exelastealer | hxxps://mega[.]nz/folder/NNhizKIY#_598We3JUoSu2eXAdjgzhg/folder/ZFZm3TQD

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-10-2024 22:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/folder/NNhizKIY#_598We3JUoSu2eXAdjgzhg/folder/ZFZm3TQD

Score

10^/10

exelastealer collection defense_evasion discovery evasion persistence privilege_escalation pyinstaller spyware stealer themida trojan upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	strip.bin

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2376	netsh.exe
4672	netsh.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	strip.bin
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	strip.bin

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Pastebin Leecher v 0.1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	Steam Account Generator v12.1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	PSC PIN GENERATOR.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3624	cmd.exe
3200	powershell.exe

Executes dropped EXE 17 IoCs

pid	Process
4956	Pastebin Leecher v 0.1.exe
4476	Windows Explorer.exe
4832	Pastebin Leecher v 0.1.exe
4384	Windows Explorer.exe
3152	vshost.exe
1928	libGLESV2.dll
1436	winst.exe
5992	Steam Account Generator v12.1.exe
5368	Windows Explorer.exe
3612	Steam Account Generator v12.1.exe
6020	Windows Explorer.exe
5828	strip.bin
4820	PSC PIN GENERATOR.exe
3704	Windows Explorer.exe
5824	PSC PIN GENERATOR.exe
5960	Windows Explorer.exe
5880	data32.cfg

Loads dropped DLL 64 IoCs

pid	Process
4384	Windows Explorer.exe
4384	Windows Explorer.exe
4384	Windows Explorer.exe
4384	Windows Explorer.exe
4384	Windows Explorer.exe
4384	Windows Explorer.exe
4384	Windows Explorer.exe
4384	Windows Explorer.exe
4384	Windows Explorer.exe
4384	Windows Explorer.exe
4384	Windows Explorer.exe
4384	Windows Explorer.exe
4384	Windows Explorer.exe
4384	Windows Explorer.exe
4384	Windows Explorer.exe
4384	Windows Explorer.exe
4384	Windows Explorer.exe
4384	Windows Explorer.exe
4384	Windows Explorer.exe
4384	Windows Explorer.exe
4384	Windows Explorer.exe
4384	Windows Explorer.exe
4384	Windows Explorer.exe
4384	Windows Explorer.exe
4384	Windows Explorer.exe
4384	Windows Explorer.exe
4384	Windows Explorer.exe
4384	Windows Explorer.exe
4384	Windows Explorer.exe
1928	libGLESV2.dll
1928	libGLESV2.dll
1928	libGLESV2.dll
1928	libGLESV2.dll
1928	libGLESV2.dll
4384	Windows Explorer.exe
6020	Windows Explorer.exe
6020	Windows Explorer.exe
6020	Windows Explorer.exe
6020	Windows Explorer.exe
6020	Windows Explorer.exe
6020	Windows Explorer.exe
6020	Windows Explorer.exe
6020	Windows Explorer.exe
6020	Windows Explorer.exe
6020	Windows Explorer.exe
6020	Windows Explorer.exe
6020	Windows Explorer.exe
6020	Windows Explorer.exe
6020	Windows Explorer.exe
6020	Windows Explorer.exe
5828	strip.bin
6020	Windows Explorer.exe
6020	Windows Explorer.exe
6020	Windows Explorer.exe
6020	Windows Explorer.exe
5828	strip.bin
5828	strip.bin
6020	Windows Explorer.exe
6020	Windows Explorer.exe
6020	Windows Explorer.exe
6020	Windows Explorer.exe
6020	Windows Explorer.exe
6020	Windows Explorer.exe
6020	Windows Explorer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Themida packer 3 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/5828-1141-0x0000000070D50000-0x0000000071312000-memory.dmp	themida
behavioral1/files/0x0008000000023d3b-1137.dat	themida
behavioral1/memory/5828-1163-0x0000000070D50000-0x0000000071312000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	strip.bin

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
251	discord.com
252	discord.com
295	discord.com
250	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
242	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
5384	cmd.exe
3636	ARP.EXE

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
5800	tasklist.exe
1876	tasklist.exe
5496	tasklist.exe
4836	tasklist.exe
3960	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5880	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
5828	strip.bin

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023d24-408.dat	upx
behavioral1/memory/4384-412-0x00007FF80A980000-0x00007FF80AF70000-memory.dmp	upx
behavioral1/files/0x0007000000023cf2-433.dat	upx
behavioral1/memory/4384-445-0x00007FF8281B0000-0x00007FF8281BF000-memory.dmp	upx
behavioral1/files/0x0007000000023cfc-442.dat	upx
behavioral1/files/0x0007000000023cfb-441.dat	upx
behavioral1/files/0x0007000000023cfa-440.dat	upx
behavioral1/memory/4384-461-0x00007FF80E090000-0x00007FF80E09D000-memory.dmp	upx
behavioral1/memory/4384-460-0x00007FF80C1B0000-0x00007FF80C1C9000-memory.dmp	upx
behavioral1/memory/4384-463-0x00007FF80BC80000-0x00007FF80BCAD000-memory.dmp	upx
behavioral1/memory/4384-465-0x00007FF80A800000-0x00007FF80A976000-memory.dmp	upx
behavioral1/memory/4384-464-0x00007FF80BC50000-0x00007FF80BC73000-memory.dmp	upx
behavioral1/memory/4384-462-0x00007FF80BCB0000-0x00007FF80BCC9000-memory.dmp	upx
behavioral1/memory/4384-532-0x00007FF80DB60000-0x00007FF80E089000-memory.dmp	upx
behavioral1/memory/4384-580-0x00007FF81E7B0000-0x00007FF81E7C7000-memory.dmp	upx
behavioral1/memory/4384-586-0x00007FF80C1B0000-0x00007FF80C1C9000-memory.dmp	upx
behavioral1/memory/4384-649-0x00007FF80A800000-0x00007FF80A976000-memory.dmp	upx
behavioral1/memory/4384-644-0x00007FF80BC50000-0x00007FF80BC73000-memory.dmp	upx
behavioral1/memory/4384-910-0x00007FF80DA90000-0x00007FF80DB5D000-memory.dmp	upx
behavioral1/memory/4384-911-0x00007FF80DB60000-0x00007FF80E089000-memory.dmp	upx
behavioral1/memory/4384-588-0x00007FF80E470000-0x00007FF80E4A8000-memory.dmp	upx
behavioral1/memory/4384-587-0x00007FF80A100000-0x00007FF80A7F2000-memory.dmp	upx
behavioral1/memory/4384-585-0x00007FF80E500000-0x00007FF80E51E000-memory.dmp	upx
behavioral1/memory/4384-584-0x00007FF80E520000-0x00007FF80E531000-memory.dmp	upx
behavioral1/memory/4384-583-0x00007FF80E540000-0x00007FF80E58A000-memory.dmp	upx
behavioral1/memory/4384-582-0x00007FF80E590000-0x00007FF80E5A9000-memory.dmp	upx
behavioral1/memory/4384-581-0x00007FF80BCD0000-0x00007FF80BCF4000-memory.dmp	upx
behavioral1/memory/4384-579-0x00007FF80A980000-0x00007FF80AF70000-memory.dmp	upx
behavioral1/memory/4384-566-0x00007FF81E5E0000-0x00007FF81E602000-memory.dmp	upx
behavioral1/memory/4384-565-0x00007FF80BB30000-0x00007FF80BC4C000-memory.dmp	upx
behavioral1/memory/4384-564-0x00007FF822210000-0x00007FF822225000-memory.dmp	upx
behavioral1/memory/4384-563-0x00007FF81EEC0000-0x00007FF81EED4000-memory.dmp	upx
behavioral1/memory/4384-562-0x00007FF822090000-0x00007FF8220A4000-memory.dmp	upx
behavioral1/memory/4384-561-0x00007FF8221F0000-0x00007FF822202000-memory.dmp	upx
behavioral1/memory/4384-560-0x00007FF80DA90000-0x00007FF80DB5D000-memory.dmp	upx
behavioral1/memory/4384-502-0x00007FF822230000-0x00007FF822263000-memory.dmp	upx
behavioral1/files/0x0007000000023cf9-439.dat	upx
behavioral1/files/0x0007000000023cf8-438.dat	upx
behavioral1/files/0x0007000000023cf7-437.dat	upx
behavioral1/files/0x0007000000023cf3-434.dat	upx
behavioral1/files/0x0007000000023cf1-432.dat	upx
behavioral1/files/0x0007000000023d27-431.dat	upx
behavioral1/files/0x0007000000023d26-430.dat	upx
behavioral1/files/0x0007000000023d25-429.dat	upx
behavioral1/files/0x0007000000023d22-428.dat	upx
behavioral1/files/0x0007000000023d1f-427.dat	upx
behavioral1/files/0x0007000000023d1d-426.dat	upx
behavioral1/memory/4384-425-0x00007FF80BCD0000-0x00007FF80BCF4000-memory.dmp	upx
behavioral1/files/0x0007000000023d1e-424.dat	upx
behavioral1/files/0x0007000000023cfd-443.dat	upx
behavioral1/files/0x0007000000023cf6-436.dat	upx
behavioral1/files/0x0007000000023cf5-435.dat	upx
behavioral1/files/0x0007000000023cf4-422.dat	upx
behavioral1/memory/4384-935-0x00007FF8221F0000-0x00007FF822202000-memory.dmp	upx
behavioral1/memory/4384-934-0x00007FF822230000-0x00007FF822263000-memory.dmp	upx
behavioral1/memory/4384-978-0x00007FF824B90000-0x00007FF824B9D000-memory.dmp	upx
behavioral1/memory/4384-977-0x00007FF81E5E0000-0x00007FF81E602000-memory.dmp	upx
behavioral1/memory/4384-976-0x00007FF822210000-0x00007FF822225000-memory.dmp	upx
behavioral1/memory/4384-996-0x00007FF80E590000-0x00007FF80E5A9000-memory.dmp	upx
behavioral1/memory/4384-995-0x00007FF81E7B0000-0x00007FF81E7C7000-memory.dmp	upx
behavioral1/memory/4384-1023-0x00007FF80E540000-0x00007FF80E58A000-memory.dmp	upx
behavioral1/memory/4384-1024-0x00007FF80A100000-0x00007FF80A7F2000-memory.dmp	upx
behavioral1/memory/4384-1025-0x00007FF80E470000-0x00007FF80E4A8000-memory.dmp	upx
behavioral1/memory/6020-1120-0x00007FF80F860000-0x00007FF80FE50000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
324	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000b000000023b70-341.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	data32.cfg
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pastebin Leecher v 0.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vshost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	libGLESV2.dll
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Steam Account Generator v12.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	strip.bin
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PSC PIN GENERATOR.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
5556	cmd.exe
4084	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
4396	NETSTAT.EXE

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
856	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5488	WMIC.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4808	ipconfig.exe
4396	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4728	systeminfo.exe

Kills process with taskkill 9 IoCs

evasion

pid	Process
5056	taskkill.exe
5628	taskkill.exe
5608	taskkill.exe
2452	taskkill.exe
5916	taskkill.exe
5240	taskkill.exe
5696	taskkill.exe
4972	taskkill.exe
5900	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133738521904225201"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	msedge.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
6056	schtasks.exe
6120	schtasks.exe

Suspicious behavior: EnumeratesProcesses 59 IoCs

pid	Process
2132	msedge.exe
2132	msedge.exe
2420	msedge.exe
2420	msedge.exe
2716	identity_helper.exe
2716	identity_helper.exe
4156	msedge.exe
4156	msedge.exe
2804	msedge.exe
2804	msedge.exe
2460	msedge.exe
2460	msedge.exe
1928	libGLESV2.dll
1928	libGLESV2.dll
1928	libGLESV2.dll
1928	libGLESV2.dll
1928	libGLESV2.dll
1928	libGLESV2.dll
1928	libGLESV2.dll
1928	libGLESV2.dll
1928	libGLESV2.dll
1928	libGLESV2.dll
1928	libGLESV2.dll
1928	libGLESV2.dll
1928	libGLESV2.dll
1928	libGLESV2.dll
1928	libGLESV2.dll
1928	libGLESV2.dll
1928	libGLESV2.dll
1928	libGLESV2.dll
1928	libGLESV2.dll
1928	libGLESV2.dll
1928	libGLESV2.dll
1928	libGLESV2.dll
1928	libGLESV2.dll
1928	libGLESV2.dll
1928	libGLESV2.dll
1928	libGLESV2.dll
1928	libGLESV2.dll
1928	libGLESV2.dll
1928	libGLESV2.dll
1928	libGLESV2.dll
1928	libGLESV2.dll
1928	libGLESV2.dll
1928	libGLESV2.dll
1928	libGLESV2.dll
1928	libGLESV2.dll
1928	libGLESV2.dll
3200	powershell.exe
3200	powershell.exe
3200	powershell.exe
5152	chrome.exe
5152	chrome.exe
6084	msedge.exe
6084	msedge.exe
5504	msedge.exe
5504	msedge.exe
3276	identity_helper.exe
3276	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 24 IoCs

pid	Process
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
5152	chrome.exe
5152	chrome.exe
5152	chrome.exe
5152	chrome.exe
5152	chrome.exe
5504	msedge.exe
5504	msedge.exe
5504	msedge.exe
5504	msedge.exe
5504	msedge.exe
5504	msedge.exe
5504	msedge.exe
5504	msedge.exe
5504	msedge.exe
5504	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4224	7zG.exe
Token: 35	4224	7zG.exe
Token: SeSecurityPrivilege	4224	7zG.exe
Token: SeSecurityPrivilege	4224	7zG.exe
Token: SeRestorePrivilege	2804	7zG.exe
Token: 35	2804	7zG.exe
Token: SeSecurityPrivilege	2804	7zG.exe
Token: SeSecurityPrivilege	2804	7zG.exe
Token: SeRestorePrivilege	2084	7zG.exe
Token: 35	2084	7zG.exe
Token: SeSecurityPrivilege	2084	7zG.exe
Token: SeSecurityPrivilege	2084	7zG.exe
Token: SeDebugPrivilege	1928	libGLESV2.dll
Token: SeIncreaseQuotaPrivilege	5488	WMIC.exe
Token: SeSecurityPrivilege	5488	WMIC.exe
Token: SeTakeOwnershipPrivilege	5488	WMIC.exe
Token: SeLoadDriverPrivilege	5488	WMIC.exe
Token: SeSystemProfilePrivilege	5488	WMIC.exe
Token: SeSystemtimePrivilege	5488	WMIC.exe
Token: SeProfSingleProcessPrivilege	5488	WMIC.exe
Token: SeIncBasePriorityPrivilege	5488	WMIC.exe
Token: SeCreatePagefilePrivilege	5488	WMIC.exe
Token: SeBackupPrivilege	5488	WMIC.exe
Token: SeRestorePrivilege	5488	WMIC.exe
Token: SeShutdownPrivilege	5488	WMIC.exe
Token: SeDebugPrivilege	5488	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5488	WMIC.exe
Token: SeRemoteShutdownPrivilege	5488	WMIC.exe
Token: SeUndockPrivilege	5488	WMIC.exe
Token: SeManageVolumePrivilege	5488	WMIC.exe
Token: 33	5488	WMIC.exe
Token: 34	5488	WMIC.exe
Token: 35	5488	WMIC.exe
Token: 36	5488	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5504	WMIC.exe
Token: SeSecurityPrivilege	5504	WMIC.exe
Token: SeTakeOwnershipPrivilege	5504	WMIC.exe
Token: SeLoadDriverPrivilege	5504	WMIC.exe
Token: SeSystemProfilePrivilege	5504	WMIC.exe
Token: SeSystemtimePrivilege	5504	WMIC.exe
Token: SeProfSingleProcessPrivilege	5504	WMIC.exe
Token: SeIncBasePriorityPrivilege	5504	WMIC.exe
Token: SeCreatePagefilePrivilege	5504	WMIC.exe
Token: SeBackupPrivilege	5504	WMIC.exe
Token: SeRestorePrivilege	5504	WMIC.exe
Token: SeShutdownPrivilege	5504	WMIC.exe
Token: SeDebugPrivilege	5504	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5504	WMIC.exe
Token: SeRemoteShutdownPrivilege	5504	WMIC.exe
Token: SeUndockPrivilege	5504	WMIC.exe
Token: SeManageVolumePrivilege	5504	WMIC.exe
Token: 33	5504	WMIC.exe
Token: 34	5504	WMIC.exe
Token: 35	5504	WMIC.exe
Token: 36	5504	WMIC.exe
Token: SeDebugPrivilege	5496	tasklist.exe
Token: SeIncreaseQuotaPrivilege	5488	WMIC.exe
Token: SeSecurityPrivilege	5488	WMIC.exe
Token: SeTakeOwnershipPrivilege	5488	WMIC.exe
Token: SeLoadDriverPrivilege	5488	WMIC.exe
Token: SeSystemProfilePrivilege	5488	WMIC.exe
Token: SeSystemtimePrivilege	5488	WMIC.exe
Token: SeProfSingleProcessPrivilege	5488	WMIC.exe
Token: SeIncBasePriorityPrivilege	5488	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
4224	7zG.exe
2804	7zG.exe
2084	7zG.exe
1928	libGLESV2.dll
5164	NOTEPAD.EXE
5152	chrome.exe
5152	chrome.exe
5152	chrome.exe
5152	chrome.exe
5152	chrome.exe
5152	chrome.exe
5152	chrome.exe
5152	chrome.exe
5152	chrome.exe
5152	chrome.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
2420	msedge.exe
5152	chrome.exe
5152	chrome.exe
5152	chrome.exe
5152	chrome.exe
5152	chrome.exe
5152	chrome.exe
5152	chrome.exe
5152	chrome.exe
5152	chrome.exe
5152	chrome.exe
5152	chrome.exe
5152	chrome.exe
5152	chrome.exe
5152	chrome.exe
5152	chrome.exe
5152	chrome.exe
5152	chrome.exe
5152	chrome.exe
5152	chrome.exe
5152	chrome.exe
5152	chrome.exe
5152	chrome.exe
5152	chrome.exe
5152	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1928	libGLESV2.dll

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 464	2420	msedge.exe	86
PID 2420 wrote to memory of 464	2420	msedge.exe	86
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 1432	2420	msedge.exe	87
PID 2420 wrote to memory of 2132	2420	msedge.exe	88
PID 2420 wrote to memory of 2132	2420	msedge.exe	88
PID 2420 wrote to memory of 2620	2420	msedge.exe	89
PID 2420 wrote to memory of 2620	2420	msedge.exe	89
PID 2420 wrote to memory of 2620	2420	msedge.exe	89
PID 2420 wrote to memory of 2620	2420	msedge.exe	89
PID 2420 wrote to memory of 2620	2420	msedge.exe	89
PID 2420 wrote to memory of 2620	2420	msedge.exe	89
PID 2420 wrote to memory of 2620	2420	msedge.exe	89
PID 2420 wrote to memory of 2620	2420	msedge.exe	89
PID 2420 wrote to memory of 2620	2420	msedge.exe	89
PID 2420 wrote to memory of 2620	2420	msedge.exe	89
PID 2420 wrote to memory of 2620	2420	msedge.exe	89
PID 2420 wrote to memory of 2620	2420	msedge.exe	89
PID 2420 wrote to memory of 2620	2420	msedge.exe	89
PID 2420 wrote to memory of 2620	2420	msedge.exe	89
PID 2420 wrote to memory of 2620	2420	msedge.exe	89
PID 2420 wrote to memory of 2620	2420	msedge.exe	89
PID 2420 wrote to memory of 2620	2420	msedge.exe	89
PID 2420 wrote to memory of 2620	2420	msedge.exe	89
PID 2420 wrote to memory of 2620	2420	msedge.exe	89
PID 2420 wrote to memory of 2620	2420	msedge.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5924	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://mega.nz/folder/NNhizKIY#_598We3JUoSu2eXAdjgzhg/folder/ZFZm3TQD
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff81e1e46f8,0x7ff81e1e4708,0x7ff81e1e4718
  2⤵
  PID:464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,18031206529617224537,18111897594331722390,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
  2⤵
  PID:1432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,18031206529617224537,18111897594331722390,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,18031206529617224537,18111897594331722390,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
  2⤵
  PID:2620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,18031206529617224537,18111897594331722390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,18031206529617224537,18111897594331722390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2152,18031206529617224537,18111897594331722390,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4624 /prefetch:8
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,18031206529617224537,18111897594331722390,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5792 /prefetch:8
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,18031206529617224537,18111897594331722390,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5792 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,18031206529617224537,18111897594331722390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,18031206529617224537,18111897594331722390,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,18031206529617224537,18111897594331722390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3552 /prefetch:1
  2⤵
  PID:3308
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,18031206529617224537,18111897594331722390,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
  2⤵
  PID:4236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2152,18031206529617224537,18111897594331722390,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5836 /prefetch:8
  2⤵
  PID:1276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,18031206529617224537,18111897594331722390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
  2⤵
  PID:3632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,18031206529617224537,18111897594331722390,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,18031206529617224537,18111897594331722390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6400 /prefetch:1
  2⤵
  PID:2456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,18031206529617224537,18111897594331722390,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1424 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,18031206529617224537,18111897594331722390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
  2⤵
  PID:1156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2152,18031206529617224537,18111897594331722390,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6444 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2460

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1928

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3768

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4ec 0x240
1⤵
PID:3972

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2804

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap13796:96:7zEvent9975
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4224

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap27929:116:7zEvent31286
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2804

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap9347:92:7zEvent27963
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2084

C:\Users\Admin\Desktop\Pastebin Leecher v1\Pastebin Leecher v 0.1.exe
"C:\Users\Admin\Desktop\Pastebin Leecher v1\Pastebin Leecher v 0.1.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4956
- C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
  2⤵
  - Executes dropped EXE
  PID:4476
- - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4384
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:5152
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:5300
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        Suspicious use of AdjustPrivilegeToken
        
        PID:5488
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
      4⤵
      PID:5312
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5504
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "gdb --version"
      4⤵
      PID:5320
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:5328
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5496
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
      4⤵
      PID:5616
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        5⤵
        
        PID:5664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:5704
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:5792
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:5712
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:5800
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
      4⤵
      Hide Artifacts: Hidden Files and Directories
      PID:5880
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
        5⤵
        Views/modifies file attributes
        
        PID:5924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "schtasks /query /TN "ExelaUpdateService""
      4⤵
      PID:5944
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /query /TN "ExelaUpdateService"
        5⤵
        
        PID:5988
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc onlogon /rl highest /tn "ExelaUpdateService" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
      4⤵
      PID:6008
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "ExelaUpdateService" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc hourly /mo 1 /rl highest /tn "ExelaUpdateService2" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
      4⤵
      PID:6076
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc hourly /mo 1 /rl highest /tn "ExelaUpdateService2" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:6120
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:6140
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:1876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2420"
      4⤵
      PID:4832
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2420
        5⤵
        Kills process with taskkill
        
        PID:5240
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 464"
      4⤵
      PID:212
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 464
        5⤵
        Kills process with taskkill
        
        PID:5056
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1432"
      4⤵
      PID:5388
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1432
        5⤵
        Kills process with taskkill
        
        PID:5628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2132"
      4⤵
      PID:5536
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2132
        5⤵
        Kills process with taskkill
        
        PID:5608
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2620"
      4⤵
      PID:5752
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2620
        5⤵
        Kills process with taskkill
        
        PID:2452
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 844"
      4⤵
      PID:5380
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 844
        5⤵
        Kills process with taskkill
        
        PID:5916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3948"
      4⤵
      PID:5368
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3948
        5⤵
        Kills process with taskkill
        
        PID:5696
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4236"
      4⤵
      PID:5500
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4236
        5⤵
        Kills process with taskkill
        
        PID:4972
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1156"
      4⤵
      PID:6120
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6008
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1156
        5⤵
        Kills process with taskkill
        
        PID:5900
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      PID:452
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        
        PID:2924
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:1296
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      PID:1552
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        
        PID:1120
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:5216
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:5176
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:6076
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:4836
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
      4⤵
      Clipboard Data
      PID:3624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        5⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:3200
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
      4⤵
      Network Service Discovery
      PID:5384
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:4728
    - - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        5⤵
        
        PID:5492
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        5⤵
        Collects information from the system
        
        PID:856
    - - C:\Windows\system32\net.exe
        
        net user
        5⤵
        
        PID:3864
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        6⤵
        
        PID:5364
    - - C:\Windows\system32\query.exe
        
        query user
        5⤵
        
        PID:2508
      - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        6⤵
        
        PID:4204
    - - C:\Windows\system32\net.exe
        
        net localgroup
        5⤵
        
        PID:5708
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        6⤵
        
        PID:5272
    - - C:\Windows\system32\net.exe
        
        net localgroup administrators
        5⤵
        
        PID:5392
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        6⤵
        
        PID:5260
    - - C:\Windows\system32\net.exe
        
        net user guest
        5⤵
        
        PID:2124
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        6⤵
        
        PID:1864
    - - C:\Windows\system32\net.exe
        
        net user administrator
        5⤵
        
        PID:652
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        6⤵
        
        PID:840
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        5⤵
        
        PID:4004
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        5⤵
        Enumerates processes with tasklist
        
        PID:3960
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:4808
    - - C:\Windows\system32\ROUTE.EXE
        
        route print
        5⤵
        
        PID:5112
    - - C:\Windows\system32\ARP.EXE
        
        arp -a
        5⤵
        Network Service Discovery
        
        PID:3636
    - - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        5⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:4396
    - - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        5⤵
        Launches sc.exe
        
        PID:324
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2376
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4672
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:5556
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4084
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:2084
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:4284
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:2308
- C:\Users\Admin\AppData\Local\Temp\Pastebin Leecher v 0.1.exe
  "C:\Users\Admin\AppData\Local\Temp\Pastebin Leecher v 0.1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4832
- - C:\ProgramData\vshost\vshost.exe
    C:\ProgramData\\vshost\\vshost.exe ,.
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3152
- - C:\Users\Admin\Desktop\Pastebin Leecher v1\libGLESV2.dll
    libGLESV2.dll
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:1928
- - C:\ProgramData\winst\winst.exe
    C:\ProgramData\\winst\\winst.exe YkuOXOWEpTjyM5bfHsP5nHx6lBesI0yI3GSIr2kRJypPBkJxB3ql021VwBEJh9NK
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1436

C:\Users\Admin\Desktop\Steam Account Generator v12.1\Steam Account Generator v12.1.exe
"C:\Users\Admin\Desktop\Steam Account Generator v12.1\Steam Account Generator v12.1.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:5992
- C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
  2⤵
  - Executes dropped EXE
  PID:5368
- - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:6020
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:6028
- C:\Users\Admin\AppData\Local\Temp\Steam Account Generator v12.1.exe
  "C:\Users\Admin\AppData\Local\Temp\Steam Account Generator v12.1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3612
- - C:\Users\Admin\Desktop\Steam Account Generator v12.1\strip.bin
    strip.bin
    3⤵
    - Identifies VirtualBox via ACPI registry values (likely anti-VM)
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    PID:5828

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Steam Account Generator v12.1\accounts.txt
1⤵
- Suspicious use of FindShellTrayWindow
PID:5164

C:\Users\Admin\Desktop\PSC PIN GENERATOR\PSC PIN GENERATOR.exe
"C:\Users\Admin\Desktop\PSC PIN GENERATOR\PSC PIN GENERATOR.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4820
- C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
  "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
  2⤵
  - Executes dropped EXE
  PID:3704
- - C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe
    "C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe"
    3⤵
    - Executes dropped EXE
    PID:5960
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:6120
- C:\Users\Admin\AppData\Local\Temp\PSC PIN GENERATOR.exe
  "C:\Users\Admin\AppData\Local\Temp\PSC PIN GENERATOR.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5824
- - C:\Users\Admin\Desktop\PSC PIN GENERATOR\data32.cfg
    data32.cfg
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff82660cc40,0x7ff82660cc4c,0x7ff82660cc58
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1892,i,6028104683175366133,5870437993503337666,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1888 /prefetch:2
  2⤵
  PID:5376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2084,i,6028104683175366133,5870437993503337666,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2600 /prefetch:3
  2⤵
  PID:3864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2136,i,6028104683175366133,5870437993503337666,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2576 /prefetch:8
  2⤵
  PID:5532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3164,i,6028104683175366133,5870437993503337666,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:5848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3424,i,6028104683175366133,5870437993503337666,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:3156
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4544,i,6028104683175366133,5870437993503337666,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4376 /prefetch:1
  2⤵
  PID:5204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3896,i,6028104683175366133,5870437993503337666,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3900 /prefetch:8
  2⤵
  PID:1388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4848,i,6028104683175366133,5870437993503337666,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4860 /prefetch:8
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3744,i,6028104683175366133,5870437993503337666,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5004 /prefetch:8
  2⤵
  PID:736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5000,i,6028104683175366133,5870437993503337666,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4748 /prefetch:8
  2⤵
  PID:5468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4208,i,6028104683175366133,5870437993503337666,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5268 /prefetch:1
  2⤵
  PID:5928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5428,i,6028104683175366133,5870437993503337666,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5280 /prefetch:8
  2⤵
  PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5616,i,6028104683175366133,5870437993503337666,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5624 /prefetch:8
  2⤵
  PID:5464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4968,i,6028104683175366133,5870437993503337666,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:5720

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
PID:5504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff81a2646f8,0x7ff81a264708,0x7ff81a264718
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,12730376542072004273,17968166306493909960,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2232 /prefetch:2
  2⤵
  PID:6008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,12730376542072004273,17968166306493909960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,12730376542072004273,17968166306493909960,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3040 /prefetch:8
  2⤵
  PID:3612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12730376542072004273,17968166306493909960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:5228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12730376542072004273,17968166306493909960,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:5516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12730376542072004273,17968166306493909960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4588 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12730376542072004273,17968166306493909960,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
  2⤵
  PID:5816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12730376542072004273,17968166306493909960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3668 /prefetch:1
  2⤵
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,12730376542072004273,17968166306493909960,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3564 /prefetch:8
  2⤵
  PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12730376542072004273,17968166306493909960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
  2⤵
  PID:4912
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,12730376542072004273,17968166306493909960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
  2⤵
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,12730376542072004273,17968166306493909960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12730376542072004273,17968166306493909960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3556 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12730376542072004273,17968166306493909960,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:1
  2⤵
  PID:6048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2104,12730376542072004273,17968166306493909960,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4040 /prefetch:8
  2⤵
  PID:5820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12730376542072004273,17968166306493909960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
  2⤵
  PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,12730376542072004273,17968166306493909960,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6332 /prefetch:1
  2⤵
  PID:184

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
f0ecfbb82bd8f1e856641c0cb87047b0

SHA1
c54ae7d8e942e174e157760ccd9326172e8f8eff

SHA256
3a6c944bfe89dbb1aa2d6813239f815dee58ed1a7462b7271a391b635f6011c6

SHA512
ec25ff2ccef98b65064c3c254487c278298df2fce98e6d7339d2c00e7297d0667c9132d617ccbfbe819c902c05751a8b942205d588c88a803ff170b142c4483e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
34c96cdab5c10d488aeba740411ad7e2

SHA1
19b27397dbbc0e745548d1a20d5973fbef5b9b2c

SHA256
8fb4a3b233d807f7800fee9ae273fbdcbd21dab8dbca8b00208c06cef1dcb751

SHA512
c67a05f83679f72780b7e4f4c4f68a7aa4bb05ced4352e34752894652762afb450ca8e5d0b643aa3d88304cc536b8b89342f1664cd8224dcbe5e76680e8e469a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
a039cd652a01a06a9323759b667b953a

SHA1
cc8aa0d8f23c17b31eb37c9040cc1583c15625bb

SHA256
2885ae07282822468acefb0123d21995a656fdb093d2f3c3f9d27ae7387dd4c7

SHA512
cd5ea8de06b904c90d4798e739d90e3b0cb985e7b0e88fd110d9e9a7bf89198c458e7d16eb1fa87d4e38ba3f07acdcf8098002b5dbab4fae42de09d15bd54bd6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
c5a72435096eb78dc0b66ddb7ed77054

SHA1
c01194b0c06c346bd8f7aa4bc017bfe7f625f47c

SHA256
853cf2d62ec053794acdd816675c4c466df377c91c5b675b7a0fb90bb77b28bb

SHA512
f7f68a6a460110873b8abd5a1ecc4866797917978fe304d40faf26035ebe45fcf158d3f43f3b51e90ad53d9ecd230a459589cdf6abc51a6a8d24b319f5495611

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
ae509d60603694b53981395b6ea7f218

SHA1
7c9bc57f8e0a5cbebda6f8bf6b333b777c70aa56

SHA256
20f0dddc64cddd424a97d2ca17d88090db761ea04086732869bec7334640c818

SHA512
5e160a0e63d5c476b87629cbe5069e13f998cbdb5f6f3045fc5d56fb11c3d138e526aa08e73c36f3d478e9a075268cb72a3c81bd1c26e13f373b4fec11702344

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
b022662e98ddd2e30daecce2fac955c3

SHA1
08098731234c33ce2cd65818dd131a7acfd0a2f6

SHA256
ec92236f72ea38b749077038383320c0fcc70faebc8c49d3aaa70b8c93b09ae3

SHA512
60e008dbf0d33b82a6517b39fb2f393d8de516c7e3b7e203faab4ee51d147561d96b91d72dd85e981c2d20a4c5742af4efc1fbe0ce7543f7c28d01a3a4eea6b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
229KB

MD5
75a9c1a26aed5934ba12bbfc01a3f9d3

SHA1
94d50bd97f3384d9068c85d9f90cc827b9845598

SHA256
df86d2bb9c67a282e6ea1e3039eb78ef306694115c739f6bdd6c3f411b62fc2a

SHA512
8030d257e25ae898a138af6fdbc3c493610c8d2aae17ccf112cf5c406808b49bc28386befbf66a5ac7067b32aedd09c7a864b6fe6e27e08b0f441c44d33a541e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9dafc9a353533b99db251977ac6ae013

SHA1
7813f294eaee953cf4ab0c9e75b09a770a1f0e48

SHA256
00d3f47872f058260b936d3942acd436439bec9da636ae3f2c50cf2fc5c29603

SHA512
27536e364d2e7ac6ab52870343ed6183dc9da5244d2fcb435c5e4c92f74d5911c509d0ab70781ce3ea901ee39b8861ba8d493deef253addb2026dae83ec58438

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000025

Filesize
17KB

MD5
950eca48e414acbe2c3b5d046dcb8521

SHA1
1731f264e979f18cdf08c405c7b7d32789a6fb59

SHA256
c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2

SHA512
27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
25022915f794a6fc765976c3746ad92d

SHA1
017f9f1812736d2e2d1522411016a7442085aec0

SHA256
f52770baf1158b82bb4396c94d54539e7806f1d4631187fcd817481c867126ea

SHA512
1a1678d3bb1fa75d90a6fc5ce864d25c2446c8c2162b4ecb44e87a6c4bd16f401c4bbb3d6fa7e55dc31b1ab1b272eb5ceb7a11df08ff746bd51005d817b90258

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\Origins\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
188B

MD5
008114e1a1a614b35e8a7515da0f3783

SHA1
3c390d38126c7328a8d7e4a72d5848ac9f96549b

SHA256
7301b76033c2970e61bab5eaddaff5aa652c39db5c0ea5632814f989716a1d18

SHA512
a202fc891eace003c346bad7e5d2c73dadf9591d5ce950395ff4b63cc2866b17e02bd3f0ad92749df033a936685851455bcdbfad30f26e765c3c89d3309cb82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3335b44692a4c92c2c923982fc39ca13

SHA1
031a4c2fae69e13b939a4e9a0b206622d637d3e1

SHA256
29f3e46c1d6e7988afe0c128213797da5ff4c967a7100c94c9afe54c61e03759

SHA512
6163626e6338181a1971c187829d9ec49171cbfbe826d48703da0c83a4b4472b50a9eae3ef9a99a7665e299070a48a0ce3d72caf167c07ac2d6a6efef3dc58a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
98eaedd4a177c5f2234c54559f60e9a9

SHA1
03cdce073baf15993ce65e9295dcb8dc890c01d3

SHA256
df9d81c6d1dcfd8c1e6018e7737f0633ed596b93b2ad8e7bcc331aa7f0255e78

SHA512
de831c72eac96fb6da53023eae18a46ac2775f91a1b7ee9448684e42d3499e3e18952aef5962bc20cca8090b946ba317499d04cbb27d0b32d8167a82c5439af4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2a75b1188dc279f6beaff01fbc27a319

SHA1
7acfd84936475f3d31c52316bdb6ded9452f2175

SHA256
2e10f2dbd85759cd7c50d48c2213f24eea2d0ed68456b74ceed242b405918e70

SHA512
0f25f0db61df85625ebdfdefbc7808d97d21292dd9aecc42c843889af5f3d24f983b6c8991ef8ed79a5aa83d8b03ca833aeac40a2820fa3c26eab7d4ce92b33d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
12d3585b3b6a58e021a44198b56c529b

SHA1
d598b8ca95a729b88698a1e3f28c30aed15acdfc

SHA256
cead76ca881dcb280fa7c36d08fa9856d917e444ec1d8ce5975fdcbedec3a567

SHA512
f3dd15f8d6d7f226821a8959e81b55e2d88f6ace9cd5525ccd27da872e6c214b9b17b46ae2278ece4d9fe1f04ad44aa9acbbd9fe70b37c3546c9e6621b9648c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a6405c8d827e9c99346864fa0e3bcf37

SHA1
51a78a3d65ae503a0575efbe60a4b78b67da9a7b

SHA256
f6bc01a9f9d792839128849a8d41925c6b3633a729d8372f18b9a21541c6683e

SHA512
96d313bbad290186025c9bc10529db3a32abfb91cee421c0c8911c42ac0127f6f6c255327c858e6341bc4f07b20fb3f6dd03f00ae3b303db34f198a98cccaf4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
be98836fb64432c72d924b9581d389bc

SHA1
073e05943c558d796e3ec2dec96d8fae9bcb5c85

SHA256
b82f47a887612bee8d03f5b61b2ce7d46eb3e3c8146ce6ed7f9ef752824da335

SHA512
ef5fb79976a44bd4340cbd34f1ab2c2f90d9bd3aa0d0f8f47f49588e8340b0bebdccb888aac362056501de2fc52644dc66289cd612a3a86fff6263ea3e4289c5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
3cfc3e756b786af8202284a474ec8fce

SHA1
feaa3f52e50feb963aea5d245ed994ce479a9636

SHA256
608dc44db8e509b251fb6fec0886be7a8ba9a1dc82c50a2ec50f71e66ab3c73f

SHA512
279541f44e010b1d560f12c7e79464f6b4e473075095a50d4c2103bc78dca3aaf7962001884e941e978593d320e0ce917855f7a3aef9a8e4e051a74fb07aa013

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe581c3d.TMP

Filesize
48B

MD5
cb34fec5b841912f46ee1fe0e765c438

SHA1
0b9ef9ae057543ceb9b29be215974899e70e338c

SHA256
bd1aeaf158fa3dd65c7ec9766f806277528fedcb7fdfa6a0fd50d5dc36c73706

SHA512
97e609d05fceb85d28c876e0a3881b350fcbf522601c4f56e8906654e3b871d7761f81888b16d325d4e075835c5e99d615c04acb58da1f7e92eb03dbdae771ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ede1c86c-6a94-451c-b755-cf48a5418e56.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
52df63b0ac70d9e33189d361da1266d5

SHA1
aeea9dc4bc2c8f453919fb435bbef964c6ebe1da

SHA256
b746cb787cbf85e90c19961819a2869babc117fbd1d347831ac29dc97de3c431

SHA512
1ef68b621bd98fc2630cd56d019456a6720079ce7af47165679775c7a197068311681fafde9c06e07f67613713a0347ea39ecc8b4f89aaeaa4ffbe97e388755f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9d9ed63086e0804e893d47187af30cca

SHA1
9084c16915c87b20b70b8ca7720a5360cd7891ff

SHA256
7c69dc5fc54985c1c84cd700bfe8e05f8f6b853ccc3adec93605d5bcf0f41290

SHA512
86cf8a824053c9b8fee557f50e418abf14afae766e71d6f63d5b6449ea3239c90950a9a05af87e8d2d6bf73b65ef29a4711f6ac14fd13b1096dd535ea5d3ca7b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a8acf5341d0d545125c70119ebc69481

SHA1
4870f0cd6854a31502758f05015a73ff7897e63a

SHA256
5c36e579b41585c39e7687f90bfc74851c00259c62583aaffc02cd9c31e398fa

SHA512
f91d38d708c74957b829385a2f33b665cc227e11029ece20d635e2c7a6c2aa437a9f23f293b470c59dd1cdf464a9808afcaecbc460ddd83b4cdbede293797b56

Download Submit
C:\Users\Admin\AppData\Local\Temp\PSC PIN GENERATOR.exe

Filesize
567KB

MD5
a4268355d4ef05148783a89537eb2f44

SHA1
22459e096ab033ec3a6fdbaa53a71b3405641ba8

SHA256
6f7bcdc3c40a67e70f70e3d8e5ab10eecf87ab176a47f241a8c5d3651ca4f557

SHA512
e97027b9de7586963ffeba8e039252973f404fc4b6950975af699877f98dab587fb4aae86f5bfb72a0a3f8811855677023b016a079cb11c3e952091014370724

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pastebin Leecher v 0.1.exe

Filesize
765KB

MD5
f12fe23f3d8704bfecab70f8b6c89558

SHA1
c18326ee378f4f94f394c1f0be40d3615fd247ba

SHA256
3aa863c8c3c9ce4885802bccbd648be2dbbef4e7f362e631920839da2cba7fa5

SHA512
ac68428671c735ba85c6066b0cd3e3c70b899441fb8ca36b280d69e61bcf578074a9af852b23d1500f2fb03d73adc17fc24b1710b1768e5e61246266ad6166e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\CompleteSelect.docx

Filesize
386KB

MD5
16a9610e10ebd8946fd0035c1f496bc5

SHA1
7edf4e7307cba08ab1ada39a889fccdb779738ee

SHA256
1faf13b650a1fbd830c743816f0cee52951f13f45b7a4a18ec74bbb434e8eb74

SHA512
9398888a29b2472f9a44c01bd5207b1b91446f93fc8e0dad3d0a280dd71dac69901b865a0d33b72412baf57738a1239c4e1f0c3727e5c388ed647c23735937c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\DismountDeny.xlsx

Filesize
9KB

MD5
7dfc47eea35f133fe02c4327aa7bc722

SHA1
4bcd5ce71eb058b727a6f95e16f8ebf5251a7f8d

SHA256
40dec24db0c3f2b1801b9874f90d30b59d2bddc399b722ad5dcb36364f4c9bf1

SHA512
14857d2f67f2e2135b9dedfe8cffac0579a481327046cff996823b7b39aeb476bbcf957a26e3a49556d917f29e67ca7df17c5029f29a664cf4f32e6b0a9c1435

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\ExitDismount.zip

Filesize
264KB

MD5
135e00359f10291f5f6a1771f2d5430e

SHA1
e8ddab923b7c6f1cf8f81405f3493d4cffab824c

SHA256
6f3dc209f2abfb0673446efb0e7ebe5d3a547546104dbe69c5bad0f2e6ef96f8

SHA512
a0802b5c2abaeb227d4cdb35f382d53f498e223aff9a87788c3866f0ab2004baa58905a5a00ff1f719e58420fded77efa39963e588a13db739c7793592cc7dd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\RegisterUnblock.xlsx

Filesize
9KB

MD5
10f6bbd3535954e84f4b97e21fae5c07

SHA1
0592d9242721837c669886b7497c715aa2978113

SHA256
403dd95fa13142372712b6e356df28daf03f0a15ae19b999f5c8637b4ddef1ba

SHA512
abae3fd0431a6ada1cab81322bef0d468f1a8e63cfa7344e75a3bcd8a086f0b56d4912beb3ebaf4fec331022c6f64dbce0211607a3d66ad586b6222d089234f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\RemoveProtect.xlsx

Filesize
11KB

MD5
77c6b62e86ee445b9923be479f9b3581

SHA1
2064967c29ca9fc5999ed26de7416a218a0356c9

SHA256
a2bcf31b499c1c845335e368512f3145902f160e1048eb053cc6c06d2730704c

SHA512
e90a8508b772faccc3f8d4efaa811f9b82ed22fd23f086af3cd2073ce7ec96aa766f9315731faf432205422861503d75a069f54df18333113cc07e1678333d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\SyncEnable.xlsx

Filesize
9KB

MD5
8515a9063d6d84219f116534252da42e

SHA1
6cd14140df8e2dc92b2aafe4321cde3b5f2389e2

SHA256
c8f6d288153e8618706295987dbbf3bec822a05ad3bb3f096b4df9fe357d86c4

SHA512
6c1ef2f261b270acf58c9a9c9ddba60c7a3b06727b1da2f10b9d806d0c092ed6124f1aed04b291383b1b9837bfc04fd0de3bcb67f6f70f0803f5e56badb5f699

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\ConvertToRevoke.csv

Filesize
468KB

MD5
cb31bb869d756d0a565f5c587c7d5c88

SHA1
dfbc4ff85bed09236eb803ab494d56ce033f4ca9

SHA256
aab7a5463418af25287af4098c738f130701da7967c88181d674d2e9c13649e1

SHA512
4ea3e8a524f3e7440946d738a09444cac7416572d134d6288896f270865d85b21f77b986436bc9bd0208723dc05e8eef0895a521298f598ea6a6b2ada865d597

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\CopyConfirm.txt

Filesize
354KB

MD5
e8b6f69dcbbc9ddeda0a7d25b1c2b5b4

SHA1
8bde647a8bbbff2a3e672f897eaa4bbc02939ede

SHA256
2a578f0579a70dad13e8d734734a2d0426d01edba25fb06f5170f87cd91be234

SHA512
c3d866cf45cfb360547e045c705cef08ab70795675871cd46e42d5e5438d2bab03c854d0e523de1db814b0022fd1ebc6be1eec324fa485bd5f50b198a0744749

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\EnterOpen.xlsx

Filesize
12KB

MD5
b1381875a73944585f89e4e3cb56f8a7

SHA1
d5ac3510a1c849ad75173dc33e9dfe6bb3096b82

SHA256
01f52d4b5c6517d147a988ed4ab581d92a6dbc9acaa759bf0a6ff48e2c409475

SHA512
1854f4dab48d02f7c96ae39543b02568e22ee6a3f2a790d83b6da9e4f546119d86cd3aeefd684f2a81cba7a981d1d06ce8d588e3b77108cf82518f4c0f1b4392

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\HideGet.doc

Filesize
297KB

MD5
7a45df385dcabc1d88c8bea54f9a3ffb

SHA1
5d0570fceb5c8b36f6e1b0658513f42b91cc1f6b

SHA256
8866a59879fb75166fed6fec0a976fefe1f07b9cfb7c35c1128d4ddf45068635

SHA512
b979e7d7229b7e831007b7b8f341b25f36b8b263a7e7ee329b47176cfa9b8bbf4dfaa97e61ca97b9dc974b79874b1159745040fe22f24a3628f2e64c5123050c

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\LimitResolve.docx

Filesize
751KB

MD5
94ebe832d6573d0968aa0b3b5a38c8e7

SHA1
daddc82f04463171b8731abdb39d04f2f75bdcc2

SHA256
f8b20bf254c52536de8727cbd06b9e70749cdfe48300ff98c9a4a2908779c0d5

SHA512
16ddfd60a204d4be541cb2a906e75485b5fc5dca1d739f4410b2dedfc52c81294d618c25bbfebab2031c5c10b23af5580d1c84c5df08036566ab9dfd7f1c0127

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\PublishResolve.doc

Filesize
439KB

MD5
c1008c3e79dc51c060c0589453309924

SHA1
a182c2da5d2c248c102258041c02794ea2b35c9a

SHA256
66038a00ad2df4c5e2bf42eb898da1157560a6fef89d9485c84b894f6782230b

SHA512
56441dc20d8ad9d7caee7b2fd0ee2b0006f48e89e94bf2c22e687cef3e6e6739b009527934cfcb6f544f9ce866690b9c55943ba13a27a68e743bc1467b797a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\RedoUnprotect.xlsx

Filesize
694KB

MD5
06a8839a48582183656a8004c8ae4138

SHA1
5e5b1fb839ed60342dc942ff183386f96662aaab

SHA256
3af9150e6aadbb4bc161338d401c7c90b836ced5040bed7bfa9ab28229c56193

SHA512
3e829ee40e4b1e80625a6567741b1e3227dd9a37500376fdc242b97370b4754f8aaf09c3a42e4e161a6136f27c20f75eca5eb0e5778c95f625e2c504cbeb8ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\AddFind.zip

Filesize
821KB

MD5
925980eb2e991a2ac1291cdb3887bafc

SHA1
f541d2985f269a124bf9093c3ca8582155e2db68

SHA256
d649ee9e10eee123bc077b3801e810e8dd9a05c7da2d26d476a2342b399f1945

SHA512
0d3b40bc0c5129f66cb18cc5cbc318aed97219800b68c668caab107181ecb8d333f45d02fae802fb5428af4883c7d64970b6fedfb8567bff90bf4b9012315fd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\BackupStop.jpeg

Filesize
796KB

MD5
8334f9b04cb7f5081f9e99779bf05f41

SHA1
0d63d6026144f20cadb9f6e58987a3b62a690c76

SHA256
44bbae69f7294276607818c12601503d1a720dfe01fe2057d31c62cca343538d

SHA512
cb4c63cd6a5a8cdd6306432fb4aeaf9d030eda368886f1868bd24270a97db1d408a500900b9144014f30cda660188e0c3261fbb700071c96b7f90b49f62e0f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\RemoveCheckpoint.mp3

Filesize
600KB

MD5
5158f327bd2936ac40ebdd2e575be10a

SHA1
8772358ff8276e1bf8910faef5892eb7bc8014d0

SHA256
107465abc6b1e8e6bc7c89329ff0a8dfd80b24c6c798bf8b834f25bd294b6aa9

SHA512
c61427ac33b1c8e1ccf502f612b39613d47dea1acdecc53f65dd4aa918af01705ee5f51988293200a6c8e3e766a58277deab17285185526b87ca31c0922ef6aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\RestoreSuspend.jpg

Filesize
698KB

MD5
c0c36dc4e65184874ac2276be568280c

SHA1
a2aa86d22a41b90ed7dcc79f247bacd0a3810a0b

SHA256
c6a4cfab7e88c64a3fbbc939f3411f681eef00dfc219552e9c8ac78d79682230

SHA512
1912d3313f1565c064ff4aaa7de6cb76db577b1d5979ca79841c23ecbd49f43f0dd160e4a7e37f4a3aa5d10b3139c0943eef65708e31e6fb8c293970305a6073

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\ImportSync.docx

Filesize
241KB

MD5
2947add3b16675600101bf2aab5ea76a

SHA1
00eac2f338bf51eac9ccbc10c40127037f798111

SHA256
0d2c1865158adc27bd5cfeebada827bd5af4504059f6ef2c6de5998f2dbc45f0

SHA512
d6e5dbe21687efc0baae56f8b7c6a6ba14137e241e24c780555a66a04dcebd0edde9d084cccf0015c04642122c9be579cefa9bcc37b9a1726b352ca027867946

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\InvokeUpdate.mp4

Filesize
414KB

MD5
e82a2ecab991472a4de27c0da6ed5800

SHA1
15e606371d95d26a93182274926663680e8e1c87

SHA256
208fbd96a31436d734d3c98f6d5eeddfbc080e4d13311981759adc12913bcb38

SHA512
5f8a381d9d6a22b239a62a2f1bd617896a8971a2b7cbed224333a73a40ae00631fecaaa35fdde863f4c071e8708b28c7511088afb0232af872d4a6580b23f506

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\LimitUninstall.doc

Filesize
105KB

MD5
354408587deeada026dc5ef960e2eb31

SHA1
d2cbd215b8aef3b6db12452e2c969df7616ecea9

SHA256
aae2b05a3cecc9abc644c508647b0145b1b421672378b689fe956980fbb1f4ea

SHA512
be83b80d129febd0e6e487128e1e98bf48419d71bb2d75abcb4f74b20c88e51b0b08b18129a28d8975874d68574a476b71e78c5014991e3cfda47d0d2c3febf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\ResumeUninstall.txt

Filesize
142KB

MD5
79fc6ae805a34ea3de32d84aecae22f1

SHA1
3886b8601ca6f34f51c57087d3eff70be10295aa

SHA256
1078aa15fc459ab7a2b9090668eb1e0244b61ddefc06792a6bed2e9a9db5b220

SHA512
0597432cc13df6eb394b0c01850b94ed9961a88f61801804c85297971b71d5b4e609f9cd37f86e6bfc741ab6724b5fba25a1b419b2e54a9c9778cc15a5271cb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\StartExpand.csv

Filesize
124KB

MD5
285693a452344f3379845fc05d4a45d2

SHA1
5e10657087877498d76ef0b9a837d51f68e3f25d

SHA256
854ff47e1858392b6d8c683991a735fe31b68fcdddffbdbe8af0debdd686e54a

SHA512
3ac6270bd77fbfea9816c6e802832c16acdd2769ab0f0bebbf1731652a4e9289954b2346ca6f4ab00fd95ab4fd45b48cb4e2f8a15584ead14ad615bdf1f9bfa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\CopyRename.png

Filesize
600KB

MD5
bf81c034b536f73b6732c899c6dc6019

SHA1
27f35be6dde03b05d6c8b22eddadd536f7d27335

SHA256
6466eb901d6993afe4d56a3b2c28d6ac9a869001a0eb1dedda9d339366784605

SHA512
35f0f19116622f33065a86227446ca8ca281e35e30353d7ed8d443aa2150745c14a87b421620701f68166513a4ddddb1cb30548919ba8a107082469d60267097

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\OutMeasure.png

Filesize
900KB

MD5
3338f9a1c3958f7f34c611f3452c9812

SHA1
c2fcf94b313faeb9f873423eb1ccb0d00781afc5

SHA256
c32e68de44f6c5045f2e1712f2f14e8e9c0362aeb30fb58c757778e8507addfd

SHA512
9c26ea34637e29b2664375367ab53329d99c319828e9867cc37fe1fa8c45eba44b4395e48d7bac0b763d569222a354cdd71bff72559e3e700199f1e926d758da

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Steam Account Generator v12.1\Note on captcha Service.txt

Filesize
109B

MD5
a3f8b62377d0fd855e27d1e6fc84598b

SHA1
17cefb7053df022a5842695e70305d6322815563

SHA256
adcfa6810102e0a7340c4922e774dd901ec7cd3003b273b528514111e60d76c6

SHA512
86123cd00b36213b31c727209349e9c0beced71316f247f80917e0f6d4e760d3661a12204be920b3caa41dce370d2405e312c8c7c3324b8b6b01303b550a3335

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Steam Account Generator v12.1\Steam Account Generator v12.1.exe

Filesize
11.9MB

MD5
e4063a34c46364d8b98466c79359f7e5

SHA1
fc9cabc60355dba81deac30c6415b979b8f387a5

SHA256
ab0d33be276021fd709bc482fef028bb79378f72afe58ec38db150a3bd8da8b2

SHA512
66753d16a6e4d75c71cb7bf2184260d32219d17a376560929494f4e2b2c577adaad7935b79d29601aaa68f63791111b2ec12ec7ddbe5447118f158552f569e73

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Steam Account Generator v12.1\accounts.txt

Filesize
804B

MD5
a433c0c837bce015f1addad501fbaaf3

SHA1
bda4c3ed5df84f8a45fd5c334216fc8e1207948f

SHA256
520c0e37a368f110c5e66bb87e8439e060b9a8cb15a60ff840b89d9df920cd80

SHA512
74d80b360044ebdfbaa5ff0355d555057edd5f4701e3b16b502fa588e7737774ab76a85a9f4ca2caebc486bda53a3aac083f844c5e259d7af626569f690d5b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Steam Account Generator v12.1.exe

Filesize
567KB

MD5
747fc228e9b8e8b9ae3f4740b419e76b

SHA1
5805a50ce7aae705f21e3f6daf412853efa1a35d

SHA256
3894738e2e967512cf81b0d962c9378970e43c26fb228716f297575837f660c5

SHA512
31b434e1f97c9165c5951c22d960d1e6045ccd00e7713b11869414091bae7614d1eb2b6d46f90ef34473954caa310fba295b1df10c8bd9ac8e5cc51b4106d7e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Windows Explorer.exe

Filesize
12.6MB

MD5
416d90082a860d48c4315066a0acfedb

SHA1
5596e599ac839cd3f89fceeec8efc7ba4fb34e87

SHA256
9abbc3b39c02cec08bba97b4fcb7047af7546f141da3ebc5d4cc08e332b82d5d

SHA512
d766010a3e158e52a33f6880466fafb4c67fa13689a2caac776a749af0103de6409cc9f7c790edb73a55c2b744c0a1de35376cf67419285f89ea0f5bee00d858

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37042\attrs-23.2.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44762\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44762\_asyncio.pyd

Filesize
36KB

MD5
5f0d1334cf0c88d0a89d59d90d3c8d7f

SHA1
5651b9527da3870d5d38561d3d3d2a12b18b4762

SHA256
65c1ea882322b224b56e94eb488b0eac29e8910752300ca629beb76885f43e87

SHA512
0d3d6fbe13bd7ea89012b5f4b5b95aadf4a97537f2a6e7cb3c574fae5410effe3e3f04ea5147df4a627029e57e4a1ce60d99d9d384eedb0a6230edffce21865e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44762\_bz2.pyd

Filesize
48KB

MD5
49d7eeb9edf72ecc9aa1f3f7751f594c

SHA1
46a3bf76d817533fb2c9dda88cbf75f2dc1cee81

SHA256
28a6b14c9d35e01d75abe386eb6a456b663e09c79ffa113e12d015ac75840b04

SHA512
bbefd1ffb5052dbcc7eec55d6be6aa7604c1b35b0c16aa7448f280cf4aa34ff33207f3586aa548e8823a9aaabb7c4854eb982a7408c238966c46b5e5c7aeba0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44762\_cffi_backend.cp311-win_amd64.pyd

Filesize
71KB

MD5
2443ecaddfe40ee5130539024324e7fc

SHA1
ea74aaf7848de0a078a1510c3430246708631108

SHA256
9a5892ac0cd00c44cd7744d60c9459f302d5984ddb395caea52e4d8fd9bca2da

SHA512
5896af78cf208e1350cf2c31f913aa100098dd1cf4bae77cd2a36ec7695015986ec9913df8d2ebc9992f8f7d48bba102647dc5ee7f776593ae7be36f46bd5c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44762\_ctypes.pyd

Filesize
58KB

MD5
7c1116e1656d8ab1192d927e8dd9607e

SHA1
5df70de7ed358a5cf95d3ef16bdd53db74c1e2f0

SHA256
a0ab67ea3f27337ed0873d07901eff16f0e6eb58fa7436bb0bde15a35516acc3

SHA512
004bdff5a4d76ad0d7ca3b000615de904660abccc737b3aadfee5488155e3f55612aed2bc7c1e14db07e7e784f35b779abcfe5217ea972a1bc6dd0bafad04699

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44762\_decimal.pyd

Filesize
106KB

MD5
402beeb25b14b6182335d6fd19fb1e4f

SHA1
2ad5900f0e9aa7e86329da9598cf8315926abb4c

SHA256
66391f61f499833e083ed8ba90f08165224f7ae4a6d719bd3927cc11172736c1

SHA512
54221bad46becfbac2001149f31438b99dc91b2a232fca61f0686f0a51c02bc47d226c9ed2873f7b17dabfc248a46826723297e2c3482e01d79fa7056366d1ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44762\_hashlib.pyd

Filesize
35KB

MD5
1707552b695aa251dc4a205b55eb92df

SHA1
3ef80ee38fdf87236b224e2faf743d5689714b45

SHA256
9e513d47d56fb59ca9794b129153e75231d7d684b61cc6c7612bf4abda85b4b0

SHA512
97b3947a5a446f45e9ca0b7d8cf945ba4eb42f38543ab67aee563aad8040ad332f1b51663e80352ea973998abbf255df6ec4cc38d795f7a02c20a453e852aed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44762\_lzma.pyd

Filesize
86KB

MD5
3a53da080c83b709581e5a117b6e308e

SHA1
efa5bf61d6b8384b8c4050fd6b579b3f13ff2ebf

SHA256
779762b87cdf4bcebaa3a571f25324ea7b9e2c8b85833172acc0b58c6af5508c

SHA512
2be3b2085032ed26b734a70a0a94b420ad4c9130cdda38b7dc4b9677d603b3631d1d013839940ae165be85f65400cb77b31804c8806b91b13d0fe1893a6c7254

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44762\_multiprocessing.pyd

Filesize
26KB

MD5
326061e57a55149d68f3cc931d45ada1

SHA1
9e09ad5ca0551359e77b3cfedad4851f85672ec8

SHA256
dbcce7f1ac98ce01e5e6fea036922ebad3e207e3e97ed07a6445e8f3e3bd66fa

SHA512
3de46fcc8f4e5346a689c3d6cdd7aebc34b8d688b9e60b47e490a117514519c51663ea5f517c96c6b1b07892e533ae3cff40007dc6a8faa50afd71e8a7c09f44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44762\_overlapped.pyd

Filesize
32KB

MD5
b2b4b47fb5580a9d7c3d975f4d318660

SHA1
da6e2913670c586b4cf729c8f639f305cce6ca74

SHA256
8a210d5bf97189d4bb2d384d262c718eeb8ba549e3bc7a1300275433edcac6ef

SHA512
f3ed282d79e5ae6229e94036439e0030fcf7a592a8227ce8759f1aafda91f1241282653ffd4635eb8acd00eb5ed3c1373d0dd86fb93dc836012d84a1f43f16dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44762\_queue.pyd

Filesize
25KB

MD5
53c0acf7733afe17cc0b2a4f39793724

SHA1
8c6304bad8e2c009fea48eb4c13c77b793b30a33

SHA256
1dda443bd40f46ce6c60ebbbd7a8d38a9c6c696a8620834b4b62ae5d45fd5e7c

SHA512
fdfb9e9d410746faa531c8f4007b4087b35bc1ea0ca00946f96ac5901eefe66bda2296021c004d070246d5a17afe6a65315c0d2ec7658761ef5d78a23b5f8df9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44762\_socket.pyd

Filesize
43KB

MD5
14ab7774579ee7848cb48ab6a6364c6b

SHA1
3da679166989b6d944ba20ea0001929840bc5354

SHA256
d1dd324fdf327b6b4af757ccb0863ef11901d34344bf78480ab0013b6c2b47de

SHA512
d06b939303907851c4491c9564ed091cc06693f2a5eb5d7d098306fb0c7b96bfcc0bf993bf0edbc504e0681e4520d4d491d1c114547e6019e6b6cc1f4d0958d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44762\_sqlite3.pyd

Filesize
56KB

MD5
78aa09523acdd53971d9ee0cc69c901e

SHA1
e15972b2ce482712a6076536a2ee33ac5f0bfcac

SHA256
6e778bac115204796aef74f98a293b7ec10de0801b2f8296d260448870993e5f

SHA512
bbb6928709786dec35580e6e256e446cec2f3468266fc93523c9ada126be3df8e898fcec989a6108f042cf8315f6e00bf78fe12c0dfb3ec3f6e7eae808e206a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44762\_ssl.pyd

Filesize
65KB

MD5
d674ccf80fb5b1e1b09d2437ee572af7

SHA1
76cb6ca0715b27cf0e654ddd5655670df0d16e2a

SHA256
b094a056b5d4f012b6acbf70be5a0fafc0ef7a3ba7173179ac601da475464d7a

SHA512
747a79b06ba5b196dc1f9709ee4980c6955a5047b923ad101df878e84ee17b18ae44c55a0cc5ab378382a6203ee7b9969f41966715a3dbb7aa2e09fe1e273696

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44762\_uuid.pyd

Filesize
24KB

MD5
b21b864e357ccd72f35f2814bd1e6012

SHA1
2ff0740c26137c6a81b96099c1f5209db33ac56a

SHA256
ce9e2a30c20e6b83446d9ba83bb83c5570e1b1da0e87ff467d1b4fc090da6c53

SHA512
29667eb0e070063ef28b7f8cc39225136065340ae358ad0136802770b2f48ac4bda5e60f2e2083f588859b7429b9ea3bad1596a380601e3b2b4bb74791df92a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44762\base_library.zip

Filesize
1.4MB

MD5
6e706e4fa21d90109df6fce1b2595155

SHA1
5328dd26b361d36239facff79baca1bab426de68

SHA256
ce9b9f16ce0d9abdbac3307115d91eaf279c5152336ccbe8830151b41c802998

SHA512
c7e377e2854ad5b5c3fb23593817ad6345bf8a78d842ff2a45c3be135fad6bb27b67c5b6c01b26e7c1b1b12ea0814f4f6b6a522bbfa689b89fa50d3652799b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44762\libcrypto-3.dll

Filesize
1.6MB

MD5
443fd07a22ff1a688a3505d35f3c3dd1

SHA1
ab9f501aa1d3d523b45f8170e53981672cd69131

SHA256
f9c87ec6401039fd03b7c6732c74d1abfdb7c07c8e9803d00effe4c610baa9ee

SHA512
1de390d5d9872c9876662f89c57173391ecd300cabde69c655b2ade7eea56e67376839607cac52572111b88a025797060653dc8bb987c6a165f535b245309844

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44762\libffi-8.dll

Filesize
29KB

MD5
0d1c6b92d091cef3142e32ac4e0cc12e

SHA1
440dad5af38035cb0984a973e1f266deff2bd7fc

SHA256
11ee9c7fb70c3756c0392843245935517171b95cc5ba0d696b2c1742c8d46fb6

SHA512
5d514ecab93941e83c008f0e9749f99e330949580884bf4850b11cac08fe1ac4ac50033e8888045fe4a9d8b4d2e3ea667b39be18f77266d00f8d7d6797260233

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44762\libssl-3.dll

Filesize
222KB

MD5
364a71831c9bd0a09eeeceb6980c58c7

SHA1
9d084ccb83e12ddccd17250a009362d720e6271c

SHA256
3b20fb46f41234f8f7bbe342cfebfbbce5708d963cf5c7792d1237a1bc7b2676

SHA512
5abe19130f9306fd6fc3644412ef6c8c5b7da970cfaed69657a6cb62d431abfbba64fefcbfa82910d17d744e299e3ba5036bd490223b2bf28689cf2e70633dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44762\pyexpat.pyd

Filesize
87KB

MD5
c79cb140401e870e562e451700f8dc42

SHA1
387c7aa25ae47c92968ffccd861ee4b0074b1f37

SHA256
60820b343d07f51d2d056c72475b4efbf1432bc50834faeb7d93a7974da3cdf8

SHA512
85b161fec6bb114efd7c1191b67db254c038ae510ee16fefc3ec7f6572002cdb7aecbc6215fa2e1773fdd9e3f6eca76ad41c9ed3ce4e41db3036f673127834d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44762\python3.DLL

Filesize
65KB

MD5
35da4143951c5354262a28dee569b7b2

SHA1
b07cb6b28c08c012eecb9fd7d74040163cdf4e0e

SHA256
920350a7c24c46339754e38d0db34ab558e891da0b3a389d5230a0d379bee802

SHA512
2976667732f9ee797b7049d86fd9beeb05409adb7b89e3f5b1c875c72a4076cf65c762632b7230d7f581c052fce65bb91c1614c9e3a52a738051c3bc3d167a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44762\python311.dll

Filesize
1.6MB

MD5
476ab587f630eb4f9c21e88a065828b0

SHA1
d563e0d67658861a5c8d462fcfa675a6840b2758

SHA256
7cf19201904e4e7db4e5e44cd92d223fb94ddd43da04a03d11e388bf41686b8b

SHA512
3d67e49a09777e6fab36c37cf3a7c2768382eb1c850638b0064e2b00479f74251bb70290fe62971944344ee88b7803ee1697a374a62c7f7c45a556c820800676

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44762\select.pyd

Filesize
25KB

MD5
2b57ad3042174698a12ff119c21488ea

SHA1
33fdbd701caee66fcc1beb979c8e866a77124f03

SHA256
aef792adfaf8e1b6cdfd3a9b721abc8f66b4fdc21778c9fae5d39385ab003e27

SHA512
623332bed6e9ae88a0d313e15f6565ca7ffc71f728ca842cebae80b24c669c82188080b6646ee402fb7b5d26163a4456a170271c1da9992e3c918d4432825999

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44762\sqlite3.dll

Filesize
630KB

MD5
017a83acbd1f1e17aea2b062bea62fd7

SHA1
ca387752322a61b1884cb52d6a38cdbd4cddcc2f

SHA256
64eec6403b2a8bf8be8554704eff4c6d9e146afbbb655f34a70e0334e3cca3e8

SHA512
96d151290d45f94f0c656d277a7490810711b55f559a0e15efb65d7cba8869b08118f5429a8c8ee7a705bf87fe3f2013e560b950dd3d2b1a40965bacbf9e108b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44762\unicodedata.pyd

Filesize
295KB

MD5
7fef4897fcaeedd98ee1410a7abd2841

SHA1
7cce279ca32e3ada8344d8cb098e33729a18cd4f

SHA256
4d3bea0a4627d1f43e20ace9b889e52ab93cbcf4562029b0f6db19fd4722077d

SHA512
897f30c9ccfd32776a61a4d6aa80b03f0174ecc4d9368898489a934345bfd32a9c71bee95000cdca9a12e4c85ab0789888928984de6eadeb95252c5468e8fd40

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vo5hmkh0.hko.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\d1faf11e-8bcb-489a-b1b3-d360a3b149bb\CaptchaHelper.dll

Filesize
2.1MB

MD5
db956a02daba647f229b01d56ea5d892

SHA1
1c8d576d60f74b97ac0b7a419fd1ee710bf0ab8f

SHA256
5b4f5e6cc52df647673b94249e5392e6f00cc5ffb7e1fc7c4219351762618cdd

SHA512
29c5f194757d515ecf3f08bab3ccd30c3acf99b602cad2f084b782d19a023f6d742dae709256479f163241b3413a2df7cb558fd231ee8cb844b9227d4ee83c89

Download Submit
C:\Users\Admin\Desktop\PSC PIN GENERATOR.rar

Filesize
12.2MB

MD5
24150388247e1c57fb6689f6062777a5

SHA1
637d4dc3e903265ed2fba2ea0cccb17b06d685c0

SHA256
c656ef59062ad998a9090ee8727dde7b7bfa186da6477262ce4a4cccbf026799

SHA512
56fb02da1754e8fa91e10c579d317726e83e20de159099b9b9ee91336db5513bfc37aa90147ad2aba1f6005d1f170dd9ce9d6934cc8bcdd80e5d9a33abfcdcc6

Download Submit
C:\Users\Admin\Desktop\PSC PIN GENERATOR\lib32.bin

Filesize
238KB

MD5
4e6a7ee0e286ab61d36c26bd38996821

SHA1
820674b4c75290f8f667764bfb474ca8c1242732

SHA256
f67daf4bf2ad0e774bbd53f243e66806397036e5fde694f3856b27bc0463c0a3

SHA512
f9d99d960afce980421e654d1d541c1fdb81252615c48eed5c4a5c962cb20123d06dbdf383a37a476aa41e4ffabca30e95a8735739c35f66efbaa1dee8a9ba8a

Download Submit
C:\Users\Admin\Desktop\PSC PIN GENERATOR\vcruntime142.lib

Filesize
211KB

MD5
59238144771807b1cbc407b250d6b2c3

SHA1
6c9f87cca7e857e888cb19ea45cf82d2e2d29695

SHA256
8baa5811836c0b4a64810f6a7d6e1d31d7f80350c69643dc9594f58fd0233a7b

SHA512
cf2f8b84526ae8a1445a2d8a2b9099b164f80a7b7290f68058583b0b235395d749ad0b726c4e36d5e901c18d6946fd9b0dd76c20016b65dc7a3977f68ee4a220

Download Submit
C:\Users\Admin\Desktop\Pastebin Leecher v1.rar

Filesize
14.3MB

MD5
521864134cd4eb002ec049c3949c08bc

SHA1
b6ca9948df33e18f858a518c5e4139fce123a045

SHA256
32dcdc81143583ed8b9376831d02dbb1e2c896908b5f2caa1788fbe9d2d2357d

SHA512
5a66cc6b4df9d3f6e28e242d4718514e9ab3bfb0ce60fffffc8842edc63e1ec246f8c6cdf292be73fd07ac50bb45823e5505535cd19861b042a9b6e03f9dd88e

Download Submit
C:\Users\Admin\Desktop\Pastebin Leecher v1\Pastebin Leecher v 0.1.exe

Filesize
12.3MB

MD5
b2bb59a825db866eee2ab9b9c6b93c2d

SHA1
a3f3ca8a419bc820ebe554ce04cce08bcc44731e

SHA256
d2714d7c3aa663055351b8b83ffbf38d913a5331990a385895f45b521aa00349

SHA512
6c71db22eb482402879494f03f58d0cb2022b44f998a968a3bcb3ea62072c2860f908c0fc948e9102eccef56d738ebe2627c198d153e316cd2752dff980287fd

Download Submit
C:\Users\Admin\Desktop\Pastebin Leecher v1\libGLESV2.dll

Filesize
1.7MB

MD5
0181d2e88bdfdf83296cc678722ccb3a

SHA1
a5c8a8d998d548b1b18bde9c08a7dd9ba9ccae36

SHA256
7f9e41e8da0dcc64eb0bc766357d8b55cda649501ed7c08656b0f046f71c7270

SHA512
d148624ab7ba12b99c20f7a3fe90ce09981a47703f35f7c42560ea9d9158476476a299b5d60958aabf1380d43ef2c7e3d083532b13121f9ec5c08b2eccbf2c53

Download Submit
C:\Users\Admin\Desktop\Steam Account Generator v12.1.rar

Filesize
18.0MB

MD5
8d3c5d271fb56718627b65a74714bb7e

SHA1
2b4357c2fbdf35f583335aa89223d93e1881aff9

SHA256
ddcde2c6cb139f8beffec976f9377e6728c92465df8ef499d8439ba186f52712

SHA512
2dd30731e353a9d394fb69d1b927abc2655a15d8764a4b4f88a84c83a57da2c26e4a7f994ad2a601327062cb44e642b5a576fe173ff2cc5d747592628a5bb7b0

Download Submit
memory/1928-484-0x0000000004E40000-0x0000000004F92000-memory.dmp

Filesize
1.3MB

Download
memory/1928-468-0x0000000004E40000-0x0000000004F9A000-memory.dmp

Filesize
1.4MB

Download
memory/1928-499-0x0000000004E40000-0x0000000004F92000-memory.dmp

Filesize
1.3MB

Download
memory/1928-495-0x0000000004E40000-0x0000000004F92000-memory.dmp

Filesize
1.3MB

Download
memory/1928-493-0x0000000004E40000-0x0000000004F92000-memory.dmp

Filesize
1.3MB

Download
memory/1928-491-0x0000000004E40000-0x0000000004F92000-memory.dmp

Filesize
1.3MB

Download
memory/1928-487-0x0000000004E40000-0x0000000004F92000-memory.dmp

Filesize
1.3MB

Download
memory/1928-490-0x0000000004E40000-0x0000000004F92000-memory.dmp

Filesize
1.3MB

Download
memory/1928-485-0x0000000004E40000-0x0000000004F92000-memory.dmp

Filesize
1.3MB

Download
memory/1928-501-0x0000000004E40000-0x0000000004F92000-memory.dmp

Filesize
1.3MB

Download
memory/1928-481-0x0000000004E40000-0x0000000004F92000-memory.dmp

Filesize
1.3MB

Download
memory/1928-475-0x0000000004E40000-0x0000000004F92000-memory.dmp

Filesize
1.3MB

Download
memory/1928-473-0x0000000004E40000-0x0000000004F92000-memory.dmp

Filesize
1.3MB

Download
memory/1928-471-0x0000000004E40000-0x0000000004F92000-memory.dmp

Filesize
1.3MB

Download
memory/1928-470-0x0000000004E40000-0x0000000004F92000-memory.dmp

Filesize
1.3MB

Download
memory/1928-479-0x0000000004E40000-0x0000000004F92000-memory.dmp

Filesize
1.3MB

Download
memory/1928-504-0x0000000004E40000-0x0000000004F92000-memory.dmp

Filesize
1.3MB

Download
memory/1928-535-0x0000000004E40000-0x0000000004F92000-memory.dmp

Filesize
1.3MB

Download
memory/1928-533-0x0000000004E40000-0x0000000004F92000-memory.dmp

Filesize
1.3MB

Download
memory/1928-497-0x0000000004E40000-0x0000000004F92000-memory.dmp

Filesize
1.3MB

Download
memory/1928-477-0x0000000004E40000-0x0000000004F92000-memory.dmp

Filesize
1.3MB

Download
memory/1928-905-0x00000000056F0000-0x0000000005782000-memory.dmp

Filesize
584KB

Download
memory/1928-469-0x0000000004D90000-0x0000000004E2C000-memory.dmp

Filesize
624KB

Download
memory/1928-512-0x0000000004E40000-0x0000000004F92000-memory.dmp

Filesize
1.3MB

Download
memory/1928-516-0x0000000004E40000-0x0000000004F92000-memory.dmp

Filesize
1.3MB

Download
memory/1928-467-0x0000000005100000-0x00000000056A4000-memory.dmp

Filesize
5.6MB

Download
memory/1928-466-0x0000000004FA0000-0x00000000050FA000-memory.dmp

Filesize
1.4MB

Download
memory/1928-518-0x0000000004E40000-0x0000000004F92000-memory.dmp

Filesize
1.3MB

Download
memory/1928-526-0x0000000004E40000-0x0000000004F92000-memory.dmp

Filesize
1.3MB

Download
memory/1928-506-0x0000000004E40000-0x0000000004F92000-memory.dmp

Filesize
1.3MB

Download
memory/1928-508-0x0000000004E40000-0x0000000004F92000-memory.dmp

Filesize
1.3MB

Download
memory/1928-510-0x0000000004E40000-0x0000000004F92000-memory.dmp

Filesize
1.3MB

Download
memory/1928-514-0x0000000004E40000-0x0000000004F92000-memory.dmp

Filesize
1.3MB

Download
memory/1928-520-0x0000000004E40000-0x0000000004F92000-memory.dmp

Filesize
1.3MB

Download
memory/1928-909-0x0000000006070000-0x000000000617E000-memory.dmp

Filesize
1.1MB

Download
memory/1928-522-0x0000000004E40000-0x0000000004F92000-memory.dmp

Filesize
1.3MB

Download
memory/1928-524-0x0000000004E40000-0x0000000004F92000-memory.dmp

Filesize
1.3MB

Download
memory/1928-528-0x0000000004E40000-0x0000000004F92000-memory.dmp

Filesize
1.3MB

Download
memory/1928-530-0x0000000004E40000-0x0000000004F92000-memory.dmp

Filesize
1.3MB

Download
memory/1928-906-0x0000000005810000-0x000000000581A000-memory.dmp

Filesize
40KB

Download
memory/1928-907-0x0000000005930000-0x0000000005986000-memory.dmp

Filesize
344KB

Download
memory/1928-908-0x00000000059B0000-0x00000000059D0000-memory.dmp

Filesize
128KB

Download
memory/3200-990-0x00000276B1500000-0x00000276B1522000-memory.dmp

Filesize
136KB

Download
memory/4384-649-0x00007FF80A800000-0x00007FF80A976000-memory.dmp

Filesize
1.5MB

Download
memory/4384-583-0x00007FF80E540000-0x00007FF80E58A000-memory.dmp

Filesize
296KB

Download
memory/4384-996-0x00007FF80E590000-0x00007FF80E5A9000-memory.dmp

Filesize
100KB

Download
memory/4384-995-0x00007FF81E7B0000-0x00007FF81E7C7000-memory.dmp

Filesize
92KB

Download
memory/4384-412-0x00007FF80A980000-0x00007FF80AF70000-memory.dmp

Filesize
5.9MB

Download
memory/4384-445-0x00007FF8281B0000-0x00007FF8281BF000-memory.dmp

Filesize
60KB

Download
memory/4384-461-0x00007FF80E090000-0x00007FF80E09D000-memory.dmp

Filesize
52KB

Download
memory/4384-460-0x00007FF80C1B0000-0x00007FF80C1C9000-memory.dmp

Filesize
100KB

Download
memory/4384-463-0x00007FF80BC80000-0x00007FF80BCAD000-memory.dmp

Filesize
180KB

Download
memory/4384-465-0x00007FF80A800000-0x00007FF80A976000-memory.dmp

Filesize
1.5MB

Download
memory/4384-464-0x00007FF80BC50000-0x00007FF80BC73000-memory.dmp

Filesize
140KB

Download
memory/4384-1023-0x00007FF80E540000-0x00007FF80E58A000-memory.dmp

Filesize
296KB

Download
memory/4384-462-0x00007FF80BCB0000-0x00007FF80BCC9000-memory.dmp

Filesize
100KB

Download
memory/4384-532-0x00007FF80DB60000-0x00007FF80E089000-memory.dmp

Filesize
5.2MB

Download
memory/4384-580-0x00007FF81E7B0000-0x00007FF81E7C7000-memory.dmp

Filesize
92KB

Download
memory/4384-586-0x00007FF80C1B0000-0x00007FF80C1C9000-memory.dmp

Filesize
100KB

Download
memory/4384-1024-0x00007FF80A100000-0x00007FF80A7F2000-memory.dmp

Filesize
6.9MB

Download
memory/4384-644-0x00007FF80BC50000-0x00007FF80BC73000-memory.dmp

Filesize
140KB

Download
memory/4384-910-0x00007FF80DA90000-0x00007FF80DB5D000-memory.dmp

Filesize
820KB

Download
memory/4384-1025-0x00007FF80E470000-0x00007FF80E4A8000-memory.dmp

Filesize
224KB

Download
memory/4384-911-0x00007FF80DB60000-0x00007FF80E089000-memory.dmp

Filesize
5.2MB

Download
memory/4384-588-0x00007FF80E470000-0x00007FF80E4A8000-memory.dmp

Filesize
224KB

Download
memory/4384-587-0x00007FF80A100000-0x00007FF80A7F2000-memory.dmp

Filesize
6.9MB

Download
memory/4384-585-0x00007FF80E500000-0x00007FF80E51E000-memory.dmp

Filesize
120KB

Download
memory/4384-584-0x00007FF80E520000-0x00007FF80E531000-memory.dmp

Filesize
68KB

Download
memory/4384-976-0x00007FF822210000-0x00007FF822225000-memory.dmp

Filesize
84KB

Download
memory/4384-582-0x00007FF80E590000-0x00007FF80E5A9000-memory.dmp

Filesize
100KB

Download
memory/4384-581-0x00007FF80BCD0000-0x00007FF80BCF4000-memory.dmp

Filesize
144KB

Download
memory/4384-579-0x00007FF80A980000-0x00007FF80AF70000-memory.dmp

Filesize
5.9MB

Download
memory/4384-566-0x00007FF81E5E0000-0x00007FF81E602000-memory.dmp

Filesize
136KB

Download
memory/4384-565-0x00007FF80BB30000-0x00007FF80BC4C000-memory.dmp

Filesize
1.1MB

Download
memory/4384-977-0x00007FF81E5E0000-0x00007FF81E602000-memory.dmp

Filesize
136KB

Download
memory/4384-564-0x00007FF822210000-0x00007FF822225000-memory.dmp

Filesize
84KB

Download
memory/4384-978-0x00007FF824B90000-0x00007FF824B9D000-memory.dmp

Filesize
52KB

Download
memory/4384-563-0x00007FF81EEC0000-0x00007FF81EED4000-memory.dmp

Filesize
80KB

Download
memory/4384-562-0x00007FF822090000-0x00007FF8220A4000-memory.dmp

Filesize
80KB

Download
memory/4384-561-0x00007FF8221F0000-0x00007FF822202000-memory.dmp

Filesize
72KB

Download
memory/4384-560-0x00007FF80DA90000-0x00007FF80DB5D000-memory.dmp

Filesize
820KB

Download
memory/4384-502-0x00007FF822230000-0x00007FF822263000-memory.dmp

Filesize
204KB

Download
memory/4384-425-0x00007FF80BCD0000-0x00007FF80BCF4000-memory.dmp

Filesize
144KB

Download
memory/4384-935-0x00007FF8221F0000-0x00007FF822202000-memory.dmp

Filesize
72KB

Download
memory/4384-934-0x00007FF822230000-0x00007FF822263000-memory.dmp

Filesize
204KB

Download
memory/4956-313-0x0000000000390000-0x0000000000FE0000-memory.dmp

Filesize
12.3MB

Download
memory/5828-1163-0x0000000070D50000-0x0000000071312000-memory.dmp

Filesize
5.8MB

Download
memory/5828-1165-0x00000000075A0000-0x00000000075E8000-memory.dmp

Filesize
288KB

Download
memory/5828-1153-0x0000000005C80000-0x0000000005FD4000-memory.dmp

Filesize
3.3MB

Download
memory/5828-1150-0x00000000058D0000-0x0000000005932000-memory.dmp

Filesize
392KB

Download
memory/5828-1141-0x0000000070D50000-0x0000000071312000-memory.dmp

Filesize
5.8MB

Download
memory/5828-1126-0x0000000000460000-0x0000000000BAC000-memory.dmp

Filesize
7.3MB

Download
memory/5992-1037-0x0000000000DC0000-0x00000000019B2000-memory.dmp

Filesize
11.9MB

Download
memory/6020-1122-0x00007FF81E500000-0x00007FF81E524000-memory.dmp

Filesize
144KB

Download
memory/6020-1120-0x00007FF80F860000-0x00007FF80FE50000-memory.dmp

Filesize
5.9MB

Download
memory/6020-1193-0x00007FF81E7D0000-0x00007FF81E7DD000-memory.dmp

Filesize
52KB

Download
memory/6020-1194-0x00007FF81E500000-0x00007FF81E524000-memory.dmp

Filesize
144KB

Download
memory/6020-1195-0x00007FF824B80000-0x00007FF824B8F000-memory.dmp

Filesize
60KB

Download
memory/6020-1196-0x00007FF81E5C0000-0x00007FF81E5D9000-memory.dmp

Filesize
100KB

Download
memory/6020-1167-0x00007FF81A090000-0x00007FF81A0C8000-memory.dmp

Filesize
224KB

Download
memory/6020-1158-0x00007FF81D9A0000-0x00007FF81D9EA000-memory.dmp

Filesize
296KB

Download
memory/6020-1160-0x00007FF81E2B0000-0x00007FF81E2E3000-memory.dmp

Filesize
204KB

Download
memory/6020-1161-0x00007FF81E080000-0x00007FF81E14D000-memory.dmp

Filesize
820KB

Download
memory/6020-1164-0x00007FF81D960000-0x00007FF81D97E000-memory.dmp

Filesize
120KB

Download
memory/6020-1166-0x00007FF80EAB0000-0x00007FF80F1A2000-memory.dmp

Filesize
6.9MB

Download
memory/6020-1162-0x00007FF81D980000-0x00007FF81D991000-memory.dmp

Filesize
68KB

Download
memory/6020-1154-0x00007FF81DA10000-0x00007FF81DA27000-memory.dmp

Filesize
92KB

Download
memory/6020-1155-0x00007FF81D9F0000-0x00007FF81DA09000-memory.dmp

Filesize
100KB

Download
memory/6020-1156-0x00007FF81E2F0000-0x00007FF81E313000-memory.dmp

Filesize
140KB

Download
memory/6020-1157-0x00007FF80F6E0000-0x00007FF80F856000-memory.dmp

Filesize
1.5MB

Download
memory/6020-1159-0x00007FF80F1B0000-0x00007FF80F6D9000-memory.dmp

Filesize
5.2MB

Download
memory/6020-1144-0x00007FF81E290000-0x00007FF81E2A5000-memory.dmp

Filesize
84KB

Download
memory/6020-1145-0x00007FF81E060000-0x00007FF81E072000-memory.dmp

Filesize
72KB

Download
memory/6020-1148-0x00007FF81E5C0000-0x00007FF81E5D9000-memory.dmp

Filesize
100KB

Download
memory/6020-1149-0x00007FF81DFB0000-0x00007FF81DFC4000-memory.dmp

Filesize
80KB

Download
memory/6020-1152-0x00007FF81DA30000-0x00007FF81DA52000-memory.dmp

Filesize
136KB

Download
memory/6020-1151-0x00007FF81DE90000-0x00007FF81DFAC000-memory.dmp

Filesize
1.1MB

Download
memory/6020-1146-0x00007FF81E040000-0x00007FF81E054000-memory.dmp

Filesize
80KB

Download
memory/6020-1135-0x00007FF81E2B0000-0x00007FF81E2E3000-memory.dmp

Filesize
204KB

Download
memory/6020-1123-0x00007FF824B80000-0x00007FF824B8F000-memory.dmp

Filesize
60KB

Download
memory/6020-1139-0x00007FF80F1B0000-0x00007FF80F6D9000-memory.dmp

Filesize
5.2MB

Download
memory/6020-1140-0x00007FF81E080000-0x00007FF81E14D000-memory.dmp

Filesize
820KB

Download
memory/6020-1134-0x00007FF80F860000-0x00007FF80FE50000-memory.dmp

Filesize
5.9MB

Download
memory/6020-1130-0x00007FF80F6E0000-0x00007FF80F856000-memory.dmp

Filesize
1.5MB

Download
memory/6020-1129-0x00007FF81E2F0000-0x00007FF81E313000-memory.dmp

Filesize
140KB

Download
memory/6020-1124-0x00007FF81E5C0000-0x00007FF81E5D9000-memory.dmp

Filesize
100KB

Download
memory/6020-1125-0x00007FF81E7D0000-0x00007FF81E7DD000-memory.dmp

Filesize
52KB

Download
memory/6020-1128-0x00007FF81E4B0000-0x00007FF81E4DD000-memory.dmp

Filesize
180KB

Download
memory/6020-1127-0x00007FF81E4E0000-0x00007FF81E4F9000-memory.dmp

Filesize
100KB

Download