exelastealer | hxxps://mega[.]nz/file/4nlwxAqL#SRB6SE9FtsJVXmVM_OuUWGUL2GJM7t2fe08Ym2dbty8

Analysis

max time kernel
111s
max time network
112s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
09-11-2024 20:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/4nlwxAqL#SRB6SE9FtsJVXmVM_OuUWGUL2GJM7t2fe08Ym2dbty8

Score

10^/10

exelastealer collection defense_evasion discovery evasion persistence privilege_escalation pyinstaller spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

4652 netsh.exe
236 netsh.exe
Clipboard Data 1 TTPs 2 IoCs
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
collection

Clipboard Data
T1115

Processes:

powershell.execmd.exe

pid process

5856 powershell.exe
2080 cmd.exe
Executes dropped EXE 2 IoCs

Processes:

Tools.exeTools.exe

pid process

5620 Tools.exe
5888 Tools.exe

pid	process
4652	netsh.exe
236	netsh.exe

pid	process
5856	powershell.exe
2080	cmd.exe

pid	process
5620	Tools.exe
5888	Tools.exe

Loads dropped DLL 32 IoCs

Processes:

Tools.exe

pid	process
5888	Tools.exe
5888	Tools.exe
5888	Tools.exe
5888	Tools.exe
5888	Tools.exe
5888	Tools.exe
5888	Tools.exe
5888	Tools.exe
5888	Tools.exe
5888	Tools.exe
5888	Tools.exe
5888	Tools.exe
5888	Tools.exe
5888	Tools.exe
5888	Tools.exe
5888	Tools.exe
5888	Tools.exe
5888	Tools.exe
5888	Tools.exe
5888	Tools.exe
5888	Tools.exe
5888	Tools.exe
5888	Tools.exe
5888	Tools.exe
5888	Tools.exe
5888	Tools.exe
5888	Tools.exe
5888	Tools.exe
5888	Tools.exe
5888	Tools.exe
5888	Tools.exe
5888	Tools.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

89 discord.com
124 discord.com
87 discord.com
88 discord.com
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

80 ip-api.com
Network Service Discovery 1 TTPs 2 IoCs
Attempt to gather information on host's network.
discovery

Network Service Discovery
T1046

Processes:

cmd.exeARP.EXE

pid process

5936 cmd.exe
6068 ARP.EXE
Enumerates processes with tasklist 1 TTPs 4 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exe

pid process

5940 tasklist.exe
2660 tasklist.exe
4300 tasklist.exe
5848 tasklist.exe
Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
defense_evasion

Hidden Files and Directories
T1564.001

Processes:

cmd.exe

pid process

5496 cmd.exe

flow	ioc
89	discord.com
124	discord.com
87	discord.com
88	discord.com

flow	ioc
80	ip-api.com

pid	process
5936	cmd.exe
6068	ARP.EXE

pid	process
5940	tasklist.exe
2660	tasklist.exe
4300	tasklist.exe
5848	tasklist.exe

pid	process
5496	cmd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI56202\python311.dll	upx
behavioral1/memory/5888-414-0x00007FF969590000-0x00007FF969B78000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI56202\_ctypes.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI56202\_sqlite3.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI56202\_ssl.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI56202\_uuid.pyd	upx
behavioral1/memory/5888-455-0x00007FF96A1A0000-0x00007FF96A313000-memory.dmp	upx
behavioral1/memory/5888-457-0x00007FF96A170000-0x00007FF96A19E000-memory.dmp	upx
behavioral1/memory/5888-461-0x00007FF969590000-0x00007FF969B78000-memory.dmp	upx
behavioral1/memory/5888-465-0x00007FF97C140000-0x00007FF97C164000-memory.dmp	upx
behavioral1/memory/5888-481-0x00007FF9690D0000-0x00007FF9690EB000-memory.dmp	upx
behavioral1/memory/5888-491-0x00007FF96A0B0000-0x00007FF96A168000-memory.dmp	upx
behavioral1/memory/5888-494-0x00007FF968870000-0x00007FF968FFA000-memory.dmp	upx
behavioral1/memory/5888-496-0x00007FF968830000-0x00007FF968867000-memory.dmp	upx
behavioral1/memory/5888-503-0x00007FF97A770000-0x00007FF97A785000-memory.dmp	upx
behavioral1/memory/5888-495-0x00007FF974B90000-0x00007FF974BA2000-memory.dmp	upx
behavioral1/memory/5888-493-0x00007FF969210000-0x00007FF969585000-memory.dmp	upx
behavioral1/memory/5888-490-0x00007FF96A170000-0x00007FF96A19E000-memory.dmp	upx
behavioral1/memory/5888-489-0x00007FF969000000-0x00007FF96901E000-memory.dmp	upx
behavioral1/memory/5888-488-0x00007FF97C110000-0x00007FF97C11A000-memory.dmp	upx
behavioral1/memory/5888-487-0x00007FF969020000-0x00007FF969031000-memory.dmp	upx
behavioral1/memory/5888-486-0x00007FF969040000-0x00007FF96908D000-memory.dmp	upx
behavioral1/memory/5888-485-0x00007FF969090000-0x00007FF9690A9000-memory.dmp	upx
behavioral1/memory/5888-484-0x00007FF9690B0000-0x00007FF9690C6000-memory.dmp	upx
behavioral1/memory/5888-483-0x00007FF96A1A0000-0x00007FF96A313000-memory.dmp	upx
behavioral1/memory/5888-482-0x00007FF96A320000-0x00007FF96A343000-memory.dmp	upx
behavioral1/memory/5888-480-0x00007FF96A990000-0x00007FF96A9BD000-memory.dmp	upx
behavioral1/memory/5888-479-0x00007FF9690F0000-0x00007FF96920C000-memory.dmp	upx
behavioral1/memory/5888-478-0x00007FF96A060000-0x00007FF96A082000-memory.dmp	upx
behavioral1/memory/5888-477-0x00007FF96A970000-0x00007FF96A984000-memory.dmp	upx
behavioral1/memory/5888-476-0x00007FF97C120000-0x00007FF97C139000-memory.dmp	upx
behavioral1/memory/5888-475-0x00007FF96A090000-0x00007FF96A0A4000-memory.dmp	upx
behavioral1/memory/5888-474-0x00007FF974B90000-0x00007FF974BA2000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI56202\yarl\_quoting_c.cp311-win_amd64.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI56202\_hashlib.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI56202\multidict\_multidict.cp311-win_amd64.pyd	upx
behavioral1/memory/5888-469-0x00007FF97A770000-0x00007FF97A785000-memory.dmp	upx
behavioral1/memory/5888-468-0x00007FF9801A0000-0x00007FF9801AF000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI56202\_overlapped.pyd	upx
behavioral1/memory/5888-464-0x00007FF969210000-0x00007FF969585000-memory.dmp	upx
behavioral1/memory/5888-462-0x00007FF96A0B0000-0x00007FF96A168000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI56202\_asyncio.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI56202\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI56202\libssl-1_1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI56202\sqlite3.dll	upx
behavioral1/memory/5888-453-0x00007FF96A320000-0x00007FF96A343000-memory.dmp	upx
behavioral1/memory/5888-451-0x00007FF96A990000-0x00007FF96A9BD000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI56202\_lzma.pyd	upx
behavioral1/memory/5888-449-0x00007FF97A790000-0x00007FF97A7A9000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI56202\_bz2.pyd	upx
behavioral1/memory/5888-447-0x00007FF97D840000-0x00007FF97D84D000-memory.dmp	upx
behavioral1/memory/5888-446-0x00007FF97C120000-0x00007FF97C139000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI56202\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI56202\_socket.pyd	upx
behavioral1/memory/5888-516-0x00007FF96A060000-0x00007FF96A082000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI56202\_queue.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI56202\_multiprocessing.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI56202\_decimal.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI56202\_cffi_backend.cp311-win_amd64.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI56202\unicodedata.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI56202\pyexpat.pyd	upx
behavioral1/memory/5888-424-0x00007FF9801A0000-0x00007FF9801AF000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI56202\libffi-8.dll	upx
behavioral1/memory/5888-422-0x00007FF97C140000-0x00007FF97C164000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

Processes:

setup.exe

description	ioc	process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\c7463fb2-6ffd-4419-ac8d-809398b1a0b3.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241109200056.pma	setup.exe

Drops file in Windows directory 2 IoCs

Processes:

TiWorker.exechrome.exe

description ioc process

File opened for modification C:\Windows\Logs\CBS\CBS.log TiWorker.exe
File opened for modification C:\Windows\SystemTemp chrome.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

2340 sc.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

description	ioc	process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

pid	process
2340	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\Tools.exe	pyinstaller

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
discovery

Wi-Fi Discovery
T1016.002

Processes:

netsh.execmd.exe

pid process

808 netsh.exe
5932 cmd.exe
System Network Connections Discovery 1 TTPs 1 IoCs
Attempt to get a listing of network connections.
discovery

System Network Connections Discovery
T1049

Processes:

NETSTAT.EXE

pid process

4168 NETSTAT.EXE
Collects information from the system 1 TTPs 1 IoCs
Uses WMIC.exe to find detailed system information.

Data from Local System
T1005

Processes:

WMIC.exe

pid process

4812 WMIC.exe

pid	process
808	netsh.exe
5932	cmd.exe

pid	process
4168	NETSTAT.EXE

pid	process
4812	WMIC.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeNETSTAT.EXE

pid process

948 ipconfig.exe
4168 NETSTAT.EXE
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

2448 systeminfo.exe

pid	process
948	ipconfig.exe
4168	NETSTAT.EXE

pid	process
2448	systeminfo.exe

Kills process with taskkill 11 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
992	taskkill.exe
5544	taskkill.exe
3820	taskkill.exe
4832	taskkill.exe
6040	taskkill.exe
6136	taskkill.exe
5148	taskkill.exe
4212	taskkill.exe
5780	taskkill.exe
5860	taskkill.exe
3124	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133756561197074574"	chrome.exe

NTFS ADS 1 IoCs

Processes:

msedge.exe

description ioc process

File opened for modification C:\Users\Admin\Downloads\Unconfirmed 525939.crdownload:SmartScreen msedge.exe
Runs net.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 525939.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exeWMIC.exepowershell.exeWMIC.exeWMIC.exeWMIC.exeWMIC.exechrome.exe

pid	process
5108	msedge.exe
5108	msedge.exe
1208	msedge.exe
1208	msedge.exe
1188	identity_helper.exe
1188	identity_helper.exe
5364	msedge.exe
5364	msedge.exe
5100	WMIC.exe
5100	WMIC.exe
5100	WMIC.exe
5100	WMIC.exe
5856	powershell.exe
5856	powershell.exe
5856	powershell.exe
4812	WMIC.exe
4812	WMIC.exe
4812	WMIC.exe
4812	WMIC.exe
5992	WMIC.exe
5992	WMIC.exe
5992	WMIC.exe
5992	WMIC.exe
1592	WMIC.exe
1592	WMIC.exe
1592	WMIC.exe
1592	WMIC.exe
992	WMIC.exe
992	WMIC.exe
992	WMIC.exe
992	WMIC.exe
4692	chrome.exe
4692	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

Processes:

msedge.exechrome.exe

pid	process
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AUDIODG.EXEWMIC.exetasklist.exetasklist.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetasklist.exepowershell.exeTiWorker.exeWMIC.exe

description	pid	process
Token: 33	2256	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2256	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	5100	WMIC.exe
Token: SeSecurityPrivilege	5100	WMIC.exe
Token: SeTakeOwnershipPrivilege	5100	WMIC.exe
Token: SeLoadDriverPrivilege	5100	WMIC.exe
Token: SeSystemProfilePrivilege	5100	WMIC.exe
Token: SeSystemtimePrivilege	5100	WMIC.exe
Token: SeProfSingleProcessPrivilege	5100	WMIC.exe
Token: SeIncBasePriorityPrivilege	5100	WMIC.exe
Token: SeCreatePagefilePrivilege	5100	WMIC.exe
Token: SeBackupPrivilege	5100	WMIC.exe
Token: SeRestorePrivilege	5100	WMIC.exe
Token: SeShutdownPrivilege	5100	WMIC.exe
Token: SeDebugPrivilege	5100	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5100	WMIC.exe
Token: SeRemoteShutdownPrivilege	5100	WMIC.exe
Token: SeUndockPrivilege	5100	WMIC.exe
Token: SeManageVolumePrivilege	5100	WMIC.exe
Token: 33	5100	WMIC.exe
Token: 34	5100	WMIC.exe
Token: 35	5100	WMIC.exe
Token: 36	5100	WMIC.exe
Token: SeDebugPrivilege	2660	tasklist.exe
Token: SeIncreaseQuotaPrivilege	5100	WMIC.exe
Token: SeSecurityPrivilege	5100	WMIC.exe
Token: SeTakeOwnershipPrivilege	5100	WMIC.exe
Token: SeLoadDriverPrivilege	5100	WMIC.exe
Token: SeSystemProfilePrivilege	5100	WMIC.exe
Token: SeSystemtimePrivilege	5100	WMIC.exe
Token: SeProfSingleProcessPrivilege	5100	WMIC.exe
Token: SeIncBasePriorityPrivilege	5100	WMIC.exe
Token: SeCreatePagefilePrivilege	5100	WMIC.exe
Token: SeBackupPrivilege	5100	WMIC.exe
Token: SeRestorePrivilege	5100	WMIC.exe
Token: SeShutdownPrivilege	5100	WMIC.exe
Token: SeDebugPrivilege	5100	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5100	WMIC.exe
Token: SeRemoteShutdownPrivilege	5100	WMIC.exe
Token: SeUndockPrivilege	5100	WMIC.exe
Token: SeManageVolumePrivilege	5100	WMIC.exe
Token: 33	5100	WMIC.exe
Token: 34	5100	WMIC.exe
Token: 35	5100	WMIC.exe
Token: 36	5100	WMIC.exe
Token: SeDebugPrivilege	4300	tasklist.exe
Token: SeDebugPrivilege	5780	taskkill.exe
Token: SeDebugPrivilege	5860	taskkill.exe
Token: SeDebugPrivilege	6040	taskkill.exe
Token: SeDebugPrivilege	6136	taskkill.exe
Token: SeDebugPrivilege	5148	taskkill.exe
Token: SeDebugPrivilege	3124	taskkill.exe
Token: SeDebugPrivilege	992	taskkill.exe
Token: SeDebugPrivilege	4212	taskkill.exe
Token: SeDebugPrivilege	5544	taskkill.exe
Token: SeDebugPrivilege	3820	taskkill.exe
Token: SeDebugPrivilege	4832	taskkill.exe
Token: SeDebugPrivilege	5848	tasklist.exe
Token: SeDebugPrivilege	5856	powershell.exe
Token: SeSecurityPrivilege	5920	TiWorker.exe
Token: SeRestorePrivilege	5920	TiWorker.exe
Token: SeBackupPrivilege	5920	TiWorker.exe
Token: SeIncreaseQuotaPrivilege	4812	WMIC.exe
Token: SeSecurityPrivilege	4812	WMIC.exe

Suspicious use of FindShellTrayWindow 61 IoCs

Processes:

msedge.exechrome.exe

pid	process
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

msedge.exechrome.exe

pid	process
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
1208	msedge.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe
4692	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1208 wrote to memory of 1628	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 1628	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 2700	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 5108	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 5108	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 4360	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 4360	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 4360	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 4360	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 4360	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 4360	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 4360	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 4360	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 4360	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 4360	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 4360	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 4360	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 4360	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 4360	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 4360	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 4360	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 4360	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 4360	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 4360	1208	msedge.exe	msedge.exe
PID 1208 wrote to memory of 4360	1208	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

5548 attrib.exe

pid	process
5548	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/4nlwxAqL#SRB6SE9FtsJVXmVM_OuUWGUL2GJM7t2fe08Ym2dbty8
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff97bf846f8,0x7ff97bf84708,0x7ff97bf84718
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
  2⤵
  PID:2700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
  2⤵
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
  2⤵
  PID:1772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6088 /prefetch:8
  2⤵
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:4536
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x7ff7ae035460,0x7ff7ae035470,0x7ff7ae035480
    3⤵
    PID:4972
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6088 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
  2⤵
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1
  2⤵
  PID:1140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6384 /prefetch:8
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6116 /prefetch:8
  2⤵
  PID:5192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
  2⤵
  PID:5200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6684 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6836 /prefetch:8
  2⤵
  PID:5380
- C:\Users\Admin\Downloads\Tools.exe
  "C:\Users\Admin\Downloads\Tools.exe"
  2⤵
  - Executes dropped EXE
  PID:5620
- - C:\Users\Admin\Downloads\Tools.exe
    "C:\Users\Admin\Downloads\Tools.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5888
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:4016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:1260
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5100
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:1092
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
      4⤵
      Hide Artifacts: Hidden Files and Directories
      PID:5496
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
        5⤵
        Views/modifies file attributes
        
        PID:5548
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
      4⤵
      PID:5552
    - - C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
        5⤵
        
        PID:5580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:5408
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4300
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1208"
      4⤵
      PID:5736
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1208
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1628"
      4⤵
      PID:5804
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1628
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5860
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2700"
      4⤵
      PID:6024
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2700
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6040
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5108"
      4⤵
      PID:6060
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5108
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6136
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4360"
      4⤵
      PID:5988
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4360
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5148
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4720"
      4⤵
      PID:420
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4720
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3124
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1140"
      4⤵
      PID:4384
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1140
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4884"
      4⤵
      PID:5428
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:2660
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4884
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2236"
      4⤵
      PID:4640
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2236
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5544
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5192"
      4⤵
      PID:5484
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5192
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:3820
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5200"
      4⤵
      PID:5420
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5200
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:4832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      PID:4100
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        
        PID:2328
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:5884
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      PID:5056
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        
        PID:2232
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:5832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:5012
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
      4⤵
      Clipboard Data
      PID:2080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        5⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
      4⤵
      Network Service Discovery
      PID:5936
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:2448
    - - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        5⤵
        
        PID:4852
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        5⤵
        Collects information from the system
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4812
    - - C:\Windows\system32\net.exe
        
        net user
        5⤵
        
        PID:2296
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        6⤵
        
        PID:2236
    - - C:\Windows\system32\query.exe
        
        query user
        5⤵
        
        PID:2896
      - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        6⤵
        
        PID:4128
    - - C:\Windows\system32\net.exe
        
        net localgroup
        5⤵
        
        PID:4508
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        6⤵
        
        PID:4884
    - - C:\Windows\system32\net.exe
        
        net localgroup administrators
        5⤵
        
        PID:5292
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        6⤵
        
        PID:5264
    - - C:\Windows\system32\net.exe
        
        net user guest
        5⤵
        
        PID:5320
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        6⤵
        
        PID:5276
    - - C:\Windows\system32\net.exe
        
        net user administrator
        5⤵
        
        PID:6012
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        6⤵
        
        PID:6036
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:5992
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        5⤵
        Enumerates processes with tasklist
        
        PID:5940
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:948
    - - C:\Windows\system32\ROUTE.EXE
        
        route print
        5⤵
        
        PID:4024
    - - C:\Windows\system32\ARP.EXE
        
        arp -a
        5⤵
        Network Service Discovery
        
        PID:6068
    - - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        5⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:4168
    - - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        5⤵
        Launches sc.exe
        
        PID:2340
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4652
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:236
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:5932
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:64
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1592
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:928
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2980

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4b4 0x2fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2256

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:5920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff96e36cc40,0x7ff96e36cc4c,0x7ff96e36cc58
  2⤵
  PID:5508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2028,i,13997502721834994177,3024343501860914853,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2024 /prefetch:2
  2⤵
  PID:5784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1912,i,13997502721834994177,3024343501860914853,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2116 /prefetch:3
  2⤵
  PID:5788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,13997502721834994177,3024343501860914853,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2496 /prefetch:8
  2⤵
  PID:5492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,13997502721834994177,3024343501860914853,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:1552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,13997502721834994177,3024343501860914853,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4560,i,13997502721834994177,3024343501860914853,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  PID:5192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3712,i,13997502721834994177,3024343501860914853,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3700 /prefetch:8
  2⤵
  PID:5864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3788,i,13997502721834994177,3024343501860914853,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4704 /prefetch:8
  2⤵
  PID:5960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4944,i,13997502721834994177,3024343501860914853,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3700 /prefetch:1
  2⤵
  PID:6028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5036,i,13997502721834994177,3024343501860914853,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5020 /prefetch:8
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5132,i,13997502721834994177,3024343501860914853,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  PID:5692

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:6052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
cd2dacffc275c8071fcde956de153272

SHA1
98953146e634d1e999baf09ceb9485edd175edf5

SHA256
271198889a5e286834e20e834b3a9a33a8505f2077e2bfc09b4dc3683c5b7bc4

SHA512
3d955334ed40b97f1a9a7d4048819fccce1c42163d4ab04e3c6b35ecb5cd4ddc8f0d9f4e32f8c9fa5b2e2cf570290bf502684d1123832e3799789ef693ed0e33

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
8cee74b8bf3e55857f3fff6e59a656e0

SHA1
9dc75ec8d277ebda5d48597f33d562ae4648a967

SHA256
1d7421e027a4196b3a487579ad7e1619d38946e8825f4392181a03a2d0042774

SHA512
245d519245d583eecc6ec0eca623d6908b26d7894962d00dbbfdb89d8f9334b57b2564a8457f064e77b306cc8314f83af558da707f0959d36fdbdd14f9a2c71e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6b074037473fee489fffc7eb2d24a257

SHA1
4c3160d727f0255b03104f267561d07faebda23c

SHA256
5475342061ffe579d89c700e48186991e567c4d06ca5e8c58d39a5fd78edec78

SHA512
b2a7225bdf9faba9abc5159cdbc5c252b7d32f404241f77e6e501e1d9e3afb973f47526a4243102ea9e96888a7127a9e5222ac2b9e943b5fa6677a8d9ca8e4ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
43911a6ffeaa35874ca541a21e66bf20

SHA1
f181b23dcf3f85c78950a2183fa45225b066d6fe

SHA256
fbb3cc8bc95dd3bd4afa16b3795d111ff984ef9f9c7565124bfab441f230b66c

SHA512
a2a8dba517e04911264d79b474d03316479f396d1614b28988b76b61331efa822fd0c3f93484d4fae710b252d08eb10b6c0a50953736092d1e725b4348da708d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7b5b9b494f0e8fc00e5b0bd39a7213d7

SHA1
e97cea936739dae5fb4c6a77dfd25772c0b85128

SHA256
6ebdd29129c520c0f3dfeed3e69da82d1b57802f07f7d1c78f8700242ad7538e

SHA512
75ba22bea60b0c9fcdd76c0fd3a81733f5c32d03321eec0b7d1db876ff667a5a6f51097225de05aea4f966ae5f4cb8eadab8df86dc3c3f6924cd7d486a859d81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
9b2a8d2d15c662128004b668f359f58b

SHA1
26aa26ab6a8b1b67b7019eea76f518d43e129c1f

SHA256
c1b5c302139f096820266794dfaa284c378ac0123d9f0408b1330f0a3c8dfdc6

SHA512
19e72ce43b3f86844d022da25d2ce0cea87f571a871d43cdc40c9eca9e96ce9c25c21ef5bd87dc5f03dae6429add39a6975c9220fe290240a8cb84d63cd757b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
abadc8379cec0bc27226d9b12898de4a

SHA1
17984b18a40d8ef2a532f62875739abb05f08b41

SHA256
dca9da4ffa855a6dab31ff50f79869b1fed4c79bc8405cd398138aacd1163cd5

SHA512
db458803936044f42c8a656ada4ff930a4da9bb12540872278b23a9268caa48be6bfbaafe6b3c9b0b54d7ce5793ae4a068d10f19ad7658353dbec45c36737f54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
234KB

MD5
1d42430e9378bd108d5e306facb79651

SHA1
05cb764caa3e6930deb3bbca9596c5d6cbca1e5f

SHA256
c1e45616f720502abc8fc51e5ea798a3de41bb111c69b49e91791ff91e35fd65

SHA512
95fb28b2ee55d668116e378ec9fcfc893447881df4018cebe3924b14d7370c5e98c87cf5d6b73c83b2a7c1bfd3b1c0521338f9cbed3e654d2c045bdaf4152501

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
467bc167b06cdf2998f79460b98fa8f6

SHA1
a66fc2b411b31cb853195013d4677f4a2e5b6d11

SHA256
3b19522cb9ce73332fa1c357c6138b97b928545d38d162733eba68c8c5e604bd

SHA512
0eb63e6cacbec78b434d976fa2fb6fb44b1f9bc31001857c9bcb68c041bb52df30fbc7e1353f81d336b8a716821876fcacf3b32a107b16cec217c3d5d9621286

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cc10dc6ba36bad31b4268762731a6c81

SHA1
9694d2aa8b119d674c27a1cfcaaf14ade8704e63

SHA256
d0d1f405097849f8203095f0d591e113145b1ce99df0545770138d772df4997f

SHA512
0ed193fdcc3f625221293bfd6af3132a5ce7d87138cd7df5e4b89353c89e237c1ff81920a2b17b7e0047f2cc8b2a976f667c7f12b0dcc273ddc3b4c8323b1b56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

Filesize
17KB

MD5
950eca48e414acbe2c3b5d046dcb8521

SHA1
1731f264e979f18cdf08c405c7b7d32789a6fb59

SHA256
c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2

SHA512
27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
40c08d56c5feaced74b97ce197f08750

SHA1
f71cfa4a4b48f984eb060106888867e8c17cd7e1

SHA256
ffcaf28ad64b5769cdf720bd804af7c5fb5563dd373e13954c8ac88e5247f543

SHA512
bd20fb8daa8844c72e2c8f855d64d76e116bf25e617454a8dda582e7520f62c325862230f600ae0f50b3556eb5934990bd1bda20c6b4a3d4c3b92bb023d7e79c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
6d6fa7e8b98e22a229f140a85a303322

SHA1
e11c3d97fd66fa24fc863274853ca8eb7197e665

SHA256
151d279fbfc89cc69f461ba4d50d048d4a977ad881ecd512b9dafc571e7e5dac

SHA512
72940adaffa94cf1653b7dc032c3b4ed7b12877618119f3241b39a76fec9770ef321762f73c6a3cdf57f40a2b8819bbcab188ee72589601c45cf112ec877933e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4d94b053ace1199438cd3f853f6b45af

SHA1
7e9c5b02dc67c59c0864b104e7ac7c5dbd41a6ea

SHA256
c7e647b0278bf2805c1a6106a6d3afbac0d7429135760971b4e4640665492c73

SHA512
23b43bbb775094a2eed06df331fbd34486e41f509eab2656ca6707aa4c978501475e5a217d2b69fef26aa2f258865272c3c9a0d431b57704a1249de69af55926

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f8defe7701720c812ae283f7fe6101ae

SHA1
d2713d27a5f668e56bf3e93d4f2246206d566574

SHA256
5d7e3b3dca48a5227b999a99dcce3bc8eb79ae9ca9bd996f59a3e8bf46fb3633

SHA512
ca508e16a0d8bd7438fe209b33fc303aef91507fe6e38a518f27b5466ca62e37dbdf7f93ef89570eeab90b9530235b47ad45a6db8bfabcbbb288650b76a52cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fcacdae72b723d06ede44142131945d1

SHA1
ca2158fe18e5cd5a3568b0c1d4b5d560add4d59c

SHA256
afcb5499beb28348ce5ee421903fa4a2a4352ce64ca48d2ec73ceddd088983d3

SHA512
588d5bdc4621e6db265fd675812d567d96064c7e9a7f353a30f9a505625d3ecac152910ea81b1feb327ea827ec379eb5b00512b1ad4e5543439f5d916cf255db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
3b964859deef3a6f470b8021df49b34d

SHA1
62023dacf1e4019c9f204297c6be7e760f71a65d

SHA256
087debdcfba4666c03a5ea699e9bb31cf22ef4e0fad7c961cb0b500e5d262fb5

SHA512
c30b7e1b28820a5815b52634b46cb210c241704e33e41304400cb3ed29e82ec547a1068fc819350b368456bcabd27034afade5add3251dc74e4174f51b6c7adf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5c2d5c900312f44e72209416d45723cb

SHA1
68fb8909308589149399c3fb74605600833fbbc1

SHA256
56f7a77549e5fc45bd4b1f7c2db3e8b4bd1dd9234545207613a80342cee8e7d8

SHA512
07c2920cff7c1125e3a2fe66bf21d8606a1f2a3d36be2d8e136da0d2a21130242ac8324f18cedfb0040304cf804815861767c969a6923d8db851312bf9b4348b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
580d30a6d681949e596f05ce3ca93643

SHA1
042cc44e68a563f0c4eb269a8592103d7313d5f0

SHA256
60bcf5242a7d70e213c8c5626c4438287fba94c0fdbc256b86a44e9dfda077a8

SHA512
b70cfae648b3f55cba3eca54b5e6fa5310c7048f0163f111678350fa3220b2f3b54fd85f0aec4ab537645203f6dd8111a273776f1a85310bd3001ba70125d8bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57c1e8.TMP

Filesize
48B

MD5
24649e46612a671375a1ab65ee29b5c3

SHA1
9cc1b5fd3108d9e81d4bfeab14add156ae55119f

SHA256
a656f4728e2d21532f30a015a662b689a762805ab30b23bceaf1b4207be6141e

SHA512
7bbd3eed84bd5fd4e13e00fbcf3345cce520b2d455ff4347351c00e445f8d7c2c2fa47bba3873111491320bf72638d8856389a6d595c509f1d261e9a1be4ea74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
f50cb573bf68fc7fdd739ba328fa61d6

SHA1
12d574bf118fa1cb4d1cfa1b314705a2209858df

SHA256
eb335cee61af7d0aae01f89740ac26ec9822cb155e924bc9d62b505f261b2551

SHA512
da09c678ba78bfd251c61ef109bb8df4a01c04dc5ccd6c0d8665beb5e1bcaeabc964670f7b2c13c12ea27363460ea7c1c01940b57bc4a289c972ce4ec67e6022

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
5163964754e61aea387d5ae647cee41e

SHA1
f37072bd81913515c8199cfef6bc58c89b547720

SHA256
24a38b2059bdf38820b3a55ac8414aacf386b4d0f5aff8fb4fa1d46b4ddeada9

SHA512
705dd1293022c886b19607699ea3fc1c543b7f3e62db1487292835289634a07408e4e86f38d41e4c7a2c73f20ab7904948410f0722315c0b4eed893ffabe1188

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\EnterOut.xlsx

Filesize
13KB

MD5
880dae70b2022931ac7259ff2b6cb587

SHA1
6d0e13222c5ac1b61470525885002c6a8a1ace5d

SHA256
03545ee011b3724f77ed178df31eab23d40b26c65be095ebef9bf73aabb682fa

SHA512
b0c770455431a673f8570b6f486b40db773afa0a1fac9938648374d2c5a2292b5ae52ed5a7ee153a111da59cc3c804296927f310e1391f9012acdc2554040994

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\ShowComplete.docx

Filesize
19KB

MD5
bfd3c6838dd6567689830b0c99021718

SHA1
f7a15bbb3732c52bbf422a75c2f2e242dc1bafb7

SHA256
a6e3e745e6f5590f0e11c706999c7f71c9c560d93f13580cc34e10ca4feac748

SHA512
27d64e401a4606d6f2c86e52f0ec70ebfc066676aa092291a6cc170ab52b0588367d80dced7373af2188f6e341dec72660d26cb025137f5b309177927d8dddad

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\UnregisterConfirm.docx

Filesize
14KB

MD5
3710aee34cc4b6cb3e89f8b2a52e17b1

SHA1
f00145afc0a4c83f06b38f6dbc9998ebfe115155

SHA256
b1d90554f94827be99762b40f1a266f42e8d09fb846aa3e0a4b3a60b2708db14

SHA512
0f79916b30fb3b3eeb548a96863483d2cafacc62dbaf06d3ec9636c94553561f05a1eaf486f579afd838dd9eec0e4486d79193f8ab3e501d1df22f1e169a3970

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\BackupConnect.vsdx

Filesize
547KB

MD5
008d9948364685c06f3456c4f3e7af80

SHA1
9bc6abc0d6a737ec2b12466686cdb2f64c3cd94f

SHA256
3107f161000b6e7940c08888c54add2d6a08ad4ad26e563245433d92987d8dc7

SHA512
dd03e3a053c5dc016b11ac1b618e28c947da9bc4b20e9e8425ee43e202a095eedb31d16ffc1ae1bbc735cfcf218cf425843800aa54f200fe3d9fcaad8ac8868c

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\BackupMeasure.xltm

Filesize
291KB

MD5
ace708a6df648a83b4a31bfd121b2ca1

SHA1
0dc4c32f31a3bc7efc263fb19154cddf3f0c74b6

SHA256
fc0cd8422ceb0892ceefbffbcbccad97af3bd8e813808c45bb391c340a4902d2

SHA512
cb16d19a2bc40c9463415b96057d4c0ba51294e350e9acf96d28c9df2b19e5f244bfff5f6eecf501a1a7a6190e373ca7eedbb9548cae762668ddbd0868e1980f

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\LimitMount.txt

Filesize
504KB

MD5
967cec8a3a639ceed08e9018c1ac3ffe

SHA1
fad7e0a79ef7b5a0d59201468f3cc207c9f809cc

SHA256
ef54aad74251c872bc9a696373fce59f11c6a0b84ac1f1885317f0a0d963b75a

SHA512
7a27018544874e69e415c914c2c55fb9012e56edfafff74b203e5abb77c685d4d3c468db8386199949237f7940551cc280639405144ea28ef9d60c16d50b80f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\RestartEdit.txt

Filesize
333KB

MD5
82cc37d43891ac36ec92652f207df547

SHA1
b6324c003257851b2c169c2a4910d36de58b03f2

SHA256
a71cb14875a3290904db852aa6fd14098705d82bc7cbc402e01aaeb415b09cde

SHA512
f798c4a237e60c0a8323c9974627ed5c70929c91d3747f0916db973d9081d259608232476b7a5f0cb4611bbcbbd9a041e71221dc95eae421af0e06f5298de54d

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\StopOut.docx

Filesize
476KB

MD5
366e7210ba3f85c4154110a8008791f3

SHA1
837f73de0ce93dc01a4ee36868dedda26ff5a9af

SHA256
1ede48099dd1dc48fac0b92f5cc15208d953f6c2f87fad35858d508ada125c6a

SHA512
8b4d31500be401d9f2e0df7757f28a010e02f77fe559a523f55af4b7c5d7c111f861f4e92ab7e5bad510e684cc5947d354d674004ec58cadcbefd12b00de2fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\BackupPing.m4a

Filesize
417KB

MD5
04ff1e93752556f04979a9aee3370556

SHA1
6bb3dccbb7761c84b2671d3fc7ab08fa90a9628a

SHA256
ccc86b624814960c33863aaf54324dd3b75c02c023e9bd579054fac81d5d9853

SHA512
4453acf6bb191fae3635bffc985d73914f53716b10cdccabc564f16b23aa40dc54142fb2a5fd63e6ab5b3f4d5d70b27b670bfd28ba271b3cf8d2714a148199bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\DisconnectReset.jpeg

Filesize
219KB

MD5
7b226696d6ade9a018bd174abab7b4ac

SHA1
0e4d69f70f4aa56a305afb07dcd59a0c3a71ac73

SHA256
39074d220f53ca9096f559ee7ac802c27d060615406217c228ca04dbb1ea8e63

SHA512
00980a8bf12031d9e81f18e7ea684fba599b2b78d306b5938c496c594eac3ee121605e6893ee03a2f4f248b94446989be54bcce53be55e666f054122fc6b40bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\NewEdit.mp3

Filesize
408KB

MD5
365077271d110ccc54476cb9f42245bd

SHA1
27985cded8f8396cb37cbbced051d33efc9c2e32

SHA256
7690f0cb21b285dfb17ab2db1a0318a96ea1fd4f3fa7e134774c8bbdb35f2022

SHA512
a412ef5876c82e640c93036e70c5ffd001f220cf2709906978b1fa86f96cb3ce8369b4febe981c0673bea4a5cf82928a9e6ef396c7d91aacfc8b0bf01dd658aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\SaveSelect.pdf

Filesize
309KB

MD5
7f2fd4e44967bc9a45a8b9a672d2b97d

SHA1
ebabb758440f6913ed998618df7c032dc76bc4a5

SHA256
1401507285fb7bc4e79b0bf85ada93860f91cfce55bff16247d9a3df0fbb4a56

SHA512
5fead157fce9bcd544b02992562f58f36bf43f6fd0a174dfa710df28efe9e196be5fc1c4845357f898d8e195e196f639bea6682af084eaf1ee935615d4ebddce

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\JoinApprove.png

Filesize
462KB

MD5
ca83ea35f7754990b1ad0b81b861778b

SHA1
1b0a8c1983cf1210914f4e00826ce87ae1314550

SHA256
97fafbaa0576782593ab6e8fd800b41c1ed10f9e4d05346683d882724b144aed

SHA512
5a14101862b0c29ada130f84a5078ca94aa6bbb74e792b15879a9b2aed660524be7aaa5063b7204ff2b573ecb3115ca29573d14faa829498da0ccb88aff3dc9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\StepGet.jpeg

Filesize
300KB

MD5
907275399c8aa22e53a532188dbf808c

SHA1
92c5e58de66cab99bb4383ec509954f342d17167

SHA256
6d507a07aa05af1c6383c68b17a2a3134be0ec2627be89c14eac7b8dda965f2d

SHA512
6d511f8a3873412d659810119bb69057272b00a7db0263599e6db902ca6c8e3afc8ba461b8d735275391ec4a6f934de1ec1afbae8c60542e7c750093fbcc0e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\MountCompare.jpeg

Filesize
545KB

MD5
e0f3efec69e6879c8a250e285f28d268

SHA1
904b420a88a9d1b13ccd492ab6a515d9ca069f07

SHA256
906c5b8a0e1f8a8deebfba62b43be5e02778ec0a07f95afb9fe358da2ba99975

SHA512
7617c18632ca83ab77dea1aa315dea917cf060d4c6fa6f7e5ccb0b3a8e9b17d6af6d0249b2bdd6054f2ae4a1c2add4e15815a7ffe4c6dd6080c4bc29cb69c555

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\MoveRead.jpeg

Filesize
763KB

MD5
5141279391c7c28776da496dfb71ab3a

SHA1
8ae654907adb66c51644a1eb71bdbc006723d601

SHA256
fd0e0062deaa097893d806ce2bd7c272bc9e0b251741c0dbad1d57a09b68b553

SHA512
92da427528024932e890d3ed8cf7b444cabfdea5d37e21f83899d9fe4f2f42bb98cebad6ab43c9d7b0ea1a91452869465cf15c605a5549ab5ae0760bb70a2eb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\StepReset.jpg

Filesize
1008KB

MD5
f6802018860beab0e371d5bffa2c0329

SHA1
d3c2f68843921e8fb9f1e26b083a89c3a4275f3a

SHA256
90da474215a3c3ff24b08c098795d50891329685c1148831034f17f687ebd6bb

SHA512
95132b9a0227e15d89502d1ffaddb909063f7650c8f70f710bcbc94c9f84249e1698efca85d3360e7f5bcad636fad131c4c88256b7bcf5c07ead703e478d53f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\TraceSkip.png

Filesize
627KB

MD5
77b44a15785ed4445b2a564b5ea5c80a

SHA1
4aec53400cfc4ea9e0465adf5cd058a29af268bd

SHA256
cc8c130993fd054c0883383c534de5345c72e3b14a99286ff31f8b704ae22ccb

SHA512
ffda0603170c22e22699df5dc4b7c01d6232594ec56632043d685c497a3fd8354e6b9f69ca9dd3be1ebb679b2d4d089fa2a8211336a0a93eaba012563eb1e1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI56202\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI56202\_asyncio.pyd

Filesize
34KB

MD5
1b8ce772a230a5da8cbdccd8914080a5

SHA1
40d4faf1308d1af6ef9f3856a4f743046fd0ead5

SHA256
fa5a1e7031de5849ab2ab5a177e366b41e1df6bbd90c8d2418033a01c740771f

SHA512
d2fc21b9f58b57065b337c3513e7e6c3e2243b73c5a230e81c91dafcb6724b521ad766667848ba8d0a428d530691ffc4020de6ce9ce1eaa2bf5e15338114a603

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI56202\_bz2.pyd

Filesize
46KB

MD5
80c69a1d87f0c82d6c4268e5a8213b78

SHA1
bae059da91d48eaac4f1bb45ca6feee2c89a2c06

SHA256
307359f1b2552b60839385eb63d74cbfe75cd5efdb4e7cd0bb7d296fa67d8a87

SHA512
542cf4ba19dd6a91690340779873e0cb8864b28159f55917f98a192ff9c449aba2d617e9b2b3932ddfeee13021706577ab164e5394e0513fe4087af6bc39d40d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI56202\_cffi_backend.cp311-win_amd64.pyd

Filesize
71KB

MD5
0f0f1c4e1d043f212b00473a81c012a3

SHA1
ff9ff3c257dceefc74551e4e2bacde0faaef5aec

SHA256
fda255664cbf627cb6a9cd327daf4e3eb06f4f0707ed2615e86e2e99b422ad0b

SHA512
fcfa42f417e319bddf721f298587d1b26e6974e5d7589dfe6ddd2b013bc554a53db3725741fbc4941f34079ed8cb96f05934f3c2b933cda6a7e19cda315591a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI56202\_ctypes.pyd

Filesize
57KB

MD5
b4c41a4a46e1d08206c109ce547480c7

SHA1
9588387007a49ec2304160f27376aedca5bc854d

SHA256
9925ab71a4d74ce0ccc036034d422782395dd496472bd2d7b6d617f4d6ddc1f9

SHA512
30debb8e766b430a57f3f6649eeb04eb0aad75ab50423252585db7e28a974d629eb81844a05f5cb94c1702308d3feda7a7a99cb37458e2acb8e87efc486a1d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI56202\_decimal.pyd

Filesize
104KB

MD5
e9501519a447b13dcca19e09140c9e84

SHA1
472b1aa072454d065dfe415a05036ffd8804c181

SHA256
6b5fe2dea13b84e40b0278d1702aa29e9e2091f9dc09b64bbff5fd419a604c3c

SHA512
ef481e0e4f9b277642652cd090634e1c04702df789e2267a87205e0fe12b00f1de6cdd4fafb51da01efa726606c0b57fcb2ea373533c772983fc4777dc0acc63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI56202\_hashlib.pyd

Filesize
33KB

MD5
0629bdb5ff24ce5e88a2ddcede608aee

SHA1
47323370992b80dafb6f210b0d0229665b063afb

SHA256
f404bb8371618bbd782201f092a3bcd7a96d3c143787ebea1d8d86ded1f4b3b8

SHA512
3faeff1a19893257c17571b89963af37534c189421585ea03dd6a3017d28803e9d08b0e4daceee01ffeda21da60e68d10083fe7dbdbbde313a6b489a40e70952

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI56202\_lzma.pyd

Filesize
84KB

MD5
bfca96ed7647b31dd2919bedebb856b8

SHA1
7d802d5788784f8b6bfbb8be491c1f06600737ac

SHA256
032b1a139adcff84426b6e156f9987b501ad42ecfb18170b10fb54da0157392e

SHA512
3a2926b79c90c3153c88046d316a081c8ddfb181d5f7c849ea6ae55cb13c6adba3a0434f800c4a30017d2fbab79d459432a2e88487914b54a897c4301c778551

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI56202\_multiprocessing.pyd

Filesize
25KB

MD5
849b4203c5f9092db9022732d8247c97

SHA1
ed7bd0d6dcdcfa07f754b98acf44a7cfe5dcb353

SHA256
45bfbab1d2373cf7a8af19e5887579b8a306b3ad0c4f57e8f666339177f1f807

SHA512
cc618b4fc918b423e5dbdcbc45206653133df16bf2125fd53bafef8f7850d2403564cf80f8a5d4abb4a8928ff1262f80f23c633ea109a18556d1871aff81cd39

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI56202\_overlapped.pyd

Filesize
30KB

MD5
97a40f53a81c39469cc7c8dd00f51b5d

SHA1
6c3916fe42e7977d8a6b53bfbc5a579abcf22a83

SHA256
11879a429c996fee8be891af2bec7d00f966593f1e01ca0a60bd2005feb4176f

SHA512
02af654ab73b6c8bf15a81c0e9071c8faf064c529b1439a2ab476e1026c860cf7d01472945112d4583e5da8e4c57f1df2700331440be80066dbb6a7e89e1c5af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI56202\_queue.pyd

Filesize
24KB

MD5
0614691624f99748ef1d971419bdb80d

SHA1
39c52450ed7e31e935b5b0e49d03330f2057747d

SHA256
ac7972502144e9e01e53001e8eec3fc9ab063564678b784d024da2036ba7384d

SHA512
184bc172c7bb8a1fb55c4c23950cbe5e0b5a3c96c1c555ed8476edf79c5c729ed297112ee01b45d771e5c0055d2dc402b566967d1900b5abf683ee8e668c5b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI56202\_socket.pyd

Filesize
41KB

MD5
04e7eb0b6861495233247ac5bb33a89a

SHA1
c4d43474e0b378a00845cca044f68e224455612a

SHA256
7efe25284a4663df9458603bf0988b0f47c7dcf56119e3e853e6bda80831a383

SHA512
d4ea0484363edf284ac08a1c3356cc3112d410dd80fe5010c1777acf88dbd830e9f668b593e252033d657a3431a79f7b68d09eb071d0c2ceb51632dbe9b8ed97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI56202\_sqlite3.pyd

Filesize
54KB

MD5
d9eeeeacc3a586cf2dbf6df366f6029e

SHA1
4ff9fb2842a13e9371ce7894ec4fe331b6af9219

SHA256
67649e1e8acd348834efb2c927ab6a7599cf76b2c0c0a50b137b3be89c482e29

SHA512
0b9f1d80fb92c796682dba94a75fbce0e4fbeaedccd50e21d42d4b9366463a830109a8cd4300aa62b41910655f8ca96ecc609ea8a1b84236250b6fd08c965830

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI56202\_ssl.pyd

Filesize
60KB

MD5
fd0f4aed22736098dc146936cbf0ad1d

SHA1
e520def83b8efdbca9dd4b384a15880b036ee0cf

SHA256
50404a6a3de89497e9a1a03ff3df65c6028125586dced1a006d2abb9009a9892

SHA512
c8f3c04d87da19041f28e1d474c8eb052fe8c03ffd88f0681ef4a2ffe29755cfd5b9c100a1b1d2fdb233cb0f70e367af500cbd3cd4ce77475f441f2b2aa0ab8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI56202\_uuid.pyd

Filesize
21KB

MD5
3377ae26c2987cfee095dff160f2c86c

SHA1
0ca6aa60618950e6d91a7dea530a65a1cdf16625

SHA256
9534cb9c997a17f0004fb70116e0141bdd516373b37bbd526d91ad080daa3a2b

SHA512
8e408b84e2130ff48b8004154d1bdf6a08109d0b40f9fafb6f55e9f215e418e05dca819f411c802792a9d9936a55d6b90460121583e5568579a0fda6935852ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI56202\base_library.zip

Filesize
1.4MB

MD5
2a138e2ee499d3ba2fc4afaef93b7caa

SHA1
508c733341845e94fce7c24b901fc683108df2a8

SHA256
130e506ead01b91b60d6d56072c468aeb5457dd0f2ecd6ce17dfcbb7d51a1f8c

SHA512
1f61a0fda5676e8ed8d10dfee78267f6d785f9c131f5caf2dd984e18ca9e5866b7658ab7edb2ffd74920a40ffea5cd55c0419f5e9ee57a043105e729e10d820b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI56202\libcrypto-1_1.dll

Filesize
1.1MB

MD5
86cfc84f8407ab1be6cc64a9702882ef

SHA1
86f3c502ed64df2a5e10b085103c2ffc9e3a4130

SHA256
11b89cc5531b2a6b89fbbb406ebe8fb01f0bf789e672131b0354e10f9e091307

SHA512
b33f59497127cb1b4c1781693380576187c562563a9e367ce8abc14c97c51053a28af559cdd8bd66181012083e562c8a8771e3d46adeba269a848153a8e9173c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI56202\libffi-8.dll

Filesize
24KB

MD5
decbba3add4c2246928ab385fb16a21e

SHA1
5f019eff11de3122ffa67a06d52d446a3448b75e

SHA256
4b43c1e42f6050ddb8e184c8ec4fb1de4a6001e068ece8e6ad47de0cc9fd4a2d

SHA512
760a42a3eb3ca13fa7b95d3bd0f411c270594ae3cf1d3cda349fa4f8b06ebe548b60cd438d68e2da37de0bc6f1c711823f5e917da02ed7047a45779ee08d7012

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI56202\libssl-1_1.dll

Filesize
203KB

MD5
6cd33578bc5629930329ca3303f0fae1

SHA1
f2f8e3248a72f98d27f0cfa0010e32175a18487f

SHA256
4150ee603ad2da7a6cb6a895cb5bd928e3a99af7e73c604de1fc224e0809fdb0

SHA512
c236a6ccc8577c85509d378c1ef014621cab6f6f4aa26796ff32d8eec8e98ded2e55d358a7d236594f7a48646dc2a6bf25b42a37aed549440d52873ebca4713e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI56202\multidict\_multidict.cp311-win_amd64.pyd

Filesize
20KB

MD5
5587c32d9bf7f76e1a9565df8b1b649f

SHA1
52ae204a65c15a09ecc73e7031e3ac5c3dcb71b2

SHA256
7075185db068e3c8f1b7db75e5aa5c500fc76ed8270c6abc6f49681d7119a782

SHA512
f21d0530389138457d6fdcdb3487a3c8b030338c569b2742f9e691e43af1d9e779c98426bad81b152f343b324a9375fe1322ef74030b1c8f8ba606d19e562e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI56202\pyexpat.pyd

Filesize
86KB

MD5
fe0e32bfe3764ed5321454e1a01c81ec

SHA1
7690690df0a73bdcc54f0f04b674fc8a9a8f45fb

SHA256
b399bff10812e9ea2c9800f74cb0e5002f9d9379baf1a3cef9d438caca35dc92

SHA512
d1777f9e684a9e4174e18651e6d921ae11757ecdbeb4ee678c6a28e0903a4b9ab9f6e1419670b4d428ee20f86c7d424177ed9daf4365cf2ee376fcd065c1c92d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI56202\python3.DLL

Filesize
64KB

MD5
34e49bb1dfddf6037f0001d9aefe7d61

SHA1
a25a39dca11cdc195c9ecd49e95657a3e4fe3215

SHA256
4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281

SHA512
edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI56202\python311.dll

Filesize
1.6MB

MD5
db09c9bbec6134db1766d369c339a0a1

SHA1
c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b

SHA256
b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79

SHA512
653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI56202\select.pyd

Filesize
24KB

MD5
c39459806c712b3b3242f8376218c1e1

SHA1
85d254fb6cc5d6ed20a04026bff1158c8fd0a530

SHA256
7cbd4339285d145b422afa280cee685258bc659806be9cf8b334805bc45b29c9

SHA512
b727c6d1cd451d658e174161135d3be48d7efda21c775b8145bc527a54d6592bfc50919276c6498d2e2233ac1524c1699f59f0f467cc6e43e5b5e9558c87f49d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI56202\sqlite3.dll

Filesize
608KB

MD5
895f001ae969364432372329caf08b6a

SHA1
4567fc6672501648b277fe83e6b468a7a2155ddf

SHA256
f5dd29e1e99cf8967f7f81487dc624714dcbec79c1630f929d5507fc95cbfad7

SHA512
05b4559d283ea84174da72a6c11b8b93b1586b4e7d8cda8d745c814f8f6dff566e75f9d7890f32bd9dfe43485244973860f83f96ba39296e28127c9396453261

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI56202\unicodedata.pyd

Filesize
293KB

MD5
06a5e52caf03426218f0c08fc02cc6b8

SHA1
ae232c63620546716fbb97452d73948ebfd06b35

SHA256
118c31faa930f2849a14c3133df36420a5832114df90d77b09cde0ad5f96f33a

SHA512
546b1a01f36d3689b0fdeeda8b1ce55e7d3451731ca70fffe6627d542fff19d7a70e27147cab1920aae8bed88272342908d4e9d671d7aba74abb5db398b90718

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI56202\yarl\_quoting_c.cp311-win_amd64.pyd

Filesize
41KB

MD5
1fa0ad3deb7f851a231c1a973b121b93

SHA1
65ae7bb5fec98da8665c70290c40082c8358b688

SHA256
0054d20391ebcd1ed30ef2d5aaa1efbbc5aceb7d8f716c16de0ac0d9d2680121

SHA512
64b6cf9d90daca0fb5e2d0eb91c853edaa2fb90edea064b96032ce968ee46961464772e353bf503e05b05471330c5afc8ffc72273e6ebdb6b1ad22fbce331fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fpiahoi5.jy3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
2df49e8e11448f089e879ae7b4f30577

SHA1
01216d23fce2cf14865e52a9951b4862a3aaef74

SHA256
2750685d210f1f3de4eba397a780568f9c939e2f933039027978298eecaa6a5e

SHA512
300509d02aa0ee67ebe4257eeb752105b79b1d41df996ad1e1e53a0cf156d02b847f277aa12a6f1999e8b3168d9826b595d9eb7eeddec3b7ea684a657546be0c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
f23c33eb347265e0c491cbbaa04d217f

SHA1
afbd9f7fc777632cd7b06025546c5070a18c5e63

SHA256
0aa9cd1d44966c48d3d1d70aeeab51d38800f714cbffaf15f5bbcbb1993d0bed

SHA512
3c0745e3e94161e8c8eecd3d9b2cb75940607ba8c69d6c7cf9611e83113b1349e77dfee1efe698f9bca80918091540dfacd5acdde9b7f1680461e785808be33b

Download Submit
C:\Users\Admin\Downloads\Tools.exe

Filesize
10.9MB

MD5
9ef872cbbbbc5bb4b1ee521ef0203930

SHA1
a0be1aff9a8feec9f847e6d1ef2a1f41eb5c062d

SHA256
41d0d7f4aeb95e0ef2b69f00b443b82f9cfab03dd47ca80cbb61ac8ae9b714ea

SHA512
4e250cd530e00b302082579fca6ae2a2d44058e5a288fc5fe809a040866702da84305060ced7f6fa89210e1e5811391142e4a4fe1917c71d60583378f4446dc1

Download Submit
\??\pipe\LOCAL\crashpad_1208_AECAEQESCLJNHFWO

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5856-571-0x0000023C9B550000-0x0000023C9B572000-memory.dmp

Filesize
136KB

Download
memory/5888-495-0x00007FF974B90000-0x00007FF974BA2000-memory.dmp

Filesize
72KB

Download
memory/5888-478-0x00007FF96A060000-0x00007FF96A082000-memory.dmp

Filesize
136KB

Download
memory/5888-516-0x00007FF96A060000-0x00007FF96A082000-memory.dmp

Filesize
136KB

Download
memory/5888-482-0x00007FF96A320000-0x00007FF96A343000-memory.dmp

Filesize
140KB

Download
memory/5888-483-0x00007FF96A1A0000-0x00007FF96A313000-memory.dmp

Filesize
1.4MB

Download
memory/5888-484-0x00007FF9690B0000-0x00007FF9690C6000-memory.dmp

Filesize
88KB

Download
memory/5888-485-0x00007FF969090000-0x00007FF9690A9000-memory.dmp

Filesize
100KB

Download
memory/5888-447-0x00007FF97D840000-0x00007FF97D84D000-memory.dmp

Filesize
52KB

Download
memory/5888-480-0x00007FF96A990000-0x00007FF96A9BD000-memory.dmp

Filesize
180KB

Download
memory/5888-424-0x00007FF9801A0000-0x00007FF9801AF000-memory.dmp

Filesize
60KB

Download
memory/5888-449-0x00007FF97A790000-0x00007FF97A7A9000-memory.dmp

Filesize
100KB

Download
memory/5888-422-0x00007FF97C140000-0x00007FF97C164000-memory.dmp

Filesize
144KB

Download
memory/5888-520-0x00007FF9690F0000-0x00007FF96920C000-memory.dmp

Filesize
1.1MB

Download
memory/5888-559-0x00007FF9851B0000-0x00007FF9851BD000-memory.dmp

Filesize
52KB

Download
memory/5888-479-0x00007FF9690F0000-0x00007FF96920C000-memory.dmp

Filesize
1.1MB

Download
memory/5888-451-0x00007FF96A990000-0x00007FF96A9BD000-memory.dmp

Filesize
180KB

Download
memory/5888-576-0x00007FF968870000-0x00007FF968FFA000-memory.dmp

Filesize
7.5MB

Download
memory/5888-585-0x00007FF96A1A0000-0x00007FF96A313000-memory.dmp

Filesize
1.4MB

Download
memory/5888-577-0x00007FF969590000-0x00007FF969B78000-memory.dmp

Filesize
5.9MB

Download
memory/5888-598-0x00007FF969040000-0x00007FF96908D000-memory.dmp

Filesize
308KB

Download
memory/5888-590-0x00007FF974B90000-0x00007FF974BA2000-memory.dmp

Filesize
72KB

Download
memory/5888-589-0x00007FF97A770000-0x00007FF97A785000-memory.dmp

Filesize
84KB

Download
memory/5888-578-0x00007FF97C140000-0x00007FF97C164000-memory.dmp

Filesize
144KB

Download
memory/5888-605-0x00007FF968830000-0x00007FF968867000-memory.dmp

Filesize
220KB

Download
memory/5888-597-0x00007FF969090000-0x00007FF9690A9000-memory.dmp

Filesize
100KB

Download
memory/5888-486-0x00007FF969040000-0x00007FF96908D000-memory.dmp

Filesize
308KB

Download
memory/5888-487-0x00007FF969020000-0x00007FF969031000-memory.dmp

Filesize
68KB

Download
memory/5888-488-0x00007FF97C110000-0x00007FF97C11A000-memory.dmp

Filesize
40KB

Download
memory/5888-489-0x00007FF969000000-0x00007FF96901E000-memory.dmp

Filesize
120KB

Download
memory/5888-490-0x00007FF96A170000-0x00007FF96A19E000-memory.dmp

Filesize
184KB

Download
memory/5888-492-0x0000026261440000-0x00000262617B5000-memory.dmp

Filesize
3.5MB

Download
memory/5888-493-0x00007FF969210000-0x00007FF969585000-memory.dmp

Filesize
3.5MB

Download
memory/5888-475-0x00007FF96A090000-0x00007FF96A0A4000-memory.dmp

Filesize
80KB

Download
memory/5888-503-0x00007FF97A770000-0x00007FF97A785000-memory.dmp

Filesize
84KB

Download
memory/5888-496-0x00007FF968830000-0x00007FF968867000-memory.dmp

Filesize
220KB

Download
memory/5888-494-0x00007FF968870000-0x00007FF968FFA000-memory.dmp

Filesize
7.5MB

Download
memory/5888-491-0x00007FF96A0B0000-0x00007FF96A168000-memory.dmp

Filesize
736KB

Download
memory/5888-481-0x00007FF9690D0000-0x00007FF9690EB000-memory.dmp

Filesize
108KB

Download
memory/5888-465-0x00007FF97C140000-0x00007FF97C164000-memory.dmp

Filesize
144KB

Download
memory/5888-461-0x00007FF969590000-0x00007FF969B78000-memory.dmp

Filesize
5.9MB

Download
memory/5888-457-0x00007FF96A170000-0x00007FF96A19E000-memory.dmp

Filesize
184KB

Download
memory/5888-455-0x00007FF96A1A0000-0x00007FF96A313000-memory.dmp

Filesize
1.4MB

Download
memory/5888-453-0x00007FF96A320000-0x00007FF96A343000-memory.dmp

Filesize
140KB

Download
memory/5888-446-0x00007FF97C120000-0x00007FF97C139000-memory.dmp

Filesize
100KB

Download
memory/5888-462-0x00007FF96A0B0000-0x00007FF96A168000-memory.dmp

Filesize
736KB

Download
memory/5888-784-0x00007FF97A770000-0x00007FF97A785000-memory.dmp

Filesize
84KB

Download
memory/5888-793-0x00007FF969040000-0x00007FF96908D000-memory.dmp

Filesize
308KB

Download
memory/5888-792-0x00007FF969090000-0x00007FF9690A9000-memory.dmp

Filesize
100KB

Download
memory/5888-772-0x00007FF969590000-0x00007FF969B78000-memory.dmp

Filesize
5.9MB

Download
memory/5888-781-0x00007FF96A170000-0x00007FF96A19E000-memory.dmp

Filesize
184KB

Download
memory/5888-463-0x0000026261440000-0x00000262617B5000-memory.dmp

Filesize
3.5MB

Download
memory/5888-825-0x00007FF969590000-0x00007FF969B78000-memory.dmp

Filesize
5.9MB

Download
memory/5888-857-0x00007FF97D840000-0x00007FF97D84D000-memory.dmp

Filesize
52KB

Download
memory/5888-863-0x00007FF9690F0000-0x00007FF96920C000-memory.dmp

Filesize
1.1MB

Download
memory/5888-876-0x00007FF969210000-0x00007FF969585000-memory.dmp

Filesize
3.5MB

Download
memory/5888-875-0x00007FF97C110000-0x00007FF97C11A000-memory.dmp

Filesize
40KB

Download
memory/5888-874-0x00007FF969020000-0x00007FF969031000-memory.dmp

Filesize
68KB

Download
memory/5888-873-0x00007FF969040000-0x00007FF96908D000-memory.dmp

Filesize
308KB

Download
memory/5888-872-0x00007FF969090000-0x00007FF9690A9000-memory.dmp

Filesize
100KB

Download
memory/5888-871-0x00007FF9690B0000-0x00007FF9690C6000-memory.dmp

Filesize
88KB

Download
memory/5888-870-0x00007FF9690D0000-0x00007FF9690EB000-memory.dmp

Filesize
108KB

Download
memory/5888-869-0x00007FF96A0B0000-0x00007FF96A168000-memory.dmp

Filesize
736KB

Download
memory/5888-868-0x00007FF96A1A0000-0x00007FF96A313000-memory.dmp

Filesize
1.4MB

Download
memory/5888-867-0x00007FF974B90000-0x00007FF974BA2000-memory.dmp

Filesize
72KB

Download
memory/5888-866-0x00007FF96A090000-0x00007FF96A0A4000-memory.dmp

Filesize
80KB

Download
memory/5888-865-0x00007FF96A970000-0x00007FF96A984000-memory.dmp

Filesize
80KB

Download
memory/5888-864-0x00007FF97A770000-0x00007FF97A785000-memory.dmp

Filesize
84KB

Download
memory/5888-862-0x00007FF96A170000-0x00007FF96A19E000-memory.dmp

Filesize
184KB

Download
memory/5888-861-0x00007FF96A060000-0x00007FF96A082000-memory.dmp

Filesize
136KB

Download
memory/5888-860-0x00007FF96A320000-0x00007FF96A343000-memory.dmp

Filesize
140KB

Download
memory/5888-859-0x00007FF96A990000-0x00007FF96A9BD000-memory.dmp

Filesize
180KB

Download
memory/5888-858-0x00007FF97A790000-0x00007FF97A7A9000-memory.dmp

Filesize
100KB

Download
memory/5888-856-0x00007FF97C120000-0x00007FF97C139000-memory.dmp

Filesize
100KB

Download
memory/5888-464-0x00007FF969210000-0x00007FF969585000-memory.dmp

Filesize
3.5MB

Download
memory/5888-889-0x00007FF9851B0000-0x00007FF9851BD000-memory.dmp

Filesize
52KB

Download
memory/5888-888-0x00007FF968830000-0x00007FF968867000-memory.dmp

Filesize
220KB

Download
memory/5888-887-0x00007FF968870000-0x00007FF968FFA000-memory.dmp

Filesize
7.5MB

Download
memory/5888-414-0x00007FF969590000-0x00007FF969B78000-memory.dmp

Filesize
5.9MB

Download
memory/5888-855-0x00007FF9801A0000-0x00007FF9801AF000-memory.dmp

Filesize
60KB

Download
memory/5888-854-0x00007FF97C140000-0x00007FF97C164000-memory.dmp

Filesize
144KB

Download
memory/5888-853-0x00007FF969000000-0x00007FF96901E000-memory.dmp

Filesize
120KB

Download
memory/5888-477-0x00007FF96A970000-0x00007FF96A984000-memory.dmp

Filesize
80KB

Download
memory/5888-468-0x00007FF9801A0000-0x00007FF9801AF000-memory.dmp

Filesize
60KB

Download
memory/5888-469-0x00007FF97A770000-0x00007FF97A785000-memory.dmp

Filesize
84KB

Download
memory/5888-476-0x00007FF97C120000-0x00007FF97C139000-memory.dmp

Filesize
100KB

Download
memory/5888-474-0x00007FF974B90000-0x00007FF974BA2000-memory.dmp

Filesize
72KB

Download