exelastealer | hxxps://electronv3[.]com/

Analysis

max time kernel
81s
max time network
82s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
05-07-2024 18:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://electronv3.com/

Score

10^/10

exelastealer defense_evasion evasion persistence privilege_escalation pyinstaller spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1588	netsh.exe
4940	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
4932	ElectronV3.exe
4572	ElectronV3.exe

Loads dropped DLL 31 IoCs

pid	Process
4572	ElectronV3.exe
4572	ElectronV3.exe
4572	ElectronV3.exe
4572	ElectronV3.exe
4572	ElectronV3.exe
4572	ElectronV3.exe
4572	ElectronV3.exe
4572	ElectronV3.exe
4572	ElectronV3.exe
4572	ElectronV3.exe
4572	ElectronV3.exe
4572	ElectronV3.exe
4572	ElectronV3.exe
4572	ElectronV3.exe
4572	ElectronV3.exe
4572	ElectronV3.exe
4572	ElectronV3.exe
4572	ElectronV3.exe
4572	ElectronV3.exe
4572	ElectronV3.exe
4572	ElectronV3.exe
4572	ElectronV3.exe
4572	ElectronV3.exe
4572	ElectronV3.exe
4572	ElectronV3.exe
4572	ElectronV3.exe
4572	ElectronV3.exe
4572	ElectronV3.exe
4572	ElectronV3.exe
4572	ElectronV3.exe
4572	ElectronV3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023512-359.dat	upx
behavioral1/memory/4572-363-0x00007FFFFCDA0000-0x00007FFFFD205000-memory.dmp	upx
behavioral1/files/0x000700000002350c-371.dat	upx
behavioral1/memory/4572-392-0x00007FF812310000-0x00007FF81231F000-memory.dmp	upx
behavioral1/memory/4572-391-0x00007FF8076A0000-0x00007FF8076C4000-memory.dmp	upx
behavioral1/files/0x00070000000234ee-390.dat	upx
behavioral1/files/0x00070000000234ed-389.dat	upx
behavioral1/files/0x00070000000234ec-388.dat	upx
behavioral1/files/0x00070000000234eb-387.dat	upx
behavioral1/files/0x00070000000234ea-386.dat	upx
behavioral1/files/0x00070000000234e9-385.dat	upx
behavioral1/files/0x00070000000234e8-384.dat	upx
behavioral1/files/0x00070000000234e7-383.dat	upx
behavioral1/files/0x00070000000234e6-382.dat	upx
behavioral1/files/0x00070000000234e5-381.dat	upx
behavioral1/files/0x00070000000234e3-380.dat	upx
behavioral1/files/0x00070000000234e2-379.dat	upx
behavioral1/files/0x00070000000234e1-378.dat	upx
behavioral1/files/0x0007000000023515-377.dat	upx
behavioral1/files/0x0007000000023514-376.dat	upx
behavioral1/files/0x0007000000023513-375.dat	upx
behavioral1/files/0x0007000000023510-374.dat	upx
behavioral1/files/0x000700000002350d-373.dat	upx
behavioral1/files/0x000700000002350b-372.dat	upx
behavioral1/files/0x00070000000234e4-369.dat	upx
behavioral1/memory/4572-396-0x00007FF8114D0000-0x00007FF8114DD000-memory.dmp	upx
behavioral1/memory/4572-395-0x00007FF80E6D0000-0x00007FF80E6E9000-memory.dmp	upx
behavioral1/memory/4572-400-0x00007FF801D00000-0x00007FF801D2C000-memory.dmp	upx
behavioral1/memory/4572-399-0x00007FF808130000-0x00007FF808149000-memory.dmp	upx
behavioral1/memory/4572-404-0x00007FFFFED40000-0x00007FFFFEEAD000-memory.dmp	upx
behavioral1/memory/4572-403-0x00007FF800010000-0x00007FF80002E000-memory.dmp	upx
behavioral1/memory/4572-406-0x00007FFFFED10000-0x00007FFFFED3E000-memory.dmp	upx
behavioral1/memory/4572-410-0x00007FFFFEC50000-0x00007FFFFED06000-memory.dmp	upx
behavioral1/memory/4572-411-0x00007FFFFCA20000-0x00007FFFFCD94000-memory.dmp	upx
behavioral1/memory/4572-423-0x00007FFFFD7E0000-0x00007FFFFD7F4000-memory.dmp	upx
behavioral1/memory/4572-429-0x00007FFFFD7C0000-0x00007FFFFD7D4000-memory.dmp	upx
behavioral1/memory/4572-430-0x00007FFFFC8B0000-0x00007FFFFC8D2000-memory.dmp	upx
behavioral1/memory/4572-428-0x00007FFFFC8E0000-0x00007FFFFC9F8000-memory.dmp	upx
behavioral1/memory/4572-427-0x00007FFFFCA00000-0x00007FFFFCA15000-memory.dmp	upx
behavioral1/memory/4572-426-0x00007FF8111C0000-0x00007FF8111D0000-memory.dmp	upx
behavioral1/memory/4572-425-0x00007FFFFCDA0000-0x00007FFFFD205000-memory.dmp	upx
behavioral1/memory/4572-438-0x00007FF80E6D0000-0x00007FF80E6E9000-memory.dmp	upx
behavioral1/memory/4572-443-0x00007FFFFC800000-0x00007FFFFC811000-memory.dmp	upx
behavioral1/memory/4572-442-0x00007FFFFC820000-0x00007FFFFC869000-memory.dmp	upx
behavioral1/memory/4572-441-0x00007FFFFC870000-0x00007FFFFC889000-memory.dmp	upx
behavioral1/memory/4572-440-0x00007FFFFC890000-0x00007FFFFC8A7000-memory.dmp	upx
behavioral1/memory/4572-439-0x00007FF8114D0000-0x00007FF8114DD000-memory.dmp	upx
behavioral1/memory/4572-446-0x00007FFFFC7E0000-0x00007FFFFC7FE000-memory.dmp	upx
behavioral1/memory/4572-445-0x00007FF810730000-0x00007FF81073A000-memory.dmp	upx
behavioral1/memory/4572-444-0x00007FF801D00000-0x00007FF801D2C000-memory.dmp	upx
behavioral1/memory/4572-448-0x00007FFFFED40000-0x00007FFFFEEAD000-memory.dmp	upx
behavioral1/memory/4572-449-0x00007FFFFC0E0000-0x00007FFFFC7D2000-memory.dmp	upx
behavioral1/memory/4572-447-0x00007FF800010000-0x00007FF80002E000-memory.dmp	upx
behavioral1/memory/4572-450-0x00007FFFFED10000-0x00007FFFFED3E000-memory.dmp	upx
behavioral1/memory/4572-451-0x00007FFFFC0A0000-0x00007FFFFC0D8000-memory.dmp	upx
behavioral1/memory/4572-468-0x00007FFFFEC50000-0x00007FFFFED06000-memory.dmp	upx
behavioral1/memory/4572-469-0x00007FFFFCA20000-0x00007FFFFCD94000-memory.dmp	upx
behavioral1/memory/4572-517-0x00007FFFFD7E0000-0x00007FFFFD7F4000-memory.dmp	upx
behavioral1/memory/4572-518-0x00007FF8162A0000-0x00007FF8162AD000-memory.dmp	upx
behavioral1/memory/4572-536-0x00007FF8076A0000-0x00007FF8076C4000-memory.dmp	upx
behavioral1/memory/4572-563-0x00007FFFFC8E0000-0x00007FFFFC9F8000-memory.dmp	upx
behavioral1/memory/4572-562-0x00007FF8111C0000-0x00007FF8111D0000-memory.dmp	upx
behavioral1/memory/4572-561-0x00007FF8162A0000-0x00007FF8162AD000-memory.dmp	upx
behavioral1/memory/4572-560-0x00007FFFFC0A0000-0x00007FFFFC0D8000-memory.dmp	upx

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
122	api.ipify.org
123	api.ipify.org
201	ip-api.com

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
636	cmd.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1432	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x00070000000234d3-310.dat	pyinstaller

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
4476	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1932	WMIC.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

Process Discovery

T1057

pid	Process
1596	tasklist.exe
5060	tasklist.exe
1836	tasklist.exe
3524	tasklist.exe
2476	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1344	ipconfig.exe
4608	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3120	systeminfo.exe

Kills process with taskkill 12 IoCs

evasion

pid	Process
2788	taskkill.exe
1760	taskkill.exe
3332	taskkill.exe
1532	taskkill.exe
1928	taskkill.exe
4608	taskkill.exe
1636	taskkill.exe
4876	taskkill.exe
2536	taskkill.exe
3252	taskkill.exe
2956	taskkill.exe
3844	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-771719357-2485960699-3367710044-1000\{3402BC01-526A-4DAF-8A81-BD8B99BED79D}	msedge.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1256	schtasks.exe
3996	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
1048	msedge.exe
1048	msedge.exe
2664	msedge.exe
2664	msedge.exe
4604	identity_helper.exe
4604	identity_helper.exe
3564	msedge.exe
3564	msedge.exe
3488	msedge.exe
3488	msedge.exe
1064	powershell.exe
1064	powershell.exe
1064	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2192	7zG.exe
Token: 35	2192	7zG.exe
Token: SeSecurityPrivilege	2192	7zG.exe
Token: SeSecurityPrivilege	2192	7zG.exe
Token: SeIncreaseQuotaPrivilege	456	WMIC.exe
Token: SeSecurityPrivilege	456	WMIC.exe
Token: SeTakeOwnershipPrivilege	456	WMIC.exe
Token: SeLoadDriverPrivilege	456	WMIC.exe
Token: SeSystemProfilePrivilege	456	WMIC.exe
Token: SeSystemtimePrivilege	456	WMIC.exe
Token: SeProfSingleProcessPrivilege	456	WMIC.exe
Token: SeIncBasePriorityPrivilege	456	WMIC.exe
Token: SeCreatePagefilePrivilege	456	WMIC.exe
Token: SeBackupPrivilege	456	WMIC.exe
Token: SeRestorePrivilege	456	WMIC.exe
Token: SeShutdownPrivilege	456	WMIC.exe
Token: SeDebugPrivilege	456	WMIC.exe
Token: SeSystemEnvironmentPrivilege	456	WMIC.exe
Token: SeRemoteShutdownPrivilege	456	WMIC.exe
Token: SeUndockPrivilege	456	WMIC.exe
Token: SeManageVolumePrivilege	456	WMIC.exe
Token: 33	456	WMIC.exe
Token: 34	456	WMIC.exe
Token: 35	456	WMIC.exe
Token: 36	456	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1932	WMIC.exe
Token: SeSecurityPrivilege	1932	WMIC.exe
Token: SeTakeOwnershipPrivilege	1932	WMIC.exe
Token: SeLoadDriverPrivilege	1932	WMIC.exe
Token: SeSystemProfilePrivilege	1932	WMIC.exe
Token: SeSystemtimePrivilege	1932	WMIC.exe
Token: SeProfSingleProcessPrivilege	1932	WMIC.exe
Token: SeIncBasePriorityPrivilege	1932	WMIC.exe
Token: SeCreatePagefilePrivilege	1932	WMIC.exe
Token: SeBackupPrivilege	1932	WMIC.exe
Token: SeRestorePrivilege	1932	WMIC.exe
Token: SeShutdownPrivilege	1932	WMIC.exe
Token: SeDebugPrivilege	1932	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1932	WMIC.exe
Token: SeRemoteShutdownPrivilege	1932	WMIC.exe
Token: SeUndockPrivilege	1932	WMIC.exe
Token: SeManageVolumePrivilege	1932	WMIC.exe
Token: 33	1932	WMIC.exe
Token: 34	1932	WMIC.exe
Token: 35	1932	WMIC.exe
Token: 36	1932	WMIC.exe
Token: SeDebugPrivilege	1596	tasklist.exe
Token: SeIncreaseQuotaPrivilege	456	WMIC.exe
Token: SeSecurityPrivilege	456	WMIC.exe
Token: SeTakeOwnershipPrivilege	456	WMIC.exe
Token: SeLoadDriverPrivilege	456	WMIC.exe
Token: SeSystemProfilePrivilege	456	WMIC.exe
Token: SeSystemtimePrivilege	456	WMIC.exe
Token: SeProfSingleProcessPrivilege	456	WMIC.exe
Token: SeIncBasePriorityPrivilege	456	WMIC.exe
Token: SeCreatePagefilePrivilege	456	WMIC.exe
Token: SeBackupPrivilege	456	WMIC.exe
Token: SeRestorePrivilege	456	WMIC.exe
Token: SeShutdownPrivilege	456	WMIC.exe
Token: SeDebugPrivilege	456	WMIC.exe
Token: SeSystemEnvironmentPrivilege	456	WMIC.exe
Token: SeRemoteShutdownPrivilege	456	WMIC.exe
Token: SeUndockPrivilege	456	WMIC.exe
Token: SeManageVolumePrivilege	456	WMIC.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2192	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe
2664	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 4664	2664	msedge.exe	81
PID 2664 wrote to memory of 4664	2664	msedge.exe	81
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1792	2664	msedge.exe	84
PID 2664 wrote to memory of 1048	2664	msedge.exe	85
PID 2664 wrote to memory of 1048	2664	msedge.exe	85
PID 2664 wrote to memory of 376	2664	msedge.exe	86
PID 2664 wrote to memory of 376	2664	msedge.exe	86
PID 2664 wrote to memory of 376	2664	msedge.exe	86
PID 2664 wrote to memory of 376	2664	msedge.exe	86
PID 2664 wrote to memory of 376	2664	msedge.exe	86
PID 2664 wrote to memory of 376	2664	msedge.exe	86
PID 2664 wrote to memory of 376	2664	msedge.exe	86
PID 2664 wrote to memory of 376	2664	msedge.exe	86
PID 2664 wrote to memory of 376	2664	msedge.exe	86
PID 2664 wrote to memory of 376	2664	msedge.exe	86
PID 2664 wrote to memory of 376	2664	msedge.exe	86
PID 2664 wrote to memory of 376	2664	msedge.exe	86
PID 2664 wrote to memory of 376	2664	msedge.exe	86
PID 2664 wrote to memory of 376	2664	msedge.exe	86
PID 2664 wrote to memory of 376	2664	msedge.exe	86
PID 2664 wrote to memory of 376	2664	msedge.exe	86
PID 2664 wrote to memory of 376	2664	msedge.exe	86
PID 2664 wrote to memory of 376	2664	msedge.exe	86
PID 2664 wrote to memory of 376	2664	msedge.exe	86
PID 2664 wrote to memory of 376	2664	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3728	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://electronv3.com/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8014046f8,0x7ff801404708,0x7ff801404718
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,5344083138328180650,9148764804349342893,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
  2⤵
  PID:1792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,5344083138328180650,9148764804349342893,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,5344083138328180650,9148764804349342893,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2644 /prefetch:8
  2⤵
  PID:376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5344083138328180650,9148764804349342893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5344083138328180650,9148764804349342893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,5344083138328180650,9148764804349342893,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,5344083138328180650,9148764804349342893,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5344083138328180650,9148764804349342893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5344083138328180650,9148764804349342893,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5344083138328180650,9148764804349342893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5344083138328180650,9148764804349342893,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5344083138328180650,9148764804349342893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5388 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5344083138328180650,9148764804349342893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:1288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2152,5344083138328180650,9148764804349342893,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6232 /prefetch:8
  2⤵
  PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2152,5344083138328180650,9148764804349342893,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6256 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5344083138328180650,9148764804349342893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3032 /prefetch:1
  2⤵
  PID:948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2152,5344083138328180650,9148764804349342893,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5616 /prefetch:8
  2⤵
  PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,5344083138328180650,9148764804349342893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1256 /prefetch:1
  2⤵
  PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,5344083138328180650,9148764804349342893,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6600 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3488

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3328

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5024

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1988

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\Electron V3\" -ad -an -ai#7zMap26716:84:7zEvent20553
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2192

C:\Users\Admin\Downloads\Electron V3\Electron V3\ElectronV3.exe
"C:\Users\Admin\Downloads\Electron V3\Electron V3\ElectronV3.exe"
1⤵
- Executes dropped EXE
PID:4932
- C:\Users\Admin\Downloads\Electron V3\Electron V3\ElectronV3.exe
  "C:\Users\Admin\Downloads\Electron V3\Electron V3\ElectronV3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:4780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:320
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:1932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    PID:1708
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:2284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:1828
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    PID:1944
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      PID:3404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1804
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:3100
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:636
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Views/modifies file attributes
      PID:3728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "schtasks /query /TN "ExelaUpdateService""
    3⤵
    PID:2172
  - - C:\Windows\system32\schtasks.exe
      schtasks /query /TN "ExelaUpdateService"
      4⤵
      PID:724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc onlogon /rl highest /tn "ExelaUpdateService" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    PID:232
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "ExelaUpdateService" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc hourly /mo 1 /rl highest /tn "ExelaUpdateService2" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    PID:1596
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc hourly /mo 1 /rl highest /tn "ExelaUpdateService2" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    PID:1812
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:3828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:2284
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:1836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2664"
    3⤵
    PID:1368
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2664
      4⤵
      Kills process with taskkill
      PID:3844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4664"
    3⤵
    PID:4708
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4664
      4⤵
      Kills process with taskkill
      PID:4608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1792"
    3⤵
    PID:3996
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1792
      4⤵
      Kills process with taskkill
      PID:2788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1048"
    3⤵
    PID:3104
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1048
      4⤵
      Kills process with taskkill
      PID:1760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 376"
    3⤵
    PID:3448
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 376
      4⤵
      Kills process with taskkill
      PID:1636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4240"
    3⤵
    PID:4568
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4240
      4⤵
      Kills process with taskkill
      PID:4876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3064"
    3⤵
    PID:2960
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3064
      4⤵
      Kills process with taskkill
      PID:2536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 916"
    3⤵
    PID:2520
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 916
      4⤵
      Kills process with taskkill
      PID:3332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4192"
    3⤵
    PID:4360
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4192
      4⤵
      Kills process with taskkill
      PID:3252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3692"
    3⤵
    PID:4264
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3692
      4⤵
      Kills process with taskkill
      PID:1532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 948"
    3⤵
    PID:4464
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 948
      4⤵
      Kills process with taskkill
      PID:2956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3616"
    3⤵
    PID:4608
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3616
      4⤵
      Kills process with taskkill
      PID:1928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:4372
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:4560
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:3932
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:2280
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:2860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:844
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    PID:3824
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    PID:364
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:1136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    PID:3708
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3120
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:2440
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      PID:4476
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:4028
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:404
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:412
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:4588
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:1656
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:2968
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:1748
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:2452
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:1532
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:532
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:2856
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:4868
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:1828
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:2476
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:1344
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:984
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      PID:516
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      Gathers network information
      PID:4608
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:1432
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1588
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fbc957a83b42f65c351e04ce810c1c11

SHA1
78dcdf88beec5a9c112c145f239aefb1203d55ad

SHA256
7bb59b74f42792a15762a77ca69f52bf5cc4506261a67f78cd673a2d398e6128

SHA512
efad54eb0bd521c30bc4a96b9d4cb474c4ca42b4c108e08983a60c880817f61bc19d97538cc09a54b2db95ab9c8996f790672e19fb3851a5d93f174acdfac0ce

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5b6ff6669a863812dff3a9e76cb311e4

SHA1
355f7587ad1759634a95ae191b48b8dbaa2f1631

SHA256
c7fb7eea8bea4488bd4605df51aa560c0e1b11660e9228863eb4ad1be0a07906

SHA512
d153b1412fadda28c0582984e135b819ba330e01d3299bb4887062ffd6d3303da4f2c4b64a3de277773f4756da361e7bc5885c226ae2a5cfdd16ee60512e2e5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
816B

MD5
8e9bacbd4e252ff00ca28db51e077666

SHA1
26efdca5184af87122cbf295fd7007e341966739

SHA256
0810be5905ef0aa9fb05fb5922237812e17062c9245e70ffc8b4a63f789cd882

SHA512
b370d8cc0c57d4800ba7b2fb2f5d749e34073914685fe8f9cc2f615587a284e81945a1b2c1ab768cf91425abf57f9e85dbb3a3c353b9144f27ec5ce8f374843c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
e532fcf962f124c798885c0d1395fe1f

SHA1
42b537281ed54e170fd9f703cec9c473152749f3

SHA256
895a9bd726f7a65dcd61bd1204e4395a00f90c674cfc84c956aa58219b80baae

SHA512
64d13d89fa8f2e6b59b5a82a036cb553dade19ac152d3b5bf7b3f5e233135bec022bf45140c4f6aac99d12d1d9b2b2d512716b269360a3cfac703c0c1e4ad02c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d8491eba4a08fe24b5736aa9671cd687

SHA1
30cddf318d9d0e6f80a6d5811960c2289ada2bbc

SHA256
75726fa963ee627ef637273a5a9f168bcc9c83b99025e17d4a34128c9bde77c0

SHA512
78f3d01366d8ddbac861213711089fb5bc3d6c184724bcd02417734b7b0a409eabdddf37fd01f042903f0bd2034061a8bbc2604d903a95d3de2a4b316564265a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
90b3fa917d2d7bfd60b7ef61e803e01d

SHA1
9bca614de836c8e34df3e4ece74f3a95a377f14d

SHA256
4a7db851ace7971359159dd3c5a9c37433e174775a465cec69b979f9ca39fccd

SHA512
0e32be304a846c4c84071187b32a74deb36d7295c71186b1cd420e99cf9bbe3e8e1f35a99f66d08c34b0d1f4744140eec4a4295490619468b8b9ca654c7adb9c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ec01b8f763fa6304b1984b0689e6b2b8

SHA1
70887b887d7272f112fc902d0aca90ced8f06b6f

SHA256
ccdb3ffe595db2b8df17454f450cf16f6c0685eb3671c5546d9bcb2586b0dbee

SHA512
53e3b54d7607b6be334e41ed1590e9cbe6d17290310d05290c3dc9cd8b4175aa42d8d5a05f18aca84797e270bd196dfb59b9ebc28abcc6013d269d133b6ba6b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
07cee56263c86851ef83d6bcb811f4e1

SHA1
d4ecfda0e5ae01bfc94fe811ff17a575ce46e749

SHA256
9f8eac6947ab07d07ad1046ca119264c4e609188cb9c4deb30f15195f57ce8f7

SHA512
2ce36a9ab18dc25b8015fbad4fa694d4307f41fe8ad5ec057d6a2cf5eb2d9857f8e9cb28e87f7e0f3fcdd09995fc0cf398a5834156345b5a6628886b7ab33ada

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
3cadb45f5a79d919349cd327127b723b

SHA1
bc6dacf3d1bf68422f024563b947e82e7235550e

SHA256
a84b0ff6341617b0dc764730e580d0fe00f9d39cbd1aaef303acc36baed58e2b

SHA512
f6c6f7c54b05005ba9e6738bbd2366e9688cc9b942cc476ca4715e6d36b78f60f319678b491f84b06acaeba793289db9854e28fe03f18e62d2953067b1d2d19a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\e00a7408-97e6-49ec-96ec-74c0bd165de4.tmp

Filesize
11KB

MD5
a07190c9182f0c2815aee172f424a12f

SHA1
9ec87b69dc15e16e2f7af309414b0a36d09865b8

SHA256
0d7eab5dce0c033a23e87395694338988d22085b7e2213371e8dfe3648f885f5

SHA512
1b227f5678e36876587f857b3634501796f2d919fcd7dec928638e6b255ea1d3b4f3b316a2ba63e0cf6f6a10135ffacd3e52d45184a02d383ecb456a26cfafe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\VCRUNTIME140.dll

Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\_asyncio.pyd

Filesize
31KB

MD5
480d3f4496e16d54bb5313d206164134

SHA1
3db3a9f21be88e0b759855bf4f937d0bbfdf1734

SHA256
568fb5c3d9b170ce1081ad12818b9a12f44ab1577449425a3ef30c2efbee613d

SHA512
8e887e8de9c31dbb6d0a85b4d6d4157e917707e63ce5f119bb4b03cb28d41af90d087e3843f3a4c2509bca70cdac3941e00b8a5144ade8532a97166a5d0a7bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\_bz2.pyd

Filesize
43KB

MD5
39b487c3e69816bd473e93653dbd9b7f

SHA1
bdce6fde092a3f421193ddb65df893c40542a4e2

SHA256
a1629c455be2cf55e36021704716f4b16a96330fe993aae9e818f67c4026fcdc

SHA512
7543c1555e8897d15c952b89427e7d06c32e250223e85fafae570f8a0fa13c39fb6fc322d043324a31b2f2f08d2f36e0da59dfd741d09c035d0429173b6badc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\_cffi_backend.cp310-win_amd64.pyd

Filesize
71KB

MD5
641e49ce0c4fa963d347fbf915aabdbe

SHA1
1351f6c4ac5dcda7e3ffbf3d5e355b4bb864eb10

SHA256
1c795df278c7f64be8e6973f8dbf1a625997cb39ae2dcb5bee0ca4c1b90c8906

SHA512
766b9adb5143e89d663177c2fb0e951afb84c0a43ec690ae2c477ee0bbe036df6f4161a6012430d42e4913fd5fbe7e49af6d13ac7c62d042a484861fc5a04616

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\_ctypes.pyd

Filesize
53KB

MD5
b1f12f4bfc0bd49a6646a0786bc5bc00

SHA1
acb7d8c665bb8ca93e5f21e178870e3d141d7cbc

SHA256
1fe61645ed626fc1dec56b2e90e8e551066a7ff86edbd67b41cb92211358f3d7

SHA512
a3fb041bd122638873c395b95f1a541007123f271572a8a988c9d01d2b2d7bb20d70e1d97fc3abffd28cb704990b41d8984974c344faea98dd0c6b07472b5731

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\_decimal.pyd

Filesize
101KB

MD5
b7f498da5aec35140a6d928a8f792911

SHA1
95ab794a2d4cb8074a23d84b10cd62f7d12a4cd0

SHA256
b15f0dc3ce6955336162c9428077dcedfa1c52e60296251521819f3239c26ee8

SHA512
5fcb2d5325a6a4b7aff047091957ba7f13de548c5330f0149682d44140ac0af06837465871c598db71830fd3b2958220f80ae8744ef16fdb7336b3d6a5039e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\_hashlib.pyd

Filesize
30KB

MD5
31dfa2caaee02cc38adf4897b192d6d1

SHA1
9be57a9bad1cb420675f5b9e04c48b76d18f4a19

SHA256
dc045ac7d4bde60b0f122d307fcd2bbaf5e1261a280c4fb67cfc43de5c0c2a0f

SHA512
3e58c083e1e3201a9fbbf6a4fcbc2b0273cf22badabab8701b10b3f8fdd20b11758cdcfead557420393948434e340aad751a4c7aa740097ab29d1773ea3a0100

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\_lzma.pyd

Filesize
81KB

MD5
95badb08cd77e563c9753fadc39a34dd

SHA1
b3c3dfe64e89b5e7afb5f064bbf9d8d458f626a0

SHA256
5545627b465d780b6107680922ef44144a22939dd406deae44858b79747e301a

SHA512
eb36934b73f36ba2162e75f0866435f57088777dc40379f766366c26d40f185de5be3da55d17f5b82cb498025d8d90bc16152900502eb7f5de88bbef84ace2cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\_multiprocessing.pyd

Filesize
22KB

MD5
28f6fcc0b7bb10a45ff1370c9e1b9561

SHA1
c7669f406b5ec2306a402e872dec17380219907a

SHA256
6dd33d49554ee61490725ea2c9129c15544791ab7a65fb523cc9b4f88d38744b

SHA512
2aef40344e80c3518afc07bf6ad4c96c4fff44434f8307e2efa544290d59504d7b014d7ea94af0377e342a632d6c4c74bfdf16d26f92ccc7062be618ea4dbee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\_overlapped.pyd

Filesize
27KB

MD5
745706ab482fe9c9f92383292f121072

SHA1
439f00978795d0845aceaf007fd76ff5947567fd

SHA256
4d98e7d1b74bd209f8c66e1a276f60b470f6a5d6f519f76a91eb75be157a903d

SHA512
52fe3dfc45c380dfb1d9b6e453bdffcd92d57ad7b7312d0b9a86a76d437c512a17da33822f8e81760710d8ff4fd6a4b702d2abfffc600c9350d4d463451d38d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\_queue.pyd

Filesize
21KB

MD5
18b8b2b0aefcee9527299c464b7f6d3d

SHA1
a565216faee2534bbda5b3f65aeb2eef5fd9bcda

SHA256
6f334fa1474116dd499a125f3b5ca4cd698039446faf50340f9a3f7af3adb8c2

SHA512
0b56e9d89f4dd3da830954b6561c49c06775854e0b27bc2b07ea8e9c79829d66dae186b95209c8c4cc7c3a7ba6b03cdf134b2e0036cea929e61d755d4709abcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\_socket.pyd

Filesize
38KB

MD5
f675cf3cdd836cacfab9c89ab9f97108

SHA1
3e077bf518f7a4cb30ea4607338cff025d4d476e

SHA256
bb82a23d8dc6bf4c9aeb91d3f3bef069276ae3b14eeca100b988b85dd21e2dd3

SHA512
e2344b5f59bd0fad3570977edf0505aa2e05618e66d07c9f93b163fc151c4e1d6fbc0e25b7c989505c1270f8cd4840c6120a73a7ad64591ee3c4fb282375465e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\_sqlite3.pyd

Filesize
45KB

MD5
1dbec8753e5cd062cd71a8bb294f28f9

SHA1
c32e9b577f588408a732047863e04a1db6ca231e

SHA256
6d95d41a36b5c9e3a895eff91149978aa383b6a8617d542accef2080737c3cad

SHA512
a1c95dbb1a9e2ffbcc9422f53780b35fbc77cb56ac3562afb8753161a233e5efa8da8ad67f5bde5a094beb8331d9dab5c3d5e673a8d09fd6d0383a8a6ffda087

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\_ssl.pyd

Filesize
57KB

MD5
2edf5c4e534a45966a68033e7395f40d

SHA1
478ef27474eec0fd966d1663d2397e8fb47fec17

SHA256
7abc2b326f5b7c3011827eb7a5a4d896cc6b2619246826519b3f57d2bb99d3bd

SHA512
f83b698cfe702a15eb0267f254c593b90fa155ad2aefe75e5ba0ee5d4f38976882796cba2a027b42a910f244360177ac809891d505b3d0ae9276156b64850b6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\_uuid.pyd

Filesize
18KB

MD5
b3e7fc44f12d2db5bad6922e0b1d927f

SHA1
3fe8ef4b6fb0bc590a1c0c0f5710453e8e340f8f

SHA256
6b93290a74fb288489405044a7dee7cca7c25fa854be9112427930dd739ebace

SHA512
a0465a38aaac2d501e9a12a67d5d71c9eeeb425f535c473fc27ac13c2bb307641cc3cef540472f916e341d7bada80a84b99d78850d94c95ee14139f8540d0c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\base_library.zip

Filesize
858KB

MD5
1ebb920a2696a11237f3e8e4af10d802

SHA1
f86a052e2dfa2df8884ebf80832814f920a820e6

SHA256
d0e26325e67b3db749a83698413c4c270d8b26cd7dbc607006bc526ee784d6df

SHA512
2cfa6746dcdf575f26267b359a8820a6f29d81967c62131463802b30db2e17c8f159a2cbc652f25bdfdfd7c5942d26a26f9e1df984f8560696153a3427e4fb47

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\libcrypto-1_1.dll

Filesize
1.1MB

MD5
700f32459dca0f54c982cd1c1ddd6b8b

SHA1
2538711c091ac3f572cb0f13539a68df0f228f28

SHA256
1de22bd1a0154d49f48b3fab94fb1fb1abd8bfed37d18e79a86ecd7cdab893c9

SHA512
99de1f5cb78c83fc6af0a475fb556f1ac58a1ba734efc69d507bf5dc1b0535a401d901324be845d7a59db021f8967cf33a7b105b2ddcb2e02a39dc0311e7c36d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\libffi-7.dll

Filesize
23KB

MD5
d50ebf567149ead9d88933561cb87d09

SHA1
171df40e4187ebbfdf9aa1d76a33f769fb8a35ed

SHA256
6aa8e12ce7c8ad52dd2e3fabeb38a726447849669c084ea63d8e322a193033af

SHA512
7bcc9d6d3a097333e1e4b2b23c81ea1b5db7dbdc5d9d62ebaffb0fdfb6cfe86161520ac14dc835d1939be22b9f342531f48da70f765a60b8e2c3d7b9983021de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\libssl-1_1.dll

Filesize
198KB

MD5
45498cefc9ead03a63c2822581cd11c6

SHA1
f96b6373237317e606b3715705a71db47e2cafad

SHA256
a84174a00dc98c98240ad5ee16c35e6ef932cebd5b8048ff418d3dd80f20deca

SHA512
4d3d8d33e7f3c2bf1cad3afbfba6ba53852d1314713ad60eeae1d51cc299a52b73da2c629273f9e0b7983ca01544c3645451cfa247911af4f81ca88a82cf6a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\pyexpat.pyd

Filesize
81KB

MD5
b4cf065f5e5b7a5bc2dd2b2e09bea305

SHA1
d289a500ffd399053767ee7339e48c161655b532

SHA256
9b5f407a2a1feaa76c6d3058a2f04c023b1c50b31d417bbfee69024098e4938b

SHA512
ddd9e216b11152d6a50481e06bb409335d36ce7fe63072aa0c7789c541593f2d7e8b4373be67a018c59f5e418e5a39a3ad729b732f11fa253f6275a64e125989

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\python3.DLL

Filesize
60KB

MD5
a5471f05fd616b0f8e582211ea470a15

SHA1
cb5f8bf048dc4fc58f80bdfd2e04570dbef4730e

SHA256
8d5e09791b8b251676e16bdd66a7118d88b10b66ad80a87d5897fadbefb91790

SHA512
e87d06778201615b129dcf4e8b4059399128276eb87102b5c3a64b6e92714f6b0d5bde5df4413cc1b66d33a77d7a3912eaa1035f73565dbfd62280d09d46abff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\python310.dll

Filesize
1.4MB

MD5
90d5b8ba675bbb23f01048712813c746

SHA1
f2906160f9fc2fa719fea7d37e145156742ea8a7

SHA256
3a7d497d779ff13082835834a1512b0c11185dd499ab86be830858e7f8aaeb3e

SHA512
872c2bf56c3fe180d9b4fb835a92e1dc188822e9d9183aab34b305408bb82fba1ead04711e8ad2bef1534e86cd49f2445d728851206d7899c1a7a83e5a62058e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\select.pyd

Filesize
21KB

MD5
740424368fb6339d67941015e7ac4096

SHA1
64f3fab24f469a027ddfcf0329eca121f4164e45

SHA256
a389eae40188282c91e0cdf38c79819f475375860225b6963deb11623485b76d

SHA512
6d17dc3f294f245b4ca2eca8e62f4c070c7b8a5325349bc25ebaeea291a5a5ebd268bd1321c08755141aa58de0f985adc67335b4f83bc1aeec4b398d0f538e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\sqlite3.dll

Filesize
605KB

MD5
7055e9008e847cb6015b1bb89f26c7ac

SHA1
c7c844cb46f8287a88bec3bd5d02647f5a07ae80

SHA256
2884d8e9007461ab6e8bbdd37c6bc4f6de472bbd52ec5b53e0a635075d86b871

SHA512
651b7b8c2518e4826d84c89be5052fd944f58f558c51cc905da181049850186d0a87fd2e05734fbe6a69618a6e48261a9fdd043ab17eb01620c6510e96d57008

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\unicodedata.pyd

Filesize
285KB

MD5
0c26e9925bea49d7cf03cfc371283a9b

SHA1
89290d3e43e18165cb07a7a4f99855b9e8466b21

SHA256
13c2ea04a1d40588536f1d7027c8d0ea228a9fb328ca720d6c53b96a8e1ae724

SHA512
6a3cd4b48f7c0087f4a1bdc1241df71d56bd90226759481f17f56baa1b991d1af0ba5798a2b7ba57d9ffa9ec03a12bfac81df2fba88765bd369435ff21a941e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nnrypzhw.f5j.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Electron V3.rar

Filesize
9.2MB

MD5
d54af3b230a07eda3384955a2f56f8f0

SHA1
93cbb921e45e34dcc93705d9ff19fa974e3243fd

SHA256
f574b6788dcf96f03c5a475477c950b2b01c30a0b84c286efd957e4c639eef75

SHA512
1e7f66a9938958e9afae04568e0e5761f31175f8ffe061873896c2c4ac8da9619ba08abf0067f23ee9f986b785a67e4a623dececdaa09d64f55d3a32f2463a6a

Download Submit
C:\Users\Admin\Downloads\Electron V3\Electron V3\ElectronV3.exe

Filesize
24.3MB

MD5
dc4daa4ae573a0874b032175c62e8a2f

SHA1
3fb4726a801433670895c26535a38fd85861d6fa

SHA256
eacf7306a01a58e9db080609a688b293b1e4e3899524e335ca846ce3691e022e

SHA512
e045e5d1ea75e4c7a81f0abe68e472f9a8912f2bc9ae28de74a872c5221e4516a74060de1118dfe18b06749cb231ef35f63a17a52f7cf4e3499568b3c32d630d

Download Submit
memory/1064-526-0x0000022101FB0000-0x0000022101FD2000-memory.dmp

Filesize
136KB

Download
memory/4572-404-0x00007FFFFED40000-0x00007FFFFEEAD000-memory.dmp

Filesize
1.4MB

Download
memory/4572-448-0x00007FFFFED40000-0x00007FFFFEEAD000-memory.dmp

Filesize
1.4MB

Download
memory/4572-400-0x00007FF801D00000-0x00007FF801D2C000-memory.dmp

Filesize
176KB

Download
memory/4572-399-0x00007FF808130000-0x00007FF808149000-memory.dmp

Filesize
100KB

Download
memory/4572-396-0x00007FF8114D0000-0x00007FF8114DD000-memory.dmp

Filesize
52KB

Download
memory/4572-403-0x00007FF800010000-0x00007FF80002E000-memory.dmp

Filesize
120KB

Download
memory/4572-406-0x00007FFFFED10000-0x00007FFFFED3E000-memory.dmp

Filesize
184KB

Download
memory/4572-410-0x00007FFFFEC50000-0x00007FFFFED06000-memory.dmp

Filesize
728KB

Download
memory/4572-411-0x00007FFFFCA20000-0x00007FFFFCD94000-memory.dmp

Filesize
3.5MB

Download
memory/4572-412-0x000001B6F6560000-0x000001B6F68D4000-memory.dmp

Filesize
3.5MB

Download
memory/4572-423-0x00007FFFFD7E0000-0x00007FFFFD7F4000-memory.dmp

Filesize
80KB

Download
memory/4572-429-0x00007FFFFD7C0000-0x00007FFFFD7D4000-memory.dmp

Filesize
80KB

Download
memory/4572-430-0x00007FFFFC8B0000-0x00007FFFFC8D2000-memory.dmp

Filesize
136KB

Download
memory/4572-428-0x00007FFFFC8E0000-0x00007FFFFC9F8000-memory.dmp

Filesize
1.1MB

Download
memory/4572-427-0x00007FFFFCA00000-0x00007FFFFCA15000-memory.dmp

Filesize
84KB

Download
memory/4572-426-0x00007FF8111C0000-0x00007FF8111D0000-memory.dmp

Filesize
64KB

Download
memory/4572-425-0x00007FFFFCDA0000-0x00007FFFFD205000-memory.dmp

Filesize
4.4MB

Download
memory/4572-391-0x00007FF8076A0000-0x00007FF8076C4000-memory.dmp

Filesize
144KB

Download
memory/4572-438-0x00007FF80E6D0000-0x00007FF80E6E9000-memory.dmp

Filesize
100KB

Download
memory/4572-443-0x00007FFFFC800000-0x00007FFFFC811000-memory.dmp

Filesize
68KB

Download
memory/4572-442-0x00007FFFFC820000-0x00007FFFFC869000-memory.dmp

Filesize
292KB

Download
memory/4572-441-0x00007FFFFC870000-0x00007FFFFC889000-memory.dmp

Filesize
100KB

Download
memory/4572-440-0x00007FFFFC890000-0x00007FFFFC8A7000-memory.dmp

Filesize
92KB

Download
memory/4572-439-0x00007FF8114D0000-0x00007FF8114DD000-memory.dmp

Filesize
52KB

Download
memory/4572-446-0x00007FFFFC7E0000-0x00007FFFFC7FE000-memory.dmp

Filesize
120KB

Download
memory/4572-445-0x00007FF810730000-0x00007FF81073A000-memory.dmp

Filesize
40KB

Download
memory/4572-444-0x00007FF801D00000-0x00007FF801D2C000-memory.dmp

Filesize
176KB

Download
memory/4572-395-0x00007FF80E6D0000-0x00007FF80E6E9000-memory.dmp

Filesize
100KB

Download
memory/4572-449-0x00007FFFFC0E0000-0x00007FFFFC7D2000-memory.dmp

Filesize
6.9MB

Download
memory/4572-447-0x00007FF800010000-0x00007FF80002E000-memory.dmp

Filesize
120KB

Download
memory/4572-450-0x00007FFFFED10000-0x00007FFFFED3E000-memory.dmp

Filesize
184KB

Download
memory/4572-451-0x00007FFFFC0A0000-0x00007FFFFC0D8000-memory.dmp

Filesize
224KB

Download
memory/4572-468-0x00007FFFFEC50000-0x00007FFFFED06000-memory.dmp

Filesize
728KB

Download
memory/4572-469-0x00007FFFFCA20000-0x00007FFFFCD94000-memory.dmp

Filesize
3.5MB

Download
memory/4572-470-0x000001B6F6560000-0x000001B6F68D4000-memory.dmp

Filesize
3.5MB

Download
memory/4572-517-0x00007FFFFD7E0000-0x00007FFFFD7F4000-memory.dmp

Filesize
80KB

Download
memory/4572-518-0x00007FF8162A0000-0x00007FF8162AD000-memory.dmp

Filesize
52KB

Download
memory/4572-392-0x00007FF812310000-0x00007FF81231F000-memory.dmp

Filesize
60KB

Download
memory/4572-363-0x00007FFFFCDA0000-0x00007FFFFD205000-memory.dmp

Filesize
4.4MB

Download
memory/4572-536-0x00007FF8076A0000-0x00007FF8076C4000-memory.dmp

Filesize
144KB

Download
memory/4572-563-0x00007FFFFC8E0000-0x00007FFFFC9F8000-memory.dmp

Filesize
1.1MB

Download
memory/4572-562-0x00007FF8111C0000-0x00007FF8111D0000-memory.dmp

Filesize
64KB

Download
memory/4572-561-0x00007FF8162A0000-0x00007FF8162AD000-memory.dmp

Filesize
52KB

Download
memory/4572-560-0x00007FFFFC0A0000-0x00007FFFFC0D8000-memory.dmp

Filesize
224KB

Download
memory/4572-555-0x00007FFFFC820000-0x00007FFFFC869000-memory.dmp

Filesize
292KB

Download
memory/4572-554-0x00007FFFFC870000-0x00007FFFFC889000-memory.dmp

Filesize
100KB

Download
memory/4572-553-0x00007FFFFC890000-0x00007FFFFC8A7000-memory.dmp

Filesize
92KB

Download
memory/4572-552-0x00007FFFFC8B0000-0x00007FFFFC8D2000-memory.dmp

Filesize
136KB

Download
memory/4572-547-0x00007FFFFD7E0000-0x00007FFFFD7F4000-memory.dmp

Filesize
80KB

Download
memory/4572-543-0x00007FFFFED40000-0x00007FFFFEEAD000-memory.dmp

Filesize
1.4MB

Download
memory/4572-542-0x00007FF800010000-0x00007FF80002E000-memory.dmp

Filesize
120KB

Download
memory/4572-535-0x00007FFFFCDA0000-0x00007FFFFD205000-memory.dmp

Filesize
4.4MB

Download
memory/4572-559-0x00007FFFFC0E0000-0x00007FFFFC7D2000-memory.dmp

Filesize
6.9MB

Download