exelastealer | 482c560821dff63e878f6a8adf9e900a4e3756bd392ff92d37c135bd62e47de1

Analysis

max time kernel
579s
max time network
556s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
03-07-2024 13:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Updater.zip
Size

10.7MB
MD5

26827c9792689b74098834a6d8c20aab
SHA1

07e2be92ae5393afcd690fb822130535a6d2c17e
SHA256

482c560821dff63e878f6a8adf9e900a4e3756bd392ff92d37c135bd62e47de1
SHA512

90941280d2260fca8fb5c16b49819dd10d1940936cc5e48bb0b4a1bb0ff692670c85905bb1dee9f44cedd6577df26fc339ce5703eab3c4a4a43c3c00e0483a30
SSDEEP

196608:+ELj55Zei3SoDqxe6j5Wx2XfTmXRroRyc5LmeHH7+O7US1IxwH1/:rdui3FDqNj5FXfyhkRbKeHH7+4pICHx

Score

10^/10

exelastealer defense_evasion evasion persistence privilege_escalation stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 10 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3416	netsh.exe
2588	netsh.exe
5092	netsh.exe
1572	netsh.exe
2004	netsh.exe
3876	netsh.exe
460	netsh.exe
2464	netsh.exe
1632	netsh.exe
2964	netsh.exe

Deletes itself 1 IoCs

pid	Process
3128	updater.exe

Loads dropped DLL 64 IoCs

pid	Process
3128	updater.exe
3128	updater.exe
3128	updater.exe
3128	updater.exe
3128	updater.exe
3128	updater.exe
3128	updater.exe
3128	updater.exe
3128	updater.exe
3128	updater.exe
3128	updater.exe
3128	updater.exe
3128	updater.exe
3128	updater.exe
3128	updater.exe
3128	updater.exe
3128	updater.exe
3128	updater.exe
3128	updater.exe
3128	updater.exe
3128	updater.exe
3128	updater.exe
3128	updater.exe
3128	updater.exe
3128	updater.exe
3128	updater.exe
572	updater.exe
572	updater.exe
572	updater.exe
572	updater.exe
572	updater.exe
572	updater.exe
572	updater.exe
572	updater.exe
572	updater.exe
572	updater.exe
572	updater.exe
572	updater.exe
572	updater.exe
572	updater.exe
572	updater.exe
572	updater.exe
572	updater.exe
572	updater.exe
572	updater.exe
572	updater.exe
572	updater.exe
572	updater.exe
572	updater.exe
572	updater.exe
572	updater.exe
572	updater.exe
3872	updater.exe
3872	updater.exe
3872	updater.exe
3872	updater.exe
3872	updater.exe
3872	updater.exe
3872	updater.exe
3872	updater.exe
3872	updater.exe
3872	updater.exe
3872	updater.exe
3872	updater.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3128-780-0x00007FFE54420000-0x00007FFE54A08000-memory.dmp	upx
behavioral1/memory/3128-782-0x00007FFE6C1B0000-0x00007FFE6C1BF000-memory.dmp	upx
behavioral1/memory/3128-781-0x00007FFE68750000-0x00007FFE68774000-memory.dmp	upx
behavioral1/memory/3128-783-0x00007FFE682A0000-0x00007FFE682B9000-memory.dmp	upx
behavioral1/memory/3128-784-0x00007FFE696E0000-0x00007FFE696ED000-memory.dmp	upx
behavioral1/memory/3128-785-0x00007FFE65A10000-0x00007FFE65A29000-memory.dmp	upx
behavioral1/memory/3128-787-0x00007FFE5D8A0000-0x00007FFE5D8C3000-memory.dmp	upx
behavioral1/memory/3128-788-0x00007FFE555E0000-0x00007FFE55753000-memory.dmp	upx
behavioral1/memory/3128-786-0x00007FFE659E0000-0x00007FFE65A0D000-memory.dmp	upx
behavioral1/memory/3128-790-0x00007FFE54360000-0x00007FFE54418000-memory.dmp	upx
behavioral1/memory/3128-789-0x00007FFE574A0000-0x00007FFE574CE000-memory.dmp	upx
behavioral1/memory/3128-793-0x00007FFE54420000-0x00007FFE54A08000-memory.dmp	upx
behavioral1/memory/3128-798-0x00007FFE682A0000-0x00007FFE682B9000-memory.dmp	upx
behavioral1/memory/3128-797-0x00007FFE57460000-0x00007FFE57474000-memory.dmp	upx
behavioral1/memory/3128-796-0x00007FFE57480000-0x00007FFE57494000-memory.dmp	upx
behavioral1/memory/3128-799-0x00007FFE53EC0000-0x00007FFE53FDC000-memory.dmp	upx
behavioral1/memory/3128-800-0x00007FFE55A10000-0x00007FFE55A32000-memory.dmp	upx
behavioral1/memory/3128-795-0x00007FFE57E90000-0x00007FFE57EA2000-memory.dmp	upx
behavioral1/memory/3128-794-0x00007FFE5EB90000-0x00007FFE5EBA5000-memory.dmp	upx
behavioral1/memory/3128-802-0x00007FFE69400000-0x00007FFE6940A000-memory.dmp	upx
behavioral1/memory/3128-801-0x00007FFE5D8A0000-0x00007FFE5D8C3000-memory.dmp	upx
behavioral1/memory/3128-792-0x00007FFE53FE0000-0x00007FFE54355000-memory.dmp	upx
behavioral1/memory/3128-804-0x00007FFE537C0000-0x00007FFE53EB5000-memory.dmp	upx
behavioral1/memory/3128-803-0x00007FFE555E0000-0x00007FFE55753000-memory.dmp	upx
behavioral1/memory/3128-805-0x00007FFE574A0000-0x00007FFE574CE000-memory.dmp	upx
behavioral1/memory/3128-807-0x00007FFE555A0000-0x00007FFE555D8000-memory.dmp	upx
behavioral1/memory/3128-806-0x00007FFE54360000-0x00007FFE54418000-memory.dmp	upx
behavioral1/memory/3128-888-0x00007FFE6E700000-0x00007FFE6E70D000-memory.dmp	upx
behavioral1/memory/3128-887-0x00007FFE53FE0000-0x00007FFE54355000-memory.dmp	upx
behavioral1/memory/3128-918-0x00007FFE57E90000-0x00007FFE57EA2000-memory.dmp	upx
behavioral1/memory/3128-917-0x00007FFE5EB90000-0x00007FFE5EBA5000-memory.dmp	upx
behavioral1/memory/3128-1030-0x00007FFE68750000-0x00007FFE68774000-memory.dmp	upx
behavioral1/memory/3128-1049-0x00007FFE555A0000-0x00007FFE555D8000-memory.dmp	upx
behavioral1/memory/3128-1040-0x00007FFE53FE0000-0x00007FFE54355000-memory.dmp	upx
behavioral1/memory/3128-1048-0x00007FFE537C0000-0x00007FFE53EB5000-memory.dmp	upx
behavioral1/memory/3128-1041-0x00007FFE5EB90000-0x00007FFE5EBA5000-memory.dmp	upx
behavioral1/memory/3128-1039-0x00007FFE54360000-0x00007FFE54418000-memory.dmp	upx
behavioral1/memory/3128-1037-0x00007FFE555E0000-0x00007FFE55753000-memory.dmp	upx
behavioral1/memory/3128-1046-0x00007FFE55A10000-0x00007FFE55A32000-memory.dmp	upx
behavioral1/memory/3128-1045-0x00007FFE53EC0000-0x00007FFE53FDC000-memory.dmp	upx
behavioral1/memory/3128-1038-0x00007FFE574A0000-0x00007FFE574CE000-memory.dmp	upx
behavioral1/memory/3128-1029-0x00007FFE54420000-0x00007FFE54A08000-memory.dmp	upx
behavioral1/memory/3128-1068-0x00007FFE53EC0000-0x00007FFE53FDC000-memory.dmp	upx
behavioral1/memory/3128-1070-0x00007FFE69400000-0x00007FFE6940A000-memory.dmp	upx
behavioral1/memory/3128-1071-0x00007FFE537C0000-0x00007FFE53EB5000-memory.dmp	upx
behavioral1/memory/3128-1086-0x00007FFE57480000-0x00007FFE57494000-memory.dmp	upx
behavioral1/memory/3128-1085-0x00007FFE57E90000-0x00007FFE57EA2000-memory.dmp	upx
behavioral1/memory/3128-1084-0x00007FFE5EB90000-0x00007FFE5EBA5000-memory.dmp	upx
behavioral1/memory/3128-1083-0x00007FFE574A0000-0x00007FFE574CE000-memory.dmp	upx
behavioral1/memory/3128-1082-0x00007FFE555E0000-0x00007FFE55753000-memory.dmp	upx
behavioral1/memory/3128-1081-0x00007FFE5D8A0000-0x00007FFE5D8C3000-memory.dmp	upx
behavioral1/memory/3128-1080-0x00007FFE659E0000-0x00007FFE65A0D000-memory.dmp	upx
behavioral1/memory/3128-1079-0x00007FFE65A10000-0x00007FFE65A29000-memory.dmp	upx
behavioral1/memory/3128-1078-0x00007FFE696E0000-0x00007FFE696ED000-memory.dmp	upx
behavioral1/memory/3128-1077-0x00007FFE682A0000-0x00007FFE682B9000-memory.dmp	upx
behavioral1/memory/3128-1076-0x00007FFE6C1B0000-0x00007FFE6C1BF000-memory.dmp	upx
behavioral1/memory/3128-1075-0x00007FFE68750000-0x00007FFE68774000-memory.dmp	upx
behavioral1/memory/3128-1074-0x00007FFE57460000-0x00007FFE57474000-memory.dmp	upx
behavioral1/memory/3128-1073-0x00007FFE6E700000-0x00007FFE6E70D000-memory.dmp	upx
behavioral1/memory/3128-1072-0x00007FFE555A0000-0x00007FFE555D8000-memory.dmp	upx
behavioral1/memory/3128-1069-0x00007FFE55A10000-0x00007FFE55A32000-memory.dmp	upx
behavioral1/memory/3128-1063-0x00007FFE53FE0000-0x00007FFE54355000-memory.dmp	upx
behavioral1/memory/3128-1062-0x00007FFE54360000-0x00007FFE54418000-memory.dmp	upx
behavioral1/memory/3128-1052-0x00007FFE54420000-0x00007FFE54A08000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 36 IoCs

Web Service

T1102

flow	ioc
78	discord.com
118	discord.com
155	discord.com
69	discord.com
70	discord.com
92	discord.com
98	discord.com
138	discord.com
175	discord.com
58	discord.com
91	discord.com
97	discord.com
153	discord.com
154	discord.com
173	discord.com
74	discord.com
151	discord.com
152	discord.com
164	discord.com
75	discord.com
112	discord.com
137	discord.com
88	discord.com
93	discord.com
121	discord.com
176	discord.com
76	discord.com
119	discord.com
120	discord.com
172	discord.com
77	discord.com
87	discord.com
111	discord.com
117	discord.com
163	discord.com
174	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
59	ip-api.com
79	ip-api.com
158	ip-api.com

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4696	cmd.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Launches sc.exe 5 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4496	sc.exe
4260	sc.exe
2196	sc.exe
3492	sc.exe
5104	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 45 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe

Collects information from the system 1 TTPs 5 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
3408	WMIC.exe
3064	WMIC.exe
4152	WMIC.exe
5076	WMIC.exe
3604	WMIC.exe

Detects videocard installed 1 TTPs 5 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3872	WMIC.exe
1108	WMIC.exe
4724	WMIC.exe
5092	WMIC.exe
2804	WMIC.exe

Enumerates processes with tasklist 1 TTPs 25 IoCs

Process Discovery

T1057

pid	Process
1484	tasklist.exe
3400	tasklist.exe
3368	tasklist.exe
1068	tasklist.exe
3628	tasklist.exe
5092	tasklist.exe
8	tasklist.exe
1956	tasklist.exe
1036	tasklist.exe
2568	tasklist.exe
4472	tasklist.exe
2588	tasklist.exe
4444	tasklist.exe
4628	tasklist.exe
1372	tasklist.exe
3728	tasklist.exe
3248	tasklist.exe
4864	tasklist.exe
724	tasklist.exe
3180	tasklist.exe
2732	tasklist.exe
5024	tasklist.exe
3264	tasklist.exe
1040	tasklist.exe
1176	tasklist.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 10 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1980	NETSTAT.EXE
3864	ipconfig.exe
4808	NETSTAT.EXE
464	ipconfig.exe
3260	NETSTAT.EXE
4212	ipconfig.exe
4260	NETSTAT.EXE
2788	ipconfig.exe
2992	NETSTAT.EXE
4464	ipconfig.exe

Gathers system information 1 TTPs 5 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
992	systeminfo.exe
5076	systeminfo.exe
1464	systeminfo.exe
2012	systeminfo.exe
2964	systeminfo.exe

Kills process with taskkill 11 IoCs

evasion

pid	Process
2084	taskkill.exe
4080	taskkill.exe
2992	taskkill.exe
4444	taskkill.exe
2732	taskkill.exe
3344	taskkill.exe
3672	taskkill.exe
2428	taskkill.exe
3920	taskkill.exe
464	taskkill.exe
2460	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 32 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31116676"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "2616653457"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1474490143-3221292397-4168103503-1000\{8BC1B8B0-8524-4655-AC5B-226D247F3BAC}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1474490143-3221292397-4168103503-1000_Classes\Local Settings	taskmgr.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Updater.zip:Zone.Identifier	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4536	msedge.exe
4536	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
4168	identity_helper.exe
4168	identity_helper.exe
3608	msedge.exe
3608	msedge.exe
4040	msedge.exe
4040	msedge.exe
4724	identity_helper.exe
4724	identity_helper.exe
2508	msedge.exe
2508	msedge.exe
240	msedge.exe
240	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
3528	msedge.exe
4708	msedge.exe
4708	msedge.exe
3252	powershell.exe
3252	powershell.exe
1484	powershell.exe
1484	powershell.exe
2356	powershell.exe
2356	powershell.exe
3724	powershell.exe
3724	powershell.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
976	taskmgr.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
668	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 21 IoCs

pid	Process
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3872	WMIC.exe
Token: SeSecurityPrivilege	3872	WMIC.exe
Token: SeTakeOwnershipPrivilege	3872	WMIC.exe
Token: SeLoadDriverPrivilege	3872	WMIC.exe
Token: SeSystemProfilePrivilege	3872	WMIC.exe
Token: SeSystemtimePrivilege	3872	WMIC.exe
Token: SeProfSingleProcessPrivilege	3872	WMIC.exe
Token: SeIncBasePriorityPrivilege	3872	WMIC.exe
Token: SeCreatePagefilePrivilege	3872	WMIC.exe
Token: SeBackupPrivilege	3872	WMIC.exe
Token: SeRestorePrivilege	3872	WMIC.exe
Token: SeShutdownPrivilege	3872	WMIC.exe
Token: SeDebugPrivilege	3872	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3872	WMIC.exe
Token: SeRemoteShutdownPrivilege	3872	WMIC.exe
Token: SeUndockPrivilege	3872	WMIC.exe
Token: SeManageVolumePrivilege	3872	WMIC.exe
Token: 33	3872	WMIC.exe
Token: 34	3872	WMIC.exe
Token: 35	3872	WMIC.exe
Token: 36	3872	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4088	WMIC.exe
Token: SeSecurityPrivilege	4088	WMIC.exe
Token: SeTakeOwnershipPrivilege	4088	WMIC.exe
Token: SeLoadDriverPrivilege	4088	WMIC.exe
Token: SeSystemProfilePrivilege	4088	WMIC.exe
Token: SeSystemtimePrivilege	4088	WMIC.exe
Token: SeProfSingleProcessPrivilege	4088	WMIC.exe
Token: SeIncBasePriorityPrivilege	4088	WMIC.exe
Token: SeCreatePagefilePrivilege	4088	WMIC.exe
Token: SeBackupPrivilege	4088	WMIC.exe
Token: SeRestorePrivilege	4088	WMIC.exe
Token: SeShutdownPrivilege	4088	WMIC.exe
Token: SeDebugPrivilege	4088	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4088	WMIC.exe
Token: SeRemoteShutdownPrivilege	4088	WMIC.exe
Token: SeUndockPrivilege	4088	WMIC.exe
Token: SeManageVolumePrivilege	4088	WMIC.exe
Token: 33	4088	WMIC.exe
Token: 34	4088	WMIC.exe
Token: 35	4088	WMIC.exe
Token: 36	4088	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3872	WMIC.exe
Token: SeSecurityPrivilege	3872	WMIC.exe
Token: SeTakeOwnershipPrivilege	3872	WMIC.exe
Token: SeLoadDriverPrivilege	3872	WMIC.exe
Token: SeSystemProfilePrivilege	3872	WMIC.exe
Token: SeSystemtimePrivilege	3872	WMIC.exe
Token: SeProfSingleProcessPrivilege	3872	WMIC.exe
Token: SeIncBasePriorityPrivilege	3872	WMIC.exe
Token: SeCreatePagefilePrivilege	3872	WMIC.exe
Token: SeBackupPrivilege	3872	WMIC.exe
Token: SeRestorePrivilege	3872	WMIC.exe
Token: SeShutdownPrivilege	3872	WMIC.exe
Token: SeDebugPrivilege	3872	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3872	WMIC.exe
Token: SeRemoteShutdownPrivilege	3872	WMIC.exe
Token: SeUndockPrivilege	3872	WMIC.exe
Token: SeManageVolumePrivilege	3872	WMIC.exe
Token: 33	3872	WMIC.exe
Token: 34	3872	WMIC.exe
Token: 35	3872	WMIC.exe
Token: 36	3872	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4088	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
3608	msedge.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe
2964	taskmgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1200	MiniSearchHost.exe
2296	SystemSettingsAdminFlows.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2988	2100	msedge.exe	82
PID 2100 wrote to memory of 2988	2100	msedge.exe	82
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4292	2100	msedge.exe	83
PID 2100 wrote to memory of 4536	2100	msedge.exe	84
PID 2100 wrote to memory of 4536	2100	msedge.exe	84
PID 2100 wrote to memory of 4784	2100	msedge.exe	85
PID 2100 wrote to memory of 4784	2100	msedge.exe	85
PID 2100 wrote to memory of 4784	2100	msedge.exe	85
PID 2100 wrote to memory of 4784	2100	msedge.exe	85
PID 2100 wrote to memory of 4784	2100	msedge.exe	85
PID 2100 wrote to memory of 4784	2100	msedge.exe	85
PID 2100 wrote to memory of 4784	2100	msedge.exe	85
PID 2100 wrote to memory of 4784	2100	msedge.exe	85
PID 2100 wrote to memory of 4784	2100	msedge.exe	85
PID 2100 wrote to memory of 4784	2100	msedge.exe	85
PID 2100 wrote to memory of 4784	2100	msedge.exe	85
PID 2100 wrote to memory of 4784	2100	msedge.exe	85
PID 2100 wrote to memory of 4784	2100	msedge.exe	85
PID 2100 wrote to memory of 4784	2100	msedge.exe	85
PID 2100 wrote to memory of 4784	2100	msedge.exe	85
PID 2100 wrote to memory of 4784	2100	msedge.exe	85
PID 2100 wrote to memory of 4784	2100	msedge.exe	85
PID 2100 wrote to memory of 4784	2100	msedge.exe	85
PID 2100 wrote to memory of 4784	2100	msedge.exe	85
PID 2100 wrote to memory of 4784	2100	msedge.exe	85

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3272	attrib.exe

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Updater.zip
1⤵
PID:3136

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2732

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\TestUse.gif
1⤵
- Modifies Internet Explorer settings
PID:3452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe57433cb8,0x7ffe57433cc8,0x7ffe57433cd8
  2⤵
  PID:2988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1876,18315279147729539666,16708765413280995091,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1868 /prefetch:2
  2⤵
  PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1876,18315279147729539666,16708765413280995091,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1876,18315279147729539666,16708765413280995091,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2556 /prefetch:8
  2⤵
  PID:4784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,18315279147729539666,16708765413280995091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,18315279147729539666,16708765413280995091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:2588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,18315279147729539666,16708765413280995091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3712 /prefetch:1
  2⤵
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1876,18315279147729539666,16708765413280995091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4560 /prefetch:1
  2⤵
  PID:2312
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1876,18315279147729539666,16708765413280995091,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4956 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1644

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Downloads\TestUse.gif
1⤵
- Modifies Internet Explorer settings
PID:2512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe57433cb8,0x7ffe57433cc8,0x7ffe57433cd8
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,12280341282558673327,13776217905621941174,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,12280341282558673327,13776217905621941174,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,12280341282558673327,13776217905621941174,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2456 /prefetch:8
  2⤵
  PID:2800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12280341282558673327,13776217905621941174,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12280341282558673327,13776217905621941174,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12280341282558673327,13776217905621941174,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
  2⤵
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12280341282558673327,13776217905621941174,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12280341282558673327,13776217905621941174,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12280341282558673327,13776217905621941174,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:4620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12280341282558673327,13776217905621941174,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2036 /prefetch:1
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,12280341282558673327,13776217905621941174,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,12280341282558673327,13776217905621941174,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3488 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12280341282558673327,13776217905621941174,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:2712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12280341282558673327,13776217905621941174,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:1240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1920,12280341282558673327,13776217905621941174,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5984 /prefetch:8
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12280341282558673327,13776217905621941174,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1720 /prefetch:1
  2⤵
  PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12280341282558673327,13776217905621941174,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:2760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1920,12280341282558673327,13776217905621941174,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5688 /prefetch:8
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1920,12280341282558673327,13776217905621941174,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5620 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12280341282558673327,13776217905621941174,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2084 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,12280341282558673327,13776217905621941174,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4700 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12280341282558673327,13776217905621941174,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:1020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12280341282558673327,13776217905621941174,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12280341282558673327,13776217905621941174,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
  2⤵
  PID:2516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12280341282558673327,13776217905621941174,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6168 /prefetch:1
  2⤵
  PID:580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,12280341282558673327,13776217905621941174,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,12280341282558673327,13776217905621941174,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6248 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4736

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2960

C:\Users\Admin\Desktop\updater.exe
"C:\Users\Admin\Desktop\updater.exe"
1⤵
PID:1272
- C:\Users\Admin\Desktop\updater.exe
  "C:\Users\Admin\Desktop\updater.exe"
  2⤵
  - Deletes itself
  - Loads dropped DLL
  PID:3128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:5116
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:3872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    PID:768
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:4928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:3340
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4708
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    PID:1976
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      PID:748
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3536
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:2212
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:3628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:4696
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Views/modifies file attributes
      PID:3272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    PID:388
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:3136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:1464
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:4628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2988"
    3⤵
    PID:2500
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2988
      4⤵
      Kills process with taskkill
      PID:4080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3608"
    3⤵
    PID:4600
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3608
      4⤵
      Kills process with taskkill
      PID:2992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4460"
    3⤵
    PID:3612
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4460
      4⤵
      Kills process with taskkill
      PID:4444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4756"
    3⤵
    PID:3368
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4756
      4⤵
      Kills process with taskkill
      PID:3672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4040"
    3⤵
    PID:3536
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4040
      4⤵
      Kills process with taskkill
      PID:2428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2800"
    3⤵
    PID:4240
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2800
      4⤵
      Kills process with taskkill
      PID:3920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 788"
    3⤵
    PID:3632
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 788
      4⤵
      Kills process with taskkill
      PID:3344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5084"
    3⤵
    PID:240
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5084
      4⤵
      Kills process with taskkill
      PID:464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1020"
    3⤵
    PID:1320
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4080
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1020
      4⤵
      Kills process with taskkill
      PID:2460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2416"
    3⤵
    PID:2384
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2416
      4⤵
      Kills process with taskkill
      PID:2084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1388"
    3⤵
    PID:2908
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1388
      4⤵
      Kills process with taskkill
      PID:2732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:3476
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:4220
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:4416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:1044
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:4224
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:2556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3320
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    PID:1268
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    PID:2496
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:1356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    PID:4452
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:992
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:3772
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      PID:3604
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:1096
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:3104
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:3864
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:5108
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:4696
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:1192
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:3920
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:1964
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:3740
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:436
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:4628
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:3344
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:1824
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:4864
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:464
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:3860
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      PID:4828
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      Gathers network information
      PID:3260
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:3492
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2004
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2232
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2908
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4436

C:\Users\Admin\Desktop\updater.exe
"C:\Users\Admin\Desktop\updater.exe"
1⤵
PID:568
- C:\Users\Admin\Desktop\updater.exe
  "C:\Users\Admin\Desktop\updater.exe"
  2⤵
  - Loads dropped DLL
  PID:572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1592
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:4600
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    PID:5096
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      PID:2348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:4652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:2332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:3340
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    PID:1632
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      PID:1068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:8
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:1280
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:3248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    PID:1864
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:3328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:4620
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1044
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:3400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:4504
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:432
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:2008
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:5020
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:1388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4264
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    PID:2496
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    PID:1224
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3536
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:1196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    PID:3368
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:5076
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:720
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      PID:3408
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:4928
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:3260
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:5116
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:2500
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:2460
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:2704
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:4492
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:2232
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:1056
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:780
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:4880
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:3032
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:3880
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:5092
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:4212
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:3084
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      PID:2272
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      Gathers network information
      PID:4260
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:5104
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3416
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1572
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3964
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3248

C:\Users\Admin\Desktop\updater.exe
"C:\Users\Admin\Desktop\updater.exe"
1⤵
PID:2988
- C:\Users\Admin\Desktop\updater.exe
  "C:\Users\Admin\Desktop\updater.exe"
  2⤵
  - Loads dropped DLL
  PID:3872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:5092
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    PID:2348
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      PID:1240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:3332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:4092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:5072
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:8
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    PID:2196
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      PID:2300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3100
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:3544
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:3264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    PID:2896
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:1696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:2620
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:3808
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:2192
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:5032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:4132
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:4264
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:2716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2916
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    PID:416
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    PID:1200
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1464
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:3860
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      PID:3064
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:2500
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:3056
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:2704
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:2516
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:4492
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:2332
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:3944
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:4880
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:2564
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:4712
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:3864
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:3868
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:2700
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:1956
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:2788
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:4092
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      PID:1488
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      Gathers network information
      PID:2992
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:4496
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:5092
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    PID:1192
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:4208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4220
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2588
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1248

C:\Users\Admin\AppData\Local\Temp\Temp1_Updater.zip\updater.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Updater.zip\updater.exe"
1⤵
PID:5116
- C:\Users\Admin\AppData\Local\Temp\Temp1_Updater.zip\updater.exe
  "C:\Users\Admin\AppData\Local\Temp\Temp1_Updater.zip\updater.exe"
  2⤵
  PID:228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1588
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    PID:836
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      PID:3008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:1796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:1572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:2272
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:1040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    PID:2784
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      PID:5072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3328
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:1768
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    PID:2268
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:2472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:2932
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:1176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:4896
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:2216
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:4252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:4628
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:3344
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:3556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:688
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    PID:3136
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    PID:3904
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:3696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    PID:4828
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2012
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:4228
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      PID:4152
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:2632
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:4652
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:1480
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:4648
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:4436
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:2332
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:3032
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:4880
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:3880
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:4600
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:984
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:716
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:4212
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:3368
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:4464
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:896
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      PID:1452
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      Gathers network information
      PID:1980
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:4260
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1572
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1960
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2268
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4236
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4728

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:1200

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:744

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\srchadmin.dll ,
1⤵
PID:1056

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2964

C:\Users\Admin\Desktop\updater.exe
"C:\Users\Admin\Desktop\updater.exe"
1⤵
PID:3712
- C:\Users\Admin\Desktop\updater.exe
  "C:\Users\Admin\Desktop\updater.exe"
  2⤵
  PID:2396

C:\Users\Admin\Desktop\updater.exe
"C:\Users\Admin\Desktop\updater.exe"
1⤵
PID:1388
- C:\Users\Admin\Desktop\updater.exe
  "C:\Users\Admin\Desktop\updater.exe"
  2⤵
  PID:3100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4596
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    PID:324
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      PID:4196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:4224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:3396
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:2356
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:1372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    PID:2424
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      PID:2908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3948
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:2296
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:3728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    PID:432
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:4532
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:1068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:2736
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:4452
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:1964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:2492
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:4800
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:4528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1484
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    PID:4736
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      PID:5088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    PID:2388
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2964
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:3876
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      PID:5076
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:2732
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:3804
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:1940
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:3992
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:2712
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:1372
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:1692
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:1408
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:3084
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:4896
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:1868
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:1632
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:5048
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:3180
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:3864
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:2296
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      PID:2788
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      Gathers network information
      PID:4808
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:2196
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:460
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    PID:2192
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:3920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2516
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:324
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4864

C:\Users\Admin\Desktop\updater.exe
"C:\Users\Admin\Desktop\updater.exe"
1⤵
PID:3944
- C:\Users\Admin\Desktop\updater.exe
  "C:\Users\Admin\Desktop\updater.exe"
  2⤵
  PID:2504

C:\Users\Admin\Desktop\updater.exe
"C:\Users\Admin\Desktop\updater.exe"
1⤵
PID:3804
- C:\Users\Admin\Desktop\updater.exe
  "C:\Users\Admin\Desktop\updater.exe"
  2⤵
  PID:2772

C:\Users\Admin\Desktop\updater.exe
"C:\Users\Admin\Desktop\updater.exe"
1⤵
PID:1772
- C:\Users\Admin\Desktop\updater.exe
  "C:\Users\Admin\Desktop\updater.exe"
  2⤵
  PID:1840

C:\Users\Admin\Desktop\updater.exe
"C:\Users\Admin\Desktop\updater.exe"
1⤵
PID:968
- C:\Users\Admin\Desktop\updater.exe
  "C:\Users\Admin\Desktop\updater.exe"
  2⤵
  PID:1548

C:\Users\Admin\Desktop\updater.exe
"C:\Users\Admin\Desktop\updater.exe"
1⤵
PID:5092
- C:\Users\Admin\Desktop\updater.exe
  "C:\Users\Admin\Desktop\updater.exe"
  2⤵
  PID:1320

C:\Users\Admin\Desktop\updater.exe
"C:\Users\Admin\Desktop\updater.exe"
1⤵
PID:3136
- C:\Users\Admin\Desktop\updater.exe
  "C:\Users\Admin\Desktop\updater.exe"
  2⤵
  PID:3084

C:\Users\Admin\Desktop\updater.exe
"C:\Users\Admin\Desktop\updater.exe"
1⤵
PID:324
- C:\Users\Admin\Desktop\updater.exe
  "C:\Users\Admin\Desktop\updater.exe"
  2⤵
  PID:4696

C:\Users\Admin\Desktop\updater.exe
"C:\Users\Admin\Desktop\updater.exe"
1⤵
PID:4704
- C:\Users\Admin\Desktop\updater.exe
  "C:\Users\Admin\Desktop\updater.exe"
  2⤵
  PID:2832

C:\Users\Admin\Desktop\updater.exe
"C:\Users\Admin\Desktop\updater.exe"
1⤵
PID:3960
- C:\Users\Admin\Desktop\updater.exe
  "C:\Users\Admin\Desktop\updater.exe"
  2⤵
  PID:2472

C:\Users\Admin\Desktop\updater.exe
"C:\Users\Admin\Desktop\updater.exe"
1⤵
PID:3020
- C:\Users\Admin\Desktop\updater.exe
  "C:\Users\Admin\Desktop\updater.exe"
  2⤵
  PID:2772

C:\Users\Admin\Desktop\updater.exe
"C:\Users\Admin\Desktop\updater.exe"
1⤵
PID:3868
- C:\Users\Admin\Desktop\updater.exe
  "C:\Users\Admin\Desktop\updater.exe"
  2⤵
  PID:4732

C:\Users\Admin\Desktop\updater.exe
"C:\Users\Admin\Desktop\updater.exe"
1⤵
PID:1796
- C:\Users\Admin\Desktop\updater.exe
  "C:\Users\Admin\Desktop\updater.exe"
  2⤵
  PID:3216

C:\Users\Admin\Desktop\updater.exe
"C:\Users\Admin\Desktop\updater.exe"
1⤵
PID:2468
- C:\Users\Admin\Desktop\updater.exe
  "C:\Users\Admin\Desktop\updater.exe"
  2⤵
  PID:2896

C:\Users\Admin\Desktop\updater.exe
"C:\Users\Admin\Desktop\updater.exe"
1⤵
PID:4808
- C:\Users\Admin\Desktop\updater.exe
  "C:\Users\Admin\Desktop\updater.exe"
  2⤵
  PID:708

C:\Users\Admin\Desktop\updater.exe
"C:\Users\Admin\Desktop\updater.exe"
1⤵
PID:2460
- C:\Users\Admin\Desktop\updater.exe
  "C:\Users\Admin\Desktop\updater.exe"
  2⤵
  PID:4756

C:\Users\Admin\Desktop\updater.exe
"C:\Users\Admin\Desktop\updater.exe"
1⤵
PID:4272
- C:\Users\Admin\Desktop\updater.exe
  "C:\Users\Admin\Desktop\updater.exe"
  2⤵
  PID:5000

C:\Users\Admin\Desktop\updater.exe
"C:\Users\Admin\Desktop\updater.exe"
1⤵
PID:4028
- C:\Users\Admin\Desktop\updater.exe
  "C:\Users\Admin\Desktop\updater.exe"
  2⤵
  PID:1076

C:\Users\Admin\Desktop\updater.exe
"C:\Users\Admin\Desktop\updater.exe"
1⤵
PID:1320
- C:\Users\Admin\Desktop\updater.exe
  "C:\Users\Admin\Desktop\updater.exe"
  2⤵
  PID:5112

C:\Users\Admin\Desktop\updater.exe
"C:\Users\Admin\Desktop\updater.exe"
1⤵
PID:5096
- C:\Users\Admin\Desktop\updater.exe
  "C:\Users\Admin\Desktop\updater.exe"
  2⤵
  PID:4444

C:\Users\Admin\Desktop\updater.exe
"C:\Users\Admin\Desktop\updater.exe"
1⤵
PID:4452
- C:\Users\Admin\Desktop\updater.exe
  "C:\Users\Admin\Desktop\updater.exe"
  2⤵
  PID:3472

C:\Users\Admin\Desktop\updater.exe
"C:\Users\Admin\Desktop\updater.exe"
1⤵
PID:332
- C:\Users\Admin\Desktop\updater.exe
  "C:\Users\Admin\Desktop\updater.exe"
  2⤵
  PID:2588

C:\Users\Admin\Desktop\updater.exe
"C:\Users\Admin\Desktop\updater.exe"
1⤵
PID:2964
- C:\Users\Admin\Desktop\updater.exe
  "C:\Users\Admin\Desktop\updater.exe"
  2⤵
  PID:3556

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: GetForegroundWindowSpam
PID:976

C:\Users\Admin\Desktop\updater.exe
"C:\Users\Admin\Desktop\updater.exe"
1⤵
PID:1272
- C:\Users\Admin\Desktop\updater.exe
  "C:\Users\Admin\Desktop\updater.exe"
  2⤵
  PID:2512

C:\Users\Admin\Desktop\updater.exe
"C:\Users\Admin\Desktop\updater.exe"
1⤵
PID:784
- C:\Users\Admin\Desktop\updater.exe
  "C:\Users\Admin\Desktop\updater.exe"
  2⤵
  PID:2376

C:\Users\Admin\Desktop\updater.exe
"C:\Users\Admin\Desktop\updater.exe"
1⤵
PID:1704
- C:\Users\Admin\Desktop\updater.exe
  "C:\Users\Admin\Desktop\updater.exe"
  2⤵
  PID:1596

C:\Users\Admin\Desktop\updater.exe
"C:\Users\Admin\Desktop\updater.exe"
1⤵
PID:2716
- C:\Users\Admin\Desktop\updater.exe
  "C:\Users\Admin\Desktop\updater.exe"
  2⤵
  PID:2456

C:\Users\Admin\Desktop\updater.exe
"C:\Users\Admin\Desktop\updater.exe"
1⤵
PID:572
- C:\Users\Admin\Desktop\updater.exe
  "C:\Users\Admin\Desktop\updater.exe"
  2⤵
  PID:1372

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4864

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:2908

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:324

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" TroubleshootActivation
1⤵
- Suspicious use of SetWindowsHookEx
PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56c95c6c92ea801765ae28b24223b211

SHA1
5001f5b0fad22c31c80b75f2f336367d1af5317a

SHA256
d9e2804b144f2f907907bbd75d6648f8f41608bcabd63ae9faaf7de5e786e499

SHA512
ff9430425982585b9e08a94dbe2b904a7af4a865a654a67e1b6a2c70e611f5dd5ce7d2cf63dc99245f967c59a4cd41814d78af8b55da7475787366fbee34654e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6d802ede2944b26c3707372daef6ef21

SHA1
bce073d43701c643a6e804eec3b12231ad9be33a

SHA256
afe76edca99bc58670a8bb98f632cdc67406a62d04624fc90b8098bf5c7693c5

SHA512
4e1f824a74759a25182027076c7cf526aa1b51089a33cac3b55c5c544c82dbb281ccd9f9209f8d716048594da61a5436fe2690d19a5d4208a9ec72273618749a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ade01a8cdbbf61f66497f88012a684d1

SHA1
9ff2e8985d9a101a77c85b37c4ac9d4df2525a1f

SHA256
f49e20af78caf0d737f6dbcfc5cc32701a35eb092b3f0ab24cf339604cb049b5

SHA512
fa024bd58e63402b06503679a396b8b4b1bc67dc041d473785957f56f7d972317ec8560827c8008989d2754b90e23fc984a85ed7496f05cb4edc2d8000ae622b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d0f84c55517d34a91f12cccf1d3af583

SHA1
52bd01e6ab1037d31106f8bf6e2552617c201cea

SHA256
9a24c67c3ec89f5cf8810eba1fdefc7775044c71ed78a8eb51c8d2225ad1bc4c

SHA512
94764fe7f6d8c182beec398fa8c3a1948d706ab63121b8c9f933eef50172c506a1fd015172b7b6bac898ecbfd33e00a4a0758b1c8f2f4534794c39f076cd6171

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
e74d0828c0e3f4ee1018fa31f5c22780

SHA1
8f9487e212168a0f7ee26184e7c0da0fa8351393

SHA256
78789c5b6bcee4b9eee6d69dcf2e144e94db94554bb118b1c38654e5c09c5cc1

SHA512
b15bdeceb83990ffeb21f1184f4060084155f4cbf37eb4577cd888c352e7507c2ae1ebfa57fae476c022ce067e7bd69fdb04312a03f12dfee1dea1e4851809a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
5291f6148c5f58de757fa9e1c4207276

SHA1
3a7cc2e5ff428531bef65711cad0da56d2d3d28f

SHA256
72725e4146e374cb72d573d05c37333488be70cd8c042a602aa46a4377b4adbf

SHA512
237756c3bd6cb508c2981e34986288593bf4187dcfe7f760c66cb540a9ba82d4462ce8e8f21d27e202ec3dac1f26876b89dbaff0aa68c9ccad465fe5dcc71d73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
36KB

MD5
6e0dfe11e95944da94e70a99c169c81e

SHA1
f8cd534a059869e65a5e800ed4ff693539c7bd65

SHA256
72863be7491063b6198044605fae19e03c2bf5ca0f3282dcba49e0adff86b900

SHA512
f51ddb326f3fd0b898f29b0759b0f40d1490af0e374b50a323523ddbbb8336c08e832992274a45610bc09361f2883f8f95c67c29d5a9bc7b4a77d18e100913d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
d6a40716591c5ff495f3a4274a793194

SHA1
af909f228d2ccd3fa958667a3b9d8effe0ef32dd

SHA256
5b11c5b38c7b1909a081c23d65881b0db704f5a86ebf7db897b32857ce2de8f5

SHA512
11a96568d3396df660878b00f8e771c4f79405f682548a03ee88705c939fdad2086786305a513a614478e0459725005bd676a83f644ea9ae51756587d1366c33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
f34cefc910923c6f63d9ec30501c87e3

SHA1
4a91b3bb6e3d2ee7535b74891cf7e9829457b463

SHA256
1b7576555c2a5c02c6147afd31d0c311f0ce7e7caa893b1e86f9b25ea91c9dff

SHA512
f9287057a185bb8dc7811551bd48fbf813a330a567a6c2ba9bd21c4c531eb2c309699ac1e53b5f914736d4d7b3801decf9b5fb59f185c395441333c578616417

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
13311d90061cd184b8770e400ea3ead3

SHA1
6835d2f25d5f244988ef9b4b6660317e45c530df

SHA256
639b39a36c21cf050aba6e6d396d3fce207ad6ae99ff876b7f155114636440f8

SHA512
9fa3bb6e85e4601396d1289242f348927f7b0a9e7dd4ad62fa7c99fef09f36fa08bf70ce33d7d6335b077359679573fbba900d84308b1667f264723e1c703f76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extension State\LOG

Filesize
322B

MD5
714f38bf5613475c3551759de23189f7

SHA1
ec08cfc9d8694ed2d9df6a6c3053820ab76059b1

SHA256
ba3addeb66903da35977c54f9c5f193c817a8b578788b901f9a389d8dad6446a

SHA512
737a9377eca4be09a84fbcb51298625f4dd3f8db422e3eff1e83ab161371e10105b0b5a6614573dcf77a7bb8aba172c78df31e23b5d9a2b07ebf6332a1d5d91e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
6B

MD5
a9851aa4c3c8af2d1bd8834201b2ba51

SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc

SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191

SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
334B

MD5
7a8d7319c700b5fc04fe606fc7043360

SHA1
fd375b4f6a65d171411da32c61b7b9ac81f1ab6c

SHA256
055ffa1171ef37ac4b59484198256dfc70b86e40b2fe7db2184ec543f19b782a

SHA512
90620088be4fd786586f647004b668ed0e3516c623b1ed4a348824d0d8cbe55ff4366b07413e3b86520f6daa7368c268aa0ed3294146a54bf1970c05f6c448ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Action Predictor

Filesize
36KB

MD5
5d352a03280eba57cb274d27ba6c6b7e

SHA1
8887766642a81a1248dd5f93239ce63e93839900

SHA256
3b358849502f5cfd881dd035ff274a5753f90047a131884838c677e22f2305ab

SHA512
b8037a046c4be7be120bbfddedc780a4175fc8e6c863e9095e39a4e16d2e8ced27c40f38c569a79df990057175e3db6aa35eac645598af3647caa5744052bb1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
387B

MD5
be85dd7e4209817ad69c4ab75b73a828

SHA1
e12c9185e662b6edc9c549c84235dfcb6ee4abbd

SHA256
60bd468523184c0ae15f90026a25d41b4fa44ac579d07d99f015a64589d40889

SHA512
7ce3d0f9c14490e15333e0f0c7a8a889a67ab44a8743e8c3dffcd26ed9c62ec5790aab06c9c00b503b6b5dc1176bf57d296b953633333943b903f692ed39d543

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
809f32302d985cc4f90f75ce3f842cc1

SHA1
cc3a692257180dcab9e4025f737c204dc125f056

SHA256
def500dd5776902cf898ca0557d361655e10966e50268d64d795f964bb280d9d

SHA512
89e2ebdb3815d292720917fe355d920f825f272ebd6b671b047a7e9db71713b0b0ee90fc1990304ea2e80d1d1365e71bdb05df563e16cd6e107675272c080013

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4803f8589da8ccd9f6dd33b433254fc7

SHA1
12c2a2bb3c9d0e05cb40d3ef69b95eb55006e70b

SHA256
3c06f69e5d2ac483ea42553568b96581fe9607e61c826a8ef9955f57142c34c5

SHA512
4e827692e897639486f8486ea56bf54c03f885d43d42ce70ad098a6384e6250a9fa27274d0e4a0dca7a46f3942293dfc2a6d9af344008e5ca8d9c5784fc51188

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
33b3682591d3e4ae3b3ff417151fd250

SHA1
3641bd34ea70680982454727009888847b5acd75

SHA256
4ceee23e1d24fa632638b3ff55cf15aee3db51009c19f32bc2af0e2131c14ea2

SHA512
4ae9b7e1d278908c21496bdf3b872119f641de7432736a8cb378b644e55294b38337f42a0674fa243ba4d51ff968d08a7cc3bf0bfe834041b89b545ec2149496

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
51146ae34e383909ee675ddbc35b49bc

SHA1
86c782253ffd97a0cf5ed9588527fef636ea7a2a

SHA256
8414b06a6a2c52613562b14551ef52f42ee0a38427c7c01d5b58194af8bad373

SHA512
6a864ef9bbbe6879bd7a9ccea66866bf76fd185b85800b2e6025db1096bdf3cc87372d7cbcc2d8113f3fc6bd297541694d6f9b9bc62179b0c8ae0e66fc8f3629

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5a748712919d0401a919f946a43edc80

SHA1
620a8ae071c12e6f82cf885b90b54153bac1eebd

SHA256
97955d80ed9da1c86c2aca61e5a5ce4643c861fe01a7b0e540902b66dfd69be0

SHA512
fcca5e3eb099515cacd895a6ee3cc978e8dd3ac660488831b2b351ea1aaf1d67254ab4ef135171948f4ebb85072bc6dd37f0c4f364ecf5797c05033d25ee5add

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c5796ef7b6415b4c9b83cf3f6a0e2038

SHA1
c80cade1124fc3c21013e513f1481b7359181dc5

SHA256
2deb3edebb84e6b2f78e2c5d37cf6b00b33e26c3550fa8849ca28ac11b715126

SHA512
642deddfcf77fa814730a5d2ef374ba310f79e1865579d4cd102a3a0fec0d07d2206a11d419078a44b60621f4f5e78e3d9334414f5d834af78c69198ce2a4e83

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c6acee88f1901c71ffed8b302fd8a988

SHA1
2ab8888280f487c1136cd3627d8b747fbc8fb42c

SHA256
d0fcb5dac2fb5ab864b6dbce504d88b3fbe2491d74575367522553d1ec34a35b

SHA512
d782dddda022585d6bdf320bf552bdb045a513ce9f3e902c5a64faaa0507ceae5fc29bb8228839b7b93ad86e6d994c68a01e1424b7fcadb8f5b4b810494c75e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b134d8cf891c5630973c22d733ba50ca

SHA1
4b81c389b20107461a79ed8748160324243f56ae

SHA256
b97e2971f2d9b28489b3e2d4219f1713f84694214868ac13a31675cd6ee01b08

SHA512
9c15556143869911d8d9fdebf889cd03d2efc6edea6c3ccede2a22f62a146352bfa903e8d45fd0cdb4b40bd05b8ec6361a2eca4d5c90a70e601103f357dc539a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
abc57342d5b741e214d71b8db8868199

SHA1
9ab82857301b34a4a0047cd9b68237047b0b9e93

SHA256
4dc804c5bfe04201437cc08bc3e98c45feb38ca0b27475cc81e6207b49ad3eaa

SHA512
fe8b63c41fe2e17f2d669d4cc78f369c56512629b470fe8debebd9cc7a02415f06fbf7ebcbed4c047565fc0437d33df61d9d2b6755a0bb46db622317b55efcc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b7dcea6371587c8c7a853623f85a4986

SHA1
fb47748bbc106028229ca624c4c6e3c790fca7f5

SHA256
0eff5fd4f7bb98029b79821fa0c05f75f3580aec4f5d0547ee5763cdb60afb4d

SHA512
f25fa63c43db8818fa07436386ac0be686558a0f49bb37e01dbcbf53a904402f6b0d278070fcca96e1ba880e311b1f3629021e6285c3ba4fbcf5b2971010a5f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\PreferredApps

Filesize
33B

MD5
2b432fef211c69c745aca86de4f8e4ab

SHA1
4b92da8d4c0188cf2409500adcd2200444a82fcc

SHA256
42b55d126d1e640b1ed7a6bdcb9a46c81df461fa7e131f4f8c7108c2c61c14de

SHA512
948502de4dc89a7e9d2e1660451fcd0f44fd3816072924a44f145d821d0363233cc92a377dba3a0a9f849e3c17b1893070025c369c8120083a622d025fe1eacf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
137B

MD5
a62d3a19ae8455b16223d3ead5300936

SHA1
c0c3083c7f5f7a6b41f440244a8226f96b300343

SHA256
c72428d5b415719c73b6a102e60aaa6ad94bdc9273ca9950e637a91b3106514e

SHA512
f3fc16fc45c8559c34ceba61739edd3facbbf25d114fecc57f61ec31072b233245fabae042cf6276e61c76e938e0826a0a17ae95710cfb21c2da13e18edbf99f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
60c0ed5ad52c50cdf1156a4f7ae5c32d

SHA1
94a1ce41487ab8c2feb69d7855a144cb93eb5adb

SHA256
1f4904cbf853a143be394f7864a32e35d1d8eb73e5f7e9c8e05669a6ebe43a89

SHA512
dfccbbb61a4f15d982d8233a179437ce433f63fc9dc89a374dc82fb614451d12679c14f49384614069693cd84a16de7515c8d68757725b0e63d937bf2ec24c8b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Session_13364487670658644

Filesize
1KB

MD5
63a6b00a56e3b939042a381332637ca0

SHA1
b91ff127fa2c3d066ed0ee498c63702b6b41cfc6

SHA256
1ec99be1cf94b1c6284e91477785d50941996b30f47f315f034bcc8497a549f0

SHA512
96a3291d30ef4ac7dce5b96056bba7981ccdbfc5e7f362c8057e5f941f7da2a33fec29a18197616ac0035bf794641631d638b06cac73dd83f9b72c364af7751a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13364487670751644

Filesize
1KB

MD5
116cd1e1bfafa1134812f2bb62b1adac

SHA1
c07c301cd5ec938a840df6fdcbf52e8a804fc64c

SHA256
6f5473ae80e1d450f3de594be51052c8a557e04d69e8864adc30703b06a9c2d1

SHA512
902503072d5b16699e3ca4f37b8bc2ec0cde9501fdfc4f4a6d0c358e7c6bd3c7951acba170e7fba3808e122af86b242be3550eca2a7e6d4cf032e9dc5cbdb739

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Shortcuts

Filesize
20KB

MD5
8be985ece811ba0a3f10087f5f4e6fd4

SHA1
c87c84d4fe182ffb8362f3cabd33349af94e9b55

SHA256
da78d36c765d3248b1a72ead5f83b7a58cba7d361f17a6831332ee994cee939a

SHA512
901932baea8712e89188cfce00a6b2388ba38697bcbfeebcf8b83b88b0cb26c7323b098ba6983c312ded1041f6e297412010113a32e99a9350aa4492ca40efa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
347B

MD5
1c03678a53852b1ee1e7500bc7ebe678

SHA1
98b5fbaaa4f58d94b35374fd3761f3ba1d53bfd2

SHA256
b077fae1cfac8c10d74ee95e18d966d05825ebedfc75f41d67bdf93044b47df5

SHA512
4da7d15103ec99e1b4cb0ae42d991e55fd51577c75367bc1b25235db9726a3e0d002e61d7eb8cb7143c82ef1e33037820fe1a3ddc7f7276b8a77fc7826b225cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
323B

MD5
f744d50d600f91054b32b2ab8e984df8

SHA1
ef163b4b1d7059c8471eaa7538b9a3b860e007a6

SHA256
802bc2187a67f21353e8ae9dcbcb34cbfcf292b387fc022995bb64710fe7fed1

SHA512
ae3cf6b8aa8a0b34e6df8f3b11eadbefe5efda82de0ac800b0116f8465d3b9dfa60a9135473171d91db16a24aec5639dbfd15a3f6ef925190306c29c904edf42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
a6140f904fdae14849c6532b63658984

SHA1
e1ae3eb9276244f504e0efa041c6ea86774f84d0

SHA256
50bad0c7a3e05abc71b9d266e4c6a39aec14ea7aae48d728766ff6ea8e6c090f

SHA512
06a6498d34da4ed5b7eaa73f03fbf8e29a5f97d541785ce73f4f59c6d0d2a5760c7cce07c6255e6821bf61d461d3fb15e401aff9fd59b73a8cb54152dbb26988

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
0c84f37bf29aa5f9ced3c336da63d896

SHA1
58623c85b9a0678227c3bbbf6e39a4a3d13e5ff6

SHA256
78f05e46c0d1e9a78d3f26a844e28200214cdc85dcf50ebe01af8d7851f77d8a

SHA512
f2efb03de2984580cdd129d057293dd9583242c447b27742c8bd9931a80372f4bde8692a38af80cae75ca1c2e9efe24e7e4d6103bbca2ae431a8e986afab0f24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
4d2f5959cfdd93cbc0219b85fd8eac2d

SHA1
eaf7636df968dfd6ac5e9c600f04b502a6459b28

SHA256
c82bd1df315aa7f57427ae7ea0a86f00e9a884200fed2aea299159383a5d2b8f

SHA512
aeb9db232b883f709868db4f3b57aeeecd7f37648c3ac990b09e41d1f945213815d67931327a0d7f3421c704bef243230737ae891117492abdc1fd7883054626

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
872B

MD5
0057af8bce72257da45773b68a2c856e

SHA1
a3cac32d7bcfbb9939024ea87480f972ddb5aa13

SHA256
54f0297fb17d483e9b347eb8ee84ae06ce1ea2d2c8d586545d16e91dc9daf4b0

SHA512
24a174a45fdf6bf73d519844151496a357a3476b1421057552b4e201d96d3f24c267a6462abdd00e42b905810b5ab8e9e0da834693178a5f6461e743317358df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe591b8d.TMP

Filesize
370B

MD5
d18dbc3860453b5ae5035c4c6352ee58

SHA1
d4feb34ea4a199e8f80d04c3b12f5a3aedd40930

SHA256
4704a21e13ae8f1e999f8e1cc5dfbeaae7e417eef3083dc519f41cfdbcdd2d91

SHA512
b6e50bab03201673500bda91b520c5024dc21207704dda78492c3703fd2f2ff9c28d963e9f65cb8e6e2c59766dd5daec54d2a0f4b4ba45101df0c2478695bcb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\LOG

Filesize
198B

MD5
8c9f31e3feed45b30a50e15ab774aa06

SHA1
4ff3ef899446662888121e5be533535cd5b1a3d1

SHA256
3861a15025510e68fd6bb07c3402ab9edbfa4dc6a2f2b6ccd8d7d0adf7024cc0

SHA512
6a55468618eee936dd7d31bec52d9cf2f52b7457321731d689c08da4ea3dad2042a46f9f6a168624d48ccba26fd7aed662aed389b590997769b00f7c626f13b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\MANIFEST-000002

Filesize
50B

MD5
22bf0e81636b1b45051b138f48b3d148

SHA1
56755d203579ab356e5620ce7e85519ad69d614a

SHA256
e292f241daafc3df90f3e2d339c61c6e2787a0d0739aac764e1ea9bb8544ee97

SHA512
a4cf1f5c74e0df85dda8750be9070e24e19b8be15c6f22f0c234ef8423ef9ca3db22ba9ef777d64c33e8fd49fada6fcca26c1a14ba18e8472370533a1c65d8d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
5cb72f2f4e9b1932bcd81121cf2375a6

SHA1
9f2a5e17e2affec2567fa2c55fdf7a47fa94f197

SHA256
e41b07fc6dc0689e93a7e09f0e1cfd2b6c6ca28bfde1bda734a549200580a727

SHA512
20129e893bef09fac4aae01ccb6cac2ee5c590d5cdd44c07e04ca7731befd38e86bcf6438031aaf9142c1867f2b7909bd2808c4360f659352424555d449b05dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\previews_opt_out.db

Filesize
16KB

MD5
d926f072b41774f50da6b28384e0fed1

SHA1
237dfa5fa72af61f8c38a1e46618a4de59bd6f10

SHA256
4f7b0e525d4bfc53d5df49589e25a0bccf2fcf6a1a0ca3f94d3285bb9cf0a249

SHA512
a140df6ec0d3099ef374e8f3ece09bf91bc896ac4a1d251799a521543fe9bdea796ba09fa47932bd54fa939118495078f9258557b32c31d3d4011b0666a4723f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\000003.log

Filesize
19B

MD5
0407b455f23e3655661ba46a574cfca4

SHA1
855cb7cc8eac30458b4207614d046cb09ee3a591

SHA256
ab5c71347d95f319781df230012713c7819ac0d69373e8c9a7302cae3f9a04b7

SHA512
3020f7c87dc5201589fa43e03b1591ed8beb64523b37eb3736557f3ab7d654980fb42284115a69d91de44204cefab751b60466c0ef677608467de43d41bfb939

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
e872fac4cbc2f50fe05a96a57b1ad376

SHA1
bb53594c60cf0315f84ba4cc79a100cc91de2745

SHA256
56d5b9d50e8459a1d9764b2e860e0312b552dc53d6b26fd398d1be728dbfd3ab

SHA512
412e26709717a5d1637f4fd4bff4b35514d2d41a249ca8d04567454ab03ba0789a556282348636eeec19081ac59e60c9b27b6ef87c4caa6c5d5a788e4ce26dc7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\000003.log

Filesize
318B

MD5
cbc17bb48b28c8d0752a359e46e926d6

SHA1
c9b5abde39d0eb13d64225faf38e43c6dcf7f542

SHA256
5cb50a22d12ce65995c55f6a490ae995ac850cbf8caac58540f01ce8db40c19b

SHA512
f1cb51a1ca1ab0d19633ef07879e5f58dc1394168c3003bcdbedbc5968a9bd45e53cfc48a35951dbc9b15e62c40f64e5cde8add60784e70d17d5d5acc059e89b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
a5ba521ce99c26b012dc752f99b019bc

SHA1
825d73c538d1187b3e655f00dc44800a2f242219

SHA256
e0502a082b5c3597e72dfb1dd78ebba6dcf252d983b71b75a99ecfd3addf4de8

SHA512
6db2291be45a1bae718f5e637fbb6128d796c6f75d600d13bb967ef67d237f70d50122e223b5ec4e680d3d866ce6a0492c4fff8b5a7e3c0acb6dc45b304d9f36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_0

Filesize
44KB

MD5
a0837a2831d6cae041ff74eff5402ed8

SHA1
b8c029dba69e171b788328955ca1e2df75c2c65b

SHA256
66b791c3e8e04d4abc8401ef6f1cd3075d4473e93d1dedde8979b528cf63c6d8

SHA512
59dbb91eec9c00d9529ba6a0e93227353d13a6b82b99e6ffa48c196df5981639f40c610bc66b5b703f73c5058001b2976cabbd6bc4ede6ad713c49233ba873ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1

Filesize
264KB

MD5
a181477b0563089af756676871cc058e

SHA1
dbf299a940a616e0ebcde7cb3adb394037e77bd6

SHA256
4879d133e1995852d2e456ffcf34fe4f02fe6306d95038f8b25fd6e3b0eaa4b3

SHA512
3f65a02015c32d222ab6f8d0ee6bb3b8eb3b6341a34ed64adc336d767306bb5abc95788ce164d9bd5e3b6aa01bb51a2afa48aa6bb5fbc1fac1e261ae9d650455

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_3

Filesize
4.0MB

MD5
45b4c697003ed95f4765209afd18dce9

SHA1
8074588f17e0767275f5050315d0b63d61008b90

SHA256
76a4b15e5f87ed6cb74191f94172beb8d8f0db15e9f258d8c4a58e8ee92000a8

SHA512
05bcf2f79c2e3a4e66e847243b6e69062651563c7bd775f8b96b9682d41da44bff2b8d4dee2b9c38d9a27033c4e5a95e334a2a2de30e7f6a9825159e15beaf58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\f_000001

Filesize
20KB

MD5
ef9588ca82f853399e5968af99985e74

SHA1
80d9df4f75c3e789ddf10584d9ff9de2b6154cb0

SHA256
9d550015f47a4d5d502f8a2f5b33bd9cbd136f4fea7c64754c8cc5a9651f7fe5

SHA512
a77b6b0bcea459ab4fc1e5d0983e85b86a6b0835849345f6afbfb27a5e84d8d1a38ff16e21ecf862e95d0a74e3fe97fda28bea66752b8bd64fd44c8ba680a5c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Browser

Filesize
120B

MD5
a397e5983d4a1619e36143b4d804b870

SHA1
aa135a8cc2469cfd1ef2d7955f027d95be5dfbd4

SHA256
9c70f766d3b84fc2bb298efa37cc9191f28bec336329cc11468cfadbc3b137f4

SHA512
4159ea654152d2810c95648694dd71957c84ea825fcca87b36f7e3282a72b30ef741805c610c5fa847ca186e34bde9c289aaa7b6931c5b257f1d11255cd2a816

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5b893ef9c5aab547adfc53f050e875cb

SHA1
6f36898f41a0762b7d7a75725ac59deef5d62c6b

SHA256
672de37e48ea3d4e74120fb7ce987cf219af7dbfaefa347121342fd5140984a2

SHA512
ff3e895650b9f7d640f22457cc1fe833d704058191399834839921bc8d40b83976ccb9d770ee58e2bc29b4a027672807fcfea299d50616d1da137367a0eca69b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b1135e3e4b2182315a4729a3a2c591ab

SHA1
8b6c983c536459186275ea4d28543b2db62ccb02

SHA256
19cf12e4b390000ee5c5e9a6f0539565e831e933a331895fea32ca3188bbddcb

SHA512
68e0e342914b978369a8a85574e7cbe07684b9b2c1cd52699807407cae5db96d31d385e4fa53437387a4e1296b7fbea2f504dd0ed2bfceb626f6ff5697b5405b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
68b9a8a7c2c5a4b37c4da12469a604cf

SHA1
668703b450bb1c8e55b11a949e914bc6b960994f

SHA256
6a0330a747287e158c8d46997395b4c3219bc75397e5e49e28a1c4db03b1d829

SHA512
b930c55fa2643d45b7dfb5b0aae071d92b4279acee99530961973e6bf98f449dd60f3c8ebf0b67e4edcd60558b18cb5f17a19397f1607efc62507aa950e336d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2aed66e799782585b93d1adb75f55d17

SHA1
337a4dcf409b28a3eb10ff8ac5e5206047f907f3

SHA256
a1225e6ab3e97c16bcb570895a3deb5c3d44cde6913d60962688f4caee957365

SHA512
9cae1b9ebfc0e955627768442c0131bbbc5bbca2407ffa388d3eae605157806b8db1c4cd3b155a51c3b0a83d9875f67db6c9a76e70be532836f1f99099e041f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\edge_shutdown_ms.txt

Filesize
5B

MD5
a72c877a8e866a6397c9f389b54d24de

SHA1
1b809fff027996718df5cde89b57fbfd33b57570

SHA256
e5f2e177854b0dba24984f670786253850d05ad32f7eb0703e720936b26d07a3

SHA512
973a39d6397f3f7c86fabf082105224ef8f82b8c923d51bc83054b8f6ec6cc67c4f795e8a6b6ee41c9f6cf6fe0b54cd0482c401363feacfe03ec4fe72685ba3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cookies.db

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\HistoryData.db

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\HistoryData.db

Filesize
116KB

MD5
4c2aedd7e82139d8be26e4e3b396706e

SHA1
23c2746c997835308412e5ef2a84d424b25050df

SHA256
a5c5f32cfc02669c783cbcb11d78b7a520f18a59212c84641dcf911cb6f2ec96

SHA512
dadd1332dac178b9a324beb78f3b74362be194bae5776e56bba87a3c5be8a71576a1a2438bf898a798e8e48f9c956bef8c37e316ca668981957d2b58d07435ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logins.db

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logins.db

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\OptimizeNew.png

Filesize
221KB

MD5
fce0948ee41c438bbdedea231f4c590c

SHA1
54f0666e1082d19acc88c8b54962b8358580da09

SHA256
bc21d763e79c8681e06d0898442401ce58d5f3bd33d30228f3d00753ada2c1e4

SHA512
80d1b0efae2cf2dddd3909ec27aab5a07456bb48ace97d2f51640ca44f2eda6a10cd5c1f9464f5b8672daff60cbda9581d972e547d8aff2ce0ea8b0969109a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\Files.docx

Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\Opened.docx

Filesize
11KB

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\OutCopy.docx

Filesize
912KB

MD5
ba832df3409dd3f446966d9906a99dd1

SHA1
bfc0cf54239d7860dbbadd5797289020fbca45d7

SHA256
98ee5f8bbcccc066d59243ae536384db2699e1ef32a8e32cc8acac84f907688d

SHA512
dc5cff575d3edd1c93d8fd597c19af9722db3c095fbf70f1e8cfa85b9b258af7452dabe8382c573155369f09e8c1a6ab9bebc0ccc5bbd5a7af4cd61a0091551a

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\Recently.docx

Filesize
11KB

MD5
3b068f508d40eb8258ff0b0592ca1f9c

SHA1
59ac025c3256e9c6c86165082974fe791ff9833a

SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\StartSet.docx

Filesize
1008KB

MD5
dfb021a8968ee6884a0d52f839454802

SHA1
1d33a11a593b1c5f389e102bf40893dcfcef21f6

SHA256
4575a2e67ffba61bddd3693c183e0dde28a4661a0aac4f08cd5f0be8714addbe

SHA512
6e776659c35d9e7807d3048b20d5619d6c04877021fc15a3e385a7083260c3a92722635244994df3fa338c4499335c45b4358d6366e14600418cab17b3274f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\StopOpen.pdf

Filesize
864KB

MD5
dc5f7b79e4e666e289271b6b63f2d6ea

SHA1
20d7c6ac8843635f78cf9c7f06128f44e76dbbbd

SHA256
3610060ec5929884846d4b4c995ef8ef40509750ded0402fda08d567c5d8846d

SHA512
ab0a1569c677e0ece8059678743cbe283de242fff744c09718a0f67ade40c8dfff88780fc93d816fd98e1c850b71575bd20795acb4bf9e25e4408d75a11cb36b

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\These.docx

Filesize
11KB

MD5
87cbab2a743fb7e0625cc332c9aac537

SHA1
50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

SHA256
57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

SHA512
6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\CompareSearch.mp4

Filesize
309KB

MD5
0ae9d7c0a9c976c3738ae99a7a34137e

SHA1
53ed0d0846045c018a0ed01ef35beac0c66b6e6c

SHA256
1ee1fa7066e2f984ed89bc618d0147c6aa4a80fabdd81c2a999591cb77d558fd

SHA512
9917e3a789f12b4be053e9b52938e8aea91b16214e547068ed5d1aaa26bf6ef922f7ec71c42ffa3385ee88063d5cbd1523703a46e0415e81e035bc13ef0c27ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\ConvertDisconnect.txt

Filesize
527KB

MD5
8199c1ea70bb61b7a2082b53d349eea4

SHA1
f3f8f1532a2211f694fa577ad7a0526083a08131

SHA256
2bf47fb345cf90a998cf56b1f4c46ca3d6af36a24cecf57f4c06671db2c79336

SHA512
b0217c6be70f8f66fce2791dd2dc3843010cfe65f303a3048ceed3236e1552b0fc6933d19770b29eb760cf7a8f9a0d46192fdbfaf1b8b6d5fc2d37198e68cb01

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\ConvertToUninstall.xlsx

Filesize
587KB

MD5
793c5d8afbf1cf195f08fad780332a35

SHA1
4ed7a20e98f8807bc0e005f21165124f1908a035

SHA256
622354c1e51da5eeabc3ad7634b8633b8320e1e2e8f1be8acd36e74df1c1f936

SHA512
f4cafc19e78c847a49b8233145ba0f16d76555aea7f0d3a3bc9b1cced1933f3620ec2df582c8f3be17fd809563721126ae57e88c40384f56d05605b801f9a852

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\GrantRegister.zip

Filesize
284KB

MD5
cbe9cac639b64f034e7373f5b79f7ed7

SHA1
681ceab39e27a7d0607e7624fb6e0095bf1b8346

SHA256
1964349f88e5a0e50ad2d9c1d6223eed8e45a539d8bcbf0f9d65a9b63a92ad83

SHA512
c568f27a97cda6c8ba0ef08e74557a510e6d605abebb12cfee8c2bda47fce69c6e2772e25e9bc12aaf012514c45d72007170f3800a61ad3d86e3941d09ae2b85

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\HideBackup.jpeg

Filesize
689KB

MD5
62fb3d447eb80ed27ed41784659c996e

SHA1
f963878f408500b89fd8e66159dd183647cfea4f

SHA256
22c267089496d8d6006417bb8901ab50f48e89f03b3ff417c7991fe9991bf425

SHA512
41890d4e35b589f2df4a41c1f4481703f980e575b96771cc931055693453361f1ebfcf6feac6bc7555ea976eb08fdcfb009756911699ba52cb300c6318cb4da7

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\WriteOptimize.xls

Filesize
501KB

MD5
b9faa409042f96d92b2f4fafb94ef916

SHA1
be6dfc0d54b074dd117a8fd089e9cbc219016839

SHA256
7f7257cd60029a1fd921a99ffcbed289fcfb89bbbec2d15dc7b34d4451f577ab

SHA512
508401ee33bc8cbed824d3ffa548da9398f31ddea2d3b272f79519f9f192d6c5f3054d098bf0c8cf01d5dfd862d8ce5bbd10d2380a23381986767f05321b5ac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\CloseWait.png

Filesize
797KB

MD5
3a1e97fac619d2da2d5b2beed7f742ef

SHA1
8dd350e1f70aaae6e58f6bed85340d8f87784880

SHA256
c77bb375a50b026aa8f60cf9d82c8ed7df8656a262aabe1c63022490e86a83b0

SHA512
c3105a1c456bf6d522f7772e2551932d33e2f7e9765bbe4ada1611d4e14bc16511d35aebf1c4c18375d2f1f587c2e479c642370640b0537ee1bfea094619fd06

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\OptimizeSend.jpeg

Filesize
542KB

MD5
a436e1c8de13b0c38b7ec8ae998e4ecb

SHA1
bcf1f9bbe1cede42c781c79576cff39da4ef967c

SHA256
2fb594182f8a9eae8f6e9de85db6ad75abb23766b5f5672af8eac8bb3b9b59c7

SHA512
00a27d27b9a78198aa747bd4da3010a451ac280d95c3d749be9dcf064a444b02f98ac832cb5081ff776130670be056db792c0b8269a8dcf6f21d9d756abc7cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
112KB

MD5
c80e42a00ff0946530325f758c795d9b

SHA1
a89dc92f8743e923ae4a6cd4aa8136b86a43d4ce

SHA256
a1205f0985ae879e6d5f905cbc0944826a2fce8ff1ee15a607252d1b0d5613fe

SHA512
50ff4cdb282a5cd3e9d6af3804165b0bf30b9b9af6a10cfe5338b41f90298cefe80135275746380dd33890d118ef920bbc3f79449e450dbe21047fb787129c52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
114KB

MD5
ea3bbda11253a0ddfa0bd6d750a7c9fc

SHA1
6b920bcafd8036b42657e50c84a1da2cea4d1307

SHA256
0a2bfcd7ad484f317f01b03ed4475015a2182137cb3daf7cd5717a9f8d081f89

SHA512
d885aeb00d919689b020bbf541d548578fa415150c2a7a160603a7d397bdb4238fa518eb076bdbbc3401325e517334a5da361e894939954d9bc29560d5d13268

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29882\attrs-23.2.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\_asyncio.pyd

Filesize
34KB

MD5
1b8ce772a230a5da8cbdccd8914080a5

SHA1
40d4faf1308d1af6ef9f3856a4f743046fd0ead5

SHA256
fa5a1e7031de5849ab2ab5a177e366b41e1df6bbd90c8d2418033a01c740771f

SHA512
d2fc21b9f58b57065b337c3513e7e6c3e2243b73c5a230e81c91dafcb6724b521ad766667848ba8d0a428d530691ffc4020de6ce9ce1eaa2bf5e15338114a603

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\_bz2.pyd

Filesize
46KB

MD5
80c69a1d87f0c82d6c4268e5a8213b78

SHA1
bae059da91d48eaac4f1bb45ca6feee2c89a2c06

SHA256
307359f1b2552b60839385eb63d74cbfe75cd5efdb4e7cd0bb7d296fa67d8a87

SHA512
542cf4ba19dd6a91690340779873e0cb8864b28159f55917f98a192ff9c449aba2d617e9b2b3932ddfeee13021706577ab164e5394e0513fe4087af6bc39d40d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\_cffi_backend.cp311-win_amd64.pyd

Filesize
71KB

MD5
2443ecaddfe40ee5130539024324e7fc

SHA1
ea74aaf7848de0a078a1510c3430246708631108

SHA256
9a5892ac0cd00c44cd7744d60c9459f302d5984ddb395caea52e4d8fd9bca2da

SHA512
5896af78cf208e1350cf2c31f913aa100098dd1cf4bae77cd2a36ec7695015986ec9913df8d2ebc9992f8f7d48bba102647dc5ee7f776593ae7be36f46bd5c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\_ctypes.pyd

Filesize
57KB

MD5
b4c41a4a46e1d08206c109ce547480c7

SHA1
9588387007a49ec2304160f27376aedca5bc854d

SHA256
9925ab71a4d74ce0ccc036034d422782395dd496472bd2d7b6d617f4d6ddc1f9

SHA512
30debb8e766b430a57f3f6649eeb04eb0aad75ab50423252585db7e28a974d629eb81844a05f5cb94c1702308d3feda7a7a99cb37458e2acb8e87efc486a1d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\_decimal.pyd

Filesize
104KB

MD5
e9501519a447b13dcca19e09140c9e84

SHA1
472b1aa072454d065dfe415a05036ffd8804c181

SHA256
6b5fe2dea13b84e40b0278d1702aa29e9e2091f9dc09b64bbff5fd419a604c3c

SHA512
ef481e0e4f9b277642652cd090634e1c04702df789e2267a87205e0fe12b00f1de6cdd4fafb51da01efa726606c0b57fcb2ea373533c772983fc4777dc0acc63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\_hashlib.pyd

Filesize
33KB

MD5
0629bdb5ff24ce5e88a2ddcede608aee

SHA1
47323370992b80dafb6f210b0d0229665b063afb

SHA256
f404bb8371618bbd782201f092a3bcd7a96d3c143787ebea1d8d86ded1f4b3b8

SHA512
3faeff1a19893257c17571b89963af37534c189421585ea03dd6a3017d28803e9d08b0e4daceee01ffeda21da60e68d10083fe7dbdbbde313a6b489a40e70952

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\_lzma.pyd

Filesize
84KB

MD5
bfca96ed7647b31dd2919bedebb856b8

SHA1
7d802d5788784f8b6bfbb8be491c1f06600737ac

SHA256
032b1a139adcff84426b6e156f9987b501ad42ecfb18170b10fb54da0157392e

SHA512
3a2926b79c90c3153c88046d316a081c8ddfb181d5f7c849ea6ae55cb13c6adba3a0434f800c4a30017d2fbab79d459432a2e88487914b54a897c4301c778551

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\_multiprocessing.pyd

Filesize
25KB

MD5
849b4203c5f9092db9022732d8247c97

SHA1
ed7bd0d6dcdcfa07f754b98acf44a7cfe5dcb353

SHA256
45bfbab1d2373cf7a8af19e5887579b8a306b3ad0c4f57e8f666339177f1f807

SHA512
cc618b4fc918b423e5dbdcbc45206653133df16bf2125fd53bafef8f7850d2403564cf80f8a5d4abb4a8928ff1262f80f23c633ea109a18556d1871aff81cd39

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\_overlapped.pyd

Filesize
30KB

MD5
97a40f53a81c39469cc7c8dd00f51b5d

SHA1
6c3916fe42e7977d8a6b53bfbc5a579abcf22a83

SHA256
11879a429c996fee8be891af2bec7d00f966593f1e01ca0a60bd2005feb4176f

SHA512
02af654ab73b6c8bf15a81c0e9071c8faf064c529b1439a2ab476e1026c860cf7d01472945112d4583e5da8e4c57f1df2700331440be80066dbb6a7e89e1c5af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\_queue.pyd

Filesize
24KB

MD5
0614691624f99748ef1d971419bdb80d

SHA1
39c52450ed7e31e935b5b0e49d03330f2057747d

SHA256
ac7972502144e9e01e53001e8eec3fc9ab063564678b784d024da2036ba7384d

SHA512
184bc172c7bb8a1fb55c4c23950cbe5e0b5a3c96c1c555ed8476edf79c5c729ed297112ee01b45d771e5c0055d2dc402b566967d1900b5abf683ee8e668c5b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\_socket.pyd

Filesize
41KB

MD5
04e7eb0b6861495233247ac5bb33a89a

SHA1
c4d43474e0b378a00845cca044f68e224455612a

SHA256
7efe25284a4663df9458603bf0988b0f47c7dcf56119e3e853e6bda80831a383

SHA512
d4ea0484363edf284ac08a1c3356cc3112d410dd80fe5010c1777acf88dbd830e9f668b593e252033d657a3431a79f7b68d09eb071d0c2ceb51632dbe9b8ed97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\_sqlite3.pyd

Filesize
54KB

MD5
d9eeeeacc3a586cf2dbf6df366f6029e

SHA1
4ff9fb2842a13e9371ce7894ec4fe331b6af9219

SHA256
67649e1e8acd348834efb2c927ab6a7599cf76b2c0c0a50b137b3be89c482e29

SHA512
0b9f1d80fb92c796682dba94a75fbce0e4fbeaedccd50e21d42d4b9366463a830109a8cd4300aa62b41910655f8ca96ecc609ea8a1b84236250b6fd08c965830

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\_ssl.pyd

Filesize
60KB

MD5
fd0f4aed22736098dc146936cbf0ad1d

SHA1
e520def83b8efdbca9dd4b384a15880b036ee0cf

SHA256
50404a6a3de89497e9a1a03ff3df65c6028125586dced1a006d2abb9009a9892

SHA512
c8f3c04d87da19041f28e1d474c8eb052fe8c03ffd88f0681ef4a2ffe29755cfd5b9c100a1b1d2fdb233cb0f70e367af500cbd3cd4ce77475f441f2b2aa0ab8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\_uuid.pyd

Filesize
21KB

MD5
3377ae26c2987cfee095dff160f2c86c

SHA1
0ca6aa60618950e6d91a7dea530a65a1cdf16625

SHA256
9534cb9c997a17f0004fb70116e0141bdd516373b37bbd526d91ad080daa3a2b

SHA512
8e408b84e2130ff48b8004154d1bdf6a08109d0b40f9fafb6f55e9f215e418e05dca819f411c802792a9d9936a55d6b90460121583e5568579a0fda6935852ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\attrs-23.2.0.dist-info\METADATA

Filesize
9KB

MD5
e32d387a89f0114b8f9b9a809905299d

SHA1
a055c9fbf5416c83d5150d49ca16c58762b8b84a

SHA256
5b0bc6ece1f22a310fa72154642098b759f413f09ca9d45bedb96218475c9be0

SHA512
6eee3e19af46a79e2110678f8d3d15ea4b2eb1355d0fc9581da2c8e91d28926a2771394ea447e15cbc311a9dd9de2a20e2ac0e0abf9db6d4d51982199a12e881

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\attrs-23.2.0.dist-info\RECORD

Filesize
3KB

MD5
0461ab56c7d588c2d9596f91e16658ec

SHA1
013e2923cac817d68ee9ecf9a812e41707c4c7fd

SHA256
a6de30062543c20b137871403f784f12622118583313e9288a9389c005de59af

SHA512
dd217fccdd005ec00c34621edd879a6dac57f11065ddd628d0166fc3f2d78f32e282cca86aeab71d80928d834657a1e1d8d704f2a3bef98410ee2d2e614a9590

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\attrs-23.2.0.dist-info\WHEEL

Filesize
87B

MD5
c58f7d318baa542f6bfd220f837ab63f

SHA1
f655fc3c0eb1bf12629c5750b2892bd896c3e7d9

SHA256
99161210bdc887a8396bf095308730885fffd007b8fe02d8874d5814dc22ab59

SHA512
3da6980a39c368ab7f7527fcd5fcdaa9d321060174baae163bf73f8052a2ac1a73f476c3882855965dfc2cb13c7c3ec1a012882201389dac887f9be59540c80f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\attrs-23.2.0.dist-info\licenses\LICENSE

Filesize
1KB

MD5
5e55731824cf9205cfabeab9a0600887

SHA1
243e9dd038d3d68c67d42c0c4ba80622c2a56246

SHA256
882115c95dfc2af1eeb6714f8ec6d5cbcabf667caff8729f42420da63f714e9f

SHA512
21b242bf6dcbafa16336d77a40e69685d7e64a43cc30e13e484c72a93cd4496a7276e18137dc601b6a8c3c193cb775db89853ecc6d6eb2956deee36826d5ebfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\base_library.zip

Filesize
1.4MB

MD5
83d235e1f5b0ee5b0282b5ab7244f6c4

SHA1
629a1ce71314d7abbce96674a1ddf9f38c4a5e9c

SHA256
db389a9e14bfac6ee5cce17d41f9637d3ff8b702cc74102db8643e78659670a0

SHA512
77364aff24cfc75ee32e50973b7d589b4a896d634305d965ecbc31a9e0097e270499dbec93126092eb11f3f1ad97692db6ca5927d3d02f3d053336d6267d7e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\cryptography-42.0.8.dist-info\LICENSE

Filesize
197B

MD5
8c3617db4fb6fae01f1d253ab91511e4

SHA1
e442040c26cd76d1b946822caf29011a51f75d6d

SHA256
3e0c7c091a948b82533ba98fd7cbb40432d6f1a9acbf85f5922d2f99a93ae6bb

SHA512
77a1919e380730bcce5b55d76fbffba2f95874254fad955bd2fe1de7fc0e4e25b5fdaab0feffd6f230fa5dc895f593cf8bfedf8fdc113efbd8e22fadab0b8998

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\cryptography-42.0.8.dist-info\LICENSE.APACHE

Filesize
11KB

MD5
4e168cce331e5c827d4c2b68a6200e1b

SHA1
de33ead2bee64352544ce0aa9e410c0c44fdf7d9

SHA256
aac73b3148f6d1d7111dbca32099f68d26c644c6813ae1e4f05f6579aa2663fe

SHA512
f451048e81a49fbfa11b49de16ff46c52a8e3042d1bcc3a50aaf7712b097bed9ae9aed9149c21476c2a1e12f1583d4810a6d36569e993fe1ad3879942e5b0d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\cryptography-42.0.8.dist-info\LICENSE.BSD

Filesize
1KB

MD5
5ae30ba4123bc4f2fa49aa0b0dce887b

SHA1
ea5b412c09f3b29ba1d81a61b878c5c16ffe69d8

SHA256
602c4c7482de6479dd2e9793cda275e5e63d773dacd1eca689232ab7008fb4fb

SHA512
ddbb20c80adbc8f4118c10d3e116a5cd6536f72077c5916d87258e155be561b89eb45c6341a1e856ec308b49a4cb4dba1408eabd6a781fbe18d6c71c32b72c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\cryptography-42.0.8.dist-info\METADATA

Filesize
5KB

MD5
07e3eea441a0e6f99247d353bd664ea1

SHA1
99c8f9c2dd2d02be18d50551ed4488325906c769

SHA256
04fe672bf2aa70ff8e6b959defe7d676dcdfd34ee9062030ba352a40db5e2d37

SHA512
24f458c831f7a459d12e0217f4bd57f82a034fec9ea154cac303200e241a52838a1962612c5aaff5cd837f668fdc810606624dca901f4274973f84a9adba8d66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\cryptography-42.0.8.dist-info\RECORD

Filesize
14KB

MD5
d642b5d5bb864006d0457f1cb8e41197

SHA1
81f98e289cf8320701353bfbba8255c6460edd3b

SHA256
3909dbbe41f046b701cc362332c28020c25a20963e3b8587d1c453402c106859

SHA512
0397c2c71045e0f9fce25fd5a350a3f4fa3a230937ecd659d9955d1fd75d1d5a21370a88d9a7f9f44111e4d3df7578c2ef7a16b43b542aedf7b65dbd484886dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\cryptography-42.0.8.dist-info\WHEEL

Filesize
100B

MD5
c48772ff6f9f408d7160fe9537e150e0

SHA1
79d4978b413f7051c3721164812885381de2fdf5

SHA256
67325f22d7654f051b7a1d92bd644f6ebaa00df5bf7638a48219f07d19aa1484

SHA512
a817107d9f70177ea9ca6a370a2a0cb795346c9025388808402797f33144c1baf7e3de6406ff9e3d8a3486bdfaa630b90b63935925a36302ab19e4c78179674f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\cryptography-42.0.8.dist-info\top_level.txt

Filesize
13B

MD5
e7274bd06ff93210298e7117d11ea631

SHA1
7132c9ec1fd99924d658cc672f3afe98afefab8a

SHA256
28d693f929f62b8bb135a11b7ba9987439f7a960cc969e32f8cb567c1ef79c97

SHA512
aa6021c4e60a6382630bebc1e16944f9b312359d645fc61219e9a3f19d876fd600e07dca6932dcd7a1e15bfdeac7dbdceb9fffcd5ca0e5377b82268ed19de225

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\cryptography\hazmat\bindings\_rust.pyd

Filesize
2.0MB

MD5
b77c7de3d1f9bf06ecad3a1f8417f435

SHA1
ab60a744f8614ea68fd522ce6aeb125f9fc2f2d8

SHA256
a59a933def9329ccbcac18135ec2976599a42ebd8ffdaeed650dc185b47b11fb

SHA512
1afaf8c42d41d03e47a671325215452fcb8b4ea6576acac056ae18297829fb1f67c24f367ad20d825b0c5cb6d7997529d796bd947ff03b89154e7c5686335879

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\libcrypto-1_1.dll

Filesize
1.1MB

MD5
86cfc84f8407ab1be6cc64a9702882ef

SHA1
86f3c502ed64df2a5e10b085103c2ffc9e3a4130

SHA256
11b89cc5531b2a6b89fbbb406ebe8fb01f0bf789e672131b0354e10f9e091307

SHA512
b33f59497127cb1b4c1781693380576187c562563a9e367ce8abc14c97c51053a28af559cdd8bd66181012083e562c8a8771e3d46adeba269a848153a8e9173c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\libffi-8.dll

Filesize
24KB

MD5
decbba3add4c2246928ab385fb16a21e

SHA1
5f019eff11de3122ffa67a06d52d446a3448b75e

SHA256
4b43c1e42f6050ddb8e184c8ec4fb1de4a6001e068ece8e6ad47de0cc9fd4a2d

SHA512
760a42a3eb3ca13fa7b95d3bd0f411c270594ae3cf1d3cda349fa4f8b06ebe548b60cd438d68e2da37de0bc6f1c711823f5e917da02ed7047a45779ee08d7012

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\libssl-1_1.dll

Filesize
203KB

MD5
6cd33578bc5629930329ca3303f0fae1

SHA1
f2f8e3248a72f98d27f0cfa0010e32175a18487f

SHA256
4150ee603ad2da7a6cb6a895cb5bd928e3a99af7e73c604de1fc224e0809fdb0

SHA512
c236a6ccc8577c85509d378c1ef014621cab6f6f4aa26796ff32d8eec8e98ded2e55d358a7d236594f7a48646dc2a6bf25b42a37aed549440d52873ebca4713e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\multidict\_multidict.cp311-win_amd64.pyd

Filesize
20KB

MD5
eeaded775eabfaaede5ca025f55fd273

SHA1
8eefb3b9d85b4d5ad4033308f8af2a24e8792e02

SHA256
db4d6a74a3301788d32905b2ccc525e9a8e2219f1a36924464871cf211f115a0

SHA512
a6055d5604cc53428d89b308c223634cd94082be0ba4081513974e1826775d6e9fc26180c816d9a38fead89b5e04c5e7cf729c056bfae0ed74d6885c921b70ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\pyexpat.pyd

Filesize
86KB

MD5
fe0e32bfe3764ed5321454e1a01c81ec

SHA1
7690690df0a73bdcc54f0f04b674fc8a9a8f45fb

SHA256
b399bff10812e9ea2c9800f74cb0e5002f9d9379baf1a3cef9d438caca35dc92

SHA512
d1777f9e684a9e4174e18651e6d921ae11757ecdbeb4ee678c6a28e0903a4b9ab9f6e1419670b4d428ee20f86c7d424177ed9daf4365cf2ee376fcd065c1c92d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\python3.dll

Filesize
64KB

MD5
34e49bb1dfddf6037f0001d9aefe7d61

SHA1
a25a39dca11cdc195c9ecd49e95657a3e4fe3215

SHA256
4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281

SHA512
edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\python311.dll

Filesize
1.6MB

MD5
db09c9bbec6134db1766d369c339a0a1

SHA1
c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b

SHA256
b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79

SHA512
653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\select.pyd

Filesize
24KB

MD5
c39459806c712b3b3242f8376218c1e1

SHA1
85d254fb6cc5d6ed20a04026bff1158c8fd0a530

SHA256
7cbd4339285d145b422afa280cee685258bc659806be9cf8b334805bc45b29c9

SHA512
b727c6d1cd451d658e174161135d3be48d7efda21c775b8145bc527a54d6592bfc50919276c6498d2e2233ac1524c1699f59f0f467cc6e43e5b5e9558c87f49d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\sqlite3.dll

Filesize
608KB

MD5
895f001ae969364432372329caf08b6a

SHA1
4567fc6672501648b277fe83e6b468a7a2155ddf

SHA256
f5dd29e1e99cf8967f7f81487dc624714dcbec79c1630f929d5507fc95cbfad7

SHA512
05b4559d283ea84174da72a6c11b8b93b1586b4e7d8cda8d745c814f8f6dff566e75f9d7890f32bd9dfe43485244973860f83f96ba39296e28127c9396453261

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\unicodedata.pyd

Filesize
293KB

MD5
06a5e52caf03426218f0c08fc02cc6b8

SHA1
ae232c63620546716fbb97452d73948ebfd06b35

SHA256
118c31faa930f2849a14c3133df36420a5832114df90d77b09cde0ad5f96f33a

SHA512
546b1a01f36d3689b0fdeeda8b1ce55e7d3451731ca70fffe6627d542fff19d7a70e27147cab1920aae8bed88272342908d4e9d671d7aba74abb5db398b90718

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37122\yarl\_quoting_c.cp311-win_amd64.pyd

Filesize
40KB

MD5
9a8f969ecdf0c15734c1d582d2ae35d8

SHA1
a40691e81982f610a062e49a5ad29cffb5a2f5a8

SHA256
874e52cceae9a3c967bac7b628f4144c32e51fc77f519542fc1bac19045ecde8

SHA512
e0deb59abef7440f30effb1aab6295b5a50c817f685be30b21a3c453e3099b97fd71984e6ca6a6c6e0021abb6e906838566f402b00a11813e67a4e00b119619f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jzubbp0f.ktu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\wr5hknnz

Filesize
4B

MD5
3f1d1d8d87177d3d8d897d7e421f84d6

SHA1
dd082d742a5cb751290f1db2bd519c286aa86d95

SHA256
f02285fb90ed8c81531fe78cf4e2abb68a62be73ee7d317623e2c3e3aefdfff2

SHA512
2ae2b3936f31756332ca7a4b877d18f3fcc50e41e9472b5cd45a70bea82e29a0fa956ee6a9ee0e02f23d9db56b41d19cb51d88aac06e9c923a820a21023752a9

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 653199.crdownload

Filesize
10.7MB

MD5
26827c9792689b74098834a6d8c20aab

SHA1
07e2be92ae5393afcd690fb822130535a6d2c17e

SHA256
482c560821dff63e878f6a8adf9e900a4e3756bd392ff92d37c135bd62e47de1

SHA512
90941280d2260fca8fb5c16b49819dd10d1940936cc5e48bb0b4a1bb0ff692670c85905bb1dee9f44cedd6577df26fc339ce5703eab3c4a4a43c3c00e0483a30

Download Submit
memory/572-1353-0x00007FFE65A30000-0x00007FFE65AE8000-memory.dmp

Filesize
736KB

Download
memory/572-1140-0x0000019FBF060000-0x0000019FBF3D5000-memory.dmp

Filesize
3.5MB

Download
memory/572-1396-0x00007FFE69400000-0x00007FFE6942D000-memory.dmp

Filesize
180KB

Download
memory/572-1397-0x00007FFE68840000-0x00007FFE68863000-memory.dmp

Filesize
140KB

Download
memory/572-1398-0x00007FFE56D60000-0x00007FFE56ED3000-memory.dmp

Filesize
1.4MB

Download
memory/572-1399-0x00007FFE68810000-0x00007FFE6883E000-memory.dmp

Filesize
184KB

Download
memory/572-1400-0x00007FFE65A30000-0x00007FFE65AE8000-memory.dmp

Filesize
736KB

Download
memory/572-1401-0x00007FFE569E0000-0x00007FFE56D55000-memory.dmp

Filesize
3.5MB

Download
memory/572-1402-0x00007FFE71470000-0x00007FFE71485000-memory.dmp

Filesize
84KB

Download
memory/572-1391-0x00007FFE71570000-0x00007FFE71594000-memory.dmp

Filesize
144KB

Download
memory/572-1351-0x00007FFE56D60000-0x00007FFE56ED3000-memory.dmp

Filesize
1.4MB

Download
memory/572-1363-0x00007FFE659F0000-0x00007FFE65A28000-memory.dmp

Filesize
224KB

Download
memory/572-1344-0x00007FFE71570000-0x00007FFE71594000-memory.dmp

Filesize
144KB

Download
memory/572-1352-0x00007FFE68810000-0x00007FFE6883E000-memory.dmp

Filesize
184KB

Download
memory/572-1366-0x00007FFE57CA0000-0x00007FFE57DBC000-memory.dmp

Filesize
1.1MB

Download
memory/572-1354-0x00007FFE569E0000-0x00007FFE56D55000-memory.dmp

Filesize
3.5MB

Download
memory/572-1355-0x00007FFE71470000-0x00007FFE71485000-memory.dmp

Filesize
84KB

Download
memory/572-1360-0x00007FFE68750000-0x00007FFE68772000-memory.dmp

Filesize
136KB

Download
memory/572-1343-0x00007FFE56EE0000-0x00007FFE574C8000-memory.dmp

Filesize
5.9MB

Download
memory/572-1128-0x00007FFE56EE0000-0x00007FFE574C8000-memory.dmp

Filesize
5.9MB

Download
memory/572-1130-0x00007FFE71560000-0x00007FFE7156F000-memory.dmp

Filesize
60KB

Download
memory/572-1129-0x00007FFE71570000-0x00007FFE71594000-memory.dmp

Filesize
144KB

Download
memory/572-1131-0x00007FFE71540000-0x00007FFE71559000-memory.dmp

Filesize
100KB

Download
memory/572-1134-0x00007FFE69400000-0x00007FFE6942D000-memory.dmp

Filesize
180KB

Download
memory/572-1135-0x00007FFE68840000-0x00007FFE68863000-memory.dmp

Filesize
140KB

Download
memory/572-1133-0x00007FFE71510000-0x00007FFE71529000-memory.dmp

Filesize
100KB

Download
memory/572-1132-0x00007FFE71530000-0x00007FFE7153D000-memory.dmp

Filesize
52KB

Download
memory/572-1136-0x00007FFE56D60000-0x00007FFE56ED3000-memory.dmp

Filesize
1.4MB

Download
memory/572-1137-0x00007FFE68810000-0x00007FFE6883E000-memory.dmp

Filesize
184KB

Download
memory/572-1395-0x00007FFE71510000-0x00007FFE71529000-memory.dmp

Filesize
100KB

Download
memory/572-1139-0x00007FFE569E0000-0x00007FFE56D55000-memory.dmp

Filesize
3.5MB

Download
memory/572-1138-0x00007FFE65A30000-0x00007FFE65AE8000-memory.dmp

Filesize
736KB

Download
memory/572-1141-0x00007FFE71470000-0x00007FFE71485000-memory.dmp

Filesize
84KB

Download
memory/572-1143-0x00007FFE6E6F0000-0x00007FFE6E702000-memory.dmp

Filesize
72KB

Download
memory/572-1147-0x00007FFE71570000-0x00007FFE71594000-memory.dmp

Filesize
144KB

Download
memory/572-1146-0x00007FFE68A70000-0x00007FFE68A84000-memory.dmp

Filesize
80KB

Download
memory/572-1149-0x00007FFE68750000-0x00007FFE68772000-memory.dmp

Filesize
136KB

Download
memory/572-1148-0x00007FFE71540000-0x00007FFE71559000-memory.dmp

Filesize
100KB

Download
memory/572-1150-0x00007FFE6C1B0000-0x00007FFE6C1BA000-memory.dmp

Filesize
40KB

Download
memory/572-1152-0x00007FFE562E0000-0x00007FFE569D5000-memory.dmp

Filesize
7.0MB

Download
memory/572-1151-0x00007FFE69400000-0x00007FFE6942D000-memory.dmp

Filesize
180KB

Download
memory/572-1145-0x00007FFE57CA0000-0x00007FFE57DBC000-memory.dmp

Filesize
1.1MB

Download
memory/572-1144-0x00007FFE687F0000-0x00007FFE68804000-memory.dmp

Filesize
80KB

Download
memory/572-1142-0x00007FFE56EE0000-0x00007FFE574C8000-memory.dmp

Filesize
5.9MB

Download
memory/572-1154-0x00007FFE659F0000-0x00007FFE65A28000-memory.dmp

Filesize
224KB

Download
memory/572-1153-0x00007FFE68840000-0x00007FFE68863000-memory.dmp

Filesize
140KB

Download
memory/572-1394-0x00007FFE71530000-0x00007FFE7153D000-memory.dmp

Filesize
52KB

Download
memory/572-1393-0x00007FFE71540000-0x00007FFE71559000-memory.dmp

Filesize
100KB

Download
memory/572-1201-0x00007FFE696E0000-0x00007FFE696ED000-memory.dmp

Filesize
52KB

Download
memory/572-1200-0x00007FFE56D60000-0x00007FFE56ED3000-memory.dmp

Filesize
1.4MB

Download
memory/572-1392-0x00007FFE71560000-0x00007FFE7156F000-memory.dmp

Filesize
60KB

Download
memory/572-1390-0x00007FFE68A70000-0x00007FFE68A84000-memory.dmp

Filesize
80KB

Download
memory/572-1217-0x00007FFE68810000-0x00007FFE6883E000-memory.dmp

Filesize
184KB

Download
memory/572-1220-0x0000019FBF060000-0x0000019FBF3D5000-memory.dmp

Filesize
3.5MB

Download
memory/572-1219-0x00007FFE569E0000-0x00007FFE56D55000-memory.dmp

Filesize
3.5MB

Download
memory/572-1218-0x00007FFE65A30000-0x00007FFE65AE8000-memory.dmp

Filesize
736KB

Download
memory/572-1232-0x00007FFE71470000-0x00007FFE71485000-memory.dmp

Filesize
84KB

Download
memory/572-1365-0x00007FFE6E6F0000-0x00007FFE6E702000-memory.dmp

Filesize
72KB

Download
memory/3128-780-0x00007FFE54420000-0x00007FFE54A08000-memory.dmp

Filesize
5.9MB

Download
memory/3128-1052-0x00007FFE54420000-0x00007FFE54A08000-memory.dmp

Filesize
5.9MB

Download
memory/3128-1062-0x00007FFE54360000-0x00007FFE54418000-memory.dmp

Filesize
736KB

Download
memory/3128-1063-0x00007FFE53FE0000-0x00007FFE54355000-memory.dmp

Filesize
3.5MB

Download
memory/3128-1069-0x00007FFE55A10000-0x00007FFE55A32000-memory.dmp

Filesize
136KB

Download
memory/3128-1072-0x00007FFE555A0000-0x00007FFE555D8000-memory.dmp

Filesize
224KB

Download
memory/3128-1073-0x00007FFE6E700000-0x00007FFE6E70D000-memory.dmp

Filesize
52KB

Download
memory/3128-1074-0x00007FFE57460000-0x00007FFE57474000-memory.dmp

Filesize
80KB

Download
memory/3128-1075-0x00007FFE68750000-0x00007FFE68774000-memory.dmp

Filesize
144KB

Download
memory/3128-1076-0x00007FFE6C1B0000-0x00007FFE6C1BF000-memory.dmp

Filesize
60KB

Download
memory/3128-1077-0x00007FFE682A0000-0x00007FFE682B9000-memory.dmp

Filesize
100KB

Download
memory/3128-1078-0x00007FFE696E0000-0x00007FFE696ED000-memory.dmp

Filesize
52KB

Download
memory/3128-1079-0x00007FFE65A10000-0x00007FFE65A29000-memory.dmp

Filesize
100KB

Download
memory/3128-1080-0x00007FFE659E0000-0x00007FFE65A0D000-memory.dmp

Filesize
180KB

Download
memory/3128-1081-0x00007FFE5D8A0000-0x00007FFE5D8C3000-memory.dmp

Filesize
140KB

Download
memory/3128-1082-0x00007FFE555E0000-0x00007FFE55753000-memory.dmp

Filesize
1.4MB

Download
memory/3128-1083-0x00007FFE574A0000-0x00007FFE574CE000-memory.dmp

Filesize
184KB

Download
memory/3128-1084-0x00007FFE5EB90000-0x00007FFE5EBA5000-memory.dmp

Filesize
84KB

Download
memory/3128-1085-0x00007FFE57E90000-0x00007FFE57EA2000-memory.dmp

Filesize
72KB

Download
memory/3128-1086-0x00007FFE57480000-0x00007FFE57494000-memory.dmp

Filesize
80KB

Download
memory/3128-1071-0x00007FFE537C0000-0x00007FFE53EB5000-memory.dmp

Filesize
7.0MB

Download
memory/3128-1070-0x00007FFE69400000-0x00007FFE6940A000-memory.dmp

Filesize
40KB

Download
memory/3128-1068-0x00007FFE53EC0000-0x00007FFE53FDC000-memory.dmp

Filesize
1.1MB

Download
memory/3128-1029-0x00007FFE54420000-0x00007FFE54A08000-memory.dmp

Filesize
5.9MB

Download
memory/3128-1038-0x00007FFE574A0000-0x00007FFE574CE000-memory.dmp

Filesize
184KB

Download
memory/3128-1045-0x00007FFE53EC0000-0x00007FFE53FDC000-memory.dmp

Filesize
1.1MB

Download
memory/3128-1046-0x00007FFE55A10000-0x00007FFE55A32000-memory.dmp

Filesize
136KB

Download
memory/3128-1037-0x00007FFE555E0000-0x00007FFE55753000-memory.dmp

Filesize
1.4MB

Download
memory/3128-1039-0x00007FFE54360000-0x00007FFE54418000-memory.dmp

Filesize
736KB

Download
memory/3128-1041-0x00007FFE5EB90000-0x00007FFE5EBA5000-memory.dmp

Filesize
84KB

Download
memory/3128-1048-0x00007FFE537C0000-0x00007FFE53EB5000-memory.dmp

Filesize
7.0MB

Download
memory/3128-1040-0x00007FFE53FE0000-0x00007FFE54355000-memory.dmp

Filesize
3.5MB

Download
memory/3128-1049-0x00007FFE555A0000-0x00007FFE555D8000-memory.dmp

Filesize
224KB

Download
memory/3128-1030-0x00007FFE68750000-0x00007FFE68774000-memory.dmp

Filesize
144KB

Download
memory/3128-917-0x00007FFE5EB90000-0x00007FFE5EBA5000-memory.dmp

Filesize
84KB

Download
memory/3128-918-0x00007FFE57E90000-0x00007FFE57EA2000-memory.dmp

Filesize
72KB

Download
memory/3128-886-0x00000274D93A0000-0x00000274D9715000-memory.dmp

Filesize
3.5MB

Download
memory/3128-887-0x00007FFE53FE0000-0x00007FFE54355000-memory.dmp

Filesize
3.5MB

Download
memory/3128-888-0x00007FFE6E700000-0x00007FFE6E70D000-memory.dmp

Filesize
52KB

Download
memory/3128-806-0x00007FFE54360000-0x00007FFE54418000-memory.dmp

Filesize
736KB

Download
memory/3128-807-0x00007FFE555A0000-0x00007FFE555D8000-memory.dmp

Filesize
224KB

Download
memory/3128-805-0x00007FFE574A0000-0x00007FFE574CE000-memory.dmp

Filesize
184KB

Download
memory/3128-803-0x00007FFE555E0000-0x00007FFE55753000-memory.dmp

Filesize
1.4MB

Download
memory/3128-804-0x00007FFE537C0000-0x00007FFE53EB5000-memory.dmp

Filesize
7.0MB

Download
memory/3128-792-0x00007FFE53FE0000-0x00007FFE54355000-memory.dmp

Filesize
3.5MB

Download
memory/3128-801-0x00007FFE5D8A0000-0x00007FFE5D8C3000-memory.dmp

Filesize
140KB

Download
memory/3128-802-0x00007FFE69400000-0x00007FFE6940A000-memory.dmp

Filesize
40KB

Download
memory/3128-794-0x00007FFE5EB90000-0x00007FFE5EBA5000-memory.dmp

Filesize
84KB

Download
memory/3128-795-0x00007FFE57E90000-0x00007FFE57EA2000-memory.dmp

Filesize
72KB

Download
memory/3128-800-0x00007FFE55A10000-0x00007FFE55A32000-memory.dmp

Filesize
136KB

Download
memory/3128-799-0x00007FFE53EC0000-0x00007FFE53FDC000-memory.dmp

Filesize
1.1MB

Download
memory/3128-796-0x00007FFE57480000-0x00007FFE57494000-memory.dmp

Filesize
80KB

Download
memory/3128-797-0x00007FFE57460000-0x00007FFE57474000-memory.dmp

Filesize
80KB

Download
memory/3128-798-0x00007FFE682A0000-0x00007FFE682B9000-memory.dmp

Filesize
100KB

Download
memory/3128-793-0x00007FFE54420000-0x00007FFE54A08000-memory.dmp

Filesize
5.9MB

Download
memory/3128-791-0x00000274D93A0000-0x00000274D9715000-memory.dmp

Filesize
3.5MB

Download
memory/3128-789-0x00007FFE574A0000-0x00007FFE574CE000-memory.dmp

Filesize
184KB

Download
memory/3128-790-0x00007FFE54360000-0x00007FFE54418000-memory.dmp

Filesize
736KB

Download
memory/3128-786-0x00007FFE659E0000-0x00007FFE65A0D000-memory.dmp

Filesize
180KB

Download
memory/3128-788-0x00007FFE555E0000-0x00007FFE55753000-memory.dmp

Filesize
1.4MB

Download
memory/3128-787-0x00007FFE5D8A0000-0x00007FFE5D8C3000-memory.dmp

Filesize
140KB

Download
memory/3128-785-0x00007FFE65A10000-0x00007FFE65A29000-memory.dmp

Filesize
100KB

Download
memory/3128-784-0x00007FFE696E0000-0x00007FFE696ED000-memory.dmp

Filesize
52KB

Download
memory/3128-783-0x00007FFE682A0000-0x00007FFE682B9000-memory.dmp

Filesize
100KB

Download
memory/3128-781-0x00007FFE68750000-0x00007FFE68774000-memory.dmp

Filesize
144KB

Download
memory/3128-782-0x00007FFE6C1B0000-0x00007FFE6C1BF000-memory.dmp

Filesize
60KB

Download
memory/3252-896-0x000001E5F8740000-0x000001E5F8762000-memory.dmp

Filesize
136KB

Download