Malware Analysis Report

2025-03-15 03:43

Sample ID 241029-pv43qawqbm
Target https://brutality.my.canva.site/free-cheeaty
Tags
exelastealer collection defense_evasion discovery evasion persistence privilege_escalation pyinstaller spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://brutality.my.canva.site/free-cheeaty was found to be: Known bad.

Malicious Activity Summary

exelastealer collection defense_evasion discovery evasion persistence privilege_escalation pyinstaller spyware stealer upx

Exela Stealer

Exelastealer family

Grants admin privileges

Downloads MZ/PE file

Modifies Windows Firewall

Reads user/profile data of web browsers

Executes dropped EXE

Loads dropped DLL

Clipboard Data

Network Service Discovery

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Hide Artifacts: Hidden Files and Directories

UPX packed file

Enumerates processes with tasklist

Launches sc.exe

Subvert Trust Controls: Mark-of-the-Web Bypass

System Network Configuration Discovery: Wi-Fi Discovery

Permission Groups Discovery: Local Groups

Detects Pyinstaller

Event Triggered Execution: Netsh Helper DLL

System Network Connections Discovery

Browser Information Discovery

Gathers system information

Enumerates system info in registry

Kills process with taskkill

Modifies registry class

Suspicious use of SendNotifyMessage

Gathers network information

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Detects videocard installed

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

NTFS ADS

Suspicious use of SetWindowsHookEx

Collects information from the system

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-29 12:39

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-29 12:39

Reported

2024-10-29 12:42

Platform

win11-20241007-en

Max time kernel

94s

Max time network

126s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://brutality.my.canva.site/free-cheeaty

Signatures

Exela Stealer

stealer exelastealer

Exelastealer family

exelastealer

Grants admin privileges

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Clipboard Data

collection
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\ANARCHIA.GG GRIM CLIENT.exe N/A
N/A N/A C:\Users\Admin\Downloads\ANARCHIA.GG GRIM CLIENT.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\ANARCHIA.GG GRIM CLIENT.exe N/A (32 identical rows)

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A (4 identical rows)

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\ARP.EXE N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A (5 identical rows)

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (64 identical rows)

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Subvert Trust Controls: Mark-of-the-Web Bypass

defense_evasion
Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\ANARCHIA.GG GRIM CLIENT.exe:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Browser Information Discovery

discovery

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Permission Groups Discovery: Local Groups

discovery

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

System Network Connections Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2253712635-4068079004-3870069674-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A

NTFS ADS

Description Indicator Process Target
File opened for modification C:\Users\Admin\Downloads\Unconfirmed 772088.crdownload:SmartScreen C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
File opened for modification C:\Users\Admin\Downloads\ANARCHIA.GG GRIM CLIENT.exe:Zone.Identifier C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (37 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2936 wrote to memory of 3928 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 identical rows)
PID 2936 wrote to memory of 2604 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (40 identical rows)
PID 2936 wrote to memory of 1012 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (2 identical rows)
PID 2936 wrote to memory of 1084 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (20 identical rows)

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://brutality.my.canva.site/free-cheeaty

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff70663cb8,0x7fff70663cc8,0x7fff70663cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1920 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2628 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5004 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004DC 0x00000000000004CC

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5936 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6008 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5840 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2172 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3832 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5808 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6556 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6944 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1912,8167123438643158409,16681983228300735757,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6760 /prefetch:8

C:\Users\Admin\Downloads\ANARCHIA.GG GRIM CLIENT.exe

"C:\Users\Admin\Downloads\ANARCHIA.GG GRIM CLIENT.exe"

C:\Users\Admin\Downloads\ANARCHIA.GG GRIM CLIENT.exe

"C:\Users\Admin\Downloads\ANARCHIA.GG GRIM CLIENT.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "gdb --version"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get Manufacturer

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_ComputerSystem get Manufacturer

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\system32\mshta.exe

mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2936"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 2936

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3928"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 3928

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2604"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 2604

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1012"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 1012

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1084"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 1084

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 964"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 964

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3544"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 3544

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2920"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 2920

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2256"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 2256

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4720"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 4720

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2336"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 2336

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2576"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 2576

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4320"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 4320

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"

C:\Windows\system32\cmd.exe

cmd.exe /c chcp

C:\Windows\system32\cmd.exe

cmd.exe /c chcp

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\chcp.com

chcp

C:\Windows\system32\chcp.com

chcp

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\HOSTNAME.EXE

hostname

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get caption,description,providername

C:\Windows\system32\net.exe

net user

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user

C:\Windows\system32\query.exe

query user

C:\Windows\system32\quser.exe

"C:\Windows\system32\quser.exe"

C:\Windows\system32\net.exe

net localgroup

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup

C:\Windows\system32\net.exe

net localgroup administrators

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup administrators

C:\Windows\system32\net.exe

net user guest

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user guest

C:\Windows\system32\net.exe

net user administrator

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user administrator

C:\Windows\System32\Wbem\WMIC.exe

wmic startup get caption,command

C:\Windows\system32\tasklist.exe

tasklist /svc

C:\Windows\system32\ipconfig.exe

ipconfig /all

C:\Windows\system32\ROUTE.EXE

route print

C:\Windows\system32\ARP.EXE

arp -a

C:\Windows\system32\NETSTAT.EXE

netstat -ano

C:\Windows\system32\sc.exe

sc query type= service state= all

C:\Windows\system32\netsh.exe

netsh firewall show state

C:\Windows\system32\netsh.exe

netsh firewall show config

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
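
The process list above is the raw material a detection engineer writes rules against: the hidden-attribute copy under AppData\Local, the mshta fake-error dialog, the csproduct UUID lookup, the run of forced taskkill calls, the clipboard and Wi-Fi profile grabs, and one cmd.exe line that chains fourteen discovery tools with "&". The following is an added example, not part of the sandbox report and not the stealer's own code: a small rule set run over command lines copied from the list above. The rule names, the ATT&CK mappings, the weights and the thresholds (five chained recon tools, three kills, score 8) are this example's own choices, and triage() and recon_commands() are example functions, not sandbox APIs.

```python
"""Rule-based triage of process-creation command lines for the Exela-stealer
behaviours recorded in this report. Added example, not sandbox output and not
the stealer's code: the command lines are copied from the report's process
list; rule names, ATT&CK mappings, weights and thresholds are this example's own."""
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str   # MITRE ATT&CK ID, or "n/a" where no single technique fits
    pattern: str     # regex over the full command line, matched case-insensitively
    weight: int


RULES = [
    # attrib +h +s on a dropped binary under %LOCALAPPDATA% (hidden persistence copy)
    Rule("hide_dropped_binary", "T1564.001",
         r'\battrib\s+\+h\s+\+s\s+"?[a-z]:\\users\\[^"]*\\appdata\\local\\', 3),
    # mshta running inline JavaScript that shows a fake "DLL is missing" dialog
    Rule("mshta_fake_error_popup", "T1218.005",
         r'\bmshta\s+"?javascript:.*wscript\.shell.*\.popup\(', 3),
    Rule("hardware_uuid_collection", "T1082", r'\bwmic\s+csproduct\s+get\s+uuid\b', 1),
    Rule("clipboard_capture", "T1115", r'\bpowershell(\.exe)?\s+get-clipboard\b', 2),
    Rule("wifi_profile_discovery", "T1016.002", r'\bnetsh\s+wlan\s+show\s+profiles\b', 2),
    # one kill is ordinary; a burst of them is scored separately in triage()
    Rule("forced_process_kill", "n/a", r'\btaskkill\s+/f\s+/pid\s+\d+', 1),
]

# Tools the report shows chained with '&' into a single host-reconnaissance line.
RECON_COMMANDS = {"systeminfo", "hostname", "set", "wmic", "net", "query", "tasklist",
                  "ipconfig", "type", "route", "arp", "netstat", "sc", "netsh"}
RECON_MIN_DISTINCT, KILL_BURST_MIN, VERDICT_MIN_SCORE = 5, 3, 8   # example thresholds


def recon_commands(cmdline):
    """Distinct reconnaissance tools invoked in one '&'-chained command line."""
    inner = re.sub(r'^.*?cmd\.exe\s+/c\s+"?', "", cmdline, flags=re.I)  # drop the cmd /c wrapper
    found = set()
    for segment in inner.split("&"):
        m = re.match(r'\s*"?([A-Za-z]+)', segment)  # leading word: 'ipconfig/all' -> 'ipconfig'
        if m and m.group(1).lower() in RECON_COMMANDS:
            found.add(m.group(1).lower())
    return found


def triage(cmdlines):
    """Score a list of command lines; returns findings, densest recon line, score, verdict."""
    hits, best_recon = Counter(), set()
    for cmdline in cmdlines:
        for rule in RULES:
            if re.search(rule.pattern, cmdline, re.I):
                hits[rule.name] += 1
        recon = recon_commands(cmdline)
        if len(recon) > len(best_recon):
            best_recon = recon
    score = sum(r.weight for r in RULES if hits[r.name])   # each rule counts once
    if len(best_recon) >= RECON_MIN_DISTINCT:
        score += 3
    if hits["forced_process_kill"] >= KILL_BURST_MIN:
        score += 2
    return {
        "findings": [(r.name, r.technique, hits[r.name]) for r in RULES if hits[r.name]],
        "recon_commands": sorted(best_recon),
        "kill_count": hits["forced_process_kill"],
        "score": score,
        "verdict": "stealer-like" if score >= VERDICT_MIN_SCORE else "inconclusive",
    }


# Command lines copied from the report's process list (the constructed test input).
REPORT_CMDLINES = [
    r'"C:\Users\Admin\Downloads\ANARCHIA.GG GRIM CLIENT.exe"',
    r'C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"',
    r'wmic csproduct get uuid',
    r'''C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""''',
    r'attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"',
    r'''mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start '''
    r'''because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program '''
    r'''to fix this problem', 0, 'System Error', 0+16);close()"''',
    r'taskkill /F /PID 2936',
    r'taskkill /F /PID 3928',
    r'taskkill /F /PID 2604',
    r'powershell.exe Get-Clipboard',
    r'netsh wlan show profiles',
    r'C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver '
    r'& echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### '
    r'& wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user '
    r'& echo ####Online User#### & query user & echo ####Local Group#### & net localgroup '
    r'& echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### '
    r'& net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### '
    r'& wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### '
    r'& ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### '
    r'& route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano '
    r'& echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### '
    r'& netsh firewall show state & netsh firewall show config"',
]

if __name__ == "__main__":
    result = triage(REPORT_CMDLINES)
    for name, technique, count in result["findings"]:
        print(f"{name:26} {technique:10} x{count}")
    print("recon tools chained in one line:", ", ".join(result["recon_commands"]))
    print("score", result["score"], "->", result["verdict"])
```

Two design points. The hide rule is deliberately scoped to paths under a user's AppData\Local: attrib +h +s on its own is common in installers, and it is the combination with a freshly dropped binary in a user-writable directory that makes it worth a high weight. The kill rule is kept at weight 1 per rule and only escalated as a burst, because a single taskkill is routine; here the report shows thirteen in a row, and one of the targeted PIDs (2936) also appears in the Edge crashpad pipe name listed under Files, which is consistent with a stealer closing browser processes before reading their profile files.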

Network

Country Destination Domain Proto
US 8.8.8.8:53 brutality.my.canva.site udp
AU 103.169.142.250:443 brutality.my.canva.site tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
FR 45.112.123.126:443 api.gofile.io tcp
FR 45.112.123.126:443 api.gofile.io tcp
FR 45.112.123.126:443 api.gofile.io tcp
FR 51.75.242.210:443 s.gofile.io tcp
FR 51.75.242.210:443 s.gofile.io tcp
GB 2.18.27.82:443 www.bing.com tcp
FR 45.112.123.227:443 store1.gofile.io tcp
FR 45.112.123.227:443 store1.gofile.io tcp
N/A 127.0.0.1:50312 tcp
N/A 127.0.0.1:50326 tcp
N/A 127.0.0.1:50331 tcp
N/A 127.0.0.1:50335 tcp
N/A 127.0.0.1:50339 tcp
US 208.95.112.1:80 ip-api.com tcp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
FR 45.112.123.126:443 api.gofile.io tcp
FR 45.112.123.227:443 store1.gofile.io tcp
N/A 127.0.0.1:50468 tcp
N/A 127.0.0.1:50470 tcp
US 162.159.128.233:443 discord.com tcp
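
Read as a connection log, the table above mixes the sample's own traffic (the canva.site download page, the gofile.io API and storage nodes, discord.com, the ip-api.com external-IP lookup) with sandbox and browser infrastructure (DNS to 8.8.8.8, reverse PTR lookups, mDNS, loopback sockets, bing.com). The following is an added example, not part of the sandbox report: a parser that turns rows copied from the table into a deduplicated indicator list per category. The category lists (which hosts count as delivery, abused legitimate service, IP lookup, or browser noise) are this example's own analyst labels, not fields the report provides, and parse_row(), categorise() and extract_iocs() are example functions.

```python
"""Turn the report's Network table into a deduplicated, categorised IOC list,
separating the sandbox's own traffic from the sample's. Added example, not
sandbox output: the rows are copied from the report; the category lists are
this example's own analyst labels, not report fields."""
import ipaddress
import re
from collections import Counter, defaultdict

ROW_RE = re.compile(
    r'^(?P<cc>\S+)\s+(?P<ip>[\d.]+):(?P<port>\d+)\s+(?:(?P<domain>\S+)\s+)?(?P<proto>tcp|udp)$')

# Analyst-chosen categories (assumption: not part of the report's data model).
DELIVERY_HOSTS = ("brutality.my.canva.site",)   # the page the sample was fetched from
ABUSED_SERVICES = ("gofile.io", "discord.com")   # file hosting / webhook endpoints
IP_LOOKUP_SERVICES = ("ip-api.com",)             # external-IP lookup
BROWSER_NOISE = ("bing.com",)                    # Edge background traffic in the sandbox
SANDBOX_RESOLVER = "8.8.8.8"                     # DNS rows name the query, not a peer


def parse_row(line):
    """One table row -> dict, or None for the header and blank lines."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    row = m.groupdict()
    row["port"] = int(row["port"])
    if row["domain"] == "-":        # tolerate a placeholder for 'no domain'
        row["domain"] = None
    return row


def _under(domain, hosts):
    return any(domain == h or domain.endswith("." + h) for h in hosts)


def categorise(row):
    ip = ipaddress.ip_address(row["ip"])
    domain = row["domain"] or ""
    if ip.is_loopback or ip.is_multicast:
        return "noise-local"             # 127.0.0.1 sockets, mDNS
    if domain.endswith(".in-addr.arpa"):
        return "noise-ptr"               # reverse lookups done by the sandbox stack
    for label, hosts in (("delivery", DELIVERY_HOSTS), ("abused-service", ABUSED_SERVICES),
                         ("ip-lookup", IP_LOOKUP_SERVICES), ("browser-noise", BROWSER_NOISE)):
        if _under(domain, hosts):
            return label
    return "unclassified"


def extract_iocs(lines):
    """Returns ({category: sorted indicators}, Counter of table rows per category)."""
    iocs, rows = defaultdict(set), Counter()
    for line in lines:
        row = parse_row(line)
        if row is None:
            continue
        category = categorise(row)
        rows[category] += 1
        if category.startswith("noise-"):
            continue
        if row["domain"]:
            iocs[category].add(row["domain"])
        if row["ip"] != SANDBOX_RESOLVER:    # the resolver is infrastructure, not an indicator
            iocs[category].add(row["ip"])
    return {c: sorted(v) for c, v in iocs.items()}, rows


# Rows copied from the report's Network table (the constructed test input).
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 brutality.my.canva.site udp
AU 103.169.142.250:443 brutality.my.canva.site tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
FR 45.112.123.126:443 api.gofile.io tcp
FR 45.112.123.126:443 api.gofile.io tcp
FR 45.112.123.126:443 api.gofile.io tcp
FR 51.75.242.210:443 s.gofile.io tcp
FR 51.75.242.210:443 s.gofile.io tcp
GB 2.18.27.82:443 www.bing.com tcp
FR 45.112.123.227:443 store1.gofile.io tcp
FR 45.112.123.227:443 store1.gofile.io tcp
N/A 127.0.0.1:50312 tcp
N/A 127.0.0.1:50326 tcp
N/A 127.0.0.1:50331 tcp
N/A 127.0.0.1:50335 tcp
N/A 127.0.0.1:50339 tcp
US 208.95.112.1:80 ip-api.com tcp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
FR 45.112.123.126:443 api.gofile.io tcp
FR 45.112.123.227:443 store1.gofile.io tcp
N/A 127.0.0.1:50468 tcp
N/A 127.0.0.1:50470 tcp
US 162.159.128.233:443 discord.com tcp
"""

if __name__ == "__main__":
    iocs, rows = extract_iocs(NETWORK_TABLE.splitlines())
    for category, indicators in iocs.items():
        print(f"{category:15} ({rows[category]} rows): {', '.join(indicators)}")
    print("dropped:", {c: n for c, n in rows.items() if c.startswith("noise-")})
```

Two caveats when using the output. Rows to 8.8.8.8:53 carry the queried name, so the name is kept as an indicator but the resolver address is not; and the repeated api.gofile.io and store1.gofile.io rows are separate connections (API call, then upload to a storage node), which is why deduplication is by indicator rather than by row. Whether discord.com and gofile.io are exfiltration endpoints or merely contacted is not something the table alone proves; the grouping here records that they are legitimate services reached by the sample, and a captured request body would be needed to say more.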

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 9314124f4f0ad9f845a0d7906fd8dfd8
SHA1 0d4f67fb1a11453551514f230941bdd7ef95693c
SHA256 cbd58fa358e4b1851c3da2d279023c29eba66fb4d438c6e87e7ce5169ffb910e
SHA512 87b9060ca4942974bd8f95b8998df7b2702a3f4aba88c53b2e3423a532a75407070368f813a5bbc0251864b4eae47e015274a839999514386d23c8a526d05d85

\??\pipe\LOCAL\crashpad_2936_ISDZRJAZNJJDVHJW

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e1544690d41d950f9c1358068301cfb5
SHA1 ae3ff81363fcbe33c419e49cabef61fb6837bffa
SHA256 53d69c9cc3c8aaf2c8b58ea6a2aa47c49c9ec11167dd9414cd9f4192f9978724
SHA512 1e4f1fe2877f4f947d33490e65898752488e48de34d61e197e4448127d6b1926888de80b62349d5a88b96140eed0a5b952ef4dd7ca318689f76e12630c9029da

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 08bd2b48313bf06e0ecaf9fdd5185346
SHA1 c31d61e7f605d5975bf1eade843c0ab6477946fb
SHA256 70636e2eefb98a4114dbb4a139d06fe2bae5875348ba7259f07bbf4d55574b01
SHA512 9049264a8ac5b000923cb9bd27602241bf84096fdc7dbff2451351edc3f0a08265dc1a2c686e2b339a93864bbf374458f1fea91d54c25d29abb263229ab5239e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 33070f849160457365d36d730f22f8f0
SHA1 8ec231cf0e0244fddae4fcb31d5723e8c5ce1895
SHA256 7f4c8d0b59575d8bdcdd1292c86cbea61f1edcd60d2a5a8512a504feaf42e005
SHA512 037391d1c1af0cc409a1af576556383e37457dcaa4179f107f389bef619508decc395abaee1e5af5a79030c9177cee71693c72c545859376db6822b00bdbca81

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5dd2e0b34ed3a6072981cbfa8b37bfa1
SHA1 318e127942eb8a6ea7672a6e734aa0959238730d
SHA256 544178cf2b0e8e8dc32805d7213fd92227a9fd7789bb2ab6f337365626996c26
SHA512 9a1bf4ffc3a81e8e27cd3f5819bf5a1bf82aaa6fc2900c00effe0b379d996c07571064e647c96aa8f61b5b3de4b148e3aa8ba3a4cc7a0ff7477bb24a39ba0ac1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 0e2664a65b28d14b465600ac0f38691a
SHA1 136f670235cd03ba83aa80e97b28f6409a875293
SHA256 18993e7d317bdad462b35ebc71b438bdf065af84b361bcfbd0cb177ae399fb74
SHA512 00f2def6fb625dd92d756f2e90a0cad0457054098a7aad2ae1df92844becb7ac2d780d4eec2ffdce87ff7e08ceaded99c1fc6208e1a7cd45a9531b09a89581a3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 927931bddfd617e3718941fc4bd00ec6
SHA1 577703b1af5a4610809f2d27c4beed79566f5cf4
SHA256 62945f122da3db86dce3ed8b8d807c2d3c7d88fc0073e58fb0178f3277e74ff2
SHA512 7f0219d903d2cd730d81df0e0463086cd48364b268fff15fbd2e6515f3b5e3798a58681f202ea499c48658749d12ec037add16dc96823d6b50934bc94af8e921

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 0a949df6e8f2ed8a635dfc12b18b78a4
SHA1 2c5591041e86e6c27a6098f592c98c582458b27d
SHA256 83c4cde8d8f4bfed5b40350f73dc5d30e35a7230571ecc82d81e4496284131c8
SHA512 f97522d7b93af284cf316c73f24a27c73953bc4bfcd61212d7e5f9e5bda1500977b2730013dd5865e39ca59bfd10218ad1280771fc8fe05ec1096f9005873f64

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 270e1b9b80d66fb2bc014c3ebf2b10ab
SHA1 d44b2785c5020c580c21222ae4e2743268bd47d5
SHA256 2149f5fe6724c0b7578a2d8585f4c98802ba7a0279b12c70fd7ad9564bbc3209
SHA512 1b03d6106b61ff5679966b4e4c2958b99cf4589587619a49360c36429156c7a9c90b3db3988a3a47416b191a3bb2d95db563272156462518f58a7d4d43c02b77

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 958ea796533f57bf743bb911bf077953
SHA1 81e3479112087a8262ca9a4d5f0802f8cc2fe023
SHA256 42a6b968a70c034be6b534ecd2a3789adc47a2d519c5792978f50df5f42b036b
SHA512 1246d24e84d8b4c142a5f43b15430e1d5182e8efd8b4f7c0997daab55b95229543904381d0b3879b612547014b7bcd9d813c5a24af1cfe88b3836f22f2c98b00

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 3265133599ef7d1fb80aef56428579ac
SHA1 df4a322d22e4a8915d9052c13f1d1689b4a4f9b1
SHA256 3611f12b47bf0c8c638bdebc41e8c9b749208170c3c767f57a1a70093bd844ee
SHA512 7a6067e928e4ec93a84e7400fb5abb5676b347e96928ba1745bc2e29ea8eaafa1d9276a8b46b1962d375cb270d5f06bb75cad722d0283ee3487842f33f21ea8f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 709d018b1a7abf92259c269346473319
SHA1 2f2c8e7173089d60d781c9cc8e2d1c97a7f8f7c4
SHA256 6f9d9a83860c6b158748d122a8ad3750f8877b7c29e1ae527abf7985581d47f1
SHA512 ee705f2a2fb30d754c52d8401d186ed8253f9667fd5a45fb4e498eca2f14fbd3043039025f0d783590f684215c53167aa3909b2fc0cef7ccd7f07f4c9eab334a

C:\Users\Admin\Downloads\Unconfirmed 772088.crdownload

MD5 0c7bdb693ff2dcbf070a8ae550e56f39
SHA1 c4e5b2b2dc7299d8762c2fcf49c2f7c19a72a54f
SHA256 2045decb04bd6e377a0a4de9aba80e8fdfb80e5ed5d29afbceb1fbd0a6d88cb2
SHA512 10f80fdd41de20d3f489914c1dbbe6da38a66e25d911ee21b56f04c70f4ef67db758c26d4ea7fe89f643ff14a9d90b21397fdcece868a84c52859889466002e4

C:\Users\Admin\Downloads\ANARCHIA.GG GRIM CLIENT.exe:Zone.Identifier

MD5 fbccf14d504b7b2dbcb5a5bda75bd93b
SHA1 d59fc84cdd5217c6cf74785703655f78da6b582b
SHA256 eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913
SHA512 aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 a592248146eda47e9a219c1e8d571042
SHA1 0ed4303a352c49e2d716a5a1ec0f093812c9a3a8
SHA256 a460a95fb3be6a3e825880bcc40a71f07ac6b2c5949045e8f3045507c93062d5
SHA512 08c96ab96816a09482721585b357e790a3298e67f76921234430d7c4e5348f1f61b5a0f59c69a70ae96d8007e8ea36d6b8f990b08fcb916be46f6f85e774d9a9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 25644ea6e8d738f272ce945af9782341
SHA1 9961fa51f660ab4b95b5ca126c6ef2b60140476e
SHA256 f9be409f9e63918915a5083f764dd5724a1c83425a6ee71b5ff46d0d7ac252e9
SHA512 295f87d86ef302323e0d74446efd010d15c2bbc85312a0f7c80a97b52589c5c82a5bf850638ea6d1809aff7e6f50d89ce529adedf992df193be6cdf92bc42fe4

C:\Users\Admin\AppData\Local\Temp\_MEI40442\ucrtbase.dll

MD5 0e0bac3d1dcc1833eae4e3e4cf83c4ef
SHA1 4189f4459c54e69c6d3155a82524bda7549a75a6
SHA256 8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae
SHA512 a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

C:\Users\Admin\AppData\Local\Temp\_MEI40442\python311.dll

MD5 db09c9bbec6134db1766d369c339a0a1
SHA1 c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b
SHA256 b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79
SHA512 653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45

C:\Users\Admin\AppData\Local\Temp\_MEI40442\VCRUNTIME140.dll

MD5 f12681a472b9dd04a812e16096514974
SHA1 6fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256 d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA512 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

memory/1468-476-0x00007FFF5C8A0000-0x00007FFF5CE88000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI40442\base_library.zip

MD5 2a138e2ee499d3ba2fc4afaef93b7caa
SHA1 508c733341845e94fce7c24b901fc683108df2a8
SHA256 130e506ead01b91b60d6d56072c468aeb5457dd0f2ecd6ce17dfcbb7d51a1f8c
SHA512 1f61a0fda5676e8ed8d10dfee78267f6d785f9c131f5caf2dd984e18ca9e5866b7658ab7edb2ffd74920a40ffea5cd55c0419f5e9ee57a043105e729e10d820b

C:\Users\Admin\AppData\Local\Temp\_MEI40442\python3.DLL

MD5 34e49bb1dfddf6037f0001d9aefe7d61
SHA1 a25a39dca11cdc195c9ecd49e95657a3e4fe3215
SHA256 4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281
SHA512 edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

C:\Users\Admin\AppData\Local\Temp\_MEI40442\libffi-8.dll

MD5 decbba3add4c2246928ab385fb16a21e
SHA1 5f019eff11de3122ffa67a06d52d446a3448b75e
SHA256 4b43c1e42f6050ddb8e184c8ec4fb1de4a6001e068ece8e6ad47de0cc9fd4a2d
SHA512 760a42a3eb3ca13fa7b95d3bd0f411c270594ae3cf1d3cda349fa4f8b06ebe548b60cd438d68e2da37de0bc6f1c711823f5e917da02ed7047a45779ee08d7012

memory/1468-505-0x00007FFF74AA0000-0x00007FFF74AAF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI40442\api-ms-win-core-rtlsupport-l1-1-0.dll

MD5 a0c2dbe0f5e18d1add0d1ba22580893b
SHA1 29624df37151905467a223486500ed75617a1dfd
SHA256 3c29730df2b28985a30d9c82092a1faa0ceb7ffc1bd857d1ef6324cf5524802f
SHA512 3e627f111196009380d1687e024e6ffb1c0dcf4dcb27f8940f17fec7efdd8152ff365b43cb7fdb31de300955d6c15e40a2c8fb6650a91706d7ea1c5d89319b12

C:\Users\Admin\AppData\Local\Temp\_MEI40442\api-ms-win-core-profile-l1-1-0.dll

MD5 f3ff2d544f5cd9e66bfb8d170b661673
SHA1 9e18107cfcd89f1bbb7fdaf65234c1dc8e614add
SHA256 e1c5d8984a674925fa4afbfe58228be5323fe5123abcd17ec4160295875a625f
SHA512 184b09c77d079127580ef80eb34bded0f5e874cefbe1c5f851d86861e38967b995d859e8491fcc87508930dc06c6bbf02b649b3b489a1b138c51a7d4b4e7aaad

memory/1468-506-0x00007FFF70420000-0x00007FFF70439000-memory.dmp

memory/1468-507-0x00007FFF74880000-0x00007FFF7488D000-memory.dmp

memory/1468-510-0x00007FFF703A0000-0x00007FFF703C3000-memory.dmp

memory/1468-509-0x00007FFF703D0000-0x00007FFF703FD000-memory.dmp

memory/1468-508-0x00007FFF70400000-0x00007FFF70419000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI40442\api-ms-win-core-processthreads-l1-1-1.dll

MD5 517eb9e2cb671ae49f99173d7f7ce43f
SHA1 4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab
SHA256 57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54
SHA512 492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

C:\Users\Admin\AppData\Local\Temp\_MEI40442\api-ms-win-core-processthreads-l1-1-0.dll

MD5 c3632083b312c184cbdd96551fed5519
SHA1 a93e8e0af42a144009727d2decb337f963a9312e
SHA256 be8d78978d81555554786e08ce474f6af1de96fcb7fa2f1ce4052bc80c6b2125
SHA512 8807c2444a044a3c02ef98cf56013285f07c4a1f7014200a21e20fcb995178ba835c30ac3889311e66bc61641d6226b1ff96331b019c83b6fcc7c87870cce8c4

C:\Users\Admin\AppData\Local\Temp\_MEI40442\api-ms-win-core-processenvironment-l1-1-0.dll

MD5 0462e22f779295446cd0b63e61142ca5
SHA1 616a325cd5b0971821571b880907ce1b181126ae
SHA256 0b6b598ec28a9e3d646f2bb37e1a57a3dda069a55fba86333727719585b1886e
SHA512 07b34dca6b3078f7d1e8ede5c639f697c71210dcf9f05212fd16eb181ab4ac62286bc4a7ce0d84832c17f5916d0224d1e8aab210ceeff811fc6724c8845a74fe

C:\Users\Admin\AppData\Local\Temp\_MEI40442\api-ms-win-core-namedpipe-l1-1-0.dll

MD5 321a3ca50e80795018d55a19bf799197
SHA1 df2d3c95fb4cbb298d255d342f204121d9d7ef7f
SHA256 5476db3a4fecf532f96d48f9802c966fdef98ec8d89978a79540cb4db352c15f
SHA512 3ec20e1ac39a98cb5f726d8390c2ee3cd4cd0bf118fdda7271f7604a4946d78778713b675d19dd3e1ec1d6d4d097abe9cd6d0f76b3a7dff53ce8d6dbc146870a

C:\Users\Admin\AppData\Local\Temp\_MEI40442\api-ms-win-core-memory-l1-1-0.dll

MD5 3c38aac78b7ce7f94f4916372800e242
SHA1 c793186bcf8fdb55a1b74568102b4e073f6971d6
SHA256 3f81a149ba3862776af307d5c7feef978f258196f0a1bf909da2d3f440ff954d
SHA512 c2746aa4342c6afffbd174819440e1bbf4371a7fed29738801c75b49e2f4f94fd6d013e002bad2aadafbc477171b8332c8c5579d624684ef1afbfde9384b8588

C:\Users\Admin\AppData\Local\Temp\_MEI40442\api-ms-win-core-localization-l1-2-0.dll

MD5 724223109e49cb01d61d63a8be926b8f
SHA1 072a4d01e01dbbab7281d9bd3add76f9a3c8b23b
SHA256 4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210
SHA512 19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

C:\Users\Admin\AppData\Local\Temp\_MEI40442\api-ms-win-core-libraryloader-l1-1-0.dll

MD5 1f2a00e72bc8fa2bd887bdb651ed6de5
SHA1 04d92e41ce002251cc09c297cf2b38c4263709ea
SHA256 9c8a08a7d40b6f697a21054770f1afa9ffb197f90ef1eee77c67751df28b7142
SHA512 8cf72df019f9fc9cd22ff77c37a563652becee0708ff5c6f1da87317f41037909e64dcbdcc43e890c5777e6bcfa4035a27afc1aeeb0f5deba878e3e9aef7b02a

C:\Users\Admin\AppData\Local\Temp\_MEI40442\api-ms-win-core-interlocked-l1-1-0.dll

MD5 c6024cc04201312f7688a021d25b056d
SHA1 48a1d01ae8bc90f889fb5f09c0d2a0602ee4b0fd
SHA256 8751d30df554af08ef42d2faa0a71abcf8c7d17ce9e9ff2ea68a4662603ec500
SHA512 d86c773416b332945acbb95cbe90e16730ef8e16b7f3ccd459d7131485760c2f07e95951aeb47c1cf29de76affeb1c21bdf6d8260845e32205fe8411ed5efa47

C:\Users\Admin\AppData\Local\Temp\_MEI40442\api-ms-win-core-heap-l1-1-0.dll

MD5 accc640d1b06fb8552fe02f823126ff5
SHA1 82ccc763d62660bfa8b8a09e566120d469f6ab67
SHA256 332ba469ae84aa72ec8cce2b33781db1ab81a42ece5863f7a3cb5a990059594f
SHA512 6382302fb7158fc9f2be790811e5c459c5c441f8caee63df1e09b203b8077a27e023c4c01957b252ac8ac288f8310bcee5b4dcc1f7fc691458b90cdfaa36dcbe

C:\Users\Admin\AppData\Local\Temp\_MEI40442\api-ms-win-core-handle-l1-1-0.dll

MD5 e89cdcd4d95cda04e4abba8193a5b492
SHA1 5c0aee81f32d7f9ec9f0650239ee58880c9b0337
SHA256 1a489e0606484bd71a0d9cb37a1dc6ca8437777b3d67bfc8c0075d0cc59e6238
SHA512 55d01e68c8c899e99a3c62c2c36d6bcb1a66ff6ecd2636d2d0157409a1f53a84ce5d6f0c703d5ed47f8e9e2d1c9d2d87cc52585ee624a23d92183062c999b97e

C:\Users\Admin\AppData\Local\Temp\_MEI40442\api-ms-win-core-file-l2-1-0.dll

MD5 bfffa7117fd9b1622c66d949bac3f1d7
SHA1 402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2
SHA256 1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e
SHA512 b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

C:\Users\Admin\AppData\Local\Temp\_MEI40442\api-ms-win-core-file-l1-2-0.dll

MD5 1c58526d681efe507deb8f1935c75487
SHA1 0e6d328faf3563f2aae029bc5f2272fb7a742672
SHA256 ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2
SHA512 8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

C:\Users\Admin\AppData\Local\Temp\_MEI40442\api-ms-win-core-file-l1-1-0.dll

MD5 efad0ee0136532e8e8402770a64c71f9
SHA1 cda3774fe9781400792d8605869f4e6b08153e55
SHA256 3d2c55902385381869db850b526261ddeb4628b83e690a32b67d2e0936b2c6ed
SHA512 69d25edf0f4c8ac5d77cb5815dfb53eac7f403dc8d11bfe336a545c19a19ffde1031fa59019507d119e4570da0d79b95351eac697f46024b4e558a0ff6349852

C:\Users\Admin\AppData\Local\Temp\_MEI40442\api-ms-win-core-errorhandling-l1-1-0.dll

MD5 eb0978a9213e7f6fdd63b2967f02d999
SHA1 9833f4134f7ac4766991c918aece900acfbf969f
SHA256 ab25a1fe836fc68bcb199f1fe565c27d26af0c390a38da158e0d8815efe1103e
SHA512 6f268148f959693ee213db7d3db136b8e3ad1f80267d8cbd7d5429c021adaccc9c14424c09d527e181b9c9b5ea41765aff568b9630e4eb83bfc532e56dfe5b63

C:\Users\Admin\AppData\Local\Temp\_MEI40442\api-ms-win-core-debug-l1-1-0.dll

MD5 33bbece432f8da57f17bf2e396ebaa58
SHA1 890df2dddfdf3eeccc698312d32407f3e2ec7eb1
SHA256 7cf0944901f7f7e0d0b9ad62753fc2fe380461b1cce8cdc7e9c9867c980e3b0e
SHA512 619b684e83546d97fc1d1bc7181ad09c083e880629726ee3af138a9e4791a6dcf675a8df65dc20edbe6465b5f4eac92a64265df37e53a5f34f6be93a5c2a7ae5

C:\Users\Admin\AppData\Local\Temp\_MEI40442\api-ms-win-core-datetime-l1-1-0.dll

MD5 cfe0c1dfde224ea5fed9bd5ff778a6e0
SHA1 5150e7edd1293e29d2e4d6bb68067374b8a07ce6
SHA256 0d0f80cbf476af5b1c9fd3775e086ed0dfdb510cd0cc208ec1ccb04572396e3e
SHA512 b0e02e1f19cfa7de3693d4d63e404bdb9d15527ac85a6d492db1128bb695bffd11bec33d32f317a7615cb9a820cd14f9f8b182469d65af2430ffcdbad4bd7000

C:\Users\Admin\AppData\Local\Temp\_MEI40442\api-ms-win-core-console-l1-1-0.dll

MD5 e8b9d74bfd1f6d1cc1d99b24f44da796
SHA1 a312cfc6a7ed7bf1b786e5b3fd842a7eeb683452
SHA256 b1b3fd40ab437a43c8db4994ccffc7f88000cc8bb6e34a2bcbff8e2464930c59
SHA512 b74d9b12b69db81a96fc5a001fd88c1e62ee8299ba435e242c5cb2ce446740ed3d8a623e1924c2bc07bfd9aef7b2577c9ec8264e53e5be625f4379119bafcc27

memory/1468-484-0x00007FFF70680000-0x00007FFF706A4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI40442\_ctypes.pyd

MD5 b4c41a4a46e1d08206c109ce547480c7
SHA1 9588387007a49ec2304160f27376aedca5bc854d
SHA256 9925ab71a4d74ce0ccc036034d422782395dd496472bd2d7b6d617f4d6ddc1f9
SHA512 30debb8e766b430a57f3f6649eeb04eb0aad75ab50423252585db7e28a974d629eb81844a05f5cb94c1702308d3feda7a7a99cb37458e2acb8e87efc486a1d33

memory/1468-511-0x00007FFF5C720000-0x00007FFF5C893000-memory.dmp

memory/1468-512-0x00007FFF5C8A0000-0x00007FFF5CE88000-memory.dmp

memory/1468-514-0x00007FFF5C2E0000-0x00007FFF5C398000-memory.dmp

memory/1468-515-0x00007FFF5C3A0000-0x00007FFF5C715000-memory.dmp

memory/1468-513-0x00007FFF70370000-0x00007FFF7039E000-memory.dmp

memory/1468-516-0x00007FFF70680000-0x00007FFF706A4000-memory.dmp

memory/1468-517-0x00007FFF6FFF0000-0x00007FFF70005000-memory.dmp

memory/1468-518-0x00007FFF6FFD0000-0x00007FFF6FFE2000-memory.dmp

memory/1468-519-0x00007FFF70420000-0x00007FFF70439000-memory.dmp

memory/1468-521-0x00007FFF650A0000-0x00007FFF650B4000-memory.dmp

memory/1468-520-0x00007FFF650C0000-0x00007FFF650D4000-memory.dmp

memory/1468-522-0x00007FFF5F4F0000-0x00007FFF5F512000-memory.dmp

memory/1468-523-0x00007FFF5C1C0000-0x00007FFF5C2DC000-memory.dmp

memory/1468-525-0x00007FFF5F4D0000-0x00007FFF5F4EB000-memory.dmp

memory/1468-524-0x00007FFF703A0000-0x00007FFF703C3000-memory.dmp

memory/1468-527-0x00007FFF5F230000-0x00007FFF5F246000-memory.dmp

memory/1468-526-0x00007FFF5C720000-0x00007FFF5C893000-memory.dmp

memory/1468-530-0x00007FFF5F210000-0x00007FFF5F229000-memory.dmp

memory/1468-529-0x00007FFF5C2E0000-0x00007FFF5C398000-memory.dmp

memory/1468-528-0x00007FFF70370000-0x00007FFF7039E000-memory.dmp

memory/1468-535-0x00007FFF6FFF0000-0x00007FFF70005000-memory.dmp

memory/1468-534-0x00007FFF5C1A0000-0x00007FFF5C1B1000-memory.dmp

memory/1468-533-0x00007FFF793B0000-0x00007FFF793BA000-memory.dmp

memory/1468-532-0x00007FFF5F1C0000-0x00007FFF5F20D000-memory.dmp

memory/1468-531-0x00007FFF5C3A0000-0x00007FFF5C715000-memory.dmp

memory/1468-536-0x00007FFF5C180000-0x00007FFF5C19E000-memory.dmp

memory/1468-537-0x00007FFF5B9F0000-0x00007FFF5C17A000-memory.dmp

memory/1468-538-0x00007FFF5B9B0000-0x00007FFF5B9E7000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 4facd2b1d6590cc746d68efd79b949ce
SHA1 ec248b48ab5532d2440b6671cca1dda77a8bf876
SHA256 106f57686f62ed04b6e7521cb53c90996ac87abaa6ee7ac9c86890beedc6d478
SHA512 61cbda64fc723ffea5f2acf1f1906291f33cff1eb636565561859c0cd977e5f4bf99c805871983fb86e78777f508b0653189655a55aedcea3c3fe9c44eef54c3

memory/1468-555-0x00007FFF5F4F0000-0x00007FFF5F512000-memory.dmp

memory/1468-570-0x00007FFF5C1C0000-0x00007FFF5C2DC000-memory.dmp

memory/1468-613-0x00007FFF5F230000-0x00007FFF5F246000-memory.dmp

memory/1468-614-0x00007FFF7A0D0000-0x00007FFF7A0DD000-memory.dmp

memory/3584-617-0x0000023EF2530000-0x0000023EF2552000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qjcjdvs2.edf.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1468-632-0x00007FFF5F1C0000-0x00007FFF5F20D000-memory.dmp

memory/1468-642-0x00007FFF70370000-0x00007FFF7039E000-memory.dmp

memory/1468-661-0x00007FFF5C180000-0x00007FFF5C19E000-memory.dmp

memory/1468-658-0x00007FFF5B9F0000-0x00007FFF5C17A000-memory.dmp

memory/1468-653-0x00007FFF5F210000-0x00007FFF5F229000-memory.dmp

memory/1468-646-0x00007FFF6FFD0000-0x00007FFF6FFE2000-memory.dmp

memory/1468-645-0x00007FFF6FFF0000-0x00007FFF70005000-memory.dmp

memory/1468-643-0x00007FFF5C3A0000-0x00007FFF5C715000-memory.dmp

memory/1468-633-0x00007FFF5C8A0000-0x00007FFF5CE88000-memory.dmp

memory/1468-659-0x00007FFF5B9B0000-0x00007FFF5B9E7000-memory.dmp

memory/1468-644-0x00007FFF5C2E0000-0x00007FFF5C398000-memory.dmp

memory/1468-641-0x00007FFF5C720000-0x00007FFF5C893000-memory.dmp

memory/1468-634-0x00007FFF70680000-0x00007FFF706A4000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

MD5 77a8b2c86dd26c214bc11c989789b62d
SHA1 8b0f2d9d0ded2d7f9bff8aed6aefd6b3fdd1a499
SHA256 e288c02cbba393c9703519e660bf8709331f11978c6d994ea2a1346eef462cb8
SHA512 c287e3ae580343c43a5354347ca5444f54840fba127a2b1edc897b1dfea286fa37b5808f6e89f535c4022db8b3f29448aa4cc2f41ab0f308eec525a99fac4e5e

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\CloseRepair.docx

MD5 b9532827bdbc13f1c0e180e1cc3ada1c
SHA1 791baf0830025232f90d323c9cdc2a5a37f423bc
SHA256 cd0ca8e86a4bf3c9bb55706848f7f5ca7685fa9217b8e480a2ddc506ec923f5d
SHA512 42db273f2b75cbfac837f0b61245bf77e11606899f12a1f29d53c8ce6c4128e0ecc435eb4e128253b4582668102eb26ca1ae3be11ff2400b9b09a238cfd083f0

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\CompressMove.txt

MD5 df075d6310f94032e2ce70f9b434b413
SHA1 799730985189b24b381931d57b3a8e896c6fcb35
SHA256 6702dc175327a951cc2dd41a464d32e936b942a3d47fac8fb4c9ad7603d81eb4
SHA512 e2832a8f06d238e365a5e9872fbe2a56653eb38ee5d9453b96642e1dd3853f24b9655c0df76172487bc6cf52c42b6394f4beac552fd2adfa0121f66dccda29b5

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\UndoSwitch.xls

MD5 afe61d59559429167b51cdbc1ddc65c1
SHA1 f7ef3fc9d4e732e06a36818ced0a07b7e9281f83
SHA256 c8a7dfb38b4204d899c50978bafa3ccb8d02817d1042a0af59b06321c78ce914
SHA512 c8e7f959d3434ed0817b6382648d32eb7344340c454591dd4bb6b57b1790eda2c713bf966a3a1ac375af90a7f978cc530e925f10e78bff38350bf5a34f7996a7

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\HideDisconnect.xlsx

MD5 0ab5cf7992adc1064b743f7e3469dba0
SHA1 bfacb79a6d637d017ab66670dd0ed447617234c1
SHA256 b09d1a7b557e535337a70bc0c952b204661ed5100cf7470476eb879d70fba807
SHA512 535b14ebe0ae3a48d903bb796b2daad217171f234125c648fcf56ebfa2515a1ea4a61e9ee9d6a2276452dec084e682cddc96b8a565c16d674136a71f4c24c6b7

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\GrantUse.zip

MD5 5225759bef7ef975bf3318ad189fb50a
SHA1 444ae3896e824aac68a91c9a4fdfc16ef0d13dfb
SHA256 4f7346c52cedf41d749ad2bd404f23c603d7cccb21c923ffb5b8356fd51cb49a
SHA512 54fb196d8ece578b231eb547d8836e0fdeb44821c095963bec982526f234a82da7bb19fcf8abf8abbe62bd48f6f072e2896483bff4f2af33fd5f64a618742059

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\DebugPublish.xlsx

MD5 31d99a977b1deb4dfb412843101d6e2d
SHA1 705355bbd9c1503e89bde4b0e8e4c2a1eb80acba
SHA256 9e899ae3a8e4c4f2d8a99f488255ceaf9572b8c625938b0943ff1ef5c54af814
SHA512 06f454bee04ca308206e70e7849efdb7422b4aed041ad2564551f61ed8b3951f2fdceb631c06d3d1624e61256a6d4d7f3af85a61cb1b854ce336099192222e4a

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\BackupLimit.xla

MD5 ebcf1c0fd19d65e101ad1d64a78db4f6
SHA1 0c1abcc7e25c583f7a4a6e26f56b2893a26d3040
SHA256 51002b78141227eadf6a58bcabddb6037b91af2552709972e42ef956e9ad5f09
SHA512 69bb56812b635f280b1bcfe38749ddf5c79ea39c46800d0d325ba4c90137ba67e7d9746c6c03eba1ed87c30a973ca95da26b9026d6e5ea4167e9833add62b517

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\CompleteRemove.csv

MD5 f132359b2b6f7efd612eb79a39d2beff
SHA1 426329f9b596c430317e2634ee77d6cdf0d5945a
SHA256 2f37416f37e599305389390c19bbfed000c54c944efb828e807eccdc037c4058
SHA512 e41bdbf2a634ea984a95bacb703bec877e06675c7fa49ab166df8f4c964a816bf3320414c80d0789e83520a31c9d5bc6102a9ee4dc87455e09c946ba658893c2

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\FindConvertFrom.xls

MD5 bbdf7bbbbbbc92f9c79a090c8a110d8e
SHA1 e2c6a11f35ee4268da55e62dbe5a14f73bf0432b
SHA256 5d4a101c1949978c6f705eca7ffac8d8942df8c2432dba64cf0c3e1b85cf65d8
SHA512 bab36064b536114d3cede087579c4a20f2ab5b993ccebb7e31ec2a27c02cf88df09c9bb6cd05bed4704f68d4b22f01fb0d7db622ba560d54c2026fb1633f742a

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\CompressSkip.xlsx

MD5 68f50128411ada90e029289b6a7eff5b
SHA1 387e242817adb79acdceedffe64027e08c1619bb
SHA256 7c92a088d017442a1cd84b8e2f35a1834f91724cb06d414a87847dc9e927b81f
SHA512 954ce1c1e7e717abe815a98a42689b2bb6ec1d6173c4ed7a71f87542cab14b84e7ce6787bfd02b1e00477b2e3a5d60dcdb554b4b1d3bd1168d2cae4beb65b15e

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\NewOut.pdf

MD5 5e792ac51f7596798e142bfe53656a07
SHA1 0f174ed028d0a377e31a7104e9658d3e3bbd0f25
SHA256 0db2d8098c82a29519439faa722d17fe1eb9edb188f39a16db7caad39c72802f
SHA512 0226c39745785d76d57c27ba21d942012e28b09bbe82d16c663255edfcced5a7da9a4874b0cef573b5e63a39131f31b9922406664e3f5437e23d83fa585ac410

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\ReadResize.txt

MD5 5b50afb0b09398b216e1d076c5d87181
SHA1 d3aa9b512bea58569c3147c6d2aec0b2aca5cbaa
SHA256 ad2c8ecf762a8cdc9b25f549f8ff25cc8a771a7112541e133c17ed1d762db217
SHA512 6f20ff7e5f258ffad4d01142201d22afd8ce20b25bc286b5db06cb437ed16b832e8ba22584eb84ba910258387a79d427c7e201c8e8a496a705861f9a24c6f387

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\BackupMount.bin

MD5 ac47a83bf9acd5310cf52cda3664c8d7
SHA1 51e1bb256c2d3108b011ffe23fac1813da7fe357
SHA256 ef80bf6d87aef7bd7677cd690838868c5ff4d52f21854d5d95c21715db45b647
SHA512 75512f285e913bcbece1a87bf20cfbf35b410019bbe8bc9035d1c5ab343764b921eae656b94d11cf9b55b8acd0af9706f235d8f3ee1bbcb415fda398a9e2a0d6

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\SwitchDebug.docx

MD5 5f5779fca49b7315ea2f0ab20bee6f8e
SHA1 427d1f4d182eec14934f445081916f1794c98783
SHA256 aec5ffcde872f9ddf74ed26110ffbc107d94e39e0b5994267c1e1368fe653e98
SHA512 e9440c8f2627f7274bad79eabbdf3d3a6bf7d908aae28c943b069de43bba06df819eaf0c7898ea9489061f60cc023efe222ea55ad325c6677741402b07a27a39

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\SendRestart.xlsx

MD5 183528b544c2b61600bdd2f2f3149b69
SHA1 6aec7aa82582434a0ca754c4a6b36ea35f154764
SHA256 83667b7740829090474b4ed9b58aaede523ffb7601279ba78575c00d0342da11
SHA512 e20b8f784c667fb9271a21ed6260c99259db654b039e0346c304c1b6984779173487ba65a22545e783963a4e458f45951a94658322363d16119fc25358722ac9

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\ConvertUse.jpeg

MD5 637dbccd222c89a584d1d80df8288f80
SHA1 1c84340d31cdc3b877dc4d53409794ff825bf4c4
SHA256 6ea46728796538d46559004bbfe572bd6b6d4aed43b4df9dd6940f95a1d7281f
SHA512 f9f587542361d915b5b51409fe43963a5176cdb70ad7bf90db31c78f9b333a870a6a547197723c3076536bd2d21dbbb72aef7faba287c9f9b35e9d2158bba5ef

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\GetOut.zip

MD5 aa66470eaf30d8cea776529da57968dd
SHA1 6a09e079986026767e400a93f85f97cc44297aca
SHA256 6882ebf8269fd9728d089830afda18327ffd938a916b58e6f0528f48573c79d0
SHA512 c99656904674a80330216962d29a49b9b71037d5d3356a4df8e6f1963b3d8243b885f5c92eaf9a273630b0f4b1a97b9979b375305823c4bae4b3eddd9c90f0cf

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\HideFormat.mp4

MD5 c733bb6208cece1a85904d472abbbd6c
SHA1 effc889a63cd032efe40db3a49412e23efde4a1c
SHA256 7f2322886a15449e4a9133bbe8860d41a61874aa3d9aea15b705fc7012b23d54
SHA512 70da6aba5d6fcaa27237d379abee86085bef0066c90fecdf726f48ca9b18c8ae5760213647c590f1d01582711b07be8eeacc936f28720cd888a1e754b41ae5dc

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\HideUnprotect.pdf

MD5 96169d402e2cd46f51a9f493a5ae7403
SHA1 03b100b352099fb9aa42dee3c173f3e7fcfc02f9
SHA256 efd4923b6e360714cd9ac709a5deba62ee7201801949a323cb610cab8b8f3a04
SHA512 d645cbdb3d15bcea101dfb7e015ee653c782496fbd8eecd256ec46f1d6ccbb7b98543046a75936e30f9f472f090cf6d889cb98998b3d62db43e8b1a7583fcea5

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\RenameMeasure.jpg

MD5 d07fc2e260ea1c32a9107d78316253f4
SHA1 68754f15c360a31cb90d30a9a8817d46a0aa61f9
SHA256 9969bbce91150f4eb9e95d85874f8448100ee5a080d859ceef6b377f1f2c777e
SHA512 5aca6d53cf522a3745c054da838027e012a921a336872bcdbbfa14b15899af0a06facc55a1df4a9cca56d194edbcb5d5d32256fe043e67e3e15ea1d2f52ea44a

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\ResetSave.zip

MD5 b4784a27120d465c1641ae78d73e98e3
SHA1 800b6f363c3d3287c2ea694ed1920cc1f256d5e6
SHA256 e3b8691ecf7f1ae132197328814787157e525cc5eaceca4e002ed224240a53e2
SHA512 90e965b3994689e9e27f91105b2d85462316055b7f1f6dc0c242820b69341aca203c2651e0c251350551f078d31cd6af0b6598919f63d66bdbee6da324a12b1d

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\SetRequest.jpeg

MD5 9edcd8d73777ff81be2625fe94776199
SHA1 7b3355065ce1862796cc0c445e463ec3d3781030
SHA256 673b487fcecf7fe108e476338d38799ea623e3b162ee306f898876c4ddcf7228
SHA512 194893bd2415c8b56946367fb05076114cdc4ba0f729c99bc987e88cc876694dfcb684f8e2f65060b9c535a3febb81d9a9f5b2e3403121d70cedb0ccba2a7f4f

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\SearchRedo.zip

MD5 6bc6a9421e2b9d627bfbbcef59eb64d0
SHA1 4fdcb5a46028c13df9bcd7709cd3534ede7e265e
SHA256 d7b37fb4628f31f40c67f5a71438ae7fd5dde19def71f4d8736fc24474369af3
SHA512 9800d91853c415bfe5151359738627c16b964a8d7e937f16327b8d7dac7d7a995fb627840500a9dfd615e84ecfa4f2bc78e80f9f4f385a5ca82ec8476440b1a3

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\TraceEdit.txt

MD5 4aac71aa77f441e8397b6a6ae63a1532
SHA1 7fa71c6739cdc1c560e3b12e41a1c76dc0bac7c0
SHA256 da553956e1c2e1cdc058c50eb4ecd6c9c019f5a51ac1c78463d295b1c183a1e6
SHA512 dcd2d578b5f2fa41e9df21a692a26d719483a9b287ec81b4568d67b5b575e97048654a6023ef34d7a93ae07610998c082f960b32748d5e0b15bc807152b73f47

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\UpdateTrace.docx

MD5 fd3db2ee1774ff024dd58106f7d0bed2
SHA1 0a60c017d871b49ef57bdfc9da042296116f5c38
SHA256 c48329ae427a7a203d8c94c4e0cb265dc824d72d4658ec7ee60b3cb32c8886fc
SHA512 092390320e1f035bb357bff7021e16d89c69db3b8d3661d2468d3b53a781ae48c8aba313816befe83ede975a971fbf792c9130822a956b5d684d9edc410e6483

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\SubmitPing.zip

MD5 4f95b045271cbdfc1a2b2eef6cd83524
SHA1 02ff6da83b2898d68d912607eba7485bd51a2db7
SHA256 daba18735a7416a1a16b9691f5950ce92eaedfafa1d43a407fbeb2289353318d
SHA512 8759d4592141e7d05ae89cf237a585d378a0d50726cfe147a1f076e412e9ba672100417ebf7063a7f607358f73d7552f7e197e9fbcbaec70eb348c8110510716

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\BackupInstall.avi

MD5 8a799646eaf0ab42f76f45f95f719391
SHA1 7eb98ef6a6f457d7f3a040f863d56cb0e4957689
SHA256 3927521f50da3b1691041878766e04422131488a429b07e14d0f7f515053a1d2
SHA512 eeb915522a039bcf67ace99efddf3dda72a209eb8b447491a94c296d0be8d584420000c9998d922242bb398000bf7b379cbd4e13398145bf462356c4bcc5e129

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\DenyShow.jpg

MD5 25bb082069cd96f317d366e99f52b0e4
SHA1 95299321f64feb4765bb35da8bb92202fbcf6ecd
SHA256 4cd5b83b95e161dba0622e68a5dd2b9656bb791f8fa762b3cb5f542e931a0dff
SHA512 f38d5185105573729912c75aea7740c63f96eeda5d5b956b8d789ef3a1566ad571192fc93b1e2d3a807c73e0d536ca1a0e6be3d72d4246f058ae09eae3fd7bd2

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\GetStep.jpeg

MD5 849f7368cff9f395aa05a779ebfb938d
SHA1 646905d353a731972e0f3515e8734da9a0578a9f
SHA256 ebe645cdd7488cbbd7fbce354a9ce768a326f3952c044915156d9087bb26bb74
SHA512 f04d2f09cfc1c9b8af1e898f81c87bc13f11e4c63c1f57e11d0f8fc05f204cbdc7126e44809228c759610dc4759a98957f1322f82b9a3e4f55115152eb32dc5d

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\SelectConvertTo.jpg

MD5 af17075f6cf2db4940d480377b1e6dc3
SHA1 e0420eadc2872fa79f1c0dfd16209608847f9c1d
SHA256 6d7073e46cb920bbe9680fd393f05b502fa1b76f955598a86248f2282c780ae4
SHA512 03257a3bbeb274d7b6488f4d9070c42a8ae84b92d91c75e037622337f99a6546d01ac5838d86d3c1e7d7c18b5e415e8d75f39df843e4c94861f5ec067ac1bce7

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\My Wallpaper.jpg

MD5 a51464e41d75b2aa2b00ca31ea2ce7eb
SHA1 5b94362ac6a23c5aba706e8bfd11a5d8bab6097d
SHA256 16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f
SHA512 b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\UnlockRestore.jpeg

MD5 2412328330389576e844c47cf588d93b
SHA1 b86dc3a9fb2a51aa9065dd0e41514add66c979d4
SHA256 334b3045c9931f3c1e916d30bbc0a3b27232342e7404163cd60bc855796d9634
SHA512 a139a502eae3b8dae205b0a56757207eba30988af2e1731fe8d1eaa25a1ca306912a95d33a48231d0c670eb656d46712f4550ba7cc37c22006621b1ea86b046d

memory/1468-895-0x00007FFF5F210000-0x00007FFF5F229000-memory.dmp

memory/1468-887-0x00007FFF6FFF0000-0x00007FFF70005000-memory.dmp

memory/1468-896-0x00007FFF5F1C0000-0x00007FFF5F20D000-memory.dmp

memory/1468-884-0x00007FFF70370000-0x00007FFF7039E000-memory.dmp

memory/1468-875-0x00007FFF5C8A0000-0x00007FFF5CE88000-memory.dmp

memory/1468-975-0x00007FFF5C2E0000-0x00007FFF5C398000-memory.dmp

memory/1468-974-0x00007FFF70370000-0x00007FFF7039E000-memory.dmp

memory/1468-986-0x00007FFF793B0000-0x00007FFF793BA000-memory.dmp

memory/1468-985-0x00007FFF5F1C0000-0x00007FFF5F20D000-memory.dmp

memory/1468-984-0x00007FFF5F210000-0x00007FFF5F229000-memory.dmp

memory/1468-983-0x00007FFF5F230000-0x00007FFF5F246000-memory.dmp

memory/1468-982-0x00007FFF5F4D0000-0x00007FFF5F4EB000-memory.dmp

memory/1468-981-0x00007FFF5C1C0000-0x00007FFF5C2DC000-memory.dmp

memory/1468-980-0x00007FFF5F4F0000-0x00007FFF5F512000-memory.dmp

memory/1468-979-0x00007FFF650C0000-0x00007FFF650D4000-memory.dmp

memory/1468-978-0x00007FFF650A0000-0x00007FFF650B4000-memory.dmp

memory/1468-977-0x00007FFF6FFD0000-0x00007FFF6FFE2000-memory.dmp

memory/1468-976-0x00007FFF6FFF0000-0x00007FFF70005000-memory.dmp

memory/1468-973-0x00007FFF5C720000-0x00007FFF5C893000-memory.dmp

memory/1468-972-0x00007FFF5C1A0000-0x00007FFF5C1B1000-memory.dmp

memory/1468-971-0x00007FFF703D0000-0x00007FFF703FD000-memory.dmp

memory/1468-970-0x00007FFF70400000-0x00007FFF70419000-memory.dmp

memory/1468-969-0x00007FFF74880000-0x00007FFF7488D000-memory.dmp

memory/1468-968-0x00007FFF70420000-0x00007FFF70439000-memory.dmp

memory/1468-967-0x00007FFF74AA0000-0x00007FFF74AAF000-memory.dmp

memory/1468-966-0x00007FFF70680000-0x00007FFF706A4000-memory.dmp

memory/1468-965-0x00007FFF703A0000-0x00007FFF703C3000-memory.dmp

memory/1468-937-0x00007FFF5C8A0000-0x00007FFF5CE88000-memory.dmp

memory/1468-988-0x00007FFF5C180000-0x00007FFF5C19E000-memory.dmp

memory/1468-987-0x00007FFF5C3A0000-0x00007FFF5C715000-memory.dmp

memory/1468-991-0x00007FFF7A0D0000-0x00007FFF7A0DD000-memory.dmp

memory/1468-990-0x00007FFF5B9B0000-0x00007FFF5B9E7000-memory.dmp

memory/1468-989-0x00007FFF5B9F0000-0x00007FFF5C17A000-memory.dmp