hxxps://github[.]com/Dani-Flo/ImageLoggerV2[.]github[.]io/releases/download/ImageLogger/ImageLogger[.]exe

Analysis

max time kernel
66s
max time network
70s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
27-05-2024 00:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Dani-Flo/ImageLoggerV2.github.io/releases/download/ImageLogger/ImageLogger.exe

Score

9^/10

evasion execution persistence pyinstaller upx

Malware Config

Signatures

Enumerates VirtualBox DLL files 2 TTPs 2 IoCs

File and Directory Discovery

T1083

Virtualization/Sandbox Evasion

T1497

Processes:

ImageLogger.exe

description	ioc	process
File opened (read-only)	C:\windows\system32\vboxhook.dll	ImageLogger.exe
File opened (read-only)	C:\windows\system32\vboxmrxnp.dll	ImageLogger.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2976 powershell.exe
Downloads MZ/PE file
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

1304 attrib.exe
Executes dropped EXE 3 IoCs

Processes:

ImageLogger.exeImageLogger.exeImageLogger.exe

pid process

208 ImageLogger.exe
4260 ImageLogger.exe
5072 ImageLogger.exe

pid	process
2976	powershell.exe

pid	process
1304	attrib.exe

pid	process
208	ImageLogger.exe
4260	ImageLogger.exe
5072	ImageLogger.exe

Loads dropped DLL 64 IoCs

Processes:

ImageLogger.exe

pid	process
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI2082\python312.dll	upx
behavioral1/memory/4260-1382-0x00007FFE6C510000-0x00007FFE6CBD5000-memory.dmp	upx
behavioral1/memory/4260-1390-0x00007FFE7CF70000-0x00007FFE7CF95000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\_MEI2082\_ctypes.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\libffi-8.dll	upx
behavioral1/memory/4260-1392-0x00007FFE7D160000-0x00007FFE7D16F000-memory.dmp	upx
\Users\Admin\AppData\Local\Temp\_MEI2082\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_lzma.pyd	upx
behavioral1/memory/4260-1395-0x00007FFE7CE20000-0x00007FFE7CE3A000-memory.dmp	upx
behavioral1/memory/4260-1398-0x00007FFE7CCD0000-0x00007FFE7CCFD000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\freetype.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\libcrypto-3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\libopus-0.x64.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\libwebp-7.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\portmidi.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\libtiff-5.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\libssl-3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\libpng16-16.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\libopusfile-0.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\libopus-0.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\libogg-0.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\libmodplug-1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\libjpeg-9.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\SDL2.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_wmi.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_tkinter.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_ssl.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_sqlite3.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_queue.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_overlapped.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_multiprocessing.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_hashlib.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_elementtree.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_decimal.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_cffi_backend.cp312-win_amd64.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_asyncio.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\zlib1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\unicodedata.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\tk86t.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\tcl86t.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\sqlite3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\SDL2_ttf.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\SDL2_mixer.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\SDL2_image.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI2082\pyexpat.pyd	upx
behavioral1/memory/4260-1440-0x00007FFE7CCB0000-0x00007FFE7CCC4000-memory.dmp	upx
behavioral1/memory/4260-1442-0x00007FFE6B3F0000-0x00007FFE6B919000-memory.dmp	upx
behavioral1/memory/4260-1445-0x00007FFE7CF60000-0x00007FFE7CF6D000-memory.dmp	upx
behavioral1/memory/4260-1444-0x00007FFE7CC90000-0x00007FFE7CCA9000-memory.dmp	upx
behavioral1/memory/4260-1447-0x00007FFE7C610000-0x00007FFE7C6DD000-memory.dmp	upx
behavioral1/memory/4260-1446-0x00007FFE7CAA0000-0x00007FFE7CAD3000-memory.dmp	upx
behavioral1/memory/4260-1451-0x00007FFE7CA70000-0x00007FFE7CA97000-memory.dmp	upx
behavioral1/memory/4260-1453-0x00007FFE7CF70000-0x00007FFE7CF95000-memory.dmp	upx
behavioral1/memory/4260-1452-0x00007FFE7C4F0000-0x00007FFE7C60B000-memory.dmp	upx
behavioral1/memory/4260-1450-0x00007FFE7CC80000-0x00007FFE7CC8B000-memory.dmp	upx
behavioral1/memory/4260-1449-0x00007FFE7CE10000-0x00007FFE7CE1D000-memory.dmp	upx
behavioral1/memory/4260-1448-0x00007FFE6C510000-0x00007FFE6CBD5000-memory.dmp	upx
behavioral1/memory/4260-1475-0x00007FFE7B800000-0x00007FFE7B822000-memory.dmp	upx
behavioral1/memory/4260-1474-0x00007FFE7B830000-0x00007FFE7B844000-memory.dmp	upx
behavioral1/memory/4260-1473-0x00007FFE7B850000-0x00007FFE7B862000-memory.dmp	upx
behavioral1/memory/4260-1472-0x00007FFE7BE90000-0x00007FFE7BEA6000-memory.dmp	upx
behavioral1/memory/4260-1471-0x00007FFE7BEB0000-0x00007FFE7BEBC000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ImageLogger.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RAT bot by Daniel = "C:\\Users\\Admin\\ImageLogger\\ImageLogger.exe"	ImageLogger.exe

Drops file in Windows directory 5 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\4QTUY2JV\ImageLogger[1].exe	pyinstaller

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

6040 taskkill.exe

pid	process
6040	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

browser_broker.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exebrowser_broker.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{5BF2BB01-09EB-4F06-A42C-B9547EFB2D = "0"	browser_broker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\NextPromptBuild = "15063"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IETld\LowMic	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 45a893a6ceafda01	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\LastCleanup = d1e0cca6ceafda01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\CIStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = bd4772a6ceafda01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\JumpListInPrivateBrowsingAllowed = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Rating Prompt Shown = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Next Rating Prompt = e021c5fd81d2da01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\CIPolicyState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionHigh = "268435456"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\en-US = "en-US.1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{64A791B8-3FE3-4F37-A6EB-3DE7DC9A7CB7} = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 211d74a0ceafda01	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus\SignaturePolicy = 06000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content\CacheLimit = "256000"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\LowMic	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System	browser_broker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "423535468"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{5BF2BB01-09EB-4F06-A42C-B9547EFB2D = "8320"	browser_broker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListDOSTime = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\IECompatVersionHigh = "268435456"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\	MicrosoftEdge.exe

NTFS ADS 2 IoCs

Processes:

browser_broker.exeImageLogger.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\ImageLogger.exe.mb1ec1a.partial:Zone.Identifier	browser_broker.exe
File created	C:\Users\Admin\ImageLogger\ImageLogger.exe\:Zone.Identifier:$DATA	ImageLogger.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

ImageLogger.exepowershell.exe

pid	process
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
4260	ImageLogger.exe
2976	powershell.exe
2976	powershell.exe
2976	powershell.exe
2976	powershell.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

MicrosoftEdgeCP.exe

pid process

3784 MicrosoftEdgeCP.exe
3784 MicrosoftEdgeCP.exe
3784 MicrosoftEdgeCP.exe
3784 MicrosoftEdgeCP.exe

pid	process
3784	MicrosoftEdgeCP.exe
3784	MicrosoftEdgeCP.exe
3784	MicrosoftEdgeCP.exe
3784	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

Processes:

MicrosoftEdgeCP.exeMicrosoftEdgeCP.exeMicrosoftEdge.exeImageLogger.exepowershell.exetaskkill.exe

description	pid	process
Token: SeDebugPrivilege	5020	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5020	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5020	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	5020	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4980	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	4980	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	440	MicrosoftEdge.exe
Token: SeDebugPrivilege	440	MicrosoftEdge.exe
Token: SeDebugPrivilege	4260	ImageLogger.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeIncreaseQuotaPrivilege	2976	powershell.exe
Token: SeSecurityPrivilege	2976	powershell.exe
Token: SeTakeOwnershipPrivilege	2976	powershell.exe
Token: SeLoadDriverPrivilege	2976	powershell.exe
Token: SeSystemProfilePrivilege	2976	powershell.exe
Token: SeSystemtimePrivilege	2976	powershell.exe
Token: SeProfSingleProcessPrivilege	2976	powershell.exe
Token: SeIncBasePriorityPrivilege	2976	powershell.exe
Token: SeCreatePagefilePrivilege	2976	powershell.exe
Token: SeBackupPrivilege	2976	powershell.exe
Token: SeRestorePrivilege	2976	powershell.exe
Token: SeShutdownPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeSystemEnvironmentPrivilege	2976	powershell.exe
Token: SeRemoteShutdownPrivilege	2976	powershell.exe
Token: SeUndockPrivilege	2976	powershell.exe
Token: SeManageVolumePrivilege	2976	powershell.exe
Token: 33	2976	powershell.exe
Token: 34	2976	powershell.exe
Token: 35	2976	powershell.exe
Token: 36	2976	powershell.exe
Token: SeDebugPrivilege	6040	taskkill.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exeMicrosoftEdgeCP.exe

pid process

440 MicrosoftEdge.exe
3784 MicrosoftEdgeCP.exe
5020 MicrosoftEdgeCP.exe
3784 MicrosoftEdgeCP.exe

pid	process
440	MicrosoftEdge.exe
3784	MicrosoftEdgeCP.exe
5020	MicrosoftEdgeCP.exe
3784	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

MicrosoftEdgeCP.exebrowser_broker.exeImageLogger.exeImageLogger.execmd.exe

description	pid	process	target process
PID 3784 wrote to memory of 4936	3784	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3784 wrote to memory of 4936	3784	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3784 wrote to memory of 4936	3784	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3784 wrote to memory of 4996	3784	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3784 wrote to memory of 4996	3784	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3784 wrote to memory of 4996	3784	MicrosoftEdgeCP.exe	MicrosoftEdgeCP.exe
PID 3468 wrote to memory of 208	3468	browser_broker.exe	ImageLogger.exe
PID 3468 wrote to memory of 208	3468	browser_broker.exe	ImageLogger.exe
PID 208 wrote to memory of 4260	208	ImageLogger.exe	ImageLogger.exe
PID 208 wrote to memory of 4260	208	ImageLogger.exe	ImageLogger.exe
PID 4260 wrote to memory of 2976	4260	ImageLogger.exe	powershell.exe
PID 4260 wrote to memory of 2976	4260	ImageLogger.exe	powershell.exe
PID 4260 wrote to memory of 3592	4260	ImageLogger.exe	cmd.exe
PID 4260 wrote to memory of 3592	4260	ImageLogger.exe	cmd.exe
PID 3592 wrote to memory of 1304	3592	cmd.exe	attrib.exe
PID 3592 wrote to memory of 1304	3592	cmd.exe	attrib.exe
PID 3592 wrote to memory of 5072	3592	cmd.exe	ImageLogger.exe
PID 3592 wrote to memory of 5072	3592	cmd.exe	ImageLogger.exe
PID 3592 wrote to memory of 6040	3592	cmd.exe	taskkill.exe
PID 3592 wrote to memory of 6040	3592	cmd.exe	taskkill.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

1304 attrib.exe

pid	process
1304	attrib.exe

C:\Windows\system32\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "https://github.com/Dani-Flo/ImageLoggerV2.github.io/releases/download/ImageLogger/ImageLogger.exe"
1⤵
PID:2220

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:440

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
- Suspicious use of WriteProcessMemory
PID:3468

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\ImageLogger.exe
"C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\ImageLogger.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208

C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\ImageLogger.exe
"C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\ImageLogger.exe"
3⤵
- Enumerates VirtualBox DLL files
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4260

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Add-MpPreference -ExclusionPath \"C:\Users\Admin\ImageLogger\""
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\ImageLogger\activate.bat
4⤵
- Suspicious use of WriteProcessMemory
PID:3592

C:\Windows\system32\attrib.exe
attrib +s +h .
5⤵
- Sets file to hidden
- Views/modifies file attributes
PID:1304

C:\Users\Admin\ImageLogger\ImageLogger.exe
"ImageLogger.exe"
5⤵
- Executes dropped EXE
PID:5072

C:\Windows\system32\taskkill.exe
taskkill /f /im "ImageLogger.exe"
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6040

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3784

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5020

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4936

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:4996

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4980

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x40c
1⤵
PID:3116

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

File and Directory Discovery

T1083

Virtualization/Sandbox Evasion

T1497

Query Registry

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\VSH5XF98\edgecompatviewlist[1].xml
Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\0S6VZEZ6\suggestions[1].en-US
Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\Temp\~DF6862F5FEC1E3E63B.TMP
Filesize
20KB

MD5
60e9e21fb5dfaaf827414cc4136d1392

SHA1
c77780d27a2f560ad49e6719fb44985e889d7aea

SHA256
e65600b33f8f6242e9b98b7321862e281796e43f9a358d38d070f7b4feb34b30

SHA512
bd91c4ed581380ccd10c894c4556de1c8ec1ca2a08769f80c0831873d558441015e8a7bba45a1bc274ce344938551431ec40dc43796350281bbdeb9b688f5012

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\4QTUY2JV\ImageLogger[1].exe
Filesize
1.5MB

MD5
e4134f5a245253c400340708ded803e5

SHA1
5da210d8f3f27160c709acfbcfab968f207b25a8

SHA256
c8828f2ddcd85e76c1000cba89bcc0d4c390b37b8b4463403ccd4f9cb4a51488

SHA512
4622560aedca11d36725425218848475c46310090c5bb2b48016b124328e616f96ce7d25a8e2beaec34386194b5cbfe387253b6127eb7b4283a614964a9c18da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\SDL2.dll
Filesize
635KB

MD5
2b13a3f2fc8f9cdb3161374c4bc85f86

SHA1
9039a90804dba7d6abb2bcf3068647ba8cab8901

SHA256
110567f1e5008c6d453732083b568b6a8d8da8077b9cb859f57b550fd3b05fb6

SHA512
2ee8e35624cb8d78baefafd6878c862b510200974bef265a9856e399578610362c7c46121a9f44d7ece6715e68475db6513e96bea3e26cdccbd333b0e14ccfd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\SDL2_image.dll
Filesize
58KB

MD5
25e2a737dcda9b99666da75e945227ea

SHA1
d38e086a6a0bacbce095db79411c50739f3acea4

SHA256
22b27380d4f1f217f0e5d5c767e5c244256386cd9d87f8ddf303baaf9239fc4c

SHA512
63de988387047c17fd028a894465286fd8f6f8bd3a1321b104c0ceb5473e3e0b923153b4999143efbdd28684329a33a5b468e43f25214037f6cddd4d1884adb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\SDL2_mixer.dll
Filesize
124KB

MD5
b7b45f61e3bb00ccd4ca92b2a003e3a3

SHA1
5018a7c95dc6d01ba6e3a7e77dd26c2c74fd69bc

SHA256
1327f84e3509f3ccefeef1c12578faf04e9921c145233687710253bf903ba095

SHA512
d3449019824124f3edbda57b3b578713e9c9915e173d31566cd8e4d18f307ac0f710250fe6a906dd53e748db14bfa76ec1b58a6aef7d074c913679a47c5fdbe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\SDL2_ttf.dll
Filesize
601KB

MD5
eb0ce62f775f8bd6209bde245a8d0b93

SHA1
5a5d039e0c2a9d763bb65082e09f64c8f3696a71

SHA256
74591aab94bb87fc9a2c45264930439bbc0d1525bf2571025cd9804e5a1cd11a

SHA512
34993240f14a89179ac95c461353b102ea74e4180f52c206250bb42c4c8427a019ea804b09a6903674ac00ab2a3c4c686a86334e483110e79733696aa17f4eb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\VCRUNTIME140_1.dll
Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_asyncio.pyd
Filesize
37KB

MD5
65ffe17a5a5839db64cc63c1c31b87a7

SHA1
b0c5d26cdd50309b830c598f3b17b9fd30628b2c

SHA256
a2c140b0a6d6d83eaf09b66e3cb891df99b8ba3a661259d8161992bff70c66e4

SHA512
2d71aa40835c8126f0a2137e25ccd693cd581fdbda77949cf7d9b4343f85c9025e7532af7ff4175eebbaef4ec69eb015cdf7547c0005e5359bbf98c828a0cad2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_cffi_backend.cp312-win_amd64.pyd
Filesize
71KB

MD5
6e8500d570b12d9e76c94ad5a22b6f21

SHA1
702b6310c0fa791d3901a8372782c6bf387f1adb

SHA256
e320d83858d951b1dc97a8260e54d0c760706dd2d5471f22642926ec69881e04

SHA512
9cf0a44baebe4eb01f02d5596bbc7b4fd09ac81d4b345da3d52159226462f27abcbf6f6aab43f549a57ef34bf437c1f3e4b1fb78cd7a7bb5c1f291495d2dff58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_decimal.pyd
Filesize
105KB

MD5
2dc37264f3cd7bdad52787f0f8eb4385

SHA1
9949b9004dcf66d922672dbc6343cb0e406f944c

SHA256
4ce6df62b7445aac3f7f6f6e00445a3968898003a547d185ae62bc462dfb555c

SHA512
4e73f2d9c245733a6edc6c0f401b91cfa4c88a075bc03c026c5441ccc4181eb9bf3753e5d8aa2c53e7064b39f67069209d8c7544c974b1e81284917cfc7e058a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_elementtree.pyd
Filesize
59KB

MD5
a4699636312058ad7ce50ae654c8e0cf

SHA1
7e4f25cf9d9eede3c99e7c66f885b578bd7224bd

SHA256
756231a20b9197e9c3782997388c71148863798b73e1d4680c532da5d8cb7030

SHA512
4441cb5ea2c04a87022c1426cf6d3648650fe4fadc4b813b005ee3e300ceaf07f79f4b9e68647500657f2f70aae7c9e2c579833b1f085dc4603df0770878102d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_hashlib.pyd
Filesize
35KB

MD5
50807c50d7c392a0d5fbcdffdbcdb600

SHA1
1661517488af0c6be1ef9d856ff09fa6dbcd3dd5

SHA256
c300a7f5e2f51f7a507d7cbc92d024b6189c135aee7e6fb67c15229f7c992ffd

SHA512
0aaa81b30c11bb619d179417e58f28b357b04ceb9515ce22a0c9497866bb382e2a6a4b0b1d1f294858d56ea7027c136e3ea54091a83c94c84be3da4bfe475343

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_lzma.pyd
Filesize
86KB

MD5
16cc6150bc7d1769580d3250b7b41c7f

SHA1
6f2b6e6a6c071ab5ee0f2592451115a872ac2531

SHA256
c07e1c5415c651a08d9c1a90c367136874eced47a35d3f988190218d2f43118e

SHA512
ccfe0dc086d49b755505919894c4eda55a8c0242b3ab9471a3bbc205362409f845635618bd6165af8a2ef36e55583d55982eb389c27218676379dba43eaef3b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_multiprocessing.pyd
Filesize
27KB

MD5
537f125ccdf3f288170d098699f24a02

SHA1
316afe72232f83a8222fc2d0b48dc9e6d8718c9c

SHA256
f4a535732cd57d94f752ce99a8072e0875e180feb90f9248ba8ccab5353da867

SHA512
3e3d7eb501b570f5b84604cf0a101dcfaa55eea4801b83fb74bf9cbe9ddddae711a8284fcd2c79a241dc70abf032491e490791d2423fe5cb5d9a0050e914dfb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_overlapped.pyd
Filesize
33KB

MD5
59ed3d257c210434d28b84063115545c

SHA1
a766cfa0dc70f3785819d4deaef4f2b9dbc9cd85

SHA256
70e656592c21023b650d8dad45e261ff0489c219eb2f4abb163cb5c5d7efc325

SHA512
0a41be3906c83cfbdb238632bc1af733c3333cf4118e1b64e1596cdadf65fa56aeeba82cd638fcb682f8c216d0b24940ca628b078167df99fa43340c39944db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_queue.pyd
Filesize
26KB

MD5
c148cb6e535fd528ded253493ad9cd9e

SHA1
d58af9bcc5dcf9d656e6ae5416cbc2ea93504544

SHA256
e14270e46167dac520178eda76f32caceae783d0dd589f10423fb9b1f80fc4fc

SHA512
d561e8566f9f61f0572a2a5a7c093fc9d07d43ff9412e4d6f7cb7145fa0ab3f030488e24f2c3583b26ad3ea6df27c5db871fa6d9146dd3faab3c63bff8a6a317

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_socket.pyd
Filesize
44KB

MD5
d58bb5978bb4ff8c26c6356fc67f4506

SHA1
99c3f245d21325d41e71c4ac626c2203109c8e85

SHA256
9f7fe7e142472f7e491285e0b0a4e00e29175b7d917836b36ecb3ac1265332c5

SHA512
bc85dcadcdcaac54f18ceb833e955cf836cdf037d3fae57c973dc72d76aefa0d08d6caed09894486401a44068dfcd94b83809569ba61a84e87241c931154d5a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_sqlite3.pyd
Filesize
57KB

MD5
b1254d6e5c62435b583c3abf4d3f859b

SHA1
4ac394ecc8528c940bcd5c11f63dd8c30d3c0879

SHA256
b9892dd45f0b63c463aadaeb30befea59f7e21413a7f22afe725f27b4b7c5262

SHA512
07b2187fd59a5816943604a2bb7aa6404aa01a57ea937aff8cf49827fb9d3ff44058aaf709b3cfd78c8c07b7f44976395b5971a81ae67246c313287164b4d0db

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_ssl.pyd
Filesize
65KB

MD5
8c963aae2410879d9820a54e94c12ced

SHA1
9b0c410fd02ce91b161f0ebebf807daf694ab3d2

SHA256
071d0f87084ce2eced5b385fa0c22b72ff002045d7d238d6d6b64a12ac6e6fc8

SHA512
2dadec0ab79be4e0f823ea5d5f79d27dc49b5998cf1563f43d08d6483ab7712901af1f6bf96ff341a71b3a1a1786def2f0a784c066e302b23fb41f0b623dae93

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_tkinter.pyd
Filesize
38KB

MD5
0ef70d836126b891ec7040913e7570d4

SHA1
3cb380cde55af28e36dc8448b18961c0512b38fb

SHA256
7372ca7272d5575ddf6e6abb04add5ae82d2f70e8973cd05e9296c270e42510e

SHA512
89a3bf9e38ae22ba058fe993d3d4f931984fb0f5f0c2f6aa481d38abd10903372aaa79308be9c5ed1f2f0191d2dd3f584952998917fa093744c3d33a9a22e74e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_uuid.pyd
Filesize
24KB

MD5
353e11301ea38261e6b1cb261a81e0fe

SHA1
607c5ebe67e29eabc61978fb52e4ec23b9a3348e

SHA256
d132f754471bd8a6f6d7816453c2e542f250a4d8089b657392fe61a500ae7899

SHA512
fa990b3e9619d59ae3ad0aeffca7a3513ab143bfd0ac9277e711519010f7c453258a4b041be86a275f3c365e980fc857c23563f3b393d1e3a223973a673e88c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\_wmi.pyd
Filesize
28KB

MD5
a180bf3e0d3c50e9c16e9de691ab5281

SHA1
e8f17616aa2ec453cb129aa08c16f19661c7272f

SHA256
da33e471a1229419da5690b0b32b5d2137f732ac0b4a8dec82fe4e5952d19048

SHA512
d9799175cb45ff0079355f01a3a6d0a8eaeb50fcec5de7564abac2d1032e45f7d7cc449fac156ae9e5b9773e77fb5d817bb5fc748857c25084a2ca4b20d079de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\base_library.zip
Filesize
1.3MB

MD5
8dad91add129dca41dd17a332a64d593

SHA1
70a4ec5a17ed63caf2407bd76dc116aca7765c0d

SHA256
8de4f013bfecb9431aabaa97bb084fb7de127b365b9478d6f7610959bf0d2783

SHA512
2163414bc01fc30d47d1de763a8332afe96ea7b296665b1a0840d5197b7e56f4963938e69de35cd2bf89158e5e2240a1650d00d86634ac2a5e2ad825455a2d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\crypto_clipper.json
Filesize
167B

MD5
6f7984b7fffe835d59f387ec567b62ad

SHA1
8eb4ed9ea86bf696ef77cbe0ffeeee76f0b39ee0

SHA256
519fc78e5abcdba889647540ca681f4bcb75ab57624675fc60d60ab0e8e6b1c5

SHA512
51d11368f704920fa5d993a73e3528037b5416213eed5cf1fbbea2817c7c0694518f08a272ad812166e15fcc5223be1bf766e38d3ee23e2528b58500f4c4932a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\freetype.dll
Filesize
292KB

MD5
04a9825dc286549ee3fa29e2b06ca944

SHA1
5bed779bf591752bb7aa9428189ec7f3c1137461

SHA256
50249f68b4faf85e7cd8d1220b7626a86bc507af9ae400d08c8e365f9ab97cde

SHA512
0e937e4de6cbc9d40035b94c289c2798c77c44fc1dc7097201f9fab97c7ff9e56113c06c51693f09908283eda92945b36de67351f893d4e3162e67c078cff4ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\libcrypto-3.dll
Filesize
1.6MB

MD5
8fed6a2bbb718bb44240a84662c79b53

SHA1
2cd169a573922b3a0e35d0f9f252b55638a16bca

SHA256
f8de79a5dd7eeb4b2a053315ab4c719cd48fe90b0533949f94b6a291e6bc70fd

SHA512
87787593e6a7d0556a4d05f07a276ffdbef551802eb2e4b07104362cb5af0b32bffd911fd9237799e10e0c8685e9e7a7345c3bce2ad966843c269b4c9bd83e03

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\libffi-8.dll
Filesize
29KB

MD5
013a0b2653aa0eb6075419217a1ed6bd

SHA1
1b58ff8e160b29a43397499801cf8ab0344371e7

SHA256
e9d8eb01bb9b02ce3859ba4527938a71b4668f98897d46f29e94b27014036523

SHA512
0bd13fa1d55133ee2a96387e0756f48133987bacd99d1f58bab3be7bffdf868092060c17ab792dcfbb4680f984f40d3f7cc24abdd657b756496aa8884b8f6099

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\libjpeg-9.dll
Filesize
108KB

MD5
c22b781bb21bffbea478b76ad6ed1a28

SHA1
66cc6495ba5e531b0fe22731875250c720262db1

SHA256
1eed2385030348c84bbdb75d41d64891be910c27fab8d20fc9e85485fcb569dd

SHA512
9b42cad4a715680a27cd79f466fd2913649b80657ff042528cba2946631387ed9fb027014d215e1baf05839509ca5915d533b91aa958ae0525dea6e2a869b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\libmodplug-1.dll
Filesize
117KB

MD5
2bb2e7fa60884113f23dcb4fd266c4a6

SHA1
36bbd1e8f7ee1747c7007a3c297d429500183d73

SHA256
9319bf867ed6007f3c61da139c2ab8b74a4cb68bf56265a101e79396941f6d3b

SHA512
1ddd4b9b9238c1744e0a1fe403f136a1def8df94814b405e7b01dd871b3f22a2afe819a26e08752142f127c3efe4ebae8bfd1bd63563d5eb98b4644426f576b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\libogg-0.dll
Filesize
16KB

MD5
0d65168162287df89af79bb9be79f65b

SHA1
3e5af700b8c3e1a558105284ecd21b73b765a6dc

SHA256
2ec2322aec756b795c2e614dab467ef02c3d67d527ad117f905b3ab0968ccf24

SHA512
69af81fd2293c31f456b3c78588bb6a372fe4a449244d74bfe5bfaa3134a0709a685725fa05055cfd261c51a96df4b7ebd8b9e143f0e9312c374e54392f8a2c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\libopus-0.dll
Filesize
181KB

MD5
3fb9d9e8daa2326aad43a5fc5ddab689

SHA1
55523c665414233863356d14452146a760747165

SHA256
fd8de9169ccf53c5968eec0c90e9ff3a66fb451a5bf063868f3e82007106b491

SHA512
f263ea6e0fab84a65fe3a9b6c0fe860919eee828c84b888a5aa52dea540434248d1e810a883a2aff273cd9f22c607db966dd8776e965be6d2cfe1b50a1af1f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\libopus-0.x64.dll
Filesize
217KB

MD5
e56f1b8c782d39fd19b5c9ade735b51b

SHA1
3d1dc7e70a655ba9058958a17efabe76953a00b4

SHA256
fa8715dd0df84fdedbe4aa17763b2ab0db8941fa33421b6d42e25e59c4ae8732

SHA512
b7702e48b20a8991a5c537f5ba22834de8bb4ba55862b75024eace299263963b953606ee29e64d68b438bb0904273c4c20e71f22ccef3f93552c36fb2d1b2c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\libopusfile-0.dll
Filesize
26KB

MD5
2d5274bea7ef82f6158716d392b1be52

SHA1
ce2ff6e211450352eec7417a195b74fbd736eb24

SHA256
6dea07c27c0cc5763347357e10c3b17af318268f0f17c7b165325ce524a0e8d5

SHA512
9973d68b23396b3aa09d2079d18f2c463e807c9c1fdf4b1a5f29d561e8d5e62153e0c7be23b63975ad179b9599ff6b0cf08ebdbe843d194483e7ec3e7aeb232a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\libpng16-16.dll
Filesize
98KB

MD5
55009dd953f500022c102cfb3f6a8a6c

SHA1
07af9f4d456ddf86a51da1e4e4c5b54b0cf06ddb

SHA256
20391787cba331cfbe32fbf22f328a0fd48924e944e80de20ba32886bf4b6fd2

SHA512
4423d3ec8fef29782f3d4a21feeac9ba24c9c765d770b2920d47b4fb847a96ff5c793b20373833b4ff8bc3d8fa422159c64beffb78ce5768ed22742740a8c6c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\libssl-3.dll
Filesize
222KB

MD5
37c7f14cd439a0c40d496421343f96d5

SHA1
1b6d68159e566f3011087befdcf64f6ee176085c

SHA256
b9c8276a3122cacba65cfa78217fef8a6d4f0204548fcacce66018cb91cb1b2a

SHA512
f446fd4bd351d391006d82198f7f679718a6e17f14ca5400ba23886275ed5363739bfd5bc01ca07cb2af19668dd8ab0b403bcae139d81a245db2b775770953ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\libtiff-5.dll
Filesize
127KB

MD5
ebad1fa14342d14a6b30e01ebc6d23c1

SHA1
9c4718e98e90f176c57648fa4ed5476f438b80a7

SHA256
4f50820827ac76042752809479c357063fe5653188654a6ba4df639da2fbf3ca

SHA512
91872eaa1f3f45232ab2d753585e650ded24c6cc8cc1d2a476fa98a61210177bd83570c52594b5ad562fc27cb76e034122f16a922c6910e4ed486da1d3c45c24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\libwebp-7.dll
Filesize
192KB

MD5
b0dd211ec05b441767ea7f65a6f87235

SHA1
280f45a676c40bd85ed5541ceb4bafc94d7895f3

SHA256
fc06b8f92e86b848a17eaf7ed93464f54ed1f129a869868a74a75105ff8ce56e

SHA512
eaeb83e46c8ca261e79b3432ec2199f163c44f180eb483d66a71ad530ba488eb4cdbd911633e34696a4ccc035e238bc250a8247f318aa2f0cd9759cad4f90fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\portmidi.dll
Filesize
18KB

MD5
0df0699727e9d2179f7fd85a61c58bdf

SHA1
82397ee85472c355725955257c0da207fa19bf59

SHA256
97a53e8de3f1b2512f0295b5de98fa7a23023a0e4c4008ae534acdba54110c61

SHA512
196e41a34a60de83cb24caa5fc95820fd36371719487350bc2768354edf39eeb6c7860ff3fd9ecf570abb4288523d7ab934e86e85202b9753b135d07180678cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\pyexpat.pyd
Filesize
88KB

MD5
98f5a84c3643ba404db59660c8ba2c37

SHA1
44c926b810398c3021c50993c10e44313c455fdf

SHA256
62392a5f10ffc061bcd2ffa6b619baa3dbb23eaf744f329aaef1967d7be60842

SHA512
28984b3af727f53cef17c7d508035b54affe22c9340af8ccd5d744f32aaafde1157ad644844d2b8e78d094718b2a77d5b9826c6699fe068c06e4361b001f5e31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\python3.DLL
Filesize
66KB

MD5
79b02450d6ca4852165036c8d4eaed1f

SHA1
ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4

SHA256
d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123

SHA512
47044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\python312.dll
Filesize
1.7MB

MD5
73ecc8d4decf6f198d6505bde482e37a

SHA1
ed30f5bd628b4a5de079062ea9b909b99807021c

SHA256
b598545be6c99f7db852a510768ecf80ed353fad3989af342bc6faf66fd64648

SHA512
56923c477d35680aed73980e0404768f841da868ca11f39888caff0fc06f4ae906551b4bd47f98dda2cc2d81ea9eed17fa7c17aa59d4d7c37510ba24d7ac5976

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\select.pyd
Filesize
25KB

MD5
ac35d9dfc2f9853cebb8248175630dfd

SHA1
3dabea23c9d687717fc7dfdb7b160f4b5cc0eb87

SHA256
b77fdbef26fd8ac0798e29adb37667cf7df523a96b8496328dc056ae568b0476

SHA512
fd5e13ad72b8c605b5c79b1b87c7b5d119517fad7e5b94901bb294d1f9d9ef75e71e079991f0710729cba34fdb7e3f13cd628134070dc509f52bc7caec5f4fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\sqlite3.dll
Filesize
644KB

MD5
1af99cff748d6cc7a2e70c6c4540b077

SHA1
c2b598ff6e35cd9ba454205f4a936933acd496fb

SHA256
70d6219a6b36eaebdf36f54d661772d0864eb4bc14c9dbf0175143841ec61e6c

SHA512
9e876283535cee2912b6ea676dd63eaf57b3c4fa9c9e2c0a9592b908e91359ac0bc2b1c5ee9016bf76fe5f61a90f61afcc623c330a85673e281968fde300c12f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\tcl86t.dll
Filesize
652KB

MD5
1af892b6d5d1b85ae83ead8dd68c7951

SHA1
1b4577acd488972fbe6660f810ee5ec208378f26

SHA256
902b2523edae3994c00d52612df0d2244891e3a2c805c6a3714a38a7e03a36af

SHA512
bfbede74e6cf46666ed6b7ea4d5ac9ccce69efb5646122ad77862ebf9c539f51161379158c2ad7fa66f6ae8c0f0311267cff05b3d16544103adc76c85fb33a7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\tk86t.dll
Filesize
626KB

MD5
6223a850b687827314f72f645c86beb5

SHA1
4c03d817cfa3544115cd5aac1cf6edd4646d811b

SHA256
ff4c451c3a230106539caaf0ba63383889541019f1b72e0e1613f2217a515dda

SHA512
8a1bc29b736d5d66bd66a0f11aa952b257041314d27e96fef91a60e472b26a6f7b61374457b04097a9e851ddc4aed4030c1ecd9d9d12266a3c4efa1454bc174e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\unicodedata.pyd
Filesize
295KB

MD5
520a7a2e9ea3e52906b5c3860010a80e

SHA1
456ffc8f5d045ce9b120f429fdbc8e03938bebee

SHA256
ba320a95d7b53ce2c6a5bca87069cdcad3f4ea7c68bd4a95ff972e269f28bce3

SHA512
e144a65a1a1835392d8b12faada9088dfe3981376a9b9688fc43892a156b85307f291c475452163c38ae21bd1a79548905549587dd2660503e11be29c931ce3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2082\zlib1.dll
Filesize
52KB

MD5
ee06185c239216ad4c70f74e7c011aa6

SHA1
40e66b92ff38c9b1216511d5b1119fe9da6c2703

SHA256
0391066f3e6385a9c0fe7218c38f7bd0b3e0da0f15a98ebb07f1ac38d6175466

SHA512
baae562a53d491e19dbf7ee2cff4c13d42de6833036bfdaed9ed441bcbf004b68e4088bd453b7413d60faaf1b334aee71241ba468437d49050b8ccfa9232425d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p300txun.glq.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI2082\VCRUNTIME140.dll
Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI2082\_bz2.pyd
Filesize
48KB

MD5
1916e124d881dddf17becd37517da0a8

SHA1
bd1a68de06c69c3c38b530bcbae12e1c1ebfb742

SHA256
aa9f1aec45672f34a2cceb550cd04a75f2d7d3929d65a3dbad71e11bb42e5162

SHA512
ad15e7c8dbb027579541edd8cf4f9cfcb6b70094e59cb7b92571dac1932c523c1e08b269600c15f4018cbfd2889959b639a2c4f85a188ec2b1244dbccc4918b2

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI2082\_ctypes.pyd
Filesize
59KB

MD5
a31cba32537e0bcbcfe7f8ccc747797d

SHA1
681b6148a6383d501361321c0760ca0e3c2e2340

SHA256
5290520258fbc100decc59432b20ee2c178923919e1c46995b925cf7081c72a4

SHA512
215267232c87a60be914eaf084eae018624230afbf176640a6164ad6eb417f7ed4abcf53415d904b982a0fec8de8dcea94463a023d27fc0d28a1bcdbbaf4b668

Download Submit
memory/440-0-0x000001D05AC20000-0x000001D05AC30000-memory.dmp

Filesize
64KB

Download
memory/440-35-0x000001D059DA0000-0x000001D059DA2000-memory.dmp

Filesize
8KB

Download
memory/440-16-0x000001D05AD20000-0x000001D05AD30000-memory.dmp

Filesize
64KB

Download
memory/4260-1463-0x00007FFE7C3C0000-0x00007FFE7C3CE000-memory.dmp

Filesize
56KB

Download
memory/4260-1494-0x00007FFE7B770000-0x00007FFE7B787000-memory.dmp

Filesize
92KB

Download
memory/4260-1395-0x00007FFE7CE20000-0x00007FFE7CE3A000-memory.dmp

Filesize
104KB

Download
memory/4260-1392-0x00007FFE7D160000-0x00007FFE7D16F000-memory.dmp

Filesize
60KB

Download
memory/4260-1390-0x00007FFE7CF70000-0x00007FFE7CF95000-memory.dmp

Filesize
148KB

Download
memory/4260-1382-0x00007FFE6C510000-0x00007FFE6CBD5000-memory.dmp

Filesize
6.8MB

Download
memory/4260-1637-0x00007FFE6C510000-0x00007FFE6CBD5000-memory.dmp

Filesize
6.8MB

Download
memory/4260-1638-0x00007FFE7CF70000-0x00007FFE7CF95000-memory.dmp

Filesize
148KB

Download
memory/4260-1440-0x00007FFE7CCB0000-0x00007FFE7CCC4000-memory.dmp

Filesize
80KB

Download
memory/4260-1442-0x00007FFE6B3F0000-0x00007FFE6B919000-memory.dmp

Filesize
5.2MB

Download
memory/4260-1445-0x00007FFE7CF60000-0x00007FFE7CF6D000-memory.dmp

Filesize
52KB

Download
memory/4260-1444-0x00007FFE7CC90000-0x00007FFE7CCA9000-memory.dmp

Filesize
100KB

Download
memory/4260-1447-0x00007FFE7C610000-0x00007FFE7C6DD000-memory.dmp

Filesize
820KB

Download
memory/4260-1446-0x00007FFE7CAA0000-0x00007FFE7CAD3000-memory.dmp

Filesize
204KB

Download
memory/4260-1451-0x00007FFE7CA70000-0x00007FFE7CA97000-memory.dmp

Filesize
156KB

Download
memory/4260-1453-0x00007FFE7CF70000-0x00007FFE7CF95000-memory.dmp

Filesize
148KB

Download
memory/4260-1452-0x00007FFE7C4F0000-0x00007FFE7C60B000-memory.dmp

Filesize
1.1MB

Download
memory/4260-1450-0x00007FFE7CC80000-0x00007FFE7CC8B000-memory.dmp

Filesize
44KB

Download
memory/4260-1449-0x00007FFE7CE10000-0x00007FFE7CE1D000-memory.dmp

Filesize
52KB

Download
memory/4260-1448-0x00007FFE6C510000-0x00007FFE6CBD5000-memory.dmp

Filesize
6.8MB

Download
memory/4260-1475-0x00007FFE7B800000-0x00007FFE7B822000-memory.dmp

Filesize
136KB

Download
memory/4260-1474-0x00007FFE7B830000-0x00007FFE7B844000-memory.dmp

Filesize
80KB

Download
memory/4260-1473-0x00007FFE7B850000-0x00007FFE7B862000-memory.dmp

Filesize
72KB

Download
memory/4260-1472-0x00007FFE7BE90000-0x00007FFE7BEA6000-memory.dmp

Filesize
88KB

Download
memory/4260-1471-0x00007FFE7BEB0000-0x00007FFE7BEBC000-memory.dmp

Filesize
48KB

Download
memory/4260-1470-0x00007FFE7BEC0000-0x00007FFE7BED2000-memory.dmp

Filesize
72KB

Download
memory/4260-1469-0x00007FFE7BEE0000-0x00007FFE7BEED000-memory.dmp

Filesize
52KB

Download
memory/4260-1468-0x00007FFE7BEF0000-0x00007FFE7BEFC000-memory.dmp

Filesize
48KB

Download
memory/4260-1467-0x00007FFE7BF00000-0x00007FFE7BF0C000-memory.dmp

Filesize
48KB

Download
memory/4260-1466-0x00007FFE7BF10000-0x00007FFE7BF1B000-memory.dmp

Filesize
44KB

Download
memory/4260-1465-0x00007FFE7BF20000-0x00007FFE7BF2B000-memory.dmp

Filesize
44KB

Download
memory/4260-1464-0x00007FFE7BF30000-0x00007FFE7BF3C000-memory.dmp

Filesize
48KB

Download
memory/4260-1639-0x00007FFE7D160000-0x00007FFE7D16F000-memory.dmp

Filesize
60KB

Download
memory/4260-1462-0x00007FFE7C450000-0x00007FFE7C45C000-memory.dmp

Filesize
48KB

Download
memory/4260-1461-0x00007FFE7C460000-0x00007FFE7C46C000-memory.dmp

Filesize
48KB

Download
memory/4260-1460-0x00007FFE7C470000-0x00007FFE7C47B000-memory.dmp

Filesize
44KB

Download
memory/4260-1459-0x00007FFE7C480000-0x00007FFE7C48C000-memory.dmp

Filesize
48KB

Download
memory/4260-1458-0x00007FFE7C490000-0x00007FFE7C49B000-memory.dmp

Filesize
44KB

Download
memory/4260-1457-0x00007FFE7C4A0000-0x00007FFE7C4AC000-memory.dmp

Filesize
48KB

Download
memory/4260-1456-0x00007FFE7C4B0000-0x00007FFE7C4BB000-memory.dmp

Filesize
44KB

Download
memory/4260-1455-0x00007FFE7C4C0000-0x00007FFE7C4CB000-memory.dmp

Filesize
44KB

Download
memory/4260-1454-0x00007FFE7C4E0000-0x00007FFE7C4ED000-memory.dmp

Filesize
52KB

Download
memory/4260-1477-0x00007FFE7B770000-0x00007FFE7B787000-memory.dmp

Filesize
92KB

Download
memory/4260-1476-0x00007FFE7CCD0000-0x00007FFE7CCFD000-memory.dmp

Filesize
180KB

Download
memory/4260-1479-0x00007FFE7B750000-0x00007FFE7B769000-memory.dmp

Filesize
100KB

Download
memory/4260-1478-0x00007FFE7CCB0000-0x00007FFE7CCC4000-memory.dmp

Filesize
80KB

Download
memory/4260-1483-0x00007FFE7CAA0000-0x00007FFE7CAD3000-memory.dmp

Filesize
204KB

Download
memory/4260-1482-0x00007FFE7B730000-0x00007FFE7B741000-memory.dmp

Filesize
68KB

Download
memory/4260-1481-0x00007FFE7B020000-0x00007FFE7B06C000-memory.dmp

Filesize
304KB

Download
memory/4260-1480-0x00007FFE6B3F0000-0x00007FFE6B919000-memory.dmp

Filesize
5.2MB

Download
memory/4260-1484-0x00007FFE7B000000-0x00007FFE7B01E000-memory.dmp

Filesize
120KB

Download
memory/4260-1487-0x00007FFE7A6B0000-0x00007FFE7A6E9000-memory.dmp

Filesize
228KB

Download
memory/4260-1486-0x00007FFE7A6F0000-0x00007FFE7A74D000-memory.dmp

Filesize
372KB

Download
memory/4260-1485-0x00007FFE7C610000-0x00007FFE7C6DD000-memory.dmp

Filesize
820KB

Download
memory/4260-1490-0x00007FFE7C4E0000-0x00007FFE7C4ED000-memory.dmp

Filesize
52KB

Download
memory/4260-1493-0x00007FFE77F40000-0x00007FFE780BE000-memory.dmp

Filesize
1.5MB

Download
memory/4260-1492-0x00007FFE7B800000-0x00007FFE7B822000-memory.dmp

Filesize
136KB

Download
memory/4260-1491-0x00007FFE7A5E0000-0x00007FFE7A604000-memory.dmp

Filesize
144KB

Download
memory/4260-1489-0x00007FFE7A650000-0x00007FFE7A67E000-memory.dmp

Filesize
184KB

Download
memory/4260-1488-0x00007FFE7A680000-0x00007FFE7A6A9000-memory.dmp

Filesize
164KB

Download
memory/4260-1495-0x00007FFE7A5C0000-0x00007FFE7A5D8000-memory.dmp

Filesize
96KB

Download
memory/4260-1398-0x00007FFE7CCD0000-0x00007FFE7CCFD000-memory.dmp

Filesize
180KB

Download
memory/4260-1497-0x00007FFE7A640000-0x00007FFE7A64B000-memory.dmp

Filesize
44KB

Download
memory/4260-1504-0x00007FFE79BE0000-0x00007FFE79BEC000-memory.dmp

Filesize
48KB

Download
memory/4260-1503-0x00007FFE7B020000-0x00007FFE7B06C000-memory.dmp

Filesize
304KB

Download
memory/4260-1502-0x00007FFE79C00000-0x00007FFE79C0B000-memory.dmp

Filesize
44KB

Download
memory/4260-1501-0x00007FFE79BF0000-0x00007FFE79BFC000-memory.dmp

Filesize
48KB

Download
memory/4260-1500-0x00007FFE7A490000-0x00007FFE7A49C000-memory.dmp

Filesize
48KB

Download
memory/4260-1499-0x00007FFE7A4A0000-0x00007FFE7A4AB000-memory.dmp

Filesize
44KB

Download
memory/4260-1498-0x00007FFE7A4B0000-0x00007FFE7A4BC000-memory.dmp

Filesize
48KB

Download
memory/4260-1496-0x00007FFE7AFF0000-0x00007FFE7AFFB000-memory.dmp

Filesize
44KB

Download
memory/4260-1516-0x00007FFE76AC0000-0x00007FFE76ACC000-memory.dmp

Filesize
48KB

Download
memory/4260-1515-0x00007FFE76BC0000-0x00007FFE76BD2000-memory.dmp

Filesize
72KB

Download
memory/4260-1514-0x00007FFE76BE0000-0x00007FFE76BED000-memory.dmp

Filesize
52KB

Download
memory/4260-1513-0x00007FFE7A6B0000-0x00007FFE7A6E9000-memory.dmp

Filesize
228KB

Download
memory/4260-1512-0x00007FFE76BF0000-0x00007FFE76BFC000-memory.dmp

Filesize
48KB

Download
memory/4260-1511-0x00007FFE77F00000-0x00007FFE77F0C000-memory.dmp

Filesize
48KB

Download
memory/4260-1510-0x00007FFE77F10000-0x00007FFE77F1B000-memory.dmp

Filesize
44KB

Download
memory/4260-1509-0x00007FFE7A6F0000-0x00007FFE7A74D000-memory.dmp

Filesize
372KB

Download
memory/4260-1508-0x00007FFE77F20000-0x00007FFE77F2B000-memory.dmp

Filesize
44KB

Download
memory/4260-1507-0x00007FFE77F30000-0x00007FFE77F3C000-memory.dmp

Filesize
48KB

Download
memory/4260-1506-0x00007FFE79BD0000-0x00007FFE79BDE000-memory.dmp

Filesize
56KB

Download
memory/4260-1505-0x00007FFE7B000000-0x00007FFE7B01E000-memory.dmp

Filesize
120KB

Download
memory/4260-1517-0x00007FFE76A80000-0x00007FFE76AB5000-memory.dmp

Filesize
212KB

Download
memory/4260-1519-0x00007FFE77F40000-0x00007FFE780BE000-memory.dmp

Filesize
1.5MB

Download
memory/4260-1520-0x00007FFE6AFC0000-0x00007FFE6B205000-memory.dmp

Filesize
2.3MB

Download
memory/4260-1518-0x00007FFE7A5E0000-0x00007FFE7A604000-memory.dmp

Filesize
144KB

Download
memory/4260-1521-0x00007FFE6A8C0000-0x00007FFE6AFB5000-memory.dmp

Filesize
7.0MB

Download
memory/4260-1523-0x00007FFE6D320000-0x00007FFE6D375000-memory.dmp

Filesize
340KB

Download
memory/4260-1522-0x00007FFE7A5C0000-0x00007FFE7A5D8000-memory.dmp

Filesize
96KB

Download
memory/4260-1524-0x00007FFE6A5E0000-0x00007FFE6A8C0000-memory.dmp

Filesize
2.9MB

Download
memory/4260-1525-0x00007FFE684E0000-0x00007FFE6A5D3000-memory.dmp

Filesize
32.9MB

Download
memory/4260-1527-0x00007FFE76A60000-0x00007FFE76A77000-memory.dmp

Filesize
92KB

Download
memory/4260-1528-0x00007FFE6C4E0000-0x00007FFE6C501000-memory.dmp

Filesize
132KB

Download
memory/4260-1529-0x00007FFE6C4B0000-0x00007FFE6C4D2000-memory.dmp

Filesize
136KB

Download
memory/4260-1530-0x00007FFE6C410000-0x00007FFE6C4A9000-memory.dmp

Filesize
612KB

Download
memory/4260-1531-0x00007FFE6C3E0000-0x00007FFE6C410000-memory.dmp

Filesize
192KB

Download
memory/4260-1532-0x00007FFE68490000-0x00007FFE684D1000-memory.dmp

Filesize
260KB

Download
memory/4260-1533-0x00007FFE6C380000-0x00007FFE6C399000-memory.dmp

Filesize
100KB

Download
memory/4260-1642-0x00007FFE7CCB0000-0x00007FFE7CCC4000-memory.dmp

Filesize
80KB

Download
memory/4260-1643-0x00007FFE6B3F0000-0x00007FFE6B919000-memory.dmp

Filesize
5.2MB

Download
memory/4260-1641-0x00007FFE7CCD0000-0x00007FFE7CCFD000-memory.dmp

Filesize
180KB

Download
memory/4260-1640-0x00007FFE7CE20000-0x00007FFE7CE3A000-memory.dmp

Filesize
104KB

Download
memory/4260-1656-0x00007FFE7C490000-0x00007FFE7C49B000-memory.dmp

Filesize
44KB

Download
memory/4260-1655-0x00007FFE7C4A0000-0x00007FFE7C4AC000-memory.dmp

Filesize
48KB

Download
memory/4260-1654-0x00007FFE7C4B0000-0x00007FFE7C4BB000-memory.dmp

Filesize
44KB

Download
memory/4260-1653-0x00007FFE7C4C0000-0x00007FFE7C4CB000-memory.dmp

Filesize
44KB

Download
memory/4260-1652-0x00007FFE7C4E0000-0x00007FFE7C4ED000-memory.dmp

Filesize
52KB

Download
memory/4260-1651-0x00007FFE7C4F0000-0x00007FFE7C60B000-memory.dmp

Filesize
1.1MB

Download
memory/4260-1650-0x00007FFE7CA70000-0x00007FFE7CA97000-memory.dmp

Filesize
156KB

Download
memory/4260-1649-0x00007FFE7CC80000-0x00007FFE7CC8B000-memory.dmp

Filesize
44KB

Download
memory/4260-1648-0x00007FFE7CE10000-0x00007FFE7CE1D000-memory.dmp

Filesize
52KB

Download
memory/4260-1647-0x00007FFE7C610000-0x00007FFE7C6DD000-memory.dmp

Filesize
820KB

Download
memory/4260-1646-0x00007FFE7CAA0000-0x00007FFE7CAD3000-memory.dmp

Filesize
204KB

Download
memory/4260-1645-0x00007FFE7CF60000-0x00007FFE7CF6D000-memory.dmp

Filesize
52KB

Download
memory/4260-1644-0x00007FFE7CC90000-0x00007FFE7CCA9000-memory.dmp

Filesize
100KB

Download
memory/4936-72-0x0000027FF4560000-0x0000027FF4562000-memory.dmp

Filesize
8KB

Download
memory/4936-70-0x0000027FF4540000-0x0000027FF4542000-memory.dmp

Filesize
8KB

Download
memory/4936-67-0x0000027FF4510000-0x0000027FF4512000-memory.dmp

Filesize
8KB

Download
memory/4936-74-0x0000027FF5210000-0x0000027FF5310000-memory.dmp

Filesize
1024KB

Download
memory/4996-86-0x000001F791300000-0x000001F791400000-memory.dmp

Filesize
1024KB

Download
memory/5020-45-0x000001E684400000-0x000001E684500000-memory.dmp

Filesize
1024KB

Download