exelastealer | hxxps://cdn[.]discordapp[.]com/attachments/1319753874122346568/1323318729274036265/otp[.]exe?ex=6774141b&is=6772c29b&hm=3ee56f5ed8a609d23d2ce4c7d28c664c96bc18b1c7fbfe85ce9b7f3662303198&

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
30-12-2024 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1319753874122346568/1323318729274036265/otp.exe?ex=6774141b&is=6772c29b&hm=3ee56f5ed8a609d23d2ce4c7d28c664c96bc18b1c7fbfe85ce9b7f3662303198&

Score

10^/10

exelastealer collection defense_evasion discovery evasion persistence privilege_escalation spyware stealer

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4848	netsh.exe
232	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
5400	cmd.exe
1844	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
3464	otp.exe
5188	Stub.exe
3168	otp.exe
2776	Stub.exe
4296	otp.exe
5752	Stub.exe
5708	otp.exe
6056	Stub.exe
5336	otp.exe
3604	Stub.exe

Loads dropped DLL 64 IoCs

pid	Process
5188	Stub.exe
5188	Stub.exe
5188	Stub.exe
5188	Stub.exe
5188	Stub.exe
5188	Stub.exe
5188	Stub.exe
5188	Stub.exe
5188	Stub.exe
5188	Stub.exe
5188	Stub.exe
5188	Stub.exe
5188	Stub.exe
5188	Stub.exe
5188	Stub.exe
5188	Stub.exe
5188	Stub.exe
5188	Stub.exe
5188	Stub.exe
5188	Stub.exe
5188	Stub.exe
5188	Stub.exe
5188	Stub.exe
5188	Stub.exe
5188	Stub.exe
5188	Stub.exe
5188	Stub.exe
2776	Stub.exe
2776	Stub.exe
2776	Stub.exe
2776	Stub.exe
2776	Stub.exe
2776	Stub.exe
2776	Stub.exe
2776	Stub.exe
2776	Stub.exe
2776	Stub.exe
2776	Stub.exe
2776	Stub.exe
2776	Stub.exe
2776	Stub.exe
2776	Stub.exe
2776	Stub.exe
2776	Stub.exe
2776	Stub.exe
2776	Stub.exe
2776	Stub.exe
2776	Stub.exe
2776	Stub.exe
2776	Stub.exe
2776	Stub.exe
2776	Stub.exe
2776	Stub.exe
5752	Stub.exe
5752	Stub.exe
5752	Stub.exe
5752	Stub.exe
5752	Stub.exe
5752	Stub.exe
5752	Stub.exe
5752	Stub.exe
5752	Stub.exe
5752	Stub.exe
5752	Stub.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
114	raw.githubusercontent.com
124	discord.com
56	discord.com
86	discord.com
113	discord.com
115	raw.githubusercontent.com
45	discord.com
46	discord.com
49	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
43	ipinfo.io
44	ipinfo.io
63	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
1160	cmd.exe
1872	ARP.EXE

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
3016	tasklist.exe
5808	tasklist.exe
6108	tasklist.exe
5332	tasklist.exe
1520	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5148	cmd.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4432	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral1/files/0x0007000000023ca3-164.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
5048	cmd.exe
936	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
4356	NETSTAT.EXE

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
3384	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5744	WMIC.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4356	NETSTAT.EXE
4948	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
976	systeminfo.exe

Kills process with taskkill 10 IoCs

evasion

pid	Process
5788	taskkill.exe
4980	taskkill.exe
5212	taskkill.exe
5836	taskkill.exe
5532	taskkill.exe
5724	taskkill.exe
5640	taskkill.exe
5944	taskkill.exe
6140	taskkill.exe
5392	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133800479010542620"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 88573.crdownload:SmartScreen	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2264	msedge.exe
2264	msedge.exe
3924	msedge.exe
3924	msedge.exe
2468	identity_helper.exe
2468	identity_helper.exe
1512	msedge.exe
1512	msedge.exe
1844	powershell.exe
1844	powershell.exe
1844	powershell.exe
5668	chrome.exe
5668	chrome.exe
2212	msedge.exe
2212	msedge.exe
5772	msedge.exe
5772	msedge.exe
5832	identity_helper.exe
5832	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 19 IoCs

pid	Process
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5744	WMIC.exe
Token: SeSecurityPrivilege	5744	WMIC.exe
Token: SeTakeOwnershipPrivilege	5744	WMIC.exe
Token: SeLoadDriverPrivilege	5744	WMIC.exe
Token: SeSystemProfilePrivilege	5744	WMIC.exe
Token: SeSystemtimePrivilege	5744	WMIC.exe
Token: SeProfSingleProcessPrivilege	5744	WMIC.exe
Token: SeIncBasePriorityPrivilege	5744	WMIC.exe
Token: SeCreatePagefilePrivilege	5744	WMIC.exe
Token: SeBackupPrivilege	5744	WMIC.exe
Token: SeRestorePrivilege	5744	WMIC.exe
Token: SeShutdownPrivilege	5744	WMIC.exe
Token: SeDebugPrivilege	5744	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5744	WMIC.exe
Token: SeRemoteShutdownPrivilege	5744	WMIC.exe
Token: SeUndockPrivilege	5744	WMIC.exe
Token: SeManageVolumePrivilege	5744	WMIC.exe
Token: 33	5744	WMIC.exe
Token: 34	5744	WMIC.exe
Token: 35	5744	WMIC.exe
Token: 36	5744	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5768	WMIC.exe
Token: SeSecurityPrivilege	5768	WMIC.exe
Token: SeTakeOwnershipPrivilege	5768	WMIC.exe
Token: SeLoadDriverPrivilege	5768	WMIC.exe
Token: SeSystemProfilePrivilege	5768	WMIC.exe
Token: SeSystemtimePrivilege	5768	WMIC.exe
Token: SeProfSingleProcessPrivilege	5768	WMIC.exe
Token: SeIncBasePriorityPrivilege	5768	WMIC.exe
Token: SeCreatePagefilePrivilege	5768	WMIC.exe
Token: SeBackupPrivilege	5768	WMIC.exe
Token: SeRestorePrivilege	5768	WMIC.exe
Token: SeShutdownPrivilege	5768	WMIC.exe
Token: SeDebugPrivilege	5768	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5768	WMIC.exe
Token: SeRemoteShutdownPrivilege	5768	WMIC.exe
Token: SeUndockPrivilege	5768	WMIC.exe
Token: SeManageVolumePrivilege	5768	WMIC.exe
Token: 33	5768	WMIC.exe
Token: 34	5768	WMIC.exe
Token: 35	5768	WMIC.exe
Token: 36	5768	WMIC.exe
Token: SeDebugPrivilege	5808	tasklist.exe
Token: SeIncreaseQuotaPrivilege	5744	WMIC.exe
Token: SeSecurityPrivilege	5744	WMIC.exe
Token: SeTakeOwnershipPrivilege	5744	WMIC.exe
Token: SeLoadDriverPrivilege	5744	WMIC.exe
Token: SeSystemProfilePrivilege	5744	WMIC.exe
Token: SeSystemtimePrivilege	5744	WMIC.exe
Token: SeProfSingleProcessPrivilege	5744	WMIC.exe
Token: SeIncBasePriorityPrivilege	5744	WMIC.exe
Token: SeCreatePagefilePrivilege	5744	WMIC.exe
Token: SeBackupPrivilege	5744	WMIC.exe
Token: SeRestorePrivilege	5744	WMIC.exe
Token: SeShutdownPrivilege	5744	WMIC.exe
Token: SeDebugPrivilege	5744	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5744	WMIC.exe
Token: SeRemoteShutdownPrivilege	5744	WMIC.exe
Token: SeUndockPrivilege	5744	WMIC.exe
Token: SeManageVolumePrivilege	5744	WMIC.exe
Token: 33	5744	WMIC.exe
Token: 34	5744	WMIC.exe
Token: 35	5744	WMIC.exe
Token: 36	5744	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
3924	msedge.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5668	chrome.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe
5772	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3924 wrote to memory of 4248	3924	msedge.exe	82
PID 3924 wrote to memory of 4248	3924	msedge.exe	82
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 3016	3924	msedge.exe	83
PID 3924 wrote to memory of 2264	3924	msedge.exe	84
PID 3924 wrote to memory of 2264	3924	msedge.exe	84
PID 3924 wrote to memory of 1496	3924	msedge.exe	85
PID 3924 wrote to memory of 1496	3924	msedge.exe	85
PID 3924 wrote to memory of 1496	3924	msedge.exe	85
PID 3924 wrote to memory of 1496	3924	msedge.exe	85
PID 3924 wrote to memory of 1496	3924	msedge.exe	85
PID 3924 wrote to memory of 1496	3924	msedge.exe	85
PID 3924 wrote to memory of 1496	3924	msedge.exe	85
PID 3924 wrote to memory of 1496	3924	msedge.exe	85
PID 3924 wrote to memory of 1496	3924	msedge.exe	85
PID 3924 wrote to memory of 1496	3924	msedge.exe	85
PID 3924 wrote to memory of 1496	3924	msedge.exe	85
PID 3924 wrote to memory of 1496	3924	msedge.exe	85
PID 3924 wrote to memory of 1496	3924	msedge.exe	85
PID 3924 wrote to memory of 1496	3924	msedge.exe	85
PID 3924 wrote to memory of 1496	3924	msedge.exe	85
PID 3924 wrote to memory of 1496	3924	msedge.exe	85
PID 3924 wrote to memory of 1496	3924	msedge.exe	85
PID 3924 wrote to memory of 1496	3924	msedge.exe	85
PID 3924 wrote to memory of 1496	3924	msedge.exe	85
PID 3924 wrote to memory of 1496	3924	msedge.exe	85

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5216	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1319753874122346568/1323318729274036265/otp.exe?ex=6774141b&is=6772c29b&hm=3ee56f5ed8a609d23d2ce4c7d28c664c96bc18b1c7fbfe85ce9b7f3662303198&
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff97a0846f8,0x7ff97a084708,0x7ff97a084718
  2⤵
  PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,15848053343046626388,6759543444047579907,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:3016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,15848053343046626388,6759543444047579907,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,15848053343046626388,6759543444047579907,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
  2⤵
  PID:1496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15848053343046626388,6759543444047579907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15848053343046626388,6759543444047579907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,15848053343046626388,6759543444047579907,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 /prefetch:8
  2⤵
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,15848053343046626388,6759543444047579907,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15848053343046626388,6759543444047579907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4192 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15848053343046626388,6759543444047579907,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:1416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15848053343046626388,6759543444047579907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:1
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15848053343046626388,6759543444047579907,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
  2⤵
  PID:1932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,15848053343046626388,6759543444047579907,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5520 /prefetch:8
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15848053343046626388,6759543444047579907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:1456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2148,15848053343046626388,6759543444047579907,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6224 /prefetch:8
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,15848053343046626388,6759543444047579907,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
  2⤵
  PID:1304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,15848053343046626388,6759543444047579907,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4960

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:760

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3116

C:\Users\Admin\Downloads\otp.exe
"C:\Users\Admin\Downloads\otp.exe"
1⤵
- Executes dropped EXE
PID:3464
- C:\Users\Admin\AppData\Local\Temp\onefile_3464_133800478789165663\Stub.exe
  C:\Users\Admin\Downloads\otp.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:5520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:5592
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:5744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    PID:5600
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:5608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:5616
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    PID:5896
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      PID:5948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:6020
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:6116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:6028
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:6108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\HellionUpdate\Hellion.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:5148
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\HellionUpdate\Hellion.exe"
      4⤵
      Views/modifies file attributes
      PID:5216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    PID:4916
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:5280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:5232
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3924"
    3⤵
    PID:5432
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3924
      4⤵
      Kills process with taskkill
      PID:5392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4248"
    3⤵
    PID:5404
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4248
      4⤵
      Kills process with taskkill
      PID:5532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3016"
    3⤵
    PID:5548
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3016
      4⤵
      Kills process with taskkill
      PID:5724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2264"
    3⤵
    PID:5820
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2264
      4⤵
      Kills process with taskkill
      PID:5836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1496"
    3⤵
    PID:5596
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1496
      4⤵
      Kills process with taskkill
      PID:5640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5000"
    3⤵
    PID:1716
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5000
      4⤵
      Kills process with taskkill
      PID:5944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1932"
    3⤵
    PID:5928
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1932
      4⤵
      Kills process with taskkill
      PID:5788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5076"
    3⤵
    PID:5692
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5076
      4⤵
      Kills process with taskkill
      PID:6140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1456"
    3⤵
    PID:6088
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1456
      4⤵
      Kills process with taskkill
      PID:4980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1304"
    3⤵
    PID:6080
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1304
      4⤵
      Kills process with taskkill
      PID:5212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:5452
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:4392
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:1324
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:348
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:2880
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:3168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5248
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:5400
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:1844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    PID:1160
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:976
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:4816
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      PID:3384
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:3188
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:1452
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:3720
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:1636
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:1404
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:3028
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:3200
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:1540
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:1220
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:400
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:860
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:1840
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:1968
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:3016
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:4948
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:4024
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:1872
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:4356
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:4432
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4848
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:5048
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5608
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5784
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff9798dcc40,0x7ff9798dcc4c,0x7ff9798dcc58
  2⤵
  PID:5712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,11213807265958416012,5194401076679302852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:5868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2188,i,11213807265958416012,5194401076679302852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  PID:5728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2280,i,11213807265958416012,5194401076679302852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2256 /prefetch:8
  2⤵
  PID:5124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,11213807265958416012,5194401076679302852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:5228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3140,i,11213807265958416012,5194401076679302852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:5148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4484,i,11213807265958416012,5194401076679302852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4532 /prefetch:1
  2⤵
  PID:5344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4744,i,11213807265958416012,5194401076679302852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4784 /prefetch:8
  2⤵
  PID:1208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4840,i,11213807265958416012,5194401076679302852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4796 /prefetch:8
  2⤵
  PID:2204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4832,i,11213807265958416012,5194401076679302852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  PID:1548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4924,i,11213807265958416012,5194401076679302852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4880 /prefetch:8
  2⤵
  PID:6096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4892,i,11213807265958416012,5194401076679302852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4932 /prefetch:8
  2⤵
  PID:4724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4648,i,11213807265958416012,5194401076679302852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4204 /prefetch:8
  2⤵
  PID:4352
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=4868,i,11213807265958416012,5194401076679302852,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4828 /prefetch:2
  2⤵
  PID:3228

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5264

C:\Users\Admin\Downloads\otp.exe
"C:\Users\Admin\Downloads\otp.exe"
1⤵
- Executes dropped EXE
PID:3168
- C:\Users\Admin\AppData\Local\Temp\onefile_3168_133800479000711297\Stub.exe
  C:\Users\Admin\Downloads\otp.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2776

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2980

C:\Users\Admin\Downloads\otp.exe
"C:\Users\Admin\Downloads\otp.exe"
1⤵
- Executes dropped EXE
PID:4296
- C:\Users\Admin\AppData\Local\Temp\onefile_4296_133800479064088201\Stub.exe
  C:\Users\Admin\Downloads\otp.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:5772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9638746f8,0x7ff963874708,0x7ff963874718
  2⤵
  PID:5356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,3988032150778020477,12501885067217416385,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,3988032150778020477,12501885067217416385,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,3988032150778020477,12501885067217416385,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  PID:3184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,3988032150778020477,12501885067217416385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,3988032150778020477,12501885067217416385,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,3988032150778020477,12501885067217416385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4112 /prefetch:1
  2⤵
  PID:5584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,3988032150778020477,12501885067217416385,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,3988032150778020477,12501885067217416385,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3620 /prefetch:8
  2⤵
  PID:5676
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,3988032150778020477,12501885067217416385,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3620 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,3988032150778020477,12501885067217416385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:5304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,3988032150778020477,12501885067217416385,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:5352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,3988032150778020477,12501885067217416385,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
  2⤵
  PID:3384

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1228

C:\Users\Admin\Downloads\otp.exe
"C:\Users\Admin\Downloads\otp.exe"
1⤵
- Executes dropped EXE
PID:5708
- C:\Users\Admin\AppData\Local\Temp\onefile_5708_133800479203212021\Stub.exe
  C:\Users\Admin\Downloads\otp.exe
  2⤵
  - Executes dropped EXE
  PID:6056

C:\Users\Admin\Downloads\otp.exe
"C:\Users\Admin\Downloads\otp.exe"
1⤵
- Executes dropped EXE
PID:5336
- C:\Users\Admin\AppData\Local\Temp\onefile_5336_133800479249014254\Stub.exe
  C:\Users\Admin\Downloads\otp.exe
  2⤵
  - Executes dropped EXE
  PID:3604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
98d645a0b02c8963ebe49064959046d1

SHA1
74151e9d9140205ab328e0ed101d49fdd97b597e

SHA256
e643debefe050fe77f7b3e2f4378f1a9e9c9ea326c2571d4c0809c62bcd0504c

SHA512
3c93372ea0285ce643c1be994755d6303e0e11add67f211d6645d2f76eb275227a078406c5956bd9256fc940898154b43b8bc03dd2dec7b55a5d8426018c3fb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
723e9dc8245ebb340d66617a4e268bb2

SHA1
8ca13669ab68e4d761742d2e4b6e72f409527933

SHA256
90008a6fc57aa837d19a86b575ce3156529ea4a91e655a4d9a3fe1b1ce34bee7

SHA512
5c2ef61e5ffb835e4c074aa25714b7a13db10d00ac03c7057f5279969fab99697df6d1d2f6f155640b13410dc4129ddc83028400d81658d7610f02637b54eb54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
cbf3bce5bd04081c73825e162e46f95d

SHA1
6701973c27d4ad97e53b1e0329c22d02bb5b8db7

SHA256
4f313cd5245add95aa6cd351f1b2a085e9202644968513c9ba79ce79a671248b

SHA512
e3cbc07e6cf44e2ab6cfa4d765e2fc38317fa2fea1fe0bbb7d0068fb3e0811d0865f00e3362f966de4e1cb1a96754a84e0cb2afc61c61353c6a939cfa9b503fd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6cb72fa3e88a33dbae6da10c248779fc

SHA1
f1bd26e877a0307b00230d936b5ec7e52f4baed9

SHA256
f7c5cf74382fefa1857648be36cc049d7e392f583e0ab9df53669f53277f944c

SHA512
2042b2011281c51ed8452a988182945dddbed69539499919e19fb41da436a946d1c9f7802cba7f49b556222e25bfa4ab28b5ee7a057edf96894137aedf4a57d3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
220f4760d50197eb1f0d764aad04d2e4

SHA1
9880607ce14043d5ad42855eec62958f0300ca12

SHA256
f93ef632a1dac69e5a838a9ceb66e1abf8653bec9a60f9263a370603e06f148c

SHA512
16cc08a98c5dc3fd28dfdc07078baf476b8047c807e8dd1fe89d7b730a041c0ef65fdd6d7b5907fdb17e851751863b1d82783e502aa1150bb38bd2fa1ca1115b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3fe32f936710ead2a71a3b19acf51cbb

SHA1
8217db09d7a0459e244c68fb380ee2d77f92698c

SHA256
1401fe31831bfb842a6997dc1a0b74ce7c90fdc6e4bd1daf1a4765bd729c25a3

SHA512
24c1320ad884f07075120b92de8bb5f66a338b59318c7d9d202866079f35cad33ee77f73068fde219c936a442754385f52163a11eda7bcfcceab634e01b00d26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d956b04288355bdb6459929771219b0c

SHA1
f431ce617ab9fea38a0f96d3db2c3776b6652875

SHA256
36aa1490784fa9a744e7ed11a8ec2e1ddb58a8497dfd4d717023f2965e204e90

SHA512
cfa5857b1ba65805dfb8083186e2991be3e4e174dc1be607fa70e5acbd893c9b5573f3caf3c129223a6e18787a75dffdcfff39423e026ca8e2a06bdbaaa71a69

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bb7294ff063ed80bf5c5e2103abfb32e

SHA1
6235b8dcc96a1298e11f8ceb2769401a39d3b0f3

SHA256
88fe6a15bf362f4965c069fda15352cf987f35c6a62c31433a31de26ea921bf1

SHA512
d8532649405fc72595f2cc1eb3dcfe2b7f6008ea51ba5d8659b1b1d5f5d75de13a784ba4f5971759c6f2731f05abdba695acfe3c11504208225a2ebbc789a499

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6326347391597a70a7da888c38fa0478

SHA1
9487a5bc6b100e0c199da2accbe48d715ea56d3e

SHA256
a5db152ddf592b0c23d662d8844fe883d381491640364560be2cc3c796b42199

SHA512
dadd84358a722863ca309b521855b45f006b874d264f435a5db48e46a290de8f2c6afd5fd5865ed217e03e7ef32f593890d21a280a08f811219a3cd7f5c935d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
82a04ea61c87f26561339847db89a7e1

SHA1
f228db48b855c3cde633b6daa0f34be6a20250ea

SHA256
bd200d14b39395f4f8a0a58599b05758be872a9297e76c3c2e356f295c9cec41

SHA512
5c254738783280d638d1c621801c16675f405a526a4dd5faf8b46e38b95a5b5486368e5285fe3f18eb68d4d410a2d5abab4885867b8fad7942edf141c0960413

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
4f5e40dfae0db1f85e897cbc9d95c220

SHA1
99c3a337822fda05ca5a4a26e951b7e194ce02e8

SHA256
0adf6389089e13fe595a6f5a4bce135faadf56d0db99598435ef943e6fb598b6

SHA512
db491acacb1aaf9c8b9465409e86e9e6dbae9d6f2d507d3fcf9238de5888d6999ecc3ba295ab7a002a1dbaea03837ebeb4823ff6f4d9590dd66dd582818246cd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
2785b6dda353af3fbb7cef724eb57758

SHA1
dcda773ae93105131830cfca241e2b6d0444e3ef

SHA256
6ebd6fd95f0bd2f65af2b293fcfe13fb0a882b8fc0cdc874d76807d1243a481e

SHA512
1d514fbe655948c45df04a5729102b43d5d75d14ddeefa76a8506a1efa1cd6824802783c50c76cbf073053fd5d561177e03b7b6e2630ef37c6f47f37b19b25c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
ab276e854dd754c00172d01bc0db1c6f

SHA1
e1b5cf6bdded69af4c27fc0316407f832dfb853f

SHA256
098c13b8f4feec1ac905917713c52cd342d62e336abc288f4d49099b5d0cb0d5

SHA512
c58d57230f79bd929cf5a044750309004c42e39b5da67c83c2643dd86ddbb36de44ab91e6155c927a6c315ccd73e77c895b8fd660a2fddc23ee7ae151cdba4cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
231KB

MD5
3bc1c59d0b1d221b9203b2539acfcfcc

SHA1
52e53d2e083027de51d72ee167c3ae33590c1e6f

SHA256
80c83e42cedc33d89eff44688230809f7c3c544c9bc85db3f09d438d36286b28

SHA512
24db5b6b7f0c2ae243760319afd5a278dfcc2bfc0a368671b08e3221649010d6f632a6790fcb2a1102fa641b4d1e295e1bdb2acf59f4fb0bb1c5c98324d05cfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b696a23384c573dfe30b0dfc0852e519

SHA1
7c6c349384b3a78016187810e2c17fc20365b1aa

SHA256
29335eca25125b10270a96e6bb49bf002eecc3bb5d186f343153d1a1acd3e556

SHA512
6953e499c1417cce78ded2ab7535bcc8436fa004f47e11a218b37eb1b02c27af2e53a6bd92bf85263baf747570583ef8708c6b5a7415e51f1e23ee0f82d58967

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
32109145a9b002dc15831946d6633877

SHA1
4ae6aee06a92eac9a09aee6f22fc9de4007e1cca

SHA256
a3dd1baaaecbefb29477ae07a91b46bf4a72a74702acb0953b71dce9379ae55d

SHA512
99884f09a57efbf6da47da555661f1ff7fe6bc3ec25c5c2f40669af1e7bf30526f3dc7c2cc42e372635aa515589776e9f3f4839075df94a2fb1546b3e8cc4f76

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
455548b498941105b3f0d324352e5db1

SHA1
71acfbf3dd6f29867c90cc259e7a28465a558b5e

SHA256
69412d084883e2d8d330160656a4475e1cbeab97dd38a6db55bee1ba576bdf22

SHA512
a2518ff2c462f50c6ea9d2bc53fc10cb700a152a371946c6d982d352f19cda4ba06789037399ef5f65fca56b98cb55fb1565ab727b5fc7d830d3f3bbba011338

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ef816a9449dd9c994a7e32fe66bc1bfc

SHA1
811c0bf6eb8f2b1f4744b2690e925e2cf8e273f7

SHA256
5f48dc9a9b24ccd244244be93d9bfb8ba7b18e091f875922ad710454b6ffcdb4

SHA512
11af71d54c447362181cabf7af858eed56b8818370dfff0c6cffa941f6038e2d3e5ac1bab96f1eb1a033fe16b486d71adac936ea1c4e5f21171a66e4c13198e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b8d7cf89d27f75797d251bc29fbad112

SHA1
b57562f50c276c798fc2c30e739db448c01dc0fb

SHA256
b6500a876f14db024f49e13ce79fda67809c55c861845563eef104cda28e1f0e

SHA512
b5d79509085a32bbad91f7b8b4384b34d77ebb3ecd58a0adabe6333125f9c5acfadd27c207cc539fab2c1a28f508b70bd18c56dc4a77ef86574d8b4231564dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2490d1fa8615e73e023a2465efc0cf55

SHA1
d5662f1fb1ba208305298e7f5781c8dafbdf7955

SHA256
5f9afb55ffa2ead8be5ae9d2aba038df1b53c68f611c513553802667ee78fc70

SHA512
9f7ddb6b98f7c368cabca8e7d94be8138bdfca730fb38658ff5c60fbc40c92a2676a031af35b1147ff0121824105fdc7dfd8f5bf4a8e057734d9b82294643be6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c41402e8e55d359753167ed0177f5fad

SHA1
662634e785edcf53cb81a487803b89173bd39cb1

SHA256
80176ff2c541fd947e66523e4d52500e65b863184f3e23fe41758bfa4ec3ba37

SHA512
a884a344a1387c922d58d12f2f423f38ad09ad669ee8ceedfff777f055b8caec25f00642e95837fa97319cf465ff8573e8786160a3daeba47be5027704a1c258

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
87a769e27fe3cf3f87cdfbca8a53943e

SHA1
216bb8799d1516c9893fbcc0c60af7b9849e06b8

SHA256
6dff4b49ea072f19ddc6a3642fb0cdfc91a4c7c2fd0a18d7b5e1730986e5f42d

SHA512
dd1e24f3db83969152bdbbad66ac0a3912a6fae9d719e212b564fb4d3056387c68662470f485c7c853cc418ff74e6f86fb13fb2d311b44c5edcba21512e30320

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
1935495bbdaaa566eae4a60fce539045

SHA1
96f582a4b14b065dafe918ba172f606d230dfdd5

SHA256
2331c0140e06a66ca3dc0bca71d9f6f845a26d2b3074aeb3aba12ad6fa2aa7c2

SHA512
04744503c968b10ad8a2d1d116144f801c70d5212c3e5b4c37ff6ba4508581e7f4f8af1bdab9012bd80cc091217e12f399f3a90d8f616634aaa73a5d090c1a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\7fe7aee4-d59a-49ca-b437-cc0ddaa37d8d.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Desktop\ConvertToEdit.xlsx

Filesize
14KB

MD5
1aba9108e9bbdcdc088072a24f79f91e

SHA1
6545915b0f686e849d942fa70ad674701f7fb55b

SHA256
d5d6a046d95557b7a70979161c64f82db726124b4943c2c76ff5e4415adeb7bd

SHA512
6037bc9ed3c1ab2733867bfa4ddc57b6123680bf1cedf9ff60ea3de562d0f98ba8d8a9e74ecf07611330697dd9cd95f020e10820e907c120ca671774cecf1571

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Desktop\ConvertToTrace.xlsx

Filesize
13KB

MD5
3aba84b74d042569e0bc648c12f1b9d2

SHA1
09ad0fc5f889d9876daed09cf0bf6b92654a5607

SHA256
413640e6c638857f1b7b7287179d8ec3123f571167de105f5973eba00fa93eff

SHA512
da7b2fbad8fd2f099e538eea2eb35894b7f342620a65f0bc79861d1ac9a939c562b549f3c300b8ffe7f6b952bd5a92e7cc87713666f8caf3993821e9edacd602

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Desktop\LockImport.zip

Filesize
424KB

MD5
26a28183f6d67b2477639445e5527f57

SHA1
7f6062d591f1c2bc1b7d4606cfa08ac7bb448dc6

SHA256
0b56a7128af846b8bced99bed25d4776686b15b317b951a004b5e3a8b1e2b7c2

SHA512
15fc92205ea27032cc2a3d06b2dc6082c294cd3fbf90514d0c06db411ec6ae2131f8e9d5f576e76748246a5a15d2a6033e0622beb062b1098da60db3f6c8b46a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Desktop\MeasureLimit.pdf

Filesize
332KB

MD5
ef485aaa68894ab7a1f1aadc8d44bb24

SHA1
3937ebd95adc5c84a6cb8d67f5717926c4a46f0e

SHA256
82931833a717d89b2a14c3414922328a23a27cb682732246ac95cff2c42f8b4a

SHA512
0c515666a8e59a6458d2488e95cc9ca818ef6322bd9bb6c9df25c34b4cb43ba18f88854cc31f81cb1dec1a1cdb8106757013e01c2946a311a50b37984e447585

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Desktop\SkipSplit.jpeg

Filesize
516KB

MD5
c7817ecff0bef1b831d69fa6a819c756

SHA1
1819c71460bf8a8e31591147d673ef03a7f7f5bc

SHA256
b983ea7319baeada4e3b59b5128f2b91585d36a1760d63895848f4d468808aac

SHA512
faff500018a95ce9ba5f395dab58e3340d31c024099c53bc99a8f9b1cca308e4dbb164db2786e90af67d081f753563d4af077330bfad5a34fe7babea8af28a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Desktop\TraceBackup.3gpp

Filesize
286KB

MD5
d2b8e892b18f17cfb99b0b8f5619cbd9

SHA1
c242e74fcde0c535c90d649d8b8881a72b8e4485

SHA256
da4ef51decd16a91ab32f87db2b187c360328206b6b6ae1aca1f576d7a4acd9e

SHA512
f32f024931a8a1c7db820c083bd9d937ab0aef7bd3c9716dd67ddacaadc1ea0752a92abd0eddc3d6b84679f39b7a3a8141c9e4d220761e36b095f2fae1d35ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Documents\ComparePing.docx

Filesize
15KB

MD5
d6399b60581d9cd4271b6177270c7156

SHA1
114c9acd1c1ad47fda7fc64829740914286254e6

SHA256
9fb0aa42b1fba56d75392f66bc71a785a91f440bf45c63266312f841065cb7cb

SHA512
c62f443dff7e63942da86b71ec97c08bab10396325f711e53d61b77af81004d3abce3162a05956184b41b64f8a9a389ff5b0c3672eca476cc18a3b11db168aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Documents\FormatMeasure.xlsx

Filesize
9KB

MD5
09d295f062f67d6b03bd5ef5604982c6

SHA1
ec527a0dd67e74d52b1b7a1abadd1190400ff044

SHA256
2e7a00753185f6be5c3e23a3dc054be2b46ad38e999d70c4af1bb942ef9f6ddd

SHA512
6af79c55e39ddd57164d6579ac18670f11dec8df5aa80425f316ea4ce99786a0326d1bf1b010d09abace390008d69da756ee30429d3ae681c71d435210ec02ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Documents\RequestAdd.docx

Filesize
540KB

MD5
6b718a2272a1501f2fea2634df21814d

SHA1
56ef7e6113555780188bc900e84d37675cebff2f

SHA256
7001f7c57f6f49798b0dbe996cf5b24d89cb079e4bd0f3c474ff4357066a7f98

SHA512
3e38d54a857701c01ac354722e48367e65a3360c203894e26f4901dab51210bb1c0b6c8596891f1367b9e1aef90739f6d597c5bb46d288bea0a36abce7d124fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Documents\ResetCheckpoint.txt

Filesize
807KB

MD5
47e3477fd2c4c909b89b0d33426a02d3

SHA1
84cbf85b2647a84c5216f8321d601e93b58231e4

SHA256
5773fde3ca393a2af4c1b811c9a55cb8d8786b420759fcf13d6f77c0a6097188

SHA512
2d9cf682ac66539d72a0ba62a3c2bbb2e58daaa4a37a84b53efcef74e4a5beaeb04a3507fedfdc794534676f6230b80c7a52865cdec86b7961ab0a7ca2afdb7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Documents\ResumeReceive.xls

Filesize
318KB

MD5
db93968483bc2793635c4990a448abd3

SHA1
cff77efd19d02174ebc8c3d608836feaad743e06

SHA256
b290f74a5014266933d1fb23b4efd6f0bcba6d16fd5d6b444b70772d654b4954

SHA512
35a781bae29eaf246de012221da0bfbe98fc703ce1d9c04896cfc763584a8a513221f39f79c1c2b14959d6b605a825fe6e2694aa5f65800212e2e31eefcc02fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Downloads\RepairRestart.png

Filesize
267KB

MD5
22062b913893bad9627251ceca4e548d

SHA1
6c1b9473dc28e53418a790de753e468441a6f6f7

SHA256
cfa5ea2ca4321a09905922bc17c9ffd8313b99441a9b3eda90ec2cd45f6aea89

SHA512
c4c872added0a2fec84978721e638d1e5a622c0ec2a9fe52c96c486d2fc8acdbcf2e6d4900dc183d6aabccc9b7d16a0e56f3d2c9344a5fa7ed97a08cc861dead

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Music\ProtectMove.mp3

Filesize
248KB

MD5
d134b4886413ae6f8adadd9df8a93960

SHA1
7058781a1980be82466422482ceecac4e5e5fe67

SHA256
36f47e2f87b16fe56973ab1b7ee8938a2335a60a8e2b0a7e98d741424ca064b1

SHA512
5cb1162f57c24c98fef556ae642ef308185ee9e72b62eabfef589029f2407bdb2d7b715dad46110d4fcf78ff755f7b995702f884307fae2f89501dcb91ed9d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Music\PublishRename.mp3

Filesize
300KB

MD5
34c2b60852d1977dbba42dfddb9a2dd8

SHA1
f2323fe9d69b0abc8b8da3db95d3dec6fc3f8804

SHA256
90e6cac9ef8ae7b09a797c857cce1b4c64ea3cf0bc4fed8941ad6cc3b2b9d2d2

SHA512
c327675b0a3c27ac2cc30d779511a5abe53a126c6c298b39419b983ea6ecc9e89d8151b1343a5215e3f0624acd330f700ea33b6c015b3d120cc3049e72325a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Music\SplitStop.mp4

Filesize
522KB

MD5
4c5c660e3af49cf8a14571ac89842607

SHA1
387006c548bd93e1adfd0b0809356894f5d3f52c

SHA256
ed9158a34a89f6daad273847f3be6b1a821d67cd7da391d0b3c5e58d1d1d9e70

SHA512
a4a9863297ce658f83cbd7e88f7d783b13d6287760f1c57a60cd7a60574a002bcdde7c8d4759ba65547f03be68597d9adb134960f6ccaad31cbbddd560254fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Pictures\BlockRegister.jpeg

Filesize
264KB

MD5
2257c36be443a57b5799ddcd3048f81f

SHA1
14d294c7d58b1179224709b7ff022488381771f3

SHA256
14135e7bb2d0d7611eccd31fd310ab211b40a0940b41e4ff10555089de04094d

SHA512
6f11dd8979e245e8e277035f336b1fbb5fba6b8ea5d322b9537c331506bd9b008e5226bc307faebb2ee780696bca397c027d213964decd8d3f8062b08398daa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Pictures\CloseAdd.jpeg

Filesize
456KB

MD5
8e5554244918d73ce6a5918cf7227981

SHA1
51dfce1b0719d74cbf73cb6b1814b0bbc310cb41

SHA256
b250833ca6ec58e0b019255a07772d904cd16308eca75bb1a5bff27f276d748a

SHA512
473b42e5cdd908e8d62360e66eaed5c8b6a70ec3433580a68842f0b3b47f05e0802a9e0d203e23c315469cdc59759b9fcbf138f291c79ea59072f67dc56e2dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Pictures\DisableExpand.jpeg

Filesize
204KB

MD5
0f6581b44130151958087b85deab54ea

SHA1
83d0ab4f1914fa146ee69a2d4aec5099dd7c6c5e

SHA256
b14fe1a8b6c78e0e050d083c8889459d7dc2a807710b9cae02c015c1545cc011

SHA512
3c6e218bc985a9f30669e4356b828c22fdac15caf9ab4afc89e481c7aab04aa6706b07f472503460cbc0906b75b06f7359203f2438e6bf6eabb5e26ca90f9db0

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Pictures\ResolveGet.jpeg

Filesize
396KB

MD5
c488a88b512ab803044bfcdbbfb9bf5e

SHA1
b2dd6d23d391d8eaf79bff2b6a58dc5853440648

SHA256
5b37b766c38fafcb65b3ecbe6be5d77179eaf7dae9ca69447c5095c10649b0de

SHA512
3584d495c2133cdc82645162a62b4fbed40d91ff9fcab32c3d1851cf4c7fcaab593f594893d332f627afdb6a1284466b17f7c9cd12a6b019217e9e9ac6822b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Pictures\ResumeOpen.jpg

Filesize
516KB

MD5
52f1b1dc49e414a9214668a26e096dd2

SHA1
1cf2381c188a7a61f50af1fc3a9813c9bf8eddee

SHA256
e1d87297f271c200ef6e4d3b63a53e4a12e960f8371f9b7fb8fab19a81ec6c33

SHA512
7a5c9396c9f702c8469d5259be8da95c112cdebac72e4320845d283414077d040745289109320806bce5eb704479c2f6290a88a27777d530f92c2f306d6e3726

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd

Filesize
81KB

MD5
56203038756826a0a683d5750ee04093

SHA1
93d5a07f49bdcc7eb8fba458b2428fe4afcc20d2

SHA256
31c2f21adf27ca77fa746c0fda9c7d7734587ab123b95f2310725aaf4bf4ff3c

SHA512
3da5ae98511300694c9e91617c152805761d3de567981b5ab3ef7cd3dbba3521aae0d49b1eb42123d241b5ed13e8637d5c5bc1b44b9eaa754657f30662159f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

Filesize
120KB

MD5
462fd515ca586048459b9d90a660cb93

SHA1
06089f5d5e2a6411a0d7b106d24d5203eb70ec60

SHA256
bf017767ac650420487ca3225b3077445d24260bf1a33e75f7361b0c6d3e96b4

SHA512
67851bdbf9ba007012b89c89b86fd430fce24790466fefbb54431a7c200884fc9eb2f90c36d57acd300018f607630248f1a3addc2aa5f212458eb7a5c27054b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_sqlite3.pyd

Filesize
96KB

MD5
98228631212a443781d0ac72e4656b97

SHA1
7e87e1fb891439cf466648b37abdbd4053a5da66

SHA256
fab3440d88376c9c334333b80b50f20a273a08f1d319bf0a9a6eb8bd04d35250

SHA512
5d41384b0280415f581c13b4b47de3de845fd60fc0373613dc9a73d4e0ecf9e855cb0e4aaa1c88fdc2d98e973ca083a48c129529141a8fd65c74c104ad9015f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\yarl\_quoting_c.pyd

Filesize
93KB

MD5
6809491f7b8ad46a7281e222ca71745a

SHA1
138c75bfb03b1d54cd62fe14c3dc4501cb418397

SHA256
80660605ae26882225d02d130d0a84927635a79c78055c2eede010a28e84eb32

SHA512
97b498e3f69de6ccc4f3373683d9e2aae67cbe2532508a7677738702bbaf02ebd7c05c26e53cebb076f9943eea59b1ac4b9f7ee71a1626b8e31e539d009b39e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p4ijhdas.wjk.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3464_133800478789165663\_asyncio.pyd

Filesize
63KB

MD5
686262283ba69cce7f3eaba7cdeb0372

SHA1
5b771e444ee97b246545affcdc8fa910c8f591ea

SHA256
02ec5cd22543c0ca298c598b7e13949a4e8247cec288d0bca0a1269059b548ef

SHA512
dca7403cfe2bfe14cf51f747a893f49db52d4d43691dbccecaa83796351b6f7e644cf8e455a0b9c38c6c006f481d5c45d32ae789756250a2b29978e9feb839d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3464_133800478789165663\_hashlib.pyd

Filesize
63KB

MD5
7a74284813386818ada7bf55c8d8acf9

SHA1
380c4184eec7ca266e4c2b96bb92a504dfd8fe5f

SHA256
21a1819013de423bb3b9b682d0b3506c6ef57ee88c61edf4ba12d8d5f589c9c2

SHA512
f8bc4ac57ada754006bbbb0bfa1ccb6c659f9c4d3270970e26219005e872b60afb9242457d8eb3eae0ce1f608f730da3bf16715f04b47bea4c95519dd9994a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3464_133800478789165663\_lzma.pyd

Filesize
154KB

MD5
14ea9d8ba0c2379fb1a9f6f3e9bbd63b

SHA1
f7d4e7b86acaf796679d173e18f758c1e338de82

SHA256
c414a5a418c41a7a8316687047ed816cad576741bd09a268928e381a03e1eb39

SHA512
64a52fe41007a1cac4afedf2961727b823d7f1c4399d3465d22377b5a4a5935cee2598447aeff62f99c4e98bb3657cfae25b5c27de32107a3a829df5a25ba1ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3464_133800478789165663\_overlapped.pyd

Filesize
48KB

MD5
a5bd529290006ef1ebc8d32ffe501ca5

SHA1
c59ef2157358fb8f79b5a37ee9abba802ae915ba

SHA256
eeaa26addf211b37e689d46cfac6b7fad0d5421adc4c0113872dac1347aff130

SHA512
6b026e62b0b37445a480599175161cf6a60284ef881e0f0d1da643ac80013c2005f790f099733d76cfcf855e2ecd3a0e6c8bfc19dbabff67869119676ee03b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3464_133800478789165663\_socket.pyd

Filesize
77KB

MD5
c389430e19f1cd4c2e7b8538e8c52459

SHA1
546ed5a85ad80a7b7db99f80c7080dc972e4f2a2

SHA256
a14efa68d8f7ec018fb867a6ba6c6c290a803b4001fd8c45db7bda66fb700067

SHA512
5bef6c90c65bf1d4be0ce0d0cb3f38fe288f5716c93e444cf12f89f066791850d8316d414f1d795ff148c9e841cda90ef9c35ceb4a499563f28d068a6b427671

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3464_133800478789165663\_ssl.pyd

Filesize
156KB

MD5
7c7223f28c0c27c85a979ad222d19288

SHA1
4185e671b1dc56b22134c97cd8a4a67747887b87

SHA256
4ec47beadc4fd0d38fa39092244c108674012874f3190ee0e484aa988b94f986

SHA512
f3e813b954357f1bc323d897edf308a99ed30ff451053b312f81b6baae188cda58d144072627398a19d8d12fe659e4f40636dbbdf22a45770c3ca71746ec2df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3464_133800478789165663\_uuid.pyd

Filesize
24KB

MD5
ecf3d9de103ba77730ed021fe69a2804

SHA1
ce7eae927712fda0c70267f7db6bcb8406d83815

SHA256
7cf37a10023ebf6705963822a46f238395b1fbe8cb898899b3645c92d61b48ea

SHA512
c2bf0e2ba6080e03eca22d74ea7022fb9581036ce46055ea244773d26d8e5b07caf6ed2c44c479fda317000a9fa08ca6913c23fa4f54b08ee6d3427b9603dfba

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3464_133800478789165663\cryptography\hazmat\bindings\_rust.pyd

Filesize
7.5MB

MD5
81ad4f91bb10900e3e2e8eaf917f42c9

SHA1
840f7aef02cda6672f0e3fc7a8d57f213ddd1dc6

SHA256
5f20d6cec04685075781996a9f54a78dc44ab8e39eb5a2bcf3234e36bef4b190

SHA512
11cd299d6812cdf6f0a74ba86eb44e9904ce4106167ebd6e0b81f60a5fcd04236cef5cff81e51ed391f5156430663056393dc07353c4a70a88024194768ffe9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3464_133800478789165663\libcrypto-1_1.dll

Filesize
3.3MB

MD5
80b72c24c74d59ae32ba2b0ea5e7dad2

SHA1
75f892e361619e51578b312605201571bfb67ff8

SHA256
eb975c94e5f4292edd9a8207e356fe4ea0c66e802c1e9305323d37185f85ad6d

SHA512
08014ee480b5646362c433b82393160edf9602e4654e12cd9b6d3c24e98c56b46add9bf447c2301a2b2e782f49c444cb8e37ee544f38330c944c87397bdd152a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3464_133800478789165663\libssl-1_1.dll

Filesize
686KB

MD5
86f2d9cc8cc54bbb005b15cabf715e5d

SHA1
396833cba6802cb83367f6313c6e3c67521c51ad

SHA256
d98dd943517963fd0e790fde00965822aa4e4a48e8a479afad74abf14a300771

SHA512
0013d487173b42e669a13752dc8a85b838c93524f976864d16ec0d9d7070d981d129577eda497d4fcf66fc6087366bd320cff92ead92ab79cfcaa946489ac6cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3464_133800478789165663\multidict\_multidict.pyd

Filesize
46KB

MD5
95463f615865a472f75ddb365644a571

SHA1
91f22ef3f2ffd3e9d6ce6e58beea9a96287b090b

SHA256
9ee77474d244a17337d4ccc5113fe4af7b4d86f9969293a884927718d06e63c8

SHA512
e3cccce9ebf5e7cf33e68046d3e7b59e454ccb791635eb5f405977fd270126ef8b58e6288dbe58c96b681361d81ef28720eba8d0bd389bfb0f4c3114d098a117

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3464_133800478789165663\python3.dll

Filesize
64KB

MD5
24f4d5a96cd4110744766ea2da1b8ffa

SHA1
b12a2205d3f70f5c636418811ab2f8431247da15

SHA256
73b0f3952be222ce676672603ae3848ee6e8e479782bd06745116712a4834c53

SHA512
bd2f27441fe5c25c30bab22c967ef32306bcea2f6be6f4a5da8bbb5b54d3d5f59da1ffcb55172d2413fe0235dd7702d734654956e142e9a0810160b8c16225f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3464_133800478789165663\python310.dll

Filesize
4.3MB

MD5
e4533934b37e688106beac6c5919281e

SHA1
ada39f10ef0bbdcf05822f4260e43d53367b0017

SHA256
2bf761bae584ba67d9a41507b45ebd41ab6ae51755b1782496d0bc60cc1d41d5

SHA512
fa681a48ddd81854c9907026d4f36b008e509729f1d9a18a621f1d86cd1176c1a1ff4f814974306fa4d9e3886e2ce112a4f79b66713e1401f5dae4bcd8b898b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3464_133800478789165663\select.pyd

Filesize
29KB

MD5
c6ef07e75eae2c147042d142e23d2173

SHA1
6ef3e912db5faf5a6b4225dbb6e34337a2271a60

SHA256
43ee736c8a93e28b1407bf5e057a7449f16ee665a6e51a0f1bc416e13cee7e78

SHA512
30e915566e7b934bdd49e708151c98f732ff338d7bc3a46797de9cca308621791276ea03372c5e2834b6b55e66e05d58cf1bb4cb9ff31fb0a1c1aca0fcdc0d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3464_133800478789165663\sqlite3.dll

Filesize
1.5MB

MD5
fcc7a468d46c90f5a71e3e9c99b1d50e

SHA1
91070cac3cdde28905a7bc695f8c0fd1290fd0d0

SHA256
215c02ac57378e48428d4b013f7bcedd2b58d73e83c54eca17a8c9bd7f3bdf55

SHA512
95bff194696436e590a5df8f18987ce6e5c20b6e50e552e7d049fec8da834c71cdbd87418fc85be73aaea4176aeb672d44e89256cd64bfade5959f3aabb0884d

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3464_133800478789165663\unicodedata.pyd

Filesize
1.1MB

MD5
d4964a28a22078c30064c65e968f9e1f

SHA1
b9b95975bea97a55c888da66148d54bdb38b609b

SHA256
b204718d21952369726472ca12712047839119ccf87e16979af595c0a57b6703

SHA512
bfe200b255ae1ddba53d98d54479e7e1d0932fb27bbfdcb4170d3d4cbbbfc297e3b5fd273b830399b795feb64cd0d9c48d0e1e0eaf72d0e0992261864e2d7296

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3464_133800478789165663\vcruntime140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3464_133800478789165663\yarl\_helpers_c.pyd

Filesize
53KB

MD5
6fb550ddaee31afedd29bdb97e2525f2

SHA1
b58257f37c581f143176d0c7abd3a98fec75a12f

SHA256
33a9b6f1caede0dbc9ee83097dea21c6db0a5cabff27f2917ea94cf47688e9df

SHA512
dbeb69892c63238aea76422815e45b7b1e12a7d2a0bcc6170f690b68eb56bc04c071413885fce81cc6ce435d9c60c36d9b97c792c75c21541db612c48124df38

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4296_133800479064088201\_decimal.pyd

Filesize
246KB

MD5
709613d7d7bc30abdaee015c331664b6

SHA1
84278fd8acc53c50b4e2ffa3f47b9ddad7dd7a70

SHA256
8600cae4f34cc64c406198e19539d0d4f5a574fc60b32b8aa8f32fd64c981da5

SHA512
4eb48bbcdf7cd9ebb9909e5269d4663bf14906a282a1f1418cc7e137f2be1c792019d78446d4d8bea63024cbf01bec14e28633d6e4ebbd85d7d074b948cab211

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4296_133800479064088201\_multiprocessing.pyd

Filesize
33KB

MD5
b3c8414bbcae9bcc3377a4df72a4aed7

SHA1
cf754caff33c158ef6377b6cb2dc11ab96a27678

SHA256
65413d49d81e5b939226a211fd40c9b7c6d61366651639446273988930f4a6fd

SHA512
3a1a85ff177d5521043a7a84b3aa56f567b9d1e0fb5b72441d50d0234e50519c86dfc24f6432be32460cbc63226ff3e4bc2d86e3154cdcd7a3d9b8d87b32b035

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4296_133800479064088201\_queue.pyd

Filesize
30KB

MD5
60dec90862b996e56aedafb2774c3475

SHA1
ce6ff24b2cc03aff2e825e1cf953cba10c139c9d

SHA256
9568ef8bae36edae7347b6573407c312ce3b19bbd899713551a1819d6632da46

SHA512
c4b2066975f5d204a7659a2c7c6bc6dfc9a2fc83d7614dbbc0396f3dcc8b142df9a803f001768bfd44ca6bfa61622836b20a9d68871954009435449ae6d76720

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4296_133800479064088201\pyexpat.pyd

Filesize
194KB

MD5
ea36d6df8ab58a22421f01d6d673adf2

SHA1
6a22ea1f37e8655d1602823f18ac87727110a1b5

SHA256
32e8c601259ec029e44824116ad911426157ceeae55f9fdd15387af40660dd5a

SHA512
d23b7b4f46e99fa4c93e6adba24e30d09c445e85c7b2eae93a6efbffc5d8be166908f7ba7edf7b3e5089e712a4ce8e5bcdc32610f59bda94b90dd01aa3601035

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_5336_133800479249014254\_cffi_backend.pyd

Filesize
174KB

MD5
2baaa98b744915339ae6c016b17c3763

SHA1
483c11673b73698f20ca2ff0748628c789b4dc68

SHA256
4f1ce205c2be986c9d38b951b6bcb6045eb363e06dacc069a41941f80be9068c

SHA512
2ae8df6e764c0813a4c9f7ac5a08e045b44daac551e8ff5f8aa83286be96aa0714d373b8d58e6d3aa4b821786a919505b74f118013d9fcd1ebc5a9e4876c2b5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5668_1245357549\3cb50244-8b80-452e-a770-e44c3326d8b2.tmp

Filesize
150KB

MD5
14937b985303ecce4196154a24fc369a

SHA1
ecfe89e11a8d08ce0c8745ff5735d5edad683730

SHA256
71006a5311819fef45c659428944897184880bcdb571bf68c52b3d6ee97682ff

SHA512
1d03c75e4d2cd57eee7b0e93e2de293b41f280c415fb2446ac234fc5afd11fe2f2fcc8ab9843db0847c2ce6bd7df7213fcf249ea71896fbf6c0696e3f5aee46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir5668_1245357549\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\Admin\Downloads\otp.exe

Filesize
38.2MB

MD5
00148f2c619727ed2d59eaa711782dbd

SHA1
8b9b4abf049108b6d9c5e6a0adcc07460f4f40ed

SHA256
22b0489ea350b5611577ee213b6c8865fdaf952db42ed8f71a94d2e6d32323bd

SHA512
5e9ecf2f11b918da6051aa0e95b77967c178092e5c6abfce9ed29198d24fe9012259b62276990796923b10426d8d37b813caaa6d5893d4f105ecab8653683416

Download Submit
memory/1844-230-0x00000152ECF10000-0x00000152ECF32000-memory.dmp

Filesize
136KB

Download