rhadamanthys | hxxps://www[.]youtube[.]com/redirect?event=video_description&redir_token=QUFFLUhqazg0bjh2anJzcUJDY00tVGdZUHZ4V2ZzazJ4Z3xBQ3Jtc0tsTG1tV1poWkpZMjE4RmpBVUxaNURjTnVOcXh0WGhIa0FvbHpGd1JiNWd0T3REZlhHU2ZPT09xakdOQld2OUM4alM0V29ROXdjUHp0Z01oNk92NG5oYmhDazBIUWtIR0s2OU1IOGtJQ2ZRRkZMcEZJSQ&q=https%3A%2F%2Fgithub[.]com%2FEXSoft1%2FExSofts%2Freleases%2Fdownload%2FSoft%2FExSoftware[.]zip&v=BcgATk46IqA

Analysis

max time kernel
117s
max time network
117s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqazg0bjh2anJzcUJDY00tVGdZUHZ4V2ZzazJ4Z3xBQ3Jtc0tsTG1tV1poWkpZMjE4RmpBVUxaNURjTnVOcXh0WGhIa0FvbHpGd1JiNWd0T3REZlhHU2ZPT09xakdOQld2OUM4alM0V29ROXdjUHp0Z01oNk92NG5oYmhDazBIUWtIR0s2OU1IOGtJQ2ZRRkZMcEZJSQ&q=https%3A%2F%2Fgithub.com%2FEXSoft1%2FExSofts%2Freleases%2Fdownload%2FSoft%2FExSoftware.zip&v=BcgATk46IqA

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Extracted

Family

rhadamanthys

https://144.76.133.166:8034/5502b8a765a7d7349/71q10f6c.xvxit

Signatures

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

RegAsm.exe

description	pid	Process	procid_target
PID 1700 created 2420	1700	RegAsm.exe	43

Executes dropped EXE 2 IoCs

Processes:

Set-up.exeSet-up.exe

pid	Process
4084	Set-up.exe
6048	Set-up.exe

Loads dropped DLL 2 IoCs

Processes:

Set-up.exeSet-up.exe

pid	Process
4084	Set-up.exe
6048	Set-up.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Set-up.exeMSBuild.exeSet-up.exeMSBuild.exe

description	pid	Process	procid_target
PID 4084 set thread context of 2548	4084	Set-up.exe	116
PID 2548 set thread context of 1700	2548	MSBuild.exe	117
PID 6048 set thread context of 5168	6048	Set-up.exe	144
PID 5168 set thread context of 5456	5168	MSBuild.exe	147

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 4 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
3116	1700	WerFault.exe	117
2312	1700	WerFault.exe	117
5572	5456	WerFault.exe	147
5624	5456	WerFault.exe	147

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Set-up.exeMSBuild.exeRegAsm.exeopenwith.exeSet-up.exeMSBuild.exeRegAsm.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	openwith.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Set-up.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

taskmgr.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133690637642447481"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exeRegAsm.exeopenwith.exemsedge.exetaskmgr.exe

pid	Process
2400	chrome.exe
2400	chrome.exe
1700	RegAsm.exe
1700	RegAsm.exe
1916	openwith.exe
1916	openwith.exe
1916	openwith.exe
1916	openwith.exe
5316	msedge.exe
5316	msedge.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

taskmgr.exe

pid	Process
5816	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid	Process
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe7zG.exe

description	pid	Process
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe
Token: SeRestorePrivilege	1148	7zG.exe
Token: 35	1148	7zG.exe
Token: SeSecurityPrivilege	1148	7zG.exe
Token: SeSecurityPrivilege	1148	7zG.exe
Token: SeShutdownPrivilege	2400	chrome.exe
Token: SeCreatePagefilePrivilege	2400	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe7zG.exe7zG.exetaskmgr.exe

pid	Process
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
1148	7zG.exe
4836	7zG.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

Processes:

chrome.exetaskmgr.exe

pid	Process
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
2400	chrome.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe
5816	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	Process	procid_target
PID 2400 wrote to memory of 684	2400	chrome.exe	84
PID 2400 wrote to memory of 684	2400	chrome.exe	84
PID 2400 wrote to memory of 4700	2400	chrome.exe	85
PID 2400 wrote to memory of 4700	2400	chrome.exe	85
PID 2400 wrote to memory of 4700	2400	chrome.exe	85
PID 2400 wrote to memory of 4700	2400	chrome.exe	85
PID 2400 wrote to memory of 4700	2400	chrome.exe	85
PID 2400 wrote to memory of 4700	2400	chrome.exe	85
PID 2400 wrote to memory of 4700	2400	chrome.exe	85
PID 2400 wrote to memory of 4700	2400	chrome.exe	85
PID 2400 wrote to memory of 4700	2400	chrome.exe	85
PID 2400 wrote to memory of 4700	2400	chrome.exe	85
PID 2400 wrote to memory of 4700	2400	chrome.exe	85
PID 2400 wrote to memory of 4700	2400	chrome.exe	85
PID 2400 wrote to memory of 4700	2400	chrome.exe	85
PID 2400 wrote to memory of 4700	2400	chrome.exe	85
PID 2400 wrote to memory of 4700	2400	chrome.exe	85
PID 2400 wrote to memory of 4700	2400	chrome.exe	85
PID 2400 wrote to memory of 4700	2400	chrome.exe	85
PID 2400 wrote to memory of 4700	2400	chrome.exe	85
PID 2400 wrote to memory of 4700	2400	chrome.exe	85
PID 2400 wrote to memory of 4700	2400	chrome.exe	85
PID 2400 wrote to memory of 4700	2400	chrome.exe	85
PID 2400 wrote to memory of 4700	2400	chrome.exe	85
PID 2400 wrote to memory of 4700	2400	chrome.exe	85
PID 2400 wrote to memory of 4700	2400	chrome.exe	85
PID 2400 wrote to memory of 4700	2400	chrome.exe	85
PID 2400 wrote to memory of 4700	2400	chrome.exe	85
PID 2400 wrote to memory of 4700	2400	chrome.exe	85
PID 2400 wrote to memory of 4700	2400	chrome.exe	85
PID 2400 wrote to memory of 4700	2400	chrome.exe	85
PID 2400 wrote to memory of 4700	2400	chrome.exe	85
PID 2400 wrote to memory of 4460	2400	chrome.exe	86
PID 2400 wrote to memory of 4460	2400	chrome.exe	86
PID 2400 wrote to memory of 3836	2400	chrome.exe	87
PID 2400 wrote to memory of 3836	2400	chrome.exe	87
PID 2400 wrote to memory of 3836	2400	chrome.exe	87
PID 2400 wrote to memory of 3836	2400	chrome.exe	87
PID 2400 wrote to memory of 3836	2400	chrome.exe	87
PID 2400 wrote to memory of 3836	2400	chrome.exe	87
PID 2400 wrote to memory of 3836	2400	chrome.exe	87
PID 2400 wrote to memory of 3836	2400	chrome.exe	87
PID 2400 wrote to memory of 3836	2400	chrome.exe	87
PID 2400 wrote to memory of 3836	2400	chrome.exe	87
PID 2400 wrote to memory of 3836	2400	chrome.exe	87
PID 2400 wrote to memory of 3836	2400	chrome.exe	87
PID 2400 wrote to memory of 3836	2400	chrome.exe	87
PID 2400 wrote to memory of 3836	2400	chrome.exe	87
PID 2400 wrote to memory of 3836	2400	chrome.exe	87
PID 2400 wrote to memory of 3836	2400	chrome.exe	87
PID 2400 wrote to memory of 3836	2400	chrome.exe	87
PID 2400 wrote to memory of 3836	2400	chrome.exe	87
PID 2400 wrote to memory of 3836	2400	chrome.exe	87
PID 2400 wrote to memory of 3836	2400	chrome.exe	87
PID 2400 wrote to memory of 3836	2400	chrome.exe	87
PID 2400 wrote to memory of 3836	2400	chrome.exe	87
PID 2400 wrote to memory of 3836	2400	chrome.exe	87
PID 2400 wrote to memory of 3836	2400	chrome.exe	87
PID 2400 wrote to memory of 3836	2400	chrome.exe	87
PID 2400 wrote to memory of 3836	2400	chrome.exe	87
PID 2400 wrote to memory of 3836	2400	chrome.exe	87
PID 2400 wrote to memory of 3836	2400	chrome.exe	87
PID 2400 wrote to memory of 3836	2400	chrome.exe	87
PID 2400 wrote to memory of 3836	2400	chrome.exe	87

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2420
- C:\Windows\SysWOW64\openwith.exe
  "C:\Windows\system32\openwith.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefaulta1e28c42h2122h477bhb6c3h8ec2e3faf1e3
  2⤵
  PID:3452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffb4a7746f8,0x7ffb4a774708,0x7ffb4a774718
    3⤵
    PID:4840
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,935076482736693114,226728554452765181,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
    3⤵
    PID:5308
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,935076482736693114,226728554452765181,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:5316
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,935076482736693114,226728554452765181,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
    3⤵
    PID:5404
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /6
  2⤵
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:5816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.youtube.com/redirect?event=video_description&redir_token=QUFFLUhqazg0bjh2anJzcUJDY00tVGdZUHZ4V2ZzazJ4Z3xBQ3Jtc0tsTG1tV1poWkpZMjE4RmpBVUxaNURjTnVOcXh0WGhIa0FvbHpGd1JiNWd0T3REZlhHU2ZPT09xakdOQld2OUM4alM0V29ROXdjUHp0Z01oNk92NG5oYmhDazBIUWtIR0s2OU1IOGtJQ2ZRRkZMcEZJSQ&q=https%3A%2F%2Fgithub.com%2FEXSoft1%2FExSofts%2Freleases%2Fdownload%2FSoft%2FExSoftware.zip&v=BcgATk46IqA
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb61a5cc40,0x7ffb61a5cc4c,0x7ffb61a5cc58
  2⤵
  PID:684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2032,i,2644341689304486680,7827191787385848503,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2028 /prefetch:2
  2⤵
  PID:4700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1892,i,2644341689304486680,7827191787385848503,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2004 /prefetch:3
  2⤵
  PID:4460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,2644341689304486680,7827191787385848503,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2280 /prefetch:8
  2⤵
  PID:3836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3140,i,2644341689304486680,7827191787385848503,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3148 /prefetch:1
  2⤵
  PID:2636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,2644341689304486680,7827191787385848503,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:4008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4604,i,2644341689304486680,7827191787385848503,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4616 /prefetch:8
  2⤵
  PID:2800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4848,i,2644341689304486680,7827191787385848503,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:3168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5080,i,2644341689304486680,7827191787385848503,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  PID:4084

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3956

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4044

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1184

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap25663:82:7zEvent2182
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1148

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap15091:82:7zEvent19229
1⤵
- Suspicious use of FindShellTrayWindow
PID:4836

C:\Users\Admin\Downloads\ExSoftware\Set-up.exe
"C:\Users\Admin\Downloads\ExSoftware\Set-up.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:4084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:2548
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1700
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 588
      4⤵
      Program crash
      PID:3116
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1700 -s 604
      4⤵
      Program crash
      PID:2312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1700 -ip 1700
1⤵
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 1700 -ip 1700
1⤵
PID:3656

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5624

C:\Users\Admin\Downloads\ExSoftware\Set-up.exe
"C:\Users\Admin\Downloads\ExSoftware\Set-up.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:6048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5168
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5396
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:5436
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5456
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5456 -s 572
      4⤵
      Program crash
      PID:5572
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5456 -s 596
      4⤵
      Program crash
      PID:5624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 5456 -ip 5456
1⤵
PID:5600

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5456 -ip 5456
1⤵
PID:5644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\32ca1a93-5017-4d88-afc1-32c47506543d.tmp

Filesize
99KB

MD5
aae580afd0843ca019844fc6a16c60e6

SHA1
bd64d97916796da8b5b3f6ff858580ea4d7c1979

SHA256
2b2545c3e8797b20d74059a165779aece3eeae5c43426ff1cdcb29f33a767953

SHA512
97819e7dfdf11e0100794fbe88942f512bb761249c349fe5d2cb5070410df9039db431e72f619f91e5680f5db8ca1138c8b8d31b0d551991a2f0b298349a7ce4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
2cca8821ab7d2bfef425c2c880bc6ddd

SHA1
af69028e41d545d7c746a37bc80a3d48c5cfe8ed

SHA256
7c138becd4db6fc2b694b6dcc258af7c03c80cce8f3f165ffc44a4d05db1c964

SHA512
c2f518e6b53c2b2931886fb5dbbccba82f03d0dac504794d4d5b9bbd2a8a1be4a6333a55227029382b1d54854a64f3edcea3721f51221ac3d415bc9f772a7ac5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
84b9e6628e8010d6e1842651213adc75

SHA1
a5beb7c905a8e7f13658e32fc65e9095e7026fae

SHA256
370d50099e8c6595507e40d090867ad6a09d489523d74448fea6c3618fb80379

SHA512
a90ad7239a093202c20e3483c6ec98b0de1e7201e64db2274315055437cd64205db6f95d21d9220fc8b98db2456f7cbb9af12ffaa7935f6ef63f81f917a544c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
4d1543dfbb8402d7f080460b318724ab

SHA1
4f123a67af08e533ba7ae04c41e3aa5a764fe0c1

SHA256
394a728f35cc4e8dad0113aeec8a9ad97d48c89ff52fddbb2815ecdcb9641a3e

SHA512
110b4653a0adb102d524a69ec4f3bc3f982ed78db4862f3efb294889277f53c1c035823af6c865cd0245ed0fab713211e2e36e23f5a87fd360cc3aa314364f13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1a5378de9c2d6a41a635134eb52c2d50

SHA1
bc4ffdc785c12785d79f838ce484c67be4376d65

SHA256
57d8fcf300626e8653ea210367dfa1c87f90fbb6d4e939fb3850235662c812d2

SHA512
2f333f929491c9c32fb1fd54a6f190e44ad91384433f89fc069977144cc5e1846a96f216247a1a574f8585d367d7949a6bd60101765533d787a23a59a647c893

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c9e66dec82e390568521dfe2633e241c

SHA1
b54022b889dc5416361e71c752aa20dbf1f51422

SHA256
84bff73883a8fa6202c74a675cce2852b1fa694896b08a661b03f7ead1b82d4f

SHA512
b41e55d6aff4ebbba2e64450e6250679dde0a5cfc762df19921fc8efbfb88c018a09fc54cb8b3938d66bb1b6c7ed728f7d2eacb26adf87a7b1f5e03c1f17d72b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1afc5c11b100df53b27c729450516bf4

SHA1
9a48627f1627c735f734d501bbe64b048bee1583

SHA256
32d092205195a7c9b16d80b3b1d4fcf2d5bd06327e8722f7b24655eeca563c77

SHA512
c52f82404c7743e5bf095c8eb8ca8dc12a96b7ef0258cc5f2e0a8303f4c91f8d31039ca93f8b6e98964c12ecedb3b310ca422b8bd9702479d93ac0a81ee35530

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
56c7f5eeb4a13c52a2fd40d4f2e6330f

SHA1
7df32b73dd937723a405d8049d110582ada7e48c

SHA256
0a52094a1d80a2d297f647dcb20e526e57ac74f6b93640a8e731e6c80c8d3964

SHA512
8b8f895a7e078b7958568ce689433a218d729333ee6992e822b8694b183f55822adec43d9eeab4ece0d190e9a4cc8e327baffce8df0133956fe176efd9d6f51c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4b130c8c05d0689136f06c18180f932e

SHA1
03824c6200ead080ab23935419eb571ba9375c42

SHA256
c33d24759541b5a12c309d24f088da768303e189c36f87f0f09689825652f0a6

SHA512
fe22ae21d0f5a6933735ded23de1769dd7d66c97ce48df832c22a2c7a3fe84ac021412bc90eb42e7646119c3c178afa318c28f92439fd582abf45ded147d3ded

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cea6af3842940375cd4c85098282fc48

SHA1
66e927b81c98165c84338dd25196505d31a263d7

SHA256
d83304caa8cac7bb52f68808d58bdcfe4ec867f3152e827bbc34fd7c65e5078b

SHA512
5bb1c9ab6f32b846dd0b95e79d450f48239ef860fa7b7ba9f322ab96e573f261fa1293dff92e508e87356590dad06f8c249cd28300c7e86590440c77e5d4a076

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
57b39a850480d85505e546d293e8bf79

SHA1
4395bf165ff24e036d33b168f0936e74ac3cc219

SHA256
7d63dd95d1d08b1d578fe63e5b9d48638992f9971048e04cd06243421767135e

SHA512
ce280f5583b7e21f93e4aabf9acb2412877e934832b83aa1fdcb912f5e04d0e3cd7657ddaf4529095d6f621c5ed36fa7f5e5cd6b9dc24aacd1dbe0ecfe2180e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d44847299eb07ed100b98bbc22939c5c

SHA1
87eb474735baf645fd805ad79ec608821f74aea9

SHA256
6024d03f18898bff738b843c6d060820e7ab6b8b98863186b7154a1ba9fdd251

SHA512
e68f9b8266af059488309a9b144dc8d61cc4a630be1ed0a44a512526d519be4170211b67f62d34e802642ade451c240a3599a5c81e46ab3cc6db8749ca644e9f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
1f0255b7dff9e0bfc11882a510173f02

SHA1
3ced9cb3a6abe3fe24646e64375a9bdf35ab45fd

SHA256
bf680012b28a6adc6df61baf375cb3a126f99c981d11e56eb722313d3616e75d

SHA512
4bd7c327e7c280b19fa913ebc3b4415684f47517c7f4c13017b203deb7b6c3ce0df9cc5fc17add2980189c3b530cfa2f5445a87e308e1966942993ad303bef58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Set-up.exe.log

Filesize
42B

MD5
84cfdb4b995b1dbf543b26b86c863adc

SHA1
d2f47764908bf30036cf8248b9ff5541e2711fa2

SHA256
d8988d672d6915b46946b28c06ad8066c50041f6152a91d37ffa5cf129cc146b

SHA512
485f0ed45e13f00a93762cbf15b4b8f996553baa021152fae5aba051e3736bcd3ca8f4328f0e6d9e3e1f910c96c4a9ae055331123ee08e3c2ce3a99ac2e177ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e765f3d75e6b0e4a7119c8b14d47d8da

SHA1
cc9f7c7826c2e1a129e7d98884926076c3714fc0

SHA256
986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

SHA512
a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
db6a3df824e4059fcebb3e34f4f9c254

SHA1
03a2c1ebbaf0039c6cab0ab75cf428a737811b50

SHA256
975238235958a2f6db75aafde825798972e39c56010b347e46239ead736266f1

SHA512
5ab5b04a16173e0bab34951bb6ff3a76d9fcb471017dc3f1c72cada17b65957e757a43e531a99e919aedb86ce3dd2d03ef0dfce093e2ecde67482f2f7aace992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
e2317753eb5d7d301caf3f7ddc54dd7e

SHA1
3140adaec506b0407d940155eb15df03c6e35f3d

SHA256
4fa549947f490982fdd32f0e05601c87cf2630c0977d8940a32d64b3fe0b1c9e

SHA512
2291e0847822277d15f4c8753be65b00ff8b7ef412105c65962fe3ae829d78c7032b52de32a059a643a541ee75a5d7c04e9dee9cbb46cc3aa293788760ae8f87

Download Submit
C:\Users\Admin\AppData\Roaming\d3d9x.dll

Filesize
646KB

MD5
a47e8672e15a0433b308037351a10112

SHA1
5b9e2181a7e4c9a1930f97a93e2f91c198b5d837

SHA256
a0c9fa8e4256fb8b0784562349b5cb9e596e7cf8f7af9f21790bb2294a3761ba

SHA512
09cedeb0abbe234dfb53b2a838f39c8370dc18f1636686b8bf1ab5d4e48c92bbedb2d56b03654b212f0f753eb6622b10d9fff3888d5419054545139665713bd7

Download Submit
C:\Users\Admin\Downloads\ExSoftware.rar

Filesize
11.0MB

MD5
2c0ca23bd01a588a758400a0be4f09f6

SHA1
8266ec777df10b66da138af74f1e9f9cd5d91077

SHA256
40d6da3dbf41a3c410f4430fbffed4bd94cbd7a897e81a465d8349ec4f481ec3

SHA512
317f133c5f39eabcfbec066ae95e89eebeb3e9167dc9c59c7bcbfc1575d069703ccf358f4e2dda742a69741e39b9fb5c817b82ddd8560cff1f44490da28aa707

Download Submit
C:\Users\Admin\Downloads\ExSoftware.zip.crdownload

Filesize
11.0MB

MD5
21869daf5acee6bdd2e06e90dd144391

SHA1
02a85907e92d8b07011d8c5511dfd26d19e8d424

SHA256
80d73d0c906f9968dc304b1775e9bcebbef08631dd8b79571b51304c5b401f68

SHA512
25f427c50e10c8ce5782384f02907be38e15e7db5d2cbc4b0d312a48dba598abcf3704088e001844ad95830a7a0f34359e94d89f51b09f7442e549d0fb891d7d

Download Submit
\??\pipe\crashpad_2400_USVTSBDAIVHAELWS

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1700-241-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1700-246-0x0000000075C30000-0x0000000075E45000-memory.dmp

Filesize
2.1MB

Download
memory/1700-244-0x00007FFB6FDD0000-0x00007FFB6FFC5000-memory.dmp

Filesize
2.0MB

Download
memory/1700-243-0x00000000034A0000-0x00000000038A0000-memory.dmp

Filesize
4.0MB

Download
memory/1700-242-0x00000000034A0000-0x00000000038A0000-memory.dmp

Filesize
4.0MB

Download
memory/1700-239-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1700-237-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/1916-252-0x0000000075C30000-0x0000000075E45000-memory.dmp

Filesize
2.1MB

Download
memory/1916-249-0x0000000002AA0000-0x0000000002EA0000-memory.dmp

Filesize
4.0MB

Download
memory/1916-250-0x00007FFB6FDD0000-0x00007FFB6FFC5000-memory.dmp

Filesize
2.0MB

Download
memory/1916-247-0x0000000000BE0000-0x0000000000BE9000-memory.dmp

Filesize
36KB

Download
memory/2548-234-0x0000000000530000-0x00000000005A2000-memory.dmp

Filesize
456KB

Download
memory/4084-227-0x0000000000490000-0x0000000000580000-memory.dmp

Filesize
960KB

Download
memory/5456-351-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5456-355-0x0000000003A70000-0x0000000003E70000-memory.dmp

Filesize
4.0MB

Download
memory/5456-353-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/5816-325-0x000002EA86360000-0x000002EA86361000-memory.dmp

Filesize
4KB

Download
memory/5816-324-0x000002EA86360000-0x000002EA86361000-memory.dmp

Filesize
4KB

Download
memory/5816-323-0x000002EA86360000-0x000002EA86361000-memory.dmp

Filesize
4KB

Download
memory/5816-329-0x000002EA86360000-0x000002EA86361000-memory.dmp

Filesize
4KB

Download
memory/5816-319-0x000002EA86360000-0x000002EA86361000-memory.dmp

Filesize
4KB

Download
memory/5816-328-0x000002EA86360000-0x000002EA86361000-memory.dmp

Filesize
4KB

Download
memory/5816-326-0x000002EA86360000-0x000002EA86361000-memory.dmp

Filesize
4KB

Download
memory/5816-327-0x000002EA86360000-0x000002EA86361000-memory.dmp

Filesize
4KB

Download
memory/5816-318-0x000002EA86360000-0x000002EA86361000-memory.dmp

Filesize
4KB

Download
memory/5816-317-0x000002EA86360000-0x000002EA86361000-memory.dmp

Filesize
4KB

Download