exelastealer | hxxps://cdn[.]discordapp[.]com/attachments/1313962676715651142/1318658765800865812/DD0S-BYblessed[.]exe?ex=67651a6d&is=6763c8ed&hm=86cfd7b1eb63c4371c0dbebf2c9d21b2b3603cbc3c0282241d8bc04a1f2e5c15&

Analysis

max time kernel
142s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2024 13:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1313962676715651142/1318658765800865812/DD0S-BYblessed.exe?ex=67651a6d&is=6763c8ed&hm=86cfd7b1eb63c4371c0dbebf2c9d21b2b3603cbc3c0282241d8bc04a1f2e5c15&

Score

10^/10

exelastealer collection defense_evasion discovery evasion persistence privilege_escalation pyinstaller spyware stealer

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2244	netsh.exe
996	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	DD0S-BYblessed.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1892	cmd.exe
5064	powershell.exe

Executes dropped EXE 5 IoCs

pid	Process
4012	DD0S-BYblessed.exe
1936	DDoS-ByBlessed.exe
3788	DDoS-ByBlessed.exe
1960	Hellion.exe
3164	Stub.exe

Loads dropped DLL 32 IoCs

pid	Process
3788	DDoS-ByBlessed.exe
3788	DDoS-ByBlessed.exe
3788	DDoS-ByBlessed.exe
3788	DDoS-ByBlessed.exe
3164	Stub.exe
3164	Stub.exe
3164	Stub.exe
3164	Stub.exe
3164	Stub.exe
3164	Stub.exe
3164	Stub.exe
3164	Stub.exe
3164	Stub.exe
3164	Stub.exe
3164	Stub.exe
3164	Stub.exe
3164	Stub.exe
3164	Stub.exe
3164	Stub.exe
3164	Stub.exe
3164	Stub.exe
3164	Stub.exe
3164	Stub.exe
3164	Stub.exe
3164	Stub.exe
3164	Stub.exe
3164	Stub.exe
3164	Stub.exe
3164	Stub.exe
3164	Stub.exe
3164	Stub.exe
3164	Stub.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
58	discord.com
75	discord.com
55	discord.com
56	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
49	ipinfo.io
52	ipinfo.io
67	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2524	cmd.exe
2720	ARP.EXE

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
4916	tasklist.exe
4012	tasklist.exe
4460	tasklist.exe
1760	tasklist.exe
4872	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1720	cmd.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1308	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0007000000023cc6-91.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
8	cmd.exe
2320	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
404	NETSTAT.EXE

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
4536	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4092	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1176	ipconfig.exe
404	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3336	systeminfo.exe

Kills process with taskkill 9 IoCs

evasion

pid	Process
1464	taskkill.exe
3640	taskkill.exe
756	taskkill.exe
3448	taskkill.exe
2832	taskkill.exe
2896	taskkill.exe
4908	taskkill.exe
664	taskkill.exe
4076	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 270417.crdownload:SmartScreen	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
756	msedge.exe
756	msedge.exe
1284	msedge.exe
1284	msedge.exe
964	identity_helper.exe
964	identity_helper.exe
848	msedge.exe
848	msedge.exe
5064	powershell.exe
5064	powershell.exe
5064	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4092	WMIC.exe
Token: SeSecurityPrivilege	4092	WMIC.exe
Token: SeTakeOwnershipPrivilege	4092	WMIC.exe
Token: SeLoadDriverPrivilege	4092	WMIC.exe
Token: SeSystemProfilePrivilege	4092	WMIC.exe
Token: SeSystemtimePrivilege	4092	WMIC.exe
Token: SeProfSingleProcessPrivilege	4092	WMIC.exe
Token: SeIncBasePriorityPrivilege	4092	WMIC.exe
Token: SeCreatePagefilePrivilege	4092	WMIC.exe
Token: SeBackupPrivilege	4092	WMIC.exe
Token: SeRestorePrivilege	4092	WMIC.exe
Token: SeShutdownPrivilege	4092	WMIC.exe
Token: SeDebugPrivilege	4092	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4092	WMIC.exe
Token: SeRemoteShutdownPrivilege	4092	WMIC.exe
Token: SeUndockPrivilege	4092	WMIC.exe
Token: SeManageVolumePrivilege	4092	WMIC.exe
Token: 33	4092	WMIC.exe
Token: 34	4092	WMIC.exe
Token: 35	4092	WMIC.exe
Token: 36	4092	WMIC.exe
Token: SeDebugPrivilege	4916	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3704	WMIC.exe
Token: SeSecurityPrivilege	3704	WMIC.exe
Token: SeTakeOwnershipPrivilege	3704	WMIC.exe
Token: SeLoadDriverPrivilege	3704	WMIC.exe
Token: SeSystemProfilePrivilege	3704	WMIC.exe
Token: SeSystemtimePrivilege	3704	WMIC.exe
Token: SeProfSingleProcessPrivilege	3704	WMIC.exe
Token: SeIncBasePriorityPrivilege	3704	WMIC.exe
Token: SeCreatePagefilePrivilege	3704	WMIC.exe
Token: SeBackupPrivilege	3704	WMIC.exe
Token: SeRestorePrivilege	3704	WMIC.exe
Token: SeShutdownPrivilege	3704	WMIC.exe
Token: SeDebugPrivilege	3704	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3704	WMIC.exe
Token: SeRemoteShutdownPrivilege	3704	WMIC.exe
Token: SeUndockPrivilege	3704	WMIC.exe
Token: SeManageVolumePrivilege	3704	WMIC.exe
Token: 33	3704	WMIC.exe
Token: 34	3704	WMIC.exe
Token: 35	3704	WMIC.exe
Token: 36	3704	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4092	WMIC.exe
Token: SeSecurityPrivilege	4092	WMIC.exe
Token: SeTakeOwnershipPrivilege	4092	WMIC.exe
Token: SeLoadDriverPrivilege	4092	WMIC.exe
Token: SeSystemProfilePrivilege	4092	WMIC.exe
Token: SeSystemtimePrivilege	4092	WMIC.exe
Token: SeProfSingleProcessPrivilege	4092	WMIC.exe
Token: SeIncBasePriorityPrivilege	4092	WMIC.exe
Token: SeCreatePagefilePrivilege	4092	WMIC.exe
Token: SeBackupPrivilege	4092	WMIC.exe
Token: SeRestorePrivilege	4092	WMIC.exe
Token: SeShutdownPrivilege	4092	WMIC.exe
Token: SeDebugPrivilege	4092	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4092	WMIC.exe
Token: SeRemoteShutdownPrivilege	4092	WMIC.exe
Token: SeUndockPrivilege	4092	WMIC.exe
Token: SeManageVolumePrivilege	4092	WMIC.exe
Token: 33	4092	WMIC.exe
Token: 34	4092	WMIC.exe
Token: 35	4092	WMIC.exe
Token: 36	4092	WMIC.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe
1284	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1284 wrote to memory of 3332	1284	msedge.exe	83
PID 1284 wrote to memory of 3332	1284	msedge.exe	83
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 996	1284	msedge.exe	84
PID 1284 wrote to memory of 756	1284	msedge.exe	85
PID 1284 wrote to memory of 756	1284	msedge.exe	85
PID 1284 wrote to memory of 2024	1284	msedge.exe	86
PID 1284 wrote to memory of 2024	1284	msedge.exe	86
PID 1284 wrote to memory of 2024	1284	msedge.exe	86
PID 1284 wrote to memory of 2024	1284	msedge.exe	86
PID 1284 wrote to memory of 2024	1284	msedge.exe	86
PID 1284 wrote to memory of 2024	1284	msedge.exe	86
PID 1284 wrote to memory of 2024	1284	msedge.exe	86
PID 1284 wrote to memory of 2024	1284	msedge.exe	86
PID 1284 wrote to memory of 2024	1284	msedge.exe	86
PID 1284 wrote to memory of 2024	1284	msedge.exe	86
PID 1284 wrote to memory of 2024	1284	msedge.exe	86
PID 1284 wrote to memory of 2024	1284	msedge.exe	86
PID 1284 wrote to memory of 2024	1284	msedge.exe	86
PID 1284 wrote to memory of 2024	1284	msedge.exe	86
PID 1284 wrote to memory of 2024	1284	msedge.exe	86
PID 1284 wrote to memory of 2024	1284	msedge.exe	86
PID 1284 wrote to memory of 2024	1284	msedge.exe	86
PID 1284 wrote to memory of 2024	1284	msedge.exe	86
PID 1284 wrote to memory of 2024	1284	msedge.exe	86
PID 1284 wrote to memory of 2024	1284	msedge.exe	86

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4424	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1313962676715651142/1318658765800865812/DD0S-BYblessed.exe?ex=67651a6d&is=6763c8ed&hm=86cfd7b1eb63c4371c0dbebf2c9d21b2b3603cbc3c0282241d8bc04a1f2e5c15&
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99b7b46f8,0x7ff99b7b4708,0x7ff99b7b4718
  2⤵
  PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,990992916123609433,1785609725225974502,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
  2⤵
  PID:996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,990992916123609433,1785609725225974502,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2008 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,990992916123609433,1785609725225974502,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:2024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,990992916123609433,1785609725225974502,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:2636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,990992916123609433,1785609725225974502,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,990992916123609433,1785609725225974502,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 /prefetch:8
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,990992916123609433,1785609725225974502,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4924 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,990992916123609433,1785609725225974502,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,990992916123609433,1785609725225974502,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,990992916123609433,1785609725225974502,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:1172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,990992916123609433,1785609725225974502,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2044,990992916123609433,1785609725225974502,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5444 /prefetch:8
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,990992916123609433,1785609725225974502,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2044,990992916123609433,1785609725225974502,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6032 /prefetch:8
  2⤵
  PID:1300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2044,990992916123609433,1785609725225974502,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5928 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:848

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1012

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:680

C:\Users\Admin\Downloads\DD0S-BYblessed.exe
"C:\Users\Admin\Downloads\DD0S-BYblessed.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:4012
- C:\Users\Admin\AppData\Local\Temp\DDoS-ByBlessed.exe
  "C:\Users\Admin\AppData\Local\Temp\DDoS-ByBlessed.exe"
  2⤵
  - Executes dropped EXE
  PID:1936
- - C:\Users\Admin\AppData\Local\Temp\DDoS-ByBlessed.exe
    "C:\Users\Admin\AppData\Local\Temp\DDoS-ByBlessed.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3788
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c clear
      4⤵
      PID:3360
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c clear
      4⤵
      PID:3232
- C:\Users\Admin\AppData\Local\Temp\Hellion.exe
  "C:\Users\Admin\AppData\Local\Temp\Hellion.exe"
  2⤵
  - Executes dropped EXE
  PID:1960
- - C:\Users\Admin\AppData\Local\Temp\onefile_1960_133790893896181309\Stub.exe
    C:\Users\Admin\AppData\Local\Temp\Hellion.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3164
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:3448
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:2632
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        Suspicious use of AdjustPrivilegeToken
        
        PID:4092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
      4⤵
      PID:4448
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3704
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "gdb --version"
      4⤵
      PID:1592
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:1800
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:4916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
      4⤵
      PID:4880
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        5⤵
        
        PID:4516
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:4984
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:2944
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:1064
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:4012
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\HellionUpdate\Hellion.exe""
      4⤵
      Hide Artifacts: Hidden Files and Directories
      PID:1720
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\HellionUpdate\Hellion.exe"
        5⤵
        Views/modifies file attributes
        
        PID:4424
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
      4⤵
      PID:2008
    - - C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
        5⤵
        
        PID:1260
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:2524
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:4460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1284"
      4⤵
      PID:5076
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1284
        5⤵
        Kills process with taskkill
        
        PID:3448
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3332"
      4⤵
      PID:1720
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3332
        5⤵
        Kills process with taskkill
        
        PID:2832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 996"
      4⤵
      PID:848
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 996
        5⤵
        Kills process with taskkill
        
        PID:1464
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 756"
      4⤵
      PID:4916
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 756
        5⤵
        Kills process with taskkill
        
        PID:3640
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2024"
      4⤵
      PID:2872
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2024
        5⤵
        Kills process with taskkill
        
        PID:2896
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4592"
      4⤵
      PID:4896
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4592
        5⤵
        Kills process with taskkill
        
        PID:4908
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1172"
      4⤵
      PID:4340
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1172
        5⤵
        Kills process with taskkill
        
        PID:664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2084"
      4⤵
      PID:4904
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2084
        5⤵
        Kills process with taskkill
        
        PID:756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4300"
      4⤵
      PID:2668
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4300
        5⤵
        Kills process with taskkill
        
        PID:4076
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      PID:3212
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        
        PID:3992
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:4548
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      PID:1308
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        
        PID:5116
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:404
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:824
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:1760
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
      4⤵
      Clipboard Data
      PID:1892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        5⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:5064
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
      4⤵
      Network Service Discovery
      PID:2524
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:3336
    - - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        5⤵
        
        PID:4500
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        5⤵
        Collects information from the system
        
        PID:4536
    - - C:\Windows\system32\net.exe
        
        net user
        5⤵
        
        PID:4432
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        6⤵
        
        PID:4592
    - - C:\Windows\system32\query.exe
        
        query user
        5⤵
        
        PID:4076
      - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        6⤵
        
        PID:3320
    - - C:\Windows\system32\net.exe
        
        net localgroup
        5⤵
        
        PID:4512
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        6⤵
        
        PID:2840
    - - C:\Windows\system32\net.exe
        
        net localgroup administrators
        5⤵
        
        PID:3316
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        6⤵
        
        PID:2716
    - - C:\Windows\system32\net.exe
        
        net user guest
        5⤵
        
        PID:1856
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        6⤵
        
        PID:4508
    - - C:\Windows\system32\net.exe
        
        net user administrator
        5⤵
        
        PID:1728
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        6⤵
        
        PID:1444
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        5⤵
        
        PID:4572
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        5⤵
        Enumerates processes with tasklist
        
        PID:4872
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:1176
    - - C:\Windows\system32\ROUTE.EXE
        
        route print
        5⤵
        
        PID:3420
    - - C:\Windows\system32\ARP.EXE
        
        arp -a
        5⤵
        Network Service Discovery
        
        PID:2720
    - - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        5⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:404
    - - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        5⤵
        Launches sc.exe
        
        PID:1308
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:996
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2244
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:8
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:2320
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:4740
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:1924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:3244
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:3308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8749e21d9d0a17dac32d5aa2027f7a75

SHA1
a5d555f8b035c7938a4a864e89218c0402ab7cde

SHA256
915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304

SHA512
c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
34d2c4f40f47672ecdf6f66fea242f4a

SHA1
4bcad62542aeb44cae38a907d8b5a8604115ada2

SHA256
b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33

SHA512
50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
03392a7fbfcaf955f2bf47674e6ae4c3

SHA1
9c0d303e277d94f88184431b4b69fe3ee463cabe

SHA256
fa51fed66a6ef0baf7a04a52a1389c8e967d9499ef94f661969fe97b4b0c637a

SHA512
26b80ec006eaea2c48f330da42c1826bc024f51db40345144990f8323674562339ba159d583eee498f8669d48f9abff569d1932711e925b6fdb815724c9f149e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b155f35bfd49f282f130c5af0fbadb3c

SHA1
4f5a0fcc53f3318886f3a964918cf5b3b22369be

SHA256
ac83b10406054c03a81711963384e2e33c6849a6ade8c10af0838c5702a7d246

SHA512
b9cefdd0363cc9c94dbe925a476946d1eb276714ec12d1525f95e0f0f22034b1ceeb02012dd08d8e7d323eb951c3ef33431d934e2bf7b86dec11fe5db9d456e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cba8587e6378865e9115e76aa715872a

SHA1
64a68addddaf3ae6170b77aada28dc9b8ea65aee

SHA256
3665f302a870ee2be0d78b2020ce1798b3e2ba7e1924f722ba5e6c8ddea13063

SHA512
cd9d93e91a157809d96c2875c2a7aa6e17ae628fe440d9e0c8117183f0d6c4ae6cf4635c14da60a3fb0443886e5ff5d2bfc045615337e3e0b32031a2e15df650

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
7b3a80c08b5edbf2d1fd2fb8d385322b

SHA1
95d97941e08c98087bb8ae8265c9e1fc05e197a2

SHA256
09b0f0f7347a9125def343c8bf67926728ea1f6bb4619db1d5f66ed9b8773198

SHA512
e97cc03bed4344bfc3be5444f2c631aead59b5e02fae5218b87077f2813ae64c97d12ea6163405e067e0ec7f044a478285eed60e9b9d0c1ac6c5233adedeedd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDoS-ByBlessed.exe

Filesize
6.9MB

MD5
f951f37c7359990368695dac021d7c43

SHA1
e845fd70d41a6e8a0729d868aca62a106075a244

SHA256
729e2c29b8cc5966946161b806e6d1ce34902382bd3a4f409dbcbe76cd90753d

SHA512
65e9ba5c4c35d7a1f7c3acd2e9a99ead8980cf85bc07166b5a64ab9039dcb2f22cb7516b060f4fb8353bb3c86c8f2df906d48f51cd38c48b95116a709673c903

Download Submit
C:\Users\Admin\AppData\Local\Temp\Hellion.exe

Filesize
38.8MB

MD5
5338e376c1424fa35cc28c6a4ad332d8

SHA1
3c6ece7f5af5e900b73622ab2a5cd0b096308f77

SHA256
fc4843faa54782b623e6dd7df05342f1b3c5103f12b785a302d3e3d8c70fcaee

SHA512
1154d0f3c578ddb031531ed7e63b9fa2f8b8842ca2d1eb5ef6268710c0ed375fa8a4f263da11bf612b9dba453d377e8f7f418448cfff3cb8d7d8d2ddfde0850d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd

Filesize
81KB

MD5
56203038756826a0a683d5750ee04093

SHA1
93d5a07f49bdcc7eb8fba458b2428fe4afcc20d2

SHA256
31c2f21adf27ca77fa746c0fda9c7d7734587ab123b95f2310725aaf4bf4ff3c

SHA512
3da5ae98511300694c9e91617c152805761d3de567981b5ab3ef7cd3dbba3521aae0d49b1eb42123d241b5ed13e8637d5c5bc1b44b9eaa754657f30662159f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

Filesize
120KB

MD5
462fd515ca586048459b9d90a660cb93

SHA1
06089f5d5e2a6411a0d7b106d24d5203eb70ec60

SHA256
bf017767ac650420487ca3225b3077445d24260bf1a33e75f7361b0c6d3e96b4

SHA512
67851bdbf9ba007012b89c89b86fd430fce24790466fefbb54431a7c200884fc9eb2f90c36d57acd300018f607630248f1a3addc2aa5f212458eb7a5c27054b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd

Filesize
154KB

MD5
14ea9d8ba0c2379fb1a9f6f3e9bbd63b

SHA1
f7d4e7b86acaf796679d173e18f758c1e338de82

SHA256
c414a5a418c41a7a8316687047ed816cad576741bd09a268928e381a03e1eb39

SHA512
64a52fe41007a1cac4afedf2961727b823d7f1c4399d3465d22377b5a4a5935cee2598447aeff62f99c4e98bb3657cfae25b5c27de32107a3a829df5a25ba1ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_sqlite3.pyd

Filesize
96KB

MD5
98228631212a443781d0ac72e4656b97

SHA1
7e87e1fb891439cf466648b37abdbd4053a5da66

SHA256
fab3440d88376c9c334333b80b50f20a273a08f1d319bf0a9a6eb8bd04d35250

SHA512
5d41384b0280415f581c13b4b47de3de845fd60fc0373613dc9a73d4e0ecf9e855cb0e4aaa1c88fdc2d98e973ca083a48c129529141a8fd65c74c104ad9015f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-1_1.dll

Filesize
3.3MB

MD5
80b72c24c74d59ae32ba2b0ea5e7dad2

SHA1
75f892e361619e51578b312605201571bfb67ff8

SHA256
eb975c94e5f4292edd9a8207e356fe4ea0c66e802c1e9305323d37185f85ad6d

SHA512
08014ee480b5646362c433b82393160edf9602e4654e12cd9b6d3c24e98c56b46add9bf447c2301a2b2e782f49c444cb8e37ee544f38330c944c87397bdd152a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-1_1.dll

Filesize
686KB

MD5
86f2d9cc8cc54bbb005b15cabf715e5d

SHA1
396833cba6802cb83367f6313c6e3c67521c51ad

SHA256
d98dd943517963fd0e790fde00965822aa4e4a48e8a479afad74abf14a300771

SHA512
0013d487173b42e669a13752dc8a85b838c93524f976864d16ec0d9d7070d981d129577eda497d4fcf66fc6087366bd320cff92ead92ab79cfcaa946489ac6cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\sqlite3.dll

Filesize
1.5MB

MD5
fcc7a468d46c90f5a71e3e9c99b1d50e

SHA1
91070cac3cdde28905a7bc695f8c0fd1290fd0d0

SHA256
215c02ac57378e48428d4b013f7bcedd2b58d73e83c54eca17a8c9bd7f3bdf55

SHA512
95bff194696436e590a5df8f18987ce6e5c20b6e50e552e7d049fec8da834c71cdbd87418fc85be73aaea4176aeb672d44e89256cd64bfade5959f3aabb0884d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\_bz2.pyd

Filesize
83KB

MD5
c17dcb7fc227601471a641ec90e6237f

SHA1
c93a8c2430e844f40f1d9c880aa74612409ffbb9

SHA256
55894b2b98d01f37b9a8cf4daf926d0161ff23c2fb31c56f9dbbac3a61932712

SHA512
38851cbd234a51394673a7514110eb43037b4e19d2a6fb79471cc7d01dbcf2695e70df4ba2727c69f1fed56fc7980e3ca37fddff73cc3294a2ea44facdeb0fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\_decimal.pyd

Filesize
274KB

MD5
ad4324e5cc794d626ffccda544a5a833

SHA1
ef925e000383b6cad9361430fc38264540d434a5

SHA256
040f361f63204b55c17a100c260c7ddfadd00866cc055fbd641b83a6747547d5

SHA512
0a002b79418242112600b9246da66a5c04651aecb2e245f0220b2544d7b7df67a20139f45ddf2d4e7759ce8cc3d6b4be7f98b0a221c756449eb1b6d7af602325

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\_hashlib.pyd

Filesize
63KB

MD5
422e214ca76421e794b99f99a374b077

SHA1
58b24448ab889948303cdefe28a7c697687b7ebc

SHA256
78223aef72777efc93c739f5308a3fc5de28b7d10e6975b8947552a62592772b

SHA512
03fcccc5a300cc029bef06c601915fa38604d955995b127b5b121cb55fb81752a8a1eec4b1b263ba12c51538080335dabaef9e2b8259b4bf02af84a680552fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\_lzma.pyd

Filesize
155KB

MD5
66a9028efd1bb12047dafce391fd6198

SHA1
e0b61ce28ea940f1f0d5247d40abe61ae2b91293

SHA256
e44dea262a24df69fd9b50b08d09ae6f8b051137ce0834640c977091a6f9fca8

SHA512
3c2a4e2539933cbeb1d0b3c8ef14f0563675fd53b6ef487c7a5371dfe2ee1932255f91db598a61aaadacd8dc2fe2486a91f586542c52dfc054b22ad843831d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\_socket.pyd

Filesize
82KB

MD5
abf998769f3cba685e90fa06e0ec8326

SHA1
daa66047cf22b6be608127f8824e59b30c9026bf

SHA256
62d0493ced6ca33e2fd8141649dd9889c23b2e9afc5fdf56edb4f888c88fb823

SHA512
08c6b3573c596a15accf4936533567415198a0daab5b6e9824b820fd1f078233bbc3791fde6971489e70155f7c33c1242b0b0a3a17fe2ec95b9fadae555ed483

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\base_library.zip

Filesize
1.3MB

MD5
18c3f8bf07b4764d340df1d612d28fad

SHA1
fc0e09078527c13597c37dbea39551f72bbe9ae8

SHA256
6e30043dfa5faf9c31bd8fb71778e8e0701275b620696d29ad274846676b7175

SHA512
135b97cd0284424a269c964ed95b06d338814e5e7b2271b065e5eabf56a8af4a213d863dd2a1e93c1425fadb1b20e6c63ffa6e8984156928be4a9a2fbbfd5e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\libcrypto-3.dll

Filesize
5.0MB

MD5
123ad0908c76ccba4789c084f7a6b8d0

SHA1
86de58289c8200ed8c1fc51d5f00e38e32c1aad5

SHA256
4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43

SHA512
80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\python313.dll

Filesize
5.8MB

MD5
3aad23292404a7038eb07ce5a6348256

SHA1
35cac5479699b28549ebe36c1d064bfb703f0857

SHA256
78b1dd211c0e66a0603df48da2c9b67a915ab3258701b9285d3faa255ed8dc25

SHA512
f5b6ef04e744d2c98c1ef9402d7a8ce5cda3b008837cf2c37a8b6d0cd1b188ca46585a40b2db7acf019f67e6ced59eff5bc86e1aaf48d3c3b62fecf37f3aec6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\select.pyd

Filesize
31KB

MD5
62fe3761d24b53d98cc9b0cbbd0feb7c

SHA1
317344c9edf2fcfa2b9bc248a18f6e6acedafffb

SHA256
81f124b01a85882e362a42e94a13c0eff2f4ccd72d461821dc5457a789554413

SHA512
a1d3da17937087af4e5980d908ed645d4ea1b5f3ebfab5c572417df064707cae1372b331c7096cc8e2e041db9315172806d3bc4bb425c6bb4d2fa55e00524881

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19362\unicodedata.pyd

Filesize
695KB

MD5
43b8b61debbc6dd93124a00ddd922d8c

SHA1
5dee63d250ac6233aac7e462eee65c5326224f01

SHA256
3f462ee6e7743a87e5791181936539642e3761c55de3de980a125f91fe21f123

SHA512
dd4791045cf887e6722feae4442c38e641f19ec994a8eaf7667e9df9ea84378d6d718caf3390f92443f6bbf39840c150121bb6fa896c4badd3f78f1ffe4de19d

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_25buxpo3.uli.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1960_133790893896181309\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1960_133790893896181309\_socket.pyd

Filesize
77KB

MD5
c389430e19f1cd4c2e7b8538e8c52459

SHA1
546ed5a85ad80a7b7db99f80c7080dc972e4f2a2

SHA256
a14efa68d8f7ec018fb867a6ba6c6c290a803b4001fd8c45db7bda66fb700067

SHA512
5bef6c90c65bf1d4be0ce0d0cb3f38fe288f5716c93e444cf12f89f066791850d8316d414f1d795ff148c9e841cda90ef9c35ceb4a499563f28d068a6b427671

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1960_133790893896181309\_ssl.pyd

Filesize
156KB

MD5
7c7223f28c0c27c85a979ad222d19288

SHA1
4185e671b1dc56b22134c97cd8a4a67747887b87

SHA256
4ec47beadc4fd0d38fa39092244c108674012874f3190ee0e484aa988b94f986

SHA512
f3e813b954357f1bc323d897edf308a99ed30ff451053b312f81b6baae188cda58d144072627398a19d8d12fe659e4f40636dbbdf22a45770c3ca71746ec2df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1960_133790893896181309\python310.dll

Filesize
4.3MB

MD5
e4533934b37e688106beac6c5919281e

SHA1
ada39f10ef0bbdcf05822f4260e43d53367b0017

SHA256
2bf761bae584ba67d9a41507b45ebd41ab6ae51755b1782496d0bc60cc1d41d5

SHA512
fa681a48ddd81854c9907026d4f36b008e509729f1d9a18a621f1d86cd1176c1a1ff4f814974306fa4d9e3886e2ce112a4f79b66713e1401f5dae4bcd8b898b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_1960_133790893896181309\select.pyd

Filesize
29KB

MD5
c6ef07e75eae2c147042d142e23d2173

SHA1
6ef3e912db5faf5a6b4225dbb6e34337a2271a60

SHA256
43ee736c8a93e28b1407bf5e057a7449f16ee665a6e51a0f1bc416e13cee7e78

SHA512
30e915566e7b934bdd49e708151c98f732ff338d7bc3a46797de9cca308621791276ea03372c5e2834b6b55e66e05d58cf1bb4cb9ff31fb0a1c1aca0fcdc0d45

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 270417.crdownload

Filesize
45.4MB

MD5
2e6ae2d1df9752aac8f165766da3c468

SHA1
d84d7cf61bcfbd70dfba9bfa39bc678607cc0194

SHA256
5eb4e68ccc476f07ba6e61baa18f1147132cc5cfab6d583b0821b07ca27b859c

SHA512
8df0acf4e9d8f7ee6660274048d1cfbac148a7181f49e7cd5899d2ae37a40aff6971c732089f1d37927a955dde4d28d1a752d79570f42bdffefa9a1f0f39ee43

Download Submit
memory/3164-223-0x000001C775C80000-0x000001C77640E000-memory.dmp

Filesize
7.6MB

Download
memory/3164-276-0x000001C775C80000-0x000001C77640E000-memory.dmp

Filesize
7.6MB

Download
memory/4012-77-0x0000000000940000-0x00000000036AC000-memory.dmp

Filesize
45.4MB

Download
memory/5064-261-0x00000291A0E30000-0x00000291A0E52000-memory.dmp

Filesize
136KB

Download