hxxps://cdn[.]discordapp[.]com/attachments/1040687764573798402/1279923326101360670/W3jVp4f_1[.]zip?ex=66d634fc&is=66d4e37c&hm=a4457af32875de845d86967c20884eeaffa9f69b7d817a35ebfa5575571d573c&

Resubmissions

01/09/2024, 23:31

240901-3h2zgswbjh 9

01/09/2024, 21:59

240901-1v1wvasglj 3

Analysis

max time kernel
1496s
max time network
1446s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
01/09/2024, 23:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1040687764573798402/1279923326101360670/W3jVp4f_1.zip?ex=66d634fc&is=66d4e37c&hm=a4457af32875de845d86967c20884eeaffa9f69b7d817a35ebfa5575571d573c&

Score

9^/10

discovery evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	silly.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	silly.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	silly.exe

Executes dropped EXE 1 IoCs

pid	Process
5040	loader.exe

Loads dropped DLL 64 IoCs

pid	Process
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe
2084	silly.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
4	discord.com
33	raw.githubusercontent.com
51	discord.com
38	raw.githubusercontent.com
39	raw.githubusercontent.com
3	raw.githubusercontent.com
34	raw.githubusercontent.com
36	raw.githubusercontent.com
37	raw.githubusercontent.com
3	discord.com
50	discord.com
35	raw.githubusercontent.com
41	discord.com

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org
14	ipinfo.io
32	ipinfo.io
40	api.ipify.org

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Winword.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Winword.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Winword.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Winword.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings	silly.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3007475212-2160282277-2943627620-1000\{E3268999-206B-4384-8EDC-C24C252FBDD5}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\W3jVp4f (1).zip:Zone.Identifier	msedge.exe

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
2104	Winword.exe
2104	Winword.exe
1804	Winword.exe
1804	Winword.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2872	msedge.exe
2872	msedge.exe
1684	msedge.exe
1684	msedge.exe
980	msedge.exe
980	msedge.exe
488	msedge.exe
488	msedge.exe
1176	identity_helper.exe
1176	identity_helper.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
4756	msedge.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe
5040	loader.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1264	OpenWith.exe
5000	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5040	loader.exe
Token: SeDebugPrivilege	2084	silly.exe
Token: SeIncreaseQuotaPrivilege	3628	wmic.exe
Token: SeSecurityPrivilege	3628	wmic.exe
Token: SeTakeOwnershipPrivilege	3628	wmic.exe
Token: SeLoadDriverPrivilege	3628	wmic.exe
Token: SeSystemProfilePrivilege	3628	wmic.exe
Token: SeSystemtimePrivilege	3628	wmic.exe
Token: SeProfSingleProcessPrivilege	3628	wmic.exe
Token: SeIncBasePriorityPrivilege	3628	wmic.exe
Token: SeCreatePagefilePrivilege	3628	wmic.exe
Token: SeBackupPrivilege	3628	wmic.exe
Token: SeRestorePrivilege	3628	wmic.exe
Token: SeShutdownPrivilege	3628	wmic.exe
Token: SeDebugPrivilege	3628	wmic.exe
Token: SeSystemEnvironmentPrivilege	3628	wmic.exe
Token: SeRemoteShutdownPrivilege	3628	wmic.exe
Token: SeUndockPrivilege	3628	wmic.exe
Token: SeManageVolumePrivilege	3628	wmic.exe
Token: 33	3628	wmic.exe
Token: 34	3628	wmic.exe
Token: 35	3628	wmic.exe
Token: 36	3628	wmic.exe
Token: SeIncreaseQuotaPrivilege	3628	wmic.exe
Token: SeSecurityPrivilege	3628	wmic.exe
Token: SeTakeOwnershipPrivilege	3628	wmic.exe
Token: SeLoadDriverPrivilege	3628	wmic.exe
Token: SeSystemProfilePrivilege	3628	wmic.exe
Token: SeSystemtimePrivilege	3628	wmic.exe
Token: SeProfSingleProcessPrivilege	3628	wmic.exe
Token: SeIncBasePriorityPrivilege	3628	wmic.exe
Token: SeCreatePagefilePrivilege	3628	wmic.exe
Token: SeBackupPrivilege	3628	wmic.exe
Token: SeRestorePrivilege	3628	wmic.exe
Token: SeShutdownPrivilege	3628	wmic.exe
Token: SeDebugPrivilege	3628	wmic.exe
Token: SeSystemEnvironmentPrivilege	3628	wmic.exe
Token: SeRemoteShutdownPrivilege	3628	wmic.exe
Token: SeUndockPrivilege	3628	wmic.exe
Token: SeManageVolumePrivilege	3628	wmic.exe
Token: 33	3628	wmic.exe
Token: 34	3628	wmic.exe
Token: 35	3628	wmic.exe
Token: 36	3628	wmic.exe
Token: SeIncreaseQuotaPrivilege	4960	WMIC.exe
Token: SeSecurityPrivilege	4960	WMIC.exe
Token: SeTakeOwnershipPrivilege	4960	WMIC.exe
Token: SeLoadDriverPrivilege	4960	WMIC.exe
Token: SeSystemProfilePrivilege	4960	WMIC.exe
Token: SeSystemtimePrivilege	4960	WMIC.exe
Token: SeProfSingleProcessPrivilege	4960	WMIC.exe
Token: SeIncBasePriorityPrivilege	4960	WMIC.exe
Token: SeCreatePagefilePrivilege	4960	WMIC.exe
Token: SeBackupPrivilege	4960	WMIC.exe
Token: SeRestorePrivilege	4960	WMIC.exe
Token: SeShutdownPrivilege	4960	WMIC.exe
Token: SeDebugPrivilege	4960	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4960	WMIC.exe
Token: SeRemoteShutdownPrivilege	4960	WMIC.exe
Token: SeUndockPrivilege	4960	WMIC.exe
Token: SeManageVolumePrivilege	4960	WMIC.exe
Token: 33	4960	WMIC.exe
Token: 34	4960	WMIC.exe
Token: 35	4960	WMIC.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe

Suspicious use of SetWindowsHookEx 35 IoCs

pid	Process
3032	MiniSearchHost.exe
1264	OpenWith.exe
1264	OpenWith.exe
1264	OpenWith.exe
1264	OpenWith.exe
1264	OpenWith.exe
1264	OpenWith.exe
1264	OpenWith.exe
1264	OpenWith.exe
1264	OpenWith.exe
1264	OpenWith.exe
1264	OpenWith.exe
2104	Winword.exe
2104	Winword.exe
2104	Winword.exe
2104	Winword.exe
2104	Winword.exe
2104	Winword.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
5000	OpenWith.exe
1804	Winword.exe
1804	Winword.exe
1804	Winword.exe
1804	Winword.exe
1804	Winword.exe
1804	Winword.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 2716	1684	msedge.exe	80
PID 1684 wrote to memory of 2716	1684	msedge.exe	80
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 4804	1684	msedge.exe	81
PID 1684 wrote to memory of 2872	1684	msedge.exe	82
PID 1684 wrote to memory of 2872	1684	msedge.exe	82
PID 1684 wrote to memory of 4808	1684	msedge.exe	83
PID 1684 wrote to memory of 4808	1684	msedge.exe	83
PID 1684 wrote to memory of 4808	1684	msedge.exe	83
PID 1684 wrote to memory of 4808	1684	msedge.exe	83
PID 1684 wrote to memory of 4808	1684	msedge.exe	83
PID 1684 wrote to memory of 4808	1684	msedge.exe	83
PID 1684 wrote to memory of 4808	1684	msedge.exe	83
PID 1684 wrote to memory of 4808	1684	msedge.exe	83
PID 1684 wrote to memory of 4808	1684	msedge.exe	83
PID 1684 wrote to memory of 4808	1684	msedge.exe	83
PID 1684 wrote to memory of 4808	1684	msedge.exe	83
PID 1684 wrote to memory of 4808	1684	msedge.exe	83
PID 1684 wrote to memory of 4808	1684	msedge.exe	83
PID 1684 wrote to memory of 4808	1684	msedge.exe	83
PID 1684 wrote to memory of 4808	1684	msedge.exe	83
PID 1684 wrote to memory of 4808	1684	msedge.exe	83
PID 1684 wrote to memory of 4808	1684	msedge.exe	83
PID 1684 wrote to memory of 4808	1684	msedge.exe	83
PID 1684 wrote to memory of 4808	1684	msedge.exe	83
PID 1684 wrote to memory of 4808	1684	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1040687764573798402/1279923326101360670/W3jVp4f_1.zip?ex=66d634fc&is=66d4e37c&hm=a4457af32875de845d86967c20884eeaffa9f69b7d817a35ebfa5575571d573c&
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe9b9b3cb8,0x7ffe9b9b3cc8,0x7ffe9b9b3cd8
  2⤵
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,5997701498444950271,14016872802165508274,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,5997701498444950271,14016872802165508274,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,5997701498444950271,14016872802165508274,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8
  2⤵
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,5997701498444950271,14016872802165508274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:1356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,5997701498444950271,14016872802165508274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,5997701498444950271,14016872802165508274,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4716 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,5997701498444950271,14016872802165508274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1908,5997701498444950271,14016872802165508274,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5524 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:488
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,5997701498444950271,14016872802165508274,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6124 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,5997701498444950271,14016872802165508274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
  2⤵
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,5997701498444950271,14016872802165508274,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
  2⤵
  PID:1616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,5997701498444950271,14016872802165508274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,5997701498444950271,14016872802165508274,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
  2⤵
  PID:2788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,5997701498444950271,14016872802165508274,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4792 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,5997701498444950271,14016872802165508274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1052 /prefetch:1
  2⤵
  PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,5997701498444950271,14016872802165508274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:3192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,5997701498444950271,14016872802165508274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,5997701498444950271,14016872802165508274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
  2⤵
  PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1908,5997701498444950271,14016872802165508274,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6236 /prefetch:8
  2⤵
  PID:1984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1908,5997701498444950271,14016872802165508274,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6208 /prefetch:8
  2⤵
  - Modifies registry class
  PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,5997701498444950271,14016872802165508274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3088 /prefetch:1
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,5997701498444950271,14016872802165508274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6376 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,5997701498444950271,14016872802165508274,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6388 /prefetch:1
  2⤵
  PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,5997701498444950271,14016872802165508274,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,5997701498444950271,14016872802165508274,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6968 /prefetch:1
  2⤵
  PID:1548

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2268

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5036

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3032

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1264
- C:\Program Files\Microsoft Office\root\Office16\Winword.exe
  "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\AppData\Local\Temp\Temp1_W3jVp4f (1).zip\hahahaha\crack.dll"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2104

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5000
- C:\Program Files\Microsoft Office\root\Office16\Winword.exe
  "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\Downloads\W3jVp4f (1)\hahahaha\crack.dll"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:1804

C:\Users\Admin\Downloads\W3jVp4f (1)\hahahaha\loader.exe
"C:\Users\Admin\Downloads\W3jVp4f (1)\hahahaha\loader.exe"
1⤵
PID:1308
- C:\Users\Admin\AppData\Local\Temp\onefile_1308_133697073304932217\loader.exe
  "C:\Users\Admin\Downloads\W3jVp4f (1)\hahahaha\loader.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start silly.exe"
    3⤵
    PID:4708
  - - C:\Users\Admin\Downloads\W3jVp4f (1)\hahahaha\silly.exe
      silly.exe
      4⤵
      PID:4092
    - - C:\Users\Admin\Downloads\W3jVp4f (1)\hahahaha\silly.exe
        
        silly.exe
        5⤵
        Identifies VirtualBox via ACPI registry values (likely anti-VM)
        Checks BIOS information in registry
        Loads dropped DLL
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:468
      - C:\Windows\System32\Wbem\wmic.exe
        
        wmic csproduct get uuid
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3628
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        6⤵
        
        PID:2116
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c title Silly Boost : Await authentication
        6⤵
        
        PID:4120
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c
        6⤵
        
        PID:1680
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c
        6⤵
        
        PID:2020
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c title Silly Boost : Awaiting login
        6⤵
        
        PID:4132
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic useraccount where name='%username%' get sid"
        6⤵
        
        PID:4380
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic useraccount where name='Admin' get sid
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4960
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c title Silly Boost : Awaiting input!
        6⤵
        
        PID:4032
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        6⤵
        
        PID:2044
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        6⤵
        
        PID:4784
      - C:\Windows\system32\NOTEPAD.EXE
        
        "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\W3jVp4f (1)\hahahaha\storage\1m_tokens.txt
        6⤵
        
        PID:1440

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004D8
1⤵
PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
eeb3eb976c1a3a2dd98a29142222fb0f

SHA1
d8ed745b3bfada8aa4fe35eb6dcc640dbb6e23d8

SHA256
6e61390e5815a3b06414dd8799ea6a0c6c92402d986cd7e96e060c5dddac67a5

SHA512
cabb27f2f447c53da2b2cba518a25459982fd082d0685e0296d99eb4411025288a0d4c7c2bda9a106cdde21e203f2761dd87cf86c30beaa1db1f02aacec58e74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
8c27dabcc537b3630d537c4608d1925d

SHA1
ca92de0ef63482890e4d1c2257e8a0659c0253f8

SHA256
dbce6d2961973fe3b160ed585e568bee0af4af20faea66b7e13652a9059ad34c

SHA512
d4508592f926db14ffd2e4138b0860f6752298909e03a05c047c1947f08ebe792fe01df375ecc49d20f679af48c8890f46fe1702ae5c0ae73ae83c79271c01b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b4ae6009e2df12ce252d03722e8f4288

SHA1
44de96f65d69cbae416767040f887f68f8035928

SHA256
7778069a1493fdb62e6326ba673f03d9a8f46bc0eea949aabbbbc00dcdaddf9d

SHA512
bb810721e52c77793993470692bb2aab0466f13ed4576e4f4cfa6bc5fcfc59c13552299feb6dfd9642ea07b19a5513d90d0698d09ca1d15e0598133929c05fe1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4bf4b59c3deb1688a480f8e56aab059d

SHA1
612c83e7027b3bfb0e9d2c9efad43c5318e731bb

SHA256
867ab488aa793057395e9c10f237603cfb180689298871cdf0511132f9628c82

SHA512
2ec6c89f9653f810e9f80f532abaff2a3c0276f6d299dce1b1eadf6a59e8072ed601a4f9835db25d4d2610482a00dd5a0852d0ef828678f5c5ed33fe64dddca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
cf9c8846485c5996c3ebe639cb272e1d

SHA1
e700678abb13c5035f93eaffaa02aaa17ca28eb1

SHA256
af505a4d917bd837f6baf2556953714a369e974c5a743e7e948e78d70d426106

SHA512
34a0849aec7fb41b08c0d710fd4a427d4aa2377365dfcbdb5a19fcd2968b9b11e61ea85da464f9809846e9424db65bf7a1a07b1c5e22b6a97fbf57db8aa683a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
094ab275342c45551894b7940ae9ad0d

SHA1
2e7ce26fe2eb9be641ae929d0c9cc0dfa26c018e

SHA256
ef1739b833a1048ee1bd55dcbac5b1397396faca1ad771f4d6c2fe58899495a3

SHA512
19d0c688dc1121569247111e45de732b2ab86c71aecdde34b157cfd1b25c53473ed3ade49a97f8cb2ddc4711be78fa26c9330887094e031e9a71bb5c29080b0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
186B

MD5
859cf9cd77c9a6bd5b0af56f08fb5128

SHA1
d62387a78e8a1643ba3117187479da14bce1b65c

SHA256
d16c0bd72e9deb73d2e3a40eb21ac668477363c33e58765884b1663324a4eb05

SHA512
e60f5d7000507794a20316c7110fbee3f1d9b02efdba877bec150d5d63939eff3aa9fbba758709a8094c65a083b158840563a8e8399b64e16a077d12a1cb8fed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
21ad9f6b7f29a8b9e69cd4368538b5c0

SHA1
3a25494668be5f177dbdfc71666c2702985c526e

SHA256
4c4c1c2a836503f0e0041bafd6edf4a8967169bfd6fa213abfdf7b8348b15a39

SHA512
86e74d5576743b1007266897f4e5d352900f6a47f6a556cd651a4a1ead42a6273f7f93ef46f87a240a20723432c92aa409860faef94bc09f5a4ef49daeb5fc81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
86f8806232ea3f39832d846de96b6826

SHA1
1655aacca2ee64413b850dbb41fbe4b11aa6c7b8

SHA256
2b42e03e3b246a354474d497664bf5f68f27db9635f128809299034bbf2bba2d

SHA512
ee3df9b9347ca6b0064cb2f8712c72b197b2ecadf3e5d213c6b0fd4c8da110e3f1134af2d58f382d73a3f3def5851d1c034b9b11cf954c845b6f3a17b2fe9081

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c20b404aa2e27bc624eb68ae4a254560

SHA1
193571f503223ef1a339fdf6abb7536418239d9c

SHA256
3dd411e1eb805be03b26bb48b13a732a8c3f879caad8c08e4b8965d57dd15861

SHA512
9e95fb561b74b6e5417290a4ca9115b28e479f7a2345a150ec5b57240f0c52c293cfb227cec199f548ae60ed6b4c5cab6da13f049b1097fdfebbf18907b6a913

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
55345384605a6781edf5a0a29ace2698

SHA1
1ed3255ec90ff84f04b326791171e63d4d7deac2

SHA256
33e15d9257c4bbbb1e529f518d4ee17991c83081d995b3b98a9d2a6bfb3335c4

SHA512
9eb17b752bbd5176da9f339787052d75762e36043600367cb26997e2a1149517fe9bd9e1d26c49106775875e3f94596565d25a476e0498b6ee30c03c0278eeee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
0cef565ae39dd86d259671dc6bac2c23

SHA1
1bec7da0e8f27a156490a901957f4eaadac368a4

SHA256
f312c0ceccafcd2ffc86103fec36175226733f6c3a1f8289a3eccedad5f7ecb9

SHA512
bfe17e682ea4878795bfc1989e49c58f44a47b50bef6142fac03dc056bf744efdcc306bfbeb93b812573255493cd2db0a61849f5f8d44abf1a45a717b86b7ad9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7d41e067267f569fa3b7c3339b970c3c

SHA1
6c38399042d8f9ae2331a1bfdd50e194c2fb7eef

SHA256
89326a4e3ad00319dfd2381b0218fe891125595c66c9998cbd3f058a6734895a

SHA512
41469b6297f5ba55a57c007ce8aaeb5a1971b03857c4171a64198bfa23f5ed11976c0b88f51f8acbb31d6fb383e0696d7630fdb5e74c8663560523a505936e82

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
16fad5e1f46267b3774138434526468c

SHA1
6ebda5765211414e37a07db80d86e382f73014d3

SHA256
ed0f4c627209a0805bca943bdbf4b13fc6d4ae442f6bd496ff8cca53f30c53ff

SHA512
cafeb1503ca1f2c5d1942f42c861882b38d4b9fdf7a20d3ba02c3ae9041df1418257623edf93da9de6cfffc5dc512eac9b017019ee9e6a9fa24325ab9f615c9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
24f0ec3674bb0f26758c73ac4b6f09e5

SHA1
444a0f5791a00a785e757c4875b6f5e5595324b8

SHA256
4f5129ed97de2a2d34be9d9336c384ac47aad908689d6e847a57c27ebe54ca96

SHA512
e462e19f9e0efabded1237e59f16bdea5894b911a9ccdb50279a1b545b91ca9cf8fc967a59bc8d086c923043537d46dbbc8912d8d3da961286c1bb89e3c4be01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\3C36BDED-FD25-4F9F-A99A-E9E289CEAD6A

Filesize
170KB

MD5
ed7d663da7a105c43eb37efe25ad2ea4

SHA1
4e3d3556a7645c192faf1cce4c09129d98aa68ce

SHA256
d7825340877b39803211d40c422c772d7091d180f1391f9cd22d69756e7358ae

SHA512
1b9dee5597092b548ebbdec97bbb3c56a7af8a2f88b5bf0aff5985c2d86ab366450634c97fb94c877472c349962c7ac986695ceec3925b3ad8090cc5c94693e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db

Filesize
24KB

MD5
8665de22b67e46648a5a147c1ed296ca

SHA1
b289a96fee9fa77dd8e045ae8fd161debd376f48

SHA256
b5cbae5c48721295a51896f05abd4c9566be7941cda7b8c2aecb762e6e94425f

SHA512
bb03ea9347d302abf3b6fece055cdae0ad2d7c074e8517f230a90233f628e5803928b9ba7ba79c343e58dacb3e7a6fc16b94690a5ab0c71303959654a18bb5da

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
c3e08121cabb9380e3d50cadde97d53a

SHA1
0e666954e83e97e3883e52092fe2be88a520e8f8

SHA256
76e1d3ab7320c4b863adb091b5b77205d81e13eafb539a18ebe3d8ea46b29433

SHA512
9a6ef7710781d2f3a1f873129b21990548c1b275720080d87fe4051b464b0aef4ad8625656c388a65163563c6fb2086c29c01ba5f518c5b9679e7227fcc7941f

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
d9c90cc81a3965139958ce95221b3e3f

SHA1
e1053a91bd6481e12b86b6a79aae7193e44875b4

SHA256
f99e8c101bde6270bec53e6c18f76fb0f7973acf74f15fac1462b85f2872b1ac

SHA512
a3d4907bcba240286c401ad824fba47f7d1029ddc0ccc776a52049fc2668a7503adf115fe013c1d536d7acb733610b68432a4ccf5069df06f5b7551605128e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

Filesize
76KB

MD5
8140bdc5803a4893509f0e39b67158ce

SHA1
653cc1c82ba6240b0186623724aec3287e9bc232

SHA256
39715ef8d043354f0ab15f62878530a38518fb6192bc48da6a098498e8d35769

SHA512
d0878fee92e555b15e9f01ce39cfdc3d6122b41ce00ec3a4a7f0f661619f83ec520dca41e35a1e15650fb34ad238974fe8019577c42ca460dde76e3891b0e826

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd

Filesize
28KB

MD5
97ee623f1217a7b4b7de5769b7b665d6

SHA1
95b918f3f4c057fb9c878c8cc5e502c0bd9e54c0

SHA256
0046eb32f873cde62cf29af02687b1dd43154e9fd10e0aa3d8353d3debb38790

SHA512
20edc7eae5c0709af5c792f04a8a633d416da5a38fc69bd0409afe40b7fb1afa526de6fe25d8543ece9ea44fd6baa04a9d316ac71212ae9638bdef768e661e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40922\VCRUNTIME140.dll

Filesize
94KB

MD5
a87575e7cf8967e481241f13940ee4f7

SHA1
879098b8a353a39e16c79e6479195d43ce98629e

SHA256
ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e

SHA512
e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40922\_bz2.pyd

Filesize
78KB

MD5
e877e39cc3c42ed1f5461e2d5e62fc0f

SHA1
156f62a163aca4c5c5f6e8f846a1edd9b073ed7e

SHA256
4b1d29f19adaf856727fa4a1f50eee0a86c893038dfba2e52f26c11ab5b3672f

SHA512
d6579d07ede093676cdca0fb15aa2de9fcd10ff4675919ab689d961de113f6543edbceecf29430da3f7121549f5450f4fe43d67b9eab117e2a7d403f88501d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40922\_ctypes.pyd

Filesize
116KB

MD5
c8f57695af24a4f71dafa887ce731ebc

SHA1
cc393263bafce2a37500e071acb44f78e3729939

SHA256
e3b69285f27a8ad97555bebea29628a93333de203ee2fae95b73b6b6d6c162b1

SHA512
44a1fb805d9ef1a2d39b8c7d80f3545e527ab3b6bfc7abd2f4b610f17c3e6af2ae1fed3688a7cc93da06938ae94e5e865b75937352d12f6b3c45e2d24b6ab731

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40922\_lzma.pyd

Filesize
149KB

MD5
80da699f55ca8ed4df2d154f17a08583

SHA1
fbd6c7f3c72a6ba4185394209e80373177c2f8d7

SHA256
2e3fd65c4e02c99a61344ce59e09ec7fde74c671db5f82a891732e1140910f20

SHA512
15ea7cd4075940096a4ab66778a0320964562aa4ae2f6e1acbe173cd5da8855977c66f019fd343cfe8dacc3e410edf933bce117a4e9b542182bad3023805fd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40922\_socket.pyd

Filesize
72KB

MD5
7f25ab4019e6c759fc77383f523ef9af

SHA1
5e6748ce7f6753195117fdc2820996b49fd8d3af

SHA256
d0497b79345b2c255f6274baea6ac44b74f345e111ab25bf6c91af9b2a3f3b95

SHA512
a179b22c61f661e4d9b17f56b6a7f66f2d8d8e1d2a9a8aca3c4d6a9cb7755ce6d223bfbca817c1098692a39b6fc20ffbdacefd9bfb47ff02ffa47badca437514

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40922\base_library.zip

Filesize
1.0MB

MD5
24115039775b4d406e1662552a435f5d

SHA1
8181d4365805aa3d9429765ab136b459ed0e8006

SHA256
1b8adf22b668bb63307c7fd7031c69b7453eba709c89f8f36d9acb686c0a0791

SHA512
d84f340d54f446c31eae28468be220da6dbd9ae8e9c56dbae7fb6dedf5a49c1dc459e88927339d7deb522aa4d2c11924ae718ab04b243a9f88e986ad2c2e1e0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40922\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40922\python3.DLL

Filesize
60KB

MD5
64a9384c6b329fb089e4d1657a06b175

SHA1
ba0e6fcc3b1406356a40b9d8577b2e7ce69c4aea

SHA256
ec655cc34819d6a9677c0541fd7e7b2b8a92804e8bf73aee692a9c44d1a24b5d

SHA512
9593d38abfd46bb94409838dd9cbe603fbe154fa0043959512afc264dceec50d846eefa409bcf9936ee1a7c7313604a578b4051eb6fd6918f2beb0da6c8ee532

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40922\python310.dll

Filesize
4.3MB

MD5
316ce972b0104d68847ab38aba3de06a

SHA1
ca1e227fd7f1cfb1382102320dadef683213024b

SHA256
34f0e44a0d089587e1ea48c1cc4c3164a1819c6db27a7c1b746af46d6388c26e

SHA512
a11da6590a71d977c62b1c26c275763413f6a455e6d85fa052654d05d845dbbe8122bbd8e0a23887f9873d4291382ebbd5df19674ad2dda1cf0ff3206054939b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40922\select.pyd

Filesize
24KB

MD5
589f030c0baa8c47f7f8082a92b834f5

SHA1
6c0f575c0556b41e35e7272f0f858dcf90c192a7

SHA256
b9ef1709ed4cd0fd72e4c4ba9b7702cb79d1619c11554ea06277f3dac21bd010

SHA512
6761c0e191795f504fc2d63fd866654869d8819c101de51df78ff071a8985541eec9a9659626dfcb31024d25fd47eff42caa2ae85cc0deb8a11113675fac8500

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1308_133697073304932217\_ctypes.pyd

Filesize
120KB

MD5
6a9ca97c039d9bbb7abf40b53c851198

SHA1
01bcbd134a76ccd4f3badb5f4056abedcff60734

SHA256
e662d2b35bb48c5f3432bde79c0d20313238af800968ba0faa6ea7e7e5ef4535

SHA512
dedf7f98afc0a94a248f12e4c4ca01b412da45b926da3f9c4cbc1d2cbb98c8899f43f5884b1bf1f0b941edaeef65612ea17438e67745962ff13761300910960d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1308_133697073304932217\libffi-8.dll

Filesize
34KB

MD5
32d36d2b0719db2b739af803c5e1c2f5

SHA1
023c4f1159a2a05420f68daf939b9ac2b04ab082

SHA256
128a583e821e52b595eb4b3dda17697d3ca456ee72945f7ecce48ededad0e93c

SHA512
a0a68cfc2f96cb1afd29db185c940e9838b6d097d2591b0a2e66830dd500e8b9538d170125a00ee8c22b8251181b73518b73de94beeedd421d3e888564a111c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1308_133697073304932217\loader.exe

Filesize
8.5MB

MD5
33310de4294631a069a6f4cdb587f4a3

SHA1
347a15cdd13c901b409d6434d24b0e7a0418917c

SHA256
77c0c00ed2f751f8759b1a8572b2081ce33d7b3c9c80228fc85d7408430594f5

SHA512
e496ef281a3ae113af0432e5141421ae472900cd7684e39f18706dd0ffa3170294fcb25d9f3134fab335836f217dac0f032132f266392097437bc6d885c06d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1308_133697073304932217\psutil\_psutil_windows.pyd

Filesize
76KB

MD5
ebefbc98d468560b222f2d2d30ebb95c

SHA1
ee267e3a6e5bed1a15055451efcccac327d2bc43

SHA256
67c17558b635d6027ddbb781ea4e79fc0618bbec7485bd6d84b0ebcd9ef6a478

SHA512
ab9f949adfe9475b0ba8c37fa14b0705923f79c8a10b81446abc448ad38d5d55516f729b570d641926610c99df834223567c1efde166e6a0f805c9e2a35556e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1308_133697073304932217\python3.dll

Filesize
64KB

MD5
34e49bb1dfddf6037f0001d9aefe7d61

SHA1
a25a39dca11cdc195c9ecd49e95657a3e4fe3215

SHA256
4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281

SHA512
edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1308_133697073304932217\python311.dll

Filesize
5.5MB

MD5
9a24c8c35e4ac4b1597124c1dcbebe0f

SHA1
f59782a4923a30118b97e01a7f8db69b92d8382a

SHA256
a0cf640e756875c25c12b4a38ba5f2772e8e512036e2ac59eb8567bf05ffbfb7

SHA512
9d9336bf1f0d3bc9ce4a636a5f4e52c5f9487f51f00614fc4a34854a315ce7ea8be328153812dbd67c45c75001818fa63317eba15a6c9a024fa9f2cab163165b

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1308_133697073304932217\vcruntime140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\Downloads\W3jVp4f (1).zip

Filesize
33.2MB

MD5
b08cbf6d33edbf33332cab6be9d7c0c5

SHA1
40abed6552222ccbdfadee863658065c06c74f69

SHA256
eaae1663388399c184ae8a9696d190436937e01a5bacdb86c9659c84e6bab4d9

SHA512
1273323f88e107827557e0e49ebf527d5530f90f777d65b1975852c52195915244fa7b86883471d772abdb2073af7cd1846f43b62fe891005f29e1f4d4f8a557

Download Submit
C:\Users\Admin\Downloads\W3jVp4f (1).zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\W3jVp4f (1)\hahahaha\crack.dll

Filesize
4.9MB

MD5
d8131fd472e3f921dca592b6c0872c26

SHA1
3be46fc189d169673e3f8779128b42f17be131d3

SHA256
e923fb5d56d8f8f7bb2f0b11be779ca5d87164c536d9f8c0c24a89b52a372c06

SHA512
9fa8978e2f6549b56cc077e8d857cbc5e106cb9da0cef976326110ce0f6dee11ca0fe72751e63d862e42cad80508a0747377e08b72cc4faaa9f614381ebdf6a9

Download Submit
memory/1804-220-0x00007FFE684C0000-0x00007FFE684D0000-memory.dmp

Filesize
64KB

Download
memory/1804-219-0x00007FFE684C0000-0x00007FFE684D0000-memory.dmp

Filesize
64KB

Download
memory/2084-463-0x0000000070C90000-0x0000000071663000-memory.dmp

Filesize
9.8MB

Download
memory/2084-466-0x0000000070C90000-0x0000000071663000-memory.dmp

Filesize
9.8MB

Download
memory/2084-525-0x00007FFE859B0000-0x00007FFE86857000-memory.dmp

Filesize
14.7MB

Download
memory/2084-460-0x0000000070C90000-0x0000000071663000-memory.dmp

Filesize
9.8MB

Download
memory/2084-465-0x0000000070C90000-0x0000000071663000-memory.dmp

Filesize
9.8MB

Download
memory/2084-462-0x0000000070C90000-0x0000000071663000-memory.dmp

Filesize
9.8MB

Download
memory/2084-464-0x0000000070C90000-0x0000000071663000-memory.dmp

Filesize
9.8MB

Download
memory/2084-461-0x0000000070C90000-0x0000000071663000-memory.dmp

Filesize
9.8MB

Download
memory/2104-180-0x00007FFE684C0000-0x00007FFE684D0000-memory.dmp

Filesize
64KB

Download
memory/2104-177-0x00007FFE6A7D0000-0x00007FFE6A7E0000-memory.dmp

Filesize
64KB

Download
memory/2104-179-0x00007FFE684C0000-0x00007FFE684D0000-memory.dmp

Filesize
64KB

Download
memory/2104-209-0x00007FFE6A7D0000-0x00007FFE6A7E0000-memory.dmp

Filesize
64KB

Download
memory/2104-175-0x00007FFE6A7D0000-0x00007FFE6A7E0000-memory.dmp

Filesize
64KB

Download
memory/2104-176-0x00007FFE6A7D0000-0x00007FFE6A7E0000-memory.dmp

Filesize
64KB

Download
memory/2104-178-0x00007FFE6A7D0000-0x00007FFE6A7E0000-memory.dmp

Filesize
64KB

Download
memory/2104-174-0x00007FFE6A7D0000-0x00007FFE6A7E0000-memory.dmp

Filesize
64KB

Download
memory/2104-210-0x00007FFE6A7D0000-0x00007FFE6A7E0000-memory.dmp

Filesize
64KB

Download
memory/2104-211-0x00007FFE6A7D0000-0x00007FFE6A7E0000-memory.dmp

Filesize
64KB

Download
memory/2104-208-0x00007FFE6A7D0000-0x00007FFE6A7E0000-memory.dmp

Filesize
64KB

Download