exelastealer | hxxps://www[.]mediafire[.]com/file/49m2137ebiqbuq5/NyrixGrabber+(2)[.]zip/file

Analysis

max time kernel
171s
max time network
169s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
17/08/2024, 19:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/49m2137ebiqbuq5/NyrixGrabber+(2).zip/file

Score

10^/10

exelastealer collection credential_access defense_evasion discovery evasion persistence privilege_escalation stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2820	netsh.exe
2812	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4596	cmd.exe
2640	powershell.exe

Loads dropped DLL 31 IoCs

pid	Process
4648	NyrixGrabberA.exe
4648	NyrixGrabberA.exe
4648	NyrixGrabberA.exe
4648	NyrixGrabberA.exe
4648	NyrixGrabberA.exe
4648	NyrixGrabberA.exe
4648	NyrixGrabberA.exe
4648	NyrixGrabberA.exe
4648	NyrixGrabberA.exe
4648	NyrixGrabberA.exe
4648	NyrixGrabberA.exe
4648	NyrixGrabberA.exe
4648	NyrixGrabberA.exe
4648	NyrixGrabberA.exe
4648	NyrixGrabberA.exe
4648	NyrixGrabberA.exe
4648	NyrixGrabberA.exe
4648	NyrixGrabberA.exe
4648	NyrixGrabberA.exe
4648	NyrixGrabberA.exe
4648	NyrixGrabberA.exe
4648	NyrixGrabberA.exe
4648	NyrixGrabberA.exe
4648	NyrixGrabberA.exe
4648	NyrixGrabberA.exe
4648	NyrixGrabberA.exe
4648	NyrixGrabberA.exe
4648	NyrixGrabberA.exe
4648	NyrixGrabberA.exe
4648	NyrixGrabberA.exe
4648	NyrixGrabberA.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000100000002abcc-935.dat	upx
behavioral1/memory/4648-939-0x00007FFF46D20000-0x00007FFF47308000-memory.dmp	upx
behavioral1/files/0x000300000002ab9d-941.dat	upx
behavioral1/files/0x000100000002abc6-948.dat	upx
behavioral1/memory/4648-947-0x00007FFF65950000-0x00007FFF65974000-memory.dmp	upx
behavioral1/files/0x000200000002ab9b-956.dat	upx
behavioral1/files/0x000800000002ab90-955.dat	upx
behavioral1/files/0x000100000002abcf-954.dat	upx
behavioral1/files/0x000100000002abce-953.dat	upx
behavioral1/files/0x000100000002abcd-952.dat	upx
behavioral1/files/0x000100000002abca-951.dat	upx
behavioral1/files/0x000100000002abc7-950.dat	upx
behavioral1/files/0x000100000002abc5-949.dat	upx
behavioral1/memory/4648-976-0x00007FFF65890000-0x00007FFF658B3000-memory.dmp	upx
behavioral1/memory/4648-977-0x00007FFF46BA0000-0x00007FFF46D13000-memory.dmp	upx
behavioral1/memory/4648-975-0x00007FFF658E0000-0x00007FFF6590D000-memory.dmp	upx
behavioral1/memory/4648-974-0x00007FFF65910000-0x00007FFF65929000-memory.dmp	upx
behavioral1/memory/4648-972-0x00007FFF659B0000-0x00007FFF659BD000-memory.dmp	upx
behavioral1/memory/4648-971-0x00007FFF65930000-0x00007FFF65949000-memory.dmp	upx
behavioral1/files/0x000100000002aba4-969.dat	upx
behavioral1/memory/4648-968-0x00007FFF66860000-0x00007FFF6686F000-memory.dmp	upx
behavioral1/files/0x000100000002aba7-967.dat	upx
behavioral1/files/0x000100000002aba6-966.dat	upx
behavioral1/files/0x000100000002aba5-965.dat	upx
behavioral1/files/0x000100000002aba3-963.dat	upx
behavioral1/files/0x000100000002aba2-962.dat	upx
behavioral1/files/0x000100000002aba1-961.dat	upx
behavioral1/files/0x000200000002aba0-960.dat	upx
behavioral1/files/0x000200000002ab9f-959.dat	upx
behavioral1/files/0x000200000002ab9e-958.dat	upx
behavioral1/files/0x000200000002ab9c-957.dat	upx
behavioral1/memory/4648-979-0x00007FFF64EF0000-0x00007FFF64F1E000-memory.dmp	upx
behavioral1/memory/4648-980-0x00007FFF51720000-0x00007FFF517D8000-memory.dmp	upx
behavioral1/memory/4648-985-0x00007FFF59BE0000-0x00007FFF59C02000-memory.dmp	upx
behavioral1/memory/4648-986-0x00007FFF46820000-0x00007FFF46B95000-memory.dmp	upx
behavioral1/memory/4648-984-0x00007FFF46700000-0x00007FFF4681C000-memory.dmp	upx
behavioral1/memory/4648-983-0x00007FFF60240000-0x00007FFF60254000-memory.dmp	upx
behavioral1/memory/4648-982-0x00007FFF60DE0000-0x00007FFF60DF4000-memory.dmp	upx
behavioral1/memory/4648-993-0x00007FFF59BC0000-0x00007FFF59BDE000-memory.dmp	upx
behavioral1/memory/4648-996-0x00007FFF60220000-0x00007FFF60237000-memory.dmp	upx
behavioral1/memory/4648-995-0x00007FFF65950000-0x00007FFF65974000-memory.dmp	upx
behavioral1/memory/4648-994-0x00007FFF45F50000-0x00007FFF466F1000-memory.dmp	upx
behavioral1/memory/4648-992-0x00007FFF5FF90000-0x00007FFF5FF9A000-memory.dmp	upx
behavioral1/memory/4648-991-0x00007FFF5BC50000-0x00007FFF5BC61000-memory.dmp	upx
behavioral1/memory/4648-990-0x00007FFF4BCB0000-0x00007FFF4BCFD000-memory.dmp	upx
behavioral1/memory/4648-989-0x00007FFF5CFE0000-0x00007FFF5CFF9000-memory.dmp	upx
behavioral1/memory/4648-988-0x00007FFF60E00000-0x00007FFF60E12000-memory.dmp	upx
behavioral1/memory/4648-987-0x00007FFF62660000-0x00007FFF62675000-memory.dmp	upx
behavioral1/memory/4648-978-0x00007FFF46D20000-0x00007FFF47308000-memory.dmp	upx
behavioral1/memory/4648-997-0x00007FFF58B80000-0x00007FFF58BB6000-memory.dmp	upx
behavioral1/memory/4648-1009-0x00007FFF65930000-0x00007FFF65949000-memory.dmp	upx
behavioral1/memory/4648-1066-0x00007FFF65890000-0x00007FFF658B3000-memory.dmp	upx
behavioral1/memory/4648-1100-0x00007FFF46BA0000-0x00007FFF46D13000-memory.dmp	upx
behavioral1/memory/4648-1102-0x00007FFF5FFD0000-0x00007FFF5FFDD000-memory.dmp	upx
behavioral1/memory/4648-1118-0x00007FFF59BE0000-0x00007FFF59C02000-memory.dmp	upx
behavioral1/memory/4648-1119-0x00007FFF62660000-0x00007FFF62675000-memory.dmp	upx
behavioral1/memory/4648-1120-0x00007FFF60E00000-0x00007FFF60E12000-memory.dmp	upx
behavioral1/memory/4648-1121-0x00007FFF45F50000-0x00007FFF466F1000-memory.dmp	upx
behavioral1/memory/4648-1122-0x00007FFF46D20000-0x00007FFF47308000-memory.dmp	upx
behavioral1/memory/4648-1147-0x00007FFF58B80000-0x00007FFF58BB6000-memory.dmp	upx
behavioral1/memory/4648-1130-0x00007FFF46BA0000-0x00007FFF46D13000-memory.dmp	upx
behavioral1/memory/4648-1123-0x00007FFF65950000-0x00007FFF65974000-memory.dmp	upx
behavioral1/memory/4648-1158-0x00007FFF46D20000-0x00007FFF47308000-memory.dmp	upx
behavioral1/memory/4648-1170-0x00007FFF62660000-0x00007FFF62675000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
67	discord.com
278	discord.com
279	discord.com
280	discord.com
281	discord.com
282	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
1920	cmd.exe
368	ARP.EXE

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_01cf530faf2f1752\display.PNF	chrome.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
4880	tasklist.exe
3988	tasklist.exe
2068	tasklist.exe
3512	tasklist.exe
128	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1352	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1428	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
476	netsh.exe
2944	cmd.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
1832	NETSTAT.EXE

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Winword.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Winword.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Winword.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
1420	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4008	WMIC.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Winword.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	Winword.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	Winword.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1408	ipconfig.exe
1832	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2160	systeminfo.exe

Kills process with taskkill 12 IoCs

evasion

pid	Process
3092	taskkill.exe
1656	taskkill.exe
2192	taskkill.exe
2040	taskkill.exe
3664	taskkill.exe
4644	taskkill.exe
2072	taskkill.exe
3364	taskkill.exe
2904	taskkill.exe
3216	taskkill.exe
2876	taskkill.exe
4652	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133683977033368842"	chrome.exe

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\潬灯se谏⑚눀耀	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\sln_auto_file\shell	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\sln_auto_file\shell\edit\command\ = "\"C:\\Program Files\\Microsoft Office\\root\\Office16\\Winword.exe\" /n \"%1\""	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\.sln	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\짎ǖ\ = "sln_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\潬灯se谏⑚눀耀\ = "sln_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\D1짎ǖ\ = "sln_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\潬灯s谍⑜돖耀敲d敲e谒┨ऀ耀	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\sln_auto_file\shell\edit\command	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\sln_auto_file	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\潬灯s谍⑜돖耀敲d敲e谒┨ऀ耀\ = "sln_auto_file"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\sln_auto_file\shell\edit\ = "@C:\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\Office16\\oregres.dll,-1"	OpenWith.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\.sln\ = "sln_auto_file"	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\짎ǖ	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\D1짎ǖ	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\sln_auto_file\shell\edit	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\NyrixGrabber (2).zip:Zone.Identifier	chrome.exe

Runs net.exe

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
2384	Winword.exe
2384	Winword.exe
3364	Winword.exe
3364	Winword.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4484	chrome.exe
4484	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
3928	chrome.exe
2640	powershell.exe
2640	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3928	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe
Token: SeShutdownPrivilege	4484	chrome.exe
Token: SeCreatePagefilePrivilege	4484	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe
4484	chrome.exe

Suspicious use of SetWindowsHookEx 44 IoCs

pid	Process
1232	OpenWith.exe
4880	OpenWith.exe
4880	OpenWith.exe
4880	OpenWith.exe
4880	OpenWith.exe
4880	OpenWith.exe
4880	OpenWith.exe
4880	OpenWith.exe
4880	OpenWith.exe
4880	OpenWith.exe
4880	OpenWith.exe
4880	OpenWith.exe
4880	OpenWith.exe
4880	OpenWith.exe
2384	Winword.exe
2384	Winword.exe
2384	Winword.exe
2384	Winword.exe
2384	Winword.exe
2384	Winword.exe
2384	Winword.exe
2384	Winword.exe
2384	Winword.exe
3928	OpenWith.exe
3928	OpenWith.exe
3928	OpenWith.exe
3928	OpenWith.exe
3928	OpenWith.exe
3928	OpenWith.exe
3928	OpenWith.exe
3928	OpenWith.exe
3928	OpenWith.exe
3928	OpenWith.exe
3928	OpenWith.exe
3928	OpenWith.exe
3928	OpenWith.exe
3364	Winword.exe
3364	Winword.exe
3364	Winword.exe
3364	Winword.exe
3364	Winword.exe
3364	Winword.exe
3364	Winword.exe
3364	Winword.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4484 wrote to memory of 2460	4484	chrome.exe	80
PID 4484 wrote to memory of 2460	4484	chrome.exe	80
PID 4484 wrote to memory of 2076	4484	chrome.exe	82
PID 4484 wrote to memory of 2076	4484	chrome.exe	82
PID 4484 wrote to memory of 2076	4484	chrome.exe	82
PID 4484 wrote to memory of 2076	4484	chrome.exe	82
PID 4484 wrote to memory of 2076	4484	chrome.exe	82
PID 4484 wrote to memory of 2076	4484	chrome.exe	82
PID 4484 wrote to memory of 2076	4484	chrome.exe	82
PID 4484 wrote to memory of 2076	4484	chrome.exe	82
PID 4484 wrote to memory of 2076	4484	chrome.exe	82
PID 4484 wrote to memory of 2076	4484	chrome.exe	82
PID 4484 wrote to memory of 2076	4484	chrome.exe	82
PID 4484 wrote to memory of 2076	4484	chrome.exe	82
PID 4484 wrote to memory of 2076	4484	chrome.exe	82
PID 4484 wrote to memory of 2076	4484	chrome.exe	82
PID 4484 wrote to memory of 2076	4484	chrome.exe	82
PID 4484 wrote to memory of 2076	4484	chrome.exe	82
PID 4484 wrote to memory of 2076	4484	chrome.exe	82
PID 4484 wrote to memory of 2076	4484	chrome.exe	82
PID 4484 wrote to memory of 2076	4484	chrome.exe	82
PID 4484 wrote to memory of 2076	4484	chrome.exe	82
PID 4484 wrote to memory of 2076	4484	chrome.exe	82
PID 4484 wrote to memory of 2076	4484	chrome.exe	82
PID 4484 wrote to memory of 2076	4484	chrome.exe	82
PID 4484 wrote to memory of 2076	4484	chrome.exe	82
PID 4484 wrote to memory of 2076	4484	chrome.exe	82
PID 4484 wrote to memory of 2076	4484	chrome.exe	82
PID 4484 wrote to memory of 2076	4484	chrome.exe	82
PID 4484 wrote to memory of 2076	4484	chrome.exe	82
PID 4484 wrote to memory of 2076	4484	chrome.exe	82
PID 4484 wrote to memory of 2076	4484	chrome.exe	82
PID 4484 wrote to memory of 3740	4484	chrome.exe	83
PID 4484 wrote to memory of 3740	4484	chrome.exe	83
PID 4484 wrote to memory of 2604	4484	chrome.exe	84
PID 4484 wrote to memory of 2604	4484	chrome.exe	84
PID 4484 wrote to memory of 2604	4484	chrome.exe	84
PID 4484 wrote to memory of 2604	4484	chrome.exe	84
PID 4484 wrote to memory of 2604	4484	chrome.exe	84
PID 4484 wrote to memory of 2604	4484	chrome.exe	84
PID 4484 wrote to memory of 2604	4484	chrome.exe	84
PID 4484 wrote to memory of 2604	4484	chrome.exe	84
PID 4484 wrote to memory of 2604	4484	chrome.exe	84
PID 4484 wrote to memory of 2604	4484	chrome.exe	84
PID 4484 wrote to memory of 2604	4484	chrome.exe	84
PID 4484 wrote to memory of 2604	4484	chrome.exe	84
PID 4484 wrote to memory of 2604	4484	chrome.exe	84
PID 4484 wrote to memory of 2604	4484	chrome.exe	84
PID 4484 wrote to memory of 2604	4484	chrome.exe	84
PID 4484 wrote to memory of 2604	4484	chrome.exe	84
PID 4484 wrote to memory of 2604	4484	chrome.exe	84
PID 4484 wrote to memory of 2604	4484	chrome.exe	84
PID 4484 wrote to memory of 2604	4484	chrome.exe	84
PID 4484 wrote to memory of 2604	4484	chrome.exe	84
PID 4484 wrote to memory of 2604	4484	chrome.exe	84
PID 4484 wrote to memory of 2604	4484	chrome.exe	84
PID 4484 wrote to memory of 2604	4484	chrome.exe	84
PID 4484 wrote to memory of 2604	4484	chrome.exe	84
PID 4484 wrote to memory of 2604	4484	chrome.exe	84
PID 4484 wrote to memory of 2604	4484	chrome.exe	84
PID 4484 wrote to memory of 2604	4484	chrome.exe	84
PID 4484 wrote to memory of 2604	4484	chrome.exe	84
PID 4484 wrote to memory of 2604	4484	chrome.exe	84
PID 4484 wrote to memory of 2604	4484	chrome.exe	84

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1816	attrib.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://www.mediafire.com/file/49m2137ebiqbuq5/NyrixGrabber+(2).zip/file
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff5cf5cc40,0x7fff5cf5cc4c,0x7fff5cf5cc58
  2⤵
  PID:2460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1804,i,13762148061588153598,7483931698199741227,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1800 /prefetch:2
  2⤵
  PID:2076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2104,i,13762148061588153598,7483931698199741227,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2116 /prefetch:3
  2⤵
  PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2196,i,13762148061588153598,7483931698199741227,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2356 /prefetch:8
  2⤵
  PID:2604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,13762148061588153598,7483931698199741227,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,13762148061588153598,7483931698199741227,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:1452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4840,i,13762148061588153598,7483931698199741227,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4524 /prefetch:8
  2⤵
  PID:3200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4308,i,13762148061588153598,7483931698199741227,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4776 /prefetch:1
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4008,i,13762148061588153598,7483931698199741227,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4916 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5080,i,13762148061588153598,7483931698199741227,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5044 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5072,i,13762148061588153598,7483931698199741227,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4708,i,13762148061588153598,7483931698199741227,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4800 /prefetch:1
  2⤵
  PID:2216
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5540,i,13762148061588153598,7483931698199741227,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5696,i,13762148061588153598,7483931698199741227,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5712 /prefetch:1
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=6100,i,13762148061588153598,7483931698199741227,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5996 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5904,i,13762148061588153598,7483931698199741227,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:1492
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5944,i,13762148061588153598,7483931698199741227,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=6580 /prefetch:8
  2⤵
  - NTFS ADS
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5832,i,13762148061588153598,7483931698199741227,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=1036 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:3928

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2936

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4644

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4548

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1232

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4880
- C:\Program Files\Microsoft Office\root\Office16\Winword.exe
  "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\AppData\Local\Temp\Temp1_.zip\README.md"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:2384

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3928
- C:\Program Files\Microsoft Office\root\Office16\Winword.exe
  "C:\Program Files\Microsoft Office\root\Office16\Winword.exe" /n "C:\Users\Admin\AppData\Local\Temp\Temp1_.zip\Mercurial-Grabber 2.0 read file.sln"
  2⤵
  - Checks processor information in registry
  - Enumerates system info in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of SetWindowsHookEx
  PID:3364

C:\Users\Admin\Downloads\NyrixGrabber (2)\NyrixGrabberA.exe
"C:\Users\Admin\Downloads\NyrixGrabber (2)\NyrixGrabberA.exe"
1⤵
PID:5004
- C:\Users\Admin\Downloads\NyrixGrabber (2)\NyrixGrabberA.exe
  "C:\Users\Admin\Downloads\NyrixGrabber (2)\NyrixGrabberA.exe"
  2⤵
  - Loads dropped DLL
  PID:4648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:1800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2172
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    PID:3584
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      PID:5060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:3616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:1484
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:4880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    PID:1072
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      PID:920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1676
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:476
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:3988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:1352
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Views/modifies file attributes
      PID:1816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    PID:2652
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:1484
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:5060
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4484"
    3⤵
    PID:920
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4484
      4⤵
      Kills process with taskkill
      PID:4644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2460"
    3⤵
    PID:2040
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1676
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2460
      4⤵
      Kills process with taskkill
      PID:2072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2076"
    3⤵
    PID:3000
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2076
      4⤵
      Kills process with taskkill
      PID:3364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3740"
    3⤵
    PID:2160
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:920
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3740
      4⤵
      Kills process with taskkill
      PID:2904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2604"
    3⤵
    PID:4940
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2604
      4⤵
      Kills process with taskkill
      PID:3216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2044"
    3⤵
    PID:3732
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2044
      4⤵
      Kills process with taskkill
      PID:2876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1452"
    3⤵
    PID:1896
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1452
      4⤵
      Kills process with taskkill
      PID:4652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4020"
    3⤵
    PID:1600
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4020
      4⤵
      Kills process with taskkill
      PID:3092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4712"
    3⤵
    PID:3084
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4712
      4⤵
      Kills process with taskkill
      PID:1656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3512"
    3⤵
    PID:3656
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3512
      4⤵
      Kills process with taskkill
      PID:2192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2216"
    3⤵
    PID:4980
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2216
      4⤵
      Kills process with taskkill
      PID:2040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1492"
    3⤵
    PID:1452
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1492
      4⤵
      Kills process with taskkill
      PID:3664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:2584
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:3536
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:3220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:3704
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:2088
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:1168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4328
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:4596
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:2640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    PID:1920
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2160
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:3080
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      PID:1420
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:1068
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:2196
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:1160
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:3736
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:4104
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:2544
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:2188
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:2940
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:1676
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:8
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:2040
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:2548
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:4980
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:128
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:1408
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:3164
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:368
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:1832
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:1428
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2820
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2944
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:676
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2088
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
471B

MD5
6e2583c1b8c1124bffe4bda01d3bf3f0

SHA1
2a0dcd8b433d50a92a5d42f0d5ef9728dba87483

SHA256
65f462ce59bdf9242438d22392fe3659885bcd890a11dd5d67e8a409d40c00b4

SHA512
effa0e17ebe409655bde5971a994f552f44e316b8e2b90f19f50d31ff7ccdf522cd0ca4571ad6f0d6f8e9b5d5aed7363c218631bd6716aee6078457a93127666

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_0FB9553B978E7F00C6B2309507DEB64A

Filesize
412B

MD5
874bc2bd93e740c963a6d82a4c30ef6f

SHA1
28660219cc36c1669dc45c3e82ca57eccd585fa6

SHA256
0d6cb5f5064a96a6816d89de50b7a13a90c43863632a780751c2f246e526ed63

SHA512
795b307830d25d47ef8f86fadd46b4f709d3ff1eab4ac6623e22d2adf74d323da4ab9d24c97df4a1a670fbc16367b0c3c2c5b8c73d68d5e35b300d51a2e47f5f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
8c70a081513b9b6b57176170ad4631f2

SHA1
1fef79c42e99fcdb28e4032cc189ae07a043bf23

SHA256
da3d4c9598cc59f71715904a8aae6fe3caf08f8e6230e086e6a63d7c44036c85

SHA512
14a64ad5052b86ec163da43beb47044818da8742db259eccbdb2b98f9bdd211717bd73367dba1f5c229f6470c67d3af191ebbd63767d045a3eca446a7a25a478

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
ce2c568ab134d59a444d7f303481a381

SHA1
129b669dcc2ad5ce522bcf866f8525d98e58d51e

SHA256
ab098fbd115af3ddae509897cbc35deb0ceebe8216c2bdc35521e38194c5dd82

SHA512
4aa6ebaec3af53bda742f4450b4fa05d1f4089c2a49e630af8d2de79971bed77e4370fc050dcf6d0ee44c1e7d6019a1152a925753a52aea2286c841d9c92a2ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
fe1fc2246bb3e26f513e881aa8f766a5

SHA1
8e812b8e09a0f20da832f402d94b4db6111ac031

SHA256
ec14ec79662689ed18518541b3223809fbebe20279828335397768f7953de860

SHA512
5c1ee8526a4c63a4b4b9193e2940f74f9a8c83c764a9c5979ac393e36db39d2b149da76548f2ebc68b4469345ef55cc035d47e2b194d0f45eb0dbee1b5ed8c21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
17KB

MD5
e63a8619951e7a17fdcee0c27db7f475

SHA1
c383c4d60f86317ccbfa8491d4132ea2d8b2b83d

SHA256
4faaf9652ad70cbb9468521fcb6c97d04a80fe9bbb44e08b9f8999dcd85f76c8

SHA512
767661c29ebd5d73589f7eebca4edbc1093fd10a28eb85be79ebcab84108defd52c0a2baaccdebe7ea3b7b8d1cc99e2dd869938aae370f97e572d865fbe1ed32

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
854B

MD5
a690559095ccb9b5b79a7e0e900137e4

SHA1
02f6cc9d0d86918a17bb724dfef3cf39205cd056

SHA256
d41537fbaa53e912e2ec35f7fd028606e2a8431ec7e832bd6818f9013e8d2964

SHA512
5e42d6e6ed2ffa0ce3f2d91470d3672140532087daa8d1899cb46908f8d2b2be8b0c71954502002550a4ffcb67739ffa6611b49b058bad6fe0d8caba87a21a06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
b2a8f79874da0dc211cd33a4027dbf00

SHA1
1d3f94cf46c0141326291500bc5ee20c8dbc000c

SHA256
396adf6504b7f46c1140444b9a1b97aac1c6323f15cd6a250dcbaa96cba12ba0

SHA512
39ee1498a8f6c0b63e8a94e4c3e00d4bfc0dbccca509f1138cb0ce45e278480bd890645dbb99ddc1028440198221ce67a57d76769d5f8aa8251ee2b36c966dd5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
67a962d8428c62d74591c05729c202b0

SHA1
f040fd99c0375585a84796a746f23d1e7b8bd802

SHA256
fedcb845ca43fd18945e73cb22621f73727e324deff3f05378f01b1800e97f08

SHA512
c588db6cca2d4c27f2328243e9a28bf32b4d7b9de236a40b5d44da2e615567746340d5f628dde509fc1928ae85e7bbdb9cc6765d99ba1a9f3358de19172e409c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
d32173ec9998398ecbab628665a6e0c0

SHA1
0af19fc9ccff9cfc9c09d56c126c90b942660324

SHA256
bdf409c4d9111e47b794a22e5c4a409d416b16edac4d12d0af01ca08e2071c26

SHA512
78486558808bc596008581e2ba95e46dae470e3dcc7555ec261f65746dfb520d9e367ae3c3db6453ae1527825ed0e359d9057848baa7de4aa00ad9b5e713aa2f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3303c614a40f11650a438d6c7beeeeb7

SHA1
55161c10992f71f8ec3e4288fd7ee64d1fa63bf3

SHA256
346d2114ee72e29d11cb85880aaa354c18240dae4b16641a1e4348de3f0d9516

SHA512
5f7121e55c6da117455264c0095db0a3a095c1c0cb5f3a9be5bfd22044b5e4b4342042f54c9336e2b77dd265fd4d59ccf20b24fe4b9b15afd42b95d59134b153

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
84ce4c8011886500e657e8739616b0d3

SHA1
4bf98a6d426dc4ab0266b364b566a0f1c501206d

SHA256
c2d0705ad67b59044d64215f6a78b0b393fe6acdd4f6e78ea81ae341aeccc510

SHA512
6b6ce079fc3f3569628856798edefbd003eea21ba7b67839a860b1c6906d9064f758bc31f785c683c14b6a55b06dc55f066c70abfdfbc0df84907e09f25b2fc8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1d86be79f238597c752f294e95817d0d

SHA1
33d2313e64bc9bb2ca7437bfb8b5e02c301dfe77

SHA256
53575b97be3529ff465026e8fe5dec87ee0e5771e976eb2e312ffd261f8ec67d

SHA512
03d73a7f35ff31cf4ebc46b625cb7cdee9f5f2b55fcbe27a5ceb5b3d9d6895a1698e7439e94689c94cc5430b5c8071b55ab37024809109ad13da11ad7b468e97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
609ba780f96d0011a75870f39e0abd90

SHA1
63aafa201589997abbd33f1dd22edee602439771

SHA256
a17ed18a3c3735cfe942ad8d380e5cffc6152b0a960bf09439a8a7387b5f5ec8

SHA512
883c7c8ae71d884e3bb430355d7979091c3f9430d5d368ce574ae838b8a1f7dfa8ac2f9e9a33575f0d727f7d5222220c02c3d8fe8a5feac889c0a4a3481ad942

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
214b81e55d33b10de3c731e3b17f8ada

SHA1
c6caa70c7d7d8961ee5eb3bdacf0bf55747306f6

SHA256
f70a7a1e1c39a0541f89cadb5b7d67e523f8488e69b0aa5ab76cb1576c097ef9

SHA512
e296fce927292ef841a7bd9200558b5bf77c5b37a2930d6fe78181cc46748bd62b2391de010d9f2eb6026378a5cf4bebbbeeeb9371093b8a7c4dda704787e254

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
8dbf6a8ca1271451d896e5b9fa2dac55

SHA1
8ca015e71c5e877e332a8d5b310d955f9af3c674

SHA256
34fb5df653914aec32071b908727b202acb97bde68ad60e8cb22b1f0e9873a18

SHA512
78779e8928c714d59867ce44d9828208eea5a813702458c4dd0b4fdece1ea3663e11387a68216e1c45d536b31af9faeb71e90f0bbca07b5324a8070eead3934e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0756e4a7c95dde3072fbac744e3bced6

SHA1
02aa144e3a50c79a057869dd4f655e8b09b4ac7e

SHA256
987daa8a4902159307f40b6ba3f50ff00057ce20e7a60f5ef18e0beb2ac6e976

SHA512
bbae6a84e017c03ddfb718f49bfc220078c29340d4979fed9164e041d5b165ab56023822be246e7d89d59b16c503e9c162b087e7daf9015b96b7e7a00bc0dfe5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\c71ebd98-d20e-4899-b508-7fb6b4338f2a.tmp

Filesize
10KB

MD5
94e0d9ff822a22e99013e90b516f62d7

SHA1
90e935650cc13306bf06602f1b0b3c3833be3d0b

SHA256
623a0d179bae31a14d1b1e487a3b9fffe40afd3fa407d9086658429b981dbb15

SHA512
dd889de2a5d652274ab5cd42e608eae2aa37a7a1c12882131f3f9f70894b52d83dc6e8fc9f6df598fa39f4ed52ffef19d343a10aafbe230e19899ac883afeb66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
d9cea575402913dd3082cb98a33ab37f

SHA1
b55988512cbcc7141ff553b400a22a94bf608b95

SHA256
56c90e26ce391f49dd1f5f66d52852bb63f4fa520b36192e64daeba206491ee2

SHA512
bc71b33b95e0c659c6e8defe965b100e8e1e63d70f9811f402843d8acc8436bce5cb7556e5050411caf2ac10590987dfc8eab528f5b9daa7e11d912899d46633

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
9a50992f1033f41048f6bba25eb383ee

SHA1
801453609c7590ad3a4d32144c46ace5214f3d76

SHA256
4ba9524531a64c51dde13634004fd89bcdb58877a8006dd8cb0f0e1380a258b4

SHA512
94114d936ee5981442fdb3d18ab439b38a0232806c4af56b38ce4faf2750ea794970c72f90fe86e7601b2e9cfa4da578f9f9b0c8138e4ddbb47dfac769e6306e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
c6773b2db71ff27f344fbc24badd28ff

SHA1
8ad9c4b893ef462ad221bd49cbf0cd64bce00dd3

SHA256
289ddfea6ba556dab4ada9656140b049610dc1e202905f2c8786f50858ca1285

SHA512
cfa22ac0c684b4f29c58fd31b567c7a4f7bbfc1a7911ea0f6c4a595bdb7682cf005eb1e81a10df2a7c6758f6e93d7135f7cb3f1ef3fb2daee5a8e0c6da9c3123

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.CampaignStates.json

Filesize
21B

MD5
f1b59332b953b3c99b3c95a44249c0d2

SHA1
1b16a2ca32bf8481e18ff8b7365229b598908991

SHA256
138e49660d259061d8152137abd8829acdfb78b69179890beb489fe3ffe23e0c

SHA512
3c1f99ecc394df3741be875fbe8d95e249d1d9ac220805794a22caf81620d5fdd3cce19260d94c0829b3160b28a2b4042e46b56398e60f72134e49254e9679a4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.GovernedChannelStates.json

Filesize
417B

MD5
c56ff60fbd601e84edd5a0ff1010d584

SHA1
342abb130dabeacde1d8ced806d67a3aef00a749

SHA256
200e8cc8dd12e22c9720be73092eafb620435d4569dbdcdba9404ace2aa4343c

SHA512
acd2054fddb33b55b58b870edd4eb6a3cdd3131dfe6139cb3d27054ac2b2a460694c9be9c2a1da0f85606e95e7f393cf16868b6c654e78a664799bc3418da86e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.Settings.json

Filesize
87B

MD5
e4e83f8123e9740b8aa3c3dfa77c1c04

SHA1
5281eae96efde7b0e16a1d977f005f0d3bd7aad0

SHA256
6034f27b0823b2a6a76fe296e851939fd05324d0af9d55f249c79af118b0eb31

SHA512
bd6b33fd2bbce4a46991bc0d877695d16f7e60b1959a0defc79b627e569e5c6cac7b4ad4e3e1d8389a08584602a51cf84d44cf247f03beb95f7d307fbba12bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\Floodgate\Word.SurveyHistoryStats.json

Filesize
14B

MD5
6ca4960355e4951c72aa5f6364e459d5

SHA1
2fd90b4ec32804dff7a41b6e63c8b0a40b592113

SHA256
88301f0b7e96132a2699a8bce47d120855c7f0a37054540019e3204d6bcbaba3

SHA512
8544cd778717788b7484faf2001f463320a357db63cb72715c1395ef19d32eec4278bab07f15de3f4fed6af7e4f96c41908a0c45be94d5cdd8121877eccf310d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\6937DC39-801A-45F6-ABC6-BE3C04E13C3E

Filesize
170KB

MD5
adec0a3d121b17b0ff03b1b0cbaddf71

SHA1
02c6c22576fb600e922333130e8777f67a20e7a6

SHA256
1ed610547674e1d21f5207d5f4f13dd7fd5d7f29825c5695b6498cb1402adb93

SHA512
b582b44d2082e52303fa5129b901a863a8d8ac5d2c59a2fefd66711174d12b0e021caedabc0eabb89c75f2f780b786861102a6d6d6ec227ce2112d8518fc9cd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\mip\logs\mip_sdk.miplog

Filesize
12KB

MD5
b988a06c17f7e58bab903e6dc388f53c

SHA1
dcd4b1299bc3a12cde7c15e0c28a9a3da843677c

SHA256
1142728f9173af953470bff4dec5c9ef4fa2ab52d8ae5257b8a0bcb75ce70d0d

SHA512
5566a6f526cadf5b75c2c6033e0f6bec74e72fd415179a64dfd330396717ed22975556710cfb55e0e8b5261523b800e9992313c1a21731d3a59664fa2bae99ea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db

Filesize
24KB

MD5
8665de22b67e46648a5a147c1ed296ca

SHA1
b289a96fee9fa77dd8e045ae8fd161debd376f48

SHA256
b5cbae5c48721295a51896f05abd4c9566be7941cda7b8c2aecb762e6e94425f

SHA512
bb03ea9347d302abf3b6fece055cdae0ad2d7c074e8517f230a90233f628e5803928b9ba7ba79c343e58dacb3e7a6fc16b94690a5ab0c71303959654a18bb5da

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCD271A.tmp\iso690.xsl

Filesize
263KB

MD5
ff0e07eff1333cdf9fc2523d323dd654

SHA1
77a1ae0dd8dbc3fee65dd6266f31e2a564d088a4

SHA256
3f925e0cc1542f09de1f99060899eafb0042bb9682507c907173c392115a44b5

SHA512
b4615f995fab87661c2dbe46625aa982215d7bde27cafae221dca76087fe76da4b4a381943436fcac1577cb3d260d0050b32b7b93e3eb07912494429f126bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\_asyncio.pyd

Filesize
34KB

MD5
1b8ce772a230a5da8cbdccd8914080a5

SHA1
40d4faf1308d1af6ef9f3856a4f743046fd0ead5

SHA256
fa5a1e7031de5849ab2ab5a177e366b41e1df6bbd90c8d2418033a01c740771f

SHA512
d2fc21b9f58b57065b337c3513e7e6c3e2243b73c5a230e81c91dafcb6724b521ad766667848ba8d0a428d530691ffc4020de6ce9ce1eaa2bf5e15338114a603

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\_bz2.pyd

Filesize
46KB

MD5
80c69a1d87f0c82d6c4268e5a8213b78

SHA1
bae059da91d48eaac4f1bb45ca6feee2c89a2c06

SHA256
307359f1b2552b60839385eb63d74cbfe75cd5efdb4e7cd0bb7d296fa67d8a87

SHA512
542cf4ba19dd6a91690340779873e0cb8864b28159f55917f98a192ff9c449aba2d617e9b2b3932ddfeee13021706577ab164e5394e0513fe4087af6bc39d40d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\_cffi_backend.cp311-win_amd64.pyd

Filesize
70KB

MD5
3ee19e638459380934a44073c184b5c0

SHA1
6849d2f9e0920564e7a82f365616d6b763b1386f

SHA256
d26943222b0645c4d00f29fb4e0fb234ab2b963d8d48f616f204d8ae644c7322

SHA512
a7985b0acc57b635ed88b4945e72919c48c203bdea2f85659f0169ad3778ffb405e579d4bfcd9fc8d9752d10bec2f1cc793ac4e0c2cb84f4ce5b2297cd468d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\_ctypes.pyd

Filesize
57KB

MD5
b4c41a4a46e1d08206c109ce547480c7

SHA1
9588387007a49ec2304160f27376aedca5bc854d

SHA256
9925ab71a4d74ce0ccc036034d422782395dd496472bd2d7b6d617f4d6ddc1f9

SHA512
30debb8e766b430a57f3f6649eeb04eb0aad75ab50423252585db7e28a974d629eb81844a05f5cb94c1702308d3feda7a7a99cb37458e2acb8e87efc486a1d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\_decimal.pyd

Filesize
104KB

MD5
e9501519a447b13dcca19e09140c9e84

SHA1
472b1aa072454d065dfe415a05036ffd8804c181

SHA256
6b5fe2dea13b84e40b0278d1702aa29e9e2091f9dc09b64bbff5fd419a604c3c

SHA512
ef481e0e4f9b277642652cd090634e1c04702df789e2267a87205e0fe12b00f1de6cdd4fafb51da01efa726606c0b57fcb2ea373533c772983fc4777dc0acc63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\_hashlib.pyd

Filesize
33KB

MD5
0629bdb5ff24ce5e88a2ddcede608aee

SHA1
47323370992b80dafb6f210b0d0229665b063afb

SHA256
f404bb8371618bbd782201f092a3bcd7a96d3c143787ebea1d8d86ded1f4b3b8

SHA512
3faeff1a19893257c17571b89963af37534c189421585ea03dd6a3017d28803e9d08b0e4daceee01ffeda21da60e68d10083fe7dbdbbde313a6b489a40e70952

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\_lzma.pyd

Filesize
84KB

MD5
bfca96ed7647b31dd2919bedebb856b8

SHA1
7d802d5788784f8b6bfbb8be491c1f06600737ac

SHA256
032b1a139adcff84426b6e156f9987b501ad42ecfb18170b10fb54da0157392e

SHA512
3a2926b79c90c3153c88046d316a081c8ddfb181d5f7c849ea6ae55cb13c6adba3a0434f800c4a30017d2fbab79d459432a2e88487914b54a897c4301c778551

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\_multiprocessing.pyd

Filesize
25KB

MD5
849b4203c5f9092db9022732d8247c97

SHA1
ed7bd0d6dcdcfa07f754b98acf44a7cfe5dcb353

SHA256
45bfbab1d2373cf7a8af19e5887579b8a306b3ad0c4f57e8f666339177f1f807

SHA512
cc618b4fc918b423e5dbdcbc45206653133df16bf2125fd53bafef8f7850d2403564cf80f8a5d4abb4a8928ff1262f80f23c633ea109a18556d1871aff81cd39

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\_overlapped.pyd

Filesize
30KB

MD5
97a40f53a81c39469cc7c8dd00f51b5d

SHA1
6c3916fe42e7977d8a6b53bfbc5a579abcf22a83

SHA256
11879a429c996fee8be891af2bec7d00f966593f1e01ca0a60bd2005feb4176f

SHA512
02af654ab73b6c8bf15a81c0e9071c8faf064c529b1439a2ab476e1026c860cf7d01472945112d4583e5da8e4c57f1df2700331440be80066dbb6a7e89e1c5af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\_queue.pyd

Filesize
24KB

MD5
0614691624f99748ef1d971419bdb80d

SHA1
39c52450ed7e31e935b5b0e49d03330f2057747d

SHA256
ac7972502144e9e01e53001e8eec3fc9ab063564678b784d024da2036ba7384d

SHA512
184bc172c7bb8a1fb55c4c23950cbe5e0b5a3c96c1c555ed8476edf79c5c729ed297112ee01b45d771e5c0055d2dc402b566967d1900b5abf683ee8e668c5b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\_socket.pyd

Filesize
41KB

MD5
04e7eb0b6861495233247ac5bb33a89a

SHA1
c4d43474e0b378a00845cca044f68e224455612a

SHA256
7efe25284a4663df9458603bf0988b0f47c7dcf56119e3e853e6bda80831a383

SHA512
d4ea0484363edf284ac08a1c3356cc3112d410dd80fe5010c1777acf88dbd830e9f668b593e252033d657a3431a79f7b68d09eb071d0c2ceb51632dbe9b8ed97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\_sqlite3.pyd

Filesize
54KB

MD5
d9eeeeacc3a586cf2dbf6df366f6029e

SHA1
4ff9fb2842a13e9371ce7894ec4fe331b6af9219

SHA256
67649e1e8acd348834efb2c927ab6a7599cf76b2c0c0a50b137b3be89c482e29

SHA512
0b9f1d80fb92c796682dba94a75fbce0e4fbeaedccd50e21d42d4b9366463a830109a8cd4300aa62b41910655f8ca96ecc609ea8a1b84236250b6fd08c965830

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\_ssl.pyd

Filesize
60KB

MD5
fd0f4aed22736098dc146936cbf0ad1d

SHA1
e520def83b8efdbca9dd4b384a15880b036ee0cf

SHA256
50404a6a3de89497e9a1a03ff3df65c6028125586dced1a006d2abb9009a9892

SHA512
c8f3c04d87da19041f28e1d474c8eb052fe8c03ffd88f0681ef4a2ffe29755cfd5b9c100a1b1d2fdb233cb0f70e367af500cbd3cd4ce77475f441f2b2aa0ab8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\_uuid.pyd

Filesize
21KB

MD5
3377ae26c2987cfee095dff160f2c86c

SHA1
0ca6aa60618950e6d91a7dea530a65a1cdf16625

SHA256
9534cb9c997a17f0004fb70116e0141bdd516373b37bbd526d91ad080daa3a2b

SHA512
8e408b84e2130ff48b8004154d1bdf6a08109d0b40f9fafb6f55e9f215e418e05dca819f411c802792a9d9936a55d6b90460121583e5568579a0fda6935852ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\base_library.zip

Filesize
1.4MB

MD5
83d235e1f5b0ee5b0282b5ab7244f6c4

SHA1
629a1ce71314d7abbce96674a1ddf9f38c4a5e9c

SHA256
db389a9e14bfac6ee5cce17d41f9637d3ff8b702cc74102db8643e78659670a0

SHA512
77364aff24cfc75ee32e50973b7d589b4a896d634305d965ecbc31a9e0097e270499dbec93126092eb11f3f1ad97692db6ca5927d3d02f3d053336d6267d7e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\libcrypto-1_1.dll

Filesize
1.1MB

MD5
86cfc84f8407ab1be6cc64a9702882ef

SHA1
86f3c502ed64df2a5e10b085103c2ffc9e3a4130

SHA256
11b89cc5531b2a6b89fbbb406ebe8fb01f0bf789e672131b0354e10f9e091307

SHA512
b33f59497127cb1b4c1781693380576187c562563a9e367ce8abc14c97c51053a28af559cdd8bd66181012083e562c8a8771e3d46adeba269a848153a8e9173c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\libffi-8.dll

Filesize
24KB

MD5
decbba3add4c2246928ab385fb16a21e

SHA1
5f019eff11de3122ffa67a06d52d446a3448b75e

SHA256
4b43c1e42f6050ddb8e184c8ec4fb1de4a6001e068ece8e6ad47de0cc9fd4a2d

SHA512
760a42a3eb3ca13fa7b95d3bd0f411c270594ae3cf1d3cda349fa4f8b06ebe548b60cd438d68e2da37de0bc6f1c711823f5e917da02ed7047a45779ee08d7012

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\libssl-1_1.dll

Filesize
203KB

MD5
6cd33578bc5629930329ca3303f0fae1

SHA1
f2f8e3248a72f98d27f0cfa0010e32175a18487f

SHA256
4150ee603ad2da7a6cb6a895cb5bd928e3a99af7e73c604de1fc224e0809fdb0

SHA512
c236a6ccc8577c85509d378c1ef014621cab6f6f4aa26796ff32d8eec8e98ded2e55d358a7d236594f7a48646dc2a6bf25b42a37aed549440d52873ebca4713e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\pyexpat.pyd

Filesize
86KB

MD5
fe0e32bfe3764ed5321454e1a01c81ec

SHA1
7690690df0a73bdcc54f0f04b674fc8a9a8f45fb

SHA256
b399bff10812e9ea2c9800f74cb0e5002f9d9379baf1a3cef9d438caca35dc92

SHA512
d1777f9e684a9e4174e18651e6d921ae11757ecdbeb4ee678c6a28e0903a4b9ab9f6e1419670b4d428ee20f86c7d424177ed9daf4365cf2ee376fcd065c1c92d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\python3.dll

Filesize
64KB

MD5
34e49bb1dfddf6037f0001d9aefe7d61

SHA1
a25a39dca11cdc195c9ecd49e95657a3e4fe3215

SHA256
4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281

SHA512
edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\python311.dll

Filesize
1.6MB

MD5
db09c9bbec6134db1766d369c339a0a1

SHA1
c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b

SHA256
b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79

SHA512
653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\select.pyd

Filesize
24KB

MD5
c39459806c712b3b3242f8376218c1e1

SHA1
85d254fb6cc5d6ed20a04026bff1158c8fd0a530

SHA256
7cbd4339285d145b422afa280cee685258bc659806be9cf8b334805bc45b29c9

SHA512
b727c6d1cd451d658e174161135d3be48d7efda21c775b8145bc527a54d6592bfc50919276c6498d2e2233ac1524c1699f59f0f467cc6e43e5b5e9558c87f49d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\sqlite3.dll

Filesize
608KB

MD5
895f001ae969364432372329caf08b6a

SHA1
4567fc6672501648b277fe83e6b468a7a2155ddf

SHA256
f5dd29e1e99cf8967f7f81487dc624714dcbec79c1630f929d5507fc95cbfad7

SHA512
05b4559d283ea84174da72a6c11b8b93b1586b4e7d8cda8d745c814f8f6dff566e75f9d7890f32bd9dfe43485244973860f83f96ba39296e28127c9396453261

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50042\unicodedata.pyd

Filesize
293KB

MD5
06a5e52caf03426218f0c08fc02cc6b8

SHA1
ae232c63620546716fbb97452d73948ebfd06b35

SHA256
118c31faa930f2849a14c3133df36420a5832114df90d77b09cde0ad5f96f33a

SHA512
546b1a01f36d3689b0fdeeda8b1ce55e7d3451731ca70fffe6627d542fff19d7a70e27147cab1920aae8bed88272342908d4e9d671d7aba74abb5db398b90718

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_djc2ezgq.ez3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\CUSTOM.DIC

Filesize
16B

MD5
d29962abc88624befc0135579ae485ec

SHA1
e40a6458296ec6a2427bcb280572d023a9862b31

SHA256
a91a702aab9b8dd722843d3d208a21bcfa6556dfc64e2ded63975de4511eb866

SHA512
4311e87d8d5559248d4174908817a4ddc917bf7378114435cf12da8ccb7a1542c851812afbaf7dc106771bdb2e2d05f52e7d0c50d110fc7fffe4395592492c2f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
666B

MD5
bfad49c31808e04df0d154bbef8dc172

SHA1
f83c5645d0b547a265a786e5ab4ea6f9307bf5c1

SHA256
4064962a57325887f010122a5e2710c61f609b42518233aeeacb8e790f042821

SHA512
a661c3b6692fa317c500e603e5f4854714607cc16fcd0fe96e69e071139bdc98baed5327179e481675ee1e8451d48b7cc467209e2ba1ea7342250bd2d589e7b7

Download Submit
C:\Users\Admin\Downloads\NyrixGrabber (2).zip

Filesize
10.7MB

MD5
3d74a2ad264136cbb507595d7e282076

SHA1
2ee772ccbf284d4a31fda94b4fb8b18478e32a58

SHA256
5c4fe0c1d415bfd715386e2e1b72781ec950117956cc64ee46fdb6dee5167f77

SHA512
0d08b70e39787542ccc42c470ba8361bd68c10511147dcf32d0373099a2443f121980b721131fa1264100fbfa452fb7d62af8fa85af7eecfa0a13bed829072fd

Download Submit
C:\Users\Admin\Downloads\NyrixGrabber (2).zip:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
memory/2384-824-0x00007FFF2BFB0000-0x00007FFF2BFC0000-memory.dmp

Filesize
64KB

Download
memory/2384-822-0x00007FFF2BFB0000-0x00007FFF2BFC0000-memory.dmp

Filesize
64KB

Download
memory/2384-248-0x00007FFF2BFB0000-0x00007FFF2BFC0000-memory.dmp

Filesize
64KB

Download
memory/2384-249-0x00007FFF2BFB0000-0x00007FFF2BFC0000-memory.dmp

Filesize
64KB

Download
memory/2384-251-0x00007FFF2BFB0000-0x00007FFF2BFC0000-memory.dmp

Filesize
64KB

Download
memory/2384-250-0x00007FFF2BFB0000-0x00007FFF2BFC0000-memory.dmp

Filesize
64KB

Download
memory/2384-252-0x00007FFF2BFB0000-0x00007FFF2BFC0000-memory.dmp

Filesize
64KB

Download
memory/2384-253-0x00007FFF29410000-0x00007FFF29420000-memory.dmp

Filesize
64KB

Download
memory/2384-254-0x00007FFF29410000-0x00007FFF29420000-memory.dmp

Filesize
64KB

Download
memory/2384-823-0x00007FFF2BFB0000-0x00007FFF2BFC0000-memory.dmp

Filesize
64KB

Download
memory/2384-825-0x00007FFF2BFB0000-0x00007FFF2BFC0000-memory.dmp

Filesize
64KB

Download
memory/2640-1111-0x000001B25C5F0000-0x000001B25C612000-memory.dmp

Filesize
136KB

Download
memory/4648-1102-0x00007FFF5FFD0000-0x00007FFF5FFDD000-memory.dmp

Filesize
52KB

Download
memory/4648-1121-0x00007FFF45F50000-0x00007FFF466F1000-memory.dmp

Filesize
7.6MB

Download
memory/4648-968-0x00007FFF66860000-0x00007FFF6686F000-memory.dmp

Filesize
60KB

Download
memory/4648-947-0x00007FFF65950000-0x00007FFF65974000-memory.dmp

Filesize
144KB

Download
memory/4648-971-0x00007FFF65930000-0x00007FFF65949000-memory.dmp

Filesize
100KB

Download
memory/4648-972-0x00007FFF659B0000-0x00007FFF659BD000-memory.dmp

Filesize
52KB

Download
memory/4648-974-0x00007FFF65910000-0x00007FFF65929000-memory.dmp

Filesize
100KB

Download
memory/4648-979-0x00007FFF64EF0000-0x00007FFF64F1E000-memory.dmp

Filesize
184KB

Download
memory/4648-980-0x00007FFF51720000-0x00007FFF517D8000-memory.dmp

Filesize
736KB

Download
memory/4648-985-0x00007FFF59BE0000-0x00007FFF59C02000-memory.dmp

Filesize
136KB

Download
memory/4648-986-0x00007FFF46820000-0x00007FFF46B95000-memory.dmp

Filesize
3.5MB

Download
memory/4648-984-0x00007FFF46700000-0x00007FFF4681C000-memory.dmp

Filesize
1.1MB

Download
memory/4648-983-0x00007FFF60240000-0x00007FFF60254000-memory.dmp

Filesize
80KB

Download
memory/4648-982-0x00007FFF60DE0000-0x00007FFF60DF4000-memory.dmp

Filesize
80KB

Download
memory/4648-981-0x000001B0D02F0000-0x000001B0D0665000-memory.dmp

Filesize
3.5MB

Download
memory/4648-993-0x00007FFF59BC0000-0x00007FFF59BDE000-memory.dmp

Filesize
120KB

Download
memory/4648-996-0x00007FFF60220000-0x00007FFF60237000-memory.dmp

Filesize
92KB

Download
memory/4648-995-0x00007FFF65950000-0x00007FFF65974000-memory.dmp

Filesize
144KB

Download
memory/4648-994-0x00007FFF45F50000-0x00007FFF466F1000-memory.dmp

Filesize
7.6MB

Download
memory/4648-992-0x00007FFF5FF90000-0x00007FFF5FF9A000-memory.dmp

Filesize
40KB

Download
memory/4648-991-0x00007FFF5BC50000-0x00007FFF5BC61000-memory.dmp

Filesize
68KB

Download
memory/4648-990-0x00007FFF4BCB0000-0x00007FFF4BCFD000-memory.dmp

Filesize
308KB

Download
memory/4648-989-0x00007FFF5CFE0000-0x00007FFF5CFF9000-memory.dmp

Filesize
100KB

Download
memory/4648-988-0x00007FFF60E00000-0x00007FFF60E12000-memory.dmp

Filesize
72KB

Download
memory/4648-987-0x00007FFF62660000-0x00007FFF62675000-memory.dmp

Filesize
84KB

Download
memory/4648-978-0x00007FFF46D20000-0x00007FFF47308000-memory.dmp

Filesize
5.9MB

Download
memory/4648-997-0x00007FFF58B80000-0x00007FFF58BB6000-memory.dmp

Filesize
216KB

Download
memory/4648-1009-0x00007FFF65930000-0x00007FFF65949000-memory.dmp

Filesize
100KB

Download
memory/4648-1066-0x00007FFF65890000-0x00007FFF658B3000-memory.dmp

Filesize
140KB

Download
memory/4648-1100-0x00007FFF46BA0000-0x00007FFF46D13000-memory.dmp

Filesize
1.4MB

Download
memory/4648-976-0x00007FFF65890000-0x00007FFF658B3000-memory.dmp

Filesize
140KB

Download
memory/4648-1101-0x000001B0D02F0000-0x000001B0D0665000-memory.dmp

Filesize
3.5MB

Download
memory/4648-975-0x00007FFF658E0000-0x00007FFF6590D000-memory.dmp

Filesize
180KB

Download
memory/4648-977-0x00007FFF46BA0000-0x00007FFF46D13000-memory.dmp

Filesize
1.4MB

Download
memory/4648-1118-0x00007FFF59BE0000-0x00007FFF59C02000-memory.dmp

Filesize
136KB

Download
memory/4648-1119-0x00007FFF62660000-0x00007FFF62675000-memory.dmp

Filesize
84KB

Download
memory/4648-1120-0x00007FFF60E00000-0x00007FFF60E12000-memory.dmp

Filesize
72KB

Download
memory/4648-939-0x00007FFF46D20000-0x00007FFF47308000-memory.dmp

Filesize
5.9MB

Download
memory/4648-1122-0x00007FFF46D20000-0x00007FFF47308000-memory.dmp

Filesize
5.9MB

Download
memory/4648-1147-0x00007FFF58B80000-0x00007FFF58BB6000-memory.dmp

Filesize
216KB

Download
memory/4648-1130-0x00007FFF46BA0000-0x00007FFF46D13000-memory.dmp

Filesize
1.4MB

Download
memory/4648-1123-0x00007FFF65950000-0x00007FFF65974000-memory.dmp

Filesize
144KB

Download
memory/4648-1158-0x00007FFF46D20000-0x00007FFF47308000-memory.dmp

Filesize
5.9MB

Download
memory/4648-1170-0x00007FFF62660000-0x00007FFF62675000-memory.dmp

Filesize
84KB

Download
memory/4648-1169-0x00007FFF46820000-0x00007FFF46B95000-memory.dmp

Filesize
3.5MB

Download
memory/4648-1168-0x00007FFF51720000-0x00007FFF517D8000-memory.dmp

Filesize
736KB

Download
memory/4648-1167-0x00007FFF64EF0000-0x00007FFF64F1E000-memory.dmp

Filesize
184KB

Download
memory/4648-1215-0x00007FFF65930000-0x00007FFF65949000-memory.dmp

Filesize
100KB

Download
memory/4648-1223-0x00007FFF60E00000-0x00007FFF60E12000-memory.dmp

Filesize
72KB

Download
memory/4648-1224-0x00007FFF46D20000-0x00007FFF47308000-memory.dmp

Filesize
5.9MB

Download
memory/4648-1238-0x00007FFF5FFD0000-0x00007FFF5FFDD000-memory.dmp

Filesize
52KB

Download
memory/4648-1237-0x00007FFF58B80000-0x00007FFF58BB6000-memory.dmp

Filesize
216KB

Download
memory/4648-1236-0x00007FFF46820000-0x00007FFF46B95000-memory.dmp

Filesize
3.5MB

Download
memory/4648-1235-0x00007FFF45F50000-0x00007FFF466F1000-memory.dmp

Filesize
7.6MB

Download
memory/4648-1234-0x00007FFF59BC0000-0x00007FFF59BDE000-memory.dmp

Filesize
120KB

Download
memory/4648-1233-0x00007FFF5FF90000-0x00007FFF5FF9A000-memory.dmp

Filesize
40KB

Download
memory/4648-1232-0x00007FFF5BC50000-0x00007FFF5BC61000-memory.dmp

Filesize
68KB

Download
memory/4648-1231-0x00007FFF4BCB0000-0x00007FFF4BCFD000-memory.dmp

Filesize
308KB

Download
memory/4648-1230-0x00007FFF5CFE0000-0x00007FFF5CFF9000-memory.dmp

Filesize
100KB

Download
memory/4648-1229-0x00007FFF59BE0000-0x00007FFF59C02000-memory.dmp

Filesize
136KB

Download
memory/4648-1228-0x00007FFF46700000-0x00007FFF4681C000-memory.dmp

Filesize
1.1MB

Download
memory/4648-1227-0x00007FFF60240000-0x00007FFF60254000-memory.dmp

Filesize
80KB

Download
memory/4648-1226-0x00007FFF60DE0000-0x00007FFF60DF4000-memory.dmp

Filesize
80KB

Download
memory/4648-1225-0x00007FFF51720000-0x00007FFF517D8000-memory.dmp

Filesize
736KB

Download
memory/4648-1222-0x00007FFF62660000-0x00007FFF62675000-memory.dmp

Filesize
84KB

Download
memory/4648-1221-0x00007FFF64EF0000-0x00007FFF64F1E000-memory.dmp

Filesize
184KB

Download
memory/4648-1220-0x00007FFF46BA0000-0x00007FFF46D13000-memory.dmp

Filesize
1.4MB

Download
memory/4648-1219-0x00007FFF60220000-0x00007FFF60237000-memory.dmp

Filesize
92KB

Download
memory/4648-1218-0x00007FFF658E0000-0x00007FFF6590D000-memory.dmp

Filesize
180KB

Download
memory/4648-1217-0x00007FFF65910000-0x00007FFF65929000-memory.dmp

Filesize
100KB

Download
memory/4648-1216-0x00007FFF659B0000-0x00007FFF659BD000-memory.dmp

Filesize
52KB

Download
memory/4648-1214-0x00007FFF66860000-0x00007FFF6686F000-memory.dmp

Filesize
60KB

Download
memory/4648-1213-0x00007FFF65950000-0x00007FFF65974000-memory.dmp

Filesize
144KB

Download
memory/4648-1212-0x00007FFF65890000-0x00007FFF658B3000-memory.dmp

Filesize
140KB

Download