exelastealer | hxxps://dosya[.]co/lqjbkdnew968/wMdJoAJXB7[.]zip[.]html

Analysis

max time kernel
247s
max time network
248s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
06-08-2024 21:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://dosya.co/lqjbkdnew968/wMdJoAJXB7.zip.html

Score

10^/10

exelastealer collection credential_access defense_evasion discovery evasion persistence privilege_escalation pyinstaller spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3420	netsh.exe
2384	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1812	cmd.exe
2364	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
892	wMdJoAJXB7.exe
2128	wMdJoAJXB7.exe

Loads dropped DLL 31 IoCs

pid	Process
2128	wMdJoAJXB7.exe
2128	wMdJoAJXB7.exe
2128	wMdJoAJXB7.exe
2128	wMdJoAJXB7.exe
2128	wMdJoAJXB7.exe
2128	wMdJoAJXB7.exe
2128	wMdJoAJXB7.exe
2128	wMdJoAJXB7.exe
2128	wMdJoAJXB7.exe
2128	wMdJoAJXB7.exe
2128	wMdJoAJXB7.exe
2128	wMdJoAJXB7.exe
2128	wMdJoAJXB7.exe
2128	wMdJoAJXB7.exe
2128	wMdJoAJXB7.exe
2128	wMdJoAJXB7.exe
2128	wMdJoAJXB7.exe
2128	wMdJoAJXB7.exe
2128	wMdJoAJXB7.exe
2128	wMdJoAJXB7.exe
2128	wMdJoAJXB7.exe
2128	wMdJoAJXB7.exe
2128	wMdJoAJXB7.exe
2128	wMdJoAJXB7.exe
2128	wMdJoAJXB7.exe
2128	wMdJoAJXB7.exe
2128	wMdJoAJXB7.exe
2128	wMdJoAJXB7.exe
2128	wMdJoAJXB7.exe
2128	wMdJoAJXB7.exe
2128	wMdJoAJXB7.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000100000002ab1c-604.dat	upx
behavioral1/memory/2128-608-0x00007FFBA1540000-0x00007FFBA19AE000-memory.dmp	upx
behavioral1/files/0x000100000002aaed-610.dat	upx
behavioral1/files/0x000100000002ab16-615.dat	upx
behavioral1/memory/2128-617-0x00007FFBB49B0000-0x00007FFBB49D4000-memory.dmp	upx
behavioral1/memory/2128-618-0x00007FFBBD840000-0x00007FFBBD84F000-memory.dmp	upx
behavioral1/files/0x000100000002ab17-620.dat	upx
behavioral1/files/0x000100000002ab15-619.dat	upx
behavioral1/files/0x000100000002ab1a-621.dat	upx
behavioral1/files/0x000100000002aaf5-635.dat	upx
behavioral1/files/0x000100000002aaf7-637.dat	upx
behavioral1/files/0x000100000002aaf6-636.dat	upx
behavioral1/files/0x000100000002aaf4-634.dat	upx
behavioral1/files/0x000100000002aaf3-633.dat	upx
behavioral1/files/0x000100000002aaf2-632.dat	upx
behavioral1/files/0x000100000002aaf1-631.dat	upx
behavioral1/files/0x000100000002aaf0-630.dat	upx
behavioral1/files/0x000100000002aaef-629.dat	upx
behavioral1/files/0x000100000002aaee-628.dat	upx
behavioral1/files/0x000100000002aaec-627.dat	upx
behavioral1/files/0x000100000002aaeb-626.dat	upx
behavioral1/files/0x000100000002aaea-625.dat	upx
behavioral1/files/0x000100000002ab1f-624.dat	upx
behavioral1/files/0x000100000002ab1e-623.dat	upx
behavioral1/files/0x000100000002ab1d-622.dat	upx
behavioral1/memory/2128-639-0x00007FFBB8AB0000-0x00007FFBB8AC9000-memory.dmp	upx
behavioral1/memory/2128-640-0x00007FFBB9E80000-0x00007FFBB9E8D000-memory.dmp	upx
behavioral1/memory/2128-641-0x00007FFBB4990000-0x00007FFBB49A9000-memory.dmp	upx
behavioral1/memory/2128-642-0x00007FFBAA1B0000-0x00007FFBAA1DD000-memory.dmp	upx
behavioral1/memory/2128-643-0x00007FFBB12D0000-0x00007FFBB12EF000-memory.dmp	upx
behavioral1/memory/2128-644-0x00007FFBA4330000-0x00007FFBA4499000-memory.dmp	upx
behavioral1/memory/2128-645-0x00007FFBA92B0000-0x00007FFBA92DE000-memory.dmp	upx
behavioral1/memory/2128-647-0x00007FFBA05C0000-0x00007FFBA0937000-memory.dmp	upx
behavioral1/memory/2128-646-0x00007FFBA1D70000-0x00007FFBA1E27000-memory.dmp	upx
behavioral1/memory/2128-654-0x00007FFBB9D60000-0x00007FFBB9D70000-memory.dmp	upx
behavioral1/memory/2128-653-0x00007FFBA1C50000-0x00007FFBA1D68000-memory.dmp	upx
behavioral1/memory/2128-652-0x00007FFBA45E0000-0x00007FFBA45F4000-memory.dmp	upx
behavioral1/memory/2128-651-0x00007FFBA4F00000-0x00007FFBA4F14000-memory.dmp	upx
behavioral1/memory/2128-650-0x00007FFBA4F20000-0x00007FFBA4F35000-memory.dmp	upx
behavioral1/memory/2128-649-0x00007FFBA1540000-0x00007FFBA19AE000-memory.dmp	upx
behavioral1/memory/2128-656-0x00007FFBA45B0000-0x00007FFBA45D2000-memory.dmp	upx
behavioral1/memory/2128-655-0x00007FFBB49B0000-0x00007FFBB49D4000-memory.dmp	upx
behavioral1/memory/2128-659-0x00007FFBA42F0000-0x00007FFBA4309000-memory.dmp	upx
behavioral1/memory/2128-658-0x00007FFBA4310000-0x00007FFBA4327000-memory.dmp	upx
behavioral1/memory/2128-657-0x00007FFBB8AB0000-0x00007FFBB8AC9000-memory.dmp	upx
behavioral1/memory/2128-661-0x00007FFBA2DD0000-0x00007FFBA2E1C000-memory.dmp	upx
behavioral1/memory/2128-660-0x00007FFBB4990000-0x00007FFBB49A9000-memory.dmp	upx
behavioral1/memory/2128-662-0x00007FFBA42D0000-0x00007FFBA42E1000-memory.dmp	upx
behavioral1/memory/2128-666-0x00007FFBA2DB0000-0x00007FFBA2DCE000-memory.dmp	upx
behavioral1/memory/2128-665-0x00007FFBB8DE0000-0x00007FFBB8DEA000-memory.dmp	upx
behavioral1/memory/2128-664-0x00007FFBA4330000-0x00007FFBA4499000-memory.dmp	upx
behavioral1/memory/2128-663-0x00007FFBB12D0000-0x00007FFBB12EF000-memory.dmp	upx
behavioral1/memory/2128-667-0x00007FFBA05C0000-0x00007FFBA0937000-memory.dmp	upx
behavioral1/memory/2128-668-0x00007FFB9FE10000-0x00007FFBA05B1000-memory.dmp	upx
behavioral1/memory/2128-670-0x00007FFBA1D70000-0x00007FFBA1E27000-memory.dmp	upx
behavioral1/memory/2128-672-0x00007FFBA2AE0000-0x00007FFBA2B18000-memory.dmp	upx
behavioral1/memory/2128-669-0x00007FFBA92B0000-0x00007FFBA92DE000-memory.dmp	upx
behavioral1/memory/2128-723-0x00007FFBBF250000-0x00007FFBBF25D000-memory.dmp	upx
behavioral1/memory/2128-722-0x00007FFBA1C50000-0x00007FFBA1D68000-memory.dmp	upx
behavioral1/memory/2128-739-0x00007FFBB9D60000-0x00007FFBB9D70000-memory.dmp	upx
behavioral1/memory/2128-740-0x00007FFBA45B0000-0x00007FFBA45D2000-memory.dmp	upx
behavioral1/memory/2128-779-0x00007FFBA4310000-0x00007FFBA4327000-memory.dmp	upx
behavioral1/memory/2128-780-0x00007FFBA42F0000-0x00007FFBA4309000-memory.dmp	upx
behavioral1/memory/2128-943-0x00007FFBA2DD0000-0x00007FFBA2E1C000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
37	discord.com
88	discord.com
89	discord.com
94	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
43	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
3724	cmd.exe
3832	ARP.EXE

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
1728	tasklist.exe
5008	tasklist.exe
4188	tasklist.exe
2100	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1628	cmd.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2216	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000300000002aad7-556.dat	pyinstaller

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3596	cmd.exe
1776	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
1416	NETSTAT.EXE

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
4796	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3020	ipconfig.exe
1416	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3864	systeminfo.exe

Kills process with taskkill 8 IoCs

evasion

pid	Process
4004	taskkill.exe
4620	taskkill.exe
2836	taskkill.exe
672	taskkill.exe
4336	taskkill.exe
1068	taskkill.exe
1528	taskkill.exe
4956	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\wMdJoAJXB7.zip:Zone.Identifier	msedge.exe

Runs net.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1596	vlc.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
2784	msedge.exe
2784	msedge.exe
2840	msedge.exe
2840	msedge.exe
2740	msedge.exe
2740	msedge.exe
2248	identity_helper.exe
2248	identity_helper.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
568	msedge.exe
568	msedge.exe
2364	powershell.exe
2364	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1596	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 20 IoCs

pid	Process
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4940	7zG.exe
Token: 35	4940	7zG.exe
Token: SeSecurityPrivilege	4940	7zG.exe
Token: SeSecurityPrivilege	4940	7zG.exe
Token: 33	976	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	976	AUDIODG.EXE
Token: 33	1596	vlc.exe
Token: SeIncBasePriorityPrivilege	1596	vlc.exe
Token: SeIncreaseQuotaPrivilege	4448	WMIC.exe
Token: SeSecurityPrivilege	4448	WMIC.exe
Token: SeTakeOwnershipPrivilege	4448	WMIC.exe
Token: SeLoadDriverPrivilege	4448	WMIC.exe
Token: SeSystemProfilePrivilege	4448	WMIC.exe
Token: SeSystemtimePrivilege	4448	WMIC.exe
Token: SeProfSingleProcessPrivilege	4448	WMIC.exe
Token: SeIncBasePriorityPrivilege	4448	WMIC.exe
Token: SeCreatePagefilePrivilege	4448	WMIC.exe
Token: SeBackupPrivilege	4448	WMIC.exe
Token: SeRestorePrivilege	4448	WMIC.exe
Token: SeShutdownPrivilege	4448	WMIC.exe
Token: SeDebugPrivilege	4448	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4448	WMIC.exe
Token: SeRemoteShutdownPrivilege	4448	WMIC.exe
Token: SeUndockPrivilege	4448	WMIC.exe
Token: SeManageVolumePrivilege	4448	WMIC.exe
Token: 33	4448	WMIC.exe
Token: 34	4448	WMIC.exe
Token: 35	4448	WMIC.exe
Token: 36	4448	WMIC.exe
Token: SeDebugPrivilege	1728	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4448	WMIC.exe
Token: SeSecurityPrivilege	4448	WMIC.exe
Token: SeTakeOwnershipPrivilege	4448	WMIC.exe
Token: SeLoadDriverPrivilege	4448	WMIC.exe
Token: SeSystemProfilePrivilege	4448	WMIC.exe
Token: SeSystemtimePrivilege	4448	WMIC.exe
Token: SeProfSingleProcessPrivilege	4448	WMIC.exe
Token: SeIncBasePriorityPrivilege	4448	WMIC.exe
Token: SeCreatePagefilePrivilege	4448	WMIC.exe
Token: SeBackupPrivilege	4448	WMIC.exe
Token: SeRestorePrivilege	4448	WMIC.exe
Token: SeShutdownPrivilege	4448	WMIC.exe
Token: SeDebugPrivilege	4448	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4448	WMIC.exe
Token: SeRemoteShutdownPrivilege	4448	WMIC.exe
Token: SeUndockPrivilege	4448	WMIC.exe
Token: SeManageVolumePrivilege	4448	WMIC.exe
Token: 33	4448	WMIC.exe
Token: 34	4448	WMIC.exe
Token: 35	4448	WMIC.exe
Token: 36	4448	WMIC.exe
Token: SeDebugPrivilege	5008	tasklist.exe
Token: SeDebugPrivilege	1068	taskkill.exe
Token: SeDebugPrivilege	1528	taskkill.exe
Token: SeDebugPrivilege	4956	taskkill.exe
Token: SeDebugPrivilege	4004	taskkill.exe
Token: SeDebugPrivilege	4620	taskkill.exe
Token: SeDebugPrivilege	2836	taskkill.exe
Token: SeDebugPrivilege	672	taskkill.exe
Token: SeDebugPrivilege	4336	taskkill.exe
Token: SeDebugPrivilege	4188	tasklist.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeIncreaseQuotaPrivilege	4796	WMIC.exe
Token: SeSecurityPrivilege	4796	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe

Suspicious use of SendNotifyMessage 21 IoCs

pid	Process
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
2840	msedge.exe
1596	vlc.exe
1596	vlc.exe
1596	vlc.exe
1596	vlc.exe
1596	vlc.exe
1596	vlc.exe
1596	vlc.exe
1596	vlc.exe
1596	vlc.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1596	vlc.exe
1596	vlc.exe
1596	vlc.exe
1596	vlc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 4380	2840	msedge.exe	82
PID 2840 wrote to memory of 4380	2840	msedge.exe	82
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 1072	2840	msedge.exe	83
PID 2840 wrote to memory of 2784	2840	msedge.exe	84
PID 2840 wrote to memory of 2784	2840	msedge.exe	84
PID 2840 wrote to memory of 1724	2840	msedge.exe	85
PID 2840 wrote to memory of 1724	2840	msedge.exe	85
PID 2840 wrote to memory of 1724	2840	msedge.exe	85
PID 2840 wrote to memory of 1724	2840	msedge.exe	85
PID 2840 wrote to memory of 1724	2840	msedge.exe	85
PID 2840 wrote to memory of 1724	2840	msedge.exe	85
PID 2840 wrote to memory of 1724	2840	msedge.exe	85
PID 2840 wrote to memory of 1724	2840	msedge.exe	85
PID 2840 wrote to memory of 1724	2840	msedge.exe	85
PID 2840 wrote to memory of 1724	2840	msedge.exe	85
PID 2840 wrote to memory of 1724	2840	msedge.exe	85
PID 2840 wrote to memory of 1724	2840	msedge.exe	85
PID 2840 wrote to memory of 1724	2840	msedge.exe	85
PID 2840 wrote to memory of 1724	2840	msedge.exe	85
PID 2840 wrote to memory of 1724	2840	msedge.exe	85
PID 2840 wrote to memory of 1724	2840	msedge.exe	85
PID 2840 wrote to memory of 1724	2840	msedge.exe	85
PID 2840 wrote to memory of 1724	2840	msedge.exe	85
PID 2840 wrote to memory of 1724	2840	msedge.exe	85
PID 2840 wrote to memory of 1724	2840	msedge.exe	85

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4316	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://dosya.co/lqjbkdnew968/wMdJoAJXB7.zip.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbb5b43cb8,0x7ffbb5b43cc8,0x7ffbb5b43cd8
  2⤵
  PID:4380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,10964008118425870102,13234232419883737734,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1940 /prefetch:2
  2⤵
  PID:1072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1928,10964008118425870102,13234232419883737734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1928,10964008118425870102,13234232419883737734,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8
  2⤵
  PID:1724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,10964008118425870102,13234232419883737734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,10964008118425870102,13234232419883737734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,10964008118425870102,13234232419883737734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,10964008118425870102,13234232419883737734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:3216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1928,10964008118425870102,13234232419883737734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2740
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1928,10964008118425870102,13234232419883737734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5668 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,10964008118425870102,13234232419883737734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6140 /prefetch:1
  2⤵
  PID:3896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,10964008118425870102,13234232419883737734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,10964008118425870102,13234232419883737734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,10964008118425870102,13234232419883737734,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1744 /prefetch:1
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,10964008118425870102,13234232419883737734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,10964008118425870102,13234232419883737734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:1884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,10964008118425870102,13234232419883737734,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5784 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,10964008118425870102,13234232419883737734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6564 /prefetch:1
  2⤵
  PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,10964008118425870102,13234232419883737734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6244 /prefetch:1
  2⤵
  PID:1156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,10964008118425870102,13234232419883737734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1928,10964008118425870102,13234232419883737734,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6704 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1928,10964008118425870102,13234232419883737734,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6704 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,10964008118425870102,13234232419883737734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6612 /prefetch:1
  2⤵
  PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,10964008118425870102,13234232419883737734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6532 /prefetch:1
  2⤵
  PID:1192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,10964008118425870102,13234232419883737734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  2⤵
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,10964008118425870102,13234232419883737734,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5908 /prefetch:1
  2⤵
  PID:3832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,10964008118425870102,13234232419883737734,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6316 /prefetch:1
  2⤵
  PID:3192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1928,10964008118425870102,13234232419883737734,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:3048

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1868

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2852

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\wMdJoAJXB7\" -spe -an -ai#7zMap3704:82:7zEvent15520
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4940

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Downloads\wMdJoAJXB7\Base_Profile_2024.07.22_-_20.49.47.03.mp4"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1596

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004E4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Users\Admin\Downloads\wMdJoAJXB7\wMdJoAJXB7.exe
"C:\Users\Admin\Downloads\wMdJoAJXB7\wMdJoAJXB7.exe"
1⤵
- Executes dropped EXE
PID:892
- C:\Users\Admin\Downloads\wMdJoAJXB7\wMdJoAJXB7.exe
  "C:\Users\Admin\Downloads\wMdJoAJXB7\wMdJoAJXB7.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:2852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1060
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:5092
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:1628
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Views/modifies file attributes
      PID:4316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    PID:3004
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:1884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:2580
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2840"
    3⤵
    PID:1212
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2840
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4380"
    3⤵
    PID:464
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4380
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1072"
    3⤵
    PID:2216
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1072
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2784"
    3⤵
    PID:764
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2784
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1724"
    3⤵
    PID:2980
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1724
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1156"
    3⤵
    PID:1656
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1156
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3192"
    3⤵
    PID:2288
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3192
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3048"
    3⤵
    PID:2992
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3048
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:3528
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:3744
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:5008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:4452
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:1688
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:3468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3912
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:1812
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    PID:3724
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3864
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:1528
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      Suspicious use of AdjustPrivilegeToken
      PID:4796
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:1616
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:4180
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:2784
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:4732
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:456
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:4800
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:4912
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:1284
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:4764
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:2668
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:1424
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:1436
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:2656
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:2100
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:3020
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:1488
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:3832
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:1416
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:2216
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3420
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3596
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4004
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:968
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2ee16858e751901224340cabb25e5704

SHA1
24e0d2d301f282fb8e492e9df0b36603b28477b2

SHA256
e9784fcff01f83f4925f23e3a24bce63314ea503c2091f7309c014895fead33c

SHA512
bd9994c2fb4bf097ce7ffea412a2bed97e3af386108ab6aab0df9472a92d4bd94489bb9c36750a92f9818fa3ea6d1756497f5364611e6ebd36de4cd14e9a0fba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea667b2dedf919487c556b97119cf88a

SHA1
0ee7b1da90be47cc31406f4dba755fd083a29762

SHA256
9e7e47ebf490ba409eab3be0314fa695bf28f4764f4875c7568a54337f2df70f

SHA512
832391afcac34fc6c949dee8120f2a5f83ca68c159ff707751d844b085c7496930f0c8fd8313fd8f10a5f5725138be651953934aa79b087ba3c6dd22eaa49c72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
9e34a458510985b7aa2494d79adecdf4

SHA1
cde4102688cc5dc227a11b8107cef14cd7804291

SHA256
7e5d16d6d84e5ef36c59dac8e8604deea0fffbd27ac00dfedde113a87bbb6acd

SHA512
60d8dd9de505a8d3780e6142752a3eb9dedef1ab6970208239bce0dc9735b84e8fffce6af2c463144b36c7c1ab42bfe8320ba5cfb637afb74dc5605465f22836

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
9a09147111d5fa88e21d3c948e186cfd

SHA1
d4585ef8c12a6c5599502c809b9bb73e5e46fc6f

SHA256
94315b0045ab0b8bd17e9607cc6546ec4ea2df14ff7a6c0810371ad67baddec2

SHA512
fbc4db85cf87dd89912476971d60747184d9509bf1e9af9d6aa2c8f120fd6096eca49eced0ed0b3b12852ba3c4f5e52b0976ad55b70923871435de081be090a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
b6e29f7547e5628a864e45845ecef8b2

SHA1
66343603496b4b3ad56db485a003bf8b0b980d19

SHA256
98f2debc571574ead9c390f0f6806b7ce74bd8b296c5bd5ff1e03c8610eeb9f2

SHA512
1a26e7d5a1bdbbc2243f87abc049c6fa7dca9f5a0cb47cec46689272a320c02fa3556d5c163ff8b12b1950248490875bdc273cc761cd4d2147e1481265334269

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
f00d7d27d3a81a245a316229a041c03b

SHA1
cd77fedd67ba7208c66ec6819c3384041d1e8dab

SHA256
3e21f18c2f988b79fe9cd9f10d3a884050f7bf1b1827bed05d007b42d29af76d

SHA512
9cdab91b5db20717ca3367a17bd2303d5e5fcbccf593c5bf699a68ceefaaeb782dc2477482c8f889af55a7a5b204af82b5a8d603a2b8ef01e6e4cf28d1d0569e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
911097b78bd6224f49b58166560d4a2c

SHA1
8abe3f467421e5a932bd0282a63240746a731977

SHA256
7f1a3ba81693dda11ee22d3029a05abc6cd05f1ce878799f98e6ca4ee7322030

SHA512
270f6bce80443a947d06d498493bc8ec73c1a686acc581917ae4e5c794290e8db415313db6b7fc929e248bde0d63603efe9f82998f6bcaa14b17e868b2142c2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
41cb85c3b7ceb4ca01537cee10bf9f6d

SHA1
4e42d020f64b1223d399a7ce06e13baee019f182

SHA256
ac0fd47b1fc52a099d76f24856019c0d1bc74a84834a14ede778de74f3a799e9

SHA512
866b808904a8e5f12bb9b51891745c9f562080ab3e2d48c056f027e51c6c4b9496718a443abfdb91ddc7871e7ff188a72fda527c309d3ceb965de087f8dc8923

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
09917aa55244075e4e9ed2770626d68d

SHA1
807d7f5cf2977cd8725f3ff8f447f33726dcba19

SHA256
57fee79efbca8b38a941eda098e7c65c97e944c51b85a38beac2db816ec92804

SHA512
86d09b9858b27a0d3f9d2ff529c47c91758e8aef7322a80fe1882ce790fc63bdd44db3d2c7935902f52cd3203cdc2777c90598cff8ff2245f0fc868002fc36ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ba891659739f9a4eab911004e080b33f

SHA1
562d0e88548dc7c6109f79a5a31a12f1a5aa6861

SHA256
638479ff3eda774480a9c41e1b434c718acfd0bf3492ef8f419d573cc15be853

SHA512
45abb36804a0816b875c6069f05e36568f294e4f2857b03f3605cdb0cf030a510f2b6d59a6efe7e90d6eb2eeaee5b8005ff78d3f38a8c1851d173e016766ce45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
7a6f394096a6ffa3710f557ddc7ff77e

SHA1
64f7e5922f8e47fc25a23265246beca59c4f0b66

SHA256
cc732b0f1afb09f0a27f9fc4f466c8647ed0b77f7272fb040fcd0f55c664f73a

SHA512
5c2b12eb913069757419fdbba7256cc12f29368f9cc0f740688f679f3b652c2b17fa76801ce29f9dafaeea3906e5d114c61adbf06f46d9d5a99e24fafd55d776

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c224a76f88f4d8bf6da0163dfe119566

SHA1
2909cfc903697062ce58b8dc054faa267cfac663

SHA256
e7954e2903936aea86f6e3a23dbdbc8f2a576b56cf1e64ffe903e043854e29c5

SHA512
1c392dbcd28a9750ffc237c92f1695f8a49f0b9e2f37a9a67e903c4ad55234e6237f96405328cec3a96fd5d6f1f2d24df4091c8441a58f137b8a8e5efa3e9774

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
192ad57b94c40a8bdbd8644a5ca4cdc7

SHA1
5953c24e4af31c05904ba67f4b0272bad32e8983

SHA256
513c56d1818ba03954b8cb891ff5706233f1e6fdb6d1dd31873163422abcdf07

SHA512
939deda57fbdbabe78732e81f2557cafae70b824064215eb77d6b6983801a76f49d7472fd8b8a6515a1a746d2d3e0b9b9fe6756f7b13d75d331622f47c8356d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
285ee63a8ec5634b7706b017df5c1dff

SHA1
c83b65c8522aaed75c7d348d92e3adbb0371ef0c

SHA256
e663f2b9b313254d0862bac6731c5d06ac21a8802e921ee6de8a39abc7027d89

SHA512
7189edc3e68ac378d66e433901d40702e38617298c1d99046cd1fde2111a8260066beea2e04fc41011576f85d9db026fb8f0fbd15cbec0317ad3fedb2398bb10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe59c876.TMP

Filesize
873B

MD5
3890ff502c88e5d06575f7d2ab1dffd4

SHA1
8c47464150cc19da2a71922b8b24cd1304d7d0d3

SHA256
2c414570b91fc1d4d1a23df9e43edcb52037732bc4f11f7c559d8f01f141e268

SHA512
5c4d8d5a85e8313b9b4a78abc211f61fb2a526e0d01395a20e3aa2a8294819a7e5ed6dbf3d23ee2dc767b6457f76bb10529ecdc831338c6c043691e88bccd3c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\blob_storage\b67ba204-8064-48f8-84fa-2a733dfe7d43\2

Filesize
6.3MB

MD5
6644cabff91904aba25f8e10927a3d05

SHA1
cddd61d66029aa45eaf0a971f19f8adbfd94bb35

SHA256
bb0f33ca8e5e5c8ae1068dd25b7783b262decdfc994ba5caff94464de9d35e7d

SHA512
83c30a3b18b383a0612a1de3992e5ecc81d1c9397e254b8f443096abe6d6937d7bac72a36111c0073784671945f4e9672f89621fe667f0cc5f7a3de4f6d6959c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b92f4b846d11b06bc2cb264816813ae1

SHA1
6af68746a69af32ef9456a9b8e71a4d8aadee666

SHA256
f53ec748688e9d367d58751c17be18fff69b6566502bb8c7d2bb7b0f3cc11984

SHA512
dda2f967c6e89d050999be2598258c4407e99c613d81de6b5e16b5536098fa8f94ab833b7fd98c6caca3e30ce1c69b309d143e411622cba8ad9289e790591c6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b31402d812026ea39e0a23e56e4e36ae

SHA1
e3c6f2bcbab08a7ece3944b1e11ea7c890017701

SHA256
e0fced0fb0d41dc20d0dafd3eac41393e3e6640be38b9dee637f35f8cdb2f7c1

SHA512
1f50eeeabcca6c99d7a4063410056bab68803ead2df492d1ad4fab01a8ed4ccd3c6aafc7651086915b99b2d3313d07f6a2b465324cac998d31b67ec4946b0648

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
da2a731a74a1a052c74b60b1c0781966

SHA1
9750abcbcbf9ab8555efb47a29149cf93cfbc33e

SHA256
f69cdd00edf359d28d73e3da0f34b5e4d0466c2e05f5927ae4a7321d852bd8f2

SHA512
00f667b75164aebd70405a6fc262ae37b415e7445f431fd1dfef66ab36c23ca31b0d93d68fbda489784bb6b7cff96536feeb2bf233b819e64f945c6131fe6603

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesBy01\Desktop\ConfirmImport.xlsx

Filesize
12KB

MD5
26d5a631146c2c7e1ca20fc3ce8d69b2

SHA1
7ca964b120edf0683eb2275c2018d7e37f86d395

SHA256
1ae61a883dedd5c08e09fa889c4650d66515e61d7c746747b1c4e9995b0481a5

SHA512
fe8be3055043d1dbf167dcac9148615929a085ff994a47878da2d3485909ea851d93a650b0155205c72191136d00cbe00779c3523156e490416174490e76fbcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesBy01\Desktop\DisableResize.xlsx

Filesize
10KB

MD5
0ff35c1a85dbcf193bd78e1fb393f708

SHA1
6d2ea11fdd40a111fec24983a06724c27ce3b517

SHA256
436fa833998215703df3bbe0495a50584f4f181a0084fe2950b184e3513cf48f

SHA512
5f8212014886e29404c910cdfd0b340a11219fa8a285e1621836926d790026243a0d139671f2313330ab614c8d91370865e627402217d115eaa409288ebd7898

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesBy01\Desktop\FindCopy.xlsx

Filesize
11KB

MD5
cd77bff7367067806778c552ffebb552

SHA1
0b164d53075797b9f28db304db9d5a700e5b261a

SHA256
cf5db221ccdb56d91689aa21e6e6139c5501d271cf33bbde14e30b23a23299eb

SHA512
f677263196cdced1d9f7fbb90cc960a3c97b524f366310167ba6db86a6e8ef12e4f1f2e010d7025b89fa270f83f501e7ec96edacfb75f4a04b617826fdd842dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesBy01\Desktop\LockClear.png

Filesize
483KB

MD5
0835ac92ff97df1a715422f5fd002c50

SHA1
f1c29baeb937386cfb0e557ab215c2209a55c319

SHA256
940a6067d9066ba03a13a6c2ee604fe8c6ad16d23483638b465e03e6d35598f9

SHA512
b6a5f734d9f367f0f96ddae7a6c3c788af3e288b8e0562fa4ddfd2348bdc1a4a520d9ecbf298ad3d865fe241304b811db838bbda43226a2cf560d7184086a49a

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesBy01\Desktop\NewJoin.pdf

Filesize
301KB

MD5
70345b20701d439d86d61443e2f46acb

SHA1
04b32c4fe5a9f4f66604d271157b4575d0eabd02

SHA256
d004c07b685711357fbe7de5483880d5c32a0ff2bd2bad385342a97c44a85431

SHA512
fc3faba52bafae37f002b1dbabc2d504c736eac2f7adb9bc20e43f9009d7d6c02c57e45f5587883a82be27f17a1cc5056b55f8fd12ce8ab4f04196ed48a8794c

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesBy01\Desktop\UnpublishOut.jpg

Filesize
392KB

MD5
1749e1f5d58d028fc7feb7ca69d812aa

SHA1
4d1c621ebe4661142627291349873ee62c38cd89

SHA256
1a4e4d68d71c950d918b3f815b065e025aa65e924db34a6c31cfa0c694e8613d

SHA512
391cbad190d5ac8a7f1eeba069c4f06616ee737f0fecb165975b2d3cca4e4a778b169223d64daea4f975d0002e599ca8c72ea23fc9c1d4231858cc6b864189d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesBy01\Documents\AddConvertTo.xlsx

Filesize
13KB

MD5
bad2659e695bd63bdff24c20b5d2ef27

SHA1
6900db8d0bcd4d4087b8e2b2d5add2d593042174

SHA256
c49153893212cfbf83e387f6aebb27d7e16cd64f37654adaba0231ede56d6d30

SHA512
9a1f2c7827c4a10bfab2779f05368acd8ceec3ee11ddec6677eae51261860e162ede516abbaf0492614eb02c22cf014d7c66dd62145cddccbbd2ab41477f42e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesBy01\Documents\BlockAdd.xlsx

Filesize
12KB

MD5
723a3b8ca74fb845bb86b9291e090fca

SHA1
3c1f5c83d114209483aeac4cc09f33c2cd4f4ff4

SHA256
88111296bc556bb385b98f0ca7fa60eda1b3736bfea0e3226c9df2a6c77d41e3

SHA512
e8f698061945514e3279cfe6209cada2ddcf25d3df9cc2050570a343f13630dba38e32d6952411c0cf58272d078ebb453313a7923031deeb342809985cebd76e

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesBy01\Documents\CompleteCheckpoint.xls

Filesize
1.9MB

MD5
33ba2af028f04f3926fa1935c59f1314

SHA1
551ae78011fe7efd598941a36001837beb8fb873

SHA256
e2a568e05a0e9fd1aef341f39b4c8cecdf7082397dead34bab341e7bfd939589

SHA512
fa96cb3f77f2d5f8689391dad041accffb231c5db63596a4e5f877f5a104933edadd35e4556e57084ebffb1a20f8ea660f746f3b6a10b7744388772df7ac69fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesBy01\Documents\LimitRedo.docx

Filesize
19KB

MD5
8fceea1cfdb921a7fb833ab021a2174f

SHA1
cad421e5cd26de01c94cf77b402bd26fd0e44ccc

SHA256
0633ecbf487a16f3f5f2c46beabee728ba0c90a39d938c731cbfb085d4d07714

SHA512
29cc6da7cf2b3b9b0845adf415e79a107e0cb0c4fcd39b2f90a20d9be95955b311b75a6dfbafc7e244d013981564c5d2b9b56950d70a0007403773220ec39e1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesBy01\Documents\RestoreExpand.xlsx

Filesize
13KB

MD5
a379356c75cfbed0bc10167365d0dba5

SHA1
c22feacb90c83ed04b043f18b0220ad3b6f70f35

SHA256
a62e6dcdc26181c3c6791916ff141c50eee7c43d9c885df3db45cd6c054d2246

SHA512
775ad288ecf582b0e55af44d5112b16cbf3b17272ad9438226cbf86d5d56f2a1d82ddc80ac8e60ee826d027bc708246f7bf5f323fe66aa3050748a8b8f99e549

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesBy01\Documents\TraceHide.xlsx

Filesize
10KB

MD5
a90cb896f1e71fb8af74dbe103d7e9a6

SHA1
15e040c87cd0b8aa6f5929cc830218f19a74f77c

SHA256
3374cff0158f6a02b2159d503ede0def3cd20bb1d315a635c6fd26d1af233c0b

SHA512
ce0ca422ebfb1849714a46a2866ac0e67af88eae19b432ce126b8ab33e790bebeca2687a9752074ea7fb38dcc97488cc0dc82a0012fe4311ea3e647d197d1212

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesBy01\Documents\UpdatePush.doc

Filesize
1.5MB

MD5
c90f4de0f65fe9f6b3e1d56543ba382b

SHA1
5df2ca79b50eff78caf4d351d3215b5899df3afd

SHA256
c55a3b10383973509b914170fe7dcb9ea3d04a74b26eecd458bf4108e0132bf9

SHA512
3060b3e224fca7d4f8e947dfafc7992ce0e1fe6d15b5a201516a492a16ba3ceffb743aeca586a5bae56000157222bf10ae0df80cacef92b38fa910174922466f

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesBy01\Downloads\BlockResolve.mp4

Filesize
843KB

MD5
d9597a36b1056954ff838c7ef01e2bc0

SHA1
321e921e838f4bce1e90f32baf10f9daaf51e378

SHA256
4ba6ed7eb9e5ae09dcc1e57ce00d2c7446159fa52a207dabf489bf5a839b46f5

SHA512
a246dc5b04019729549df53efccd2284fa51288cf99b74a43239d1d26f4b96bc4bfea8d76821b0b375f7201434cf4391b0722260d5ea24433bc1530fd6778cc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesBy01\Downloads\ExpandReceive.xlsx

Filesize
821KB

MD5
68b58995d91425426b4edbfc130ba65d

SHA1
c805daa9f0e39db5e8935069db87498f4fccae20

SHA256
ced9de56052ef1bd922445eab7a6dc7ee8a08e27827c6136fa846ee5b30b2712

SHA512
ce860ac1fb147d4a9c8630654704688b2c5804a3dce41987ba06f0bd225ac575646065858376780daf2f58562cf39ccd49bafa8f662f3a2d368a2587db3916fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesBy01\Downloads\OpenRequest.doc

Filesize
324KB

MD5
4d7862feeb744b84661fbc50a778d458

SHA1
eedf68300c574db09ed6e9f4a4177591fdf463d9

SHA256
7393f3deed709788fb665a539268d94c52b8a79c742bafa07d49e2ac688ddf72

SHA512
af152dab1cb0f5f673f90d21e025d41975c4b3a2e119f0dbbf5223c7d481cfd030f37d0695d84f3b2da999124ae9b035d78620b67abedd01c39b59fdd359bc8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesBy01\Downloads\OutGroup.jpeg

Filesize
540KB

MD5
a1c28963539e4fc43306621b889ac716

SHA1
b70e78f3485a21c15d8c9baac39e44d34c34c136

SHA256
0496a5eded21abe9be9e9b6ab649918b77f869d308e1cabbdb0181ed343a9809

SHA512
f3414ac3dccdda6219194ffaa8a1d64388abb65e3d7fd4f2590d97db0982f85da535a009722fbbe7cfb9667bd71f40d72eccee491f01bd235b2e45bd39aafd5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesBy01\Downloads\RestartBackup.ppsx

Filesize
605KB

MD5
0fde5d012140ac0cd8359931b9e43b93

SHA1
daeb3f53b91192468bfeeb22fbc824686d466cda

SHA256
3e8a4b91f80e8480d9141bc77dbbd0907e432b5aac058509f86071d5d9629ed2

SHA512
4553051ef728b2affb03ded0700fc228ed12dc62dd884bbb63e31f87525c9e9b36378cae97c894833b0dff5f2a27fdcb31f4c24fc489a7440f74e3b47a77544f

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesBy01\Downloads\RestoreRequest.jpg

Filesize
691KB

MD5
b825c040859395455b84c3e23000f8f2

SHA1
b128aa15eabea3d29bec0659e8cdaa9290d7d30f

SHA256
9eb4e02540863a020d507c16bd5c5aeb4f0f13a85d9e1012e51b34a4e59e94f4

SHA512
90ad5951b6bb596d20e98c9e43840dca6c9c6a5f64e3782f86832ad741d4aad51ec280c4e1824971cf5c84ea34c89c683be3aaff4cb964232294b863c64656f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesBy01\Music\DebugSearch.png

Filesize
231KB

MD5
eccd3a9c03fa0ab3ec80d7ec4651ddda

SHA1
5175f9772467bdd3b01c917ee5fd9ca413bea21f

SHA256
116fee9411aa3a6b04ad5d755c5e6d2c02c924b7fb522205d8712046ad91cd9d

SHA512
ab79d749b863e3437625fcf94fa3cdd6d38f32f54e10d26f3506a637ea49089f054f59d6902a0e6e196a1193c0f548c6d81db7ab63c2c6ea93156e93689328cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesBy01\Music\LockEnter.png

Filesize
339KB

MD5
3c3f16014628088d8a9d22260bb15045

SHA1
8330d2bfdb2ad9393fb4fd009ee04acc0a93ce86

SHA256
72c3af220056c019fa501b313d28c0446c226c512f026010b418b5c504fdad11

SHA512
12e1488553150771e4a767bfa03260b379666c02fd3603c06af67443884544354ccccc110ed79eb89aa0f95e073286ffd91cd1912d3613be3733b5a5f11e1d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesBy01\Music\RegisterBackup.vssx

Filesize
299KB

MD5
339793169aee3a88be108a6457113040

SHA1
f235569e0350fff14e23ccfe9ec7cc8d30a4e92e

SHA256
d590e46647e8da84fba28a179e273d01bda723fea08f8603b8fc3cca8f589629

SHA512
90f0fb843e2f3df61abbac6805a7001ada71b466c3e6be7453a87000b6c0c317a0e496a02f84d6fdc6ddbeb0475fb7a5ac85158b59989695d3397784b518fd83

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesBy01\Music\SuspendGet.xlsx

Filesize
289KB

MD5
af663eebaf8d715f2fe1d9735dd4816e

SHA1
8ea0fd4814a11a74736b4c519b0393a2b15af0c6

SHA256
4962544f3bea9156d417849d46023b0656572c60748e952045c0fc304005f6a0

SHA512
13c3f0d94765846e1e681b9c4c68fe7ea2b761ca04ae30621fb1a2546a9443cc08ef164876f7b339714dea18f9d03171928506188023d2921ac040cdf92f75cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesBy01\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesBy01\Pictures\OptimizeBackup.dib

Filesize
272KB

MD5
2c6a829274b0513f6e455c60c6d1efc3

SHA1
07342729e7acb98d4b612f2d07600a8ed79de8ef

SHA256
7f7b3732331a8c641283114c936e28d1aa8747056e1a7afcbb4639ac238f0c6d

SHA512
02ff4d6cd2b0f88a5c455b5ec582a784859f826b90f60da36cf17d8a0f4c35244e88d95bd340482630ecac30436788d47fb64f0293405f76b99895a8595a4e54

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesBy01\Pictures\SwitchMerge.png

Filesize
381KB

MD5
ef321fa1543c79eaa42c0c88031cb8f6

SHA1
f41f4bb742eafff08146fb5f6b3b001043378eba

SHA256
f7344c6ea2dd55ec9737daff433303439a2ac5c2206e58eaa86d6957bb8be21e

SHA512
5f9038849569e7939f83b33771827cbad3691b0271565be00062d81060b4ffac2accc04ce2ab152e872588fcfd2691f572ff66a7fc6df74252c4db85e7347b93

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesBy01\Pictures\WriteDismount.jpg

Filesize
654KB

MD5
a15d609743f49c5d553370b672cb1697

SHA1
af0cfe5d3e92980155faa3c19bbe3c5bad15cbea

SHA256
4b4bef7383b2bf026f180bb40421f9336847766ac605f937010163f8268976dc

SHA512
f80a11c16606cee53a2f23f30c61039e6b88810fd5c0417793327e8bbd1cfe1a46e1981a18cd7d0982ea12126ff2f07b245b5176673d5d6598587e03d309881b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\_asyncio.pyd

Filesize
34KB

MD5
8a966ec419db15b2fca9e3a7eb06cf81

SHA1
b76b92651b0e8f7c680d5459061d9b5b7096a916

SHA256
d07daa24b92d26074a79b81adab4e851f1236c47f28ffcf8f86240b8c56bc50b

SHA512
7acd4329471373c2ba346cf48331cad4ca943de80dc5be3102dcaff76682b5992726455039fad94ae1e4a63a9f185e6b34ef7fedb773edc118d9335d3f5f5a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\_bz2.pyd

Filesize
46KB

MD5
56e45782281a0b6b1edd26bff549e2a3

SHA1
a38a5bf3585f47644eb4cc7c376bee5555359fec

SHA256
89bd7f2c3f061d97433ad858e52a7eb27cbc4f2bcf670427cbea34b2ced1df0b

SHA512
be65734495b393d96b6bdd5019afa298e8440ede289ab0964208a6ca3bbde40c59b8b945e2daa236434fdc2c4897e5fda602c3ba37500eb989384a21416bd543

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\_cffi_backend.cp310-win_amd64.pyd

Filesize
71KB

MD5
641e49ce0c4fa963d347fbf915aabdbe

SHA1
1351f6c4ac5dcda7e3ffbf3d5e355b4bb864eb10

SHA256
1c795df278c7f64be8e6973f8dbf1a625997cb39ae2dcb5bee0ca4c1b90c8906

SHA512
766b9adb5143e89d663177c2fb0e951afb84c0a43ec690ae2c477ee0bbe036df6f4161a6012430d42e4913fd5fbe7e49af6d13ac7c62d042a484861fc5a04616

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\_ctypes.pyd

Filesize
56KB

MD5
666d2076c7aa16e1a4267492817ea0fe

SHA1
e7afe7acd1581d403930ef9e1d867a79534f2d94

SHA256
663d8f1b4a0f9248c200cfffb5efe8612022a3876374ff2d43c0afe824684527

SHA512
a2534ce68a71425a44d611e3db9e159bd527dab58e87519ac2479f05247b0ec6484feb635b716c614a58a71b5841ab6735c1e72b3127946fbaeeafe33c069a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\_decimal.pyd

Filesize
104KB

MD5
fd527d3099273a41bf394a3513143b4f

SHA1
a5c6c0657392e8eb1aa0243d0bdcb0b63d935680

SHA256
b0071f676b26065559a97784d6f5d2a0510ecc25b467a991d39489bd4dc30f35

SHA512
721a81f946eb794c45174e1a3080d5f8162e2f9f5e971ec35335696a60c6545cb43fd45fffe3645290b3b3091df2af342a7e626599ed2e1e6cc0f3140a11c954

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\_hashlib.pyd

Filesize
33KB

MD5
e1c9b82748a0258d158d10722851f5b9

SHA1
afd8efdc4166f1fb290d95daf21c2fb383989a63

SHA256
e8df3c02eb4f325b43f9f97a1cd8decf6ec47c7baf0452befbc04fb4122fd6d2

SHA512
86a24fd1d1733b530cb21856aeb60c7b2c064e95949c58c7812b706fd2b7aa30da05f94dc91d9fd252b50695af5196a11a300832cceec68374ae86fd2e1125bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\_lzma.pyd

Filesize
84KB

MD5
acc65527ab504d6a99ce687ea565831b

SHA1
c3ba31c6e02448a791118821d5dd082225b54841

SHA256
b9f30072453a7430106ebf66564222a9d8a63b67fe40db727183e42748221301

SHA512
45324183bcd6d784d08af78242ee13d42c12a3ddffc7cd3d70771cfc4325efbac9f21793831db638ea1d46cd9fd893041c6919d7b5d129c2a1d097a57d6f3e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\_multiprocessing.pyd

Filesize
25KB

MD5
9638abb3b2a25c0f5da0c82f85f4a3f3

SHA1
b28b39b5a9b863e87f67c816cb1dcd1bb4d0fcdd

SHA256
8c5a922e9faad0d4d21927a36fb5b308571e1f59c1176021494f57b365a01c87

SHA512
2154dca46d0ddc6716bdac47d3874e5415ab91b47689d196e6901dc2047d72cd9ae84bce24032a251bb2bcd160e56a02bb0b72a46df1ed8cebc39e4b07bac2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\_overlapped.pyd

Filesize
30KB

MD5
7b8127b784ade6c92397ea1e14c9c8b7

SHA1
4f8c19abd9a98ef89e1a996678ff8a968f77c527

SHA256
e2d37f3f373d5d5ce2ac737deb24cc8fac2675f57fe29a81109be8106270f0c3

SHA512
703d2236a5729f07158781a59286d15ef38eb6534145f491e1b237e42e1ca48a5bf16ef5bb94a31c0edd7b82dc8123065864d2b79d71fb5fcb96bfe537c32cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\_queue.pyd

Filesize
24KB

MD5
eb784bc23eb3b065f1ad58496ba262e1

SHA1
42ddb586f3cbf6eb8022ceb672bc598b9e8825e8

SHA256
ee08e6a3e0423b25800cf26daf67affab538685e1a11f03ea21da64553506670

SHA512
9c1a09dfc7c2b8c20761ea3ff1aaa35e093c822294517e48398b42487b35b8814acdba1217cb2618f47bf9217655bd11aa6641b99aaac692a0f3444c86e285c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\_socket.pyd

Filesize
41KB

MD5
908a3f299f0b94dea6174b2a93fa3d16

SHA1
4930b3314d56416d93780418b88aa3d28103e8ba

SHA256
277e10a1bb9058b1c8b1762bbe24776596e9f034aa3d189a58012fb1a02bdb87

SHA512
d2caa08fc9941447d105c068e0ecbe371fc41cec1e95531782f9c8c0f0dc61e30902e89b3f6813c660881b45f8009712e2febed8922f900b77e763f96fefd67b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\_sqlite3.pyd

Filesize
48KB

MD5
1a7d26b8e7a51f257e0a0756d17b1206

SHA1
8adde0016877d31a1e40dbbd43e049bb931795d2

SHA256
c5516473c5a26046bfbe9405d360c3cbcd416c1ed8de2c2344ec00f341cd47d5

SHA512
6e554f68f7f3d7c50a08d1ec15505b9f1e98e5c34a88f460ebb94f87f773363c83264ae7a08ed4b5cd0254a38c7303f8cedf8b7451120b66b87770de70d123f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\_ssl.pyd

Filesize
60KB

MD5
cc006b1ead5a1936e8d6603621814fc9

SHA1
2f74fde0a39b8dc3e8ecf4ac9d7530576c742ffe

SHA256
649a8ab2e3ff633cbfa1f278ced1eb362b458812f569a08c01d379fb7aeedc92

SHA512
c485d589db2a5f9f7dc71072b5be666cab91d0258884f6ad5e95c6d95b59aaaeec4585fc7649423a83b1e78db163b128cee99f98d2d762eb68aacbb83c1d4ba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\_uuid.pyd

Filesize
21KB

MD5
60e5cda570c90ba0ed386349876ad0c2

SHA1
860453b3480bffc417d66e86775e1467ddc634dd

SHA256
4b76aa939436ad084414093e0dc96d4081b78e4e73772681c7bc217c602b8856

SHA512
9e464fa8d378bebcf93a8df3cf6bef4e77909d43f697ac40f3645a80c223608442b90b7c22a91a26cf6b29b1804e24c04d4ed260be964ae2c28bbc9b680a5c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\base_library.zip

Filesize
859KB

MD5
3fa51488087c6577ba4d4accecda2bb6

SHA1
3584d301bcb007f6de830729b3cc994c048edd93

SHA256
8f614b9743bf81cba58bb2f50dcede4e0e9310727b114be36ef9022d587dc622

SHA512
bc1e42eabc128e304ccd5ec9413907b0760ebc96b6eb7b6d1f509433d1912b703136c42d4f8cac98bbba157c75f3a416f7b2ea241de17c08eafa2acb2a4e1669

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\libcrypto-1_1.dll

Filesize
1.1MB

MD5
5e999bc10636935a56a26b623718d4be

SHA1
378622eb481006983f14607fdce99641d161f244

SHA256
35460fc9fd3bac20826a5bd7608cbe71822ac172e014a6b0e0693bd1b6e255c1

SHA512
d28ecc0f001b91c06fe4572ad18eb49cb0c81c2b3496725d69f6f82eccd992047ecd5819e05e4f7bf786904b6c2e5d68fecc629fa50425a7d7abd9fe33c0052a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\libffi-7.dll

Filesize
23KB

MD5
d50ebf567149ead9d88933561cb87d09

SHA1
171df40e4187ebbfdf9aa1d76a33f769fb8a35ed

SHA256
6aa8e12ce7c8ad52dd2e3fabeb38a726447849669c084ea63d8e322a193033af

SHA512
7bcc9d6d3a097333e1e4b2b23c81ea1b5db7dbdc5d9d62ebaffb0fdfb6cfe86161520ac14dc835d1939be22b9f342531f48da70f765a60b8e2c3d7b9983021de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\libssl-1_1.dll

Filesize
200KB

MD5
8d8d9c30250f7042d25d73b9822efc45

SHA1
f6b83a793175e77f6e8a6add37204115da8cb319

SHA256
92bf5bdc30c53d52ab53b4f51e5f36f5b8be1235e7929590a9fddc86819dba1d

SHA512
ed40078d289b4293f4e22396f5b7d3016daec76a4406444ccd0a8b33d9c939a6f3274b4028b1c85914b32e69fc00c50ec9a710738746c9ee9962f86d99455bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\pyexpat.pyd

Filesize
86KB

MD5
13c14e8630400ee9d761c8383a287c36

SHA1
a2dcc9cecce66bb948971553e05ab41744731f4b

SHA256
889df7e4de264bef6b0c475107cc2370d9cea60c2cb057241f3b585ba143782d

SHA512
7910683a0afab3f0bdf7c820e47184dd7910a77b14382315baad20b384d509782083348c07cd2df9db0c2fd1b6d26ddb7fcfc4e1a51d7253d70a2f6f9837fa99

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\python3.DLL

Filesize
63KB

MD5
07bd9f1e651ad2409fd0b7d706be6071

SHA1
dfeb2221527474a681d6d8b16a5c378847c59d33

SHA256
5d78cd1365ea9ae4e95872576cfa4055342f1e80b06f3051cf91d564b6cd09f5

SHA512
def31d2df95cb7999ce1f55479b2ff7a3cb70e9fc4778fc50803f688448305454fbbf82b5a75032f182dff663a6d91d303ef72e3d2ca9f2a1b032956ec1a0e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\python310.dll

Filesize
1.4MB

MD5
5007306e4e2f91a39dfd3217d381d2c5

SHA1
17ccbe14499274cba4fa25f55b29727da439b8ca

SHA256
36a87c3402420b744fb03f2ce3685ab6624ecd111797c04f1fc6caa437f0f6c2

SHA512
08dd62e7563fc914aee9d30dc0fc98c9068f8b55c972e097ccb1a4de67ed1561519b06ae51ebe4d72d423ca3de32a2aab5c1564cebc3c72d448db401b948f7c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\select.pyd

Filesize
24KB

MD5
7eba8a9f6a975d1a9e798359e0abb067

SHA1
5c66b8c96692a77c8003b9e96ce9c6da51188402

SHA256
f0770c3fa1132f05379457f16ea3321da7d5f8806a722a1e84955bddac58348f

SHA512
572c1c59b1b9621c696212aa2a1567810c91bf6c8ee967c10cd41db4581bc1b010b4fa00a278e4c6eff6fa81d13bc806b5f11d284218b4ab0ee3fc0f38cd7cac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\sqlite3.dll

Filesize
605KB

MD5
3edbd04500a50ca77486fc4a9f6ec1ab

SHA1
9dc75ca051190314fa128c7e1d34abdef4dab722

SHA256
f8506ce424bb168a89b27a0b8e8aeba354302937b9f8cdd6e1abda724dc1307d

SHA512
10dd03983f7c231c2a1e60c4de03a0a4c499a9f7df591c38a363d1cd3010c561d59cf7804f78f2395b18542bcdfb2d155a042f17c85e9805c346f7a498d9d639

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI8922\unicodedata.pyd

Filesize
288KB

MD5
9651e2a8f41cbd6f81d7738fef8f1067

SHA1
a7717c72304dca1edc889b99a14252fa9479c359

SHA256
777be196ee440fd86e0d7d74f3b45051722768dc3b04917a20b9f41fa15f0c32

SHA512
38e735dff4dde81253a547524ab9216ff63070dfb52289a9fa54544888ffd51c8023d7d9da46bde8cd5bd72a0b28205798b455fd627d0a951d13f7526b0145cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ox03ekgy.ncx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
f3ef526b1d5b9a7909116011b683c44e

SHA1
d93285560e383ab9a2e8da28106ce2bf5dea525e

SHA256
51dca9f65482264713ea32a67d36b056e06fb33e4ce3e0bc60ed3ccce418b950

SHA512
85e99e9eb41853b89c138df0f59f13f91ea01a299c7b6b5591cf6684e3eb1048731b476675fbd67f609ad670a38848e9146e92c40e23824f331ca3fef4d7f34c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
331907949d9f7833f93e6bf762ac686a

SHA1
b29ea1ad8591e257b74b9008280e280ac8d0a5fc

SHA256
b18c7fea331cf225e69a41781b9f7a6a1b9f3d17e2722c30485c583cde33e055

SHA512
709340afd143d98e71a422f219d75d1d1c0ccda405771ee3ec0c3dfada4851dc20de8a54c1293cf2e27a74574d8d2fe8d78241bb0ec0d614981b3ac4e0d04ee9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
c31cb06e778ca79bd0bd5a9067867051

SHA1
51ed833f91da017e5b9462f65b81c6dc41785488

SHA256
b225891ddcabb29df771b60e92d0df33dcbc2e0219f34ff2a1e1f50c435c7eda

SHA512
4f7246e49d8c93681f18ef849b5d4bb0501d5a39fbcb294e5960d4d7e44e30d6472a4e88d33bdd7c090d4d141b92e76b6bf57f1f92a7c5d5d0b6222792967ab6

Download Submit
C:\Users\Admin\Downloads\wMdJoAJXB7.zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\wMdJoAJXB7\wMdJoAJXB7.exe

Filesize
11.4MB

MD5
2b1eaa3873e8f508df6e7fb71aab2372

SHA1
b1bc8cc0fde24f122268215add238fb8caf0dc0a

SHA256
27a0b43633216b8e1f70dbcc5cedce38b5ba8b049dae907ef366c455d4e0e086

SHA512
87ee7f6470e5e8de8e65e93e76feebb0fdf9e478f577967ebec28e12ed8d47c7d6656668cb7d2fdae2115922106443beb2027f111a20d7f4778df73e5920614d

Download Submit
memory/1596-459-0x00007FFB9F640000-0x00007FFB9F65B000-memory.dmp

Filesize
108KB

Download
memory/1596-495-0x00007FFBA1100000-0x00007FFBA13B6000-memory.dmp

Filesize
2.7MB

Download
memory/1596-442-0x00007FFBB49A0000-0x00007FFBB49D4000-memory.dmp

Filesize
208KB

Download
memory/1596-441-0x00007FF61D370000-0x00007FF61D468000-memory.dmp

Filesize
992KB

Download
memory/1596-445-0x00007FFBAA1C0000-0x00007FFBAA1D7000-memory.dmp

Filesize
92KB

Download
memory/1596-444-0x00007FFBB12D0000-0x00007FFBB12E8000-memory.dmp

Filesize
96KB

Download
memory/1596-450-0x00007FFBA4F00000-0x00007FFBA4F11000-memory.dmp

Filesize
68KB

Download
memory/1596-451-0x00007FFBA0730000-0x00007FFBA093B000-memory.dmp

Filesize
2.0MB

Download
memory/1596-449-0x00007FFBA4F20000-0x00007FFBA4F3D000-memory.dmp

Filesize
116KB

Download
memory/1596-448-0x00007FFBA92A0000-0x00007FFBA92B1000-memory.dmp

Filesize
68KB

Download
memory/1596-447-0x00007FFBA92C0000-0x00007FFBA92D7000-memory.dmp

Filesize
92KB

Download
memory/1596-443-0x00007FFBA1100000-0x00007FFBA13B6000-memory.dmp

Filesize
2.7MB

Download
memory/1596-446-0x00007FFBAA1A0000-0x00007FFBAA1B1000-memory.dmp

Filesize
68KB

Download
memory/1596-453-0x00007FFBA45B0000-0x00007FFBA45F1000-memory.dmp

Filesize
260KB

Download
memory/1596-458-0x00007FFB9F660000-0x00007FFB9F671000-memory.dmp

Filesize
68KB

Download
memory/1596-465-0x00007FFB9F4C0000-0x00007FFB9F4D1000-memory.dmp

Filesize
68KB

Download
memory/1596-452-0x00007FFB9F680000-0x00007FFBA0730000-memory.dmp

Filesize
16.7MB

Download
memory/1596-466-0x00007FFB9F460000-0x00007FFB9F4B7000-memory.dmp

Filesize
348KB

Download
memory/1596-463-0x00007FFB9F560000-0x00007FFB9F5C7000-memory.dmp

Filesize
412KB

Download
memory/1596-461-0x00007FFB9F600000-0x00007FFB9F618000-memory.dmp

Filesize
96KB

Download
memory/1596-464-0x00007FFB9F4E0000-0x00007FFB9F55C000-memory.dmp

Filesize
496KB

Download
memory/1596-462-0x00007FFB9F5D0000-0x00007FFB9F600000-memory.dmp

Filesize
192KB

Download
memory/1596-460-0x00007FFB9F620000-0x00007FFB9F631000-memory.dmp

Filesize
68KB

Download
memory/1596-457-0x00007FFBA2AB0000-0x00007FFBA2AC1000-memory.dmp

Filesize
68KB

Download
memory/1596-455-0x00007FFBA42D0000-0x00007FFBA42E8000-memory.dmp

Filesize
96KB

Download
memory/1596-456-0x00007FFBA2AD0000-0x00007FFBA2AE1000-memory.dmp

Filesize
68KB

Download
memory/1596-454-0x00007FFBA2AF0000-0x00007FFBA2B11000-memory.dmp

Filesize
132KB

Download
memory/1596-469-0x00007FFBA1100000-0x00007FFBA13B6000-memory.dmp

Filesize
2.7MB

Download
memory/1596-478-0x00007FFB9F680000-0x00007FFBA0730000-memory.dmp

Filesize
16.7MB

Download
memory/2128-660-0x00007FFBB4990000-0x00007FFBB49A9000-memory.dmp

Filesize
100KB

Download
memory/2128-645-0x00007FFBA92B0000-0x00007FFBA92DE000-memory.dmp

Filesize
184KB

Download
memory/2128-663-0x00007FFBB12D0000-0x00007FFBB12EF000-memory.dmp

Filesize
124KB

Download
memory/2128-667-0x00007FFBA05C0000-0x00007FFBA0937000-memory.dmp

Filesize
3.5MB

Download
memory/2128-668-0x00007FFB9FE10000-0x00007FFBA05B1000-memory.dmp

Filesize
7.6MB

Download
memory/2128-670-0x00007FFBA1D70000-0x00007FFBA1E27000-memory.dmp

Filesize
732KB

Download
memory/2128-672-0x00007FFBA2AE0000-0x00007FFBA2B18000-memory.dmp

Filesize
224KB

Download
memory/2128-671-0x000001F9A8FC0000-0x000001F9A9337000-memory.dmp

Filesize
3.5MB

Download
memory/2128-669-0x00007FFBA92B0000-0x00007FFBA92DE000-memory.dmp

Filesize
184KB

Download
memory/2128-723-0x00007FFBBF250000-0x00007FFBBF25D000-memory.dmp

Filesize
52KB

Download
memory/2128-722-0x00007FFBA1C50000-0x00007FFBA1D68000-memory.dmp

Filesize
1.1MB

Download
memory/2128-1029-0x00007FFBA42F0000-0x00007FFBA4309000-memory.dmp

Filesize
100KB

Download
memory/2128-665-0x00007FFBB8DE0000-0x00007FFBB8DEA000-memory.dmp

Filesize
40KB

Download
memory/2128-739-0x00007FFBB9D60000-0x00007FFBB9D70000-memory.dmp

Filesize
64KB

Download
memory/2128-740-0x00007FFBA45B0000-0x00007FFBA45D2000-memory.dmp

Filesize
136KB

Download
memory/2128-779-0x00007FFBA4310000-0x00007FFBA4327000-memory.dmp

Filesize
92KB

Download
memory/2128-780-0x00007FFBA42F0000-0x00007FFBA4309000-memory.dmp

Filesize
100KB

Download
memory/2128-666-0x00007FFBA2DB0000-0x00007FFBA2DCE000-memory.dmp

Filesize
120KB

Download
memory/2128-662-0x00007FFBA42D0000-0x00007FFBA42E1000-memory.dmp

Filesize
68KB

Download
memory/2128-618-0x00007FFBBD840000-0x00007FFBBD84F000-memory.dmp

Filesize
60KB

Download
memory/2128-661-0x00007FFBA2DD0000-0x00007FFBA2E1C000-memory.dmp

Filesize
304KB

Download
memory/2128-657-0x00007FFBB8AB0000-0x00007FFBB8AC9000-memory.dmp

Filesize
100KB

Download
memory/2128-658-0x00007FFBA4310000-0x00007FFBA4327000-memory.dmp

Filesize
92KB

Download
memory/2128-659-0x00007FFBA42F0000-0x00007FFBA4309000-memory.dmp

Filesize
100KB

Download
memory/2128-655-0x00007FFBB49B0000-0x00007FFBB49D4000-memory.dmp

Filesize
144KB

Download
memory/2128-656-0x00007FFBA45B0000-0x00007FFBA45D2000-memory.dmp

Filesize
136KB

Download
memory/2128-649-0x00007FFBA1540000-0x00007FFBA19AE000-memory.dmp

Filesize
4.4MB

Download
memory/2128-650-0x00007FFBA4F20000-0x00007FFBA4F35000-memory.dmp

Filesize
84KB

Download
memory/2128-651-0x00007FFBA4F00000-0x00007FFBA4F14000-memory.dmp

Filesize
80KB

Download
memory/2128-652-0x00007FFBA45E0000-0x00007FFBA45F4000-memory.dmp

Filesize
80KB

Download
memory/2128-653-0x00007FFBA1C50000-0x00007FFBA1D68000-memory.dmp

Filesize
1.1MB

Download
memory/2128-654-0x00007FFBB9D60000-0x00007FFBB9D70000-memory.dmp

Filesize
64KB

Download
memory/2128-646-0x00007FFBA1D70000-0x00007FFBA1E27000-memory.dmp

Filesize
732KB

Download
memory/2128-648-0x000001F9A8FC0000-0x000001F9A9337000-memory.dmp

Filesize
3.5MB

Download
memory/2128-647-0x00007FFBA05C0000-0x00007FFBA0937000-memory.dmp

Filesize
3.5MB

Download
memory/2128-664-0x00007FFBA4330000-0x00007FFBA4499000-memory.dmp

Filesize
1.4MB

Download
memory/2128-644-0x00007FFBA4330000-0x00007FFBA4499000-memory.dmp

Filesize
1.4MB

Download
memory/2128-643-0x00007FFBB12D0000-0x00007FFBB12EF000-memory.dmp

Filesize
124KB

Download
memory/2128-642-0x00007FFBAA1B0000-0x00007FFBAA1DD000-memory.dmp

Filesize
180KB

Download
memory/2128-641-0x00007FFBB4990000-0x00007FFBB49A9000-memory.dmp

Filesize
100KB

Download
memory/2128-640-0x00007FFBB9E80000-0x00007FFBB9E8D000-memory.dmp

Filesize
52KB

Download
memory/2128-639-0x00007FFBB8AB0000-0x00007FFBB8AC9000-memory.dmp

Filesize
100KB

Download
memory/2128-608-0x00007FFBA1540000-0x00007FFBA19AE000-memory.dmp

Filesize
4.4MB

Download
memory/2128-617-0x00007FFBB49B0000-0x00007FFBB49D4000-memory.dmp

Filesize
144KB

Download
memory/2128-943-0x00007FFBA2DD0000-0x00007FFBA2E1C000-memory.dmp

Filesize
304KB

Download
memory/2128-1038-0x00007FFBA92B0000-0x00007FFBA92DE000-memory.dmp

Filesize
184KB

Download
memory/2128-1044-0x00007FFBA1C50000-0x00007FFBA1D68000-memory.dmp

Filesize
1.1MB

Download
memory/2128-1052-0x00007FFBA2DB0000-0x00007FFBA2DCE000-memory.dmp

Filesize
120KB

Download
memory/2128-1051-0x00007FFBB8DE0000-0x00007FFBB8DEA000-memory.dmp

Filesize
40KB

Download
memory/2128-1055-0x00007FFBBF250000-0x00007FFBBF25D000-memory.dmp

Filesize
52KB

Download
memory/2128-1054-0x00007FFBA2AE0000-0x00007FFBA2B18000-memory.dmp

Filesize
224KB

Download
memory/2128-1053-0x00007FFB9FE10000-0x00007FFBA05B1000-memory.dmp

Filesize
7.6MB

Download
memory/2128-1050-0x00007FFBA42D0000-0x00007FFBA42E1000-memory.dmp

Filesize
68KB

Download
memory/2128-1049-0x00007FFBA05C0000-0x00007FFBA0937000-memory.dmp

Filesize
3.5MB

Download
memory/2128-1048-0x00007FFBA4330000-0x00007FFBA4499000-memory.dmp

Filesize
1.4MB

Download
memory/2128-1047-0x00007FFBA4310000-0x00007FFBA4327000-memory.dmp

Filesize
92KB

Download
memory/2128-1046-0x00007FFBA45B0000-0x00007FFBA45D2000-memory.dmp

Filesize
136KB

Download
memory/2128-1045-0x00007FFBA1540000-0x00007FFBA19AE000-memory.dmp

Filesize
4.4MB

Download
memory/2128-1043-0x00007FFBA45E0000-0x00007FFBA45F4000-memory.dmp

Filesize
80KB

Download
memory/2128-1042-0x00007FFBA4F00000-0x00007FFBA4F14000-memory.dmp

Filesize
80KB

Download
memory/2128-1041-0x00007FFBA4F20000-0x00007FFBA4F35000-memory.dmp

Filesize
84KB

Download
memory/2128-1040-0x00007FFBA2DD0000-0x00007FFBA2E1C000-memory.dmp

Filesize
304KB

Download
memory/2128-1039-0x00007FFBA1D70000-0x00007FFBA1E27000-memory.dmp

Filesize
732KB

Download
memory/2128-1037-0x00007FFBB9D60000-0x00007FFBB9D70000-memory.dmp

Filesize
64KB

Download
memory/2128-1036-0x00007FFBB12D0000-0x00007FFBB12EF000-memory.dmp

Filesize
124KB

Download
memory/2128-1035-0x00007FFBAA1B0000-0x00007FFBAA1DD000-memory.dmp

Filesize
180KB

Download
memory/2128-1034-0x00007FFBB4990000-0x00007FFBB49A9000-memory.dmp

Filesize
100KB

Download
memory/2128-1033-0x00007FFBB9E80000-0x00007FFBB9E8D000-memory.dmp

Filesize
52KB

Download
memory/2128-1032-0x00007FFBB8AB0000-0x00007FFBB8AC9000-memory.dmp

Filesize
100KB

Download
memory/2128-1031-0x00007FFBBD840000-0x00007FFBBD84F000-memory.dmp

Filesize
60KB

Download
memory/2128-1030-0x00007FFBB49B0000-0x00007FFBB49D4000-memory.dmp

Filesize
144KB

Download
memory/2364-724-0x000001F57E2D0000-0x000001F57E2F2000-memory.dmp

Filesize
136KB

Download