hxxps://www[.]mediafire[.]com/file/lpvwoosgyfvh0w7/BootsStrapperV3[.]zip/file

Analysis

max time kernel
253s
max time network
252s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
10-08-2024 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/lpvwoosgyfvh0w7/BootsStrapperV3.zip/file

Score

9^/10

credential_access defense_evasion discovery persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Drops startup file 6 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ ‍‎ .scr	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\‍   .scr	BootsStrapperV3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\‍   .scr	BootsStrapperV3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\‍   .scr	attrib.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ ‍‎ .scr	BootsStrapperV3.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ ‍‎ .scr	BootsStrapperV3.exe

Executes dropped EXE 2 IoCs

pid	Process
5116	bound.exe
5232	bound.exe

Loads dropped DLL 64 IoCs

pid	Process
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
2944	BootsStrapperV3.exe
2944	BootsStrapperV3.exe
2944	BootsStrapperV3.exe
2944	BootsStrapperV3.exe
2944	BootsStrapperV3.exe
2944	BootsStrapperV3.exe
2944	BootsStrapperV3.exe
2944	BootsStrapperV3.exe
2944	BootsStrapperV3.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000700000001b1ed-2889.dat	upx
behavioral1/memory/3172-2893-0x00007FF808F60000-0x00007FF809625000-memory.dmp	upx
behavioral1/files/0x000700000001acc2-2895.dat	upx
behavioral1/files/0x000700000001acfa-2900.dat	upx
behavioral1/memory/3172-2903-0x00007FF821C70000-0x00007FF821C7F000-memory.dmp	upx
behavioral1/memory/3172-2902-0x00007FF81BA90000-0x00007FF81BAB5000-memory.dmp	upx
behavioral1/files/0x000700000001acc0-2905.dat	upx
behavioral1/files/0x000700000001acf9-2911.dat	upx
behavioral1/files/0x000700000001accd-2930.dat	upx
behavioral1/files/0x000700000001accb-2928.dat	upx
behavioral1/files/0x000700000001acca-2927.dat	upx
behavioral1/files/0x000700000001acc9-2926.dat	upx
behavioral1/files/0x000700000001acc8-2925.dat	upx
behavioral1/files/0x000700000001acc7-2924.dat	upx
behavioral1/files/0x000700000001acc6-2923.dat	upx
behavioral1/files/0x000700000001acc4-2922.dat	upx
behavioral1/files/0x000700000001acc3-2921.dat	upx
behavioral1/files/0x000700000001acc1-2920.dat	upx
behavioral1/files/0x000700000001acbf-2919.dat	upx
behavioral1/files/0x0006000000022537-2917.dat	upx
behavioral1/files/0x00060000000224b7-2916.dat	upx
behavioral1/files/0x000700000001b1f9-2915.dat	upx
behavioral1/files/0x000700000001b1e8-2914.dat	upx
behavioral1/files/0x000700000001acfb-2912.dat	upx
behavioral1/memory/3172-2909-0x00007FF81B970000-0x00007FF81B99D000-memory.dmp	upx
behavioral1/memory/3172-2908-0x00007FF81BA70000-0x00007FF81BA8A000-memory.dmp	upx
behavioral1/files/0x000700000001acc5-2907.dat	upx
behavioral1/memory/3172-2935-0x00007FF81B630000-0x00007FF81B666000-memory.dmp	upx
behavioral1/memory/3172-2934-0x00007FF821620000-0x00007FF82162F000-memory.dmp	upx
behavioral1/memory/3172-2939-0x00007FF81F7A0000-0x00007FF81F7AD000-memory.dmp	upx
behavioral1/memory/3172-2938-0x00007FF81B610000-0x00007FF81B629000-memory.dmp	upx
behavioral1/memory/3172-2942-0x00007FF81D130000-0x00007FF81D13D000-memory.dmp	upx
behavioral1/memory/3172-2943-0x00007FF81B5F0000-0x00007FF81B604000-memory.dmp	upx
behavioral1/memory/3172-2945-0x00007FF808F60000-0x00007FF809625000-memory.dmp	upx
behavioral1/memory/3172-2946-0x00007FF808A30000-0x00007FF808F59000-memory.dmp	upx
behavioral1/memory/3172-2948-0x00007FF81AB40000-0x00007FF81AB73000-memory.dmp	upx
behavioral1/memory/3172-2951-0x00007FF808960000-0x00007FF808A2D000-memory.dmp	upx
behavioral1/memory/3172-2950-0x00007FF81BA90000-0x00007FF81BAB5000-memory.dmp	upx
behavioral1/files/0x000600000002263f-2953.dat	upx
behavioral1/memory/3172-2956-0x00007FF818780000-0x00007FF818807000-memory.dmp	upx
behavioral1/memory/3172-2955-0x00007FF81B970000-0x00007FF81B99D000-memory.dmp	upx
behavioral1/files/0x000700000001acd4-2957.dat	upx
behavioral1/files/0x000700000001acd5-2959.dat	upx
behavioral1/memory/3172-2961-0x00007FF821620000-0x00007FF82162F000-memory.dmp	upx
behavioral1/memory/3172-2962-0x00007FF81B630000-0x00007FF81B666000-memory.dmp	upx
behavioral1/memory/3172-2964-0x00007FF81AC70000-0x00007FF81AC97000-memory.dmp	upx
behavioral1/memory/3172-2963-0x00007FF81BB80000-0x00007FF81BB8B000-memory.dmp	upx
behavioral1/memory/3172-2966-0x00007FF808660000-0x00007FF80877A000-memory.dmp	upx
behavioral1/files/0x000700000001ad1e-2969.dat	upx
behavioral1/memory/3172-2971-0x00007FF8196A0000-0x00007FF8196B8000-memory.dmp	upx
behavioral1/memory/3172-2975-0x00007FF8084E0000-0x00007FF80865F000-memory.dmp	upx
behavioral1/memory/3172-2974-0x00007FF819540000-0x00007FF819564000-memory.dmp	upx
behavioral1/memory/3172-2977-0x00007FF81B7D0000-0x00007FF81B7DB000-memory.dmp	upx
behavioral1/memory/3172-2983-0x00007FF8194F0000-0x00007FF8194FC000-memory.dmp	upx
behavioral1/memory/3172-2982-0x00007FF819530000-0x00007FF81953B000-memory.dmp	upx
behavioral1/memory/3172-2993-0x00007FF816090000-0x00007FF81609C000-memory.dmp	upx
behavioral1/memory/3172-2994-0x00007FF80CBC0000-0x00007FF80CBE9000-memory.dmp	upx
behavioral1/memory/3172-2992-0x00007FF818850000-0x00007FF818862000-memory.dmp	upx
behavioral1/memory/3172-2991-0x00007FF819360000-0x00007FF81936D000-memory.dmp	upx
behavioral1/memory/3172-2990-0x00007FF819370000-0x00007FF81937C000-memory.dmp	upx
behavioral1/memory/3172-2989-0x00007FF819380000-0x00007FF81938C000-memory.dmp	upx
behavioral1/memory/3172-2995-0x00007FF80CB90000-0x00007FF80CBBE000-memory.dmp	upx
behavioral1/memory/3172-2997-0x00007FF81AB40000-0x00007FF81AB73000-memory.dmp	upx
behavioral1/memory/3172-2996-0x00007FF8194D0000-0x00007FF8194DE000-memory.dmp	upx

Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
212	discord.com
219	discord.com
226	discord.com
227	discord.com
205	raw.githubusercontent.com
206	raw.githubusercontent.com
211	discord.com
218	discord.com
222	raw.githubusercontent.com
224	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
216	ip-api.com

Hide Artifacts: Hidden Files and Directories 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
980	cmd.exe
5160	cmd.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdge.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File created	C:\Windows\rescache\_merged\3720402701\1568373884.pri	MicrosoftEdgeCP.exe
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2856	netsh.exe
5324	netsh.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3148	WMIC.exe
5812	WMIC.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\Total	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState\EdpCleanupState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 5e812d4950ebda01	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total\ = "140"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = 49b34a4350ebda01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\mediafire.com\NumberOfSubdoma = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\NextUpdateDate = "430078230"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\EdpDomStorage\mediafire.com\Total = "0"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DomStorageState\EdpState = "0"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate\Certificates	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = c0aead9382ebda01	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{C2DE5CB4-3960-4A96-9ADB-70BB28DF7E7 = "8320"	browser_broker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\Active = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\www.mediafire.com\ = "140"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\DOMStorage\Total	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$blogger	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\Root	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DomainSuggestion\FileNames\en-US = "en-US.1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{C2DE5CB4-3960-4A96-9ADB-70BB28DF7E7 = "\\\\?\\Volume{38FC2686-0000-0000-0000-D01200000000}\\Users\\Admin\\AppData\\Local\\Packages\\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\\TempState\\Downloads\\BootsStrapperV3.zip"	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\004\Internet Settings\Cache\History\CacheLimit = "1"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage\ProcessingFlag = 503e484350ebda01	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Cookies	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionLow = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-VersionLow = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\PivotIndex	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\PersistedStorageItemTable\System\{C2DE5CB4-3960-4A96-9ADB-70BB28DF7E7 = 0114020000000000c0000000000000464c0000000114020000000000c000000000000046830000002000000064fceb5950ebda0164fceb5950ebda01a47863af50ebda01805a5f030000000001000000000000000000000000000000ab0314001f50e04fd020ea3a6910a2d808002b30309d19002f433a5c0000000000000000000000000000000000000050003100000000000000000010005573657273003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005500730065007200730000001400500031000000000000000000100041646d696e003c0009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000410064006d0069006e000000140056003100000000000000000010004170704461746100400009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000041007000700044006100740061000000160050003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014005a003100000000000000000010005061636b616765730000420009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000005000610063006b00610067006500730000001800b0003100000000000000000010004d6963726f736f66742e4d6963726f736f6674456467655f3877656b796233643862627765007c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004d006900630072006f0073006f00660074002e004d006900630072006f0073006f006600740045006400670065005f003800770065006b00790062003300640038006200620077006500000034005c0031000000000000000000100054656d70537461746500440009000400efbe00000000000000002e0000000000000000000000000000000000000000000000000000000000540065006d00700053007400610074006500000018005c00310000000000000000001000446f776e6c6f61647300440009000400efbe00000000000000002e000000000000000000000000000000000000000000000000000000000044006f0077006e006c006f006100640073000000180074003200805a5f030a5967912000424f4f5453537e312e5a49500000580009000400efbe0a5919910a5919912e000000000000000000000000000000000000000000000000005c54660042006f006f007400730053007400720061007000700065007200560033002e007a006900700000001c000000a90000001c000000010000001c0000003400000000000000a800000018000000030000009bd086bc1000000057696e646f777300433a5c55736572735c41646d696e5c417070446174615c4c6f63616c5c5061636b616765735c4d6963726f736f66742e4d6963726f736f6674456467655f3877656b7962336438626277655c54656d7053746174655c446f776e6c6f6164735c426f6f7473537472617070657256332e7a6970000010000000050000a028000000cd0000001c0000000b0000a08f856c5e220e60479afeea3317b67173cd00000060000000030000a058000000000000006b7a6f7779736e690000000000000000149e36f4af5c7e4694f2ab08c7f23add95eef56886f2ee11a993c2153342db40149e36f4af5c7e4694f2ab08c7f23add95eef56886f2ee11a993c2153342db40ce000000090000a08900000031535053e28a5846bc4c3843bbfc139326986dce6d00000004000000001f0000002e00000053002d0031002d0035002d00320031002d003800370033003500360030003600390039002d0031003000370034003800300033003300300032002d0032003300320036003000370034003400320035002d0031003000300030000000000000003900000031535053b1166d44ad8d7048a748402ea43d788c1d0000006800000000480000008626fc38000000000000d01200000000000000000000000000000000	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\HistoryJournalCertificate	MicrosoftEdgeCP.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TempState\Downloads\BootsStrapperV3.zip.tfv3478.partial:Zone.Identifier	browser_broker.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
3172	BootsStrapperV3.exe
2944	BootsStrapperV3.exe
2944	BootsStrapperV3.exe
2944	BootsStrapperV3.exe
2944	BootsStrapperV3.exe
2944	BootsStrapperV3.exe
2944	BootsStrapperV3.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
3812	MicrosoftEdgeCP.exe
3812	MicrosoftEdgeCP.exe
3812	MicrosoftEdgeCP.exe
3812	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2948	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2948	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2948	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	2948	MicrosoftEdgeCP.exe
Token: SeDebugPrivilege	32	MicrosoftEdge.exe
Token: SeDebugPrivilege	32	MicrosoftEdge.exe
Token: SeDebugPrivilege	3172	BootsStrapperV3.exe
Token: SeDebugPrivilege	5116	bound.exe
Token: SeIncreaseQuotaPrivilege	3580	WMIC.exe
Token: SeSecurityPrivilege	3580	WMIC.exe
Token: SeTakeOwnershipPrivilege	3580	WMIC.exe
Token: SeLoadDriverPrivilege	3580	WMIC.exe
Token: SeSystemProfilePrivilege	3580	WMIC.exe
Token: SeSystemtimePrivilege	3580	WMIC.exe
Token: SeProfSingleProcessPrivilege	3580	WMIC.exe
Token: SeIncBasePriorityPrivilege	3580	WMIC.exe
Token: SeCreatePagefilePrivilege	3580	WMIC.exe
Token: SeBackupPrivilege	3580	WMIC.exe
Token: SeRestorePrivilege	3580	WMIC.exe
Token: SeShutdownPrivilege	3580	WMIC.exe
Token: SeDebugPrivilege	3580	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3580	WMIC.exe
Token: SeRemoteShutdownPrivilege	3580	WMIC.exe
Token: SeUndockPrivilege	3580	WMIC.exe
Token: SeManageVolumePrivilege	3580	WMIC.exe
Token: 33	3580	WMIC.exe
Token: 34	3580	WMIC.exe
Token: 35	3580	WMIC.exe
Token: 36	3580	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3580	WMIC.exe
Token: SeSecurityPrivilege	3580	WMIC.exe
Token: SeTakeOwnershipPrivilege	3580	WMIC.exe
Token: SeLoadDriverPrivilege	3580	WMIC.exe
Token: SeSystemProfilePrivilege	3580	WMIC.exe
Token: SeSystemtimePrivilege	3580	WMIC.exe
Token: SeProfSingleProcessPrivilege	3580	WMIC.exe
Token: SeIncBasePriorityPrivilege	3580	WMIC.exe
Token: SeCreatePagefilePrivilege	3580	WMIC.exe
Token: SeBackupPrivilege	3580	WMIC.exe
Token: SeRestorePrivilege	3580	WMIC.exe
Token: SeShutdownPrivilege	3580	WMIC.exe
Token: SeDebugPrivilege	3580	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3580	WMIC.exe
Token: SeRemoteShutdownPrivilege	3580	WMIC.exe
Token: SeUndockPrivilege	3580	WMIC.exe
Token: SeManageVolumePrivilege	3580	WMIC.exe
Token: 33	3580	WMIC.exe
Token: 34	3580	WMIC.exe
Token: 35	3580	WMIC.exe
Token: 36	3580	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4000	wmic.exe
Token: SeSecurityPrivilege	4000	wmic.exe
Token: SeTakeOwnershipPrivilege	4000	wmic.exe
Token: SeLoadDriverPrivilege	4000	wmic.exe
Token: SeSystemProfilePrivilege	4000	wmic.exe
Token: SeSystemtimePrivilege	4000	wmic.exe
Token: SeProfSingleProcessPrivilege	4000	wmic.exe
Token: SeIncBasePriorityPrivilege	4000	wmic.exe
Token: SeCreatePagefilePrivilege	4000	wmic.exe
Token: SeBackupPrivilege	4000	wmic.exe
Token: SeRestorePrivilege	4000	wmic.exe
Token: SeShutdownPrivilege	4000	wmic.exe
Token: SeDebugPrivilege	4000	wmic.exe
Token: SeSystemEnvironmentPrivilege	4000	wmic.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
32	MicrosoftEdge.exe
3812	MicrosoftEdgeCP.exe
2948	MicrosoftEdgeCP.exe
3812	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3812 wrote to memory of 1056	3812	MicrosoftEdgeCP.exe	79
PID 3812 wrote to memory of 1056	3812	MicrosoftEdgeCP.exe	79
PID 3812 wrote to memory of 1056	3812	MicrosoftEdgeCP.exe	79
PID 3812 wrote to memory of 1056	3812	MicrosoftEdgeCP.exe	79
PID 3812 wrote to memory of 1056	3812	MicrosoftEdgeCP.exe	79
PID 3812 wrote to memory of 1056	3812	MicrosoftEdgeCP.exe	79
PID 3812 wrote to memory of 1056	3812	MicrosoftEdgeCP.exe	79
PID 3812 wrote to memory of 1056	3812	MicrosoftEdgeCP.exe	79
PID 3812 wrote to memory of 1056	3812	MicrosoftEdgeCP.exe	79
PID 3812 wrote to memory of 1056	3812	MicrosoftEdgeCP.exe	79
PID 3812 wrote to memory of 1056	3812	MicrosoftEdgeCP.exe	79
PID 3812 wrote to memory of 1056	3812	MicrosoftEdgeCP.exe	79
PID 3812 wrote to memory of 1056	3812	MicrosoftEdgeCP.exe	79
PID 3812 wrote to memory of 1056	3812	MicrosoftEdgeCP.exe	79
PID 3812 wrote to memory of 1056	3812	MicrosoftEdgeCP.exe	79
PID 3812 wrote to memory of 1056	3812	MicrosoftEdgeCP.exe	79
PID 3812 wrote to memory of 1056	3812	MicrosoftEdgeCP.exe	79
PID 4116 wrote to memory of 3172	4116	BootsStrapperV3.exe	85
PID 4116 wrote to memory of 3172	4116	BootsStrapperV3.exe	85
PID 3172 wrote to memory of 2836	3172	BootsStrapperV3.exe	87
PID 3172 wrote to memory of 2836	3172	BootsStrapperV3.exe	87
PID 3172 wrote to memory of 2856	3172	BootsStrapperV3.exe	89
PID 3172 wrote to memory of 2856	3172	BootsStrapperV3.exe	89
PID 3172 wrote to memory of 980	3172	BootsStrapperV3.exe	91
PID 3172 wrote to memory of 980	3172	BootsStrapperV3.exe	91
PID 2836 wrote to memory of 5116	2836	cmd.exe	93
PID 2836 wrote to memory of 5116	2836	cmd.exe	93
PID 980 wrote to memory of 2632	980	cmd.exe	95
PID 980 wrote to memory of 2632	980	cmd.exe	95
PID 3172 wrote to memory of 1436	3172	BootsStrapperV3.exe	98
PID 3172 wrote to memory of 1436	3172	BootsStrapperV3.exe	98
PID 1436 wrote to memory of 3580	1436	cmd.exe	100
PID 1436 wrote to memory of 3580	1436	cmd.exe	100
PID 3172 wrote to memory of 4000	3172	BootsStrapperV3.exe	101
PID 3172 wrote to memory of 4000	3172	BootsStrapperV3.exe	101
PID 3172 wrote to memory of 348	3172	BootsStrapperV3.exe	103
PID 3172 wrote to memory of 348	3172	BootsStrapperV3.exe	103
PID 348 wrote to memory of 3148	348	cmd.exe	105
PID 348 wrote to memory of 3148	348	cmd.exe	105
PID 3172 wrote to memory of 2496	3172	BootsStrapperV3.exe	106
PID 3172 wrote to memory of 2496	3172	BootsStrapperV3.exe	106
PID 2496 wrote to memory of 1096	2496	cmd.exe	108
PID 2496 wrote to memory of 1096	2496	cmd.exe	108
PID 3172 wrote to memory of 4088	3172	BootsStrapperV3.exe	109
PID 3172 wrote to memory of 4088	3172	BootsStrapperV3.exe	109
PID 4088 wrote to memory of 4412	4088	cmd.exe	111
PID 4088 wrote to memory of 4412	4088	cmd.exe	111
PID 3172 wrote to memory of 2668	3172	BootsStrapperV3.exe	112
PID 3172 wrote to memory of 2668	3172	BootsStrapperV3.exe	112
PID 2668 wrote to memory of 4244	2668	cmd.exe	114
PID 2668 wrote to memory of 4244	2668	cmd.exe	114
PID 3172 wrote to memory of 1676	3172	BootsStrapperV3.exe	115
PID 3172 wrote to memory of 1676	3172	BootsStrapperV3.exe	115
PID 1676 wrote to memory of 3984	1676	cmd.exe	117
PID 1676 wrote to memory of 3984	1676	cmd.exe	117
PID 5268 wrote to memory of 2944	5268	BootsStrapperV3.exe	119
PID 5268 wrote to memory of 2944	5268	BootsStrapperV3.exe	119
PID 2944 wrote to memory of 3016	2944	BootsStrapperV3.exe	120
PID 2944 wrote to memory of 3016	2944	BootsStrapperV3.exe	120
PID 2944 wrote to memory of 5160	2944	BootsStrapperV3.exe	122
PID 2944 wrote to memory of 5160	2944	BootsStrapperV3.exe	122
PID 3016 wrote to memory of 5232	3016	cmd.exe	124
PID 3016 wrote to memory of 5232	3016	cmd.exe	124
PID 2944 wrote to memory of 5324	2944	BootsStrapperV3.exe	125

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2632	attrib.exe
5388	attrib.exe

C:\Windows\system32\LaunchWinApp.exe
"C:\Windows\system32\LaunchWinApp.exe" "https://www.mediafire.com/file/lpvwoosgyfvh0w7/BootsStrapperV3.zip/file"
1⤵
PID:2428

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:32

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- NTFS ADS
PID:2872

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3812

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2948

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Drops file in Windows directory
- Modifies registry class
PID:1056

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4500

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:5020

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4324

C:\Users\Admin\AppData\Local\Temp\Temp1_BootsStrapperV3.zip\BootsStrapperV3.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_BootsStrapperV3.zip\BootsStrapperV3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4116
- C:\Users\Admin\AppData\Local\Temp\Temp1_BootsStrapperV3.zip\BootsStrapperV3.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_BootsStrapperV3.zip\BootsStrapperV3.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:5116
- - C:\Windows\system32\netsh.exe
    netsh wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\‍   .scr"
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:980
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\‍   .scr"
      4⤵
      Drops startup file
      Views/modifies file attributes
      PID:2632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1436
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3580
- - C:\Windows\System32\Wbem\wmic.exe
    wmic cpu get Name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:348
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2496
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4088
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
      4⤵
      PID:4412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path softwarelicensingservice get OA3xOriginalProductKey"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path softwarelicensingservice get OA3xOriginalProductKey
      4⤵
      PID:4244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1676
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:3984

C:\Users\Admin\AppData\Local\Temp\Temp1_BootsStrapperV3.zip\BootsStrapperV3.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_BootsStrapperV3.zip\BootsStrapperV3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5268
- C:\Users\Admin\AppData\Local\Temp\Temp1_BootsStrapperV3.zip\BootsStrapperV3.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_BootsStrapperV3.zip\BootsStrapperV3.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Users\Admin\AppData\Local\Temp\bound.exe
      bound.exe
      4⤵
      Executes dropped EXE
      PID:5232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ ‍‎ .scr"
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:5160
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ ‍‎ .scr"
      4⤵
      Drops startup file
      Views/modifies file attributes
      PID:5388
- - C:\Windows\system32\netsh.exe
    netsh wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:5324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:5612
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:5664
- - C:\Windows\System32\Wbem\wmic.exe
    wmic cpu get Name
    3⤵
    PID:5692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:5756
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:5832
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:5896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
    3⤵
    PID:5928
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
      4⤵
      PID:5976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path softwarelicensingservice get OA3xOriginalProductKey"
    3⤵
    PID:6024
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path softwarelicensingservice get OA3xOriginalProductKey
      4⤵
      PID:6032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:6088
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:6136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

Filesize
4KB

MD5
1bfe591a4fe3d91b03cdf26eaacd8f89

SHA1
719c37c320f518ac168c86723724891950911cea

SHA256
9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

SHA512
02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\L5P12AEX\edgecompatviewlist[1].xml

Filesize
74KB

MD5
d4fc49dc14f63895d997fa4940f24378

SHA1
3efb1437a7c5e46034147cbbc8db017c69d02c31

SHA256
853d2f4eb81c9fdcea2ee079f6faf98214b111b77cdf68709b38989d123890f1

SHA512
cc60d79b4afe5007634ac21dc4bc92081880be4c0d798a1735b63b27e936c02f399964f744dc73711987f01e8a1064b02a4867dd6cac27538e5fbe275cc61e0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\User\Default\DOMStore\BQ030XQS\www.mediafire[1].xml

Filesize
1KB

MD5
1eff5529faaacd85f49d4eb6aaed935b

SHA1
c8b691e8a1f2e7334052d47c2e7a017c54b4f7e1

SHA256
2b8daa20a9a6bcd0168c271b9d6c7c8c1be83a59def5e0449ad9547c7faea102

SHA512
e2894458da2fe15ee28dc06468ed032b2756ea5f5d66f0b3dc2d6a6842dc45a102a4f182c4a65b61c34bdcb3d7444ed08f43480a5a5e2f84f8cb4216d81f9852

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\E988WVBY\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\FTWLAAPN\favicon[1].ico

Filesize
10KB

MD5
a301c91c118c9e041739ad0c85dfe8c5

SHA1
039962373b35960ef2bb5fbbe3856c0859306bf7

SHA256
cdc78cc8b2994712a041a2a4cb02f488afbab00981771bdd3a8036c2dddf540f

SHA512
3a5a2801e0556c96574d8ab5782fc5eab0be2af7003162da819ac99e0737c8876c0db7b42bb7c149c4f4d9cfe61d2878ff1945017708f5f7254071f342a6880a

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\#!001\MicrosoftEdge\Cache\LJ0KVT43\BootsStrapperV3[1].zip

Filesize
32KB

MD5
4ab59854f117997b8a3a249e9bdab902

SHA1
0884505ee8d9b3b1dec49d332defcd8309c591ca

SHA256
eb41fa7adfb0d0d2f034feee7a3ce45c8eccd25fdcfd287b385ac0c513aecede

SHA512
5e49ad6a4f789c4da380d1fab4e4dcad8a13a2f5274fb23f0bd9918a42710f94547f5ca8d2453e6a57fc8a2bef6ec34a3e1e32137ee35a8c02c4a882aa20d7d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ILH6dAZvBB\Common Files\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ILH6dAZvBB\Common Files\Files.docx

Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ILH6dAZvBB\Common Files\UsePop.docx

Filesize
300KB

MD5
cca87a8b6f4fe72363ee7c7a7c616995

SHA1
bad4d7eca077bbcf7ee30e69c1ba76f330bcdea8

SHA256
5a6f1979376060b4b3bee8eb3a3954cd73784e93470c4e50057229ce00169abc

SHA512
7556a47f77d6895e777ba4219cba7e84203899ae1802e57c2eb210b4f9da685812e8001562fdd82441b5f3e0d60084c46be76a6c20265bdf7f7a2ef2fcf846c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XUHHsdt0Oy\Browser\cc's.txt

Filesize
91B

MD5
5aa796b6950a92a226cc5c98ed1c47e8

SHA1
6706a4082fc2c141272122f1ca424a446506c44d

SHA256
c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c

SHA512
976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\XUHHsdt0Oy\Browser\cookies.txt

Filesize
49B

MD5
357c18b5c470aa5214819ed2e11882f9

SHA1
262726528ac6ece5ef69b48cbf69e9d3c79bbc2d

SHA256
e04233c3a65810f382471c2c1484cc71df6f2078d56bd91f478ed99790ac11f5

SHA512
a84eaa0f8466ef145e765b3c340120a7947aad6ded63c301be5a5c4dea15f603ae0a295c8d7d9828a8f660edfa058edf96abc6950eebbbafe3af402a4b37d683

Download Submit
C:\Users\Admin\AppData\Local\Temp\XUHHsdt0Oy\Browser\history.txt

Filesize
23B

MD5
5638715e9aaa8d3f45999ec395e18e77

SHA1
4e3dc4a1123edddf06d92575a033b42a662fe4ad

SHA256
4db7f6559c454d34d9c2d557524603c3f52649c2d69b26b6e8384a3d179aeae6

SHA512
78c96efab1d941e34d3137eae32cef041e2db5b0ebbf883e6a2effa79a323f66e00cfb7c45eb3398b3cbd0469a2be513c3ff63e5622261857eefc1685f77f76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XUHHsdt0Oy\Clipboard\clipboard.txt

Filesize
18B

MD5
3f86226eca1b8b351d9c5b11dcdbcdfa

SHA1
576f70164e26ad8dbdb346cd72c26323f10059ac

SHA256
0d50f046634b25bcfc3ffb0a9feff8ab43e662c8872df933cb15b68050a5bb8c

SHA512
150d95510e0f83ef0e416e1a18663a70f85ff4d09c620fcf355b18df3e939d232054a5be5bbb1b22e050167e61c243d7e89e13c0770cfedbae49b1b8e10d8753

Download Submit
C:\Users\Admin\AppData\Local\Temp\XUHHsdt0Oy\Wifi\No Wifi Networks Found.txt

Filesize
23B

MD5
ee5aea0be15d3fbe09fde56c712d5478

SHA1
d26dcac8c96f9a2422012ef19d8539e449c13ed6

SHA256
008f085ba3eb767dfbba6996130381d46882f4f8845ac0facd32dec918b236a2

SHA512
69ab01956f085efdf79d48be9ba425b630049c997ccad3a6f9bd44fc0d2936c1a4360536e48dc3b15fd96b4aa693d86cdbdbb699ea5cd11d619cf2dabd8a3e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\_asyncio.pyd

Filesize
37KB

MD5
d9f56d51d32bcbade2d954a9427337dc

SHA1
d0e5cee77d5038193580335e3271bb5f1fb6bfc4

SHA256
1b6c23b6f235ad58e4062b1dc4ce2c36f031f1469bf9e60c11e07603ca4656e3

SHA512
fc18968a319c11b2d9f20a376b93cc74503139506b1c9f9ee3dd226edc1ba753cad85c20368e162c14d26cf2f75f70ae7e82b2b9881088235f5eaca66e8dad66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\_cffi_backend.cp312-win_amd64.pyd

Filesize
71KB

MD5
e8204fbeced1bbe02489cfee909d573e

SHA1
7625ee886d50ffa837db6e2ade9c74e86f0d4fa2

SHA256
d0aa34b160311a35ca2b888dbb9423e8990962b7c89655a5e9c1ba97324ace6b

SHA512
3638126cc76adb7c4aa23c2d62219dfe8a04cffb3dafac50adbd1f53fc603084f48b9240f10fcd92681bc7fb1f0a54159149e4c90f7ee8043a64c3a5c50bd05a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\_ctypes.pyd

Filesize
59KB

MD5
78f5225e986641eaebfe2bef27865603

SHA1
118ac80fdf764f5bfbaad2d803420087b854817d

SHA256
ae55ad9ad1f4cbc398cd0c87556f1f263505cde025c7c7f2c43ce4ae818eb183

SHA512
70e18ea660120d60d6bfa17883c2aced276aa858c5da4dca1e1d56203891d996da4f349596c911cb16497db81b42af4ad85e473c3e80f8932557d967c9dad0e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\_decimal.pyd

Filesize
107KB

MD5
c67548fec576c79aa4c7d829ebbcb8fd

SHA1
3c1dd3daf407257ded9717dadcf017fdd8a2c07c

SHA256
31c2c5200f59969c7078a5a913067dfcdf326cb0d43754e38893239774286fab

SHA512
696d76f6baf739aa2a0d1d057df6d3f8cba1008c0528c8060bb3808a775393bf5e61578154e0d1bd0f3162195b108fbe51daf005d29d368447b5c8fe844a338b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\_hashlib.pyd

Filesize
35KB

MD5
121f21e4c072b1307ec96e26dbb54f48

SHA1
fd7ffeb22377db68bd6abce8ea526afa14faad0f

SHA256
8dac9aa352bfcb960501682d412a9eeebea5d1cdde3771ba9b70a0ae2e08e883

SHA512
bec606d0b9c4cabc263a4eda3b8cd403e2486a4e3369fe99117386c4d1969248c54d762b465ab5bdf87fdcc7a08bf90aa873064c65063db8cd4dc437e7e1e6c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\_multiprocessing.pyd

Filesize
27KB

MD5
3cba83d3acab104d0237ca3fd0fda954

SHA1
6fd08494729a6f3bef6b908365268bdac1e170f1

SHA256
a50471d9a065b2e4f0fa61fb88c2dcaa04b7f104fae9ea4bc981d0f6fe39e5fc

SHA512
09105f6e6ad13d8d89ef81f9d8c6273c0c540d29227d653d3e3a86d210030b1737f3779839088bc3ea1e08aaf2de70cf55d5288f34b7441bfbd8999a33b6e2d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\_overlapped.pyd

Filesize
33KB

MD5
ab8d1617e9c0c43c1683a567498c1441

SHA1
69ee6500c1bb30b437693283075165dec0861433

SHA256
7779b8fc61da810db720956b3d49c0d1c8cd4e05cc662f767fc8f0088cf923d4

SHA512
f1f79c4499b135c56eef659b82fc46e3869519c1adf0704c0e5fab34f593c741549c236c0c62610f4c9ee2ea10e9acbccb39474a518b66f41c84b3466c133b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\_queue.pyd

Filesize
26KB

MD5
52e8135f08c61f94b536d1a1c787bf23

SHA1
6ea0d2bd42d3293273b27ea5fb64abef3361ba3f

SHA256
fdcd6416bcbaddc8d0e3b029d2c5f621956066cb95c5fa06c948e7eec25152b8

SHA512
06e75181a0831d1493ecc28a02f2f52fd30c1b53a4053e94a974b577ace6cdc912f1cb7223059cdacecf5fabfff1f2fff2955b1ba8f54ce5b15b7a6eec77c452

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\_socket.pyd

Filesize
44KB

MD5
886d68f020a8a2232fbcb8ab431ff9f8

SHA1
65db84d574e9e38281475cb6d86acb94c74ce5b9

SHA256
199c490b67f4364a78c6ba7df595e13e483e110345d067bf57b3826d3bf06715

SHA512
bb33bb67ee0204817282373f72a2666aa32e8e47a717e443247bd493853f804949bb59ae3b4a213fcad306d1ced123cd1377e05df3e353400120928597ed34da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\_sqlite3.pyd

Filesize
57KB

MD5
4381c00145ed565ed992f415aa4e33da

SHA1
378be370c2290e9d6a9dee406f989c211cf0efe2

SHA256
d81d61074ed8a476af01a46eefb32a908eb8ab34f7cf7d4f53dcfd8274a163be

SHA512
57b527e0a2f55c45e1aaee147adb67933b6f6acd5f8eebe6efe97fc5f8c23f20a1303972b45076565d0bff880b751fc039a85673ee88a77a17f969e17ec0a3a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\_ssl.pyd

Filesize
66KB

MD5
e5353f0aa2c35efd5b4a1a0805a6978c

SHA1
d92f1066fe79dc1a1afe7ca3c0b9e803aced7e9f

SHA256
908a3938b962132f3f4429badad0e26a8b138de192a060ca1c1067e2b2ce128a

SHA512
11c632e69c982a77053fefb22e764dfdb30f6d10abe6c88e2512aa7daf26a0ef59dcc109d262cdb58875f2fba46312027b6e180dc7f0fa24ddc02b78a55c0c28

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\_uuid.pyd

Filesize
25KB

MD5
8f5402bb6aac9c4ff9b4ce5ac3f0f147

SHA1
87207e916d0b01047b311d78649763d6e001c773

SHA256
793e44c75e7d746af2bb5176e46c454225f07cb27b1747f1b83d1748d81ad9ac

SHA512
65fdef32aeba850aa818a8c8bf794100725a9831b5242350e6c04d0bca075762e1b650f19c437a17b150e9fca6ad344ec4141a041fa12b5a91652361053c7e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\_wmi.pyd

Filesize
28KB

MD5
9ba21832765a278dfc220426e9c6a2e3

SHA1
b82716b165f3094b70e41a01b4785ca1b1e2c2de

SHA256
aa23361fc26c1b91fcc458156eeca0ee869c6f9eca30182ceb2b83c810cfaab4

SHA512
a9232b7593c29543091c0f7d1043cc1b39ff0b7c324362fe860d3ee0674ca069c93a85d0a8c2bb6133904318f67e448c1fd99e491f0ddda57d8d9f984ed106a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\base_library.zip

Filesize
1.3MB

MD5
763d1a751c5d47212fbf0caea63f46f5

SHA1
845eaa1046a47b5cf376b3dbefcf7497af25f180

SHA256
378a4b40f4fa4a8229c93e0afee819085251af03402ccefa3b469651e50e60b7

SHA512
bb356dd610e6035f4002671440ce96624addf9a89fd952a6419647a528a551a6ccd0eca0ee2eeb080d9aad683b5afc9415c721fa62c3bcddcb7f1923f59d9c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\bound.luna

Filesize
275KB

MD5
4384e40fcaacbeb151e9fc270f7f0096

SHA1
c9eb5ec2a406cb7a8d0c32cb21d899a0111a5e0a

SHA256
a98de2772dbfa09161a6c6aafcea77b6a587a4a339754d9d0176a2d8f8fea6ee

SHA512
27b98b4e7d5fa646bee2eb7b8dc95c05e80f7c9b9c1a5c4513b36267f27a4ef4753a5ff5af11bfeeb3e3e7943cc11cb490e1974dc391f94e0eba1b8e7074e6c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\certifi\cacert.pem

Filesize
284KB

MD5
181ac9a809b1a8f1bc39c1c5c777cf2a

SHA1
9341e715cea2e6207329e7034365749fca1f37dc

SHA256
488ba960602bf07cc63f4ef7aec108692fec41820fc3328a8e3f3de038149aee

SHA512
e19a92b94aedcf1282b3ef561bd471ea19ed361334092c55d72425f9183ebd1d30a619e493841b6f75c629f26f28dc682960977941b486c59475f21cf86fff85

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\charset_normalizer\md.cp312-win_amd64.pyd

Filesize
9KB

MD5
e4fad9ff1b85862a6afaca2495d9f019

SHA1
0e47d7c5d4de3a1d7e3bb31bd47ea22cc4ddeac4

SHA256
e5d362766e9806e7e64709de7e0cff40e03123d821c3f30cac5bac1360e08c18

SHA512
706fb033fc2079b0aabe969bc51ccb6ffaaf1863daf0e4a83d6f13adc0fedab61cee2b63efb40f033aea22bf96886834d36f50af36e6e25b455e941c1676a30a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\charset_normalizer\md__mypyc.cp312-win_amd64.pyd

Filesize
39KB

MD5
5c643741418d74c743ca128ff3f50646

SHA1
0b499a3228865a985d86c1199d14614096efd8a0

SHA256
2d86563fdfdc39894a53a293810744915192f3b3f40a47526551e66cdb9cb35c

SHA512
45d02b854557d8f9c25ca8136fa6d3daed24275cc77b1c98038752daed4318bd081c889ff1f4fa8a28e734c9167f477350a8fa863f61729c30c76e7a91d61a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\libcrypto-3.dll

Filesize
1.6MB

MD5
63eb76eccfe70cff3a3935c0f7e8ba0f

SHA1
a8dd05dce28b79047e18633aee5f7e68b2f89a36

SHA256
785c8dde9803f8e1b279895c4e598a57dc7b01e0b1a914764fcedef0d7928b4e

SHA512
8da31fa77ead8711c0c6ffedcef6314f29d02a95411c6aacec626e150f329a5b96e9fdeae8d1a5e24d1ca5384ae2f0939a5cc0d58eb8bdbc5f00e62736dcc322

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\libffi-8.dll

Filesize
29KB

MD5
be8ceb4f7cb0782322f0eb52bc217797

SHA1
280a7cc8d297697f7f818e4274a7edd3b53f1e4d

SHA256
7d08df2c496c32281bf9a010b62e8898b9743db8b95a7ebee12d746c2e95d676

SHA512
07318c71c3137114e0cfec7d8b4815fd6efa51ce70b377121f26dc469cefe041d5098e1c92af8ed0c53b21e9c845fddee4d6646d5bd8395a3f1370ba56a59571

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\libssl-3.dll

Filesize
222KB

MD5
7e87c34b39f3a8c332df6e15fd83160b

SHA1
db712b55f23d8e946c2d91cbbeb7c9a78a92b484

SHA256
41448b8365b3a75cf33894844496eb03f84e5422b72b90bdcb9866051939c601

SHA512
eceda8b66736edf7f8e7e6d5a17e280342e989c5195525c697cc02dda80fd82d62c7fd4dc6c4825425bae69a820e1262b8d8cc00dbcd73868a26e16c14ac5559

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\luna.aes

Filesize
74KB

MD5
0393174b26b45088b73a059784094c9c

SHA1
619ca731fdd53dfe0eb39c770bf590a9848ae740

SHA256
b3171d6d78d9901226310bbc75cf6993f2b8dd5c0b0cf3a139cce226e2dceadc

SHA512
8fb7cfb6dae74e221c3748e3d693bec07ea8d22d366cf551c6f63dbe996c87479b5ecdf9bed8539581a4bff252bd88a922851814f20f2437196b4733bd008212

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\psutil\_psutil_windows.pyd

Filesize
31KB

MD5
3adca2ff39adeb3567b73a4ca6d0253c

SHA1
ae35dde2348c8490f484d1afd0648380090e74fc

SHA256
92202b877579b74a87be769d58f9d1e8aced8a97336ad70e97d09685a10afeb3

SHA512
358d109b23cf99eb7396c450660f193e9e16f85f13737ecf29f4369b44f8356041a08443d157b325ccb5125a5f10410659761eda55f24fcc03a082ac8acdd345

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\pyexpat.pyd

Filesize
88KB

MD5
cfcb1a1159cc2aadba3c62ac44dc2363

SHA1
e19df1a6c3dfa545c6b2c20355b24584933d7f9f

SHA256
279aac95d765000d7b3b09b75e66a311a03833a0e28361683cf41161f37e3331

SHA512
f7f42bc3eb6a2db706f784e2b772c3ce5d0f87b4b3ff6bda6d2f934aecce0174d52623aad0a082dd1efc0f70c990a07fa9768ac96d42ddb52ea5be594198b447

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\python3.DLL

Filesize
66KB

MD5
8dbe9bbf7118f4862e02cd2aaf43f1ab

SHA1
935bc8c5cea4502d0facf0c49c5f2b9c138608ed

SHA256
29f173e0147390a99f541ba0c0231fdd7dfbca84d0e2e561ef352bf1ec72f5db

SHA512
938f8387dcc356012ac4a952d371664700b110f7111fcc24f5df7d79791ae95bad0dbaf77d2d6c86c820bfd48a6bdbe8858b7e7ae1a77df88e596556c7135ed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\python312.dll

Filesize
1.7MB

MD5
ca67f0baf3cc3b7dbb545cda57ba3d81

SHA1
5b4e36aef877307af8a8f78f3054d068d1a9ce89

SHA256
f804ed205e82003da6021ee6d2270733ca00992816e7e89ba13617c96dd0fba3

SHA512
a9f07dd02714c3efba436326425d443969018ace7ebd7cc33c39d43e3d45480a4fcd4c46c09ad132b4f273888f13e9f598de257130429fcb2519c000e4fab6f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\select.pyd

Filesize
25KB

MD5
6c123b56f3a37c129eff6fc816868b25

SHA1
ac6b6e3bdc53870ba044a38b9ae9a067b70e7641

SHA256
99687f9b1648ac684dfb7937c75e3e50dc16704abd4c4c19601c40ec6971c5ee

SHA512
b840871278a6cc32d5ab0cc6d9c129da0ba2d08b93c3c6c000e3989fe1ab8b09ed82ca547a1057690f52f22e44b203f424e2ccd9655be82a1094547a94ddc3c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\setuptools\_vendor\backports.tarfile-1.2.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\setuptools\_vendor\jaraco.text-3.12.1.dist-info\LICENSE

Filesize
1023B

MD5
141643e11c48898150daa83802dbc65f

SHA1
0445ed0f69910eeaee036f09a39a13c6e1f37e12

SHA256
86da0f01aeae46348a3c3d465195dc1ceccde79f79e87769a64b8da04b2a4741

SHA512
ef62311602b466397baf0b23caca66114f8838f9e78e1b067787ceb709d09e0530e85a47bbcd4c5a0905b74fdb30df0cc640910c6cc2e67886e5b18794a3583f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\setuptools\_vendor\jaraco.text-3.12.1.dist-info\WHEEL

Filesize
92B

MD5
43136dde7dd276932f6197bb6d676ef4

SHA1
6b13c105452c519ea0b65ac1a975bd5e19c50122

SHA256
189eedfe4581172c1b6a02b97a8f48a14c0b5baa3239e4ca990fbd8871553714

SHA512
e7712ba7d36deb083ebcc3b641ad3e7d19fb071ee64ae3a35ad6a50ee882b20cd2e60ca1319199df12584fe311a6266ec74f96a3fb67e59f90c7b5909668aee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\setuptools\_vendor\jaraco\text\Lorem ipsum.txt

Filesize
1KB

MD5
4ce7501f6608f6ce4011d627979e1ae4

SHA1
78363672264d9cd3f72d5c1d3665e1657b1a5071

SHA256
37fedcffbf73c4eb9f058f47677cb33203a436ff9390e4d38a8e01c9dad28e0b

SHA512
a4cdf92725e1d740758da4dd28df5d1131f70cef46946b173fe6956cc0341f019d7c4fecc3c9605f354e1308858721dada825b4c19f59c5ad1ce01ab84c46b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\sqlite3.dll

Filesize
644KB

MD5
132614956f138f3594d1053e3fac4779

SHA1
95115f866a87db308ff00af0273e04e31a3fdaae

SHA256
2a4ae8ca681fa6f8de3b6dbcc3d32652ea3ab3ee7e2be80b7aff822a382ca8ff

SHA512
5b12b51c78bd72f410e2f53c086322557591d9d66b6d473264fa731763ec2317470009c13cbb9d0985c9006c7f62c4eed14c263295bd7ef11db0bc492c2ca5a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\unicodedata.pyd

Filesize
296KB

MD5
3d5cb46d212da9843d199f6989b37cd5

SHA1
ce5e427d49ea1adba9c941140f3502c969b6819e

SHA256
50a55bc145b1f43e5125ef0b09e508946221d02d5fea1b7550a43d8c8c41c970

SHA512
c52014c96578db4c7f97878a13ca8c2a4574cc6671689bb554382ad0e593eb87fac55961c7c11ef82b04627fb851ac44848bac9ec91fca0afaa965e4f1f24aa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41162\zstandard\backend_c.cp312-win_amd64.pyd

Filesize
167KB

MD5
2f12da584a362bad45c6b9b3ddd2445c

SHA1
86adc05435a9a7dc0b0c676456b15f64d7df6f44

SHA256
da95d86762fb4ea6a479990e1b91591ccad7d0f88072a7805052cd71168db115

SHA512
6113292936ea39c45764c240e04a92479403ef6c64aa959922e94f990f8d405299793acbdeb8a4c924d81857e12b3d83e7c8c93c261e8101f4eee44ab77dc92e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52682\setuptools\_vendor\importlib_resources-6.4.0.dist-info\LICENSE

Filesize
11KB

MD5
3b83ef96387f14655fc854ddc3c6bd57

SHA1
2b8b815229aa8a61e483fb4ba0588b8b6c491890

SHA256
cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30

SHA512
98f6b79b778f7b0a15415bd750c3a8a097d650511cb4ec8115188e115c47053fe700f578895c097051c9bc3dfb6197c2b13a15de203273e1a3218884f86e90e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52682\setuptools\_vendor\jaraco.functools-4.0.1.dist-info\top_level.txt

Filesize
7B

MD5
0ba8d736b7b4ab182687318b0497e61e

SHA1
311ba5ffd098689179f299ef20768ee1a29f586d

SHA256
d099cddcb7d71f82c845f5cbf9014e18227341664edc42f1e11d5dfe5a2ea103

SHA512
7cccbb4afa2fade40d529482301beae152e0c71ee3cc41736eb19e35cfc5ee3b91ef958cf5ca6b7330333b8494feb6682fd833d5aa16bf4a8f1f721fd859832c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI52682\setuptools\_vendor\packaging-24.1.dist-info\WHEEL

Filesize
81B

MD5
24019423ea7c0c2df41c8272a3791e7b

SHA1
aae9ecfb44813b68ca525ba7fa0d988615399c86

SHA256
1196c6921ec87b83e865f450f08d19b8ff5592537f4ef719e83484e546abe33e

SHA512
09ab8e4daa9193cfdee6cf98ccae9db0601f3dcd4944d07bf3ae6fa5bcb9dc0dcafd369de9a650a38d1b46c758db0721eba884446a8a5ad82bb745fd5db5f9b1

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI41162\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI41162\_bz2.pyd

Filesize
48KB

MD5
9da23eb807a43a954d40048b53a98e6f

SHA1
e639bd9a27409fc72f36b4ec3383eeecdacb9dc5

SHA256
02d0d3c0163f69a7e6713742ab98e73321c5298976089fe9a03b6d91d3293ebb

SHA512
c8d164c8d4722dcd04f13aa11307fddd655e73fd03b15c8056b34252bce925ca679b48032313b8587369500d03574213da20e513c3b4c155099a84de9ac0bba8

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI41162\_lzma.pyd

Filesize
86KB

MD5
24a598b2caa17caee2e24d2bb97b445d

SHA1
262f07406e170284fea0c1e41093bfe1c4a25eab

SHA256
af4ae25b17c7cf23d06e1f37fdefe903a840073266d4314e410a4acec2af6270

SHA512
7bdf0a599c488436c118523a67ab154a37ffc5aab0ecec95c463bd068d1121b197c0ebb91dc7db3cf2a3db913abaffd0a60aedb373c0e670c63cd8d85f716f3a

Download Submit
memory/32-35-0x000002A659DE0000-0x000002A659DE2000-memory.dmp

Filesize
8KB

Download
memory/32-1-0x000002A65C930000-0x000002A65C940000-memory.dmp

Filesize
64KB

Download
memory/32-133-0x000002A662F30000-0x000002A662F31000-memory.dmp

Filesize
4KB

Download
memory/32-134-0x000002A662F50000-0x000002A662F51000-memory.dmp

Filesize
4KB

Download
memory/32-16-0x000002A65CA20000-0x000002A65CA30000-memory.dmp

Filesize
64KB

Download
memory/1056-177-0x00000242BA300000-0x00000242BA302000-memory.dmp

Filesize
8KB

Download
memory/1056-64-0x00000242B8300000-0x00000242B8302000-memory.dmp

Filesize
8KB

Download
memory/1056-179-0x00000242BA320000-0x00000242BA322000-memory.dmp

Filesize
8KB

Download
memory/1056-169-0x00000242B97C0000-0x00000242B97C2000-memory.dmp

Filesize
8KB

Download
memory/1056-186-0x00000242BA370000-0x00000242BA372000-memory.dmp

Filesize
8KB

Download
memory/1056-181-0x00000242BA340000-0x00000242BA342000-memory.dmp

Filesize
8KB

Download
memory/1056-184-0x00000242BA350000-0x00000242BA352000-memory.dmp

Filesize
8KB

Download
memory/1056-171-0x00000242B97E0000-0x00000242B97E2000-memory.dmp

Filesize
8KB

Download
memory/1056-242-0x00000242BAAE0000-0x00000242BAB00000-memory.dmp

Filesize
128KB

Download
memory/1056-362-0x00000242BC8D0000-0x00000242BC8F0000-memory.dmp

Filesize
128KB

Download
memory/1056-437-0x00000242BDD10000-0x00000242BDD12000-memory.dmp

Filesize
8KB

Download
memory/1056-455-0x00000242B8220000-0x00000242B8230000-memory.dmp

Filesize
64KB

Download
memory/1056-456-0x00000242B8220000-0x00000242B8230000-memory.dmp

Filesize
64KB

Download
memory/1056-175-0x00000242BA1E0000-0x00000242BA1E2000-memory.dmp

Filesize
8KB

Download
memory/1056-59-0x00000242B8210000-0x00000242B8212000-memory.dmp

Filesize
8KB

Download
memory/1056-173-0x00000242B97F0000-0x00000242B97F2000-memory.dmp

Filesize
8KB

Download
memory/1056-458-0x00000242B8220000-0x00000242B8230000-memory.dmp

Filesize
64KB

Download
memory/1056-457-0x00000242B8220000-0x00000242B8230000-memory.dmp

Filesize
64KB

Download
memory/1056-459-0x00000242B8220000-0x00000242B8230000-memory.dmp

Filesize
64KB

Download
memory/1056-461-0x00000242B8220000-0x00000242B8230000-memory.dmp

Filesize
64KB

Download
memory/1056-62-0x00000242B8240000-0x00000242B8242000-memory.dmp

Filesize
8KB

Download
memory/1056-104-0x00000242B9060000-0x00000242B9080000-memory.dmp

Filesize
128KB

Download
memory/1056-465-0x00000242B8220000-0x00000242B8230000-memory.dmp

Filesize
64KB

Download
memory/1056-460-0x00000242B8220000-0x00000242B8230000-memory.dmp

Filesize
64KB

Download
memory/1056-464-0x00000242B8220000-0x00000242B8230000-memory.dmp

Filesize
64KB

Download
memory/1056-463-0x00000242B8220000-0x00000242B8230000-memory.dmp

Filesize
64KB

Download
memory/1056-469-0x00000242BE340000-0x00000242BE440000-memory.dmp

Filesize
1024KB

Download
memory/1056-166-0x00000242A7E40000-0x00000242A7F40000-memory.dmp

Filesize
1024KB

Download
memory/2948-45-0x0000028358800000-0x0000028358900000-memory.dmp

Filesize
1024KB

Download
memory/3172-2992-0x00007FF818850000-0x00007FF818862000-memory.dmp

Filesize
72KB

Download
memory/3172-3008-0x00007FF80AD30000-0x00007FF80AD48000-memory.dmp

Filesize
96KB

Download
memory/3172-2955-0x00007FF81B970000-0x00007FF81B99D000-memory.dmp

Filesize
180KB

Download
memory/3172-2950-0x00007FF81BA90000-0x00007FF81BAB5000-memory.dmp

Filesize
148KB

Download
memory/3172-2951-0x00007FF808960000-0x00007FF808A2D000-memory.dmp

Filesize
820KB

Download
memory/3172-2961-0x00007FF821620000-0x00007FF82162F000-memory.dmp

Filesize
60KB

Download
memory/3172-2962-0x00007FF81B630000-0x00007FF81B666000-memory.dmp

Filesize
216KB

Download
memory/3172-2964-0x00007FF81AC70000-0x00007FF81AC97000-memory.dmp

Filesize
156KB

Download
memory/3172-2963-0x00007FF81BB80000-0x00007FF81BB8B000-memory.dmp

Filesize
44KB

Download
memory/3172-2966-0x00007FF808660000-0x00007FF80877A000-memory.dmp

Filesize
1.1MB

Download
memory/3172-2948-0x00007FF81AB40000-0x00007FF81AB73000-memory.dmp

Filesize
204KB

Download
memory/3172-2946-0x00007FF808A30000-0x00007FF808F59000-memory.dmp

Filesize
5.2MB

Download
memory/3172-2971-0x00007FF8196A0000-0x00007FF8196B8000-memory.dmp

Filesize
96KB

Download
memory/3172-2975-0x00007FF8084E0000-0x00007FF80865F000-memory.dmp

Filesize
1.5MB

Download
memory/3172-2974-0x00007FF819540000-0x00007FF819564000-memory.dmp

Filesize
144KB

Download
memory/3172-2977-0x00007FF81B7D0000-0x00007FF81B7DB000-memory.dmp

Filesize
44KB

Download
memory/3172-2983-0x00007FF8194F0000-0x00007FF8194FC000-memory.dmp

Filesize
48KB

Download
memory/3172-2982-0x00007FF819530000-0x00007FF81953B000-memory.dmp

Filesize
44KB

Download
memory/3172-2993-0x00007FF816090000-0x00007FF81609C000-memory.dmp

Filesize
48KB

Download
memory/3172-2994-0x00007FF80CBC0000-0x00007FF80CBE9000-memory.dmp

Filesize
164KB

Download
memory/3172-2945-0x00007FF808F60000-0x00007FF809625000-memory.dmp

Filesize
6.8MB

Download
memory/3172-2991-0x00007FF819360000-0x00007FF81936D000-memory.dmp

Filesize
52KB

Download
memory/3172-2990-0x00007FF819370000-0x00007FF81937C000-memory.dmp

Filesize
48KB

Download
memory/3172-2989-0x00007FF819380000-0x00007FF81938C000-memory.dmp

Filesize
48KB

Download
memory/3172-2995-0x00007FF80CB90000-0x00007FF80CBBE000-memory.dmp

Filesize
184KB

Download
memory/3172-2997-0x00007FF81AB40000-0x00007FF81AB73000-memory.dmp

Filesize
204KB

Download
memory/3172-2996-0x00007FF8194D0000-0x00007FF8194DE000-memory.dmp

Filesize
56KB

Download
memory/3172-2988-0x00007FF819390000-0x00007FF81939B000-memory.dmp

Filesize
44KB

Download
memory/3172-3001-0x00007FF80CB70000-0x00007FF80CB8C000-memory.dmp

Filesize
112KB

Download
memory/3172-3000-0x00007FF818780000-0x00007FF818807000-memory.dmp

Filesize
540KB

Download
memory/3172-2999-0x00007FF816080000-0x00007FF81608B000-memory.dmp

Filesize
44KB

Download
memory/3172-2998-0x00007FF808960000-0x00007FF808A2D000-memory.dmp

Filesize
820KB

Download
memory/3172-2987-0x00007FF8194B0000-0x00007FF8194BB000-memory.dmp

Filesize
44KB

Download
memory/3172-2986-0x00007FF8194C0000-0x00007FF8194CC000-memory.dmp

Filesize
48KB

Download
memory/3172-2985-0x00007FF8194E0000-0x00007FF8194EC000-memory.dmp

Filesize
48KB

Download
memory/3172-2984-0x00007FF808A30000-0x00007FF808F59000-memory.dmp

Filesize
5.2MB

Download
memory/3172-2981-0x00007FF81A110000-0x00007FF81A11C000-memory.dmp

Filesize
48KB

Download
memory/3172-2980-0x00007FF81ABE0000-0x00007FF81ABEB000-memory.dmp

Filesize
44KB

Download
memory/3172-2979-0x00007FF81B590000-0x00007FF81B59C000-memory.dmp

Filesize
48KB

Download
memory/3172-2978-0x00007FF81B5C0000-0x00007FF81B5CB000-memory.dmp

Filesize
44KB

Download
memory/3172-2976-0x00007FF81B5F0000-0x00007FF81B604000-memory.dmp

Filesize
80KB

Download
memory/3172-3003-0x00007FF8080D0000-0x00007FF8084DC000-memory.dmp

Filesize
4.0MB

Download
memory/3172-3002-0x00007FF81AC70000-0x00007FF81AC97000-memory.dmp

Filesize
156KB

Download
memory/3172-3004-0x00007FF805FA0000-0x00007FF8080C6000-memory.dmp

Filesize
33.1MB

Download
memory/3172-3011-0x00007FF8084E0000-0x00007FF80865F000-memory.dmp

Filesize
1.5MB

Download
memory/3172-3010-0x00007FF819540000-0x00007FF819564000-memory.dmp

Filesize
144KB

Download
memory/3172-3009-0x00007FF80AD00000-0x00007FF80AD21000-memory.dmp

Filesize
132KB

Download
memory/3172-2956-0x00007FF818780000-0x00007FF818807000-memory.dmp

Filesize
540KB

Download
memory/3172-3007-0x00007FF8196A0000-0x00007FF8196B8000-memory.dmp

Filesize
96KB

Download
memory/3172-2893-0x00007FF808F60000-0x00007FF809625000-memory.dmp

Filesize
6.8MB

Download
memory/3172-2943-0x00007FF81B5F0000-0x00007FF81B604000-memory.dmp

Filesize
80KB

Download
memory/3172-2942-0x00007FF81D130000-0x00007FF81D13D000-memory.dmp

Filesize
52KB

Download
memory/3172-2938-0x00007FF81B610000-0x00007FF81B629000-memory.dmp

Filesize
100KB

Download
memory/3172-3130-0x00007FF81F7A0000-0x00007FF81F7AD000-memory.dmp

Filesize
52KB

Download
memory/3172-3140-0x00007FF821C70000-0x00007FF821C7F000-memory.dmp

Filesize
60KB

Download
memory/3172-3139-0x00007FF81D130000-0x00007FF81D13D000-memory.dmp

Filesize
52KB

Download
memory/3172-3138-0x00007FF81B630000-0x00007FF81B666000-memory.dmp

Filesize
216KB

Download
memory/3172-3137-0x00007FF81B610000-0x00007FF81B629000-memory.dmp

Filesize
100KB

Download
memory/3172-3136-0x00007FF8194D0000-0x00007FF8194DE000-memory.dmp

Filesize
56KB

Download
memory/3172-3135-0x00007FF821620000-0x00007FF82162F000-memory.dmp

Filesize
60KB

Download
memory/3172-3134-0x00007FF81B970000-0x00007FF81B99D000-memory.dmp

Filesize
180KB

Download
memory/3172-3133-0x00007FF81BA70000-0x00007FF81BA8A000-memory.dmp

Filesize
104KB

Download
memory/3172-3132-0x00007FF81B5F0000-0x00007FF81B604000-memory.dmp

Filesize
80KB

Download
memory/3172-3131-0x00007FF81BA90000-0x00007FF81BAB5000-memory.dmp

Filesize
148KB

Download
memory/3172-3143-0x00007FF80CB70000-0x00007FF80CB8C000-memory.dmp

Filesize
112KB

Download
memory/3172-3164-0x00007FF819360000-0x00007FF81936D000-memory.dmp

Filesize
52KB

Download
memory/3172-3163-0x00007FF819370000-0x00007FF81937C000-memory.dmp

Filesize
48KB

Download
memory/3172-3162-0x00007FF819380000-0x00007FF81938C000-memory.dmp

Filesize
48KB

Download
memory/3172-3161-0x00007FF819390000-0x00007FF81939B000-memory.dmp

Filesize
44KB

Download
memory/3172-3160-0x00007FF8194B0000-0x00007FF8194BB000-memory.dmp

Filesize
44KB

Download
memory/3172-3159-0x00007FF8194C0000-0x00007FF8194CC000-memory.dmp

Filesize
48KB

Download
memory/3172-3158-0x00007FF819530000-0x00007FF81953B000-memory.dmp

Filesize
44KB

Download
memory/3172-3157-0x00007FF8194F0000-0x00007FF8194FC000-memory.dmp

Filesize
48KB

Download
memory/3172-3156-0x00007FF8194E0000-0x00007FF8194EC000-memory.dmp

Filesize
48KB

Download
memory/3172-3155-0x00007FF81A110000-0x00007FF81A11C000-memory.dmp

Filesize
48KB

Download
memory/3172-3154-0x00007FF81ABE0000-0x00007FF81ABEB000-memory.dmp

Filesize
44KB

Download
memory/3172-3153-0x00007FF81B590000-0x00007FF81B59C000-memory.dmp

Filesize
48KB

Download
memory/3172-3152-0x00007FF81B5C0000-0x00007FF81B5CB000-memory.dmp

Filesize
44KB

Download
memory/3172-3151-0x00007FF81B7D0000-0x00007FF81B7DB000-memory.dmp

Filesize
44KB

Download
memory/3172-3150-0x00007FF818780000-0x00007FF818807000-memory.dmp

Filesize
540KB

Download
memory/3172-3149-0x00007FF819540000-0x00007FF819564000-memory.dmp

Filesize
144KB

Download
memory/3172-3148-0x00007FF80AD00000-0x00007FF80AD21000-memory.dmp

Filesize
132KB

Download
memory/3172-3147-0x00007FF808660000-0x00007FF80877A000-memory.dmp

Filesize
1.1MB

Download
memory/3172-3146-0x00007FF81AC70000-0x00007FF81AC97000-memory.dmp

Filesize
156KB

Download
memory/3172-3145-0x00007FF81BB80000-0x00007FF81BB8B000-memory.dmp

Filesize
44KB

Download
memory/3172-3144-0x00007FF816080000-0x00007FF81608B000-memory.dmp

Filesize
44KB

Download
memory/3172-3142-0x00007FF81AB40000-0x00007FF81AB73000-memory.dmp

Filesize
204KB

Download
memory/3172-3141-0x00007FF808F60000-0x00007FF809625000-memory.dmp

Filesize
6.8MB

Download
memory/3172-2939-0x00007FF81F7A0000-0x00007FF81F7AD000-memory.dmp

Filesize
52KB

Download
memory/3172-2934-0x00007FF821620000-0x00007FF82162F000-memory.dmp

Filesize
60KB

Download
memory/3172-2935-0x00007FF81B630000-0x00007FF81B666000-memory.dmp

Filesize
216KB

Download
memory/3172-2908-0x00007FF81BA70000-0x00007FF81BA8A000-memory.dmp

Filesize
104KB

Download
memory/3172-2909-0x00007FF81B970000-0x00007FF81B99D000-memory.dmp

Filesize
180KB

Download
memory/3172-2902-0x00007FF81BA90000-0x00007FF81BAB5000-memory.dmp

Filesize
148KB

Download
memory/3172-2903-0x00007FF821C70000-0x00007FF821C7F000-memory.dmp

Filesize
60KB

Download
memory/5116-3032-0x00000286928D0000-0x000002869299E000-memory.dmp

Filesize
824KB

Download