exelastealer | hxxps://gofile[.]io/d/SzkurD

Analysis

max time kernel
47s
max time network
47s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-12-2024 14:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/SzkurD

Score

10^/10

exelastealer collection defense_evasion discovery evasion persistence privilege_escalation pyinstaller spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5180	netsh.exe
2132	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
6092	cmd.exe
5168	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
3468	YimMenu.exe
4020	YimMenu.exe
960	YimMenu.exe
5348	YimMenu.exe

Loads dropped DLL 64 IoCs

pid	Process
4020	YimMenu.exe
4020	YimMenu.exe
4020	YimMenu.exe
4020	YimMenu.exe
4020	YimMenu.exe
4020	YimMenu.exe
4020	YimMenu.exe
4020	YimMenu.exe
4020	YimMenu.exe
4020	YimMenu.exe
4020	YimMenu.exe
4020	YimMenu.exe
4020	YimMenu.exe
4020	YimMenu.exe
4020	YimMenu.exe
4020	YimMenu.exe
4020	YimMenu.exe
4020	YimMenu.exe
4020	YimMenu.exe
4020	YimMenu.exe
4020	YimMenu.exe
4020	YimMenu.exe
4020	YimMenu.exe
4020	YimMenu.exe
4020	YimMenu.exe
4020	YimMenu.exe
4020	YimMenu.exe
4020	YimMenu.exe
4020	YimMenu.exe
4020	YimMenu.exe
4020	YimMenu.exe
4020	YimMenu.exe
4020	YimMenu.exe
5348	YimMenu.exe
5348	YimMenu.exe
5348	YimMenu.exe
5348	YimMenu.exe
5348	YimMenu.exe
5348	YimMenu.exe
5348	YimMenu.exe
5348	YimMenu.exe
5348	YimMenu.exe
5348	YimMenu.exe
5348	YimMenu.exe
5348	YimMenu.exe
5348	YimMenu.exe
5348	YimMenu.exe
5348	YimMenu.exe
5348	YimMenu.exe
5348	YimMenu.exe
5348	YimMenu.exe
5348	YimMenu.exe
5348	YimMenu.exe
5348	YimMenu.exe
5348	YimMenu.exe
5348	YimMenu.exe
5348	YimMenu.exe
5348	YimMenu.exe
5348	YimMenu.exe
5348	YimMenu.exe
5348	YimMenu.exe
5348	YimMenu.exe
5348	YimMenu.exe
5348	YimMenu.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
63	discord.com
64	discord.com
66	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
51	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
6020	ARP.EXE
5204	cmd.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
6040	tasklist.exe
5252	tasklist.exe
5216	tasklist.exe
5776	tasklist.exe
5752	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5136	cmd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023d6c-210.dat	upx
behavioral1/memory/4020-214-0x00007FFC72DC0000-0x00007FFC733A8000-memory.dmp	upx
behavioral1/memory/4020-222-0x00007FFC73560000-0x00007FFC73584000-memory.dmp	upx
behavioral1/files/0x0007000000023d5d-221.dat	upx
behavioral1/memory/4020-225-0x00007FFC86E10000-0x00007FFC86E1F000-memory.dmp	upx
behavioral1/files/0x0007000000023d0c-220.dat	upx
behavioral1/files/0x0007000000023d0a-224.dat	upx
behavioral1/files/0x0007000000023d0f-229.dat	upx
behavioral1/memory/4020-230-0x00007FFC73510000-0x00007FFC7353D000-memory.dmp	upx
behavioral1/memory/4020-228-0x00007FFC73540000-0x00007FFC73559000-memory.dmp	upx
behavioral1/memory/4020-259-0x00007FFC734F0000-0x00007FFC73509000-memory.dmp	upx
behavioral1/memory/4020-260-0x00007FFC86C40000-0x00007FFC86C4D000-memory.dmp	upx
behavioral1/memory/4020-261-0x00007FFC86A80000-0x00007FFC86A8D000-memory.dmp	upx
behavioral1/memory/4020-262-0x00007FFC734D0000-0x00007FFC734E4000-memory.dmp	upx
behavioral1/memory/4020-263-0x00007FFC72910000-0x00007FFC72C85000-memory.dmp	upx
behavioral1/memory/4020-270-0x00007FFC73560000-0x00007FFC73584000-memory.dmp	upx
behavioral1/memory/4020-269-0x00007FFC72850000-0x00007FFC72908000-memory.dmp	upx
behavioral1/memory/4020-271-0x00007FFC72D30000-0x00007FFC72D65000-memory.dmp	upx
behavioral1/memory/4020-267-0x00007FFC72DC0000-0x00007FFC733A8000-memory.dmp	upx
behavioral1/memory/4020-268-0x00007FFC72D70000-0x00007FFC72D9E000-memory.dmp	upx
behavioral1/memory/4020-273-0x00007FFC726D0000-0x00007FFC72843000-memory.dmp	upx
behavioral1/memory/4020-272-0x00007FFC72D00000-0x00007FFC72D23000-memory.dmp	upx
behavioral1/memory/4020-275-0x00007FFC734B0000-0x00007FFC734C5000-memory.dmp	upx
behavioral1/memory/4020-274-0x00007FFC734F0000-0x00007FFC73509000-memory.dmp	upx
behavioral1/memory/4020-278-0x00007FFC72390000-0x00007FFC723A4000-memory.dmp	upx
behavioral1/memory/4020-277-0x00007FFC723B0000-0x00007FFC723C2000-memory.dmp	upx
behavioral1/memory/4020-276-0x00007FFC86C40000-0x00007FFC86C4D000-memory.dmp	upx
behavioral1/memory/4020-280-0x00007FFC72910000-0x00007FFC72C85000-memory.dmp	upx
behavioral1/memory/4020-283-0x00007FFC72CE0000-0x00007FFC72CFB000-memory.dmp	upx
behavioral1/memory/4020-279-0x00007FFC734D0000-0x00007FFC734E4000-memory.dmp	upx
behavioral1/memory/4020-282-0x00007FFC725B0000-0x00007FFC726CC000-memory.dmp	upx
behavioral1/memory/4020-281-0x00007FFC72360000-0x00007FFC72382000-memory.dmp	upx
behavioral1/memory/4020-284-0x00007FFC72590000-0x00007FFC725A9000-memory.dmp	upx
behavioral1/memory/4020-285-0x00007FFC72540000-0x00007FFC7258D000-memory.dmp	upx
behavioral1/memory/4020-286-0x00007FFC72D00000-0x00007FFC72D23000-memory.dmp	upx
behavioral1/memory/4020-287-0x00007FFC72520000-0x00007FFC72531000-memory.dmp	upx
behavioral1/memory/4020-288-0x00007FFC726D0000-0x00007FFC72843000-memory.dmp	upx
behavioral1/memory/4020-291-0x00007FFC734B0000-0x00007FFC734C5000-memory.dmp	upx
behavioral1/memory/4020-290-0x00007FFC866F0000-0x00007FFC866FA000-memory.dmp	upx
behavioral1/memory/4020-289-0x00007FFC724E0000-0x00007FFC72512000-memory.dmp	upx
behavioral1/memory/4020-292-0x00007FFC724C0000-0x00007FFC724DE000-memory.dmp	upx
behavioral1/memory/4020-293-0x00007FFC71B60000-0x00007FFC7235B000-memory.dmp	upx
behavioral1/memory/4020-296-0x00007FFC72480000-0x00007FFC724B7000-memory.dmp	upx
behavioral1/memory/4020-295-0x00007FFC725B0000-0x00007FFC726CC000-memory.dmp	upx
behavioral1/memory/4020-294-0x00007FFC72360000-0x00007FFC72382000-memory.dmp	upx
behavioral1/memory/4020-325-0x00007FFC72CE0000-0x00007FFC72CFB000-memory.dmp	upx
behavioral1/memory/4020-330-0x00007FFC72590000-0x00007FFC725A9000-memory.dmp	upx
behavioral1/memory/4020-381-0x00007FFC72540000-0x00007FFC7258D000-memory.dmp	upx
behavioral1/memory/4020-386-0x00007FFC724E0000-0x00007FFC72512000-memory.dmp	upx
behavioral1/memory/4020-416-0x00007FFC866F0000-0x00007FFC866FA000-memory.dmp	upx
behavioral1/memory/4020-415-0x00007FFC72480000-0x00007FFC724B7000-memory.dmp	upx
behavioral1/memory/4020-398-0x00007FFC72850000-0x00007FFC72908000-memory.dmp	upx
behavioral1/memory/4020-394-0x00007FFC86A80000-0x00007FFC86A8D000-memory.dmp	upx
behavioral1/memory/4020-388-0x00007FFC73560000-0x00007FFC73584000-memory.dmp	upx
behavioral1/memory/4020-414-0x00007FFC71B60000-0x00007FFC7235B000-memory.dmp	upx
behavioral1/memory/4020-409-0x00007FFC72540000-0x00007FFC7258D000-memory.dmp	upx
behavioral1/memory/4020-408-0x00007FFC72590000-0x00007FFC725A9000-memory.dmp	upx
behavioral1/memory/4020-403-0x00007FFC723B0000-0x00007FFC723C2000-memory.dmp	upx
behavioral1/memory/4020-402-0x00007FFC734B0000-0x00007FFC734C5000-memory.dmp	upx
behavioral1/memory/4020-401-0x00007FFC726D0000-0x00007FFC72843000-memory.dmp	upx
behavioral1/memory/4020-397-0x00007FFC72D70000-0x00007FFC72D9E000-memory.dmp	upx
behavioral1/memory/4020-396-0x00007FFC72910000-0x00007FFC72C85000-memory.dmp	upx
behavioral1/memory/4020-387-0x00007FFC72DC0000-0x00007FFC733A8000-memory.dmp	upx
behavioral1/memory/5348-525-0x00007FFC76C60000-0x00007FFC77248000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5212	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000900000000072d-72.dat	pyinstaller

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3584	netsh.exe
5244	cmd.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
6104	NETSTAT.EXE

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
452	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5712	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
6104	NETSTAT.EXE
5628	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4964	systeminfo.exe

Kills process with taskkill 9 IoCs

evasion

pid	Process
5344	taskkill.exe
4392	taskkill.exe
5392	taskkill.exe
5620	taskkill.exe
5848	taskkill.exe
5876	taskkill.exe
5444	taskkill.exe
5692	taskkill.exe
5716	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 964199.crdownload:SmartScreen	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
856	msedge.exe
856	msedge.exe
1168	msedge.exe
1168	msedge.exe
5004	identity_helper.exe
5004	identity_helper.exe
4112	msedge.exe
4112	msedge.exe
5168	powershell.exe
5168	powershell.exe
5168	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5712	WMIC.exe
Token: SeSecurityPrivilege	5712	WMIC.exe
Token: SeTakeOwnershipPrivilege	5712	WMIC.exe
Token: SeLoadDriverPrivilege	5712	WMIC.exe
Token: SeSystemProfilePrivilege	5712	WMIC.exe
Token: SeSystemtimePrivilege	5712	WMIC.exe
Token: SeProfSingleProcessPrivilege	5712	WMIC.exe
Token: SeIncBasePriorityPrivilege	5712	WMIC.exe
Token: SeCreatePagefilePrivilege	5712	WMIC.exe
Token: SeBackupPrivilege	5712	WMIC.exe
Token: SeRestorePrivilege	5712	WMIC.exe
Token: SeShutdownPrivilege	5712	WMIC.exe
Token: SeDebugPrivilege	5712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5712	WMIC.exe
Token: SeRemoteShutdownPrivilege	5712	WMIC.exe
Token: SeUndockPrivilege	5712	WMIC.exe
Token: SeManageVolumePrivilege	5712	WMIC.exe
Token: 33	5712	WMIC.exe
Token: 34	5712	WMIC.exe
Token: 35	5712	WMIC.exe
Token: 36	5712	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5760	WMIC.exe
Token: SeSecurityPrivilege	5760	WMIC.exe
Token: SeTakeOwnershipPrivilege	5760	WMIC.exe
Token: SeLoadDriverPrivilege	5760	WMIC.exe
Token: SeSystemProfilePrivilege	5760	WMIC.exe
Token: SeSystemtimePrivilege	5760	WMIC.exe
Token: SeProfSingleProcessPrivilege	5760	WMIC.exe
Token: SeIncBasePriorityPrivilege	5760	WMIC.exe
Token: SeCreatePagefilePrivilege	5760	WMIC.exe
Token: SeBackupPrivilege	5760	WMIC.exe
Token: SeRestorePrivilege	5760	WMIC.exe
Token: SeShutdownPrivilege	5760	WMIC.exe
Token: SeDebugPrivilege	5760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5760	WMIC.exe
Token: SeRemoteShutdownPrivilege	5760	WMIC.exe
Token: SeUndockPrivilege	5760	WMIC.exe
Token: SeManageVolumePrivilege	5760	WMIC.exe
Token: 33	5760	WMIC.exe
Token: 34	5760	WMIC.exe
Token: 35	5760	WMIC.exe
Token: 36	5760	WMIC.exe
Token: SeDebugPrivilege	5752	tasklist.exe
Token: SeIncreaseQuotaPrivilege	5712	WMIC.exe
Token: SeSecurityPrivilege	5712	WMIC.exe
Token: SeTakeOwnershipPrivilege	5712	WMIC.exe
Token: SeLoadDriverPrivilege	5712	WMIC.exe
Token: SeSystemProfilePrivilege	5712	WMIC.exe
Token: SeSystemtimePrivilege	5712	WMIC.exe
Token: SeProfSingleProcessPrivilege	5712	WMIC.exe
Token: SeIncBasePriorityPrivilege	5712	WMIC.exe
Token: SeCreatePagefilePrivilege	5712	WMIC.exe
Token: SeBackupPrivilege	5712	WMIC.exe
Token: SeRestorePrivilege	5712	WMIC.exe
Token: SeShutdownPrivilege	5712	WMIC.exe
Token: SeDebugPrivilege	5712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5712	WMIC.exe
Token: SeRemoteShutdownPrivilege	5712	WMIC.exe
Token: SeUndockPrivilege	5712	WMIC.exe
Token: SeManageVolumePrivilege	5712	WMIC.exe
Token: 33	5712	WMIC.exe
Token: 34	5712	WMIC.exe
Token: 35	5712	WMIC.exe
Token: 36	5712	WMIC.exe

Suspicious use of FindShellTrayWindow 40 IoCs

pid	Process
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe
1168	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1168 wrote to memory of 4952	1168	msedge.exe	82
PID 1168 wrote to memory of 4952	1168	msedge.exe	82
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 264	1168	msedge.exe	83
PID 1168 wrote to memory of 856	1168	msedge.exe	84
PID 1168 wrote to memory of 856	1168	msedge.exe	84
PID 1168 wrote to memory of 1860	1168	msedge.exe	85
PID 1168 wrote to memory of 1860	1168	msedge.exe	85
PID 1168 wrote to memory of 1860	1168	msedge.exe	85
PID 1168 wrote to memory of 1860	1168	msedge.exe	85
PID 1168 wrote to memory of 1860	1168	msedge.exe	85
PID 1168 wrote to memory of 1860	1168	msedge.exe	85
PID 1168 wrote to memory of 1860	1168	msedge.exe	85
PID 1168 wrote to memory of 1860	1168	msedge.exe	85
PID 1168 wrote to memory of 1860	1168	msedge.exe	85
PID 1168 wrote to memory of 1860	1168	msedge.exe	85
PID 1168 wrote to memory of 1860	1168	msedge.exe	85
PID 1168 wrote to memory of 1860	1168	msedge.exe	85
PID 1168 wrote to memory of 1860	1168	msedge.exe	85
PID 1168 wrote to memory of 1860	1168	msedge.exe	85
PID 1168 wrote to memory of 1860	1168	msedge.exe	85
PID 1168 wrote to memory of 1860	1168	msedge.exe	85
PID 1168 wrote to memory of 1860	1168	msedge.exe	85
PID 1168 wrote to memory of 1860	1168	msedge.exe	85
PID 1168 wrote to memory of 1860	1168	msedge.exe	85
PID 1168 wrote to memory of 1860	1168	msedge.exe	85

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5172	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/SzkurD
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc86bc46f8,0x7ffc86bc4708,0x7ffc86bc4718
  2⤵
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,1108650076102798508,8844016040810683390,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,1108650076102798508,8844016040810683390,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,1108650076102798508,8844016040810683390,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:1860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1108650076102798508,8844016040810683390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:3236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1108650076102798508,8844016040810683390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
  2⤵
  PID:2696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1108650076102798508,8844016040810683390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3920 /prefetch:1
  2⤵
  PID:1144
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,1108650076102798508,8844016040810683390,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3528 /prefetch:8
  2⤵
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,1108650076102798508,8844016040810683390,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3528 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1108650076102798508,8844016040810683390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3872 /prefetch:1
  2⤵
  PID:2724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1108650076102798508,8844016040810683390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:2896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1108650076102798508,8844016040810683390,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:1748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1108650076102798508,8844016040810683390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1108650076102798508,8844016040810683390,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
  2⤵
  PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2140,1108650076102798508,8844016040810683390,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5460 /prefetch:8
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,1108650076102798508,8844016040810683390,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5592 /prefetch:1
  2⤵
  PID:972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2140,1108650076102798508,8844016040810683390,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6204 /prefetch:8
  2⤵
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2140,1108650076102798508,8844016040810683390,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6044 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4112

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1496

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4684

C:\Users\Admin\Downloads\YimMenu.exe
"C:\Users\Admin\Downloads\YimMenu.exe"
1⤵
- Executes dropped EXE
PID:3468
- C:\Users\Admin\Downloads\YimMenu.exe
  "C:\Users\Admin\Downloads\YimMenu.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:5432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:5556
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:5712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    PID:5564
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:5588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:5600
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    PID:5840
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      PID:5896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5944
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:6024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:5952
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:6040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:5136
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Views/modifies file attributes
      PID:5172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:5200
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5252
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1168"
    3⤵
    PID:5292
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1168
      4⤵
      Kills process with taskkill
      PID:5344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4952"
    3⤵
    PID:3324
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4952
      4⤵
      Kills process with taskkill
      PID:4392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 264"
    3⤵
    PID:4232
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 264
      4⤵
      Kills process with taskkill
      PID:5392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 856"
    3⤵
    PID:5448
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 856
      4⤵
      Kills process with taskkill
      PID:5444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1860"
    3⤵
    PID:5500
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1860
      4⤵
      Kills process with taskkill
      PID:5620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3236"
    3⤵
    PID:2616
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3236
      4⤵
      Kills process with taskkill
      PID:5692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2316"
    3⤵
    PID:1344
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2316
      4⤵
      Kills process with taskkill
      PID:5716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2072"
    3⤵
    PID:5728
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2072
      4⤵
      Kills process with taskkill
      PID:5848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 972"
    3⤵
    PID:1732
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 972
      4⤵
      Kills process with taskkill
      PID:5876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:5984
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:5124
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:5172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:5948
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:1408
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:5280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5944
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:6092
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:5168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:5244
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    PID:5204
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4964
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:2608
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      PID:452
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:1336
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:3628
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:5380
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:4928
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:5048
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:5404
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:5504
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:5468
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:5464
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:5472
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:5528
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:3388
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:5616
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:5776
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:5628
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:6052
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:6020
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:6104
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:5212
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:5180
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1072
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5288
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5944

C:\Users\Admin\Downloads\YimMenu.exe
"C:\Users\Admin\Downloads\YimMenu.exe"
1⤵
- Executes dropped EXE
PID:960
- C:\Users\Admin\Downloads\YimMenu.exe
  "C:\Users\Admin\Downloads\YimMenu.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5348
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:5816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b8880802fc2bb880a7a869faa01315b0

SHA1
51d1a3fa2c272f094515675d82150bfce08ee8d3

SHA256
467b8cd4aacac66557712f9843023dcedefcc26efc746f3e44157bc8dac73812

SHA512
e1c6dba2579357ba70de58968b167d2c529534d24bff70568144270c48ac18a48ee2af2d58d78ae741e5a36958fa78a57955bd2456f1df00b781fc1002e123d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ba6ef346187b40694d493da98d5da979

SHA1
643c15bec043f8673943885199bb06cd1652ee37

SHA256
d86eec91f295dfda8ed1c5fa99de426f2fe359282c7ebf67e3a40be739475d73

SHA512
2e6cc97330be8868d4b9c53be7e12c558f6eb1ac2c4080a611ba6c43561d0c5bb4791b8a11a8c2371599f0ba73ed1d9a7a2ea6dee2ae6a080f1912e0cb1f656c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
1901deee77221970b60a182b94448e5d

SHA1
543019508aa8d501e503bf74431c4e28b651570e

SHA256
53ccd0ef1b3488b7dac5433a597732a6d3dcf421b0f8400c7b47a307d00db53b

SHA512
12d030eb300e255fcf821bfb346237fb554badf6ea858effcd6d2ca83936ff8cd3809f15a69f1f4537f50708c7d9a64663472bd5df9e01023babd34e321ffe45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
02808e48f53e9927e55ecd4ffe71f86a

SHA1
6ce88e210c11efb555273de27c4c36fb84466678

SHA256
934faef52e0b7020538ac45542304582ee908b99b0d05187d7b22068568af796

SHA512
b22a60429899d703fb5b5e16f93b184033403bd0b7f33ea3062d0863cc385ff1f036fb59c937711b0acaca345765c58e76d7f14a4ab93fce52a621efcddae7ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cd66c865627dd3f175f9911bdbdaba19

SHA1
5fc51bab22fbd2bda3eb103f4f1ddaa7b64a46de

SHA256
cba52bfefee972b2ae7152899c2c21f7c26e9a3d175119cad780907df567d5a5

SHA512
73a105d33a0c5127f4a532c8017b1f613cd479886ef0fd6354c812a6a0b91b21b95840f06ff4712e5e3cf4e192f7ce1f8e37e66c7cf3f556ccd83cb32010190e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
72a0991084d4254d07a39c5184e67d39

SHA1
c2715c4bc4bec60d086fa5a3705b2bdf006f93b4

SHA256
c165dc2fe5a6801df20e6f0e354121b571157af297a181c3d98e1aaa965b222f

SHA512
51492153d739a9b36c610e68ea0b673085ef438d2ebf64a08168ff546057266c8921ffef535ac1bdd23f3ec3a6b0eac89733e89982f8af4782af059fd06258fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
2cfc22b230c3a5a192678cb92b143c7e

SHA1
02818259c67b8f11b7b3016463ece13c67db5c02

SHA256
33d2f3ce1c45105fdd619de9a6925b92f66694f4a262ba4b2b1a4975625d4c74

SHA512
465cdc4b918b0e96a24f1b41b2584b0fcb03d4fdcd701e3b40ba80784dbc5d1d09b956397d7bdffffc598ecd273a901b855965e4fe0601dc6e720e6c856d28ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\.zip

Filesize
8.1MB

MD5
62c4bfd1905e6efb353dba6521c1737d

SHA1
1d6b695b99784d7ee096c250f3f6ddf387be76bc

SHA256
b26be64f88f7b66d8943be644eb7f78ed58e9d841b5f510b942228482dc03e18

SHA512
e5240716c31bf10d6f9e9575a402d909491ee546d5664ed337d8c42c3c0b1a314eb75c296126ee42fbb2c161bd5c8aed2a64b90a18c77ac8468e765f98db2fe0

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\BackupApprove.xlsx

Filesize
15KB

MD5
8bdc232a0dfeef0f1c64a2d27a3b2169

SHA1
e0ddb7acee2e4db826bbc73653402ee4799e98c7

SHA256
bcb8da7bb0d0179c5cc8b03fd3d6070eda657454ac308a685d6f7f6946b469f8

SHA512
3d5e41b5c142f77bcba2070d0e70ecfab072196e674eccffad8cf165f1e4faefe78b9e94cdf5e2bc35e7cf886817b6fcb8ebe114f000ab8763934b6e54867bc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\DisableBackup.aifc

Filesize
231KB

MD5
f030b4d4739212c1641eeddc036c99b3

SHA1
08c8575ab17380b26b093ee10e9964329c3606c6

SHA256
0c9db29c86b542f202ccad1cf5c85788b3046105703c669621b4d503f7fe7df5

SHA512
e88a9705b90317c0f7bf2e742b15b1e27d90012108507d93a795cd1c79f07edacc016f7d642ee41aa24749ef4a0686fd509c1cf21cbf215584d4f74dd9bab19b

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\GroupWait.xls

Filesize
444KB

MD5
6bc4f99f4a21782acf9a4f4be773314b

SHA1
c3afd65c5f06a2c7ac99ee26ca1e4a34fa2d2ad4

SHA256
efb1e0a11a7c805ac1f5702bec6f06f42e0cc53b2fc5e8ac8c34d14bd627e639

SHA512
4619b9070c2259917c4660bbc4b2a1b0f9df49a43dbdb7d8da935b2a57f28b0670de599668db45464235a67eff15bf9a3864548fc8c60170fe878f47c89e5a74

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\MeasureRegister.xlsx

Filesize
9KB

MD5
a8f702e52e3c99f1a981036d2b70afde

SHA1
c9f12b4b680ca5093f604572993008793eef4696

SHA256
196ebaddb32885ed5b1a9c539c595536926e7d9b402c3b2dd9410b5d7cce98af

SHA512
5bc039a6ef03f2885a2890f4306ceb9c9483dda30bcd672abc7ccb737320aa2242c1563c00ca1f2d43dda024f525a3bda39a3bdea51d7a03839df60b19e8e8d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\MeasureWait.docx

Filesize
15KB

MD5
ce212900311d33aeccc9fe1106b74a66

SHA1
9e42bb527f62382e0ddb0a7dfb147c1d20ab35f6

SHA256
e90c4eb0293fcad38fd69063695450767c4754fb3f084593b15fd9ab934f8c50

SHA512
b0aa4904e25f8b84650dc9e3a098ec99406af60d901361f0ae8424c9296e50412c41809489ab5015ad3c382af155e6ada76b62753bcf39ba054a684b7550a507

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\MountProtect.doc

Filesize
248KB

MD5
c97ee8b6d27efcf1b3818db48a2444f9

SHA1
72fb8ff0e75d0d83b29fee2052cb1f7ec0667b8d

SHA256
ff0b20e3eaa26bc1cf368468f64ca215898643c9287d7b0047d7ae3a7e8d1c6b

SHA512
fdd34c3fceeb60938449ca9e6bdfb1a80176132d6d9c356904ea77b613876fcffbb33bc9bd610d6b3e99f503a3cb64352cd3cb2bff76067afc00bb3b80c06d90

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\ReceiveEnable.docx

Filesize
17KB

MD5
860e0a383cfd56dddfa43599e92bc5b4

SHA1
23d84c2bb2a27532ef0c150a22cc398d8055c9ba

SHA256
1e62865b28e8a3a65344b9f3cfc63f5efa4d950d61aa9eb08474742947991f88

SHA512
e6ce642b0d5a7674007aecac1701279fdd723855c2131970e0bc74ed517f86ebe42102426f92f880bc6dae1313b81f3e823287869989bc01d3179480ddd411f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\RestartConvertTo.docx

Filesize
19KB

MD5
735de501ef00e3714a0f14929ee9bac6

SHA1
0141183cdafeefe473e6c8051751123cefd09c37

SHA256
b7cb1208df67cb7030c5c5e0a6744e9bb8dabacb35d82b8b22f051f61fb13759

SHA512
475492a9c2444abac89e7c470f51eb82d96230f2c639bdc8d092e5f87585971425f3000fabe5142ba8014d4977b2ff895d0b6a5f688b4869c4e747dd8100462d

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\SendWait.docx

Filesize
515KB

MD5
f48f9ccbdb9fd426c1787c16caf9fefa

SHA1
c835ec036c171810b3cdc80e641b0967770ee3a8

SHA256
5f8dac3b78e0bebe37072e828dd721bba200acb73113b1fa00b0c2f31b790ce4

SHA512
dbcda74a76b88074dd3d00a0e18dcfe91d1a83866585e5022cf24408a756bab5ac71e615a2ffe39b11b839e04b5dc6202a132c39edaa8982a03befb916f98428

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\StepRemove.xlsx

Filesize
16KB

MD5
ee69af2a7bee15e2a86e7dacb2becec8

SHA1
5ba564bc337b3c64f1668b7e708c00174c88e162

SHA256
9b17aa0c257a6c4dd43868feeca4be932036a1c02a2030c58cbdce3deb0e5e37

SHA512
9febab521b240c7b6ab7d2963c34bbdcb5e6363ff4c4dc3bec56d2ab2813603f7e252a1b31250733801f55d02e7d45905999a5906733247b819a829426a24433

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\BackupExit.docx

Filesize
1010KB

MD5
a7e713b2ed400c0bc97f24f7c60d6f28

SHA1
07057189565df3ff4995904eed2f470cf6f76ff1

SHA256
11cf8849842437665bbe852518cc65601d3de1d1b991b352b96078edc0ff78ca

SHA512
4131da26e769c152f76fa8b58be84c1ed11052aeeb3238a6bb1d6d133faa0e1cf2f8c4de565bb6dd3e9f6d30debcb283ce74fb520d7fd9fbbd0c73f8c3121991

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\FormatProtect.xlsx

Filesize
10KB

MD5
78e272311fb40890542228b05f70a68e

SHA1
3896cd7e89fa4444b822643c5eaca49b68967a8f

SHA256
35d00cdeb523c33fd90e1840f36ff4bf648e62b4bfd506b69036e44fef7b699d

SHA512
e8fa63f2f46456401668099c429ddfd7d9310c9ec6357afa8f031487b8d74ce31a288e92cf7ae95573cc851fb2dab6bd898d187d3ce43f61aabfbdb076b05efe

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\GrantProtect.docx

Filesize
13KB

MD5
fb910adb9eba8ef451f6224092e9a46a

SHA1
1183c06f50f7ca54eff118786d88763e096376ed

SHA256
25fafb6b7e5d0ffb97870e8e1747f406a453de36fd16140ae893c7b6070976a4

SHA512
639c91c9b82a505d6fa49687cb595d6c8bf3b33435e3ea0698a078399de95991829ae693c250c54769fb854a60a5f91e620a25907051f1aadb906771b8cacf08

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\OutRestart.doc

Filesize
791KB

MD5
54aa5fda9f3c932981f0e7e33a981733

SHA1
c995122b0ee03baa6f2ac082f1454f1994015317

SHA256
49b3c189b1a30027591f741f8429e02fd7f100d816a82b10d92e709d5f005143

SHA512
b0d3bbaa55d8e488e3f8a2f7eb2bc01ec951b58e0beb1a3b5e0a3bb6d2f3233a85931d1996536b0427af0284270c3e35c79cafc1ca4466c95afbbd382e3aba89

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\StepBackup.doc

Filesize
518KB

MD5
9ff7d62046b3f839836e8c46c83e567e

SHA1
d2fe0244e7745bc89a9f51a845463c0e25d8f3f2

SHA256
2cc3a150522bf2258ae319202f891d4698f889f535d48aa4b6cd363575c87732

SHA512
de0a841baff86c62d3249d0d4907e8ce38dfca570561bd01d9054b2a64118528703bde0eb94af8af4b3b77d6551f71939d88ebeec53a4ed25a10ed78a1685be1

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\WatchRename.csv

Filesize
955KB

MD5
0b0232335ae178dcf3dd5bc858257e21

SHA1
2ba603e2d84e41627406748f5ac243aeaca668a3

SHA256
d25ac468f824da9f97598929120f87faac6fdbd0504bca0f94ffd3b5726df451

SHA512
af2ec9ee8ef4cce5e2efc06054131f6c157598ff62801f640faaa9520128d8fc7245d226ce2cd1cfdc0f472167b74cfe6bf96c49640dc2ea1e27fe670cee79bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\WriteComplete.txt

Filesize
737KB

MD5
579a5005e3ad3eb32fc4199ff9cc4ec5

SHA1
e8dc34c0a413517a50230eddc7dc6d3ba237fdd9

SHA256
4ddf6dbcc7e6d793235f088b516a0fb099772829cf99910ca4b7b1dd4b5090c6

SHA512
db44f4c7eadf876f35558a644b978616b7d1c4e84fdbe2e8ea73eb8cd8124febf9e2e00c0202508d6c265046a643dcddcbb1c166b7ee91c63db11aacde54484b

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\BackupEdit.gif

Filesize
243KB

MD5
2175908bf3eaeb07d92b27ebbe28760f

SHA1
285041f7d074d19ed8eb7c54b2cacfc9cc8e7d74

SHA256
90eb7d05fc40fd2b9fb9aa984ea122df72954ec939f8501143148b92b5a0ab50

SHA512
562ea1312944559fd0628d866d8b272e5c779e17919bdc67e6a59a444ad2d7b54770f51c35743d840e03d14d1b29c99cc9b7dc8c398ab50f648f504ba827300f

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\BackupTrace.MOD

Filesize
347KB

MD5
04879119ddf36b558277b40cd0a9d4ce

SHA1
4cfd75b27373add0150df06200199bf08feb8515

SHA256
46899c52cad0e1718a223858841c119f62fc4614ee2b56057ddb5985840149cd

SHA512
17efda7cd120a69bc78ef833b691733e16b515f33725e1959bd651133d28f1e555a1373128c27d741ce94c08786ad4938b2a0f4ca6bc4363186b96e432412981

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\DisableBackup.bmp

Filesize
312KB

MD5
19ee92c3fccb1eb777269173b233d65f

SHA1
5a27404762e1a7c95ccbde0c0d128078e30f7058

SHA256
910d0293033ed1a338401e16a316b38a07606fe40504390d6230eea6f83ce5ad

SHA512
cf241feae95e90f676785a9a2fc4ff9d04727609a9a67f8a0c19b478ac404e986baedcdd6d258abd6449a9ef73e7ec18a303023fdb4a5370541fe2921172c68e

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\InitializeDeny.zip

Filesize
252KB

MD5
f82edd55ac239d0c6f275cf667cb7e10

SHA1
0cdc26208e85e2490378cff5fcac491fc38d0e94

SHA256
d6966e3d3585c3847c35d093040ff2b8b331a327951d0d16e4edf2c69246f182

SHA512
e16d1e234a0152ddc1ca533365847ce5dc3e77b650520de451127f4b9592c638663bb01960c6bbab2110e133ca68eb708cf6b45667ff14313ff008ef87eb2ea5

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\MoveRestore.zip

Filesize
199KB

MD5
64a5180b759d36e7bff02377402c22c6

SHA1
2483424cde0118c36dddc72ec36b5dc6834227bf

SHA256
593f65a7ffcf70893284dfd1b37f75e8300c222ffe4da8c2f5791753ef07cf9d

SHA512
8c43128fb3450ace9e815380757f182a62e1cc15d6d1b053e38146692e2fffbc9ed81b8bf04b1dfc5f8ff3affa2f6e399c4f23bcd7bdb658e3485caaaf6c709f

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\SubmitSkip.csv

Filesize
182KB

MD5
8cf93a3a959f57faa8cc5e442095eed2

SHA1
deb463fb8f8e15b43c4b2e5053e3a9f36a452195

SHA256
c929bb14fdfae502f25b2babb3c6bad457846274e81e0b1fd840624a9c7c0e77

SHA512
f99436a76005d1eaceb1f7aebac45406c4fa9d78a57df3121acd9d19c1e18fbd605de34efa9cc1b0ba5ae2c7ba70c0182cc7e2441c7a0d794c139d891323212c

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\UnprotectResize.doc

Filesize
451KB

MD5
7f62f2ebd0431b49d7f026423e09dc44

SHA1
ccf91d483b71d6bfa422473d8a9f6a5f8c9fc07f

SHA256
9eda74203ba1253d2f71e2daaf65a139888016c002591529b66e98ca004435d9

SHA512
d842e788a7241e869909d7574b8e00632106bd52cfb3630c5ad3b27fdc1c278eee5bc639d94e65d87a14203cea5507c4fb28d28a181862660e30db1b366a63b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\BackupSkip.ods

Filesize
384KB

MD5
10d2b6f793504dd5f27c02c2f5495e43

SHA1
bf41d1871c566e43ae00dfb21058495700feadb0

SHA256
c31659bcb85afaf6ca34faaa33dd071b955783c78943dabfe5cea70dd5a2e5d0

SHA512
5275faa8171bc075fe9b78d204f8c75fd527f46c6aab5efbc6814791affc0f3fe97ae03d20a59686f268595b6cefeab8d2fd2d3edc11e149a5e504c011d91b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\EnableReset.jpeg

Filesize
1.6MB

MD5
404e1a6bec5787ae3cdc8e5d8c082552

SHA1
ddf11f91f11d6a9b3181fbda6e4120980904c465

SHA256
2f43675e486162db4c555c0bd691b949edbebbb2a0aec220ce1ac1cc30d9d76c

SHA512
f7e201cfbb7edd8a5574d4f47c724ebd53394459bec9cef0c46e7f3db74cd05b0fd12adab779a9698f4ec39c82edf804e9f5e888ea466c31bd7f0a93d071a8fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\ReadUnblock.jpg

Filesize
885KB

MD5
c118e566a62aaebb623157ffe7893e20

SHA1
cbc6c188af22153e42804c253f422cecd43da11d

SHA256
4d2983af840ca80139f723dec5aa1874f04605e3b3d4dc08dc3ef2c8ba642c3c

SHA512
bd11cb9e84dd6f2569e960d741fe92592c95500293b9c2f4d893068faae084c88c89b61f177c98aa02e45bc7ff7a7a6ea208b16687f9d127b70f08bae50408c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\ResetStart.jpeg

Filesize
1.0MB

MD5
b628b139d9f53484d4d77b145db871a8

SHA1
10a7c0f1bbafcd86c5c458de2a63bf68da1d35f4

SHA256
be220519c64b4cb0f985127efae1e40f267745991f0011056f65d5729298e04a

SHA512
b97583c7a14e519fab21efc08e662144a2c2d66529ba9b03562404e67b2c5ba9dfd3cdb31b2cb6a6f300c0ecc428eea09d463541c1685a2a1c8b7dd2d8096f4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\RestoreConnect.png

Filesize
748KB

MD5
bc57b063befaba047d8bf34cd7b1facb

SHA1
441a024bb6d691faec5adfb15616574f2887cace

SHA256
109e6c780c50df6a6efeb47a71e134f2a23fdc4e4940087b3a89970fd9bfb1f6

SHA512
5d1cf6a425923b600d35910ed01b39f350e3e2d66f1dfbc738aa7b0700371f719de95de2d8367653205eb89758d41f2e07b6ef2c64d813454184f6e43f1eb0c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34682\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34682\_bz2.pyd

Filesize
46KB

MD5
80c69a1d87f0c82d6c4268e5a8213b78

SHA1
bae059da91d48eaac4f1bb45ca6feee2c89a2c06

SHA256
307359f1b2552b60839385eb63d74cbfe75cd5efdb4e7cd0bb7d296fa67d8a87

SHA512
542cf4ba19dd6a91690340779873e0cb8864b28159f55917f98a192ff9c449aba2d617e9b2b3932ddfeee13021706577ab164e5394e0513fe4087af6bc39d40d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34682\_ctypes.pyd

Filesize
57KB

MD5
b4c41a4a46e1d08206c109ce547480c7

SHA1
9588387007a49ec2304160f27376aedca5bc854d

SHA256
9925ab71a4d74ce0ccc036034d422782395dd496472bd2d7b6d617f4d6ddc1f9

SHA512
30debb8e766b430a57f3f6649eeb04eb0aad75ab50423252585db7e28a974d629eb81844a05f5cb94c1702308d3feda7a7a99cb37458e2acb8e87efc486a1d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34682\_lzma.pyd

Filesize
84KB

MD5
bfca96ed7647b31dd2919bedebb856b8

SHA1
7d802d5788784f8b6bfbb8be491c1f06600737ac

SHA256
032b1a139adcff84426b6e156f9987b501ad42ecfb18170b10fb54da0157392e

SHA512
3a2926b79c90c3153c88046d316a081c8ddfb181d5f7c849ea6ae55cb13c6adba3a0434f800c4a30017d2fbab79d459432a2e88487914b54a897c4301c778551

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-console-l1-1-0.dll

Filesize
21KB

MD5
e8b9d74bfd1f6d1cc1d99b24f44da796

SHA1
a312cfc6a7ed7bf1b786e5b3fd842a7eeb683452

SHA256
b1b3fd40ab437a43c8db4994ccffc7f88000cc8bb6e34a2bcbff8e2464930c59

SHA512
b74d9b12b69db81a96fc5a001fd88c1e62ee8299ba435e242c5cb2ce446740ed3d8a623e1924c2bc07bfd9aef7b2577c9ec8264e53e5be625f4379119bafcc27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-datetime-l1-1-0.dll

Filesize
21KB

MD5
cfe0c1dfde224ea5fed9bd5ff778a6e0

SHA1
5150e7edd1293e29d2e4d6bb68067374b8a07ce6

SHA256
0d0f80cbf476af5b1c9fd3775e086ed0dfdb510cd0cc208ec1ccb04572396e3e

SHA512
b0e02e1f19cfa7de3693d4d63e404bdb9d15527ac85a6d492db1128bb695bffd11bec33d32f317a7615cb9a820cd14f9f8b182469d65af2430ffcdbad4bd7000

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-debug-l1-1-0.dll

Filesize
21KB

MD5
33bbece432f8da57f17bf2e396ebaa58

SHA1
890df2dddfdf3eeccc698312d32407f3e2ec7eb1

SHA256
7cf0944901f7f7e0d0b9ad62753fc2fe380461b1cce8cdc7e9c9867c980e3b0e

SHA512
619b684e83546d97fc1d1bc7181ad09c083e880629726ee3af138a9e4791a6dcf675a8df65dc20edbe6465b5f4eac92a64265df37e53a5f34f6be93a5c2a7ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
21KB

MD5
eb0978a9213e7f6fdd63b2967f02d999

SHA1
9833f4134f7ac4766991c918aece900acfbf969f

SHA256
ab25a1fe836fc68bcb199f1fe565c27d26af0c390a38da158e0d8815efe1103e

SHA512
6f268148f959693ee213db7d3db136b8e3ad1f80267d8cbd7d5429c021adaccc9c14424c09d527e181b9c9b5ea41765aff568b9630e4eb83bfc532e56dfe5b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-file-l1-1-0.dll

Filesize
25KB

MD5
efad0ee0136532e8e8402770a64c71f9

SHA1
cda3774fe9781400792d8605869f4e6b08153e55

SHA256
3d2c55902385381869db850b526261ddeb4628b83e690a32b67d2e0936b2c6ed

SHA512
69d25edf0f4c8ac5d77cb5815dfb53eac7f403dc8d11bfe336a545c19a19ffde1031fa59019507d119e4570da0d79b95351eac697f46024b4e558a0ff6349852

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
1c58526d681efe507deb8f1935c75487

SHA1
0e6d328faf3563f2aae029bc5f2272fb7a742672

SHA256
ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

SHA512
8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-handle-l1-1-0.dll

Filesize
21KB

MD5
e89cdcd4d95cda04e4abba8193a5b492

SHA1
5c0aee81f32d7f9ec9f0650239ee58880c9b0337

SHA256
1a489e0606484bd71a0d9cb37a1dc6ca8437777b3d67bfc8c0075d0cc59e6238

SHA512
55d01e68c8c899e99a3c62c2c36d6bcb1a66ff6ecd2636d2d0157409a1f53a84ce5d6f0c703d5ed47f8e9e2d1c9d2d87cc52585ee624a23d92183062c999b97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-heap-l1-1-0.dll

Filesize
21KB

MD5
accc640d1b06fb8552fe02f823126ff5

SHA1
82ccc763d62660bfa8b8a09e566120d469f6ab67

SHA256
332ba469ae84aa72ec8cce2b33781db1ab81a42ece5863f7a3cb5a990059594f

SHA512
6382302fb7158fc9f2be790811e5c459c5c441f8caee63df1e09b203b8077a27e023c4c01957b252ac8ac288f8310bcee5b4dcc1f7fc691458b90cdfaa36dcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
21KB

MD5
c6024cc04201312f7688a021d25b056d

SHA1
48a1d01ae8bc90f889fb5f09c0d2a0602ee4b0fd

SHA256
8751d30df554af08ef42d2faa0a71abcf8c7d17ce9e9ff2ea68a4662603ec500

SHA512
d86c773416b332945acbb95cbe90e16730ef8e16b7f3ccd459d7131485760c2f07e95951aeb47c1cf29de76affeb1c21bdf6d8260845e32205fe8411ed5efa47

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
21KB

MD5
1f2a00e72bc8fa2bd887bdb651ed6de5

SHA1
04d92e41ce002251cc09c297cf2b38c4263709ea

SHA256
9c8a08a7d40b6f697a21054770f1afa9ffb197f90ef1eee77c67751df28b7142

SHA512
8cf72df019f9fc9cd22ff77c37a563652becee0708ff5c6f1da87317f41037909e64dcbdcc43e890c5777e6bcfa4035a27afc1aeeb0f5deba878e3e9aef7b02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
724223109e49cb01d61d63a8be926b8f

SHA1
072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

SHA256
4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

SHA512
19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-memory-l1-1-0.dll

Filesize
21KB

MD5
3c38aac78b7ce7f94f4916372800e242

SHA1
c793186bcf8fdb55a1b74568102b4e073f6971d6

SHA256
3f81a149ba3862776af307d5c7feef978f258196f0a1bf909da2d3f440ff954d

SHA512
c2746aa4342c6afffbd174819440e1bbf4371a7fed29738801c75b49e2f4f94fd6d013e002bad2aadafbc477171b8332c8c5579d624684ef1afbfde9384b8588

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
21KB

MD5
321a3ca50e80795018d55a19bf799197

SHA1
df2d3c95fb4cbb298d255d342f204121d9d7ef7f

SHA256
5476db3a4fecf532f96d48f9802c966fdef98ec8d89978a79540cb4db352c15f

SHA512
3ec20e1ac39a98cb5f726d8390c2ee3cd4cd0bf118fdda7271f7604a4946d78778713b675d19dd3e1ec1d6d4d097abe9cd6d0f76b3a7dff53ce8d6dbc146870a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
21KB

MD5
0462e22f779295446cd0b63e61142ca5

SHA1
616a325cd5b0971821571b880907ce1b181126ae

SHA256
0b6b598ec28a9e3d646f2bb37e1a57a3dda069a55fba86333727719585b1886e

SHA512
07b34dca6b3078f7d1e8ede5c639f697c71210dcf9f05212fd16eb181ab4ac62286bc4a7ce0d84832c17f5916d0224d1e8aab210ceeff811fc6724c8845a74fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
21KB

MD5
c3632083b312c184cbdd96551fed5519

SHA1
a93e8e0af42a144009727d2decb337f963a9312e

SHA256
be8d78978d81555554786e08ce474f6af1de96fcb7fa2f1ce4052bc80c6b2125

SHA512
8807c2444a044a3c02ef98cf56013285f07c4a1f7014200a21e20fcb995178ba835c30ac3889311e66bc61641d6226b1ff96331b019c83b6fcc7c87870cce8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
517eb9e2cb671ae49f99173d7f7ce43f

SHA1
4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab

SHA256
57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54

SHA512
492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-profile-l1-1-0.dll

Filesize
21KB

MD5
f3ff2d544f5cd9e66bfb8d170b661673

SHA1
9e18107cfcd89f1bbb7fdaf65234c1dc8e614add

SHA256
e1c5d8984a674925fa4afbfe58228be5323fe5123abcd17ec4160295875a625f

SHA512
184b09c77d079127580ef80eb34bded0f5e874cefbe1c5f851d86861e38967b995d859e8491fcc87508930dc06c6bbf02b649b3b489a1b138c51a7d4b4e7aaad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
21KB

MD5
a0c2dbe0f5e18d1add0d1ba22580893b

SHA1
29624df37151905467a223486500ed75617a1dfd

SHA256
3c29730df2b28985a30d9c82092a1faa0ceb7ffc1bd857d1ef6324cf5524802f

SHA512
3e627f111196009380d1687e024e6ffb1c0dcf4dcb27f8940f17fec7efdd8152ff365b43cb7fdb31de300955d6c15e40a2c8fb6650a91706d7ea1c5d89319b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-string-l1-1-0.dll

Filesize
21KB

MD5
2666581584ba60d48716420a6080abda

SHA1
c103f0ea32ebbc50f4c494bce7595f2b721cb5ad

SHA256
27e9d3e7c8756e4512932d674a738bf4c2969f834d65b2b79c342a22f662f328

SHA512
befed15f11a0550d2859094cc15526b791dadea12c2e7ceb35916983fb7a100d89d638fb1704975464302fae1e1a37f36e01e4bef5bc4924ab8f3fd41e60bd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-synch-l1-1-0.dll

Filesize
21KB

MD5
225d9f80f669ce452ca35e47af94893f

SHA1
37bd0ffc8e820247bd4db1c36c3b9f9f686bbd50

SHA256
61c0ebe60ce6ebabcb927ddff837a9bf17e14cd4b4c762ab709e630576ec7232

SHA512
2f71a3471a9868f4d026c01e4258aff7192872590f5e5c66aabd3c088644d28629ba8835f3a4a23825631004b1afd440efe7161bb9fc7d7c69e0ee204813ca7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-synch-l1-2-0.dll

Filesize
21KB

MD5
1281e9d1750431d2fe3b480a8175d45c

SHA1
bc982d1c750b88dcb4410739e057a86ff02d07ef

SHA256
433bd8ddc4f79aee65ca94a54286d75e7d92b019853a883e51c2b938d2469baa

SHA512
a954e6ce76f1375a8beac51d751b575bbc0b0b8ba6aa793402b26404e45718165199c2c00ccbcba3783c16bdd96f0b2c17addcc619c39c8031becebef428ce77

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
21KB

MD5
fd46c3f6361e79b8616f56b22d935a53

SHA1
107f488ad966633579d8ec5eb1919541f07532ce

SHA256
0dc92e8830bc84337dcae19ef03a84ef5279cf7d4fdc2442c1bc25320369f9df

SHA512
3360b2e2a25d545ccd969f305c4668c6cda443bbdbd8a8356ffe9fbc2f70d90cf4540f2f28c9ed3eea6c9074f94e69746e7705e6254827e6a4f158a75d81065b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
d12403ee11359259ba2b0706e5e5111c

SHA1
03cc7827a30fd1dee38665c0cc993b4b533ac138

SHA256
f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781

SHA512
9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-core-util-l1-1-0.dll

Filesize
21KB

MD5
0f129611a4f1e7752f3671c9aa6ea736

SHA1
40c07a94045b17dae8a02c1d2b49301fad231152

SHA256
2e1f090aba941b9d2d503e4cd735c958df7bb68f1e9bdc3f47692e1571aaac2f

SHA512
6abc0f4878bb302713755a188f662c6fe162ea6267e5e1c497c9ba9fddbdaea4db050e322cb1c77d6638ecf1dad940b9ebc92c43acaa594040ee58d313cbcfae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-crt-conio-l1-1-0.dll

Filesize
21KB

MD5
d4fba5a92d68916ec17104e09d1d9d12

SHA1
247dbc625b72ffb0bf546b17fb4de10cad38d495

SHA256
93619259328a264287aee7c5b88f7f0ee32425d7323ce5dc5a2ef4fe3bed90d5

SHA512
d5a535f881c09f37e0adf3b58d41e123f527d081a1ebecd9a927664582ae268341771728dc967c30908e502b49f6f853eeaebb56580b947a629edc6bce2340d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-crt-convert-l1-1-0.dll

Filesize
25KB

MD5
edf71c5c232f5f6ef3849450f2100b54

SHA1
ed46da7d59811b566dd438fa1d09c20f5dc493ce

SHA256
b987ab40cdd950ebe7a9a9176b80b8fffc005ccd370bb1cbbcad078c1a506bdc

SHA512
481a3c8dc5bef793ee78ce85ec0f193e3e9f6cd57868b813965b312bd0fadeb5f4419707cd3004fbdb407652101d52e061ef84317e8bd458979443e9f8e4079a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34682\api-ms-win-crt-environment-l1-1-0.dll

Filesize
21KB

MD5
f9235935dd3ba2aa66d3aa3412accfbf

SHA1
281e548b526411bcb3813eb98462f48ffaf4b3eb

SHA256
2f6bd6c235e044755d5707bd560a6afc0ba712437530f76d11079d67c0cf3200

SHA512
ad0c0a7891fb8328f6f0cf1ddc97523a317d727c15d15498afa53c07610210d2610db4bc9bd25958d47adc1af829ad4d7cf8aabcab3625c783177ccdb7714246

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34682\base_library.zip

Filesize
1.4MB

MD5
9836732a064983e8215e2e26e5b66974

SHA1
02e9a46f5a82fa5de6663299512ca7cd03777d65

SHA256
3dfe7d63f90833e0f3de22f450ed5ee29858bb12fe93b41628afe85657a3b61f

SHA512
1435ba9bc8d35a9336dee5db06944506953a1bcf340e9bdad834828170ce826dcfb1fa80274cd9df667e47b83348139b38ab317055a5a3e6824df15adf8a4d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34682\libffi-8.dll

Filesize
24KB

MD5
decbba3add4c2246928ab385fb16a21e

SHA1
5f019eff11de3122ffa67a06d52d446a3448b75e

SHA256
4b43c1e42f6050ddb8e184c8ec4fb1de4a6001e068ece8e6ad47de0cc9fd4a2d

SHA512
760a42a3eb3ca13fa7b95d3bd0f411c270594ae3cf1d3cda349fa4f8b06ebe548b60cd438d68e2da37de0bc6f1c711823f5e917da02ed7047a45779ee08d7012

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34682\python3.DLL

Filesize
64KB

MD5
34e49bb1dfddf6037f0001d9aefe7d61

SHA1
a25a39dca11cdc195c9ecd49e95657a3e4fe3215

SHA256
4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281

SHA512
edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34682\python311.dll

Filesize
1.6MB

MD5
db09c9bbec6134db1766d369c339a0a1

SHA1
c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b

SHA256
b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79

SHA512
653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34682\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI34682\wheel-0.45.1.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ommgawjr.lky.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 964199.crdownload

Filesize
14.0MB

MD5
12a46842c9cb6cd2171007fc1052f6e9

SHA1
dea2cd7f181c15eb686dcb69deb944f51eda7498

SHA256
bb1f5b80ed0a3acfca1dabf4f601bfb2ea237343d0480616ebe8ab81cfd0e386

SHA512
7c727aab1a0ed0fae666b0deeaa95d6b940f288cd5d2ca7359de09b8642ebe0814eaa87a9efa300a8c90f3d50515bbefce43c508d8787a77d2756d8440273132

Download Submit
memory/4020-402-0x00007FFC734B0000-0x00007FFC734C5000-memory.dmp

Filesize
84KB

Download
memory/4020-292-0x00007FFC724C0000-0x00007FFC724DE000-memory.dmp

Filesize
120KB

Download
memory/4020-293-0x00007FFC71B60000-0x00007FFC7235B000-memory.dmp

Filesize
8.0MB

Download
memory/4020-296-0x00007FFC72480000-0x00007FFC724B7000-memory.dmp

Filesize
220KB

Download
memory/4020-295-0x00007FFC725B0000-0x00007FFC726CC000-memory.dmp

Filesize
1.1MB

Download
memory/4020-294-0x00007FFC72360000-0x00007FFC72382000-memory.dmp

Filesize
136KB

Download
memory/4020-289-0x00007FFC724E0000-0x00007FFC72512000-memory.dmp

Filesize
200KB

Download
memory/4020-290-0x00007FFC866F0000-0x00007FFC866FA000-memory.dmp

Filesize
40KB

Download
memory/4020-325-0x00007FFC72CE0000-0x00007FFC72CFB000-memory.dmp

Filesize
108KB

Download
memory/4020-330-0x00007FFC72590000-0x00007FFC725A9000-memory.dmp

Filesize
100KB

Download
memory/4020-291-0x00007FFC734B0000-0x00007FFC734C5000-memory.dmp

Filesize
84KB

Download
memory/4020-381-0x00007FFC72540000-0x00007FFC7258D000-memory.dmp

Filesize
308KB

Download
memory/4020-386-0x00007FFC724E0000-0x00007FFC72512000-memory.dmp

Filesize
200KB

Download
memory/4020-416-0x00007FFC866F0000-0x00007FFC866FA000-memory.dmp

Filesize
40KB

Download
memory/4020-415-0x00007FFC72480000-0x00007FFC724B7000-memory.dmp

Filesize
220KB

Download
memory/4020-398-0x00007FFC72850000-0x00007FFC72908000-memory.dmp

Filesize
736KB

Download
memory/4020-394-0x00007FFC86A80000-0x00007FFC86A8D000-memory.dmp

Filesize
52KB

Download
memory/4020-388-0x00007FFC73560000-0x00007FFC73584000-memory.dmp

Filesize
144KB

Download
memory/4020-414-0x00007FFC71B60000-0x00007FFC7235B000-memory.dmp

Filesize
8.0MB

Download
memory/4020-409-0x00007FFC72540000-0x00007FFC7258D000-memory.dmp

Filesize
308KB

Download
memory/4020-408-0x00007FFC72590000-0x00007FFC725A9000-memory.dmp

Filesize
100KB

Download
memory/4020-403-0x00007FFC723B0000-0x00007FFC723C2000-memory.dmp

Filesize
72KB

Download
memory/4020-288-0x00007FFC726D0000-0x00007FFC72843000-memory.dmp

Filesize
1.4MB

Download
memory/4020-401-0x00007FFC726D0000-0x00007FFC72843000-memory.dmp

Filesize
1.4MB

Download
memory/4020-397-0x00007FFC72D70000-0x00007FFC72D9E000-memory.dmp

Filesize
184KB

Download
memory/4020-396-0x00007FFC72910000-0x00007FFC72C85000-memory.dmp

Filesize
3.5MB

Download
memory/4020-387-0x00007FFC72DC0000-0x00007FFC733A8000-memory.dmp

Filesize
5.9MB

Download
memory/4020-214-0x00007FFC72DC0000-0x00007FFC733A8000-memory.dmp

Filesize
5.9MB

Download
memory/4020-222-0x00007FFC73560000-0x00007FFC73584000-memory.dmp

Filesize
144KB

Download
memory/4020-225-0x00007FFC86E10000-0x00007FFC86E1F000-memory.dmp

Filesize
60KB

Download
memory/4020-230-0x00007FFC73510000-0x00007FFC7353D000-memory.dmp

Filesize
180KB

Download
memory/4020-228-0x00007FFC73540000-0x00007FFC73559000-memory.dmp

Filesize
100KB

Download
memory/4020-259-0x00007FFC734F0000-0x00007FFC73509000-memory.dmp

Filesize
100KB

Download
memory/4020-260-0x00007FFC86C40000-0x00007FFC86C4D000-memory.dmp

Filesize
52KB

Download
memory/4020-261-0x00007FFC86A80000-0x00007FFC86A8D000-memory.dmp

Filesize
52KB

Download
memory/4020-262-0x00007FFC734D0000-0x00007FFC734E4000-memory.dmp

Filesize
80KB

Download
memory/4020-263-0x00007FFC72910000-0x00007FFC72C85000-memory.dmp

Filesize
3.5MB

Download
memory/4020-270-0x00007FFC73560000-0x00007FFC73584000-memory.dmp

Filesize
144KB

Download
memory/4020-269-0x00007FFC72850000-0x00007FFC72908000-memory.dmp

Filesize
736KB

Download
memory/4020-271-0x00007FFC72D30000-0x00007FFC72D65000-memory.dmp

Filesize
212KB

Download
memory/4020-267-0x00007FFC72DC0000-0x00007FFC733A8000-memory.dmp

Filesize
5.9MB

Download
memory/4020-268-0x00007FFC72D70000-0x00007FFC72D9E000-memory.dmp

Filesize
184KB

Download
memory/4020-273-0x00007FFC726D0000-0x00007FFC72843000-memory.dmp

Filesize
1.4MB

Download
memory/4020-272-0x00007FFC72D00000-0x00007FFC72D23000-memory.dmp

Filesize
140KB

Download
memory/4020-275-0x00007FFC734B0000-0x00007FFC734C5000-memory.dmp

Filesize
84KB

Download
memory/4020-274-0x00007FFC734F0000-0x00007FFC73509000-memory.dmp

Filesize
100KB

Download
memory/4020-278-0x00007FFC72390000-0x00007FFC723A4000-memory.dmp

Filesize
80KB

Download
memory/4020-277-0x00007FFC723B0000-0x00007FFC723C2000-memory.dmp

Filesize
72KB

Download
memory/4020-276-0x00007FFC86C40000-0x00007FFC86C4D000-memory.dmp

Filesize
52KB

Download
memory/4020-280-0x00007FFC72910000-0x00007FFC72C85000-memory.dmp

Filesize
3.5MB

Download
memory/4020-283-0x00007FFC72CE0000-0x00007FFC72CFB000-memory.dmp

Filesize
108KB

Download
memory/4020-279-0x00007FFC734D0000-0x00007FFC734E4000-memory.dmp

Filesize
80KB

Download
memory/4020-282-0x00007FFC725B0000-0x00007FFC726CC000-memory.dmp

Filesize
1.1MB

Download
memory/4020-281-0x00007FFC72360000-0x00007FFC72382000-memory.dmp

Filesize
136KB

Download
memory/4020-284-0x00007FFC72590000-0x00007FFC725A9000-memory.dmp

Filesize
100KB

Download
memory/4020-285-0x00007FFC72540000-0x00007FFC7258D000-memory.dmp

Filesize
308KB

Download
memory/4020-286-0x00007FFC72D00000-0x00007FFC72D23000-memory.dmp

Filesize
140KB

Download
memory/4020-287-0x00007FFC72520000-0x00007FFC72531000-memory.dmp

Filesize
68KB

Download
memory/5168-380-0x00000229E1180000-0x00000229E11A2000-memory.dmp

Filesize
136KB

Download
memory/5348-556-0x00007FFC764C0000-0x00007FFC764D1000-memory.dmp

Filesize
68KB

Download
memory/5348-578-0x00007FFC85D30000-0x00007FFC85D53000-memory.dmp

Filesize
140KB

Download
memory/5348-559-0x00007FFC86AC0000-0x00007FFC86ACA000-memory.dmp

Filesize
40KB

Download
memory/5348-558-0x00007FFC766A0000-0x00007FFC76813000-memory.dmp

Filesize
1.4MB

Download
memory/5348-557-0x00007FFC76480000-0x00007FFC764B2000-memory.dmp

Filesize
200KB

Download
memory/5348-561-0x00007FFC76460000-0x00007FFC7647E000-memory.dmp

Filesize
120KB

Download
memory/5348-562-0x00007FFC71360000-0x00007FFC71B5B000-memory.dmp

Filesize
8.0MB

Download
memory/5348-564-0x00007FFC76420000-0x00007FFC76457000-memory.dmp

Filesize
220KB

Download
memory/5348-563-0x00007FFC76670000-0x00007FFC76692000-memory.dmp

Filesize
136KB

Download
memory/5348-579-0x00007FFC766A0000-0x00007FFC76813000-memory.dmp

Filesize
1.4MB

Download
memory/5348-577-0x00007FFC85D60000-0x00007FFC85D95000-memory.dmp

Filesize
212KB

Download
memory/5348-567-0x00007FFC86AD0000-0x00007FFC86ADF000-memory.dmp

Filesize
60KB

Download
memory/5348-602-0x00007FFC86030000-0x00007FFC86044000-memory.dmp

Filesize
80KB

Download
memory/5348-601-0x00007FFC86700000-0x00007FFC8670D000-memory.dmp

Filesize
52KB

Download
memory/5348-600-0x00007FFC86760000-0x00007FFC8676D000-memory.dmp

Filesize
52KB

Download
memory/5348-599-0x00007FFC86050000-0x00007FFC86069000-memory.dmp

Filesize
100KB

Download
memory/5348-598-0x00007FFC86170000-0x00007FFC8619D000-memory.dmp

Filesize
180KB

Download
memory/5348-597-0x00007FFC861A0000-0x00007FFC861B9000-memory.dmp

Filesize
100KB

Download
memory/5348-596-0x00007FFC86770000-0x00007FFC86794000-memory.dmp

Filesize
144KB

Download
memory/5348-595-0x00007FFC76C60000-0x00007FFC77248000-memory.dmp

Filesize
5.9MB

Download
memory/5348-594-0x00007FFC76820000-0x00007FFC768D8000-memory.dmp

Filesize
736KB

Download
memory/5348-593-0x00007FFC76420000-0x00007FFC76457000-memory.dmp

Filesize
220KB

Download
memory/5348-592-0x00007FFC71360000-0x00007FFC71B5B000-memory.dmp

Filesize
8.0MB

Download
memory/5348-591-0x00007FFC76460000-0x00007FFC7647E000-memory.dmp

Filesize
120KB

Download
memory/5348-590-0x00007FFC86AC0000-0x00007FFC86ACA000-memory.dmp

Filesize
40KB

Download
memory/5348-589-0x00007FFC76480000-0x00007FFC764B2000-memory.dmp

Filesize
200KB

Download
memory/5348-588-0x00007FFC764C0000-0x00007FFC764D1000-memory.dmp

Filesize
68KB

Download
memory/5348-587-0x00007FFC764E0000-0x00007FFC7652D000-memory.dmp

Filesize
308KB

Download
memory/5348-586-0x00007FFC76530000-0x00007FFC76549000-memory.dmp

Filesize
100KB

Download
memory/5348-585-0x00007FFC77C30000-0x00007FFC77C4B000-memory.dmp

Filesize
108KB

Download
memory/5348-584-0x00007FFC76550000-0x00007FFC7666C000-memory.dmp

Filesize
1.1MB

Download
memory/5348-583-0x00007FFC76670000-0x00007FFC76692000-memory.dmp

Filesize
136KB

Download
memory/5348-582-0x00007FFC77C50000-0x00007FFC77C64000-memory.dmp

Filesize
80KB

Download
memory/5348-581-0x00007FFC85D10000-0x00007FFC85D22000-memory.dmp

Filesize
72KB

Download
memory/5348-580-0x00007FFC86010000-0x00007FFC86025000-memory.dmp

Filesize
84KB

Download
memory/5348-560-0x00007FFC86010000-0x00007FFC86025000-memory.dmp

Filesize
84KB

Download
memory/5348-575-0x00007FFC85EB0000-0x00007FFC85EDE000-memory.dmp

Filesize
184KB

Download
memory/5348-574-0x00007FFC768E0000-0x00007FFC76C55000-memory.dmp

Filesize
3.5MB

Download
memory/5348-555-0x00007FFC85D30000-0x00007FFC85D53000-memory.dmp

Filesize
140KB

Download
memory/5348-552-0x00007FFC76820000-0x00007FFC768D8000-memory.dmp

Filesize
736KB

Download
memory/5348-553-0x00007FFC76530000-0x00007FFC76549000-memory.dmp

Filesize
100KB

Download
memory/5348-554-0x00007FFC764E0000-0x00007FFC7652D000-memory.dmp

Filesize
308KB

Download
memory/5348-548-0x00007FFC768E0000-0x00007FFC76C55000-memory.dmp

Filesize
3.5MB

Download
memory/5348-550-0x00007FFC85EB0000-0x00007FFC85EDE000-memory.dmp

Filesize
184KB

Download
memory/5348-551-0x00007FFC77C30000-0x00007FFC77C4B000-memory.dmp

Filesize
108KB

Download
memory/5348-549-0x00007FFC76550000-0x00007FFC7666C000-memory.dmp

Filesize
1.1MB

Download
memory/5348-546-0x00007FFC86030000-0x00007FFC86044000-memory.dmp

Filesize
80KB

Download
memory/5348-547-0x00007FFC76670000-0x00007FFC76692000-memory.dmp

Filesize
136KB

Download
memory/5348-544-0x00007FFC85D10000-0x00007FFC85D22000-memory.dmp

Filesize
72KB

Download
memory/5348-545-0x00007FFC77C50000-0x00007FFC77C64000-memory.dmp

Filesize
80KB

Download
memory/5348-543-0x00007FFC86010000-0x00007FFC86025000-memory.dmp

Filesize
84KB

Download
memory/5348-542-0x00007FFC86050000-0x00007FFC86069000-memory.dmp

Filesize
100KB

Download
memory/5348-535-0x00007FFC85EB0000-0x00007FFC85EDE000-memory.dmp

Filesize
184KB

Download
memory/5348-536-0x00007FFC76820000-0x00007FFC768D8000-memory.dmp

Filesize
736KB

Download
memory/5348-537-0x00007FFC76C60000-0x00007FFC77248000-memory.dmp

Filesize
5.9MB

Download
memory/5348-538-0x00007FFC85D60000-0x00007FFC85D95000-memory.dmp

Filesize
212KB

Download
memory/5348-541-0x00007FFC766A0000-0x00007FFC76813000-memory.dmp

Filesize
1.4MB

Download
memory/5348-540-0x00007FFC86170000-0x00007FFC8619D000-memory.dmp

Filesize
180KB

Download
memory/5348-539-0x00007FFC85D30000-0x00007FFC85D53000-memory.dmp

Filesize
140KB

Download
memory/5348-534-0x00007FFC768E0000-0x00007FFC76C55000-memory.dmp

Filesize
3.5MB

Download
memory/5348-533-0x00007FFC86030000-0x00007FFC86044000-memory.dmp

Filesize
80KB

Download
memory/5348-532-0x00007FFC86700000-0x00007FFC8670D000-memory.dmp

Filesize
52KB

Download
memory/5348-531-0x00007FFC86760000-0x00007FFC8676D000-memory.dmp

Filesize
52KB

Download
memory/5348-530-0x00007FFC86050000-0x00007FFC86069000-memory.dmp

Filesize
100KB

Download
memory/5348-529-0x00007FFC86170000-0x00007FFC8619D000-memory.dmp

Filesize
180KB

Download
memory/5348-526-0x00007FFC86770000-0x00007FFC86794000-memory.dmp

Filesize
144KB

Download
memory/5348-528-0x00007FFC86AD0000-0x00007FFC86ADF000-memory.dmp

Filesize
60KB

Download
memory/5348-527-0x00007FFC861A0000-0x00007FFC861B9000-memory.dmp

Filesize
100KB

Download
memory/5348-525-0x00007FFC76C60000-0x00007FFC77248000-memory.dmp

Filesize
5.9MB

Download