exelastealer | ed8d19c843f0c321d9ceb1201d78d9ded4f8685705706b620a250e3ea59adeb9

Resubmissions

18-07-2024 05:33

240718-f838xazgnb 10

18-07-2024 05:19

240718-fz76hawgpk 10

Analysis

max time kernel
617s
max time network
622s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
18-07-2024 05:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Electron V3/ElectronV3.exe
Size

37.2MB
MD5

35ff4b8cfa381b8c421d7f4278e5eea2
SHA1

c686165b7dd71d48433e5298be2fec7e6c6b64dd
SHA256

fec6107f08e216d76cf05ee65f1894de778b386b61cb6c459f6c0f6657de2c6f
SHA512

0f31fc013005b38cb0be2cd33780627364e4e70683670bbc0ab3ffd154c229b97dacffc895c503a4c8689f4d627ec5e6b3e69394871349ccd6c64977d11b4e0e
SSDEEP

786432:y9OQxKKj1YqIdryuIjHNOgi5EMkhqN+NhAiJ1piKvIeVrsgv3FdbfitHJblxb:EOQAKjSqMhIjHNm5Dkq4bAodvIeVrhdO

Score

10^/10

exelastealer defense_evasion evasion persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 8 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2712	netsh.exe
2332	netsh.exe
404	netsh.exe
3536	netsh.exe
1148	netsh.exe
2932	netsh.exe
3280	netsh.exe
4440	netsh.exe

Executes dropped EXE 8 IoCs

pid	Process
436	bound.exe
2172	bound.exe
2776	bound.exe
4464	bound.exe
3756	bound.exe
1216	bound.exe
2240	bound.exe
1872	bound.exe

Loads dropped DLL 64 IoCs

pid	Process
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
2172	bound.exe
2172	bound.exe
2172	bound.exe
2172	bound.exe
2172	bound.exe
2172	bound.exe
2172	bound.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000100000002abb8-129.dat	upx
behavioral2/memory/1784-133-0x00007FFE2CEB0000-0x00007FFE2D315000-memory.dmp	upx
behavioral2/files/0x000100000002ab70-135.dat	upx
behavioral2/files/0x000100000002ab91-141.dat	upx
behavioral2/memory/1784-143-0x00007FFE486B0000-0x00007FFE486BF000-memory.dmp	upx
behavioral2/memory/1784-142-0x00007FFE42900000-0x00007FFE42924000-memory.dmp	upx
behavioral2/files/0x000100000002ab6e-144.dat	upx
behavioral2/memory/1784-147-0x00007FFE3F7F0000-0x00007FFE3F809000-memory.dmp	upx
behavioral2/files/0x000100000002ab73-146.dat	upx
behavioral2/files/0x000100000002ab78-166.dat	upx
behavioral2/files/0x000100000002abb6-169.dat	upx
behavioral2/memory/1784-174-0x00007FFE3F780000-0x00007FFE3F799000-memory.dmp	upx
behavioral2/memory/1784-175-0x00007FFE47B10000-0x00007FFE47B1D000-memory.dmp	upx
behavioral2/files/0x000100000002abbc-173.dat	upx
behavioral2/files/0x000100000002ab77-172.dat	upx
behavioral2/memory/1784-171-0x00007FFE3F080000-0x00007FFE3F0B5000-memory.dmp	upx
behavioral2/memory/1784-170-0x00007FFE3F280000-0x00007FFE3F2AC000-memory.dmp	upx
behavioral2/files/0x000100000002ab7a-168.dat	upx
behavioral2/files/0x000100000002ab79-167.dat	upx
behavioral2/files/0x000100000002ab76-164.dat	upx
behavioral2/files/0x000100000002ab75-163.dat	upx
behavioral2/files/0x000100000002ab74-162.dat	upx
behavioral2/files/0x000100000002ab72-161.dat	upx
behavioral2/files/0x000100000002ab71-160.dat	upx
behavioral2/files/0x000100000002ab6f-159.dat	upx
behavioral2/files/0x000100000002ab6d-158.dat	upx
behavioral2/files/0x000100000002abc7-156.dat	upx
behavioral2/files/0x000100000002abc6-155.dat	upx
behavioral2/files/0x000100000002ab92-151.dat	upx
behavioral2/files/0x000300000002aa31-150.dat	upx
behavioral2/files/0x000100000002abbb-176.dat	upx
behavioral2/memory/1784-178-0x00007FFE3E8C0000-0x00007FFE3E8EE000-memory.dmp	upx
behavioral2/files/0x000100000002abba-181.dat	upx
behavioral2/files/0x000100000002abca-183.dat	upx
behavioral2/memory/1784-185-0x00007FFE3E640000-0x00007FFE3E66B000-memory.dmp	upx
behavioral2/memory/1784-184-0x00007FFE3E800000-0x00007FFE3E8BC000-memory.dmp	upx
behavioral2/memory/1784-186-0x00007FFE2CEB0000-0x00007FFE2D315000-memory.dmp	upx
behavioral2/memory/1784-188-0x00007FFE42A20000-0x00007FFE42A2D000-memory.dmp	upx
behavioral2/memory/1784-190-0x00007FFE2CD90000-0x00007FFE2CEA8000-memory.dmp	upx
behavioral2/memory/1784-192-0x00007FFE3E610000-0x00007FFE3E63E000-memory.dmp	upx
behavioral2/memory/1784-196-0x00007FFE2CCD0000-0x00007FFE2CD86000-memory.dmp	upx
behavioral2/memory/1784-197-0x00007FFE2C950000-0x00007FFE2CCC4000-memory.dmp	upx
behavioral2/files/0x000100000002abd3-199.dat	upx
behavioral2/memory/1784-201-0x00007FFE3E440000-0x00007FFE3E4C7000-memory.dmp	upx
behavioral2/memory/1784-203-0x00007FFE3E5F0000-0x00007FFE3E605000-memory.dmp	upx
behavioral2/files/0x000100000002ab81-205.dat	upx
behavioral2/memory/1784-207-0x00007FFE3F780000-0x00007FFE3F799000-memory.dmp	upx
behavioral2/memory/1784-208-0x00007FFE402E0000-0x00007FFE402EB000-memory.dmp	upx
behavioral2/files/0x000100000002ab82-206.dat	upx
behavioral2/memory/1784-210-0x00007FFE3E8C0000-0x00007FFE3E8EE000-memory.dmp	upx
behavioral2/memory/1784-211-0x00007FFE3B3F0000-0x00007FFE3B416000-memory.dmp	upx
behavioral2/files/0x000100000002abb5-214.dat	upx
behavioral2/memory/1784-216-0x00007FFE3F7E0000-0x00007FFE3F7EA000-memory.dmp	upx
behavioral2/memory/1784-217-0x00007FFE3C300000-0x00007FFE3C318000-memory.dmp	upx
behavioral2/memory/1784-220-0x00007FFE2C7E0000-0x00007FFE2C94D000-memory.dmp	upx
behavioral2/memory/1784-219-0x00007FFE3BCA0000-0x00007FFE3BCBE000-memory.dmp	upx
behavioral2/memory/1784-224-0x00007FFE39630000-0x00007FFE39668000-memory.dmp	upx
behavioral2/memory/1784-223-0x00007FFE3BB00000-0x00007FFE3BB1C000-memory.dmp	upx
behavioral2/memory/1784-222-0x00007FFE3F210000-0x00007FFE3F21B000-memory.dmp	upx
behavioral2/memory/1784-221-0x00007FFE2CD90000-0x00007FFE2CEA8000-memory.dmp	upx
behavioral2/memory/1784-225-0x00007FFE3E610000-0x00007FFE3E63E000-memory.dmp	upx
behavioral2/memory/1784-228-0x00007FFE3C470000-0x00007FFE3C47C000-memory.dmp	upx
behavioral2/memory/1784-229-0x00007FFE2CCD0000-0x00007FFE2CD86000-memory.dmp	upx
behavioral2/memory/1784-234-0x00007FFE3E440000-0x00007FFE3E4C7000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 22 IoCs

Web Service

T1102

flow	ioc
73	discord.com
213	discord.com
214	discord.com
53	discord.com
37	discord.com
54	discord.com
70	discord.com
71	discord.com
74	discord.com
210	discord.com
211	discord.com
1	discord.com
39	discord.com
51	discord.com
36	discord.com
38	discord.com
50	discord.com
52	discord.com
72	discord.com
209	discord.com
212	discord.com
35	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com
206	ip-api.com

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2676	cmd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
420	sc.exe
1500	sc.exe
4988	sc.exe
412	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 36 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Winword.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Winword.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Winword.exe

Collects information from the system 1 TTPs 4 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
2260	WMIC.exe
1640	WMIC.exe
976	WMIC.exe
5012	WMIC.exe

Detects videocard installed 1 TTPs 5 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1904	WMIC.exe
244	WMIC.exe
1368	WMIC.exe
5044	WMIC.exe
2324	WMIC.exe

Enumerates processes with tasklist 1 TTPs 20 IoCs

Process Discovery

T1057

pid	Process
2240	tasklist.exe
2144	tasklist.exe
2892	tasklist.exe
1908	tasklist.exe
3628	tasklist.exe
2784	tasklist.exe
4508	tasklist.exe
3128	tasklist.exe
2764	tasklist.exe
1344	tasklist.exe
2432	tasklist.exe
2948	tasklist.exe
3028	tasklist.exe
1952	tasklist.exe
1396	tasklist.exe
2532	tasklist.exe
3572	tasklist.exe
1620	tasklist.exe
3156	tasklist.exe
1984	tasklist.exe

Enumerates system info in registry 2 TTPs 15 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Winword.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Winword.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Winword.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Winword.exe

Gathers network information 2 TTPs 8 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3768	ipconfig.exe
1456	NETSTAT.EXE
2584	ipconfig.exe
2676	NETSTAT.EXE
332	ipconfig.exe
4248	NETSTAT.EXE
3768	ipconfig.exe
1216	NETSTAT.EXE

Gathers system information 1 TTPs 4 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
784	systeminfo.exe
4220	systeminfo.exe
4388	systeminfo.exe
4876	systeminfo.exe

Kills process with taskkill 16 IoCs

evasion

pid	Process
4224	taskkill.exe
4200	taskkill.exe
880	taskkill.exe
124	taskkill.exe
4136	taskkill.exe
2332	taskkill.exe
5068	taskkill.exe
720	taskkill.exe
1740	taskkill.exe
4124	taskkill.exe
4908	taskkill.exe
3088	taskkill.exe
2876	taskkill.exe
2820	taskkill.exe
784	taskkill.exe
2728	taskkill.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133657539863502571"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3666881604-935092360-1617577973-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3666881604-935092360-1617577973-1000\{A219EFDC-3FD2-4C73-B81B-994FE2B83503}	chrome.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2592	NOTEPAD.EXE

Runs net.exe

Suspicious behavior: AddClipboardFormatListener 6 IoCs

pid	Process
112	Winword.exe
112	Winword.exe
4616	Winword.exe
4616	Winword.exe
4572	Winword.exe
4572	Winword.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
1784	ElectronV3.exe
2544	powershell.exe
2544	powershell.exe
2544	powershell.exe
2544	powershell.exe
2056	chrome.exe
2056	chrome.exe
1304	powershell.exe
1304	powershell.exe
4156	chrome.exe
4156	chrome.exe
1728	powershell.exe
1728	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
1892	OpenWith.exe
3384	OpenWith.exe
216	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1784	ElectronV3.exe
Token: SeIncreaseQuotaPrivilege	1072	WMIC.exe
Token: SeSecurityPrivilege	1072	WMIC.exe
Token: SeTakeOwnershipPrivilege	1072	WMIC.exe
Token: SeLoadDriverPrivilege	1072	WMIC.exe
Token: SeSystemProfilePrivilege	1072	WMIC.exe
Token: SeSystemtimePrivilege	1072	WMIC.exe
Token: SeProfSingleProcessPrivilege	1072	WMIC.exe
Token: SeIncBasePriorityPrivilege	1072	WMIC.exe
Token: SeCreatePagefilePrivilege	1072	WMIC.exe
Token: SeBackupPrivilege	1072	WMIC.exe
Token: SeRestorePrivilege	1072	WMIC.exe
Token: SeShutdownPrivilege	1072	WMIC.exe
Token: SeDebugPrivilege	1072	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1072	WMIC.exe
Token: SeRemoteShutdownPrivilege	1072	WMIC.exe
Token: SeUndockPrivilege	1072	WMIC.exe
Token: SeManageVolumePrivilege	1072	WMIC.exe
Token: 33	1072	WMIC.exe
Token: 34	1072	WMIC.exe
Token: 35	1072	WMIC.exe
Token: 36	1072	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1072	WMIC.exe
Token: SeSecurityPrivilege	1072	WMIC.exe
Token: SeTakeOwnershipPrivilege	1072	WMIC.exe
Token: SeLoadDriverPrivilege	1072	WMIC.exe
Token: SeSystemProfilePrivilege	1072	WMIC.exe
Token: SeSystemtimePrivilege	1072	WMIC.exe
Token: SeProfSingleProcessPrivilege	1072	WMIC.exe
Token: SeIncBasePriorityPrivilege	1072	WMIC.exe
Token: SeCreatePagefilePrivilege	1072	WMIC.exe
Token: SeBackupPrivilege	1072	WMIC.exe
Token: SeRestorePrivilege	1072	WMIC.exe
Token: SeShutdownPrivilege	1072	WMIC.exe
Token: SeDebugPrivilege	1072	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1072	WMIC.exe
Token: SeRemoteShutdownPrivilege	1072	WMIC.exe
Token: SeUndockPrivilege	1072	WMIC.exe
Token: SeManageVolumePrivilege	1072	WMIC.exe
Token: 33	1072	WMIC.exe
Token: 34	1072	WMIC.exe
Token: 35	1072	WMIC.exe
Token: 36	1072	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2832	WMIC.exe
Token: SeSecurityPrivilege	2832	WMIC.exe
Token: SeTakeOwnershipPrivilege	2832	WMIC.exe
Token: SeLoadDriverPrivilege	2832	WMIC.exe
Token: SeSystemProfilePrivilege	2832	WMIC.exe
Token: SeSystemtimePrivilege	2832	WMIC.exe
Token: SeProfSingleProcessPrivilege	2832	WMIC.exe
Token: SeIncBasePriorityPrivilege	2832	WMIC.exe
Token: SeCreatePagefilePrivilege	2832	WMIC.exe
Token: SeBackupPrivilege	2832	WMIC.exe
Token: SeRestorePrivilege	2832	WMIC.exe
Token: SeShutdownPrivilege	2832	WMIC.exe
Token: SeDebugPrivilege	2832	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2832	WMIC.exe
Token: SeRemoteShutdownPrivilege	2832	WMIC.exe
Token: SeUndockPrivilege	2832	WMIC.exe
Token: SeManageVolumePrivilege	2832	WMIC.exe
Token: 33	2832	WMIC.exe
Token: 34	2832	WMIC.exe
Token: 35	2832	WMIC.exe
Token: 36	2832	WMIC.exe

Suspicious use of FindShellTrayWindow 52 IoCs

pid	Process
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
2056	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe
4156	chrome.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
3108	OpenWith.exe
2804	OpenWith.exe
236	OpenWith.exe
3840	OpenWith.exe
1892	OpenWith.exe
1892	OpenWith.exe
1892	OpenWith.exe
1892	OpenWith.exe
1892	OpenWith.exe
1892	OpenWith.exe
1892	OpenWith.exe
1892	OpenWith.exe
1892	OpenWith.exe
1892	OpenWith.exe
1892	OpenWith.exe
1892	OpenWith.exe
1892	OpenWith.exe
1892	OpenWith.exe
1892	OpenWith.exe
1892	OpenWith.exe
1892	OpenWith.exe
1892	OpenWith.exe
1892	OpenWith.exe
1892	OpenWith.exe
1892	OpenWith.exe
112	Winword.exe
112	Winword.exe
112	Winword.exe
112	Winword.exe
112	Winword.exe
112	Winword.exe
112	Winword.exe
112	Winword.exe
112	Winword.exe
112	Winword.exe
112	Winword.exe
3384	OpenWith.exe
3384	OpenWith.exe
3384	OpenWith.exe
3384	OpenWith.exe
3384	OpenWith.exe
3384	OpenWith.exe
3384	OpenWith.exe
3384	OpenWith.exe
3384	OpenWith.exe
3384	OpenWith.exe
3384	OpenWith.exe
4616	Winword.exe
4616	Winword.exe
4616	Winword.exe
4616	Winword.exe
4616	Winword.exe
4616	Winword.exe
4616	Winword.exe
216	OpenWith.exe
216	OpenWith.exe
216	OpenWith.exe
216	OpenWith.exe
216	OpenWith.exe
216	OpenWith.exe
216	OpenWith.exe
216	OpenWith.exe
216	OpenWith.exe
216	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 1784	1520	ElectronV3.exe	82
PID 1520 wrote to memory of 1784	1520	ElectronV3.exe	82
PID 1784 wrote to memory of 556	1784	ElectronV3.exe	83
PID 1784 wrote to memory of 556	1784	ElectronV3.exe	83
PID 1784 wrote to memory of 1096	1784	ElectronV3.exe	85
PID 1784 wrote to memory of 1096	1784	ElectronV3.exe	85
PID 1784 wrote to memory of 5052	1784	ElectronV3.exe	86
PID 1784 wrote to memory of 5052	1784	ElectronV3.exe	86
PID 1784 wrote to memory of 772	1784	ElectronV3.exe	88
PID 1784 wrote to memory of 772	1784	ElectronV3.exe	88
PID 772 wrote to memory of 1072	772	cmd.exe	90
PID 772 wrote to memory of 1072	772	cmd.exe	90
PID 1784 wrote to memory of 1644	1784	ElectronV3.exe	92
PID 1784 wrote to memory of 1644	1784	ElectronV3.exe	92
PID 1644 wrote to memory of 5044	1644	cmd.exe	94
PID 1644 wrote to memory of 5044	1644	cmd.exe	94
PID 436 wrote to memory of 2172	436	bound.exe	110
PID 436 wrote to memory of 2172	436	bound.exe	110
PID 2172 wrote to memory of 4380	2172	bound.exe	111
PID 2172 wrote to memory of 4380	2172	bound.exe	111
PID 2172 wrote to memory of 3468	2172	bound.exe	113
PID 2172 wrote to memory of 3468	2172	bound.exe	113
PID 2172 wrote to memory of 1148	2172	bound.exe	114
PID 2172 wrote to memory of 1148	2172	bound.exe	114
PID 2172 wrote to memory of 3960	2172	bound.exe	117
PID 2172 wrote to memory of 3960	2172	bound.exe	117
PID 2172 wrote to memory of 1684	2172	bound.exe	118
PID 2172 wrote to memory of 1684	2172	bound.exe	118
PID 1148 wrote to memory of 2832	1148	cmd.exe	121
PID 1148 wrote to memory of 2832	1148	cmd.exe	121
PID 3468 wrote to memory of 2324	3468	cmd.exe	122
PID 3468 wrote to memory of 2324	3468	cmd.exe	122
PID 1684 wrote to memory of 2764	1684	cmd.exe	123
PID 1684 wrote to memory of 2764	1684	cmd.exe	123
PID 2172 wrote to memory of 4356	2172	bound.exe	125
PID 2172 wrote to memory of 4356	2172	bound.exe	125
PID 4356 wrote to memory of 420	4356	cmd.exe	127
PID 4356 wrote to memory of 420	4356	cmd.exe	127
PID 2172 wrote to memory of 3052	2172	bound.exe	128
PID 2172 wrote to memory of 3052	2172	bound.exe	128
PID 2172 wrote to memory of 2624	2172	bound.exe	129
PID 2172 wrote to memory of 2624	2172	bound.exe	129
PID 2624 wrote to memory of 1344	2624	cmd.exe	132
PID 2624 wrote to memory of 1344	2624	cmd.exe	132
PID 3052 wrote to memory of 2180	3052	cmd.exe	133
PID 3052 wrote to memory of 2180	3052	cmd.exe	133
PID 2172 wrote to memory of 2676	2172	bound.exe	134
PID 2172 wrote to memory of 2676	2172	bound.exe	134
PID 2676 wrote to memory of 4440	2676	cmd.exe	136
PID 2676 wrote to memory of 4440	2676	cmd.exe	136
PID 2172 wrote to memory of 4156	2172	bound.exe	137
PID 2172 wrote to memory of 4156	2172	bound.exe	137
PID 4156 wrote to memory of 2240	4156	cmd.exe	139
PID 4156 wrote to memory of 2240	4156	cmd.exe	139
PID 2172 wrote to memory of 4656	2172	bound.exe	140
PID 2172 wrote to memory of 4656	2172	bound.exe	140
PID 2172 wrote to memory of 1884	2172	bound.exe	141
PID 2172 wrote to memory of 1884	2172	bound.exe	141
PID 2172 wrote to memory of 880	2172	bound.exe	143
PID 2172 wrote to memory of 880	2172	bound.exe	143
PID 2172 wrote to memory of 3816	2172	bound.exe	145
PID 2172 wrote to memory of 3816	2172	bound.exe	145
PID 4656 wrote to memory of 4804	4656	cmd.exe	148
PID 4656 wrote to memory of 4804	4656	cmd.exe	148

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4440	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Electron V3\ElectronV3.exe
"C:\Users\Admin\AppData\Local\Temp\Electron V3\ElectronV3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Local\Temp\Electron V3\ElectronV3.exe
  "C:\Users\Admin\AppData\Local\Temp\Electron V3\ElectronV3.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    PID:1096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    PID:5052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:772
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5044

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4932

C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:436
- C:\Users\Admin\AppData\Local\Temp\bound.exe
  "C:\Users\Admin\AppData\Local\Temp\bound.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:4380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3468
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2832
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:3960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4356
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      PID:420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:1344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Views/modifies file attributes
      PID:4440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4156
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2240
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4656
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:4804
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:1884
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:3284
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:1332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:880
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    PID:3816
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    PID:2576
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4876
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:2136
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      PID:2260
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:4028
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:132
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:2156
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:2012
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:5108
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:3140
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:964
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:3408
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:4464
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:1860
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:1032
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:4424
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:2020
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:2432
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:3768
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:1684
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      PID:4428
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      Gathers network information
      PID:1216
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:420
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1148
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    PID:2520
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:4576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2180
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5084
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2516

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3108

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2804

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:236

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt
1⤵
PID:1944

C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
1⤵
- Executes dropped EXE
PID:2776
- C:\Users\Admin\AppData\Local\Temp\bound.exe
  "C:\Users\Admin\AppData\Local\Temp\bound.exe"
  2⤵
  - Executes dropped EXE
  PID:4464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:1512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2332
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    PID:1500
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      PID:1996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:2764
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:276
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:1620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    PID:3280
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      PID:1708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1200
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:2516
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:3028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:4896
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:4180
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:1340
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:4220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:4572
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:4796
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:2344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5000
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    PID:4564
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    PID:2320
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:784
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:5108
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      PID:1640
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:1520
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:4424
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:228
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:1512
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:2904
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:940
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:1096
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:2104
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:3564
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:4136
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:1880
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:2968
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:5056
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:2892
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:3768
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:4956
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      PID:1712
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      Gathers network information
      PID:1456
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:1500
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3280
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    PID:1212
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:3632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2564
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3660
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3456

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\dd_setup.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:2592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffe3906cc40,0x7ffe3906cc4c,0x7ffe3906cc58
  2⤵
  PID:3384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1944,i,6381643972049899870,17575485714986261816,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:2564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1720,i,6381643972049899870,17575485714986261816,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2052 /prefetch:3
  2⤵
  PID:3204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2176,i,6381643972049899870,17575485714986261816,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=2188 /prefetch:8
  2⤵
  PID:3592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3096,i,6381643972049899870,17575485714986261816,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3104 /prefetch:1
  2⤵
  PID:3504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,6381643972049899870,17575485714986261816,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:2540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3768,i,6381643972049899870,17575485714986261816,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4356 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4716,i,6381643972049899870,17575485714986261816,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4768 /prefetch:8
  2⤵
  PID:2064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4872,i,6381643972049899870,17575485714986261816,262144 --variations-seed-version=20240709-050124.519000 --mojo-platform-channel-handle=4880 /prefetch:8
  2⤵
  PID:4140

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:436

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3664

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:3732

C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
1⤵
- Executes dropped EXE
PID:3756
- C:\Users\Admin\AppData\Local\Temp\bound.exe
  "C:\Users\Admin\AppData\Local\Temp\bound.exe"
  2⤵
  - Executes dropped EXE
  PID:1216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:3564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:1344
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    PID:2864
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      PID:1456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:1880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:1996
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:1952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    PID:5044
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      PID:3728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3176
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:876
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:3628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:4228
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2056"
    3⤵
    PID:4464
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2056
      4⤵
      Kills process with taskkill
      PID:4224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3384"
    3⤵
    PID:5108
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3384
      4⤵
      Kills process with taskkill
      PID:4200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2564"
    3⤵
    PID:4316
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2564
      4⤵
      Kills process with taskkill
      PID:4136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3204"
    3⤵
    PID:3052
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3204
      4⤵
      Kills process with taskkill
      PID:2820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3592"
    3⤵
    PID:124
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3592
      4⤵
      Kills process with taskkill
      PID:2332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3504"
    3⤵
    PID:2748
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3504
      4⤵
      Kills process with taskkill
      PID:3088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2540"
    3⤵
    PID:3116
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2540
      4⤵
      Kills process with taskkill
      PID:5068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3444"
    3⤵
    PID:4644
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3444
      4⤵
      Kills process with taskkill
      PID:880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:944
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:4680
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:2804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:1252
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:2176
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:2572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4028
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    PID:2012
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1304
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    PID:3340
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4220
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:2592
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      PID:976
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:3572
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:1244
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:1448
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:3776
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:660
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:3932
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:4212
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:1340
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:2324
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:8
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:1032
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:940
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:3564
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:1396
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:2584
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:236
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      PID:3840
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      Gathers network information
      PID:2676
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:4988
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2712
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    PID:4272
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:3872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1936
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5068
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1212

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3840

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1892
- C:\Program Files\Microsoft Office\root\Office16\Winword.exe
  "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\AppData\Local\Temp\Cookies.db"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe250dcc40,0x7ffe250dcc4c,0x7ffe250dcc58
  2⤵
  PID:4876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1864,i,12690921743168817365,5922416104800005920,262144 --variations-seed-version=20240717-180138.221000 --mojo-platform-channel-handle=1856 /prefetch:2
  2⤵
  PID:3120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1980,i,12690921743168817365,5922416104800005920,262144 --variations-seed-version=20240717-180138.221000 --mojo-platform-channel-handle=2084 /prefetch:3
  2⤵
  PID:412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,12690921743168817365,5922416104800005920,262144 --variations-seed-version=20240717-180138.221000 --mojo-platform-channel-handle=2244 /prefetch:8
  2⤵
  PID:1696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,12690921743168817365,5922416104800005920,262144 --variations-seed-version=20240717-180138.221000 --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:3224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3120,i,12690921743168817365,5922416104800005920,262144 --variations-seed-version=20240717-180138.221000 --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:8
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3576,i,12690921743168817365,5922416104800005920,262144 --variations-seed-version=20240717-180138.221000 --mojo-platform-channel-handle=3548 /prefetch:1
  2⤵
  PID:3840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4768,i,12690921743168817365,5922416104800005920,262144 --variations-seed-version=20240717-180138.221000 --mojo-platform-channel-handle=4800 /prefetch:8
  2⤵
  PID:2608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4632,i,12690921743168817365,5922416104800005920,262144 --variations-seed-version=20240717-180138.221000 --mojo-platform-channel-handle=3588 /prefetch:8
  2⤵
  PID:104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5060,i,12690921743168817365,5922416104800005920,262144 --variations-seed-version=20240717-180138.221000 --mojo-platform-channel-handle=5052 /prefetch:1
  2⤵
  PID:476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5108,i,12690921743168817365,5922416104800005920,262144 --variations-seed-version=20240717-180138.221000 --mojo-platform-channel-handle=4660 /prefetch:1
  2⤵
  PID:1212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3300,i,12690921743168817365,5922416104800005920,262144 --variations-seed-version=20240717-180138.221000 --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  PID:1852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4808,i,12690921743168817365,5922416104800005920,262144 --variations-seed-version=20240717-180138.221000 --mojo-platform-channel-handle=5180 /prefetch:8
  2⤵
  - Modifies registry class
  PID:4124

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:1856

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2008

C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
1⤵
- Executes dropped EXE
PID:2240
- C:\Users\Admin\AppData\Local\Temp\bound.exe
  "C:\Users\Admin\AppData\Local\Temp\bound.exe"
  2⤵
  - Executes dropped EXE
  PID:1872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:4440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4432
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    PID:1264
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      PID:1508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:3632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:2980
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:1908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    PID:784
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      PID:2424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5008
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:1184
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:4508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:3808
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:1984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4156"
    3⤵
    PID:2164
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4156
      4⤵
      Kills process with taskkill
      PID:720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4876"
    3⤵
    PID:4644
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4876
      4⤵
      Kills process with taskkill
      PID:1740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3120"
    3⤵
    PID:2920
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3120
      4⤵
      Kills process with taskkill
      PID:2876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 412"
    3⤵
    PID:856
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 412
      4⤵
      Kills process with taskkill
      PID:4124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1696"
    3⤵
    PID:1328
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1696
      4⤵
      Kills process with taskkill
      PID:4908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3840"
    3⤵
    PID:2712
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3840
      4⤵
      Kills process with taskkill
      PID:784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1212"
    3⤵
    PID:5032
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1212
      4⤵
      Kills process with taskkill
      PID:2728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1852"
    3⤵
    PID:964
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1852
      4⤵
      Kills process with taskkill
      PID:124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:3512
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:3028
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:4428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:1032
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:2568
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:3556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4120
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    PID:1028
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    PID:3052
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:2932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    PID:960
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4388
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:2104
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      PID:5012
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:2928
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:4812
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:1360
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:3656
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:3232
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:388
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:3948
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:2760
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:3872
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:4692
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:4592
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:5000
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:1748
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:3128
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:332
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:3096
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      PID:2236
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      Gathers network information
      PID:4248
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:412
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:404
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2624
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5032
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5008
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4148

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3384
- C:\Program Files\Microsoft Office\root\Office16\Winword.exe
  "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\AppData\Local\Temp\Cookies.db"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:4616

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:216
- C:\Program Files\Microsoft Office\root\Office16\Winword.exe
  "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\AppData\Local\Temp\Cookies.db"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  PID:4572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
49528be1898f10250c6dbec700f95a9c

SHA1
7bb8af5ca075aee038c0c458934d6fe6ec9bc106

SHA256
8315119af5407603f19f1dc1ae1ae8b25b5ac9735520f7511460c26e4a796efc

SHA512
298f25ccebf640afbbe3bef170ee287d7977470989b013c9e625d3660810fb50d83a237b1b891834bae011ad4b08b7d3ba5eb3bc9a3cf5fb931334baee6da383

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
8ca32a0628b1dcc2e7d09fc2b91ad98c

SHA1
47afd3461b1d9dd04fedb5dc1fe1d82d3726fb8a

SHA256
54a0c83dd02f771e57be2a90eb5bae552ee29c1e50952e0f5d44fe2caebb22a7

SHA512
c408acd43b056ca501be720a3a5c2b992f489135189c2810ec7f7c1c52f006fa16a38a925f8dcfc6d48fc2fb18a31e1a0d16030ff98509fdeedebbe43eeb3c5f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
086c523c0d9a7d91e9cb10064d21a059

SHA1
8aaf33ffc3ccc5081bbf7cf2b097a02ead78b2b0

SHA256
8e0d2ba12da2e96d23e3adcb61bc25bec2676c36ccfb807df6d3c4d7feaf3d29

SHA512
f69ee205257887e59ce46172bc0370b7ad1af23b8121520f97346444962a0899dd2e7637917630b05f64a181664cbfcd66c6f89eada7f101e272c78115adb4da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\5b55df1d-1aed-4043-a98f-1ccb8e2f19f8.tmp

Filesize
3KB

MD5
ed407426f7e7b06b1554287d322f78bc

SHA1
e66ca049cc80136f7389964f31de28e08c3bccdc

SHA256
92f868eb16320d6fd13c1971ce46dcda7174305cabaf19b1bdc4d620cee2a5f6

SHA512
59efea5fe76eeb7ad9679e916fa4fde7c3d02ce5c2979c666a039c98ed3a8bef1a87a6c401f9fe97b5e94bb167aca8031d2ce2d240cc3b70355e0ca7c958088f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
8ecc0688a9c4ea981163c1b70c0fc7ab

SHA1
6fb66bc3ce669edc36445df1bebccd413de10757

SHA256
5e81d61ce7fc6670b6134fe5e3fa78b4ca542101c0fc33449d80c3c6d345dccf

SHA512
f55d24f99e60c3060aa65ba6dc868b2ba780ae60cfc53958bf29508aa364c7248b8f5c35e6696cc949aa0f40d52390bbcb01440f06f7520a195d060499504694

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
8d8e3958e8b7f360ae263cb4130fe19b

SHA1
cb3ea6c88ee30eefa530662ef7daf7e53726b5bb

SHA256
64fb2fc2af47bab3fe5f34068f5a82e6f3e6ea4de74e8109980b33f94681b80a

SHA512
50fc39bce04e324ca09f8c9651bf0a9b33ec1b9184cf8b06326ff58fecf0be9df1645e8f3d4af6e03da881c7e3ad6526a559258e1857afc407b3e9c531376533

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
7d15ef2b83af22b98988e65f12f2ddd6

SHA1
8c60b7e832a118df10975ce04469959406f8de8d

SHA256
b67f0b0c822d93ec49a466e94ed605b5a576aa64ed8d49f55f6f3d46126a8efb

SHA512
0b0d3ed468ece1659e2037f68b784aa49326fc8d2328f192605e2772ffda3b06af8cf53568c4c38cfcf02eac0b0f7f6ea9639e08808dc2163fa1a610361ae9a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
bae93a0a398b082bd3242eb372ae8261

SHA1
eff86f803bab0e5940429bf65966553575e5f892

SHA256
1595d957a5bb9c5b4f3bc3bca55808aeecf794507eda5bd2640a5ec8b85b0eec

SHA512
cc0413ab736a0ad288d63081424aa3a542857a65193e6e554d5b8d46b4034cf77ea12333c01cee5c70859fac23ea48859e2b41b780da93bce5e8be5955c91536

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
f2df4f717c218753bc611abb7cd0c8ce

SHA1
9b8ebc620408656fd71e3ba8668522b00df52061

SHA256
ecba8fcb779d8c94a3034398fe08d0bff3060b99e049f1537af782f65f67ce0f

SHA512
9c841bd0d0911c1c1cb0a03a8c1daeabd920a0cf9e44e3ec341754117716a66e654bd99b2b0188877de09b5c7ba2cc8f077622664654130b41d4dabb8d7b4aea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
6fdf0e31ae4a80f852feb070d42d57bf

SHA1
65e769d7ac6753a2b23fe3f780a73e2e48f4b286

SHA256
880f5f35f5c9efe59e50f4e2ab12f957f10d92abb169165a33a9a08ee9d5eedd

SHA512
c08b4d55cec3100f13bd2059494996cda69033a3857a10355aeb97336ee3b62a4ab01c9ef04adcf2625e3127de3e2619d30ff9e7d02219eaf8f35034e74f62ad

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
1952fa94155d041160d07cba2da1d21c

SHA1
5e0f78426df97108090e478d7fb2c722e7ca2e23

SHA256
d69d3dcb63b98a24b9642d3f792152308601018c52722e0cbf9b64a9616bcb95

SHA512
df649254649c4bb8f1b634fcc69e2c1c9a987fb046f432c04d1960bca2990ccd18bef5d2bbdaba7efd4d925f59086dea88765841df49aa71c7a65896763c363a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
e8058d7d03d7e8e1fc8671bc6087b87a

SHA1
8b78363a6e859ae5ce3cbed41b94316a00ba5f26

SHA256
66b14b7e4a5713f08acd488eedf7a14b88253bd3fd53177be05b7adc805cb6c1

SHA512
595fc3fc61b9e14790b6ae3c13564c1d992afd41656c0e34d18dca3c0b24ec81edf41d9912ab880d294ad0cf1616f287cc2f0254bb1ba7ce60407fdf5eaa7037

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
ecf4032bc8a4b7e4f9e79dfdf3aa9094

SHA1
4ad0ab00a39fc51a02667831f8f1a1435fa1dbcb

SHA256
71be9e94b79a997831282a664b71cefc37d32974e240a07a3a2ca1dd1e8849ac

SHA512
24fa14220c2708acb6612e606c537fd7b04412d4544f5a944e3175816f234b377ecf18f9eff8f145b00220360a8da5fa12e9a6607cfd015de30dda4414684d39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
cc99d78eaccd070a84b9a394211c51a9

SHA1
5ccbe9ce39fe6937d702c2a33b31947f9a909ce3

SHA256
84458a6aed8640040be372fdb32f84d6c5de1b3c77253cb143709c26ae41a8b2

SHA512
158c9f002ca36dd10afbac919f0dc225736395c5e1aeea411b8512d273cc7307f3c6464d19e743ef836104292d82b197d2913aede918614331c854740a04d83a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
31af6cd403992ce2a2dd6322489bf6de

SHA1
052fe31fd5858ae1976439e69fdc170824c0755b

SHA256
cfcde0a24640bbc9ed3430b74e280f58acd7e101429aa110f73b6aec5b160844

SHA512
cc0fee28403d6cf4f9f6041cd299223bf02bcbbf8f1c0f5396e8fd24f85d81955d7fb2b2e26fc493d7eca4874e5fdeed599648cedd7c7cfcc7970f908c078c31

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
90f20f139a6ff88ce4c1638ef4222306

SHA1
bae16d49f4611ca34a80c6c13780561b228bc3a2

SHA256
95c24491e6ddce85f052473125ba8cf0a62d5b35838ba9a4f39189f3de214502

SHA512
901e7e795560591b41146d98ed58167c6962c2a39aa32e935f9f3ec8cd516383450879b5f7c671237d0a5bd444f99676d8673c883a6755b9ef869192730fe6c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3fcfc2c051360346e7aac71bda4d2b71

SHA1
61b90c89f3424657d0403ca6128eb22faaf111f1

SHA256
b8d7448540ea18d0b3892dc1d31fe02a1d0abb72f23af31f42f34c5d623defc7

SHA512
bb5f45d88b4d4aaa678cbfbd7b9657db35060c7444ac23e914ca2ac5fe8c57d7a7a544522ec87b3aeedf3f4a98b9e197dd1f23617d3876d75329e46c94d4399b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
ba7a8a7490e768352911b30d8701ae36

SHA1
4405d38e8ef8049fb1ef5962dc4f9ccf3784abbc

SHA256
cb5ab5205294b76235e0f9637739785702904088342eb1a32c1e57290ef33f61

SHA512
6ccefe357fa6794c8af5e94a6084d137f7c8a0f9723e8e0cab0af822193e7066809d3ce99361660bbceab78a4797b5a7c741eb2c7db60f7a17ca06bbdaf5f081

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2a48bc3dc3aad8cec277a3d04998a928

SHA1
b24d695da687c7fc231b198bcc22fb8f41e204fe

SHA256
59abad82175a8762133afd8b1d008315dc4960793567e32ca3b50a4fb7aa0696

SHA512
dd9637a7efc5014e5ccd4da850b9478949982e205bf1546ac04d8eb46357ac2aa04191848b70925eae76c20e3c3e3510449cc66c7765d7d3ea29fe7e4b124f86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
046f2df122d77467e6812ab81133d08d

SHA1
839d44915bb273c1bd9f212ce6658c941413f384

SHA256
369e2ec30fc83312476a89e8e2b1265562a65c5159785b50312b5d46608af938

SHA512
924fda64228186df25e484353be3d02dadfd4baea946d9a236b4df4c341f0475c4eabb46671cab0bee5cc255214f009b693f70a5d1b0bc5e379b5e7ec697c014

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
7f8ff4ef00e72ea0f9c013bdea313044

SHA1
c773ccea57d9e24d2f0766e55e14ca16e00038c4

SHA256
93a903d37e3e96c9d04b43fca7f2e74e7bc84c7ab987b0268d5c90c7fa9de598

SHA512
2e37d341d77823e1999cb7db442745852fcfef904c54e4994135d51eae2683b73409a4952e38b5ff8056c07dadabab74e59e1412c40f6ed1e660bb3c6c822848

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
96KB

MD5
96ea1da2ab303cd6c0385efed636355a

SHA1
b677849574f3e6ec5571badc92fe8196474cd513

SHA256
86e0588da4a070975ed7e3b279f86af9d39f9ac8c3a3972deff010056aa0e705

SHA512
7aebd239bfb77ceba2c51ea277ee091ee9cdf13d5ab6932907eef5a6b7aadf9688e78440733a1d10d0c918cf9b26dbd5d9d04dd1c58fe49dd2d0f56bc1321f27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
96KB

MD5
eb117771bcda03ee49526a7cbd9cdbcc

SHA1
22d41124006151565b5833036a05eb574c4b4ec2

SHA256
1c71f9d9fbff8b277eb338e539bf99113ea14006310bd20e2f532707649cfaa8

SHA512
3d1c409827c36a93f55f8a29b8f3ebc890de18ec676404713158c6ea1c958796548063d5bc156c03558ee87a4dff27f3af4e51e2038757e11c3d08cf2743ed84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
185KB

MD5
ee8734de5cfa7b71ece6fce702ad7468

SHA1
b6d2df82e69c8490f03563ed71ec22661412783c

SHA256
432b8b8a523c4311aa7b9b0371ac54a09c575275b43397e89c0ec36d6b0ae181

SHA512
68ae2f7d53e931b9efc2a432de7b5b82a233dfc6793b7f2c45a89025299d6a27002afab2cfd483dd8cac499b0b7a0852375ef000a2b6938410b4ee6b8fce2ec2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyEventActivityStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cookies.db

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\HistoryData.db

Filesize
116KB

MD5
4e2922249bf476fb3067795f2fa5e794

SHA1
d2db6b2759d9e650ae031eb62247d457ccaa57d2

SHA256
c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1

SHA512
8e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\HistoryData.db

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logins.db

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\Logins.db

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD884D.tmp\gb.xsl

Filesize
262KB

MD5
51d32ee5bc7ab811041f799652d26e04

SHA1
412193006aa3ef19e0a57e16acf86b830993024a

SHA256
6230814bf5b2d554397580613e20681752240ab87fd354ececf188c1eabe0e97

SHA512
5fc5d889b0c8e5ef464b76f0c4c9e61bda59b2d1205ac9417cc74d6e9f989fb73d78b4eb3044a1a1e1f2c00ce1ca1bd6d4d07eeadc4108c7b124867711c31810

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
114KB

MD5
a3f8eec86b467589a5a34305cc0b927a

SHA1
2cf6198230efc6ad7fc23c6fc1dc6b2fa608f231

SHA256
9625153846ba9e74e8d95216a0f967295fcf3fe53561739acaac12c95d28bc47

SHA512
9c407b3a5ce111cbd05ace9038dfa090d3f8a55a8874d5f9a61fc51168b62dc0280ee1848c1cca27cef63e3414d40db4ca017048d3437da96fb3c75ed3773fdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\VCRUNTIME140.dll

Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\VCRUNTIME140_1.dll

Filesize
36KB

MD5
7667b0883de4667ec87c3b75bed84d84

SHA1
e6f6df83e813ed8252614a46a5892c4856df1f58

SHA256
04e7ccbdcad7cbaf0ed28692fb08eab832c38aad9071749037ee7a58f45e9d7d

SHA512
968cbaafe416a9e398c5bfd8c5825fa813462ae207d17072c035f916742517edc42349a72ab6795199d34ccece259d5f2f63587cfaeb0026c0667632b05c5c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\_asyncio.pyd

Filesize
31KB

MD5
56c8976ee1d4a06037e06f43bf0a4365

SHA1
7efae0428f10ad3280114b532020e69c7ff4da2d

SHA256
389b4b7d0e81a497270e6443ac1f33059b0532bac92488ddb93b73bd70da3202

SHA512
f1b9f484d1abd309106ca931e93609942c82cb02b6217baa002aa64e2870995825e630773e9ca0f6e6783126cf5066d3a4a8b59863adb7b8cd7c566bfc1d0826

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\_bz2.pyd

Filesize
43KB

MD5
464825c2e6a84345d103a81930415b58

SHA1
bb62771f9436f8f74fc3ca89c6a1c7bf87b44dca

SHA256
5cda0eacb52ee6c1f561b11b8a1ddce4a0f5295348fe999a73eed3dc2d1741e4

SHA512
4731ae77c7b50676757833bcf47299084a4afb7d2464512da56efd048c608034fc547fee073e48f8c39d0522539859ca195e2a209fe2434119098862b08d0dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\_cffi_backend.cp310-win_amd64.pyd

Filesize
71KB

MD5
e3bcdf92f94fac36d74ca4d57fc651ed

SHA1
519264bc498e253a62f540d8f106343c6772ef68

SHA256
8fa7db27750c4351d403271dc525a411840844cc913415eca2b1866c5e9dbd7f

SHA512
520eb876eb2a090d126780f0e8457ebb948337499db815a23dc5231d2ae80aef2f9ada14f13aa347e8aec5385a1ed85cdc8b3162ed4ca5976b77228f97a85806

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\_ctypes.pyd

Filesize
53KB

MD5
792451d5b185d4a464c8484bc252f2c2

SHA1
8fbaa275c8e25cdd012c9142026cc75074d61686

SHA256
4c147a23e85541b326a4321e59053eeeba34eb65d7fead807853cee6a68a2fa4

SHA512
a6f3c1343f1a5d26b55ac606033e2bc70c6da8804bf496adcaac99da644a66f6027491f693d1025b9c4260f8f226678d1d248e7ba68fea8d978a845db5dec2a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\_decimal.pyd

Filesize
101KB

MD5
c102d880e34122a2c3af883850f2b4fe

SHA1
68a0625a6fe923857a33a2142b7df17b8816280b

SHA256
35d0c0ab98e96595d3701875a56eb2b46bcce6fae758e690320597c3557c4572

SHA512
e81d487ba368539db3e0e32ceda0466b7dea77f5b7e5c6a3a9af58fcbbc09f2bb4f292f2cfcb861be06b4d33c92f79885b245f48da57d5582c74c2cf968e4214

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\_hashlib.pyd

Filesize
30KB

MD5
eebc2dcb17da1a72ced13c2561988625

SHA1
2ec77b48f1bca79a23f20ed37a5c1db2c1efd0a4

SHA256
68263de179a6a54fa56aff38f5b0957cc133bfdaf016e6e9c8f2f30a2ebf9e85

SHA512
77cc9d9a56e343601237abed691771f4c03acf68a87527c2fc55f4e0bdfcc6ca0d6a3a2c0365e0add519ba1dcb9ca3cab92393674c3af7a97fb9a09c30bae59d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\_lzma.pyd

Filesize
81KB

MD5
09a2aa784f8b7851579fc538688f5a10

SHA1
7d542e906d292fd30b211dcf3eb05b4c75ed9c4c

SHA256
d1f5f981f5e544e24cfbe54dc149f5ff6ddf8142dc1abb796e5146682ddab211

SHA512
fc2fb0bb9ad98b49ef70f294f00d87871e43bda6b6dbf1681ce71cdec5566b492246b3c5d9339b672b3a836f97b5bfcf058ecaceadf42b8d7be24104fded1c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\_multiprocessing.pyd

Filesize
22KB

MD5
42bb39668f0241f7ab3a1bb18f0b37c5

SHA1
51cc4305729348f57c0eeaefd33d2acd6b196c35

SHA256
b359f9b8a349e1f94303ed6ca63b6dfc0969ae86cd3f0f09f01768592210e4cf

SHA512
0344f15c787d8adadbdb367509c08d6fb4d092f34e095c3c690e3eadaa53cf5c3dd72589ee598fd362232ddd2e11aadc64df5dc08534c6e8cd08c2ca1fd5707c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\_overlapped.pyd

Filesize
27KB

MD5
53d0dba0685e8a8a0a637c2756ca86f0

SHA1
da248c72976d1a5ba866bc93227857f59078bcd4

SHA256
c6ccc16c420e5ba8738791f446c485c11300a73103f73b0710a6cb09d6792804

SHA512
4d99e9e38cee80c6fc2de6a2d0c607eb6a6dba5f452d8d2ec85716e2dd32b61b4d2040403cbd3add713cdbe4efb0f432b5d8b4251dcc34ab150e326c71ea32d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\_queue.pyd

Filesize
21KB

MD5
f33e773d34287f274496893a22999fa8

SHA1
d6f134b5deec092267d04af8dacff8feacaeb310

SHA256
cf11391bdf4f78c0f087a9fa04e04a0ff2d04cd0810d93b22d041be5b314f006

SHA512
872df9066e1c6b63c6b68e87b42698361f4bee1658c6b24dc3c940c81f8963c1523945b7d80e1e618ba6a6eebda71b0fc1b00978bce93201627a344a30080d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\_socket.pyd

Filesize
38KB

MD5
38c4cf8d721649584034bcbf4213a7fb

SHA1
440a9d9196575bebc7142fc010089889e4fc7862

SHA256
dc9ae31110be5e4c0df5ffa957b92c339ffdae8b13a27999a9cb316707b9d046

SHA512
067f2dd390d472c08ba96ee97341398f15aac2365ee3df3c9616806649b29a66316c219ca7e681821de91fab3093705497418e5537ecf6c661c2eaae3f553ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\_sqlite3.pyd

Filesize
45KB

MD5
a1f6465479ffae2af93c9c8e56783152

SHA1
69548b4fa2c605de196c60ee0bdd4f8100f88d14

SHA256
05b03868d999da947cb13f4340c9c893c4f35cd4756781d0c1b38143bcdbcf38

SHA512
281761f17005a7576372042f378c0925fd9a07e9a684dfc8ee1b51ed40a760b4f1a7f090d64fcf6df48304a522784e5fc1c6b85b9c21abdd6714ea05165c3595

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\_ssl.pyd

Filesize
57KB

MD5
9528ffddf9164cd37c8643eff66f413a

SHA1
d5bbd1fa8a89172b7ab6eced407dcebb81fb2993

SHA256
d1220bf3c040366ebb8d0e69b5a5d7198f35e3db1e90eb54e11c8d20a00ad690

SHA512
5fd173f6d652f8d3a9d7c2013183a82b75f8ac31fef9625bcc6ded82f26eaa4d46001593e33713c7f055be10fd2a26cdb319c4d4a488f8bdb7008af8a7ae8302

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\_uuid.pyd

Filesize
18KB

MD5
b7195a97d6d09625f3f2123e681c2dc9

SHA1
83eee7915ca795cedb1661040d236f866c35e1ad

SHA256
3ccd63c7f701e254597645644d121c1ad01cb3f76db0848be1b9e7f30e4c9402

SHA512
2c7a3c4a9d0beca5420d6c0285a4e2f02f379c040739db2db35d8e6c3178f28403f475a758f6bccf328249a328145be80071b7280aa20190b7270bb0bbf02d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\base_library.zip

Filesize
858KB

MD5
b15e945b2a74976b9e3417daff3de44a

SHA1
386f8146feab37861d1a3730469e3b56e1ef3d28

SHA256
3e835af0eaf18019a687ae4322fbf626462a8b2bf6c74bd9fdf671e4841fdfa6

SHA512
795e61c7be30db0da7c384dc6c11057e9064a6594fa9f4edf0d02ff80d0c56e49cf5ee50c95adeca842997f08c1afabc38b6256562b6a8d27bc49195f42fc179

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\bound.luna

Filesize
9.2MB

MD5
cf60d3bba53974aa9da2a3540d609ebe

SHA1
94a6af7b2c918c0bd9794ca897147cb8037348c2

SHA256
6b8d6112a46024ab88c09463b08cfddee088ea4e01dba8d15f2a81b28661e613

SHA512
a54118d2cccb7773994ef318163747a673625e0c518848330f192732663f17e7ca603f0b8048ddf1f8cc47627bb9d18603f25f3c68d62cfc54868498e8a71e68

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\certifi\cacert.pem

Filesize
284KB

MD5
181ac9a809b1a8f1bc39c1c5c777cf2a

SHA1
9341e715cea2e6207329e7034365749fca1f37dc

SHA256
488ba960602bf07cc63f4ef7aec108692fec41820fc3328a8e3f3de038149aee

SHA512
e19a92b94aedcf1282b3ef561bd471ea19ed361334092c55d72425f9183ebd1d30a619e493841b6f75c629f26f28dc682960977941b486c59475f21cf86fff85

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\charset_normalizer\md.cp310-win_amd64.pyd

Filesize
9KB

MD5
e8b4d1cb8570939208d373a453633173

SHA1
ee1fb7d18f65d56dbf4b46df9a457cf93c473b98

SHA256
595f85c233750daf228b7dc19c28327b06ac9964835a48811d126ea47ab063c1

SHA512
d9ae659e2919758825db32b26e0233689d0fdaad241a8edb9316ed1684841ad665cd3b3b5e9bbfb0375c3fe1ea8557aac11b7c824257347ee36258c779c72eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\charset_normalizer\md__mypyc.cp310-win_amd64.pyd

Filesize
39KB

MD5
1fad2ff24ed0e2fcf6ea8063f0d52520

SHA1
7df4dd9333c58f3fe142fcb4d48af52d6196066e

SHA256
b8b328bb6cd58475d7235578f27aef4dfeeefe1abd7198af564cb541cccf5e30

SHA512
0447b2b7f1b72c7e9c2e4b5909b90495964f1979f299fdbda0fd291daeaf07e937fbf0373e89fb78bae66694ca6ac2c37571f2e04787ba1b2db0ebde95be0e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\libcrypto-1_1.dll

Filesize
1.1MB

MD5
a43194bf570e11957d70a6bd7f4f5bf8

SHA1
cecf0d568b01069d7cdda34182bab79b1213eca9

SHA256
9ba9f077ad54ef08fff0740b934a151858e50ab86b6ffea260bd3dc806093ae2

SHA512
cc5a15ecc899520c4e3ac5f2d5f6a4a9b960405c2d7fd6726adb32137cb50c11f17b17afab23743f01cc89cc9b898a2bcd5eeed02676a984d91b348d244bd770

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\libffi-7.dll

Filesize
23KB

MD5
4e261cbb8247260ea91860986110f805

SHA1
1563d67c2aabcb5e00e25ef293456c6481a2adc3

SHA256
ddfd0755e011ea0df26d77cf3628e2cc59653aee02bf241b54b6b08561520453

SHA512
076cdc8759f9cbbf7f8dc7b1eaba3c51f6c40ae6043b1fb55aa2fb83f81e86933d0f885a61d83300173b9bd7c589ff126e2a5d858a3f4036390d02eb1e73d229

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\libssl-1_1.dll

Filesize
198KB

MD5
85a0098648e8cad7c5fba9990756ef5f

SHA1
441e30102a8f7dfc575d67ff3c8c9bb0f3339483

SHA256
724dafbe2532faec17507300013905149a7dc1c65233d27b85f74c8111f6197b

SHA512
b7873374d3eb15847d313c1aa3b71f756fe60be8ccdfd5285aa1f20b297aa8732c65477e45e90648e375a418f9212f6d27e2c2feafb86a7ffc67805c1c0c8cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\luna.aes

Filesize
4.7MB

MD5
804a6c377b71af7943915ae562ec6fd0

SHA1
70192537a1fbefe3b3629ef675af89c209f33fcd

SHA256
10f606f493b2bd2393033bb52ab39766fc173077cf948b1ce818d6ec5fd7e7b0

SHA512
9e428307f7e4164f7d97a88f13891f4ae3a1fdb6517fad744b48b070384493e268e4816eb28dce20105e312464cd47a76192066d70948039cd61d45d8f54df3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\psutil\_psutil_windows.pyd

Filesize
31KB

MD5
3adca2ff39adeb3567b73a4ca6d0253c

SHA1
ae35dde2348c8490f484d1afd0648380090e74fc

SHA256
92202b877579b74a87be769d58f9d1e8aced8a97336ad70e97d09685a10afeb3

SHA512
358d109b23cf99eb7396c450660f193e9e16f85f13737ecf29f4369b44f8356041a08443d157b325ccb5125a5f10410659761eda55f24fcc03a082ac8acdd345

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\pyexpat.pyd

Filesize
81KB

MD5
a1db9097411cf381f68eb583fbf7d199

SHA1
178aac7a936689c36e7d16138108599d0443d112

SHA256
312b8173296b239d8cd312e8861d5afe19656e345dbca63601a0680b1facd0e8

SHA512
379d0f7332549c288725bee63471248100b4ca251fc239a5b8516cf4c2bdc8760eadae32f70ecafc843a8ac882282b3ebe4f9ee075bd4400196c799d21a3b510

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\python3.DLL

Filesize
60KB

MD5
a5471f05fd616b0f8e582211ea470a15

SHA1
cb5f8bf048dc4fc58f80bdfd2e04570dbef4730e

SHA256
8d5e09791b8b251676e16bdd66a7118d88b10b66ad80a87d5897fadbefb91790

SHA512
e87d06778201615b129dcf4e8b4059399128276eb87102b5c3a64b6e92714f6b0d5bde5df4413cc1b66d33a77d7a3912eaa1035f73565dbfd62280d09d46abff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\python310.dll

Filesize
1.4MB

MD5
fea8b50c9cd4738b0ca28fe61705a77d

SHA1
fb84ab201b017ca27099558b6fb26701efe9612b

SHA256
56cd8356f6e4d4bde52672f58cc657f527cd07f67207bfb17afa0017f3f5d325

SHA512
21d98cb5b87a7c553ec2f1f935987731d2d9ce788f27746f1255fb0a475ae832453f7672081d06fdc31774e0ed64bb6855f4daa9f099bb0ac37179cd491bbe10

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\pywin32_system32\pythoncom310.dll

Filesize
193KB

MD5
202a8731825a75911a7c6ae1adc7dfac

SHA1
8c71aa55ed68a6abdf3db27938989c72fcbe8e21

SHA256
30b5dbd6d41f6128b063cc7f9854944dd0497b0d9cb6ba8e18c8d55f33b7733e

SHA512
1ae115ad229c378cb952b79b2923ad5209ce89c183d8a24503cf0cb05f77b45a6f04bf15f512472d04ea787aadc5254542b00c7ccd931061843f401874ab165d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\pywin32_system32\pywintypes310.dll

Filesize
62KB

MD5
95fed288c096235b736c0ffca46a9a5f

SHA1
bd868ccb83edb78b01c52649ee698abcb4eb0f3e

SHA256
6c4b09b003645f5a581a2406a003916847a60e689492b5d8c8be3cbbd4254244

SHA512
7adf8fc912a9b85bf2795c5d03d2f63a0cde5ae290be83411dd52099fc9d6f8d7d325f69f3bd064a242d01fd03271827a302c7a1dbe4905ac81387057c07f35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\select.pyd

Filesize
21KB

MD5
5a3216c0883eef8bfae19c92ef1d6d1d

SHA1
a0ced6e6b47d2185184cd1a4da6803ddbb49d9cb

SHA256
f8252a6f79b819340113f89cfde61bbd9df0862fcf7b22197cb04f9666a76bb3

SHA512
144d9bc81cd12c74db89e05d435df3505603f65b0ac24e543c276031835fab2c10edaff68cde8269c0d50ec2c7504f01dd245fd30581398756d67f92dcfc48a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\sqlite3.dll

Filesize
605KB

MD5
25807738509d67f0723108e69a6fe68e

SHA1
6f45a883863a5d79e3bd7474c0266069c0406678

SHA256
90de31b062940b575e0ed0d25177573bd6f00c6f23423508ac197d5689635c20

SHA512
49d538c6d584be0bb669315453c5ab9991b1c00430d3c4a4fb617746d60af70b6ecb9d2904fb25eeff9a37ba0d9c0d34888bb879785eb600fe68bd4e5fd4b4f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\unicodedata.pyd

Filesize
285KB

MD5
f1e6d290a2ad158254b290b3b1df93d2

SHA1
61fbdaea9358171762b114f763871947849182ca

SHA256
2065975efc17fdbee36c64a265dbd1e12c90fb2351f2df3a413c789073faa204

SHA512
d3f96567d51df9a3aa4e6ca3f8e1ebe936661013f0dacfb9b786427cc0aea384d3c43bf26c92438e2a5db961c26a9610fc4c1bcb1fbed2e7bdfcc74ba3b6b06c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\win32\win32api.pyd

Filesize
48KB

MD5
71ec15831e6df0a2ef3bd6ba5c5df7e5

SHA1
18d2a5315668f5ae454d3466ba3b2abc13d98eb6

SHA256
1fca2edfada089e695d4ec071e4b59bfaca3bd30327f72a92a51ec2cb5de46eb

SHA512
50180c8b414787ba9c88a70abb1d28a38bb1250d81b8ffe17bd041f9ec8d99d2c68ac52df09286b77db3ac5b74395e804888804b8280eeda13a3fb160a4cd6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15202\zstandard\backend_c.cp310-win_amd64.pyd

Filesize
174KB

MD5
6aa20997ac4e2ed34c3977d46a28662e

SHA1
9618bb8038c6132f012cf5c9a8a1be24e5a65a26

SHA256
e07dda20d5403f5beca70c0db5229a7b4f81cc735ec3f9220da0475fce90146e

SHA512
6f5562e52f342c4e1ef3f763e63ef79f4796bdfadd19cb3d723cf0612368644917a62f64cd2fc8f8b93e918d69de6399fadf4c223bb2261b6154930001f43b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\base_library.zip

Filesize
858KB

MD5
7b2903144d2ab90e0e8c34c0c5fc8b30

SHA1
4f435ff09b472607c96c9fbc38ca1cac8cb4725c

SHA256
76f8cfff0ca0997ba4fead6d7883316f32688cb9872a86df23148cd94c1511b2

SHA512
257ed12db69532081c3b6050779b021e46dcc26377d69310a2352eecb285ed74cb9ca63f3dbfb9e9c2289c6add588a1512b7f0ae547952b6d4b578953dc36701

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\cryptography-42.0.2.dist-info\LICENSE

Filesize
197B

MD5
8c3617db4fb6fae01f1d253ab91511e4

SHA1
e442040c26cd76d1b946822caf29011a51f75d6d

SHA256
3e0c7c091a948b82533ba98fd7cbb40432d6f1a9acbf85f5922d2f99a93ae6bb

SHA512
77a1919e380730bcce5b55d76fbffba2f95874254fad955bd2fe1de7fc0e4e25b5fdaab0feffd6f230fa5dc895f593cf8bfedf8fdc113efbd8e22fadab0b8998

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\cryptography-42.0.2.dist-info\LICENSE.APACHE

Filesize
11KB

MD5
4e168cce331e5c827d4c2b68a6200e1b

SHA1
de33ead2bee64352544ce0aa9e410c0c44fdf7d9

SHA256
aac73b3148f6d1d7111dbca32099f68d26c644c6813ae1e4f05f6579aa2663fe

SHA512
f451048e81a49fbfa11b49de16ff46c52a8e3042d1bcc3a50aaf7712b097bed9ae9aed9149c21476c2a1e12f1583d4810a6d36569e993fe1ad3879942e5b0d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\cryptography-42.0.2.dist-info\LICENSE.BSD

Filesize
1KB

MD5
5ae30ba4123bc4f2fa49aa0b0dce887b

SHA1
ea5b412c09f3b29ba1d81a61b878c5c16ffe69d8

SHA256
602c4c7482de6479dd2e9793cda275e5e63d773dacd1eca689232ab7008fb4fb

SHA512
ddbb20c80adbc8f4118c10d3e116a5cd6536f72077c5916d87258e155be561b89eb45c6341a1e856ec308b49a4cb4dba1408eabd6a781fbe18d6c71c32b72c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\cryptography-42.0.2.dist-info\WHEEL

Filesize
100B

MD5
c48772ff6f9f408d7160fe9537e150e0

SHA1
79d4978b413f7051c3721164812885381de2fdf5

SHA256
67325f22d7654f051b7a1d92bd644f6ebaa00df5bf7638a48219f07d19aa1484

SHA512
a817107d9f70177ea9ca6a370a2a0cb795346c9025388808402797f33144c1baf7e3de6406ff9e3d8a3486bdfaa630b90b63935925a36302ab19e4c78179674f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22402\cryptography-42.0.2.dist-info\top_level.txt

Filesize
13B

MD5
e7274bd06ff93210298e7117d11ea631

SHA1
7132c9ec1fd99924d658cc672f3afe98afefab8a

SHA256
28d693f929f62b8bb135a11b7ba9987439f7a960cc969e32f8cb567c1ef79c97

SHA512
aa6021c4e60a6382630bebc1e16944f9b312359d645fc61219e9a3f19d876fd600e07dca6932dcd7a1e15bfdeac7dbdceb9fffcd5ca0e5377b82268ed19de225

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4362\cryptography-42.0.2.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ke0lkeeh.wjt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
3KB

MD5
bcaa430cbdbb633caa8dd6a02ab4336a

SHA1
5d9dcb4a280dc715fab0c016200cbff9f0e18bfc

SHA256
0d3ed1c461b8dfeb7a613ee3a5346bc6f8ff7e60ea043cca9b98e082e644d4b4

SHA512
02f1799058885f51cd1e27dc4ee1aa9afc1a8d9773637bcabb11c67fb9c510a65ff153ebfc313e5062a1056f8cd57f740cffca60585c7814e476245f587eb2e3

Download Submit
memory/1784-264-0x00007FFE3E8C0000-0x00007FFE3E8EE000-memory.dmp

Filesize
184KB

Download
memory/1784-229-0x00007FFE2CCD0000-0x00007FFE2CD86000-memory.dmp

Filesize
728KB

Download
memory/1784-243-0x00007FFE343E0000-0x00007FFE343EC000-memory.dmp

Filesize
48KB

Download
memory/1784-242-0x00007FFE343F0000-0x00007FFE343FC000-memory.dmp

Filesize
48KB

Download
memory/1784-241-0x00007FFE34400000-0x00007FFE3440B000-memory.dmp

Filesize
44KB

Download
memory/1784-240-0x00007FFE38F50000-0x00007FFE38F5B000-memory.dmp

Filesize
44KB

Download
memory/1784-239-0x00007FFE38FD0000-0x00007FFE38FDC000-memory.dmp

Filesize
48KB

Download
memory/1784-238-0x00007FFE38FE0000-0x00007FFE38FEE000-memory.dmp

Filesize
56KB

Download
memory/1784-237-0x00007FFE38FF0000-0x00007FFE38FFC000-memory.dmp

Filesize
48KB

Download
memory/1784-236-0x00007FFE39000000-0x00007FFE3900C000-memory.dmp

Filesize
48KB

Download
memory/1784-235-0x00007FFE39620000-0x00007FFE3962B000-memory.dmp

Filesize
44KB

Download
memory/1784-249-0x000001CBCB820000-0x000001CBCD946000-memory.dmp

Filesize
33.1MB

Download
memory/1784-250-0x000001CBCB820000-0x000001CBCD946000-memory.dmp

Filesize
33.1MB

Download
memory/1784-252-0x00007FFE29FD0000-0x00007FFE2A218000-memory.dmp

Filesize
2.3MB

Download
memory/1784-253-0x00007FFE33270000-0x00007FFE33287000-memory.dmp

Filesize
92KB

Download
memory/1784-251-0x00007FFE33110000-0x00007FFE33131000-memory.dmp

Filesize
132KB

Download
memory/1784-256-0x00007FFE2CEB0000-0x00007FFE2D315000-memory.dmp

Filesize
4.4MB

Download
memory/1784-268-0x00007FFE2CD90000-0x00007FFE2CEA8000-memory.dmp

Filesize
1.1MB

Download
memory/1784-289-0x00007FFE47B10000-0x00007FFE47B1D000-memory.dmp

Filesize
52KB

Download
memory/1784-288-0x00007FFE3F780000-0x00007FFE3F799000-memory.dmp

Filesize
100KB

Download
memory/1784-287-0x00007FFE3E640000-0x00007FFE3E66B000-memory.dmp

Filesize
172KB

Download
memory/1784-286-0x00007FFE3F280000-0x00007FFE3F2AC000-memory.dmp

Filesize
176KB

Download
memory/1784-278-0x00007FFE3BCA0000-0x00007FFE3BCBE000-memory.dmp

Filesize
120KB

Download
memory/1784-277-0x00007FFE3C300000-0x00007FFE3C318000-memory.dmp

Filesize
96KB

Download
memory/1784-276-0x00007FFE3F7E0000-0x00007FFE3F7EA000-memory.dmp

Filesize
40KB

Download
memory/1784-275-0x00007FFE3B3F0000-0x00007FFE3B416000-memory.dmp

Filesize
152KB

Download
memory/1784-274-0x00007FFE402E0000-0x00007FFE402EB000-memory.dmp

Filesize
44KB

Download
memory/1784-273-0x00007FFE3E5F0000-0x00007FFE3E605000-memory.dmp

Filesize
84KB

Download
memory/1784-267-0x00007FFE42A20000-0x00007FFE42A2D000-memory.dmp

Filesize
52KB

Download
memory/1784-245-0x00007FFE343B0000-0x00007FFE343C2000-memory.dmp

Filesize
72KB

Download
memory/1784-285-0x00007FFE3F7F0000-0x00007FFE3F809000-memory.dmp

Filesize
100KB

Download
memory/1784-284-0x00007FFE486B0000-0x00007FFE486BF000-memory.dmp

Filesize
60KB

Download
memory/1784-283-0x00007FFE42900000-0x00007FFE42924000-memory.dmp

Filesize
144KB

Download
memory/1784-282-0x00007FFE3F080000-0x00007FFE3F0B5000-memory.dmp

Filesize
212KB

Download
memory/1784-280-0x00007FFE3F210000-0x00007FFE3F21B000-memory.dmp

Filesize
44KB

Download
memory/1784-279-0x00007FFE2C7E0000-0x00007FFE2C94D000-memory.dmp

Filesize
1.4MB

Download
memory/1784-271-0x00007FFE2C950000-0x00007FFE2CCC4000-memory.dmp

Filesize
3.5MB

Download
memory/1784-272-0x00007FFE3E440000-0x00007FFE3E4C7000-memory.dmp

Filesize
540KB

Download
memory/1784-270-0x00007FFE2CCD0000-0x00007FFE2CD86000-memory.dmp

Filesize
728KB

Download
memory/1784-269-0x00007FFE3E610000-0x00007FFE3E63E000-memory.dmp

Filesize
184KB

Download
memory/1784-265-0x00007FFE3E800000-0x00007FFE3E8BC000-memory.dmp

Filesize
752KB

Download
memory/1784-297-0x000001CBCB820000-0x000001CBCBB94000-memory.dmp

Filesize
3.5MB

Download
memory/1784-281-0x000001CBCB820000-0x000001CBCD946000-memory.dmp

Filesize
33.1MB

Download
memory/1784-311-0x00007FFE34280000-0x00007FFE342A9000-memory.dmp

Filesize
164KB

Download
memory/1784-310-0x00007FFE33270000-0x00007FFE33287000-memory.dmp

Filesize
92KB

Download
memory/1784-309-0x00007FFE343A0000-0x00007FFE343AC000-memory.dmp

Filesize
48KB

Download
memory/1784-308-0x00007FFE343B0000-0x00007FFE343C2000-memory.dmp

Filesize
72KB

Download
memory/1784-307-0x00007FFE343D0000-0x00007FFE343DD000-memory.dmp

Filesize
52KB

Download
memory/1784-306-0x00007FFE343E0000-0x00007FFE343EC000-memory.dmp

Filesize
48KB

Download
memory/1784-305-0x00007FFE343F0000-0x00007FFE343FC000-memory.dmp

Filesize
48KB

Download
memory/1784-304-0x00007FFE34400000-0x00007FFE3440B000-memory.dmp

Filesize
44KB

Download
memory/1784-303-0x00007FFE38F50000-0x00007FFE38F5B000-memory.dmp

Filesize
44KB

Download
memory/1784-302-0x00007FFE38FD0000-0x00007FFE38FDC000-memory.dmp

Filesize
48KB

Download
memory/1784-301-0x00007FFE38FE0000-0x00007FFE38FEE000-memory.dmp

Filesize
56KB

Download
memory/1784-300-0x00007FFE38FF0000-0x00007FFE38FFC000-memory.dmp

Filesize
48KB

Download
memory/1784-299-0x00007FFE39000000-0x00007FFE3900C000-memory.dmp

Filesize
48KB

Download
memory/1784-298-0x00007FFE39620000-0x00007FFE3962B000-memory.dmp

Filesize
44KB

Download
memory/1784-296-0x00007FFE3C470000-0x00007FFE3C47C000-memory.dmp

Filesize
48KB

Download
memory/1784-295-0x00007FFE3E5E0000-0x00007FFE3E5EB000-memory.dmp

Filesize
44KB

Download
memory/1784-294-0x00007FFE39630000-0x00007FFE39668000-memory.dmp

Filesize
224KB

Download
memory/1784-293-0x00007FFE3BB00000-0x00007FFE3BB1C000-memory.dmp

Filesize
112KB

Download
memory/1784-292-0x00007FFE3E430000-0x00007FFE3E43B000-memory.dmp

Filesize
44KB

Download
memory/1784-291-0x00007FFE3B040000-0x00007FFE3B04C000-memory.dmp

Filesize
48KB

Download
memory/1784-290-0x00007FFE3B5A0000-0x00007FFE3B5AB000-memory.dmp

Filesize
44KB

Download
memory/1784-313-0x00007FFE33110000-0x00007FFE33131000-memory.dmp

Filesize
132KB

Download
memory/1784-312-0x00007FFE2C3F0000-0x00007FFE2C7D4000-memory.dmp

Filesize
3.9MB

Download
memory/1784-314-0x00007FFE29FD0000-0x00007FFE2A218000-memory.dmp

Filesize
2.3MB

Download
memory/1784-248-0x00007FFE2C3F0000-0x00007FFE2C7D4000-memory.dmp

Filesize
3.9MB

Download
memory/1784-133-0x00007FFE2CEB0000-0x00007FFE2D315000-memory.dmp

Filesize
4.4MB

Download
memory/1784-143-0x00007FFE486B0000-0x00007FFE486BF000-memory.dmp

Filesize
60KB

Download
memory/1784-246-0x00007FFE343A0000-0x00007FFE343AC000-memory.dmp

Filesize
48KB

Download
memory/1784-142-0x00007FFE42900000-0x00007FFE42924000-memory.dmp

Filesize
144KB

Download
memory/1784-147-0x00007FFE3F7F0000-0x00007FFE3F809000-memory.dmp

Filesize
100KB

Download
memory/1784-174-0x00007FFE3F780000-0x00007FFE3F799000-memory.dmp

Filesize
100KB

Download
memory/1784-175-0x00007FFE47B10000-0x00007FFE47B1D000-memory.dmp

Filesize
52KB

Download
memory/1784-171-0x00007FFE3F080000-0x00007FFE3F0B5000-memory.dmp

Filesize
212KB

Download
memory/1784-170-0x00007FFE3F280000-0x00007FFE3F2AC000-memory.dmp

Filesize
176KB

Download
memory/1784-178-0x00007FFE3E8C0000-0x00007FFE3E8EE000-memory.dmp

Filesize
184KB

Download
memory/1784-185-0x00007FFE3E640000-0x00007FFE3E66B000-memory.dmp

Filesize
172KB

Download
memory/1784-184-0x00007FFE3E800000-0x00007FFE3E8BC000-memory.dmp

Filesize
752KB

Download
memory/1784-186-0x00007FFE2CEB0000-0x00007FFE2D315000-memory.dmp

Filesize
4.4MB

Download
memory/1784-188-0x00007FFE42A20000-0x00007FFE42A2D000-memory.dmp

Filesize
52KB

Download
memory/1784-190-0x00007FFE2CD90000-0x00007FFE2CEA8000-memory.dmp

Filesize
1.1MB

Download
memory/1784-192-0x00007FFE3E610000-0x00007FFE3E63E000-memory.dmp

Filesize
184KB

Download
memory/1784-196-0x00007FFE2CCD0000-0x00007FFE2CD86000-memory.dmp

Filesize
728KB

Download
memory/1784-197-0x00007FFE2C950000-0x00007FFE2CCC4000-memory.dmp

Filesize
3.5MB

Download
memory/1784-198-0x000001CBCB820000-0x000001CBCBB94000-memory.dmp

Filesize
3.5MB

Download
memory/1784-201-0x00007FFE3E440000-0x00007FFE3E4C7000-memory.dmp

Filesize
540KB

Download
memory/1784-203-0x00007FFE3E5F0000-0x00007FFE3E605000-memory.dmp

Filesize
84KB

Download
memory/1784-207-0x00007FFE3F780000-0x00007FFE3F799000-memory.dmp

Filesize
100KB

Download
memory/1784-208-0x00007FFE402E0000-0x00007FFE402EB000-memory.dmp

Filesize
44KB

Download
memory/1784-210-0x00007FFE3E8C0000-0x00007FFE3E8EE000-memory.dmp

Filesize
184KB

Download
memory/1784-211-0x00007FFE3B3F0000-0x00007FFE3B416000-memory.dmp

Filesize
152KB

Download
memory/1784-216-0x00007FFE3F7E0000-0x00007FFE3F7EA000-memory.dmp

Filesize
40KB

Download
memory/1784-217-0x00007FFE3C300000-0x00007FFE3C318000-memory.dmp

Filesize
96KB

Download
memory/1784-220-0x00007FFE2C7E0000-0x00007FFE2C94D000-memory.dmp

Filesize
1.4MB

Download
memory/1784-247-0x00007FFE34280000-0x00007FFE342A9000-memory.dmp

Filesize
164KB

Download
memory/1784-227-0x00007FFE3E5E0000-0x00007FFE3E5EB000-memory.dmp

Filesize
44KB

Download
memory/1784-230-0x00007FFE2C950000-0x00007FFE2CCC4000-memory.dmp

Filesize
3.5MB

Download
memory/1784-231-0x00007FFE3E430000-0x00007FFE3E43B000-memory.dmp

Filesize
44KB

Download
memory/1784-232-0x00007FFE3B5A0000-0x00007FFE3B5AB000-memory.dmp

Filesize
44KB

Download
memory/1784-233-0x00007FFE3B040000-0x00007FFE3B04C000-memory.dmp

Filesize
48KB

Download
memory/1784-234-0x00007FFE3E440000-0x00007FFE3E4C7000-memory.dmp

Filesize
540KB

Download
memory/1784-244-0x00007FFE343D0000-0x00007FFE343DD000-memory.dmp

Filesize
52KB

Download
memory/1784-228-0x00007FFE3C470000-0x00007FFE3C47C000-memory.dmp

Filesize
48KB

Download
memory/1784-226-0x000001CBCB820000-0x000001CBCBB94000-memory.dmp

Filesize
3.5MB

Download
memory/1784-225-0x00007FFE3E610000-0x00007FFE3E63E000-memory.dmp

Filesize
184KB

Download
memory/1784-221-0x00007FFE2CD90000-0x00007FFE2CEA8000-memory.dmp

Filesize
1.1MB

Download
memory/1784-222-0x00007FFE3F210000-0x00007FFE3F21B000-memory.dmp

Filesize
44KB

Download
memory/1784-223-0x00007FFE3BB00000-0x00007FFE3BB1C000-memory.dmp

Filesize
112KB

Download
memory/1784-224-0x00007FFE39630000-0x00007FFE39668000-memory.dmp

Filesize
224KB

Download
memory/1784-219-0x00007FFE3BCA0000-0x00007FFE3BCBE000-memory.dmp

Filesize
120KB

Download
memory/2172-520-0x00007FFE3E2C0000-0x00007FFE3E2D4000-memory.dmp

Filesize
80KB

Download
memory/2172-428-0x00007FFE2CEB0000-0x00007FFE2D315000-memory.dmp

Filesize
4.4MB

Download
memory/2172-534-0x00007FFE2CEB0000-0x00007FFE2D315000-memory.dmp

Filesize
4.4MB

Download
memory/2172-530-0x00007FFE2C430000-0x00007FFE2CB22000-memory.dmp

Filesize
6.9MB

Download
memory/2172-509-0x00007FFE3E5E0000-0x00007FFE3E5F9000-memory.dmp

Filesize
100KB

Download
memory/2172-513-0x00007FFE3E4E0000-0x00007FFE3E4FE000-memory.dmp

Filesize
120KB

Download
memory/2172-514-0x00007FFE2D6F0000-0x00007FFE2D85D000-memory.dmp

Filesize
1.4MB

Download
memory/2172-515-0x00007FFE3E430000-0x00007FFE3E45E000-memory.dmp

Filesize
184KB

Download
memory/2172-516-0x00007FFE3D510000-0x00007FFE3D5C6000-memory.dmp

Filesize
728KB

Download
memory/2172-517-0x00007FFE2CB30000-0x00007FFE2CEA4000-memory.dmp

Filesize
3.5MB

Download
memory/2172-518-0x00007FFE3E3B0000-0x00007FFE3E3C4000-memory.dmp

Filesize
80KB

Download
memory/2172-519-0x00007FFE442F0000-0x00007FFE44300000-memory.dmp

Filesize
64KB

Download
memory/2172-543-0x00007FFE3E430000-0x00007FFE3E45E000-memory.dmp

Filesize
184KB

Download
memory/2172-544-0x00007FFE3D510000-0x00007FFE3D5C6000-memory.dmp

Filesize
728KB

Download
memory/2172-529-0x00007FFE3C370000-0x00007FFE3C38E000-memory.dmp

Filesize
120KB

Download
memory/2172-523-0x00007FFE3D770000-0x00007FFE3D792000-memory.dmp

Filesize
136KB

Download
memory/2172-524-0x00007FFE3E1B0000-0x00007FFE3E1C7000-memory.dmp

Filesize
92KB

Download
memory/2172-525-0x00007FFE3DC90000-0x00007FFE3DCA9000-memory.dmp

Filesize
100KB

Download
memory/2172-526-0x00007FFE3BB30000-0x00007FFE3BB79000-memory.dmp

Filesize
292KB

Download
memory/2172-527-0x00007FFE3D7C0000-0x00007FFE3D7D1000-memory.dmp

Filesize
68KB

Download
memory/2172-528-0x00007FFE42F10000-0x00007FFE42F1A000-memory.dmp

Filesize
40KB

Download
memory/2172-522-0x00007FFE3C130000-0x00007FFE3C248000-memory.dmp

Filesize
1.1MB

Download
memory/2172-531-0x00007FFE3B440000-0x00007FFE3B478000-memory.dmp

Filesize
224KB

Download
memory/2172-532-0x00007FFE42900000-0x00007FFE4290D000-memory.dmp

Filesize
52KB

Download
memory/2172-506-0x00007FFE2CEB0000-0x00007FFE2D315000-memory.dmp

Filesize
4.4MB

Download
memory/2172-429-0x00007FFE3E550000-0x00007FFE3E574000-memory.dmp

Filesize
144KB

Download
memory/2172-521-0x00007FFE3E1D0000-0x00007FFE3E1E5000-memory.dmp

Filesize
84KB

Download