exelastealer | a3d7cd217684a58df277f072e1b7e1a4e00448f1b7530fdae13af3903d1327a5

Resubmissions

30-01-2025 06:53

250130-hnt6ls1rb1 10

30-01-2025 06:51

250130-hmx6wa1rat 10

30-01-2025 06:45

250130-hh5p6a1pgt 10

Analysis

max time kernel
232s
max time network
242s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
30-01-2025 06:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Wave.exe
Size

9.8MB
MD5

708932216a4a65b3e560893a115673f2
SHA1

e9aeef34258854948f50f1c6bbd8eb69772d0e59
SHA256

a3d7cd217684a58df277f072e1b7e1a4e00448f1b7530fdae13af3903d1327a5
SHA512

78ce6826fa7d3d561ce69d395b62e5178ab7333a510652b614fa7864ac61bf3901a07d49b39bd43968f5f54ef6f04fd9c6aa7af7a435d05c1a3833bf61272992
SSDEEP

196608:QNnP/g2ys0VxNQMiLP8qJEdHvHMeNxHFJMIDJ+gsAGKkRWyHEWzsT:/JBukqJEdPHTlFqy+gs1WYzs

Score

10^/10

exelastealer collection defense_evasion discovery persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
852	netsh.exe
3616	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3320	cmd.exe
3216	powershell.exe

Executes dropped EXE 8 IoCs

pid	Process
832	install.exe
4144	install.exe
1912	Setup.exe
4644	Setup.exe
1376	vcredist2015_2017_2019_2022_x86.exe
4956	VC_redist.x86.exe
4796	vcredist2015_2017_2019_2022_x64.exe
4688	VC_redist.x64.exe

Loads dropped DLL 61 IoCs

pid	Process
2004	Wave.exe
2004	Wave.exe
2004	Wave.exe
2004	Wave.exe
2004	Wave.exe
2004	Wave.exe
2004	Wave.exe
2004	Wave.exe
2004	Wave.exe
2004	Wave.exe
2004	Wave.exe
2004	Wave.exe
2004	Wave.exe
2004	Wave.exe
2004	Wave.exe
2004	Wave.exe
2004	Wave.exe
2004	Wave.exe
2004	Wave.exe
2004	Wave.exe
2004	Wave.exe
2004	Wave.exe
2004	Wave.exe
2004	Wave.exe
2004	Wave.exe
2004	Wave.exe
2004	Wave.exe
2004	Wave.exe
2004	Wave.exe
2004	Wave.exe
2004	Wave.exe
2004	Wave.exe
2004	Wave.exe
2004	Wave.exe
2004	Wave.exe
2004	Wave.exe
1640	MsiExec.exe
3216	MsiExec.exe
3216	MsiExec.exe
832	install.exe
4144	install.exe
1912	Setup.exe
1912	Setup.exe
1912	Setup.exe
1912	Setup.exe
1912	Setup.exe
4644	Setup.exe
4644	Setup.exe
4644	Setup.exe
4644	Setup.exe
4644	Setup.exe
2164	vcredist2012_x86.exe
4648	vcredist2012_x64.exe
2144	vcredist2013_x86.exe
1048	vcredist_x86.exe
1552	vcredist2013_x64.exe
1912	vcredist_x64.exe
1376	vcredist2015_2017_2019_2022_x86.exe
1912	VC_redist.x86.exe
4796	vcredist2015_2017_2019_2022_x64.exe
1912	VC_redist.x64.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6} = "\"C:\\ProgramData\\Package Cache\\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\\vcredist_x64.exe\" /burn.log.append \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredist_amd64_20250130065713.log\" /passive /norestart ignored /burn.runonce"	vcredist2012_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{9dff3540-fc85-4ed5-ac84-9e3c7fd8bece} = "\"C:\\ProgramData\\Package Cache\\{9dff3540-fc85-4ed5-ac84-9e3c7fd8bece}\\vcredist_x86.exe\" /burn.runonce"	vcredist2013_x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7} = "\"C:\\ProgramData\\Package Cache\\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\\vcredist_x64.exe\" /burn.runonce"	vcredist2013_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{e7802eac-3305-4da0-9378-e55d1ed05518} = "\"C:\\ProgramData\\Package Cache\\{e7802eac-3305-4da0-9378-e55d1ed05518}\\VC_redist.x86.exe\" /burn.runonce"	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{804e7d66-ccc2-4c12-84ba-476da31d103d} = "\"C:\\ProgramData\\Package Cache\\{804e7d66-ccc2-4c12-84ba-476da31d103d}\\VC_redist.x64.exe\" /burn.runonce"	VC_redist.x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	vcredist2005_x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	vcredist2005_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f} = "\"C:\\ProgramData\\Package Cache\\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\\vcredist_x86.exe\" /burn.log.append \"C:\\Users\\Admin\\AppData\\Local\\Temp\\dd_vcredist_x86_20250130065712.log\" /passive /norestart ignored /burn.runonce"	vcredist2012_x86.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
4988	cmd.exe
2852	ARP.EXE

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mfc140cht.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp100.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc120ita.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc120rus.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc120kor.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140enu.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp140_atomic_wait.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140fra.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc100deu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_atomic_wait.dll	msiexec.exe
File created	C:\Windows\system32\mfc140kor.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp120.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140jpn.dll	msiexec.exe
File created	C:\Windows\system32\mfc120rus.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc100enu.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc120u.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc120jpn.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp100.dll	msiexec.exe
File opened for modification	C:\Windows\system32\atl100.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc100.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140_threads.dll	msiexec.exe
File created	C:\Windows\system32\mfc140deu.dll	msiexec.exe
File created	C:\Windows\system32\vccorlib120.dll	msiexec.exe
File created	C:\Windows\SysWOW64\concrt140.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp140_codecvt_ids.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc120esn.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc120kor.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcr120.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc100rus.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcomp100.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcomp120.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140chs.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfc140chs.dll	msiexec.exe
File created	C:\Windows\SysWOW64\mfcm120.dll	msiexec.exe
File created	C:\Windows\system32\mfc120esn.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcamp140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcr120.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcruntime140_threads.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc140cht.dll	msiexec.exe
File created	C:\Windows\system32\vcruntime140.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc100esn.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm100.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfcm120u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\vcamp120.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc100u.dll	msiexec.exe
File created	C:\Windows\SysWOW64\vcamp120.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc120chs.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\vcomp100.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp140_2.dll	msiexec.exe
File opened for modification	C:\Windows\system32\concrt140.dll	msiexec.exe
File created	C:\Windows\system32\mfcm140u.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\mfc120deu.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc120ita.dll	msiexec.exe
File created	C:\Windows\system32\mfc120cht.dll	msiexec.exe
File created	C:\Windows\system32\vccorlib140.dll	msiexec.exe
File created	C:\Windows\system32\mfc140chs.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc100u.dll	msiexec.exe
File opened for modification	C:\Windows\system32\mfc100jpn.dll	msiexec.exe
File created	C:\Windows\system32\mfc120u.dll	msiexec.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
3240	tasklist.exe
3736	tasklist.exe
2772	tasklist.exe
4776	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4656	cmd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002abe9-47.dat	upx
behavioral1/memory/2004-52-0x00007FFF31C00000-0x00007FFF3206E000-memory.dmp	upx
behavioral1/files/0x001900000002abe3-61.dat	upx
behavioral1/memory/2004-84-0x00007FFF3B640000-0x00007FFF3B64F000-memory.dmp	upx
behavioral1/files/0x001000000002abc3-83.dat	upx
behavioral1/files/0x001900000002abeb-87.dat	upx
behavioral1/memory/2004-94-0x00007FFF368A0000-0x00007FFF368BF000-memory.dmp	upx
behavioral1/memory/2004-96-0x00007FFF24DE0000-0x00007FFF24F51000-memory.dmp	upx
behavioral1/memory/2004-98-0x00007FFF36330000-0x00007FFF3635E000-memory.dmp	upx
behavioral1/files/0x001900000002abe2-101.dat	upx
behavioral1/memory/2004-103-0x00007FFF35C70000-0x00007FFF35D28000-memory.dmp	upx
behavioral1/files/0x001900000002abb7-109.dat	upx
behavioral1/memory/2004-116-0x00007FFF36720000-0x00007FFF36735000-memory.dmp	upx
behavioral1/files/0x001900000002abc5-122.dat	upx
behavioral1/memory/2004-143-0x00007FFF35C70000-0x00007FFF35D28000-memory.dmp	upx
behavioral1/memory/2004-148-0x00007FFF35BF0000-0x00007FFF35C43000-memory.dmp	upx
behavioral1/memory/2004-147-0x00007FFF248C0000-0x00007FFF24A53000-memory.dmp	upx
behavioral1/memory/2004-150-0x00007FFF35950000-0x00007FFF35989000-memory.dmp	upx
behavioral1/memory/2004-149-0x00007FFF244E0000-0x00007FFF248B7000-memory.dmp	upx
behavioral1/memory/2004-146-0x00007FFF35C50000-0x00007FFF35C66000-memory.dmp	upx
behavioral1/memory/2004-157-0x00007FFF35E20000-0x00007FFF35E33000-memory.dmp	upx
behavioral1/memory/2004-145-0x00007FFF24A60000-0x00007FFF24DD5000-memory.dmp	upx
behavioral1/memory/2004-142-0x00007FFF36330000-0x00007FFF3635E000-memory.dmp	upx
behavioral1/memory/2004-141-0x00007FFF39800000-0x00007FFF3980A000-memory.dmp	upx
behavioral1/memory/2004-140-0x00007FFF39F80000-0x00007FFF39F8E000-memory.dmp	upx
behavioral1/memory/2004-139-0x00007FFF24DE0000-0x00007FFF24F51000-memory.dmp	upx
behavioral1/files/0x001900000002abc8-137.dat	upx
behavioral1/memory/2004-136-0x00007FFF35DC0000-0x00007FFF35DFF000-memory.dmp	upx
behavioral1/memory/2004-135-0x00007FFF368A0000-0x00007FFF368BF000-memory.dmp	upx
behavioral1/files/0x001900000002abc6-133.dat	upx
behavioral1/memory/2004-129-0x00007FFF2F140000-0x00007FFF2F21F000-memory.dmp	upx
behavioral1/files/0x001900000002abae-128.dat	upx
behavioral1/memory/2004-127-0x00007FFF35E00000-0x00007FFF35E15000-memory.dmp	upx
behavioral1/files/0x001900000002abc7-126.dat	upx
behavioral1/memory/2004-125-0x00007FFF35E20000-0x00007FFF35E33000-memory.dmp	upx
behavioral1/memory/2004-121-0x00007FFF35E40000-0x00007FFF35E5B000-memory.dmp	upx
behavioral1/memory/2004-120-0x00007FFF368E0000-0x00007FFF368F9000-memory.dmp	upx
behavioral1/memory/2004-119-0x00007FFF31AE0000-0x00007FFF31BF8000-memory.dmp	upx
behavioral1/files/0x001900000002abf1-118.dat	upx
behavioral1/memory/2004-115-0x00007FFF36310000-0x00007FFF36324000-memory.dmp	upx
behavioral1/files/0x001900000002abef-114.dat	upx
behavioral1/memory/2004-113-0x00007FFF366C0000-0x00007FFF366D4000-memory.dmp	upx
behavioral1/memory/2004-164-0x00007FFF2F140000-0x00007FFF2F21F000-memory.dmp	upx
behavioral1/memory/2004-112-0x00007FFF3A790000-0x00007FFF3A7A0000-memory.dmp	upx
behavioral1/memory/2004-111-0x00007FFF369E0000-0x00007FFF36A04000-memory.dmp	upx
behavioral1/memory/2004-110-0x00007FFF24A60000-0x00007FFF24DD5000-memory.dmp	upx
behavioral1/files/0x001900000002abe6-108.dat	upx
behavioral1/files/0x001900000002abba-106.dat	upx
behavioral1/files/0x001900000002abad-105.dat	upx
behavioral1/memory/2004-102-0x00007FFF31C00000-0x00007FFF3206E000-memory.dmp	upx
behavioral1/files/0x001900000002abe4-99.dat	upx
behavioral1/files/0x001900000002abc0-97.dat	upx
behavioral1/files/0x001900000002abec-95.dat	upx
behavioral1/files/0x001900000002abbf-93.dat	upx
behavioral1/memory/2004-92-0x00007FFF36360000-0x00007FFF3638D000-memory.dmp	upx
behavioral1/files/0x001c00000002abb8-91.dat	upx
behavioral1/memory/2004-90-0x00007FFF368C0000-0x00007FFF368D9000-memory.dmp	upx
behavioral1/files/0x001900000002abb1-89.dat	upx
behavioral1/memory/2004-88-0x00007FFF3B630000-0x00007FFF3B63D000-memory.dmp	upx
behavioral1/memory/2004-86-0x00007FFF368E0000-0x00007FFF368F9000-memory.dmp	upx
behavioral1/files/0x001c00000002abbe-85.dat	upx
behavioral1/files/0x001900000002abbd-79.dat	upx
behavioral1/files/0x001900000002abb9-77.dat	upx
behavioral1/files/0x001900000002abb4-74.dat	upx

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia80.dll	msiexec.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\amd64\msdia80.dll	msiexec.exe
File opened for modification	\??\c:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia90.dll	msiexec.exe
File created	\??\c:\Program Files (x86)\Common Files\Microsoft Shared\VC\msdia90.dll	msiexec.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll	msiexec.exe
File created	\??\c:\Program Files\Common Files\Microsoft Shared\VC\msdia90.dll	msiexec.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\WinSxS\InstallTemp\20250130065622879.0	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9C14.tmp	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20250130065656743.0\mfc80CHT.dll	msiexec.exe
File created	C:\Windows\SystemTemp\~DFCA46C604B2F03A47.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIECAD.tmp	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\12B8D03ED28D112328CCF0A0D541598E\12.0.40660\F_CENTRAL_vcamp120_x86	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8520DAD7C5154DD39846DB1714990E7F\12.0.40660\F_CENTRAL_mfc120cht_x86	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\CE6380BC270BD863282B3D74B09F7570\12.0.40660\F_CENTRAL_vccorlib120_x64	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\44DB0475D85BA123FA0CD6D35465DDC6\12.0.40660\F_CENTRAL_mfc120u_x64	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20250130065656743.0\amd64_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_9c659d69.manifest	msiexec.exe
File created	C:\Windows\SystemTemp\~DFBCD4F2A0D4A08991.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI126E.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{382F1166-A409-4C5B-9B1E-85ED538B8291}	msiexec.exe
File opened for modification	C:\Windows\Installer\e5a181d.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE191.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{8122DAB1-ED4D-3676-BB0A-CA368196543E}	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\12B8D03ED28D112328CCF0A0D541598E\12.0.40660\F_CENTRAL_msvcp120_x86	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8520DAD7C5154DD39846DB1714990E7F\12.0.40660\F_CENTRAL_mfc120fra_x86	msiexec.exe
File created	C:\Windows\SystemTemp\~DF344488629D35BBC2.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF3AAFBE7901CE334D.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF74B38D5CA6EB1291.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DFF814694F0E83E125.TMP	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\44DB0475D85BA123FA0CD6D35465DDC6\12.0.40660\F_CENTRAL_mfc120esn_x64	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20250130065656696.0\mfc80u.dll	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\44DB0475D85BA123FA0CD6D35465DDC6\12.0.40660\F_CENTRAL_mfc120fra_x64	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\44DB0475D85BA123FA0CD6D35465DDC6\12.0.40660\F_CENTRAL_mfc120rus_x64	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20250130065622944.0\mfc80KOR.dll	msiexec.exe
File created	C:\Windows\Installer\e5a177b.msi	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8520DAD7C5154DD39846DB1714990E7F\12.0.40660\F_CENTRAL_mfcm120_x86	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF58A.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{010792BA-551A-3AC0-A7EF-0FAB4156C382}	msiexec.exe
File created	C:\Windows\Installer\e5a17e2.msi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20250130065622845.0\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20250130065623031.0\8.0.50727.6195.policy	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20250130065623031.0\8.0.50727.6195.cat	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20250130065656796.0\8.0.50727.6195.policy	msiexec.exe
File opened for modification	C:\Windows\Installer\e5a176e.msp	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8520DAD7C5154DD39846DB1714990E7F\12.0.40660\F_CENTRAL_mfc120chs_x86	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8520DAD7C5154DD39846DB1714990E7F\12.0.40660\F_CENTRAL_mfc120deu_x86	msiexec.exe
File created	C:\Windows\SystemTemp\~DFB423147AC15C0B22.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DF2DA00EB570A4462E.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{84E3E712-6343-484B-8B6C-9F145F019A70}	msiexec.exe
File created	C:\Windows\SystemTemp\~DFD3C3E522AAF8BDC5.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID3A4.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{53CF6934-A98D-3D84-9146-FC4EDF3D5641}	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\CE6380BC270BD863282B3D74B09F7570\12.0.40660\F_CENTRAL_vcamp120_x64	msiexec.exe
File created	C:\Windows\SystemTemp\~DF911AB94F4528D4BF.TMP	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E1902FC6-C423-4719-AB8A-AC7B2694B367}	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20250130065622944.0\mfc80CHS.dll	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20250130065656652.0\amd64_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_76301166.manifest	msiexec.exe
File created	C:\Windows\SystemTemp\~DF44FDBD82768FFA20.TMP	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20250130065622996.0\x86_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_452bf920.manifest	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8520DAD7C5154DD39846DB1714990E7F\12.0.40660\F_CENTRAL_mfc120fra_x86	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI349.tmp	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\44DB0475D85BA123FA0CD6D35465DDC6\12.0.40660\F_CENTRAL_mfc120enu_x64	msiexec.exe
File created	C:\Windows\SystemTemp\~DF73E666E1A4F255CC.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\CE6380BC270BD863282B3D74B09F7570\12.0.40660\F_CENTRAL_vcamp120_x64	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI182D.tmp	msiexec.exe
File created	C:\Windows\Installer\e5a180a.msi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20250130065622879.0\mfcm80u.dll	msiexec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20250130065622996.0	msiexec.exe
File created	C:\Windows\Installer\e5a1757.msi	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20250130065656743.0\mfc80ITA.dll	msiexec.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4968	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 2 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2064	msiexec.exe
2976	msiexec.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 37 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2010_x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2012_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2013_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2012_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2013_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2012_x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2015_2017_2019_2022_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2005_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2010_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2012_x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist_x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VC_redist.x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2008_x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2013_x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2015_2017_2019_2022_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	install.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2015_2017_2019_2022_x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2015_2017_2019_2022_x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2005_x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2008_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2013_x86.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist_x86.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4832	cmd.exe
4960	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
2484	NETSTAT.EXE

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000000ffe3df86b77af750000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800000ffe3df80000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809000ffe3df8000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d0ffe3df8000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000ffe3df800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 11 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	wermgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	wermgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
4772	WMIC.exe

Enumerates system info in registry 2 TTPs 8 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4080	ipconfig.exe
2484	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3480	systeminfo.exe

Kills process with taskkill 2 IoCs

defense_evasion

pid	Process
1532	taskkill.exe
464	taskkill.exe

Modifies data under HKEY_USERS 49 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\3A	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\3C	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\3d	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2D	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\3B	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\3D	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\28	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2c	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\38	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\31	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\28	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\29	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2B	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\3b	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2f	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\33	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\39	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\39	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\37	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\37	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\3c	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\30	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\32	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\32	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\33	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\36	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2d	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\35	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\38	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\3a	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\31	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\34	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\34	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\29	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2C	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\30	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\35	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\36	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\3e	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6E815EB96CCE9A53884E7857C57002F0\FT_VC_Redist_ATL_x86 = "VC_Redist_12222_x86_enu"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6E815EB96CCE9A53884E7857C57002F0\FT_VC_Redist_MFCLOC_x86 = "VC_Redist_12222_x86_enu"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6611F283904AB5C4B9E158DE35B82819\AuthorizedLUAApp = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.CRT,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86" = 67006700610044004c004d004e002c00540040003f004400350062002e0057004b0075003d005d00560043005f005200650064006900730074003e0061005a004f002c0048002a004b00320060004500650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\c1c4f01781cc94c4c8fb1542c0981a2a\SourceList\PackageName = "vcredist.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4396FC35D89A48D31964CFE4FDD36514\PackageCode = "1553588F03D4A6D43BA639FEDAE4EE30"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4396FC35D89A48D31964CFE4FDD36514\SourceList\Media\1 = ";"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\44DB0475D85BA123FA0CD6D35465DDC6\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Dependents\{804e7d66-ccc2-4c12-84ba-476da31d103d}	VC_redist.x64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\67D6ECF5CD5FBA732B8B22BAC8DE1B4D\FT_VC_Redist_OpenMP_x64 = "VC_Redist_12222_amd64_enu"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1D5E3C0FEDA1E123187686FED06E995A\KB2565063 = "Servicing_Key"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D169104D02A37CA349B316935DDB94A0\Provider	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\DisplayName = "Microsoft Visual C++ 2022 X86 Additional Runtime - 14.42.34433"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\1 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\9 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\InstanceType = "0"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\679E80FBE29B63345BF612177149674C\SourceList	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\217E3E483436B484B8C6F941F510A907\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\AA5D9C68C00F12943B2F6CA09FE28244	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\6 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4396FC35D89A48D31964CFE4FDD36514\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Version = "14.42.34433"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\SourceList\PackageName = "vc_runtimeAdditional_x64.msi"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.MFCLOC,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e00530021004900240047002e004f005f0078006800650038004d006b0062004900640046007700550000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Patches\4D54076CED4F5BA32BBD3E5FAD1CD4C9\SourceList	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12B8D03ED28D112328CCF0A0D541598E\SourceList\Media	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12B8D03ED28D112328CCF0A0D541598E\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\VC,redist.x86,x86,14.42,bundle	VC_redist.x86.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D169104D02A37CA349B316935DDB94A0\ProductName = "Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.40664"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v12\Version = "12.0.40664"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x86,x86,14.30,bundle\Dependents	VC_redist.x86.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\c1c4f01781cc94c4c8fb1542c0981a2a	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1926E8D15D0BCE53481466615F760A7F\Version = "167812379"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v12\ = "{D401961D-3A20-3AC7-943B-6139D5BD490A}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4396FC35D89A48D31964CFE4FDD36514\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{53CF6934-A98D-3D84-9146-FC4EDF3D5641}v12.0.40664\\packages\\vcRuntimeMinimum_amd64\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Features\1af2a8da7e60d0b429d7e6453b3d0182	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1D5E3C0FEDA1E123187686FED06E995A	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v12	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5040806F8AF9AAC49928419ED5A1D3CA\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\DisplayName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.42.34433"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Patches\4D54076CED4F5BA32BBD3E5FAD1CD4C9\SourceList\Net\2 = "f:\\2a134a654e3e2c0a8abcd4\\"	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\44DB0475D85BA123FA0CD6D35465DDC6\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA59BB2C3F091984181C7A5E56BB38C6\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\67D6ECF5CD5FBA732B8B22BAC8DE1B4D\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1D5E3C0FEDA1E123187686FED06E995A\ProductName = "Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6CF2091E324C9174BAA8CAB762493B76\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\5 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\10 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.9.0.Microsoft.VC90.ATL,version="9.0.30729.6161",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32-policy" = 5300530073002b005a0066007a00250039003500390027006e006a004d0066002c00350072002700460054005f00560043005f005200650064006900730074005f00410054004c005f007800380036003e004e002e004b004300300068004d0064007b00340060006d002b00380039004f002e002e003100540000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1926E8D15D0BCE53481466615F760A7F\KB2524860 = "Servicing_Key"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v12\Dependents\{9dff3540-fc85-4ed5-ac84-9e3c7fd8bece}	vcredist2013_x86.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\4396FC35D89A48D31964CFE4FDD36514\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C05586832351A613E9FF58906A9EF297	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}	vcredist_x64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\217E3E483436B484B8C6F941F510A907\SourceList\PackageName = "vc_runtimeAdditional_x86.msi"	msiexec.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Visual-C-Runtimes-All-in-One-Nov-2024.zip:Zone.Identifier	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3156	msedge.exe
3156	msedge.exe
3524	msedge.exe
3524	msedge.exe
3216	powershell.exe
3216	powershell.exe
1396	msedge.exe
1396	msedge.exe
2856	msedge.exe
2856	msedge.exe
464	msedge.exe
464	msedge.exe
3464	identity_helper.exe
3464	identity_helper.exe
2032	msedge.exe
2032	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
2248	msiexec.exe
2248	msiexec.exe
2248	msiexec.exe
2248	msiexec.exe
2248	msiexec.exe
2248	msiexec.exe
2248	msiexec.exe
2248	msiexec.exe
1912	Setup.exe
1912	Setup.exe
1912	Setup.exe
1912	Setup.exe
1912	Setup.exe
1912	Setup.exe
1912	Setup.exe
1912	Setup.exe
1912	Setup.exe
1912	Setup.exe
1912	Setup.exe
1912	Setup.exe
2248	msiexec.exe
2248	msiexec.exe
2248	msiexec.exe
2248	msiexec.exe
4644	Setup.exe
4644	Setup.exe
4644	Setup.exe
4644	Setup.exe
4644	Setup.exe
4644	Setup.exe
4644	Setup.exe
4644	Setup.exe
4644	Setup.exe
4644	Setup.exe
4644	Setup.exe
4644	Setup.exe
2248	msiexec.exe
2248	msiexec.exe
2248	msiexec.exe
2248	msiexec.exe
2248	msiexec.exe
2248	msiexec.exe
2248	msiexec.exe
2248	msiexec.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 49 IoCs

pid	Process
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3240	tasklist.exe
Token: SeIncreaseQuotaPrivilege	464	WMIC.exe
Token: SeSecurityPrivilege	464	WMIC.exe
Token: SeTakeOwnershipPrivilege	464	WMIC.exe
Token: SeLoadDriverPrivilege	464	WMIC.exe
Token: SeSystemProfilePrivilege	464	WMIC.exe
Token: SeSystemtimePrivilege	464	WMIC.exe
Token: SeProfSingleProcessPrivilege	464	WMIC.exe
Token: SeIncBasePriorityPrivilege	464	WMIC.exe
Token: SeCreatePagefilePrivilege	464	WMIC.exe
Token: SeBackupPrivilege	464	WMIC.exe
Token: SeRestorePrivilege	464	WMIC.exe
Token: SeShutdownPrivilege	464	WMIC.exe
Token: SeDebugPrivilege	464	WMIC.exe
Token: SeSystemEnvironmentPrivilege	464	WMIC.exe
Token: SeRemoteShutdownPrivilege	464	WMIC.exe
Token: SeUndockPrivilege	464	WMIC.exe
Token: SeManageVolumePrivilege	464	WMIC.exe
Token: 33	464	WMIC.exe
Token: 34	464	WMIC.exe
Token: 35	464	WMIC.exe
Token: 36	464	WMIC.exe
Token: SeIncreaseQuotaPrivilege	464	WMIC.exe
Token: SeSecurityPrivilege	464	WMIC.exe
Token: SeTakeOwnershipPrivilege	464	WMIC.exe
Token: SeLoadDriverPrivilege	464	WMIC.exe
Token: SeSystemProfilePrivilege	464	WMIC.exe
Token: SeSystemtimePrivilege	464	WMIC.exe
Token: SeProfSingleProcessPrivilege	464	WMIC.exe
Token: SeIncBasePriorityPrivilege	464	WMIC.exe
Token: SeCreatePagefilePrivilege	464	WMIC.exe
Token: SeBackupPrivilege	464	WMIC.exe
Token: SeRestorePrivilege	464	WMIC.exe
Token: SeShutdownPrivilege	464	WMIC.exe
Token: SeDebugPrivilege	464	WMIC.exe
Token: SeSystemEnvironmentPrivilege	464	WMIC.exe
Token: SeRemoteShutdownPrivilege	464	WMIC.exe
Token: SeUndockPrivilege	464	WMIC.exe
Token: SeManageVolumePrivilege	464	WMIC.exe
Token: 33	464	WMIC.exe
Token: 34	464	WMIC.exe
Token: 35	464	WMIC.exe
Token: 36	464	WMIC.exe
Token: SeDebugPrivilege	3736	tasklist.exe
Token: SeDebugPrivilege	464	taskkill.exe
Token: SeDebugPrivilege	1532	taskkill.exe
Token: SeDebugPrivilege	2772	tasklist.exe
Token: SeDebugPrivilege	3216	powershell.exe
Token: SeIncreaseQuotaPrivilege	4772	WMIC.exe
Token: SeSecurityPrivilege	4772	WMIC.exe
Token: SeTakeOwnershipPrivilege	4772	WMIC.exe
Token: SeLoadDriverPrivilege	4772	WMIC.exe
Token: SeSystemProfilePrivilege	4772	WMIC.exe
Token: SeSystemtimePrivilege	4772	WMIC.exe
Token: SeProfSingleProcessPrivilege	4772	WMIC.exe
Token: SeIncBasePriorityPrivilege	4772	WMIC.exe
Token: SeCreatePagefilePrivilege	4772	WMIC.exe
Token: SeBackupPrivilege	4772	WMIC.exe
Token: SeRestorePrivilege	4772	WMIC.exe
Token: SeShutdownPrivilege	4772	WMIC.exe
Token: SeDebugPrivilege	4772	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4772	WMIC.exe
Token: SeRemoteShutdownPrivilege	4772	WMIC.exe
Token: SeUndockPrivilege	4772	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
3524	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3524 wrote to memory of 1224	3524	msedge.exe	80
PID 3524 wrote to memory of 1224	3524	msedge.exe	80
PID 4624 wrote to memory of 2004	4624	Wave.exe	81
PID 4624 wrote to memory of 2004	4624	Wave.exe	81
PID 2004 wrote to memory of 952	2004	Wave.exe	82
PID 2004 wrote to memory of 952	2004	Wave.exe	82
PID 2004 wrote to memory of 1376	2004	Wave.exe	84
PID 2004 wrote to memory of 1376	2004	Wave.exe	84
PID 2004 wrote to memory of 3644	2004	Wave.exe	85
PID 2004 wrote to memory of 3644	2004	Wave.exe	85
PID 3644 wrote to memory of 3240	3644	cmd.exe	88
PID 3644 wrote to memory of 3240	3644	cmd.exe	88
PID 1376 wrote to memory of 464	1376	cmd.exe	111
PID 1376 wrote to memory of 464	1376	cmd.exe	111
PID 2004 wrote to memory of 4656	2004	Wave.exe	91
PID 2004 wrote to memory of 4656	2004	Wave.exe	91
PID 4656 wrote to memory of 4340	4656	cmd.exe	93
PID 4656 wrote to memory of 4340	4656	cmd.exe	93
PID 2004 wrote to memory of 4492	2004	Wave.exe	94
PID 2004 wrote to memory of 4492	2004	Wave.exe	94
PID 2004 wrote to memory of 2808	2004	Wave.exe	132
PID 2004 wrote to memory of 2808	2004	Wave.exe	132
PID 4492 wrote to memory of 5076	4492	cmd.exe	98
PID 4492 wrote to memory of 5076	4492	cmd.exe	98
PID 2808 wrote to memory of 3736	2808	cmd.exe	99
PID 2808 wrote to memory of 3736	2808	cmd.exe	99
PID 3524 wrote to memory of 1484	3524	msedge.exe	100
PID 3524 wrote to memory of 1484	3524	msedge.exe	100
PID 3524 wrote to memory of 1484	3524	msedge.exe	100
PID 3524 wrote to memory of 1484	3524	msedge.exe	100
PID 3524 wrote to memory of 1484	3524	msedge.exe	100
PID 3524 wrote to memory of 1484	3524	msedge.exe	100
PID 3524 wrote to memory of 1484	3524	msedge.exe	100
PID 3524 wrote to memory of 1484	3524	msedge.exe	100
PID 3524 wrote to memory of 1484	3524	msedge.exe	100
PID 3524 wrote to memory of 1484	3524	msedge.exe	100
PID 3524 wrote to memory of 1484	3524	msedge.exe	100
PID 3524 wrote to memory of 1484	3524	msedge.exe	100
PID 3524 wrote to memory of 1484	3524	msedge.exe	100
PID 3524 wrote to memory of 1484	3524	msedge.exe	100
PID 3524 wrote to memory of 1484	3524	msedge.exe	100
PID 3524 wrote to memory of 1484	3524	msedge.exe	100
PID 3524 wrote to memory of 1484	3524	msedge.exe	100
PID 3524 wrote to memory of 1484	3524	msedge.exe	100
PID 3524 wrote to memory of 1484	3524	msedge.exe	100
PID 3524 wrote to memory of 1484	3524	msedge.exe	100
PID 3524 wrote to memory of 1484	3524	msedge.exe	100
PID 3524 wrote to memory of 1484	3524	msedge.exe	100
PID 3524 wrote to memory of 1484	3524	msedge.exe	100
PID 3524 wrote to memory of 1484	3524	msedge.exe	100
PID 3524 wrote to memory of 1484	3524	msedge.exe	100
PID 3524 wrote to memory of 1484	3524	msedge.exe	100
PID 3524 wrote to memory of 1484	3524	msedge.exe	100
PID 3524 wrote to memory of 1484	3524	msedge.exe	100
PID 3524 wrote to memory of 1484	3524	msedge.exe	100
PID 3524 wrote to memory of 1484	3524	msedge.exe	100
PID 3524 wrote to memory of 1484	3524	msedge.exe	100
PID 3524 wrote to memory of 1484	3524	msedge.exe	100
PID 3524 wrote to memory of 1484	3524	msedge.exe	100
PID 3524 wrote to memory of 1484	3524	msedge.exe	100
PID 3524 wrote to memory of 1484	3524	msedge.exe	100
PID 3524 wrote to memory of 1484	3524	msedge.exe	100
PID 3524 wrote to memory of 1484	3524	msedge.exe	100
PID 3524 wrote to memory of 1484	3524	msedge.exe	100

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4340	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Wave.exe
"C:\Users\Admin\AppData\Local\Temp\Wave.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4624
- C:\Users\Admin\AppData\Local\Temp\Wave.exe
  "C:\Users\Admin\AppData\Local\Temp\Wave.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1376
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3644
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:4656
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Views/modifies file attributes
      PID:4340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4492
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:5076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3524"
    3⤵
    PID:4616
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3524
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1224"
    3⤵
    PID:3064
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1224
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:3860
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:1600
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:1876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:3048
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:2044
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:4772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4488
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:3320
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4832
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    PID:4988
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:2808
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3480
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:2044
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      Suspicious use of AdjustPrivilegeToken
      PID:4772
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:2416
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:2380
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:2292
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:1416
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:4420
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:2924
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:2204
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:1320
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:2176
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:3224
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:3540
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:920
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:1468
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:4776
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:4080
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:4960
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:2852
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:2484
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:4968
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:852
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4288
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3712
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1272
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:3000
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff36863cb8,0x7fff36863cc8,0x7fff36863cd8
  2⤵
  PID:1224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,9172701930181461823,14779989170863705926,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1932 /prefetch:2
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,9172701930181461823,14779989170863705926,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,9172701930181461823,14779989170863705926,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
  2⤵
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,9172701930181461823,14779989170863705926,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,9172701930181461823,14779989170863705926,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,9172701930181461823,14779989170863705926,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,9172701930181461823,14779989170863705926,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
  2⤵
  PID:3000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff36863cb8,0x7fff36863cc8,0x7fff36863cd8
  2⤵
  PID:2576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:2
  2⤵
  PID:4160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2544 /prefetch:8
  2⤵
  PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:3712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
  2⤵
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
  2⤵
  PID:896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
  2⤵
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:3808
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3384 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3572 /prefetch:1
  2⤵
  PID:2920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:1264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:2688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4332 /prefetch:1
  2⤵
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=printing.mojom.PrintCompositor --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --service-sandbox-type=print_compositor --mojo-platform-channel-handle=6520 /prefetch:8
  2⤵
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=ppapi --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --device-scale-factor=1 --ppapi-antialiased-text-enabled=1 --ppapi-subpixel-rendering-setting=1 --mojo-platform-channel-handle=6392 /prefetch:6
  2⤵
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6356 /prefetch:1
  2⤵
  PID:3736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:2440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=216 /prefetch:1
  2⤵
  PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=printing.mojom.PrintCompositor --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --service-sandbox-type=print_compositor --mojo-platform-channel-handle=6472 /prefetch:8
  2⤵
  PID:2204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6880 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6908 /prefetch:1
  2⤵
  PID:2664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6368 /prefetch:1
  2⤵
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7024 /prefetch:1
  2⤵
  PID:1708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=printing.mojom.PrintCompositor --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --service-sandbox-type=print_compositor --mojo-platform-channel-handle=6988 /prefetch:8
  2⤵
  PID:4180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1636 /prefetch:1
  2⤵
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7384 /prefetch:1
  2⤵
  PID:3328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=printing.mojom.PrintCompositor --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --service-sandbox-type=print_compositor --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  PID:4288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7096 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:4896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7288 /prefetch:1
  2⤵
  PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6200 /prefetch:1
  2⤵
  PID:3816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7028 /prefetch:1
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6620 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=printing.mojom.PrintCompositor --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --service-sandbox-type=print_compositor --mojo-platform-channel-handle=7348 /prefetch:8
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7636 /prefetch:1
  2⤵
  PID:3208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=7716 /prefetch:8
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --extension-process --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7176 /prefetch:1
  2⤵
  PID:648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --service-sandbox-type=entity_extraction --mojo-platform-channel-handle=5808 /prefetch:8
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6172 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7412 /prefetch:1
  2⤵
  PID:3220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7832 /prefetch:1
  2⤵
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7080 /prefetch:1
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5100 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3536 /prefetch:1
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4332 /prefetch:1
  2⤵
  PID:2440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2520 /prefetch:1
  2⤵
  PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1872,7135005583792084402,11815331664258974409,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3480 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2748

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:2360

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Visual-C-Runtimes-All-in-One-Nov-2024\install_all.bat" "
1⤵
PID:1652
- C:\Users\Admin\Downloads\Visual-C-Runtimes-All-in-One-Nov-2024\vcredist2005_x86.exe
  vcredist2005_x86.exe /q
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1216
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec /i vcredist.msi
    3⤵
    - Enumerates connected drives
    - Event Triggered Execution: Installer Packages
    - System Location Discovery: System Language Discovery
    PID:2064
- C:\Users\Admin\Downloads\Visual-C-Runtimes-All-in-One-Nov-2024\vcredist2005_x64.exe
  vcredist2005_x64.exe /q
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:4792
- - C:\Windows\SysWOW64\msiexec.exe
    msiexec /i vcredist.msi
    3⤵
    - Enumerates connected drives
    - Event Triggered Execution: Installer Packages
    - System Location Discovery: System Language Discovery
    PID:2976
- C:\Users\Admin\Downloads\Visual-C-Runtimes-All-in-One-Nov-2024\vcredist2008_x86.exe
  vcredist2008_x86.exe /qb
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1392
- - \??\f:\3a95d336101d8149747fa4\install.exe
    f:\3a95d336101d8149747fa4\.\install.exe /qb
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:832
- C:\Users\Admin\Downloads\Visual-C-Runtimes-All-in-One-Nov-2024\vcredist2008_x64.exe
  vcredist2008_x64.exe /qb
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1144
- - \??\f:\4970052491098a3b7bfd\install.exe
    f:\4970052491098a3b7bfd\.\install.exe /qb
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4144
- C:\Users\Admin\Downloads\Visual-C-Runtimes-All-in-One-Nov-2024\vcredist2010_x86.exe
  vcredist2010_x86.exe /passive /norestart
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4888
- - \??\f:\c8fd700fd6a3721744\Setup.exe
    f:\c8fd700fd6a3721744\Setup.exe /passive /norestart
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:1912
- C:\Users\Admin\Downloads\Visual-C-Runtimes-All-in-One-Nov-2024\vcredist2010_x64.exe
  vcredist2010_x64.exe /passive /norestart
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4656
- - \??\f:\2a134a654e3e2c0a8abcd4\Setup.exe
    f:\2a134a654e3e2c0a8abcd4\Setup.exe /passive /norestart
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:4644
- C:\Users\Admin\Downloads\Visual-C-Runtimes-All-in-One-Nov-2024\vcredist2012_x86.exe
  vcredist2012_x86.exe /passive /norestart
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3140
- - C:\Users\Admin\Downloads\Visual-C-Runtimes-All-in-One-Nov-2024\vcredist2012_x86.exe
    "C:\Users\Admin\Downloads\Visual-C-Runtimes-All-in-One-Nov-2024\vcredist2012_x86.exe" /passive /norestart -burn.unelevated BurnPipe.{433D40C4-4556-4947-8EB7-94035ACE8CB8} {56DFC013-1766-4454-B8E8-A5FD8C4F131F} 3140
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2164
- C:\Users\Admin\Downloads\Visual-C-Runtimes-All-in-One-Nov-2024\vcredist2012_x64.exe
  vcredist2012_x64.exe /passive /norestart
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:3860
- - C:\Users\Admin\Downloads\Visual-C-Runtimes-All-in-One-Nov-2024\vcredist2012_x64.exe
    "C:\Users\Admin\Downloads\Visual-C-Runtimes-All-in-One-Nov-2024\vcredist2012_x64.exe" /passive /norestart -burn.unelevated BurnPipe.{FF75DC6B-88EB-4572-BA37-800B400DF26D} {EE0E9904-5C38-461E-B6C5-26519B8F30F2} 3860
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4648
- C:\Users\Admin\Downloads\Visual-C-Runtimes-All-in-One-Nov-2024\vcredist2013_x86.exe
  vcredist2013_x86.exe /passive /norestart
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:4932
- - C:\Users\Admin\Downloads\Visual-C-Runtimes-All-in-One-Nov-2024\vcredist2013_x86.exe
    "C:\Users\Admin\Downloads\Visual-C-Runtimes-All-in-One-Nov-2024\vcredist2013_x86.exe" /passive /norestart -burn.unelevated BurnPipe.{58D9BDF9-F309-466C-94EC-A79A05F71D5F} {DC6D5B5C-42D8-4AB4-85A7-9D50DCBF1CAF} 4932
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2144
- - C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
    "C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={9dff3540-fc85-4ed5-ac84-9e3c7fd8bece} -burn.embedded BurnPipe.{B8E9CF6A-03BF-47CC-9953-33E98609F419} {56DD4444-19EF-45E0-AAD0-06C6E60449AF} 4932
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4216
  - - C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
      "C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={9dff3540-fc85-4ed5-ac84-9e3c7fd8bece} -burn.embedded BurnPipe.{B8E9CF6A-03BF-47CC-9953-33E98609F419} {56DD4444-19EF-45E0-AAD0-06C6E60449AF} 4932 -burn.unelevated BurnPipe.{54FCDCDB-C0B5-46C8-84D0-8E9EF264331F} {07133091-78EF-4A61-AFFC-7F20C8E2F0F1} 4216
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1048
- C:\Users\Admin\Downloads\Visual-C-Runtimes-All-in-One-Nov-2024\vcredist2013_x64.exe
  vcredist2013_x64.exe /passive /norestart
  2⤵
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  PID:1640
- - C:\Users\Admin\Downloads\Visual-C-Runtimes-All-in-One-Nov-2024\vcredist2013_x64.exe
    "C:\Users\Admin\Downloads\Visual-C-Runtimes-All-in-One-Nov-2024\vcredist2013_x64.exe" /passive /norestart -burn.unelevated BurnPipe.{FE469E23-C795-4C18-B204-BC0AB6B6758B} {E8E72777-D9D3-4477-883C-92AE829DB931} 1640
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1552
- - C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe
    "C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={042d26ef-3dbe-4c25-95d3-4c1b11b235a7} -burn.embedded BurnPipe.{97DB3180-6318-4993-91BF-55F09763A948} {FEA7C588-6EC2-4CB0-8121-F9A32E17BE14} 1640
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:4144
  - - C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe
      "C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={042d26ef-3dbe-4c25-95d3-4c1b11b235a7} -burn.embedded BurnPipe.{97DB3180-6318-4993-91BF-55F09763A948} {FEA7C588-6EC2-4CB0-8121-F9A32E17BE14} 1640 -burn.unelevated BurnPipe.{461D319D-1EE0-472B-B177-4071F4B25BE7} {A8FC3B26-3BB8-4869-BC5F-C2311653FB10} 4144
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1912
- C:\Users\Admin\Downloads\Visual-C-Runtimes-All-in-One-Nov-2024\vcredist2015_2017_2019_2022_x86.exe
  vcredist2015_2017_2019_2022_x86.exe /passive /norestart
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4776
- - C:\Windows\Temp\{D1DE32A4-B228-4C5D-BA3A-60B584AAFD10}\.cr\vcredist2015_2017_2019_2022_x86.exe
    "C:\Windows\Temp\{D1DE32A4-B228-4C5D-BA3A-60B584AAFD10}\.cr\vcredist2015_2017_2019_2022_x86.exe" -burn.clean.room="C:\Users\Admin\Downloads\Visual-C-Runtimes-All-in-One-Nov-2024\vcredist2015_2017_2019_2022_x86.exe" -burn.filehandle.attached=592 -burn.filehandle.self=740 /passive /norestart
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1376
  - - C:\Windows\Temp\{9467038C-A4B3-4210-BA5E-646A5C395FCD}\.be\VC_redist.x86.exe
      "C:\Windows\Temp\{9467038C-A4B3-4210-BA5E-646A5C395FCD}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{72A40392-1D5C-49EB-9D2F-9EC88E5DAD1E} {DB7856EC-137C-43AE-A7B8-49DA60F9F072} 1376
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:4956
    - - C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
        
        "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={e7802eac-3305-4da0-9378-e55d1ed05518} -burn.filehandle.self=1004 -burn.embedded BurnPipe.{70DEF07B-29F2-47CE-86D1-F38FF2BE38CC} {30C5CA52-3938-4487-81CF-431F8A814E60} 4956
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:728
      - C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
        
        "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.filehandle.attached=544 -burn.filehandle.self=560 -uninstall -quiet -burn.related.upgrade -burn.ancestors={e7802eac-3305-4da0-9378-e55d1ed05518} -burn.filehandle.self=1004 -burn.embedded BurnPipe.{70DEF07B-29F2-47CE-86D1-F38FF2BE38CC} {30C5CA52-3938-4487-81CF-431F8A814E60} 4956
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe
        
        "C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{4DF4B9D6-20AF-411F-828E-2A4EBEDB0937} {EC3708B6-308A-4D60-917F-619F13BD2094} 1912
        7⤵
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2144
- C:\Users\Admin\Downloads\Visual-C-Runtimes-All-in-One-Nov-2024\vcredist2015_2017_2019_2022_x64.exe
  vcredist2015_2017_2019_2022_x64.exe /passive /norestart
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1924
- - C:\Windows\Temp\{A130F9EA-B201-4042-9226-28DC33256339}\.cr\vcredist2015_2017_2019_2022_x64.exe
    "C:\Windows\Temp\{A130F9EA-B201-4042-9226-28DC33256339}\.cr\vcredist2015_2017_2019_2022_x64.exe" -burn.clean.room="C:\Users\Admin\Downloads\Visual-C-Runtimes-All-in-One-Nov-2024\vcredist2015_2017_2019_2022_x64.exe" -burn.filehandle.attached=736 -burn.filehandle.self=740 /passive /norestart
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:4796
  - - C:\Windows\Temp\{E40332E8-6AF8-4F4D-9B09-34D858355046}\.be\VC_redist.x64.exe
      "C:\Windows\Temp\{E40332E8-6AF8-4F4D-9B09-34D858355046}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{1F7A229E-75A2-4665-AF37-58F3C8CDAEDB} {3DDA0291-7CE5-4BBF-B258-3098391C0B41} 4796
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Modifies registry class
      PID:4688
    - - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={804e7d66-ccc2-4c12-84ba-476da31d103d} -burn.filehandle.self=916 -burn.embedded BurnPipe.{3A345AA3-5645-4994-9419-70852DB5AFD1} {E0ABC959-FA90-438A-9076-D9C67DDA0E70} 4688
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4268
      - C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=544 -burn.filehandle.self=560 -uninstall -quiet -burn.related.upgrade -burn.ancestors={804e7d66-ccc2-4c12-84ba-476da31d103d} -burn.filehandle.self=916 -burn.embedded BurnPipe.{3A345AA3-5645-4994-9419-70852DB5AFD1} {E0ABC959-FA90-438A-9076-D9C67DDA0E70} 4688
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1912
        
        C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
        
        "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{F584425F-089C-4BF8-BD29-F901AE26AF4D} {2DAFD2CC-D102-4B0E-971B-77515DD241C4} 1912
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3384

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2248
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4560
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4E9A992CD4368092A8DB975CBD7E6297
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1640
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F7CE931C66D17063E045EF5ED018499D
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3216

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3440

C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "3340" "11400" "13840" "13152" "0" "0" "11404" "4376" "0" "0" "0" "0"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Installer Packages

T1546.016

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Installer Packages

T1546.016

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5a175e.rbs

Filesize
30KB

MD5
a04d4cd8839cfa49dbe4d44cea9518a0

SHA1
d4601b4d3989f2bee7d3f55c57b8425af7b613d2

SHA256
d4d855741edb83ca71f727d1b47a1705494b09f6623bb80d4359e825d8471984

SHA512
6684a7bd904147809eaf156944237e9a5516f37639c8a52610dbee61686ae5ed1d77770606f0527ca848c9540757008ba3d57b80e18c87470b9e85088b64adb7

Download Submit
C:\Config.Msi\e5a1762.rbs

Filesize
30KB

MD5
b30dd99715e8580cba6f1b8cdc0ba031

SHA1
d415fe089c8ed7f1798c77a24366813f12e3c09f

SHA256
454ae3c1ab3c835cf37496e953c800f9cb8314f60c9c22ecfc76f90ed96a90a4

SHA512
9a9f231b531177d0bd7782f2152b0016b3fbcde3b11159cfd7de84844fa78e99d4b60ce4f4ccdcd6bd4b617552ed68beb2dabd3c29329b3f38640ccdc32eb833

Download Submit
C:\Config.Msi\e5a1766.rbs

Filesize
4KB

MD5
f5655b7f1623e368346f46c27362b7cd

SHA1
d2d8cf93a0e190491aa1b2c4f6556b0f221c6cdc

SHA256
0fc8201478e7e03cd96951d2760087862fc25666b4f28fab2764053e949cedd3

SHA512
100885a2482b4c61f30ab5affa8c3a1b2333faf6eb340bcb6d227b23b7c348848c1a68d476d359dfc8b2d094d8655310358e87fffa7e56005d16ff52be473a96

Download Submit
C:\Config.Msi\e5a176a.rbs

Filesize
31KB

MD5
8b1625db5d6ab239be8735ef09a1d899

SHA1
810356b3d9d22afe7b0f51087db7fa49253fda6c

SHA256
eb8bb6c141135a72e495e4d8e9389b54d5301b9e83c87f00b9068fd5aa5b2461

SHA512
6980052d67e74754114dcf0da442f05a81aa828566faf6dafa94b8314ef6ae046225f73cca3aec7539221aeb1722ffa3bafc35d0aac8942b45d8e294e4c0a87a

Download Submit
C:\Config.Msi\e5a176d.rbs

Filesize
4KB

MD5
b306f55c53219bf90f482ec0a87a0901

SHA1
80e727ae0bf369c09e1a5237f6936987556d9c0c

SHA256
00e82c59c872f57d9481f148f61720d564e6fe67eec6d9e70adb92ab1de6e372

SHA512
1ca1d772a2e6fc0c560e72ee4a90c494064780b67c5588f1e51ca09027cffddf827366562b7d93080bdb643f2a7a093dbc4eb7e2c076e6fae63b58971623b4e7

Download Submit
C:\Config.Msi\e5a1771.rbs

Filesize
31KB

MD5
1b7d9c3cb0c918bb58550d5cf7bc9ef1

SHA1
8495cc0a29314c1b7cbc6304c6ec6cf92c025cc1

SHA256
110f1c475900a2afce2a2e8b02d8d528e3d07a2c3b60ad5a78ea4468e6d810ed

SHA512
cb0a1255a00adba10c22ad395aad432b04574a61ca716b8039fbce51e51e3c3693bd1fdc827740ec9d9d583d62944529035b9a272df44ee9ed348064581c15bc

Download Submit
C:\Config.Msi\e5a1775.rbs

Filesize
17KB

MD5
8b39e0029d46845284c8ae35e00cd23d

SHA1
a5505490bb62b6e66ac164fc498d5b301c2295cd

SHA256
a58ace0506176408237769a45f2221745eaeac194c8749ec3aad14900583a2dc

SHA512
55be044997d87f47afc7aae865832d30d4aa6d76cd4cd2a8a7f2cf676a772115264342d89d88b4cda7b04639d62735f53fb7d05b310720005c27a77bef734c4e

Download Submit
C:\Config.Msi\e5a177e.rbs

Filesize
13KB

MD5
e8caab500adb24274b9825cef7848266

SHA1
3493ae7278adec780af83645e26bffe59ecb72cc

SHA256
094a03887aaf5347cc5a96e64db28158a195df356b79b813eee1afcf6300d23a

SHA512
1d8a2a07e5937b1e8eab33a4a4ddf112c8ae22b36fb4f97690412d22df2345b7ebcd0c761c6030c5092485bd387e03a74c1b7a70b7e70d09d9cf19a7654ada20

Download Submit
C:\Config.Msi\e5a177f.rbf

Filesize
444KB

MD5
a883c95684eff25e71c3b644912c73a5

SHA1
3f541023690680d002a22f64153ea4e000e5561b

SHA256
d672fb07a05fb53cc821da0fde823fdfd46071854fe8c6c5ea83d7450b978ecb

SHA512
5a47c138d50690828303b1a01b28e6ef67cfe48215d16ed8a70f2bc8dbb4a73a42c37d02ccae416dc5bd12b7ed14ff692369bc294259b46dbf02dc1073f0cb52

Download Submit
C:\Config.Msi\e5a1780.rbf

Filesize
948KB

MD5
2fb20c782c237f8b23df112326048479

SHA1
b2d5a8b5c0fd735038267914b5080aab57b78243

SHA256
e0305aa54823e6f39d847f8b651b7bd08c085f1dbbcb5c3c1ce1942c0fa1e9fa

SHA512
4c1a67da2a56bc910436f9e339203d939f0bf854b589e26d3f4086277f2bec3dfce8b1f60193418c2544ef0c55713c90f6997df2bfb43f1429f3d00ba46b39b0

Download Submit
C:\Config.Msi\e5a1781.rbf

Filesize
331KB

MD5
69004e08c1eb19fcf709908103c002fd

SHA1
d59459f9a18b2e9a06e5af2b88f4fecb0ce690d5

SHA256
c1b61dd24dc2dd5efd5cd548c0cd74fac112358e9e580df4d780d2c125474dad

SHA512
3fc67a5fccb252a67285e19d62057fb4e3c63e702f4be91e552f93d9827cc746b8fb43b4a3b24b7fd5c48832d18a1dae26c1bd237f40b7b88618d402fdac1a76

Download Submit
C:\Config.Msi\e5a1782.rbf

Filesize
242KB

MD5
c7739dd4212d084d299df68f0a0debc3

SHA1
cba81d847d91bfea5c03279c0ca03fb1aacd4ae9

SHA256
1d67a8464991a03fc190d87b43591764f231d7a7a71a72ffc51d982b26691153

SHA512
5b8e98e6764460f9afbfa6dd34c12ad59284003eea99997c9e1db9b4a85ba30ac8b6a699b2888388dc424c547918137d42984bf040ac3d292e612bc433368fb3

Download Submit
C:\Config.Msi\e5a1783.rbf

Filesize
117KB

MD5
90419039c035404fb1dc38c3fb406f65

SHA1
67884b612d143aa08a307110cee7069bddb989a0

SHA256
62287589fc0b577398005f7ac07256d9fe671cdd3e5369faf74b9f64cb572317

SHA512
e632c78c941861e61fbec68e333e6549cd4bec683593db92c2522e162176bd64160dba37d4226c1599cfe1d77b36d5d4c452dd2f453c291a15310dfb607f3414

Download Submit
C:\Config.Msi\e5a1784.rbf

Filesize
3B

MD5
21438ef4b9ad4fc266b6129a2f60de29

SHA1
5eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd

SHA256
13bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354

SHA512
37436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237

Download Submit
C:\Config.Msi\e5a1788.rbs

Filesize
26KB

MD5
927acf697c8ba5efb3e7a5a5ce0e175b

SHA1
bde840a8c7adac567febcad5bfa17b867185e65f

SHA256
4eb90f8d6040dddcdba26626c1f6fae862f535cb70c976c280a5d127a486e73a

SHA512
369b2c367046a489b1334a1d5f52943066832230d2b8c7ee0ef33439d57f2ce7d795ef3f82ddfa9b4cafc0f8d593fac1e5104c760999e9072cfc453dbf968781

Download Submit
C:\Config.Msi\e5a179a.rbs

Filesize
22KB

MD5
17e32f93628151b8578a6518dee02441

SHA1
588e89059623a885ff19babc2a8271d8d7e63ab8

SHA256
be76f039d948c77e3e5a18f83ff82cd0473345e779a4ef9176da91a98ab50d12

SHA512
98a6ed20a54946b31bc326a8b5c716b250b441490b1b45fd2cc73b5afb5f3b2af3323a11ec34ba8ad6ee49c1a8504c3dc7254d80dbdadc203a23517e6b8c2554

Download Submit
C:\Config.Msi\e5a179b.rbf

Filesize
45KB

MD5
2f7c88c43a8966882ca89ce4981e3cde

SHA1
588bdeae6eab1f447771bd6963b5b3329196e686

SHA256
5e7331a6adeb9d4252531ade800d47b8ddf020b97cfedc58de85386b3ae64e76

SHA512
3f2eca126fc821e36aaf4430a0f41af1a060396f52cfb2efd1c3be2ab9d69cfac870121c646776c8b15e8561938ac30367bc5687bb9a79f0c19156c3b56249a7

Download Submit
C:\Config.Msi\e5a179c.rbf

Filesize
45KB

MD5
70bbafa7c8b0aeba0e25e27c440a6038

SHA1
44a5e06229ae4f6ce6d3b2b57cb3b6050667def2

SHA256
9eec79bd4af04bba1e11fc24c64d94f30c22985c8ebbce3e0b411a61a1edbabe

SHA512
2e9b8696c1b4ab8e721fa07b6c81fe30613f0d188250991c573af95263688b7db6e25ebc4c030825724248c9713d9c5b772f199369785ac615ad2d2fdf527f8a

Download Submit
C:\Config.Msi\e5a179d.rbf

Filesize
73KB

MD5
09936f1f2ad5ae9d0663b6e8709527c7

SHA1
f0e5945663e65405d94c394db83880f713295104

SHA256
550f6c9f16fe85a8338b04f1bec43de3babeac60ff257197625f2802907007b8

SHA512
3e95e1e3f2043e1f0a4baf1267e82f912bcd5830ae6c5abc750a38a0666b1a6b9e1169dadb58bc2eafae00a2e11bcf574ea805f3a1f07f77d5450d1265e8e7f6

Download Submit
C:\Config.Msi\e5a179e.rbf

Filesize
63KB

MD5
9becefa155c8c9f5ef5bf9d537c0a258

SHA1
4f33f6d08685d50ce799df6369cb5efc51673e12

SHA256
d1dbc7677010f9af7b680ea2efa28c964154997bddbf6c8d9d65ea225a5ec613

SHA512
5e9972cfe26c0fc6a0ea38643c644b5ac33e4ddfc1cff5b25017c81f3121ec7732565554f43c1916e9f8e2b1d84226aacd2cc4d6805425c2f1f1e7683e506ff4

Download Submit
C:\Config.Msi\e5a179f.rbf

Filesize
72KB

MD5
30281f2891b6deae8c0deb122b5906c7

SHA1
43ed0c7bf45839ba07501c1013ba74c97b4d0beb

SHA256
87e5c496e038c337ca1acee52c145d8f4bdb3e74261b13e1feb740c4e2124e0a

SHA512
cb0e3f3cf89af55e4b849b3f4f883d8348fc8f806690db4fff238ee54bc5f80a34e53c7e8a22dd9d1dc57c1a60c69d3e25ad9cc52ac66628613cdf358e7aa537

Download Submit
C:\Config.Msi\e5a17a0.rbf

Filesize
73KB

MD5
b41aa9a167ac3d6c11b5c2e1e183c11b

SHA1
ac8efa5f7b8211e4dc0d0d0e6bc7717f88d2c0ac

SHA256
b098ed9a5f44052b9ab5ceee82ab4cea5c6d9a14a61816882ef996a0599838b2

SHA512
de667f1fe0bcb0ddf8f59054a2d5c516ec47ab59f7e78e29ec8a2cc756c72aae65bb73ea03701c67c978166649d69278fb0269e9588d968f630165bcfa6f40f8

Download Submit
C:\Config.Msi\e5a17a1.rbf

Filesize
71KB

MD5
2bcf9a28e5fe7a3fefd16a9c03d35dbb

SHA1
7c1446d8ca4d2c6890d62c02308daccb8be5475f

SHA256
271abe43d14cbd8c80b85ec804787272522bc06c45b7f93244b718ab0c08a289

SHA512
445ef027eeecda4361834334706079053ce9a735cbeeadaec37f28c4f9a485b07ba156178c2cdb1f012d1760d0495d041deceb6372921eb94d18241eb304eafa

Download Submit
C:\Config.Msi\e5a17a2.rbf

Filesize
52KB

MD5
34b5ae129703de4a4bb5f52f4306fdf6

SHA1
601ba6cc73cbbe6d7014519a885fde2c9e9c2fba

SHA256
43cd9fdf714b7dfca4b2a8f54bc25ceeddc7a6212ba59233d89a03c650053407

SHA512
016dae93356e42a19f4fb4d34efa04e93f802e5de3157c29ce940d9637d697d2b7a4f61b705b5b5df271b97d942cb81265d0fe7c9561c0ef3c46c249b8b7fb9c

Download Submit
C:\Config.Msi\e5a17a3.rbf

Filesize
52KB

MD5
f89147c034de186e3ab79326523888b8

SHA1
d3e6c00363a429eae066953f7c187e33c687ec6b

SHA256
32dfe0f26b5024ec900a31f0dde736ca62769dc5de48238b485f4322cd367e7d

SHA512
d7842681f67b46f67233ad0f7c57c7155f152dc25ef546a08fb91914ee54984b87f9ccbd8da3e40d012b251fffade838f2d779681afa84c383ea7982f0ad1cfe

Download Submit
C:\Config.Msi\e5a17a4.rbf

Filesize
69KB

MD5
d7f2e87512d19d01328840187fc7cb04

SHA1
7a312b677b76d7303e01da6064f1a5e0fb26c604

SHA256
1154c537bd700ebbda599a5c2923e73d098c3eaa930fd0f4d415583ff90eea67

SHA512
8a00cae2dc0d59e530cd43bf84f33301f53ccdd96477787805b487ffdf6869223621414cf180a1aafb6b8910ba19684c02c60226a651d051eacc4cac1fbd8c2b

Download Submit
C:\Config.Msi\e5a17a5.rbf

Filesize
4.2MB

MD5
293002e4332f01c74c2a843b5c638a90

SHA1
2e412f945ac4353b4908c87e31b847415b3ec19b

SHA256
6130ad7d21a492cd3f3924bed43d954f80b6b6920374934b9eed057f27130e15

SHA512
49eaf5633debad535ffc6584c8383e21c99f7a3a81a0b3496943af0e79853399649706ceda9da9990c259d605ab163c22c08f641b91e80c8a14d519837a595ce

Download Submit
C:\Config.Msi\e5a17a6.rbf

Filesize
4.2MB

MD5
e1629a36f15824346bb54a9ebe9b622f

SHA1
ee5d55315ffb351e24b7c918c82e6ce4ec17a645

SHA256
68df186e26151313a0df2adb0ef5f3a45ebba3cb02229bd8723a29dee60e278d

SHA512
0301ed7ad473015478f32afd3e41dafd045eab26ad42080bad6030324564a7ed09a7516b8d362b5cb2201d087eb25f2bb7ac5fc809a387f49f893ac3df8814bb

Download Submit
C:\Config.Msi\e5a17a7.rbf

Filesize
81KB

MD5
36ca9bc41425660ad80f23933e6e9f1f

SHA1
3206186f932cd5948062a837b5fc2094ddb1c8b7

SHA256
8c82f149507c3415250e52bf4c7fe937946a60d51f07492a1e36ab3e14482187

SHA512
a58eee2824bad90ea0790bdf55c5b58a6eec5f3e87bebf5a941a6dbcb8106c6d96b7eee0a022c4a16f35d80e38501fed54d88127f30de0e9fdd22e4df8fa2ea5

Download Submit
C:\Config.Msi\e5a17a8.rbf

Filesize
81KB

MD5
9b73043d5646be7b544e3ac3d49b7744

SHA1
a3eecb1a85c244d5428a012041eee947462e7a09

SHA256
d6d2ba4ac1606e825216a25ab401d26d77c4300299e957cfadab3b0b945d065a

SHA512
8f339c23f8d1e8eed1bd055a31c027e5da03d916769468394ba1befe7b4f2586e67e8dcf29326ff40abb0d879a45f886398d5d733c988c507860d1ece16ed83a

Download Submit
C:\Config.Msi\e5a17ad.rbs

Filesize
18KB

MD5
69a4ffd1d95180293ff2aa08a293509c

SHA1
29a3f6cf1ae615dd64b7e6fa6cd9b46b45ef63e7

SHA256
d7391a17d90fa918f7c30019bda8f4eb98728cbc2ceff3bdfced7ac8f8be447c

SHA512
b4ae62e7446502bf4d05e9cd52c6b07653be5850802e31e03e75a12d38fc454b10598f2ea23293c121140c3bbd4288b8a882581e236f1247b04d3c4611eda25f

Download Submit
C:\Config.Msi\e5a17b6.rbs

Filesize
14KB

MD5
f49beb7e720040502918c567760eacfc

SHA1
734ce79f5e1fbd2e1aa5b1dc06873161c9971283

SHA256
cb5add07e23e0f7100b4757c427032325cb757c619c4c4e068ea07e5dc1a05f9

SHA512
5eee9667c1d45271019022004e8e19befb9e5c473e6a9ed1bee264e285f22ab3d3e66abe77aec177bcfc18a2d12336f50c78429dba16274806788fb6ab1b2211

Download Submit
C:\Config.Msi\e5a17b7.rbf

Filesize
644KB

MD5
edef53778eaafe476ee523be5c2ab67f

SHA1
58c416508913045f99cdf559f31e71f88626f6de

SHA256
92faedd18a29e1bd2dd27a1d805ea5aa3e73b954a625af45a74f49d49506d20f

SHA512
7fc931c69aca6a09924c84f57a4a2bcf506859ab02f622d858e9e13d5917c5d3bdd475ba88f7a7e537bdae84ca3df9c3a7c56b2b0ca3c2d463bd7e9b905e2ef8

Download Submit
C:\Config.Msi\e5a17b8.rbf

Filesize
940KB

MD5
aeb29ccc27e16c4fd223a00189b44524

SHA1
45a6671c64f353c79c0060bdafea0ceb5ad889be

SHA256
d28c7ab34842b6149609bd4e6b566ddab8b891f0d5062480a253ef20a6a2caaa

SHA512
2ec4d768a07cfa19d7a30cbd1a94d97ba4f296194b9c725cef8e50a2078e9e593a460e4296e033a05b191dc863acf6879d50c2242e82fe00054ca1952628e006

Download Submit
C:\Config.Msi\e5a17b9.rbf

Filesize
470KB

MD5
f0ec8a3ddf8e0534983a05a52bce8924

SHA1
5f6d0265273f00ffe8e30cf507f0d05d330ff296

SHA256
88a5ed51a7be4ff7ebded0c107fafda6ace3801877216c0bb6cbb458ae054a7b

SHA512
d7b084d7f20de29ff16341df2756861bb7ac22eab0711869b3e77a84d841fb76a898d7459ca1be62eed522caa1f022c891a7d30c94bf0fff1bb4d016be8aa9bb

Download Submit
C:\Config.Msi\e5a17ba.rbf

Filesize
348KB

MD5
ea1e99dec990691d41f938085f68bcc7

SHA1
5fdcbcd777e10e765d593994dc66f930c1377b0e

SHA256
1b296bd172332d3b2253bdcb6ecac46afef883f75c13c361632ff40fec743fcc

SHA512
e90a40bd8e20bbca3c6188a78ad75578e51d88aa638e0bbfed4f6f6efdd0917e92b08ef4b0ccc2dee08774f08658b189e25234270e8ce1ca60a7e0ec8e3fbcf8

Download Submit
C:\Config.Msi\e5a17bb.rbf

Filesize
134KB

MD5
d7dbc7c92177837431ae2fd7fb569e2c

SHA1
c26140204a6db421842ad36599326a5369fd1b5d

SHA256
22d14e004ba4b78a9143257399dc40ef4d0e8f2cdb9127e1ba2638f54cce5c70

SHA512
4f2b197ea912b5ea1a82ac84e1c15ca8e3787460cd79a32733ea920dcf3b1db5cf0507ad7c94f4e4ccab9dfc6773a9d05a8eeaa7bd7c61b63d780b69ed7ae0d8

Download Submit
C:\Config.Msi\e5a17c0.rbs

Filesize
27KB

MD5
ba1fbac679f7f696fdaaa2f01b4bf633

SHA1
defb328a523df428fe9b7bb4677764fa5f023671

SHA256
7940fe624237e6aaa578383dcb253d9302a69ac2838bade15e480d9ec0023712

SHA512
c98e05e2457ccad17c9be893f7171099aae0002a48ee2ce54fdee21a7a16b2cc68ebb0366427c4a0f4d370c76798e2752a4c06f28146ea5e0c38173b2c71b0c3

Download Submit
C:\Config.Msi\e5a17d2.rbs

Filesize
22KB

MD5
63604edf20459f287e06d00b5d5cd321

SHA1
22e90fbc4fda8dff99fac50b2030c1dbabc28ec3

SHA256
a79fbeee9c4fdebf095a6f53cc501da106e941706c6f2c8eae5f01ab31b79626

SHA512
eee46900fa7f3cd0bdbd16d16ef698b790091fa308fb329602c2267e146c97b39bc913c81fc6fc6aacbb2205e8f6af58ad7633bc1f9b0d46ed5664f2393f398d

Download Submit
C:\Config.Msi\e5a17d3.rbf

Filesize
45KB

MD5
f96a9a88487a27de7b3e15c733cf1fe1

SHA1
0a4157f064349b0370b8ee3f244f44debd04b4c0

SHA256
cb531679be2881677a93d11067c71274ec30b30aadf1cdcf1543dddd6b1d7b61

SHA512
df5390b235157e65efa3a9385a7ffd6d5f4f2471306625f01370ed463c65b81c4274370f93b5b0d04d44175c57322d2f2fb1cdd2bcbc123997f4ae4ae9557f0b

Download Submit
C:\Config.Msi\e5a17d4.rbf

Filesize
45KB

MD5
6a5e17d5a4b24e5c2b947a343a182949

SHA1
ddf5ed505953e073f09b17e8e2bdecf2766c6a4b

SHA256
0301c5dc6e762788891356987e9c8cd0d40b262df06e8384bf5796b1f20f083e

SHA512
8a383192f9f6e6c4fab24645cf7c30fa927881451f0e65175b724717151cca6fcc49ed3394cc689407f19a7b1afd6b462688bccb898912762b804eeeb7cd8d97

Download Submit
C:\Config.Msi\e5a17d5.rbf

Filesize
73KB

MD5
bfc853c578252e29698ff6b770794e6a

SHA1
1091dced7b18bdd7eda2be4d095ac43cfd342b7d

SHA256
80e0f29ff6b7ada892f23927f17021783575ad80f9f6c8a268a6c2a7ce35e5d6

SHA512
306445384614b48d3182a91c8adf8d8206c36efd88abf23753800566f9650518af382164ca1a17ed000888e6a99c175478ad621d0a0d46c9bc7d5359113e05fb

Download Submit
C:\Config.Msi\e5a17d6.rbf

Filesize
63KB

MD5
19b7b852ac2dec695e6a52801e59c421

SHA1
cd72265e1a6a64c761984980895d92cb93bc61b7

SHA256
e463f38fa6b6157398ad224a462538bd8e36b75031fa711e567c5505a9092df6

SHA512
d0fd9f75820d3dbdc4001ed6262a940f062655ebb5f31f3d45d984e38b1bae2e5a958665b79b5b4aeb899e39348ba987c82148bfd85477e69249d3a59a076017

Download Submit
C:\Config.Msi\e5a17d7.rbf

Filesize
72KB

MD5
9ef2dc352d20b615a556be53b449b17c

SHA1
933b2a39f3d730c6b5d437558d0db68c5d2c22b7

SHA256
db4fc3652d24224d5375d1a5696144ac8881332cc20f5992ed1488236e64c120

SHA512
8031a4d0e44beb290c48292a0987108ed6d6f56950dfb17ee4671e692407fcbb8dc652d82907d8f98db2f841689f9480aee6fbce60cf2bfa1d0d6294c3f6da91

Download Submit
C:\Config.Msi\e5a17d8.rbf

Filesize
73KB

MD5
06473191b67c8b3d1a26b76474c5daeb

SHA1
94c72bb597c365cb77f621e6e2cf3920954df2d7

SHA256
e7cb6c2818ca27c864bda635d5b5d9f7bdb308f4b5d4bbc206ee1e135b7dbbf7

SHA512
237c144cd3cd78c4a4eeb5c6a22043a8e604bdbd7182b89bacb81135b1e3de08780061dfa3664508cfbdc01e918fa2610e317f9441b10c4df8def1ca444de4eb

Download Submit
C:\Config.Msi\e5a17d9.rbf

Filesize
71KB

MD5
713e30e13c1998e035cf4ace66b03230

SHA1
2d244e01c2bd9f3f17dfa0b74c19ce6bc512e1b5

SHA256
9cfc5985440df4e70b57869b32c8ee69eb6fc570a98cc94a53141a0dc7535e10

SHA512
8a2581aaa125eb45543e679e58be7040d151cfcfe0625f6e62dccc3fcf87872d3504b30082036d5219dc4c8493600838d31b2ddfde3ba0bc1b2b6ef97078e29a

Download Submit
C:\Config.Msi\e5a17da.rbf

Filesize
52KB

MD5
689b5f0061a67ac95f59a64744702186

SHA1
52227dd2c8a66c0528bff28475846faf7036340f

SHA256
83fb72fd2142d54bff6280e7c4d4ff22d43c3a81fa4ff8881003abbe5e21ec3b

SHA512
30b4e01d20c6c3ac1b799dd4d23fda3ca988eadb59356f84aff0a0760572b5c4119ef21467494e47a7d74dd6b136633a6ae40f45ec051d5cacbe44b5d6255d42

Download Submit
C:\Config.Msi\e5a17db.rbf

Filesize
52KB

MD5
7d03ffc6a8fb686abd660efdc3aaf223

SHA1
3d04c53971a525cc3255ff1eab05ff0cbad75bb7

SHA256
b2c7fc2c95b13bac36316d298c94d842dd2574f78e9c22e4d4e4af1c3fcc0fd9

SHA512
b5d41294630e342f2242a91c9dcf9085cddbd2389860e14c741147cb695425971cf79339b523d28fd3189589e5f948115359b89f59a03186e3c6a103f854f4e1

Download Submit
C:\Config.Msi\e5a17dc.rbf

Filesize
69KB

MD5
a99ad214ccd1e7bc1f609b972467b0ca

SHA1
9ee79954fdb2338026c3c81da00ab6e7e6c2e1ff

SHA256
3238676035d9c1595248ef65ef5b044384b473ab9bdfe8d1077e10e4fe7bc983

SHA512
da1f8a4dd82559635ea53dfeac1817a9ced1d247a170a8153a54c05c371fc80aa2fa958bc5c515c026815c505f70fb374178f8ccf94836b66c4a7e23dab1c083

Download Submit
C:\Config.Msi\e5a17dd.rbf

Filesize
5.4MB

MD5
ee4af4ceb4b7fded7cdda37faef69704

SHA1
5ab8f2ace2f4a1892ea4a2a26df5ee7e9cd497b2

SHA256
75497de4aec4b5f0f258164672db2eb55eef5138c028317860e05f11030f7b7c

SHA512
4f807157e6bd57ac37bd1d8a52ffdc38e330e517101a1ea603096d8728b04c9c2ae96e510b961c87536e957587ce169fdece6bc3ed5e5025aa87c0f276da0ece

Download Submit
C:\Config.Msi\e5a17de.rbf

Filesize
5.3MB

MD5
a6d08e8e290c80822842015cd877d405

SHA1
2ee9d28e20a73facff20be87092e482b562dad41

SHA256
950ff7746d747de51cc09c1aaaf88fbc2fc97c59865f574cc3fb10243ae7b906

SHA512
b6dfc3d0ef4f57c116d44b201fae187c9427d4fe7cad969f50f9408af40071d811e88698134491f479923b259a47d0b528e7ea23790248314e902ee24d0b93a2

Download Submit
C:\Config.Msi\e5a17df.rbf

Filesize
89KB

MD5
43aae7bfb0c911e7e98003e2b45667e6

SHA1
0c6c7d96cd0eca734e425b1ddef178c3ab6c31ce

SHA256
a78e7988c9f99bcbe02d29441b0dcbdebafa616d2a4652aad867b81f554a0476

SHA512
33d1293a7905ee9ec58b9a7744981006d6dadafb75ef64769723de02ba273f344a20e20d206d64d2453746549fe471328a035e2b5cc8e485e7cfd2c2fbc7c6a9

Download Submit
C:\Config.Msi\e5a17e0.rbf

Filesize
89KB

MD5
0d5451a0050f7acc970ca02459c63d9a

SHA1
2de9febca0b1d48014081907e835237c832c65b0

SHA256
864958960b8dd2890d47f2774ba836954f2c4f5ad6e4d529b13138caefcce73e

SHA512
4d0b3d3d494c1774ae4575eb945f3c0742b723d6583d98dd36cc51a1d099b8f1a090d4b18c54897d1d58a67381b800604724cb609447860105bc2e0e8d5094a8

Download Submit
C:\Config.Msi\e5a17e7.rbs

Filesize
16KB

MD5
2d3b479b27ef7d1276c4cef481a7a069

SHA1
4fafe02fa177b0dc442459a456ef45012a05bfbf

SHA256
f8f19afc3d43c7b11e79a490d2b5b8fa365f4cff597cbe42a15737604dc9db0b

SHA512
b919129c77ec17bf980a8aae16634f516edb345b209812e719cfbbbdc890dd97d356359fb0770656c6adcda915a439a15c8dacc85bf7f247aeb131710f2a60cb

Download Submit
C:\Config.Msi\e5a17ec.rbs

Filesize
18KB

MD5
78ba32536ebcd273020ad97fff62caeb

SHA1
22d4e70de68cadb49d8a2e68569f875ef200e228

SHA256
b576872a8bd89c22f8bdba2b5b8d095cd4481e7f4412e01ed2c44c7008fea386

SHA512
b62f9c0d2a815b3d79be5177876d4667d3f9e9bd014b0e184dedf831b08e6cd0e251987190206b4b61e9a6da5c96dde5b27be154a8613c99bc92b522b06bafe8

Download Submit
C:\Config.Msi\e5a17f9.rbs

Filesize
20KB

MD5
7a8d53e24c73622a70c7d552e3ccf0b0

SHA1
3cc85edd9f0a1cea99acdf13df1da033141e4fce

SHA256
7ff7ad2eebb249a3bfa7ca12b0945b65cf80ec961505267bde0eb800003487f7

SHA512
5afd106305862395cfa01bebc948ac83f7d5bf18525701a302b148b35770202c9762ee2eda191dfb70a9e7e9ca79b0b09d9a56b726429e72ad27114382052d22

Download Submit
C:\Config.Msi\e5a1808.rbs

Filesize
19KB

MD5
77ac1633ed500dfe91acec4a69e438d3

SHA1
7b985ee721021e541f1989dd33f49d079f470793

SHA256
e3008418c9d6b212c312ad3c2ed8cc410553f3ee6c1f7b65dd491d4141cd7e69

SHA512
291cb9489422cefd61b6c28290ac7587a8e5bc0e2fe3d8598814e8bd6eb0141290e31a7cbe47e8bd0f47a1a4717bf90e90402f767ea790fa47d0795e26556adf

Download Submit
C:\Config.Msi\e5a180f.rbs

Filesize
19KB

MD5
308681ff0df45228e4e0bb055d43cc55

SHA1
c42f1cf9a30db22fa49a5ae5565a83c71fbddeed

SHA256
f736e85e4d6d435fb723737fe46eb865f43fea035ad23484338c5736ea5adc09

SHA512
71c0fbf72bb7efabb4708f48266151c1405be8e63a7496b28f6865026921f6f05390b04e7134b574d8816cdac45729da967c699e559b555d72d54cecb09ba5c3

Download Submit
C:\Config.Msi\e5a181b.rbs

Filesize
19KB

MD5
c38de557e933c7fd4ae085febecdb904

SHA1
5af3ab805ecfb58b0a9de081b2da4d28dd5cf95f

SHA256
e94e3a50181aee7afebc98470bbe727b5ab375d1658dd9015ea7b7c1f4845983

SHA512
b8c8aa604288a7741bd9d03457261409b2f239e2b89b13bd5c4e5c7958e33b20ae867f943a1fc1348330235e7de5656c72005850e820108af0a584e306019560

Download Submit
C:\Config.Msi\e5a1822.rbs

Filesize
21KB

MD5
99310f8678030e14264817b3800051ec

SHA1
a3ad03a97ad5cd19ab63e95d7ac8ee2b9b2dc7bc

SHA256
8d76b7e00c423b7480a161d00bb2b5e678e553cf3391f0e6e390985cc1c5ffd6

SHA512
f8e64207146c55ecbbd3b27f1ea2903e139cae57618b53b13eeb21a1554203f5c567e9add1b5af5aef4ca1f429a3b05d101dd37dee15a9a7c705f625d84f3294

Download Submit
C:\Config.Msi\e5a1831.rbs

Filesize
21KB

MD5
fab17f0f487af48134ec55f8198907bb

SHA1
ed927c93b72678cdb75da7292773ed2f3e32e94a

SHA256
3d84b08f3613bb2437fe0353b5ea5029058d377408449d263c04b08b991f1204

SHA512
6ec8ba95385ae31b1b8850ca761fdfca371e5786045a187111256a03d4e5f858cc03842b5b35e544ceee07460d7b891ac500d8566db60911ddd3322dd27cd47f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\4efc3238-833b-4878-94e6-77f4f7148140.tmp

Filesize
10KB

MD5
6e81632b9f40719144490c691c0f30bb

SHA1
ccabc8261fbc51b2a9bbad862c20a5612ea5da2f

SHA256
8cec85957ebc92d25c053966bd7800c96eb7b864d8b324e8f9276d043c5b1d8b

SHA512
62752d3a4765a378af39838369f3af42d1532ef8474481c8bbb8818a864aca09907517eb185fd3c9e5cc2284ded7dc8b1ddf238425aec357a5cd1dd097655def

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7bed1eca5620a49f52232fd55246d09a

SHA1
e429d9d401099a1917a6fb31ab2cf65fcee22030

SHA256
49c484f08c5e22ee6bec6d23681b26b0426ee37b54020f823a2908ab7d0d805e

SHA512
afc8f0b5b95d593f863ad32186d1af4ca333710bcfba86416800e79528616e7b15f8813a20c2cfa9d13688c151bf8c85db454a9eb5c956d6e49db84b4b222ee8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5431d6602455a6db6e087223dd47f600

SHA1
27255756dfecd4e0afe4f1185e7708a3d07dea6e

SHA256
7502d9453168c86631fb40ec90567bf80404615d387afc7ec2beb7a075bcc763

SHA512
868f6dcf32ef80459f3ea122b0d2c79191193b5885c86934a97bfec7e64250e10c23e4d00f34c6c2387a04a15f3f266af96e571bbe37077fb374d6d30f35b829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
43df4ee160c54c9b090e621b74c49e3c

SHA1
f97915b0ae8caf366410043996d59028f15bb82d

SHA256
2399a905e161cd2c09a8da33ce4e7ae415670e1238b85f656c515cbbd0b1a400

SHA512
167a29fe2c84f23df45e0c5f61aba0c83ab608c0f08a2f741f023f3b6f12f16b2fe2c932682107f70f08e7576936aeb35492f0206e50f26453057ed48b388a30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eee4c04cba2af394fb6ae026a8315785

SHA1
502f0ccb08fa1e8a610a2ea693442a4df0a6b9d3

SHA256
de14cab2193eb829b5bc4a147af4e5c9923b18793c9c51fb2f08f2ecd9f4a3ea

SHA512
92e320accd527f46277f3ba5e65313a5f4100d098876bbfa94652556b1df25ee845e6a041d09dc5ba1ae76ac6ac05e20479f97f82d0c5a069f06ebda86ccc0ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6cdf191cf7f155f6a4d5198dcd17cf48

SHA1
2132f350bb0a9ec890f8f6e50156e58032392de9

SHA256
511c0f3cec2641abd2de323ce0b79e7f9426a106bddca9e6f5884f11dfe5a5f6

SHA512
8a169c518f86b5de9cff832ea03d03335c4396b6ba5ee1a4ab73a0dc1e51ac6cba759b2bb4cdd3723503c9cc5b3d38748f9bac29f90e0f6b49340d0bf463363a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
87ddd6bdacdd489b13951cc2396f8bfc

SHA1
5e69834fe534d534e20d36cd7d1ad40f61a164a3

SHA256
d8062e5641002387d757fd567e475716b4611c0f38c6b1fee690c2f8f6d7af3e

SHA512
6b6cba3dc5d070f3024a83997983430d0be7d0a1671c66b2bf9849cd09698ed0f80281fdeead39cd0bed3bfa44ea18758ef9bf1697b2ed784fdaa958938d60d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
627B

MD5
69b9f3c426b17e583743d001580c86b9

SHA1
ade2d4bc932275c0bcc468334bac3f8a05322ac3

SHA256
dbcf7cc59b7b311e42c5330b6c6f0db66e2c462b0b74b18f40572b97ae071e2f

SHA512
d6e5e798e183e2711497226b9b2792af9142a433b2f22869645eecebd280d59e33c6f94077eb1367474773b16567ca770957475ccf90b084882492d5017feec9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
547B

MD5
9c1df49705d4e33e5f2af619b35bbcd2

SHA1
166fff49a6f9fef920d549b10b1a94b93daef939

SHA256
58917e3ae746fa9046fff640f605c502540b5652e44a0375fd6c098426e1d54c

SHA512
0e292e8958dc98de9958af4b41d0018b749199f6a28027e0abfa1c65865ce09912ad9facb9da0cee35e965ffeab410c58b6d2112c7c6107f7f77d237a5e82bcb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
786290b31337dcc3688d28f62e792587

SHA1
ebdc2450386b4ea769aed7f56deed247d361b543

SHA256
90e609248990ed88befd944a66f28085239b6a77dc220fa9598b40d4f47fa21a

SHA512
36b580a15bde31a98565ab94e1922f67ae24b974ec66f162d972bdb2156ed20052cabb228a2f922a6db6e02734255f2b47c8859df2b670051cb6801e29e000af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
f08be9500c62ab697432c855ca1113c5

SHA1
0e3a53c3701fde4c5b7d28bcb724b490bff15ca4

SHA256
26c9697c0b062deabb0e06735c7b52da6f52ab691558ec6badde3db7a8bd931d

SHA512
ba23e082807f95547aaf40d8495fb10ae0f3662ff0b620796e2f18027e93080b855e35f8301a1c3d63382ca2ea92ee43d1fcb4c8ad58f5f2732fc0b62f83e504

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7841df531c984bf83227e0c1384968af

SHA1
2d1f6fcb719a3755fcd75a6545bc8a8176f432df

SHA256
6b0a80c1a9dcac9465762f6966b809b7296c900e2a9c981dbb823a53756e958e

SHA512
f5ea8bb0521735ade0048e1e67c4dbe508f48f56ec69b13528e4a153676a6c15970fbacc35fe489d6fa07313b9f2e12229b3ea2b6138c6e91a86bb0f9c17128c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1d5f9baf7d57329cba75f28297af08f5

SHA1
b95c16ced17d9bec966f4caf31b38d4d540be727

SHA256
e3ef4e422781542cb133b27dcdf6b6f37729fbc229eb1a9f9069810b1311c6c3

SHA512
4149a28e23df5ff426ea5266f20cd1e41e9be889397920157c76eda1d47982b841d043050aee177aad298bfb33ce08091f33c65bf109dcac7ab62e5ec4392acf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f0602851e4642fe3f29b63f5faf081dc

SHA1
9a5802b4de314273a59e751be116d0a5d1e730ab

SHA256
6fe451793c74c480f6e7bfdcc4f60ee81f07f7f3b7332a94292462aaf7e259c0

SHA512
007c4b2fd3c345c64773cddf9f385a3d54c2e6d73f09a6171fa3152725ab9891a448f9262798d467b5e4fc1b9e91b7288d9515950384f5447d8596b02521e699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
722ae35700c22fe03694d63b7ff1cf8b

SHA1
745ed8748e48210d0078480ecf3dc465ab568abe

SHA256
f46831f57ed23b2c0be20b2eb14c17f394092bd6b4e0a01140263e9d94a39385

SHA512
e8270c6bda67092c8e13183dc9ba2e059e349b9331eba3fe6d9cec0f5ed6319e0664172b595fbeda5e5124b5d622c6a3a735c33ed0cd2be8c0764c680c113357

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ed84cc2d11bbea86e82295f995697a7e

SHA1
2cb7a822207338aaa38779494fb118350edc3d26

SHA256
a538210f6665dcf0ab6d9ea40902084573962cb9820f862d0cdcf81311d083f3

SHA512
e53a85d9c23029cd1b0a7cce758d945932db001f85545f5bcf03cb8d60fe781fd277fe3e448ed80e028308434c1c995a3d1291ba58f70beb90e379a65d48847e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
bee7b999bcda40635724d9b92c26b3ff

SHA1
c8b4ecceb5ed7e61c46bff1367d812a80ef3273e

SHA256
cefd1c36ab777b861f0b378a3e9ea6b23f29f1b59125349bf91d2d8a180acf7d

SHA512
ee9308ba020a2bc26820d7fc23733e5a95d74ca1cb6bc91444798915717a3e8be6246088836f445e52aabaa11c003d963f3b9cf3e249123fc462a87b14883581

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
536B

MD5
66a2d26cdafa6261e4b7044253fa6192

SHA1
1acbc7505db3348687ade5b877d60420e7c2f86d

SHA256
f38932bb8c4e67e87a0833b5e57ddcf250e8f7cf895cec155b99b269e123032a

SHA512
744f9d296ba2191e0b4b1b9c4da95ff0a754a3f6286650fdffcbc0252bc44d359b1f06ef4ab0486510741868213622c4688bb7bfcf0c949c05fefb20cf31f89a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58cbb7.TMP

Filesize
201B

MD5
06e03713df9a0082958887a6277b9ed5

SHA1
a553639dcc77b329692aa83d56ebf21dd3b3ffda

SHA256
73fa3dc9b14c84a124c2ee5376af47eb693720bbaf156dfb5eade64a30f88aff

SHA512
86eb474aeb4bd1af9d1c1572176243f0cae1e8d0b9a15db07214bd23e891fe8644db3ffcfc50b3e9d2f60c27efc26fc88bc159117e5f31789a4546f905944ea7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
03255c349f7a8ca8a878ca539132ce12

SHA1
8b14d1cbd433148e469ce50f046e2872594da2ae

SHA256
95d8be75415606c98e7391c34d001507a2528a5abbfbb76e2def32deece40420

SHA512
55d9b664bdaac985ba35f0439ef42ba931a5d717b443ee70fd0bcb75a0db32f4c350f0635e4687dd11febc8fc16ec48017d30bb625b1b7dbf0de20a672b4ca36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5e507797cea7a4f7633e609941017a9c

SHA1
11af49357a4438cc693fa87ae2f8451921d3530e

SHA256
c19203645fc7d2f313d75c8f1625c5b132c59a1f13c2a307148b6fb6152e0754

SHA512
de168c1707b38928f2b6505ddd22efaed861e2dd540f85a27c13d65bd1f3d07359e93435e45686893b6fba8e1ba7eabb8074c60b7f4961404c3ea4e6102e7444

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup_20250130_065705775.html

Filesize
16KB

MD5
d6c2631d0ccebc90737cf228167f3a58

SHA1
ce86304cf5017df93fe3a7409d62417ec1a399e3

SHA256
491c9b4b8931dcc89a75f5ed656b614a4a1c89fa0148f7a5189726a4b053477f

SHA512
d7b2b7f43934b1ab71e8f2284cd2d66619f6783db1285ca9c392c8a06ece4fccfaa2a5b40eea3ef357b7d57c491b74134a54e7c8fb1d192567237489f8654c5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\VWLC44B.tmp

Filesize
392B

MD5
6e2b631d7f833fcab2abfdf9b4f6fe6e

SHA1
692f4d5b05bdbcebb2d2823060a4e8068fb04d9a

SHA256
4089f49f98d3a97ff04c22a095f78c1d1e6806693583656101e82db87d887892

SHA512
531b9e498343f425d9293200a465123815f0b7999682e14e7f8a3fb5636c02e8631f86d8ba038b2518239025d7624807c54e4741b796eaf1c2be3f6ef311e0c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\VWLC852.tmp

Filesize
392B

MD5
c560272150d4ef75901d4e40c54eb503

SHA1
c5c966266a009b29aad855b6d178059b9169bae2

SHA256
f9c3f01ffdb3ac341ab86d609e5ffbf410bb4f3c2ce70983be7f301e839776ff

SHA512
fb79045532994cc146aba9010928746ed48e29b7002b6f8cd4e23fa2934b0b94d215b96f6d313da8d203671b732e72ffde8167a0750246045bea81273e5cd0f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46242\MSVCP140.dll

Filesize
552KB

MD5
cd0c37f1875b704f8eb08e397381ac16

SHA1
249d33c43e105a1c36ec6a24e5ef8dbc5f56b31b

SHA256
d86ac158123a245b927592c80cc020fea29c8c4addc144466c4625a00ca9c77a

SHA512
d60c56716399b417e1d9d7d739af13674c8572974f220a44e5e4e9ab0b0a23b8937bd0929eee9f03f20b7f74db008f70f9559a7eb66948b3afab5b96bdd1a6d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46242\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46242\VCRUNTIME140_1.dll

Filesize
48KB

MD5
bba9680bc310d8d25e97b12463196c92

SHA1
9a480c0cf9d377a4caedd4ea60e90fa79001f03a

SHA256
e0b66601cc28ecb171c3d4b7ac690c667f47da6b6183bff80604c84c00d265ab

SHA512
1575c786ac3324b17057255488da5f0bc13ad943ac9383656baf98db64d4ec6e453230de4cd26b535ce7e8b7d41a9f2d3f569a0eff5a84aeb1c2f9d6e3429739

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46242\_asyncio.pyd

Filesize
34KB

MD5
7d4f9a2b793e021f7e37b8448751ed4e

SHA1
0ea07b5024501aad5008655cfeae6d96b5da957a

SHA256
2293c1b6b0b901832a57a1c4dcb1265c9e92d21177195712c30632a7b63227d4

SHA512
af75452279c308c61c3e222a031a8201e47e8fe44c4e92cb7dab03d56c7e7e3e2a2c589f650c50e0b29e2df175d6f2ff50c8e5e589d17a124bf0a2e0d7886c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46242\_brotli.cp310-win_amd64.pyd

Filesize
291KB

MD5
277ad3ef0a1323a7e29d32f1fb4f0782

SHA1
3cbac1c280afb586fc79abcc24732b71700c4c16

SHA256
e4b450838c9408ed80f8bb8d4e165e8de204c73108af50c20c8b2b0c797cf219

SHA512
26a4446fccd2aa2b6c151ade640c154ac85be975dde0a1e5a6a857f1c505c7ac763e420fdce68892bcd70fb1bb5a24dff39f6751eefb7d01ba34de905e1db508

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46242\_bz2.pyd

Filesize
46KB

MD5
6250a28b9d0bfefc1254bd78ece7ae9f

SHA1
4b07c8e18d23c8ae9d92d7b8d39ae20bc447aecd

SHA256
7d43f7105aa4f856239235c67f61044493ee6f95ddf04533189bf5ea98073f0b

SHA512
6d0aa5c3f8f5b268b94341dfdd5afbe48f91f9aac143bf59f7f5e8ba6f54205b85ec527c53498ed8860fdff6a8d08e48ec4e1652eeab2d3c89aaaf3a14fcaaa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46242\_cffi_backend.cp310-win_amd64.pyd

Filesize
72KB

MD5
569d276da5bcb89d9e93b639d27d4c7c

SHA1
46ef90c9dbac45a89c384d26af1971fb780073bf

SHA256
e016f14f54a7907f0afe9970b5bfe9fb0ad043109d4446dd5e2910600e0b5a82

SHA512
1b883a41ecd35fe4a62d996f4a8c96e2ed9c7d16fd5a1515792f39524cacb9bdb314b5435644e52af0f1874b1a4ee1865492722649f59b51eb70085c0679d7b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46242\_ctypes.pyd

Filesize
56KB

MD5
4b90108fabdd64577a84313c765a2946

SHA1
245f4628683a3e18bb6f0d1c88aa26fb959ed258

SHA256
e1b634628839a45ab08913463e07b6b6b7fd502396d768f43b21da2875b506a1

SHA512
91fa069d7cf61c57faad6355f6fd46d702576c4342460dadcedfdcbc07cd9d84486734f0561fa5e1e01668b384c3c07dd779b332f77d0bb6fbdbb8c0cb5091bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46242\_decimal.pyd

Filesize
103KB

MD5
20985dc78dbd1992382354af5ca28988

SHA1
385a3e7a7654e5e4c686399f3a72b235e941e311

SHA256
f3620cac68595b8a8495ab044f19a1c89012f50d2fe571b7a1721485f7ff2e43

SHA512
61b8ecd2d12b3f785773b98d4bf4af0eb6eb2c61fbea6effb77ec24b2127e888d0ea5fdd8cc298484e0f770d70c87907048fc382faace8e0ca6b49ab106c89f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46242\_hashlib.pyd

Filesize
33KB

MD5
3b5530f497ff7c127383d0029e680c35

SHA1
fb5dc554bb9ff49622184cc16883a7567115c7ca

SHA256
5971fcc9758b7f4a12cde2190a323f35a34ab7f97bd8c39cc8f3335223102573

SHA512
12ced7ddb0352f8eca3c3cb7c7c2faaf08e617b2dd278d20008051fb6b564b17c3e9ecfa8b0ffe7674154ad533dfbbf1e802accd5e1aef12ece01368da06e85a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46242\_lzma.pyd

Filesize
84KB

MD5
8edbeeccb6f3dbb09389d99d45db5542

SHA1
f7e7af2851a5bf22de79a24fe594b5c0435fca8a

SHA256
90701973be6b23703e495f6a145bae251a7bb066d3c5f398ec42694fd06a069f

SHA512
2a8bf60f2280b9a947578bd7fd49c3ace8e010a3d4b38e370edb511ea0e125df688bbac369d6a3cec9d285a1fa2ad2dac18a0ef30fda46e49a9440418581e501

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46242\_multiprocessing.pyd

Filesize
25KB

MD5
4fbc5fd5da9da74c04fe0374387b34d3

SHA1
1e9c98db0486f98fb7d8eb9fa57a949494b649b5

SHA256
b2347790c87052623710382d3178887f68a79618d6da5174909f46b169236950

SHA512
ce87d4512c2ab7c1ad7986e8e1fe790615ae39c7667d234dfc09026ee7e1518b3bfbf7974612811db0c3e5654b35b54e118e23e624bebe027a51d2c8f2a4652a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46242\_overlapped.pyd

Filesize
30KB

MD5
5c1441f6ee11632183a83dac2d22853b

SHA1
eef732ff4bab9ea5c8fffb6a93c47cfc8e64dae2

SHA256
104e0b0e0e9fec9eb6438683296feeba298d5f23b02d2080577fc87ffec67acf

SHA512
e41d3433754a8a3d2c572bb7f3902c0d37cba2e6f3307f0e6dfed316a22b11ef7e52a73c30085fa89fcff603e4b76858abe761217c320e38fa2eb95d1777b595

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46242\_queue.pyd

Filesize
24KB

MD5
5c4c43763fb1a796134aa5734905c891

SHA1
44a5e1ae4806406a239129d77888bd87d291a410

SHA256
4edc80e7d331ba0e9338431d407157181190f995821d1cd24f7a7aa2422ece0c

SHA512
07bec7e4a85e76cfab2c21776b50ee2bd0454835fcb43b573dee757eca24cbeb4530784bae07de3be90820cee6d72023d9ded395d4f1a4931971db247dc1a71e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46242\_socket.pyd

Filesize
41KB

MD5
53e72716073038c1dd1db65bfdb1254c

SHA1
7bf220a02a3b51aa51300b3a9ea7fa48358ca161

SHA256
e1fb6927ba2ed014d0ac750af0ee0bb3d49487dd6920848937259606e1e92e1d

SHA512
c10d91b6ec82402b0eb05dc31a4703c999f4988e88204b695e009fae5fdcc61e8a6dc4d2879ecf2babc030224048afd2f256b9e7f5c5b6f28762047813be0941

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46242\_sqlite3.pyd

Filesize
48KB

MD5
e7d68df8f65fbb0298a45519e2336f32

SHA1
ad3c84ad7eb75a61f287b1ba9fd2801567e39b6d

SHA256
2473ebaf52723c3751a12117ebbe974e50ecdaeb40b282a12ba4e6aa98492e79

SHA512
626204685e9b95310aba51be4a8abaf3b6e152fa35902f64f837303fc4011a4518ee393047ceb45bf377e9d965d169c92bfbb6673475150e159c59b7857ba03e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46242\_ssl.pyd

Filesize
60KB

MD5
7e9d95ac47a2284706318656b4f711d3

SHA1
f085104709201c6e64635aeacf1da51599054e55

SHA256
38dcb3d0f217785b39c03d4c949dd1e04b70e9eade8a4ad83f026390684059c9

SHA512
294a5148d8fcddabd177b776617da7720d9876ac2a1cdf8dd7b9489f0f719600a634346cdfa07da66588de885b0a64d8cccde4d47edbf6305bd2af44ee209118

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46242\_uuid.pyd

Filesize
21KB

MD5
59cfd9669367517b384922b2485cb6a7

SHA1
1bd44298543204d61d4efd2cd3980ad01071360d

SHA256
e02bfad84786560b624efd56df55c88a4ffbd6c7cfc728bf68b6401aa10f849f

SHA512
d0dd041d8493c7c19db01ea8477981148726796ce2ab58d3193064123319bd5b68fd57871d1db0aaa08d07f78ab96a3d343051c33ffd406e96b921248ea32665

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46242\aiohttp\_helpers.cp310-win_amd64.pyd

Filesize
21KB

MD5
4ee50be5f99d4f5ab298bb3a4a49b074

SHA1
999e12e6feb57a8b7353523169a0e989e11f41f6

SHA256
9b289b01e9d45609a4e7ea9695a6971caee51543d5f5def473f2fd1be3ba476d

SHA512
9d6171645cba26792829b732313da50405ccb07e0ab725775ba6cce5d4fe36ecbd736a6710734df45aaa9ff389f51e4059d8eca187df989c05bd90b4db8e9f54

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46242\aiohttp\_http_parser.cp310-win_amd64.pyd

Filesize
64KB

MD5
a2e8916b3e660e9e76b16063b4b99cfe

SHA1
7b06ae2b1a610692ca166c50dfbc6c3a4221fd16

SHA256
41dd331430b6395cc4abdd1855f84e8e341846021453e395769d712888ed77bb

SHA512
6e6196863fade7f8c2ade8942c302a915aa026cbf30a293edf591b2272d1a3eb1a1de652f36e1bf09ab787946ef48a11b70b8f017f99b2d16e4e77f793b34d4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46242\aiohttp\_http_writer.cp310-win_amd64.pyd

Filesize
19KB

MD5
b89d69ec0b65fd551996798dde5e9394

SHA1
f6d89be7145c1ef93b3251de2f4f6e4d93103288

SHA256
dc3cf160204e11c0ec79cf33ac4c97a1aebbb820c2e07855e5fcd29c5dd31158

SHA512
d2575aa5c6e81e43c53d76659fa3b6aa66f9afbe1e343aa9004d8a533e5c37cd3ef2f062c6a440389728b18a38d2de90aab36340607bb004d23c28e681db142c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46242\aiohttp\_websocket.cp310-win_amd64.pyd

Filesize
14KB

MD5
40354ebde496e17e83b228a61718fdeb

SHA1
8501f20087255843fa3ebb8380c79f0bc1b81fc7

SHA256
4689bae0e0660c2f9def96867e9b0f72d6b253e3bb01d50985599d89d573350f

SHA512
adbce70c6804ef3626e4ba6a6639046a6dc9da359f8cb6433d0c2ee52d1bc0813be6350d02324d68094ce745d13d9848340303c1fb2622329425d4ed5d7a5628

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46242\base_library.zip

Filesize
859KB

MD5
4253e18e2f977da6beaf3587db5b605c

SHA1
60eeed22b25bae022bdc5784352a49e441c6b301

SHA256
281e6f042e93f9de1c44c9917c8a54c0efbbe5fd97d9f46a65c8d702e144f4dd

SHA512
2f474078f48739660cf4a770544c52dcd00d2951c3ad03549f80951f57c425cda5979d56e9482dd05541de851c33a27658da8b4bccde19276ab43108d0a30163

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46242\libcrypto-1_1.dll

Filesize
1.1MB

MD5
86cfc84f8407ab1be6cc64a9702882ef

SHA1
86f3c502ed64df2a5e10b085103c2ffc9e3a4130

SHA256
11b89cc5531b2a6b89fbbb406ebe8fb01f0bf789e672131b0354e10f9e091307

SHA512
b33f59497127cb1b4c1781693380576187c562563a9e367ce8abc14c97c51053a28af559cdd8bd66181012083e562c8a8771e3d46adeba269a848153a8e9173c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46242\libffi-7.dll

Filesize
23KB

MD5
d50ebf567149ead9d88933561cb87d09

SHA1
171df40e4187ebbfdf9aa1d76a33f769fb8a35ed

SHA256
6aa8e12ce7c8ad52dd2e3fabeb38a726447849669c084ea63d8e322a193033af

SHA512
7bcc9d6d3a097333e1e4b2b23c81ea1b5db7dbdc5d9d62ebaffb0fdfb6cfe86161520ac14dc835d1939be22b9f342531f48da70f765a60b8e2c3d7b9983021de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46242\libssl-1_1.dll

Filesize
203KB

MD5
6cd33578bc5629930329ca3303f0fae1

SHA1
f2f8e3248a72f98d27f0cfa0010e32175a18487f

SHA256
4150ee603ad2da7a6cb6a895cb5bd928e3a99af7e73c604de1fc224e0809fdb0

SHA512
c236a6ccc8577c85509d378c1ef014621cab6f6f4aa26796ff32d8eec8e98ded2e55d358a7d236594f7a48646dc2a6bf25b42a37aed549440d52873ebca4713e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46242\multidict\_multidict.cp310-win_amd64.pyd

Filesize
20KB

MD5
dba01ddfe41784191780e50534b7b86b

SHA1
64e834d0e457252f6deba67843626804d6343a41

SHA256
1fc13691e104e56fb0b742288d4aa943b907db3da6848e1b92904a1aa9b89187

SHA512
13046e44a6e0df896789d17427f9c05c229cbabfb0414e3c6b78637701a316953efa507e40519c760ea762e2e2c90714fd72e14e7bd949094c08d70bf515c2ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46242\pyexpat.pyd

Filesize
86KB

MD5
46331749084f98bcfe8631d74c5e038f

SHA1
5e5510f7a4d03f10d979e0d6a0d2a6f0e53ca347

SHA256
21cc4b9ccd69d08d7c1068b1f004ae9454f7ea0a322801860faf0e6f4a24a3df

SHA512
edd39ce2d927fb6700a86db07f4f56cab897ef91a320f3e5ecb542ea1be6888dd27a08008e5fa1df3765b0c82d1046a23c8d59e76d11f4e6449d4d6826879589

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46242\python3.DLL

Filesize
63KB

MD5
c17b7a4b853827f538576f4c3521c653

SHA1
6115047d02fbbad4ff32afb4ebd439f5d529485a

SHA256
d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68

SHA512
8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46242\python310.dll

Filesize
1.4MB

MD5
fc7bd515b12e537a39dc93a09b3eaad6

SHA1
96f5d4b0967372553cb106539c5566bc184f6167

SHA256
461e008b7cdf034f99a566671b87849772873a175aefec6ed00732976f5c4164

SHA512
a8433d5b403f898e4eeebd72fce08ebad066ca60aeb0b70e2ae78377babc2acbbae2ac91ab20f813cce4b1dc58c2ad6b3868f18cc8ac0fe7be2bff020eb73122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46242\select.pyd

Filesize
24KB

MD5
3797a47a60b606e25348c67043874fe8

SHA1
63a33fedffd52190236a6acd0fc5d9d491e3ac45

SHA256
312e9b01d1632840983e8533d1685a64fb87e4538f724a7a59a71b1ba148bbac

SHA512
3eb7599825b7b21aaab05e420dd16d4a8eaa21652d232f6e4ede213a232b701401556e44df73cfa20ae855d1adc28304b52d42367b74ebd8e96c2e3d9a9b93e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46242\sqlite3.dll

Filesize
608KB

MD5
6a3a34c9c67efd6c17d44292e8db8fad

SHA1
339b1e514d60d8370eaec1e2f2b71cead999f970

SHA256
7b0e840165d65f0f5285476467e4c154c4d936613966b84948110a4614b9cad9

SHA512
6f2a1b670d28762745f0d3b961a331cbbb0dec244f8798734b911b3a3bc9519c73a3b26f1e1117725f6f1e880e57cadb562a1450659bca1aae353f6b9575d7f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46242\unicodedata.pyd

Filesize
287KB

MD5
fed35db31377d515d198e5e446498be2

SHA1
62e388d17e17208ea0e881ccd96c75b7b1fbc5f7

SHA256
af3cdc9a2a1d923be67244429867a3c5c70835249e3573a03b98d08d148fe24b

SHA512
0985528cb0289086ec895e21a8947e04f732d5660460f2e7fa8668bd441c891438781c808bcea9294f348720e3752c10ea65363371f7e75ea48600d016bab72a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46242\yarl\_quoting_c.cp310-win_amd64.pyd

Filesize
31KB

MD5
e38fde2d8395e72458dd08956598279e

SHA1
1fc9f0562d9012d3cfcf8ac8cff6854d7f35e333

SHA256
248cd49446e0e0939a03ffe6cc8b83885bfc9b285dbaff90bc10ac6334d10f54

SHA512
bd8428f4f67de23d65c86b8901a9351fd5fbd81bd980ad3277a1520eb21723287f2364dd13fbcf5454bad41947d37b614a245fc204d9a69c0dbfca1ad78329f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fs2b1ws5.qdv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\{042d26ef-3dbe-4c25-95d3-4c1b11b235a7}\.ba1\license.rtf

Filesize
6KB

MD5
1e47ee7b71b22488068343df4ce30534

SHA1
deaee13f21ab70b57f44f0aa3128ec7ad9e3816a

SHA256
8518f0420972c1dbe8a323ffc6f57863af0b80c6a3b27fd0c6fc9bdabb7e2d13

SHA512
c4c653bfd1fc493b0efd8f9c75495287818179dc35969d1fb1927faac3ff9189fde1131c5abbcc3963f707412a7f8ad05a9e6855b7d47d6df1f80d25d67be9ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\.ba1\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{61087a79-ac85-455c-934d-1fa22cc64f36}\.ba1\wixstdba.dll

Filesize
117KB

MD5
a52e5220efb60813b31a82d101a97dcb

SHA1
56e16e4df0944cb07e73a01301886644f062d79b

SHA256
e7c8e7edd9112137895820e789baaaeca41626b01fb99fede82968ddb66d02cf

SHA512
d6565ba18b5b9795d6bde3ef94d8f7cd77bf8bb69ba3fe7adefb80fc7c5d888cdfdc79238d86a0839846aea4a1e51fc0caed3d62f7054885e8b15fad9f6c654e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9dff3540-fc85-4ed5-ac84-9e3c7fd8bece}\.ba1\thm.wxl

Filesize
2KB

MD5
fbfcbc4dacc566a3c426f43ce10907b6

SHA1
63c45f9a771161740e100faf710f30eed017d723

SHA256
70400f181d00e1769774ff36bcd8b1ab5fbc431418067d31b876d18cc04ef4ce

SHA512
063fb6685ee8d2fa57863a74d66a83c819fe848ba3072b6e7d1b4fe397a9b24a1037183bb2fda776033c0936be83888a6456aae947e240521e2ab75d984ee35e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{9dff3540-fc85-4ed5-ac84-9e3c7fd8bece}\.ba1\thm.xml

Filesize
5KB

MD5
0056f10a42638ea8b4befc614741ddd6

SHA1
61d488cfbea063e028a947cb1610ee372d873c9f

SHA256
6b1ba0dea830e556a58c883290faa5d49c064e546cbfcd0451596a10cc693f87

SHA512
5764ec92f65acc4ebe4de1e2b58b8817e81e0a6bc2f6e451317347e28d66e1e6a3773d7f18be067bbb2cb52ef1fa267754ad2bf2529286cf53730a03409d398e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
aeec514ab320aae85024e730ce87d101

SHA1
cb5e8b7d717ede694c469b3d0d42aa92f2ef91b2

SHA256
f26917abf91c27471482ce7a544115a7a4950a03497fcd40be2263f4ad6af1d0

SHA512
01a26921d33190529b58e45507bf51996fe91bd8ef92704476425306c27d5acde1f3737f0d26ee6f1fa0e4d0a7ae39616ecf24218910805e8963a26ed76938f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
12e6486237059c9d670495ac01aad902

SHA1
865879642937c9989a4ff260ceaf40748280edc3

SHA256
7e665d076ff11a3622f124e93059f9eff3f5c024eee2eea04cf8e059607564a9

SHA512
3d0c4d3b41042284653b9ca91fee31dbaf4fb11280522b5cc81f30ac6b5641c60c8f6258f0aab09623b4abadf6da53a2de3de44a22615840b81544e7532e918f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
5cf1753dde3c27ca17da80411e32989a

SHA1
70b8da03e0152e2db912d21d963ff95468e70771

SHA256
6b3b32ae1c7afd2fde1341903b9736be26aea61c49220bce9389c3cb74934c87

SHA512
357c55d7563c73fdc44577f0f11e1784b6e3c418a12a91ea8a52ef8570c27f2c6f535327ab84a1c874e9e64030c8d6efe6838231a94a2498e154ae1868b6e68b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
2c21b8e7622f6bfdf244211b9ece2f54

SHA1
5c73f77ca4a95be0e0e42fb23a11bfc48e3b9cb8

SHA256
b6a184cd64988705024ae4b881f035a8fdaa0572859b276ff22d9abdd446ec5b

SHA512
a20474c98d7585cd35369ff458d0176938599e075a1bd41f43e5d05f32d48f10d8dd8f62fb8fd291fcc1b314663e61973f2217699a79657c84d907a6c53811cc

Download Submit
C:\Windows\Installer\e5a1752.msi

Filesize
2.6MB

MD5
b20bbeb818222b657df49a9cfe4fed79

SHA1
3f6508e880b86502773a3275bc9527f046d45502

SHA256
91bdd063f6c53126737791c9eccf0b2f4cf44927831527245bc89a0be06c0cb4

SHA512
f534bc7bf1597e728940e6c3b77f864adfaa413bb1e080458326b692b0f96bddf4fbd294eeed36d7764a3578e6c8e919488bbf63b8fe2d4355ab3efd685424a4

Download Submit
C:\Windows\Installer\e5a1757.msi

Filesize
3.0MB

MD5
6dbdf338a0a25cdb236d43ea3ca2395e

SHA1
685b6ea61e574e628392eaac8b10aff4309f1081

SHA256
200fef5d4994523a02c4daa00060db28eb289b99d47fc6c1305183101e72bdeb

SHA512
6b5b31c55cf72ab92b17fb6074b3901a1e6afe0796ef9bc831e4dfb97450376d2889cd24b1cf3fce60eb3c1bcd1b31254b5cfa3ef6107974dfa0b35c233daf5a

Download Submit
C:\Windows\Installer\e5a177b.msi

Filesize
140KB

MD5
89d36fccb34b319b60d1850863e0560b

SHA1
f356410e3946063b85750f54998582510b9672c8

SHA256
60714fcdac0a7cbfc45e6ed9bc6d4b7f8536947f630016e5faca5cce1745adcf

SHA512
24e167d0305811409e433c8d78716e9b3af4bce4b3f372276f4730ae7c802b8be8f193a70ac0d44ad6e083a35f03fcfdb2faaae4a9975c9e2ef1254285b0309f

Download Submit
C:\Windows\Temp\{522754EA-7B43-4160-8022-679394935BDB}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
C:\Windows\Temp\{9467038C-A4B3-4210-BA5E-646A5C395FCD}\.be\VC_redist.x86.exe

Filesize
669KB

MD5
f7aca1ef43beaa02107214482e6b51d6

SHA1
fb5cec36519b148119dec501cec92d894eb3b60a

SHA256
169b8f7025b301ffce5402c98c07f9e01bbadce52a2961175b777279f92624a7

SHA512
82cf5ebaa0a16e229b82e2dd550d7ab76409c89b4cfb7f163d1cce6d156db737ec5a09a3aa832b4076039665a6044aaeca3a6d311f8264492707ae281bbe7443

Download Submit
C:\Windows\Temp\{E40332E8-6AF8-4F4D-9B09-34D858355046}\.ba\license.rtf

Filesize
9KB

MD5
04b33f0a9081c10e85d0e495a1294f83

SHA1
1efe2fb2d014a731b752672745f9ffecdd716412

SHA256
8099dc3cf9502c335da829e5c755948a12e3e6de490eb492a99deb673d883d8b

SHA512
d1dbed00df921169dd61501e2a3e95e6d7807348b188be9dd8fc63423501e4d848ece19ac466c3cacfccc6084e0eb2f457dc957990f6f511df10fd426e432685

Download Submit
C:\Windows\Temp\{E40332E8-6AF8-4F4D-9B09-34D858355046}\.ba\thm.xml

Filesize
8KB

MD5
f62729c6d2540015e072514226c121c7

SHA1
c1e189d693f41ac2eafcc363f7890fc0fea6979c

SHA256
f13bae0ec08c91b4a315bb2d86ee48fade597e7a5440dce6f751f98a3a4d6916

SHA512
cbbfbfa7e013a2b85b78d71d32fdf65323534816978e7544ca6cea5286a0f6e8e7e5ffc4c538200211f11b94373d5658732d5d8aa1d01f9ccfdbf20f154f1471

Download Submit
C:\Windows\Temp\{E40332E8-6AF8-4F4D-9B09-34D858355046}\.ba\wixstdba.dll

Filesize
215KB

MD5
f68f43f809840328f4e993a54b0d5e62

SHA1
01da48ce6c81df4835b4c2eca7e1d447be893d39

SHA256
e921f69b9fb4b5ad4691809d06896c5f1d655ab75e0ce94a372319c243c56d4e

SHA512
a7a799ecf1784fb5e8cd7191bf78b510ff5b07db07363388d7b32ed21f4fddc09e34d1160113395f728c0f4e57d13768a0350dbdb207d9224337d2153dc791e1

Download Submit
C:\Windows\Temp\{E40332E8-6AF8-4F4D-9B09-34D858355046}\.be\VC_redist.x64.exe

Filesize
670KB

MD5
3f32f1a9bd60ae065b89c2223676592e

SHA1
9d386d394db87f1ee41252cac863c80f1c8d6b8b

SHA256
270fa05033b8b9455bd0d38924b1f1f3e4d3e32565da263209d1f9698effbc05

SHA512
bddfeab33a03b0f37cff9008815e2900cc96bddaf763007e5f7fdffd80e56719b81341029431bd9d25c8e74123c1d9cda0f2aefafdc4937095d595093db823df

Download Submit
memory/2004-720-0x00007FFF369E0000-0x00007FFF36A04000-memory.dmp

Filesize
144KB

Download
memory/2004-735-0x00007FFF36310000-0x00007FFF36324000-memory.dmp

Filesize
80KB

Download
memory/2004-209-0x00007FFF35950000-0x00007FFF35989000-memory.dmp

Filesize
228KB

Download
memory/2004-176-0x00007FFF31C00000-0x00007FFF3206E000-memory.dmp

Filesize
4.4MB

Download
memory/2004-193-0x00007FFF36720000-0x00007FFF36735000-memory.dmp

Filesize
84KB

Download
memory/2004-238-0x00007FFF36720000-0x00007FFF36735000-memory.dmp

Filesize
84KB

Download
memory/2004-194-0x00007FFF3A790000-0x00007FFF3A7A0000-memory.dmp

Filesize
64KB

Download
memory/2004-226-0x00007FFF31C00000-0x00007FFF3206E000-memory.dmp

Filesize
4.4MB

Download
memory/2004-177-0x00007FFF369E0000-0x00007FFF36A04000-memory.dmp

Filesize
144KB

Download
memory/2004-165-0x00007FFF35DC0000-0x00007FFF35DFF000-memory.dmp

Filesize
252KB

Download
memory/2004-60-0x00007FFF369E0000-0x00007FFF36A04000-memory.dmp

Filesize
144KB

Download
memory/2004-300-0x00007FFF36300000-0x00007FFF3630D000-memory.dmp

Filesize
52KB

Download
memory/2004-719-0x00007FFF36720000-0x00007FFF36735000-memory.dmp

Filesize
84KB

Download
memory/2004-373-0x00007FFF36300000-0x00007FFF3630D000-memory.dmp

Filesize
52KB

Download
memory/2004-86-0x00007FFF368E0000-0x00007FFF368F9000-memory.dmp

Filesize
100KB

Download
memory/2004-88-0x00007FFF3B630000-0x00007FFF3B63D000-memory.dmp

Filesize
52KB

Download
memory/2004-90-0x00007FFF368C0000-0x00007FFF368D9000-memory.dmp

Filesize
100KB

Download
memory/2004-721-0x00007FFF3B640000-0x00007FFF3B64F000-memory.dmp

Filesize
60KB

Download
memory/2004-722-0x00007FFF368E0000-0x00007FFF368F9000-memory.dmp

Filesize
100KB

Download
memory/2004-723-0x00007FFF3B630000-0x00007FFF3B63D000-memory.dmp

Filesize
52KB

Download
memory/2004-724-0x00007FFF368C0000-0x00007FFF368D9000-memory.dmp

Filesize
100KB

Download
memory/2004-92-0x00007FFF36360000-0x00007FFF3638D000-memory.dmp

Filesize
180KB

Download
memory/2004-725-0x00007FFF36360000-0x00007FFF3638D000-memory.dmp

Filesize
180KB

Download
memory/2004-726-0x00007FFF368A0000-0x00007FFF368BF000-memory.dmp

Filesize
124KB

Download
memory/2004-727-0x00007FFF39800000-0x00007FFF3980A000-memory.dmp

Filesize
40KB

Download
memory/2004-728-0x00007FFF36330000-0x00007FFF3635E000-memory.dmp

Filesize
184KB

Download
memory/2004-102-0x00007FFF31C00000-0x00007FFF3206E000-memory.dmp

Filesize
4.4MB

Download
memory/2004-730-0x00007FFF31C00000-0x00007FFF3206E000-memory.dmp

Filesize
4.4MB

Download
memory/2004-731-0x00007FFF3A790000-0x00007FFF3A7A0000-memory.dmp

Filesize
64KB

Download
memory/2004-110-0x00007FFF24A60000-0x00007FFF24DD5000-memory.dmp

Filesize
3.5MB

Download
memory/2004-111-0x00007FFF369E0000-0x00007FFF36A04000-memory.dmp

Filesize
144KB

Download
memory/2004-112-0x00007FFF3A790000-0x00007FFF3A7A0000-memory.dmp

Filesize
64KB

Download
memory/2004-164-0x00007FFF2F140000-0x00007FFF2F21F000-memory.dmp

Filesize
892KB

Download
memory/2004-113-0x00007FFF366C0000-0x00007FFF366D4000-memory.dmp

Filesize
80KB

Download
memory/2004-732-0x00007FFF366C0000-0x00007FFF366D4000-memory.dmp

Filesize
80KB

Download
memory/2004-115-0x00007FFF36310000-0x00007FFF36324000-memory.dmp

Filesize
80KB

Download
memory/2004-734-0x00007FFF24A60000-0x00007FFF24DD5000-memory.dmp

Filesize
3.5MB

Download
memory/2004-119-0x00007FFF31AE0000-0x00007FFF31BF8000-memory.dmp

Filesize
1.1MB

Download
memory/2004-120-0x00007FFF368E0000-0x00007FFF368F9000-memory.dmp

Filesize
100KB

Download
memory/2004-121-0x00007FFF35E40000-0x00007FFF35E5B000-memory.dmp

Filesize
108KB

Download
memory/2004-125-0x00007FFF35E20000-0x00007FFF35E33000-memory.dmp

Filesize
76KB

Download
memory/2004-208-0x00007FFF244E0000-0x00007FFF248B7000-memory.dmp

Filesize
3.8MB

Download
memory/2004-127-0x00007FFF35E00000-0x00007FFF35E15000-memory.dmp

Filesize
84KB

Download
memory/2004-129-0x00007FFF2F140000-0x00007FFF2F21F000-memory.dmp

Filesize
892KB

Download
memory/2004-736-0x00007FFF31AE0000-0x00007FFF31BF8000-memory.dmp

Filesize
1.1MB

Download
memory/2004-737-0x00007FFF35E20000-0x00007FFF35E33000-memory.dmp

Filesize
76KB

Download
memory/2004-738-0x00007FFF35E00000-0x00007FFF35E15000-memory.dmp

Filesize
84KB

Download
memory/2004-135-0x00007FFF368A0000-0x00007FFF368BF000-memory.dmp

Filesize
124KB

Download
memory/2004-136-0x00007FFF35DC0000-0x00007FFF35DFF000-memory.dmp

Filesize
252KB

Download
memory/2004-739-0x00007FFF2F140000-0x00007FFF2F21F000-memory.dmp

Filesize
892KB

Download
memory/2004-139-0x00007FFF24DE0000-0x00007FFF24F51000-memory.dmp

Filesize
1.4MB

Download
memory/2004-140-0x00007FFF39F80000-0x00007FFF39F8E000-memory.dmp

Filesize
56KB

Download
memory/2004-141-0x00007FFF39800000-0x00007FFF3980A000-memory.dmp

Filesize
40KB

Download
memory/2004-142-0x00007FFF36330000-0x00007FFF3635E000-memory.dmp

Filesize
184KB

Download
memory/2004-145-0x00007FFF24A60000-0x00007FFF24DD5000-memory.dmp

Filesize
3.5MB

Download
memory/2004-157-0x00007FFF35E20000-0x00007FFF35E33000-memory.dmp

Filesize
76KB

Download
memory/2004-146-0x00007FFF35C50000-0x00007FFF35C66000-memory.dmp

Filesize
88KB

Download
memory/2004-149-0x00007FFF244E0000-0x00007FFF248B7000-memory.dmp

Filesize
3.8MB

Download
memory/2004-150-0x00007FFF35950000-0x00007FFF35989000-memory.dmp

Filesize
228KB

Download
memory/2004-147-0x00007FFF248C0000-0x00007FFF24A53000-memory.dmp

Filesize
1.6MB

Download
memory/2004-148-0x00007FFF35BF0000-0x00007FFF35C43000-memory.dmp

Filesize
332KB

Download
memory/2004-144-0x000001CEE9880000-0x000001CEE9BF5000-memory.dmp

Filesize
3.5MB

Download
memory/2004-143-0x00007FFF35C70000-0x00007FFF35D28000-memory.dmp

Filesize
736KB

Download
memory/2004-740-0x00007FFF35DC0000-0x00007FFF35DFF000-memory.dmp

Filesize
252KB

Download
memory/2004-116-0x00007FFF36720000-0x00007FFF36735000-memory.dmp

Filesize
84KB

Download
memory/2004-104-0x000001CEE9880000-0x000001CEE9BF5000-memory.dmp

Filesize
3.5MB

Download
memory/2004-103-0x00007FFF35C70000-0x00007FFF35D28000-memory.dmp

Filesize
736KB

Download
memory/2004-741-0x00007FFF39F80000-0x00007FFF39F8E000-memory.dmp

Filesize
56KB

Download
memory/2004-98-0x00007FFF36330000-0x00007FFF3635E000-memory.dmp

Filesize
184KB

Download
memory/2004-96-0x00007FFF24DE0000-0x00007FFF24F51000-memory.dmp

Filesize
1.4MB

Download
memory/2004-742-0x00007FFF24DE0000-0x00007FFF24F51000-memory.dmp

Filesize
1.4MB

Download
memory/2004-94-0x00007FFF368A0000-0x00007FFF368BF000-memory.dmp

Filesize
124KB

Download
memory/2004-743-0x00007FFF35C50000-0x00007FFF35C66000-memory.dmp

Filesize
88KB

Download
memory/2004-745-0x00007FFF248C0000-0x00007FFF24A53000-memory.dmp

Filesize
1.6MB

Download
memory/2004-84-0x00007FFF3B640000-0x00007FFF3B64F000-memory.dmp

Filesize
60KB

Download
memory/2004-746-0x00007FFF244E0000-0x00007FFF248B7000-memory.dmp

Filesize
3.8MB

Download
memory/2004-747-0x00007FFF35950000-0x00007FFF35989000-memory.dmp

Filesize
228KB

Download
memory/2004-748-0x00007FFF36300000-0x00007FFF3630D000-memory.dmp

Filesize
52KB

Download
memory/2004-744-0x00007FFF35BF0000-0x00007FFF35C43000-memory.dmp

Filesize
332KB

Download
memory/2004-733-0x00007FFF35E40000-0x00007FFF35E5B000-memory.dmp

Filesize
108KB

Download
memory/2004-729-0x00007FFF35C70000-0x00007FFF35D28000-memory.dmp

Filesize
736KB

Download
memory/2004-337-0x00007FFF369E0000-0x00007FFF36A04000-memory.dmp

Filesize
144KB

Download
memory/2004-52-0x00007FFF31C00000-0x00007FFF3206E000-memory.dmp

Filesize
4.4MB

Download
memory/3216-308-0x0000022134A50000-0x0000022134A72000-memory.dmp

Filesize
136KB

Download