Analysis Overview
SHA256
0da05a2b74ed0b0c6ba4bcc6b8d750b313861bac4e35eb0336b7cb538a0ae93d
Threat Level: Known bad
The file 19961176322.zip was found to be: Known bad.
Malicious Activity Summary
Exela Stealer
Exelastealer family
Grants admin privileges
Modifies Windows Firewall
Reads user/profile data of web browsers
Loads dropped DLL
Clipboard Data
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Network Service Discovery
UPX packed file
Hide Artifacts: Hidden Files and Directories
Enumerates processes with tasklist
Launches sc.exe
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
System Network Configuration Discovery: Wi-Fi Discovery
Detects Pyinstaller
Permission Groups Discovery: Local Groups
System Network Connections Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Scheduled Task/Job: Scheduled Task
Views/modifies file attributes
Kills process with taskkill
Runs net.exe
Collects information from the system
Gathers system information
Gathers network information
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Detects videocard installed
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-15 15:40
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-15 15:40
Reported
2024-11-15 15:43
Platform
win11-20241007-en
Max time kernel
100s
Max time network
103s
Command Line
Signatures
Exela Stealer
Exelastealer family
Grants admin privileges
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Clipboard Data
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Network Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\ARP.EXE | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Permission Groups Discovery: Local Groups
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
System Network Connections Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Collects information from the system
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Runs net.exe
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe
"C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe"
C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe
"C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe /T"
C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "gdb --version"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get Manufacturer
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_ComputerSystem get Manufacturer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\IrisUpdateService\Iris.exe""
C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\IrisUpdateService\Iris.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "schtasks /query /TN "IrisUpdateService""
C:\Windows\system32\schtasks.exe
schtasks /query /TN "IrisUpdateService"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc onlogon /rl highest /tn "IrisUpdateService" /tr "C:\Users\Admin\AppData\Local\IrisUpdateService\Iris.exe""
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "IrisUpdateService" /tr "C:\Users\Admin\AppData\Local\IrisUpdateService\Iris.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc hourly /mo 1 /rl highest /tn "IrisUpdateService2" /tr "C:\Users\Admin\AppData\Local\IrisUpdateService\Iris.exe""
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc hourly /mo 1 /rl highest /tn "IrisUpdateService2" /tr "C:\Users\Admin\AppData\Local\IrisUpdateService\Iris.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
C:\Windows\system32\cmd.exe
cmd.exe /c chcp
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\chcp.com
chcp
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Clipboard
C:\Windows\system32\cmd.exe
cmd.exe /c chcp
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\HOSTNAME.EXE
hostname
C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get caption,description,providername
C:\Windows\system32\net.exe
net user
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
C:\Windows\system32\query.exe
query user
C:\Windows\system32\quser.exe
"C:\Windows\system32\quser.exe"
C:\Windows\system32\net.exe
net localgroup
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
C:\Windows\system32\net.exe
net localgroup administrators
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
C:\Windows\system32\net.exe
net user guest
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user guest
C:\Windows\system32\net.exe
net user administrator
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator
C:\Windows\System32\Wbem\WMIC.exe
wmic startup get caption,command
C:\Windows\system32\tasklist.exe
tasklist /svc
C:\Windows\system32\ipconfig.exe
ipconfig /all
C:\Windows\system32\ROUTE.EXE
route print
C:\Windows\system32\ARP.EXE
arp -a
C:\Windows\system32\NETSTAT.EXE
netstat -ano
C:\Windows\system32\sc.exe
sc query type= service state= all
C:\Windows\system32\netsh.exe
netsh firewall show state
C:\Windows\system32\netsh.exe
netsh firewall show config
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:49939 | | tcp |
| N/A | 127.0.0.1:49948 | | tcp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| N/A | 127.0.0.1:49954 | | tcp |
| N/A | 127.0.0.1:49960 | | tcp |
| N/A | 127.0.0.1:49962 | | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| FR | 45.112.123.126:443 | api.gofile.io | tcp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
| US | 8.8.8.8:53 | 227.123.112.45.in-addr.arpa | udp |
| US | 162.159.137.232:443 | discord.com | tcp |
| FR | 45.112.123.126:443 | api.gofile.io | tcp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
| N/A | 127.0.0.1:50269 | | tcp |
| N/A | 127.0.0.1:50271 | | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI21562\ucrtbase.dll
| MD5 | 0e0bac3d1dcc1833eae4e3e4cf83c4ef |
| SHA1 | 4189f4459c54e69c6d3155a82524bda7549a75a6 |
| SHA256 | 8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae |
| SHA512 | a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd |
C:\Users\Admin\AppData\Local\Temp\_MEI21562\python310.dll
| MD5 | b9d896d5f748793d3dc44be7b2e43ba7 |
| SHA1 | fb81bb8cfba3c5f2caffe0be3e17babf669de42a |
| SHA256 | 686dc3e3104a45f2a38821cd0c43c17d2e4b3f41a30de94fc7bebef3b882ac83 |
| SHA512 | 6835873e751851c3ea9bc53f744f27d89eb1f3bc4a6a88f36de93ac0be3e2eb151c4f57879a07d25dacde51720ca36dd12e390c80535bebd64c9e0390b691736 |
memory/2384-102-0x00007FFE9D7B0000-0x00007FFE9DC1E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI21562\VCRUNTIME140.dll
| MD5 | f12681a472b9dd04a812e16096514974 |
| SHA1 | 6fd102eb3e0b0e6eef08118d71f28702d1a9067c |
| SHA256 | d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8 |
| SHA512 | 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2 |
C:\Users\Admin\AppData\Local\Temp\_MEI21562\base_library.zip
| MD5 | 6add86f741a99793b73392a9294eb1b2 |
| SHA1 | 7c5da35537ef33fedb8393f707013fbeb652b8b0 |
| SHA256 | 678adfe16f38c82850d8c9b498dd7d89f708fe37380108a02b5e54763bdf21bf |
| SHA512 | 77033b8a18612ed268bb63ceef6be02465269a66baa2c0901879bb1e25241473596473e1b446b1b093a3110298361cd3568955fb3022c19dcf0e7949a5625320 |
C:\Users\Admin\AppData\Local\Temp\_MEI21562\_ctypes.pyd
| MD5 | b1e2c169b4d27363ba74cab4f80ef169 |
| SHA1 | 3a87101abe2935c91430146bdc0eeb243ab5a8bf |
| SHA256 | a8f521ef235c1590d3d717912479185602afa8d7ffbe6a8d719ee517339fcf52 |
| SHA512 | 6e2fea022a93468aa7300aaaa32a83ad71a8cfdc046a6b02a6973961b04b6a9870fd7f19457c657b4c1d15e8b101db357c0071e3c1492ecb170f1c62ddb87834 |
C:\Users\Admin\AppData\Local\Temp\_MEI21562\python3.DLL
| MD5 | 07bd9f1e651ad2409fd0b7d706be6071 |
| SHA1 | dfeb2221527474a681d6d8b16a5c378847c59d33 |
| SHA256 | 5d78cd1365ea9ae4e95872576cfa4055342f1e80b06f3051cf91d564b6cd09f5 |
| SHA512 | def31d2df95cb7999ce1f55479b2ff7a3cb70e9fc4778fc50803f688448305454fbbf82b5a75032f182dff663a6d91d303ef72e3d2ca9f2a1b032956ec1a0e2a |
memory/2384-111-0x00007FFEA3F70000-0x00007FFEA3F94000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI21562\libffi-7.dll
| MD5 | 8e1d2a11b94e84eaa382d6a680d93f17 |
| SHA1 | 07750d78022d387292525a7d8385687229795cf1 |
| SHA256 | 090a90cd17b74abefddf9f82d145effe5c676e7c62cf1a59834528f512d7ee82 |
| SHA512 | 213bf92a707b14211941e5e071f1926be4b5795babc6df0d168b623ecd6cb7c7e0ae4320369c51d75c75b38ec282b5bf77f15eb94018ae74c8fd14f328b45a4e |
memory/2384-113-0x00007FFEA61E0000-0x00007FFEA61EF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI21562\_socket.pyd
| MD5 | 713f166fbaf2c758677129653c792fd7 |
| SHA1 | 12229626b4cfe1750c31c70115152c4d6ec1eba1 |
| SHA256 | 0d71adce0df6917b5836ba03f76df3deaa7b1aaa2cbd803a734884d1c1bb0059 |
| SHA512 | 4c9675632b4e2776bff8b558485a91bec5d08f5ff0deb55cd577bd95531cfa5883dc80bee39af86c4ec5a7ac818396c2c03a60341b9b02a1e8b521f80e660a98 |
memory/2384-116-0x00007FFEA3BC0000-0x00007FFEA3BD9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI21562\select.pyd
| MD5 | 9d4a187b10cc415cee48d9408f687cef |
| SHA1 | fd8ac4cc6086658a48e5dea3de5a43b924b60df7 |
| SHA256 | 45c715f5ccf0da358855a7d3b01a166e34a82ce6244f7111ed4c81e4d12f2049 |
| SHA512 | 1c8b040cd4f38e16e9c061a0ce2eb76583266a7b514c325cc3fb728bdcf514ce5d12961011a8c2c860837e99af285fdbc5d9624c8e6f6fa02d2003200019356e |
memory/2384-119-0x00007FFEA4D80000-0x00007FFEA4D8D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI21562\_bz2.pyd
| MD5 | 3ac1ec2319523918a50f8ba33ffa4d2f |
| SHA1 | eb9aecb4402bed654a52013759ce9d5d69c33a5b |
| SHA256 | 4f22e9ce6f0232643cfdb9c35c4f3453ab73b103a4dbf633d445863f0251b134 |
| SHA512 | bffcd8bf09a61250b1957af2bd7c3b8b7c761997b7fa83235f48ab1779b7b27ae44b296458b3830d22d880f37e0c5d21a351d33a38c024f97631e87ad45dede2 |
memory/2384-122-0x00007FFEA0F70000-0x00007FFEA0F89000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI21562\_lzma.pyd
| MD5 | d5f861984f70e876bb113c9a996493d1 |
| SHA1 | 66868d0a65ee23ef22af34c103220b759bbbfe05 |
| SHA256 | ac55608d663cc5e5ef0d430d1bf98b9d1688ce9c12e8491f4921f452399b6725 |
| SHA512 | 386859aa0ff6322d385487713912fdfe5432f0670fa70987bdf22f14ef8b1d05f336af80b7db3cc05588c045d2bd4e44bbdae95e82f10581e5f43ca39963160f |
memory/2384-126-0x00007FFEA0D60000-0x00007FFEA0D8D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI21562\_sqlite3.pyd
| MD5 | 42dbc994bc3000b1dd46579ef47afc64 |
| SHA1 | 6356883c4219cf3f485b0ccde32a24d9adcedc95 |
| SHA256 | aed5d832a89528ecb203775cd2ee413c8c7895857ff30403b341fe0a8331efc9 |
| SHA512 | 1999d1f3115d2656fb26488eae9525c41aaa4f94a029e337e5f34edaec53a7dd2d714025987191eca519ea7183682c908bcd18142df46a0d4d2c0176894f4c85 |
memory/2384-129-0x00007FFEA0D40000-0x00007FFEA0D5F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI21562\sqlite3.dll
| MD5 | 709d45be5411647c1526235bec94c168 |
| SHA1 | 27c1597b7a0b7fc19e1f8efee41cb355b3e4212e |
| SHA256 | d45d561f4694055ff072349d86458155505598fa29080bbb7e9691b8509dcdb3 |
| SHA512 | 62aab6333a286df25148b2bde6a41d62f75e7b6da6acf2ef8ca892cbade1dd1daf91961ac52da31cccab415749a6349b2f51a89654846a4bc10b8df3f3086b24 |
memory/2384-131-0x00007FFE8F4E0000-0x00007FFE8F649000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI21562\_ssl.pyd
| MD5 | 92c1b0608e4aa51aa1bc4369559fdad8 |
| SHA1 | 5a57fe482100b694ff2b1fe4256f75c90669134c |
| SHA256 | b9cf399774fea53fe3fe7357c0df65a19315fc7f525fb96758ba8568360fa18d |
| SHA512 | c99c9f9f3f99cbc26e40cc832fe69b7d8ff2e611e5438b8bf5c549d88d138c6294e7d930ab4238b4e01d27cc71e723df1d97dee1dee0cd1880f4e294cf686270 |
C:\Users\Admin\AppData\Local\Temp\_MEI21562\libcrypto-1_1.dll
| MD5 | ef98f0bfd75bfca256dfdde36ab79c56 |
| SHA1 | db0c976dd286d6b4a046e19d669ea9366a8d6b0c |
| SHA256 | 17fded0a4337fc353a1a06f40bc7a4c4d6ae4e74a7d563f8bb7fa512daa82f99 |
| SHA512 | 27fa2e78c3153f4c1b824ddc8291af6f4eefd4754b7847917e84e096723c7947da1a8695120fe8071312d6e8963841a82813ea32559457fe9ffb37ff3f75b705 |
memory/2384-136-0x00007FFEA0AB0000-0x00007FFEA0ADE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI21562\libssl-1_1.dll
| MD5 | 594f9b1d3f3f2217896a3d07f861d55a |
| SHA1 | a84a68606a65077258979d9a17b0ae2d83067939 |
| SHA256 | 1ed537c1c1db991ea9297be1e48b4c24d9ddd93ff8b277eea0f5bd228a4c92e2 |
| SHA512 | e61aaa93a4b4e820697a5b02f1aea3152544e5c2af2b5bbdfd86cd8267f69cd09f9321c4791bc81ff05cb2ee7aef57fc0ef1c5ed211c643419ded648f209358d |
memory/2384-143-0x00000130AB4B0000-0x00000130AB827000-memory.dmp
memory/2384-144-0x00007FFEA3F70000-0x00007FFEA3F94000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI21562\_asyncio.pyd
| MD5 | 223915a05f124498a473e1caab2d14ad |
| SHA1 | 62d7d236dc1db0adb4e9769597a3d18cc2de65e1 |
| SHA256 | 77306c7c5c9411db1846bc1b5ef70aef5e52999f2442f1e39a0901df320b6202 |
| SHA512 | ea162e1b4287d7cf3814b8eeee55884e838a4c81d0699093cbea09f73307a8ba50ccbb6405de002bdca8f7200e8ff5840c5f4d45d039e6401e262aa3ef0dbb2a |
memory/2384-156-0x00007FFEA0270000-0x00007FFEA0284000-memory.dmp
memory/2384-155-0x00007FFEA4D80000-0x00007FFEA4D8D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI21562\unicodedata.pyd
| MD5 | 7fdbd3fc6609dec6ac6028513167502b |
| SHA1 | 7d031e081f45f70fe6cd1fc38ca602cd3172052c |
| SHA256 | 8713294d8edd6227fd31114d36033dee58f563b179ca274280e528c4bb085af0 |
| SHA512 | 7a97e8358acbffe14b3e657bad975bb1f4e262eb25bcc783cd4d369a47e29e7e3936548a12333fdb5bb5f1b9dfdd9e7ef6edfaae993107aa7683d9c2f965cee9 |
memory/2384-162-0x00007FFE9FF30000-0x00007FFEA0048000-memory.dmp
memory/2384-161-0x00007FFEA0250000-0x00007FFEA0264000-memory.dmp
memory/2384-159-0x00007FFEA0F70000-0x00007FFEA0F89000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI21562\_hashlib.pyd
| MD5 | 484c70992d2102a7843540593dfc12e0 |
| SHA1 | 350144bd486f9648319dae5332a18ec4dd979f78 |
| SHA256 | 92b2ca8ae281a5559ce071756b392b0937b25ca531dbcba01395027b86a9889b |
| SHA512 | eaea83ec64bf3537302c52dee0b8d75526793543ea1d5396adfea5ab96c7b115d23aedceb7931756929bbd4893eda497dce19c926b6e36cbefa2355827e9404f |
C:\Users\Admin\AppData\Local\Temp\_MEI21562\multidict\_multidict.cp310-win_amd64.pyd
| MD5 | 9781e6bfedeffddb3220de3e49632d4d |
| SHA1 | 06b13c4623888f0703c0e71d2773c5e9201b0374 |
| SHA256 | d0f937783eeadd70654685bd1b49cda9289896c3b719ec37874ac7fe1221e682 |
| SHA512 | 6b2b799f519699fcce94577a4c1aed0e155e8f56750557c24fbe30b10efa55d826e2358827cfb451753830394c5a841471082fda99729d66e0c785cf3cd18f82 |
memory/2384-152-0x00007FFEA3BB0000-0x00007FFEA3BC0000-memory.dmp
memory/2384-151-0x00007FFEA3BC0000-0x00007FFEA3BD9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI21562\_overlapped.pyd
| MD5 | ff7cba7ce768f7f8c638be282f844f0e |
| SHA1 | 406126bad5813b2d09b1cbd17edc05aa5029c7e5 |
| SHA256 | ed9a6782039007f90422a5b981ce66deee0c581052c14e247446c924b09833fa |
| SHA512 | 04d71776010e0c1aab2dd0fdd06b4807739129b9df2d8081927be202d7861a048e92f8fc0162d237478fdb08b9580ef77552c8ece28ce48ea119f8c6c576a5d2 |
memory/2384-148-0x00007FFEA0A90000-0x00007FFEA0AA5000-memory.dmp
memory/2384-141-0x00007FFEA0290000-0x00007FFEA0347000-memory.dmp
memory/2384-140-0x00007FFE9D7B0000-0x00007FFE9DC1E000-memory.dmp
memory/2384-142-0x00007FFE8F160000-0x00007FFE8F4D7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI21562\yarl\_quoting_c.cp310-win_amd64.pyd
| MD5 | fdc577588ffd0f939c02b236fde9fbae |
| SHA1 | 6e8c7a3456870a2bf2fabae861209aed29475498 |
| SHA256 | 2ed79904384fda527647ba6927abfed3062e7b83a308c41d2890685a19e6b883 |
| SHA512 | 3472bb46a90b620a181f73dd5d4b2258fe02a7db4144d22d8feeb8dad6f667940482cb285c77e0c1c7592e3468be4ed126a0caad76a3cfc1bb615c20fe77b7e3 |
memory/2384-166-0x00007FFE8F4E0000-0x00007FFE8F649000-memory.dmp
memory/2384-167-0x00007FFEA0230000-0x00007FFEA024C000-memory.dmp
memory/2384-165-0x00007FFEA0D40000-0x00007FFEA0D5F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI21562\aiohttp\_helpers.cp310-win_amd64.pyd
| MD5 | f7e02ab5fdaceb53d35ce588d1eaa264 |
| SHA1 | 390485a21881334894e63f5a4843c552518fb75c |
| SHA256 | e781d6205149306f4aa80a11ad8c654b7572bfaf0cc5517f2b2daef0ac016229 |
| SHA512 | 4c015d21f33b6fee07d24d060c02ece75aec4bbbffa4a490b2961d92e1ae821f142ee6a32d13c491acef927c14d511112bdfc0412c800b81394d530a9518cbc7 |
memory/2384-170-0x00007FFEA0210000-0x00007FFEA0223000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI21562\aiohttp\_http_writer.cp310-win_amd64.pyd
| MD5 | a4c8dd79a38b8fadecf723c204935ffe |
| SHA1 | 3d71c55aa83c89694204bfd0aade8dc60e0f84f8 |
| SHA256 | 02b68eafcfe40db926f671bafa01db9a691b178103b06377ffa3d1d5df3b1530 |
| SHA512 | d573340437a7b9d4634eca845da94244bb463005e1bb049b4c7753610f4624679ebdff0b80320d416d4363f7e387e8789345d4df8cd5a707fe5eaad588196c73 |
memory/2384-173-0x00007FFEA0AB0000-0x00007FFEA0ADE000-memory.dmp
memory/2384-175-0x00007FFE9FEB0000-0x00007FFE9FEC5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI21562\_brotli.cp310-win_amd64.pyd
| MD5 | 50ca8b574270390ae93fbe452c852555 |
| SHA1 | 1d8dcfe22835a3d92cf63fae6c25e2b4f01b8610 |
| SHA256 | f1d8c9316751c9550aadd94a8ee4bdbb55e143ce967d293f82f1f3cd84e91284 |
| SHA512 | 9c1986adefd2dc2ee8a6c7ac76de78545d27bbea41d156c3f9fff032313bcf737c9ee98360c762b57987a9477d00179786894ed3689f3adc34dda7168e4a4747 |
C:\Users\Admin\AppData\Local\Temp\_MEI21562\MSVCP140.dll
| MD5 | 72f3d84384e888bf0d38852eb863026b |
| SHA1 | 8e6a0257591eb913ae7d0e975c56306b3f680b3f |
| SHA256 | a4c2229bdc2a2a630acdc095b4d86008e5c3e3bc7773174354f3da4f5beb9cde |
| SHA512 | 6d53634bc51bd383358e0d55988d70aee6ed3897bc6ae5e0d2413bed27ecff4c8092020682cd089859023b02d9a1858ac42e64d59c38ba90fbaf89b656c539a6 |
memory/2384-184-0x00007FFE8F080000-0x00007FFE8F15F000-memory.dmp
memory/2384-183-0x00007FFE8F160000-0x00007FFE8F4D7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI21562\VCRUNTIME140_1.dll
| MD5 | 75e78e4bf561031d39f86143753400ff |
| SHA1 | 324c2a99e39f8992459495182677e91656a05206 |
| SHA256 | 1758085a61527b427c4380f0c976d29a8bee889f2ac480c356a3f166433bf70e |
| SHA512 | ce4daf46bce44a89d21308c63e2de8b757a23be2630360209c4a25eb13f1f66a04fbb0a124761a33bbf34496f2f2a02b8df159b4b62f1b6241e1dbfb0e5d9756 |
memory/2384-178-0x00007FFEA0290000-0x00007FFEA0347000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI21562\aiohttp\_http_parser.cp310-win_amd64.pyd
| MD5 | f3a43ee9a1cd3da4b1e8856832d37fb5 |
| SHA1 | e5b257f6b70f033ccc250d8063fa277d294578f6 |
| SHA256 | 5cd0986d4b79c7079bd472df2fb41dc2056fb3f7db6d6776d5fe5f883de45fe1 |
| SHA512 | 1bebd434cb40c9f21cd2ed99429010a7f307ce22822d34a21ceeb7df6566dd8ea056ccecab78be3e98f9e25515ff6bb16d61f3ae4e05734381ebf244ac995e64 |
C:\Users\Admin\AppData\Local\Temp\_MEI21562\aiohttp\_websocket.cp310-win_amd64.pyd
| MD5 | 7ea40c5cde77804709ca1652bbdf22c1 |
| SHA1 | 03813e28850f8205c09eaa2412d39227e6bede9b |
| SHA256 | 9dd0fb7690b61fa84713e8fe3ac5b9962124e9573073322508d9c6459eeb263c |
| SHA512 | 4a8ab360eca08065f3b4d2deb0b30be98ecd6ee1bec3e4a15b5cd6ee7ce95dd2b5786bbadb578226614fb5ed665bff8e579f7bc12ea90cb12188673b99f5d99c |
memory/2384-189-0x00000130AB4B0000-0x00000130AB827000-memory.dmp
memory/2384-192-0x00007FFE9FE50000-0x00007FFE9FE5E000-memory.dmp
memory/2384-193-0x00007FFEA0A90000-0x00007FFEA0AA5000-memory.dmp
memory/2384-191-0x00007FFE9FE60000-0x00007FFE9FEA1000-memory.dmp
memory/2384-195-0x00007FFE9FE40000-0x00007FFE9FE4A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI21562\charset_normalizer\md.cp310-win_amd64.pyd
| MD5 | 7b305a0e94a78e72820fa4ddec303ad6 |
| SHA1 | c42ae66f78fc333849e500115d045604ad5bf1a0 |
| SHA256 | 7d69e30849fdbfbafb6d39e7a69568771b80be39e92fb184c63af0d089781592 |
| SHA512 | 5e8f029da7d9fd5d40ed3c64475b4c1239854fe5c63282872d884984c8554211472c6d901f12b0541aa081daf55787dc6e204d6f73faa2ea1d2d4f3879ae1556 |
C:\Users\Admin\AppData\Local\Temp\_MEI21562\_uuid.pyd
| MD5 | 8571d3c1ef8bb47ccdec7b9dab62626c |
| SHA1 | 6d1461e7042c18f5282ac284ab8b8c7c7bd72c80 |
| SHA256 | 9003cb2351efe9f0d392c413ee460d3f29ba70058aefaa018c2402a16d44de55 |
| SHA512 | dcbf20132a9382d2d0aea126badb038afd427c66368cfb2756f125864a3dd2b67b4f5f64fd86a1331fc73f49506318dfeb76f0344b155cca615c29e20f08727a |
memory/2384-198-0x00007FFE9FD10000-0x00007FFE9FD1B000-memory.dmp
memory/2384-199-0x00007FFE964A0000-0x00007FFE964C5000-memory.dmp
memory/2384-201-0x00007FFE9FCF0000-0x00007FFE9FD06000-memory.dmp
memory/2384-200-0x00007FFE9FF30000-0x00007FFEA0048000-memory.dmp
memory/2384-202-0x00007FFE8EA20000-0x00007FFE8F07A000-memory.dmp
memory/2384-204-0x00007FFE96460000-0x00007FFE96498000-memory.dmp
memory/2384-203-0x00007FFEA0210000-0x00007FFEA0223000-memory.dmp
memory/2384-205-0x00007FFE951A0000-0x00007FFE951F1000-memory.dmp
memory/2384-215-0x00007FFE8F080000-0x00007FFE8F15F000-memory.dmp
memory/2384-221-0x00007FFE9FE60000-0x00007FFE9FEA1000-memory.dmp
memory/2384-241-0x00007FFE9D710000-0x00007FFE9D71D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5ikhqwp0.nbv.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/680-249-0x000001AA6DE10000-0x000001AA6DE32000-memory.dmp
memory/2384-257-0x00007FFE964A0000-0x00007FFE964C5000-memory.dmp
memory/2384-258-0x00007FFE8EA20000-0x00007FFE8F07A000-memory.dmp
memory/2384-293-0x00007FFE96460000-0x00007FFE96498000-memory.dmp
memory/2384-281-0x00007FFE9FEB0000-0x00007FFE9FEC5000-memory.dmp
memory/2384-280-0x00007FFEA0210000-0x00007FFEA0223000-memory.dmp
memory/2384-279-0x00007FFEA0230000-0x00007FFEA024C000-memory.dmp
memory/2384-275-0x00007FFEA3BB0000-0x00007FFEA3BC0000-memory.dmp
memory/2384-274-0x00007FFEA0A90000-0x00007FFEA0AA5000-memory.dmp
memory/2384-270-0x00007FFE8F4E0000-0x00007FFE8F649000-memory.dmp
memory/2384-262-0x00007FFE9D7B0000-0x00007FFE9DC1E000-memory.dmp
memory/2384-292-0x00007FFE9D710000-0x00007FFE9D71D000-memory.dmp
memory/2384-283-0x00007FFE9FE60000-0x00007FFE9FEA1000-memory.dmp
memory/2384-269-0x00007FFEA0D40000-0x00007FFEA0D5F000-memory.dmp
memory/2384-263-0x00007FFEA3F70000-0x00007FFEA3F94000-memory.dmp
memory/2384-312-0x00007FFE8F160000-0x00007FFE8F4D7000-memory.dmp
memory/2384-320-0x00007FFE9FEB0000-0x00007FFE9FEC5000-memory.dmp
memory/2384-318-0x00007FFEA0230000-0x00007FFEA024C000-memory.dmp
memory/2384-313-0x00007FFEA0A90000-0x00007FFEA0AA5000-memory.dmp
memory/2384-311-0x00007FFEA0290000-0x00007FFEA0347000-memory.dmp
memory/2384-310-0x00007FFEA0AB0000-0x00007FFEA0ADE000-memory.dmp
memory/2384-301-0x00007FFE9D7B0000-0x00007FFE9DC1E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Desktop\ClearDeny.jpeg
| MD5 | 580ff41c978d1a68b2d1c4b74918cf4d |
| SHA1 | 289a4d7fc28362a282e546a6198dcb20b94588cd |
| SHA256 | 873f9c545694a0aa305f8655c576f7aae9ea14ff57cd836216028bf7e090e326 |
| SHA512 | 44a545c8a04dcbc2c1797cd0cf9977ca35e95b8684078d45029a2a6e84a9718983c084d623e983cacf70deec945b4fd2d86a4d555b18176cebdb3e08842de1c7 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Desktop\RepairJoin.docx
| MD5 | d4745d6310c8390d3596103f82e81c8d |
| SHA1 | bf9eee7fbc652aa869268709da07961974210ee6 |
| SHA256 | 597f710ef1e876e1030ec258991857fe815871798d7e7805618dd34f57eeded2 |
| SHA512 | 4374dca93880e047930965be8c9a522cf11f391a059df6ba296e7e6a282902820f180be974c82c183c945c60098f9fd6bfedf9285837542e07a737223cf52c81 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Desktop\NewUndo.docx
| MD5 | 953c014f3b3c47ae9a59ba25bd786d47 |
| SHA1 | f2b695c0bd21f4254d49ba3f1a5df7c4fe57c308 |
| SHA256 | 0dc6e3c7700f6a28d6a85f6281e11140134c5bd0b092934eb31c256daf6da095 |
| SHA512 | 1a0d78b0bf107f171b84b9b8f1597f14255bfc4747349f43c79193f59d2fddde67026870dd5c25d7c84fe04dcc815c772f4be2f008347c4daf99ad36abc67829 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Desktop\InstallLock.xlsx
| MD5 | 3b0f149b243907c93d7e8791153966c1 |
| SHA1 | 1ec7919c5bf215d32296b064695705904ac84651 |
| SHA256 | 29315d66075709dbf37f9be726711e0da7152197cc5484086bfaf2dd34f513af |
| SHA512 | 67eef4146ca8ab9b049233ff302b7441fb114e976192188b0008a74e36e69ac9220c8a7ae3be9e7926b289988b2ebdc24e55654875284630dcb98fc6b7376824 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Documents\BackupUpdate.dotm
| MD5 | 38191a0d2f5a1ec8b4a40920601de387 |
| SHA1 | e53f86d397124119f2529810491b47d14f169f38 |
| SHA256 | 3001421d2403957560c01962ba941d39e3a3bac799d719dcd5c7d20dfe8d4939 |
| SHA512 | 15b101c0f266d9ecd7f139c83d6a9a8a7ba207d7506714a90bd6b92bfe407988c0710d722554d6f332384fc668a24f7fdb55fbfd5a79819f5f9ab3671f5b9b02 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Documents\UpdateSplit.xlsx
| MD5 | f2cf5d1a5844a74f9905543cf1203103 |
| SHA1 | f3fd84bbe1c56ea2c2755143f10b20de0df1ff42 |
| SHA256 | 1291258d229a3baf507c951cdf72898dbc29de11d012ff9dabdda73f9256bad4 |
| SHA512 | 78c266405a48aa590737515427091ca09bcc54ec1733bc723d3ba06dc834df918b0c36a6d01d55933aaf7fb8d5be7fa8fe573625a1254245ca4dc5eec667e820 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Downloads\BackupMerge.scf
| MD5 | c5f3cdc2baadef400f32d18eb9e8e638 |
| SHA1 | 701bf04d603930877bee13f60bf67cd04d175f47 |
| SHA256 | 60d9dc3e6def45d6c941f203ad50f6574bc8884d5228c8f0f6df77a87afacccd |
| SHA512 | f8a7f1c77dad917db741373153e49aa5d9293294351667677baed9af02c7116d1aec6f41012c1d78fee9853a0f9738354fa2c0651e5b4cbb16a6624f094e8df0 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Documents\ImportDisconnect.xlsx
| MD5 | eb272c0f0465a91e56711eb3d8bb283a |
| SHA1 | 83b5b2a60e3666bf3a580e5980117216090ac95b |
| SHA256 | a585314fffe139e214c1cf0f1e72b12007afc4892cb9b1d5c1608a3a06d6f2ba |
| SHA512 | 7f444fbbfcc8a3de0522c7aeb3137e35d356515e65eba59860887fa407527d2ce78f9095e1b65f879be699c8fe9c62919fed325c88d13fe42fa05fce16bcb4ae |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Documents\ExportProtect.xlsx
| MD5 | 8d996f835b31db0e752025e69d4fc860 |
| SHA1 | 808e93bc0328d04af863a30ebddcec8646808b3e |
| SHA256 | c29cf42bf20e133de110a7bce39dd7415a1cf1950d361b0443e36d4d8036d317 |
| SHA512 | b6c8c7f4621d8931c6c86640bebca5d105fb425c3282f79747fa25017d37453b42f0cbc88aa14389ba1b826dd6eaf8a2673518c220deec5aaca010ccebfd547f |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Downloads\RenameUse.mp3
| MD5 | 53d31f3cb1c3221f372020ef918da805 |
| SHA1 | 9e56eb055dc36dcd8984ce6a72094e5fb0c68593 |
| SHA256 | 0528d77c46f9bf4b611a944716eda2945a0b75c4bca26c1e2ade7cb269cbceb6 |
| SHA512 | 791d3b75c585bcebbfe31514dde877f271aedeed302b0aed6bc0beff9af2c819958a2190496fb29406efdbb1e15e4485b81662c73c0e4ed66b11d5bf776d987f |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Downloads\SelectBackup.xml
| MD5 | 84024c6b78008a7eb931d993269451fb |
| SHA1 | 4d623f180fb046cea2de1026dcd8954ec172d4de |
| SHA256 | c501b95ae9a344f31786231ca31dcce075234e1169b17ff08a7cab41a2e2fffa |
| SHA512 | da4bf50c7110a58dab3b2e693251b146ed81510afef8ee7969bbba459e6b189ac5b35967133290e49eb416421c1b60a575b4e4dcbef7a473199e0e545b56f488 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Music\GroupConvertTo.txt
| MD5 | 19801454c699d6dda8ed4111f7e12e26 |
| SHA1 | 79cda58fae746ed4934336a523c466bd13d72304 |
| SHA256 | f8e15dd37e42e08af5e68102904f6b0bea5a6bc9b991b0a74aa0e511932d1984 |
| SHA512 | 81239925456f88356c5aebe525d8f57243aa41e9f9d899892780cbca91a2c880d60356d30e835be32da5879af60ba5f664b9ded15d5bf88569498cec1f31d1e6 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Downloads\ResetBackup.odt
| MD5 | fbab7c41c331abf182275ef80a3a9cae |
| SHA1 | c48b7b01fb4ff60f7cdd5012dad36181334b6931 |
| SHA256 | be16a870175a3433e3a4d7b48bd5d76675829d588e833038ebf55b2fc6304348 |
| SHA512 | 873dff4cd1cddf502c1eb41cc8c983033996b6047b7a7b43830d83434759178f37f03ffc8b6cee83bfe4d852d194e205417083cd4d6221a62d26926c12baa5a5 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Pictures\StartRevoke.jpg
| MD5 | 71e8fdfd239287f8116bb2ea78ac8da4 |
| SHA1 | 5f972350431a2bdc460222afb0c368525ab51fc9 |
| SHA256 | a6e61ad32a00860c24629a979c9ae3a0aba76b8913c5929fda207371e5d2bf22 |
| SHA512 | 6b94d863eab7bdc0cbc78914afeed0a14517406d4ac13f7abedb1bb77599a71e03303adeb57cc71f61d051928a36436c760cbe213335047e0f388a597ec25998 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Pictures\RemoveDismount.jpeg
| MD5 | 477d433ea0160e20dd6f869b483a4044 |
| SHA1 | 9bc189d4451ecd8748e2d45afe0d7d062188ef80 |
| SHA256 | 763a6fd4ec5cd8bf19930713037af87b2e44078ad0dfda70930d9bbbd2607e44 |
| SHA512 | 2f1c57d8ce35b1e3a4a85e25e2fdbb273ccca84dac25dae724e2c04d9e0a4caf0bd08dee5f6b54e641c7ce5fa898c29ff7fa22a559fd53c9fdf63de20cbd3268 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Pictures\My Wallpaper.jpg
| MD5 | a51464e41d75b2aa2b00ca31ea2ce7eb |
| SHA1 | 5b94362ac6a23c5aba706e8bfd11a5d8bab6097d |
| SHA256 | 16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f |
| SHA512 | b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Music\ResumeBackup.vsd
| MD5 | 56cd5848f5044a347dbe5cb346ddc085 |
| SHA1 | 67c51c97125633ec0851d149abb3dc661e7fc9f3 |
| SHA256 | 34b2af80256b9cec946324b02a5bc0346d2bb6ec24bce7f8c472c50cb5798711 |
| SHA512 | 37d42a07ed0970c4b9f2cc357cac09c9c19432670919b4cff9932f5b2e4f98b071f1a3397e903f407bc44354d68b576166c9e05c5152368f5799d0bc33b19b40 |
C:\Users\Admin\AppData\Local\Temp\StealedFilesByIris\Music\InvokeRevoke.jpeg
| MD5 | a6eed8f4de0dd63dd88605a00c82b5d2 |
| SHA1 | 45c5faa04e78e98531379582f5ebf22a0a7b3b66 |
| SHA256 | 95c98fb53b62a371ffb31f145be5c6174000906357806625fb3c2ec9f80d8e76 |
| SHA512 | e2b8141430745df92b8985bbc05bfd61b8811143018b85ffc8c38c08d6ec4b352229d94c429538a76af0101a7e3f565ce4490c3685e0cbfca7dcc08fd9be86bd |
memory/2384-721-0x00007FFEA0290000-0x00007FFEA0347000-memory.dmp
memory/2384-716-0x00007FFEA0F70000-0x00007FFEA0F89000-memory.dmp
memory/2384-737-0x00007FFE9FCF0000-0x00007FFE9FD06000-memory.dmp
memory/2384-741-0x00007FFE9D710000-0x00007FFE9D71D000-memory.dmp
memory/2384-740-0x00007FFE951A0000-0x00007FFE951F1000-memory.dmp
memory/2384-739-0x00007FFE96460000-0x00007FFE96498000-memory.dmp
memory/2384-738-0x00007FFE8EA20000-0x00007FFE8F07A000-memory.dmp
memory/2384-736-0x00007FFE964A0000-0x00007FFE964C5000-memory.dmp
memory/2384-735-0x00007FFE9FD10000-0x00007FFE9FD1B000-memory.dmp
memory/2384-734-0x00007FFE9FE40000-0x00007FFE9FE4A000-memory.dmp
memory/2384-733-0x00007FFE9FE60000-0x00007FFE9FEA1000-memory.dmp
memory/2384-732-0x00007FFE8F080000-0x00007FFE8F15F000-memory.dmp
memory/2384-731-0x00007FFE9FEB0000-0x00007FFE9FEC5000-memory.dmp
memory/2384-730-0x00007FFEA0210000-0x00007FFEA0223000-memory.dmp
memory/2384-729-0x00007FFEA0230000-0x00007FFEA024C000-memory.dmp
memory/2384-728-0x00007FFE8F4E0000-0x00007FFE8F649000-memory.dmp
memory/2384-727-0x00007FFEA0250000-0x00007FFEA0264000-memory.dmp
memory/2384-726-0x00007FFEA0270000-0x00007FFEA0284000-memory.dmp
memory/2384-725-0x00007FFEA3BB0000-0x00007FFEA3BC0000-memory.dmp
memory/2384-724-0x00007FFEA0A90000-0x00007FFEA0AA5000-memory.dmp
memory/2384-723-0x00007FFE9D7B0000-0x00007FFE9DC1E000-memory.dmp
memory/2384-722-0x00007FFE8F160000-0x00007FFE8F4D7000-memory.dmp
memory/2384-720-0x00007FFEA0AB0000-0x00007FFEA0ADE000-memory.dmp
memory/2384-719-0x00007FFE9FF30000-0x00007FFEA0048000-memory.dmp
memory/2384-718-0x00007FFEA0D40000-0x00007FFEA0D5F000-memory.dmp
memory/2384-717-0x00007FFEA0D60000-0x00007FFEA0D8D000-memory.dmp
memory/2384-715-0x00007FFEA4D80000-0x00007FFEA4D8D000-memory.dmp
memory/2384-714-0x00007FFEA3BC0000-0x00007FFEA3BD9000-memory.dmp
memory/2384-713-0x00007FFEA61E0000-0x00007FFEA61EF000-memory.dmp
memory/2384-712-0x00007FFEA3F70000-0x00007FFEA3F94000-memory.dmp
memory/2384-711-0x00007FFE9FE50000-0x00007FFE9FE5E000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-15 15:40
Reported
2024-11-15 15:43
Platform
win10v2004-20241007-en
Max time kernel
103s
Max time network
105s
Command Line
Signatures
Exela Stealer
Exelastealer family
Grants admin privileges
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Clipboard Data
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Network Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\ARP.EXE | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Permission Groups Discovery: Local Groups
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
System Network Connections Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Collects information from the system
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Runs net.exe
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe
"C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe"
C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe
"C:\Users\Admin\AppData\Local\Temp\87f285bd4941a32b46d2eb58239900388e43341b41ffbdbdf90741729a926624.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /IM chrome.exe /T"
C:\Windows\system32\taskkill.exe
taskkill /F /IM chrome.exe /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "gdb --version"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get Manufacturer
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_ComputerSystem get Manufacturer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\IrisUpdateService\Iris.exe""
C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\IrisUpdateService\Iris.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "schtasks /query /TN "IrisUpdateService""
C:\Windows\system32\schtasks.exe
schtasks /query /TN "IrisUpdateService"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc onlogon /rl highest /tn "IrisUpdateService" /tr "C:\Users\Admin\AppData\Local\IrisUpdateService\Iris.exe""
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc onlogon /rl highest /tn "IrisUpdateService" /tr "C:\Users\Admin\AppData\Local\IrisUpdateService\Iris.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc hourly /mo 1 /rl highest /tn "IrisUpdateService2" /tr "C:\Users\Admin\AppData\Local\IrisUpdateService\Iris.exe""
C:\Windows\system32\schtasks.exe
schtasks /create /f /sc hourly /mo 1 /rl highest /tn "IrisUpdateService2" /tr "C:\Users\Admin\AppData\Local\IrisUpdateService\Iris.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
C:\Windows\system32\cmd.exe
cmd.exe /c chcp
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Clipboard
C:\Windows\system32\cmd.exe
cmd.exe /c chcp
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\HOSTNAME.EXE
hostname
C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get caption,description,providername
C:\Windows\system32\net.exe
net user
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
C:\Windows\system32\query.exe
query user
C:\Windows\system32\quser.exe
"C:\Windows\system32\quser.exe"
C:\Windows\system32\net.exe
net localgroup
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
C:\Windows\system32\net.exe
net localgroup administrators
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
C:\Windows\system32\net.exe
net user guest
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user guest
C:\Windows\system32\net.exe
net user administrator
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator
C:\Windows\System32\Wbem\WMIC.exe
wmic startup get caption,command
C:\Windows\system32\tasklist.exe
tasklist /svc
C:\Windows\system32\ipconfig.exe
ipconfig /all
C:\Windows\system32\ROUTE.EXE
route print
C:\Windows\system32\ARP.EXE
arp -a
C:\Windows\system32\NETSTAT.EXE
netstat -ano
C:\Windows\system32\sc.exe
sc query type= service state= all
C:\Windows\system32\netsh.exe
netsh firewall show state
C:\Windows\system32\netsh.exe
netsh firewall show config
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
Network
Files