2115a3bcca4d1396f20bccb83edc159181713981fe2258795199ef0e20b48658

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20250207-en
resource tags

arch:x64arch:x86image:win10v2004-20250207-enlocale:en-usos:windows10-2004-x64system
submitted
16-02-2025 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

29.9MB
MD5

2bf7a91152bef1ad1612024cd9ed291b
SHA1

131e31ceb448532e92cce9be36939f2ffc2b19e8
SHA256

2115a3bcca4d1396f20bccb83edc159181713981fe2258795199ef0e20b48658
SHA512

3db56487d529fde1c977b05bf7b38b15e573acdc7a2554bd4ec7736cbd30cd1b234fa258014efd41f4b1bb86aa81aca76361adf0f99135bdf4ebab9e8009a2fa
SSDEEP

786432:Row/lOW8ClOEl8dPXAflso7wFieDNVQe:vlOW5lzlmPUlsmoNX

Score

8^/10

adware discovery persistence privilege_escalation stealer upx

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge"	setup.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
37	1196	Process not Found

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 10 IoCs

pid	Process
3188	setup.exe
4952	setup.exe
432	setup.exe
4768	setup.exe
4356	setup.exe
3096	setup.exe
3064	setup.exe
532	setup.exe
2648	setup.exe
1876	setup.exe

Loads dropped DLL 48 IoCs

pid	Process
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe
4404	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk	setup.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x00070000000242b5-1155.dat	upx
behavioral2/memory/4404-1159-0x00007FF847690000-0x00007FF847CF4000-memory.dmp	upx
behavioral2/files/0x0007000000023e93-1161.dat	upx
behavioral2/memory/4404-1169-0x00007FF85F590000-0x00007FF85F59F000-memory.dmp	upx
behavioral2/files/0x0007000000024273-1168.dat	upx
behavioral2/memory/4404-1167-0x00007FF85A650000-0x00007FF85A677000-memory.dmp	upx
behavioral2/memory/4404-1172-0x00007FF85E5E0000-0x00007FF85E5F9000-memory.dmp	upx
behavioral2/files/0x0007000000023e91-1171.dat	upx
behavioral2/files/0x0007000000023e97-1173.dat	upx
behavioral2/files/0x000700000002424b-1215.dat	upx
behavioral2/memory/4404-1217-0x00007FF85C9F0000-0x00007FF85CA04000-memory.dmp	upx
behavioral2/files/0x0007000000024249-1213.dat	upx
behavioral2/files/0x0007000000023ea2-1212.dat	upx
behavioral2/files/0x0007000000023ea1-1211.dat	upx
behavioral2/files/0x0007000000023e9b-1210.dat	upx
behavioral2/files/0x0007000000023e9a-1209.dat	upx
behavioral2/files/0x0007000000023e96-1216.dat	upx
behavioral2/files/0x0007000000024272-1218.dat	upx
behavioral2/memory/4404-1219-0x00007FF847150000-0x00007FF847683000-memory.dmp	upx
behavioral2/memory/4404-1223-0x00007FF85A0B0000-0x00007FF85A0BD000-memory.dmp	upx
behavioral2/memory/4404-1227-0x00007FF847690000-0x00007FF847CF4000-memory.dmp	upx
behavioral2/memory/4404-1231-0x00007FF856850000-0x00007FF85685D000-memory.dmp	upx
behavioral2/memory/4404-1236-0x00007FF8563D0000-0x00007FF8563F8000-memory.dmp	upx
behavioral2/memory/4404-1235-0x00007FF85E5E0000-0x00007FF85E5F9000-memory.dmp	upx
behavioral2/memory/4404-1234-0x00007FF8565A0000-0x00007FF8565AB000-memory.dmp	upx
behavioral2/memory/4404-1237-0x00007FF855C80000-0x00007FF855D33000-memory.dmp	upx
behavioral2/memory/4404-1233-0x00007FF85F590000-0x00007FF85F59F000-memory.dmp	upx
behavioral2/files/0x000700000002425e-1232.dat	upx
behavioral2/memory/4404-1230-0x00007FF85A650000-0x00007FF85A677000-memory.dmp	upx
behavioral2/memory/4404-1229-0x00007FF856400000-0x00007FF8564CE000-memory.dmp	upx
behavioral2/files/0x000700000002427b-1226.dat	upx
behavioral2/memory/4404-1225-0x00007FF8565B0000-0x00007FF8565E3000-memory.dmp	upx
behavioral2/files/0x00070000000242b9-1222.dat	upx
behavioral2/memory/4404-1221-0x00007FF85ABF0000-0x00007FF85AC09000-memory.dmp	upx
behavioral2/files/0x0007000000023e99-1208.dat	upx
behavioral2/files/0x0007000000023e98-1207.dat	upx
behavioral2/files/0x0007000000023e95-1205.dat	upx
behavioral2/files/0x0007000000023e94-1204.dat	upx
behavioral2/files/0x0007000000023e92-1203.dat	upx
behavioral2/files/0x0007000000023e90-1202.dat	upx
behavioral2/files/0x00070000000242e6-1201.dat	upx
behavioral2/memory/4404-1239-0x00007FF856590000-0x00007FF85659F000-memory.dmp	upx
behavioral2/memory/4404-1238-0x00007FF85C9F0000-0x00007FF85CA04000-memory.dmp	upx
behavioral2/files/0x00070000000242dc-1199.dat	upx
behavioral2/files/0x00070000000242db-1198.dat	upx
behavioral2/files/0x00070000000242d0-1197.dat	upx
behavioral2/memory/4404-1246-0x00007FF8565B0000-0x00007FF8565E3000-memory.dmp	upx
behavioral2/memory/4404-1251-0x00007FF8561D0000-0x00007FF8561DE000-memory.dmp	upx
behavioral2/memory/4404-1250-0x00007FF8561E0000-0x00007FF8561ED000-memory.dmp	upx
behavioral2/memory/4404-1249-0x00007FF856400000-0x00007FF8564CE000-memory.dmp	upx
behavioral2/memory/4404-1258-0x00007FF856590000-0x00007FF85659F000-memory.dmp	upx
behavioral2/memory/4404-1262-0x00007FF8560E0000-0x00007FF8560EC000-memory.dmp	upx
behavioral2/memory/4404-1261-0x00007FF8560F0000-0x00007FF856102000-memory.dmp	upx
behavioral2/memory/4404-1260-0x00007FF856110000-0x00007FF85611D000-memory.dmp	upx
behavioral2/memory/4404-1259-0x00007FF856120000-0x00007FF85612B000-memory.dmp	upx
behavioral2/memory/4404-1266-0x00007FF856030000-0x00007FF856044000-memory.dmp	upx
behavioral2/memory/4404-1265-0x00007FF856050000-0x00007FF856062000-memory.dmp	upx
behavioral2/memory/4404-1264-0x00007FF8561D0000-0x00007FF8561DE000-memory.dmp	upx
behavioral2/memory/4404-1263-0x00007FF856070000-0x00007FF856086000-memory.dmp	upx
behavioral2/memory/4404-1257-0x00007FF856190000-0x00007FF85619C000-memory.dmp	upx
behavioral2/memory/4404-1268-0x00007FF855C60000-0x00007FF855C7B000-memory.dmp	upx
behavioral2/memory/4404-1267-0x00007FF856000000-0x00007FF856022000-memory.dmp	upx
behavioral2/memory/4404-1256-0x00007FF8561A0000-0x00007FF8561AB000-memory.dmp	upx
behavioral2/memory/4404-1269-0x00007FF855990000-0x00007FF8559A8000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ko.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\edge_feedback\mf_trace.wprp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\AdSelectionAttestationsPreloaded\ad-selection-attestations.dat	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\pt-PT.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\WidevineCdm\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Mu\Content	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\bg.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\es.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\et.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\mt.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\pa.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\prefs_enclave_x64.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\da.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\identity_proxy\win11\identity_helper.Sparse.Canary.msix	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\edge_game_assist\EdgeGameAssist.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\edge_feedback\mf_trace.wprp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\dxcompiler.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Advertising	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\nb.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\fr-CA.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_helper.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\VisualElements\SmallLogoCanary.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\edge_game_assist\VERSION	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\VisualElements\SmallLogoDev.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\fil.pak	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\metadata	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedgewebview2.exe	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\resources.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\hr.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\lo.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\icudtl.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\identity_proxy\win10\identity_helper.Sparse.Internal.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\edge_game_assist\VERSION	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\lo.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\uk.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\cs.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\uk.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\3188_13384143822889518_3188.pma	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\pt-PT.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\VisualElements\Logo.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\as.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\sq.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\MEIPreload\preloaded_data.pb	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\microsoft_shell_integration.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Trust Protection Lists\Sigma\Cryptomining	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\gd.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\delegatedWebFeatures.sccd	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\qu.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\VisualElements\LogoBeta.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\tt.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\he.pak	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\ko.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\nb.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Locales\th.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\EBWebView\x86\EmbeddedBrowserWebView.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\nb.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\or.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\vk_swiftshader.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Locales\ne.pak	setup.exe
File opened for modification	C:\Program Files\MsEdgeCrashpad\settings.dat	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\msedge_elf.dll	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2628	MicrosoftEdgeUpdate.exe

Modifies Internet Explorer settings 1 TTPs 26 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\Software\Microsoft\Internet Explorer\GPU	wwahost.exe
Key created	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	wwahost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\BHO"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0"	setup.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge	setup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\ = "IEToEdgeBHO Class"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\OpenWithProgids\MSEdgePDF	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FCBE96C-1697-43AF-9140-2897C7C69767}\AppID = "{1FCBE96C-1697-43AF-9140-2897C7C69767}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\CLSID\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\URL Protocol	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgePDF\Application	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\AppUserModelId = "MSEdge"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\Application\ApplicationCompany = "Microsoft Corporation"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\runas\command	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.mht\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\shell\open\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" \"%1\""	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.shtml	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\EnablePreviewHandler = "1"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeMHT	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.webp\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	wwahost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xht	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\microsoft-edge\ = "URL:microsoft-edge"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.mht	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	wwahost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\AppUserModelId = "MSEdge"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Programmable\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\AppID = "{6d2b5079-2f0b-48dd-ab7f-97cec514d30b}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\AppID = "{6d2b5079-2f0b-48dd-ab7f-97cec514d30b}"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xhtml	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mhtml\OpenWithProgIds\MSEdgeMHT	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C}	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{B54934CD-71A6-4698-BDC2-AFEA5B86504C}\InprocServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\image/svg+xml\Extension = ".svg"	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\DomStorageState\EdpState = "0"	wwahost.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.59\\PdfPreview\\PdfPreviewHandler.dll"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeHTM\shell\runas\command	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\shell\runas\ProgrammaticAccessOnly	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.htm\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\AppId = "{628ACE20-B77A-456F-A88D-547DB6CEEDD5}"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\DisplayName = "PDF Preview Handler"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\InProcServer32	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME\Database\Content Type\	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO.1\CLSID\ = "{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Settings\Cache\Content	wwahost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.shtml\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\shell\runas\ProgrammaticAccessOnly	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationDescription = "Browse the web"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.svg\OpenWithProgIds\MSEdgeHTM	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.pdf	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\open	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib\ = "{C9C2B807-7731-4F34-81B7-44FF7779522B}"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-194335498-2604837297-537231065-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftofficehub_8wekyb3d8bbwe\Internet Explorer\DOMStorage\office.com\ = "0"	wwahost.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4356	setup.exe
4356	setup.exe
180	LocalBridge.exe
180	LocalBridge.exe
180	LocalBridge.exe
180	LocalBridge.exe
180	LocalBridge.exe
180	LocalBridge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	3188	setup.exe
Token: SeIncBasePriorityPrivilege	3188	setup.exe
Token: SeDebugPrivilege	4468	wwahost.exe
Token: SeDebugPrivilege	4468	wwahost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4468	wwahost.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 456 wrote to memory of 4404	456	setup.exe	90
PID 456 wrote to memory of 4404	456	setup.exe	90
PID 5040 wrote to memory of 3188	5040	MicrosoftEdge_X64_133.0.3065.59.exe	110
PID 5040 wrote to memory of 3188	5040	MicrosoftEdge_X64_133.0.3065.59.exe	110
PID 3188 wrote to memory of 4952	3188	setup.exe	111
PID 3188 wrote to memory of 4952	3188	setup.exe	111
PID 3188 wrote to memory of 432	3188	setup.exe	112
PID 3188 wrote to memory of 432	3188	setup.exe	112
PID 432 wrote to memory of 4768	432	setup.exe	113
PID 432 wrote to memory of 4768	432	setup.exe	113
PID 3188 wrote to memory of 4356	3188	setup.exe	114
PID 3188 wrote to memory of 4356	3188	setup.exe	114
PID 3188 wrote to memory of 3096	3188	setup.exe	115
PID 3188 wrote to memory of 3096	3188	setup.exe	115
PID 4356 wrote to memory of 3064	4356	setup.exe	116
PID 4356 wrote to memory of 3064	4356	setup.exe	116
PID 3188 wrote to memory of 532	3188	setup.exe	117
PID 3188 wrote to memory of 532	3188	setup.exe	117
PID 3096 wrote to memory of 2648	3096	setup.exe	118
PID 3096 wrote to memory of 2648	3096	setup.exe	118
PID 532 wrote to memory of 1876	532	setup.exe	119
PID 532 wrote to memory of 1876	532	setup.exe	119

System policy modification 1 TTPs 4 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1"	setup.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:456
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Loads dropped DLL
  PID:4404

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QjZDNjEzMTQtOEFDMy00OTdGLUI5Q0EtM0IwMTNGQTk3ODIyfSIgdXNlcmlkPSJ7M0Y5QzI5OTAtQTFDQy00NDUxLTlDM0YtN0IwNDA1QjQzRjI1fSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MzE2RDFGRjAtRUI0Mi00NTQyLUEwOTgtOERBQ0VEM0RFQjdCfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI4IiBpbnN0YWxsZGF0ZXRpbWU9IjE3Mzg5NDcxNzgiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4MzQxOTY4MDM3MTAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDE4NzA1MDkwIi8-PC9hcHA-PC9yZXF1ZXN0Pg
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:2628

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E9166EE2-DC6B-4B7F-87AC-49860D61C726}\MicrosoftEdge_X64_133.0.3065.59.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E9166EE2-DC6B-4B7F-87AC-49860D61C726}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
1⤵
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E9166EE2-DC6B-4B7F-87AC-49860D61C726}\EDGEMITMP_2D4D1.tmp\setup.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E9166EE2-DC6B-4B7F-87AC-49860D61C726}\EDGEMITMP_2D4D1.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E9166EE2-DC6B-4B7F-87AC-49860D61C726}\MicrosoftEdge_X64_133.0.3065.59.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:3188
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E9166EE2-DC6B-4B7F-87AC-49860D61C726}\EDGEMITMP_2D4D1.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E9166EE2-DC6B-4B7F-87AC-49860D61C726}\EDGEMITMP_2D4D1.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E9166EE2-DC6B-4B7F-87AC-49860D61C726}\EDGEMITMP_2D4D1.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff741236a68,0x7ff741236a74,0x7ff741236a80
    3⤵
    - Executes dropped EXE
    PID:4952
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E9166EE2-DC6B-4B7F-87AC-49860D61C726}\EDGEMITMP_2D4D1.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E9166EE2-DC6B-4B7F-87AC-49860D61C726}\EDGEMITMP_2D4D1.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:432
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E9166EE2-DC6B-4B7F-87AC-49860D61C726}\EDGEMITMP_2D4D1.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E9166EE2-DC6B-4B7F-87AC-49860D61C726}\EDGEMITMP_2D4D1.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{E9166EE2-DC6B-4B7F-87AC-49860D61C726}\EDGEMITMP_2D4D1.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff741236a68,0x7ff741236a74,0x7ff741236a80
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:4768
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4356
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7903e6a68,0x7ff7903e6a74,0x7ff7903e6a80
      4⤵
      Executes dropped EXE
      PID:3064
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:3096
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7903e6a68,0x7ff7903e6a74,0x7ff7903e6a80
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:2648
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    PID:532
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.60 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.59\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.59 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7903e6a68,0x7ff7903e6a74,0x7ff7903e6a80
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:1876

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k AppReadiness -p -s AppReadiness
1⤵
PID:692

C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe
"C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\LocalBridge.exe" /InvokerPRAID: Microsoft.MicrosoftOfficeHub prelaunch
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:180

C:\Windows\system32\wwahost.exe
"C:\Windows\system32\wwahost.exe" -ServerName:Microsoft.MicrosoftOfficeHub.wwa
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.59\Installer\setup.exe

Filesize
6.8MB

MD5
1b3e9c59f9c7a134ec630ada1eb76a39

SHA1
a7e831d392e99f3d37847dcc561dd2e017065439

SHA256
ce78ccfb0c9cdb06ea61116bc57e50690650b6b5cf37c1aebfb30c19458ee4ae

SHA512
c0e50410dc92d80ff7bc854907774fc551564e078a8d38ca6421f15cea50282c25efac4f357b52b066c4371f9b8d4900fa8122dd80ab06ecbd851c6e049f7a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\SDL2.dll

Filesize
635KB

MD5
ec3c1d17b379968a4890be9eaab73548

SHA1
7dbc6acee3b9860b46c0290a9b94a344d1927578

SHA256
aaa11e97c3621ed680ff2388b91acb394173b96a6e8ffbf3b656079cd00a0b9f

SHA512
06a7880ec80174b48156acd6614ab42fb4422cd89c62d11a7723a3c872f213bfc6c1006df8bdc918bb79009943d2b65c6a5c5e89ad824d1a940ddd41b88a1edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\SDL2_image.dll

Filesize
58KB

MD5
25e2a737dcda9b99666da75e945227ea

SHA1
d38e086a6a0bacbce095db79411c50739f3acea4

SHA256
22b27380d4f1f217f0e5d5c767e5c244256386cd9d87f8ddf303baaf9239fc4c

SHA512
63de988387047c17fd028a894465286fd8f6f8bd3a1321b104c0ceb5473e3e0b923153b4999143efbdd28684329a33a5b468e43f25214037f6cddd4d1884adb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\SDL2_mixer.dll

Filesize
124KB

MD5
b7b45f61e3bb00ccd4ca92b2a003e3a3

SHA1
5018a7c95dc6d01ba6e3a7e77dd26c2c74fd69bc

SHA256
1327f84e3509f3ccefeef1c12578faf04e9921c145233687710253bf903ba095

SHA512
d3449019824124f3edbda57b3b578713e9c9915e173d31566cd8e4d18f307ac0f710250fe6a906dd53e748db14bfa76ec1b58a6aef7d074c913679a47c5fdbe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\SDL2_ttf.dll

Filesize
601KB

MD5
eb0ce62f775f8bd6209bde245a8d0b93

SHA1
5a5d039e0c2a9d763bb65082e09f64c8f3696a71

SHA256
74591aab94bb87fc9a2c45264930439bbc0d1525bf2571025cd9804e5a1cd11a

SHA512
34993240f14a89179ac95c461353b102ea74e4180f52c206250bb42c4c8427a019ea804b09a6903674ac00ab2a3c4c686a86334e483110e79733696aa17f4eb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\VCRUNTIME140_1.dll

Filesize
48KB

MD5
68156f41ae9a04d89bb6625a5cd222d4

SHA1
3be29d5c53808186eba3a024be377ee6f267c983

SHA256
82a2f9ae1e6146ae3cb0f4bc5a62b7227e0384209d9b1aef86bbcc105912f7cd

SHA512
f7bf8ad7cd8b450050310952c56f6a20b378a972c822ccc253ef3d7381b56ffb3ca6ce3323bea9872674ed1c02017f78ab31e9eb9927fc6b3cba957c247e5d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\_asyncio.pyd

Filesize
38KB

MD5
7f59c16979faddfc2f032d0e94bfd8fe

SHA1
c2c319d0727c20ab71594b04c34bdae7823b2ad3

SHA256
bb405bb73362b4820b7f387e5372df5aabcdb4e4dc2797481beb2f8be6e6373b

SHA512
9be4e48d3531c2845b6fcfc0f6fbbd9cdddf31c857e2a73830ad1a6afec66e0037810a1da4b36816dc9d0e6f5ad77b6e51b85551d392ef5ebbb5c4fa055a5ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\_bz2.pyd

Filesize
50KB

MD5
c4e64cbe6b9379f3474f6046dd9cec3d

SHA1
f1987343d5f8454e705e5688eeceb78f560b9f1d

SHA256
7796bf2d1603f012afdd9f2c62e206a785ea86babd9ef95d4bd1239b44f3cbf5

SHA512
5bee050c4947d312b1078a403c691efefe61100e69c65154c2642d77f4ef2005325672713d54bfac152652ca7dd9ac2a8a105a901db521fc70e226177fa70e46

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\_cffi_backend.cp313-win_amd64.pyd

Filesize
71KB

MD5
345b9e4fe71e70b8188a739bab2f6163

SHA1
3c88da659602a8dfb07602e36221ab4185010530

SHA256
56dd9d1092fffdefc47b5963ee9d8ba2a9a8270d959fe00d43e927300abdee94

SHA512
dd929cf31678924435736011cdb06a2cf77cbac300874621bda1f67f7857d1aa84523d15231891eb74f66019efa4d0e7aee640f92293436205cddc74062ef899

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\_ctypes.pyd

Filesize
64KB

MD5
037060b590de06056635185f8e1c01e0

SHA1
4ba375457c23e6a259091a9f5ebbbadd46b5baaa

SHA256
2b6a9ee332704d5c32876534d52cd547af983090fff5a1f7f7893284ec86b237

SHA512
01553bd5d0f56edeb5995c42a6ecd64163fef7b144ba7ec38e6fac0a32f651263373419c3ebe4f646d4967edc2a7b60455d35bb2a450f700b601f369f2ccf134

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\_decimal.pyd

Filesize
119KB

MD5
c79ad2a39b1c2c492018a2136fcfe09b

SHA1
1835ace8afb490e7b13f717c1b87d0909315549a

SHA256
28975ef6e43de7060b41bfc725ce21caacab55c368ab2193c41f809ed22c1dee

SHA512
e3710174c2f8caeec0bf89db62f91ffd903b1921bf0c14b5c1b639ce30d658f6716551e4dfac34137466caae17ee366951b66213f0ecb125990b61123b271531

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\_elementtree.pyd

Filesize
61KB

MD5
214370927d31ba80cac972fe49d264cb

SHA1
eb927e9a5b2f3db829a2181271f35abac1dfb7af

SHA256
10fa9a8662844a6c0213b032242548a21e1a67acdb2764a69f2bd6829bc7984f

SHA512
a4908f89e33f53283e993612b076c2e0e8e62724f2aa1a7cce970e0ee0ddcd4b267790a1c18dd6b16f4eb3bab8af0b8f85f823e5f4cf43b5e28c672c108abae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\_hashlib.pyd

Filesize
36KB

MD5
4276f79bceec3e2c22dcf6b08168aa8b

SHA1
abf7e43856d09769ac2732f2c7213db5a1afb25b

SHA256
9f2a7b98dcd8d60268f84e9107a66d41a912d8935470c842fa316467965a96db

SHA512
982fde172b6b0aebf145d360e33ce23e5b54a72a4f69183c73c8b00552edce2ece14e673811397f468e7422a279d94e84b875acf2a2c4d6d0406c5e9f0536a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\_lzma.pyd

Filesize
87KB

MD5
d23d7a900c19a7240e74f8250e587939

SHA1
1f3e06eca9391f95b4265cf22e469d9bdcb7566c

SHA256
a85ade4ce4a955f789cc03b965930dfce6130e15c4ad998629f0a430861c8c1a

SHA512
df8b1b9980ddd90cb91ecb5462c74d8d8fa34838f8187471f350d2e5875efc59200c0acbd4cc821ade0061a0ce729aca2701ca9b289203d8bef988d42ff92791

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\_multiprocessing.pyd

Filesize
29KB

MD5
eeab027eb533a71710e4a4c4e2fa81f5

SHA1
03205932bf5de8f6747d2978ac9262d8eeef895f

SHA256
b7afd23c4c19abd518ce04f45c55008636dcc837088c3b39e33ac2ecb0e42f6e

SHA512
ea14ba911069efa12052292aa0652b5cc883f2686fb6bd8b9bd8735e5114a3fa5298ef78656d20f87f3b6e4dda185447ebef94e222ddf4d9e70e83f4c3e9ad5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\_overlapped.pyd

Filesize
35KB

MD5
ec52defd68e1214e6d284e27c4cf46e9

SHA1
c581b0b1576f893a2930fb10b1df4c6dc82ecf0c

SHA256
5e6a86bc5d0a348408fe921dcebff835a834940fa299e2cfb81061e93410f006

SHA512
62995e58337122ef48594c9cdfb31dacde4db54c57a9afd785a4cc344ed840240530103bc05d5af7160de849ecd5c61825733ff7afdc71944afd452c2d10d36e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\_queue.pyd

Filesize
27KB

MD5
9701e2d0bd0317ad2ebb42d502b76b82

SHA1
868b2cc959e36407dabfe285c9904fa83945758e

SHA256
e2516ae86522c20bc0550006e69ab02dab4fe3e516472ab9ff8fda556908f9a2

SHA512
d14dfddb1f78c68b656671620064c187edcb4ed79443411366e05507ce1582dbf460be7cbb85645f63d58ace176a070b013770bfed4e77dc1847d88e7393ef9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\_socket.pyd

Filesize
45KB

MD5
699d6563183bcae9e9d2175724ff755b

SHA1
92c65dfa028097b694ffff26a3e2679f1662e3f2

SHA256
9c10c27c1f551cb6d7b5ae0383b4844af129a6cb55028a9e0d87bf60fe01c8e4

SHA512
3e8641a68076301f74e137d6e7710618b2ea3974bc2e5c7325ee34d07d5e2c684f475692588b47e19afe408b3f4e1dcdfd383fafdc21115ad777d39484814749

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\_sqlite3.pyd

Filesize
59KB

MD5
23b94c287b22e6a317123694ef0663c1

SHA1
78c553e42222f2afe3f5bfc2cfdc345a144ec03e

SHA256
0ae8c1bcd0d93d41d2aa881094b42083222bc94493cec12d1b68e4e572b69c4e

SHA512
c62d43b1196c5751235843aac63c69d2802ab1da25879839c7a9a2faaed97f67c3951f78f09a571fd5cd7bc7271226403088a8342730936460c86779b0eee9b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\_ssl.pyd

Filesize
68KB

MD5
8d3b1a1ac22b6a02eb8584acf0b78b9d

SHA1
eed4c961b617e5e23d6adda3936990a50a523e6d

SHA256
d9515555b162d59f9e75b8ab4019033c2d51aca7e4b3ef3a62dcd8ff251886ba

SHA512
65c52e49291d99d56c076ff700d3a71aad48b47f9799a534c8d7e21de1fd6e5c1108c9e387631076849fa36315d10b8d667500d48ce26268fad731005db18ec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\_tkinter.pyd

Filesize
40KB

MD5
0b0d437cc1f778086ec4a9be2c56fb6c

SHA1
049b846bab3f4c3cb9379ea941ea8914cfe729c2

SHA256
a78f45ed8dda40723e69ad5a36a455c375b383c723aab23d230e6ec5dec2f618

SHA512
d303bbb66a3ed9fb286bbd58e1c3fcd4e7a7a1bf6ec9229ab60961766592da5f5a06388c48597b5aa518f35a60cf536b2a07aae85402c0ebef68793751f1db2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\_uuid.pyd

Filesize
27KB

MD5
ccf609ae4416f13fcb80a122c4345348

SHA1
be60263e7cbb2702733a37513d5fb717f6b30216

SHA256
99e97e0af615f43150778aaa44d82bc58b70bf595a8412cfafcc5d38be38bdfb

SHA512
9dfe0e4aa31e50e5b799cdc86a276c6576ffc44c919657e4230e17c9b739b8e69e0865eed38ab9ec0b07e77090a6f2c03c415e68fa431fde108d2d92cb3e8987

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\_wmi.pyd

Filesize
30KB

MD5
b05038e355519e16b555d405e9c19927

SHA1
f3b2468b3d16fcaaf4c4d28ab2dd9ad7b31b9b3b

SHA256
ef3e38977c56a5d7e941ff89a86420fa2ae11e53a8837272b38d75462e684bf6

SHA512
e1da404f1e56828ab63afe9c29fddd0300295703d2528727b13f49d896eac6a55411b217cad55053c540caffcac0312aee22d7d3288c12ebe0a39a15a7c1b50b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\base_library.zip

Filesize
1.3MB

MD5
ff28ffc0eaa6d065a089be95499ed420

SHA1
50760f037e8b41e5aca03454bbfae14d52cb3744

SHA256
3c962eafc5a4389d434d6f506f03b107bf0d52db81db49fe8684e919b9ca847e

SHA512
ec6584352a4fea82499960913fb0d99ce22c09cac989b39acf93bd5013dc2650c4ad8d85f69993f618b4b42bbeef772b925c7eb8e37eaeb3a0936f991f3ce86e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\charset_normalizer\md.cp313-win_amd64.pyd

Filesize
9KB

MD5
499b4daf2025955396752d47aa542cbf

SHA1
40eda0bfe656c8dedad6483ff6dfcde4a3c09dee

SHA256
2d500e623d0050012e3b029b6c1814e2464ea9941d07208d6daf0ddcd5adbd99

SHA512
6e39a8b0ce27eede4d866b793c74c8e40c98739d3862f68aad28100f33f681e7a94e21942e0d03e1f06ee5d54d500796f54873b5ab149ef1428a831a7d367c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\crypto_clipper.json

Filesize
155B

MD5
8bff94a9573315a9d1820d9bb710d97f

SHA1
e69a43d343794524b771d0a07fd4cb263e5464d5

SHA256
3f7446866f42bcbeb8426324d3ea58f386f3171abe94279ea7ec773a4adde7d7

SHA512
d5ece1ea9630488245c578cb22d6d9d902839e53b4550c6232b4fb9389ef6c5d5392426ea4a9e3c461979d6d6aa94ddf3b2755f48e9988864788b530cdfcf80f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\freetype.dll

Filesize
292KB

MD5
04a9825dc286549ee3fa29e2b06ca944

SHA1
5bed779bf591752bb7aa9428189ec7f3c1137461

SHA256
50249f68b4faf85e7cd8d1220b7626a86bc507af9ae400d08c8e365f9ab97cde

SHA512
0e937e4de6cbc9d40035b94c289c2798c77c44fc1dc7097201f9fab97c7ff9e56113c06c51693f09908283eda92945b36de67351f893d4e3162e67c078cff4ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\libcrypto-3.dll

Filesize
1.6MB

MD5
ecf92d1e849c1a4b89ed9dac0c2d732d

SHA1
bd2dbf194e9c891f27ef5b4521318d3804f76425

SHA256
afc166f8f1906cd75b4de9f7c72e92e36e4282437a02fedadb5ec3145c33c3a1

SHA512
44e3d6b37a11b715efb77c28c1c4fca4c25ba7f663183bcef4ba52e9c5271715f43f7b22b6307c6d8788c1ea4e8b709060b0a711aeae249164ba7bfd1d571f89

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\libffi-8.dll

Filesize
29KB

MD5
013a0b2653aa0eb6075419217a1ed6bd

SHA1
1b58ff8e160b29a43397499801cf8ab0344371e7

SHA256
e9d8eb01bb9b02ce3859ba4527938a71b4668f98897d46f29e94b27014036523

SHA512
0bd13fa1d55133ee2a96387e0756f48133987bacd99d1f58bab3be7bffdf868092060c17ab792dcfbb4680f984f40d3f7cc24abdd657b756496aa8884b8f6099

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\libjpeg-9.dll

Filesize
108KB

MD5
c22b781bb21bffbea478b76ad6ed1a28

SHA1
66cc6495ba5e531b0fe22731875250c720262db1

SHA256
1eed2385030348c84bbdb75d41d64891be910c27fab8d20fc9e85485fcb569dd

SHA512
9b42cad4a715680a27cd79f466fd2913649b80657ff042528cba2946631387ed9fb027014d215e1baf05839509ca5915d533b91aa958ae0525dea6e2a869b9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\libmodplug-1.dll

Filesize
117KB

MD5
2bb2e7fa60884113f23dcb4fd266c4a6

SHA1
36bbd1e8f7ee1747c7007a3c297d429500183d73

SHA256
9319bf867ed6007f3c61da139c2ab8b74a4cb68bf56265a101e79396941f6d3b

SHA512
1ddd4b9b9238c1744e0a1fe403f136a1def8df94814b405e7b01dd871b3f22a2afe819a26e08752142f127c3efe4ebae8bfd1bd63563d5eb98b4644426f576b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\libogg-0.dll

Filesize
16KB

MD5
0d65168162287df89af79bb9be79f65b

SHA1
3e5af700b8c3e1a558105284ecd21b73b765a6dc

SHA256
2ec2322aec756b795c2e614dab467ef02c3d67d527ad117f905b3ab0968ccf24

SHA512
69af81fd2293c31f456b3c78588bb6a372fe4a449244d74bfe5bfaa3134a0709a685725fa05055cfd261c51a96df4b7ebd8b9e143f0e9312c374e54392f8a2c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\libopus-0.dll

Filesize
181KB

MD5
3fb9d9e8daa2326aad43a5fc5ddab689

SHA1
55523c665414233863356d14452146a760747165

SHA256
fd8de9169ccf53c5968eec0c90e9ff3a66fb451a5bf063868f3e82007106b491

SHA512
f263ea6e0fab84a65fe3a9b6c0fe860919eee828c84b888a5aa52dea540434248d1e810a883a2aff273cd9f22c607db966dd8776e965be6d2cfe1b50a1af1f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\libopus-0.x64.dll

Filesize
217KB

MD5
e56f1b8c782d39fd19b5c9ade735b51b

SHA1
3d1dc7e70a655ba9058958a17efabe76953a00b4

SHA256
fa8715dd0df84fdedbe4aa17763b2ab0db8941fa33421b6d42e25e59c4ae8732

SHA512
b7702e48b20a8991a5c537f5ba22834de8bb4ba55862b75024eace299263963b953606ee29e64d68b438bb0904273c4c20e71f22ccef3f93552c36fb2d1b2c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\libopusfile-0.dll

Filesize
26KB

MD5
2d5274bea7ef82f6158716d392b1be52

SHA1
ce2ff6e211450352eec7417a195b74fbd736eb24

SHA256
6dea07c27c0cc5763347357e10c3b17af318268f0f17c7b165325ce524a0e8d5

SHA512
9973d68b23396b3aa09d2079d18f2c463e807c9c1fdf4b1a5f29d561e8d5e62153e0c7be23b63975ad179b9599ff6b0cf08ebdbe843d194483e7ec3e7aeb232a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\libpng16-16.dll

Filesize
98KB

MD5
55009dd953f500022c102cfb3f6a8a6c

SHA1
07af9f4d456ddf86a51da1e4e4c5b54b0cf06ddb

SHA256
20391787cba331cfbe32fbf22f328a0fd48924e944e80de20ba32886bf4b6fd2

SHA512
4423d3ec8fef29782f3d4a21feeac9ba24c9c765d770b2920d47b4fb847a96ff5c793b20373833b4ff8bc3d8fa422159c64beffb78ce5768ed22742740a8c6c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\libssl-3.dll

Filesize
221KB

MD5
5b63295552454d570281d321e4ca7266

SHA1
d849e5c470d63953ec55f2d732fd6f611cb2c655

SHA256
cff180ce2bcf7daa19d6f3702e416f54a55eebfaff382f4b6d8ee00c0954b861

SHA512
a2286ca195b5a8287e8fbee6d20678e3bbefc7eb20f89e510bc94801239d08c8ea620603254fbfc6c6c0d5306dc38dc1f78a675d62e9bbb8a625ec4f7b894930

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\libtiff-5.dll

Filesize
127KB

MD5
ebad1fa14342d14a6b30e01ebc6d23c1

SHA1
9c4718e98e90f176c57648fa4ed5476f438b80a7

SHA256
4f50820827ac76042752809479c357063fe5653188654a6ba4df639da2fbf3ca

SHA512
91872eaa1f3f45232ab2d753585e650ded24c6cc8cc1d2a476fa98a61210177bd83570c52594b5ad562fc27cb76e034122f16a922c6910e4ed486da1d3c45c24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\libwebp-7.dll

Filesize
192KB

MD5
b0dd211ec05b441767ea7f65a6f87235

SHA1
280f45a676c40bd85ed5541ceb4bafc94d7895f3

SHA256
fc06b8f92e86b848a17eaf7ed93464f54ed1f129a869868a74a75105ff8ce56e

SHA512
eaeb83e46c8ca261e79b3432ec2199f163c44f180eb483d66a71ad530ba488eb4cdbd911633e34696a4ccc035e238bc250a8247f318aa2f0cd9759cad4f90fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\portmidi.dll

Filesize
18KB

MD5
0df0699727e9d2179f7fd85a61c58bdf

SHA1
82397ee85472c355725955257c0da207fa19bf59

SHA256
97a53e8de3f1b2512f0295b5de98fa7a23023a0e4c4008ae534acdba54110c61

SHA512
196e41a34a60de83cb24caa5fc95820fd36371719487350bc2768354edf39eeb6c7860ff3fd9ecf570abb4288523d7ab934e86e85202b9753b135d07180678cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\pyexpat.pyd

Filesize
89KB

MD5
46c06ec5b8f34ba97f7903a5d4e86a94

SHA1
bb9de5d26854c2481a014de43bde33b4d0ab6829

SHA256
e304d3d2baf8e9f7c967b7326c85c6035cedb15954b61200b68ab4131775b51b

SHA512
e7e08b04adaa4540ddfbcc734759246df0e287b4974fab8f38715a390e49e877699b1ee2cdc555942429a5bcae7de35548476613eeffb8064f844a566b4411fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\python3.DLL

Filesize
70KB

MD5
98b008be9834bfc362b4c2eef4e8cdb9

SHA1
a4a50ced1329c3986e3c1576f089b25aff5ffdf2

SHA256
4f93342b59addedbe45ebd973e6449ab85b11c0aab6ad7962124e293c5d03638

SHA512
d594ffd7d44d4d862475711973df87b08fb63a900ddfd87c7771ad27f0cc71e5fbdce92da4d4ad5856fe3cfb803257ce0b71cd8dc24ca5c421ddb1b9b44c7881

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\python313.dll

Filesize
1.8MB

MD5
6b3a16dc31065257b7845d9ff611e3c6

SHA1
8cf971ee772193a93e49f4701f817bc6245cf81c

SHA256
3cdc6a436aa16671deb975af8290654a134bb916299677a08438fc7e91e6f7e6

SHA512
1d219471032c882b2e624ec1df951f6a59ee8ba39459d8eb917aaeec6899d0af6782580a5dc43ed1bbe852587c52bea32ba93ea195940335e2a19cc120c53aec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\select.pyd

Filesize
26KB

MD5
27567abf9d4bc0b3e2d436d22e067cf0

SHA1
af0d35d561ed02c1dfb78be63da7a5e273a47274

SHA256
bb7627bdb7a2709f886c1f8336c805a549dec581c494fee6300a4f5ca7d68a87

SHA512
72d92dbb1bae7048c355108dc50a6622e4f32801a4bc754ae5a7b2b3a61ad3caf21831c261a3858c22c08d1c981902df00aa5b729683ed0dbc1db6f8a885e542

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\sqlite3.dll

Filesize
645KB

MD5
b5eef554c8aa0d25dd646e67a3d7cb8c

SHA1
fd485cbabbe68f85d7f62432e78acb9bcd23f8bc

SHA256
c0558cebfbe8e42bf22afcc61fe9307488d3d0de8936b3c0c025e6d4735b27c3

SHA512
cd8acc9bf8bda9570b37d3a97710e34c7bbaf44c2c0582ae81127ed5001d0513bcf38e13837903a4354ddb552403f4fb448de89809d20e99eb513aff6f7db521

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\tcl86t.dll

Filesize
661KB

MD5
85e80ff00391700f9a2070834b0e33a8

SHA1
728a04d86d2411f277ddbaef9add929c5f4cdfc1

SHA256
0e412a521c89dda73bdd5539dd0fd203576d17de4126e925597f6b531f0e4acd

SHA512
d703a5eb72b760059b88a90c4a9193b594a58279625bdc653d16cdfde43fe1f90efe59a3744854f83cf7fb9d40c4482703f32ccbdac28bc0b506739765e60bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\tk86t.dll

Filesize
637KB

MD5
9831f1324f9deb5b1fd835ab89eb1cfe

SHA1
f8f59a57fb44042642343da95e44c20f9b16d916

SHA256
7ebf6781c4f7dbefa440feb44cc87673fb42d117422b8ab2fea7de43c4eccf01

SHA512
8248509d6ddf99b87cf0f43f50cf5b6cbe1e2997449931f078d6def152970e3994fc3cf7ce31e916dd27d4b6c97b7825a0b5131c2a9f085e1fcc1876c7d16f35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\unicodedata.pyd

Filesize
261KB

MD5
d593ae5590e48e4da29af62f820c16cb

SHA1
4b3d5e087413dffee2f827851b39a05aa3756b54

SHA256
f56f152182af29d6e77c5a76de7255741606b7d0bbb60b475d190ef25ec43df8

SHA512
5f20f6e13978d707f13973eeb545a72cc64438247d4c1809a454a0987e74055f75e9c7b40542dbf9ac8d612350be3b68a040153c8bd6566498698ed5878091d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4562\zlib1.dll

Filesize
52KB

MD5
ee06185c239216ad4c70f74e7c011aa6

SHA1
40e66b92ff38c9b1216511d5b1119fe9da6c2703

SHA256
0391066f3e6385a9c0fe7218c38f7bd0b3e0da0f15a98ebb07f1ac38d6175466

SHA512
baae562a53d491e19dbf7ee2cff4c13d42de6833036bfdaed9ed441bcbf004b68e4088bd453b7413d60faaf1b334aee71241ba468437d49050b8ccfa9232425d

Download Submit
memory/180-2472-0x00000216AC770000-0x00000216AC778000-memory.dmp

Filesize
32KB

Download
memory/180-2471-0x00000216AC740000-0x00000216AC74A000-memory.dmp

Filesize
40KB

Download
memory/180-2470-0x0000021692230000-0x000002169223E000-memory.dmp

Filesize
56KB

Download
memory/180-2473-0x00000216ACA00000-0x00000216ACC49000-memory.dmp

Filesize
2.3MB

Download
memory/4404-1271-0x00007FF855940000-0x00007FF85598D000-memory.dmp

Filesize
308KB

Download
memory/4404-1223-0x00007FF85A0B0000-0x00007FF85A0BD000-memory.dmp

Filesize
52KB

Download
memory/4404-1262-0x00007FF8560E0000-0x00007FF8560EC000-memory.dmp

Filesize
48KB

Download
memory/4404-1261-0x00007FF8560F0000-0x00007FF856102000-memory.dmp

Filesize
72KB

Download
memory/4404-1260-0x00007FF856110000-0x00007FF85611D000-memory.dmp

Filesize
52KB

Download
memory/4404-1259-0x00007FF856120000-0x00007FF85612B000-memory.dmp

Filesize
44KB

Download
memory/4404-1266-0x00007FF856030000-0x00007FF856044000-memory.dmp

Filesize
80KB

Download
memory/4404-1265-0x00007FF856050000-0x00007FF856062000-memory.dmp

Filesize
72KB

Download
memory/4404-1264-0x00007FF8561D0000-0x00007FF8561DE000-memory.dmp

Filesize
56KB

Download
memory/4404-1263-0x00007FF856070000-0x00007FF856086000-memory.dmp

Filesize
88KB

Download
memory/4404-1257-0x00007FF856190000-0x00007FF85619C000-memory.dmp

Filesize
48KB

Download
memory/4404-1268-0x00007FF855C60000-0x00007FF855C7B000-memory.dmp

Filesize
108KB

Download
memory/4404-1267-0x00007FF856000000-0x00007FF856022000-memory.dmp

Filesize
136KB

Download
memory/4404-1256-0x00007FF8561A0000-0x00007FF8561AB000-memory.dmp

Filesize
44KB

Download
memory/4404-1269-0x00007FF855990000-0x00007FF8559A8000-memory.dmp

Filesize
96KB

Download
memory/4404-1255-0x00007FF855C80000-0x00007FF855D33000-memory.dmp

Filesize
716KB

Download
memory/4404-1254-0x00007FF8561B0000-0x00007FF8561BB000-memory.dmp

Filesize
44KB

Download
memory/4404-1270-0x00007FF856120000-0x00007FF85612B000-memory.dmp

Filesize
44KB

Download
memory/4404-1275-0x00007FF8558E0000-0x00007FF855912000-memory.dmp

Filesize
200KB

Download
memory/4404-1274-0x00007FF8560F0000-0x00007FF856102000-memory.dmp

Filesize
72KB

Download
memory/4404-1273-0x00007FF855920000-0x00007FF855931000-memory.dmp

Filesize
68KB

Download
memory/4404-1277-0x00007FF8558C0000-0x00007FF8558DE000-memory.dmp

Filesize
120KB

Download
memory/4404-1276-0x00007FF8560E0000-0x00007FF8560EC000-memory.dmp

Filesize
48KB

Download
memory/4404-1272-0x00007FF856110000-0x00007FF85611D000-memory.dmp

Filesize
52KB

Download
memory/4404-1249-0x00007FF856400000-0x00007FF8564CE000-memory.dmp

Filesize
824KB

Download
memory/4404-1253-0x00007FF8563D0000-0x00007FF8563F8000-memory.dmp

Filesize
160KB

Download
memory/4404-1252-0x00007FF8561C0000-0x00007FF8561CC000-memory.dmp

Filesize
48KB

Download
memory/4404-1248-0x00007FF8561F0000-0x00007FF8561FC000-memory.dmp

Filesize
48KB

Download
memory/4404-1247-0x00007FF856200000-0x00007FF85620B000-memory.dmp

Filesize
44KB

Download
memory/4404-1245-0x00007FF856380000-0x00007FF85638B000-memory.dmp

Filesize
44KB

Download
memory/4404-1244-0x00007FF856210000-0x00007FF85621C000-memory.dmp

Filesize
48KB

Download
memory/4404-1243-0x00007FF856220000-0x00007FF85622B000-memory.dmp

Filesize
44KB

Download
memory/4404-1242-0x00007FF856370000-0x00007FF85637C000-memory.dmp

Filesize
48KB

Download
memory/4404-1241-0x00007FF856390000-0x00007FF85639B000-memory.dmp

Filesize
44KB

Download
memory/4404-1240-0x00007FF847150000-0x00007FF847683000-memory.dmp

Filesize
5.2MB

Download
memory/4404-1250-0x00007FF8561E0000-0x00007FF8561ED000-memory.dmp

Filesize
52KB

Download
memory/4404-1251-0x00007FF8561D0000-0x00007FF8561DE000-memory.dmp

Filesize
56KB

Download
memory/4404-1246-0x00007FF8565B0000-0x00007FF8565E3000-memory.dmp

Filesize
204KB

Download
memory/4404-1238-0x00007FF85C9F0000-0x00007FF85CA04000-memory.dmp

Filesize
80KB

Download
memory/4404-1239-0x00007FF856590000-0x00007FF85659F000-memory.dmp

Filesize
60KB

Download
memory/4404-1221-0x00007FF85ABF0000-0x00007FF85AC09000-memory.dmp

Filesize
100KB

Download
memory/4404-1225-0x00007FF8565B0000-0x00007FF8565E3000-memory.dmp

Filesize
204KB

Download
memory/4404-1229-0x00007FF856400000-0x00007FF8564CE000-memory.dmp

Filesize
824KB

Download
memory/4404-1230-0x00007FF85A650000-0x00007FF85A677000-memory.dmp

Filesize
156KB

Download
memory/4404-1233-0x00007FF85F590000-0x00007FF85F59F000-memory.dmp

Filesize
60KB

Download
memory/4404-1237-0x00007FF855C80000-0x00007FF855D33000-memory.dmp

Filesize
716KB

Download
memory/4404-1234-0x00007FF8565A0000-0x00007FF8565AB000-memory.dmp

Filesize
44KB

Download
memory/4404-1235-0x00007FF85E5E0000-0x00007FF85E5F9000-memory.dmp

Filesize
100KB

Download
memory/4404-1236-0x00007FF8563D0000-0x00007FF8563F8000-memory.dmp

Filesize
160KB

Download
memory/4404-1231-0x00007FF856850000-0x00007FF85685D000-memory.dmp

Filesize
52KB

Download
memory/4404-1227-0x00007FF847690000-0x00007FF847CF4000-memory.dmp

Filesize
6.4MB

Download
memory/4404-1258-0x00007FF856590000-0x00007FF85659F000-memory.dmp

Filesize
60KB

Download
memory/4404-1219-0x00007FF847150000-0x00007FF847683000-memory.dmp

Filesize
5.2MB

Download
memory/4404-1175-0x00007FF856860000-0x00007FF85688B000-memory.dmp

Filesize
172KB

Download
memory/4404-1278-0x00007FF856030000-0x00007FF856044000-memory.dmp

Filesize
80KB

Download
memory/4404-1316-0x00007FF855C60000-0x00007FF855C7B000-memory.dmp

Filesize
108KB

Download
memory/4404-1320-0x00007FF8558E0000-0x00007FF855912000-memory.dmp

Filesize
200KB

Download
memory/4404-1334-0x00007FF856210000-0x00007FF85621C000-memory.dmp

Filesize
48KB

Download
memory/4404-1335-0x00007FF8558C0000-0x00007FF8558DE000-memory.dmp

Filesize
120KB

Download
memory/4404-1333-0x00007FF856220000-0x00007FF85622B000-memory.dmp

Filesize
44KB

Download
memory/4404-1332-0x00007FF856370000-0x00007FF85637C000-memory.dmp

Filesize
48KB

Download
memory/4404-1331-0x00007FF856390000-0x00007FF85639B000-memory.dmp

Filesize
44KB

Download
memory/4404-1330-0x00007FF856590000-0x00007FF85659F000-memory.dmp

Filesize
60KB

Download
memory/4404-1329-0x00007FF855C80000-0x00007FF855D33000-memory.dmp

Filesize
716KB

Download
memory/4404-1328-0x00007FF8563D0000-0x00007FF8563F8000-memory.dmp

Filesize
160KB

Download
memory/4404-1327-0x00007FF8565A0000-0x00007FF8565AB000-memory.dmp

Filesize
44KB

Download
memory/4404-1326-0x00007FF8561D0000-0x00007FF8561DE000-memory.dmp

Filesize
56KB

Download
memory/4404-1325-0x00007FF8565B0000-0x00007FF8565E3000-memory.dmp

Filesize
204KB

Download
memory/4404-1324-0x00007FF856850000-0x00007FF85685D000-memory.dmp

Filesize
52KB

Download
memory/4404-1323-0x00007FF8561F0000-0x00007FF8561FC000-memory.dmp

Filesize
48KB

Download
memory/4404-1322-0x00007FF85ABF0000-0x00007FF85AC09000-memory.dmp

Filesize
100KB

Download
memory/4404-1321-0x00007FF856380000-0x00007FF85638B000-memory.dmp

Filesize
44KB

Download
memory/4404-1319-0x00007FF855920000-0x00007FF855931000-memory.dmp

Filesize
68KB

Download
memory/4404-1318-0x00007FF855940000-0x00007FF85598D000-memory.dmp

Filesize
308KB

Download
memory/4404-1317-0x00007FF855990000-0x00007FF8559A8000-memory.dmp

Filesize
96KB

Download
memory/4404-1315-0x00007FF856000000-0x00007FF856022000-memory.dmp

Filesize
136KB

Download
memory/4404-1314-0x00007FF856030000-0x00007FF856044000-memory.dmp

Filesize
80KB

Download
memory/4404-1313-0x00007FF856050000-0x00007FF856062000-memory.dmp

Filesize
72KB

Download
memory/4404-1312-0x00007FF856070000-0x00007FF856086000-memory.dmp

Filesize
88KB

Download
memory/4404-1310-0x00007FF8560F0000-0x00007FF856102000-memory.dmp

Filesize
72KB

Download
memory/4404-1309-0x00007FF856110000-0x00007FF85611D000-memory.dmp

Filesize
52KB

Download
memory/4404-1308-0x00007FF856120000-0x00007FF85612B000-memory.dmp

Filesize
44KB

Download
memory/4404-1307-0x00007FF856190000-0x00007FF85619C000-memory.dmp

Filesize
48KB

Download
memory/4404-1306-0x00007FF8561A0000-0x00007FF8561AB000-memory.dmp

Filesize
44KB

Download
memory/4404-1305-0x00007FF8561B0000-0x00007FF8561BB000-memory.dmp

Filesize
44KB

Download
memory/4404-1304-0x00007FF8561C0000-0x00007FF8561CC000-memory.dmp

Filesize
48KB

Download
memory/4404-1300-0x00007FF856200000-0x00007FF85620B000-memory.dmp

Filesize
44KB

Download
memory/4404-1289-0x00007FF856400000-0x00007FF8564CE000-memory.dmp

Filesize
824KB

Download
memory/4404-1287-0x00007FF85A0B0000-0x00007FF85A0BD000-memory.dmp

Filesize
52KB

Download
memory/4404-1285-0x00007FF847150000-0x00007FF847683000-memory.dmp

Filesize
5.2MB

Download
memory/4404-1281-0x00007FF85F590000-0x00007FF85F59F000-memory.dmp

Filesize
60KB

Download
memory/4404-1280-0x00007FF85A650000-0x00007FF85A677000-memory.dmp

Filesize
156KB

Download
memory/4404-1279-0x00007FF847690000-0x00007FF847CF4000-memory.dmp

Filesize
6.4MB

Download
memory/4404-1311-0x00007FF8560E0000-0x00007FF8560EC000-memory.dmp

Filesize
48KB

Download
memory/4404-1302-0x00007FF8561E0000-0x00007FF8561ED000-memory.dmp

Filesize
52KB

Download
memory/4404-1284-0x00007FF85C9F0000-0x00007FF85CA04000-memory.dmp

Filesize
80KB

Download
memory/4404-1283-0x00007FF856860000-0x00007FF85688B000-memory.dmp

Filesize
172KB

Download
memory/4404-1282-0x00007FF85E5E0000-0x00007FF85E5F9000-memory.dmp

Filesize
100KB

Download
memory/4404-1217-0x00007FF85C9F0000-0x00007FF85CA04000-memory.dmp

Filesize
80KB

Download
memory/4404-1172-0x00007FF85E5E0000-0x00007FF85E5F9000-memory.dmp

Filesize
100KB

Download
memory/4404-1167-0x00007FF85A650000-0x00007FF85A677000-memory.dmp

Filesize
156KB

Download
memory/4404-1169-0x00007FF85F590000-0x00007FF85F59F000-memory.dmp

Filesize
60KB

Download
memory/4404-1159-0x00007FF847690000-0x00007FF847CF4000-memory.dmp

Filesize
6.4MB

Download