Malware Analysis Report

2024-11-15 09:53

Sample ID 241109-yq98ls1dnn
Target https://mega.nz/file/4nlwxAqL#SRB6SE9FtsJVXmVM_OuUWGUL2GJM7t2fe08Ym2dbty8
Tags: exelastealer collection defense_evasion discovery evasion persistence privilege_escalation pyinstaller spyware stealer upx
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Threat Level: Known bad

The file https://mega.nz/file/4nlwxAqL#SRB6SE9FtsJVXmVM_OuUWGUL2GJM7t2fe08Ym2dbty8 was found to be: Known bad.

Malicious Activity Summary

Exela Stealer

Exelastealer family

Grants admin privileges

Modifies Windows Firewall

Loads dropped DLL

Clipboard Data

Reads user/profile data of web browsers

Executes dropped EXE

Looks up external IP address via web service

Network Service Discovery

Legitimate hosting services abused for malware hosting/C2

Hide Artifacts: Hidden Files and Directories

UPX packed file

Enumerates processes with tasklist

Drops file in Windows directory

Drops file in Program Files directory

Launches sc.exe

System Network Configuration Discovery: Wi-Fi Discovery

Event Triggered Execution: Netsh Helper DLL

Permission Groups Discovery: Local Groups

Browser Information Discovery

Detects Pyinstaller

System Network Connections Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Gathers network information

Kills process with taskkill

NTFS ADS

Suspicious use of FindShellTrayWindow

Collects information from the system

Uses Volume Shadow Copy service COM API

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of SendNotifyMessage

Uses Volume Shadow Copy WMI provider

Enumerates system info in registry

Gathers system information

Views/modifies file attributes

Modifies data under HKEY_USERS

Runs net.exe

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-09 20:00

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-09 20:00
Reported: 2024-11-09 20:02
Platform: win10ltsc2021-20241023-en
Max time kernel: 111s
Max time network: 112s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/4nlwxAqL#SRB6SE9FtsJVXmVM_OuUWGUL2GJM7t2fe08Ym2dbty8

Signatures

Exela Stealer

stealer exelastealer

Exelastealer family

exelastealer

Grants admin privileges

Modifies Windows Firewall

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A
N/A | N/A | C:\Windows\system32\netsh.exe | N/A

Clipboard Data

collection
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\system32\cmd.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Downloads\Tools.exe | N/A
N/A | N/A | C:\Users\Admin\Downloads\Tools.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Downloads\Tools.exe | N/A (32 identical rows)

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | discord.com | N/A | N/A (4 identical rows)

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Network Service Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\cmd.exe | N/A
N/A | N/A | C:\Windows\system32\ARP.EXE | N/A

Enumerates processes with tasklist

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\tasklist.exe | N/A (4 identical rows)

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\cmd.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A (64 identical rows)

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\c7463fb2-6ffd-4419-ac8d-809398b1a0b3.tmp | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20241109200056.pma | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Logs\CBS\CBS.log | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe | N/A
File opened for modification | C:\Windows\SystemTemp | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A

Browser Information Discovery

discovery

Detects Pyinstaller

pyinstaller
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A

Permission Groups Discovery: Local Groups

discovery

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\netsh.exe | N/A
N/A | N/A | C:\Windows\system32\cmd.exe | N/A

System Network Connections Discovery

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A

Collects information from the system

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Gathers network information

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A
N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A

Gathers system information

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133756561197074574" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

NTFS ADS

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 525939.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A (4 identical rows)
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A (4 identical rows)
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A (3 identical rows)
N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A (16 identical rows)
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A (11 identical rows)
Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A (35 identical rows)
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A (26 identical rows)

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A (24 identical rows)
N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A (24 identical rows)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1208 wrote to memory of 1628 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1208 wrote to memory of 1628 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1208 wrote to memory of 2700 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (40 identical rows)
PID 1208 wrote to memory of 5108 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1208 wrote to memory of 5108 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1208 wrote to memory of 4360 | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (10 identical rows)
PID 1208 wrote to memory of 4360 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1208 wrote to memory of 4360 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1208 wrote to memory of 4360 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1208 wrote to memory of 4360 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1208 wrote to memory of 4360 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1208 wrote to memory of 4360 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1208 wrote to memory of 4360 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1208 wrote to memory of 4360 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1208 wrote to memory of 4360 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1208 wrote to memory of 4360 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/4nlwxAqL#SRB6SE9FtsJVXmVM_OuUWGUL2GJM7t2fe08Ym2dbty8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7ff97bf846f8,0x7ff97bf84708,0x7ff97bf84718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6088 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x298,0x29c,0x2a0,0x274,0x2a4,0x7ff7ae035460,0x7ff7ae035470,0x7ff7ae035480

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6088 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6096 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5444 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6384 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4b4 0x2fc

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6116 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6684 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2208,1426029680493000943,14515432902983703750,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6836 /prefetch:8

C:\Users\Admin\Downloads\Tools.exe

"C:\Users\Admin\Downloads\Tools.exe"

C:\Users\Admin\Downloads\Tools.exe

"C:\Users\Admin\Downloads\Tools.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\mshta.exe

mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1208"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 1208

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1628"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 1628

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2700"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 2700

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5108"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 5108

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4360"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 4360

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4720"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 4720

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1140"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 1140

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4884"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskkill.exe

taskkill /F /PID 4884

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2236"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 2236

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5192"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 5192

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5200"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 5200

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"

C:\Windows\system32\cmd.exe

cmd.exe /c chcp

C:\Windows\system32\cmd.exe

cmd.exe /c chcp

C:\Windows\system32\chcp.com

chcp

C:\Windows\system32\chcp.com

chcp

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding

C:\Windows\system32\HOSTNAME.EXE

hostname

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get caption,description,providername

C:\Windows\system32\net.exe

net user

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user

C:\Windows\system32\query.exe

query user

C:\Windows\system32\quser.exe

"C:\Windows\system32\quser.exe"

C:\Windows\system32\net.exe

net localgroup

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup

C:\Windows\system32\net.exe

net localgroup administrators

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup administrators

C:\Windows\system32\net.exe

net user guest

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user guest

C:\Windows\system32\net.exe

net user administrator

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user administrator

C:\Windows\System32\Wbem\WMIC.exe

wmic startup get caption,command

C:\Windows\system32\tasklist.exe

tasklist /svc

C:\Windows\system32\ipconfig.exe

ipconfig /all

C:\Windows\system32\ROUTE.EXE

route print

C:\Windows\system32\ARP.EXE

arp -a

C:\Windows\system32\NETSTAT.EXE

netstat -ano

C:\Windows\system32\sc.exe

sc query type= service state= all

C:\Windows\system32\netsh.exe

netsh firewall show state

C:\Windows\system32\netsh.exe

netsh firewall show config

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ff96e36cc40,0x7ff96e36cc4c,0x7ff96e36cc58

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2028,i,13997502721834994177,3024343501860914853,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2024 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1912,i,13997502721834994177,3024343501860914853,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2116 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,13997502721834994177,3024343501860914853,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2496 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,13997502721834994177,3024343501860914853,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3164 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3180,i,13997502721834994177,3024343501860914853,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3212 /prefetch:1

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4560,i,13997502721834994177,3024343501860914853,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4568 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3712,i,13997502721834994177,3024343501860914853,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3700 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3788,i,13997502721834994177,3024343501860914853,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4704 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4944,i,13997502721834994177,3024343501860914853,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3700 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5036,i,13997502721834994177,3024343501860914853,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5020 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5132,i,13997502721834994177,3024343501860914853,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5148 /prefetch:8

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 mega.nz udp
LU 31.216.145.5:443 mega.nz tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 5.145.216.31.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 nav.smartscreen.microsoft.com udp
LU 31.216.145.5:443 mega.nz tcp
US 8.8.8.8:53 eu.static.mega.co.nz udp
NL 66.203.127.13:443 eu.static.mega.co.nz tcp
NL 66.203.127.13:443 eu.static.mega.co.nz tcp
GB 51.11.108.188:443 nav.smartscreen.microsoft.com tcp
GB 51.11.108.188:443 nav.smartscreen.microsoft.com tcp
US 8.8.8.8:53 188.108.11.51.in-addr.arpa udp
US 8.8.8.8:53 13.127.203.66.in-addr.arpa udp
US 8.8.8.8:53 98.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 data-edge.smartscreen.microsoft.com udp
GB 51.11.108.188:443 data-edge.smartscreen.microsoft.com tcp
GB 51.11.108.188:443 data-edge.smartscreen.microsoft.com tcp
GB 51.11.108.188:443 data-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 g.api.mega.co.nz udp
LU 66.203.125.12:443 g.api.mega.co.nz tcp
LU 66.203.125.12:443 g.api.mega.co.nz tcp
US 8.8.8.8:53 12.125.203.66.in-addr.arpa udp
NL 66.203.127.13:443 eu.static.mega.co.nz tcp
N/A 127.0.0.1:6341 tcp
N/A 127.0.0.1:6341 tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 gfs302n510.userstorage.mega.co.nz udp
CA 185.206.25.20:443 gfs302n510.userstorage.mega.co.nz tcp
CA 185.206.25.20:443 gfs302n510.userstorage.mega.co.nz tcp
CA 185.206.25.20:443 gfs302n510.userstorage.mega.co.nz tcp
CA 185.206.25.20:443 gfs302n510.userstorage.mega.co.nz tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 20.25.206.185.in-addr.arpa udp
CA 185.206.25.20:443 gfs302n510.userstorage.mega.co.nz tcp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
CA 185.206.25.20:443 gfs302n510.userstorage.mega.co.nz tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 67.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 checkappexec.microsoft.com udp
GB 51.140.242.104:443 checkappexec.microsoft.com tcp
US 8.8.8.8:53 233.128.159.162.in-addr.arpa udp
US 8.8.8.8:53 104.242.140.51.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
GB 142.250.180.4:443 www.google.com tcp
US 8.8.8.8:53 3.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 234.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 4.180.250.142.in-addr.arpa udp
US 8.8.8.8:53 ogads-pa.googleapis.com udp
GB 172.217.16.234:443 ogads-pa.googleapis.com udp
GB 172.217.16.234:443 ogads-pa.googleapis.com tcp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 234.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 play.google.com udp
GB 172.217.16.238:443 play.google.com udp
US 8.8.8.8:53 api.gofile.io udp
FR 45.112.123.126:443 api.gofile.io tcp
US 8.8.8.8:53 store1.gofile.io udp
FR 45.112.123.227:443 store1.gofile.io tcp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 126.123.112.45.in-addr.arpa udp
US 8.8.8.8:53 227.123.112.45.in-addr.arpa udp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.178.14:443 clients2.google.com udp
GB 142.250.178.14:443 clients2.google.com tcp
US 8.8.8.8:53 14.178.250.142.in-addr.arpa udp
US 162.159.128.233:443 discord.com tcp
N/A 127.0.0.1:53421 tcp
N/A 127.0.0.1:53428 tcp
N/A 127.0.0.1:53431 tcp
N/A 127.0.0.1:53433 tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
N/A 127.0.0.1:53591 tcp
N/A 127.0.0.1:53593 tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

\??\pipe\LOCAL\crashpad_1208_AECAEQESCLJNHFWO

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

MD5 2df49e8e11448f089e879ae7b4f30577
SHA1 01216d23fce2cf14865e52a9951b4862a3aaef74
SHA256 2750685d210f1f3de4eba397a780568f9c939e2f933039027978298eecaa6a5e
SHA512 300509d02aa0ee67ebe4257eeb752105b79b1d41df996ad1e1e53a0cf156d02b847f277aa12a6f1999e8b3168d9826b595d9eb7eeddec3b7ea684a657546be0c

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

MD5 f23c33eb347265e0c491cbbaa04d217f
SHA1 afbd9f7fc777632cd7b06025546c5070a18c5e63
SHA256 0aa9cd1d44966c48d3d1d70aeeab51d38800f714cbffaf15f5bbcbb1993d0bed
SHA512 3c0745e3e94161e8c8eecd3d9b2cb75940607ba8c69d6c7cf9611e83113b1349e77dfee1efe698f9bca80918091540dfacd5acdde9b7f1680461e785808be33b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 f50cb573bf68fc7fdd739ba328fa61d6
SHA1 12d574bf118fa1cb4d1cfa1b314705a2209858df
SHA256 eb335cee61af7d0aae01f89740ac26ec9822cb155e924bc9d62b505f261b2551
SHA512 da09c678ba78bfd251c61ef109bb8df4a01c04dc5ccd6c0d8665beb5e1bcaeabc964670f7b2c13c12ea27363460ea7c1c01940b57bc4a289c972ce4ec67e6022

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 4d94b053ace1199438cd3f853f6b45af
SHA1 7e9c5b02dc67c59c0864b104e7ac7c5dbd41a6ea
SHA256 c7e647b0278bf2805c1a6106a6d3afbac0d7429135760971b4e4640665492c73
SHA512 23b43bbb775094a2eed06df331fbd34486e41f509eab2656ca6707aa4c978501475e5a217d2b69fef26aa2f258865272c3c9a0d431b57704a1249de69af55926

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 5c2d5c900312f44e72209416d45723cb
SHA1 68fb8909308589149399c3fb74605600833fbbc1
SHA256 56f7a77549e5fc45bd4b1f7c2db3e8b4bd1dd9234545207613a80342cee8e7d8
SHA512 07c2920cff7c1125e3a2fe66bf21d8606a1f2a3d36be2d8e136da0d2a21130242ac8324f18cedfb0040304cf804815861767c969a6923d8db851312bf9b4348b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 6d6fa7e8b98e22a229f140a85a303322
SHA1 e11c3d97fd66fa24fc863274853ca8eb7197e665
SHA256 151d279fbfc89cc69f461ba4d50d048d4a977ad881ecd512b9dafc571e7e5dac
SHA512 72940adaffa94cf1653b7dc032c3b4ed7b12877618119f3241b39a76fec9770ef321762f73c6a3cdf57f40a2b8819bbcab188ee72589601c45cf112ec877933e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 40c08d56c5feaced74b97ce197f08750
SHA1 f71cfa4a4b48f984eb060106888867e8c17cd7e1
SHA256 ffcaf28ad64b5769cdf720bd804af7c5fb5563dd373e13954c8ac88e5247f543
SHA512 bd20fb8daa8844c72e2c8f855d64d76e116bf25e617454a8dda582e7520f62c325862230f600ae0f50b3556eb5934990bd1bda20c6b4a3d4c3b92bb023d7e79c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 580d30a6d681949e596f05ce3ca93643
SHA1 042cc44e68a563f0c4eb269a8592103d7313d5f0
SHA256 60bcf5242a7d70e213c8c5626c4438287fba94c0fdbc256b86a44e9dfda077a8
SHA512 b70cfae648b3f55cba3eca54b5e6fa5310c7048f0163f111678350fa3220b2f3b54fd85f0aec4ab537645203f6dd8111a273776f1a85310bd3001ba70125d8bc

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57c1e8.TMP

MD5 24649e46612a671375a1ab65ee29b5c3
SHA1 9cc1b5fd3108d9e81d4bfeab14add156ae55119f
SHA256 a656f4728e2d21532f30a015a662b689a762805ab30b23bceaf1b4207be6141e
SHA512 7bbd3eed84bd5fd4e13e00fbcf3345cce520b2d455ff4347351c00e445f8d7c2c2fa47bba3873111491320bf72638d8856389a6d595c509f1d261e9a1be4ea74

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

MD5 950eca48e414acbe2c3b5d046dcb8521
SHA1 1731f264e979f18cdf08c405c7b7d32789a6fb59
SHA256 c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2
SHA512 27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9

C:\Users\Admin\Downloads\Tools.exe

MD5 9ef872cbbbbc5bb4b1ee521ef0203930
SHA1 a0be1aff9a8feec9f847e6d1ef2a1f41eb5c062d
SHA256 41d0d7f4aeb95e0ef2b69f00b443b82f9cfab03dd47ca80cbb61ac8ae9b714ea
SHA512 4e250cd530e00b302082579fca6ae2a2d44058e5a288fc5fe809a040866702da84305060ced7f6fa89210e1e5811391142e4a4fe1917c71d60583378f4446dc1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 fcacdae72b723d06ede44142131945d1
SHA1 ca2158fe18e5cd5a3568b0c1d4b5d560add4d59c
SHA256 afcb5499beb28348ce5ee421903fa4a2a4352ce64ca48d2ec73ceddd088983d3
SHA512 588d5bdc4621e6db265fd675812d567d96064c7e9a7f353a30f9a505625d3ecac152910ea81b1feb327ea827ec379eb5b00512b1ad4e5543439f5d916cf255db

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 5163964754e61aea387d5ae647cee41e
SHA1 f37072bd81913515c8199cfef6bc58c89b547720
SHA256 24a38b2059bdf38820b3a55ac8414aacf386b4d0f5aff8fb4fa1d46b4ddeada9
SHA512 705dd1293022c886b19607699ea3fc1c543b7f3e62db1487292835289634a07408e4e86f38d41e4c7a2c73f20ab7904948410f0722315c0b4eed893ffabe1188

C:\Users\Admin\AppData\Local\Temp\_MEI56202\python311.dll

MD5 db09c9bbec6134db1766d369c339a0a1
SHA1 c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b
SHA256 b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79
SHA512 653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45

C:\Users\Admin\AppData\Local\Temp\_MEI56202\VCRUNTIME140.dll

MD5 f12681a472b9dd04a812e16096514974
SHA1 6fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256 d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA512 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

memory/5888-414-0x00007FF969590000-0x00007FF969B78000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI56202\base_library.zip

MD5 2a138e2ee499d3ba2fc4afaef93b7caa
SHA1 508c733341845e94fce7c24b901fc683108df2a8
SHA256 130e506ead01b91b60d6d56072c468aeb5457dd0f2ecd6ce17dfcbb7d51a1f8c
SHA512 1f61a0fda5676e8ed8d10dfee78267f6d785f9c131f5caf2dd984e18ca9e5866b7658ab7edb2ffd74920a40ffea5cd55c0419f5e9ee57a043105e729e10d820b

C:\Users\Admin\AppData\Local\Temp\_MEI56202\python3.DLL

MD5 34e49bb1dfddf6037f0001d9aefe7d61
SHA1 a25a39dca11cdc195c9ecd49e95657a3e4fe3215
SHA256 4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281
SHA512 edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

C:\Users\Admin\AppData\Local\Temp\_MEI56202\_ctypes.pyd

MD5 b4c41a4a46e1d08206c109ce547480c7
SHA1 9588387007a49ec2304160f27376aedca5bc854d
SHA256 9925ab71a4d74ce0ccc036034d422782395dd496472bd2d7b6d617f4d6ddc1f9
SHA512 30debb8e766b430a57f3f6649eeb04eb0aad75ab50423252585db7e28a974d629eb81844a05f5cb94c1702308d3feda7a7a99cb37458e2acb8e87efc486a1d33

C:\Users\Admin\AppData\Local\Temp\_MEI56202\_sqlite3.pyd

MD5 d9eeeeacc3a586cf2dbf6df366f6029e
SHA1 4ff9fb2842a13e9371ce7894ec4fe331b6af9219
SHA256 67649e1e8acd348834efb2c927ab6a7599cf76b2c0c0a50b137b3be89c482e29
SHA512 0b9f1d80fb92c796682dba94a75fbce0e4fbeaedccd50e21d42d4b9366463a830109a8cd4300aa62b41910655f8ca96ecc609ea8a1b84236250b6fd08c965830

C:\Users\Admin\AppData\Local\Temp\_MEI56202\_ssl.pyd

MD5 fd0f4aed22736098dc146936cbf0ad1d
SHA1 e520def83b8efdbca9dd4b384a15880b036ee0cf
SHA256 50404a6a3de89497e9a1a03ff3df65c6028125586dced1a006d2abb9009a9892
SHA512 c8f3c04d87da19041f28e1d474c8eb052fe8c03ffd88f0681ef4a2ffe29755cfd5b9c100a1b1d2fdb233cb0f70e367af500cbd3cd4ce77475f441f2b2aa0ab8a

C:\Users\Admin\AppData\Local\Temp\_MEI56202\_uuid.pyd

MD5 3377ae26c2987cfee095dff160f2c86c
SHA1 0ca6aa60618950e6d91a7dea530a65a1cdf16625
SHA256 9534cb9c997a17f0004fb70116e0141bdd516373b37bbd526d91ad080daa3a2b
SHA512 8e408b84e2130ff48b8004154d1bdf6a08109d0b40f9fafb6f55e9f215e418e05dca819f411c802792a9d9936a55d6b90460121583e5568579a0fda6935852ee

memory/5888-455-0x00007FF96A1A0000-0x00007FF96A313000-memory.dmp

memory/5888-457-0x00007FF96A170000-0x00007FF96A19E000-memory.dmp

memory/5888-461-0x00007FF969590000-0x00007FF969B78000-memory.dmp

memory/5888-465-0x00007FF97C140000-0x00007FF97C164000-memory.dmp

memory/5888-481-0x00007FF9690D0000-0x00007FF9690EB000-memory.dmp

memory/5888-491-0x00007FF96A0B0000-0x00007FF96A168000-memory.dmp

memory/5888-494-0x00007FF968870000-0x00007FF968FFA000-memory.dmp

memory/5888-496-0x00007FF968830000-0x00007FF968867000-memory.dmp

memory/5888-503-0x00007FF97A770000-0x00007FF97A785000-memory.dmp

memory/5888-495-0x00007FF974B90000-0x00007FF974BA2000-memory.dmp

memory/5888-493-0x00007FF969210000-0x00007FF969585000-memory.dmp

memory/5888-492-0x0000026261440000-0x00000262617B5000-memory.dmp

memory/5888-490-0x00007FF96A170000-0x00007FF96A19E000-memory.dmp

memory/5888-489-0x00007FF969000000-0x00007FF96901E000-memory.dmp

memory/5888-488-0x00007FF97C110000-0x00007FF97C11A000-memory.dmp

memory/5888-487-0x00007FF969020000-0x00007FF969031000-memory.dmp

memory/5888-486-0x00007FF969040000-0x00007FF96908D000-memory.dmp

memory/5888-485-0x00007FF969090000-0x00007FF9690A9000-memory.dmp

memory/5888-484-0x00007FF9690B0000-0x00007FF9690C6000-memory.dmp

memory/5888-483-0x00007FF96A1A0000-0x00007FF96A313000-memory.dmp

memory/5888-482-0x00007FF96A320000-0x00007FF96A343000-memory.dmp

memory/5888-480-0x00007FF96A990000-0x00007FF96A9BD000-memory.dmp

memory/5888-479-0x00007FF9690F0000-0x00007FF96920C000-memory.dmp

memory/5888-478-0x00007FF96A060000-0x00007FF96A082000-memory.dmp

memory/5888-477-0x00007FF96A970000-0x00007FF96A984000-memory.dmp

memory/5888-476-0x00007FF97C120000-0x00007FF97C139000-memory.dmp

memory/5888-475-0x00007FF96A090000-0x00007FF96A0A4000-memory.dmp

memory/5888-474-0x00007FF974B90000-0x00007FF974BA2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI56202\yarl\_quoting_c.cp311-win_amd64.pyd

MD5 1fa0ad3deb7f851a231c1a973b121b93
SHA1 65ae7bb5fec98da8665c70290c40082c8358b688
SHA256 0054d20391ebcd1ed30ef2d5aaa1efbbc5aceb7d8f716c16de0ac0d9d2680121
SHA512 64b6cf9d90daca0fb5e2d0eb91c853edaa2fb90edea064b96032ce968ee46961464772e353bf503e05b05471330c5afc8ffc72273e6ebdb6b1ad22fbce331fbf

C:\Users\Admin\AppData\Local\Temp\_MEI56202\_hashlib.pyd

MD5 0629bdb5ff24ce5e88a2ddcede608aee
SHA1 47323370992b80dafb6f210b0d0229665b063afb
SHA256 f404bb8371618bbd782201f092a3bcd7a96d3c143787ebea1d8d86ded1f4b3b8
SHA512 3faeff1a19893257c17571b89963af37534c189421585ea03dd6a3017d28803e9d08b0e4daceee01ffeda21da60e68d10083fe7dbdbbde313a6b489a40e70952

C:\Users\Admin\AppData\Local\Temp\_MEI56202\multidict\_multidict.cp311-win_amd64.pyd

MD5 5587c32d9bf7f76e1a9565df8b1b649f
SHA1 52ae204a65c15a09ecc73e7031e3ac5c3dcb71b2
SHA256 7075185db068e3c8f1b7db75e5aa5c500fc76ed8270c6abc6f49681d7119a782
SHA512 f21d0530389138457d6fdcdb3487a3c8b030338c569b2742f9e691e43af1d9e779c98426bad81b152f343b324a9375fe1322ef74030b1c8f8ba606d19e562e97

memory/5888-469-0x00007FF97A770000-0x00007FF97A785000-memory.dmp

memory/5888-468-0x00007FF9801A0000-0x00007FF9801AF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI56202\_overlapped.pyd

MD5 97a40f53a81c39469cc7c8dd00f51b5d
SHA1 6c3916fe42e7977d8a6b53bfbc5a579abcf22a83
SHA256 11879a429c996fee8be891af2bec7d00f966593f1e01ca0a60bd2005feb4176f
SHA512 02af654ab73b6c8bf15a81c0e9071c8faf064c529b1439a2ab476e1026c860cf7d01472945112d4583e5da8e4c57f1df2700331440be80066dbb6a7e89e1c5af

memory/5888-464-0x00007FF969210000-0x00007FF969585000-memory.dmp

memory/5888-463-0x0000026261440000-0x00000262617B5000-memory.dmp

memory/5888-462-0x00007FF96A0B0000-0x00007FF96A168000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI56202\_asyncio.pyd

MD5 1b8ce772a230a5da8cbdccd8914080a5
SHA1 40d4faf1308d1af6ef9f3856a4f743046fd0ead5
SHA256 fa5a1e7031de5849ab2ab5a177e366b41e1df6bbd90c8d2418033a01c740771f
SHA512 d2fc21b9f58b57065b337c3513e7e6c3e2243b73c5a230e81c91dafcb6724b521ad766667848ba8d0a428d530691ffc4020de6ce9ce1eaa2bf5e15338114a603

C:\Users\Admin\AppData\Local\Temp\_MEI56202\libcrypto-1_1.dll

MD5 86cfc84f8407ab1be6cc64a9702882ef
SHA1 86f3c502ed64df2a5e10b085103c2ffc9e3a4130
SHA256 11b89cc5531b2a6b89fbbb406ebe8fb01f0bf789e672131b0354e10f9e091307
SHA512 b33f59497127cb1b4c1781693380576187c562563a9e367ce8abc14c97c51053a28af559cdd8bd66181012083e562c8a8771e3d46adeba269a848153a8e9173c

C:\Users\Admin\AppData\Local\Temp\_MEI56202\libssl-1_1.dll

MD5 6cd33578bc5629930329ca3303f0fae1
SHA1 f2f8e3248a72f98d27f0cfa0010e32175a18487f
SHA256 4150ee603ad2da7a6cb6a895cb5bd928e3a99af7e73c604de1fc224e0809fdb0
SHA512 c236a6ccc8577c85509d378c1ef014621cab6f6f4aa26796ff32d8eec8e98ded2e55d358a7d236594f7a48646dc2a6bf25b42a37aed549440d52873ebca4713e

C:\Users\Admin\AppData\Local\Temp\_MEI56202\sqlite3.dll

MD5 895f001ae969364432372329caf08b6a
SHA1 4567fc6672501648b277fe83e6b468a7a2155ddf
SHA256 f5dd29e1e99cf8967f7f81487dc624714dcbec79c1630f929d5507fc95cbfad7
SHA512 05b4559d283ea84174da72a6c11b8b93b1586b4e7d8cda8d745c814f8f6dff566e75f9d7890f32bd9dfe43485244973860f83f96ba39296e28127c9396453261

memory/5888-453-0x00007FF96A320000-0x00007FF96A343000-memory.dmp

memory/5888-451-0x00007FF96A990000-0x00007FF96A9BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI56202\_lzma.pyd

MD5 bfca96ed7647b31dd2919bedebb856b8
SHA1 7d802d5788784f8b6bfbb8be491c1f06600737ac
SHA256 032b1a139adcff84426b6e156f9987b501ad42ecfb18170b10fb54da0157392e
SHA512 3a2926b79c90c3153c88046d316a081c8ddfb181d5f7c849ea6ae55cb13c6adba3a0434f800c4a30017d2fbab79d459432a2e88487914b54a897c4301c778551

memory/5888-449-0x00007FF97A790000-0x00007FF97A7A9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI56202\_bz2.pyd

MD5 80c69a1d87f0c82d6c4268e5a8213b78
SHA1 bae059da91d48eaac4f1bb45ca6feee2c89a2c06
SHA256 307359f1b2552b60839385eb63d74cbfe75cd5efdb4e7cd0bb7d296fa67d8a87
SHA512 542cf4ba19dd6a91690340779873e0cb8864b28159f55917f98a192ff9c449aba2d617e9b2b3932ddfeee13021706577ab164e5394e0513fe4087af6bc39d40d

memory/5888-447-0x00007FF97D840000-0x00007FF97D84D000-memory.dmp

memory/5888-446-0x00007FF97C120000-0x00007FF97C139000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI56202\select.pyd

MD5 c39459806c712b3b3242f8376218c1e1
SHA1 85d254fb6cc5d6ed20a04026bff1158c8fd0a530
SHA256 7cbd4339285d145b422afa280cee685258bc659806be9cf8b334805bc45b29c9
SHA512 b727c6d1cd451d658e174161135d3be48d7efda21c775b8145bc527a54d6592bfc50919276c6498d2e2233ac1524c1699f59f0f467cc6e43e5b5e9558c87f49d

C:\Users\Admin\AppData\Local\Temp\_MEI56202\_socket.pyd

MD5 04e7eb0b6861495233247ac5bb33a89a
SHA1 c4d43474e0b378a00845cca044f68e224455612a
SHA256 7efe25284a4663df9458603bf0988b0f47c7dcf56119e3e853e6bda80831a383
SHA512 d4ea0484363edf284ac08a1c3356cc3112d410dd80fe5010c1777acf88dbd830e9f668b593e252033d657a3431a79f7b68d09eb071d0c2ceb51632dbe9b8ed97

memory/5888-516-0x00007FF96A060000-0x00007FF96A082000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI56202\_queue.pyd

MD5 0614691624f99748ef1d971419bdb80d
SHA1 39c52450ed7e31e935b5b0e49d03330f2057747d
SHA256 ac7972502144e9e01e53001e8eec3fc9ab063564678b784d024da2036ba7384d
SHA512 184bc172c7bb8a1fb55c4c23950cbe5e0b5a3c96c1c555ed8476edf79c5c729ed297112ee01b45d771e5c0055d2dc402b566967d1900b5abf683ee8e668c5b26

C:\Users\Admin\AppData\Local\Temp\_MEI56202\_multiprocessing.pyd

MD5 849b4203c5f9092db9022732d8247c97
SHA1 ed7bd0d6dcdcfa07f754b98acf44a7cfe5dcb353
SHA256 45bfbab1d2373cf7a8af19e5887579b8a306b3ad0c4f57e8f666339177f1f807
SHA512 cc618b4fc918b423e5dbdcbc45206653133df16bf2125fd53bafef8f7850d2403564cf80f8a5d4abb4a8928ff1262f80f23c633ea109a18556d1871aff81cd39

C:\Users\Admin\AppData\Local\Temp\_MEI56202\_decimal.pyd

MD5 e9501519a447b13dcca19e09140c9e84
SHA1 472b1aa072454d065dfe415a05036ffd8804c181
SHA256 6b5fe2dea13b84e40b0278d1702aa29e9e2091f9dc09b64bbff5fd419a604c3c
SHA512 ef481e0e4f9b277642652cd090634e1c04702df789e2267a87205e0fe12b00f1de6cdd4fafb51da01efa726606c0b57fcb2ea373533c772983fc4777dc0acc63

C:\Users\Admin\AppData\Local\Temp\_MEI56202\_cffi_backend.cp311-win_amd64.pyd

MD5 0f0f1c4e1d043f212b00473a81c012a3
SHA1 ff9ff3c257dceefc74551e4e2bacde0faaef5aec
SHA256 fda255664cbf627cb6a9cd327daf4e3eb06f4f0707ed2615e86e2e99b422ad0b
SHA512 fcfa42f417e319bddf721f298587d1b26e6974e5d7589dfe6ddd2b013bc554a53db3725741fbc4941f34079ed8cb96f05934f3c2b933cda6a7e19cda315591a7

C:\Users\Admin\AppData\Local\Temp\_MEI56202\unicodedata.pyd

MD5 06a5e52caf03426218f0c08fc02cc6b8
SHA1 ae232c63620546716fbb97452d73948ebfd06b35
SHA256 118c31faa930f2849a14c3133df36420a5832114df90d77b09cde0ad5f96f33a
SHA512 546b1a01f36d3689b0fdeeda8b1ce55e7d3451731ca70fffe6627d542fff19d7a70e27147cab1920aae8bed88272342908d4e9d671d7aba74abb5db398b90718

C:\Users\Admin\AppData\Local\Temp\_MEI56202\pyexpat.pyd

MD5 fe0e32bfe3764ed5321454e1a01c81ec
SHA1 7690690df0a73bdcc54f0f04b674fc8a9a8f45fb
SHA256 b399bff10812e9ea2c9800f74cb0e5002f9d9379baf1a3cef9d438caca35dc92
SHA512 d1777f9e684a9e4174e18651e6d921ae11757ecdbeb4ee678c6a28e0903a4b9ab9f6e1419670b4d428ee20f86c7d424177ed9daf4365cf2ee376fcd065c1c92d

memory/5888-424-0x00007FF9801A0000-0x00007FF9801AF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI56202\libffi-8.dll

MD5 decbba3add4c2246928ab385fb16a21e
SHA1 5f019eff11de3122ffa67a06d52d446a3448b75e
SHA256 4b43c1e42f6050ddb8e184c8ec4fb1de4a6001e068ece8e6ad47de0cc9fd4a2d
SHA512 760a42a3eb3ca13fa7b95d3bd0f411c270594ae3cf1d3cda349fa4f8b06ebe548b60cd438d68e2da37de0bc6f1c711823f5e917da02ed7047a45779ee08d7012

memory/5888-422-0x00007FF97C140000-0x00007FF97C164000-memory.dmp

memory/5888-520-0x00007FF9690F0000-0x00007FF96920C000-memory.dmp

memory/5888-559-0x00007FF9851B0000-0x00007FF9851BD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fpiahoi5.jy3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5856-571-0x0000023C9B550000-0x0000023C9B572000-memory.dmp

memory/5888-576-0x00007FF968870000-0x00007FF968FFA000-memory.dmp

memory/5888-585-0x00007FF96A1A0000-0x00007FF96A313000-memory.dmp

memory/5888-577-0x00007FF969590000-0x00007FF969B78000-memory.dmp

memory/5888-598-0x00007FF969040000-0x00007FF96908D000-memory.dmp

memory/5888-590-0x00007FF974B90000-0x00007FF974BA2000-memory.dmp

memory/5888-589-0x00007FF97A770000-0x00007FF97A785000-memory.dmp

memory/5888-578-0x00007FF97C140000-0x00007FF97C164000-memory.dmp

memory/5888-605-0x00007FF968830000-0x00007FF968867000-memory.dmp

memory/5888-597-0x00007FF969090000-0x00007FF9690A9000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\EnterOut.xlsx

MD5 880dae70b2022931ac7259ff2b6cb587
SHA1 6d0e13222c5ac1b61470525885002c6a8a1ace5d
SHA256 03545ee011b3724f77ed178df31eab23d40b26c65be095ebef9bf73aabb682fa
SHA512 b0c770455431a673f8570b6f486b40db773afa0a1fac9938648374d2c5a2292b5ae52ed5a7ee153a111da59cc3c804296927f310e1391f9012acdc2554040994

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\ShowComplete.docx

MD5 bfd3c6838dd6567689830b0c99021718
SHA1 f7a15bbb3732c52bbf422a75c2f2e242dc1bafb7
SHA256 a6e3e745e6f5590f0e11c706999c7f71c9c560d93f13580cc34e10ca4feac748
SHA512 27d64e401a4606d6f2c86e52f0ec70ebfc066676aa092291a6cc170ab52b0588367d80dced7373af2188f6e341dec72660d26cb025137f5b309177927d8dddad

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\BackupConnect.vsdx

MD5 008d9948364685c06f3456c4f3e7af80
SHA1 9bc6abc0d6a737ec2b12466686cdb2f64c3cd94f
SHA256 3107f161000b6e7940c08888c54add2d6a08ad4ad26e563245433d92987d8dc7
SHA512 dd03e3a053c5dc016b11ac1b618e28c947da9bc4b20e9e8425ee43e202a095eedb31d16ffc1ae1bbc735cfcf218cf425843800aa54f200fe3d9fcaad8ac8868c

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\LimitMount.txt

MD5 967cec8a3a639ceed08e9018c1ac3ffe
SHA1 fad7e0a79ef7b5a0d59201468f3cc207c9f809cc
SHA256 ef54aad74251c872bc9a696373fce59f11c6a0b84ac1f1885317f0a0d963b75a
SHA512 7a27018544874e69e415c914c2c55fb9012e56edfafff74b203e5abb77c685d4d3c468db8386199949237f7940551cc280639405144ea28ef9d60c16d50b80f3

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\StopOut.docx

MD5 366e7210ba3f85c4154110a8008791f3
SHA1 837f73de0ce93dc01a4ee36868dedda26ff5a9af
SHA256 1ede48099dd1dc48fac0b92f5cc15208d953f6c2f87fad35858d508ada125c6a
SHA512 8b4d31500be401d9f2e0df7757f28a010e02f77fe559a523f55af4b7c5d7c111f861f4e92ab7e5bad510e684cc5947d354d674004ec58cadcbefd12b00de2fd5

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\DisconnectReset.jpeg

MD5 7b226696d6ade9a018bd174abab7b4ac
SHA1 0e4d69f70f4aa56a305afb07dcd59a0c3a71ac73
SHA256 39074d220f53ca9096f559ee7ac802c27d060615406217c228ca04dbb1ea8e63
SHA512 00980a8bf12031d9e81f18e7ea684fba599b2b78d306b5938c496c594eac3ee121605e6893ee03a2f4f248b94446989be54bcce53be55e666f054122fc6b40bc

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\NewEdit.mp3

MD5 365077271d110ccc54476cb9f42245bd
SHA1 27985cded8f8396cb37cbbced051d33efc9c2e32
SHA256 7690f0cb21b285dfb17ab2db1a0318a96ea1fd4f3fa7e134774c8bbdb35f2022
SHA512 a412ef5876c82e640c93036e70c5ffd001f220cf2709906978b1fa86f96cb3ce8369b4febe981c0673bea4a5cf82928a9e6ef396c7d91aacfc8b0bf01dd658aa

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\BackupPing.m4a

MD5 04ff1e93752556f04979a9aee3370556
SHA1 6bb3dccbb7761c84b2671d3fc7ab08fa90a9628a
SHA256 ccc86b624814960c33863aaf54324dd3b75c02c023e9bd579054fac81d5d9853
SHA512 4453acf6bb191fae3635bffc985d73914f53716b10cdccabc564f16b23aa40dc54142fb2a5fd63e6ab5b3f4d5d70b27b670bfd28ba271b3cf8d2714a148199bc

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\RestartEdit.txt

MD5 82cc37d43891ac36ec92652f207df547
SHA1 b6324c003257851b2c169c2a4910d36de58b03f2
SHA256 a71cb14875a3290904db852aa6fd14098705d82bc7cbc402e01aaeb415b09cde
SHA512 f798c4a237e60c0a8323c9974627ed5c70929c91d3747f0916db973d9081d259608232476b7a5f0cb4611bbcbbd9a041e71221dc95eae421af0e06f5298de54d

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\BackupMeasure.xltm

MD5 ace708a6df648a83b4a31bfd121b2ca1
SHA1 0dc4c32f31a3bc7efc263fb19154cddf3f0c74b6
SHA256 fc0cd8422ceb0892ceefbffbcbccad97af3bd8e813808c45bb391c340a4902d2
SHA512 cb16d19a2bc40c9463415b96057d4c0ba51294e350e9acf96d28c9df2b19e5f244bfff5f6eecf501a1a7a6190e373ca7eedbb9548cae762668ddbd0868e1980f

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\UnregisterConfirm.docx

MD5 3710aee34cc4b6cb3e89f8b2a52e17b1
SHA1 f00145afc0a4c83f06b38f6dbc9998ebfe115155
SHA256 b1d90554f94827be99762b40f1a266f42e8d09fb846aa3e0a4b3a60b2708db14
SHA512 0f79916b30fb3b3eeb548a96863483d2cafacc62dbaf06d3ec9636c94553561f05a1eaf486f579afd838dd9eec0e4486d79193f8ab3e501d1df22f1e169a3970

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\SaveSelect.pdf

MD5 7f2fd4e44967bc9a45a8b9a672d2b97d
SHA1 ebabb758440f6913ed998618df7c032dc76bc4a5
SHA256 1401507285fb7bc4e79b0bf85ada93860f91cfce55bff16247d9a3df0fbb4a56
SHA512 5fead157fce9bcd544b02992562f58f36bf43f6fd0a174dfa710df28efe9e196be5fc1c4845357f898d8e195e196f639bea6682af084eaf1ee935615d4ebddce

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\JoinApprove.png

MD5 ca83ea35f7754990b1ad0b81b861778b
SHA1 1b0a8c1983cf1210914f4e00826ce87ae1314550
SHA256 97fafbaa0576782593ab6e8fd800b41c1ed10f9e4d05346683d882724b144aed
SHA512 5a14101862b0c29ada130f84a5078ca94aa6bbb74e792b15879a9b2aed660524be7aaa5063b7204ff2b573ecb3115ca29573d14faa829498da0ccb88aff3dc9b

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\MountCompare.jpeg

MD5 e0f3efec69e6879c8a250e285f28d268
SHA1 904b420a88a9d1b13ccd492ab6a515d9ca069f07
SHA256 906c5b8a0e1f8a8deebfba62b43be5e02778ec0a07f95afb9fe358da2ba99975
SHA512 7617c18632ca83ab77dea1aa315dea917cf060d4c6fa6f7e5ccb0b3a8e9b17d6af6d0249b2bdd6054f2ae4a1c2add4e15815a7ffe4c6dd6080c4bc29cb69c555

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\StepGet.jpeg

MD5 907275399c8aa22e53a532188dbf808c
SHA1 92c5e58de66cab99bb4383ec509954f342d17167
SHA256 6d507a07aa05af1c6383c68b17a2a3134be0ec2627be89c14eac7b8dda965f2d
SHA512 6d511f8a3873412d659810119bb69057272b00a7db0263599e6db902ca6c8e3afc8ba461b8d735275391ec4a6f934de1ec1afbae8c60542e7c750093fbcc0e99

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\MoveRead.jpeg

MD5 5141279391c7c28776da496dfb71ab3a
SHA1 8ae654907adb66c51644a1eb71bdbc006723d601
SHA256 fd0e0062deaa097893d806ce2bd7c272bc9e0b251741c0dbad1d57a09b68b553
SHA512 92da427528024932e890d3ed8cf7b444cabfdea5d37e21f83899d9fe4f2f42bb98cebad6ab43c9d7b0ea1a91452869465cf15c605a5549ab5ae0760bb70a2eb2

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\StepReset.jpg

MD5 f6802018860beab0e371d5bffa2c0329
SHA1 d3c2f68843921e8fb9f1e26b083a89c3a4275f3a
SHA256 90da474215a3c3ff24b08c098795d50891329685c1148831034f17f687ebd6bb
SHA512 95132b9a0227e15d89502d1ffaddb909063f7650c8f70f710bcbc94c9f84249e1698efca85d3360e7f5bcad636fad131c4c88256b7bcf5c07ead703e478d53f0

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\My Wallpaper.jpg

MD5 a51464e41d75b2aa2b00ca31ea2ce7eb
SHA1 5b94362ac6a23c5aba706e8bfd11a5d8bab6097d
SHA256 16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f
SHA512 b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\TraceSkip.png

MD5 77b44a15785ed4445b2a564b5ea5c80a
SHA1 4aec53400cfc4ea9e0465adf5cd058a29af268bd
SHA256 cc8c130993fd054c0883383c534de5345c72e3b14a99286ff31f8b704ae22ccb
SHA512 ffda0603170c22e22699df5dc4b7c01d6232594ec56632043d685c497a3fd8354e6b9f69ca9dd3be1ebb679b2d4d089fa2a8211336a0a93eaba012563eb1e1da

memory/5888-784-0x00007FF97A770000-0x00007FF97A785000-memory.dmp

memory/5888-793-0x00007FF969040000-0x00007FF96908D000-memory.dmp

memory/5888-792-0x00007FF969090000-0x00007FF9690A9000-memory.dmp

memory/5888-772-0x00007FF969590000-0x00007FF969B78000-memory.dmp

memory/5888-781-0x00007FF96A170000-0x00007FF96A19E000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

MD5 cd2dacffc275c8071fcde956de153272
SHA1 98953146e634d1e999baf09ceb9485edd175edf5
SHA256 271198889a5e286834e20e834b3a9a33a8505f2077e2bfc09b4dc3683c5b7bc4
SHA512 3d955334ed40b97f1a9a7d4048819fccce1c42163d4ab04e3c6b35ecb5cd4ddc8f0d9f4e32f8c9fa5b2e2cf570290bf502684d1123832e3799789ef693ed0e33

memory/5888-825-0x00007FF969590000-0x00007FF969B78000-memory.dmp

memory/5888-857-0x00007FF97D840000-0x00007FF97D84D000-memory.dmp

memory/5888-863-0x00007FF9690F0000-0x00007FF96920C000-memory.dmp

memory/5888-876-0x00007FF969210000-0x00007FF969585000-memory.dmp

memory/5888-875-0x00007FF97C110000-0x00007FF97C11A000-memory.dmp

memory/5888-874-0x00007FF969020000-0x00007FF969031000-memory.dmp

memory/5888-873-0x00007FF969040000-0x00007FF96908D000-memory.dmp

memory/5888-872-0x00007FF969090000-0x00007FF9690A9000-memory.dmp

memory/5888-871-0x00007FF9690B0000-0x00007FF9690C6000-memory.dmp

memory/5888-870-0x00007FF9690D0000-0x00007FF9690EB000-memory.dmp

memory/5888-869-0x00007FF96A0B0000-0x00007FF96A168000-memory.dmp

memory/5888-868-0x00007FF96A1A0000-0x00007FF96A313000-memory.dmp

memory/5888-867-0x00007FF974B90000-0x00007FF974BA2000-memory.dmp

memory/5888-866-0x00007FF96A090000-0x00007FF96A0A4000-memory.dmp

memory/5888-865-0x00007FF96A970000-0x00007FF96A984000-memory.dmp

memory/5888-864-0x00007FF97A770000-0x00007FF97A785000-memory.dmp

memory/5888-862-0x00007FF96A170000-0x00007FF96A19E000-memory.dmp

memory/5888-861-0x00007FF96A060000-0x00007FF96A082000-memory.dmp

memory/5888-860-0x00007FF96A320000-0x00007FF96A343000-memory.dmp

memory/5888-859-0x00007FF96A990000-0x00007FF96A9BD000-memory.dmp

memory/5888-858-0x00007FF97A790000-0x00007FF97A7A9000-memory.dmp

memory/5888-856-0x00007FF97C120000-0x00007FF97C139000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 1d42430e9378bd108d5e306facb79651
SHA1 05cb764caa3e6930deb3bbca9596c5d6cbca1e5f
SHA256 c1e45616f720502abc8fc51e5ea798a3de41bb111c69b49e91791ff91e35fd65
SHA512 95fb28b2ee55d668116e378ec9fcfc893447881df4018cebe3924b14d7370c5e98c87cf5d6b73c83b2a7c1bfd3b1c0521338f9cbed3e654d2c045bdaf4152501

memory/5888-889-0x00007FF9851B0000-0x00007FF9851BD000-memory.dmp

memory/5888-888-0x00007FF968830000-0x00007FF968867000-memory.dmp

memory/5888-887-0x00007FF968870000-0x00007FF968FFA000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 43911a6ffeaa35874ca541a21e66bf20
SHA1 f181b23dcf3f85c78950a2183fa45225b066d6fe
SHA256 fbb3cc8bc95dd3bd4afa16b3795d111ff984ef9f9c7565124bfab441f230b66c
SHA512 a2a8dba517e04911264d79b474d03316479f396d1614b28988b76b61331efa822fd0c3f93484d4fae710b252d08eb10b6c0a50953736092d1e725b4348da708d

memory/5888-855-0x00007FF9801A0000-0x00007FF9801AF000-memory.dmp

memory/5888-854-0x00007FF97C140000-0x00007FF97C164000-memory.dmp

memory/5888-853-0x00007FF969000000-0x00007FF96901E000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 8cee74b8bf3e55857f3fff6e59a656e0
SHA1 9dc75ec8d277ebda5d48597f33d562ae4648a967
SHA256 1d7421e027a4196b3a487579ad7e1619d38946e8825f4392181a03a2d0042774
SHA512 245d519245d583eecc6ec0eca623d6908b26d7894962d00dbbfdb89d8f9334b57b2564a8457f064e77b306cc8314f83af558da707f0959d36fdbdd14f9a2c71e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 9b2a8d2d15c662128004b668f359f58b
SHA1 26aa26ab6a8b1b67b7019eea76f518d43e129c1f
SHA256 c1b5c302139f096820266794dfaa284c378ac0123d9f0408b1330f0a3c8dfdc6
SHA512 19e72ce43b3f86844d022da25d2ce0cea87f571a871d43cdc40c9eca9e96ce9c25c21ef5bd87dc5f03dae6429add39a6975c9220fe290240a8cb84d63cd757b5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 6b074037473fee489fffc7eb2d24a257
SHA1 4c3160d727f0255b03104f267561d07faebda23c
SHA256 5475342061ffe579d89c700e48186991e567c4d06ca5e8c58d39a5fd78edec78
SHA512 b2a7225bdf9faba9abc5159cdbc5c252b7d32f404241f77e6e501e1d9e3afb973f47526a4243102ea9e96888a7127a9e5222ac2b9e943b5fa6677a8d9ca8e4ff

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 7b5b9b494f0e8fc00e5b0bd39a7213d7
SHA1 e97cea936739dae5fb4c6a77dfd25772c0b85128
SHA256 6ebdd29129c520c0f3dfeed3e69da82d1b57802f07f7d1c78f8700242ad7538e
SHA512 75ba22bea60b0c9fcdd76c0fd3a81733f5c32d03321eec0b7d1db876ff667a5a6f51097225de05aea4f966ae5f4cb8eadab8df86dc3c3f6924cd7d486a859d81

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 abadc8379cec0bc27226d9b12898de4a
SHA1 17984b18a40d8ef2a532f62875739abb05f08b41
SHA256 dca9da4ffa855a6dab31ff50f79869b1fed4c79bc8405cd398138aacd1163cd5
SHA512 db458803936044f42c8a656ada4ff930a4da9bb12540872278b23a9268caa48be6bfbaafe6b3c9b0b54d7ce5793ae4a068d10f19ad7658353dbec45c36737f54