exelastealer | 949b887d9197fe79cdc64e440165d7fdcdca4864fcb1fb12152f0457889fb7f8

Resubmissions

17-08-2024 02:32

240817-c1d29swapj 10

17-08-2024 02:27

240817-cxtzbavhlm 10

17-08-2024 02:26

240817-cw118ssbpd 3

Analysis

max time kernel
148s
max time network
152s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
17-08-2024 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0dde8e7faa841d6528a0a3c81ae9db6_JaffaCakes118.js
Size

74KB
MD5

a0dde8e7faa841d6528a0a3c81ae9db6
SHA1

f958fc9f95100574735f9c110f45fb8b54ba8168
SHA256

949b887d9197fe79cdc64e440165d7fdcdca4864fcb1fb12152f0457889fb7f8
SHA512

ef3dc0432118fcd522e2514d9f5d27914950bb51a8c22c266fbaf2a68010e9634ccbf56fd22ccfaa9277e284cb63374c2ff7a2d72b463177bd29a60d2b98fb11
SSDEEP

384:aRd+9O2vHP7JItwTNINmW62DwimXCejF2ke4HWDekXjr1Y/Y+JVqVxXEZ4OrML93:a7+Ugd4ZIoC6dn2ge5djgHxpzJ

Score

10^/10

exelastealer collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation pyinstaller spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1172	netsh.exe
4632	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1328	powershell.exe
4768	cmd.exe

Deletes itself 1 IoCs

pid	Process
3152	StaffLoader.exe

Executes dropped EXE 2 IoCs

pid	Process
2968	StaffLoader.exe
3152	StaffLoader.exe

Loads dropped DLL 31 IoCs

pid	Process
3152	StaffLoader.exe
3152	StaffLoader.exe
3152	StaffLoader.exe
3152	StaffLoader.exe
3152	StaffLoader.exe
3152	StaffLoader.exe
3152	StaffLoader.exe
3152	StaffLoader.exe
3152	StaffLoader.exe
3152	StaffLoader.exe
3152	StaffLoader.exe
3152	StaffLoader.exe
3152	StaffLoader.exe
3152	StaffLoader.exe
3152	StaffLoader.exe
3152	StaffLoader.exe
3152	StaffLoader.exe
3152	StaffLoader.exe
3152	StaffLoader.exe
3152	StaffLoader.exe
3152	StaffLoader.exe
3152	StaffLoader.exe
3152	StaffLoader.exe
3152	StaffLoader.exe
3152	StaffLoader.exe
3152	StaffLoader.exe
3152	StaffLoader.exe
3152	StaffLoader.exe
3152	StaffLoader.exe
3152	StaffLoader.exe
3152	StaffLoader.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000100000002a99e-264.dat	upx
behavioral1/memory/3152-268-0x00007FFB3F440000-0x00007FFB3F8A5000-memory.dmp	upx
behavioral1/files/0x000100000002a96f-270.dat	upx
behavioral1/memory/3152-278-0x00007FFB48DB0000-0x00007FFB48DBF000-memory.dmp	upx
behavioral1/memory/3152-277-0x00007FFB42550000-0x00007FFB42574000-memory.dmp	upx
behavioral1/files/0x000100000002a998-276.dat	upx
behavioral1/files/0x000100000002a997-279.dat	upx
behavioral1/files/0x000100000002a979-297.dat	upx
behavioral1/files/0x000100000002a976-294.dat	upx
behavioral1/files/0x000100000002a99f-300.dat	upx
behavioral1/files/0x000100000002a972-304.dat	upx
behavioral1/files/0x000100000002a9a0-308.dat	upx
behavioral1/memory/3152-307-0x00007FFB3FA90000-0x00007FFB3FAAE000-memory.dmp	upx
behavioral1/memory/3152-314-0x00007FFB3F210000-0x00007FFB3F2C6000-memory.dmp	upx
behavioral1/memory/3152-315-0x00007FFB2DCA0000-0x00007FFB2E014000-memory.dmp	upx
behavioral1/memory/3152-317-0x00007FFB3FA60000-0x00007FFB3FA8E000-memory.dmp	upx
behavioral1/memory/3152-313-0x00007FFB3F2D0000-0x00007FFB3F43D000-memory.dmp	upx
behavioral1/files/0x000100000002a999-310.dat	upx
behavioral1/files/0x000100000002a978-309.dat	upx
behavioral1/files/0x000100000002a977-306.dat	upx
behavioral1/memory/3152-305-0x00007FFB42410000-0x00007FFB4243C000-memory.dmp	upx
behavioral1/memory/3152-303-0x00007FFB42440000-0x00007FFB42459000-memory.dmp	upx
behavioral1/files/0x000100000002a96d-302.dat	upx
behavioral1/memory/3152-301-0x00007FFB48CE0000-0x00007FFB48CED000-memory.dmp	upx
behavioral1/memory/3152-299-0x00007FFB424F0000-0x00007FFB42509000-memory.dmp	upx
behavioral1/files/0x000100000002a975-293.dat	upx
behavioral1/files/0x000100000002a974-292.dat	upx
behavioral1/files/0x000100000002a96c-318.dat	upx
behavioral1/files/0x000100000002a973-291.dat	upx
behavioral1/files/0x000100000002a971-289.dat	upx
behavioral1/files/0x000100000002a970-288.dat	upx
behavioral1/files/0x000100000002a96e-287.dat	upx
behavioral1/files/0x000100000002a9a1-284.dat	upx
behavioral1/files/0x000100000002a99c-281.dat	upx
behavioral1/files/0x000100000002a99b-320.dat	upx
behavioral1/memory/3152-327-0x00007FFB3F1D0000-0x00007FFB3F1E5000-memory.dmp	upx
behavioral1/memory/3152-329-0x00007FFB3F0B0000-0x00007FFB3F1C8000-memory.dmp	upx
behavioral1/memory/3152-328-0x00007FFB424F0000-0x00007FFB42509000-memory.dmp	upx
behavioral1/memory/3152-326-0x00007FFB42550000-0x00007FFB42574000-memory.dmp	upx
behavioral1/memory/3152-325-0x00007FFB48480000-0x00007FFB48490000-memory.dmp	upx
behavioral1/memory/3152-324-0x00007FFB3F1F0000-0x00007FFB3F204000-memory.dmp	upx
behavioral1/memory/3152-323-0x00007FFB3FA40000-0x00007FFB3FA54000-memory.dmp	upx
behavioral1/memory/3152-322-0x00007FFB3F440000-0x00007FFB3F8A5000-memory.dmp	upx
behavioral1/memory/3152-330-0x00007FFB3F080000-0x00007FFB3F0A2000-memory.dmp	upx
behavioral1/memory/3152-331-0x00007FFB3F060000-0x00007FFB3F077000-memory.dmp	upx
behavioral1/memory/3152-332-0x00007FFB3F040000-0x00007FFB3F059000-memory.dmp	upx
behavioral1/memory/3152-333-0x00007FFB3FA90000-0x00007FFB3FAAE000-memory.dmp	upx
behavioral1/memory/3152-334-0x00007FFB3EFF0000-0x00007FFB3F03D000-memory.dmp	upx
behavioral1/memory/3152-335-0x00007FFB3F210000-0x00007FFB3F2C6000-memory.dmp	upx
behavioral1/memory/3152-336-0x00007FFB2DCA0000-0x00007FFB2E014000-memory.dmp	upx
behavioral1/memory/3152-341-0x00007FFB3EFB0000-0x00007FFB3EFCE000-memory.dmp	upx
behavioral1/memory/3152-340-0x00007FFB424E0000-0x00007FFB424EA000-memory.dmp	upx
behavioral1/memory/3152-339-0x00007FFB3FA60000-0x00007FFB3FA8E000-memory.dmp	upx
behavioral1/memory/3152-338-0x00007FFB3EFD0000-0x00007FFB3EFE1000-memory.dmp	upx
behavioral1/memory/3152-342-0x00007FFB29BA0000-0x00007FFB2A341000-memory.dmp	upx
behavioral1/memory/3152-343-0x00007FFB3EF70000-0x00007FFB3EFA6000-memory.dmp	upx
behavioral1/memory/3152-390-0x00007FFB3F0B0000-0x00007FFB3F1C8000-memory.dmp	upx
behavioral1/memory/3152-425-0x00007FFB3F080000-0x00007FFB3F0A2000-memory.dmp	upx
behavioral1/memory/3152-426-0x00007FFB425A0000-0x00007FFB425AD000-memory.dmp	upx
behavioral1/memory/3152-442-0x00007FFB3F060000-0x00007FFB3F077000-memory.dmp	upx
behavioral1/memory/3152-443-0x00007FFB3F040000-0x00007FFB3F059000-memory.dmp	upx
behavioral1/memory/3152-444-0x00007FFB3EFF0000-0x00007FFB3F03D000-memory.dmp	upx
behavioral1/memory/3152-477-0x00007FFB425A0000-0x00007FFB425AD000-memory.dmp	upx
behavioral1/memory/3152-476-0x00007FFB3EF70000-0x00007FFB3EFA6000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela Update Service = "C:\\Users\\Admin\\AppData\\Local\\ExelaUpdateService\\Exela.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
36	discord.com
37	discord.com
39	discord.com
40	discord.com
41	discord.com
34	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2060	cmd.exe
1228	ARP.EXE

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
1832	tasklist.exe
868	tasklist.exe
1416	tasklist.exe
3384	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3748	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4964	sc.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\StaffLoader.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000100000002a969-200.dat	pyinstaller

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2948	cmd.exe
4156	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
2952	NETSTAT.EXE

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
2512	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2132	ipconfig.exe
2952	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2760	systeminfo.exe

Kills process with taskkill 7 IoCs

evasion

pid	Process
3200	taskkill.exe
1892	taskkill.exe
1992	taskkill.exe
1212	taskkill.exe
1576	taskkill.exe
1952	taskkill.exe
804	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133683353044616832"	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\StaffLoader.exe:Zone.Identifier	chrome.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
1328	powershell.exe
1328	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe
Token: SeShutdownPrivilege	3180	chrome.exe
Token: SeCreatePagefilePrivilege	3180	chrome.exe

Suspicious use of FindShellTrayWindow 46 IoCs

pid	Process
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe
3180	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
784	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3180 wrote to memory of 5012	3180	chrome.exe	86
PID 3180 wrote to memory of 5012	3180	chrome.exe	86
PID 3180 wrote to memory of 1172	3180	chrome.exe	87
PID 3180 wrote to memory of 1172	3180	chrome.exe	87
PID 3180 wrote to memory of 1172	3180	chrome.exe	87
PID 3180 wrote to memory of 1172	3180	chrome.exe	87
PID 3180 wrote to memory of 1172	3180	chrome.exe	87
PID 3180 wrote to memory of 1172	3180	chrome.exe	87
PID 3180 wrote to memory of 1172	3180	chrome.exe	87
PID 3180 wrote to memory of 1172	3180	chrome.exe	87
PID 3180 wrote to memory of 1172	3180	chrome.exe	87
PID 3180 wrote to memory of 1172	3180	chrome.exe	87
PID 3180 wrote to memory of 1172	3180	chrome.exe	87
PID 3180 wrote to memory of 1172	3180	chrome.exe	87
PID 3180 wrote to memory of 1172	3180	chrome.exe	87
PID 3180 wrote to memory of 1172	3180	chrome.exe	87
PID 3180 wrote to memory of 1172	3180	chrome.exe	87
PID 3180 wrote to memory of 1172	3180	chrome.exe	87
PID 3180 wrote to memory of 1172	3180	chrome.exe	87
PID 3180 wrote to memory of 1172	3180	chrome.exe	87
PID 3180 wrote to memory of 1172	3180	chrome.exe	87
PID 3180 wrote to memory of 1172	3180	chrome.exe	87
PID 3180 wrote to memory of 1172	3180	chrome.exe	87
PID 3180 wrote to memory of 1172	3180	chrome.exe	87
PID 3180 wrote to memory of 1172	3180	chrome.exe	87
PID 3180 wrote to memory of 1172	3180	chrome.exe	87
PID 3180 wrote to memory of 1172	3180	chrome.exe	87
PID 3180 wrote to memory of 1172	3180	chrome.exe	87
PID 3180 wrote to memory of 1172	3180	chrome.exe	87
PID 3180 wrote to memory of 1172	3180	chrome.exe	87
PID 3180 wrote to memory of 1172	3180	chrome.exe	87
PID 3180 wrote to memory of 1172	3180	chrome.exe	87
PID 3180 wrote to memory of 4464	3180	chrome.exe	88
PID 3180 wrote to memory of 4464	3180	chrome.exe	88
PID 3180 wrote to memory of 2016	3180	chrome.exe	89
PID 3180 wrote to memory of 2016	3180	chrome.exe	89
PID 3180 wrote to memory of 2016	3180	chrome.exe	89
PID 3180 wrote to memory of 2016	3180	chrome.exe	89
PID 3180 wrote to memory of 2016	3180	chrome.exe	89
PID 3180 wrote to memory of 2016	3180	chrome.exe	89
PID 3180 wrote to memory of 2016	3180	chrome.exe	89
PID 3180 wrote to memory of 2016	3180	chrome.exe	89
PID 3180 wrote to memory of 2016	3180	chrome.exe	89
PID 3180 wrote to memory of 2016	3180	chrome.exe	89
PID 3180 wrote to memory of 2016	3180	chrome.exe	89
PID 3180 wrote to memory of 2016	3180	chrome.exe	89
PID 3180 wrote to memory of 2016	3180	chrome.exe	89
PID 3180 wrote to memory of 2016	3180	chrome.exe	89
PID 3180 wrote to memory of 2016	3180	chrome.exe	89
PID 3180 wrote to memory of 2016	3180	chrome.exe	89
PID 3180 wrote to memory of 2016	3180	chrome.exe	89
PID 3180 wrote to memory of 2016	3180	chrome.exe	89
PID 3180 wrote to memory of 2016	3180	chrome.exe	89
PID 3180 wrote to memory of 2016	3180	chrome.exe	89
PID 3180 wrote to memory of 2016	3180	chrome.exe	89
PID 3180 wrote to memory of 2016	3180	chrome.exe	89
PID 3180 wrote to memory of 2016	3180	chrome.exe	89
PID 3180 wrote to memory of 2016	3180	chrome.exe	89
PID 3180 wrote to memory of 2016	3180	chrome.exe	89
PID 3180 wrote to memory of 2016	3180	chrome.exe	89
PID 3180 wrote to memory of 2016	3180	chrome.exe	89
PID 3180 wrote to memory of 2016	3180	chrome.exe	89
PID 3180 wrote to memory of 2016	3180	chrome.exe	89
PID 3180 wrote to memory of 2016	3180	chrome.exe	89

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4744	attrib.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\a0dde8e7faa841d6528a0a3c81ae9db6_JaffaCakes118.js
1⤵
PID:4612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ffb2d95cc40,0x7ffb2d95cc4c,0x7ffb2d95cc58
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1836,i,18049107511911841902,16145767660162058494,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1832 /prefetch:2
  2⤵
  PID:1172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2136,i,18049107511911841902,16145767660162058494,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2144 /prefetch:3
  2⤵
  PID:4464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2228,i,18049107511911841902,16145767660162058494,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1480 /prefetch:8
  2⤵
  PID:2016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,18049107511911841902,16145767660162058494,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3156,i,18049107511911841902,16145767660162058494,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4472,i,18049107511911841902,16145767660162058494,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4476 /prefetch:1
  2⤵
  PID:2664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4404,i,18049107511911841902,16145767660162058494,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4468 /prefetch:8
  2⤵
  PID:2980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4764,i,18049107511911841902,16145767660162058494,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4768 /prefetch:8
  2⤵
  PID:3132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=224,i,18049107511911841902,16145767660162058494,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4684 /prefetch:8
  2⤵
  PID:2352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4628,i,18049107511911841902,16145767660162058494,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4352 /prefetch:8
  2⤵
  PID:5028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5004,i,18049107511911841902,16145767660162058494,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:4024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=4380,i,18049107511911841902,16145767660162058494,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4768 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5208,i,18049107511911841902,16145767660162058494,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5084 /prefetch:1
  2⤵
  PID:1572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4532,i,18049107511911841902,16145767660162058494,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4548 /prefetch:8
  2⤵
  PID:2608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4544,i,18049107511911841902,16145767660162058494,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4528 /prefetch:8
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3200,i,18049107511911841902,16145767660162058494,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4520 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:8
- C:\Users\Admin\Downloads\StaffLoader.exe
  "C:\Users\Admin\Downloads\StaffLoader.exe"
  2⤵
  - Executes dropped EXE
  PID:2968
- - C:\Users\Admin\Downloads\StaffLoader.exe
    "C:\Users\Admin\Downloads\StaffLoader.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3152
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:3652
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:2280
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:3480
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:1192
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:1416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
      4⤵
      Hide Artifacts: Hidden Files and Directories
      PID:3748
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
        5⤵
        Views/modifies file attributes
        
        PID:4744
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f"
      4⤵
      PID:4508
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f
        5⤵
        Adds Run key to start application
        
        PID:1012
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:5028
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:3384
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3180"
      4⤵
      PID:912
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3180
        5⤵
        Kills process with taskkill
        
        PID:1212
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5012"
      4⤵
      PID:724
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5012
        5⤵
        Kills process with taskkill
        
        PID:1576
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1172"
      4⤵
      PID:728
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1172
        5⤵
        Kills process with taskkill
        
        PID:1952
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4464"
      4⤵
      PID:740
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4464
        5⤵
        Kills process with taskkill
        
        PID:804
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2016"
      4⤵
      PID:3496
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2016
        5⤵
        Kills process with taskkill
        
        PID:3200
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4024"
      4⤵
      PID:4520
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4024
        5⤵
        Kills process with taskkill
        
        PID:1892
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1572"
      4⤵
      PID:932
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1572
        5⤵
        Kills process with taskkill
        
        PID:1992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      PID:4472
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        
        PID:3736
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:3236
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      PID:2972
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        
        PID:4744
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:4228
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1732
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:1832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
      4⤵
      Clipboard Data
      PID:4768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        5⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:1328
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2948
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4156
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
      4⤵
      Network Service Discovery
      PID:2060
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:2760
    - - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        5⤵
        
        PID:3964
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        5⤵
        Collects information from the system
        
        PID:2512
    - - C:\Windows\system32\net.exe
        
        net user
        5⤵
        
        PID:980
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        6⤵
        
        PID:3452
    - - C:\Windows\system32\query.exe
        
        query user
        5⤵
        
        PID:3148
      - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        6⤵
        
        PID:1532
    - - C:\Windows\system32\net.exe
        
        net localgroup
        5⤵
        
        PID:276
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        6⤵
        
        PID:5012
    - - C:\Windows\system32\net.exe
        
        net localgroup administrators
        5⤵
        
        PID:768
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        6⤵
        
        PID:4900
    - - C:\Windows\system32\net.exe
        
        net user guest
        5⤵
        
        PID:2156
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        6⤵
        
        PID:844
    - - C:\Windows\system32\net.exe
        
        net user administrator
        5⤵
        
        PID:4024
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        6⤵
        
        PID:3472
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        5⤵
        
        PID:1948
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        5⤵
        Enumerates processes with tasklist
        
        PID:868
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:2132
    - - C:\Windows\system32\ROUTE.EXE
        
        route print
        5⤵
        
        PID:1380
    - - C:\Windows\system32\ARP.EXE
        
        arp -a
        5⤵
        Network Service Discovery
        
        PID:1228
    - - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        5⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:2952
    - - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        5⤵
        Launches sc.exe
        
        PID:4964
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1172
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4632
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:1752
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:1520
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:2664
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:1884

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1456

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2032

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
7e6fc6f83dcd65515fe194dffeb678de

SHA1
ab5426576310181e45a7ac73e00a00df08bdca2d

SHA256
bccc67c08a674b183bcfddfb8375960bb71804e50cf7b82ad22b0cd622cb1b41

SHA512
f7c132ea2100d4c40c44d6c5a6f438a8aaaa2bb646150674d88d2628ab539a45737596a503edcf2f205ceb96575d212cf88d147e499158e195c66bb4a04d634b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
3d0ea66140310f1fa552b3eb852db6ff

SHA1
0beb2cb981c4cafdd181f2fbaf55ea8298430323

SHA256
ea03ed72605e9289d9b1a7e24694854cc59f57dc6692f7f5083cb52a97f5da78

SHA512
a1bbc6c8cf2947370901194f700452708438e958cf579c3c70a00326f8d8b674987272b9e14d69f5a17e1f8ed69438ff2904b371521408a916183a77ed1dceac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2f219cb56b2a4a84aa0131ee590a9021

SHA1
2ae694f07343448913942fff70b4a005ff6b75a5

SHA256
335310a99ba601480c363f0399f25f31ba55bb39b0464cac95ff7a228a95ff50

SHA512
83922ba6bdfcfe25945a3eb5d40978ce51f103844f74912f47d9bb782ca6a0c84b0bae9dfa1a5db2bdc237bfd5ff79d8d73614573e08971d43e422b33a3897a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
60d5a843a3c2693319eea1b662289c43

SHA1
d95c67162583444eebb2283906945dd2acaf4a1a

SHA256
64a7462510f6f9589eb3326ec77823b8d7ca518fcd035bd98d5844cff1b01152

SHA512
afe7f7008b3a63bf24e4e51ab22d4cc08ca660e3446d0945e250a6a357818a3ef4e4e673a0849fd541a89530cb561f6dd2f7539f7f9a6d930e9f740b23613679

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
0dfcf7db78885a1510b3b2d0e6eb1cb3

SHA1
b414bb906d6e9abbcf22099da9d758cb9dd0b785

SHA256
31eedd4dedbe082833e07936686b7ef7196fab01a10672ce8a83979eeaea7fac

SHA512
de960e851cee6807f71df2d554727d198012d3d1d166a20922909b13af7e56c85d805f9e4df5e73b2ff8dd2a0b596d96b494ba908a8ea60fee68a1d04db7cf47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
7c4d0f41be56a69198fbe71268aa6bb6

SHA1
647daa5ce66a24bc773f149b0c10a5dbafd24211

SHA256
8262539355843e12783b1a66c277c687c6ede3cd70e25eeee92a0adb29aed936

SHA512
51546c2a38e9e6f42ff65274d7692a664d5493589389ec0e31e42ef922b461b0c80328f058e01fa4f341e7c58235db6f9d567040a625571b174e259270f84922

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ae1bf91ac8da1995aab9185b5f1bf5f7

SHA1
63ff85ffd7dbe1beb7aff7c61741cc14335446a5

SHA256
db549a335e1e73b7ea992a813bd3822811b75eb8b78c9ddddb502e3a676fd11b

SHA512
4485cad371107670e3d7703fbda4f25352fc04f0569f3830746c8a18d64fc66ae3379f095d242bddbbf31aec79b12bffc6ca211d64f6d47c9ca4d10e1b025a94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8d3d6918e66a99cb4f630f8985ccaaad

SHA1
af5e9b15020967a92b99b77009135ccb35fd5e0a

SHA256
567494c5323691aab84db233cb6bbbf6e4a61f9dd0798c770ea375f351d104de

SHA512
5f5a626fa75f209d770188de846c851712e8b63028a6c37d5f99d5e174e684ae967aaa3f66336896dc048a9720422f15520088b8583848e8bf35f9321fbd2bd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
db9b7ce8c9a51e97998e9158391a4458

SHA1
b886d3fb394ae84f1ce3048b8d1de16b22195c3e

SHA256
dac10527877d8e80163e1e39058a7c3d8e9014bb6eea2249d4df2d6ed850e6a3

SHA512
a176974d48f36979cd488368214dd5b3832ff5e3f70690614f694cfdc82339300accfc7965c40f84dc753445d7bc0f29b6ddd954684ceb9f3b1ae50d737c59db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
48b1b0838ab08a39ebb6815171473e8c

SHA1
f70f6ea05e26058fdfe7e5eb728159b42a979e18

SHA256
6d3d83163aa46749b4413063c29aa0e4ba24239d2e9b30141578f0388e80430b

SHA512
6101d3568b81f3faeca303bf92fd4c8ba7abf94457e3e5bfe5fec4201b1776aa9e9ee1b39f45314c0905b569c8de8d5793169054bc30fb0b590d8c3d53cbfd66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
51d2143fecf12ad8f267c7b760b3de7a

SHA1
97a908a1cb8349a9e95f724e0406347c3abccc23

SHA256
626d5fe6cca3090d2289116db57a5f41b46a062cb695040d5a0cffcd00f14f3c

SHA512
ab1858ce20bf8fa3085c1813e57daf8fd037e71c2e010367e7e64e6a9b369d8cc2b1ba17616ddf1cac5814af708404f3fdc39a44d760a35753d3d7f2b61acf4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
80c3a050812408b279bf0e53534a9068

SHA1
b79923afe9cd7acd53642daa580bec5125d7b427

SHA256
514817dd3bb8def9d691df5bfc22ca49fe3cb9e11b4c3a09ffd3a106da92b90f

SHA512
6aeb9b63f193ed80713354035e7ee7fdd000d8fcd7efd2424648b9a6db0df8481a56289f08cef3f6e8ec354250b81c8c2bc2d41d516437e7f95c7a79d0e0cb93

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
13KB

MD5
ea15c048b51a7194c638d96c85f9a9be

SHA1
729132fd5a8eeff5e3e13cfe657288a83612b9c5

SHA256
b197078ff5985f896b00e48fee91c38b16c8748fc72e678d3cc1f738fb86d082

SHA512
87493153c27281d7a6a748d93d0a017872a4a351df9d2b74b728f708c2f738c3d8ad0fb5b20f7f9bea7b07b61972796778c76feb2df25072fff488d125eb236a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
4eef8a2d1aa2d757d5ddf323d6bfa337

SHA1
4150e24b5473ad251ef936d9ce4ffb33e7aa5624

SHA256
2aa766a49a8c5f3a23bc3ad727d2be50eaa911c27c2255c0c938347888a421c5

SHA512
1efdfc973936b481df0324ae60c34ebd971e75e0bebe0fa65e28c8a1361288d39ac50811ad52cdb974eb5a07459ec92c515d919d9308803598ebf23d2fed8d4e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
198KB

MD5
fccee890b9a2d0b49b3c1637ade92225

SHA1
3919c0bcc61bdbb4f009c4e76fa063b6d965016b

SHA256
5d42279196301d7291f14f2b48975aaac733f5694d2441035805d90204f92e0f

SHA512
d9b493cf2e547d60c20fe8f36d7f7ae4775b43beb63e813d33870800c98fffc530a4e874c860fd2f311458a72b9982382e0697fa5ad89da284ed4d1635897484

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
198KB

MD5
f91dce04dc35cae99a7add79c2ca2de6

SHA1
5e711a4efe936ed39581946164cf67be802bf255

SHA256
d789c196e32ad81165572b48510eaf2f3049f93a9d51c038f0e50242f2735410

SHA512
5e30c4c73074c69bc1ebee51b88e4149f5a2a2eed81313bb01a6dd1bf13f2a9bebad80d9b2fb3369e29912b19e563c99951a83ba2f6c73223b9dd871e63a92e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
b8d5620e6dcbe502253b96eafe6349f0

SHA1
fcdfae993f8092135d7abbaa1ee63144bbb4cfa8

SHA256
0897e44d31dec12cbffa389513336c6ca10a5063eec3a8979ee288b32813bd93

SHA512
4f3ac72f8bdc33e8642e6d6d0b298c552e831ca06b838786e34b1dcc9e4387de4c770bb65e3c65ecc7fb1bab65a410e2365557aad2807151aa3ddd4a5f0b3f5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
198KB

MD5
4670b71101030424c98a6ccd71a0346c

SHA1
93f38ac6f38cad4d30c96c6deb4cf16f0cc808b1

SHA256
aeb6ce7bff587e80d87bc9d91026f5e293c6986b238b322db151c6b144271199

SHA512
2778ee06717b33cb35670ef560c3377d1d1a9f16e857988fedc89b79e43c264a534abbe1581794cd6b3aad3421fe6ca16c3b4cb43db87e5b8556bfbc77a2e7e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\VCRUNTIME140.dll

Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\_asyncio.pyd

Filesize
31KB

MD5
480d3f4496e16d54bb5313d206164134

SHA1
3db3a9f21be88e0b759855bf4f937d0bbfdf1734

SHA256
568fb5c3d9b170ce1081ad12818b9a12f44ab1577449425a3ef30c2efbee613d

SHA512
8e887e8de9c31dbb6d0a85b4d6d4157e917707e63ce5f119bb4b03cb28d41af90d087e3843f3a4c2509bca70cdac3941e00b8a5144ade8532a97166a5d0a7bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\_bz2.pyd

Filesize
43KB

MD5
39b487c3e69816bd473e93653dbd9b7f

SHA1
bdce6fde092a3f421193ddb65df893c40542a4e2

SHA256
a1629c455be2cf55e36021704716f4b16a96330fe993aae9e818f67c4026fcdc

SHA512
7543c1555e8897d15c952b89427e7d06c32e250223e85fafae570f8a0fa13c39fb6fc322d043324a31b2f2f08d2f36e0da59dfd741d09c035d0429173b6badc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\_cffi_backend.cp310-win_amd64.pyd

Filesize
70KB

MD5
02f89c947c9e367ca623665a3fae46c5

SHA1
e07b3b8286834a26167c18bb0af67112355ce490

SHA256
08d0b7f5c0930d09af47db6627d48a89f3801afe37fe71d0739ea569092d3b55

SHA512
ab9ee4976f7842e978588e05b658a8320d487249886706ad42c1fd1fc292ab71c6efac04f0a9c0b3a6cf2dcb2c8b80a62baa71899bb4f4032fcfe0458975663c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\_ctypes.pyd

Filesize
53KB

MD5
b1f12f4bfc0bd49a6646a0786bc5bc00

SHA1
acb7d8c665bb8ca93e5f21e178870e3d141d7cbc

SHA256
1fe61645ed626fc1dec56b2e90e8e551066a7ff86edbd67b41cb92211358f3d7

SHA512
a3fb041bd122638873c395b95f1a541007123f271572a8a988c9d01d2b2d7bb20d70e1d97fc3abffd28cb704990b41d8984974c344faea98dd0c6b07472b5731

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\_decimal.pyd

Filesize
101KB

MD5
b7f498da5aec35140a6d928a8f792911

SHA1
95ab794a2d4cb8074a23d84b10cd62f7d12a4cd0

SHA256
b15f0dc3ce6955336162c9428077dcedfa1c52e60296251521819f3239c26ee8

SHA512
5fcb2d5325a6a4b7aff047091957ba7f13de548c5330f0149682d44140ac0af06837465871c598db71830fd3b2958220f80ae8744ef16fdb7336b3d6a5039e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\_hashlib.pyd

Filesize
30KB

MD5
31dfa2caaee02cc38adf4897b192d6d1

SHA1
9be57a9bad1cb420675f5b9e04c48b76d18f4a19

SHA256
dc045ac7d4bde60b0f122d307fcd2bbaf5e1261a280c4fb67cfc43de5c0c2a0f

SHA512
3e58c083e1e3201a9fbbf6a4fcbc2b0273cf22badabab8701b10b3f8fdd20b11758cdcfead557420393948434e340aad751a4c7aa740097ab29d1773ea3a0100

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\_lzma.pyd

Filesize
81KB

MD5
95badb08cd77e563c9753fadc39a34dd

SHA1
b3c3dfe64e89b5e7afb5f064bbf9d8d458f626a0

SHA256
5545627b465d780b6107680922ef44144a22939dd406deae44858b79747e301a

SHA512
eb36934b73f36ba2162e75f0866435f57088777dc40379f766366c26d40f185de5be3da55d17f5b82cb498025d8d90bc16152900502eb7f5de88bbef84ace2cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\_multiprocessing.pyd

Filesize
22KB

MD5
28f6fcc0b7bb10a45ff1370c9e1b9561

SHA1
c7669f406b5ec2306a402e872dec17380219907a

SHA256
6dd33d49554ee61490725ea2c9129c15544791ab7a65fb523cc9b4f88d38744b

SHA512
2aef40344e80c3518afc07bf6ad4c96c4fff44434f8307e2efa544290d59504d7b014d7ea94af0377e342a632d6c4c74bfdf16d26f92ccc7062be618ea4dbee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\_overlapped.pyd

Filesize
27KB

MD5
745706ab482fe9c9f92383292f121072

SHA1
439f00978795d0845aceaf007fd76ff5947567fd

SHA256
4d98e7d1b74bd209f8c66e1a276f60b470f6a5d6f519f76a91eb75be157a903d

SHA512
52fe3dfc45c380dfb1d9b6e453bdffcd92d57ad7b7312d0b9a86a76d437c512a17da33822f8e81760710d8ff4fd6a4b702d2abfffc600c9350d4d463451d38d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\_queue.pyd

Filesize
21KB

MD5
18b8b2b0aefcee9527299c464b7f6d3d

SHA1
a565216faee2534bbda5b3f65aeb2eef5fd9bcda

SHA256
6f334fa1474116dd499a125f3b5ca4cd698039446faf50340f9a3f7af3adb8c2

SHA512
0b56e9d89f4dd3da830954b6561c49c06775854e0b27bc2b07ea8e9c79829d66dae186b95209c8c4cc7c3a7ba6b03cdf134b2e0036cea929e61d755d4709abcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\_socket.pyd

Filesize
38KB

MD5
f675cf3cdd836cacfab9c89ab9f97108

SHA1
3e077bf518f7a4cb30ea4607338cff025d4d476e

SHA256
bb82a23d8dc6bf4c9aeb91d3f3bef069276ae3b14eeca100b988b85dd21e2dd3

SHA512
e2344b5f59bd0fad3570977edf0505aa2e05618e66d07c9f93b163fc151c4e1d6fbc0e25b7c989505c1270f8cd4840c6120a73a7ad64591ee3c4fb282375465e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\_sqlite3.pyd

Filesize
45KB

MD5
1dbec8753e5cd062cd71a8bb294f28f9

SHA1
c32e9b577f588408a732047863e04a1db6ca231e

SHA256
6d95d41a36b5c9e3a895eff91149978aa383b6a8617d542accef2080737c3cad

SHA512
a1c95dbb1a9e2ffbcc9422f53780b35fbc77cb56ac3562afb8753161a233e5efa8da8ad67f5bde5a094beb8331d9dab5c3d5e673a8d09fd6d0383a8a6ffda087

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\_ssl.pyd

Filesize
57KB

MD5
2edf5c4e534a45966a68033e7395f40d

SHA1
478ef27474eec0fd966d1663d2397e8fb47fec17

SHA256
7abc2b326f5b7c3011827eb7a5a4d896cc6b2619246826519b3f57d2bb99d3bd

SHA512
f83b698cfe702a15eb0267f254c593b90fa155ad2aefe75e5ba0ee5d4f38976882796cba2a027b42a910f244360177ac809891d505b3d0ae9276156b64850b6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\_uuid.pyd

Filesize
18KB

MD5
b3e7fc44f12d2db5bad6922e0b1d927f

SHA1
3fe8ef4b6fb0bc590a1c0c0f5710453e8e340f8f

SHA256
6b93290a74fb288489405044a7dee7cca7c25fa854be9112427930dd739ebace

SHA512
a0465a38aaac2d501e9a12a67d5d71c9eeeb425f535c473fc27ac13c2bb307641cc3cef540472f916e341d7bada80a84b99d78850d94c95ee14139f8540d0c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\base_library.zip

Filesize
858KB

MD5
1ebb920a2696a11237f3e8e4af10d802

SHA1
f86a052e2dfa2df8884ebf80832814f920a820e6

SHA256
d0e26325e67b3db749a83698413c4c270d8b26cd7dbc607006bc526ee784d6df

SHA512
2cfa6746dcdf575f26267b359a8820a6f29d81967c62131463802b30db2e17c8f159a2cbc652f25bdfdfd7c5942d26a26f9e1df984f8560696153a3427e4fb47

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\libcrypto-1_1.dll

Filesize
1.1MB

MD5
700f32459dca0f54c982cd1c1ddd6b8b

SHA1
2538711c091ac3f572cb0f13539a68df0f228f28

SHA256
1de22bd1a0154d49f48b3fab94fb1fb1abd8bfed37d18e79a86ecd7cdab893c9

SHA512
99de1f5cb78c83fc6af0a475fb556f1ac58a1ba734efc69d507bf5dc1b0535a401d901324be845d7a59db021f8967cf33a7b105b2ddcb2e02a39dc0311e7c36d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\libffi-7.dll

Filesize
23KB

MD5
d50ebf567149ead9d88933561cb87d09

SHA1
171df40e4187ebbfdf9aa1d76a33f769fb8a35ed

SHA256
6aa8e12ce7c8ad52dd2e3fabeb38a726447849669c084ea63d8e322a193033af

SHA512
7bcc9d6d3a097333e1e4b2b23c81ea1b5db7dbdc5d9d62ebaffb0fdfb6cfe86161520ac14dc835d1939be22b9f342531f48da70f765a60b8e2c3d7b9983021de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\libssl-1_1.dll

Filesize
198KB

MD5
45498cefc9ead03a63c2822581cd11c6

SHA1
f96b6373237317e606b3715705a71db47e2cafad

SHA256
a84174a00dc98c98240ad5ee16c35e6ef932cebd5b8048ff418d3dd80f20deca

SHA512
4d3d8d33e7f3c2bf1cad3afbfba6ba53852d1314713ad60eeae1d51cc299a52b73da2c629273f9e0b7983ca01544c3645451cfa247911af4f81ca88a82cf6a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\multidict\_multidict.cp310-win_amd64.pyd

Filesize
20KB

MD5
58a0ff76a0d7d3cd86ceb599d247c612

SHA1
af52bdb9556ef4b9d38cf0f0b9283494daa556a6

SHA256
2079d8be068f67fb2ece4fb3f5927c91c1c25edecb9d1c480829eb1cd21d7cc5

SHA512
e2d4f80cdeba2f5749a4d3de542e09866055d8aee1d308b96cb61bc53f4495c781e9b2559cc6a5f160be96b307539a8b6e06cabeffcc0ddb9ad4107dcacd8a76

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\pyexpat.pyd

Filesize
81KB

MD5
b4cf065f5e5b7a5bc2dd2b2e09bea305

SHA1
d289a500ffd399053767ee7339e48c161655b532

SHA256
9b5f407a2a1feaa76c6d3058a2f04c023b1c50b31d417bbfee69024098e4938b

SHA512
ddd9e216b11152d6a50481e06bb409335d36ce7fe63072aa0c7789c541593f2d7e8b4373be67a018c59f5e418e5a39a3ad729b732f11fa253f6275a64e125989

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\python3.DLL

Filesize
60KB

MD5
a5471f05fd616b0f8e582211ea470a15

SHA1
cb5f8bf048dc4fc58f80bdfd2e04570dbef4730e

SHA256
8d5e09791b8b251676e16bdd66a7118d88b10b66ad80a87d5897fadbefb91790

SHA512
e87d06778201615b129dcf4e8b4059399128276eb87102b5c3a64b6e92714f6b0d5bde5df4413cc1b66d33a77d7a3912eaa1035f73565dbfd62280d09d46abff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\python310.dll

Filesize
1.4MB

MD5
90d5b8ba675bbb23f01048712813c746

SHA1
f2906160f9fc2fa719fea7d37e145156742ea8a7

SHA256
3a7d497d779ff13082835834a1512b0c11185dd499ab86be830858e7f8aaeb3e

SHA512
872c2bf56c3fe180d9b4fb835a92e1dc188822e9d9183aab34b305408bb82fba1ead04711e8ad2bef1534e86cd49f2445d728851206d7899c1a7a83e5a62058e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\select.pyd

Filesize
21KB

MD5
740424368fb6339d67941015e7ac4096

SHA1
64f3fab24f469a027ddfcf0329eca121f4164e45

SHA256
a389eae40188282c91e0cdf38c79819f475375860225b6963deb11623485b76d

SHA512
6d17dc3f294f245b4ca2eca8e62f4c070c7b8a5325349bc25ebaeea291a5a5ebd268bd1321c08755141aa58de0f985adc67335b4f83bc1aeec4b398d0f538e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\sqlite3.dll

Filesize
605KB

MD5
7055e9008e847cb6015b1bb89f26c7ac

SHA1
c7c844cb46f8287a88bec3bd5d02647f5a07ae80

SHA256
2884d8e9007461ab6e8bbdd37c6bc4f6de472bbd52ec5b53e0a635075d86b871

SHA512
651b7b8c2518e4826d84c89be5052fd944f58f558c51cc905da181049850186d0a87fd2e05734fbe6a69618a6e48261a9fdd043ab17eb01620c6510e96d57008

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29682\unicodedata.pyd

Filesize
285KB

MD5
0c26e9925bea49d7cf03cfc371283a9b

SHA1
89290d3e43e18165cb07a7a4f99855b9e8466b21

SHA256
13c2ea04a1d40588536f1d7027c8d0ea228a9fb328ca720d6c53b96a8e1ae724

SHA512
6a3cd4b48f7c0087f4a1bdc1241df71d56bd90226759481f17f56baa1b991d1af0ba5798a2b7ba57d9ffa9ec03a12bfac81df2fba88765bd369435ff21a941e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_33lhqqqp.1iw.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\StaffLoader.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 694685.crdownload

Filesize
9.4MB

MD5
4ed456dfa36635dabf31d6571c53362f

SHA1
e6cd5d7271f99d04b90736e3e5defd0988f3103b

SHA256
0acf9a31d3fbee46692c4a92d867038b6296d72b7d1d24b986d3f558e4cb7c90

SHA512
337bdf3daa2ee09e2ffac24f549faa9e770bc3938062b5d88eaf2accfc10e9e098c8c7e55a16d4b3316e186b2ae1bb46868aa05c6b1c7b6abc17468c41f0fd15

Download Submit
memory/1328-427-0x0000020A68A20000-0x0000020A68A42000-memory.dmp

Filesize
136KB

Download
memory/3152-322-0x00007FFB3F440000-0x00007FFB3F8A5000-memory.dmp

Filesize
4.4MB

Download
memory/3152-463-0x00007FFB3FA40000-0x00007FFB3FA54000-memory.dmp

Filesize
80KB

Download
memory/3152-301-0x00007FFB48CE0000-0x00007FFB48CED000-memory.dmp

Filesize
52KB

Download
memory/3152-303-0x00007FFB42440000-0x00007FFB42459000-memory.dmp

Filesize
100KB

Download
memory/3152-305-0x00007FFB42410000-0x00007FFB4243C000-memory.dmp

Filesize
176KB

Download
memory/3152-313-0x00007FFB3F2D0000-0x00007FFB3F43D000-memory.dmp

Filesize
1.4MB

Download
memory/3152-316-0x00000154B17F0000-0x00000154B1B64000-memory.dmp

Filesize
3.5MB

Download
memory/3152-317-0x00007FFB3FA60000-0x00007FFB3FA8E000-memory.dmp

Filesize
184KB

Download
memory/3152-315-0x00007FFB2DCA0000-0x00007FFB2E014000-memory.dmp

Filesize
3.5MB

Download
memory/3152-327-0x00007FFB3F1D0000-0x00007FFB3F1E5000-memory.dmp

Filesize
84KB

Download
memory/3152-329-0x00007FFB3F0B0000-0x00007FFB3F1C8000-memory.dmp

Filesize
1.1MB

Download
memory/3152-328-0x00007FFB424F0000-0x00007FFB42509000-memory.dmp

Filesize
100KB

Download
memory/3152-326-0x00007FFB42550000-0x00007FFB42574000-memory.dmp

Filesize
144KB

Download
memory/3152-325-0x00007FFB48480000-0x00007FFB48490000-memory.dmp

Filesize
64KB

Download
memory/3152-324-0x00007FFB3F1F0000-0x00007FFB3F204000-memory.dmp

Filesize
80KB

Download
memory/3152-323-0x00007FFB3FA40000-0x00007FFB3FA54000-memory.dmp

Filesize
80KB

Download
memory/3152-314-0x00007FFB3F210000-0x00007FFB3F2C6000-memory.dmp

Filesize
728KB

Download
memory/3152-330-0x00007FFB3F080000-0x00007FFB3F0A2000-memory.dmp

Filesize
136KB

Download
memory/3152-331-0x00007FFB3F060000-0x00007FFB3F077000-memory.dmp

Filesize
92KB

Download
memory/3152-332-0x00007FFB3F040000-0x00007FFB3F059000-memory.dmp

Filesize
100KB

Download
memory/3152-333-0x00007FFB3FA90000-0x00007FFB3FAAE000-memory.dmp

Filesize
120KB

Download
memory/3152-334-0x00007FFB3EFF0000-0x00007FFB3F03D000-memory.dmp

Filesize
308KB

Download
memory/3152-335-0x00007FFB3F210000-0x00007FFB3F2C6000-memory.dmp

Filesize
728KB

Download
memory/3152-336-0x00007FFB2DCA0000-0x00007FFB2E014000-memory.dmp

Filesize
3.5MB

Download
memory/3152-341-0x00007FFB3EFB0000-0x00007FFB3EFCE000-memory.dmp

Filesize
120KB

Download
memory/3152-340-0x00007FFB424E0000-0x00007FFB424EA000-memory.dmp

Filesize
40KB

Download
memory/3152-339-0x00007FFB3FA60000-0x00007FFB3FA8E000-memory.dmp

Filesize
184KB

Download
memory/3152-338-0x00007FFB3EFD0000-0x00007FFB3EFE1000-memory.dmp

Filesize
68KB

Download
memory/3152-337-0x00000154B17F0000-0x00000154B1B64000-memory.dmp

Filesize
3.5MB

Download
memory/3152-342-0x00007FFB29BA0000-0x00007FFB2A341000-memory.dmp

Filesize
7.6MB

Download
memory/3152-343-0x00007FFB3EF70000-0x00007FFB3EFA6000-memory.dmp

Filesize
216KB

Download
memory/3152-307-0x00007FFB3FA90000-0x00007FFB3FAAE000-memory.dmp

Filesize
120KB

Download
memory/3152-277-0x00007FFB42550000-0x00007FFB42574000-memory.dmp

Filesize
144KB

Download
memory/3152-390-0x00007FFB3F0B0000-0x00007FFB3F1C8000-memory.dmp

Filesize
1.1MB

Download
memory/3152-425-0x00007FFB3F080000-0x00007FFB3F0A2000-memory.dmp

Filesize
136KB

Download
memory/3152-426-0x00007FFB425A0000-0x00007FFB425AD000-memory.dmp

Filesize
52KB

Download
memory/3152-278-0x00007FFB48DB0000-0x00007FFB48DBF000-memory.dmp

Filesize
60KB

Download
memory/3152-268-0x00007FFB3F440000-0x00007FFB3F8A5000-memory.dmp

Filesize
4.4MB

Download
memory/3152-442-0x00007FFB3F060000-0x00007FFB3F077000-memory.dmp

Filesize
92KB

Download
memory/3152-443-0x00007FFB3F040000-0x00007FFB3F059000-memory.dmp

Filesize
100KB

Download
memory/3152-444-0x00007FFB3EFF0000-0x00007FFB3F03D000-memory.dmp

Filesize
308KB

Download
memory/3152-477-0x00007FFB425A0000-0x00007FFB425AD000-memory.dmp

Filesize
52KB

Download
memory/3152-476-0x00007FFB3EF70000-0x00007FFB3EFA6000-memory.dmp

Filesize
216KB

Download
memory/3152-299-0x00007FFB424F0000-0x00007FFB42509000-memory.dmp

Filesize
100KB

Download
memory/3152-469-0x00007FFB3F060000-0x00007FFB3F077000-memory.dmp

Filesize
92KB

Download
memory/3152-475-0x00007FFB29BA0000-0x00007FFB2A341000-memory.dmp

Filesize
7.6MB

Download
memory/3152-468-0x00007FFB3F080000-0x00007FFB3F0A2000-memory.dmp

Filesize
136KB

Download
memory/3152-464-0x00007FFB48480000-0x00007FFB48490000-memory.dmp

Filesize
64KB

Download
memory/3152-462-0x00007FFB2DCA0000-0x00007FFB2E014000-memory.dmp

Filesize
3.5MB

Download
memory/3152-461-0x00007FFB3F210000-0x00007FFB3F2C6000-memory.dmp

Filesize
728KB

Download
memory/3152-460-0x00007FFB3FA60000-0x00007FFB3FA8E000-memory.dmp

Filesize
184KB

Download
memory/3152-459-0x00007FFB3F2D0000-0x00007FFB3F43D000-memory.dmp

Filesize
1.4MB

Download
memory/3152-458-0x00007FFB3FA90000-0x00007FFB3FAAE000-memory.dmp

Filesize
120KB

Download
memory/3152-452-0x00007FFB42550000-0x00007FFB42574000-memory.dmp

Filesize
144KB

Download
memory/3152-451-0x00007FFB3F440000-0x00007FFB3F8A5000-memory.dmp

Filesize
4.4MB

Download
memory/3152-478-0x00007FFB3F440000-0x00007FFB3F8A5000-memory.dmp

Filesize
4.4MB

Download
memory/3152-490-0x00007FFB3FA40000-0x00007FFB3FA54000-memory.dmp

Filesize
80KB

Download
memory/3152-487-0x00007FFB3FA60000-0x00007FFB3FA8E000-memory.dmp

Filesize
184KB

Download
memory/3152-536-0x00007FFB48CE0000-0x00007FFB48CED000-memory.dmp

Filesize
52KB

Download
memory/3152-546-0x00007FFB3F1F0000-0x00007FFB3F204000-memory.dmp

Filesize
80KB

Download
memory/3152-547-0x00007FFB3F1D0000-0x00007FFB3F1E5000-memory.dmp

Filesize
84KB

Download
memory/3152-553-0x00007FFB2DCA0000-0x00007FFB2E014000-memory.dmp

Filesize
3.5MB

Download
memory/3152-556-0x00007FFB425A0000-0x00007FFB425AD000-memory.dmp

Filesize
52KB

Download
memory/3152-555-0x00007FFB3EF70000-0x00007FFB3EFA6000-memory.dmp

Filesize
216KB

Download
memory/3152-554-0x00007FFB29BA0000-0x00007FFB2A341000-memory.dmp

Filesize
7.6MB

Download
memory/3152-548-0x00007FFB3F0B0000-0x00007FFB3F1C8000-memory.dmp

Filesize
1.1MB

Download
memory/3152-552-0x00007FFB3EFF0000-0x00007FFB3F03D000-memory.dmp

Filesize
308KB

Download
memory/3152-551-0x00007FFB3F040000-0x00007FFB3F059000-memory.dmp

Filesize
100KB

Download
memory/3152-550-0x00007FFB3F060000-0x00007FFB3F077000-memory.dmp

Filesize
92KB

Download
memory/3152-549-0x00007FFB3F080000-0x00007FFB3F0A2000-memory.dmp

Filesize
136KB

Download
memory/3152-545-0x00007FFB3FA40000-0x00007FFB3FA54000-memory.dmp

Filesize
80KB

Download
memory/3152-544-0x00007FFB3EFD0000-0x00007FFB3EFE1000-memory.dmp

Filesize
68KB

Download
memory/3152-543-0x00007FFB3EFB0000-0x00007FFB3EFCE000-memory.dmp

Filesize
120KB

Download
memory/3152-542-0x00007FFB424E0000-0x00007FFB424EA000-memory.dmp

Filesize
40KB

Download
memory/3152-541-0x00007FFB3F210000-0x00007FFB3F2C6000-memory.dmp

Filesize
728KB

Download
memory/3152-540-0x00007FFB3FA60000-0x00007FFB3FA8E000-memory.dmp

Filesize
184KB

Download
memory/3152-539-0x00007FFB3FA90000-0x00007FFB3FAAE000-memory.dmp

Filesize
120KB

Download
memory/3152-538-0x00007FFB42410000-0x00007FFB4243C000-memory.dmp

Filesize
176KB

Download
memory/3152-537-0x00007FFB42440000-0x00007FFB42459000-memory.dmp

Filesize
100KB

Download
memory/3152-513-0x00007FFB3F2D0000-0x00007FFB3F43D000-memory.dmp

Filesize
1.4MB

Download
memory/3152-535-0x00007FFB424F0000-0x00007FFB42509000-memory.dmp

Filesize
100KB

Download
memory/3152-534-0x00007FFB48DB0000-0x00007FFB48DBF000-memory.dmp

Filesize
60KB

Download
memory/3152-533-0x00007FFB42550000-0x00007FFB42574000-memory.dmp

Filesize
144KB

Download
memory/3152-532-0x00007FFB48480000-0x00007FFB48490000-memory.dmp

Filesize
64KB

Download
memory/3152-505-0x00007FFB3F440000-0x00007FFB3F8A5000-memory.dmp

Filesize
4.4MB

Download