exelastealer | 13aeace4f0c58a6d847d2d1f2453af9c7b21f385d20b81d8f5b59fc4422de5a2

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2025 04:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

crack.exe
Size

25.6MB
MD5

5b4d546657c9621ddb73d0211673b8a3
SHA1

98cdd61918e58e8aef7d7c9f39b063a7e8edba57
SHA256

13aeace4f0c58a6d847d2d1f2453af9c7b21f385d20b81d8f5b59fc4422de5a2
SHA512

ddd25072b68d5722d50dd4e3f902b43d140fbeb25811b265ce0bf17e0f8d069aa3cd309d642fdefdeceef21501980bffea6f6f76b943c47f89ab59537c4497cf
SSDEEP

786432:IlprwYaj31AxBb6wPUj4Vu6a3zy5bxxEhcMzMw5FpsD:eprwYaA5UjMAyxchcm5UD

Score

10^/10

exelastealer xworm collection defense_evasion discovery execution persistence privilege_escalation pyinstaller rat spyware stealer trojan upx

Malware Config

Extracted

Family

xworm

success-evans.gl.at.ply.gg:27566

Attributes

Install_directory
%Userprofile%
install_file
System.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023ca0-25.dat	family_xworm
behavioral1/memory/396-30-0x0000000000770000-0x0000000000788000-memory.dmp	family_xworm

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3200	powershell.exe
4240	powershell.exe
3592	powershell.exe
4004	powershell.exe

Downloads MZ/PE file
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 2 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2168	netsh.exe
3552	netsh.exe

Checks computer location settings 2 TTPs 7 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	crack.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	XClient.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Nursultan.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	msedgewebview2.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	msedgewebview2.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2856	cmd.exe
4124	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	XClient.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk	XClient.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 29 IoCs

pid	Process
2380	Client.exe
396	XClient.exe
4860	Exela.exe
1232	Exela.exe
1896	Nursultan.exe
920	MicrosoftEdgeWebview2Setup.exe
4516	MicrosoftEdgeUpdate.exe
4576	MicrosoftEdgeUpdate.exe
3132	MicrosoftEdgeUpdate.exe
2092	MicrosoftEdgeUpdateComRegisterShell64.exe
2564	MicrosoftEdgeUpdateComRegisterShell64.exe
2804	MicrosoftEdgeUpdateComRegisterShell64.exe
1684	MicrosoftEdgeUpdate.exe
4088	MicrosoftEdgeUpdate.exe
2524	MicrosoftEdgeUpdate.exe
4488	MicrosoftEdgeUpdate.exe
3444	System.exe
3940	MicrosoftEdge_X64_132.0.2957.115.exe
1660	setup.exe
712	setup.exe
5072	System.exe
4980	MicrosoftEdgeUpdate.exe
3660	msedgewebview2.exe
3312	msedgewebview2.exe
832	msedgewebview2.exe
4740	msedgewebview2.exe
2564	msedgewebview2.exe
2884	msedgewebview2.exe
5452	System.exe

Loads dropped DLL 64 IoCs

pid	Process
1232	Exela.exe
1232	Exela.exe
1232	Exela.exe
1232	Exela.exe
1232	Exela.exe
1232	Exela.exe
1232	Exela.exe
1232	Exela.exe
1232	Exela.exe
1232	Exela.exe
1232	Exela.exe
1232	Exela.exe
1232	Exela.exe
1232	Exela.exe
1232	Exela.exe
1232	Exela.exe
1232	Exela.exe
1232	Exela.exe
1232	Exela.exe
1232	Exela.exe
1232	Exela.exe
1232	Exela.exe
1232	Exela.exe
1232	Exela.exe
1232	Exela.exe
1232	Exela.exe
1232	Exela.exe
1232	Exela.exe
1232	Exela.exe
1232	Exela.exe
1232	Exela.exe
4516	MicrosoftEdgeUpdate.exe
4576	MicrosoftEdgeUpdate.exe
3132	MicrosoftEdgeUpdate.exe
2092	MicrosoftEdgeUpdateComRegisterShell64.exe
3132	MicrosoftEdgeUpdate.exe
2564	MicrosoftEdgeUpdateComRegisterShell64.exe
3132	MicrosoftEdgeUpdate.exe
2804	MicrosoftEdgeUpdateComRegisterShell64.exe
3132	MicrosoftEdgeUpdate.exe
1684	MicrosoftEdgeUpdate.exe
4088	MicrosoftEdgeUpdate.exe
2524	MicrosoftEdgeUpdate.exe
2524	MicrosoftEdgeUpdate.exe
4088	MicrosoftEdgeUpdate.exe
4488	MicrosoftEdgeUpdate.exe
1492	Process not Found
2068	WMIC.exe
2552	Process not Found
3060	WMIC.exe
2744	Process not Found
4632	mousocoreworker.exe
3940	MicrosoftEdge_X64_132.0.2957.115.exe
1660	setup.exe
4800	Process not Found
712	setup.exe
5072	System.exe
4980	MicrosoftEdgeUpdate.exe
1896	Nursultan.exe
3660	msedgewebview2.exe
3660	msedgewebview2.exe
3312	msedgewebview2.exe
3312	msedgewebview2.exe
3660	msedgewebview2.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "C:\\Users\\Admin\\System.exe"	XClient.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Nursultan.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	Nursultan.exe
File opened (read-only)	\??\F:	Nursultan.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
90	discord.com
49	discord.com
50	discord.com
54	discord.com
83	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
20	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
3872	cmd.exe
4464	ARP.EXE

Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

Checks system information in the registry 2 TTPs 12 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	msedgewebview2.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
4208	tasklist.exe
756	tasklist.exe
2492	tasklist.exe
1276	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1160	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1896	Nursultan.exe
1896	Nursultan.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023cd9-91.dat	upx
behavioral1/memory/1232-96-0x00007FFFBDDE0000-0x00007FFFBE3C8000-memory.dmp	upx
behavioral1/files/0x0007000000023cd1-109.dat	upx
behavioral1/files/0x0007000000023cae-131.dat	upx
behavioral1/memory/1232-137-0x00007FFFD1470000-0x00007FFFD1489000-memory.dmp	upx
behavioral1/files/0x0007000000023cdb-143.dat	upx
behavioral1/files/0x0007000000023cd2-149.dat	upx
behavioral1/files/0x0007000000023cac-156.dat	upx
behavioral1/files/0x0007000000023cdc-167.dat	upx
behavioral1/memory/1232-172-0x00007FFFCE160000-0x00007FFFCE17B000-memory.dmp	upx
behavioral1/memory/1232-181-0x00007FFFC84D0000-0x00007FFFC851D000-memory.dmp	upx
behavioral1/memory/1232-186-0x00007FFFD0700000-0x00007FFFD0715000-memory.dmp	upx
behavioral1/memory/1232-187-0x00007FFFBCEF0000-0x00007FFFBD6EB000-memory.dmp	upx
behavioral1/memory/1232-185-0x00007FFFD7D70000-0x00007FFFD7D7A000-memory.dmp	upx
behavioral1/memory/1232-188-0x00007FFFC3210000-0x00007FFFC3247000-memory.dmp	upx
behavioral1/memory/1232-184-0x00007FFFCD680000-0x00007FFFCD69E000-memory.dmp	upx
behavioral1/memory/1232-183-0x00007FFFCC030000-0x00007FFFCC062000-memory.dmp	upx
behavioral1/memory/1232-182-0x00007FFFBD6F0000-0x00007FFFBDA65000-memory.dmp	upx
behavioral1/memory/1232-180-0x00007FFFCEA00000-0x00007FFFCEA2E000-memory.dmp	upx
behavioral1/memory/1232-179-0x00007FFFCDC00000-0x00007FFFCDC11000-memory.dmp	upx
behavioral1/memory/1232-178-0x00007FFFCDC20000-0x00007FFFCDC39000-memory.dmp	upx
behavioral1/files/0x0007000000023cb6-177.dat	upx
behavioral1/files/0x0007000000023cb3-176.dat	upx
behavioral1/files/0x0007000000023cb4-174.dat	upx
behavioral1/memory/1232-171-0x00007FFFD1230000-0x00007FFFD1253000-memory.dmp	upx
behavioral1/files/0x0007000000023cd6-170.dat	upx
behavioral1/memory/1232-169-0x00007FFFC2BA0000-0x00007FFFC2CBC000-memory.dmp	upx
behavioral1/memory/1232-166-0x00007FFFCDDC0000-0x00007FFFCDDE2000-memory.dmp	upx
behavioral1/files/0x0007000000023cde-165.dat	upx
behavioral1/memory/1232-164-0x00007FFFCE910000-0x00007FFFCE924000-memory.dmp	upx
behavioral1/memory/1232-163-0x00007FFFD1FC0000-0x00007FFFD1FD9000-memory.dmp	upx
behavioral1/files/0x0007000000023ca9-161.dat	upx
behavioral1/memory/1232-160-0x00007FFFCECA0000-0x00007FFFCECB4000-memory.dmp	upx
behavioral1/files/0x0007000000023cd4-159.dat	upx
behavioral1/memory/1232-158-0x00007FFFCF2D0000-0x00007FFFCF2E2000-memory.dmp	upx
behavioral1/memory/1232-155-0x00007FFFD0700000-0x00007FFFD0715000-memory.dmp	upx
behavioral1/files/0x0007000000023ca4-154.dat	upx
behavioral1/memory/1232-153-0x00007FFFBDDE0000-0x00007FFFBE3C8000-memory.dmp	upx
behavioral1/memory/1232-152-0x00007FFFC2EE0000-0x00007FFFC2F98000-memory.dmp	upx
behavioral1/memory/1232-151-0x00007FFFBD6F0000-0x00007FFFBDA65000-memory.dmp	upx
behavioral1/memory/1232-148-0x00007FFFCEA00000-0x00007FFFCEA2E000-memory.dmp	upx
behavioral1/files/0x0007000000023cd0-147.dat	upx
behavioral1/memory/1232-146-0x00007FFFBDA70000-0x00007FFFBDBE3000-memory.dmp	upx
behavioral1/files/0x0007000000023cb0-144.dat	upx
behavioral1/memory/1232-142-0x00007FFFD1230000-0x00007FFFD1253000-memory.dmp	upx
behavioral1/files/0x0007000000023caf-141.dat	upx
behavioral1/memory/1232-140-0x00007FFFD1440000-0x00007FFFD146D000-memory.dmp	upx
behavioral1/files/0x0007000000023caa-139.dat	upx
behavioral1/memory/1232-136-0x00007FFFD2190000-0x00007FFFD219D000-memory.dmp	upx
behavioral1/memory/1232-135-0x00007FFFD1FC0000-0x00007FFFD1FD9000-memory.dmp	upx
behavioral1/files/0x0007000000023ca5-134.dat	upx
behavioral1/files/0x0007000000023cda-132.dat	upx
behavioral1/memory/1232-130-0x00007FFFD24C0000-0x00007FFFD24CF000-memory.dmp	upx
behavioral1/memory/1232-129-0x00007FFFD1A10000-0x00007FFFD1A34000-memory.dmp	upx
behavioral1/files/0x0007000000023cb1-128.dat	upx
behavioral1/files/0x0007000000023cad-124.dat	upx
behavioral1/files/0x0007000000023cab-122.dat	upx
behavioral1/files/0x0007000000023ca8-119.dat	upx
behavioral1/files/0x0007000000023ca6-118.dat	upx
behavioral1/files/0x0007000000023cd7-112.dat	upx
behavioral1/files/0x0007000000023ca7-107.dat	upx
behavioral1/memory/1232-191-0x00007FFFCDDC0000-0x00007FFFCDDE2000-memory.dmp	upx
behavioral1/memory/1232-217-0x00007FFFCE160000-0x00007FFFCE17B000-memory.dmp	upx
behavioral1/memory/1232-300-0x00007FFFBCEF0000-0x00007FFFBD6EB000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\MEIPreload\preloaded_data.pb	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\Trust Protection Lists\Sigma\Advertising	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\Trust Protection Lists\Mu\Fingerprinting	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE975.tmp\msedgeupdateres_mi.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\wdag.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\VisualElements\SmallLogoDev.png	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Trust Protection Lists\Mu\Social	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Locales\ne.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\VisualElements\LogoCanary.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\Trust Protection Lists\Mu\LICENSE	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\Locales\el.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE975.tmp\MicrosoftEdgeComRegisterShellARM64.exe	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Locales\cs.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Locales\sr-Cyrl-BA.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\AdSelectionAttestationsPreloaded\manifest.json	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE975.tmp\msedgeupdateres_mt.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Trust Protection Lists\Sigma\Content	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\Locales\gl.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\msedge_pwa_launcher.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\pwahelper.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\Locales\ca.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE975.tmp\msedgeupdateres_fi.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE975.tmp\msedgeupdateres_ga.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\VisualElements\Logo.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\VisualElements\SmallLogo.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Locales\de.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Locales\sk.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\Locales\ga.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\Locales\hr.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE975.tmp\msedgeupdateres_it.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Locales\it.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Locales\mt.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\edge_game_assist\EdgeGameAssist.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE975.tmp\psuser_64.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\EBWebView\x64\EmbeddedBrowserWebView.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Locales\bn-IN.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\msedge_200_percent.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Trust Protection Lists\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\identity_proxy\stable.identity_helper.exe.manifest	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\identity_proxy\win10\identity_helper.Sparse.Beta.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE975.tmp\msedgeupdateres_nb.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Locales\hi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\EdgeWebView.dat	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\VisualElements\LogoCanary.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Locales\bs.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\Locales\sr-Cyrl-BA.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\Locales\ur.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE975.tmp\msedgeupdateres_ca-Es-VALENCIA.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\identity_proxy\win10\identity_helper.Sparse.Canary.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\msvcp140_codecvt_ids.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\Locales\cy.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Locales\ga.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\WidevineCdm\_platform_specific\win_x64\widevinecdm.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\msvcp140.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Locales\mk.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Locales\lb.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\mip_protection_sdk.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Trust Protection Lists\Mu\LICENSE	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\msedge_proxy.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Locales\pt-PT.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\identity_proxy\win11\identity_helper.Sparse.Internal.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\Locales\eu.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\Locales\ml.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUE975.tmp\msedgeupdateres_ro.dll	MicrosoftEdgeWebview2Setup.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\cmd.exe	Client.exe
File opened for modification	C:\Windows\cmd.exe	Client.exe
File created	C:\Windows\xdwd.dll	Client.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3096	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0007000000023ca1-32.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeWebview2Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 3 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1684	MicrosoftEdgeUpdate.exe
4488	MicrosoftEdgeUpdate.exe
4980	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4144	cmd.exe
388	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
2564	NETSTAT.EXE

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
2576	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedgewebview2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedgewebview2.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3468	ipconfig.exe
2564	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4936	systeminfo.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedgewebview2.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133820818113879871"	msedgewebview2.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\NumMethods\ = "12"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\APPID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ = "IAppVersion"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\NumMethods\ = "11"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\NumMethods\ = "11"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CredentialDialogMachine\ = "Microsoft Edge Update CredentialDialog"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\LocalService = "edgeupdatem"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}\ = "IApp2"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ = "IProcessLauncher"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\APPID\{A6B716CB-028B-404D-B72C-50E153DD68DA}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\NumMethods\ = "41"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B5977F34-9264-4AC3-9B31-1224827FF6E8}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.195.43\\MicrosoftEdgeUpdateBroker.exe\""	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{79E0C401-B7BC-4DE5-8104-71350F3A9B67}\ = "IGoogleUpdate"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ = "IJobObserver"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\NumMethods\ = "8"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5135E58-384F-4244-9A5F-30FA9259413C}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\VersionIndependentProgID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E55B90F1-DA33-400B-B09E-3AFF7D46BD83}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassSvc\CurVer\ = "MicrosoftEdgeUpdate.OnDemandCOMClassSvc.1.0"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachine\CurVer\ = "MicrosoftEdgeUpdate.OnDemandCOMClassMachine.1.0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{492E1C30-A1A2-4695-87C8-7A8CAD6F936F}\ProgID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.OnDemandCOMClassMachineFallback\CurVer\ = "MicrosoftEdgeUpdate.OnDemandCOMClassMachineFallback.1.0"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\NumMethods	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\NumMethods	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ = "IJobObserver2"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\ = "IPolicyStatus"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3COMClassService.1.0\CLSID\ = "{CECDDD22-2E72-4832-9606-A9B0E5E344B2}"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods\ = "8"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DDD4B5D4-FD54-497C-8789-0830F29A60EE}\NumMethods\ = "10"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\INPROCSERVER32	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3805CA06-AC83-4F00-8A02-271DCD89BDEB}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{177CAE89-4AD6-42F4-A458-00EC3389E3FE}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C20433B3-0D4B-49F6-9B6C-6EE0FAE07837}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\PROGID	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{60355531-5BFD-45AB-942C-7912628752C7}\ProxyStubClsid32\ = "{A0B482A5-71D4-4395-857C-1F3B57FB8809}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\NumMethods\ = "11"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ = "IJobObserver2"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.ProcessLauncher.1.0\ = "Microsoft Edge Update Process Launcher Class"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4EE1FC-0A81-4F56-B0E2-248FB78051AF}\NumMethods\ = "23"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}	MicrosoftEdgeUpdate.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2916	schtasks.exe
2864	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1896	Nursultan.exe
1896	Nursultan.exe
4004	powershell.exe
4004	powershell.exe
3200	powershell.exe
3200	powershell.exe
4240	powershell.exe
4240	powershell.exe
4240	powershell.exe
4124	powershell.exe
4124	powershell.exe
4124	powershell.exe
3592	powershell.exe
3592	powershell.exe
3592	powershell.exe
4516	MicrosoftEdgeUpdate.exe
4516	MicrosoftEdgeUpdate.exe
396	XClient.exe
396	XClient.exe
2380	Client.exe
2380	Client.exe
2068	WMIC.exe
2068	WMIC.exe
2380	Client.exe
2380	Client.exe
3060	WMIC.exe
3060	WMIC.exe
2380	Client.exe
2380	Client.exe
2380	Client.exe
2380	Client.exe
2380	Client.exe
2380	Client.exe
2380	Client.exe
2380	Client.exe
2380	Client.exe
2380	Client.exe
2380	Client.exe
2380	Client.exe
2380	Client.exe
2380	Client.exe
2380	Client.exe
2380	Client.exe
2380	Client.exe
2380	Client.exe
2380	Client.exe
2380	Client.exe
2380	Client.exe
2380	Client.exe
2380	Client.exe
2380	Client.exe
2380	Client.exe
2380	Client.exe
2380	Client.exe
2380	Client.exe
2380	Client.exe
2380	Client.exe
2380	Client.exe
2380	Client.exe
2380	Client.exe
2380	Client.exe
2380	Client.exe
2380	Client.exe
2380	Client.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 1 IoCs

pid	Process
3660	msedgewebview2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2380	Client.exe
Token: SeDebugPrivilege	396	XClient.exe
Token: SeIncreaseQuotaPrivilege	2508	WMIC.exe
Token: SeSecurityPrivilege	2508	WMIC.exe
Token: SeTakeOwnershipPrivilege	2508	WMIC.exe
Token: SeLoadDriverPrivilege	2508	WMIC.exe
Token: SeSystemProfilePrivilege	2508	WMIC.exe
Token: SeSystemtimePrivilege	2508	WMIC.exe
Token: SeProfSingleProcessPrivilege	2508	WMIC.exe
Token: SeIncBasePriorityPrivilege	2508	WMIC.exe
Token: SeCreatePagefilePrivilege	2508	WMIC.exe
Token: SeBackupPrivilege	2508	WMIC.exe
Token: SeRestorePrivilege	2508	WMIC.exe
Token: SeShutdownPrivilege	2508	WMIC.exe
Token: SeDebugPrivilege	2508	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2508	WMIC.exe
Token: SeRemoteShutdownPrivilege	2508	WMIC.exe
Token: SeUndockPrivilege	2508	WMIC.exe
Token: SeManageVolumePrivilege	2508	WMIC.exe
Token: 33	2508	WMIC.exe
Token: 34	2508	WMIC.exe
Token: 35	2508	WMIC.exe
Token: 36	2508	WMIC.exe
Token: SeDebugPrivilege	1276	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2508	WMIC.exe
Token: SeSecurityPrivilege	2508	WMIC.exe
Token: SeTakeOwnershipPrivilege	2508	WMIC.exe
Token: SeLoadDriverPrivilege	2508	WMIC.exe
Token: SeSystemProfilePrivilege	2508	WMIC.exe
Token: SeSystemtimePrivilege	2508	WMIC.exe
Token: SeProfSingleProcessPrivilege	2508	WMIC.exe
Token: SeIncBasePriorityPrivilege	2508	WMIC.exe
Token: SeCreatePagefilePrivilege	2508	WMIC.exe
Token: SeBackupPrivilege	2508	WMIC.exe
Token: SeRestorePrivilege	2508	WMIC.exe
Token: SeShutdownPrivilege	2508	WMIC.exe
Token: SeDebugPrivilege	2508	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2508	WMIC.exe
Token: SeRemoteShutdownPrivilege	2508	WMIC.exe
Token: SeUndockPrivilege	2508	WMIC.exe
Token: SeManageVolumePrivilege	2508	WMIC.exe
Token: 33	2508	WMIC.exe
Token: 34	2508	WMIC.exe
Token: 35	2508	WMIC.exe
Token: 36	2508	WMIC.exe
Token: SeDebugPrivilege	4004	powershell.exe
Token: SeDebugPrivilege	4208	tasklist.exe
Token: SeDebugPrivilege	3200	powershell.exe
Token: SeDebugPrivilege	4240	powershell.exe
Token: SeDebugPrivilege	756	tasklist.exe
Token: SeDebugPrivilege	4124	powershell.exe
Token: SeDebugPrivilege	3592	powershell.exe
Token: SeDebugPrivilege	4516	MicrosoftEdgeUpdate.exe
Token: SeDebugPrivilege	396	XClient.exe
Token: SeIncreaseQuotaPrivilege	2576	WMIC.exe
Token: SeSecurityPrivilege	2576	WMIC.exe
Token: SeTakeOwnershipPrivilege	2576	WMIC.exe
Token: SeLoadDriverPrivilege	2576	WMIC.exe
Token: SeSystemProfilePrivilege	2576	WMIC.exe
Token: SeSystemtimePrivilege	2576	WMIC.exe
Token: SeProfSingleProcessPrivilege	2576	WMIC.exe
Token: SeIncBasePriorityPrivilege	2576	WMIC.exe
Token: SeCreatePagefilePrivilege	2576	WMIC.exe
Token: SeBackupPrivilege	2576	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
396	XClient.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5084 wrote to memory of 2380	5084	crack.exe	84
PID 5084 wrote to memory of 2380	5084	crack.exe	84
PID 5084 wrote to memory of 396	5084	crack.exe	85
PID 5084 wrote to memory of 396	5084	crack.exe	85
PID 5084 wrote to memory of 4860	5084	crack.exe	86
PID 5084 wrote to memory of 4860	5084	crack.exe	86
PID 4860 wrote to memory of 1232	4860	Exela.exe	88
PID 4860 wrote to memory of 1232	4860	Exela.exe	88
PID 5084 wrote to memory of 1896	5084	crack.exe	89
PID 5084 wrote to memory of 1896	5084	crack.exe	89
PID 1232 wrote to memory of 2272	1232	Exela.exe	90
PID 1232 wrote to memory of 2272	1232	Exela.exe	90
PID 1232 wrote to memory of 4324	1232	Exela.exe	92
PID 1232 wrote to memory of 4324	1232	Exela.exe	92
PID 1232 wrote to memory of 2232	1232	Exela.exe	93
PID 1232 wrote to memory of 2232	1232	Exela.exe	93
PID 4324 wrote to memory of 2508	4324	cmd.exe	96
PID 4324 wrote to memory of 2508	4324	cmd.exe	96
PID 2232 wrote to memory of 1276	2232	cmd.exe	97
PID 2232 wrote to memory of 1276	2232	cmd.exe	97
PID 396 wrote to memory of 4004	396	XClient.exe	99
PID 396 wrote to memory of 4004	396	XClient.exe	99
PID 1232 wrote to memory of 1160	1232	Exela.exe	100
PID 1232 wrote to memory of 1160	1232	Exela.exe	100
PID 1160 wrote to memory of 2560	1160	cmd.exe	103
PID 1160 wrote to memory of 2560	1160	cmd.exe	103
PID 1232 wrote to memory of 4340	1232	Exela.exe	104
PID 1232 wrote to memory of 4340	1232	Exela.exe	104
PID 4340 wrote to memory of 4208	4340	cmd.exe	108
PID 4340 wrote to memory of 4208	4340	cmd.exe	108
PID 396 wrote to memory of 3200	396	XClient.exe	109
PID 396 wrote to memory of 3200	396	XClient.exe	109
PID 1232 wrote to memory of 3664	1232	Exela.exe	184
PID 1232 wrote to memory of 3664	1232	Exela.exe	184
PID 1232 wrote to memory of 5080	1232	Exela.exe	112
PID 1232 wrote to memory of 5080	1232	Exela.exe	112
PID 1232 wrote to memory of 4800	1232	Exela.exe	114
PID 1232 wrote to memory of 4800	1232	Exela.exe	114
PID 1232 wrote to memory of 2856	1232	Exela.exe	116
PID 1232 wrote to memory of 2856	1232	Exela.exe	116
PID 1896 wrote to memory of 920	1896	Nursultan.exe	115
PID 1896 wrote to memory of 920	1896	Nursultan.exe	115
PID 1896 wrote to memory of 920	1896	Nursultan.exe	115
PID 396 wrote to memory of 4240	396	XClient.exe	121
PID 396 wrote to memory of 4240	396	XClient.exe	121
PID 4800 wrote to memory of 756	4800	cmd.exe	123
PID 4800 wrote to memory of 756	4800	cmd.exe	123
PID 5080 wrote to memory of 1068	5080	cmd.exe	124
PID 5080 wrote to memory of 1068	5080	cmd.exe	124
PID 3664 wrote to memory of 764	3664	cmd.exe	125
PID 3664 wrote to memory of 764	3664	cmd.exe	125
PID 2856 wrote to memory of 4124	2856	cmd.exe	126
PID 2856 wrote to memory of 4124	2856	cmd.exe	126
PID 764 wrote to memory of 2464	764	cmd.exe	127
PID 764 wrote to memory of 2464	764	cmd.exe	127
PID 1068 wrote to memory of 5000	1068	cmd.exe	128
PID 1068 wrote to memory of 5000	1068	cmd.exe	128
PID 1232 wrote to memory of 4144	1232	Exela.exe	129
PID 1232 wrote to memory of 4144	1232	Exela.exe	129
PID 1232 wrote to memory of 3872	1232	Exela.exe	131
PID 1232 wrote to memory of 3872	1232	Exela.exe	131
PID 4144 wrote to memory of 388	4144	cmd.exe	134
PID 4144 wrote to memory of 388	4144	cmd.exe	134
PID 3872 wrote to memory of 4936	3872	cmd.exe	133

System policy modification 1 TTPs 1 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	msedgewebview2.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2560	attrib.exe

C:\Users\Admin\AppData\Local\Temp\crack.exe
"C:\Users\Admin\AppData\Local\Temp\crack.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5084
- C:\Users\Admin\AppData\Local\Temp\Client.exe
  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2380
- - C:\Windows\SYSTEM32\CMD.exe
    "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "cheat" /tr "C:\Windows\cmd.exe" & exit
    3⤵
    PID:4816
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3664
  - - C:\Windows\system32\schtasks.exe
      SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "cheat" /tr "C:\Windows\cmd.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2864
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:396
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3200
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\System.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4240
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3592
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System" /tr "C:\Users\Admin\System.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2916
- C:\Users\Admin\AppData\Local\Temp\Exela.exe
  "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4860
- - C:\Users\Admin\AppData\Local\Temp\Exela.exe
    "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1232
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:2272
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4324
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2232
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1276
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
      4⤵
      Hide Artifacts: Hidden Files and Directories
      Suspicious use of WriteProcessMemory
      PID:1160
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
        5⤵
        Views/modifies file attributes
        
        PID:2560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4340
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4208
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3664
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:764
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:2464
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5080
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1068
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:5000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4800
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
      4⤵
      Clipboard Data
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        5⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4124
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      Suspicious use of WriteProcessMemory
      PID:4144
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:388
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
      4⤵
      Network Service Discovery
      Suspicious use of WriteProcessMemory
      PID:3872
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:4936
    - - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        5⤵
        
        PID:1456
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        5⤵
        Collects information from the system
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
    - - C:\Windows\system32\net.exe
        
        net user
        5⤵
        
        PID:2868
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        6⤵
        
        PID:3996
    - - C:\Windows\system32\query.exe
        
        query user
        5⤵
        
        PID:2460
      - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        6⤵
        
        PID:1328
    - - C:\Windows\system32\net.exe
        
        net localgroup
        5⤵
        
        PID:2068
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        6⤵
        
        PID:4880
    - - C:\Windows\system32\net.exe
        
        net localgroup administrators
        5⤵
        
        PID:1520
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        6⤵
        
        PID:4328
    - - C:\Windows\system32\net.exe
        
        net user guest
        5⤵
        
        PID:1276
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        6⤵
        
        PID:4736
    - - C:\Windows\system32\net.exe
        
        net user administrator
        5⤵
        
        PID:1308
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        6⤵
        
        PID:3704
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        5⤵
        
        PID:3332
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        5⤵
        Enumerates processes with tasklist
        
        PID:2492
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:3468
    - - C:\Windows\system32\ROUTE.EXE
        
        route print
        5⤵
        
        PID:4632
    - - C:\Windows\system32\ARP.EXE
        
        arp -a
        5⤵
        Network Service Discovery
        
        PID:4464
    - - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        5⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:2564
    - - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        5⤵
        Launches sc.exe
        
        PID:3096
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3552
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2168
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:2488
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:2068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:4540
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        Loads dropped DLL
        Suspicious behavior: EnumeratesProcesses
        
        PID:3060
- C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
  "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Enumerates connected drives
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe" /install
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:920
  - - C:\Program Files (x86)\Microsoft\Temp\EUE975.tmp\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\Temp\EUE975.tmp\MicrosoftEdgeUpdate.exe" /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers"
      4⤵
      Event Triggered Execution: Image File Execution Options Injection
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      Checks system information in the registry
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4516
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4576
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3132
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2092
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2564
      - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.195.43\MicrosoftEdgeUpdateComRegisterShell64.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies registry class
        
        PID:2804
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MTRDMkIwN0EtOUI4Qi00M0U5LThFRTAtMjYyRjEwRDMxOTE1fSIgdXNlcmlkPSJ7MkQ3NDcxMDctMUVGNC00RjFGLTlDNDItRjMxMzE3QzEwNDhDfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9IntGNTZFQ0M2Qy0yQkVELTRDNEItOUEzMC1GQ0UxQjQzM0E5NDV9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iIi8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xNDcuMzciIG5leHR2ZXJzaW9uPSIxLjMuMTk1LjQzIiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0OTkzMTcwNDMyIiBpbnN0YWxsX3RpbWVfbXM9IjU5NCIvPjwvYXBwPjwvcmVxdWVzdD4
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks system information in the registry
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1684
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=prefers" /installsource otherinstallcmd /sessionid "{14C2B07A-9B8B-43E9-8EE0-262F10D31915}"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:4088
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=Nursultan.exe --user-data-dir="C:\Users\Admin\AppData\LocalLow\NTFLoader\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=2 --mojo-named-platform-channel-pipe=1896.3192.17450491582083029480
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks system information in the registry
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - System policy modification
    PID:3660
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\LocalLow\NTFLoader\EBWebView /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\LocalLow\NTFLoader\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.84 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=132.0.2957.115 --initial-client-data=0x15c,0x160,0x164,0x138,0x16c,0x7fffbe59b078,0x7fffbe59b084,0x7fffbe59b090
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3312
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe" --type=gpu-process --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\LocalLow\NTFLoader\EBWebView" --webview-exe-name=Nursultan.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=1780,i,11406149136645384909,13892987901180863630,262144 --variations-seed-version --mojo-platform-channel-handle=1776 /prefetch:2
      4⤵
      Executes dropped EXE
      PID:832
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\LocalLow\NTFLoader\EBWebView" --webview-exe-name=Nursultan.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=2044,i,11406149136645384909,13892987901180863630,262144 --variations-seed-version --mojo-platform-channel-handle=2020 /prefetch:3
      4⤵
      Executes dropped EXE
      PID:4740
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\LocalLow\NTFLoader\EBWebView" --webview-exe-name=Nursultan.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --always-read-main-dll --field-trial-handle=2308,i,11406149136645384909,13892987901180863630,262144 --variations-seed-version --mojo-platform-channel-handle=2408 /prefetch:8
      4⤵
      Executes dropped EXE
      PID:2564
  - - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe
      "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.115\msedgewebview2.exe" --type=renderer --string-annotations --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\LocalLow\NTFLoader\EBWebView" --webview-exe-name=Nursultan.exe --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=2 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --always-read-main-dll --field-trial-handle=3940,i,11406149136645384909,13892987901180863630,262144 --variations-seed-version --mojo-platform-channel-handle=3952 /prefetch:1
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:2884

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks system information in the registry
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
PID:2524
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MTRDMkIwN0EtOUI4Qi00M0U5LThFRTAtMjYyRjEwRDMxOTE1fSIgdXNlcmlkPSJ7MkQ3NDcxMDctMUVGNC00RjFGLTlDNDItRjMxMzE3QzEwNDhDfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7RTA1NjAyOTQtMDZFQi00NUVBLThFNkYtRjk2QUJENzcwRjFBfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjgiIHBoeXNtZW1vcnk9IjgiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSIxMDciIGluc3RhbGxkYXRldGltZT0iMTcyODI5Mjg4MSIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzcyNzY1NDYxNzAxMDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ5OTgwMTQxNzgiLz48L2FwcD48L3JlcXVlc3Q-
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4488
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CE5B361E-B8E9-4834-BCA6-8A251607AAB3}\MicrosoftEdge_X64_132.0.2957.115.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CE5B361E-B8E9-4834-BCA6-8A251607AAB3}\MicrosoftEdge_X64_132.0.2957.115.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3940
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CE5B361E-B8E9-4834-BCA6-8A251607AAB3}\EDGEMITMP_96C76.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CE5B361E-B8E9-4834-BCA6-8A251607AAB3}\EDGEMITMP_96C76.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CE5B361E-B8E9-4834-BCA6-8A251607AAB3}\MicrosoftEdge_X64_132.0.2957.115.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    PID:1660
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CE5B361E-B8E9-4834-BCA6-8A251607AAB3}\EDGEMITMP_96C76.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CE5B361E-B8E9-4834-BCA6-8A251607AAB3}\EDGEMITMP_96C76.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Program Files\MsEdgeCrashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=132.0.6834.84 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{CE5B361E-B8E9-4834-BCA6-8A251607AAB3}\EDGEMITMP_96C76.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=132.0.2957.115 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff67c54a818,0x7ff67c54a824,0x7ff67c54a830
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:712
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7MTRDMkIwN0EtOUI4Qi00M0U5LThFRTAtMjYyRjEwRDMxOTE1fSIgdXNlcmlkPSJ7MkQ3NDcxMDctMUVGNC00RjFGLTlDNDItRjMxMzE3QzEwNDhDfSIgaW5zdGFsbHNvdXJjZT0ib3RoZXJpbnN0YWxsY21kIiByZXF1ZXN0aWQ9Ins4NkVCMTFDMC1FOTI4LTRDMjMtOEIzQS04OUJDREQzNzA3QUN9IiBkZWR1cD0iY3IiIGRvbWFpbmpvaW5lZD0iMCI-PGh3IGxvZ2ljYWxfY3B1cz0iOCIgcGh5c21lbW9yeT0iOCIgZGlza190eXBlPSIyIiBzc2U9IjEiIHNzZTI9IjEiIHNzZTM9IjEiIHNzc2UzPSIxIiBzc2U0MT0iMSIgc3NlNDI9IjEiIGF2eD0iMSIvPjxvcyBwbGF0Zm9ybT0id2luIiB2ZXJzaW9uPSIxMC4wLjE5MDQxLjEyODgiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7VlBRb1AxRitmcTE1d1J6aDFrUEw0UE1wV2g4T1JNQjVpenZyT0MvY2hqUT0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7RjMwMTcyMjYtRkUyQS00Mjk1LThCREYtMDBDM0E5QTdFNEM1fSIgdmVyc2lvbj0iIiBuZXh0dmVyc2lvbj0iMTMyLjAuMjk1Ny4xMTUiIGxhbmc9IiIgYnJhbmQ9IiIgY2xpZW50PSIiIGV4cGVyaW1lbnRzPSJjb25zZW50PWZhbHNlIiBpbnN0YWxsYWdlPSItMSIgaW5zdGFsbGRhdGU9Ii0xIj48dXBkYXRlY2hlY2svPjxldmVudCBldmVudHR5cGU9IjkiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHN5c3RlbV91cHRpbWVfdGlja3M9IjUwMDk0MjAzODkiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSI1IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MDA5NDIwMzg5IiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTIzMjgwNTE5OCIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgZG93bmxvYWRlcj0iYml0cyIgdXJsPSJodHRwOi8vbXNlZGdlLmYudGx1LmRsLmRlbGl2ZXJ5Lm1wLm1pY3Jvc29mdC5jb20vZmlsZXN0cmVhbWluZ3NlcnZpY2UvZmlsZXMvNzI3MmIwY2ItY2E0NS00NDYzLWE4OTUtZjc0NWJmZmRmNDdhP1AxPTE3MzgyMTI5MDImYW1wO1AyPTQwNCZhbXA7UDM9MiZhbXA7UDQ9WUhjMCUyYkkyTVNRRkxlV3N3Rmg5Q0NJMkVENTM4YXF3Mk1nenN1RnlidUxZanRWR1NUaFlzVGJlZjAlMmI5aE5YckhSSjcyckl5STElMmZiJTJiaU1Dd2d0ZXpsZyUzZCUzZCIgc2VydmVyX2lwX2hpbnQ9IiIgY2RuX2NpZD0iLTEiIGNkbl9jY2M9IiIgY2RuX21zZWRnZV9yZWY9IiIgY2RuX2F6dXJlX3JlZl9vcmlnaW5fc2hpZWxkPSIiIGNkbl9jYWNoZT0iIiBjZG5fcDNwPSIiIGRvd25sb2FkZWQ9IjE3NzA5ODMzNiIgdG90YWw9IjE3NzA5ODMzNiIgZG93bmxvYWRfdGltZV9tcz0iMTQ0MDIiLz48ZXZlbnQgZXZlbnR0eXBlPSIxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI1MjMyOTYxMjA0IiBzb3VyY2VfdXJsX2luZGV4PSIwIiBkb25lX2JlZm9yZV9vb2JlX2NvbXBsZXRlPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNiIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTI0ODI3MzcwNCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIvPjxldmVudCBldmVudHR5cGU9IjIiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjE5Njc1NyIgc3lzdGVtX3VwdGltZV90aWNrcz0iNTg3NTA0ODE3MCIgc291cmNlX3VybF9pbmRleD0iMCIgZG9uZV9iZWZvcmVfb29iZV9jb21wbGV0ZT0iMCIgdXBkYXRlX2NoZWNrX3RpbWVfbXM9Ijc2NSIgZG93bmxvYWRfdGltZV9tcz0iMjIzMzgiIGRvd25sb2FkZWQ9IjE3NzA5ODMzNiIgdG90YWw9IjE3NzA5ODMzNiIgcGFja2FnZV9jYWNoZV9yZXN1bHQ9IjAiIGluc3RhbGxfdGltZV9tcz0iNjI2NzciLz48L2FwcD48L3JlcXVlc3Q-
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks system information in the registry
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  PID:4980

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:2092

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:2804

C:\Users\Admin\System.exe
C:\Users\Admin\System.exe
1⤵
- Executes dropped EXE
PID:3444

C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
1⤵
- Loads dropped DLL
PID:4632

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv T6IlkkWJZUKv0FB9nT+oGw.0.2
1⤵
PID:1308

C:\Users\Admin\System.exe
C:\Users\Admin\System.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:5072

C:\Users\Admin\System.exe
C:\Users\Admin\System.exe
1⤵
- Executes dropped EXE
PID:5452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Component Object Model Hijacking

T1546.015

Image File Execution Options Injection

T1546.012

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Network Share Discovery

T1135

Peripheral Device Discovery

T1120

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.115\Installer\setup.exe

Filesize
6.6MB

MD5
c2f035293e07aaa688bc9457e695f0f9

SHA1
c5531aa40349601a23b01f8f24f4162958b7ab72

SHA256
704df2272e51fce395c576e4090270e0db7c7562f5b59779d36ca0563505cc91

SHA512
70228567ef097bee2b3e04a5300437adb3615d4217d3a2d08fbef364afbb54e43ffb5dd0e5f3931737d648f56f912ebe35121cc8421354d8c2292fe48f5efc51

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

Filesize
201KB

MD5
70cc35c7fb88d650902e7a5611219931

SHA1
85a28c8f49e36583a2fa9969e616ec85da1345b8

SHA256
7eca199201273f0bcff1e26778cb535e69c74a69064e7759ff8dad86954d42b1

SHA512
3906ddb96b4b1b68b8c2acc940a62c856e8c3415a1b459f17cf2afc09e05751e0086f8e4e5e0ddd8e45cfb61f811bbe4dd96198db68072b45b6379c88d9ea055

Download Submit
C:\Program Files\MsEdgeCrashpad\settings.dat

Filesize
280B

MD5
ef11ff1f8b7615ac5c08d1e3bdebc1b9

SHA1
1aa8654747d76014002ae8b020844d6d1e5dcd2e

SHA256
0d1b135e8a517b2b9a00b7214d711e55db5edaa7051c966ee07c65d94fb70ad0

SHA512
866415555ab068520e4e40249905964fc318161321c823ac9813ff87e91778ac7c19eb19e255f982b612829d8605b8c900c481697f71dddd0a6a64b9d17ce42b

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
63KB

MD5
85368cf926f03c7751b4780282bc571c

SHA1
8ce0dd6f4b193200679bc24462c51c239801c1c2

SHA256
3723b58cc6a123936e2d147aba68eda79143c59645a94636a8b4717af4ddea5d

SHA512
ca669b6167a8a21af98b252ea8e7729149ac56b58b1969f09cadbab06273452c380f2ec08c8cffe0d0612b382c39c8a83bf26b07ae7effdf25f6c12b85caf55f

Download Submit
C:\Users\Admin\AppData\LocalLow\NTFLoader\EBWebView\Crashpad\settings.dat

Filesize
280B

MD5
26c8dad3326bf1c422f26b6a7bd0e0f5

SHA1
037c928fb1570e7c871d3300cc70ab5d056e2f74

SHA256
72378db4cb737cdea9fb7804de34385f4b63190883f1a903162ea676ce4488a2

SHA512
a1744268a2759381bdf293598e2379f7c99b371864b94f8aa67525b46b2a29d9b6ab639b3bcfb05a831e0511103708f774347c05a457aecb4944d9907394560c

Download Submit
C:\Users\Admin\AppData\LocalLow\NTFLoader\EBWebView\Default\Extension Scripts\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\LocalLow\NTFLoader\EBWebView\Default\ExtensionActivityComp

Filesize
4KB

MD5
d25d5e1dc1d93430e64ee17e48ce442e

SHA1
d5c7ca9a57e6cc68927a249fe8e601d52680ac7a

SHA256
8c471cab38a1696289186d01b06ff6af2a888852dc18d6fb8d2a0e54898104ed

SHA512
f4cff7510b4ad81090e0b1842652f8eb7995f7aefd0ce651151bc24ca3a4305d34ecae41cf193d9b846e8f6359ccf545e5d05e63e6e766fa9761ccebce620f6c

Download Submit
C:\Users\Admin\AppData\LocalLow\NTFLoader\EBWebView\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\LocalLow\NTFLoader\EBWebView\Default\Shared Dictionary\cache\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\LocalLow\NTFLoader\EBWebView\Default\Sync Data\LevelDB\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\LocalLow\NTFLoader\EBWebView\Local State

Filesize
2KB

MD5
445d587d961196b1fe0969607b31b316

SHA1
40e5b9986cc5d1b659c83814fd37fe0cfb733b21

SHA256
b5d6ed69f2a8f2c9d1982195e09dee37080e4e5ac2ba3c4671f5d0e9bf5c5c54

SHA512
0303aaee7b9c49121957b740c3cb7a97706d4a212961e4469221849f61748f6fa638320d4c18ae94fbf701f1ee5ec8a6bd80eb4920cb00251402a70b515318d0

Download Submit
C:\Users\Admin\AppData\LocalLow\NTFLoader\EBWebView\Local State

Filesize
1KB

MD5
89ed28a53eb02ea44cffadd45623098a

SHA1
d6afaa85f2564adbc0bb94b6f3edaf195044b694

SHA256
c3dd5623bf933057f4120312bf5b7010fd37ff3ab8be753c9b259307ee56017c

SHA512
b45c675457a504c21a5c97d485466c2c4cc54ce345e563c4ef09178db02476a0c8515deaee904bb897ee420f1b1593efcceea061d4e03df76660005e22770562

Download Submit
C:\Users\Admin\AppData\LocalLow\NTFLoader\EBWebView\Local State

Filesize
3KB

MD5
f5b439de20b9bd8312656b818797c560

SHA1
1feacf3c8124abed43f6e60a911c290b1720e773

SHA256
2421b0111d0af69e915a405f636e52fb2f43803da45bb416b9e7312c278cbda6

SHA512
30e629ae2b9baf3b013c771a924e70c82f120adf350c034dd0db88992393ebc1ca5ac0698e6ba0cc0ad966bc96f5364d15251c89c10aab4d127f805a506ee3f3

Download Submit
C:\Users\Admin\AppData\LocalLow\NTFLoader\EBWebView\Local State

Filesize
17KB

MD5
6d5b22171fc3ea26ed0631a05c8f86b0

SHA1
b6a89200e7b0b1cf65ee8a40994c3adddcc30624

SHA256
df248c9bd7676cfeeb9f5c4038263f71bb959b78868cfdf83c3230473fafaf77

SHA512
1152c6972da5ce70c5d68cad77bf92a8c41c7ea971105313c174d7523f3ef91ee54e4441bab17ecd7074849c7f2630f5c6d243a9274be6b8e0845c78c174fd24

Download Submit
C:\Users\Admin\AppData\LocalLow\NTFLoader\EBWebView\Local State~RFe599be8.TMP

Filesize
1KB

MD5
dafc5dadde3e6eb438c9bf05412f6030

SHA1
77184d0da3ac1f98e7708556168a573937a53cc6

SHA256
0f1e0357622237c58ac6727b37c3ddc78ed273d31ee2d0d7ca5086d47021aa2a

SHA512
6719abb267621b2162d32fafcdbd0faf72fa5f5195cdbe2953b41ad5a13ab4e1731cafaa581906d62cdada4d64f5d704659a9a20440b0f18b0355b210800c2d8

Download Submit
C:\Users\Admin\AppData\LocalLow\NTFLoader\EBWebView\WV2Profile_nursultan\DawnGraphiteCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\LocalLow\NTFLoader\EBWebView\WV2Profile_nursultan\DawnWebGPUCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\LocalLow\NTFLoader\EBWebView\WV2Profile_nursultan\DawnWebGPUCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\LocalLow\NTFLoader\EBWebView\WV2Profile_nursultan\DawnWebGPUCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Client.exe

Filesize
636KB

MD5
948553d180228a7653a13508142bf92d

SHA1
66001de9645dab9f86847f7debc868cc76ad90c5

SHA256
961910226972da704214840df219e70941808c1c068b1b26412befcac8b632df

SHA512
7eaba205900259b24288f7c2bcc5c1bf9405a83ad153a1e055980a5b8e8bedefc532753cc945709c64b876f4e35e12f5ca558e6a4fd5093cff61a77d19d6bc44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Exela.exe

Filesize
10.8MB

MD5
b75dadf5c93485ec3e6d9dfe1e4e4202

SHA1
9b6414dc1d7b2cc03039afd852243232b1ebdc7a

SHA256
d4b740107e2c09db6af68d2baff9ebd252fd282608e3a0b7aabc4dca4477dbde

SHA512
5f2c5ca025a82eaabd286686f1ab50fa1f3c9609a9ee0baffe963d7efd7f7f6d3ac78192cbc2985a19b02932376a6ab7725d3755df29713837af6303bf0df21a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MicrosoftEdgeWebview2Setup.exe

Filesize
1.6MB

MD5
b49d269a231bcf719d6de10f6dcf0692

SHA1
5de6eb9c7091df08529692650224d89cae8695c3

SHA256
bde514014b95c447301d9060a221efb439c3c1f5db53415f080d4419db75b27e

SHA512
8f7c76f9c8f422e80ade13ed60f9d1fabd66fef447018a19f0398f4501c0ecc9cc2c9af3cc4f55d56df8c460a755d70699634c96093885780fc2114449784b5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nursultan.exe

Filesize
16.1MB

MD5
981196fd1a024aa93de8d671cb4f66f6

SHA1
7cca3ed98a752359ccf93af39fd08609b1273912

SHA256
f8fba45ce7e00b527540f96707338b7adc8ee5ccc23924145a155fdd87d4ce2f

SHA512
23321f61bf28370634f1ab25b8082535225ac9f255ae39b77e9b11c5c5c92caeb23f7ceaec1ad7e9bdcf27548305176659a80fde53658b74bd603740c1c96470

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\BackupImport.mpg

Filesize
146KB

MD5
63234a5a44fd6ca12b71c54738dd5866

SHA1
b193280bd4512b95bb0a7dc5870502bff23c4fd5

SHA256
e0cc28b644b1d1f37fbaf8f54440e4ada378aa536f3fcdc09b5fa5943ad6eaf3

SHA512
b4546276faef984c4fe5872d1b2567b3deb3ad021eda2ba338ad55967470ab5cbacdf242cb19dbd46ab21fa9bad1095884c4007124f7e6a1ca9249b278de806b

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\EnableHide.docx

Filesize
15KB

MD5
0e3ab3c96047daca815156a6bca37fd6

SHA1
69c49e96926448ce66cb79d67a431770a8c076d6

SHA256
15106b7a1c4118ad1b9ce7f9219d430b8c867c3beae41f6ffb73523b6da493d1

SHA512
379433192b66bbb65689769063aa025ce00d6e52b9ace37a2607a4d6a0f0c18c7df0277348498986a637542736bc3c889942e879037d3fde9d71db9baec4e561

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\ResizeUnpublish.xls

Filesize
191KB

MD5
8f39a7b30b1d3026fbf9d3e17bb9a4aa

SHA1
84abda230da03a37c988badd74bd1c30b60d4c12

SHA256
61a858861b24c1181b7c8fc9832264b5cb0463e94927367be07671aae01216d9

SHA512
7e8388256c199efc7bda550168a9762925aa95d9dca5a168fa526275b448be0036495a52c9b01c24f3c04993a78666ab838bbb82307238b17f3b31d6f873ba75

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\SyncRepair.docx

Filesize
13KB

MD5
a35d98979bec22b25cf0bac04176a2bf

SHA1
0aee7e48f5e472e229d085d1f564860de15cdcfe

SHA256
6baa93da385727e2e0db52f90d9836dd7d590e6f006d58c12f88060d2488c735

SHA512
d0797ff0f4556ff0e156cc8cafb1b33750530309fbedebdcfaaef46cbb5db2ce383e3f9bbf4d8ea2cb6b6857751c138db390b52acd60001bcbb32dd358a61539

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\SyncUnregister.png

Filesize
164KB

MD5
fbec3e251a56386a20d7493c399f34f9

SHA1
9d1d80f3d5532ceb9c70d9c4ce63334ca2f28227

SHA256
62aee3438454ef9ac5a07b92ca222a6be6407585182c212a80e32c89817b94f3

SHA512
24211945e0bf12aaf4e04e83f7dab2f0c7a579b461bec4d89c377a2ca93946acb5309e07c04c52e16caf568291b5b8ad57aa4b03e2d4011c95c5aa8496e32069

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\UnpublishPublish.xlsx

Filesize
13KB

MD5
3f0b7056bd51326272d15680deadf177

SHA1
6efa115035e9bf15cf774022197165c0a79c7913

SHA256
56da5d45e40a3556e15166ffb8e3d184853ef04f476827e0f4da78a57f9dc0e9

SHA512
962f35cee4806b860be4e3d62d5347a5550062b7e77e02c0990023f318a1b17fb9c79f65e65a1dd2f9d9a4389b0472edc2510633100abffdce31b8a7dd8ea238

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\ConnectSet.docx

Filesize
13KB

MD5
9a475c278aef7cd4ad54b1f0eaac2afd

SHA1
f74c2ba736646f90c779d83b6f6b3c2d5d7b6714

SHA256
616c64e636904dedc111aca8b809068cbab0263bb8350798f7115516b00a344e

SHA512
71e1dbc561af776fe8394c90e1bb2aa34273d331490cfa2b6796f2ea6960f635a94ea418d46057acf524e8a482b00aa3a31e11c7c97a664bc91fd2b54c38b529

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\DismountPing.xlsx

Filesize
12KB

MD5
bcbf75761bb0da69d5121770cc489a8d

SHA1
63bb5316cabf43beb2e4d91c9c92057ec94d3191

SHA256
0698cf18138610ee3e1ed70aee3170ffb1fe62b191f122e63833596e7f46f88b

SHA512
a39509c81f62fd14af3cbd8679a6af37aab36577a299cd14b5397af86dcf1b0ccfdb7147239d4c0c9cfef4b66cf3ef5e3575a0f42361c96777b171395785ef68

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\EditSwitch.xlsx

Filesize
965KB

MD5
0ca39a662f0d2429844dab75608f8e34

SHA1
53b1cb1fb9d1d9f87537f9f88683a53302c6b76e

SHA256
47011b8818a8e3cc0d9a91f013faf9bbda3fe421e4cda2cb3a2f60e26afe4b74

SHA512
5e248ecb814a9642d3cf7747d907b4dc161eca397b8cb676b6e93fdbb256ee4efb84be48e5381264da73261835aae4701822888143773c9b075d494103ac1dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\ExitSubmit.docx

Filesize
1.1MB

MD5
86c28da012537ca8fa6e7a9259e2cbc3

SHA1
30786023829d194705000c7bf0ec22e014dbe9f1

SHA256
1e861f821a2e51600029da3d443be3f772316e1620f779b7ed8a87dbdba42267

SHA512
fb5596c313ce84dbeb51e43f5462277bc9a7304444c581dbab85351d0da0768b0d8eda7d226d2496b0f0149ae4682b0ae6ccfd1f20f77d322d974e3e014b05ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\RepairSplit.docx

Filesize
14KB

MD5
67c6fa155f1d3dc92a998a64455810f4

SHA1
8b8247a0b6860eafe9049017be7061ec1f5530c8

SHA256
70d829e94bb568cc97d87515088ff9e9e162589fa4e78025c36de5f87e33ef37

SHA512
7f6d3c33ed93705dfb6cd427acfdf91c79eb083172ffedefb77cb979144619ac68e524a962f02d9d179f95aafa5e8ddfa3fe10962a0a457ac584e535b86ca146

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\ResizeExit.docx

Filesize
16KB

MD5
ff43f55c67b84e7f902b13aca7d15573

SHA1
3056cf50708080fa5669635b1dd38abbffd84f9d

SHA256
575747c79172be1c4262ab8db61d20490fa2d1a93292880931c8f00829038ef4

SHA512
69ce7ff95859cb3825d77c1db43e7e5ba48c2e2ed5ee86962da67fddb28307b2415972d430291e635c2c939bab498c1f207877c457113b901d0c3b93522f37e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\RestartRedo.doc

Filesize
1.9MB

MD5
172400411f646c803305f070097342b2

SHA1
c69285cdee5227f55273650d9c01a423413d82d1

SHA256
40cfe8a08b3e0fd8e0ac12f6a1b15d44452fcd4dc4142e96d1221244a850e832

SHA512
01bed545b3f6ab7a2334db219576d2e695b212b7c853af6f29fadd23529c6e5af60511d1face90c810779e00f27f6bcef603b9ab6a01054550c187ac1534ddc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\SearchRestart.docx

Filesize
12KB

MD5
44e07cef98e301ccd80f42c6598b6fa5

SHA1
8f243ddca65e448f5193a0c5a2f9595e3a45f996

SHA256
2c662d0b25ffec2fe90674a0515f3a8e119295c5426e2c29dd4fcbe22a83028e

SHA512
a10bd4b33b00541dc66e9c515e93d5e540c170c441236f95a706d1c33fdac172160f68bbd09d1f980cb7a68b8ec254e571b70a40219d1959ab65a045cdb5baa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\UnprotectBackup.docx

Filesize
14KB

MD5
77a6d08bdad1513cb789ba7c369c1b31

SHA1
5ff1d345b727e05001357190d8224c8054b2a741

SHA256
a3f8dc952298a0223d0a514a8d429d98d6aa1aeffc1af15a21ac9d6a11efda53

SHA512
ec9153ede1c7fb8d7f858ef29927a0511fd109a2722603d5f94f2436c0806e271dc6448732f2c9cff902e05cf26b3fae7d39be50651cfd20827c00b59ba27190

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\CompressUnblock.xlsx

Filesize
447KB

MD5
7aa9537487cefd51f69c8eb3a9445ae7

SHA1
00112bc72a871f93b8d654dc3514caed5f98423f

SHA256
caac50592c989ccd63a83b5f16df2d265e8677abddb8f1875393df8c2718e1df

SHA512
9a51ab506107b77b89541684195d54e7aecbe184e3b370e8bca7a16e6de3abc52d37b8508d3086844d12c3237a1910e62db3d25e1e738248c9fbb00c8a8a0367

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\InstallUse.png

Filesize
714KB

MD5
2a8fb5ca9ae7f302297630921ea0340a

SHA1
b8868a3f70ea56c266ee6ba6875af5760dcda830

SHA256
21936e83293e28390dcd9c706e2710971886754f78bae7d5c8c5388b3e533163

SHA512
32f90f5f16c2c26e8abf12c26b7ef259a92515a046be8d82759f3d3a92b1b4721b4a7ceae1c34d668b7466c41c84fd26881aa78df9a2caca487d40fa363321ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\RenameNew.mp4

Filesize
824KB

MD5
77fba2e263599792f90c1a1cdfa77f4f

SHA1
2a55f8274e0e720044dc583acea91c31aad62bb9

SHA256
522bcf93ed3572337b893e0c2f4ce48b7d07123202d13f7882a8cdfad2deb55e

SHA512
6bb6ec76e3f9cce9fd6cef9d02424ff6c98e161cca8fd21dfdbb529e3d8f27472d8164479de1d37d74b68e8c4675c380730c7b5e2ef5496388dc47adbc0a28c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\DenyWatch.xls

Filesize
191KB

MD5
d855b4f94bd2a677bc4613f44e58e0ee

SHA1
19cfc412ed84dca3bfe3e6b265733f9f7776d225

SHA256
335c793b687b6977bdc05e383755eb27e67de683f34191813f2fae1811dd8db1

SHA512
1757fdf4abb1206555e2b85506f642604c69843c8f46696b6fe218bd784b44babec109df8ff8e8080b4bd1bdb8f403adb3a5c1b296eb8708687af811d2973cc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\RedoCheckpoint.zip

Filesize
287KB

MD5
7b36e32cf9ad65818005d4a601511206

SHA1
1fc960f5905fce05913acbce6acaa707967a493f

SHA256
36ad96194659c014938fb2c88cf7541137c2ff84f2d66ab0d20163bc8fb34f6e

SHA512
303505cbe58f5e1602a39ac6685b39a2ba27c8616236b48620eee29b971160b564d3def27640213a7d09898a987d1b336eb466f1f1af27c0f1dda1a4809174b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\BackupDisable.ico

Filesize
317KB

MD5
fa802ebe84a3e749fce2f755a3a26f56

SHA1
97dd6c05a1fa7ff6be90875254977b3220c7d5a9

SHA256
b2951f83556543f50ac5cfde979e39db7fe041e8573f67ff06fb31b9a8581abf

SHA512
6d43f4f8ec8cc45387d0f5ada4c36eae4b7e5c88a798e1958f68110cd45189744e90ac6680ec070d6d1c872a0529c62d3d73fbe749e3f25377a87b0a6b5afa6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\ResetApprove.jpg

Filesize
285KB

MD5
1b4ec26796db340618308c91f1bb4424

SHA1
2b4aebff92b221a547fcf884c6697f35875b18f3

SHA256
6ef034bf10ac300e11797f89ed7a6f3f2dc163d86cf3b27deb8be37e72d3db25

SHA512
cf63ee0add942832c3ed867a30c50014c8a247327e78d5a55a5b9731fae90e9ee524db4f94b0b7c6dbcf5e299e8616f65c5fdc51457cb170ddfe9f59ba212c58

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\WriteGrant.png

Filesize
126KB

MD5
ca4141bcd6942fed7fed7a965a36318e

SHA1
310d1608b1081ebd8fc14415159f53652486f396

SHA256
be07406720dfaca30c744efd81f3448d4d6c6099f69b350de6376086059a6ae3

SHA512
78ab6376f9b8bb6f4c0ba57559d51b75b88bb8992cbb4e7ebaf2a63df0f2579b12ec3a1c514694c5e0f5596bc67df3e3da67bc5da5cdd258f98de3f8922cac36

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
70KB

MD5
a1e022936394ad7c9c4cf84c182871a8

SHA1
32a71ffe867533139e1754265c80db07a64295c2

SHA256
014658c132eeb1c3ac92d9b762eff0f644f6fa9f84e9cc4ebe496fc9ebe0aed3

SHA512
993ed8e3b71df75e6ef29880a5cb8d4c375b1993788a3853c348b9ce41ffd2f750711b0a4b4401f3a29cb3f911a8acc6d528f24ffa6b887b299189d4ab7a2576

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_asyncio.pyd

Filesize
34KB

MD5
1b8ce772a230a5da8cbdccd8914080a5

SHA1
40d4faf1308d1af6ef9f3856a4f743046fd0ead5

SHA256
fa5a1e7031de5849ab2ab5a177e366b41e1df6bbd90c8d2418033a01c740771f

SHA512
d2fc21b9f58b57065b337c3513e7e6c3e2243b73c5a230e81c91dafcb6724b521ad766667848ba8d0a428d530691ffc4020de6ce9ce1eaa2bf5e15338114a603

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_bz2.pyd

Filesize
46KB

MD5
80c69a1d87f0c82d6c4268e5a8213b78

SHA1
bae059da91d48eaac4f1bb45ca6feee2c89a2c06

SHA256
307359f1b2552b60839385eb63d74cbfe75cd5efdb4e7cd0bb7d296fa67d8a87

SHA512
542cf4ba19dd6a91690340779873e0cb8864b28159f55917f98a192ff9c449aba2d617e9b2b3932ddfeee13021706577ab164e5394e0513fe4087af6bc39d40d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_cffi_backend.cp311-win_amd64.pyd

Filesize
71KB

MD5
0f0f1c4e1d043f212b00473a81c012a3

SHA1
ff9ff3c257dceefc74551e4e2bacde0faaef5aec

SHA256
fda255664cbf627cb6a9cd327daf4e3eb06f4f0707ed2615e86e2e99b422ad0b

SHA512
fcfa42f417e319bddf721f298587d1b26e6974e5d7589dfe6ddd2b013bc554a53db3725741fbc4941f34079ed8cb96f05934f3c2b933cda6a7e19cda315591a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_ctypes.pyd

Filesize
57KB

MD5
b4c41a4a46e1d08206c109ce547480c7

SHA1
9588387007a49ec2304160f27376aedca5bc854d

SHA256
9925ab71a4d74ce0ccc036034d422782395dd496472bd2d7b6d617f4d6ddc1f9

SHA512
30debb8e766b430a57f3f6649eeb04eb0aad75ab50423252585db7e28a974d629eb81844a05f5cb94c1702308d3feda7a7a99cb37458e2acb8e87efc486a1d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_decimal.pyd

Filesize
104KB

MD5
e9501519a447b13dcca19e09140c9e84

SHA1
472b1aa072454d065dfe415a05036ffd8804c181

SHA256
6b5fe2dea13b84e40b0278d1702aa29e9e2091f9dc09b64bbff5fd419a604c3c

SHA512
ef481e0e4f9b277642652cd090634e1c04702df789e2267a87205e0fe12b00f1de6cdd4fafb51da01efa726606c0b57fcb2ea373533c772983fc4777dc0acc63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_hashlib.pyd

Filesize
33KB

MD5
0629bdb5ff24ce5e88a2ddcede608aee

SHA1
47323370992b80dafb6f210b0d0229665b063afb

SHA256
f404bb8371618bbd782201f092a3bcd7a96d3c143787ebea1d8d86ded1f4b3b8

SHA512
3faeff1a19893257c17571b89963af37534c189421585ea03dd6a3017d28803e9d08b0e4daceee01ffeda21da60e68d10083fe7dbdbbde313a6b489a40e70952

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_lzma.pyd

Filesize
84KB

MD5
bfca96ed7647b31dd2919bedebb856b8

SHA1
7d802d5788784f8b6bfbb8be491c1f06600737ac

SHA256
032b1a139adcff84426b6e156f9987b501ad42ecfb18170b10fb54da0157392e

SHA512
3a2926b79c90c3153c88046d316a081c8ddfb181d5f7c849ea6ae55cb13c6adba3a0434f800c4a30017d2fbab79d459432a2e88487914b54a897c4301c778551

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_multiprocessing.pyd

Filesize
25KB

MD5
849b4203c5f9092db9022732d8247c97

SHA1
ed7bd0d6dcdcfa07f754b98acf44a7cfe5dcb353

SHA256
45bfbab1d2373cf7a8af19e5887579b8a306b3ad0c4f57e8f666339177f1f807

SHA512
cc618b4fc918b423e5dbdcbc45206653133df16bf2125fd53bafef8f7850d2403564cf80f8a5d4abb4a8928ff1262f80f23c633ea109a18556d1871aff81cd39

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_overlapped.pyd

Filesize
30KB

MD5
97a40f53a81c39469cc7c8dd00f51b5d

SHA1
6c3916fe42e7977d8a6b53bfbc5a579abcf22a83

SHA256
11879a429c996fee8be891af2bec7d00f966593f1e01ca0a60bd2005feb4176f

SHA512
02af654ab73b6c8bf15a81c0e9071c8faf064c529b1439a2ab476e1026c860cf7d01472945112d4583e5da8e4c57f1df2700331440be80066dbb6a7e89e1c5af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_queue.pyd

Filesize
24KB

MD5
0614691624f99748ef1d971419bdb80d

SHA1
39c52450ed7e31e935b5b0e49d03330f2057747d

SHA256
ac7972502144e9e01e53001e8eec3fc9ab063564678b784d024da2036ba7384d

SHA512
184bc172c7bb8a1fb55c4c23950cbe5e0b5a3c96c1c555ed8476edf79c5c729ed297112ee01b45d771e5c0055d2dc402b566967d1900b5abf683ee8e668c5b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_socket.pyd

Filesize
41KB

MD5
04e7eb0b6861495233247ac5bb33a89a

SHA1
c4d43474e0b378a00845cca044f68e224455612a

SHA256
7efe25284a4663df9458603bf0988b0f47c7dcf56119e3e853e6bda80831a383

SHA512
d4ea0484363edf284ac08a1c3356cc3112d410dd80fe5010c1777acf88dbd830e9f668b593e252033d657a3431a79f7b68d09eb071d0c2ceb51632dbe9b8ed97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_sqlite3.pyd

Filesize
54KB

MD5
d9eeeeacc3a586cf2dbf6df366f6029e

SHA1
4ff9fb2842a13e9371ce7894ec4fe331b6af9219

SHA256
67649e1e8acd348834efb2c927ab6a7599cf76b2c0c0a50b137b3be89c482e29

SHA512
0b9f1d80fb92c796682dba94a75fbce0e4fbeaedccd50e21d42d4b9366463a830109a8cd4300aa62b41910655f8ca96ecc609ea8a1b84236250b6fd08c965830

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_ssl.pyd

Filesize
60KB

MD5
fd0f4aed22736098dc146936cbf0ad1d

SHA1
e520def83b8efdbca9dd4b384a15880b036ee0cf

SHA256
50404a6a3de89497e9a1a03ff3df65c6028125586dced1a006d2abb9009a9892

SHA512
c8f3c04d87da19041f28e1d474c8eb052fe8c03ffd88f0681ef4a2ffe29755cfd5b9c100a1b1d2fdb233cb0f70e367af500cbd3cd4ce77475f441f2b2aa0ab8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_uuid.pyd

Filesize
21KB

MD5
3377ae26c2987cfee095dff160f2c86c

SHA1
0ca6aa60618950e6d91a7dea530a65a1cdf16625

SHA256
9534cb9c997a17f0004fb70116e0141bdd516373b37bbd526d91ad080daa3a2b

SHA512
8e408b84e2130ff48b8004154d1bdf6a08109d0b40f9fafb6f55e9f215e418e05dca819f411c802792a9d9936a55d6b90460121583e5568579a0fda6935852ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\aiohttp\_http_parser.cp311-win_amd64.pyd

Filesize
81KB

MD5
d0015cdc0b5784fd149496e288c92b12

SHA1
df08b6934096525334803f0553200b571eb409d8

SHA256
53b2b23a54a04ba3166a703f95f66f97b480c5e292ba132dea1c5aa27a5b79fc

SHA512
a0bce0570b47c4b903cfb02a9525d179d9dcc1ac72e8f399c4d68eba8bbfe1aa7ed5a479c792371e7fbc3d5e83d6367ee88753c032f0699f4a596e258924aaa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\aiohttp\_http_writer.cp311-win_amd64.pyd

Filesize
24KB

MD5
01ad6d465ae412a90ffc4182859c6ed3

SHA1
3507f55ac173a3c7d79abed35751c7e0b8657d9e

SHA256
a265bc3961a251f72fa6517fc63fa776a23906a042b273d0b6237296dfe8d85f

SHA512
838b849b4d5f4881a6718a18470654050f78d48624bd480a8721e9f478d91497f60b75c61edc8bf356270e39597fe0f8ff61b2a518ef41a5565712b8885cc1b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\aiohttp\_websocket\mask.cp311-win_amd64.pyd

Filesize
19KB

MD5
986372efcb4a82c018492e96c9555acb

SHA1
8bee8140632511694cf79e932f41fe34a7057d4e

SHA256
8eff46f03756da5183fde6aacaeaaff8a503545fb2142e449db42dc0d9be7480

SHA512
f696fd1c75015bbd784c47e900b16c3234992c781287f71cf98f47b5994e1c2898cc5e63c2f02594ccc41f7173873699a10aa01fd23f3abc76d65fb6230087f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\base_library.zip

Filesize
1.4MB

MD5
2a138e2ee499d3ba2fc4afaef93b7caa

SHA1
508c733341845e94fce7c24b901fc683108df2a8

SHA256
130e506ead01b91b60d6d56072c468aeb5457dd0f2ecd6ce17dfcbb7d51a1f8c

SHA512
1f61a0fda5676e8ed8d10dfee78267f6d785f9c131f5caf2dd984e18ca9e5866b7658ab7edb2ffd74920a40ffea5cd55c0419f5e9ee57a043105e729e10d820b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\libcrypto-1_1.dll

Filesize
1.1MB

MD5
86cfc84f8407ab1be6cc64a9702882ef

SHA1
86f3c502ed64df2a5e10b085103c2ffc9e3a4130

SHA256
11b89cc5531b2a6b89fbbb406ebe8fb01f0bf789e672131b0354e10f9e091307

SHA512
b33f59497127cb1b4c1781693380576187c562563a9e367ce8abc14c97c51053a28af559cdd8bd66181012083e562c8a8771e3d46adeba269a848153a8e9173c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\libffi-8.dll

Filesize
24KB

MD5
decbba3add4c2246928ab385fb16a21e

SHA1
5f019eff11de3122ffa67a06d52d446a3448b75e

SHA256
4b43c1e42f6050ddb8e184c8ec4fb1de4a6001e068ece8e6ad47de0cc9fd4a2d

SHA512
760a42a3eb3ca13fa7b95d3bd0f411c270594ae3cf1d3cda349fa4f8b06ebe548b60cd438d68e2da37de0bc6f1c711823f5e917da02ed7047a45779ee08d7012

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\libssl-1_1.dll

Filesize
203KB

MD5
6cd33578bc5629930329ca3303f0fae1

SHA1
f2f8e3248a72f98d27f0cfa0010e32175a18487f

SHA256
4150ee603ad2da7a6cb6a895cb5bd928e3a99af7e73c604de1fc224e0809fdb0

SHA512
c236a6ccc8577c85509d378c1ef014621cab6f6f4aa26796ff32d8eec8e98ded2e55d358a7d236594f7a48646dc2a6bf25b42a37aed549440d52873ebca4713e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\multidict\_multidict.cp311-win_amd64.pyd

Filesize
20KB

MD5
5587c32d9bf7f76e1a9565df8b1b649f

SHA1
52ae204a65c15a09ecc73e7031e3ac5c3dcb71b2

SHA256
7075185db068e3c8f1b7db75e5aa5c500fc76ed8270c6abc6f49681d7119a782

SHA512
f21d0530389138457d6fdcdb3487a3c8b030338c569b2742f9e691e43af1d9e779c98426bad81b152f343b324a9375fe1322ef74030b1c8f8ba606d19e562e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\propcache\_helpers_c.cp311-win_amd64.pyd

Filesize
31KB

MD5
51f012d736c71a681948623455617995

SHA1
e6b5954870c90a81da9bf274df6ceac62d471ad8

SHA256
b495db6bac375f948efa2830073bf1b4496086e2b572b5353ebd07bcd07e200f

SHA512
a409f3ef69887761620403ca4bd2ebfbb8f3648139dd654d5da47f4fa61ff6d3e73557b3a19aefe59eb7ab9eb39d59048115c0bc2046bc09b3fdc7108b91dc3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\pyexpat.pyd

Filesize
86KB

MD5
fe0e32bfe3764ed5321454e1a01c81ec

SHA1
7690690df0a73bdcc54f0f04b674fc8a9a8f45fb

SHA256
b399bff10812e9ea2c9800f74cb0e5002f9d9379baf1a3cef9d438caca35dc92

SHA512
d1777f9e684a9e4174e18651e6d921ae11757ecdbeb4ee678c6a28e0903a4b9ab9f6e1419670b4d428ee20f86c7d424177ed9daf4365cf2ee376fcd065c1c92d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\python3.DLL

Filesize
64KB

MD5
34e49bb1dfddf6037f0001d9aefe7d61

SHA1
a25a39dca11cdc195c9ecd49e95657a3e4fe3215

SHA256
4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281

SHA512
edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\python311.dll

Filesize
1.6MB

MD5
db09c9bbec6134db1766d369c339a0a1

SHA1
c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b

SHA256
b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79

SHA512
653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\select.pyd

Filesize
24KB

MD5
c39459806c712b3b3242f8376218c1e1

SHA1
85d254fb6cc5d6ed20a04026bff1158c8fd0a530

SHA256
7cbd4339285d145b422afa280cee685258bc659806be9cf8b334805bc45b29c9

SHA512
b727c6d1cd451d658e174161135d3be48d7efda21c775b8145bc527a54d6592bfc50919276c6498d2e2233ac1524c1699f59f0f467cc6e43e5b5e9558c87f49d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\sqlite3.dll

Filesize
608KB

MD5
895f001ae969364432372329caf08b6a

SHA1
4567fc6672501648b277fe83e6b468a7a2155ddf

SHA256
f5dd29e1e99cf8967f7f81487dc624714dcbec79c1630f929d5507fc95cbfad7

SHA512
05b4559d283ea84174da72a6c11b8b93b1586b4e7d8cda8d745c814f8f6dff566e75f9d7890f32bd9dfe43485244973860f83f96ba39296e28127c9396453261

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\unicodedata.pyd

Filesize
293KB

MD5
06a5e52caf03426218f0c08fc02cc6b8

SHA1
ae232c63620546716fbb97452d73948ebfd06b35

SHA256
118c31faa930f2849a14c3133df36420a5832114df90d77b09cde0ad5f96f33a

SHA512
546b1a01f36d3689b0fdeeda8b1ce55e7d3451731ca70fffe6627d542fff19d7a70e27147cab1920aae8bed88272342908d4e9d671d7aba74abb5db398b90718

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\yarl\_quoting_c.cp311-win_amd64.pyd

Filesize
41KB

MD5
99569b47d3a55086013a5760a28ac6af

SHA1
9e5017979fb646b00c98f4fe2cf8c8f7d5dd3664

SHA256
469f039bfa377890b95c9d3413ece8ca296d156ad4ec194d8ec78d6b81a9d0b6

SHA512
8425d38d3b69472e5e41e4ece08ba2dbdd2d871c1bf083d859edec006a4ee9441796d53f1373f030c8ccf32b74bdaee2a9b3a32457cc53024d15322e5920895e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lfo03elu.rup.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/396-150-0x00007FFFC1E70000-0x00007FFFC2931000-memory.dmp

Filesize
10.8MB

Download
memory/396-38-0x00007FFFC1E70000-0x00007FFFC2931000-memory.dmp

Filesize
10.8MB

Download
memory/396-30-0x0000000000770000-0x0000000000788000-memory.dmp

Filesize
96KB

Download
memory/1232-164-0x00007FFFCE910000-0x00007FFFCE924000-memory.dmp

Filesize
80KB

Download
memory/1232-1549-0x00007FFFD0700000-0x00007FFFD0715000-memory.dmp

Filesize
84KB

Download
memory/1232-96-0x00007FFFBDDE0000-0x00007FFFBE3C8000-memory.dmp

Filesize
5.9MB

Download
memory/1232-300-0x00007FFFBCEF0000-0x00007FFFBD6EB000-memory.dmp

Filesize
8.0MB

Download
memory/1232-303-0x00007FFFD16F0000-0x00007FFFD16FD000-memory.dmp

Filesize
52KB

Download
memory/1232-301-0x00007FFFC3210000-0x00007FFFC3247000-memory.dmp

Filesize
220KB

Download
memory/1232-295-0x00007FFFC84D0000-0x00007FFFC851D000-memory.dmp

Filesize
308KB

Download
memory/1232-288-0x00007FFFCF2D0000-0x00007FFFCF2E2000-memory.dmp

Filesize
72KB

Download
memory/1232-287-0x00007FFFD0700000-0x00007FFFD0715000-memory.dmp

Filesize
84KB

Download
memory/1232-286-0x00007FFFC2EE0000-0x00007FFFC2F98000-memory.dmp

Filesize
736KB

Download
memory/1232-284-0x00007FFFCEA00000-0x00007FFFCEA2E000-memory.dmp

Filesize
184KB

Download
memory/1232-283-0x00007FFFBDA70000-0x00007FFFBDBE3000-memory.dmp

Filesize
1.4MB

Download
memory/1232-276-0x00007FFFD1A10000-0x00007FFFD1A34000-memory.dmp

Filesize
144KB

Download
memory/1232-285-0x00007FFFBD6F0000-0x00007FFFBDA65000-memory.dmp

Filesize
3.5MB

Download
memory/1232-275-0x00007FFFBDDE0000-0x00007FFFBE3C8000-memory.dmp

Filesize
5.9MB

Download
memory/1232-137-0x00007FFFD1470000-0x00007FFFD1489000-memory.dmp

Filesize
100KB

Download
memory/1232-172-0x00007FFFCE160000-0x00007FFFCE17B000-memory.dmp

Filesize
108KB

Download
memory/1232-571-0x00007FFFCDC20000-0x00007FFFCDC39000-memory.dmp

Filesize
100KB

Download
memory/1232-564-0x00007FFFD0700000-0x00007FFFD0715000-memory.dmp

Filesize
84KB

Download
memory/1232-552-0x00007FFFBDDE0000-0x00007FFFBE3C8000-memory.dmp

Filesize
5.9MB

Download
memory/1232-580-0x00007FFFD16F0000-0x00007FFFD16FD000-memory.dmp

Filesize
52KB

Download
memory/1232-572-0x00007FFFC84D0000-0x00007FFFC851D000-memory.dmp

Filesize
308KB

Download
memory/1232-181-0x00007FFFC84D0000-0x00007FFFC851D000-memory.dmp

Filesize
308KB

Download
memory/1232-186-0x00007FFFD0700000-0x00007FFFD0715000-memory.dmp

Filesize
84KB

Download
memory/1232-187-0x00007FFFBCEF0000-0x00007FFFBD6EB000-memory.dmp

Filesize
8.0MB

Download
memory/1232-191-0x00007FFFCDDC0000-0x00007FFFCDDE2000-memory.dmp

Filesize
136KB

Download
memory/1232-129-0x00007FFFD1A10000-0x00007FFFD1A34000-memory.dmp

Filesize
144KB

Download
memory/1232-130-0x00007FFFD24C0000-0x00007FFFD24CF000-memory.dmp

Filesize
60KB

Download
memory/1232-135-0x00007FFFD1FC0000-0x00007FFFD1FD9000-memory.dmp

Filesize
100KB

Download
memory/1232-136-0x00007FFFD2190000-0x00007FFFD219D000-memory.dmp

Filesize
52KB

Download
memory/1232-185-0x00007FFFD7D70000-0x00007FFFD7D7A000-memory.dmp

Filesize
40KB

Download
memory/1232-140-0x00007FFFD1440000-0x00007FFFD146D000-memory.dmp

Filesize
180KB

Download
memory/1232-142-0x00007FFFD1230000-0x00007FFFD1253000-memory.dmp

Filesize
140KB

Download
memory/1232-146-0x00007FFFBDA70000-0x00007FFFBDBE3000-memory.dmp

Filesize
1.4MB

Download
memory/1232-148-0x00007FFFCEA00000-0x00007FFFCEA2E000-memory.dmp

Filesize
184KB

Download
memory/1232-151-0x00007FFFBD6F0000-0x00007FFFBDA65000-memory.dmp

Filesize
3.5MB

Download
memory/1232-152-0x00007FFFC2EE0000-0x00007FFFC2F98000-memory.dmp

Filesize
736KB

Download
memory/1232-153-0x00007FFFBDDE0000-0x00007FFFBE3C8000-memory.dmp

Filesize
5.9MB

Download
memory/1232-155-0x00007FFFD0700000-0x00007FFFD0715000-memory.dmp

Filesize
84KB

Download
memory/1232-158-0x00007FFFCF2D0000-0x00007FFFCF2E2000-memory.dmp

Filesize
72KB

Download
memory/1232-160-0x00007FFFCECA0000-0x00007FFFCECB4000-memory.dmp

Filesize
80KB

Download
memory/1232-163-0x00007FFFD1FC0000-0x00007FFFD1FD9000-memory.dmp

Filesize
100KB

Download
memory/1232-188-0x00007FFFC3210000-0x00007FFFC3247000-memory.dmp

Filesize
220KB

Download
memory/1232-166-0x00007FFFCDDC0000-0x00007FFFCDDE2000-memory.dmp

Filesize
136KB

Download
memory/1232-169-0x00007FFFC2BA0000-0x00007FFFC2CBC000-memory.dmp

Filesize
1.1MB

Download
memory/1232-171-0x00007FFFD1230000-0x00007FFFD1253000-memory.dmp

Filesize
140KB

Download
memory/1232-178-0x00007FFFCDC20000-0x00007FFFCDC39000-memory.dmp

Filesize
100KB

Download
memory/1232-179-0x00007FFFCDC00000-0x00007FFFCDC11000-memory.dmp

Filesize
68KB

Download
memory/1232-180-0x00007FFFCEA00000-0x00007FFFCEA2E000-memory.dmp

Filesize
184KB

Download
memory/1232-182-0x00007FFFBD6F0000-0x00007FFFBDA65000-memory.dmp

Filesize
3.5MB

Download
memory/1232-1546-0x00007FFFD1230000-0x00007FFFD1253000-memory.dmp

Filesize
140KB

Download
memory/1232-1539-0x00007FFFC2EE0000-0x00007FFFC2F98000-memory.dmp

Filesize
736KB

Download
memory/1232-1538-0x00007FFFCEA00000-0x00007FFFCEA2E000-memory.dmp

Filesize
184KB

Download
memory/1232-1537-0x00007FFFD7D70000-0x00007FFFD7D7A000-memory.dmp

Filesize
40KB

Download
memory/1232-1545-0x00007FFFD1440000-0x00007FFFD146D000-memory.dmp

Filesize
180KB

Download
memory/1232-1557-0x00007FFFCDC00000-0x00007FFFCDC11000-memory.dmp

Filesize
68KB

Download
memory/1232-1556-0x00007FFFCDC20000-0x00007FFFCDC39000-memory.dmp

Filesize
100KB

Download
memory/1232-1564-0x00007FFFD16F0000-0x00007FFFD16FD000-memory.dmp

Filesize
52KB

Download
memory/1232-1563-0x00007FFFC3210000-0x00007FFFC3247000-memory.dmp

Filesize
220KB

Download
memory/1232-1562-0x00007FFFBCEF0000-0x00007FFFBD6EB000-memory.dmp

Filesize
8.0MB

Download
memory/1232-1561-0x00007FFFBD6F0000-0x00007FFFBDA65000-memory.dmp

Filesize
3.5MB

Download
memory/1232-1560-0x00007FFFCD680000-0x00007FFFCD69E000-memory.dmp

Filesize
120KB

Download
memory/1232-1559-0x00007FFFCC030000-0x00007FFFCC062000-memory.dmp

Filesize
200KB

Download
memory/1232-1558-0x00007FFFBDA70000-0x00007FFFBDBE3000-memory.dmp

Filesize
1.4MB

Download
memory/1232-1555-0x00007FFFCE160000-0x00007FFFCE17B000-memory.dmp

Filesize
108KB

Download
memory/1232-1554-0x00007FFFC2BA0000-0x00007FFFC2CBC000-memory.dmp

Filesize
1.1MB

Download
memory/1232-1553-0x00007FFFCDDC0000-0x00007FFFCDDE2000-memory.dmp

Filesize
136KB

Download
memory/1232-1552-0x00007FFFCE910000-0x00007FFFCE924000-memory.dmp

Filesize
80KB

Download
memory/1232-1551-0x00007FFFCECA0000-0x00007FFFCECB4000-memory.dmp

Filesize
80KB

Download
memory/1232-1550-0x00007FFFCF2D0000-0x00007FFFCF2E2000-memory.dmp

Filesize
72KB

Download
memory/1232-217-0x00007FFFCE160000-0x00007FFFCE17B000-memory.dmp

Filesize
108KB

Download
memory/1232-1544-0x00007FFFD1470000-0x00007FFFD1489000-memory.dmp

Filesize
100KB

Download
memory/1232-1543-0x00007FFFD2190000-0x00007FFFD219D000-memory.dmp

Filesize
52KB

Download
memory/1232-1542-0x00007FFFD1FC0000-0x00007FFFD1FD9000-memory.dmp

Filesize
100KB

Download
memory/1232-1541-0x00007FFFD24C0000-0x00007FFFD24CF000-memory.dmp

Filesize
60KB

Download
memory/1232-1540-0x00007FFFD1A10000-0x00007FFFD1A34000-memory.dmp

Filesize
144KB

Download
memory/1232-1548-0x00007FFFBDDE0000-0x00007FFFBE3C8000-memory.dmp

Filesize
5.9MB

Download
memory/1232-1547-0x00007FFFC84D0000-0x00007FFFC851D000-memory.dmp

Filesize
308KB

Download
memory/1232-183-0x00007FFFCC030000-0x00007FFFCC062000-memory.dmp

Filesize
200KB

Download
memory/1232-184-0x00007FFFCD680000-0x00007FFFCD69E000-memory.dmp

Filesize
120KB

Download
memory/1896-192-0x00007FFFE06D0000-0x00007FFFE06D2000-memory.dmp

Filesize
8KB

Download
memory/1896-200-0x0000000140000000-0x0000000141F18000-memory.dmp

Filesize
31.1MB

Download
memory/1896-193-0x00007FFFE06E0000-0x00007FFFE06E2000-memory.dmp

Filesize
8KB

Download
memory/2380-26-0x00007FFFC1E70000-0x00007FFFC2931000-memory.dmp

Filesize
10.8MB

Download
memory/2380-145-0x00007FFFC1E70000-0x00007FFFC2931000-memory.dmp

Filesize
10.8MB

Download
memory/2380-22-0x0000000000220000-0x00000000002C6000-memory.dmp

Filesize
664KB

Download
memory/4004-208-0x00000250710C0000-0x00000250710E2000-memory.dmp

Filesize
136KB

Download
memory/4516-597-0x00000000751F0000-0x0000000075416000-memory.dmp

Filesize
2.1MB

Download
memory/4516-596-0x0000000000CA0000-0x0000000000CD5000-memory.dmp

Filesize
212KB

Download
memory/5084-138-0x00007FFFC1E70000-0x00007FFFC2931000-memory.dmp

Filesize
10.8MB

Download
memory/5084-0-0x00007FFFC1E73000-0x00007FFFC1E75000-memory.dmp

Filesize
8KB

Download
memory/5084-3-0x00007FFFC1E70000-0x00007FFFC2931000-memory.dmp

Filesize
10.8MB

Download
memory/5084-1-0x00000000004A0000-0x0000000001E36000-memory.dmp

Filesize
25.6MB

Download