940	WMIC.exe
Token: SeSystemtimePrivilege	4940	WMIC.exe
Token: SeProfSingleProcessPrivilege	4940	WMIC.exe
Token: SeIncBasePriorityPrivilege	4940	WMIC.exe
Token: SeCreatePagefilePrivilege	4940	WMIC.exe
Token: SeBackupPrivilege	4940	WMIC.exe
Token: SeRestorePrivilege	4940	WMIC.exe
Token: SeShutdownPrivilege	4940	WMIC.exe
Token: SeDebugPrivilege	4940	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4940	WMIC.exe
Token: SeRemoteShutdownPrivilege	4940	WMIC.exe
Token: SeUndockPrivilege	4940	WMIC.exe
Token: SeManageVolumePrivilege	4940	WMIC.exe
Token: 33	4940	WMIC.exe
Token: 34	4940	WMIC.exe
Token: 35	4940	WMIC.exe
Token: 36	4940	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1072	WMIC.exe
Token: SeSecurityPrivilege	1072	WMIC.exe
Token: SeTakeOwnershipPrivilege	1072	WMIC.exe
Token: SeLoadDriverPrivilege	1072	WMIC.exe
Token: SeSystemProfilePrivilege	1072	WMIC.exe
Token: SeSystemtimePrivilege	1072	WMIC.exe
Token: SeProfSingleProcessPrivilege	1072	WMIC.exe
Token: SeIncBasePriorityPrivilege	1072	WMIC.exe
Token: SeCreatePagefilePrivilege	1072	WMIC.exe
Token: SeBackupPrivilege	1072	WMIC.exe
Token: SeRestorePrivilege	1072	WMIC.exe
Token: SeShutdownPrivilege	1072	WMIC.exe
Token: SeDebugPrivilege	1072	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1072	WMIC.exe
Token: SeRemoteShutdownPrivilege	1072	WMIC.exe
Token: SeUndockPrivilege	1072	WMIC.exe
Token: SeManageVolumePrivilege	1072	WMIC.exe
Token: 33	1072	WMIC.exe
Token: 34	1072	WMIC.exe
Token: 35	1072	WMIC.exe
Token: 36	1072	WMIC.exe
Token: SeDebugPrivilege	5348	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1072	WMIC.exe
Token: SeSecurityPrivilege	1072	WMIC.exe
Token: SeTakeOwnershipPrivilege	1072	WMIC.exe
Token: SeLoadDriverPrivilege	1072	WMIC.exe
Token: SeSystemProfilePrivilege	1072	WMIC.exe
Token: SeSystemtimePrivilege	1072	WMIC.exe
Token: SeProfSingleProcessPrivilege	1072	WMIC.exe
Token: SeIncBasePriorityPrivilege	1072	WMIC.exe
Token: SeCreatePagefilePrivilege	1072	WMIC.exe
Token: SeBackupPrivilege	1072	WMIC.exe
Token: SeRestorePrivilege	1072	WMIC.exe
Token: SeShutdownPrivilege	1072	WMIC.exe
Token: SeDebugPrivilege	1072	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1072	WMIC.exe
Token: SeRemoteShutdownPrivilege	1072	WMIC.exe
Token: SeUndockPrivilege	1072	WMIC.exe
Token: SeManageVolumePrivilege	1072	WMIC.exe
Token: 33	1072	WMIC.exe
Token: 34	1072	WMIC.exe
Token: 35	1072	WMIC.exe
Token: 36	1072	WMIC.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe
696	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3680 wrote to memory of 1136	3680	Grabberhydra.exe	83
PID 3680 wrote to memory of 1136	3680	Grabberhydra.exe	83
PID 1136 wrote to memory of 6140	1136	Grabberhydra.exe	86
PID 1136 wrote to memory of 6140	1136	Grabberhydra.exe	86
PID 1136 wrote to memory of 6100	1136	Grabberhydra.exe	89
PID 1136 wrote to memory of 6100	1136	Grabberhydra.exe	89
PID 1136 wrote to memory of 1988	1136	Grabberhydra.exe	90
PID 1136 wrote to memory of 1988	1136	Grabberhydra.exe	90
PID 1136 wrote to memory of 4652	1136	Grabberhydra.exe	91
PID 1136 wrote to memory of 4652	1136	Grabberhydra.exe	91
PID 1136 wrote to memory of 5400	1136	Grabberhydra.exe	92
PID 1136 wrote to memory of 5400	1136	Grabberhydra.exe	92
PID 1988 wrote to memory of 4940	1988	cmd.exe	98
PID 1988 wrote to memory of 4940	1988	cmd.exe	98
PID 5400 wrote to memory of 5348	5400	cmd.exe	99
PID 5400 wrote to memory of 5348	5400	cmd.exe	99
PID 6100 wrote to memory of 1072	6100	cmd.exe	100
PID 6100 wrote to memory of 1072	6100	cmd.exe	100
PID 1136 wrote to memory of 2508	1136	Grabberhydra.exe	102
PID 1136 wrote to memory of 2508	1136	Grabberhydra.exe	102
PID 2508 wrote to memory of 1912	2508	cmd.exe	104
PID 2508 wrote to memory of 1912	2508	cmd.exe	104
PID 1136 wrote to memory of 2836	1136	Grabberhydra.exe	105
PID 1136 wrote to memory of 2836	1136	Grabberhydra.exe	105
PID 1136 wrote to memory of 2924	1136	Grabberhydra.exe	106
PID 1136 wrote to memory of 2924	1136	Grabberhydra.exe	106
PID 2924 wrote to memory of 5140	2924	cmd.exe	109
PID 2924 wrote to memory of 5140	2924	cmd.exe	109
PID 2836 wrote to memory of 5180	2836	cmd.exe	110
PID 2836 wrote to memory of 5180	2836	cmd.exe	110
PID 1136 wrote to memory of 4660	1136	Grabberhydra.exe	111
PID 1136 wrote to memory of 4660	1136	Grabberhydra.exe	111
PID 4660 wrote to memory of 2576	4660	cmd.exe	113
PID 4660 wrote to memory of 2576	4660	cmd.exe	113
PID 1136 wrote to memory of 3096	1136	Grabberhydra.exe	114
PID 1136 wrote to memory of 3096	1136	Grabberhydra.exe	114
PID 3096 wrote to memory of 2060	3096	cmd.exe	116
PID 3096 wrote to memory of 2060	3096	cmd.exe	116
PID 1136 wrote to memory of 2184	1136	Grabberhydra.exe	119
PID 1136 wrote to memory of 2184	1136	Grabberhydra.exe	119
PID 1136 wrote to memory of 904	1136	Grabberhydra.exe	120
PID 1136 wrote to memory of 904	1136	Grabberhydra.exe	120
PID 904 wrote to memory of 1944	904	cmd.exe	124
PID 904 wrote to memory of 1944	904	cmd.exe	124
PID 2184 wrote to memory of 996	2184	cmd.exe	125
PID 2184 wrote to memory of 996	2184	cmd.exe	125
PID 3164 wrote to memory of 1612	3164	cmd.exe	123
PID 3164 wrote to memory of 1612	3164	cmd.exe	123
PID 1612 wrote to memory of 5480	1612	Exela.exe	126
PID 1612 wrote to memory of 5480	1612	Exela.exe	126
PID 1136 wrote to memory of 3112	1136	Grabberhydra.exe	127
PID 1136 wrote to memory of 3112	1136	Grabberhydra.exe	127
PID 1136 wrote to memory of 5352	1136	Grabberhydra.exe	128
PID 1136 wrote to memory of 5352	1136	Grabberhydra.exe	128
PID 1136 wrote to memory of 5660	1136	Grabberhydra.exe	129
PID 1136 wrote to memory of 5660	1136	Grabberhydra.exe	129
PID 1136 wrote to memory of 5356	1136	Grabberhydra.exe	130
PID 1136 wrote to memory of 5356	1136	Grabberhydra.exe	130
PID 5356 wrote to memory of 5528	5356	cmd.exe	135
PID 5356 wrote to memory of 5528	5356	cmd.exe	135
PID 5660 wrote to memory of 3976	5660	cmd.exe	136
PID 5660 wrote to memory of 3976	5660	cmd.exe	136
PID 5480 wrote to memory of 5864	5480	Exela.exe	137
PID 5480 wrote to memory of 5864	5480	Exela.exe	137

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2576	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Grabberhydra.exe
"C:\Users\Admin\AppData\Local\Temp\Grabberhydra.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3680
- C:\Users\Admin\AppData\Local\Temp\Grabberhydra.exe
  "C:\Users\Admin\AppData\Local\Temp\Grabberhydra.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:6140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:6100
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1988
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:4652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5400
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:4660
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Views/modifies file attributes
      PID:2576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3096
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f
      4⤵
      Adds Run key to start application
      PID:2060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:904
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:1944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:3112
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:2144
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:5352
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:4204
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:3472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5660
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:5356
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:5528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    PID:1372
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:5804
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:4200
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      Suspicious behavior: EnumeratesProcesses
      PID:5140
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:5160
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:4104
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:2576
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:2516
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:3612
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:2012
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:2232
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:1512
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:4124
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:2392
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:4412
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:2164
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4580
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:3968
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:2600
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:4052
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:5544
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:5688
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:2432
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4388
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:6116
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4620
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2716
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:3164
- C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe
  C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe
    C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:5480
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:5864

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4848

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:3192
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:696
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2016 -prefsLen 27100 -prefMapHandle 2020 -prefMapSize 270279 -ipcHandle 2088 -initialChannelId {43bd14e8-5d32-427f-989b-e28b8251509d} -parentPid 696 -crashReporter "\\.\pipe\gecko-crash-server-pipe.696" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
    3⤵
    PID:3156
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2464 -prefsLen 27136 -prefMapHandle 2468 -prefMapSize 270279 -ipcHandle 2476 -initialChannelId {b47922f7-613e-42aa-9654-1c97dd7e63d4} -parentPid 696 -crashReporter "\\.\pipe\gecko-crash-server-pipe.696" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
    3⤵
    PID:3760
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3864 -prefsLen 27277 -prefMapHandle 3868 -prefMapSize 270279 -jsInitHandle 3872 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3776 -initialChannelId {f7853505-9958-4da5-9090-49ebd78eaf63} -parentPid 696 -crashReporter "\\.\pipe\gecko-crash-server-pipe.696" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
    3⤵
    - Checks processor information in registry
    PID:4036
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4052 -prefsLen 27277 -prefMapHandle 4056 -prefMapSize 270279 -ipcHandle 4072 -initialChannelId {20a3e039-afa2-4126-acc6-9d1d9c6970f5} -parentPid 696 -crashReporter "\\.\pipe\gecko-crash-server-pipe.696" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
    3⤵
    PID:5332
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2896 -prefsLen 34776 -prefMapHandle 3244 -prefMapSize 270279 -jsInitHandle 3284 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3324 -initialChannelId {53fbdc9d-dbc5-42ff-bf12-0bb90994bb87} -parentPid 696 -crashReporter "\\.\pipe\gecko-crash-server-pipe.696" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
    3⤵
    - Checks processor information in registry
    PID:2044
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5056 -prefsLen 35013 -prefMapHandle 5060 -prefMapSize 270279 -ipcHandle 5068 -initialChannelId {8a2e5465-b320-47b5-9ef9-08b629ce8236} -parentPid 696 -crashReporter "\\.\pipe\gecko-crash-server-pipe.696" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
    3⤵
    - Checks processor information in registry
    PID:1844
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5348 -prefsLen 32952 -prefMapHandle 5352 -prefMapSize 270279 -jsInitHandle 5356 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5368 -initialChannelId {6fb78bf6-5ed3-456d-b23a-da817bf02453} -parentPid 696 -crashReporter "\\.\pipe\gecko-crash-server-pipe.696" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
    3⤵
    - Checks processor information in registry
    PID:2740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2848 -prefsLen 32952 -prefMapHandle 5544 -prefMapSize 270279 -jsInitHandle 5548 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5556 -initialChannelId {0543b118-b6c8-4575-ae53-cfffc413b023} -parentPid 696 -crashReporter "\\.\pipe\gecko-crash-server-pipe.696" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
    3⤵
    - Checks processor information in registry
    PID:3968
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5756 -prefsLen 32952 -prefMapHandle 5760 -prefMapSize 270279 -jsInitHandle 5764 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5544 -initialChannelId {fc0b9e40-5895-43ac-8eb3-c568be24e7b0} -parentPid 696 -crashReporter "\\.\pipe\gecko-crash-server-pipe.696" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
    3⤵
    - Checks processor information in registry
    PID:3552
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 6324 -prefsLen 33031 -prefMapHandle 6328 -prefMapSize 270279 -jsInitHandle 6320 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 6356 -initialChannelId {99e41f0f-3e80-4ce4-84fd-ca920ba64b55} -parentPid 696 -crashReporter "\\.\pipe\gecko-crash-server-pipe.696" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 10 tab
    3⤵
    - Checks processor information in registry
    PID:5316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3l8u00om.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
1b1d979db6c1e9393f2fbcccfeaff0b8

SHA1
775aaae9f8c0a58e7bb5340498622372ed80c2e3

SHA256
b64d35c957a6651de40a147a41dcc3b8b811663a2e6075a9aa795f152f372c46

SHA512
71f127271228881623d68461df22ef9c3bc45ce7e736c7b1f84fa2c2259b065988cca73f710d523ed3eabb699230d253b3a0abca92dfe60b0f21ba9e4e9177f4

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3l8u00om.default-release\cache2\entries\A585344A45AF937E3AB7D706291A9A3ED8D581D9

Filesize
13KB

MD5
801432f3ada92b80f2ae3837e5ccb773

SHA1
b414cd29d96bd4c92666977cc901c7190fc79925

SHA256
61ce26cb0f8ee8035861ccdc993b67798032f80e79d0771274b458d106169ddc

SHA512
21fe343ffbc119bec632c5133c1f2eaf2a78282ec9dbc4d79b27c6592908a6b22b0b64a416cfed1e36d5b63cf2dfa1be8d4302acf7a55fc8310c42aac0547a83

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\VCRUNTIME140.dll

Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\_asyncio.pyd

Filesize
31KB

MD5
480d3f4496e16d54bb5313d206164134

SHA1
3db3a9f21be88e0b759855bf4f937d0bbfdf1734

SHA256
568fb5c3d9b170ce1081ad12818b9a12f44ab1577449425a3ef30c2efbee613d

SHA512
8e887e8de9c31dbb6d0a85b4d6d4157e917707e63ce5f119bb4b03cb28d41af90d087e3843f3a4c2509bca70cdac3941e00b8a5144ade8532a97166a5d0a7bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\_bz2.pyd

Filesize
43KB

MD5
39b487c3e69816bd473e93653dbd9b7f

SHA1
bdce6fde092a3f421193ddb65df893c40542a4e2

SHA256
a1629c455be2cf55e36021704716f4b16a96330fe993aae9e818f67c4026fcdc

SHA512
7543c1555e8897d15c952b89427e7d06c32e250223e85fafae570f8a0fa13c39fb6fc322d043324a31b2f2f08d2f36e0da59dfd741d09c035d0429173b6badc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\_cffi_backend.cp310-win_amd64.pyd

Filesize
71KB

MD5
7727212e7bdbf63b1a39fb7faad24265

SHA1
a8fdec19d6690081b2bf55247e8e17657a68ac97

SHA256
b0116303e1e903d6eb02a69d05879f38af1640813f4b110cb733ffff6e4e985c

SHA512
2b1a27642118dd228791d0d8ba307aa39ab2d9c7d3799cff9f3c0744fe270eeaefe5545a4fda6e74e86fee747e45bf5f6c9ac799950c2b483a16eb3ce85d816a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\_ctypes.pyd

Filesize
53KB

MD5
b1f12f4bfc0bd49a6646a0786bc5bc00

SHA1
acb7d8c665bb8ca93e5f21e178870e3d141d7cbc

SHA256
1fe61645ed626fc1dec56b2e90e8e551066a7ff86edbd67b41cb92211358f3d7

SHA512
a3fb041bd122638873c395b95f1a541007123f271572a8a988c9d01d2b2d7bb20d70e1d97fc3abffd28cb704990b41d8984974c344faea98dd0c6b07472b5731

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\_decimal.pyd

Filesize
101KB

MD5
b7f498da5aec35140a6d928a8f792911

SHA1
95ab794a2d4cb8074a23d84b10cd62f7d12a4cd0

SHA256
b15f0dc3ce6955336162c9428077dcedfa1c52e60296251521819f3239c26ee8

SHA512
5fcb2d5325a6a4b7aff047091957ba7f13de548c5330f0149682d44140ac0af06837465871c598db71830fd3b2958220f80ae8744ef16fdb7336b3d6a5039e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\_hashlib.pyd

Filesize
30KB

MD5
31dfa2caaee02cc38adf4897b192d6d1

SHA1
9be57a9bad1cb420675f5b9e04c48b76d18f4a19

SHA256
dc045ac7d4bde60b0f122d307fcd2bbaf5e1261a280c4fb67cfc43de5c0c2a0f

SHA512
3e58c083e1e3201a9fbbf6a4fcbc2b0273cf22badabab8701b10b3f8fdd20b11758cdcfead557420393948434e340aad751a4c7aa740097ab29d1773ea3a0100

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\_lzma.pyd

Filesize
81KB

MD5
95badb08cd77e563c9753fadc39a34dd

SHA1
b3c3dfe64e89b5e7afb5f064bbf9d8d458f626a0

SHA256
5545627b465d780b6107680922ef44144a22939dd406deae44858b79747e301a

SHA512
eb36934b73f36ba2162e75f0866435f57088777dc40379f766366c26d40f185de5be3da55d17f5b82cb498025d8d90bc16152900502eb7f5de88bbef84ace2cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\_multiprocessing.pyd

Filesize
22KB

MD5
28f6fcc0b7bb10a45ff1370c9e1b9561

SHA1
c7669f406b5ec2306a402e872dec17380219907a

SHA256
6dd33d49554ee61490725ea2c9129c15544791ab7a65fb523cc9b4f88d38744b

SHA512
2aef40344e80c3518afc07bf6ad4c96c4fff44434f8307e2efa544290d59504d7b014d7ea94af0377e342a632d6c4c74bfdf16d26f92ccc7062be618ea4dbee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\_overlapped.pyd

Filesize
27KB

MD5
745706ab482fe9c9f92383292f121072

SHA1
439f00978795d0845aceaf007fd76ff5947567fd

SHA256
4d98e7d1b74bd209f8c66e1a276f60b470f6a5d6f519f76a91eb75be157a903d

SHA512
52fe3dfc45c380dfb1d9b6e453bdffcd92d57ad7b7312d0b9a86a76d437c512a17da33822f8e81760710d8ff4fd6a4b702d2abfffc600c9350d4d463451d38d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\_queue.pyd

Filesize
21KB

MD5
18b8b2b0aefcee9527299c464b7f6d3d

SHA1
a565216faee2534bbda5b3f65aeb2eef5fd9bcda

SHA256
6f334fa1474116dd499a125f3b5ca4cd698039446faf50340f9a3f7af3adb8c2

SHA512
0b56e9d89f4dd3da830954b6561c49c06775854e0b27bc2b07ea8e9c79829d66dae186b95209c8c4cc7c3a7ba6b03cdf134b2e0036cea929e61d755d4709abcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\_socket.pyd

Filesize
38KB

MD5
f675cf3cdd836cacfab9c89ab9f97108

SHA1
3e077bf518f7a4cb30ea4607338cff025d4d476e

SHA256
bb82a23d8dc6bf4c9aeb91d3f3bef069276ae3b14eeca100b988b85dd21e2dd3

SHA512
e2344b5f59bd0fad3570977edf0505aa2e05618e66d07c9f93b163fc151c4e1d6fbc0e25b7c989505c1270f8cd4840c6120a73a7ad64591ee3c4fb282375465e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\_sqlite3.pyd

Filesize
45KB

MD5
1dbec8753e5cd062cd71a8bb294f28f9

SHA1
c32e9b577f588408a732047863e04a1db6ca231e

SHA256
6d95d41a36b5c9e3a895eff91149978aa383b6a8617d542accef2080737c3cad

SHA512
a1c95dbb1a9e2ffbcc9422f53780b35fbc77cb56ac3562afb8753161a233e5efa8da8ad67f5bde5a094beb8331d9dab5c3d5e673a8d09fd6d0383a8a6ffda087

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\_ssl.pyd

Filesize
57KB

MD5
2edf5c4e534a45966a68033e7395f40d

SHA1
478ef27474eec0fd966d1663d2397e8fb47fec17

SHA256
7abc2b326f5b7c3011827eb7a5a4d896cc6b2619246826519b3f57d2bb99d3bd

SHA512
f83b698cfe702a15eb0267f254c593b90fa155ad2aefe75e5ba0ee5d4f38976882796cba2a027b42a910f244360177ac809891d505b3d0ae9276156b64850b6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\_uuid.pyd

Filesize
18KB

MD5
b3e7fc44f12d2db5bad6922e0b1d927f

SHA1
3fe8ef4b6fb0bc590a1c0c0f5710453e8e340f8f

SHA256
6b93290a74fb288489405044a7dee7cca7c25fa854be9112427930dd739ebace

SHA512
a0465a38aaac2d501e9a12a67d5d71c9eeeb425f535c473fc27ac13c2bb307641cc3cef540472f916e341d7bada80a84b99d78850d94c95ee14139f8540d0c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\aiohttp\_helpers.cp310-win_amd64.pyd

Filesize
25KB

MD5
785031e18bb4c52889cb92a1b43af777

SHA1
fab7ee02bd57218ef6043455c3c275afa99b981f

SHA256
e3a028c10a2dbb4e9a8e04d35637d1e2aa7639c73ff9650f3218be455442b7dc

SHA512
525d0a8fc4074ae3f5c50e78445528fe90419af5cdcb7579f5d556f3616bbd9f632b184e3400e1cff551c7dc646c5e38c44b5575b323910264b83b4395906ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\aiohttp\_http_parser.cp310-win_amd64.pyd

Filesize
81KB

MD5
70e66a7159a10ad5673e5d91cb5b7c55

SHA1
158497a3d11a410f277e813a55ee1b64936d95c2

SHA256
60ceeb87549dc017bd151ae1b840e08386f3b9a65079356d108c85295c578510

SHA512
518d094ee366a54652ed001bd832d95365a99be30e3ccd45f2b19ce8611d4fcc8911172ccfac714496e2b553813f49e85cdda6c094e2e42bb96c078b3f072421

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\aiohttp\_http_writer.cp310-win_amd64.pyd

Filesize
24KB

MD5
633e3269e2c42ec6a4518864e799300b

SHA1
4abc0d717f537980efcbc5c847e0f00ff2727dfb

SHA256
7f33f7e480270df70363a8510ea2c68bc8d9d0b34d46f73759a7833b89df3129

SHA512
983c6eaa301876be356c15fa28e01815f75e8086d25c9a8db9110523217bcab58ffcbe28d24fd31fd3ac6b142862a9c6314427a58e96968e0c050bd84b46568c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\aiohttp\_websocket.cp310-win_amd64.pyd

Filesize
20KB

MD5
e64158ae2cf875156756f22ccd54b292

SHA1
346b3ebd5e7f270dddb1cae228fe56145f096193

SHA256
2f1d5c8eac0b485e38d8afefeb759586666ece4e963af9adcf0f1abfe99c56ce

SHA512
4a09d91700c7175d05dfa00dc81a99482ae2bfc80c60514ca33f6bd31998ba6eb8fa04c5ea1dae877e248df38a050b3d23a560a9a078747dc1d3ef06da13a8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\base_library.zip

Filesize
858KB

MD5
4bb4e9fbd23477ba38e3d18636483678

SHA1
c76c5fbd15104f2800400205ef7925e36d59d88a

SHA256
12851c5f8d56bf0b22c4693180ca630f13d5be7bdea5e1e3fc0b012269a69ac9

SHA512
7aad6a4c4c252e53ddf4f7999638726b2c479457e553042351da70bf110c5bf72b09b56276dd0b8f63896738556fa30e2d658574a3a1b53a25f4005264201cf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\cryptography\hazmat\bindings\_rust.pyd

Filesize
2.1MB

MD5
27bfdc1a00eb382f490991a6507cc3f2

SHA1
162bc0ddf111968bfd69246660cf650f89b5b7bc

SHA256
788d5c28a70e2bc4e695c827aec70e0869ad7bfdd1f0f4f75231d6f8d83450c2

SHA512
6fcc538c0f901f8543cf296b981a68eb6271f72ddcd106b69b45e0ebd166a355299ce23e999aa855d23edd69f95f53b653f92772435a42c72001386cdb423899

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\frozenlist\_frozenlist.cp310-win_amd64.pyd

Filesize
36KB

MD5
6106b4d1eec11d2a71def28d2a2afa46

SHA1
e10039eff42f88a2cd8dfe11d428c35f6178c6ce

SHA256
19b144f1bfeb38f5a88da4471d0e9eeefcee979e0d574ecf13a28d06bdf7f1da

SHA512
d08ba0cf57d533ce2df7027158329da66518fb1bf10220d836ce39bdf8bc0436dfc3a649cf937b3b3e2bb9ff0d3c9e964416e9ac965cff4b24bd203067f53d43

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\libcrypto-1_1.dll

Filesize
1.1MB

MD5
700f32459dca0f54c982cd1c1ddd6b8b

SHA1
2538711c091ac3f572cb0f13539a68df0f228f28

SHA256
1de22bd1a0154d49f48b3fab94fb1fb1abd8bfed37d18e79a86ecd7cdab893c9

SHA512
99de1f5cb78c83fc6af0a475fb556f1ac58a1ba734efc69d507bf5dc1b0535a401d901324be845d7a59db021f8967cf33a7b105b2ddcb2e02a39dc0311e7c36d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\libffi-7.dll

Filesize
23KB

MD5
d50ebf567149ead9d88933561cb87d09

SHA1
171df40e4187ebbfdf9aa1d76a33f769fb8a35ed

SHA256
6aa8e12ce7c8ad52dd2e3fabeb38a726447849669c084ea63d8e322a193033af

SHA512
7bcc9d6d3a097333e1e4b2b23c81ea1b5db7dbdc5d9d62ebaffb0fdfb6cfe86161520ac14dc835d1939be22b9f342531f48da70f765a60b8e2c3d7b9983021de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\libssl-1_1.dll

Filesize
198KB

MD5
45498cefc9ead03a63c2822581cd11c6

SHA1
f96b6373237317e606b3715705a71db47e2cafad

SHA256
a84174a00dc98c98240ad5ee16c35e6ef932cebd5b8048ff418d3dd80f20deca

SHA512
4d3d8d33e7f3c2bf1cad3afbfba6ba53852d1314713ad60eeae1d51cc299a52b73da2c629273f9e0b7983ca01544c3645451cfa247911af4f81ca88a82cf6a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\multidict\_multidict.cp310-win_amd64.pyd

Filesize
20KB

MD5
7f691747ce66d3ed05a7c2c53220c8b5

SHA1
1d3f247042030cf8cf7c859002941beba5d15776

SHA256
7d6472a0d7f1a0740c7fc0d0d0ea6f7c6e7cb2b11b8c623c46a6fae1adb4e228

SHA512
b01f0e91039fc5b2782caaa0b3d56d5d1fe9e94424cc536cde9eca73a76747736060042e345af9edc5ef5bf5c154705d2c2dddf35536f305306be25a955a9f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\propcache\_helpers_c.cp310-win_amd64.pyd

Filesize
32KB

MD5
fd362fc501ddbfa28004e0d5c8df6dd2

SHA1
7ddef836354bee5222c2bf65ed321e4e6254310a

SHA256
cc2d201dfa2dfa430505e88be8d61f69b275cb3eb27e7a32ebf2f95d890709b3

SHA512
a9d87b27454640b8f78e934baf0f8d4781739fc1bb6de2b82b9ad0e11df7aca5d291ea6395289e4313bf5ab89225db5ef3085c945e01dde81bc2a73ce6591761

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\pyexpat.pyd

Filesize
81KB

MD5
b4cf065f5e5b7a5bc2dd2b2e09bea305

SHA1
d289a500ffd399053767ee7339e48c161655b532

SHA256
9b5f407a2a1feaa76c6d3058a2f04c023b1c50b31d417bbfee69024098e4938b

SHA512
ddd9e216b11152d6a50481e06bb409335d36ce7fe63072aa0c7789c541593f2d7e8b4373be67a018c59f5e418e5a39a3ad729b732f11fa253f6275a64e125989

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\python3.DLL

Filesize
60KB

MD5
a5471f05fd616b0f8e582211ea470a15

SHA1
cb5f8bf048dc4fc58f80bdfd2e04570dbef4730e

SHA256
8d5e09791b8b251676e16bdd66a7118d88b10b66ad80a87d5897fadbefb91790

SHA512
e87d06778201615b129dcf4e8b4059399128276eb87102b5c3a64b6e92714f6b0d5bde5df4413cc1b66d33a77d7a3912eaa1035f73565dbfd62280d09d46abff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\python310.dll

Filesize
1.4MB

MD5
90d5b8ba675bbb23f01048712813c746

SHA1
f2906160f9fc2fa719fea7d37e145156742ea8a7

SHA256
3a7d497d779ff13082835834a1512b0c11185dd499ab86be830858e7f8aaeb3e

SHA512
872c2bf56c3fe180d9b4fb835a92e1dc188822e9d9183aab34b305408bb82fba1ead04711e8ad2bef1534e86cd49f2445d728851206d7899c1a7a83e5a62058e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\select.pyd

Filesize
21KB

MD5
740424368fb6339d67941015e7ac4096

SHA1
64f3fab24f469a027ddfcf0329eca121f4164e45

SHA256
a389eae40188282c91e0cdf38c79819f475375860225b6963deb11623485b76d

SHA512
6d17dc3f294f245b4ca2eca8e62f4c070c7b8a5325349bc25ebaeea291a5a5ebd268bd1321c08755141aa58de0f985adc67335b4f83bc1aeec4b398d0f538e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\sqlite3.dll

Filesize
605KB

MD5
7055e9008e847cb6015b1bb89f26c7ac

SHA1
c7c844cb46f8287a88bec3bd5d02647f5a07ae80

SHA256
2884d8e9007461ab6e8bbdd37c6bc4f6de472bbd52ec5b53e0a635075d86b871

SHA512
651b7b8c2518e4826d84c89be5052fd944f58f558c51cc905da181049850186d0a87fd2e05734fbe6a69618a6e48261a9fdd043ab17eb01620c6510e96d57008

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\unicodedata.pyd

Filesize
285KB

MD5
0c26e9925bea49d7cf03cfc371283a9b

SHA1
89290d3e43e18165cb07a7a4f99855b9e8466b21

SHA256
13c2ea04a1d40588536f1d7027c8d0ea228a9fb328ca720d6c53b96a8e1ae724

SHA512
6a3cd4b48f7c0087f4a1bdc1241df71d56bd90226759481f17f56baa1b991d1af0ba5798a2b7ba57d9ffa9ec03a12bfac81df2fba88765bd369435ff21a941e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI36802\yarl\_quoting_c.cp310-win_amd64.pyd

Filesize
41KB

MD5
66c8816ab9b6040ed5d45c5432f93c96

SHA1
78b73258e6fff699b8b345a54e8a7c868b10da53

SHA256
d28d9808d80b6bee274f7e553168b1d42ad806b9d767a92e189678bc81b329d6

SHA512
847e39ad6b490b5901e07187d6dafa8fcc50d654ae6faedbefaa9759bc328581a1d9b03f0d7b997d00c3de1a752de451fc91837ea4700561f93389ae10766295

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jdqqgotj.fap.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
11KB

MD5
25e8156b7f7ca8dad999ee2b93a32b71

SHA1
db587e9e9559b433cee57435cb97a83963659430

SHA256
ddf3ba4e25a622276755133e0cce5605b83719c7cab3546e09acbfed00d6a986

SHA512
1211b2fa997ba13ff926aec58b6b35a81d7fe108b0caa8f4d6369d0a37f8481373b78a4b201651243adde9e2b2699ce929482a46226ff6299b0a0e40fe2ddc56

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
502KB

MD5
e690f995973164fe425f76589b1be2d9

SHA1
e947c4dad203aab37a003194dddc7980c74fa712

SHA256
87862f4bc8559fbe578389a9501dc01c4c585edb4bb03b238493327296d60171

SHA512
77991110c1d195616e936d27151d02e4d957be6c20a4f3b3511567868b5ddffc6abbfdc668d17672f5d681f12b20237c7905f9b0daaa6d71dcdac4b38f2448b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
14.0MB

MD5
bcceccab13375513a6e8ab48e7b63496

SHA1
63d8a68cf562424d3fc3be1297d83f8247e24142

SHA256
a6af95a209b2e652ed6766804b9b8ad6b6a68f2c610b8f14713cd40df0d62bf9

SHA512
d94483deaae98bf9212699f1ab0bd913f6151a63e65ebc1ea644ab98d5e3ebd74ecaa08f70aca31e11a5d2c64d1504b723817af35bbe9d7b05c758dd6945d484

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3l8u00om.default-release\AlternateServices.bin

Filesize
12KB

MD5
2c1324d61e3f6748c62b637c47d74185

SHA1
82d02db4a2aca4c49b36e9b00c7d3c2549dd9f3f

SHA256
38123de98d71db9a7896bfc9b60807189135a4f3ee1c1bbd8b77ac105f4e512b

SHA512
cdbba3ddb1e6eba877996e0740d9e832b9aec87f687f4e72b79ac656c9d50169217be26eca64e51894f3e7debd543f9fd03e42db3a19e3a6cfb28c6e662dea04

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3l8u00om.default-release\AlternateServices.bin

Filesize
7KB

MD5
4f7c8aba22086808b2d0fcf294b0532d

SHA1
a95c251ac6d913270cd7d978152f629d15dba053

SHA256
ccb2a6052da87482591885e2a454086e48e2e1226a143e72b643f2220191d99c

SHA512
9325a0dab2c05ff7beac8f0e2fb6298b3f8fa058f5881dbc2acafd4d2502210a09286261a118bc836eb3c472a3595faa792d2ec7b564a0b8711ca8822fa5c547

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3l8u00om.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
c51b601678cf8304451155fd9d6ec0e7

SHA1
66ff0aa8c25134d35ec84331e55ee8016960d4cb

SHA256
ee39fdca6039d8b445cc1cf81d326d0772c2daf8a99ef48758edcc32e1056830

SHA512
c2bc66a47e64ee444191093caa6cdad872a9ea29966f3008d39f87ed0ec8c39bf95f7607191ceb72af20a34640651051a4890edf37849b1c92a29aec3a1d7691

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3l8u00om.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
dc0da52bce55893bc2f4cccac99e79cb

SHA1
ad0cc64911aa60a4ef4387ce7adacc2c83105542

SHA256
673a4f1b1a5269b5c00ae1943358178d467354bc987cf1ce909eb5d5d4ecb60e

SHA512
24f68b40554c6c7a4d3cc655d76ef2be935aa9286fa1afd1cbf349b066ee37ce3e6746e10ae05c9a90fc548b13b95abe6e97ce441b2f2fa6c70211767f0ba7f0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3l8u00om.default-release\datareporting\glean\db\data.safe.tmp

Filesize
7KB

MD5
128cb52a805b7cd25aed02910c6419cc

SHA1
5a5ed35cb47513708c96719efec5a381a0c21d30

SHA256
65d6ca3dbcc9a199bd05da17d449146021f8804f4674ff2f4428962f445d68bf

SHA512
3d57ea3eaeebb0b6b96ae850623b7c83b6d7050524c795d00db01fe245f695d6d223a30762b9630ced9fc4e1a7bf800c7c18a506598af446770efacd5510e6b9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3l8u00om.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
7335edbab0754ff91398116cdd1da066

SHA1
fbc48aeacc706942cf44354c2ae28da246ef7e15

SHA256
d8adb123e4e05872b9d6acac76592cd032dbaa922d655be101645b47e1c577ae

SHA512
b6b86030378f14e7729d8af98e6a6c583fa4abc78092458d60ef016c8a27c6f6fabe942a8244f1c1595839ddc1a55b5e2965a8d5a9ab228a69592aa462377927

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3l8u00om.default-release\datareporting\glean\pending_pings\47bc2ce9-9345-4722-bf08-3c4b40e2d4d9

Filesize
2KB

MD5
5584d503363d9de38578a5ff2d4e8ab6

SHA1
0468388ef5fde0f88df1218cb00ac6267c40b58a

SHA256
befc623d7e5d5fc8481700cf556e305a3626e1f8459b844fd9139d2fef10205c

SHA512
2ae2a4052ad6bc03a9642453bf5ffa325942bc05f69aff6dbc7e7c32050ae79faf4801f6028122410f26a708e481eb2915286133f5c20d332966f42e6d7920da

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3l8u00om.default-release\datareporting\glean\pending_pings\c880e950-6838-4d01-8a69-38ab3cb8903e

Filesize
883B

MD5
11c22417c05dbf9eebb6665ef896ebc5

SHA1
8b537868974693d43b122f7012f829b798e4cef2

SHA256
602e8e1627950bac9a1636bd9b4c74aab7db55ef9fd363c775be893187a95afb

SHA512
bd4f349eb4db923f913b1d3e8684afc90745c72506e0861ec0ee9933dfe29369139fb30a2a4af747b80c09ca3e196f85546f4213ef0dfcf47dac3ea9954d6d9d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3l8u00om.default-release\datareporting\glean\pending_pings\c8a4cde1-68f6-4225-a581-f1ab379ffbf3

Filesize
16KB

MD5
b57616344fd1d4573703f2be6bb6ceb8

SHA1
55a77d8ffdce141a4937223c1c112baedbd84c26

SHA256
a4498e026493b89e97a4df28d88d8b8644817b2cd791c416ca0c8ed8e1dc875f

SHA512
32f7383fcdc941269a767c235faa483fb1bc8308c0f5c8e0fd2e97450328b5fe7998a6c58d5b6e6e21a7e3306b8c24085d59b20b0e8a6862f8650e07c3f5b6f7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3l8u00om.default-release\datareporting\glean\pending_pings\dd421706-afa9-43bf-b462-d3f7f7fa9dbd

Filesize
235B

MD5
80e4075c0984699d8f2ac401061cea96

SHA1
5604c00f855c94334fe89e3d945656c1f8d069f7

SHA256
4ebc60ce3c1c5bbf8a546a66b94cb18e8e432e6e377299fd8626670794468fa6

SHA512
2dcc2806857b522cc7439cf76266c255a95ad11b15cd1e8eed57a38002cd1446133bbd581c76cd974d0ac012377c0e1c7211df8d3a97eab36d335f1513e0230b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3l8u00om.default-release\datareporting\glean\pending_pings\dd660f6e-2113-49c7-8a8e-a74ae9fc408e

Filesize
235B

MD5
737c8efa8f098317b1973cd6a0c13c6f

SHA1
fcdc64610c10cd52d8013163c9b03bd7707b499b

SHA256
46cb1f192653a1c3424e138496061522c4ea191591ca6b778f1f3d3c003f03f0

SHA512
001e7590af907eb80d8f6eca6d2723549c3c8b5bd6d92b271d1b547461090b2c7ac6d79dce70c22d2c2f87931fc09e9e53b22d3b00e24228188bd1c0fe13e81f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3l8u00om.default-release\datareporting\glean\pending_pings\ea062445-6212-46e7-a225-00482b057886

Filesize
886B

MD5
c89fb416bcdc2a06dcf337fc7bd6c7dc

SHA1
f01fdad9e6528a9072432d922e3922224022dfd1

SHA256
b918a68af6e8eb80c259a9321f07ea42bbeea019dc50f56e72b88576884ec52d

SHA512
61d3802e7e221d9e5769fb9df79a871f316dfb1e524ec4560c2f540f8b69cd4a68a2e251ab76ed3b3bd414f68e0b719036cd60eb452341fc7d1ea23bdcf81c1e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3l8u00om.default-release\extensions.json

Filesize
16KB

MD5
f0df258e34a3a8c00f6e9232176e3398

SHA1
3ecadffc12639f8e26aed8f7b24e4b4e6e762ab7

SHA256
143bc8dfb51d6373dcd22f97ecebac53cb7a4f74d3ebcf64a2692dbca5891dc5

SHA512
50b565348ee97568e2321f1240ad10b592df89d08e67096fb32af8debc4388f722063f4c839ba9db29a929c1fddeb8a6fb88fd7a98f3c354756a02eab8c76e50

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3l8u00om.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.dll

Filesize
1.1MB

MD5
626073e8dcf656ac4130e3283c51cbba

SHA1
7e3197e5792e34a67bfef9727ce1dd7dc151284c

SHA256
37c005a7789747b412d6c0a6a4c30d15732da3d857b4f94b744be1a67231b651

SHA512
eebdeef5e47aeadfeebdbab8625f4ec91e15c4c4e4db4be91ea41be4a3da1e1afeed305f6470e5d6b2a31c41cbfb5548b35a15fccd7896d3fde7cdf402d7a339

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3l8u00om.default-release\gmp-gmpopenh264\2.6.0\gmpopenh264.info

Filesize
116B

MD5
ae29912407dfadf0d683982d4fb57293

SHA1
0542053f5a6ce07dc206f69230109be4a5e25775

SHA256
fe7686a6281f0ab519c32c788ce0da0d01640425018dcffcfcb81105757f6fe6

SHA512
6f9083152c02f93a900cb69b1ce879e0c0d69453f1046280ca549a0301ae7925facdda6329f7ccb61726addee78ba2fffc5ba3491a185f139f3155716caf0a8d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3l8u00om.default-release\gmp-widevinecdm\4.10.2891.0\manifest.json

Filesize
1001B

MD5
32aeacedce82bafbcba8d1ade9e88d5a

SHA1
a9b4858d2ae0b6595705634fd024f7e076426a24

SHA256
4ed3c6389f6f7cd94db5cd0f870c34a296fc0de3b1e707fccf01645b455790ce

SHA512
67dfe5632188714ec87f3c79dbe217a0ae4dfb784f3fac63affd20fef8b8ef1978c28b3bf7955f3daaf3004ac5316b1ffa964683b0676841bab4274c325c6e2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3l8u00om.default-release\gmp-widevinecdm\4.10.2891.0\widevinecdm.dll

Filesize
18.5MB

MD5
1b32d1ec35a7ead1671efc0782b7edf0

SHA1
8e3274b9f2938ff2252ed74779dd6322c601a0c8

SHA256
3ed0dec36754402707c2ae4fbfa887fe3089945f6f7c1a8a3e6c1e64ad1c2648

SHA512
ab452caa2a529b5bf3874c291f1ffb2a30d9ea43dae5df6a6995dde4bc3506648c749317f0d8e94c31214e62f18f855d933b6d0b6b44634b01e058d3c5fcb499

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3l8u00om.default-release\prefs-1.js

Filesize
8KB

MD5
6d43080e00053bf737ab725bc0dcb880

SHA1
1350d360de864bc17d8785a848a1b971e8736527

SHA256
148433b13f410d6d4849f24e262cf40dd7874505a08b6bd9ced8046be03f12ab

SHA512
cc68cb24986fdac66f2c12788af97ef35bbc6b66a80185509f597ffacfb4d9fac9038a109f3e20b5b47c497669508d4206ad0c36baa1d31c3044feff6cea5f59

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3l8u00om.default-release\prefs.js

Filesize
6KB

MD5
cd6b727480a0204421470e253c148c92

SHA1
55ea1f54569f248709c9fab0d0c0280ca6a462e4

SHA256
e80ec259c7fbb292aacfb130858b87cd0b8c297447cdf9bb5ea311c2214fd7ce

SHA512
ebe4f826c3ba7def7776eed82020714367de1e78df1080a4aaff426d644dcc10eca2b8b4a8c724e3decc9fbef473177910a2a612477ff0f9c6492c5465a122a5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3l8u00om.default-release\prefs.js

Filesize
6KB

MD5
68d8c51e37f9a461a8b81ec9cf6a07a1

SHA1
f64060c3b47ce551790ad361933e7e88cd7e2e86

SHA256
6e45aadab4459e7eff48c20d584e3e030cf4266fab875f5b157364a1f53631d5

SHA512
5f7437d76c10c9ecdeb38a0a6e4ca1e54f868b1d160f30fd7de6658f955a2df55ed7ae9ca6cc8941882a487b466661c439a9a4760e0744510360839001a86100

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3l8u00om.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
37ff3bfb36288cc05482bfbf00fb468a

SHA1
e64a0d3ba680e9a8a38670a41ab30f8a60d850e2

SHA256
1b4b02e7f9be0e70b4390c1f1574d24139c5229b4b7851a119748d4fd07fa958

SHA512
d8e9e62f23840a3bc56d1622045b2d8a1ccc86616885444a03b03302b5b2c842ac997582b3fa297a24bd2ff2fa6ccf14a0302c5ef9a1f50482429691810fa32e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3l8u00om.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
1ba67528de36d6a9b3a904637e1302e6

SHA1
dfd428e48e78430d10bb2fec3fb179190ec424f6

SHA256
9ab1d29bdb6eb2abcc95e931ed657abd185af34c177d6bd482a636e0e04a59ab

SHA512
72b63535b09e3ed95efbfd5265298c60244b90960bd497a3204d90667c06255830396ff125ec1104bf03b20cf8e198c57664351ceb3d697d8803b3a8e8d860fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3l8u00om.default-release\sessionstore-backups\recovery.baklz4

Filesize
3KB

MD5
b464d647b40c2f4352977ce7cc91feb8

SHA1
da736a058e6fbe204520a0c1700fc0117fabe11a

SHA256
23c86f03011a0a263c383a2e516fa81cf8f99a4bcbc960aadd2b3aa00b5ee659

SHA512
d5896012f76ad75e3b1f5db243353d78252d0135942c759e58b9d82a26a1c01c51e810dae8b17d74c2ae60634da7b0e8754e53f41e103865520a14e884015040

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3l8u00om.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.8MB

MD5
0d282922e5e195b0f9476a94b1fe4056

SHA1
5595b64dc24306e9639aaab05d1f044db9268566

SHA256
a22c2432c4bfbeb4af117c2f5c1d267d08f44eec049536cff1c8c0969fef6737

SHA512
da72c54222e4df2c667c5930b662f97f69694a40ccadc424c18d520cd8c09488cb4a9f63af53c3933a9f616f9b4964f208cd3c55f612490ca1fd3ea23cbceed3

Download Submit
memory/1136-91-0x00007FFCEE8B0000-0x00007FFCEEA1D000-memory.dmp

Filesize
1.4MB

Download
memory/1136-135-0x00007FFCE0170000-0x00007FFCE04E4000-memory.dmp

Filesize
3.5MB

Download
memory/1136-129-0x00007FFCEEC50000-0x00007FFCEEC69000-memory.dmp

Filesize
100KB

Download
memory/1136-128-0x00007FFCEEC70000-0x00007FFCEEC86000-memory.dmp

Filesize
88KB

Download
memory/1136-127-0x00007FFCEF240000-0x00007FFCEF2F6000-memory.dmp

Filesize
728KB

Download
memory/1136-145-0x00007FFCDF490000-0x00007FFCDFC1A000-memory.dmp

Filesize
7.5MB

Download
memory/1136-146-0x00007FFCEF180000-0x00007FFCEF194000-memory.dmp

Filesize
80KB

Download
memory/1136-147-0x00007FFCE9200000-0x00007FFCE9237000-memory.dmp

Filesize
220KB

Download
memory/1136-153-0x00007FFCEEED0000-0x00007FFCEEEF2000-memory.dmp

Filesize
136KB

Download
memory/1136-136-0x00007FFCEEC30000-0x00007FFCEEC41000-memory.dmp

Filesize
68KB

Download
memory/1136-142-0x0000015BFA250000-0x0000015BFA5C4000-memory.dmp

Filesize
3.5MB

Download
memory/1136-143-0x00007FFCEE840000-0x00007FFCEE85E000-memory.dmp

Filesize
120KB

Download
memory/1136-210-0x00007FFCEEC70000-0x00007FFCEEC86000-memory.dmp

Filesize
88KB

Download
memory/1136-137-0x00007FFCEEE40000-0x00007FFCEEE4A000-memory.dmp

Filesize
40KB

Download
memory/1136-138-0x00007FFCEE860000-0x00007FFCEE8AD000-memory.dmp

Filesize
308KB

Download
memory/1136-214-0x00007FFCEE860000-0x00007FFCEE8AD000-memory.dmp

Filesize
308KB

Download
memory/1136-125-0x00007FFCEF5B0000-0x00007FFCEF5DE000-memory.dmp

Filesize
184KB

Download
memory/1136-119-0x00007FFCEE8B0000-0x00007FFCEEA1D000-memory.dmp

Filesize
1.4MB

Download
memory/1136-120-0x00007FFCE0050000-0x00007FFCE0168000-memory.dmp

Filesize
1.1MB

Download
memory/1136-121-0x00007FFCEEEB0000-0x00007FFCEEECB000-memory.dmp

Filesize
108KB

Download
memory/1136-118-0x00007FFCEFF90000-0x00007FFCEFFAE000-memory.dmp

Filesize
120KB

Download
memory/1136-217-0x00007FFCDF490000-0x00007FFCDFC1A000-memory.dmp

Filesize
7.5MB

Download
memory/1136-103-0x00007FFCF2710000-0x00007FFCF2734000-memory.dmp

Filesize
144KB

Download
memory/1136-105-0x00007FFCEF5F0000-0x00007FFCEF604000-memory.dmp

Filesize
80KB

Download
memory/1136-107-0x00007FFCEF350000-0x00007FFCEF360000-memory.dmp

Filesize
64KB

Download
memory/1136-108-0x00007FFCEF180000-0x00007FFCEF194000-memory.dmp

Filesize
80KB

Download
memory/1136-263-0x00007FFCE0C90000-0x00007FFCE0C9D000-memory.dmp

Filesize
52KB

Download
memory/1136-112-0x00007FFCF5E40000-0x00007FFCF5E59000-memory.dmp

Filesize
100KB

Download
memory/1136-113-0x00007FFCEF140000-0x00007FFCEF155000-memory.dmp

Filesize
84KB

Download
memory/1136-114-0x00007FFCEEED0000-0x00007FFCEEEF2000-memory.dmp

Filesize
136KB

Download
memory/1136-99-0x00007FFCE04F0000-0x00007FFCE0955000-memory.dmp

Filesize
4.4MB

Download
memory/1136-100-0x0000015BFA250000-0x0000015BFA5C4000-memory.dmp

Filesize
3.5MB

Download
memory/1136-98-0x00007FFCE0170000-0x00007FFCE04E4000-memory.dmp

Filesize
3.5MB

Download
memory/1136-95-0x00007FFCEF240000-0x00007FFCEF2F6000-memory.dmp

Filesize
728KB

Download
memory/1136-88-0x00007FFCF4F70000-0x00007FFCF4F89000-memory.dmp

Filesize
100KB

Download
memory/1136-89-0x00007FFCEF610000-0x00007FFCEF63C000-memory.dmp

Filesize
176KB

Download
memory/1136-90-0x00007FFCEFF90000-0x00007FFCEFFAE000-memory.dmp

Filesize
120KB

Download
memory/1136-93-0x00007FFCEF5B0000-0x00007FFCEF5DE000-memory.dmp

Filesize
184KB

Download
memory/1136-354-0x00007FFCE0170000-0x00007FFCE04E4000-memory.dmp

Filesize
3.5MB

Download
memory/1136-283-0x00007FFCE0C90000-0x00007FFCE0C9D000-memory.dmp

Filesize
52KB

Download
memory/1136-79-0x00007FFCF8B70000-0x00007FFCF8B7F000-memory.dmp

Filesize
60KB

Download
memory/1136-82-0x00007FFCF5E40000-0x00007FFCF5E59000-memory.dmp

Filesize
100KB

Download
memory/1136-83-0x00007FFCF5D00000-0x00007FFCF5D0D000-memory.dmp

Filesize
52KB

Download
memory/1136-58-0x00007FFCF2710000-0x00007FFCF2734000-memory.dmp

Filesize
144KB

Download
memory/1136-50-0x00007FFCE04F0000-0x00007FFCE0955000-memory.dmp

Filesize
4.4MB

Download
memory/1136-377-0x00007FFCE04F0000-0x00007FFCE0955000-memory.dmp

Filesize
4.4MB

Download
memory/1136-386-0x00007FFCEF5B0000-0x00007FFCEF5DE000-memory.dmp

Filesize
184KB

Download
memory/1136-363-0x00007FFCEEC50000-0x00007FFCEEC69000-memory.dmp

Filesize
100KB

Download
memory/1136-343-0x00007FFCE04F0000-0x00007FFCE0955000-memory.dmp

Filesize
4.4MB

Download
memory/1136-344-0x00007FFCF2710000-0x00007FFCF2734000-memory.dmp

Filesize
144KB

Download
memory/1136-350-0x00007FFCEFF90000-0x00007FFCEFFAE000-memory.dmp

Filesize
120KB

Download
memory/1136-351-0x00007FFCEE8B0000-0x00007FFCEEA1D000-memory.dmp

Filesize
1.4MB

Download
memory/1136-352-0x00007FFCEF5B0000-0x00007FFCEF5DE000-memory.dmp

Filesize
184KB

Download
memory/1136-353-0x00007FFCEF240000-0x00007FFCEF2F6000-memory.dmp

Filesize
728KB

Download
memory/1136-356-0x00007FFCEF350000-0x00007FFCEF360000-memory.dmp

Filesize
64KB

Download
memory/1136-355-0x00007FFCEF5F0000-0x00007FFCEF604000-memory.dmp

Filesize
80KB

Download
memory/1136-364-0x00007FFCEE860000-0x00007FFCEE8AD000-memory.dmp

Filesize
308KB

Download
memory/5480-265-0x00007FFCE0C80000-0x00007FFCE0C90000-memory.dmp

Filesize
64KB

Download
memory/5480-311-0x00007FFCDFC30000-0x00007FFCDFC44000-memory.dmp

Filesize
80KB

Download
memory/5480-309-0x00007FFCDEFB0000-0x00007FFCDF066000-memory.dmp

Filesize
728KB

Download
memory/5480-308-0x00007FFCDFC50000-0x00007FFCDFC7E000-memory.dmp

Filesize
184KB

Download
memory/5480-305-0x00007FFCDEED0000-0x00007FFCDEEFC000-memory.dmp

Filesize
176KB

Download
memory/5480-304-0x00007FFCDEF00000-0x00007FFCDEF19000-memory.dmp

Filesize
100KB

Download
memory/5480-303-0x00007FFCDFC20000-0x00007FFCDFC2D000-memory.dmp

Filesize
52KB

Download
memory/5480-302-0x00007FFCDEF90000-0x00007FFCDEFA9000-memory.dmp

Filesize
100KB

Download
memory/5480-301-0x00007FFCE0E20000-0x00007FFCE0E2F000-memory.dmp

Filesize
60KB

Download
memory/5480-300-0x00007FFCE0C50000-0x00007FFCE0C74000-memory.dmp

Filesize
144KB

Download
memory/5480-324-0x00007FFCD5AF0000-0x00007FFCD627A000-memory.dmp

Filesize
7.5MB

Download
memory/5480-318-0x00007FFCDEE50000-0x00007FFCDEE66000-memory.dmp

Filesize
88KB

Download
memory/5480-317-0x00007FFCDEE90000-0x00007FFCDEEAB000-memory.dmp

Filesize
108KB

Download
memory/5480-310-0x00007FFCDBF70000-0x00007FFCDC2E4000-memory.dmp

Filesize
3.5MB

Download
memory/5480-299-0x00007FFCDCB40000-0x00007FFCDCFA5000-memory.dmp

Filesize
4.4MB

Download
memory/5480-277-0x00007FFCD84A0000-0x00007FFCD84ED000-memory.dmp

Filesize
308KB

Download
memory/5480-276-0x00007FFCDEE50000-0x00007FFCDEE66000-memory.dmp

Filesize
88KB

Download
memory/5480-275-0x000001D84F6B0000-0x000001D84FA24000-memory.dmp

Filesize
3.5MB

Download
memory/5480-273-0x00007FFCDEFB0000-0x00007FFCDF066000-memory.dmp

Filesize
728KB

Download
memory/5480-272-0x00007FFCDFC50000-0x00007FFCDFC7E000-memory.dmp

Filesize
184KB

Download
memory/5480-270-0x00007FFCDC2F0000-0x00007FFCDC45D000-memory.dmp

Filesize
1.4MB

Download
memory/5480-268-0x00007FFCDEEB0000-0x00007FFCDEECE000-memory.dmp

Filesize
120KB

Download
memory/5480-264-0x00007FFCDFC30000-0x00007FFCDFC44000-memory.dmp

Filesize
80KB

Download
memory/5480-312-0x00007FFCE0C80000-0x00007FFCE0C90000-memory.dmp

Filesize
64KB

Download
memory/5480-313-0x00007FFCDF1E0000-0x00007FFCDF1F4000-memory.dmp

Filesize
80KB

Download
memory/5480-314-0x00007FFCDF1C0000-0x00007FFCDF1D5000-memory.dmp

Filesize
84KB

Download
memory/5480-315-0x00007FFCDF190000-0x00007FFCDF1B2000-memory.dmp

Filesize
136KB

Download
memory/5480-316-0x00007FFCDF070000-0x00007FFCDF188000-memory.dmp

Filesize
1.1MB

Download
memory/5480-319-0x00007FFCD85A0000-0x00007FFCD85B9000-memory.dmp

Filesize
100KB

Download
memory/5480-320-0x00007FFCD84A0000-0x00007FFCD84ED000-memory.dmp

Filesize
308KB

Download
memory/5480-321-0x00007FFCD8480000-0x00007FFCD8491000-memory.dmp

Filesize
68KB

Download
memory/5480-322-0x00007FFCDC920000-0x00007FFCDC92A000-memory.dmp

Filesize
40KB

Download
memory/5480-323-0x00007FFCD6280000-0x00007FFCD629E000-memory.dmp

Filesize
120KB

Download
memory/5480-325-0x00007FFCD5AB0000-0x00007FFCD5AE7000-memory.dmp

Filesize
220KB

Download
memory/5480-326-0x00007FFCDC2F0000-0x00007FFCDC45D000-memory.dmp

Filesize
1.4MB

Download
memory/5480-306-0x00007FFCDEEB0000-0x00007FFCDEECE000-memory.dmp

Filesize
120KB

Download
memory/5480-278-0x00007FFCDBF70000-0x00007FFCDC2E4000-memory.dmp

Filesize
3.5MB

Download
memory/5480-279-0x00007FFCD85A0000-0x00007FFCD85B9000-memory.dmp

Filesize
100KB

Download
memory/5480-280-0x00007FFCDC920000-0x00007FFCDC92A000-memory.dmp

Filesize
40KB

Download
memory/5480-281-0x00007FFCD6280000-0x00007FFCD629E000-memory.dmp

Filesize
120KB

Download
memory/5480-282-0x00007FFCD8480000-0x00007FFCD8491000-memory.dmp

Filesize
68KB

Download
memory/5480-284-0x00007FFCDFC30000-0x00007FFCDFC44000-memory.dmp

Filesize
80KB

Download
memory/5480-287-0x00007FFCD5AF0000-0x00007FFCD627A000-memory.dmp

Filesize
7.5MB

Download
memory/5480-288-0x00007FFCD5AB0000-0x00007FFCD5AE7000-memory.dmp

Filesize
220KB

Download
memory/5480-274-0x00007FFCDEE90000-0x00007FFCDEEAB000-memory.dmp

Filesize
108KB

Download
memory/5480-271-0x00007FFCDF070000-0x00007FFCDF188000-memory.dmp

Filesize
1.1MB

Download
memory/5480-269-0x00007FFCDF190000-0x00007FFCDF1B2000-memory.dmp

Filesize
136KB

Download
memory/5480-267-0x00007FFCDF1C0000-0x00007FFCDF1D5000-memory.dmp

Filesize
84KB

Download
memory/5480-266-0x00007FFCDF1E0000-0x00007FFCDF1F4000-memory.dmp

Filesize
80KB

Download
memory/5480-262-0x00007FFCE0C50000-0x00007FFCE0C74000-memory.dmp

Filesize
144KB

Download
memory/5480-221-0x00007FFCDEFB0000-0x00007FFCDF066000-memory.dmp

Filesize
728KB

Download
memory/5480-222-0x000001D84F6B0000-0x000001D84FA24000-memory.dmp

Filesize
3.5MB

Download
memory/5480-223-0x00007FFCDCB40000-0x00007FFCDCFA5000-memory.dmp

Filesize
4.4MB

Download
memory/5480-224-0x00007FFCDBF70000-0x00007FFCDC2E4000-memory.dmp

Filesize
3.5MB

Download
memory/5480-220-0x00007FFCDFC50000-0x00007FFCDFC7E000-memory.dmp

Filesize
184KB

Download
memory/5480-218-0x00007FFCDEEB0000-0x00007FFCDEECE000-memory.dmp

Filesize
120KB

Download
memory/5480-219-0x00007FFCDC2F0000-0x00007FFCDC45D000-memory.dmp

Filesize
1.4MB

Download
memory/5480-216-0x00007FFCDEED0000-0x00007FFCDEEFC000-memory.dmp

Filesize
176KB

Download
memory/5480-213-0x00007FFCDFC20000-0x00007FFCDFC2D000-memory.dmp

Filesize
52KB

Download
memory/5480-215-0x00007FFCDEF00000-0x00007FFCDEF19000-memory.dmp

Filesize
100KB

Download
memory/5480-212-0x00007FFCDEF90000-0x00007FFCDEFA9000-memory.dmp

Filesize
100KB

Download
memory/5480-211-0x00007FFCE0E20000-0x00007FFCE0E2F000-memory.dmp

Filesize
60KB

Download
memory/5480-209-0x00007FFCE0C50000-0x00007FFCE0C74000-memory.dmp

Filesize
144KB

Download
memory/5480-208-0x00007FFCDCB40000-0x00007FFCDCFA5000-memory.dmp

Filesize
4.4MB

Download
memory/5528-298-0x0000020FED410000-0x0000020FED432000-memory.dmp

Filesize
136KB

Download