exelastealer | hxxps://electronv3[.]net/#download

Analysis

max time kernel
321s
max time network
323s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
17-09-2024 03:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://electronv3.net/#download

Score

10^/10

exelastealer collection credential_access defense_evasion discovery evasion persistence privilege_escalation pyinstaller spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4976	netsh.exe
5632	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4564	cmd.exe
544	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
5528	winrar-x64-701.exe
6068	winrar-x64-701.exe
3572	ElectronV3.exe
540	ElectronV3.exe

Loads dropped DLL 27 IoCs

pid	Process
540	ElectronV3.exe
540	ElectronV3.exe
540	ElectronV3.exe
540	ElectronV3.exe
540	ElectronV3.exe
540	ElectronV3.exe
540	ElectronV3.exe
540	ElectronV3.exe
540	ElectronV3.exe
540	ElectronV3.exe
540	ElectronV3.exe
540	ElectronV3.exe
540	ElectronV3.exe
540	ElectronV3.exe
540	ElectronV3.exe
540	ElectronV3.exe
540	ElectronV3.exe
540	ElectronV3.exe
540	ElectronV3.exe
540	ElectronV3.exe
540	ElectronV3.exe
540	ElectronV3.exe
540	ElectronV3.exe
540	ElectronV3.exe
540	ElectronV3.exe
540	ElectronV3.exe
540	ElectronV3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 55 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000235c0-815.dat	upx
behavioral1/memory/540-819-0x00007FFF2B170000-0x00007FFF2B758000-memory.dmp	upx
behavioral1/files/0x0007000000023598-821.dat	upx
behavioral1/memory/540-827-0x00007FFF430E0000-0x00007FFF43104000-memory.dmp	upx
behavioral1/files/0x00070000000235ba-826.dat	upx
behavioral1/files/0x00070000000235c1-833.dat	upx
behavioral1/files/0x00070000000235be-832.dat	upx
behavioral1/files/0x00070000000235bb-831.dat	upx
behavioral1/files/0x00070000000235b9-830.dat	upx
behavioral1/memory/540-829-0x00007FFF42FB0000-0x00007FFF42FBF000-memory.dmp	upx
behavioral1/memory/540-834-0x00007FFF42F00000-0x00007FFF42F19000-memory.dmp	upx
behavioral1/memory/540-835-0x00007FFF41B70000-0x00007FFF41B7D000-memory.dmp	upx
behavioral1/memory/540-836-0x00007FFF41A50000-0x00007FFF41A69000-memory.dmp	upx
behavioral1/memory/540-837-0x00007FFF3E330000-0x00007FFF3E35D000-memory.dmp	upx
behavioral1/memory/540-838-0x00007FFF3E0D0000-0x00007FFF3E0F3000-memory.dmp	upx
behavioral1/memory/540-839-0x00007FFF2CBB0000-0x00007FFF2CD23000-memory.dmp	upx
behavioral1/memory/540-840-0x00007FFF3DEC0000-0x00007FFF3DEEE000-memory.dmp	upx
behavioral1/memory/540-841-0x00007FFF2B170000-0x00007FFF2B758000-memory.dmp	upx
behavioral1/memory/540-842-0x00007FFF2D840000-0x00007FFF2D8F8000-memory.dmp	upx
behavioral1/memory/540-844-0x00007FFF2BDE0000-0x00007FFF2C155000-memory.dmp	upx
behavioral1/memory/540-845-0x00007FFF430E0000-0x00007FFF43104000-memory.dmp	upx
behavioral1/memory/540-846-0x00007FFF3E1B0000-0x00007FFF3E1C5000-memory.dmp	upx
behavioral1/memory/540-848-0x00007FFF3DE50000-0x00007FFF3DE62000-memory.dmp	upx
behavioral1/memory/540-847-0x00007FFF42F00000-0x00007FFF42F19000-memory.dmp	upx
behavioral1/memory/540-849-0x00007FFF41B70000-0x00007FFF41B7D000-memory.dmp	upx
behavioral1/memory/540-850-0x00007FFF397E0000-0x00007FFF397F4000-memory.dmp	upx
behavioral1/memory/540-852-0x00007FFF397C0000-0x00007FFF397D4000-memory.dmp	upx
behavioral1/memory/540-851-0x00007FFF41A50000-0x00007FFF41A69000-memory.dmp	upx
behavioral1/memory/540-854-0x00007FFF2D0A0000-0x00007FFF2D1BC000-memory.dmp	upx
behavioral1/memory/540-853-0x00007FFF3E330000-0x00007FFF3E35D000-memory.dmp	upx
behavioral1/memory/540-856-0x00007FFF2FAB0000-0x00007FFF2FAD2000-memory.dmp	upx
behavioral1/memory/540-855-0x00007FFF3E0D0000-0x00007FFF3E0F3000-memory.dmp	upx
behavioral1/memory/540-857-0x00007FFF2CBB0000-0x00007FFF2CD23000-memory.dmp	upx
behavioral1/memory/540-858-0x00007FFF2CAE0000-0x00007FFF2CBAF000-memory.dmp	upx
behavioral1/memory/540-860-0x00007FFF41B60000-0x00007FFF41B6A000-memory.dmp	upx
behavioral1/memory/540-859-0x00007FFF3DEC0000-0x00007FFF3DEEE000-memory.dmp	upx
behavioral1/memory/540-861-0x00007FFF2D840000-0x00007FFF2D8F8000-memory.dmp	upx
behavioral1/memory/540-863-0x00007FFF2A9C0000-0x00007FFF2B161000-memory.dmp	upx
behavioral1/memory/540-865-0x00007FFF2C4C0000-0x00007FFF2C4F8000-memory.dmp	upx
behavioral1/memory/540-864-0x00007FFF2BDE0000-0x00007FFF2C155000-memory.dmp	upx
behavioral1/memory/540-873-0x00007FFF3E1B0000-0x00007FFF3E1C5000-memory.dmp	upx
behavioral1/memory/540-880-0x00007FFF3DE50000-0x00007FFF3DE62000-memory.dmp	upx
behavioral1/memory/540-892-0x00007FFF397C0000-0x00007FFF397D4000-memory.dmp	upx
behavioral1/memory/540-900-0x00007FFF2D0A0000-0x00007FFF2D1BC000-memory.dmp	upx
behavioral1/memory/540-938-0x00007FFF45D90000-0x00007FFF45D9D000-memory.dmp	upx
behavioral1/memory/540-937-0x00007FFF2FAB0000-0x00007FFF2FAD2000-memory.dmp	upx
behavioral1/memory/540-955-0x00007FFF2CAE0000-0x00007FFF2CBAF000-memory.dmp	upx
behavioral1/memory/540-956-0x00007FFF41B60000-0x00007FFF41B6A000-memory.dmp	upx
behavioral1/memory/540-958-0x00007FFF430E0000-0x00007FFF43104000-memory.dmp	upx
behavioral1/memory/540-965-0x00007FFF2CBB0000-0x00007FFF2CD23000-memory.dmp	upx
behavioral1/memory/540-980-0x00007FFF2A9C0000-0x00007FFF2B161000-memory.dmp	upx
behavioral1/memory/540-974-0x00007FFF2FAB0000-0x00007FFF2FAD2000-memory.dmp	upx
behavioral1/memory/540-969-0x00007FFF3E1B0000-0x00007FFF3E1C5000-memory.dmp	upx
behavioral1/memory/540-957-0x00007FFF2B170000-0x00007FFF2B758000-memory.dmp	upx
behavioral1/memory/540-979-0x00007FFF45D90000-0x00007FFF45D9D000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
514	discord.com
515	discord.com
516	discord.com
513	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
87	api.ipify.org
89	api.ipify.org
506	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
3544	cmd.exe
456	ARP.EXE

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
4108	tasklist.exe
5928	tasklist.exe
5356	tasklist.exe
944	tasklist.exe
3292	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1604	cmd.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5116	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000b00000002358c-771.dat	pyinstaller

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4568	netsh.exe
1816	cmd.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
3596	NETSTAT.EXE

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
4716	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5948	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4956	ipconfig.exe
3596	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2892	systeminfo.exe

Kills process with taskkill 21 IoCs

evasion

pid	Process
3844	taskkill.exe
5600	taskkill.exe
1064	taskkill.exe
2080	taskkill.exe
5720	taskkill.exe
2440	taskkill.exe
5100	taskkill.exe
1156	taskkill.exe
2168	taskkill.exe
5776	taskkill.exe
1428	taskkill.exe
4916	taskkill.exe
4952	taskkill.exe
2356	taskkill.exe
5460	taskkill.exe
2536	taskkill.exe
1496	taskkill.exe
5388	taskkill.exe
3872	taskkill.exe
4460	taskkill.exe
3448	taskkill.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2392887640-1187051047-2909758433-1000\{514144DB-6B1F-4293-8A32-64429ADF9E0C}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 781476.crdownload:SmartScreen	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1908	msedge.exe
1908	msedge.exe
2756	msedge.exe
2756	msedge.exe
2444	identity_helper.exe
2444	identity_helper.exe
3764	msedge.exe
3764	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
4972	msedge.exe
1880	msedge.exe
1880	msedge.exe
5264	msedge.exe
5264	msedge.exe
544	powershell.exe
544	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 31 IoCs

pid	Process
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2040	7zG.exe
Token: 35	2040	7zG.exe
Token: SeSecurityPrivilege	2040	7zG.exe
Token: SeSecurityPrivilege	2040	7zG.exe
Token: SeIncreaseQuotaPrivilege	5948	WMIC.exe
Token: SeSecurityPrivilege	5948	WMIC.exe
Token: SeTakeOwnershipPrivilege	5948	WMIC.exe
Token: SeLoadDriverPrivilege	5948	WMIC.exe
Token: SeSystemProfilePrivilege	5948	WMIC.exe
Token: SeSystemtimePrivilege	5948	WMIC.exe
Token: SeProfSingleProcessPrivilege	5948	WMIC.exe
Token: SeIncBasePriorityPrivilege	5948	WMIC.exe
Token: SeCreatePagefilePrivilege	5948	WMIC.exe
Token: SeBackupPrivilege	5948	WMIC.exe
Token: SeRestorePrivilege	5948	WMIC.exe
Token: SeShutdownPrivilege	5948	WMIC.exe
Token: SeDebugPrivilege	5948	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5948	WMIC.exe
Token: SeRemoteShutdownPrivilege	5948	WMIC.exe
Token: SeUndockPrivilege	5948	WMIC.exe
Token: SeManageVolumePrivilege	5948	WMIC.exe
Token: 33	5948	WMIC.exe
Token: 34	5948	WMIC.exe
Token: 35	5948	WMIC.exe
Token: 36	5948	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5636	WMIC.exe
Token: SeSecurityPrivilege	5636	WMIC.exe
Token: SeTakeOwnershipPrivilege	5636	WMIC.exe
Token: SeLoadDriverPrivilege	5636	WMIC.exe
Token: SeSystemProfilePrivilege	5636	WMIC.exe
Token: SeSystemtimePrivilege	5636	WMIC.exe
Token: SeProfSingleProcessPrivilege	5636	WMIC.exe
Token: SeIncBasePriorityPrivilege	5636	WMIC.exe
Token: SeCreatePagefilePrivilege	5636	WMIC.exe
Token: SeBackupPrivilege	5636	WMIC.exe
Token: SeRestorePrivilege	5636	WMIC.exe
Token: SeShutdownPrivilege	5636	WMIC.exe
Token: SeDebugPrivilege	5636	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5636	WMIC.exe
Token: SeRemoteShutdownPrivilege	5636	WMIC.exe
Token: SeUndockPrivilege	5636	WMIC.exe
Token: SeManageVolumePrivilege	5636	WMIC.exe
Token: 33	5636	WMIC.exe
Token: 34	5636	WMIC.exe
Token: 35	5636	WMIC.exe
Token: 36	5636	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5948	WMIC.exe
Token: SeSecurityPrivilege	5948	WMIC.exe
Token: SeTakeOwnershipPrivilege	5948	WMIC.exe
Token: SeLoadDriverPrivilege	5948	WMIC.exe
Token: SeSystemProfilePrivilege	5948	WMIC.exe
Token: SeSystemtimePrivilege	5948	WMIC.exe
Token: SeProfSingleProcessPrivilege	5948	WMIC.exe
Token: SeIncBasePriorityPrivilege	5948	WMIC.exe
Token: SeCreatePagefilePrivilege	5948	WMIC.exe
Token: SeBackupPrivilege	5948	WMIC.exe
Token: SeRestorePrivilege	5948	WMIC.exe
Token: SeShutdownPrivilege	5948	WMIC.exe
Token: SeDebugPrivilege	5948	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5948	WMIC.exe
Token: SeRemoteShutdownPrivilege	5948	WMIC.exe
Token: SeUndockPrivilege	5948	WMIC.exe
Token: SeManageVolumePrivilege	5948	WMIC.exe
Token: 33	5948	WMIC.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2040	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe
2756	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
5528	winrar-x64-701.exe
5528	winrar-x64-701.exe
5528	winrar-x64-701.exe
6068	winrar-x64-701.exe
6068	winrar-x64-701.exe
6068	winrar-x64-701.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 3896	2756	msedge.exe	84
PID 2756 wrote to memory of 3896	2756	msedge.exe	84
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 640	2756	msedge.exe	85
PID 2756 wrote to memory of 1908	2756	msedge.exe	86
PID 2756 wrote to memory of 1908	2756	msedge.exe	86
PID 2756 wrote to memory of 372	2756	msedge.exe	87
PID 2756 wrote to memory of 372	2756	msedge.exe	87
PID 2756 wrote to memory of 372	2756	msedge.exe	87
PID 2756 wrote to memory of 372	2756	msedge.exe	87
PID 2756 wrote to memory of 372	2756	msedge.exe	87
PID 2756 wrote to memory of 372	2756	msedge.exe	87
PID 2756 wrote to memory of 372	2756	msedge.exe	87
PID 2756 wrote to memory of 372	2756	msedge.exe	87
PID 2756 wrote to memory of 372	2756	msedge.exe	87
PID 2756 wrote to memory of 372	2756	msedge.exe	87
PID 2756 wrote to memory of 372	2756	msedge.exe	87
PID 2756 wrote to memory of 372	2756	msedge.exe	87
PID 2756 wrote to memory of 372	2756	msedge.exe	87
PID 2756 wrote to memory of 372	2756	msedge.exe	87
PID 2756 wrote to memory of 372	2756	msedge.exe	87
PID 2756 wrote to memory of 372	2756	msedge.exe	87
PID 2756 wrote to memory of 372	2756	msedge.exe	87
PID 2756 wrote to memory of 372	2756	msedge.exe	87
PID 2756 wrote to memory of 372	2756	msedge.exe	87
PID 2756 wrote to memory of 372	2756	msedge.exe	87

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5148	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://electronv3.net/#download
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff3dd746f8,0x7fff3dd74708,0x7fff3dd74718
  2⤵
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
  2⤵
  PID:372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
  2⤵
  PID:2060
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 /prefetch:8
  2⤵
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:4068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5940 /prefetch:1
  2⤵
  PID:5100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6232 /prefetch:8
  2⤵
  PID:3480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6228 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6384 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
  2⤵
  PID:216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5904 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
  2⤵
  PID:2872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6608 /prefetch:1
  2⤵
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4212 /prefetch:1
  2⤵
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:3304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:1068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6696 /prefetch:1
  2⤵
  PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6676 /prefetch:1
  2⤵
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6420 /prefetch:8
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6424 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5716 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7516 /prefetch:1
  2⤵
  PID:4000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7432 /prefetch:1
  2⤵
  PID:3992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7528 /prefetch:1
  2⤵
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7304 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7476 /prefetch:1
  2⤵
  PID:2720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8152 /prefetch:1
  2⤵
  PID:4108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6960 /prefetch:1
  2⤵
  PID:688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
  2⤵
  PID:3996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7012 /prefetch:1
  2⤵
  PID:2948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8164 /prefetch:1
  2⤵
  PID:5084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6956 /prefetch:1
  2⤵
  PID:2644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6580 /prefetch:1
  2⤵
  PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6656 /prefetch:1
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8180 /prefetch:8
  2⤵
  PID:5124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,5517328367980152214,15355926622263105629,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3408 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5264
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:5528
- C:\Users\Admin\Downloads\winrar-x64-701.exe
  "C:\Users\Admin\Downloads\winrar-x64-701.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:6068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:728

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4140

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\fec7be87f59e4f42aee416f688f451ee /t 5532 /p 5528
1⤵
PID:5972

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\5b89ed4aebf94901887a44a71811aa96 /t 6072 /p 6068
1⤵
PID:3400

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5452

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\ElectronV3\" -ad -an -ai#7zMap32134:82:7zEvent3175
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2040

C:\Users\Admin\Downloads\ElectronV3\ElectronV3\ElectronV3.exe
"C:\Users\Admin\Downloads\ElectronV3\ElectronV3\ElectronV3.exe"
1⤵
- Executes dropped EXE
PID:3572
- C:\Users\Admin\Downloads\ElectronV3\ElectronV3\ElectronV3.exe
  "C:\Users\Admin\Downloads\ElectronV3\ElectronV3\ElectronV3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1788
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:5948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    PID:5556
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:4632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:5992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:5984
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:4108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    PID:4708
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      PID:4168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2000
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:2772
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:1604
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Views/modifies file attributes
      PID:5148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    PID:5304
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:2984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:5316
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2756"
    3⤵
    PID:3768
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2756
      4⤵
      Kills process with taskkill
      PID:5720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3896"
    3⤵
    PID:4628
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3896
      4⤵
      Kills process with taskkill
      PID:5776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 640"
    3⤵
    PID:5808
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 640
      4⤵
      Kills process with taskkill
      PID:1428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1908"
    3⤵
    PID:4320
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1908
      4⤵
      Kills process with taskkill
      PID:4916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 372"
    3⤵
    PID:3164
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 372
      4⤵
      Kills process with taskkill
      PID:2440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2060"
    3⤵
    PID:3964
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2060
      4⤵
      Kills process with taskkill
      PID:3844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3480"
    3⤵
    PID:6048
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3480
      4⤵
      Kills process with taskkill
      PID:4952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2872"
    3⤵
    PID:5972
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2872
      4⤵
      Kills process with taskkill
      PID:5600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1656"
    3⤵
    PID:4056
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1656
      4⤵
      Kills process with taskkill
      PID:1064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3304"
    3⤵
    PID:5900
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3304
      4⤵
      Kills process with taskkill
      PID:2080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1068"
    3⤵
    PID:428
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1068
      4⤵
      Kills process with taskkill
      PID:1496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2180"
    3⤵
    PID:5704
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2180
      4⤵
      Kills process with taskkill
      PID:2356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3328"
    3⤵
    PID:5928
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3328
      4⤵
      Kills process with taskkill
      PID:5388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4000"
    3⤵
    PID:1932
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4000
      4⤵
      Kills process with taskkill
      PID:5460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3992"
    3⤵
    PID:5356
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3992
      4⤵
      Kills process with taskkill
      PID:1156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1080"
    3⤵
    PID:5720
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1080
      4⤵
      Kills process with taskkill
      PID:2168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4164"
    3⤵
    PID:1424
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4164
      4⤵
      Kills process with taskkill
      PID:5100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2644"
    3⤵
    PID:3576
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2644
      4⤵
      Kills process with taskkill
      PID:3872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2340"
    3⤵
    PID:376
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2340
      4⤵
      Kills process with taskkill
      PID:4460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4332"
    3⤵
    PID:4672
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4332
      4⤵
      Kills process with taskkill
      PID:3448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4424"
    3⤵
    PID:5788
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4424
      4⤵
      Kills process with taskkill
      PID:2536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:4420
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:212
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:4964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:2784
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:1620
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:3100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:640
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:4564
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    PID:3544
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2892
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:592
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      PID:4716
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:1784
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:1956
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:3228
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:2380
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:5016
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:880
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:4864
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:4828
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:4468
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:3792
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:4916
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:3428
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:4320
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:3292
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:4956
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:228
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:456
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:3596
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:5116
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4976
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:5632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1816
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:6048
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5972
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eeaa8087eba2f63f31e599f6a7b46ef4

SHA1
f639519deee0766a39cfe258d2ac48e3a9d5ac03

SHA256
50fe80c9435f601c30517d10f6a8a0ca6ff8ca2add7584df377371b5a5dbe2d9

SHA512
eaabfad92c84f422267615c55a863af12823c5e791bdcb30cabe17f72025e07df7383cf6cf0f08e28aa18a31c2aac5985cf5281a403e22fbcc1fb5e61c49fc3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9569e123772ae290f9bac07e0d31748

SHA1
5806ed9b301d4178a959b26d7b7ccf2c0abc6741

SHA256
20ab88e23fb88186b82047cd0d6dc3cfa23422e4fd2b8f3c8437546a2a842c2b

SHA512
cfad8ce716ac815b37e8cc0e30141bfb3ca7f0d4ef101289bddcf6ed3c579bc34d369f2ec2f2dab98707843015633988eb97f1e911728031dd897750b8587795

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
7b1ce3b45a8422541bea9c33d123be7a

SHA1
c611edb40446c86777e44228dfee4d24501df434

SHA256
d77fcb1d20e22bb80b25c6978ef059bb29904e31fa30e4f8bf939e52df5fccfb

SHA512
dc8cd9d550c0a3d7593f4cd7dc7339905e9c7bd61d8e5692a9efdd631a257586edc0c71cbff246425af6c352487d4422f71371577cd0ca4e31abd6b19173e648

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
894ed3bb530a54b20fac8c41c3dc8174

SHA1
406b2b1befb8b28ea96f32e6c971678e29ecb152

SHA256
6607939b463b2164da5ba2fbadbf2f472fde4e32f4f01c686bb7032678082ecf

SHA512
6196d93bc9436d91c13b6f7360dbae7bb8f4d3be03347108de046eec5c0435de079e50d7644be02f767a29f60e6ac50a496f44d8a2d911d340007f7171bf6ff8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
1eab0a76aec3a513c7c3f98a4a0f1b7a

SHA1
bf2bc1ded5fcfa0c6695940089d59cccfbb18ba7

SHA256
e48ef230bc63e18d72261f6297003fcf1f226c8a3bb8a07b525e94e18e10b52d

SHA512
1b692a54e6794446bbf11f905393ceb743c0ac88051588f772b7dd890dfadd48c02c4f423a9f59f0967873e80cb6d44c61028727fea1b0114e1df39a13c2a5ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
10KB

MD5
429f21387bc2fc212ee9c6329d92adba

SHA1
9812abc900d69a5d26628faa71cfe27c12aa18bd

SHA256
298157b1f13840b0428e96d48e929dd3d279d76569e68b8f20e46401c81bbbe7

SHA512
0f56beaf91bb777262206c5978f01f77e2a7d68ca483fedec17d0898cf96b88754ba5376492c77d7f2f8974e47ecad45cf5e5c6d3acf74981c5591317cb0cd86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
021c15e8255c2aa0f32372339f3788e4

SHA1
c593baa94e3e29e34b10e95c947035e03ab9360c

SHA256
a5f592c257fda9cac7a5a474b80f9df28eb6a4851096efc02602d95635dc28d9

SHA512
545216f4859a8d9bb3eff6bbdb1dabd8b88057980c37a8b7f998a854a7a26d76a8e5e29922b868920e2ac218dee6842ee1a9bdd1a7bd16799699848df9a3cb63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
12a8b91d0a6a7ce81b3987a347d17abd

SHA1
a809f31622f62de48229e8c651ddb0f95d112a9b

SHA256
4286941a1c4bdbb4fa47d09127b2bd2a401137fefe6dc9bad068e8bb271e0c68

SHA512
d537303e8959ab34809f66c547797f35c5db69ede6345eaf7106d6fd64aa7fa42b05e6b2c60365e9a68879f3b06258778ddcee620c0ce66292f9b115074116f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
13KB

MD5
e45e40142c7d226d560c7c6c18edd487

SHA1
340848d5b645b744a6025e06cbb07481e362b61c

SHA256
663331489dd7015e54878f14935c9f299f4eb3567b195a9e0c58bfa06eaa47ec

SHA512
b999abd9c0d6cd22d414539a73022c742d4120634a28adb5405ff04ff0683c71e8e2148acc674200a11cce94334b21c1f737b37dabefad8197375e706d80db55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
25d88251bf5e72d5022027d9c4cafaa4

SHA1
21fc515865b69b5b2947b83bbe6e5c378cdb9c22

SHA256
736a769c1e611029563151e4e50df86404068d530076737f97718b8a68002564

SHA512
b91c0fe788b5eb9865d2f7a61ec23b01061e8a0b4f5d31bf1b4ffea281a0992145c3d66f4fb9261bd1476b5ac1f7071c1933167e0944168c5d670d091bcf5d84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
461c31f790a15ff18ffa6fc2bb59218b

SHA1
c6e96dbc9992e5fd1848e9a2b38a7e23bcd734d3

SHA256
842bb5aca3abb164e7347ae942b40e411ab0d3805d65c7ad5affa0ab07a0dc16

SHA512
3d138a3229a78c440995f1350a7cfb1c3b4c22d6c9d84a3244e3a2674453cf8d5bfeeaafa88813fa0976035ba1fafbd2298f9461269b31a4dcbb54d70dfa2b73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
22596dea014ca5ed52e56f50dd4dd1d2

SHA1
38fd849dfe923ebf6a343aa831ada10c6e7cb175

SHA256
3965b21a5c78ffd5162b95da71ca6ac378e0a9e81969418d026e9f627265c4ca

SHA512
00612a2322bca47be5da160285b926042fac87dbbffd0f0a69731a246cf92bce48264fd24db3694cf8def9627b4f34618c786bc3e2bd4bd5cd2a58e5d54a6b89

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
2a730b9135fa7fa0d209bc740b9cfd62

SHA1
12e9fd137b0aff7b207a24e4f5f5d3fec7f63695

SHA256
5d8282748ce25095a128824716f8ea62ce3f8d7853bf5d7a56c6a5a7817bb139

SHA512
fbedd2b19326175a05925dd55ed30c18b8c3d4e3c078c3f9627fa1a9fb8fc2c64d443da78dcb8eef140635db94583243d30f4052cddf0a2012921e144a3c553f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
b4916d5d05fd83bc00c6bb06657cabe3

SHA1
c9fec59ffecd1b5348c45d68b8631ae4290ae315

SHA256
9986b2bcf16771d6925d569172566d6db55df48a3d38f727c51e9848d11b8bd6

SHA512
57a630bf728aecdcbbb0a85ef560b2e7b2431b026c28632457b81ac9d2189af5763db7aecb335dbaf24191d56d042e431824124b86fdcbb63a14a38f5227566e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59f505.TMP

Filesize
1KB

MD5
929f364496c624fc906432e747627b14

SHA1
874c31d4563526d981a4e622c6bddddc8babc766

SHA256
9e2117ecedc557b2240988fcbcea8b5b04db01d1668ab9c1b1061381e7614be9

SHA512
dd79dbefae0b5dc576c6b807f288ee25f3ae77d9f10c1a9fab9398fd7e39cfea0028df5ee55a8def98ea74caf2b222f69939013be859dcbf1325deb3bf3c6430

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cb572f9dce8647a77747edcf2ba573f7

SHA1
df33d178f87748b32daf8b4f26c4a8c736ecd10d

SHA256
d78e7d1fc915634b42bcdbf0f030a351cf041bafaca4c9307904d6707fc7d523

SHA512
6e46d3eca2c80b680b4a6eb6761a4767c295a6152246b1668627e6dc933677593803015ce852a1903ea16fa6fe11479c81f19c0534fafc4bfca69da233069e6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fb462d34aaa027403a5b9c4c958a71e5

SHA1
e445847b0365868a75cd9499acb9185642369c32

SHA256
3ec87e7b5beffc90fd572186994ab4eea06002d8f3a3edd99b968c172edab0e3

SHA512
0dd207ec62ee1e85af6be691221a5579da49cdc3dc8a0f6c158b3e6d0d599289f084c42cb3fe15efd02d34a49b1e73bedd00684aeeb1fa7c5a65cf04909d601c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35722\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35722\_ctypes.pyd

Filesize
57KB

MD5
b4c41a4a46e1d08206c109ce547480c7

SHA1
9588387007a49ec2304160f27376aedca5bc854d

SHA256
9925ab71a4d74ce0ccc036034d422782395dd496472bd2d7b6d617f4d6ddc1f9

SHA512
30debb8e766b430a57f3f6649eeb04eb0aad75ab50423252585db7e28a974d629eb81844a05f5cb94c1702308d3feda7a7a99cb37458e2acb8e87efc486a1d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35722\base_library.zip

Filesize
1.4MB

MD5
83d235e1f5b0ee5b0282b5ab7244f6c4

SHA1
629a1ce71314d7abbce96674a1ddf9f38c4a5e9c

SHA256
db389a9e14bfac6ee5cce17d41f9637d3ff8b702cc74102db8643e78659670a0

SHA512
77364aff24cfc75ee32e50973b7d589b4a896d634305d965ecbc31a9e0097e270499dbec93126092eb11f3f1ad97692db6ca5927d3d02f3d053336d6267d7e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35722\libcrypto-1_1.dll

Filesize
1.1MB

MD5
86cfc84f8407ab1be6cc64a9702882ef

SHA1
86f3c502ed64df2a5e10b085103c2ffc9e3a4130

SHA256
11b89cc5531b2a6b89fbbb406ebe8fb01f0bf789e672131b0354e10f9e091307

SHA512
b33f59497127cb1b4c1781693380576187c562563a9e367ce8abc14c97c51053a28af559cdd8bd66181012083e562c8a8771e3d46adeba269a848153a8e9173c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35722\libffi-8.dll

Filesize
24KB

MD5
decbba3add4c2246928ab385fb16a21e

SHA1
5f019eff11de3122ffa67a06d52d446a3448b75e

SHA256
4b43c1e42f6050ddb8e184c8ec4fb1de4a6001e068ece8e6ad47de0cc9fd4a2d

SHA512
760a42a3eb3ca13fa7b95d3bd0f411c270594ae3cf1d3cda349fa4f8b06ebe548b60cd438d68e2da37de0bc6f1c711823f5e917da02ed7047a45779ee08d7012

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35722\libssl-1_1.dll

Filesize
203KB

MD5
6cd33578bc5629930329ca3303f0fae1

SHA1
f2f8e3248a72f98d27f0cfa0010e32175a18487f

SHA256
4150ee603ad2da7a6cb6a895cb5bd928e3a99af7e73c604de1fc224e0809fdb0

SHA512
c236a6ccc8577c85509d378c1ef014621cab6f6f4aa26796ff32d8eec8e98ded2e55d358a7d236594f7a48646dc2a6bf25b42a37aed549440d52873ebca4713e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35722\pyexpat.pyd

Filesize
86KB

MD5
fe0e32bfe3764ed5321454e1a01c81ec

SHA1
7690690df0a73bdcc54f0f04b674fc8a9a8f45fb

SHA256
b399bff10812e9ea2c9800f74cb0e5002f9d9379baf1a3cef9d438caca35dc92

SHA512
d1777f9e684a9e4174e18651e6d921ae11757ecdbeb4ee678c6a28e0903a4b9ab9f6e1419670b4d428ee20f86c7d424177ed9daf4365cf2ee376fcd065c1c92d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35722\python3.DLL

Filesize
64KB

MD5
34e49bb1dfddf6037f0001d9aefe7d61

SHA1
a25a39dca11cdc195c9ecd49e95657a3e4fe3215

SHA256
4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281

SHA512
edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35722\python311.dll

Filesize
1.6MB

MD5
db09c9bbec6134db1766d369c339a0a1

SHA1
c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b

SHA256
b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79

SHA512
653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI35722\select.pyd

Filesize
24KB

MD5
c39459806c712b3b3242f8376218c1e1

SHA1
85d254fb6cc5d6ed20a04026bff1158c8fd0a530

SHA256
7cbd4339285d145b422afa280cee685258bc659806be9cf8b334805bc45b29c9

SHA512
b727c6d1cd451d658e174161135d3be48d7efda21c775b8145bc527a54d6592bfc50919276c6498d2e2233ac1524c1699f59f0f467cc6e43e5b5e9558c87f49d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2awbmfzy.a23.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\ElectronV3\ElectronV3\ElectronV3.exe

Filesize
11.1MB

MD5
dd50ab40bc0ceeea383c132cc9ea965c

SHA1
c0ede9f69a2fcd7965e980654413854804e48ff9

SHA256
ebd33124981919a44841c9e215f91f622843ab2ea0c96cf1bcd44a82feb4dc1f

SHA512
fdec36007807500ae41b0afd400ef6727edb2ecd40646c41e76fbf4e6a86e49fab580fee57601972005adc0cbf7cda3be06d10e7da07deb7798dac8b887d098c

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 338859.crdownload

Filesize
11.0MB

MD5
8af03091e9f91f37561e20d7447e024e

SHA1
23a63441238796a4927a85180f6d1bac048dbb5f

SHA256
a8a33f6ec9f119dce68b9764baca7eac229be08bc888b661f26f2d2e31e9f2ba

SHA512
b8e78ea6f1951272a10599010875869a1994099550ff4d202ca4ce51ea1340da97ca76412fdc01788d1035dfa21e3a44f41eb3cfb8fb635865d6f3d3005bfe1e

Download Submit
C:\Users\Admin\Downloads\winrar-x64-701.exe

Filesize
3.7MB

MD5
3a2f16a044d8f6d2f9443dff6bd1c7d4

SHA1
48c6c0450af803b72a0caa7d5e3863c3f0240ef1

SHA256
31f7ba37180f820313b2d32e76252344598409cb932109dd84a071cd58b64aa6

SHA512
61daee2ce82c3b8e79f7598a79d72e337220ced7607e3ed878a3059ac03257542147dbd377e902cc95f04324e2fb7c5e07d1410f0a1815d5a05c5320e5715ef6

Download Submit
memory/540-841-0x00007FFF2B170000-0x00007FFF2B758000-memory.dmp

Filesize
5.9MB

Download
memory/540-857-0x00007FFF2CBB0000-0x00007FFF2CD23000-memory.dmp

Filesize
1.4MB

Download
memory/540-834-0x00007FFF42F00000-0x00007FFF42F19000-memory.dmp

Filesize
100KB

Download
memory/540-835-0x00007FFF41B70000-0x00007FFF41B7D000-memory.dmp

Filesize
52KB

Download
memory/540-836-0x00007FFF41A50000-0x00007FFF41A69000-memory.dmp

Filesize
100KB

Download
memory/540-837-0x00007FFF3E330000-0x00007FFF3E35D000-memory.dmp

Filesize
180KB

Download
memory/540-838-0x00007FFF3E0D0000-0x00007FFF3E0F3000-memory.dmp

Filesize
140KB

Download
memory/540-839-0x00007FFF2CBB0000-0x00007FFF2CD23000-memory.dmp

Filesize
1.4MB

Download
memory/540-840-0x00007FFF3DEC0000-0x00007FFF3DEEE000-memory.dmp

Filesize
184KB

Download
memory/540-827-0x00007FFF430E0000-0x00007FFF43104000-memory.dmp

Filesize
144KB

Download
memory/540-842-0x00007FFF2D840000-0x00007FFF2D8F8000-memory.dmp

Filesize
736KB

Download
memory/540-844-0x00007FFF2BDE0000-0x00007FFF2C155000-memory.dmp

Filesize
3.5MB

Download
memory/540-845-0x00007FFF430E0000-0x00007FFF43104000-memory.dmp

Filesize
144KB

Download
memory/540-843-0x0000027C477D0000-0x0000027C47B45000-memory.dmp

Filesize
3.5MB

Download
memory/540-846-0x00007FFF3E1B0000-0x00007FFF3E1C5000-memory.dmp

Filesize
84KB

Download
memory/540-848-0x00007FFF3DE50000-0x00007FFF3DE62000-memory.dmp

Filesize
72KB

Download
memory/540-847-0x00007FFF42F00000-0x00007FFF42F19000-memory.dmp

Filesize
100KB

Download
memory/540-849-0x00007FFF41B70000-0x00007FFF41B7D000-memory.dmp

Filesize
52KB

Download
memory/540-850-0x00007FFF397E0000-0x00007FFF397F4000-memory.dmp

Filesize
80KB

Download
memory/540-852-0x00007FFF397C0000-0x00007FFF397D4000-memory.dmp

Filesize
80KB

Download
memory/540-851-0x00007FFF41A50000-0x00007FFF41A69000-memory.dmp

Filesize
100KB

Download
memory/540-854-0x00007FFF2D0A0000-0x00007FFF2D1BC000-memory.dmp

Filesize
1.1MB

Download
memory/540-853-0x00007FFF3E330000-0x00007FFF3E35D000-memory.dmp

Filesize
180KB

Download
memory/540-856-0x00007FFF2FAB0000-0x00007FFF2FAD2000-memory.dmp

Filesize
136KB

Download
memory/540-855-0x00007FFF3E0D0000-0x00007FFF3E0F3000-memory.dmp

Filesize
140KB

Download
memory/540-829-0x00007FFF42FB0000-0x00007FFF42FBF000-memory.dmp

Filesize
60KB

Download
memory/540-858-0x00007FFF2CAE0000-0x00007FFF2CBAF000-memory.dmp

Filesize
828KB

Download
memory/540-860-0x00007FFF41B60000-0x00007FFF41B6A000-memory.dmp

Filesize
40KB

Download
memory/540-859-0x00007FFF3DEC0000-0x00007FFF3DEEE000-memory.dmp

Filesize
184KB

Download
memory/540-861-0x00007FFF2D840000-0x00007FFF2D8F8000-memory.dmp

Filesize
736KB

Download
memory/540-862-0x0000027C477D0000-0x0000027C47B45000-memory.dmp

Filesize
3.5MB

Download
memory/540-863-0x00007FFF2A9C0000-0x00007FFF2B161000-memory.dmp

Filesize
7.6MB

Download
memory/540-865-0x00007FFF2C4C0000-0x00007FFF2C4F8000-memory.dmp

Filesize
224KB

Download
memory/540-864-0x00007FFF2BDE0000-0x00007FFF2C155000-memory.dmp

Filesize
3.5MB

Download
memory/540-873-0x00007FFF3E1B0000-0x00007FFF3E1C5000-memory.dmp

Filesize
84KB

Download
memory/540-880-0x00007FFF3DE50000-0x00007FFF3DE62000-memory.dmp

Filesize
72KB

Download
memory/540-892-0x00007FFF397C0000-0x00007FFF397D4000-memory.dmp

Filesize
80KB

Download
memory/540-900-0x00007FFF2D0A0000-0x00007FFF2D1BC000-memory.dmp

Filesize
1.1MB

Download
memory/540-938-0x00007FFF45D90000-0x00007FFF45D9D000-memory.dmp

Filesize
52KB

Download
memory/540-937-0x00007FFF2FAB0000-0x00007FFF2FAD2000-memory.dmp

Filesize
136KB

Download
memory/540-979-0x00007FFF45D90000-0x00007FFF45D9D000-memory.dmp

Filesize
52KB

Download
memory/540-819-0x00007FFF2B170000-0x00007FFF2B758000-memory.dmp

Filesize
5.9MB

Download
memory/540-955-0x00007FFF2CAE0000-0x00007FFF2CBAF000-memory.dmp

Filesize
828KB

Download
memory/540-956-0x00007FFF41B60000-0x00007FFF41B6A000-memory.dmp

Filesize
40KB

Download
memory/540-958-0x00007FFF430E0000-0x00007FFF43104000-memory.dmp

Filesize
144KB

Download
memory/540-965-0x00007FFF2CBB0000-0x00007FFF2CD23000-memory.dmp

Filesize
1.4MB

Download
memory/540-980-0x00007FFF2A9C0000-0x00007FFF2B161000-memory.dmp

Filesize
7.6MB

Download
memory/540-974-0x00007FFF2FAB0000-0x00007FFF2FAD2000-memory.dmp

Filesize
136KB

Download
memory/540-969-0x00007FFF3E1B0000-0x00007FFF3E1C5000-memory.dmp

Filesize
84KB

Download
memory/540-957-0x00007FFF2B170000-0x00007FFF2B758000-memory.dmp

Filesize
5.9MB

Download
memory/544-944-0x00000245A3500000-0x00000245A3522000-memory.dmp

Filesize
136KB

Download