Analysis Overview
Threat Level: Known bad
The file https://brutality.my.canva.site/free-cheeaty was found to be: Known bad.
Malicious Activity Summary
Exela Stealer
Exelastealer family
Grants admin privileges
Downloads MZ/PE file
Modifies Windows Firewall
Reads user/profile data of web browsers
Executes dropped EXE
Loads dropped DLL
Clipboard Data
Network Service Discovery
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Hide Artifacts: Hidden Files and Directories
UPX packed file
Enumerates processes with tasklist
Launches sc.exe
Subvert Trust Controls: Mark-of-the-Web Bypass
System Network Configuration Discovery: Wi-Fi Discovery
Permission Groups Discovery: Local Groups
Detects Pyinstaller
Event Triggered Execution: Netsh Helper DLL
System Network Connections Discovery
Browser Information Discovery
Gathers system information
Enumerates system info in registry
Kills process with taskkill
Modifies registry class
Suspicious use of SendNotifyMessage
Gathers network information
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Detects videocard installed
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
NTFS ADS
Suspicious use of SetWindowsHookEx
Collects information from the system
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-29 12:39
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-29 12:39
Reported
2024-10-29 12:42
Platform
win11-20241007-en
Max time kernel
94s
Max time network
126s
Command Line
Signatures
Exela Stealer
Exelastealer family
Grants admin privileges
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Clipboard Data
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\ANARCHIA.GG GRIM CLIENT.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\ANARCHIA.GG GRIM CLIENT.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Network Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\ARP.EXE | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Subvert Trust Controls: Mark-of-the-Web Bypass
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\ANARCHIA.GG GRIM CLIENT.exe:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Browser Information Discovery
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Permission Groups Discovery: Local Groups
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
System Network Connections Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Collects information from the system
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\MuiCache | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 772088.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\ANARCHIA.GG GRIM CLIENT.exe:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://brutality.my.canva.site/free-cheeaty
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff70663cb8,0x7fff70663cc8,0x7fff70663cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5004 /prefetch:8
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004CC
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2172 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5808 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6944 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6760 /prefetch:8
C:\Users\Admin\Downloads\ANARCHIA.GG GRIM CLIENT.exe
"C:\Users\Admin\Downloads\ANARCHIA.GG GRIM CLIENT.exe"
C:\Users\Admin\Downloads\ANARCHIA.GG GRIM CLIENT.exe
"C:\Users\Admin\Downloads\ANARCHIA.GG GRIM CLIENT.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "gdb --version"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get Manufacturer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_ComputerSystem get Manufacturer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\system32\mshta.exe
mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2936"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 2936
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3928"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 3928
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2604"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 2604
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1012"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 1012
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1084"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 1084
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 964"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 964
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3544"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 3544
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2920"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 2920
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2256"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 2256
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4720"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 4720
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2336"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 2336
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2576"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 2576
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4320"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 4320
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
C:\Windows\system32\cmd.exe
cmd.exe /c chcp
C:\Windows\system32\cmd.exe
cmd.exe /c chcp
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\chcp.com
chcp
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\HOSTNAME.EXE
hostname
C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get caption,description,providername
C:\Windows\system32\net.exe
net user
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
C:\Windows\system32\query.exe
query user
C:\Windows\system32\quser.exe
"C:\Windows\system32\quser.exe"
C:\Windows\system32\net.exe
net localgroup
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
C:\Windows\system32\net.exe
net localgroup administrators
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
C:\Windows\system32\net.exe
net user guest
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user guest
C:\Windows\system32\net.exe
net user administrator
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator
C:\Windows\System32\Wbem\WMIC.exe
wmic startup get caption,command
C:\Windows\system32\tasklist.exe
tasklist /svc
C:\Windows\system32\ipconfig.exe
ipconfig /all
C:\Windows\system32\ROUTE.EXE
route print
C:\Windows\system32\ARP.EXE
arp -a
C:\Windows\system32\NETSTAT.EXE
netstat -ano
C:\Windows\system32\sc.exe
sc query type= service state= all
C:\Windows\system32\netsh.exe
netsh firewall show state
C:\Windows\system32\netsh.exe
netsh firewall show config
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
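The process tree above is a compact record of the stealer's discovery and evasion chain: a hardware-ID check (`wmic csproduct get uuid`), a GPU query, a `gdb --version` debugger probe, `attrib +h +s` on a copy staged under `AppData\Local\ExelaUpdateService`, a fake "missing DLL" error raised through `mshta`, a clipboard read via `powershell.exe Get-Clipboard`, `netsh wlan show profiles`, one cmd.exe line chaining more than a dozen discovery tools, and a run of thirteen `taskkill /F /PID` calls, every one of them launched through `cmd.exe /c` from the same parent. The following detection logic is an added example, not code from the report or from the malware: it attributes each command line to the nearest non-cmd.exe ancestor and scores the chain. The event records are constructed from the command lines listed above; the PIDs, parent PIDs and the Edge parent (4100) are assumptions, since the report only exposes the taskkill targets and the memory-dump PID 1468.

```python
"""Score Exela-style discovery and evasion chains from process-creation events.

Added example; not part of the sandbox report. EVENTS are constructed from the
command lines in the process tree. PIDs, parent PIDs and the Edge parent (4100)
are assumptions.
"""
import re
from collections import defaultdict

# Each rule: (name, weight, regex over the command line). Weights are this
# example's own; tune them against your own telemetry.
RULES = [
    ("hwid_uuid", 2, re.compile(r"wmic\s+csproduct\s+get\s+uuid", re.I)),
    ("gpu_enum", 1, re.compile(r"wmic\s+path\s+win32_videocontroller\s+get\s+name", re.I)),
    ("debugger_probe", 2, re.compile(r"\bgdb\s+--version\b", re.I)),
    ("hide_in_appdata", 3, re.compile(r'attrib\s+\+h\s+\+s\s+"?[^"]*\\AppData\\Local\\', re.I)),
    ("fake_error_popup", 3, re.compile(r'mshta\s+"?javascript:.*WScript\.Shell', re.I)),
    ("clipboard_read", 2, re.compile(r"powershell(?:\.exe)?\s+Get-Clipboard", re.I)),
    ("wifi_profiles", 2, re.compile(r"netsh\s+wlan\s+show\s+profiles", re.I)),
    ("process_kill", 0, re.compile(r"taskkill\s+/F\s+/PID\s+(\d+)", re.I)),  # counted per target below
]
# Discovery tools the sample chains into one cmd.exe line; five or more distinct
# ones in a single command line count as a recon batch.
RECON_TOOLS = re.compile(
    r"\b(systeminfo|net\s+user|net\s+localgroup|query\s+user|tasklist\s+/svc|"
    r"ipconfig\s*/all|route\s+print|arp\s+-a|netstat\s+-ano|sc\s+query)\b", re.I)

ROOT, EDGE = 1468, 4100  # assumed PIDs
GRIM = r"C:\Users\Admin\Downloads\ANARCHIA.GG GRIM CLIENT.exe"
CMD = r"C:\Windows\system32\cmd.exe"
WMIC = r"C:\Windows\System32\Wbem\WMIC.exe"
KILL_TARGETS = [2936, 3928, 2604, 1012, 1084, 964, 3544, 2920, 2256, 4720, 2336, 2576, 4320]


def _ev(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


EVENTS = [  # constructed from the report's process tree; recon line trimmed
    _ev(ROOT, EDGE, GRIM, f'"{GRIM}"'),
    _ev(5001, ROOT, CMD, f'{CMD} /c "wmic path win32_VideoController get name"'),
    _ev(5002, 5001, WMIC, "wmic path win32_VideoController get name"),
    _ev(5003, ROOT, CMD, f'{CMD} /c "gdb --version"'),
    _ev(5004, ROOT, CMD, f'{CMD} /c "wmic csproduct get uuid"'),
    _ev(5005, 5004, WMIC, "wmic csproduct get uuid"),
    _ev(5006, ROOT, CMD, f'{CMD} /c "attrib +h +s "C:\\Users\\Admin\\AppData\\Local\\ExelaUpdateService\\Exela.exe""'),
    _ev(5007, ROOT, CMD, f'{CMD} /c "mshta "javascript:var sh=new ActiveXObject(\'WScript.Shell\'); '
                         'sh.Popup(\'The Program can\\x22t start because api-ms-win-crt-runtime-|l1-1-.dll '
                         'is missing from your computer\', 0, \'System Error\', 0+16);close()""'),
    _ev(5008, ROOT, CMD, f'{CMD} /c "powershell.exe Get-Clipboard"'),
    _ev(5009, ROOT, CMD, f'{CMD} /c "netsh wlan show profiles"'),
    _ev(5010, ROOT, CMD, f'{CMD} /c "echo ####System Info#### & systeminfo & ver & hostname & set & '
                         'net user & query user & net localgroup & tasklist /svc & ipconfig/all & '
                         'route print & arp -a & netstat -ano & sc query type= service state= all"'),
    # A benign PowerShell launch under the same assumed Edge parent, for contrast.
    _ev(7000, EDGE, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe Get-Date"),
]
for i, target in enumerate(KILL_TARGETS):
    EVENTS.append(_ev(6000 + 2 * i, ROOT, CMD, f'{CMD} /c "taskkill /F /PID {target}"'))
    EVENTS.append(_ev(6001 + 2 * i, 6000 + 2 * i, r"C:\Windows\system32\taskkill.exe", f"taskkill /F /PID {target}"))


def _root(ev, by_pid):
    """Attribute a command to its nearest ancestor that is not cmd.exe."""
    pid, hops = ev["ppid"], 0
    while pid in by_pid and by_pid[pid]["image"].lower().endswith("\\cmd.exe") and hops < 32:
        pid, hops = by_pid[pid]["ppid"], hops + 1
    return pid


def score_chains(events, recon_min=5, kill_min=5):
    """Return {root_pid: {"score", "hits", "kill_targets"}} for the given events."""
    by_pid = {e["pid"]: e for e in events}
    chains = defaultdict(lambda: {"score": 0, "hits": set(), "kill_targets": set()})
    for ev in events:
        chain = chains[_root(ev, by_pid)]
        for name, weight, rx in RULES:
            m = rx.search(ev["cmdline"])
            if not m:
                continue
            if name == "process_kill":
                chain["kill_targets"].add(int(m.group(1)))  # wrapper and child dedupe here
            elif name not in chain["hits"]:
                chain["hits"].add(name)
                chain["score"] += weight
        tools = {m.group(1).lower() for m in RECON_TOOLS.finditer(ev["cmdline"])}
        if len(tools) >= recon_min and "recon_batch" not in chain["hits"]:
            chain["hits"].add("recon_batch")
            chain["score"] += 3
    for chain in chains.values():
        if len(chain["kill_targets"]) >= kill_min:  # bulk taskkill of distinct PIDs
            chain["hits"].add("kill_loop")
            chain["score"] += 2
    return dict(chains)


if __name__ == "__main__":
    for root, chain in sorted(score_chains(EVENTS).items()):
        print(root, chain["score"], sorted(chain["hits"]), len(chain["kill_targets"]))
```

Deduplicating hits by name is deliberate: every command here appears twice in telemetry, once as the `cmd.exe /c "..."` wrapper and once as the child binary, so counting both would double every weight. The same applies to taskkill, which is keyed on the target PID rather than on the number of events.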
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | brutality.my.canva.site | udp |
| AU | 103.169.142.250:443 | brutality.my.canva.site | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| FR | 45.112.123.126:443 | api.gofile.io | tcp |
| FR | 45.112.123.126:443 | api.gofile.io | tcp |
| FR | 45.112.123.126:443 | api.gofile.io | tcp |
| FR | 51.75.242.210:443 | s.gofile.io | tcp |
| FR | 51.75.242.210:443 | s.gofile.io | tcp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
| N/A | 127.0.0.1:50312 | | tcp |
| N/A | 127.0.0.1:50326 | | tcp |
| N/A | 127.0.0.1:50331 | | tcp |
| N/A | 127.0.0.1:50335 | | tcp |
| N/A | 127.0.0.1:50339 | | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 162.159.128.233:443 | discord.com | tcp |
| FR | 45.112.123.126:443 | api.gofile.io | tcp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
| N/A | 127.0.0.1:50468 | | tcp |
| N/A | 127.0.0.1:50470 | | tcp |
| US | 162.159.128.233:443 | discord.com | tcp |
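The network table mixes sandbox and OS noise (the reverse-DNS PTR queries, mDNS, the loopback connections, www.bing.com) with the destinations that matter: the canva.site host the sample was fetched from, the external-IP lookup at ip-api.com, and the gofile.io and discord.com endpoints that correspond to the "legitimate hosting services abused" signature. The script below is an added example, not part of the report: it parses the table as rendered on this page, decodes `in-addr.arpa` names back to the addresses being looked up, and buckets every destination. `NETWORK_TABLE` is copied from the table above; the suffix watchlists are this example's own. The parser also tolerates rows whose blank Domain cell has collapsed, leaving the protocol in the third column.

```python
"""Triage the report's Network table: parse, decode PTR names, bucket destinations.

Added example; not part of the sandbox report. NETWORK_TABLE is copied from the
table; ABUSED_SUFFIXES and IP_LOOKUP are this example's own watchlists.
"""
import re
from collections import defaultdict

NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | brutality.my.canva.site | udp |
| AU | 103.169.142.250:443 | brutality.my.canva.site | tcp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| FR | 45.112.123.126:443 | api.gofile.io | tcp |
| FR | 45.112.123.126:443 | api.gofile.io | tcp |
| FR | 45.112.123.126:443 | api.gofile.io | tcp |
| FR | 51.75.242.210:443 | s.gofile.io | tcp |
| FR | 51.75.242.210:443 | s.gofile.io | tcp |
| GB | 2.18.27.82:443 | www.bing.com | tcp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
| N/A | 127.0.0.1:50312 | | tcp |
| N/A | 127.0.0.1:50326 | | tcp |
| N/A | 127.0.0.1:50331 | | tcp |
| N/A | 127.0.0.1:50335 | | tcp |
| N/A | 127.0.0.1:50339 | | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 162.159.128.233:443 | discord.com | tcp |
| FR | 45.112.123.126:443 | api.gofile.io | tcp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
| N/A | 127.0.0.1:50468 | | tcp |
| N/A | 127.0.0.1:50470 | | tcp |
| US | 162.159.128.233:443 | discord.com | tcp |
"""
ABUSED_SUFFIXES = ("gofile.io", "discord.com")  # file hosting / webhooks used for exfil
IP_LOOKUP = {"ip-api.com"}
PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$", re.I)


def parse_rows(text):
    """Parse '| country | dest | domain | proto |' rows; header and blanks are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if len(cells) != 4 or cells[0].lower() == "country":
            continue
        country, dest, domain, proto = cells
        if proto == "" and domain.lower() in ("tcp", "udp"):  # collapsed blank-domain row
            domain, proto = "", domain
        rows.append({"country": country, "dest": dest, "domain": domain, "proto": proto.lower()})
    return rows


def ptr_to_ip(name):
    """'75.159.190.20.in-addr.arpa' -> '20.190.159.75'; None if not a PTR name."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def classify(row):
    """Return (category, label) for one row."""
    host, _, port = row["dest"].rpartition(":")
    dom = row["domain"].lower()
    if host.startswith("127."):
        return "loopback", row["dest"]
    if host == "224.0.0.251" and port == "5353":
        return "mdns", row["dest"]
    if port == "53":
        ip = ptr_to_ip(dom)
        return "dns", f"ptr:{ip}" if ip else dom
    if any(dom == s or dom.endswith("." + s) for s in ABUSED_SUFFIXES):
        return "legit_service_abuse", dom
    if dom in IP_LOOKUP:
        return "ip_lookup", dom
    if dom.endswith("canva.site"):
        return "delivery_host", dom
    return "other", dom or row["dest"]


def summarize(rows):
    """Category -> sorted unique labels."""
    out = defaultdict(set)
    for r in rows:
        cat, label = classify(r)
        out[cat].add(label)
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for cat, labels in sorted(summarize(parse_rows(NETWORK_TABLE)).items()):
        print(f"{cat:20} {', '.join(labels)}")
```

The decoded PTR names (20.190.159.75, 2.18.190.77, 192.229.221.95) are reverse lookups of addresses that appear nowhere else in the table, so they belong to the OS and browser background traffic rather than to the sample; the rows worth pivoting on are the ones bucketed as `legit_service_abuse`, `ip_lookup` and `delivery_host`.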
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 9314124f4f0ad9f845a0d7906fd8dfd8 |
| SHA1 | 0d4f67fb1a11453551514f230941bdd7ef95693c |
| SHA256 | cbd58fa358e4b1851c3da2d279023c29eba66fb4d438c6e87e7ce5169ffb910e |
| SHA512 | 87b9060ca4942974bd8f95b8998df7b2702a3f4aba88c53b2e3423a532a75407070368f813a5bbc0251864b4eae47e015274a839999514386d23c8a526d05d85 |
\??\pipe\LOCAL\crashpad_2936_ISDZRJAZNJJDVHJW
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | e1544690d41d950f9c1358068301cfb5 |
| SHA1 | ae3ff81363fcbe33c419e49cabef61fb6837bffa |
| SHA256 | 53d69c9cc3c8aaf2c8b58ea6a2aa47c49c9ec11167dd9414cd9f4192f9978724 |
| SHA512 | 1e4f1fe2877f4f947d33490e65898752488e48de34d61e197e4448127d6b1926888de80b62349d5a88b96140eed0a5b952ef4dd7ca318689f76e12630c9029da |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 08bd2b48313bf06e0ecaf9fdd5185346 |
| SHA1 | c31d61e7f605d5975bf1eade843c0ab6477946fb |
| SHA256 | 70636e2eefb98a4114dbb4a139d06fe2bae5875348ba7259f07bbf4d55574b01 |
| SHA512 | 9049264a8ac5b000923cb9bd27602241bf84096fdc7dbff2451351edc3f0a08265dc1a2c686e2b339a93864bbf374458f1fea91d54c25d29abb263229ab5239e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 33070f849160457365d36d730f22f8f0 |
| SHA1 | 8ec231cf0e0244fddae4fcb31d5723e8c5ce1895 |
| SHA256 | 7f4c8d0b59575d8bdcdd1292c86cbea61f1edcd60d2a5a8512a504feaf42e005 |
| SHA512 | 037391d1c1af0cc409a1af576556383e37457dcaa4179f107f389bef619508decc395abaee1e5af5a79030c9177cee71693c72c545859376db6822b00bdbca81 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 5dd2e0b34ed3a6072981cbfa8b37bfa1 |
| SHA1 | 318e127942eb8a6ea7672a6e734aa0959238730d |
| SHA256 | 544178cf2b0e8e8dc32805d7213fd92227a9fd7789bb2ab6f337365626996c26 |
| SHA512 | 9a1bf4ffc3a81e8e27cd3f5819bf5a1bf82aaa6fc2900c00effe0b379d996c07571064e647c96aa8f61b5b3de4b148e3aa8ba3a4cc7a0ff7477bb24a39ba0ac1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 0e2664a65b28d14b465600ac0f38691a |
| SHA1 | 136f670235cd03ba83aa80e97b28f6409a875293 |
| SHA256 | 18993e7d317bdad462b35ebc71b438bdf065af84b361bcfbd0cb177ae399fb74 |
| SHA512 | 00f2def6fb625dd92d756f2e90a0cad0457054098a7aad2ae1df92844becb7ac2d780d4eec2ffdce87ff7e08ceaded99c1fc6208e1a7cd45a9531b09a89581a3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 927931bddfd617e3718941fc4bd00ec6 |
| SHA1 | 577703b1af5a4610809f2d27c4beed79566f5cf4 |
| SHA256 | 62945f122da3db86dce3ed8b8d807c2d3c7d88fc0073e58fb0178f3277e74ff2 |
| SHA512 | 7f0219d903d2cd730d81df0e0463086cd48364b268fff15fbd2e6515f3b5e3798a58681f202ea499c48658749d12ec037add16dc96823d6b50934bc94af8e921 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 0a949df6e8f2ed8a635dfc12b18b78a4 |
| SHA1 | 2c5591041e86e6c27a6098f592c98c582458b27d |
| SHA256 | 83c4cde8d8f4bfed5b40350f73dc5d30e35a7230571ecc82d81e4496284131c8 |
| SHA512 | f97522d7b93af284cf316c73f24a27c73953bc4bfcd61212d7e5f9e5bda1500977b2730013dd5865e39ca59bfd10218ad1280771fc8fe05ec1096f9005873f64 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 270e1b9b80d66fb2bc014c3ebf2b10ab |
| SHA1 | d44b2785c5020c580c21222ae4e2743268bd47d5 |
| SHA256 | 2149f5fe6724c0b7578a2d8585f4c98802ba7a0279b12c70fd7ad9564bbc3209 |
| SHA512 | 1b03d6106b61ff5679966b4e4c2958b99cf4589587619a49360c36429156c7a9c90b3db3988a3a47416b191a3bb2d95db563272156462518f58a7d4d43c02b77 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 958ea796533f57bf743bb911bf077953 |
| SHA1 | 81e3479112087a8262ca9a4d5f0802f8cc2fe023 |
| SHA256 | 42a6b968a70c034be6b534ecd2a3789adc47a2d519c5792978f50df5f42b036b |
| SHA512 | 1246d24e84d8b4c142a5f43b15430e1d5182e8efd8b4f7c0997daab55b95229543904381d0b3879b612547014b7bcd9d813c5a24af1cfe88b3836f22f2c98b00 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 3265133599ef7d1fb80aef56428579ac |
| SHA1 | df4a322d22e4a8915d9052c13f1d1689b4a4f9b1 |
| SHA256 | 3611f12b47bf0c8c638bdebc41e8c9b749208170c3c767f57a1a70093bd844ee |
| SHA512 | 7a6067e928e4ec93a84e7400fb5abb5676b347e96928ba1745bc2e29ea8eaafa1d9276a8b46b1962d375cb270d5f06bb75cad722d0283ee3487842f33f21ea8f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 709d018b1a7abf92259c269346473319 |
| SHA1 | 2f2c8e7173089d60d781c9cc8e2d1c97a7f8f7c4 |
| SHA256 | 6f9d9a83860c6b158748d122a8ad3750f8877b7c29e1ae527abf7985581d47f1 |
| SHA512 | ee705f2a2fb30d754c52d8401d186ed8253f9667fd5a45fb4e498eca2f14fbd3043039025f0d783590f684215c53167aa3909b2fc0cef7ccd7f07f4c9eab334a |
C:\Users\Admin\Downloads\Unconfirmed 772088.crdownload
| MD5 | 0c7bdb693ff2dcbf070a8ae550e56f39 |
| SHA1 | c4e5b2b2dc7299d8762c2fcf49c2f7c19a72a54f |
| SHA256 | 2045decb04bd6e377a0a4de9aba80e8fdfb80e5ed5d29afbceb1fbd0a6d88cb2 |
| SHA512 | 10f80fdd41de20d3f489914c1dbbe6da38a66e25d911ee21b56f04c70f4ef67db758c26d4ea7fe89f643ff14a9d90b21397fdcece868a84c52859889466002e4 |
C:\Users\Admin\Downloads\ANARCHIA.GG GRIM CLIENT.exe:Zone.Identifier
| MD5 | fbccf14d504b7b2dbcb5a5bda75bd93b |
| SHA1 | d59fc84cdd5217c6cf74785703655f78da6b582b |
| SHA256 | eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913 |
| SHA512 | aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98 |
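The `ANARCHIA.GG GRIM CLIENT.exe:Zone.Identifier` entry just above is the NTFS alternate data stream that carries the Mark-of-the-Web, and its digests are enough to tell what it contained. The script below is an added example, not code from the report: it parses a Zone.Identifier stream, names the zone, and recomputes the three digests. The 26-byte stream content is this example's assumption about what lies behind the report's hashes (the minimal `[ZoneTransfer]` block a browser writes for an Internet-zone download, with no `HostUrl` or `ReferrerUrl`), and `matches_report()` checks that assumption rather than taking it on faith. The same routine shows that the `crashpad_2936_...` pipe entry earlier in this list hashes to empty input (MD5 d41d8cd98f00b204e9800998ecf8427e).

```python
"""Parse a Zone.Identifier stream and check it against the report's digests.

Added example; not part of the sandbox report. ZONE_ID_ADS is this example's
assumption about the stream content behind the listed hashes, verified by
matches_report().
"""
import hashlib
import sys

ZONE_ID_ADS = b"[ZoneTransfer]\r\nZoneId=3\r\n"  # constructed, see docstring
REPORT_DIGESTS = {  # copied from the report entry for the Zone.Identifier stream
    "md5": "fbccf14d504b7b2dbcb5a5bda75bd93b",
    "sha1": "d59fc84cdd5217c6cf74785703655f78da6b582b",
    "sha256": "eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913",
}
ZONES = {0: "LocalMachine", 1: "Intranet", 2: "Trusted", 3: "Internet", 4: "Restricted"}


def parse_zone_identifier(data: bytes) -> dict:
    """Return the key=value pairs of the [ZoneTransfer] section (ZoneId, HostUrl, ReferrerUrl)."""
    fields, section = {}, None
    for raw in data.decode("utf-8", errors="replace").splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, _, value = line.partition("=")  # URLs may themselves contain '='
            fields[key.strip()] = value.strip()
    return fields


def zone_name(fields: dict) -> str:
    try:
        return ZONES.get(int(fields.get("ZoneId", "")), "Unknown")
    except ValueError:
        return "Unknown"


def digests(data: bytes) -> dict:
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_DIGESTS}


def matches_report(data: bytes) -> bool:
    """True when all three digests of `data` equal the ones listed in the report."""
    return digests(data) == REPORT_DIGESTS


def describe(data: bytes) -> str:
    fields = parse_zone_identifier(data)
    origin = fields.get("HostUrl") or fields.get("ReferrerUrl") or "(no origin recorded)"
    return f"zone={zone_name(fields)} origin={origin} matches_report={matches_report(data)}"


if __name__ == "__main__":
    # With a path argument on Windows, read the real stream: <file>:Zone.Identifier
    if len(sys.argv) > 1:
        with open(sys.argv[1] + ":Zone.Identifier", "rb") as fh:
            data = fh.read()
    else:
        data = ZONE_ID_ADS
    print(describe(data))
```

A stream that carries only `ZoneId=3` still marks the file as an Internet download, so SmartScreen and the Office protected view apply; what the report's later `attrib +h +s` copy under `AppData\Local\ExelaUpdateService` does to that marking is not something these hashes can tell you, because the report lists no Zone.Identifier stream for the copy.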
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | a592248146eda47e9a219c1e8d571042 |
| SHA1 | 0ed4303a352c49e2d716a5a1ec0f093812c9a3a8 |
| SHA256 | a460a95fb3be6a3e825880bcc40a71f07ac6b2c5949045e8f3045507c93062d5 |
| SHA512 | 08c96ab96816a09482721585b357e790a3298e67f76921234430d7c4e5348f1f61b5a0f59c69a70ae96d8007e8ea36d6b8f990b08fcb916be46f6f85e774d9a9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 25644ea6e8d738f272ce945af9782341 |
| SHA1 | 9961fa51f660ab4b95b5ca126c6ef2b60140476e |
| SHA256 | f9be409f9e63918915a5083f764dd5724a1c83425a6ee71b5ff46d0d7ac252e9 |
| SHA512 | 295f87d86ef302323e0d74446efd010d15c2bbc85312a0f7c80a97b52589c5c82a5bf850638ea6d1809aff7e6f50d89ce529adedf992df193be6cdf92bc42fe4 |
C:\Users\Admin\AppData\Local\Temp\_MEI40442\ucrtbase.dll
| MD5 | 0e0bac3d1dcc1833eae4e3e4cf83c4ef |
| SHA1 | 4189f4459c54e69c6d3155a82524bda7549a75a6 |
| SHA256 | 8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae |
| SHA512 | a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd |
C:\Users\Admin\AppData\Local\Temp\_MEI40442\python311.dll
| MD5 | db09c9bbec6134db1766d369c339a0a1 |
| SHA1 | c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b |
| SHA256 | b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79 |
| SHA512 | 653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45 |
C:\Users\Admin\AppData\Local\Temp\_MEI40442\VCRUNTIME140.dll
| MD5 | f12681a472b9dd04a812e16096514974 |
| SHA1 | 6fd102eb3e0b0e6eef08118d71f28702d1a9067c |
| SHA256 | d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8 |
| SHA512 | 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2 |
memory/1468-476-0x00007FFF5C8A0000-0x00007FFF5CE88000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI40442\base_library.zip
| MD5 | 2a138e2ee499d3ba2fc4afaef93b7caa |
| SHA1 | 508c733341845e94fce7c24b901fc683108df2a8 |
| SHA256 | 130e506ead01b91b60d6d56072c468aeb5457dd0f2ecd6ce17dfcbb7d51a1f8c |
| SHA512 | 1f61a0fda5676e8ed8d10dfee78267f6d785f9c131f5caf2dd984e18ca9e5866b7658ab7edb2ffd74920a40ffea5cd55c0419f5e9ee57a043105e729e10d820b |
C:\Users\Admin\AppData\Local\Temp\_MEI40442\python3.DLL
| MD5 | 34e49bb1dfddf6037f0001d9aefe7d61 |
| SHA1 | a25a39dca11cdc195c9ecd49e95657a3e4fe3215 |
| SHA256 | 4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281 |
| SHA512 | edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856 |
C:\Users\Admin\AppData\Local\Temp\_MEI40442\libffi-8.dll
| MD5 | decbba3add4c2246928ab385fb16a21e |
| SHA1 | 5f019eff11de3122ffa67a06d52d446a3448b75e |
| SHA256 | 4b43c1e42f6050ddb8e184c8ec4fb1de4a6001e068ece8e6ad47de0cc9fd4a2d |
| SHA512 | 760a42a3eb3ca13fa7b95d3bd0f411c270594ae3cf1d3cda349fa4f8b06ebe548b60cd438d68e2da37de0bc6f1c711823f5e917da02ed7047a45779ee08d7012 |
memory/1468-505-0x00007FFF74AA0000-0x00007FFF74AAF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI40442\api-ms-win-core-rtlsupport-l1-1-0.dll
| MD5 | a0c2dbe0f5e18d1add0d1ba22580893b |
| SHA1 | 29624df37151905467a223486500ed75617a1dfd |
| SHA256 | 3c29730df2b28985a30d9c82092a1faa0ceb7ffc1bd857d1ef6324cf5524802f |
| SHA512 | 3e627f111196009380d1687e024e6ffb1c0dcf4dcb27f8940f17fec7efdd8152ff365b43cb7fdb31de300955d6c15e40a2c8fb6650a91706d7ea1c5d89319b12 |
C:\Users\Admin\AppData\Local\Temp\_MEI40442\api-ms-win-core-profile-l1-1-0.dll
| MD5 | f3ff2d544f5cd9e66bfb8d170b661673 |
| SHA1 | 9e18107cfcd89f1bbb7fdaf65234c1dc8e614add |
| SHA256 | e1c5d8984a674925fa4afbfe58228be5323fe5123abcd17ec4160295875a625f |
| SHA512 | 184b09c77d079127580ef80eb34bded0f5e874cefbe1c5f851d86861e38967b995d859e8491fcc87508930dc06c6bbf02b649b3b489a1b138c51a7d4b4e7aaad |
memory/1468-506-0x00007FFF70420000-0x00007FFF70439000-memory.dmp
memory/1468-507-0x00007FFF74880000-0x00007FFF7488D000-memory.dmp
memory/1468-510-0x00007FFF703A0000-0x00007FFF703C3000-memory.dmp
memory/1468-509-0x00007FFF703D0000-0x00007FFF703FD000-memory.dmp
memory/1468-508-0x00007FFF70400000-0x00007FFF70419000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI40442\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | 517eb9e2cb671ae49f99173d7f7ce43f |
| SHA1 | 4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab |
| SHA256 | 57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54 |
| SHA512 | 492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be |
C:\Users\Admin\AppData\Local\Temp\_MEI40442\api-ms-win-core-processthreads-l1-1-0.dll
| MD5 | c3632083b312c184cbdd96551fed5519 |
| SHA1 | a93e8e0af42a144009727d2decb337f963a9312e |
| SHA256 | be8d78978d81555554786e08ce474f6af1de96fcb7fa2f1ce4052bc80c6b2125 |
| SHA512 | 8807c2444a044a3c02ef98cf56013285f07c4a1f7014200a21e20fcb995178ba835c30ac3889311e66bc61641d6226b1ff96331b019c83b6fcc7c87870cce8c4 |
C:\Users\Admin\AppData\Local\Temp\_MEI40442\api-ms-win-core-processenvironment-l1-1-0.dll
| MD5 | 0462e22f779295446cd0b63e61142ca5 |
| SHA1 | 616a325cd5b0971821571b880907ce1b181126ae |
| SHA256 | 0b6b598ec28a9e3d646f2bb37e1a57a3dda069a55fba86333727719585b1886e |
| SHA512 | 07b34dca6b3078f7d1e8ede5c639f697c71210dcf9f05212fd16eb181ab4ac62286bc4a7ce0d84832c17f5916d0224d1e8aab210ceeff811fc6724c8845a74fe |
C:\Users\Admin\AppData\Local\Temp\_MEI40442\api-ms-win-core-namedpipe-l1-1-0.dll
| MD5 | 321a3ca50e80795018d55a19bf799197 |
| SHA1 | df2d3c95fb4cbb298d255d342f204121d9d7ef7f |
| SHA256 | 5476db3a4fecf532f96d48f9802c966fdef98ec8d89978a79540cb4db352c15f |
| SHA512 | 3ec20e1ac39a98cb5f726d8390c2ee3cd4cd0bf118fdda7271f7604a4946d78778713b675d19dd3e1ec1d6d4d097abe9cd6d0f76b3a7dff53ce8d6dbc146870a |
C:\Users\Admin\AppData\Local\Temp\_MEI40442\api-ms-win-core-memory-l1-1-0.dll
| MD5 | 3c38aac78b7ce7f94f4916372800e242 |
| SHA1 | c793186bcf8fdb55a1b74568102b4e073f6971d6 |
| SHA256 | 3f81a149ba3862776af307d5c7feef978f258196f0a1bf909da2d3f440ff954d |
| SHA512 | c2746aa4342c6afffbd174819440e1bbf4371a7fed29738801c75b49e2f4f94fd6d013e002bad2aadafbc477171b8332c8c5579d624684ef1afbfde9384b8588 |
C:\Users\Admin\AppData\Local\Temp\_MEI40442\api-ms-win-core-localization-l1-2-0.dll
| MD5 | 724223109e49cb01d61d63a8be926b8f |
| SHA1 | 072a4d01e01dbbab7281d9bd3add76f9a3c8b23b |
| SHA256 | 4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210 |
| SHA512 | 19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c |
C:\Users\Admin\AppData\Local\Temp\_MEI40442\api-ms-win-core-libraryloader-l1-1-0.dll
| MD5 | 1f2a00e72bc8fa2bd887bdb651ed6de5 |
| SHA1 | 04d92e41ce002251cc09c297cf2b38c4263709ea |
| SHA256 | 9c8a08a7d40b6f697a21054770f1afa9ffb197f90ef1eee77c67751df28b7142 |
| SHA512 | 8cf72df019f9fc9cd22ff77c37a563652becee0708ff5c6f1da87317f41037909e64dcbdcc43e890c5777e6bcfa4035a27afc1aeeb0f5deba878e3e9aef7b02a |
C:\Users\Admin\AppData\Local\Temp\_MEI40442\api-ms-win-core-interlocked-l1-1-0.dll
| MD5 | c6024cc04201312f7688a021d25b056d |
| SHA1 | 48a1d01ae8bc90f889fb5f09c0d2a0602ee4b0fd |
| SHA256 | 8751d30df554af08ef42d2faa0a71abcf8c7d17ce9e9ff2ea68a4662603ec500 |
| SHA512 | d86c773416b332945acbb95cbe90e16730ef8e16b7f3ccd459d7131485760c2f07e95951aeb47c1cf29de76affeb1c21bdf6d8260845e32205fe8411ed5efa47 |
C:\Users\Admin\AppData\Local\Temp\_MEI40442\api-ms-win-core-heap-l1-1-0.dll
| MD5 | accc640d1b06fb8552fe02f823126ff5 |
| SHA1 | 82ccc763d62660bfa8b8a09e566120d469f6ab67 |
| SHA256 | 332ba469ae84aa72ec8cce2b33781db1ab81a42ece5863f7a3cb5a990059594f |
| SHA512 | 6382302fb7158fc9f2be790811e5c459c5c441f8caee63df1e09b203b8077a27e023c4c01957b252ac8ac288f8310bcee5b4dcc1f7fc691458b90cdfaa36dcbe |
C:\Users\Admin\AppData\Local\Temp\_MEI40442\api-ms-win-core-handle-l1-1-0.dll
| MD5 | e89cdcd4d95cda04e4abba8193a5b492 |
| SHA1 | 5c0aee81f32d7f9ec9f0650239ee58880c9b0337 |
| SHA256 | 1a489e0606484bd71a0d9cb37a1dc6ca8437777b3d67bfc8c0075d0cc59e6238 |
| SHA512 | 55d01e68c8c899e99a3c62c2c36d6bcb1a66ff6ecd2636d2d0157409a1f53a84ce5d6f0c703d5ed47f8e9e2d1c9d2d87cc52585ee624a23d92183062c999b97e |
C:\Users\Admin\AppData\Local\Temp\_MEI40442\api-ms-win-core-file-l2-1-0.dll
| MD5 | bfffa7117fd9b1622c66d949bac3f1d7 |
| SHA1 | 402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2 |
| SHA256 | 1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e |
| SHA512 | b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f |
C:\Users\Admin\AppData\Local\Temp\_MEI40442\api-ms-win-core-file-l1-2-0.dll
| MD5 | 1c58526d681efe507deb8f1935c75487 |
| SHA1 | 0e6d328faf3563f2aae029bc5f2272fb7a742672 |
| SHA256 | ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2 |
| SHA512 | 8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1 |
C:\Users\Admin\AppData\Local\Temp\_MEI40442\api-ms-win-core-file-l1-1-0.dll
| MD5 | efad0ee0136532e8e8402770a64c71f9 |
| SHA1 | cda3774fe9781400792d8605869f4e6b08153e55 |
| SHA256 | 3d2c55902385381869db850b526261ddeb4628b83e690a32b67d2e0936b2c6ed |
| SHA512 | 69d25edf0f4c8ac5d77cb5815dfb53eac7f403dc8d11bfe336a545c19a19ffde1031fa59019507d119e4570da0d79b95351eac697f46024b4e558a0ff6349852 |
C:\Users\Admin\AppData\Local\Temp\_MEI40442\api-ms-win-core-errorhandling-l1-1-0.dll
| MD5 | eb0978a9213e7f6fdd63b2967f02d999 |
| SHA1 | 9833f4134f7ac4766991c918aece900acfbf969f |
| SHA256 | ab25a1fe836fc68bcb199f1fe565c27d26af0c390a38da158e0d8815efe1103e |
| SHA512 | 6f268148f959693ee213db7d3db136b8e3ad1f80267d8cbd7d5429c021adaccc9c14424c09d527e181b9c9b5ea41765aff568b9630e4eb83bfc532e56dfe5b63 |
C:\Users\Admin\AppData\Local\Temp\_MEI40442\api-ms-win-core-debug-l1-1-0.dll
| MD5 | 33bbece432f8da57f17bf2e396ebaa58 |
| SHA1 | 890df2dddfdf3eeccc698312d32407f3e2ec7eb1 |
| SHA256 | 7cf0944901f7f7e0d0b9ad62753fc2fe380461b1cce8cdc7e9c9867c980e3b0e |
| SHA512 | 619b684e83546d97fc1d1bc7181ad09c083e880629726ee3af138a9e4791a6dcf675a8df65dc20edbe6465b5f4eac92a64265df37e53a5f34f6be93a5c2a7ae5 |
C:\Users\Admin\AppData\Local\Temp\_MEI40442\api-ms-win-core-datetime-l1-1-0.dll
| MD5 | cfe0c1dfde224ea5fed9bd5ff778a6e0 |
| SHA1 | 5150e7edd1293e29d2e4d6bb68067374b8a07ce6 |
| SHA256 | 0d0f80cbf476af5b1c9fd3775e086ed0dfdb510cd0cc208ec1ccb04572396e3e |
| SHA512 | b0e02e1f19cfa7de3693d4d63e404bdb9d15527ac85a6d492db1128bb695bffd11bec33d32f317a7615cb9a820cd14f9f8b182469d65af2430ffcdbad4bd7000 |
C:\Users\Admin\AppData\Local\Temp\_MEI40442\api-ms-win-core-console-l1-1-0.dll
| MD5 | e8b9d74bfd1f6d1cc1d99b24f44da796 |
| SHA1 | a312cfc6a7ed7bf1b786e5b3fd842a7eeb683452 |
| SHA256 | b1b3fd40ab437a43c8db4994ccffc7f88000cc8bb6e34a2bcbff8e2464930c59 |
| SHA512 | b74d9b12b69db81a96fc5a001fd88c1e62ee8299ba435e242c5cb2ce446740ed3d8a623e1924c2bc07bfd9aef7b2577c9ec8264e53e5be625f4379119bafcc27 |
memory/1468-484-0x00007FFF70680000-0x00007FFF706A4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI40442\_ctypes.pyd
| MD5 | b4c41a4a46e1d08206c109ce547480c7 |
| SHA1 | 9588387007a49ec2304160f27376aedca5bc854d |
| SHA256 | 9925ab71a4d74ce0ccc036034d422782395dd496472bd2d7b6d617f4d6ddc1f9 |
| SHA512 | 30debb8e766b430a57f3f6649eeb04eb0aad75ab50423252585db7e28a974d629eb81844a05f5cb94c1702308d3feda7a7a99cb37458e2acb8e87efc486a1d33 |
memory/1468-511-0x00007FFF5C720000-0x00007FFF5C893000-memory.dmp
memory/1468-512-0x00007FFF5C8A0000-0x00007FFF5CE88000-memory.dmp
memory/1468-514-0x00007FFF5C2E0000-0x00007FFF5C398000-memory.dmp
memory/1468-515-0x00007FFF5C3A0000-0x00007FFF5C715000-memory.dmp
memory/1468-513-0x00007FFF70370000-0x00007FFF7039E000-memory.dmp
memory/1468-516-0x00007FFF70680000-0x00007FFF706A4000-memory.dmp
memory/1468-517-0x00007FFF6FFF0000-0x00007FFF70005000-memory.dmp
memory/1468-518-0x00007FFF6FFD0000-0x00007FFF6FFE2000-memory.dmp
memory/1468-519-0x00007FFF70420000-0x00007FFF70439000-memory.dmp
memory/1468-521-0x00007FFF650A0000-0x00007FFF650B4000-memory.dmp
memory/1468-520-0x00007FFF650C0000-0x00007FFF650D4000-memory.dmp
memory/1468-522-0x00007FFF5F4F0000-0x00007FFF5F512000-memory.dmp
memory/1468-523-0x00007FFF5C1C0000-0x00007FFF5C2DC000-memory.dmp
memory/1468-525-0x00007FFF5F4D0000-0x00007FFF5F4EB000-memory.dmp
memory/1468-524-0x00007FFF703A0000-0x00007FFF703C3000-memory.dmp
memory/1468-527-0x00007FFF5F230000-0x00007FFF5F246000-memory.dmp
memory/1468-526-0x00007FFF5C720000-0x00007FFF5C893000-memory.dmp
memory/1468-530-0x00007FFF5F210000-0x00007FFF5F229000-memory.dmp
memory/1468-529-0x00007FFF5C2E0000-0x00007FFF5C398000-memory.dmp
memory/1468-528-0x00007FFF70370000-0x00007FFF7039E000-memory.dmp
memory/1468-535-0x00007FFF6FFF0000-0x00007FFF70005000-memory.dmp
memory/1468-534-0x00007FFF5C1A0000-0x00007FFF5C1B1000-memory.dmp
memory/1468-533-0x00007FFF793B0000-0x00007FFF793BA000-memory.dmp
memory/1468-532-0x00007FFF5F1C0000-0x00007FFF5F20D000-memory.dmp
memory/1468-531-0x00007FFF5C3A0000-0x00007FFF5C715000-memory.dmp
memory/1468-536-0x00007FFF5C180000-0x00007FFF5C19E000-memory.dmp
memory/1468-537-0x00007FFF5B9F0000-0x00007FFF5C17A000-memory.dmp
memory/1468-538-0x00007FFF5B9B0000-0x00007FFF5B9E7000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 4facd2b1d6590cc746d68efd79b949ce |
| SHA1 | ec248b48ab5532d2440b6671cca1dda77a8bf876 |
| SHA256 | 106f57686f62ed04b6e7521cb53c90996ac87abaa6ee7ac9c86890beedc6d478 |
| SHA512 | 61cbda64fc723ffea5f2acf1f1906291f33cff1eb636565561859c0cd977e5f4bf99c805871983fb86e78777f508b0653189655a55aedcea3c3fe9c44eef54c3 |
memory/1468-555-0x00007FFF5F4F0000-0x00007FFF5F512000-memory.dmp
memory/1468-570-0x00007FFF5C1C0000-0x00007FFF5C2DC000-memory.dmp
memory/1468-613-0x00007FFF5F230000-0x00007FFF5F246000-memory.dmp
memory/1468-614-0x00007FFF7A0D0000-0x00007FFF7A0DD000-memory.dmp
memory/3584-617-0x0000023EF2530000-0x0000023EF2552000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qjcjdvs2.edf.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1468-632-0x00007FFF5F1C0000-0x00007FFF5F20D000-memory.dmp
memory/1468-642-0x00007FFF70370000-0x00007FFF7039E000-memory.dmp
memory/1468-661-0x00007FFF5C180000-0x00007FFF5C19E000-memory.dmp
memory/1468-658-0x00007FFF5B9F0000-0x00007FFF5C17A000-memory.dmp
memory/1468-653-0x00007FFF5F210000-0x00007FFF5F229000-memory.dmp
memory/1468-646-0x00007FFF6FFD0000-0x00007FFF6FFE2000-memory.dmp
memory/1468-645-0x00007FFF6FFF0000-0x00007FFF70005000-memory.dmp
memory/1468-643-0x00007FFF5C3A0000-0x00007FFF5C715000-memory.dmp
memory/1468-633-0x00007FFF5C8A0000-0x00007FFF5CE88000-memory.dmp
memory/1468-659-0x00007FFF5B9B0000-0x00007FFF5B9E7000-memory.dmp
memory/1468-644-0x00007FFF5C2E0000-0x00007FFF5C398000-memory.dmp
memory/1468-641-0x00007FFF5C720000-0x00007FFF5C893000-memory.dmp
memory/1468-634-0x00007FFF70680000-0x00007FFF706A4000-memory.dmp
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
| MD5 | 77a8b2c86dd26c214bc11c989789b62d |
| SHA1 | 8b0f2d9d0ded2d7f9bff8aed6aefd6b3fdd1a499 |
| SHA256 | e288c02cbba393c9703519e660bf8709331f11978c6d994ea2a1346eef462cb8 |
| SHA512 | c287e3ae580343c43a5354347ca5444f54840fba127a2b1edc897b1dfea286fa37b5808f6e89f535c4022db8b3f29448aa4cc2f41ab0f308eec525a99fac4e5e |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\CloseRepair.docx
| MD5 | b9532827bdbc13f1c0e180e1cc3ada1c |
| SHA1 | 791baf0830025232f90d323c9cdc2a5a37f423bc |
| SHA256 | cd0ca8e86a4bf3c9bb55706848f7f5ca7685fa9217b8e480a2ddc506ec923f5d |
| SHA512 | 42db273f2b75cbfac837f0b61245bf77e11606899f12a1f29d53c8ce6c4128e0ecc435eb4e128253b4582668102eb26ca1ae3be11ff2400b9b09a238cfd083f0 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\CompressMove.txt
| MD5 | df075d6310f94032e2ce70f9b434b413 |
| SHA1 | 799730985189b24b381931d57b3a8e896c6fcb35 |
| SHA256 | 6702dc175327a951cc2dd41a464d32e936b942a3d47fac8fb4c9ad7603d81eb4 |
| SHA512 | e2832a8f06d238e365a5e9872fbe2a56653eb38ee5d9453b96642e1dd3853f24b9655c0df76172487bc6cf52c42b6394f4beac552fd2adfa0121f66dccda29b5 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\UndoSwitch.xls
| MD5 | afe61d59559429167b51cdbc1ddc65c1 |
| SHA1 | f7ef3fc9d4e732e06a36818ced0a07b7e9281f83 |
| SHA256 | c8a7dfb38b4204d899c50978bafa3ccb8d02817d1042a0af59b06321c78ce914 |
| SHA512 | c8e7f959d3434ed0817b6382648d32eb7344340c454591dd4bb6b57b1790eda2c713bf966a3a1ac375af90a7f978cc530e925f10e78bff38350bf5a34f7996a7 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\HideDisconnect.xlsx
| MD5 | 0ab5cf7992adc1064b743f7e3469dba0 |
| SHA1 | bfacb79a6d637d017ab66670dd0ed447617234c1 |
| SHA256 | b09d1a7b557e535337a70bc0c952b204661ed5100cf7470476eb879d70fba807 |
| SHA512 | 535b14ebe0ae3a48d903bb796b2daad217171f234125c648fcf56ebfa2515a1ea4a61e9ee9d6a2276452dec084e682cddc96b8a565c16d674136a71f4c24c6b7 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\GrantUse.zip
| MD5 | 5225759bef7ef975bf3318ad189fb50a |
| SHA1 | 444ae3896e824aac68a91c9a4fdfc16ef0d13dfb |
| SHA256 | 4f7346c52cedf41d749ad2bd404f23c603d7cccb21c923ffb5b8356fd51cb49a |
| SHA512 | 54fb196d8ece578b231eb547d8836e0fdeb44821c095963bec982526f234a82da7bb19fcf8abf8abbe62bd48f6f072e2896483bff4f2af33fd5f64a618742059 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\DebugPublish.xlsx
| MD5 | 31d99a977b1deb4dfb412843101d6e2d |
| SHA1 | 705355bbd9c1503e89bde4b0e8e4c2a1eb80acba |
| SHA256 | 9e899ae3a8e4c4f2d8a99f488255ceaf9572b8c625938b0943ff1ef5c54af814 |
| SHA512 | 06f454bee04ca308206e70e7849efdb7422b4aed041ad2564551f61ed8b3951f2fdceb631c06d3d1624e61256a6d4d7f3af85a61cb1b854ce336099192222e4a |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\BackupLimit.xla
| MD5 | ebcf1c0fd19d65e101ad1d64a78db4f6 |
| SHA1 | 0c1abcc7e25c583f7a4a6e26f56b2893a26d3040 |
| SHA256 | 51002b78141227eadf6a58bcabddb6037b91af2552709972e42ef956e9ad5f09 |
| SHA512 | 69bb56812b635f280b1bcfe38749ddf5c79ea39c46800d0d325ba4c90137ba67e7d9746c6c03eba1ed87c30a973ca95da26b9026d6e5ea4167e9833add62b517 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\CompleteRemove.csv
| MD5 | f132359b2b6f7efd612eb79a39d2beff |
| SHA1 | 426329f9b596c430317e2634ee77d6cdf0d5945a |
| SHA256 | 2f37416f37e599305389390c19bbfed000c54c944efb828e807eccdc037c4058 |
| SHA512 | e41bdbf2a634ea984a95bacb703bec877e06675c7fa49ab166df8f4c964a816bf3320414c80d0789e83520a31c9d5bc6102a9ee4dc87455e09c946ba658893c2 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\FindConvertFrom.xls
| MD5 | bbdf7bbbbbbc92f9c79a090c8a110d8e |
| SHA1 | e2c6a11f35ee4268da55e62dbe5a14f73bf0432b |
| SHA256 | 5d4a101c1949978c6f705eca7ffac8d8942df8c2432dba64cf0c3e1b85cf65d8 |
| SHA512 | bab36064b536114d3cede087579c4a20f2ab5b993ccebb7e31ec2a27c02cf88df09c9bb6cd05bed4704f68d4b22f01fb0d7db622ba560d54c2026fb1633f742a |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\CompressSkip.xlsx
| MD5 | 68f50128411ada90e029289b6a7eff5b |
| SHA1 | 387e242817adb79acdceedffe64027e08c1619bb |
| SHA256 | 7c92a088d017442a1cd84b8e2f35a1834f91724cb06d414a87847dc9e927b81f |
| SHA512 | 954ce1c1e7e717abe815a98a42689b2bb6ec1d6173c4ed7a71f87542cab14b84e7ce6787bfd02b1e00477b2e3a5d60dcdb554b4b1d3bd1168d2cae4beb65b15e |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\NewOut.pdf
| MD5 | 5e792ac51f7596798e142bfe53656a07 |
| SHA1 | 0f174ed028d0a377e31a7104e9658d3e3bbd0f25 |
| SHA256 | 0db2d8098c82a29519439faa722d17fe1eb9edb188f39a16db7caad39c72802f |
| SHA512 | 0226c39745785d76d57c27ba21d942012e28b09bbe82d16c663255edfcced5a7da9a4874b0cef573b5e63a39131f31b9922406664e3f5437e23d83fa585ac410 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\ReadResize.txt
| MD5 | 5b50afb0b09398b216e1d076c5d87181 |
| SHA1 | d3aa9b512bea58569c3147c6d2aec0b2aca5cbaa |
| SHA256 | ad2c8ecf762a8cdc9b25f549f8ff25cc8a771a7112541e133c17ed1d762db217 |
| SHA512 | 6f20ff7e5f258ffad4d01142201d22afd8ce20b25bc286b5db06cb437ed16b832e8ba22584eb84ba910258387a79d427c7e201c8e8a496a705861f9a24c6f387 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\BackupMount.bin
| MD5 | ac47a83bf9acd5310cf52cda3664c8d7 |
| SHA1 | 51e1bb256c2d3108b011ffe23fac1813da7fe357 |
| SHA256 | ef80bf6d87aef7bd7677cd690838868c5ff4d52f21854d5d95c21715db45b647 |
| SHA512 | 75512f285e913bcbece1a87bf20cfbf35b410019bbe8bc9035d1c5ab343764b921eae656b94d11cf9b55b8acd0af9706f235d8f3ee1bbcb415fda398a9e2a0d6 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\SwitchDebug.docx
| MD5 | 5f5779fca49b7315ea2f0ab20bee6f8e |
| SHA1 | 427d1f4d182eec14934f445081916f1794c98783 |
| SHA256 | aec5ffcde872f9ddf74ed26110ffbc107d94e39e0b5994267c1e1368fe653e98 |
| SHA512 | e9440c8f2627f7274bad79eabbdf3d3a6bf7d908aae28c943b069de43bba06df819eaf0c7898ea9489061f60cc023efe222ea55ad325c6677741402b07a27a39 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\SendRestart.xlsx
| MD5 | 183528b544c2b61600bdd2f2f3149b69 |
| SHA1 | 6aec7aa82582434a0ca754c4a6b36ea35f154764 |
| SHA256 | 83667b7740829090474b4ed9b58aaede523ffb7601279ba78575c00d0342da11 |
| SHA512 | e20b8f784c667fb9271a21ed6260c99259db654b039e0346c304c1b6984779173487ba65a22545e783963a4e458f45951a94658322363d16119fc25358722ac9 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\ConvertUse.jpeg
| MD5 | 637dbccd222c89a584d1d80df8288f80 |
| SHA1 | 1c84340d31cdc3b877dc4d53409794ff825bf4c4 |
| SHA256 | 6ea46728796538d46559004bbfe572bd6b6d4aed43b4df9dd6940f95a1d7281f |
| SHA512 | f9f587542361d915b5b51409fe43963a5176cdb70ad7bf90db31c78f9b333a870a6a547197723c3076536bd2d21dbbb72aef7faba287c9f9b35e9d2158bba5ef |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\GetOut.zip
| MD5 | aa66470eaf30d8cea776529da57968dd |
| SHA1 | 6a09e079986026767e400a93f85f97cc44297aca |
| SHA256 | 6882ebf8269fd9728d089830afda18327ffd938a916b58e6f0528f48573c79d0 |
| SHA512 | c99656904674a80330216962d29a49b9b71037d5d3356a4df8e6f1963b3d8243b885f5c92eaf9a273630b0f4b1a97b9979b375305823c4bae4b3eddd9c90f0cf |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\HideFormat.mp4
| MD5 | c733bb6208cece1a85904d472abbbd6c |
| SHA1 | effc889a63cd032efe40db3a49412e23efde4a1c |
| SHA256 | 7f2322886a15449e4a9133bbe8860d41a61874aa3d9aea15b705fc7012b23d54 |
| SHA512 | 70da6aba5d6fcaa27237d379abee86085bef0066c90fecdf726f48ca9b18c8ae5760213647c590f1d01582711b07be8eeacc936f28720cd888a1e754b41ae5dc |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\HideUnprotect.pdf
| MD5 | 96169d402e2cd46f51a9f493a5ae7403 |
| SHA1 | 03b100b352099fb9aa42dee3c173f3e7fcfc02f9 |
| SHA256 | efd4923b6e360714cd9ac709a5deba62ee7201801949a323cb610cab8b8f3a04 |
| SHA512 | d645cbdb3d15bcea101dfb7e015ee653c782496fbd8eecd256ec46f1d6ccbb7b98543046a75936e30f9f472f090cf6d889cb98998b3d62db43e8b1a7583fcea5 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\RenameMeasure.jpg
| MD5 | d07fc2e260ea1c32a9107d78316253f4 |
| SHA1 | 68754f15c360a31cb90d30a9a8817d46a0aa61f9 |
| SHA256 | 9969bbce91150f4eb9e95d85874f8448100ee5a080d859ceef6b377f1f2c777e |
| SHA512 | 5aca6d53cf522a3745c054da838027e012a921a336872bcdbbfa14b15899af0a06facc55a1df4a9cca56d194edbcb5d5d32256fe043e67e3e15ea1d2f52ea44a |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\ResetSave.zip
| MD5 | b4784a27120d465c1641ae78d73e98e3 |
| SHA1 | 800b6f363c3d3287c2ea694ed1920cc1f256d5e6 |
| SHA256 | e3b8691ecf7f1ae132197328814787157e525cc5eaceca4e002ed224240a53e2 |
| SHA512 | 90e965b3994689e9e27f91105b2d85462316055b7f1f6dc0c242820b69341aca203c2651e0c251350551f078d31cd6af0b6598919f63d66bdbee6da324a12b1d |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\SetRequest.jpeg
| MD5 | 9edcd8d73777ff81be2625fe94776199 |
| SHA1 | 7b3355065ce1862796cc0c445e463ec3d3781030 |
| SHA256 | 673b487fcecf7fe108e476338d38799ea623e3b162ee306f898876c4ddcf7228 |
| SHA512 | 194893bd2415c8b56946367fb05076114cdc4ba0f729c99bc987e88cc876694dfcb684f8e2f65060b9c535a3febb81d9a9f5b2e3403121d70cedb0ccba2a7f4f |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\SearchRedo.zip
| MD5 | 6bc6a9421e2b9d627bfbbcef59eb64d0 |
| SHA1 | 4fdcb5a46028c13df9bcd7709cd3534ede7e265e |
| SHA256 | d7b37fb4628f31f40c67f5a71438ae7fd5dde19def71f4d8736fc24474369af3 |
| SHA512 | 9800d91853c415bfe5151359738627c16b964a8d7e937f16327b8d7dac7d7a995fb627840500a9dfd615e84ecfa4f2bc78e80f9f4f385a5ca82ec8476440b1a3 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\TraceEdit.txt
| MD5 | 4aac71aa77f441e8397b6a6ae63a1532 |
| SHA1 | 7fa71c6739cdc1c560e3b12e41a1c76dc0bac7c0 |
| SHA256 | da553956e1c2e1cdc058c50eb4ecd6c9c019f5a51ac1c78463d295b1c183a1e6 |
| SHA512 | dcd2d578b5f2fa41e9df21a692a26d719483a9b287ec81b4568d67b5b575e97048654a6023ef34d7a93ae07610998c082f960b32748d5e0b15bc807152b73f47 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\UpdateTrace.docx
| MD5 | fd3db2ee1774ff024dd58106f7d0bed2 |
| SHA1 | 0a60c017d871b49ef57bdfc9da042296116f5c38 |
| SHA256 | c48329ae427a7a203d8c94c4e0cb265dc824d72d4658ec7ee60b3cb32c8886fc |
| SHA512 | 092390320e1f035bb357bff7021e16d89c69db3b8d3661d2468d3b53a781ae48c8aba313816befe83ede975a971fbf792c9130822a956b5d684d9edc410e6483 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\SubmitPing.zip
| MD5 | 4f95b045271cbdfc1a2b2eef6cd83524 |
| SHA1 | 02ff6da83b2898d68d912607eba7485bd51a2db7 |
| SHA256 | daba18735a7416a1a16b9691f5950ce92eaedfafa1d43a407fbeb2289353318d |
| SHA512 | 8759d4592141e7d05ae89cf237a585d378a0d50726cfe147a1f076e412e9ba672100417ebf7063a7f607358f73d7552f7e197e9fbcbaec70eb348c8110510716 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\BackupInstall.avi
| MD5 | 8a799646eaf0ab42f76f45f95f719391 |
| SHA1 | 7eb98ef6a6f457d7f3a040f863d56cb0e4957689 |
| SHA256 | 3927521f50da3b1691041878766e04422131488a429b07e14d0f7f515053a1d2 |
| SHA512 | eeb915522a039bcf67ace99efddf3dda72a209eb8b447491a94c296d0be8d584420000c9998d922242bb398000bf7b379cbd4e13398145bf462356c4bcc5e129 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\DenyShow.jpg
| MD5 | 25bb082069cd96f317d366e99f52b0e4 |
| SHA1 | 95299321f64feb4765bb35da8bb92202fbcf6ecd |
| SHA256 | 4cd5b83b95e161dba0622e68a5dd2b9656bb791f8fa762b3cb5f542e931a0dff |
| SHA512 | f38d5185105573729912c75aea7740c63f96eeda5d5b956b8d789ef3a1566ad571192fc93b1e2d3a807c73e0d536ca1a0e6be3d72d4246f058ae09eae3fd7bd2 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\GetStep.jpeg
| MD5 | 849f7368cff9f395aa05a779ebfb938d |
| SHA1 | 646905d353a731972e0f3515e8734da9a0578a9f |
| SHA256 | ebe645cdd7488cbbd7fbce354a9ce768a326f3952c044915156d9087bb26bb74 |
| SHA512 | f04d2f09cfc1c9b8af1e898f81c87bc13f11e4c63c1f57e11d0f8fc05f204cbdc7126e44809228c759610dc4759a98957f1322f82b9a3e4f55115152eb32dc5d |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\SelectConvertTo.jpg
| MD5 | af17075f6cf2db4940d480377b1e6dc3 |
| SHA1 | e0420eadc2872fa79f1c0dfd16209608847f9c1d |
| SHA256 | 6d7073e46cb920bbe9680fd393f05b502fa1b76f955598a86248f2282c780ae4 |
| SHA512 | 03257a3bbeb274d7b6488f4d9070c42a8ae84b92d91c75e037622337f99a6546d01ac5838d86d3c1e7d7c18b5e415e8d75f39df843e4c94861f5ec067ac1bce7 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\My Wallpaper.jpg
| MD5 | a51464e41d75b2aa2b00ca31ea2ce7eb |
| SHA1 | 5b94362ac6a23c5aba706e8bfd11a5d8bab6097d |
| SHA256 | 16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f |
| SHA512 | b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\UnlockRestore.jpeg
| MD5 | 2412328330389576e844c47cf588d93b |
| SHA1 | b86dc3a9fb2a51aa9065dd0e41514add66c979d4 |
| SHA256 | 334b3045c9931f3c1e916d30bbc0a3b27232342e7404163cd60bc855796d9634 |
| SHA512 | a139a502eae3b8dae205b0a56757207eba30988af2e1731fe8d1eaa25a1ca306912a95d33a48231d0c670eb656d46712f4550ba7cc37c22006621b1ea86b046d |
memory/1468-895-0x00007FFF5F210000-0x00007FFF5F229000-memory.dmp
memory/1468-887-0x00007FFF6FFF0000-0x00007FFF70005000-memory.dmp
memory/1468-896-0x00007FFF5F1C0000-0x00007FFF5F20D000-memory.dmp
memory/1468-884-0x00007FFF70370000-0x00007FFF7039E000-memory.dmp
memory/1468-875-0x00007FFF5C8A0000-0x00007FFF5CE88000-memory.dmp
memory/1468-975-0x00007FFF5C2E0000-0x00007FFF5C398000-memory.dmp
memory/1468-974-0x00007FFF70370000-0x00007FFF7039E000-memory.dmp
memory/1468-986-0x00007FFF793B0000-0x00007FFF793BA000-memory.dmp
memory/1468-985-0x00007FFF5F1C0000-0x00007FFF5F20D000-memory.dmp
memory/1468-984-0x00007FFF5F210000-0x00007FFF5F229000-memory.dmp
memory/1468-983-0x00007FFF5F230000-0x00007FFF5F246000-memory.dmp
memory/1468-982-0x00007FFF5F4D0000-0x00007FFF5F4EB000-memory.dmp
memory/1468-981-0x00007FFF5C1C0000-0x00007FFF5C2DC000-memory.dmp
memory/1468-980-0x00007FFF5F4F0000-0x00007FFF5F512000-memory.dmp
memory/1468-979-0x00007FFF650C0000-0x00007FFF650D4000-memory.dmp
memory/1468-978-0x00007FFF650A0000-0x00007FFF650B4000-memory.dmp
memory/1468-977-0x00007FFF6FFD0000-0x00007FFF6FFE2000-memory.dmp
memory/1468-976-0x00007FFF6FFF0000-0x00007FFF70005000-memory.dmp
memory/1468-973-0x00007FFF5C720000-0x00007FFF5C893000-memory.dmp
memory/1468-972-0x00007FFF5C1A0000-0x00007FFF5C1B1000-memory.dmp
memory/1468-971-0x00007FFF703D0000-0x00007FFF703FD000-memory.dmp
memory/1468-970-0x00007FFF70400000-0x00007FFF70419000-memory.dmp
memory/1468-969-0x00007FFF74880000-0x00007FFF7488D000-memory.dmp
memory/1468-968-0x00007FFF70420000-0x00007FFF70439000-memory.dmp
memory/1468-967-0x00007FFF74AA0000-0x00007FFF74AAF000-memory.dmp
memory/1468-966-0x00007FFF70680000-0x00007FFF706A4000-memory.dmp
memory/1468-965-0x00007FFF703A0000-0x00007FFF703C3000-memory.dmp
memory/1468-937-0x00007FFF5C8A0000-0x00007FFF5CE88000-memory.dmp
memory/1468-988-0x00007FFF5C180000-0x00007FFF5C19E000-memory.dmp
memory/1468-987-0x00007FFF5C3A0000-0x00007FFF5C715000-memory.dmp
memory/1468-991-0x00007FFF7A0D0000-0x00007FFF7A0DD000-memory.dmp
memory/1468-990-0x00007FFF5B9B0000-0x00007FFF5B9E7000-memory.dmp
memory/1468-989-0x00007FFF5B9F0000-0x00007FFF5C17A000-memory.dmp