hxxp://mega[.]nz/file/ILpgVCBQ#JYh6vWV8VLZENOQgSGBOjmCwCLT8BtVv93L0GthHx_w

Analysis

max time kernel
1800s
max time network
1178s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
23-04-2024 19:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://mega.nz/file/ILpgVCBQ#JYh6vWV8VLZENOQgSGBOjmCwCLT8BtVv93L0GthHx_w

Score

7^/10

persistence pyinstaller spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 4 IoCs

Processes:

Vape v4.exeVape v4.exeVape v4.exeVape v4.exe

pid process

5952 Vape v4.exe
5408 Vape v4.exe
1188 Vape v4.exe
3120 Vape v4.exe

pid	process
5952	Vape v4.exe
5408	Vape v4.exe
1188	Vape v4.exe
3120	Vape v4.exe

Loads dropped DLL 64 IoCs

Processes:

Vape v4.exeVape v4.exe

pid	process
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
3120	Vape v4.exe
3120	Vape v4.exe
3120	Vape v4.exe
3120	Vape v4.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI59522\python310.dll	upx
behavioral1/memory/5408-463-0x00007FF9EB2C0000-0x00007FF9EB72E000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI59522\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI59522\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI59522\pywin32_system32\pywintypes310.dll	upx
behavioral1/memory/5408-498-0x00007FF9EB0F0000-0x00007FF9EB1AC000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI59522\libcrypto-1_1.dll	upx
behavioral1/memory/5408-514-0x00007FF9EAC20000-0x00007FF9EAF95000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI59522\_queue.pyd	upx
behavioral1/memory/5408-519-0x00007FF9EABF0000-0x00007FF9EABFD000-memory.dmp	upx
behavioral1/memory/5408-520-0x00007FF9EABE0000-0x00007FF9EABEB000-memory.dmp	upx
behavioral1/memory/5408-521-0x00007FF9EAA90000-0x00007FF9EABA8000-memory.dmp	upx
behavioral1/memory/5408-522-0x00007FF9EA8F0000-0x00007FF9EAA61000-memory.dmp	upx
behavioral1/memory/5408-524-0x00007FF9EB060000-0x00007FF9EB08E000-memory.dmp	upx
behavioral1/memory/5408-525-0x00007FF9EAFA0000-0x00007FF9EB058000-memory.dmp	upx
behavioral1/memory/5408-527-0x00007FF9EABB0000-0x00007FF9EABD5000-memory.dmp	upx
behavioral1/memory/5408-529-0x00007FF9EA8D0000-0x00007FF9EA8DB000-memory.dmp	upx
behavioral1/memory/5408-533-0x00007FF9EA890000-0x00007FF9EA89B000-memory.dmp	upx
behavioral1/memory/5408-535-0x00007FF9EA870000-0x00007FF9EA87D000-memory.dmp	upx
behavioral1/memory/5408-538-0x00007FF9EA820000-0x00007FF9EA82B000-memory.dmp	upx
behavioral1/memory/5408-539-0x00007FF9EA810000-0x00007FF9EA81C000-memory.dmp	upx
behavioral1/memory/5408-542-0x00007FF9EA800000-0x00007FF9EA80C000-memory.dmp	upx
behavioral1/memory/5408-546-0x00007FF9EA770000-0x00007FF9EA784000-memory.dmp	upx
behavioral1/memory/5408-548-0x00007FF9EA6D0000-0x00007FF9EA70F000-memory.dmp	upx
behavioral1/memory/5408-549-0x00007FF9EA6A0000-0x00007FF9EA6B6000-memory.dmp	upx
behavioral1/memory/5408-550-0x00007FF9EA8E0000-0x00007FF9EA8EB000-memory.dmp	upx
behavioral1/memory/5408-552-0x00007FF9EA830000-0x00007FF9EA83B000-memory.dmp	upx
behavioral1/memory/5408-553-0x00007FF9EA7A0000-0x00007FF9EA7B5000-memory.dmp	upx
behavioral1/memory/5408-554-0x00007FF9EA790000-0x00007FF9EA7A0000-memory.dmp	upx
behavioral1/memory/5408-555-0x00007FF9EA750000-0x00007FF9EA76B000-memory.dmp	upx
behavioral1/memory/5408-556-0x00007FF9EA730000-0x00007FF9EA743000-memory.dmp	upx
behavioral1/memory/5408-557-0x00007FF9EA6C0000-0x00007FF9EA6CE000-memory.dmp	upx
behavioral1/memory/5408-558-0x00007FF9EA670000-0x00007FF9EA699000-memory.dmp	upx
behavioral1/memory/5408-559-0x00007FF9EA3D0000-0x00007FF9EA620000-memory.dmp	upx
behavioral1/memory/5408-551-0x00007FF9EA840000-0x00007FF9EA84C000-memory.dmp	upx
behavioral1/memory/5408-547-0x00007FF9EA710000-0x00007FF9EA725000-memory.dmp	upx
behavioral1/memory/5408-545-0x00007FF9EA7C0000-0x00007FF9EA7CC000-memory.dmp	upx
behavioral1/memory/5408-544-0x00007FF9EA7D0000-0x00007FF9EA7E2000-memory.dmp	upx
behavioral1/memory/5408-543-0x00007FF9EA7F0000-0x00007FF9EA7FD000-memory.dmp	upx
behavioral1/memory/5408-537-0x00007FF9EA850000-0x00007FF9EA85C000-memory.dmp	upx
behavioral1/memory/5408-536-0x00007FF9EA860000-0x00007FF9EA86E000-memory.dmp	upx
behavioral1/memory/5408-534-0x00007FF9EA880000-0x00007FF9EA88C000-memory.dmp	upx
behavioral1/memory/5408-532-0x00007FF9EA8A0000-0x00007FF9EA8AC000-memory.dmp	upx
behavioral1/memory/5408-531-0x00007FF9EA8B0000-0x00007FF9EA8BB000-memory.dmp	upx
behavioral1/memory/5408-530-0x00007FF9EA8C0000-0x00007FF9EA8CC000-memory.dmp	upx
behavioral1/memory/5408-528-0x00007FF9EAA70000-0x00007FF9EAA8F000-memory.dmp	upx
behavioral1/memory/5408-526-0x00007FF9EAC00000-0x00007FF9EAC14000-memory.dmp	upx
behavioral1/memory/5408-523-0x00007FF9EB090000-0x00007FF9EB0AC000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI59522\_hashlib.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI59522\libssl-1_1.dll	upx
behavioral1/memory/5408-510-0x00007FF9EB0B0000-0x00007FF9EB0BA000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI59522\_ssl.pyd	upx
behavioral1/memory/5408-505-0x00007FF9EB0C0000-0x00007FF9EB0EB000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI59522\psutil\_psutil_windows.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI59522\_uuid.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI59522\win32api.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI59522\pywin32_system32\pythoncom310.dll	upx
behavioral1/memory/5408-494-0x00007FF9EB1C0000-0x00007FF9EB1EE000-memory.dmp	upx
behavioral1/memory/5408-493-0x000002883AC00000-0x000002883AC0D000-memory.dmp	upx
behavioral1/memory/5408-492-0x000002883ABD0000-0x000002883ABE9000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI59522\select.pyd	upx
behavioral1/memory/5408-480-0x00007FFA000F0000-0x00007FFA000FF000-memory.dmp	upx
behavioral1/memory/5408-479-0x000002883A790000-0x000002883A7BD000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI59522\_lzma.pyd	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\empyrean = "C:\\Users\\Admin\\AppData\\Roaming\\empyrean\\run.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\empyrean = "C:\\Users\\Admin\\AppData\\Roaming\\empyrean\\run.bat"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

Processes:

flow	ioc
457	discord.com
469	raw.githubusercontent.com
512	discord.com
278	discord.com
279	discord.com
282	raw.githubusercontent.com
283	raw.githubusercontent.com
327	discord.com

Looks up external IP address via web service 10 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
308	api.ipify.org
316	api.ipify.org
488	api.ipify.org
274	api.ipify.org
310	ip-api.com
313	api.ipify.org
451	api.ipify.org
493	api.ipify.org
497	api.ipify.org
273	api.ipify.org

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Vape v4.exe	pyinstaller

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "168"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry
T1112

Processes:

reg.exereg.exereg.exereg.exe

pid process

4836 reg.exe
1200 reg.exe
2880 reg.exe
3700 reg.exe
NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 600198.crdownload:SmartScreen msedge.exe
Opens file in notepad (likely ransom note) 2 IoCs
ransomware

Processes:

NOTEPAD.EXENOTEPAD.EXE

pid process

3724 NOTEPAD.EXE
1984 NOTEPAD.EXE

pid	process
4836	reg.exe
1200	reg.exe
2880	reg.exe
3700	reg.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 600198.crdownload:SmartScreen	msedge.exe

pid	process
3724	NOTEPAD.EXE
1984	NOTEPAD.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exeVape v4.exeVape v4.exemsedge.exe

pid	process
2936	msedge.exe
2936	msedge.exe
3728	msedge.exe
3728	msedge.exe
4764	identity_helper.exe
4764	identity_helper.exe
5748	msedge.exe
5748	msedge.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
5408	Vape v4.exe
3120	Vape v4.exe
3120	Vape v4.exe
3120	Vape v4.exe
3120	Vape v4.exe
3120	Vape v4.exe
3120	Vape v4.exe
3120	Vape v4.exe
3120	Vape v4.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe
4052	msedge.exe

Suspicious behavior: LoadsDriver 64 IoCs

Processes:

pid	process
5764
2768
1288
2004
4296
3712
516
5928
4052
3120
264
4060
5048
3272
3496
5140
5080
2888
3724
1156
628
6108
216
5820
5224
5152
6100
5684
5960
4880
3372
5792
1188
2464
888
4304
3228
4764
844
6072
3368
2712
1816
4772
1344
400
1448
3816
3872
6088
5272
4356
3352
1432
3784
2936
3664
4260
4492
2680
3972
396
3584
4784

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

Processes:

msedge.exe

pid process

3728 msedge.exe
3728 msedge.exe
3728 msedge.exe
3728 msedge.exe
3728 msedge.exe
3728 msedge.exe
3728 msedge.exe
3728 msedge.exe
3728 msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AUDIODG.EXEVape v4.exeWMIC.exeWMIC.exe

description	pid	process
Token: 33	4780	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4780	AUDIODG.EXE
Token: SeDebugPrivilege	5408	Vape v4.exe
Token: SeIncreaseQuotaPrivilege	4060	WMIC.exe
Token: SeSecurityPrivilege	4060	WMIC.exe
Token: SeTakeOwnershipPrivilege	4060	WMIC.exe
Token: SeLoadDriverPrivilege	4060	WMIC.exe
Token: SeSystemProfilePrivilege	4060	WMIC.exe
Token: SeSystemtimePrivilege	4060	WMIC.exe
Token: SeProfSingleProcessPrivilege	4060	WMIC.exe
Token: SeIncBasePriorityPrivilege	4060	WMIC.exe
Token: SeCreatePagefilePrivilege	4060	WMIC.exe
Token: SeBackupPrivilege	4060	WMIC.exe
Token: SeRestorePrivilege	4060	WMIC.exe
Token: SeShutdownPrivilege	4060	WMIC.exe
Token: SeDebugPrivilege	4060	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4060	WMIC.exe
Token: SeRemoteShutdownPrivilege	4060	WMIC.exe
Token: SeUndockPrivilege	4060	WMIC.exe
Token: SeManageVolumePrivilege	4060	WMIC.exe
Token: 33	4060	WMIC.exe
Token: 34	4060	WMIC.exe
Token: 35	4060	WMIC.exe
Token: 36	4060	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4060	WMIC.exe
Token: SeSecurityPrivilege	4060	WMIC.exe
Token: SeTakeOwnershipPrivilege	4060	WMIC.exe
Token: SeLoadDriverPrivilege	4060	WMIC.exe
Token: SeSystemProfilePrivilege	4060	WMIC.exe
Token: SeSystemtimePrivilege	4060	WMIC.exe
Token: SeProfSingleProcessPrivilege	4060	WMIC.exe
Token: SeIncBasePriorityPrivilege	4060	WMIC.exe
Token: SeCreatePagefilePrivilege	4060	WMIC.exe
Token: SeBackupPrivilege	4060	WMIC.exe
Token: SeRestorePrivilege	4060	WMIC.exe
Token: SeShutdownPrivilege	4060	WMIC.exe
Token: SeDebugPrivilege	4060	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4060	WMIC.exe
Token: SeRemoteShutdownPrivilege	4060	WMIC.exe
Token: SeUndockPrivilege	4060	WMIC.exe
Token: SeManageVolumePrivilege	4060	WMIC.exe
Token: 33	4060	WMIC.exe
Token: 34	4060	WMIC.exe
Token: 35	4060	WMIC.exe
Token: 36	4060	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5812	WMIC.exe
Token: SeSecurityPrivilege	5812	WMIC.exe
Token: SeTakeOwnershipPrivilege	5812	WMIC.exe
Token: SeLoadDriverPrivilege	5812	WMIC.exe
Token: SeSystemProfilePrivilege	5812	WMIC.exe
Token: SeSystemtimePrivilege	5812	WMIC.exe
Token: SeProfSingleProcessPrivilege	5812	WMIC.exe
Token: SeIncBasePriorityPrivilege	5812	WMIC.exe
Token: SeCreatePagefilePrivilege	5812	WMIC.exe
Token: SeBackupPrivilege	5812	WMIC.exe
Token: SeRestorePrivilege	5812	WMIC.exe
Token: SeShutdownPrivilege	5812	WMIC.exe
Token: SeDebugPrivilege	5812	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5812	WMIC.exe
Token: SeRemoteShutdownPrivilege	5812	WMIC.exe
Token: SeUndockPrivilege	5812	WMIC.exe
Token: SeManageVolumePrivilege	5812	WMIC.exe
Token: 33	5812	WMIC.exe
Token: 34	5812	WMIC.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

msedge.exe

pid	process
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe
3728	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

LogonUI.exe

pid process

5076 LogonUI.exe

pid	process
5076	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3728 wrote to memory of 3928	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 3928	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 1312	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 2936	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 2936	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 3472	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 3472	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 3472	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 3472	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 3472	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 3472	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 3472	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 3472	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 3472	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 3472	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 3472	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 3472	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 3472	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 3472	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 3472	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 3472	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 3472	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 3472	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 3472	3728	msedge.exe	msedge.exe
PID 3728 wrote to memory of 3472	3728	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://mega.nz/file/ILpgVCBQ#JYh6vWV8VLZENOQgSGBOjmCwCLT8BtVv93L0GthHx_w
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xe0,0xe4,0xd8,0xdc,0x108,0x7ffa000046f8,0x7ffa00004708,0x7ffa00004718
2⤵
PID:3928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,6200731691622273599,10469775948038669416,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
2⤵
PID:1312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,6200731691622273599,10469775948038669416,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,6200731691622273599,10469775948038669416,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
2⤵
PID:3472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6200731691622273599,10469775948038669416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
2⤵
PID:3012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6200731691622273599,10469775948038669416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
2⤵
PID:4776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6200731691622273599,10469775948038669416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4624 /prefetch:1
2⤵
PID:2752

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,6200731691622273599,10469775948038669416,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5672 /prefetch:8
2⤵
PID:1148

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,6200731691622273599,10469775948038669416,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5672 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6200731691622273599,10469775948038669416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
2⤵
PID:732

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6200731691622273599,10469775948038669416,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
2⤵
PID:2716

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6200731691622273599,10469775948038669416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
2⤵
PID:4932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6200731691622273599,10469775948038669416,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:1
2⤵
PID:2108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6200731691622273599,10469775948038669416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
2⤵
PID:5652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2100,6200731691622273599,10469775948038669416,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5112 /prefetch:8
2⤵
PID:6064

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,6200731691622273599,10469775948038669416,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5328 /prefetch:8
2⤵
PID:1636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,6200731691622273599,10469775948038669416,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5084 /prefetch:1
2⤵
PID:2972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,6200731691622273599,10469775948038669416,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6188 /prefetch:8
2⤵
PID:2628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,6200731691622273599,10469775948038669416,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6604 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5748

C:\Users\Admin\Downloads\Vape v4.exe
"C:\Users\Admin\Downloads\Vape v4.exe"
2⤵
- Executes dropped EXE
PID:5952

C:\Users\Admin\Downloads\Vape v4.exe
"C:\Users\Admin\Downloads\Vape v4.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
4⤵
PID:5816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
4⤵
PID:6012

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"
4⤵
PID:5352

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f
5⤵
- Modifies registry key
PID:4836

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f"
4⤵
PID:4740

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f
5⤵
- Adds Run key to start application
- Modifies registry key
PID:1200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
4⤵
PID:2504

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:5812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
4⤵
PID:6028

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
5⤵
PID:5808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
4⤵
PID:5968

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
5⤵
PID:2616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
4⤵
PID:5592

C:\Windows\system32\netsh.exe
netsh wlan show profiles
5⤵
PID:5260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
4⤵
PID:2524

C:\Windows\system32\netsh.exe
netsh wlan show profiles
5⤵
PID:5828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
4⤵
PID:5816

C:\Windows\system32\netsh.exe
netsh wlan show profiles
5⤵
PID:6040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,6200731691622273599,10469775948038669416,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3536 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1384

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x46c 0x248
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4780

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1244

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\vault\web_history.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:3724

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\vault\downloads.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1984

C:\Users\Admin\Downloads\Vape v4.exe
"C:\Users\Admin\Downloads\Vape v4.exe"
1⤵
- Executes dropped EXE
PID:1188

C:\Users\Admin\Downloads\Vape v4.exe
"C:\Users\Admin\Downloads\Vape v4.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:3120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
3⤵
PID:3616

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
3⤵
PID:5692

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
4⤵
PID:5744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"
3⤵
PID:4880

C:\Windows\system32\reg.exe
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f
4⤵
- Modifies registry key
PID:2880

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f"
3⤵
PID:3032

C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f
4⤵
- Adds Run key to start application
- Modifies registry key
PID:3700

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
3⤵
PID:2308

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
4⤵
PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
3⤵
PID:2240

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
4⤵
PID:4980

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
3⤵
PID:5924

C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
4⤵
PID:5688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
3⤵
PID:1532

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
3⤵
PID:5868

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:5284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
3⤵
PID:5848

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:2232

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38b4855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:5076

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
cff358b013d6f9f633bc1587f6f54ffa

SHA1
6cb7852e096be24695ff1bc213abde42d35bb376

SHA256
39205cdf989e3a86822b3f473c5fc223d7290b98c2a3fb7f75e366fc8e3ecbe9

SHA512
8831c223a1f0cf5f71fa851cdd82f4a9f03e5f267513e05b936756c116997f749ffa563623b4724de921d049de34a8f277cc539f58997cda4d178ea205be2259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
dc629a750e345390344524fe0ea7dcd7

SHA1
5f9f00a358caaef0321707c4f6f38d52bd7e0399

SHA256
38b634f3fedcf2a9dc3280aa76bd1ea93e192200b8a48904664fac5c9944636a

SHA512
2a941fe90b748d0326e011258fa9b494dc2f47ac047767455ed16a41d523f04370f818316503a5bad0ff5c5699e92a0aaf3952748b09287c5328354bfa6cc902

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001
Filesize
91KB

MD5
490895201897f3998bd1781ef94f2e6f

SHA1
c729e12956dd2e698f1b13b322f53479a735e280

SHA256
c87e8dfb669d99e59011b3e76a7aa30f1a4a41a2697e44b52bedc238b2487956

SHA512
4346d2ef6091183bfcf7d792c8decfc7c125e4df1de7962668b444e3a06b021e4f4d296700dbe48e49dfe7258eed8586310f7676a86def061098f293a542d1ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
Filesize
112KB

MD5
52bb8e99b446a189c2e986489d6601cf

SHA1
dc14ef03262606d3094d1552500955769e7366f8

SHA256
510ecfa5518bbb3dc2c8c1840a338148b9b4a36006e382498d36d875c45cd656

SHA512
7691017cd96f264910b7dce7206aec8da63b0eac57549dcbf22bb6d198dd5df6e1770b71615106722adc0e112cc84089c5e56afbb828454e386fa045269a3a74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003
Filesize
108KB

MD5
fce6a39cab6e5409a5d86d0209bdf0cf

SHA1
56788ab969d32bdac77f7d3b9ef1b69d7b432601

SHA256
a66140e7cc5eaa59470797e261f9d68c2227d3adfa8331008b24db62d010714b

SHA512
dcaa1e06f4cf843be276a16015bb42c99d50925a6e86b1bdddee33bfd310e61073b6dabdaa6e2b394bea3a795501c0b7e2d4763f253b9d648a54e05788d6a735

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004
Filesize
80KB

MD5
6daf8bec74b526ce2b5b9129516a5829

SHA1
555af83d1c363186babcb871e235259352bf4648

SHA256
f5e5170ebed93614dc52564d10d88017f107b0f0a70bf68d34636b1cd3f8f652

SHA512
00eff7f32e4dfaaf06aac138753e58cfd82771adb1096512f4e0a2d39f0bc26ecd0ea7e6db9e48966ec70acdacec64bacdd86e2284f294196858371725a62ab8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005
Filesize
113KB

MD5
5d797d7c1637f133a1bcf06677da2239

SHA1
1bb740bae3345d1c04a52a890d528e1e8925db8a

SHA256
c9faae92f029e7ac74778b01a3193080c0309a255e157b9b2990310259116211

SHA512
5031858d5cf1d2bee69f385e12c1d75951bea916ac36cdcb6adeb46ddd82383108f26171b6dd17adeb6395b91a35057adae35867932d5bfd7bc579dd30632b39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006
Filesize
97KB

MD5
089d5e818569f20b10f465557565ec2e

SHA1
e5c7ccd7d1a87448a6889048f0f9b2478feae66a

SHA256
7d0bebc1737dff0dcb95dac882ab7a4a5d3a88659d42bf1623e074b5de510a63

SHA512
61a988152e0a6a0e416dbf7dd232559e4994fc77a4f6417b5f3a07fdb7cd6109c31e52a07c47302bc0d057ef965e61176b0773658a2db5584c314182cb9c795a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007
Filesize
113KB

MD5
34faf75c08f171e2e0e2b398668aaa48

SHA1
cc4a6b48f3d194533cf7e41b6934ecc3e0503bb9

SHA256
e52abc17e793764479bda0c04d599bbada582e5f301a723943ec306c326da7b5

SHA512
0a865081bc06c973d92cfef5f5721103a069b11a416caa093bfe0a26c1173ba87c2f8785f887060fe783f0133872cd1cc34305bedff91bdf4321064e264b1d5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008
Filesize
111KB

MD5
348c304dfc47395dce9ae0c0ca3d7590

SHA1
94d2e9bdd9f56e6106f86538d9e0f29efc1f74e9

SHA256
b8f8b89a3d0f770964233c4069896f7e66fed1326eae4573c3701fefe1ce3294

SHA512
f5e637d91d8001a2cd9e8608f90256a32e5fb810252506abce16886f83656468212ce0abf03c3b762bfcf4529f5cdbdfa39176f0eab9c3ec236056b8b26b6b2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000009
Filesize
75KB

MD5
0db49cebf470da7a1f4b4bde296bb57d

SHA1
c8073c5bd75b36bab31f5824c8204c69330c3edc

SHA256
a5ca837d8bbcac81687254d409582043b49970e26883b94ca036c9aaeedb0c38

SHA512
c64a31f1c137dc58afadd93b755f383559d5aca8afbdca789d523ba8678878f36648fe003db7b1d0d49460e918bab76e0fee1abf044faebe23b29d4e1f825495

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a
Filesize
103KB

MD5
d6b51daf1ad99787e4372db814de6fe7

SHA1
7e1473e629b4ced9fcd045ead06ca672aea0dcae

SHA256
bb7cdb539e2e07f3cae2c9fd03a16a8422b6e14f945d03e51bcc7ca493439112

SHA512
5e623d03f75f3a9775e31f534309ce7ca3ad5aad165deac47add58a083da16d0b4ad01f72e989c9724bd986d57786cc03baa4b41c9e8dacbe4fd833f1c2dfcba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000b
Filesize
82KB

MD5
e295cae8eae4cbf801d6675912788aa9

SHA1
33f99cdc7db70b3299ac368800afbf65cf8f6ad3

SHA256
30939b9ac26212c4a98a37a3db0ef9b81c0d7ea6e06e18e969484ddcad85e405

SHA512
dec47d67e0b8c6e63ecc65721a02f2e25be5f3f8532f4fb78e3d5ccf2820044e90ee2ddd30c22fe832727f115b291704b61c06b7f163d6d10f56a5fc4205a554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c
Filesize
115KB

MD5
bbb2cd89b538266814579e885e9f5d4a

SHA1
c569ba715bd0173a049de73b8915735572df1afd

SHA256
87a1fe1b1ed2b1140d43469c5ab922551cea2f74a2ae4d1aede6b21d744db79c

SHA512
562afcaa0f4dd10c705ade4860176ac3f7d8323e47e51a51c6afd7c58c539d42ec24583e5f6aa466ecab0653f18bc2dd8b3a96fc516729773a6a6350131bfc76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000d
Filesize
27KB

MD5
2f478378714a2019d38afa95e2972e45

SHA1
f1d1385b3d3cf6cac52d4b54f417de368a8126c8

SHA256
1a034a787de6557de5179839f66a0cae83b2a8d3ac6668d775e6a1c11d81098b

SHA512
aef812c2f968b523fcc6f97a0238757035a2a8d529451fcb72f5fb9c93eff3819788e0b484f53f0fde16fafb40142a782b50f0ed6de6b93000236ce54b426a61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000e
Filesize
98KB

MD5
224ee385073c76381d2f809cab5e4f8f

SHA1
c6c6c6925b61fb83f116bd46694603bec0a5cf07

SHA256
53f657fab88f4cc82bf3008b207b2bff048108cb214c4efce538f064994341a0

SHA512
e50bad3beda3d5f7025d2cfacabfb4c297b559f0291240397abcf11674801d59f16755b268845cabcf6bb1142f4e3755727a8b9a9ec448ab860226f4ca6fa1eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000f
Filesize
68KB

MD5
8819ed0b85d9f6d8f4f933db50303a4a

SHA1
5ed6a165aae75600dd2a5f4b69f8b0746a6fe384

SHA256
e1c5ef1e902492e88ff447da7a7d753fc5d33c833e50260255d58f29e70cbf52

SHA512
d44ffac39ddfd145d8a0fe8ba9bd703d0a7734dde73aaddad200feb28da0fbfc32dfbcad8d549314000920a87217a4e1ee75199db039956a2937c1e244d1f337

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000010
Filesize
114KB

MD5
c88e0c59b4957c0fcc3d0ddfa8cd4140

SHA1
2f504116de6a8a09b3510c6f8198973da5fb1421

SHA256
091bfd58fdfa60298748c8fef5ab54992d4e463a7e7dbd27906520b75d2d2a8a

SHA512
f34caa74035d41c0d25a4a7e91ebfa8a1ccfcbaf6f4af41b968d5f7239f8fb692b311445726770d7c570a75a9bc5e459a6cdb01b8dca9077e44aedaaae96977f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011
Filesize
101KB

MD5
559e13d2e6c0e8a3d7f0cf25e91f627b

SHA1
771c93eeeb70569d33875e5433f81cd4e30dcb42

SHA256
4bb6116663f7b5ad378cccfec604ad1413657505da0ef5550baa5b6338bc1139

SHA512
0540aa78cbc9292e3370221675db7711a4c737817d08f5e8b06e4117a6cca9fe32fc51d2fc29c4683fb7cae31662b3dec02afcb194db0b3d5cfeaaae39e929c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012
Filesize
82KB

MD5
acefc267d1335a9f0fceaee15f556b72

SHA1
c24359fc2bf0599d12f45ff776aebecf96fbf60c

SHA256
bd2636e1d5ebb8609e9e6876fc60a5ce0b9e8cf00bd7ae629d78f72882952234

SHA512
f4b82614065da84de39fb16769ca0b56ceb11cb93f05ec86307653e300c56be452bad14c1cc5b1809192f26207f9b678095fc1336750f6fd38abb3870bb2ccf5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013
Filesize
83KB

MD5
65c53cfa275fffa2d33b97e937b3d0f9

SHA1
72dd6c6c13401719697e2627e117262b7a4fe9f2

SHA256
eb66dabffe4e369892a0732ce1f704bf2629b1c732ea40a84d09af9b8cd0c441

SHA512
39dfdaa777e5a63e5ba35f6e1dd0501a799c77452a4065acc9f648d7baa6669021f042cf78062eb933d794cf76ab88cece046ae655a6f3685f634197c62c42b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014
Filesize
39KB

MD5
2f23ea484fbc9e43579167712747ff56

SHA1
7f9916930ffcb15d3f37e9fee4160b3f5d638c75

SHA256
5a38a6d5860ad1e64ed1db779ff402fdd345b990a69e0f4b1894524b90fd61a9

SHA512
a6a681ee5e1e77e3eb96bfd4f2e8f7f1672280763628e22dde35e3c64b19d0e8bb8dac516864889ef62c265302722ddc96e9902ebcf5e5a1ffea9726561cc227

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015
Filesize
86KB

MD5
7b701fda94bc74b516c485a7b320d398

SHA1
e7de34d7410d1e2ac16578f7d101d36ae14eb62b

SHA256
7fe865d30ab81f86522001c052d331a5911ca626808f66a9f8aa0fa02602f058

SHA512
fe5dcf2dc8e7520b99ab211ff266837573ba1e12a24a4ff9b1b97b434d8fae30a4f8b6dcfaa4e8f3165e07baa7af85bc337e5a5c836f1d0cea05b6412e2b0236

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016
Filesize
96KB

MD5
2554ffb0776eedad78f40bbbc1f0c29c

SHA1
ccdeab9b48b7fe47396683fb5eca79fd44f258af

SHA256
28d45805ab9e38e7c2fb92683501d96cdac149dffa692d19352f2791acc93633

SHA512
1557a71901b539284da236fd6cfddc62aac3ab770ff20b8b7c41c70033db5e3ddfc4d7c701197d1445603ebb8ea18cb27692f5ca9a09d998cd6a41f13ae653a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017
Filesize
48KB

MD5
940dae054832643fffd567fbb62b853c

SHA1
b95a266aa6bec5ae28986f49c7d7ec5169bb09cd

SHA256
d0227d7352985765e274d522350943674e6cca58ba38463ecc40f541e2c53184

SHA512
30dff77f9b7f44b4ecf327c2710a8d248b4107a56774544cf821fd817684f6714eaec3d1b9d9fd672b4feb88cb4561e598686ab71ced041b4a5d5fe1cc720282

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
72B

MD5
b9fa511f77ade30a1e0b56073c9f22ed

SHA1
5d3f7403db96d3322913d7a420b318782f93c819

SHA256
d1f6c6ead695122ec5badde1f715322d1cb5a0f649e9e282f91467a0c78babcf

SHA512
8e712e5bd132dbda939ba58b55181b9be9551f2b157db6826e8638bdd6a6d62fede9fb4d65e5efc8b0e023b7c60ff659cf228fc027bf578067d9f5bb65aa423d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
72B

MD5
bb9065953ed5e7cea984f8c902d2cf13

SHA1
353ece068cb8fd46a5a83d085fec88e1a2389fed

SHA256
b828c631196fb767db60179e4d6595c59b55824ad93a538510f5bbe8f2cb637b

SHA512
5fcecf4a6a7310bcaf12d7f432c7ba4dcce7b457d094c082b931c0c0f0188008c0b800c1fea244719edd5e3bedd682fd00c8d104f5a318d5c274cb442477a86c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\MANIFEST-000001
Filesize
23B

MD5
3fd11ff447c1ee23538dc4d9724427a3

SHA1
1335e6f71cc4e3cf7025233523b4760f8893e9c9

SHA256
720a78803b84cbcc8eb204d5cf8ea6ee2f693be0ab2124ddf2b81455de02a3ed

SHA512
10a3bd3813014eb6f8c2993182e1fa382d745372f8921519e1d25f70d76f08640e84cb8d0b554ccd329a6b4e6de6872328650fefa91f98c3c0cfc204899ee824

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
258B

MD5
52f54408f73dff022cd0f55af561aa06

SHA1
74a916221e9e3e20e2822ebd0a0c9566c048cbc7

SHA256
557ae00786147ceae4ed8a20bd62bf9bb294a79934fef591c81207f571b2c9d2

SHA512
2cc332790ca397e93e84bd6eff33723ec72321dda5eccf9343e2d2ba9e1906b868383034499eb53fcd7e335718faaf3cf3f1d2b97e340135dc5195701de810e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
428c4ffb9d275e6dcb38bad225f89326

SHA1
0605b1f7102f59b5a95d14a2f0ae3aabeace0129

SHA256
4e6f830c2bf222e935e9f4ece03c3782c26026d8178c9ee8d3c3f0b4b56a5ddb

SHA512
f427bdfaa55c36cc22a95ae51640945f04e1ff295fa5cd569fd8e21e19791c7702b4ff3c96c9e1a3b5688724e82f9e44d2d2914f4ac0b9f7d2a0245f3dd8ceaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
2896598d5054381420294b61894f13c3

SHA1
c150472b97da4a760a1e0d64dfa0bec7ff3e7681

SHA256
ee40a581d8966e6ab53892da0669096046986e32d91172065c1df5d456b5161c

SHA512
9f072e3282a65be87fe46924c7e085284535390ab0c3b4a7ea9ca420915271224c8d5e47cf9b764e460d5188405bda1b4a2eabee09d7dcdd9eb4f8ae3adef117

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
3d4c2c05de3622e9830846e904f0a958

SHA1
0da84199b2b5987bbfaf453c2057fb21e3966ff5

SHA256
718ddc70ec81501322ce2781bf780f61c6de1c17963fc054fcefe4257f080479

SHA512
ee8161438547d9f70d28ad7ff32582d85f6dfb98c17bb47805e52bdcfd521db39585e175406905667b1568178e9e8a48e474302b0883f3609ff07ca95704a0df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
17d8f65ba3d37440a29a6914b2ee43d8

SHA1
1797b6e60fe53c4353477a20a47b9bb33c541960

SHA256
2ede9ee1907611268aa605bca5a11638cc0231f5243c623a9257e04370452d49

SHA512
db3c61e14ae50e603d8257bbad29d8adf4b7b7a9429144276bedb9476453f4b74c283c98e6ef20321b16232ee7641db51d61cd05389111844785368e60a550cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
4ef7b0647263fedea54f4904a2fb1f05

SHA1
64f20887ebd3d4b82d8c73f7117163d723c48498

SHA256
8b0f6a2449a5414e58d3d51855b7d3643748b9265b51d6379e062e88a4be4d96

SHA512
c0de418870b4be564a693ce544984d64636fc212c94a226d609dabfc4c97a551040588a473d8d42d3d4d5786e216f842188036cd6186b8274d8e495b3f22e0a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
5f5e335bc856cdead7e9b7357ef6690e

SHA1
b139e8ee9ead55fe3fd3a382f4ddc6662f73c0d6

SHA256
c6d4679a334f3d4bf29ede9c1e749169ea205511f60cbc22a88567476c4fe702

SHA512
aa26a27cb820afb4ddefd4e330f198663fa07895597245578ddfae20b554e8eefc2ff051c0a139565e6cad5902889715a794f2c7d32c2bf7be486ffe9ada8400

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe579f9b.TMP
Filesize
48B

MD5
c2218bfa1b4e18bc5f841c5b38e8dab0

SHA1
c19d45099680cd64b501c95c4a6da160ba39f084

SHA256
e16d1ddd0b797eb58ed968c1066ffe949477747b46a1f2c017637ce6865327af

SHA512
ed899a7f4580568cb11412d82c2b01852e1e59d7226510c9e1f7f121651b1ccbe38a29eaf7708b7f3898d829b87868b17c079e483235c45376348ddea1acf48d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
201B

MD5
372715113661946bf2cb80bcdf3f26ea

SHA1
4f98a23341bda99d90b344e76933751a46eaf5c8

SHA256
104347b3a762a4091cde8478632b12f3350b25b73d1bbc0c07b39aaffccc6a7a

SHA512
af0e7b970ae66ffaea7e269975586d986f722f6aa1e79186d91ac1320ad3ba0971a9b43c0ea256b9127005765de59d937ccbb5c4e925f13e4efedcbf4cc409eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581f3b.TMP
Filesize
201B

MD5
b7cf6d4d9d0d8c7e75f7ceaebab9c726

SHA1
8ff714c162c20b4eab005f37a8b0e02823b55558

SHA256
87a58af446234e989830710b8b174e32640793284ebc0d648b18ab87edd2b182

SHA512
686a5082c9044e5a656174e4eb0c103fd0aad1798d90b46f78a2ba41bcbb6ffa42bd47a7cac951433a7b78678389bf2db02581a2f345144b919c46a401438929

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
e4c777edc8829871a90193c66531b1a8

SHA1
f1f629abb02cf64fb6576ebc87b0a724b7dd30cc

SHA256
a9799f55403050c18e468ddd58f14a4abd32891f9b3a360def6497163f08a9fc

SHA512
d767b2e4a40f5d887598bb994cbeffd0a5d81a14a992362955b55150f58d105588753a237564f17667f410d45a42227e0fd2fc450b40eea72d352cd269c50321

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
89bc981ba93d3b2fd328f8d7723e3767

SHA1
5bc91970f08d4a49da763d80b6bc13f0512b29b1

SHA256
486d2a97647bd49107f237d658342189f1571011fabf0180f80d1be32a26c869

SHA512
b5d4bb68705b23cc9df292f422069e19b3d5314a5cc915b1b91d492b86d5a56c586e294ad67583138c2c60e868d675dd7554b1d8a4400027e8af79d548018cc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
12KB

MD5
a075893f785993a96422eb60b9b84379

SHA1
47651b3d87f76234ab7528c36b482e9307e1c831

SHA256
91249cf8ec7166a94af879cf6d6a58729c9c9c78250f324d813f10b5259a5656

SHA512
246a0dea6e2a5e0b46dfa924a60ba82a82dc239197a4327c8ca2918884137e63d910f1ae1bc12a590c873b0b7dc2b2458dcec7687116ab2fa0934dab1f319031

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59522\VCRUNTIME140.dll
Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59522\VCRUNTIME140_1.dll
Filesize
48KB

MD5
bba9680bc310d8d25e97b12463196c92

SHA1
9a480c0cf9d377a4caedd4ea60e90fa79001f03a

SHA256
e0b66601cc28ecb171c3d4b7ac690c667f47da6b6183bff80604c84c00d265ab

SHA512
1575c786ac3324b17057255488da5f0bc13ad943ac9383656baf98db64d4ec6e453230de4cd26b535ce7e8b7d41a9f2d3f569a0eff5a84aeb1c2f9d6e3429739

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59522\_bz2.pyd
Filesize
47KB

MD5
758fff1d194a7ac7a1e3d98bcf143a44

SHA1
de1c61a8e1fb90666340f8b0a34e4d8bfc56da07

SHA256
f5e913a9f2adf7d599ea9bb105e144ba11699bbcb1514e73edcf7e062354e708

SHA512
468d7c52f14812d5bde1e505c95cb630e22d71282bda05bf66324f31560bfa06095cf60fc0d34877f8b361ccd65a1b61d0fd1f91d52facb0baf8e74f3fed31cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59522\_ctypes.pyd
Filesize
56KB

MD5
6ca9a99c75a0b7b6a22681aa8e5ad77b

SHA1
dd1118b7d77be6bb33b81da65f6b5dc153a4b1e8

SHA256
d39390552c55d8fd4940864905cd4437bc3f8efe7ff3ca220543b2c0efab04f8

SHA512
b0b5f2979747d2f6796d415dd300848f32b4e79ede59827ac447af0f4ea8709b60d6935d09e579299b3bc54b6c0f10972f17f6c0d1759c5388ad5b14689a23fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59522\_hashlib.pyd
Filesize
33KB

MD5
0d723bc34592d5bb2b32cf259858d80e

SHA1
eacfabd037ba5890885656f2485c2d7226a19d17

SHA256
f2b927aaa856d23f628b01380d5a19bfe9233db39c9078c0e0585d376948c13f

SHA512
3e79455554d527d380adca39ac10dbf3914ca4980d8ee009b7daf30aeb4e9359d9d890403da9cc2b69327c695c57374c390fa780a8fd6148bbea3136138ead33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59522\_lzma.pyd
Filesize
84KB

MD5
abceeceaeff3798b5b0de412af610f58

SHA1
c3c94c120b5bed8bccf8104d933e96ac6e42ca90

SHA256
216aa4bb6f62dd250fd6d2dcde14709aa82e320b946a21edeec7344ed6c2c62e

SHA512
3e1a2eb86605aa851a0c5153f7be399f6259ecaad86dbcbf12eeae5f985dc2ea2ab25683285e02b787a5b75f7df70b4182ae8f1567946f99ad2ec7b27d4c7955

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59522\_queue.pyd
Filesize
24KB

MD5
0d267bb65918b55839a9400b0fb11aa2

SHA1
54e66a14bea8ae551ab6f8f48d81560b2add1afc

SHA256
13ee41980b7d0fb9ce07f8e41ee6a309e69a30bbf5b801942f41cbc357d59e9c

SHA512
c2375f46a98e44f54e2dd0a5cc5f016098500090bb78de520dc5e05aef8e6f11405d8f6964850a03060caed3628d0a6303091cba1f28a0aa9b3b814217d71e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59522\_socket.pyd
Filesize
41KB

MD5
afd296823375e106c4b1ac8b39927f8b

SHA1
b05d811e5a5921d5b5cc90b9e4763fd63783587b

SHA256
e423a7c2ce5825dfdd41cfc99c049ff92abfb2aa394c85d0a9a11de7f8673007

SHA512
95e98a24be9e603b2870b787349e2aa7734014ac088c691063e4078e11a04898c9c547d6998224b1b171fc4802039c3078a28c7e81d59f6497f2f9230d8c9369

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59522\_ssl.pyd
Filesize
60KB

MD5
1e643c629f993a63045b0ff70d6cf7c6

SHA1
9af2d22226e57dc16c199cad002e3beb6a0a0058

SHA256
4a50b4b77bf9e5d6f62c7850589b80b4caa775c81856b0d84cb1a73d397eb38a

SHA512
9d8cd6e9c03880cc015e87059db28ff588881679f8e3f5a26a90f13e2c34a5bd03fb7329d9a4e33c4a01209c85a36fc999e77d9ece42cebdb738c2f1fd6775af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59522\_uuid.pyd
Filesize
21KB

MD5
81dfa68ca3cb20ced73316dbc78423f6

SHA1
8841cf22938aa6ee373ff770716bb9c6d9bc3e26

SHA256
d0cb6dd98a2c9d4134c6ec74e521bad734bc722d6a3b4722428bf79e7b66f190

SHA512
e24288ae627488251682cd47c1884f2dc5f4cd834d7959b9881e5739c42d91fd0a30e75f0de77f5b5a0d63d9baebcafa56851e7e40812df367fd433421c0ccdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59522\base_library.zip
Filesize
1.0MB

MD5
58859625f9dd5659b4d2509ff85c07eb

SHA1
fbf2f04c85ff25ec1acb52a39d9bded155192581

SHA256
9bdf63df02baa3bc9e864f3a02f0d7a5dd13e42f780318f369f1329484f2b419

SHA512
33442cb2695b31ae2766dfd2ad4fef9df365626d3f89b7efe6965fd2caf572b26a7702aad15a8b61bd3972d278e497b83a4ae835b5e46e2c1e18b5388bf91fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59522\libcrypto-1_1.dll
Filesize
1.1MB

MD5
da5fe6e5cfc41381025994f261df7148

SHA1
13998e241464952d2d34eb6e8ecfcd2eb1f19a64

SHA256
de045c36ae437a5b40fc90a8a7cc037facd5b7e307cfcf9a9087c5f1a6a2cf18

SHA512
a0d7ebf83204065236439d495eb3c97be093c41daac2e6cfbbb1aa8ffeac049402a3dea7139b1770d2e1a45e08623a56a94d64c8f0c5be74c5bae039a2bc6ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59522\libffi-7.dll
Filesize
23KB

MD5
b5150b41ca910f212a1dd236832eb472

SHA1
a17809732c562524b185953ffe60dfa91ba3ce7d

SHA256
1a106569ac0ad3152f3816ff361aa227371d0d85425b357632776ac48d92ea8a

SHA512
9e82b0caa3d72bb4a7ad7d66ebfb10edb778749e89280bca67c766e72dc794e99aab2bc2980d64282a384699929ce6cc996462a73584898d2df67a57bff2a9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59522\libssl-1_1.dll
Filesize
203KB

MD5
48d792202922fffe8ea12798f03d94de

SHA1
f8818be47becb8ccf2907399f62019c3be0efeb5

SHA256
8221a76831a103b2b2ae01c3702d0bba4f82f2afd4390a3727056e60b28650cc

SHA512
69f3a8b556dd517ae89084623f499ef89bd0f97031e3006677ceed330ed13fcc56bf3cde5c9ed0fc6c440487d13899ffda775e6a967966294cadfd70069b2833

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59522\psutil\_psutil_windows.pyd
Filesize
34KB

MD5
04d71bdd54b4c79cfaf21c1aa0a80132

SHA1
12bec0411eee3dbed5146696ca17857a4d49cf0d

SHA256
ea7faaa075c0ca0747be4fef7d19bda21b05f6d176d1cbad2611f481f49efe23

SHA512
c7712b271681327fc1a20c8ae3d06fed940c0ac37fe24c60e2424f9e9e152227998e0c229e7409c0d0a7538c9aa12699665fbdf0ed50d42c6577cd4fb3efd6d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59522\python3.dll
Filesize
63KB

MD5
c17b7a4b853827f538576f4c3521c653

SHA1
6115047d02fbbad4ff32afb4ebd439f5d529485a

SHA256
d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68

SHA512
8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59522\python310.dll
Filesize
1.4MB

MD5
69d4f13fbaeee9b551c2d9a4a94d4458

SHA1
69540d8dfc0ee299a7ff6585018c7db0662aa629

SHA256
801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046

SHA512
8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59522\pywin32_system32\pythoncom310.dll
Filesize
193KB

MD5
9051abae01a41ea13febdea7d93470c0

SHA1
b06bd4cd4fd453eb827a108e137320d5dc3a002f

SHA256
f12c8141d4795719035c89ff459823ed6174564136020739c106f08a6257b399

SHA512
58d8277ec4101ad468dd8c4b4a9353ab684ecc391e5f9db37de44d5c3316c17d4c7a5ffd547ce9b9a08c56e3dd6d3c87428eae12144dfb72fc448b0f2cfc47da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59522\pywin32_system32\pywintypes310.dll
Filesize
62KB

MD5
6f2aa8fa02f59671f99083f9cef12cda

SHA1
9fd0716bcde6ac01cd916be28aa4297c5d4791cd

SHA256
1a15d98d4f9622fa81b60876a5f359707a88fbbbae3ae4e0c799192c378ef8c6

SHA512
f5d5112e63307068cdb1d0670fe24b65a9f4942a39416f537bdbc17dedfd99963861bf0f4e94299cdce874816f27b3d86c4bebb889c3162c666d5ee92229c211

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59522\select.pyd
Filesize
24KB

MD5
72009cde5945de0673a11efb521c8ccd

SHA1
bddb47ac13c6302a871a53ba303001837939f837

SHA256
5aaa15868421a46461156e7817a69eeeb10b29c1e826a9155b5f8854facf3dca

SHA512
d00a42700c9201f23a44fd9407fea7ea9df1014c976133f33ff711150727bf160941373d53f3a973f7dd6ca7b5502e178c2b88ea1815ca8bce1a239ed5d8256d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI59522\win32api.pyd
Filesize
48KB

MD5
561f419a2b44158646ee13cd9af44c60

SHA1
93212788de48e0a91e603d74f071a7c8f42fe39b

SHA256
631465da2a1dad0cb11cd86b14b4a0e4c7708d5b1e8d6f40ae9e794520c3aaf7

SHA512
d76ab089f6dc1beffd5247e81d267f826706e60604a157676e6cbc3b3447f5bcee66a84bf35c21696c020362fadd814c3e0945942cdc5e0dfe44c0bca169945c

Download Submit
C:\Users\Admin\Downloads\Vape v4.exe
Filesize
13.9MB

MD5
5a300b66a5a4e10f8cb1737dff87150c

SHA1
ea74f8de38b6d4a5a5edfb15ac27e8b3f7885738

SHA256
b2f354c0290b0ca165e85367b00e6cf9642d6a8c83e425c2681119537640f094

SHA512
d3a4b6d79873dc4fd05acd5f03079da888dbdb440c4ae9f99249c1739fbd85ae58927a0c70979e9b539d1e23d0084215fc2b846623698249791b81c2fec2e778

Download Submit
C:\Users\Admin\Downloads\cards_db
Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\Downloads\cards_db
Filesize
100KB

MD5
834e0fd6fe45252795b31467cf2a4255

SHA1
f7ba8a9d4195be3e3ff13231dc0d99b76c5a7380

SHA256
59e6025ad3ab5b49a79f76dee59277735c31f9cca32bec5d57f85cde9b876b23

SHA512
1db02bebc1d50e29503a1f394ae260f238e2c4d12ed4e9579dbe03d707db7a023e21259be91ba07faee021f02e746035316a2a8722698fa48de844aa456d8546

Download Submit
C:\Users\Admin\Downloads\cookie_db
Filesize
20KB

MD5
42c395b8db48b6ce3d34c301d1eba9d5

SHA1
b7cfa3de344814bec105391663c0df4a74310996

SHA256
5644546ecefc6786c7be5b1a89e935e640963ccd34b130f21baab9370cb9055d

SHA512
7b9214db96e9bec8745b4161a41c4c0520cdda9950f0cd3f12c7744227a25d639d07c0dd68b552cf1e032181c2e4f8297747f27bad6c7447b0f415a86bd82845

Download Submit
C:\Users\Admin\Downloads\downloads_db
Filesize
152KB

MD5
73bd1e15afb04648c24593e8ba13e983

SHA1
4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91

SHA256
aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b

SHA512
6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

Download Submit
C:\Users\Admin\Downloads\downloads_db
Filesize
124KB

MD5
43a56984e9c8eca2a3bebe29e923025c

SHA1
fa8117eb9b7224260ab28cf96859fe151282f9af

SHA256
3f44e7c53b891f72ff5aa48726c8e78200c5209c2ee21c666d637d929d5bf00b

SHA512
7d3a8f4cbff619e4f56e420696b1fc50d520b556a692a0dcc970153080ac29bec5de4b8d29ce79a4a210a70e65a3962112ffb062f1bb5f612acff3e6a924fe17

Download Submit
C:\Users\Admin\Downloads\login_db
Filesize
46KB

MD5
8f5942354d3809f865f9767eddf51314

SHA1
20be11c0d42fc0cef53931ea9152b55082d1a11e

SHA256
776ecf8411b1b0167bea724409ac9d3f8479973df223ecc6e60e3302b3b2b8ea

SHA512
fde8dfae8a862cf106b0cb55e02d73e4e4c0527c744c20886681245c8160287f722612a6de9d0046ed1156b1771229c8950b9ac036b39c988d75aa20b7bac218

Download Submit
C:\Users\Admin\Downloads\login_db
Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\Downloads\vault\downloads.txt
Filesize
110B

MD5
57e3e2f43a4dbc48a73f27e34183361a

SHA1
39341bf963696a721d42f720081c185f1d58eb1b

SHA256
78189ce4cadaf90d7e6f0647902e482d2166be380f487ec9b3ca9f799c2c6983

SHA512
00443b48ae6e6ffacd253764b19a2842856b635f10ef0d77bcc7912227d17df721210f023ac099d30e03d503f845e4d7be9b585bb7ffdfe9750929b649a70f40

Download Submit
C:\Users\Admin\Downloads\vault\web_history.txt
Filesize
446B

MD5
fd41a6905d15d15a299eded43fe77f80

SHA1
54d16dd7de2f3739769abcfcfd84f90fa1391f24

SHA256
50fb7ca7210eed867fa666f622c46027b8337386e9c968ab1ded951d5e94a2aa

SHA512
fbfd2c0ca42786ccf2ca6735278fba30528717e6f37807b49e80ff0c826ba8943b3053ae1f027808ee06604f51dbf76e47000d434b670c5a88107ff37ca66707

Download Submit
\??\pipe\LOCAL\crashpad_3728_WUUYCZHPYRSWOFSH
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5408-543-0x00007FF9EA7F0000-0x00007FF9EA7FD000-memory.dmp

Filesize
52KB

Download
memory/5408-525-0x00007FF9EAFA0000-0x00007FF9EB058000-memory.dmp

Filesize
736KB

Download
memory/5408-551-0x00007FF9EA840000-0x00007FF9EA84C000-memory.dmp

Filesize
48KB

Download
memory/5408-547-0x00007FF9EA710000-0x00007FF9EA725000-memory.dmp

Filesize
84KB

Download
memory/5408-545-0x00007FF9EA7C0000-0x00007FF9EA7CC000-memory.dmp

Filesize
48KB

Download
memory/5408-544-0x00007FF9EA7D0000-0x00007FF9EA7E2000-memory.dmp

Filesize
72KB

Download
memory/5408-558-0x00007FF9EA670000-0x00007FF9EA699000-memory.dmp

Filesize
164KB

Download
memory/5408-537-0x00007FF9EA850000-0x00007FF9EA85C000-memory.dmp

Filesize
48KB

Download
memory/5408-536-0x00007FF9EA860000-0x00007FF9EA86E000-memory.dmp

Filesize
56KB

Download
memory/5408-534-0x00007FF9EA880000-0x00007FF9EA88C000-memory.dmp

Filesize
48KB

Download
memory/5408-532-0x00007FF9EA8A0000-0x00007FF9EA8AC000-memory.dmp

Filesize
48KB

Download
memory/5408-531-0x00007FF9EA8B0000-0x00007FF9EA8BB000-memory.dmp

Filesize
44KB

Download
memory/5408-530-0x00007FF9EA8C0000-0x00007FF9EA8CC000-memory.dmp

Filesize
48KB

Download
memory/5408-528-0x00007FF9EAA70000-0x00007FF9EAA8F000-memory.dmp

Filesize
124KB

Download
memory/5408-526-0x00007FF9EAC00000-0x00007FF9EAC14000-memory.dmp

Filesize
80KB

Download
memory/5408-523-0x00007FF9EB090000-0x00007FF9EB0AC000-memory.dmp

Filesize
112KB

Download
memory/5408-557-0x00007FF9EA6C0000-0x00007FF9EA6CE000-memory.dmp

Filesize
56KB

Download
memory/5408-515-0x000002883AF10000-0x000002883B285000-memory.dmp

Filesize
3.5MB

Download
memory/5408-556-0x00007FF9EA730000-0x00007FF9EA743000-memory.dmp

Filesize
76KB

Download
memory/5408-510-0x00007FF9EB0B0000-0x00007FF9EB0BA000-memory.dmp

Filesize
40KB

Download
memory/5408-555-0x00007FF9EA750000-0x00007FF9EA76B000-memory.dmp

Filesize
108KB

Download
memory/5408-505-0x00007FF9EB0C0000-0x00007FF9EB0EB000-memory.dmp

Filesize
172KB

Download
memory/5408-554-0x00007FF9EA790000-0x00007FF9EA7A0000-memory.dmp

Filesize
64KB

Download
memory/5408-553-0x00007FF9EA7A0000-0x00007FF9EA7B5000-memory.dmp

Filesize
84KB

Download
memory/5408-552-0x00007FF9EA830000-0x00007FF9EA83B000-memory.dmp

Filesize
44KB

Download
memory/5408-550-0x00007FF9EA8E0000-0x00007FF9EA8EB000-memory.dmp

Filesize
44KB

Download
memory/5408-549-0x00007FF9EA6A0000-0x00007FF9EA6B6000-memory.dmp

Filesize
88KB

Download
memory/5408-494-0x00007FF9EB1C0000-0x00007FF9EB1EE000-memory.dmp

Filesize
184KB

Download
memory/5408-493-0x000002883AC00000-0x000002883AC0D000-memory.dmp

Filesize
52KB

Download
memory/5408-492-0x000002883ABD0000-0x000002883ABE9000-memory.dmp

Filesize
100KB

Download
memory/5408-548-0x00007FF9EA6D0000-0x00007FF9EA70F000-memory.dmp

Filesize
252KB

Download
memory/5408-480-0x00007FFA000F0000-0x00007FFA000FF000-memory.dmp

Filesize
60KB

Download
memory/5408-479-0x000002883A790000-0x000002883A7BD000-memory.dmp

Filesize
180KB

Download
memory/5408-546-0x00007FF9EA770000-0x00007FF9EA784000-memory.dmp

Filesize
80KB

Download
memory/5408-476-0x00007FF9EB250000-0x00007FF9EB269000-memory.dmp

Filesize
100KB

Download
memory/5408-472-0x00007FF9EB270000-0x00007FF9EB294000-memory.dmp

Filesize
144KB

Download
memory/5408-542-0x00007FF9EA800000-0x00007FF9EA80C000-memory.dmp

Filesize
48KB

Download
memory/5408-539-0x00007FF9EA810000-0x00007FF9EA81C000-memory.dmp

Filesize
48KB

Download
memory/5408-538-0x00007FF9EA820000-0x00007FF9EA82B000-memory.dmp

Filesize
44KB

Download
memory/5408-535-0x00007FF9EA870000-0x00007FF9EA87D000-memory.dmp

Filesize
52KB

Download
memory/5408-533-0x00007FF9EA890000-0x00007FF9EA89B000-memory.dmp

Filesize
44KB

Download
memory/5408-529-0x00007FF9EA8D0000-0x00007FF9EA8DB000-memory.dmp

Filesize
44KB

Download
memory/5408-527-0x00007FF9EABB0000-0x00007FF9EABD5000-memory.dmp

Filesize
148KB

Download
memory/5408-559-0x00007FF9EA3D0000-0x00007FF9EA620000-memory.dmp

Filesize
2.3MB

Download
memory/5408-524-0x00007FF9EB060000-0x00007FF9EB08E000-memory.dmp

Filesize
184KB

Download
memory/5408-631-0x00007FF9EB2C0000-0x00007FF9EB72E000-memory.dmp

Filesize
4.4MB

Download
memory/5408-632-0x00007FF9EB270000-0x00007FF9EB294000-memory.dmp

Filesize
144KB

Download
memory/5408-634-0x00007FF9EB270000-0x00007FF9EB294000-memory.dmp

Filesize
144KB

Download
memory/5408-642-0x00007FF9EB0F0000-0x00007FF9EB1AC000-memory.dmp

Filesize
752KB

Download
memory/5408-641-0x00007FF9EB1C0000-0x00007FF9EB1EE000-memory.dmp

Filesize
184KB

Download
memory/5408-639-0x000002883ABD0000-0x000002883ABE9000-memory.dmp

Filesize
100KB

Download
memory/5408-633-0x00007FF9EB2C0000-0x00007FF9EB72E000-memory.dmp

Filesize
4.4MB

Download
memory/5408-646-0x00007FF9EB060000-0x00007FF9EB08E000-memory.dmp

Filesize
184KB

Download
memory/5408-648-0x00007FF9EAC20000-0x00007FF9EAF95000-memory.dmp

Filesize
3.5MB

Download
memory/5408-647-0x00007FF9EAFA0000-0x00007FF9EB058000-memory.dmp

Filesize
736KB

Download
memory/5408-654-0x00007FF9EAA70000-0x00007FF9EAA8F000-memory.dmp

Filesize
124KB

Download
memory/5408-655-0x00007FF9EA8F0000-0x00007FF9EAA61000-memory.dmp

Filesize
1.4MB

Download
memory/5408-685-0x00007FFA003F0000-0x00007FFA00432000-memory.dmp

Filesize
264KB

Download
memory/5408-684-0x00007FF9EA3D0000-0x00007FF9EA620000-memory.dmp

Filesize
2.3MB

Download
memory/5408-691-0x00007FF9EB2C0000-0x00007FF9EB72E000-memory.dmp

Filesize
4.4MB

Download
memory/5408-692-0x00007FF9EB270000-0x00007FF9EB294000-memory.dmp

Filesize
144KB

Download
memory/5408-693-0x00007FFA000F0000-0x00007FFA000FF000-memory.dmp

Filesize
60KB

Download
memory/5408-695-0x000002883A790000-0x000002883A7BD000-memory.dmp

Filesize
180KB

Download
memory/5408-696-0x000002883ABD0000-0x000002883ABE9000-memory.dmp

Filesize
100KB

Download
memory/5408-697-0x000002883AC00000-0x000002883AC0D000-memory.dmp

Filesize
52KB

Download
memory/5408-698-0x00007FF9EB1C0000-0x00007FF9EB1EE000-memory.dmp

Filesize
184KB

Download
memory/5408-702-0x00007FF9EB090000-0x00007FF9EB0AC000-memory.dmp

Filesize
112KB

Download
memory/5408-701-0x00007FF9EB0B0000-0x00007FF9EB0BA000-memory.dmp

Filesize
40KB

Download
memory/5408-700-0x00007FF9EB0C0000-0x00007FF9EB0EB000-memory.dmp

Filesize
172KB

Download
memory/5408-699-0x00007FF9EB0F0000-0x00007FF9EB1AC000-memory.dmp

Filesize
752KB

Download
memory/5408-694-0x00007FF9EB250000-0x00007FF9EB269000-memory.dmp

Filesize
100KB

Download
memory/5408-743-0x00007FF9EA8E0000-0x00007FF9EA8EB000-memory.dmp

Filesize
44KB

Download
memory/5408-745-0x00007FF9EA830000-0x00007FF9EA83B000-memory.dmp

Filesize
44KB

Download
memory/5408-744-0x00007FF9EA840000-0x00007FF9EA84C000-memory.dmp

Filesize
48KB

Download
memory/5408-747-0x00007FF9EA7A0000-0x00007FF9EA7B5000-memory.dmp

Filesize
84KB

Download
memory/5408-748-0x00007FF9EA790000-0x00007FF9EA7A0000-memory.dmp

Filesize
64KB

Download
memory/5408-749-0x00007FF9EABE0000-0x00007FF9EABEB000-memory.dmp

Filesize
44KB

Download
memory/5408-750-0x00007FF9EA750000-0x00007FF9EA76B000-memory.dmp

Filesize
108KB

Download
memory/5408-751-0x00007FF9EABF0000-0x00007FF9EABFD000-memory.dmp

Filesize
52KB

Download
memory/5408-752-0x00007FF9EA8F0000-0x00007FF9EAA61000-memory.dmp

Filesize
1.4MB

Download
memory/5408-746-0x00007FF9EAC20000-0x00007FF9EAF95000-memory.dmp

Filesize
3.5MB

Download
memory/5408-522-0x00007FF9EA8F0000-0x00007FF9EAA61000-memory.dmp

Filesize
1.4MB

Download
memory/5408-521-0x00007FF9EAA90000-0x00007FF9EABA8000-memory.dmp

Filesize
1.1MB

Download
memory/5408-520-0x00007FF9EABE0000-0x00007FF9EABEB000-memory.dmp

Filesize
44KB

Download
memory/5408-519-0x00007FF9EABF0000-0x00007FF9EABFD000-memory.dmp

Filesize
52KB

Download
memory/5408-514-0x00007FF9EAC20000-0x00007FF9EAF95000-memory.dmp

Filesize
3.5MB

Download
memory/5408-498-0x00007FF9EB0F0000-0x00007FF9EB1AC000-memory.dmp

Filesize
752KB

Download
memory/5408-463-0x00007FF9EB2C0000-0x00007FF9EB72E000-memory.dmp

Filesize
4.4MB

Download