acc52d74dd3c426fd3834b8dcf5e3d7ce92868a33694eabc80b6c94d15756f79

Analysis

max time kernel
140s
max time network
156s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
24-11-2024 23:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

main.exe
Size

22.3MB
MD5

d195c646a63c09620250dc45c253708e
SHA1

81569dd51ec6a0265e9d639a6ef21a7e9803cf4e
SHA256

acc52d74dd3c426fd3834b8dcf5e3d7ce92868a33694eabc80b6c94d15756f79
SHA512

b7e46884525a12a498a9e6ef7ba79335ade1165c69fb6406adb820c6311f4f65518dd536dafe49c48a1c0cc6fc1dc02a68387c0b8ebeeff77d0f8823b2eea780
SSDEEP

393216:EqPnLFXllRMYoaK9Qc8nAB3Q3GGG3gQUJ6ZjODn1klH4flNXJ:lPLFXtNoaK9QFkA3mRJNQ1klHUX

Score

8^/10

defense_evasion discovery persistence privilege_escalation pyinstaller spyware stealer upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
3416	main.exe
1532	main.exe

Loads dropped DLL 64 IoCs

pid	Process
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
1532	main.exe
1532	main.exe
1532	main.exe
1532	main.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\empyrean = "C:\\Users\\Admin\\AppData\\Roaming\\empyrean\\run.bat"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000\Software\Microsoft\Windows\CurrentVersion\Run\empyrean = "C:\\Users\\Admin\\AppData\\Roaming\\empyrean\\run.bat"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
1	discord.com
3	discord.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
13	discord.com
57	discord.com
58	raw.githubusercontent.com
65	discord.com

Looks up external IP address via web service 9 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
64	ipapi.co
1	ipapi.co
2	ipapi.co
8	ipapi.co
10	ipapi.co
12	ipapi.co
56	ipapi.co
60	ipapi.co
62	ipapi.co

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002ab89-174.dat	upx
behavioral1/memory/2772-178-0x00007FFD61AD0000-0x00007FFD61F36000-memory.dmp	upx
behavioral1/files/0x001900000002ab79-185.dat	upx
behavioral1/files/0x001900000002ab13-180.dat	upx
behavioral1/memory/2772-189-0x00007FFD78BA0000-0x00007FFD78BAF000-memory.dmp	upx
behavioral1/files/0x001900000002ab16-191.dat	upx
behavioral1/memory/2772-194-0x00007FFD736A0000-0x00007FFD736CC000-memory.dmp	upx
behavioral1/memory/2772-192-0x00007FFD73850000-0x00007FFD73868000-memory.dmp	upx
behavioral1/files/0x001900000002ab11-190.dat	upx
behavioral1/memory/2772-186-0x00007FFD76410000-0x00007FFD76434000-memory.dmp	upx
behavioral1/files/0x001900000002ab87-196.dat	upx
behavioral1/memory/2772-198-0x00007FFD730E0000-0x00007FFD73115000-memory.dmp	upx
behavioral1/files/0x001900000002ab1a-199.dat	upx
behavioral1/files/0x001900000002ab8c-200.dat	upx
behavioral1/files/0x001900000002ab19-205.dat	upx
behavioral1/files/0x001900000002ab8a-213.dat	upx
behavioral1/files/0x001900000002ab90-215.dat	upx
behavioral1/memory/2772-216-0x00007FFD61AD0000-0x00007FFD61F36000-memory.dmp	upx
behavioral1/memory/2772-219-0x00007FFD76410000-0x00007FFD76434000-memory.dmp	upx
behavioral1/memory/2772-218-0x00007FFD72800000-0x00007FFD7282B000-memory.dmp	upx
behavioral1/memory/2772-217-0x00007FFD61470000-0x00007FFD6152C000-memory.dmp	upx
behavioral1/memory/2772-210-0x00007FFD72830000-0x00007FFD7285E000-memory.dmp	upx
behavioral1/memory/2772-209-0x00007FFD76280000-0x00007FFD7628D000-memory.dmp	upx
behavioral1/files/0x001900000002ab8b-207.dat	upx
behavioral1/memory/2772-204-0x00007FFD76400000-0x00007FFD7640D000-memory.dmp	upx
behavioral1/memory/2772-201-0x00007FFD73330000-0x00007FFD73349000-memory.dmp	upx
behavioral1/files/0x001900000002ab14-222.dat	upx
behavioral1/memory/2772-224-0x00007FFD72720000-0x00007FFD72763000-memory.dmp	upx
behavioral1/files/0x001900000002ab86-227.dat	upx
behavioral1/memory/2772-229-0x00007FFD730C0000-0x00007FFD730DC000-memory.dmp	upx
behavioral1/files/0x001900000002ab21-230.dat	upx
behavioral1/memory/2772-233-0x00007FFD726D0000-0x00007FFD726FE000-memory.dmp	upx
behavioral1/files/0x001900000002ab78-232.dat	upx
behavioral1/files/0x001900000002ab7f-234.dat	upx
behavioral1/memory/2772-239-0x00007FFD61030000-0x00007FFD610E8000-memory.dmp	upx
behavioral1/memory/2772-238-0x00007FFD73330000-0x00007FFD73349000-memory.dmp	upx
behavioral1/memory/2772-237-0x00007FFD610F0000-0x00007FFD61469000-memory.dmp	upx
behavioral1/files/0x001900000002ab15-240.dat	upx
behavioral1/memory/2772-242-0x00007FFD71D70000-0x00007FFD71D85000-memory.dmp	upx
behavioral1/files/0x001900000002ab70-243.dat	upx
behavioral1/files/0x001900000002ab71-245.dat	upx
behavioral1/memory/2772-246-0x00007FFD72830000-0x00007FFD7285E000-memory.dmp	upx
behavioral1/memory/2772-249-0x00007FFD68D90000-0x00007FFD68DB7000-memory.dmp	upx
behavioral1/memory/2772-248-0x00007FFD727F0000-0x00007FFD727FB000-memory.dmp	upx
behavioral1/files/0x001900000002ab8f-251.dat	upx
behavioral1/memory/2772-252-0x00007FFD60F10000-0x00007FFD61028000-memory.dmp	upx
behavioral1/files/0x001900000002ab1b-253.dat	upx
behavioral1/files/0x001900000002ab8d-255.dat	upx
behavioral1/memory/2772-256-0x00007FFD68D70000-0x00007FFD68D8F000-memory.dmp	upx
behavioral1/memory/2772-258-0x00007FFD72720000-0x00007FFD72763000-memory.dmp	upx
behavioral1/memory/2772-259-0x00007FFD60D90000-0x00007FFD60F0A000-memory.dmp	upx
behavioral1/files/0x001900000002ab12-260.dat	upx
behavioral1/memory/2772-263-0x00007FFD67C00000-0x00007FFD67C37000-memory.dmp	upx
behavioral1/memory/2772-262-0x00007FFD730C0000-0x00007FFD730DC000-memory.dmp	upx
behavioral1/files/0x001c00000002aad5-264.dat	upx
behavioral1/files/0x001900000002aace-267.dat	upx
behavioral1/memory/2772-278-0x00007FFD67AB0000-0x00007FFD67ABE000-memory.dmp	upx
behavioral1/memory/2772-277-0x00007FFD67AE0000-0x00007FFD67AEB000-memory.dmp	upx
behavioral1/memory/2772-276-0x00007FFD6C000000-0x00007FFD6C00C000-memory.dmp	upx
behavioral1/memory/2772-275-0x00007FFD67AC0000-0x00007FFD67ACD000-memory.dmp	upx
behavioral1/memory/2772-274-0x00007FFD67AD0000-0x00007FFD67ADC000-memory.dmp	upx
behavioral1/memory/2772-273-0x00007FFD68D50000-0x00007FFD68D5C000-memory.dmp	upx
behavioral1/memory/2772-272-0x00007FFD68D60000-0x00007FFD68D6B000-memory.dmp	upx
behavioral1/memory/2772-271-0x00007FFD6ED30000-0x00007FFD6ED3B000-memory.dmp	upx

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\main.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000300000002a491-798.dat	pyinstaller

Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 12 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2792	netsh.exe
1504	cmd.exe
4780	netsh.exe
5056	netsh.exe
5052	cmd.exe
764	netsh.exe
1880	cmd.exe
3368	cmd.exe
3680	netsh.exe
4408	netsh.exe
1976	cmd.exe
2096	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry key 1 TTPs 4 IoCs

Modify Registry

T1112

pid	Process
2960	reg.exe
4844	reg.exe
3168	reg.exe
4076	reg.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 5865.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\main.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
2772	main.exe
3868	msedge.exe
3868	msedge.exe
4788	msedge.exe
4788	msedge.exe
4344	msedge.exe
4344	msedge.exe
4600	identity_helper.exe
4600	identity_helper.exe
1840	msedge.exe
1840	msedge.exe
1532	main.exe
1532	main.exe
1532	main.exe
1532	main.exe
1532	main.exe
1532	main.exe
1532	main.exe
1532	main.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe
4612	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	main.exe
Token: SeIncreaseQuotaPrivilege	3916	WMIC.exe
Token: SeSecurityPrivilege	3916	WMIC.exe
Token: SeTakeOwnershipPrivilege	3916	WMIC.exe
Token: SeLoadDriverPrivilege	3916	WMIC.exe
Token: SeSystemProfilePrivilege	3916	WMIC.exe
Token: SeSystemtimePrivilege	3916	WMIC.exe
Token: SeProfSingleProcessPrivilege	3916	WMIC.exe
Token: SeIncBasePriorityPrivilege	3916	WMIC.exe
Token: SeCreatePagefilePrivilege	3916	WMIC.exe
Token: SeBackupPrivilege	3916	WMIC.exe
Token: SeRestorePrivilege	3916	WMIC.exe
Token: SeShutdownPrivilege	3916	WMIC.exe
Token: SeDebugPrivilege	3916	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3916	WMIC.exe
Token: SeRemoteShutdownPrivilege	3916	WMIC.exe
Token: SeUndockPrivilege	3916	WMIC.exe
Token: SeManageVolumePrivilege	3916	WMIC.exe
Token: 33	3916	WMIC.exe
Token: 34	3916	WMIC.exe
Token: 35	3916	WMIC.exe
Token: 36	3916	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3916	WMIC.exe
Token: SeSecurityPrivilege	3916	WMIC.exe
Token: SeTakeOwnershipPrivilege	3916	WMIC.exe
Token: SeLoadDriverPrivilege	3916	WMIC.exe
Token: SeSystemProfilePrivilege	3916	WMIC.exe
Token: SeSystemtimePrivilege	3916	WMIC.exe
Token: SeProfSingleProcessPrivilege	3916	WMIC.exe
Token: SeIncBasePriorityPrivilege	3916	WMIC.exe
Token: SeCreatePagefilePrivilege	3916	WMIC.exe
Token: SeBackupPrivilege	3916	WMIC.exe
Token: SeRestorePrivilege	3916	WMIC.exe
Token: SeShutdownPrivilege	3916	WMIC.exe
Token: SeDebugPrivilege	3916	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3916	WMIC.exe
Token: SeRemoteShutdownPrivilege	3916	WMIC.exe
Token: SeUndockPrivilege	3916	WMIC.exe
Token: SeManageVolumePrivilege	3916	WMIC.exe
Token: 33	3916	WMIC.exe
Token: 34	3916	WMIC.exe
Token: 35	3916	WMIC.exe
Token: 36	3916	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3748	WMIC.exe
Token: SeSecurityPrivilege	3748	WMIC.exe
Token: SeTakeOwnershipPrivilege	3748	WMIC.exe
Token: SeLoadDriverPrivilege	3748	WMIC.exe
Token: SeSystemProfilePrivilege	3748	WMIC.exe
Token: SeSystemtimePrivilege	3748	WMIC.exe
Token: SeProfSingleProcessPrivilege	3748	WMIC.exe
Token: SeIncBasePriorityPrivilege	3748	WMIC.exe
Token: SeCreatePagefilePrivilege	3748	WMIC.exe
Token: SeBackupPrivilege	3748	WMIC.exe
Token: SeRestorePrivilege	3748	WMIC.exe
Token: SeShutdownPrivilege	3748	WMIC.exe
Token: SeDebugPrivilege	3748	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3748	WMIC.exe
Token: SeRemoteShutdownPrivilege	3748	WMIC.exe
Token: SeUndockPrivilege	3748	WMIC.exe
Token: SeManageVolumePrivilege	3748	WMIC.exe
Token: 33	3748	WMIC.exe
Token: 34	3748	WMIC.exe
Token: 35	3748	WMIC.exe
Token: 36	3748	WMIC.exe

Suspicious use of FindShellTrayWindow 44 IoCs

pid	Process
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe
3868	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2772	2968	main.exe	79
PID 2968 wrote to memory of 2772	2968	main.exe	79
PID 2772 wrote to memory of 3576	2772	main.exe	81
PID 2772 wrote to memory of 3576	2772	main.exe	81
PID 2772 wrote to memory of 2564	2772	main.exe	83
PID 2772 wrote to memory of 2564	2772	main.exe	83
PID 2564 wrote to memory of 3916	2564	cmd.exe	85
PID 2564 wrote to memory of 3916	2564	cmd.exe	85
PID 2772 wrote to memory of 4532	2772	main.exe	87
PID 2772 wrote to memory of 4532	2772	main.exe	87
PID 4532 wrote to memory of 3168	4532	cmd.exe	89
PID 4532 wrote to memory of 3168	4532	cmd.exe	89
PID 2772 wrote to memory of 1624	2772	main.exe	90
PID 2772 wrote to memory of 1624	2772	main.exe	90
PID 1624 wrote to memory of 4076	1624	cmd.exe	92
PID 1624 wrote to memory of 4076	1624	cmd.exe	92
PID 2772 wrote to memory of 2556	2772	main.exe	93
PID 2772 wrote to memory of 2556	2772	main.exe	93
PID 2556 wrote to memory of 3748	2556	cmd.exe	95
PID 2556 wrote to memory of 3748	2556	cmd.exe	95
PID 2772 wrote to memory of 2516	2772	main.exe	96
PID 2772 wrote to memory of 2516	2772	main.exe	96
PID 2516 wrote to memory of 748	2516	cmd.exe	98
PID 2516 wrote to memory of 748	2516	cmd.exe	98
PID 2772 wrote to memory of 4576	2772	main.exe	99
PID 2772 wrote to memory of 4576	2772	main.exe	99
PID 4576 wrote to memory of 1220	4576	cmd.exe	101
PID 4576 wrote to memory of 1220	4576	cmd.exe	101
PID 2772 wrote to memory of 1976	2772	main.exe	102
PID 2772 wrote to memory of 1976	2772	main.exe	102
PID 1976 wrote to memory of 764	1976	cmd.exe	104
PID 1976 wrote to memory of 764	1976	cmd.exe	104
PID 2772 wrote to memory of 1880	2772	main.exe	105
PID 2772 wrote to memory of 1880	2772	main.exe	105
PID 1880 wrote to memory of 2792	1880	cmd.exe	107
PID 1880 wrote to memory of 2792	1880	cmd.exe	107
PID 2772 wrote to memory of 1504	2772	main.exe	108
PID 2772 wrote to memory of 1504	2772	main.exe	108
PID 1504 wrote to memory of 4780	1504	cmd.exe	110
PID 1504 wrote to memory of 4780	1504	cmd.exe	110
PID 3868 wrote to memory of 1576	3868	msedge.exe	114
PID 3868 wrote to memory of 1576	3868	msedge.exe	114
PID 3868 wrote to memory of 2984	3868	msedge.exe	115
PID 3868 wrote to memory of 2984	3868	msedge.exe	115
PID 3868 wrote to memory of 2984	3868	msedge.exe	115
PID 3868 wrote to memory of 2984	3868	msedge.exe	115
PID 3868 wrote to memory of 2984	3868	msedge.exe	115
PID 3868 wrote to memory of 2984	3868	msedge.exe	115
PID 3868 wrote to memory of 2984	3868	msedge.exe	115
PID 3868 wrote to memory of 2984	3868	msedge.exe	115
PID 3868 wrote to memory of 2984	3868	msedge.exe	115
PID 3868 wrote to memory of 2984	3868	msedge.exe	115
PID 3868 wrote to memory of 2984	3868	msedge.exe	115
PID 3868 wrote to memory of 2984	3868	msedge.exe	115
PID 3868 wrote to memory of 2984	3868	msedge.exe	115
PID 3868 wrote to memory of 2984	3868	msedge.exe	115
PID 3868 wrote to memory of 2984	3868	msedge.exe	115
PID 3868 wrote to memory of 2984	3868	msedge.exe	115
PID 3868 wrote to memory of 2984	3868	msedge.exe	115
PID 3868 wrote to memory of 2984	3868	msedge.exe	115
PID 3868 wrote to memory of 2984	3868	msedge.exe	115
PID 3868 wrote to memory of 2984	3868	msedge.exe	115
PID 3868 wrote to memory of 2984	3868	msedge.exe	115
PID 3868 wrote to memory of 2984	3868	msedge.exe	115

C:\Users\Admin\AppData\Local\Temp\main.exe
"C:\Users\Admin\AppData\Local\Temp\main.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Users\Admin\AppData\Local\Temp\main.exe
  "C:\Users\Admin\AppData\Local\Temp\main.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:3576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4532
  - - C:\Windows\system32\reg.exe
      reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f
      4⤵
      Modifies registry key
      PID:3168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1624
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:4076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
      4⤵
      PID:748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4576
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
      4⤵
      PID:1220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:1880
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:1504
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd72983cb8,0x7ffd72983cc8,0x7ffd72983cd8
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1816,2647708783474603032,15807044233837804320,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1832 /prefetch:2
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1816,2647708783474603032,15807044233837804320,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1816,2647708783474603032,15807044233837804320,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2560 /prefetch:8
  2⤵
  PID:1316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,2647708783474603032,15807044233837804320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:1988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,2647708783474603032,15807044233837804320,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,2647708783474603032,15807044233837804320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4872 /prefetch:1
  2⤵
  PID:1828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,2647708783474603032,15807044233837804320,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4520 /prefetch:1
  2⤵
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1816,2647708783474603032,15807044233837804320,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4880 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1816,2647708783474603032,15807044233837804320,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,2647708783474603032,15807044233837804320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
  2⤵
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,2647708783474603032,15807044233837804320,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
  2⤵
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,2647708783474603032,15807044233837804320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4540 /prefetch:1
  2⤵
  PID:1664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,2647708783474603032,15807044233837804320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
  2⤵
  PID:4680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,2647708783474603032,15807044233837804320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,2647708783474603032,15807044233837804320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
  2⤵
  PID:2520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,2647708783474603032,15807044233837804320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:1
  2⤵
  PID:668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,2647708783474603032,15807044233837804320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5804 /prefetch:1
  2⤵
  PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,2647708783474603032,15807044233837804320,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:1296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,2647708783474603032,15807044233837804320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:4052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,2647708783474603032,15807044233837804320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,2647708783474603032,15807044233837804320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
  2⤵
  PID:3848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,2647708783474603032,15807044233837804320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,2647708783474603032,15807044233837804320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2964 /prefetch:1
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1816,2647708783474603032,15807044233837804320,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1816,2647708783474603032,15807044233837804320,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6332 /prefetch:8
  2⤵
  PID:3920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1816,2647708783474603032,15807044233837804320,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6148 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1840
- C:\Users\Admin\Downloads\main.exe
  "C:\Users\Admin\Downloads\main.exe"
  2⤵
  - Executes dropped EXE
  PID:3416
- - C:\Users\Admin\Downloads\main.exe
    "C:\Users\Admin\Downloads\main.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1532
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:2276
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      PID:5088
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        
        PID:1876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"
      4⤵
      PID:3800
    - - C:\Windows\system32\reg.exe
        
        reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f
        5⤵
        Modifies registry key
        
        PID:2960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f"
      4⤵
      PID:1976
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f
        5⤵
        Adds Run key to start application
        Modifies registry key
        
        PID:4844
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      PID:4968
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        
        PID:2696
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      PID:2364
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        
        PID:5104
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
      4⤵
      PID:2100
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        5⤵
        
        PID:2952
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2096
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:5056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3368
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3680
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:5052
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1816,2647708783474603032,15807044233837804320,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6104 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4612

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4972

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9314124f4f0ad9f845a0d7906fd8dfd8

SHA1
0d4f67fb1a11453551514f230941bdd7ef95693c

SHA256
cbd58fa358e4b1851c3da2d279023c29eba66fb4d438c6e87e7ce5169ffb910e

SHA512
87b9060ca4942974bd8f95b8998df7b2702a3f4aba88c53b2e3423a532a75407070368f813a5bbc0251864b4eae47e015274a839999514386d23c8a526d05d85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1544690d41d950f9c1358068301cfb5

SHA1
ae3ff81363fcbe33c419e49cabef61fb6837bffa

SHA256
53d69c9cc3c8aaf2c8b58ea6a2aa47c49c9ec11167dd9414cd9f4192f9978724

SHA512
1e4f1fe2877f4f947d33490e65898752488e48de34d61e197e4448127d6b1926888de80b62349d5a88b96140eed0a5b952ef4dd7ca318689f76e12630c9029da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
432B

MD5
0a4e3d565952aafe2eb08797753878e1

SHA1
325c88ec86db4602b2b169e732bee20a6821f909

SHA256
86c72adb7274a64621dafc56f1a5fe71499e946dffb9dfc09636e0e419cd5e47

SHA512
e1d522079ee9ec2f06c2a7e7f0e799c1220a4f62f6232afcc82e86e7aa34c969e440c303c4aaf090c9eec6e5ce834125bcd21cb8a7c17e57547b31c33346260d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
b148be2620441bb6921343b11c993e34

SHA1
88fcf04131a595c0ae0da45080469a6c0931237b

SHA256
d61edefef295798c071da45072ec3de2dbf0e4aebc6ead465cb5cf8b21dbef90

SHA512
75dfad797179f6f2d3db9b928e4d5968caf031d58a59b9b75e0fbd143d4e1883bef6a215ecba65cb40cc7f28f0e0162db7f7da61ba2284be10a269e8b5e43967

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
462489a1bc1bccbaa39d87ddab92febe

SHA1
d0ad0ad1c30d8ea5b6bf25fa050f60dce0e79cf4

SHA256
c9b1c1a7e16c564cd7731126ff1b7f3e6c77778e4fc19cae47b42d2c570effbc

SHA512
37e8ae2b77926f3aafe020f2b64d9b76cd17b6d077e44b57525b12a11d5f29dc7858eadf6c9a9e3ae72c230621f074b48efd9f6e138552186226e20601382a33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
72a8cd68e1475c43f3ef53253243cabd

SHA1
c36c5e7d88fa07092b5a64b4dd7f5f63067754eb

SHA256
ff285c71b7874c4b9fc45012f23702f0a77a068c9578caf1e65b5e595c21042b

SHA512
7ad155b7a93b738120d43af4bcb26c6370165cedc7809060b7f186fed56a7ae86b057ea4e41addcf6ece3732041119bee5c60b5821b6c2fde79d515c37c7ad4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f24c405b4a80fb1bbbddc6e056a06de3

SHA1
08ebaa10bed10557a0f25980daffc74beff5b041

SHA256
b4b1784487413cce31b9b8db2ae00d24c0761884581f60f4073b78c69462532c

SHA512
0ea5090c82a9e9d455c6c56a9d703acea0288082a64fab8deaaeb6945c724d7e5dcb63e9ef6fb277950accd39bb7619adb439403ba047f31fa6817ec69b636cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9e540f971208d351181309c2c91c99ea

SHA1
75d036dfde037a5d669fa7ba64b8d2d5b6af78fe

SHA256
06b018dc064170a086ad4b6ade2d28df6b81774ada0930c7a15566b48d9da25d

SHA512
edd77b2de8647a42a4b0b550686cfd86bebe06096a0a38eb2350d46bbe6d6745ce452dc0bb6a30f223a8f1b9053d23e15436e240ef9fc523b639b9803bc92202

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
806d4cc086c015f83ddf2b59e7bfe3f6

SHA1
2e1ca296b6c32af1aa6388fcea0c485eb6c3e662

SHA256
c1c8bc65716b07a41c6a90b5f9cf855691c213414e2fefd25b36ffbacfaa6204

SHA512
ad669b055e7472249189a094fdfeb586ce56b9779585e667365b260e7bada453cd7bf5ffe3cefb4d1f4212a38961610c4bd8372fbcb5287f5dd098067d82626d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7cfcb81ed280361e31d2f5510e8c5011

SHA1
1f340c08136feaf2ee2d3255e4771e8baf86db7e

SHA256
39d3cb3c973f5114e4ac25d96195ec2118ce1e99077625501e3073b2ff7b85d5

SHA512
eff78c044cfadeeeea364dc9508baab6d372c5a47aa0c46fce12e45f2d15ea21eddc3c8fe987c74c10e590e58c44fc1c5f61203f48ed8fb54abf795f375f6dbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9fae88a0e4c7d6e2b8f2c9e2444d72fd

SHA1
01a3eeb49e64b854ca5c69a7b409c0ba5924eda9

SHA256
ab637694b1dc7b40995efa0c3e1936ecc16190a0d26eddfe02cb5828626f3edb

SHA512
cd4892b9efeabfe27251b7a8ddbd334b99d7f4cd36525f88b1b7a5a1fc54b68ca0827c6af41655ac1e6a7467eb01e4ebcdbc5e4771a9474de7c3a1d741e5e4d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3fdadef784ab23def4f6ec235ceaf608

SHA1
f525e6fb2060024b1fd4e0d6ed1581b311bb0b4b

SHA256
8fc1dd78627e854f56f9f90688b62b38b5951626be970a1bc2181ed011a65a27

SHA512
a291c3800bffc4dc29b1c04ab7857cce14f9ccb067227d259ae578e0206f627729b9be7842e6145933dce8a1dfb6ea3050b4ad66e8c527c11b4962697dbd2c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\Crypto\Cipher\_raw_cbc.pyd

Filesize
10KB

MD5
fe44f698198190de574dc193a0e1b967

SHA1
5bad88c7cc50e61487ec47734877b31f201c5668

SHA256
32fa416a29802eb0017a2c7360bf942edb132d4671168de26bd4c3e94d8de919

SHA512
c841885dd7696f337635ef759e3f61ee7f4286b622a9fb8b695988d93219089e997b944321ca49ca3bd19d41440ee7c8e1d735bd3558052f67f762bf4d1f5fc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\Crypto\Cipher\_raw_ecb.pyd

Filesize
9KB

MD5
f94726f6b584647142ea6d5818b0349d

SHA1
4aa9931c0ff214bf520c5e82d8e73ceeb08af27c

SHA256
b98297fd093e8af7fca2628c23a9916e767540c3c6fa8894394b5b97ffec3174

SHA512
2b40a9b39f5d09eb8d7ddad849c8a08ab2e73574ee0d5db132fe8c8c3772e60298e0545516c9c26ee0b257ebda59cfe1f56ef6c4357ef5be9017c4db4770d238

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\VCRUNTIME140_1.dll

Filesize
36KB

MD5
135359d350f72ad4bf716b764d39e749

SHA1
2e59d9bbcce356f0fece56c9c4917a5cacec63d7

SHA256
34048abaa070ecc13b318cea31425f4ca3edd133d350318ac65259e6058c8b32

SHA512
cf23513d63ab2192c78cae98bd3fea67d933212b630be111fa7e03be3e92af38e247eb2d3804437fd0fda70fdc87916cd24cf1d3911e9f3bfb2cc4ab72b459ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\_bz2.pyd

Filesize
47KB

MD5
07dcd3f7bebd3b0b08bcaf5a3c32459c

SHA1
69db03a9197ee05aee279103e5e8d42ef3eb20d8

SHA256
6b4aef345ba8a57b1126e64988e65e8629737be05ddd729b690ca688efbda130

SHA512
f8ff665e68fcec339477d28d4b714708afdea2b5c0138714966d486a814805bc98acfd6b1e547654c820589a9bd1c126e34c8e7a33d910d7f0269efb1e794e57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\_cffi_backend.cp310-win_amd64.pyd

Filesize
71KB

MD5
d5c2262b923d6b91c7685dc2473d0908

SHA1
2b95b8671d77b2a7c70cd976d418c42b32319c91

SHA256
af3c5d39317f0b02dbf3a40337602d3dae149918643aabeb264d586d52315b28

SHA512
e4d244740179e78234424b1efe3c5aad0c2843c523443ec2747b9b8dda030746ac684374027ba60a544730c39ad50117b1aff6648425b26d2a9356087cc37c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\_ctypes.pyd

Filesize
58KB

MD5
53cd0ccedfdc38165c277029510de6b8

SHA1
6a17f2ce783bfc2cdfb6bfb147ee465422506e4e

SHA256
7278f3d334e36294fbd81ffcc4330280d3787d17a4fc71dacd2da4408bd5136a

SHA512
7b2cd56c6d46ba5b6b78fa2ef45553e759e64583b14176c4f08da8a623b39bbc2b641152f0e238218d5403fee3da8a3ab99b613cab751d1c3db37691799c752c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\_decimal.pyd

Filesize
106KB

MD5
c97bcb3d8983f896e21f1779b93498ae

SHA1
5c0413e82f94d4a557e25e0d13e9b03ff7b85ce1

SHA256
09012644e225e511bae07aceafd631d508b4ee4efcd42492bb3470f56344804f

SHA512
045b95aa8daf0b36c3d84b0fd6b209d047e3cd28aa2717fef42c71a080fe74fcd41e7762eeebe96d3cc5d91bdc44989ffb8d33269854242d3baf8d253a82b8d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\_hashlib.pyd

Filesize
35KB

MD5
7a48ea2b3aa94cfaa8992d2850f34057

SHA1
dca5c52f668d1077d1ecc497230ed7bc9d1677e6

SHA256
dc41c07fbf97c53ce3f666ecee1b77f1101ce7365d8ab9edd18109a7ff0569c7

SHA512
f305b717c8484539d59ac10a727a6796575d5d017c6ea7f0744f4ef1314be95bc361a03cfbb87ad6105c245c6cab06149077b17fc7cc63cc6a5c9dbd39d3ae7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\_lzma.pyd

Filesize
85KB

MD5
491b794b840ea147f88d26c54e66c751

SHA1
8aa37814aa95151dcd49a6ef2cfd453b91ed30e9

SHA256
fbec4bc9b7adac154ba9f316a0c8fdfb22e16ac6c1376716bc33f399ad0875ea

SHA512
aa700a627622f0c416d37216006f708ffcbeef6ddd4419cfb0f0edacf91e4b29362f0cf24d3965764fdf47c0864eb1636007121f612fa5d8ea1ade7d09b9cd58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\_queue.pyd

Filesize
25KB

MD5
c341eaecc02c68b8469fc3e2a675a654

SHA1
8e039602eb975e0ce13528da2694926e77fe4760

SHA256
6692f25b92cef3534079687e17142a716d71e02deb820ec94f3e3a60d44424d5

SHA512
07afa210fc633787f7c7bb52534f24c648538bea3093cc880676d9d58a2fe3e3e9e64189455db74112b14fe109dbbb3efa20f011c3e8aee01612904a8b97ee38

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\_socket.pyd

Filesize
42KB

MD5
8d1ea62241be70d4ff3af6c455cba777

SHA1
02d845595c8020b39ebb08667cfa753807da4680

SHA256
645ae93e057061b8bdadaf743c718430a60b5511df54df843f929d3346abc2b5

SHA512
ec8ca703c3c0dccaf590b1e7922bce0124e7861dd110a8c67adf85510772385829f5c81c91a3d5ad438ae6616b3ccb1c898698388be62880165dc615ef07f404

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\_sqlite3.pyd

Filesize
50KB

MD5
edefdc2ed2c050440d7c7495ba1ec232

SHA1
cd5a886f994c08c8fd1666c1d92c64c8b6bc5a96

SHA256
a9de81d7a5f83060fbdd73934d12fcb66f1c6de8f61346b4b263ad0299414cec

SHA512
4ffa357a6f507a63b3c6b043e54cf23c749a730d29e06fa8406b590d1f059efc9270c28977a219132d39b9da4d9283ced09a7f422bb4fcb7d5edb0d947d30c1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\_ssl.pyd

Filesize
62KB

MD5
aedfa885a1f7566dd0955675c5d87d6c

SHA1
e047404c9b0a1e28a5ef0825b3edeaacc843c965

SHA256
709f85cb8775af1db6990b91f4232cf4c097dbe9f9297ae4e3eeed0a3b506557

SHA512
8f7fb5135394750443eeb092628dfa07daf8622f306847dcb748d3fceefdbf6a7c8884e120e1ead2b0dd209b27feb981b29fdbcd6bebddf2d7a8a500e33de866

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\_uuid.pyd

Filesize
24KB

MD5
b68c98113c8e7e83af56ba98ff3ac84a

SHA1
448938564559570b269e05e745d9c52ecda37154

SHA256
990586f2a2ba00d48b59bdd03d3c223b8e9fb7d7fab6d414bac2833eb1241ca2

SHA512
33c69199cba8e58e235b96684346e748a17cc7f03fc068cfa8a7ec7b5f9f6fa90d90b5cdb43285abf8b4108e71098d4e87fb0d06b28e2132357964b3eea3a4f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\base_library.zip

Filesize
812KB

MD5
678d03034d0a29770e881bcb5ce31720

SHA1
a55befcf5cd76ceb98719bafc0e3dfb20c0640e3

SHA256
9c0e49af57460f5a550044ff40436615d848616b87cff155fcad0a7d609fd3cb

SHA512
19a6e2dc2df81ffc4f9af19df0a75cf2531ba1002dca00cd1e60bdc58ede08747dafa3778ab78781a88c93a3ece4e5a46c5676250ed624f70d8a38af2c75395f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\charset_normalizer\md.cp310-win_amd64.pyd

Filesize
9KB

MD5
ac03714161da507e824756742a877da9

SHA1
702dbd2296ca50f6502bc5aac5b826b63cf9e200

SHA256
cafc9c2befc85af6cc0f9cf0fa7681bae89c9acf511cadc39a0cee77d174b2c2

SHA512
6b773b2f31512211a0944391733b77f25ef720d07a4057ab8432941950403faced50c8bc3166b36f648e6394bdf0d9943ccd81e689622558719dfe782c59bb2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\charset_normalizer\md__mypyc.cp310-win_amd64.pyd

Filesize
39KB

MD5
150731368d678f5b2f9ea8cb1a966b8a

SHA1
8263055aee278b6724e30aff7bd4bd471bb1c904

SHA256
08bbccf9be3982bbb356e5df1e6fddaa94bb5f12b765bca7bd5701c86141f814

SHA512
a5e984f9995e13fefd8a1750b8fef7670cfef11ff019880af06d4dff453416b43e077084f529e37fc24f4a70c1951cfc101f2611d7c860924bbf2922a98027a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\libcrypto-1_1.dll

Filesize
1.1MB

MD5
403736309b3b5d082712916898fd1354

SHA1
1c31f475bf0e8ff7e5aabc3631c36abd2f30d837

SHA256
a6447002ef1fa01747e76353e8a94d296300d845e172cc3153586af23f28e6e3

SHA512
76aab5b2860b465badf5e777c52ce409ce4662c5b9690b1ffada140c5e470716fc2b30fb30162c40952946ac5757428b16b9bdeea4476a5c41cf8c88bbb4f16a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\libffi-7.dll

Filesize
23KB

MD5
b5150b41ca910f212a1dd236832eb472

SHA1
a17809732c562524b185953ffe60dfa91ba3ce7d

SHA256
1a106569ac0ad3152f3816ff361aa227371d0d85425b357632776ac48d92ea8a

SHA512
9e82b0caa3d72bb4a7ad7d66ebfb10edb778749e89280bca67c766e72dc794e99aab2bc2980d64282a384699929ce6cc996462a73584898d2df67a57bff2a9c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\libssl-1_1.dll

Filesize
204KB

MD5
11f23756f8727a80dfcde795d5e43a3f

SHA1
67a0dcc7f90104cfce59cb3cc0815dc80070579c

SHA256
18b703afec83722f6dc78ccb63662296b9c186a830746dd9e57ef279da519446

SHA512
b6acc6c27ef27f2ccb9157dd2b921edee603d28434bcb688cf814deb98231bdee14465f55ae1fa37d741dfa62e13ddec60b1dcaa5d820e011abcf62e2f1864d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\psutil\_psutil_windows.pyd

Filesize
34KB

MD5
fb17b2f2f09725c3ffca6345acd7f0a8

SHA1
b8d747cc0cb9f7646181536d9451d91d83b9fc61

SHA256
9c7d401418db14353db85b54ff8c7773ee5d17cbf9a20085fde4af652bd24fc4

SHA512
b4acb60045da8639779b6bb01175b13344c3705c92ea55f9c2942f06c89e5f43cedae8c691836d63183cacf2d0a98aa3bcb0354528f1707956b252206991bf63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\pyexpat.pyd

Filesize
87KB

MD5
54683379c2419972818d53a7dbab049a

SHA1
af0a301b049bf2c5408156059eb4cd38c28226cd

SHA256
a4d7e93cffe266879a283abce61c0ba47072ba3ae6a83e3411c7eae71a24c834

SHA512
906df0deb11a0b1a227a4c97fa658c9ac863a95c5f57d7c55f4184028163f72cf5e90f4010fec2fdee995ed4d40ef839ab7468bda48e54bf21a46a8e69837e6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\python3.DLL

Filesize
64KB

MD5
fd4a39e7c1f7f07cf635145a2af0dc3a

SHA1
05292ba14acc978bb195818499a294028ab644bd

SHA256
dc909eb798a23ba8ee9f8e3f307d97755bc0d2dc0cb342cedae81fbbad32a8a9

SHA512
37d3218bc767c44e8197555d3fa18d5aad43a536cfe24ac17bf8a3084fb70bd4763ccfd16d2df405538b657f720871e0cd312dfeb7f592f3aac34d9d00d5a643

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\python310.dll

Filesize
1.4MB

MD5
cb0b4cf4ee16344ab13914c95e2ef4ce

SHA1
ba7a0b9d76e9dccdc6097d7e98ec0d20879e1c61

SHA256
a2b591ecadbd12bd1cd6e1c231bff1e814b71e9e99ffca450ece2f736e5ef1b6

SHA512
cdc9ad107a275bbe8e93c06f6dd0d2a2c1ac13df92a216fb98485583ecfb6e3d92f2c87c4dd80aceb05f3e9a4113468e60891ef4e3245386eb30201927384dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\pythoncom310.dll

Filesize
193KB

MD5
9051abae01a41ea13febdea7d93470c0

SHA1
b06bd4cd4fd453eb827a108e137320d5dc3a002f

SHA256
f12c8141d4795719035c89ff459823ed6174564136020739c106f08a6257b399

SHA512
58d8277ec4101ad468dd8c4b4a9353ab684ecc391e5f9db37de44d5c3316c17d4c7a5ffd547ce9b9a08c56e3dd6d3c87428eae12144dfb72fc448b0f2cfc47da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\pywintypes310.dll

Filesize
62KB

MD5
6f2aa8fa02f59671f99083f9cef12cda

SHA1
9fd0716bcde6ac01cd916be28aa4297c5d4791cd

SHA256
1a15d98d4f9622fa81b60876a5f359707a88fbbbae3ae4e0c799192c378ef8c6

SHA512
f5d5112e63307068cdb1d0670fe24b65a9f4942a39416f537bdbc17dedfd99963861bf0f4e94299cdce874816f27b3d86c4bebb889c3162c666d5ee92229c211

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\select.pyd

Filesize
25KB

MD5
d8d4a3b58e4cab8f4efab64fb04340f8

SHA1
e07653ec07d1819c389b142809bc2736d8c13db2

SHA256
6be05319f6bcd1bb956db273cbcfcfc555e5ecff87b106f4f56e014a0ce5826c

SHA512
c0e4769efe79b494238b7d836a70313ef75f97a43ca2c17610cc355caa2923d73f999975bd86bec95c064abaf494c7d78b5396a53fa4ebf67b1c72c4600923fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\setuptools-65.5.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\sqlite3.dll

Filesize
622KB

MD5
a5c0bfd25539dbefc0360c139eb6c82c

SHA1
373f3680a18d74a68549ecab5cadfc8abfdf8172

SHA256
43ca2f3a0f933e7ffe593635b51288277c0d85ae3cd3c0647120b9cc51e4831f

SHA512
0274ea610613c2009e0beac00e4d84e35b903b1f5d59a90ea55c8326ceeb89ac5f2b842b43290c4327e5512ca1478547d9910fcbd19b28b52d303818a9d172f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\ucrtbase.dll

Filesize
1.3MB

MD5
b03be769e6765278ba40fe3fd6896d96

SHA1
5dddad1bcc1195e4873228bb8991717d02bde47c

SHA256
84e058a8abf480fd3dba06ea9e40a40103566632eb3d0d24b91e4f213780b284

SHA512
4e8470f5744074a1e2722624b810141bdc710be7ff333b7a992dd3afac9dfd225edb80bc545b122327efebd9a9f4d85f94c911b8aeec2addab789d0f5850e0b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\unicodedata.pyd

Filesize
289KB

MD5
828fb207ceaea84a54141cf2acbd27af

SHA1
4cf236f44f1b8646abc4a8061926fa979ce781db

SHA256
6d36a9e7294374dffe3231cd9887351aec8e78c5c0d496ba6f7aac57baefe007

SHA512
5171cbfdf39a4adb3a57bb6a06a0073134c8982d7e1e7fd4804bf86ed78046db38aae51a883d59c7d40a7488b8a6d2a0c77614e10d9c01ec818a752a090698e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\win32api.pyd

Filesize
48KB

MD5
561f419a2b44158646ee13cd9af44c60

SHA1
93212788de48e0a91e603d74f071a7c8f42fe39b

SHA256
631465da2a1dad0cb11cd86b14b4a0e4c7708d5b1e8d6f40ae9e794520c3aaf7

SHA512
d76ab089f6dc1beffd5247e81d267f826706e60604a157676e6cbc3b3447f5bcee66a84bf35c21696c020362fadd814c3e0945942cdc5e0dfe44c0bca169945c

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloads_db

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\downloads_db

Filesize
116KB

MD5
4e2922249bf476fb3067795f2fa5e794

SHA1
d2db6b2759d9e650ae031eb62247d457ccaa57d2

SHA256
c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1

SHA512
8e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\vault\cookies.txt

Filesize
258B

MD5
f010426d478a15562ce7ebeadfbebc2a

SHA1
c26a74ae35c229e47fe22a2efc94e491c6c9d68f

SHA256
45ab212b3c4537513df187684f07fe466f29752321ae2f765c35d896a5b28503

SHA512
e4d9ce0c3effd0f379bc890ade4c2c424274076387ca7026d6d2796e058ae72a9d2f4689c4b119d6c46798c6ebce82038b073f02970f0c6abe9184050f4f8315

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 5865.crdownload

Filesize
22.3MB

MD5
d195c646a63c09620250dc45c253708e

SHA1
81569dd51ec6a0265e9d639a6ef21a7e9803cf4e

SHA256
acc52d74dd3c426fd3834b8dcf5e3d7ce92868a33694eabc80b6c94d15756f79

SHA512
b7e46884525a12a498a9e6ef7ba79335ade1165c69fb6406adb820c6311f4f65518dd536dafe49c48a1c0cc6fc1dc02a68387c0b8ebeeff77d0f8823b2eea780

Download Submit
C:\Users\Admin\Downloads\cards_db

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\Downloads\cards_db

Filesize
114KB

MD5
a8d76122219e7c8a069dd18e5a355aa4

SHA1
11f5a037ed0f3d8b0f4ff1755a62a94429337942

SHA256
1a9c71db5bdfe22c58fc8ed8a80ed0b24277f676dcb548cc79adb6e45a8d0a6f

SHA512
fd4ee2089dda5fe7fd5f23d67e1d19b8c1f2a270b39a65f8b3612049c72687c07bc3e957a27ab1b3e7f1af849743189ec814a4e0392f40fe89c14a4aa45688f9

Download Submit
C:\Users\Admin\Downloads\cookie_db

Filesize
20KB

MD5
c3382f2d673fd7b725483ccaf284dcad

SHA1
63b7fb62788eacedcc2a8fc0d0796e9374469a46

SHA256
bcf28f65ae7e8abd076dc6d25ba79f16c6c05839a0014066b164f6f1724ed27a

SHA512
4d17daa4984c3f0b646051e057293ee20be568f9a16876541b47a503d2f18f2c4559d39a50d291d224d1a07bbd183c31c7e5cdca05f871b914f10b889ed01181

Download Submit
C:\Users\Admin\Downloads\downloads_db

Filesize
116KB

MD5
4a6c27c0a844b9f36d880619f835a84b

SHA1
12edb55634a2c35c0fa5d5fd80e6ed32e17018ff

SHA256
c69a6ab0865c7cb635bc0188cdb22899a37e0ec0e91063caec6cdc897a584099

SHA512
936a666f78523ee4ab939d14a71e69c045f51534cb1635c850369f44f0fe8f83176afca343d8f4816099880408db8150c447f1dbb8a2a75b28336d1e2e7aedb8

Download Submit
C:\Users\Admin\Downloads\login_db

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\Downloads\login_db

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\Downloads\vault\downloads.txt

Filesize
60B

MD5
56c54fb79920e348c903fdf16f29259f

SHA1
c2f590c1e7a6d23e10a65f2d80b72f0e1e42ee33

SHA256
ffc02f83cb0df03dee01e62d028909f943325ee919cdfcf6757fccf8ff7cfb91

SHA512
c9e7539dd4af74892330ae38006def8611898e30af82619cde6839ce9b9b2d9633a6fd0288021b49dad56537cfb5882ffb5e7531f972e6aa06313e589b0bd880

Download Submit
C:\Users\Admin\Downloads\vault\web_history.txt

Filesize
880B

MD5
529c8f1492a285f6612d111fd8c7aad7

SHA1
7cfac842186c41195a476e5437f980534efda2fd

SHA256
985631774b0de60da7c6e3b4917178679cba9c34296837931ae898558cfae6a5

SHA512
8ac355917590ce787e6cd3c0e289b21f55ae25e4f7e878f5f5d6b3d06ced906c9eb12df693105ef8a721d7aa660c64eb1faf997cda0b96173275153b38c61f2c

Download Submit
memory/1532-1186-0x00007FFD61580000-0x00007FFD61638000-memory.dmp

Filesize
736KB

Download
memory/1532-1177-0x00007FFD72AF0000-0x00007FFD72B09000-memory.dmp

Filesize
100KB

Download
memory/1532-1171-0x00007FFD5F060000-0x00007FFD5F4C6000-memory.dmp

Filesize
4.4MB

Download
memory/1532-1172-0x00007FFD73240000-0x00007FFD73264000-memory.dmp

Filesize
144KB

Download
memory/1532-1180-0x00007FFD727F0000-0x00007FFD7281E000-memory.dmp

Filesize
184KB

Download
memory/1532-1185-0x00007FFD726D0000-0x00007FFD726FE000-memory.dmp

Filesize
184KB

Download
memory/1532-1181-0x00007FFD61640000-0x00007FFD616FC000-memory.dmp

Filesize
752KB

Download
memory/1532-1187-0x0000016AD57F0000-0x0000016AD5B69000-memory.dmp

Filesize
3.5MB

Download
memory/1532-1184-0x00007FFD72720000-0x00007FFD7273C000-memory.dmp

Filesize
112KB

Download
memory/2772-296-0x00007FFD67C00000-0x00007FFD67C37000-memory.dmp

Filesize
220KB

Download
memory/2772-435-0x00007FFD60D80000-0x00007FFD60D90000-memory.dmp

Filesize
64KB

Download
memory/2772-271-0x00007FFD6ED30000-0x00007FFD6ED3B000-memory.dmp

Filesize
44KB

Download
memory/2772-270-0x00007FFD726C0000-0x00007FFD726CB000-memory.dmp

Filesize
44KB

Download
memory/2772-269-0x00007FFD610F0000-0x00007FFD61469000-memory.dmp

Filesize
3.5MB

Download
memory/2772-268-0x00007FFD726D0000-0x00007FFD726FE000-memory.dmp

Filesize
184KB

Download
memory/2772-284-0x00007FFD71D70000-0x00007FFD71D85000-memory.dmp

Filesize
84KB

Download
memory/2772-289-0x00007FFD62030000-0x00007FFD6203C000-memory.dmp

Filesize
48KB

Download
memory/2772-290-0x00007FFD68D90000-0x00007FFD68DB7000-memory.dmp

Filesize
156KB

Download
memory/2772-288-0x00007FFD62070000-0x00007FFD6207C000-memory.dmp

Filesize
48KB

Download
memory/2772-287-0x00007FFD62040000-0x00007FFD62052000-memory.dmp

Filesize
72KB

Download
memory/2772-286-0x00007FFD62060000-0x00007FFD6206D000-memory.dmp

Filesize
52KB

Download
memory/2772-285-0x00007FFD62090000-0x00007FFD6209B000-memory.dmp

Filesize
44KB

Download
memory/2772-283-0x00007FFD67A80000-0x00007FFD67A8B000-memory.dmp

Filesize
44KB

Download
memory/2772-282-0x00007FFD62080000-0x00007FFD6208C000-memory.dmp

Filesize
48KB

Download
memory/2772-281-0x00007FFD67A90000-0x00007FFD67A9C000-memory.dmp

Filesize
48KB

Download
memory/2772-280-0x00007FFD67AA0000-0x00007FFD67AAC000-memory.dmp

Filesize
48KB

Download
memory/2772-279-0x00007FFD61030000-0x00007FFD610E8000-memory.dmp

Filesize
736KB

Download
memory/2772-291-0x00007FFD62010000-0x00007FFD62024000-memory.dmp

Filesize
80KB

Download
memory/2772-292-0x00007FFD60D80000-0x00007FFD60D90000-memory.dmp

Filesize
64KB

Download
memory/2772-294-0x00007FFD60D60000-0x00007FFD60D74000-memory.dmp

Filesize
80KB

Download
memory/2772-293-0x00007FFD68D70000-0x00007FFD68D8F000-memory.dmp

Filesize
124KB

Download
memory/2772-298-0x00007FFD60D10000-0x00007FFD60D2B000-memory.dmp

Filesize
108KB

Download
memory/2772-297-0x00007FFD60D30000-0x00007FFD60D52000-memory.dmp

Filesize
136KB

Download
memory/2772-273-0x00007FFD68D50000-0x00007FFD68D5C000-memory.dmp

Filesize
48KB

Download
memory/2772-295-0x00007FFD60D90000-0x00007FFD60F0A000-memory.dmp

Filesize
1.5MB

Download
memory/2772-299-0x00007FFD60CF0000-0x00007FFD60D08000-memory.dmp

Filesize
96KB

Download
memory/2772-302-0x00007FFD60C40000-0x00007FFD60C72000-memory.dmp

Filesize
200KB

Download
memory/2772-301-0x00007FFD60C80000-0x00007FFD60C91000-memory.dmp

Filesize
68KB

Download
memory/2772-300-0x00007FFD60CA0000-0x00007FFD60CED000-memory.dmp

Filesize
308KB

Download
memory/2772-303-0x00007FFD60C20000-0x00007FFD60C3E000-memory.dmp

Filesize
120KB

Download
memory/2772-304-0x00007FFD60BF0000-0x00007FFD60C19000-memory.dmp

Filesize
164KB

Download
memory/2772-307-0x00007FFD60940000-0x00007FFD60B92000-memory.dmp

Filesize
2.3MB

Download
memory/2772-274-0x00007FFD67AD0000-0x00007FFD67ADC000-memory.dmp

Filesize
48KB

Download
memory/2772-275-0x00007FFD67AC0000-0x00007FFD67ACD000-memory.dmp

Filesize
52KB

Download
memory/2772-276-0x00007FFD6C000000-0x00007FFD6C00C000-memory.dmp

Filesize
48KB

Download
memory/2772-350-0x00007FFD62010000-0x00007FFD62024000-memory.dmp

Filesize
80KB

Download
memory/2772-358-0x00007FFD60D30000-0x00007FFD60D52000-memory.dmp

Filesize
136KB

Download
memory/2772-360-0x00007FFD60CA0000-0x00007FFD60CED000-memory.dmp

Filesize
308KB

Download
memory/2772-359-0x00007FFD60D10000-0x00007FFD60D2B000-memory.dmp

Filesize
108KB

Download
memory/2772-362-0x00007FFD76410000-0x00007FFD76434000-memory.dmp

Filesize
144KB

Download
memory/2772-384-0x00007FFD60C40000-0x00007FFD60C72000-memory.dmp

Filesize
200KB

Download
memory/2772-383-0x00007FFD60D90000-0x00007FFD60F0A000-memory.dmp

Filesize
1.5MB

Download
memory/2772-382-0x00007FFD68D70000-0x00007FFD68D8F000-memory.dmp

Filesize
124KB

Download
memory/2772-377-0x00007FFD61030000-0x00007FFD610E8000-memory.dmp

Filesize
736KB

Download
memory/2772-371-0x00007FFD61470000-0x00007FFD6152C000-memory.dmp

Filesize
752KB

Download
memory/2772-375-0x00007FFD726D0000-0x00007FFD726FE000-memory.dmp

Filesize
184KB

Download
memory/2772-374-0x00007FFD730C0000-0x00007FFD730DC000-memory.dmp

Filesize
112KB

Download
memory/2772-370-0x00007FFD72830000-0x00007FFD7285E000-memory.dmp

Filesize
184KB

Download
memory/2772-367-0x00007FFD73330000-0x00007FFD73349000-memory.dmp

Filesize
100KB

Download
memory/2772-361-0x00007FFD61AD0000-0x00007FFD61F36000-memory.dmp

Filesize
4.4MB

Download
memory/2772-376-0x00007FFD610F0000-0x00007FFD61469000-memory.dmp

Filesize
3.5MB

Download
memory/2772-385-0x00007FFD60C20000-0x00007FFD60C3E000-memory.dmp

Filesize
120KB

Download
memory/2772-386-0x00007FFD60940000-0x00007FFD60B92000-memory.dmp

Filesize
2.3MB

Download
memory/2772-393-0x00007FFD61AD0000-0x00007FFD61F36000-memory.dmp

Filesize
4.4MB

Download
memory/2772-426-0x00007FFD61470000-0x00007FFD6152C000-memory.dmp

Filesize
752KB

Download
memory/2772-429-0x00007FFD727F0000-0x00007FFD727FB000-memory.dmp

Filesize
44KB

Download
memory/2772-272-0x00007FFD68D60000-0x00007FFD68D6B000-memory.dmp

Filesize
44KB

Download
memory/2772-434-0x00007FFD60D60000-0x00007FFD60D74000-memory.dmp

Filesize
80KB

Download
memory/2772-433-0x00007FFD62010000-0x00007FFD62024000-memory.dmp

Filesize
80KB

Download
memory/2772-432-0x00007FFD67C00000-0x00007FFD67C37000-memory.dmp

Filesize
220KB

Download
memory/2772-431-0x00007FFD60C80000-0x00007FFD60C91000-memory.dmp

Filesize
68KB

Download
memory/2772-430-0x00007FFD60D10000-0x00007FFD60D2B000-memory.dmp

Filesize
108KB

Download
memory/2772-428-0x00007FFD71D70000-0x00007FFD71D85000-memory.dmp

Filesize
84KB

Download
memory/2772-427-0x00007FFD730C0000-0x00007FFD730DC000-memory.dmp

Filesize
112KB

Download
memory/2772-425-0x00007FFD72830000-0x00007FFD7285E000-memory.dmp

Filesize
184KB

Download
memory/2772-424-0x00007FFD76280000-0x00007FFD7628D000-memory.dmp

Filesize
52KB

Download
memory/2772-423-0x00007FFD76400000-0x00007FFD7640D000-memory.dmp

Filesize
52KB

Download
memory/2772-422-0x00007FFD73330000-0x00007FFD73349000-memory.dmp

Filesize
100KB

Download
memory/2772-421-0x00007FFD730E0000-0x00007FFD73115000-memory.dmp

Filesize
212KB

Download
memory/2772-420-0x00007FFD736A0000-0x00007FFD736CC000-memory.dmp

Filesize
176KB

Download
memory/2772-419-0x00007FFD73850000-0x00007FFD73868000-memory.dmp

Filesize
96KB

Download
memory/2772-418-0x00007FFD78BA0000-0x00007FFD78BAF000-memory.dmp

Filesize
60KB

Download
memory/2772-417-0x00007FFD76410000-0x00007FFD76434000-memory.dmp

Filesize
144KB

Download
memory/2772-416-0x00007FFD72800000-0x00007FFD7282B000-memory.dmp

Filesize
172KB

Download
memory/2772-415-0x00007FFD60D90000-0x00007FFD60F0A000-memory.dmp

Filesize
1.5MB

Download
memory/2772-414-0x00007FFD68D70000-0x00007FFD68D8F000-memory.dmp

Filesize
124KB

Download
memory/2772-413-0x00007FFD60F10000-0x00007FFD61028000-memory.dmp

Filesize
1.1MB

Download
memory/2772-412-0x00007FFD68D90000-0x00007FFD68DB7000-memory.dmp

Filesize
156KB

Download
memory/2772-409-0x00007FFD61030000-0x00007FFD610E8000-memory.dmp

Filesize
736KB

Download
memory/2772-407-0x00007FFD726D0000-0x00007FFD726FE000-memory.dmp

Filesize
184KB

Download
memory/2772-408-0x00007FFD610F0000-0x00007FFD61469000-memory.dmp

Filesize
3.5MB

Download
memory/2772-405-0x00007FFD72720000-0x00007FFD72763000-memory.dmp

Filesize
268KB

Download
memory/2772-436-0x00007FFD60D30000-0x00007FFD60D52000-memory.dmp

Filesize
136KB

Download
memory/2772-277-0x00007FFD67AE0000-0x00007FFD67AEB000-memory.dmp

Filesize
44KB

Download
memory/2772-278-0x00007FFD67AB0000-0x00007FFD67ABE000-memory.dmp

Filesize
56KB

Download
memory/2772-262-0x00007FFD730C0000-0x00007FFD730DC000-memory.dmp

Filesize
112KB

Download
memory/2772-263-0x00007FFD67C00000-0x00007FFD67C37000-memory.dmp

Filesize
220KB

Download
memory/2772-259-0x00007FFD60D90000-0x00007FFD60F0A000-memory.dmp

Filesize
1.5MB

Download
memory/2772-258-0x00007FFD72720000-0x00007FFD72763000-memory.dmp

Filesize
268KB

Download
memory/2772-256-0x00007FFD68D70000-0x00007FFD68D8F000-memory.dmp

Filesize
124KB

Download
memory/2772-252-0x00007FFD60F10000-0x00007FFD61028000-memory.dmp

Filesize
1.1MB

Download
memory/2772-248-0x00007FFD727F0000-0x00007FFD727FB000-memory.dmp

Filesize
44KB

Download
memory/2772-249-0x00007FFD68D90000-0x00007FFD68DB7000-memory.dmp

Filesize
156KB

Download
memory/2772-246-0x00007FFD72830000-0x00007FFD7285E000-memory.dmp

Filesize
184KB

Download
memory/2772-242-0x00007FFD71D70000-0x00007FFD71D85000-memory.dmp

Filesize
84KB

Download
memory/2772-237-0x00007FFD610F0000-0x00007FFD61469000-memory.dmp

Filesize
3.5MB

Download
memory/2772-238-0x00007FFD73330000-0x00007FFD73349000-memory.dmp

Filesize
100KB

Download
memory/2772-239-0x00007FFD61030000-0x00007FFD610E8000-memory.dmp

Filesize
736KB

Download
memory/2772-233-0x00007FFD726D0000-0x00007FFD726FE000-memory.dmp

Filesize
184KB

Download
memory/2772-229-0x00007FFD730C0000-0x00007FFD730DC000-memory.dmp

Filesize
112KB

Download
memory/2772-224-0x00007FFD72720000-0x00007FFD72763000-memory.dmp

Filesize
268KB

Download
memory/2772-201-0x00007FFD73330000-0x00007FFD73349000-memory.dmp

Filesize
100KB

Download
memory/2772-204-0x00007FFD76400000-0x00007FFD7640D000-memory.dmp

Filesize
52KB

Download
memory/2772-209-0x00007FFD76280000-0x00007FFD7628D000-memory.dmp

Filesize
52KB

Download
memory/2772-210-0x00007FFD72830000-0x00007FFD7285E000-memory.dmp

Filesize
184KB

Download
memory/2772-217-0x00007FFD61470000-0x00007FFD6152C000-memory.dmp

Filesize
752KB

Download
memory/2772-218-0x00007FFD72800000-0x00007FFD7282B000-memory.dmp

Filesize
172KB

Download
memory/2772-219-0x00007FFD76410000-0x00007FFD76434000-memory.dmp

Filesize
144KB

Download
memory/2772-216-0x00007FFD61AD0000-0x00007FFD61F36000-memory.dmp

Filesize
4.4MB

Download
memory/2772-198-0x00007FFD730E0000-0x00007FFD73115000-memory.dmp

Filesize
212KB

Download
memory/2772-186-0x00007FFD76410000-0x00007FFD76434000-memory.dmp

Filesize
144KB

Download
memory/2772-192-0x00007FFD73850000-0x00007FFD73868000-memory.dmp

Filesize
96KB

Download
memory/2772-194-0x00007FFD736A0000-0x00007FFD736CC000-memory.dmp

Filesize
176KB

Download
memory/2772-189-0x00007FFD78BA0000-0x00007FFD78BAF000-memory.dmp

Filesize
60KB

Download
memory/2772-178-0x00007FFD61AD0000-0x00007FFD61F36000-memory.dmp

Filesize
4.4MB

Download