exelastealer | hxxps://github[.]com/eko13375/FakeExodus/releases/tag/FakeExodus

Analysis

max time kernel
89s
max time network
86s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
22/03/2025, 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/eko13375/FakeExodus/releases/tag/FakeExodus

Score

10^/10

exelastealer collection defense_evasion discovery persistence privilege_escalation pyinstaller spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5188	netsh.exe
4804	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
6080	cmd.exe
4668	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
4472	fake exodus.exe
5068	fake exodus.exe
4688	fake exodus.exe
4252	fake exodus.exe

Loads dropped DLL 64 IoCs

pid	Process
5068	fake exodus.exe
5068	fake exodus.exe
5068	fake exodus.exe
5068	fake exodus.exe
5068	fake exodus.exe
5068	fake exodus.exe
5068	fake exodus.exe
5068	fake exodus.exe
5068	fake exodus.exe
5068	fake exodus.exe
5068	fake exodus.exe
5068	fake exodus.exe
5068	fake exodus.exe
5068	fake exodus.exe
5068	fake exodus.exe
5068	fake exodus.exe
5068	fake exodus.exe
5068	fake exodus.exe
5068	fake exodus.exe
5068	fake exodus.exe
5068	fake exodus.exe
5068	fake exodus.exe
5068	fake exodus.exe
5068	fake exodus.exe
5068	fake exodus.exe
5068	fake exodus.exe
5068	fake exodus.exe
5068	fake exodus.exe
5068	fake exodus.exe
5068	fake exodus.exe
5068	fake exodus.exe
5068	fake exodus.exe
4252	fake exodus.exe
4252	fake exodus.exe
4252	fake exodus.exe
4252	fake exodus.exe
4252	fake exodus.exe
4252	fake exodus.exe
4252	fake exodus.exe
4252	fake exodus.exe
4252	fake exodus.exe
4252	fake exodus.exe
4252	fake exodus.exe
4252	fake exodus.exe
4252	fake exodus.exe
4252	fake exodus.exe
4252	fake exodus.exe
4252	fake exodus.exe
4252	fake exodus.exe
4252	fake exodus.exe
4252	fake exodus.exe
4252	fake exodus.exe
4252	fake exodus.exe
4252	fake exodus.exe
4252	fake exodus.exe
4252	fake exodus.exe
4252	fake exodus.exe
4252	fake exodus.exe
4252	fake exodus.exe
4252	fake exodus.exe
4252	fake exodus.exe
4252	fake exodus.exe
4252	fake exodus.exe
4252	fake exodus.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela Update Service = "C:\\Users\\Admin\\AppData\\Local\\ExelaUpdateService\\Exela.exe"	reg.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
212	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
5124	cmd.exe
2320	ARP.EXE

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
4412	tasklist.exe
5616	tasklist.exe
3736	tasklist.exe
912	tasklist.exe
1292	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5284	cmd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000243fb-1244.dat	upx
behavioral1/memory/5068-1248-0x00007FFC609A0000-0x00007FFC60F88000-memory.dmp	upx
behavioral1/files/0x00070000000243a3-1250.dat	upx
behavioral1/memory/5068-1255-0x00007FFC61840000-0x00007FFC61864000-memory.dmp	upx
behavioral1/files/0x00070000000243f3-1256.dat	upx
behavioral1/memory/5068-1258-0x00007FFC79010000-0x00007FFC7901F000-memory.dmp	upx
behavioral1/memory/5068-1281-0x00007FFC61450000-0x00007FFC61469000-memory.dmp	upx
behavioral1/memory/5068-1282-0x00007FFC75150000-0x00007FFC7515D000-memory.dmp	upx
behavioral1/memory/5068-1283-0x00007FFC61430000-0x00007FFC61449000-memory.dmp	upx
behavioral1/memory/5068-1284-0x00007FFC61400000-0x00007FFC6142D000-memory.dmp	upx
behavioral1/memory/5068-1285-0x00007FFC613D0000-0x00007FFC613F3000-memory.dmp	upx
behavioral1/memory/5068-1286-0x00007FFC60820000-0x00007FFC60993000-memory.dmp	upx
behavioral1/memory/5068-1287-0x00007FFC607F0000-0x00007FFC6081E000-memory.dmp	upx
behavioral1/memory/5068-1289-0x00007FFC60730000-0x00007FFC607E8000-memory.dmp	upx
behavioral1/memory/5068-1288-0x00007FFC609A0000-0x00007FFC60F88000-memory.dmp	upx
behavioral1/memory/5068-1291-0x00007FFC61840000-0x00007FFC61864000-memory.dmp	upx
behavioral1/memory/5068-1290-0x00007FFC603B0000-0x00007FFC60725000-memory.dmp	upx
behavioral1/memory/5068-1293-0x00007FFC60390000-0x00007FFC603A5000-memory.dmp	upx
behavioral1/memory/5068-1292-0x00007FFC79010000-0x00007FFC7901F000-memory.dmp	upx
behavioral1/memory/5068-1294-0x00007FFC61450000-0x00007FFC61469000-memory.dmp	upx
behavioral1/memory/5068-1296-0x00007FFC60350000-0x00007FFC60364000-memory.dmp	upx
behavioral1/memory/5068-1295-0x00007FFC60370000-0x00007FFC60382000-memory.dmp	upx
behavioral1/memory/5068-1298-0x00007FFC60330000-0x00007FFC60344000-memory.dmp	upx
behavioral1/memory/5068-1297-0x00007FFC61430000-0x00007FFC61449000-memory.dmp	upx
behavioral1/memory/5068-1300-0x00007FFC60300000-0x00007FFC60322000-memory.dmp	upx
behavioral1/memory/5068-1299-0x00007FFC61400000-0x00007FFC6142D000-memory.dmp	upx
behavioral1/memory/5068-1302-0x00007FFC601E0000-0x00007FFC602FC000-memory.dmp	upx
behavioral1/memory/5068-1301-0x00007FFC613D0000-0x00007FFC613F3000-memory.dmp	upx
behavioral1/memory/5068-1304-0x00007FFC601C0000-0x00007FFC601DB000-memory.dmp	upx
behavioral1/memory/5068-1303-0x00007FFC60820000-0x00007FFC60993000-memory.dmp	upx
behavioral1/memory/5068-1306-0x00007FFC600F0000-0x00007FFC601BF000-memory.dmp	upx
behavioral1/memory/5068-1305-0x00007FFC607F0000-0x00007FFC6081E000-memory.dmp	upx
behavioral1/memory/5068-1307-0x00007FFC60730000-0x00007FFC607E8000-memory.dmp	upx
behavioral1/memory/5068-1308-0x00007FFC603B0000-0x00007FFC60725000-memory.dmp	upx
behavioral1/memory/5068-1311-0x00007FFC60080000-0x00007FFC600CD000-memory.dmp	upx
behavioral1/memory/5068-1313-0x00007FFC60020000-0x00007FFC60052000-memory.dmp	upx
behavioral1/memory/5068-1312-0x00007FFC60390000-0x00007FFC603A5000-memory.dmp	upx
behavioral1/memory/5068-1310-0x00007FFC60060000-0x00007FFC60071000-memory.dmp	upx
behavioral1/memory/5068-1309-0x00007FFC600D0000-0x00007FFC600E9000-memory.dmp	upx
behavioral1/memory/5068-1314-0x00007FFC74A50000-0x00007FFC74A5A000-memory.dmp	upx
behavioral1/memory/5068-1315-0x00007FFC60000000-0x00007FFC6001E000-memory.dmp	upx
behavioral1/memory/5068-1316-0x00007FFC5F800000-0x00007FFC5FFFB000-memory.dmp	upx
behavioral1/memory/5068-1327-0x00007FFC5F7C0000-0x00007FFC5F7F7000-memory.dmp	upx
behavioral1/memory/5068-1326-0x00007FFC60300000-0x00007FFC60322000-memory.dmp	upx
behavioral1/memory/5068-1338-0x00007FFC601C0000-0x00007FFC601DB000-memory.dmp	upx
behavioral1/memory/5068-1337-0x00007FFC601E0000-0x00007FFC602FC000-memory.dmp	upx
behavioral1/memory/4252-1428-0x00007FFC4D2E0000-0x00007FFC4D8C8000-memory.dmp	upx
behavioral1/memory/5068-1430-0x00007FFC600F0000-0x00007FFC601BF000-memory.dmp	upx
behavioral1/memory/4252-1432-0x00007FFC7CCB0000-0x00007FFC7CCBF000-memory.dmp	upx
behavioral1/memory/4252-1431-0x00007FFC78D10000-0x00007FFC78D34000-memory.dmp	upx
behavioral1/memory/5068-1436-0x00007FFC60020000-0x00007FFC60052000-memory.dmp	upx
behavioral1/memory/5068-1442-0x00007FFC5F800000-0x00007FFC5FFFB000-memory.dmp	upx
behavioral1/memory/4252-1441-0x00007FFC63E40000-0x00007FFC63FB3000-memory.dmp	upx
behavioral1/memory/4252-1440-0x00007FFC74B30000-0x00007FFC74B49000-memory.dmp	upx
behavioral1/memory/5068-1439-0x00007FFC74A50000-0x00007FFC74A5A000-memory.dmp	upx
behavioral1/memory/4252-1438-0x00007FFC74AD0000-0x00007FFC74AF3000-memory.dmp	upx
behavioral1/memory/4252-1437-0x00007FFC74B00000-0x00007FFC74B2D000-memory.dmp	upx
behavioral1/memory/4252-1435-0x00007FFC78CE0000-0x00007FFC78CED000-memory.dmp	upx
behavioral1/memory/4252-1434-0x00007FFC78CF0000-0x00007FFC78D09000-memory.dmp	upx
behavioral1/memory/5068-1433-0x00007FFC60080000-0x00007FFC600CD000-memory.dmp	upx
behavioral1/memory/4252-1444-0x00007FFC74AA0000-0x00007FFC74ACE000-memory.dmp	upx
behavioral1/memory/5068-1443-0x00007FFC60000000-0x00007FFC6001E000-memory.dmp	upx
behavioral1/memory/4252-1445-0x00007FFC4DB50000-0x00007FFC4DEC5000-memory.dmp	upx
behavioral1/memory/4252-1447-0x00007FFC64650000-0x00007FFC64708000-memory.dmp	upx

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3092_1367304608\LICENSE	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3092_1367304608\manifest.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3092_1367304608\sets.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3092_1367304608\_metadata\verified_contents.json	msedge.exe
File created	C:\Program Files\chrome_Unpacker_BeginUnzipping3092_1367304608\manifest.fingerprint	msedge.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4300	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x002e000000023fe5-1153.dat	pyinstaller

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1100	cmd.exe
1096	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
1348	NETSTAT.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
5328	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4340	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1348	NETSTAT.EXE
2976	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3688	systeminfo.exe

Kills process with taskkill 13 IoCs

defense_evasion

pid	Process
2436	taskkill.exe
5556	taskkill.exe
4340	taskkill.exe
1676	taskkill.exe
5672	taskkill.exe
1444	taskkill.exe
1712	taskkill.exe
3296	taskkill.exe
3176	taskkill.exe
6056	taskkill.exe
1036	taskkill.exe
5624	taskkill.exe
1776	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133871133584655822"	msedge.exe

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-308834014-1004923324-1191300197-1000\{B30A64E8-2C08-48D5-8A41-3843E1B0FB78}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4668	powershell.exe
4668	powershell.exe
4668	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	5152	7zG.exe
Token: 35	5152	7zG.exe
Token: SeSecurityPrivilege	5152	7zG.exe
Token: SeSecurityPrivilege	5152	7zG.exe
Token: SeIncreaseQuotaPrivilege	4340	WMIC.exe
Token: SeSecurityPrivilege	4340	WMIC.exe
Token: SeTakeOwnershipPrivilege	4340	WMIC.exe
Token: SeLoadDriverPrivilege	4340	WMIC.exe
Token: SeSystemProfilePrivilege	4340	WMIC.exe
Token: SeSystemtimePrivilege	4340	WMIC.exe
Token: SeProfSingleProcessPrivilege	4340	WMIC.exe
Token: SeIncBasePriorityPrivilege	4340	WMIC.exe
Token: SeCreatePagefilePrivilege	4340	WMIC.exe
Token: SeBackupPrivilege	4340	WMIC.exe
Token: SeRestorePrivilege	4340	WMIC.exe
Token: SeShutdownPrivilege	4340	WMIC.exe
Token: SeDebugPrivilege	4340	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4340	WMIC.exe
Token: SeRemoteShutdownPrivilege	4340	WMIC.exe
Token: SeUndockPrivilege	4340	WMIC.exe
Token: SeManageVolumePrivilege	4340	WMIC.exe
Token: 33	4340	WMIC.exe
Token: 34	4340	WMIC.exe
Token: 35	4340	WMIC.exe
Token: 36	4340	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5940	WMIC.exe
Token: SeSecurityPrivilege	5940	WMIC.exe
Token: SeTakeOwnershipPrivilege	5940	WMIC.exe
Token: SeLoadDriverPrivilege	5940	WMIC.exe
Token: SeSystemProfilePrivilege	5940	WMIC.exe
Token: SeSystemtimePrivilege	5940	WMIC.exe
Token: SeProfSingleProcessPrivilege	5940	WMIC.exe
Token: SeIncBasePriorityPrivilege	5940	WMIC.exe
Token: SeCreatePagefilePrivilege	5940	WMIC.exe
Token: SeBackupPrivilege	5940	WMIC.exe
Token: SeRestorePrivilege	5940	WMIC.exe
Token: SeShutdownPrivilege	5940	WMIC.exe
Token: SeDebugPrivilege	5940	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5940	WMIC.exe
Token: SeRemoteShutdownPrivilege	5940	WMIC.exe
Token: SeUndockPrivilege	5940	WMIC.exe
Token: SeManageVolumePrivilege	5940	WMIC.exe
Token: 33	5940	WMIC.exe
Token: 34	5940	WMIC.exe
Token: 35	5940	WMIC.exe
Token: 36	5940	WMIC.exe
Token: SeDebugPrivilege	4412	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4340	WMIC.exe
Token: SeSecurityPrivilege	4340	WMIC.exe
Token: SeTakeOwnershipPrivilege	4340	WMIC.exe
Token: SeLoadDriverPrivilege	4340	WMIC.exe
Token: SeSystemProfilePrivilege	4340	WMIC.exe
Token: SeSystemtimePrivilege	4340	WMIC.exe
Token: SeProfSingleProcessPrivilege	4340	WMIC.exe
Token: SeIncBasePriorityPrivilege	4340	WMIC.exe
Token: SeCreatePagefilePrivilege	4340	WMIC.exe
Token: SeBackupPrivilege	4340	WMIC.exe
Token: SeRestorePrivilege	4340	WMIC.exe
Token: SeShutdownPrivilege	4340	WMIC.exe
Token: SeDebugPrivilege	4340	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4340	WMIC.exe
Token: SeRemoteShutdownPrivilege	4340	WMIC.exe
Token: SeUndockPrivilege	4340	WMIC.exe
Token: SeManageVolumePrivilege	4340	WMIC.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
5152	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3092 wrote to memory of 4236	3092	msedge.exe	86
PID 3092 wrote to memory of 4236	3092	msedge.exe	86
PID 3092 wrote to memory of 2404	3092	msedge.exe	87
PID 3092 wrote to memory of 2404	3092	msedge.exe	87
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 212	3092	msedge.exe	88
PID 3092 wrote to memory of 3688	3092	msedge.exe	89
PID 3092 wrote to memory of 3688	3092	msedge.exe	89
PID 3092 wrote to memory of 3688	3092	msedge.exe	89
PID 3092 wrote to memory of 3688	3092	msedge.exe	89
PID 3092 wrote to memory of 3688	3092	msedge.exe	89
PID 3092 wrote to memory of 3688	3092	msedge.exe	89
PID 3092 wrote to memory of 3688	3092	msedge.exe	89
PID 3092 wrote to memory of 3688	3092	msedge.exe	89
PID 3092 wrote to memory of 3688	3092	msedge.exe	89

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4224	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/eko13375/FakeExodus/releases/tag/FakeExodus
1⤵
- Drops file in Program Files directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x264,0x7ffc7435f208,0x7ffc7435f214,0x7ffc7435f220
  2⤵
  PID:4236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1940,i,13041643439632145491,8038602925387279506,262144 --variations-seed-version --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  PID:2404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2208,i,13041643439632145491,8038602925387279506,262144 --variations-seed-version --mojo-platform-channel-handle=2204 /prefetch:2
  2⤵
  PID:212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=1932,i,13041643439632145491,8038602925387279506,262144 --variations-seed-version --mojo-platform-channel-handle=2548 /prefetch:8
  2⤵
  PID:3688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3460,i,13041643439632145491,8038602925387279506,262144 --variations-seed-version --mojo-platform-channel-handle=3496 /prefetch:1
  2⤵
  PID:5692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3476,i,13041643439632145491,8038602925387279506,262144 --variations-seed-version --mojo-platform-channel-handle=3500 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4744,i,13041643439632145491,8038602925387279506,262144 --variations-seed-version --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  PID:5872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4828,i,13041643439632145491,8038602925387279506,262144 --variations-seed-version --mojo-platform-channel-handle=5112 /prefetch:8
  2⤵
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5740,i,13041643439632145491,8038602925387279506,262144 --variations-seed-version --mojo-platform-channel-handle=5696 /prefetch:8
  2⤵
  PID:2572
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5740,i,13041643439632145491,8038602925387279506,262144 --variations-seed-version --mojo-platform-channel-handle=5696 /prefetch:8
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6036,i,13041643439632145491,8038602925387279506,262144 --variations-seed-version --mojo-platform-channel-handle=6040 /prefetch:8
  2⤵
  PID:5860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4276,i,13041643439632145491,8038602925387279506,262144 --variations-seed-version --mojo-platform-channel-handle=6056 /prefetch:8
  2⤵
  PID:5820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=6148,i,13041643439632145491,8038602925387279506,262144 --variations-seed-version --mojo-platform-channel-handle=5776 /prefetch:1
  2⤵
  PID:2568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --always-read-main-dll --field-trial-handle=6508,i,13041643439632145491,8038602925387279506,262144 --variations-seed-version --mojo-platform-channel-handle=6204 /prefetch:1
  2⤵
  PID:2300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --always-read-main-dll --field-trial-handle=3964,i,13041643439632145491,8038602925387279506,262144 --variations-seed-version --mojo-platform-channel-handle=6316 /prefetch:1
  2⤵
  PID:6060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --always-read-main-dll --field-trial-handle=6292,i,13041643439632145491,8038602925387279506,262144 --variations-seed-version --mojo-platform-channel-handle=6516 /prefetch:1
  2⤵
  PID:2452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --always-read-main-dll --field-trial-handle=6796,i,13041643439632145491,8038602925387279506,262144 --variations-seed-version --mojo-platform-channel-handle=6812 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6120,i,13041643439632145491,8038602925387279506,262144 --variations-seed-version --mojo-platform-channel-handle=6020 /prefetch:8
  2⤵
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6132,i,13041643439632145491,8038602925387279506,262144 --variations-seed-version --mojo-platform-channel-handle=6416 /prefetch:8
  2⤵
  PID:3584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6396,i,13041643439632145491,8038602925387279506,262144 --variations-seed-version --mojo-platform-channel-handle=6768 /prefetch:8
  2⤵
  PID:3296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --always-read-main-dll --field-trial-handle=6388,i,13041643439632145491,8038602925387279506,262144 --variations-seed-version --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:4232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5316,i,13041643439632145491,8038602925387279506,262144 --variations-seed-version --mojo-platform-channel-handle=6020 /prefetch:8
  2⤵
  PID:5136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --always-read-main-dll --field-trial-handle=5096,i,13041643439632145491,8038602925387279506,262144 --variations-seed-version --mojo-platform-channel-handle=6876 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6768,i,13041643439632145491,8038602925387279506,262144 --variations-seed-version --mojo-platform-channel-handle=3908 /prefetch:8
  2⤵
  PID:5556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5376,i,13041643439632145491,8038602925387279506,262144 --variations-seed-version --mojo-platform-channel-handle=6808 /prefetch:8
  2⤵
  PID:808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --always-read-main-dll --field-trial-handle=7352,i,13041643439632145491,8038602925387279506,262144 --variations-seed-version --mojo-platform-channel-handle=7364 /prefetch:1
  2⤵
  PID:5656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6592,i,13041643439632145491,8038602925387279506,262144 --variations-seed-version --mojo-platform-channel-handle=7248 /prefetch:8
  2⤵
  PID:336

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4544

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5392

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\fake-exodus-main\" -ad -an -ai#7zMap21675:94:7zEvent28368
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5152

C:\Users\Admin\Downloads\fake-exodus-main\fake-exodus-main\fake exodus.exe
"C:\Users\Admin\Downloads\fake-exodus-main\fake-exodus-main\fake exodus.exe"
1⤵
- Executes dropped EXE
PID:4472
- C:\Users\Admin\Downloads\fake-exodus-main\fake-exodus-main\fake exodus.exe
  "C:\Users\Admin\Downloads\fake-exodus-main\fake-exodus-main\fake exodus.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1524
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:4340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    PID:2292
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:2144
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    PID:6096
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      PID:4704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5496
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:6044
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:5284
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Views/modifies file attributes
      PID:4224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f"
    3⤵
    PID:4812
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f
      4⤵
      Adds Run key to start application
      PID:1516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    PID:2776
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:5880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:5188
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:3736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3092"
    3⤵
    PID:4932
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3092
      4⤵
      Kills process with taskkill
      PID:1776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4236"
    3⤵
    PID:5392
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4236
      4⤵
      Kills process with taskkill
      PID:5672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2404"
    3⤵
    PID:5724
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2404
      4⤵
      Kills process with taskkill
      PID:2436
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 212"
    3⤵
    PID:5712
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 212
      4⤵
      Kills process with taskkill
      PID:1444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3688"
    3⤵
    PID:528
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3688
      4⤵
      Kills process with taskkill
      PID:5556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5692"
    3⤵
    PID:3156
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5692
      4⤵
      Kills process with taskkill
      PID:4340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4776"
    3⤵
    PID:5740
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4776
      4⤵
      Kills process with taskkill
      PID:1712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5820"
    3⤵
    PID:5764
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5820
      4⤵
      Kills process with taskkill
      PID:3296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1892"
    3⤵
    PID:2572
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1892
      4⤵
      Kills process with taskkill
      PID:3176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5136"
    3⤵
    PID:208
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5136
      4⤵
      Kills process with taskkill
      PID:6056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1188"
    3⤵
    PID:1536
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1188
      4⤵
      Kills process with taskkill
      PID:1036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 808"
    3⤵
    PID:3696
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 808
      4⤵
      Kills process with taskkill
      PID:5624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5656"
    3⤵
    PID:2356
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5656
      4⤵
      Kills process with taskkill
      PID:1676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:1560
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:4296
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:4984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:2352
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:3108
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:3976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1556
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:6080
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:4668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1100
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    PID:5124
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3688
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:4304
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      PID:5328
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:3700
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:4008
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:4564
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:4860
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:632
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:2296
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:4876
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:4888
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:5588
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:4664
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:3692
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:1892
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:5160
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:1292
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:2976
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:5680
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:2320
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:1348
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:4300
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:5188
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4804

C:\Users\Admin\Downloads\fake-exodus-main\fake-exodus-main\fake exodus.exe
"C:\Users\Admin\Downloads\fake-exodus-main\fake-exodus-main\fake exodus.exe"
1⤵
- Executes dropped EXE
PID:4688
- C:\Users\Admin\Downloads\fake-exodus-main\fake-exodus-main\fake exodus.exe
  "C:\Users\Admin\Downloads\fake-exodus-main\fake-exodus-main\fake exodus.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:3556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\chrome_Unpacker_BeginUnzipping3092_1367304608\LICENSE

Filesize
1KB

MD5
ee002cb9e51bb8dfa89640a406a1090a

SHA1
49ee3ad535947d8821ffdeb67ffc9bc37d1ebbb2

SHA256
3dbd2c90050b652d63656481c3e5871c52261575292db77d4ea63419f187a55b

SHA512
d1fdcc436b8ca8c68d4dc7077f84f803a535bf2ce31d9eb5d0c466b62d6567b2c59974995060403ed757e92245db07e70c6bddbf1c3519fed300cc5b9bf9177c

Download Submit
C:\Program Files\chrome_Unpacker_BeginUnzipping3092_1367304608\manifest.json

Filesize
85B

MD5
c3419069a1c30140b77045aba38f12cf

SHA1
11920f0c1e55cadc7d2893d1eebb268b3459762a

SHA256
db9a702209807ba039871e542e8356219f342a8d9c9ca34bcd9a86727f4a3a0f

SHA512
c5e95a4e9f5919cb14f4127539c4353a55c5f68062bf6f95e1843b6690cebed3c93170badb2412b7fb9f109a620385b0ae74783227d6813f26ff8c29074758a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
01cc3a42395638ce669dd0d7aba1f929

SHA1
89aa0871fa8e25b55823dd0db9a028ef46dfbdd8

SHA256
d0c6ee43e769188d8a32f782b44cb00052099222be21cbe8bf119469c6612dee

SHA512
d3b88e797333416a4bc6c7f7e224ba68362706747e191a1cd8846a080329473b8f1bfebee5e3fe21faa4d24c8a7683041705e995777714330316e9b563d38e41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000078

Filesize
37KB

MD5
9a0f2fed78beabcb1af818103e79eb49

SHA1
e36dcc0472152bec227a1f5a81b5024ff3624452

SHA256
bc3ea6c39f4b013cb279391c0adbbd540219cae079703926d37a82dab9046450

SHA512
c4a96707d57cb474f45d669a52e31cc4f34e783b3600781c683c88d470cc6f6c3a5c5a399af33b8a193c57df87e797087fab9f6817048baec5a75e44ff835c6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000079

Filesize
38KB

MD5
b8103746b4757c6332fe545f11de8f70

SHA1
588965d6333eb015af39c7f44ce71dfac67fb0f7

SHA256
4177d563a186175d3a67091c399db6c57fc271e202406e244d4bc8ad95b1aebd

SHA512
c83bd52d674d90752dfffeb76971a4f9684054d6f02cfdbe8f336758ac46d8b430f306cc64be00112b8c38d191afd1b8395d58600b12cefcb6a052ab70214ebf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00007a

Filesize
21KB

MD5
eb5f2f8b27b3794eb0b9d7302f3ed208

SHA1
ceb14ae185daed71ebd356c06f067ee90ca75a3a

SHA256
16a56eb5759e2174470278fec544af28e58f93a2e895141c140eef9409efeb60

SHA512
4c1441f9bc16c6c03df5c727c75e238d41aa24127904f86d18eb755564765eed86674de1d6d19406c2f9085454bbaa26c9b65f31973a364906878a9fa4688eb8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00007b

Filesize
21KB

MD5
45871552253619d6f54089fd8353a0e5

SHA1
b6ff76fcb884d1e8218790a1be60d50b57917281

SHA256
99601398f0d87d23767f0d832e7230c8ce3f1cdd4e9b56e86a394cec2474e3b3

SHA512
5c3ce901310db91d31023923a75d4b98c7b4175d6e3ea6e0e77cb13ebb2335398eba3952b5e91b5247dd867ebf2bede6f1530e43375e4436db05a915466c3b90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00007d

Filesize
27KB

MD5
482e69a70bd0db3690f0422498dbfe51

SHA1
03d8c267e5f48ccc5f4e781e82c7e443e354794e

SHA256
e24cd258636323a750f60e58600f3cfda0f90cea73d9fd79294b5748b7d2ef6f

SHA512
862300384a8d6218654f7c231e9627b3ec3744817bcf4267008cad979d17f413ff06f5e7c84c822683c4a36676e92aa85bbb9d6216ae3f8187a5e2c710938de5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00007e

Filesize
18KB

MD5
89ee4d8818e8a732f16be7086b4bf894

SHA1
2cc00669ddc0f4e33c95a926089cea5c1f7b9371

SHA256
f6a0dfa58a63ca96a9c7e2e1244fcff6aea5d14348596d6b42cd750030481b82

SHA512
89cc7dfae78985f32e9c82521b46e6a66c22258ebe70063d05f5eb25f941b2fd52df6e1938b20fe6c2e166faa2306526fdf74b398b35483f87b556a052b34c5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_00007f

Filesize
16KB

MD5
db2656b672846f689c00438d029d58b6

SHA1
43b8d5085f31085a3a1e0c9d703861831dd507ce

SHA256
aa3f28db9caadce78e49e2aeb52fda016b254ed89b924cdb2d87c6d86c1be763

SHA512
4c57c347b10ea6b2ca1beb908afc122f304e50bd44a404f13c3082ba855796baef1a5eb69276d8744c1728578fa8b651815d7981fcec14a3c41c3ca58d2b24ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000080

Filesize
16KB

MD5
dde035d148d344c412bd7ba8016cf9c6

SHA1
fb923138d1cde1f7876d03ca9d30d1accbcf6f34

SHA256
bcff459088f46809fba3c1d46ee97b79675c44f589293d1d661192cf41c05da9

SHA512
87843b8eb37be13e746eb05583441cb4a6e16c3d199788c457672e29fdadc501fc25245095b73cf7712e611f5ff40b37e27fca5ec3fa9eb26d94c546af8b2bc0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000081

Filesize
60KB

MD5
65f600946dba43f86ffe8feab1e002bb

SHA1
80d0cfac13edd30144748be2b75102c8b102fd06

SHA256
9a67a73ccb3869bcac620962d6864982570b9681cd7b7bc6acaea5c6dd19c0bd

SHA512
4b93895237d33ab021bd480c71a0086ed416dbe24e3c4437fee13ae92a00c34491219537d888cbe49a36b151abb84055ad98409b0a6f63ca12ad73aca11b3d00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000082

Filesize
45KB

MD5
6c6d3ebcde7c772f7246a3ff86a068ce

SHA1
3ad3721a67ad5968d4b415602d8c0bdad49ff0a7

SHA256
fca0ec54b618c192a3ad712ef7d7eaf59baf614db1e86f21a83fee49531bbf09

SHA512
fb48201c78e30dc4165fe5b8b3ab4f002bc53b7ee1521e01e210b62cdd58b8347f222e37ef6127155752da47d65fdafd16ebb800d584444587afaa99d23bc3c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000083

Filesize
55KB

MD5
92e42e747b8ca4fc0482f2d337598e72

SHA1
671d883f0ea3ead2f8951dc915dacea6ec7b7feb

SHA256
18f8f1914e86317d047fd704432fa4d293c2e93aec821d54efdd9a0d8b639733

SHA512
d544fbc039213b3aa6ed40072ce7ccd6e84701dca7a5d0b74dc5a6bfb847063996dfea1915a089f2188f3f68b35b75d83d77856fa3a3b56b7fc661fc49126627

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000084

Filesize
88KB

MD5
2dfda5e914fd68531522fb7f4a9332a6

SHA1
48a850d0e9a3822a980155595e5aa548246d0776

SHA256
6abad504ab74e0a9a7a6f5b17cadc7dea2188570466793833310807fd052b09c

SHA512
d41b94218215cec61120cc474d3bc99f9473ab716aadf9cdcbcabf16e742a3e2683dc64023ba4fd8d0ff06a221147b6014f35e0be421231dffb1cc64ac1755e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000085

Filesize
110KB

MD5
212fb70cc1811eed57c5aaf5bc070dcf

SHA1
94ec17177f218c87d58828020705ba19a054b364

SHA256
f570fc5a000981d30666094c0820795186217dc40768d082e38b47c556fb4b4e

SHA512
69b4257439e14d4fa0ce55c70deb8f21e5ffd259f149b3a31c7feb284d7e28305cca0fd54faca0b5bea451abc6c0fb6c1a1b9471ef8cfc267605781d9745c0eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\Cache_Data\f_000086

Filesize
16KB

MD5
dc491f2e34e1eb5974c0781d49b8cbaf

SHA1
b73ca9b5f9c627d49da4ecbc3455192e4b305a3f

SHA256
f956049f0d96d455a71003eba400cb94f7067bc52620cd05b81006ecfdd438d8

SHA512
5c9bd0d5c93a05ca76eb727328a0fde40f2be7fe53b6b6c9eb260e8f20f92cfc831fd4b46f954d85baf151ae8aba1cdd6f76b0faf96217922cad844c905f3645

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
9a4ed1db7b0986e3b86eef7159aae7df

SHA1
10f38f94cad16956cc588459c354d356b1a09459

SHA256
305f189e347a84878839c5d6e8eb2772dd03facacc52ec1423641c1d1c1fc78a

SHA512
6e2e8fedc167efc029ba6f60ce91a415f07c179a97a15c80b6b623a50167698702c28ebca15f4c22941fb12ea7fb4b79cf89866b7aeca725b67cf56d011fb83b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
87055863d917edfbfd061774ca308226

SHA1
074d5885e8dc3f3ae5700c804b2c43ebee85bac8

SHA256
6da03198fb7526d0c1a08f32078fddd3d09a2cbec47ab8874f708eb624913258

SHA512
44833372dc328623c58d18fd4942d535d6f4f39e497c844540933719d50cb145ce6422f5d8154cffb4a2636706056b5368e191409c29717cf48ba141c2e213a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
7KB

MD5
c371d37c764d54cf935d5e44ab657b69

SHA1
c7b8299811b93038efced96cb7e661297a25d220

SHA256
78648d78d42ec8ae3084356c361d316b6c52ade42d6aca144a8e38b58d98657f

SHA512
bf7975db7a95dd0b5098c39b43141de4a4c54029e016c626fe9481c2a6b9e28db9a7f04adb97973b034ce07043890b8f0e3d2d1e309305d65a64c8c71b5d37d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
be91318f15f0ae171a609fe057db3c9d

SHA1
2124e18e117afd9d26849cf4c7fbcae5ddecb6ab

SHA256
e52b7dd3ad42394c998d9930d09425249bb5b4a9dfbc4cc24dd3d35d61f3e17a

SHA512
05fe44e34280e4f79283d9e647e7cd27217681bbbfe30bb2ffe49e757a832a3492120fd7ccc4f5102621afd885b22b3ee7a1fb30a4eaf957b038c78b5cc9a6ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
211B

MD5
c2dcd5adadaffca84dcfb7240169e395

SHA1
a400560837cc11e3138ed9d3f3a7ae99eb02c59a

SHA256
e6723989bcd5954b90d73a06b01878dd0e5bf40566a52e164bf9a96b970bfe03

SHA512
18064dadfd680311c930b27b6295327bfcc455b50bf293d98516e27b7157c77e8d3476b984fd0f181fa8df2d78b6b48aeedc9a3e3b1425c91c50ce287c0dcf3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
17KB

MD5
2fa6eadf3671c4436fec887ffd0a83ef

SHA1
072558c77af42c594760eee9b5f168410422e639

SHA256
d96ff85b0c21913d2b19cf734667d495d24b4dbbddca38457c1eab02cecff1c6

SHA512
d4c204efcc740ee595fad8a5bbcf78fe16200ae62e9f0ba73374932fdac353b82ef9ef87b1b1b7590cc9a146ba032b0f594db674fe1daac9c510525346d8bb61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
dbc0f708bf583d8ad59a778e507426f5

SHA1
12bebeecdd135d98db8dc3c892ed0a3a1be02dcc

SHA256
6fbd1fa7c8851abe2e15591f63142dad5a42321c179ac1ed0394cfd82be4c237

SHA512
0c46484b442e75deadbf8d0ac33bf563685b34829533458ed3c5bd3d82bdbd8508a0f5e2852b5e674e556f553165459fcf056cf3b816a8852180744d08b5696e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
4e4d5398730b49cdbf2e80d620b08fb9

SHA1
08e5aee7a9f3e85563859177b74c7f77e8981ab4

SHA256
5cb3fc74139c00e7b1f07497c0e8fcc2e3a135c4d7284f65cdec4260f90dea36

SHA512
a53554ece55676e5b752c7b23be2987c92071a43a94ef2cba65dc4db957bd040b75500811958f3e34523ab3718aaf6d175d717dcb8e76aa91092b70b085c0a4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
904B

MD5
0fc6baa7361dcaefb2efc0947a7a199a

SHA1
dba12206f28551f5062a4985931337679c53e980

SHA256
6f8d0abab915a514e98004f8f7f0780498ddffa4a5de386f47b2e2fda5171996

SHA512
181110b35429ac5a2281dd0dd4d54657ea1a00d971ec6f43f0d7c7bfa5f880db098854efef8b30ff6b3956627bf24899b95e8af281e5fb7b5393e5ad0b692fbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
469B

MD5
cf0304ed41213af80c915ca541fa6bb0

SHA1
4fa377e1db9f8666c6595ab5e6335ca505a6d3c4

SHA256
54f7299a6c26344101c71923b0763e4fe9bc57dc07ebaf7572aea2fbffb6c808

SHA512
79df525d02b2c60c6711666bc55a80518ec9a9466f9131de05873aa742e7473c3b61f19613a903b0be99480542a94d9b60a94a9f0d26439fefd2adce9ac32ace

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
22KB

MD5
6198c8df4db11fc5a90275c1ee271728

SHA1
78068728f1125832eb428be72ccdaa1ce654174b

SHA256
b16f80470cfbe412398591c55c9c46d89afe2fde2cfb5478b4766e7717be9d8f

SHA512
96e89a01e7445790864c761b489bf664328aa9468a64ee189d524ee264834aa6e906daef6cb4b3f82911a6b396213777946909a147b24d230dec6903c5744cd7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
2ce5a78e01a63f914a685ed8dc343453

SHA1
0547d647bf752e5d1027257674dc002e4eb1cf39

SHA256
b785973a01995844a1989dff203a89cce27c011f006f55d8ed7efaa10bd73694

SHA512
567e0d9bb7be71f1133a5d044ac81088f8a55ad00389b65f41eb98a3aa49b5599a4cb6dd9ea15e1d84bc2e6672f2f46823f428af8c4fdac44a83ec4cadd5f422

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
440638e87a8ea96aefd6bdb0969aadb0

SHA1
c8d9fc788fcf8184b9b4334b03df8da6dfd33c39

SHA256
efd1d865222fe512cf9a5faf25b0a3259cec94fc5d69fff63b1b5495dedc1949

SHA512
7981c2527e97fe60fffdd508f09ac3edd86cf9360b68458f7d59cbcc94142f78fb28f2bf45fbcd6d8e6f27e38ea66d820d3db57648bd6003bae6bdb2e5fe85a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
55KB

MD5
be42b971824b242557a70de03a12948a

SHA1
afdb29cffc196312db5022023949622640a3845a

SHA256
0e1d4c44333d3aee331a88d60b6550cdf094472132a832a0dce279e7e2f50940

SHA512
bc990e0f4a7501f8ccd399889e77d6f41fcfc5176f28544652e7622d2ea07c424421564384cebeaddaf064d443acc44e57210135fa02324454a72a085fc9edb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter

Filesize
392B

MD5
fe0df4a365e160ed1cc6ddf6157f1a9f

SHA1
a7993d68fec175f6b72e01c7c92e1b4bdc0b12ba

SHA256
c1dc9e69e8ad6b9b6a407549930f3ad1cbe58a7e3143b7ca4df75ae9bdebb72b

SHA512
fecd544bf8b11cfe1321e09c01e3287c38ee6a37e3aa24fd35c8fbdec90658917f7c3e046a7bcfaa147338b0fd0fd9fa73a2003c3cceddd7a3b6a8b70aadc18b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\RevisitationBloomfilter~RFe57f4ef.TMP

Filesize
392B

MD5
4fdc3041c5cc87b13ea0d1addcf0682e

SHA1
74d86ba4632b72783b8a9430f600c763e5f99a09

SHA256
24ee63842a4ed0e070a9262d1911594b0ceb0193e19c03fe06ba7fc5c020c3f4

SHA512
c9032d6b3ef5c3a9994bd2a9189516c8fcdf49bbe75590e6f4578c4f6124d74ef237bc6b03f1d05a4edd4b741bf562702213a1be71b55a4b84762b0c2a4e1e3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
7154234ed53cd66551008f767d897761

SHA1
29624caabacef7d26b6b37679383ceac70619d16

SHA256
e079a468c5ce9929a7e4df71208ba2843b263896654db2b8fee5db1cbc68897b

SHA512
db8659d4ec46c5bd27c0c7fe5d2a1eeab823708c310dcfa92c204dbbeea1afecd00280e741f244d10a08c147d202abd88707e4cddf74418e1dda8a44d8db0fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44722\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44722\_ctypes.pyd

Filesize
57KB

MD5
b4c41a4a46e1d08206c109ce547480c7

SHA1
9588387007a49ec2304160f27376aedca5bc854d

SHA256
9925ab71a4d74ce0ccc036034d422782395dd496472bd2d7b6d617f4d6ddc1f9

SHA512
30debb8e766b430a57f3f6649eeb04eb0aad75ab50423252585db7e28a974d629eb81844a05f5cb94c1702308d3feda7a7a99cb37458e2acb8e87efc486a1d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44722\api-ms-win-core-console-l1-1-0.dll

Filesize
21KB

MD5
9313c86e7bae859f0174a1c8b6aba58b

SHA1
dce67fd1da5da8dc4ba406c544e55a83d6536cc9

SHA256
af9675ac90bae8a0d8623f6fdaff9d39e1b8810e8e46a5b044baaa3396e745b3

SHA512
2ec64fce4a86bc52dc6c485fd94d203020617df92698ca91ae25c4901984899e21c7dd92881ec52d6850edfa547701aab9b0cd1b8d076e6779b1a13324cdd3a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44722\api-ms-win-core-datetime-l1-1-0.dll

Filesize
21KB

MD5
854458ad55c39a9dfd1e350a51be02b8

SHA1
5013cf58de5a0b55e026ace967e9842b3b131c2a

SHA256
f918b0c45f59b2cb29f1eb3653d2f2679095e85e082a1198c933a76edf1f33ef

SHA512
faa41a5031033f7e86efebc47777f915e95617f4b05d93833066c206d9c092855d8072c7bd142898f5a2bd1f94b646d98933302ddeb5a9ca0d5930c7b2241b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44722\api-ms-win-core-debug-l1-1-0.dll

Filesize
21KB

MD5
7ad2034acd0f296fe9eed320e5ad7591

SHA1
fe1b217e3f4567905968f7a3d48a7611e3cf3f7b

SHA256
0d859a866d1bcefe1a1bc5adb88dcf2765567ecc31dfb4e472b512d033d88bb4

SHA512
06d017b0ef9d081bc627f7f33d51ef2fe64e2cc5023204771032c4ed7bf26c0c6106b69d78f7bdd880fa59e8e4048b2da8848784bc92d7780155df140c952420

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44722\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
21KB

MD5
12ea48ce605ebb204a21ae7d86db3417

SHA1
5fb0ff9ba4105cd76ee4470ae4cad0a39ae68c66

SHA256
189bbbd739526a986e53518865e741cde8c5967aacd5ed687408cec3d8781f1c

SHA512
39b486fb72c9dff4e391673a872e957dbf0545d4d26914d0b0a475624e40b4feec3a9a17549e87ba806b1a90bf6f7784a187c506daa1db5201561cef90ff6e81

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44722\api-ms-win-core-fibers-l1-1-0.dll

Filesize
21KB

MD5
201ff3cd2ffe7d222f46574d4ac40a70

SHA1
b43f19bbb8fd1c8aa05ba67dea38a7785dbe57b6

SHA256
b83a71978215fdba477c4ea61340168947a1021324d118e6b7159054985f2d1a

SHA512
3f99d7b501c1db470a6d91af856ebbede05522acb5763d928f4fb28c74db2339b46df108745ed8ebd8c6c1298d9495358c245d188f055638b0d6dd568fa596d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44722\api-ms-win-core-file-l1-1-0.dll

Filesize
25KB

MD5
4b328f140a3ae7fedb21ca50cc23d938

SHA1
9e71b4c2cf030a644d2050188c4b77e638c0ee14

SHA256
e55b200643e8b078e7f5eb0c97de44fead21b11d06590ebedbcb84214d063345

SHA512
4c349f45ca4db4f1247aa405e5627f22b7ccfe66234d8d970475e71471ebb251f7a0f781a33d0e4ec893f86653b0a1c8508adf576e923d0ce86b43f552204614

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44722\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
4a060eec454c222a5381cd359dc00b81

SHA1
21e1bc115d04a74779e955ea16a16bd71454d9bb

SHA256
e6b2b05e14a6c6f5381e8f4c7f4fd28a499246fb4c8eafe1f08014b9273d70df

SHA512
16fb1f4ccdad05d07feb62e0cd078401f4023f9fab0fb15e52b927ca413e65eb32c2932ba59dbfa7f7ee0e8a8053748e27f2757e82e600db812271aa44a9433c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44722\api-ms-win-core-file-l2-1-0.dll

Filesize
20KB

MD5
50abf0a7ee67f00f247bada185a7661c

SHA1
0cddac9ac4db3bf10a11d4b79085ef9cb3fb84a1

SHA256
f957a4c261506484b53534a9be8931c02ec1a349b3f431a858f8215cecfec3f7

SHA512
c2694bb5d103baff1264926a04d2f0fe156b8815a23c3748412a81cc307b71a9236a0e974b5549321014065e393d10228a0f0004df9ba677f03b5d244a64b528

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44722\api-ms-win-core-handle-l1-1-0.dll

Filesize
21KB

MD5
4166d703abc9c6de65d5b269d3a5425e

SHA1
16bcd7191312b94bdf38368d188e5a5cc479a36c

SHA256
0a351c2a2889a42886017e7dbcf75f45e3cb24d2f55e72205624272487e4a056

SHA512
f722dba410cab727c753e9cce0bc47663e22f45828f5df0bac5bd6331497a2f15f6d9330b5203d3ff735f1ce6397e63c1b21d3ea6c5ceab817b5f83ec296882b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44722\api-ms-win-core-heap-l1-1-0.dll

Filesize
21KB

MD5
993b5bc35dac959bed58b77fe42ac77a

SHA1
2abad159cbab86ff423d6446143427daab751366

SHA256
b998ff8d173c34505e1d5984134282866de910b09919cf9a322fce760b75c80b

SHA512
ca19e949dcc8460af53c9dad17995a0cbffd971bb731b7fcb53bb9384d227357926231c9fadfaa5aef09055bebae9d5c23ee73eb6eca04d6a52a3df0847e10ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44722\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
21KB

MD5
0b65672b91c6a12d769dd777f810b149

SHA1
2d527b45dcbe653a91e10365891c7e589f5e51e0

SHA256
c09eb307b2eb747b73c516267a99a23bb73204452326d41bdeb6f43598f6d62e

SHA512
f090bb0b8f3616cf2d77ff25523bc823918e1452f626a1298c95003def1867c785566a4e85ccd7f5a20f14631caec5dd392777db2d00368c3fdf3597e0f51788

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44722\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
21KB

MD5
259b4186004bb41e706dd781e29f5c5b

SHA1
85751d31fe233ed51c46466f214f497d01be8d87

SHA256
b3ba83880986f2522d05a88c52fe69eda9c9fadbc5192a063e36bba777cc877f

SHA512
f8a06252e96f40965668c978c4808305d424de698f47f420643d713751926636f2049dd34c8156ba5bbbf5a5b2f4d5c19a978cf27d3aaebd728d7a3de8f0afa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44722\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
4c26932f8f1f490017add31f5ec0a533

SHA1
0da01a7c89b506fe3fd939344bb51b976efb3207

SHA256
dd3843c2e46b4e926c36150d614efe02ca0ebc1f767f64f471568adc35c2ef23

SHA512
eb2b87d187991fdc8e3a6577f20622d2d4a2a994dd375d8c27e1434ce786596533eacfbde8714db9959d88d6bcb91fdc8079c60c23f0eb920ba45c546a44e523

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44722\api-ms-win-core-memory-l1-1-0.dll

Filesize
21KB

MD5
41e0b7cb0eecba317cf321b1ada084d7

SHA1
4ce1f13188fc00eb29c726717eae489c524c1c8a

SHA256
db978830b1fbcc0521582a6a79864b0fd83179248fa374926c8097bc02cd6383

SHA512
f0961cde8dc83b845b2b91e42436ed8b42d2fb19caaabf49b300fa9cbbae9fab84009b4714c3899ab4a703315a135a61e508db29239d823a1cc11462ce6ffab7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44722\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
21KB

MD5
7e751952f122f4e8be1317087dc9dc71

SHA1
f65884c8cfbb8ad565b3df3a51af11b1617c7092

SHA256
d078a9a9958a7c816dea989bef24f32befc6651aea5e07f97a7b5d50df73f799

SHA512
960922ac1309bdcf42d6900a0bea30d4096d1411ec6a97f328520d4a59f71fc04e6f4a7b8d2b346012530329f76897607369c8e1ed1fe9c589d7f7682987c043

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44722\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
21KB

MD5
6d0762a2ba4263d0901ca7aaa0725c0c

SHA1
e36d2d049116bd2d84121cdfa179098ac03650b4

SHA256
2ee9434cc5f40f4514c7284e14b90db5c7a33000afda834d7c1dc063baa3d805

SHA512
94616b2bfc0497ca2dbbc23c1aa4ecb04113a53d75fa570f6bb5e2561e5cdb940792e2cb290562133d226400c78d91377fdd312ba2858679084c66ff1ae9031d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44722\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
21KB

MD5
abaabc1df36c7a0674f20fb83247fd71

SHA1
345db0ffea0cb2531b79d464ad69347ac71ee2b9

SHA256
ba55f8481d8a9d225b8c430eb010f675250c5afa64d9eeb15ff31dc159a19f5a

SHA512
7c01b8f46e9fbe08784066a9df03723b3485fa714f22f4ab7e1cbe719b0a91ab1a5d597ef9d567836375de929ea9397ce0685f00b908f3d0aa4d0288eb59f7ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44722\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
a6776c201baae1dd6f88048d7747d14c

SHA1
646119d2e440e6dad0ffb0fe449ab4fc27f09fbe

SHA256
ee99af71c347ff53c4e15109cb597759e657a3e859d9530680eeea8bb0540112

SHA512
a9137af8529fd96dbba22c5179a16d112ec0bfab9792babe0a9f1cca27408eff73ba89f498cb5f941a5aa44555529ee10484e6ca4a3fbf1627523acfde622b45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44722\api-ms-win-core-profile-l1-1-0.dll

Filesize
21KB

MD5
fb731a1f96c9e34347cba5bb18e54581

SHA1
88a62edfbbd806b1043b4a1266c4708e1d47be1d

SHA256
c4c1d381f419731c848e4a20aef02a4436758935c9a274896228b9451956cc8e

SHA512
be6c94d6015edae41fa0d6464c7dc5976adbc3617e02b293b9a39e645ec173071f1f282959ddf264a133ce3b3bb9c434eb2e65fc607136f11d8eb07538168ffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44722\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
21KB

MD5
8aad6a3a2fe9052ef218d5c8ce1995e1

SHA1
33748750e57cdc165fcdd186ae53003649607221

SHA256
e44d56d10ee14d4c4767a25839c2ef6826adbea3e15c2705b1d79676a63905b4

SHA512
841c70c63b243dea68c2ac9cd886731b6171dcf76a60932191fb29402585d6bbfcc98d11868fc6032f08c29d8e0040a2b896c32c2fb4697bd54dea2a52589ae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44722\api-ms-win-core-string-l1-1-0.dll

Filesize
21KB

MD5
2ebacbbda70b888b1bcc5e816d14f3a2

SHA1
ebf1763b0cee267040312deccb3dad61af1b9cf4

SHA256
96b11fa8aca734f4b1ddee377c84427d384f8e06affd99c63128797289fc9304

SHA512
af15fc2b1ff31a3550ae4e9ae45f7bbe728d839b288d6dc5f04859e27463ed946d5b2619736223ae401cee504e683b9fe9dffb65754280644dda91527eb46c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44722\api-ms-win-core-synch-l1-1-0.dll

Filesize
21KB

MD5
87c57eddf837c1e7aaaddb451d3d981e

SHA1
5287af84ca9cdfa928355c3c899a43051169a2fd

SHA256
e65305c73e3540491a0c62103764d50d827a13d749f76cb2af593a800c93cf44

SHA512
0900608072d807082087275bd71061f7118534ea20d4cbd9b0e8190f500cd57feabe0bf7f9fac6438a7c4655ac405dd4ec17fd5f1a48b4f5dc70eb25e6f0e8ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44722\base_library.zip

Filesize
1.4MB

MD5
2a138e2ee499d3ba2fc4afaef93b7caa

SHA1
508c733341845e94fce7c24b901fc683108df2a8

SHA256
130e506ead01b91b60d6d56072c468aeb5457dd0f2ecd6ce17dfcbb7d51a1f8c

SHA512
1f61a0fda5676e8ed8d10dfee78267f6d785f9c131f5caf2dd984e18ca9e5866b7658ab7edb2ffd74920a40ffea5cd55c0419f5e9ee57a043105e729e10d820b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44722\libffi-8.dll

Filesize
24KB

MD5
decbba3add4c2246928ab385fb16a21e

SHA1
5f019eff11de3122ffa67a06d52d446a3448b75e

SHA256
4b43c1e42f6050ddb8e184c8ec4fb1de4a6001e068ece8e6ad47de0cc9fd4a2d

SHA512
760a42a3eb3ca13fa7b95d3bd0f411c270594ae3cf1d3cda349fa4f8b06ebe548b60cd438d68e2da37de0bc6f1c711823f5e917da02ed7047a45779ee08d7012

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44722\python3.DLL

Filesize
64KB

MD5
34e49bb1dfddf6037f0001d9aefe7d61

SHA1
a25a39dca11cdc195c9ecd49e95657a3e4fe3215

SHA256
4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281

SHA512
edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44722\python311.dll

Filesize
1.6MB

MD5
db09c9bbec6134db1766d369c339a0a1

SHA1
c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b

SHA256
b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79

SHA512
653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44722\ucrtbase.dll

Filesize
1.1MB

MD5
3b337c2d41069b0a1e43e30f891c3813

SHA1
ebee2827b5cb153cbbb51c9718da1549fa80fc5c

SHA256
c04daeba7e7c4b711d33993ab4c51a2e087f98f4211aea0dcb3a216656ba0ab7

SHA512
fdb3012a71221447b35757ed2bdca6ed1f8833b2f81d03aabebd2cd7780a33a9c3d816535d03c5c3edd5aaf11d91156842b380e2a63135e3c7f87193ad211499

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ovzeykam.mer.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\fake-exodus-main.zip.crdownload

Filesize
11.7MB

MD5
0d061ca2aab76f99800be7f3552d04ed

SHA1
1f44213ba00504d3597e5ce6afa6895d9d95743a

SHA256
99922da10c17da44829641649efbd823753c0fa4f4686e90d229784eaf135446

SHA512
f876dfc76e97bcf5f82310da67846b49abc981113eceec9fd95765e2330f1213c3f33aeadb26b2fbe0ae6950adbc32cd276c290bed9337b202c4cca6dee83743

Download Submit
C:\Users\Admin\Downloads\fake-exodus-main\fake-exodus-main\fake exodus.exe

Filesize
11.9MB

MD5
ce41931fce1b250d9a9a15f7be90b848

SHA1
98afa8976d8474f9453c4a92bc79e6ca463dcd91

SHA256
e134866a3a8e23179c39872478c00ad59803ee36ae399f11a54f0f2c4021d2ba

SHA512
c85698af10ec6898244ee892bc19b516b9d9d6838d6ce4d2f89a3716db1feb7001754e5852fd134a966e36e38209d38577b021ea42eb8b45a54df76ae1e4a884

Download Submit
memory/4252-1503-0x00007FFC7CCB0000-0x00007FFC7CCBF000-memory.dmp

Filesize
60KB

Download
memory/4252-1466-0x00007FFC63C00000-0x00007FFC63C4D000-memory.dmp

Filesize
308KB

Download
memory/4252-1482-0x00007FFC74AD0000-0x00007FFC74AF3000-memory.dmp

Filesize
140KB

Download
memory/4252-1483-0x00007FFC63E40000-0x00007FFC63FB3000-memory.dmp

Filesize
1.4MB

Download
memory/4252-1484-0x00007FFC74AA0000-0x00007FFC74ACE000-memory.dmp

Filesize
184KB

Download
memory/4252-1487-0x00007FFC74A20000-0x00007FFC74A35000-memory.dmp

Filesize
84KB

Download
memory/4252-1488-0x00007FFC74A00000-0x00007FFC74A12000-memory.dmp

Filesize
72KB

Download
memory/4252-1490-0x00007FFC743E0000-0x00007FFC743F4000-memory.dmp

Filesize
80KB

Download
memory/4252-1491-0x00007FFC739A0000-0x00007FFC739C2000-memory.dmp

Filesize
136KB

Download
memory/4252-1493-0x00007FFC6B7C0000-0x00007FFC6B7DB000-memory.dmp

Filesize
108KB

Download
memory/4252-1494-0x00007FFC63C50000-0x00007FFC63D1F000-memory.dmp

Filesize
828KB

Download
memory/4252-1495-0x00007FFC6B7A0000-0x00007FFC6B7B9000-memory.dmp

Filesize
100KB

Download
memory/4252-1496-0x00007FFC63C00000-0x00007FFC63C4D000-memory.dmp

Filesize
308KB

Download
memory/4252-1497-0x00007FFC6B780000-0x00007FFC6B791000-memory.dmp

Filesize
68KB

Download
memory/4252-1498-0x00007FFC63BC0000-0x00007FFC63BF2000-memory.dmp

Filesize
200KB

Download
memory/4252-1499-0x00007FFC74A90000-0x00007FFC74A9A000-memory.dmp

Filesize
40KB

Download
memory/4252-1500-0x00007FFC63BA0000-0x00007FFC63BBE000-memory.dmp

Filesize
120KB

Download
memory/4252-1502-0x00007FFC5F780000-0x00007FFC5F7B7000-memory.dmp

Filesize
220KB

Download
memory/4252-1452-0x00007FFC745F0000-0x00007FFC74604000-memory.dmp

Filesize
80KB

Download
memory/4252-1504-0x00007FFC745F0000-0x00007FFC74604000-memory.dmp

Filesize
80KB

Download
memory/4252-1505-0x00007FFC78D10000-0x00007FFC78D34000-memory.dmp

Filesize
144KB

Download
memory/4252-1506-0x00007FFC74B30000-0x00007FFC74B49000-memory.dmp

Filesize
100KB

Download
memory/4252-1507-0x00007FFC78CF0000-0x00007FFC78D09000-memory.dmp

Filesize
100KB

Download
memory/4252-1508-0x00007FFC78CE0000-0x00007FFC78CED000-memory.dmp

Filesize
52KB

Download
memory/4252-1492-0x00007FFC63D20000-0x00007FFC63E3C000-memory.dmp

Filesize
1.1MB

Download
memory/4252-1501-0x00007FFC4B910000-0x00007FFC4C10B000-memory.dmp

Filesize
8.0MB

Download
memory/4252-1485-0x00007FFC4DB50000-0x00007FFC4DEC5000-memory.dmp

Filesize
3.5MB

Download
memory/4252-1486-0x00007FFC64650000-0x00007FFC64708000-memory.dmp

Filesize
736KB

Download
memory/4252-1475-0x00007FFC4D2E0000-0x00007FFC4D8C8000-memory.dmp

Filesize
5.9MB

Download
memory/4252-1474-0x00007FFC5F780000-0x00007FFC5F7B7000-memory.dmp

Filesize
220KB

Download
memory/4252-1464-0x00007FFC4DB50000-0x00007FFC4DEC5000-memory.dmp

Filesize
3.5MB

Download
memory/4252-1465-0x00007FFC6B7A0000-0x00007FFC6B7B9000-memory.dmp

Filesize
100KB

Download
memory/4252-1472-0x00007FFC4B910000-0x00007FFC4C10B000-memory.dmp

Filesize
8.0MB

Download
memory/4252-1481-0x00007FFC74B00000-0x00007FFC74B2D000-memory.dmp

Filesize
180KB

Download
memory/4252-1467-0x00007FFC63BC0000-0x00007FFC63BF2000-memory.dmp

Filesize
200KB

Download
memory/4252-1469-0x00007FFC64650000-0x00007FFC64708000-memory.dmp

Filesize
736KB

Download
memory/4252-1471-0x00007FFC63BA0000-0x00007FFC63BBE000-memory.dmp

Filesize
120KB

Download
memory/4252-1454-0x00007FFC739A0000-0x00007FFC739C2000-memory.dmp

Filesize
136KB

Download
memory/4252-1470-0x00007FFC74A90000-0x00007FFC74A9A000-memory.dmp

Filesize
40KB

Download
memory/4252-1468-0x00007FFC6B780000-0x00007FFC6B791000-memory.dmp

Filesize
68KB

Download
memory/4252-1462-0x00007FFC63C50000-0x00007FFC63D1F000-memory.dmp

Filesize
828KB

Download
memory/4252-1463-0x00007FFC74AA0000-0x00007FFC74ACE000-memory.dmp

Filesize
184KB

Download
memory/4252-1428-0x00007FFC4D2E0000-0x00007FFC4D8C8000-memory.dmp

Filesize
5.9MB

Download
memory/4252-1461-0x00007FFC63E40000-0x00007FFC63FB3000-memory.dmp

Filesize
1.4MB

Download
memory/4252-1432-0x00007FFC7CCB0000-0x00007FFC7CCBF000-memory.dmp

Filesize
60KB

Download
memory/4252-1431-0x00007FFC78D10000-0x00007FFC78D34000-memory.dmp

Filesize
144KB

Download
memory/4252-1457-0x00007FFC74AD0000-0x00007FFC74AF3000-memory.dmp

Filesize
140KB

Download
memory/4252-1458-0x00007FFC6B7C0000-0x00007FFC6B7DB000-memory.dmp

Filesize
108KB

Download
memory/4252-1441-0x00007FFC63E40000-0x00007FFC63FB3000-memory.dmp

Filesize
1.4MB

Download
memory/4252-1440-0x00007FFC74B30000-0x00007FFC74B49000-memory.dmp

Filesize
100KB

Download
memory/4252-1456-0x00007FFC63D20000-0x00007FFC63E3C000-memory.dmp

Filesize
1.1MB

Download
memory/4252-1438-0x00007FFC74AD0000-0x00007FFC74AF3000-memory.dmp

Filesize
140KB

Download
memory/4252-1437-0x00007FFC74B00000-0x00007FFC74B2D000-memory.dmp

Filesize
180KB

Download
memory/4252-1435-0x00007FFC78CE0000-0x00007FFC78CED000-memory.dmp

Filesize
52KB

Download
memory/4252-1434-0x00007FFC78CF0000-0x00007FFC78D09000-memory.dmp

Filesize
100KB

Download
memory/4252-1455-0x00007FFC78CF0000-0x00007FFC78D09000-memory.dmp

Filesize
100KB

Download
memory/4252-1444-0x00007FFC74AA0000-0x00007FFC74ACE000-memory.dmp

Filesize
184KB

Download
memory/4252-1450-0x00007FFC4D2E0000-0x00007FFC4D8C8000-memory.dmp

Filesize
5.9MB

Download
memory/4252-1445-0x00007FFC4DB50000-0x00007FFC4DEC5000-memory.dmp

Filesize
3.5MB

Download
memory/4252-1447-0x00007FFC64650000-0x00007FFC64708000-memory.dmp

Filesize
736KB

Download
memory/4252-1451-0x00007FFC743E0000-0x00007FFC743F4000-memory.dmp

Filesize
80KB

Download
memory/4252-1449-0x00007FFC74A00000-0x00007FFC74A12000-memory.dmp

Filesize
72KB

Download
memory/4252-1448-0x00007FFC74A20000-0x00007FFC74A35000-memory.dmp

Filesize
84KB

Download
memory/4252-1453-0x00007FFC78D10000-0x00007FFC78D34000-memory.dmp

Filesize
144KB

Download
memory/4668-1594-0x00000163549D0000-0x00000163549F2000-memory.dmp

Filesize
136KB

Download
memory/5068-1255-0x00007FFC61840000-0x00007FFC61864000-memory.dmp

Filesize
144KB

Download
memory/5068-1446-0x00007FFC5F7C0000-0x00007FFC5F7F7000-memory.dmp

Filesize
220KB

Download
memory/5068-1443-0x00007FFC60000000-0x00007FFC6001E000-memory.dmp

Filesize
120KB

Download
memory/5068-1433-0x00007FFC60080000-0x00007FFC600CD000-memory.dmp

Filesize
308KB

Download
memory/5068-1439-0x00007FFC74A50000-0x00007FFC74A5A000-memory.dmp

Filesize
40KB

Download
memory/5068-1442-0x00007FFC5F800000-0x00007FFC5FFFB000-memory.dmp

Filesize
8.0MB

Download
memory/5068-1436-0x00007FFC60020000-0x00007FFC60052000-memory.dmp

Filesize
200KB

Download
memory/5068-1430-0x00007FFC600F0000-0x00007FFC601BF000-memory.dmp

Filesize
828KB

Download
memory/5068-1337-0x00007FFC601E0000-0x00007FFC602FC000-memory.dmp

Filesize
1.1MB

Download
memory/5068-1338-0x00007FFC601C0000-0x00007FFC601DB000-memory.dmp

Filesize
108KB

Download
memory/5068-1326-0x00007FFC60300000-0x00007FFC60322000-memory.dmp

Filesize
136KB

Download
memory/5068-1327-0x00007FFC5F7C0000-0x00007FFC5F7F7000-memory.dmp

Filesize
220KB

Download
memory/5068-1316-0x00007FFC5F800000-0x00007FFC5FFFB000-memory.dmp

Filesize
8.0MB

Download
memory/5068-1315-0x00007FFC60000000-0x00007FFC6001E000-memory.dmp

Filesize
120KB

Download
memory/5068-1314-0x00007FFC74A50000-0x00007FFC74A5A000-memory.dmp

Filesize
40KB

Download
memory/5068-1309-0x00007FFC600D0000-0x00007FFC600E9000-memory.dmp

Filesize
100KB

Download
memory/5068-1310-0x00007FFC60060000-0x00007FFC60071000-memory.dmp

Filesize
68KB

Download
memory/5068-1312-0x00007FFC60390000-0x00007FFC603A5000-memory.dmp

Filesize
84KB

Download
memory/5068-1313-0x00007FFC60020000-0x00007FFC60052000-memory.dmp

Filesize
200KB

Download
memory/5068-1311-0x00007FFC60080000-0x00007FFC600CD000-memory.dmp

Filesize
308KB

Download
memory/5068-1308-0x00007FFC603B0000-0x00007FFC60725000-memory.dmp

Filesize
3.5MB

Download
memory/5068-1307-0x00007FFC60730000-0x00007FFC607E8000-memory.dmp

Filesize
736KB

Download
memory/5068-1305-0x00007FFC607F0000-0x00007FFC6081E000-memory.dmp

Filesize
184KB

Download
memory/5068-1306-0x00007FFC600F0000-0x00007FFC601BF000-memory.dmp

Filesize
828KB

Download
memory/5068-1303-0x00007FFC60820000-0x00007FFC60993000-memory.dmp

Filesize
1.4MB

Download
memory/5068-1304-0x00007FFC601C0000-0x00007FFC601DB000-memory.dmp

Filesize
108KB

Download
memory/5068-1301-0x00007FFC613D0000-0x00007FFC613F3000-memory.dmp

Filesize
140KB

Download
memory/5068-1302-0x00007FFC601E0000-0x00007FFC602FC000-memory.dmp

Filesize
1.1MB

Download
memory/5068-1299-0x00007FFC61400000-0x00007FFC6142D000-memory.dmp

Filesize
180KB

Download
memory/5068-1300-0x00007FFC60300000-0x00007FFC60322000-memory.dmp

Filesize
136KB

Download
memory/5068-1297-0x00007FFC61430000-0x00007FFC61449000-memory.dmp

Filesize
100KB

Download
memory/5068-1298-0x00007FFC60330000-0x00007FFC60344000-memory.dmp

Filesize
80KB

Download
memory/5068-1295-0x00007FFC60370000-0x00007FFC60382000-memory.dmp

Filesize
72KB

Download
memory/5068-1296-0x00007FFC60350000-0x00007FFC60364000-memory.dmp

Filesize
80KB

Download
memory/5068-1294-0x00007FFC61450000-0x00007FFC61469000-memory.dmp

Filesize
100KB

Download
memory/5068-1292-0x00007FFC79010000-0x00007FFC7901F000-memory.dmp

Filesize
60KB

Download
memory/5068-1293-0x00007FFC60390000-0x00007FFC603A5000-memory.dmp

Filesize
84KB

Download
memory/5068-1290-0x00007FFC603B0000-0x00007FFC60725000-memory.dmp

Filesize
3.5MB

Download
memory/5068-1291-0x00007FFC61840000-0x00007FFC61864000-memory.dmp

Filesize
144KB

Download
memory/5068-1288-0x00007FFC609A0000-0x00007FFC60F88000-memory.dmp

Filesize
5.9MB

Download
memory/5068-1289-0x00007FFC60730000-0x00007FFC607E8000-memory.dmp

Filesize
736KB

Download
memory/5068-1287-0x00007FFC607F0000-0x00007FFC6081E000-memory.dmp

Filesize
184KB

Download
memory/5068-1286-0x00007FFC60820000-0x00007FFC60993000-memory.dmp

Filesize
1.4MB

Download
memory/5068-1285-0x00007FFC613D0000-0x00007FFC613F3000-memory.dmp

Filesize
140KB

Download
memory/5068-1284-0x00007FFC61400000-0x00007FFC6142D000-memory.dmp

Filesize
180KB

Download
memory/5068-1283-0x00007FFC61430000-0x00007FFC61449000-memory.dmp

Filesize
100KB

Download
memory/5068-1282-0x00007FFC75150000-0x00007FFC7515D000-memory.dmp

Filesize
52KB

Download
memory/5068-1281-0x00007FFC61450000-0x00007FFC61469000-memory.dmp

Filesize
100KB

Download
memory/5068-1586-0x00007FFC7CCB0000-0x00007FFC7CCBD000-memory.dmp

Filesize
52KB

Download
memory/5068-1258-0x00007FFC79010000-0x00007FFC7901F000-memory.dmp

Filesize
60KB

Download
memory/5068-1248-0x00007FFC609A0000-0x00007FFC60F88000-memory.dmp

Filesize
5.9MB

Download
memory/5068-1604-0x00007FFC61840000-0x00007FFC61864000-memory.dmp

Filesize
144KB

Download
memory/5068-1631-0x00007FFC7CCB0000-0x00007FFC7CCBD000-memory.dmp

Filesize
52KB

Download
memory/5068-1624-0x00007FFC60080000-0x00007FFC600CD000-memory.dmp

Filesize
308KB

Download
memory/5068-1623-0x00007FFC600D0000-0x00007FFC600E9000-memory.dmp

Filesize
100KB

Download
memory/5068-1614-0x00007FFC603B0000-0x00007FFC60725000-memory.dmp

Filesize
3.5MB

Download
memory/5068-1613-0x00007FFC60730000-0x00007FFC607E8000-memory.dmp

Filesize
736KB

Download
memory/5068-1611-0x00007FFC60820000-0x00007FFC60993000-memory.dmp

Filesize
1.4MB

Download
memory/5068-1603-0x00007FFC609A0000-0x00007FFC60F88000-memory.dmp

Filesize
5.9MB

Download
memory/5068-1616-0x00007FFC60370000-0x00007FFC60382000-memory.dmp

Filesize
72KB

Download
memory/5068-1615-0x00007FFC60390000-0x00007FFC603A5000-memory.dmp

Filesize
84KB

Download
memory/5068-1612-0x00007FFC607F0000-0x00007FFC6081E000-memory.dmp

Filesize
184KB

Download