hxxps://drive[.]google[.]com/file/d/1vttMyisjEDrZKVemmJR9WMWP0l9eKxAt/view?usp=sharing

Analysis

max time kernel
84s
max time network
88s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05-08-2024 07:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/file/d/1vttMyisjEDrZKVemmJR9WMWP0l9eKxAt/view?usp=sharing

Score

8^/10

discovery execution upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
7284	powershell.exe
6188	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
1768	Bootstrapper.exe
2092	Bootstrapper.exe
5572	Bootstrapper.exe
5588	Bootstrapper.exe
6644	Bootstrapper.exe
7084	Bootstrapper.exe
7292	bound.exe
1192	Bootstrapper.exe
4900	Bootstrapper.exe
7944	bound.exe

Loads dropped DLL 64 IoCs

pid	Process
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
6644	Bootstrapper.exe
6644	Bootstrapper.exe
6644	Bootstrapper.exe
6644	Bootstrapper.exe
6644	Bootstrapper.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023924-871.dat	upx
behavioral1/memory/2092-875-0x00007FF81D810000-0x00007FF81DDF8000-memory.dmp	upx
behavioral1/files/0x0007000000023524-877.dat	upx
behavioral1/memory/2092-885-0x00007FF8347B0000-0x00007FF8347BF000-memory.dmp	upx
behavioral1/memory/2092-884-0x00007FF82C0B0000-0x00007FF82C0D4000-memory.dmp	upx
behavioral1/files/0x000700000002355b-883.dat	upx
behavioral1/files/0x0007000000023522-886.dat	upx
behavioral1/files/0x0007000000023527-888.dat	upx
behavioral1/memory/2092-891-0x00007FF821250000-0x00007FF82127D000-memory.dmp	upx
behavioral1/memory/2092-890-0x00007FF8274C0000-0x00007FF8274D9000-memory.dmp	upx
behavioral1/files/0x000700000002355a-893.dat	upx
behavioral1/files/0x000700000002355c-894.dat	upx
behavioral1/files/0x0007000000023922-896.dat	upx
behavioral1/files/0x0007000000023928-897.dat	upx
behavioral1/files/0x0007000000023932-898.dat	upx
behavioral1/files/0x0007000000023933-899.dat	upx
behavioral1/files/0x0007000000023525-903.dat	upx
behavioral1/files/0x000700000002352e-911.dat	upx
behavioral1/files/0x000700000002352d-910.dat	upx
behavioral1/files/0x000700000002352c-909.dat	upx
behavioral1/files/0x000700000002352b-908.dat	upx
behavioral1/files/0x000700000002352a-907.dat	upx
behavioral1/files/0x0007000000023529-906.dat	upx
behavioral1/files/0x0007000000023528-905.dat	upx
behavioral1/files/0x0007000000023526-904.dat	upx
behavioral1/files/0x0007000000023523-902.dat	upx
behavioral1/files/0x0007000000023521-901.dat	upx
behavioral1/memory/2092-915-0x00007FF81F330000-0x00007FF81F349000-memory.dmp	upx
behavioral1/memory/2092-914-0x00007FF81D7D0000-0x00007FF81D805000-memory.dmp	upx
behavioral1/files/0x0007000000023927-920.dat	upx
behavioral1/files/0x0007000000023926-923.dat	upx
behavioral1/memory/2092-924-0x00007FF81D7A0000-0x00007FF81D7CE000-memory.dmp	upx
behavioral1/memory/2092-919-0x00007FF8303E0000-0x00007FF8303ED000-memory.dmp	upx
behavioral1/memory/2092-918-0x00007FF8306F0000-0x00007FF8306FD000-memory.dmp	upx
behavioral1/memory/2092-926-0x00007FF81D810000-0x00007FF81DDF8000-memory.dmp	upx
behavioral1/memory/2092-928-0x00007FF81D6E0000-0x00007FF81D79C000-memory.dmp	upx
behavioral1/files/0x0007000000023936-927.dat	upx
behavioral1/memory/2092-929-0x00007FF81D6B0000-0x00007FF81D6DB000-memory.dmp	upx
behavioral1/memory/2092-930-0x00007FF82C0B0000-0x00007FF82C0D4000-memory.dmp	upx
behavioral1/memory/2092-931-0x00007FF81D680000-0x00007FF81D6AE000-memory.dmp	upx
behavioral1/memory/2092-933-0x00007FF81D240000-0x00007FF81D5B5000-memory.dmp	upx
behavioral1/memory/2092-932-0x00007FF81D5C0000-0x00007FF81D678000-memory.dmp	upx
behavioral1/memory/2092-936-0x00007FF81D220000-0x00007FF81D235000-memory.dmp	upx
behavioral1/memory/2092-935-0x00007FF821250000-0x00007FF82127D000-memory.dmp	upx
behavioral1/memory/2092-937-0x00007FF81D200000-0x00007FF81D212000-memory.dmp	upx
behavioral1/memory/2092-939-0x00007FF81D0E0000-0x00007FF81D1FC000-memory.dmp	upx
behavioral1/memory/2092-938-0x00007FF81F330000-0x00007FF81F349000-memory.dmp	upx
behavioral1/memory/2092-941-0x00007FF81D030000-0x00007FF81D044000-memory.dmp	upx
behavioral1/memory/2092-940-0x00007FF81D050000-0x00007FF81D0D7000-memory.dmp	upx
behavioral1/memory/2092-945-0x00007FF82F8A0000-0x00007FF82F8AA000-memory.dmp	upx
behavioral1/memory/2092-944-0x00007FF81D6E0000-0x00007FF81D79C000-memory.dmp	upx
behavioral1/memory/2092-943-0x00007FF81D000000-0x00007FF81D026000-memory.dmp	upx
behavioral1/memory/2092-942-0x00007FF82FF10000-0x00007FF82FF1B000-memory.dmp	upx
behavioral1/memory/2092-947-0x00007FF81CFE0000-0x00007FF81CFF8000-memory.dmp	upx
behavioral1/memory/2092-946-0x00007FF81D6B0000-0x00007FF81D6DB000-memory.dmp	upx
behavioral1/memory/2092-950-0x00007FF81CE30000-0x00007FF81CFA3000-memory.dmp	upx
behavioral1/memory/2092-949-0x00007FF81CFB0000-0x00007FF81CFD3000-memory.dmp	upx
behavioral1/memory/2092-948-0x00007FF81D680000-0x00007FF81D6AE000-memory.dmp	upx
behavioral1/memory/2092-951-0x00007FF81D5C0000-0x00007FF81D678000-memory.dmp	upx
behavioral1/memory/2092-964-0x00007FF81D0E0000-0x00007FF81D1FC000-memory.dmp	upx
behavioral1/memory/2092-975-0x00007FF81CCB0000-0x00007FF81CCBB000-memory.dmp	upx
behavioral1/memory/2092-974-0x00007FF81CD70000-0x00007FF81CD7C000-memory.dmp	upx
behavioral1/memory/2092-973-0x00007FF81CCC0000-0x00007FF81CCE9000-memory.dmp	upx
behavioral1/memory/2092-977-0x00007FF81CC90000-0x00007FF81CCAC000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
5	drive.google.com
103	raw.githubusercontent.com
104	raw.githubusercontent.com
114	pastebin.com
115	pastebin.com
2	drive.google.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 1 IoCs

pid	pid_target	Process	procid_target
7576	7292	WerFault.exe	142

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bound.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bound.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5452	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3700	msedge.exe
3700	msedge.exe
3192	msedge.exe
3192	msedge.exe
2492	identity_helper.exe
2492	identity_helper.exe
4400	msedge.exe
4400	msedge.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
2092	Bootstrapper.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
7284	powershell.exe
7284	powershell.exe
7284	powershell.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
6188	powershell.exe
6188	powershell.exe
6188	powershell.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3308	7zG.exe
Token: 35	3308	7zG.exe
Token: SeSecurityPrivilege	3308	7zG.exe
Token: SeSecurityPrivilege	3308	7zG.exe
Token: SeDebugPrivilege	2092	Bootstrapper.exe
Token: SeIncreaseQuotaPrivilege	5372	WMIC.exe
Token: SeSecurityPrivilege	5372	WMIC.exe
Token: SeTakeOwnershipPrivilege	5372	WMIC.exe
Token: SeLoadDriverPrivilege	5372	WMIC.exe
Token: SeSystemProfilePrivilege	5372	WMIC.exe
Token: SeSystemtimePrivilege	5372	WMIC.exe
Token: SeProfSingleProcessPrivilege	5372	WMIC.exe
Token: SeIncBasePriorityPrivilege	5372	WMIC.exe
Token: SeCreatePagefilePrivilege	5372	WMIC.exe
Token: SeBackupPrivilege	5372	WMIC.exe
Token: SeRestorePrivilege	5372	WMIC.exe
Token: SeShutdownPrivilege	5372	WMIC.exe
Token: SeDebugPrivilege	5372	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5372	WMIC.exe
Token: SeRemoteShutdownPrivilege	5372	WMIC.exe
Token: SeUndockPrivilege	5372	WMIC.exe
Token: SeManageVolumePrivilege	5372	WMIC.exe
Token: 33	5372	WMIC.exe
Token: 34	5372	WMIC.exe
Token: 35	5372	WMIC.exe
Token: 36	5372	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5372	WMIC.exe
Token: SeSecurityPrivilege	5372	WMIC.exe
Token: SeTakeOwnershipPrivilege	5372	WMIC.exe
Token: SeLoadDriverPrivilege	5372	WMIC.exe
Token: SeSystemProfilePrivilege	5372	WMIC.exe
Token: SeSystemtimePrivilege	5372	WMIC.exe
Token: SeProfSingleProcessPrivilege	5372	WMIC.exe
Token: SeIncBasePriorityPrivilege	5372	WMIC.exe
Token: SeCreatePagefilePrivilege	5372	WMIC.exe
Token: SeBackupPrivilege	5372	WMIC.exe
Token: SeRestorePrivilege	5372	WMIC.exe
Token: SeShutdownPrivilege	5372	WMIC.exe
Token: SeDebugPrivilege	5372	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5372	WMIC.exe
Token: SeRemoteShutdownPrivilege	5372	WMIC.exe
Token: SeUndockPrivilege	5372	WMIC.exe
Token: SeManageVolumePrivilege	5372	WMIC.exe
Token: 33	5372	WMIC.exe
Token: 34	5372	WMIC.exe
Token: 35	5372	WMIC.exe
Token: 36	5372	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5452	WMIC.exe
Token: SeSecurityPrivilege	5452	WMIC.exe
Token: SeTakeOwnershipPrivilege	5452	WMIC.exe
Token: SeLoadDriverPrivilege	5452	WMIC.exe
Token: SeSystemProfilePrivilege	5452	WMIC.exe
Token: SeSystemtimePrivilege	5452	WMIC.exe
Token: SeProfSingleProcessPrivilege	5452	WMIC.exe
Token: SeIncBasePriorityPrivilege	5452	WMIC.exe
Token: SeCreatePagefilePrivilege	5452	WMIC.exe
Token: SeBackupPrivilege	5452	WMIC.exe
Token: SeRestorePrivilege	5452	WMIC.exe
Token: SeShutdownPrivilege	5452	WMIC.exe
Token: SeDebugPrivilege	5452	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5452	WMIC.exe
Token: SeRemoteShutdownPrivilege	5452	WMIC.exe
Token: SeUndockPrivilege	5452	WMIC.exe
Token: SeManageVolumePrivilege	5452	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3308	7zG.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe
5244	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 4100	3192	msedge.exe	83
PID 3192 wrote to memory of 4100	3192	msedge.exe	83
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 4204	3192	msedge.exe	84
PID 3192 wrote to memory of 3700	3192	msedge.exe	85
PID 3192 wrote to memory of 3700	3192	msedge.exe	85
PID 3192 wrote to memory of 556	3192	msedge.exe	86
PID 3192 wrote to memory of 556	3192	msedge.exe	86
PID 3192 wrote to memory of 556	3192	msedge.exe	86
PID 3192 wrote to memory of 556	3192	msedge.exe	86
PID 3192 wrote to memory of 556	3192	msedge.exe	86
PID 3192 wrote to memory of 556	3192	msedge.exe	86
PID 3192 wrote to memory of 556	3192	msedge.exe	86
PID 3192 wrote to memory of 556	3192	msedge.exe	86
PID 3192 wrote to memory of 556	3192	msedge.exe	86
PID 3192 wrote to memory of 556	3192	msedge.exe	86
PID 3192 wrote to memory of 556	3192	msedge.exe	86
PID 3192 wrote to memory of 556	3192	msedge.exe	86
PID 3192 wrote to memory of 556	3192	msedge.exe	86
PID 3192 wrote to memory of 556	3192	msedge.exe	86
PID 3192 wrote to memory of 556	3192	msedge.exe	86
PID 3192 wrote to memory of 556	3192	msedge.exe	86
PID 3192 wrote to memory of 556	3192	msedge.exe	86
PID 3192 wrote to memory of 556	3192	msedge.exe	86
PID 3192 wrote to memory of 556	3192	msedge.exe	86
PID 3192 wrote to memory of 556	3192	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://drive.google.com/file/d/1vttMyisjEDrZKVemmJR9WMWP0l9eKxAt/view?usp=sharing
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff82f8846f8,0x7ff82f884708,0x7ff82f884718
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,2052351328768097359,11878542683411625634,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2
  2⤵
  PID:4204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2224,2052351328768097359,11878542683411625634,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2224,2052351328768097359,11878542683411625634,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
  2⤵
  PID:556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,2052351328768097359,11878542683411625634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,2052351328768097359,11878542683411625634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,2052351328768097359,11878542683411625634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,2052351328768097359,11878542683411625634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
  2⤵
  PID:1728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2224,2052351328768097359,11878542683411625634,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6008 /prefetch:8
  2⤵
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,2052351328768097359,11878542683411625634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
  2⤵
  PID:1864
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,2052351328768097359,11878542683411625634,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6600 /prefetch:8
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,2052351328768097359,11878542683411625634,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6600 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2224,2052351328768097359,11878542683411625634,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,2052351328768097359,11878542683411625634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4912 /prefetch:1
  2⤵
  PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,2052351328768097359,11878542683411625634,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:1036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,2052351328768097359,11878542683411625634,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
  2⤵
  PID:3416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,2052351328768097359,11878542683411625634,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
  2⤵
  PID:4608

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4244

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3668

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap4103:86:7zEvent18668
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3308

C:\Users\Admin\Downloads\Bootstrapper.exe
"C:\Users\Admin\Downloads\Bootstrapper.exe"
1⤵
- Executes dropped EXE
PID:1768
- C:\Users\Admin\Downloads\Bootstrapper.exe
  "C:\Users\Admin\Downloads\Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    PID:5280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    PID:5288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5312
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:5404
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:5452

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5244

C:\Users\Admin\Downloads\Bootstrapper.exe
"C:\Users\Admin\Downloads\Bootstrapper.exe"
1⤵
- Executes dropped EXE
PID:5572
- C:\Users\Admin\Downloads\Bootstrapper.exe
  "C:\Users\Admin\Downloads\Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:6644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:4044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    PID:7156
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:7284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    PID:7160
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:7292
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7292 -s 1712
        5⤵
        Program crash
        
        PID:7576

C:\Users\Admin\Downloads\Bootstrapper.exe
"C:\Users\Admin\Downloads\Bootstrapper.exe"
1⤵
- Executes dropped EXE
PID:5588
- C:\Users\Admin\Downloads\Bootstrapper.exe
  "C:\Users\Admin\Downloads\Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  PID:7084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:7052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 7292 -ip 7292
1⤵
PID:7552

C:\Users\Admin\Downloads\Bootstrapper.exe
"C:\Users\Admin\Downloads\Bootstrapper.exe"
1⤵
- Executes dropped EXE
PID:1192
- C:\Users\Admin\Downloads\Bootstrapper.exe
  "C:\Users\Admin\Downloads\Bootstrapper.exe"
  2⤵
  - Executes dropped EXE
  PID:4900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:5336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    PID:5448
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:6188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    PID:5444
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:7944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7114a6cd851f9bf56cf771c37d664a2

SHA1
769c5d04fd83e583f15ab1ef659de8f883ecab8a

SHA256
d2c75c7d68c474d4b8847b4ba6cfd09fe90717f46dd398c86483d825a66e977e

SHA512
33bdae2305ae98e7c0de576de5a6600bd70a425e7b891d745cba9de992036df1b3d1df9572edb0f89f320e50962d06532dae9491985b6b57fd37d5f46f7a2ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
719923124ee00fb57378e0ebcbe894f7

SHA1
cc356a7d27b8b27dc33f21bd4990f286ee13a9f9

SHA256
aa22ab845fa08c786bd3366ec39f733d5be80e9ac933ed115ff048ff30090808

SHA512
a207b6646500d0d504cf70ee10f57948e58dab7f214ad2e7c4af0e7ca23ce1d37c8c745873137e6c55bdcf0f527031a66d9cc54805a0eac3678be6dd497a5bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
408B

MD5
5fc33f5807f9768bba06d5db4c7260ae

SHA1
3e3dd5478facaae86923a51c997a43bc31b383c1

SHA256
38d3b15898856be0739da09df6b99e1ecb949ed56438aebdceedcfb4235fc2ca

SHA512
1cf0a8d7136ca069bb49f161514ba9281e4146fca90be9e2a42adff13f3c2d0e86937799b358a73ed97a0b4ec0e6e95cffb36b458bdc7d0e39e7b3ef24eb0611

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
2f798d9fb01531d50ea4fe688b26d87c

SHA1
d517780c6fec42d2daf98aca6a64ca475f848fb6

SHA256
ac9fccf362cf74b68f4fe5bd982dd40bf9b64d292b8a9107f2b50dd0fef36da3

SHA512
6a09b7067ff9d16bb98e4085fe95ef8e6ffd4f25a20642e6f7a4e7d9c342cb15c055edd9aca2db89cb978ccd8dc5cb773afd69f0e26b1fd9de03d1b7b761595f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
aca482d665e8540802ff99982f314f43

SHA1
39a012e754d0275524848d7de794ff778d403e4a

SHA256
e3a1e4ade064d8582156abb792cdb45fd5f14fa32aba7635478992bd032db7fb

SHA512
2f1736883b5ce5f4dab9bcde567db320c86808a9e36380f0bb0c61bacb06d0d202c5d853671b90d4c9f7d365b434a886da3aa64762f4ae6c1b858c4494ed41e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7fb872c5bb4a9e7f2b131d5a3598fe09

SHA1
6dffd67d2691fb7bbf94d31d4400fbe9b5c2af14

SHA256
db8187ed9ca818b0561e88bf86a60854fea741424350853c8a954328f317d8dc

SHA512
123c5291773f0d1e6d8966e4a4ba03485af3e2e5f5e7b5ad5ddf7ec60b77d4b9017ab85af69bc9af233956473ea99b4f525edb9541889441e5e83861a70fc0d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
50425fde3dd0974bab77e7e6b75a48c5

SHA1
3b0f5fcada2c46d670d20ac2017ac0292b0b7ae5

SHA256
19b1b66ceea31dd657238dd09158b66d86ac1d576891c414739d2ac4738eeb70

SHA512
ab227941e9bd1e2d77996b6f9397d23ecc9f473dd8338398d44ea25483d26b2d117745ab18a150148287722a5e358e95a0b9f1c1aad8bb257a029838efd4ddc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
08923a269c37dc36343e202b6475761f

SHA1
c8ee77b4be819d15467ee9f64148dca1c881453c

SHA256
a65ec9980958d47f8a3af8e897522d55a1d3055d21b032f2c6beb173afb6ae75

SHA512
4e3d0f93055d5752d92963d3a3ae309b9a493936f2e3447dcabf961d3cbdf5f375b6708b547f194bd40fce5e23fb588b2769706603f36bc1ec59dcfa1c7b08c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17682\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17682\VCRUNTIME140_1.dll

Filesize
37KB

MD5
75e78e4bf561031d39f86143753400ff

SHA1
324c2a99e39f8992459495182677e91656a05206

SHA256
1758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e

SHA512
ce4daf46bce44a89d21308c63e2de8b757a23be2630360209c4a25eb13f1f66a04fbb0a124761a33bbf34496f2f2a02b8df159b4b62f1b6241e1dbfb0e5d9756

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17682\_asyncio.pyd

Filesize
34KB

MD5
936e44a303a5957709434a0c6bf4532e

SHA1
e35f0b78f61797d9277741a1ee577b5fe7af3d62

SHA256
11f1062fafb4fbca92e3b2cef97ab66ec011142f5b0312e74815decd93be458b

SHA512
cebe905b718825c1841e9c0e83dfdac95d0ff50b116ab3b91b05ca21f86f1482f5b1e13988c969244c644d17bd378792ac4967caa721f0b0e858cd92859af154

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17682\_bz2.pyd

Filesize
46KB

MD5
af3d45698d379c97a90cca9625bc5926

SHA1
0783866af330c1029253859574c369901969208e

SHA256
47af0730824f96865b5e20f8bba34b0d5f3a330087411adba71269312bf7ccec

SHA512
117e95d2ba0432f5ece882ad67a3fbf2e2cd251b4327a0d66b3fffd444e2d1813ddb568321bde1636b4180d19607db6103df145153e4ff84e9be601fd2dd5691

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17682\_cffi_backend.cp311-win_amd64.pyd

Filesize
71KB

MD5
55ee36964cfb1cb5c4a13762722e6b8e

SHA1
b7337e1aeac9bec9daffac43bcb881011f9eded9

SHA256
b346624f456f5297696e9708fa44a5473c1dc53443d14e6b5330cf191ca2d766

SHA512
337462452c576fa1001c750df5af943a9efebf0409246849d700b6c2e2766ed2c4bf46ca7027d2e37bf1f949525fca682ee322ac7867e0b5525be9054c10c24a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17682\_ctypes.pyd

Filesize
57KB

MD5
2346cf6a1ad336f3ee23c4ec3ff7871c

SHA1
e36b759c0b78d2def431aa11bcbb7d7cf02f1eea

SHA256
490a11d03dd3aeb05a410eb0d285e3da788e73b643ea9914fffd5a2c102dc1df

SHA512
7a92de4937b23952e2a31bb09a58b2ad81c06da23704e4b4f964eb42948adad1a1e57920c021283da1b7154e7ac19e46031ffee6b69a73acbc85d95ef45bf8ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17682\_decimal.pyd

Filesize
104KB

MD5
9b801838394e97e30c99dcf5f9fcc8fa

SHA1
33fb049b2f98bcb2f2cb9508be2408a6698243be

SHA256
15668e03f9c55f07184ec9c048a8569f7d7ebd9ea6dbef145f1f3b581f8623f3

SHA512
5f074c82f344ca43a07a59132fab59e3504e314a2f7673bfec906782b947daf8fe45a1b956f72502eae72f01369a3bb1fbb73b10dc605d43b889a6700bd98a28

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17682\_hashlib.pyd

Filesize
33KB

MD5
7fd141630dfa2500f5bf4c61e2c2d034

SHA1
0f8d1dfae2cbce1ad714c93216f01bf7001aabda

SHA256
689f0ac1d44481688cd4ae90b6f801176a52ff4bb4170c62575ea58f44452e15

SHA512
c6b7b1aefb7280f38d63f4ab84a349ebb696ca7300b7a451e7a994baff7e0a83fb4488c43ed3160b94dec74e0d27417d68913056b3006c8c6da11e39681f512e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17682\_lzma.pyd

Filesize
84KB

MD5
ab6a735ad62592c7c8ea0b06cb57317a

SHA1
e27a0506800b5bbc2b350e39899d260164af2cd1

SHA256
0ebdf15c1c6d59e49716dfb4601f0abe6383449c70db1a349c6ad486742144a8

SHA512
9a285593cd8cc29844688723d8907e55a9f8a3109f9538cc4140912cc973f495de32779a4cd4a48dc62d680fdf81a5797e4e9c33f236a803082dfc3c00d02060

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17682\_multiprocessing.pyd

Filesize
25KB

MD5
241a977372d63b46b6ae4f7227579cc3

SHA1
21c8fa02217ec69c5cc9a1cc9edaa5de6f8d9f91

SHA256
04e56f1c6919f2987f205e9e3afa16d945eeaffa415c746104ccb7763c067f9c

SHA512
7aeaa94a5cd46d604370e430c72724b683e149af7e032c85708e33bfb94fb6a9ccc52c70bc701dfb94b4ae55d4e8acd8e394efb6cd81466fd9fa1a6addaa4ecc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17682\_overlapped.pyd

Filesize
30KB

MD5
ef52dc3e7d12795745e23487026a5b5e

SHA1
6c9f488a9eaabdc6db11ed2c32231d518a8b8f42

SHA256
b1b56328df4b19cf04586303f693979536253078fc7017b4ac4ae6d730296b1f

SHA512
8b3c311bf4a54eaa21fa1db058037b274bd3b9e838e844537269f8e0102ad47ca7181e73bbb4f5269100cfe82499bb0787bc04943b02e36ea0ab26bfa8e65326

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17682\_queue.pyd

Filesize
24KB

MD5
71955beaf83aca364ed64285021781ca

SHA1
cac93d08f9085079fb32e6fc6d8e4fc8cd9115e6

SHA256
3df280391d7275e73aef70af228bb21c03434147ae9fe31e8c620ea151e08b30

SHA512
9b055a0273ace0f9b673e015a20c8867689090608fffaf85c54636f061cf595de1e6c9bfc2d8ea75fa4dd247b4af0493022f24d6a931b53e7f60009a85b45601

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17682\_socket.pyd

Filesize
41KB

MD5
53dc1aa457a1e3b4f6c8baed19a6ca0a

SHA1
290a572e981cc5ce896dc52a53f112d9eaaefc39

SHA256
26200892f616f859e82c167701ab866b8291eabbe808dd18c434cc80ebeedf19

SHA512
460de92115288e0e95fd03837df775e5f34425784c18ab7e9ad0885511166371647a6f06d95ffa6c3437de69895d46cd4cddcda2841ccdb5ef268b1a857837e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17682\_sqlite3.pyd

Filesize
54KB

MD5
1c5e0718dce15682d32185f1e1f8df7d

SHA1
f59662db717663ed1589328c5749bb8b44a0d053

SHA256
56f74ec6490b916c513b618635edaa22cb2374a92e5f79549c1e2b7c5c37f31d

SHA512
702f8348d2fe08ec10e0120129e64c12368c971ea52852cd0c7d26fd159f5b34bc808b9b318168aaa81366ed4944909e305d4e9727f0374d921eddb54ea22cf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17682\_ssl.pyd

Filesize
60KB

MD5
df5a6f6c547300a7c87005eb0fafcfa0

SHA1
c792342e964a1c8a776e5203f3eee7908e6cad09

SHA256
dea09b9750c26813130ca32db0b4455796e12a3d61bb52066d5a53302bcce0ce

SHA512
018a79871faa2cf6a1644e96f10750ddccccd56436720faf760808b1997940f9bcd2866a4533b903058ab608629ff8ed46fadb788e4a6714b19775d557dd69b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17682\_uuid.pyd

Filesize
21KB

MD5
cf378e1866edaa02db65a838f0e0ad8e

SHA1
cc66b98b3289a126fa4cf960d89cbbecff0f5aa8

SHA256
caabfac7123e70906fafe3a34d11c0c87c62695b2716a5f95b032bb54982744e

SHA512
cdb6fb5861fee4eeee49dd79ba164ef8538235b0b41e505dd59f1b5a79256390a4bb920ade9ff58abdc41c738ec6f316d387df4f588b673d8f324e5c1c32a9c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17682\base_library.zip

Filesize
1.4MB

MD5
481da210e644d6b317cafb5ddf09e1a5

SHA1
00fe8e1656e065d5cf897986c12ffb683f3a2422

SHA256
3242ea7a6c4c712f10108a619bf5213878146547838f7e2c1e80d2778eb0aaa0

SHA512
74d177794f0d7e67f64a4f0c9da4c3fd25a4d90eb909e942e42e5651cc1930b8a99eef6d40107aa8756e75ffbcc93284b916862e24262df897aaac97c5072210

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17682\bound.luna

Filesize
275KB

MD5
cc5282187e564cc7c7b3f5481ccd42a5

SHA1
084bc74cbd805391216e88e64efc78d94cfd1286

SHA256
4a5f7f4d53970bc34e7f47f4255b06bf5a66e794c4bba85d02fa9f1de8d9f6a4

SHA512
1de5678ff9617b59a504799dd7722b13ab665704fc8fba6e69791d1bcc5fe4bd13b308eef6d08670c8e53b4c4b01a841b4bc89e5a1545f6a1ef317e2b171f802

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17682\libcrypto-1_1.dll

Filesize
1.1MB

MD5
571796599d616a0d12aa34be09242c22

SHA1
0e0004ab828966f0c8a67b2f10311bb89b6b74ac

SHA256
6242d2e13aef871c4b8cfd75fc0f8530e8dccfeaba8f1b66280e9345f52b833b

SHA512
7362a6c887600fafc1a45413823f006589bb95a76ac052b6c7022356a7a9a6e8cd3e76f59cecf152e189323791d9626a6fdb7a98bf3a5250d517b746c3e84e84

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17682\libffi-8.dll

Filesize
24KB

MD5
24ea21ebcc3bef497d2bd208e7986f88

SHA1
d936f79431517b9687ee54d837e9e4be7afc082d

SHA256
18c097ef19f3e502a025c1d63cfec73a4fa30c5482286f4000d40d4784a0070a

SHA512
1bdbeddd812ecc2cdfbbf3498b0a8ef551cc18ce73fc30eb40b415fab0cdd20b80057a25a33ca2f9247b08978838df3587a3caf6e1a8e108c5a9a4f67dd75a94

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17682\libssl-1_1.dll

Filesize
203KB

MD5
aabafc5d0e409123ae5e4523d9b3dee2

SHA1
4d0a1834ed4e4ceecb04206e203d916eb22e981b

SHA256
84e4c37fb28b6cf79e2386163fe6bb094a50c1e8825a4bcdb4cb216f4236d831

SHA512
163f29ad05e830367af3f2107e460a587f4710b8d9d909a01e04cd8cfee115d8f453515e089a727a6466ce0e2248a56f14815588f7df6d42fe1580e1b25369cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17682\luna.aes

Filesize
356KB

MD5
a26c91cfc3ed0b916ad7f5129282dfd4

SHA1
15d6a84a5cf4306702d379aeb179d8f77e1a6ee0

SHA256
c8ad4a5d91f36c1ff3661e94038efec25513610fd00d7c8f1a951ef453a55409

SHA512
2a7dfcd143ceb3253d715d5e85170d43f5cb5d02dc33fac3e99455ac49d0511107752f4947456161cced58eb74f6ec3c59a09658f8e5848e127fb906fc02d2bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17682\pyexpat.pyd

Filesize
86KB

MD5
c498ed10d7245560412f9df527508b5c

SHA1
b84b57a54a1a9c5631f4d0b8ac31694786cc822b

SHA256
297ec9e654500400ba5731101b65d29c14d0305ae9f6c05b9763f57ab150b07d

SHA512
ab8bcf6e4a395944316e19aa7aa598e8bfeaa038f4ae086fcede6d01747b670896d640dbf4992630fcbd737d2be3ab627b7be8ad36437629671387f4aaf85957

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17682\python3.DLL

Filesize
64KB

MD5
34e49bb1dfddf6037f0001d9aefe7d61

SHA1
a25a39dca11cdc195c9ecd49e95657a3e4fe3215

SHA256
4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281

SHA512
edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17682\python311.dll

Filesize
1.6MB

MD5
4fcf14c7837f8b127156b8a558db0bb2

SHA1
8de2711d00bef7b5f2dcf8a2c6871fa1db67cf1f

SHA256
a67df621a383f4ce5a408e0debe3ebc49ffc766d6a1d6d9a7942120b8ec054dc

SHA512
7a6195495b48f66c35b273a2c9d7ff59e96a4180ea8503f31c8b131167c6cdddd8d6fe77388a34096964a73c85eab504281a14ae3d05350cfee5c51d2491cec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17682\pywin32_system32\pythoncom311.dll

Filesize
193KB

MD5
471d17f08b66f1489516d271ebf831e3

SHA1
0296e3848de8e99c55bab82c7b181112fb30e840

SHA256
39f4e62d0366897e20eb849cdc78f4ea988605ba86a95c9c741f2797086a6788

SHA512
857a92588f3363ce9e139fe92222ece6d7d926fdcb2c5c1febfb6328389f3e5f8b82063aface5b61015de031e6bfda556067f49f9cc8103664749d8581da1587

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17682\pywin32_system32\pywintypes311.dll

Filesize
62KB

MD5
04ce7664658c9c18527594708550d59e

SHA1
1db7e6722aaea33d92fba441fca294600d904103

SHA256
e3be247830c23a1751e1bab98d02ba5da3721d2a85469eda3764fc583ca2a6ff

SHA512
e9744b2eee5fa848d5ac83622a6b1c1a1009d7ad8a944bda7a118dd75d8d24218fa2e4ef67718caabda0dd67efdd5be1497705afef8edec830f1b2402d0f0a8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17682\select.pyd

Filesize
24KB

MD5
0dc8f694b3e6a3682b3ff098bd2468f6

SHA1
737252620116c6ac5c527f99d3914e608a0e5a74

SHA256
818120c08358b6b4d1234b7456c7b5c777af8473e26314a6a6c0f37237d53208

SHA512
d0e704d52b0c5e24c07447a60d71ccec490ec15ecb6b4532b2e93ac07036bda7f27051f80dac1ef3705b0186f35f9d6dfc05415412e483b68fd79f1098411123

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17682\sqlite3.dll

Filesize
608KB

MD5
605b722497acc50ffb33ebdb6afaf1f0

SHA1
e24c55472c827d4b519e5b6f0a3cfc49e10d1fa9

SHA256
a61016520a3f228285e32e40d878fe449450136c55aa9d4d7b54006a8dc7f339

SHA512
9611afc66cd1236cea1fce94e8ecf8e4d2168db3b51d8d9a799b574e8523ca0aea48da6b6c15fc863dd737b9c394ac6e56d2f3fa45e29792b630da389cb21dc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17682\unicodedata.pyd

Filesize
293KB

MD5
2b1809546e4bc9d67ea69d24f75edce0

SHA1
9d076445dfa2f58964a6a1fd1844f6fe82645952

SHA256
89cbb2814a75a5bd53acbfb1fe090ca8395c4a7f559acd4fe0187758c172623a

SHA512
5ae015add4697e8290eb881fa770bca2fa22ba8376b86b26f7880d4f92ad362e741042926a4c47cc3413c83f445e372ffda915bcf8567673d807bd2dac28fbbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17682\win32\win32api.pyd

Filesize
48KB

MD5
d2668458d3a33de3fbe931eb029a3628

SHA1
258351db3b6ce6ae80a428c2b5dc0a3f7cfa112a

SHA256
2c37610d165a3c3c0350b08a5d803928267aa69878f753d2e2b048de4f3a7413

SHA512
440b760300043938c1a3130baf667426d1dabdb6dab24581054c9d5ef213997183b0a317b4f846f277eabb07f7bd4d2cc42d90158511c904b7a78672869c641d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55722\cryptography-43.0.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55882\pycountry\locales\de\LC_MESSAGES\iso3166-2.mo

Filesize
207KB

MD5
fbc3184600f4c885296f36ab500adccd

SHA1
18db52aea5d8fa61653d091af853b19b2c3dd475

SHA256
466aab6a14a6aabfee4ce464f34b404c3252d0f6f28336f1dda972658ed7aa19

SHA512
b01c184aaecf7fc7101d40070314641d14d75ff47d22d01dba337d0941bddd084c30d7b9985fc376b2ce54c24b8c4de1ccc3227f2e322de6f3bfbc7838fd5cf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55882\pycountry\locales\fr\LC_MESSAGES\iso639-3.mo

Filesize
409KB

MD5
972591ca80602d1e82cf3d75d0729d0e

SHA1
94017f374fc09f3baceae08803c76f059b6dbe0d

SHA256
c28273b7da4ca5af1cfbabdd9070219a37afa2cb88bd859aa96ba71271a7dcee

SHA512
550b4e1f2b6540c1dbfbad2a43b15282204b80e2776075cfc3c20053e30c0b46fe205e71fa9a2258220ffd76443cf7f7296e86ffa39c6329dae4d413a0cdc357

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI55882\pycountry\locales\sr@latin\LC_MESSAGES\iso3166-2.mo

Filesize
118KB

MD5
540ca9b22149c3688036b7d0e0979a02

SHA1
aa908ea7c8e8583ea7b712a90e290ad085a69fd2

SHA256
8e85ae3da5e61a4b629ae3d2ac47898c361664ca1c4c01cd0617afe07c723a4d

SHA512
dbf239521d6da964a0b5dc98f4ec8e3d6312b24d02313874f64144137901d80e3b225d332f953c8ecf518fbeefcf8ad1a5e3b7c015828894f2721b719f585e79

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yuu0oowm.1re.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bound.exe

Filesize
796KB

MD5
fa65805dc79caefec703e1339141fc65

SHA1
9f2480739aac09dcf254d87f5f63deaea8296404

SHA256
d122b76e0739d706b0c3078136fd05d55e92b09dca92864c66b428fa8c0da748

SHA512
b2fd9027cf118727dc5688912a0909403afede90a6efcb5e616dcca575753b82a85ba48f3d08b63148f5c5795d1af35f69803dde2fef358f94dd367ec55f1b63

Download Submit
memory/2092-959-0x00007FF81CDA0000-0x00007FF81CDAC000-memory.dmp

Filesize
48KB

Download
memory/2092-1031-0x00007FF81CFE0000-0x00007FF81CFF8000-memory.dmp

Filesize
96KB

Download
memory/2092-926-0x00007FF81D810000-0x00007FF81DDF8000-memory.dmp

Filesize
5.9MB

Download
memory/2092-928-0x00007FF81D6E0000-0x00007FF81D79C000-memory.dmp

Filesize
752KB

Download
memory/2092-919-0x00007FF8303E0000-0x00007FF8303ED000-memory.dmp

Filesize
52KB

Download
memory/2092-929-0x00007FF81D6B0000-0x00007FF81D6DB000-memory.dmp

Filesize
172KB

Download
memory/2092-930-0x00007FF82C0B0000-0x00007FF82C0D4000-memory.dmp

Filesize
144KB

Download
memory/2092-931-0x00007FF81D680000-0x00007FF81D6AE000-memory.dmp

Filesize
184KB

Download
memory/2092-933-0x00007FF81D240000-0x00007FF81D5B5000-memory.dmp

Filesize
3.5MB

Download
memory/2092-932-0x00007FF81D5C0000-0x00007FF81D678000-memory.dmp

Filesize
736KB

Download
memory/2092-934-0x0000019A385A0000-0x0000019A38915000-memory.dmp

Filesize
3.5MB

Download
memory/2092-936-0x00007FF81D220000-0x00007FF81D235000-memory.dmp

Filesize
84KB

Download
memory/2092-935-0x00007FF821250000-0x00007FF82127D000-memory.dmp

Filesize
180KB

Download
memory/2092-937-0x00007FF81D200000-0x00007FF81D212000-memory.dmp

Filesize
72KB

Download
memory/2092-939-0x00007FF81D0E0000-0x00007FF81D1FC000-memory.dmp

Filesize
1.1MB

Download
memory/2092-938-0x00007FF81F330000-0x00007FF81F349000-memory.dmp

Filesize
100KB

Download
memory/2092-941-0x00007FF81D030000-0x00007FF81D044000-memory.dmp

Filesize
80KB

Download
memory/2092-940-0x00007FF81D050000-0x00007FF81D0D7000-memory.dmp

Filesize
540KB

Download
memory/2092-945-0x00007FF82F8A0000-0x00007FF82F8AA000-memory.dmp

Filesize
40KB

Download
memory/2092-944-0x00007FF81D6E0000-0x00007FF81D79C000-memory.dmp

Filesize
752KB

Download
memory/2092-943-0x00007FF81D000000-0x00007FF81D026000-memory.dmp

Filesize
152KB

Download
memory/2092-942-0x00007FF82FF10000-0x00007FF82FF1B000-memory.dmp

Filesize
44KB

Download
memory/2092-947-0x00007FF81CFE0000-0x00007FF81CFF8000-memory.dmp

Filesize
96KB

Download
memory/2092-946-0x00007FF81D6B0000-0x00007FF81D6DB000-memory.dmp

Filesize
172KB

Download
memory/2092-950-0x00007FF81CE30000-0x00007FF81CFA3000-memory.dmp

Filesize
1.4MB

Download
memory/2092-949-0x00007FF81CFB0000-0x00007FF81CFD3000-memory.dmp

Filesize
140KB

Download
memory/2092-948-0x00007FF81D680000-0x00007FF81D6AE000-memory.dmp

Filesize
184KB

Download
memory/2092-951-0x00007FF81D5C0000-0x00007FF81D678000-memory.dmp

Filesize
736KB

Download
memory/2092-964-0x00007FF81D0E0000-0x00007FF81D1FC000-memory.dmp

Filesize
1.1MB

Download
memory/2092-975-0x00007FF81CCB0000-0x00007FF81CCBB000-memory.dmp

Filesize
44KB

Download
memory/2092-974-0x00007FF81CD70000-0x00007FF81CD7C000-memory.dmp

Filesize
48KB

Download
memory/2092-973-0x00007FF81CCC0000-0x00007FF81CCE9000-memory.dmp

Filesize
164KB

Download
memory/2092-977-0x00007FF81CC90000-0x00007FF81CCAC000-memory.dmp

Filesize
112KB

Download
memory/2092-976-0x00007FF81D030000-0x00007FF81D044000-memory.dmp

Filesize
80KB

Download
memory/2092-972-0x00007FF81CCF0000-0x00007FF81CCFC000-memory.dmp

Filesize
48KB

Download
memory/2092-971-0x00007FF81CD00000-0x00007FF81CD12000-memory.dmp

Filesize
72KB

Download
memory/2092-970-0x00007FF81CD20000-0x00007FF81CD2D000-memory.dmp

Filesize
52KB

Download
memory/2092-969-0x00007FF81CD30000-0x00007FF81CD3C000-memory.dmp

Filesize
48KB

Download
memory/2092-968-0x00007FF81CD40000-0x00007FF81CD4C000-memory.dmp

Filesize
48KB

Download
memory/2092-967-0x00007FF81CD50000-0x00007FF81CD5B000-memory.dmp

Filesize
44KB

Download
memory/2092-966-0x00007FF81CD60000-0x00007FF81CD6B000-memory.dmp

Filesize
44KB

Download
memory/2092-965-0x00007FF81CD80000-0x00007FF81CD8E000-memory.dmp

Filesize
56KB

Download
memory/2092-963-0x00007FF81CD90000-0x00007FF81CD9C000-memory.dmp

Filesize
48KB

Download
memory/2092-962-0x00007FF81D220000-0x00007FF81D235000-memory.dmp

Filesize
84KB

Download
memory/2092-961-0x00007FF821B30000-0x00007FF821B3B000-memory.dmp

Filesize
44KB

Download
memory/2092-978-0x00007FF81C880000-0x00007FF81CC89000-memory.dmp

Filesize
4.0MB

Download
memory/2092-960-0x00007FF82F5E0000-0x00007FF82F5EB000-memory.dmp

Filesize
44KB

Download
memory/2092-924-0x00007FF81D7A0000-0x00007FF81D7CE000-memory.dmp

Filesize
184KB

Download
memory/2092-958-0x00007FF81F320000-0x00007FF81F32B000-memory.dmp

Filesize
44KB

Download
memory/2092-957-0x00007FF821240000-0x00007FF82124C000-memory.dmp

Filesize
48KB

Download
memory/2092-956-0x00007FF82EEF0000-0x00007FF82EEFC000-memory.dmp

Filesize
48KB

Download
memory/2092-955-0x00007FF82F150000-0x00007FF82F15B000-memory.dmp

Filesize
44KB

Download
memory/2092-954-0x00007FF81CDF0000-0x00007FF81CE28000-memory.dmp

Filesize
224KB

Download
memory/2092-953-0x0000019A385A0000-0x0000019A38915000-memory.dmp

Filesize
3.5MB

Download
memory/2092-952-0x00007FF81D240000-0x00007FF81D5B5000-memory.dmp

Filesize
3.5MB

Download
memory/2092-979-0x00007FF815770000-0x00007FF817896000-memory.dmp

Filesize
33.1MB

Download
memory/2092-981-0x00007FF81C560000-0x00007FF81C577000-memory.dmp

Filesize
92KB

Download
memory/2092-980-0x00007FF81C520000-0x00007FF81C541000-memory.dmp

Filesize
132KB

Download
memory/2092-1001-0x00007FF81D0E0000-0x00007FF81D1FC000-memory.dmp

Filesize
1.1MB

Download
memory/2092-1017-0x00007FF81D7D0000-0x00007FF81D805000-memory.dmp

Filesize
212KB

Download
memory/2092-1036-0x00007FF82EEF0000-0x00007FF82EEFC000-memory.dmp

Filesize
48KB

Download
memory/2092-1042-0x00007FF81CD40000-0x00007FF81CD4C000-memory.dmp

Filesize
48KB

Download
memory/2092-1041-0x00007FF81CD50000-0x00007FF81CD5B000-memory.dmp

Filesize
44KB

Download
memory/2092-1040-0x00007FF81CD60000-0x00007FF81CD6B000-memory.dmp

Filesize
44KB

Download
memory/2092-1039-0x00007FF81CDA0000-0x00007FF81CDAC000-memory.dmp

Filesize
48KB

Download
memory/2092-1038-0x00007FF81F320000-0x00007FF81F32B000-memory.dmp

Filesize
44KB

Download
memory/2092-1037-0x00007FF821240000-0x00007FF82124C000-memory.dmp

Filesize
48KB

Download
memory/2092-1035-0x00007FF82F150000-0x00007FF82F15B000-memory.dmp

Filesize
44KB

Download
memory/2092-1034-0x00007FF81CDF0000-0x00007FF81CE28000-memory.dmp

Filesize
224KB

Download
memory/2092-1033-0x00007FF81CE30000-0x00007FF81CFA3000-memory.dmp

Filesize
1.4MB

Download
memory/2092-1032-0x00007FF81CFB0000-0x00007FF81CFD3000-memory.dmp

Filesize
140KB

Download
memory/2092-918-0x00007FF8306F0000-0x00007FF8306FD000-memory.dmp

Filesize
52KB

Download
memory/2092-1030-0x00007FF81CD80000-0x00007FF81CD8E000-memory.dmp

Filesize
56KB

Download
memory/2092-1029-0x00007FF81D000000-0x00007FF81D026000-memory.dmp

Filesize
152KB

Download
memory/2092-1028-0x00007FF82FF10000-0x00007FF82FF1B000-memory.dmp

Filesize
44KB

Download
memory/2092-1027-0x00007FF81CD70000-0x00007FF81CD7C000-memory.dmp

Filesize
48KB

Download
memory/2092-1026-0x00007FF81D030000-0x00007FF81D044000-memory.dmp

Filesize
80KB

Download
memory/2092-1025-0x00007FF82F8A0000-0x00007FF82F8AA000-memory.dmp

Filesize
40KB

Download
memory/2092-1024-0x00007FF81D200000-0x00007FF81D212000-memory.dmp

Filesize
72KB

Download
memory/2092-1023-0x00007FF81CD90000-0x00007FF81CD9C000-memory.dmp

Filesize
48KB

Download
memory/2092-1022-0x00007FF821B30000-0x00007FF821B3B000-memory.dmp

Filesize
44KB

Download
memory/2092-1021-0x00007FF82F5E0000-0x00007FF82F5EB000-memory.dmp

Filesize
44KB

Download
memory/2092-1020-0x00007FF81D5C0000-0x00007FF81D678000-memory.dmp

Filesize
736KB

Download
memory/2092-1019-0x00007FF81D680000-0x00007FF81D6AE000-memory.dmp

Filesize
184KB

Download
memory/2092-1018-0x00007FF81D6B0000-0x00007FF81D6DB000-memory.dmp

Filesize
172KB

Download
memory/2092-1016-0x00007FF8274C0000-0x00007FF8274D9000-memory.dmp

Filesize
100KB

Download
memory/2092-1015-0x00007FF821250000-0x00007FF82127D000-memory.dmp

Filesize
180KB

Download
memory/2092-1014-0x00007FF8303E0000-0x00007FF8303ED000-memory.dmp

Filesize
52KB

Download
memory/2092-1013-0x00007FF82C0B0000-0x00007FF82C0D4000-memory.dmp

Filesize
144KB

Download
memory/2092-1012-0x00007FF81F330000-0x00007FF81F349000-memory.dmp

Filesize
100KB

Download
memory/2092-1002-0x00007FF81D050000-0x00007FF81D0D7000-memory.dmp

Filesize
540KB

Download
memory/2092-998-0x00007FF81D240000-0x00007FF81D5B5000-memory.dmp

Filesize
3.5MB

Download
memory/2092-993-0x00007FF81D7A0000-0x00007FF81D7CE000-memory.dmp

Filesize
184KB

Download
memory/2092-991-0x00007FF8306F0000-0x00007FF8306FD000-memory.dmp

Filesize
52KB

Download
memory/2092-986-0x00007FF8347B0000-0x00007FF8347BF000-memory.dmp

Filesize
60KB

Download
memory/2092-984-0x00007FF81D810000-0x00007FF81DDF8000-memory.dmp

Filesize
5.9MB

Download
memory/2092-999-0x00007FF81D220000-0x00007FF81D235000-memory.dmp

Filesize
84KB

Download
memory/2092-994-0x00007FF81D6E0000-0x00007FF81D79C000-memory.dmp

Filesize
752KB

Download
memory/2092-875-0x00007FF81D810000-0x00007FF81DDF8000-memory.dmp

Filesize
5.9MB

Download
memory/2092-885-0x00007FF8347B0000-0x00007FF8347BF000-memory.dmp

Filesize
60KB

Download
memory/2092-884-0x00007FF82C0B0000-0x00007FF82C0D4000-memory.dmp

Filesize
144KB

Download
memory/2092-891-0x00007FF821250000-0x00007FF82127D000-memory.dmp

Filesize
180KB

Download
memory/2092-890-0x00007FF8274C0000-0x00007FF8274D9000-memory.dmp

Filesize
100KB

Download
memory/2092-915-0x00007FF81F330000-0x00007FF81F349000-memory.dmp

Filesize
100KB

Download
memory/2092-914-0x00007FF81D7D0000-0x00007FF81D805000-memory.dmp

Filesize
212KB

Download
memory/5244-1721-0x00000197BA410000-0x00000197BA411000-memory.dmp

Filesize
4KB

Download
memory/5244-1720-0x00000197BA410000-0x00000197BA411000-memory.dmp

Filesize
4KB

Download
memory/5244-1719-0x00000197BA410000-0x00000197BA411000-memory.dmp

Filesize
4KB

Download
memory/5244-1722-0x00000197BA410000-0x00000197BA411000-memory.dmp

Filesize
4KB

Download
memory/5244-1723-0x00000197BA410000-0x00000197BA411000-memory.dmp

Filesize
4KB

Download
memory/5244-1724-0x00000197BA410000-0x00000197BA411000-memory.dmp

Filesize
4KB

Download
memory/5244-1725-0x00000197BA410000-0x00000197BA411000-memory.dmp

Filesize
4KB

Download
memory/5244-1713-0x00000197BA410000-0x00000197BA411000-memory.dmp

Filesize
4KB

Download
memory/5244-1714-0x00000197BA410000-0x00000197BA411000-memory.dmp

Filesize
4KB

Download
memory/5244-1715-0x00000197BA410000-0x00000197BA411000-memory.dmp

Filesize
4KB

Download
memory/6644-3229-0x00007FF81CB10000-0x00007FF81CB24000-memory.dmp

Filesize
80KB

Download
memory/6644-3223-0x00007FF81D520000-0x00007FF81D895000-memory.dmp

Filesize
3.5MB

Download
memory/6644-3235-0x00007FF81BDE0000-0x00007FF81BF53000-memory.dmp

Filesize
1.4MB

Download
memory/6644-3234-0x00007FF81C940000-0x00007FF81C963000-memory.dmp

Filesize
140KB

Download
memory/6644-3233-0x00007FF81C970000-0x00007FF81C988000-memory.dmp

Filesize
96KB

Download
memory/6644-3232-0x00007FF82C0B0000-0x00007FF82C0BA000-memory.dmp

Filesize
40KB

Download
memory/6644-3231-0x00007FF81CAA0000-0x00007FF81CAC6000-memory.dmp

Filesize
152KB

Download
memory/6644-3230-0x00007FF82F8A0000-0x00007FF82F8AB000-memory.dmp

Filesize
44KB

Download
memory/6644-3212-0x00007FF8347B0000-0x00007FF8347BF000-memory.dmp

Filesize
60KB

Download
memory/6644-3228-0x00007FF81CB30000-0x00007FF81CBB7000-memory.dmp

Filesize
540KB

Download
memory/6644-3227-0x00007FF81CC10000-0x00007FF81CD2C000-memory.dmp

Filesize
1.1MB

Download
memory/6644-3226-0x00007FF81D4E0000-0x00007FF81D4F2000-memory.dmp

Filesize
72KB

Download
memory/6644-3225-0x00007FF81D500000-0x00007FF81D515000-memory.dmp

Filesize
84KB

Download
memory/6644-3211-0x00007FF81F320000-0x00007FF81F344000-memory.dmp

Filesize
144KB

Download
memory/6644-3222-0x00007FF81D8A0000-0x00007FF81D8CE000-memory.dmp

Filesize
184KB

Download
memory/6644-3221-0x00007FF81D8D0000-0x00007FF81D8FB000-memory.dmp

Filesize
172KB

Download
memory/6644-3220-0x00007FF81D900000-0x00007FF81D9BC000-memory.dmp

Filesize
752KB

Download
memory/6644-3219-0x00007FF81D9C0000-0x00007FF81D9EE000-memory.dmp

Filesize
184KB

Download
memory/6644-3218-0x00007FF8303E0000-0x00007FF8303ED000-memory.dmp

Filesize
52KB

Download
memory/6644-3217-0x00007FF8306F0000-0x00007FF8306FD000-memory.dmp

Filesize
52KB

Download
memory/6644-3216-0x00007FF8274C0000-0x00007FF8274D9000-memory.dmp

Filesize
100KB

Download
memory/6644-3215-0x00007FF81D9F0000-0x00007FF81DA25000-memory.dmp

Filesize
212KB

Download
memory/6644-3210-0x00007FF81CDF0000-0x00007FF81D3D8000-memory.dmp

Filesize
5.9MB

Download
memory/6644-3213-0x00007FF830430000-0x00007FF830449000-memory.dmp

Filesize
100KB

Download
memory/6644-3214-0x00007FF81DA30000-0x00007FF81DA5D000-memory.dmp

Filesize
180KB

Download
memory/6644-3224-0x00007FF81CD30000-0x00007FF81CDE8000-memory.dmp

Filesize
736KB

Download