exelastealer | hxxps://gofile[.]io/d/2mSNoe

Analysis

max time kernel
136s
max time network
156s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
22/03/2025, 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/2mSNoe

Score

10^/10

exelastealer collection defense_evasion discovery spyware stealer

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Downloads MZ/PE file 1 IoCs

flow	pid	Process
134	4416	msedge.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3492	netsh.exe
4684	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1208	cmd.exe
4580	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
4224	Exodus.exe
4644	Stub.exe

Loads dropped DLL 32 IoCs

pid	Process
4644	Stub.exe
4644	Stub.exe
4644	Stub.exe
4644	Stub.exe
4644	Stub.exe
4644	Stub.exe
4644	Stub.exe
4644	Stub.exe
4644	Stub.exe
4644	Stub.exe
4644	Stub.exe
4644	Stub.exe
4644	Stub.exe
4644	Stub.exe
4644	Stub.exe
4644	Stub.exe
4644	Stub.exe
4644	Stub.exe
4644	Stub.exe
4644	Stub.exe
4644	Stub.exe
4644	Stub.exe
4644	Stub.exe
4644	Stub.exe
4644	Stub.exe
4644	Stub.exe
4644	Stub.exe
4644	Stub.exe
4644	Stub.exe
4644	Stub.exe
4644	Stub.exe
4644	Stub.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
37	api.gofile.io
47	api.gofile.io
143	discord.com
144	discord.com
33	api.gofile.io
34	api.gofile.io

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
141	ipinfo.io
142	ipinfo.io
147	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2032	cmd.exe
2460	ARP.EXE

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
5588	tasklist.exe
1356	tasklist.exe
2248	tasklist.exe
2104	tasklist.exe
5168	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3092	cmd.exe

Drops file in Windows directory 16 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1940_868533641\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1940_868533641\typosquatting_list.pb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1940_654691096\LICENSE	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1940_654691096\sets.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1940_654691096\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1940_1334304908\LICENSE	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1940_1334304908\_metadata\verified_contents.json	msedge.exe
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1940_868533641\safety_tips.pb	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1940_868533641\_metadata\verified_contents.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1940_868533641\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1940_1334304908\keys.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1940_1334304908\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1940_654691096\manifest.json	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1940_654691096\manifest.fingerprint	msedge.exe
File created	C:\Windows\SystemTemp\chrome_Unpacker_BeginUnzipping1940_1334304908\manifest.json	msedge.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2500	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2248	cmd.exe
4592	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
3968	NETSTAT.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
5784	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4220	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5184	ipconfig.exe
3968	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2840	systeminfo.exe

Kills process with taskkill 10 IoCs

defense_evasion

pid	Process
5600	taskkill.exe
3616	taskkill.exe
5356	taskkill.exe
3496	taskkill.exe
6068	taskkill.exe
5324	taskkill.exe
4292	taskkill.exe
3712	taskkill.exe
5644	taskkill.exe
564	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133871416502540287"	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-780313508-644878201-565826771-1000\{1257BEEF-4C53-4AD5-B1D2-DF3E4B3A831F}	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3716	msedge.exe
3716	msedge.exe
4220	WMIC.exe
4220	WMIC.exe
1820	WMIC.exe
1820	WMIC.exe
4220	WMIC.exe
4220	WMIC.exe
1820	WMIC.exe
1820	WMIC.exe
2512	WMIC.exe
2512	WMIC.exe
2512	WMIC.exe
2512	WMIC.exe
4264	WMIC.exe
4264	WMIC.exe
4264	WMIC.exe
4264	WMIC.exe
4580	powershell.exe
4580	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4220	WMIC.exe
Token: SeSecurityPrivilege	4220	WMIC.exe
Token: SeTakeOwnershipPrivilege	4220	WMIC.exe
Token: SeLoadDriverPrivilege	4220	WMIC.exe
Token: SeSystemProfilePrivilege	4220	WMIC.exe
Token: SeSystemtimePrivilege	4220	WMIC.exe
Token: SeProfSingleProcessPrivilege	4220	WMIC.exe
Token: SeIncBasePriorityPrivilege	4220	WMIC.exe
Token: SeCreatePagefilePrivilege	4220	WMIC.exe
Token: SeBackupPrivilege	4220	WMIC.exe
Token: SeRestorePrivilege	4220	WMIC.exe
Token: SeShutdownPrivilege	4220	WMIC.exe
Token: SeDebugPrivilege	4220	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4220	WMIC.exe
Token: SeRemoteShutdownPrivilege	4220	WMIC.exe
Token: SeUndockPrivilege	4220	WMIC.exe
Token: SeManageVolumePrivilege	4220	WMIC.exe
Token: 33	4220	WMIC.exe
Token: 34	4220	WMIC.exe
Token: 35	4220	WMIC.exe
Token: 36	4220	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1820	WMIC.exe
Token: SeSecurityPrivilege	1820	WMIC.exe
Token: SeTakeOwnershipPrivilege	1820	WMIC.exe
Token: SeLoadDriverPrivilege	1820	WMIC.exe
Token: SeSystemProfilePrivilege	1820	WMIC.exe
Token: SeSystemtimePrivilege	1820	WMIC.exe
Token: SeProfSingleProcessPrivilege	1820	WMIC.exe
Token: SeIncBasePriorityPrivilege	1820	WMIC.exe
Token: SeCreatePagefilePrivilege	1820	WMIC.exe
Token: SeBackupPrivilege	1820	WMIC.exe
Token: SeRestorePrivilege	1820	WMIC.exe
Token: SeShutdownPrivilege	1820	WMIC.exe
Token: SeDebugPrivilege	1820	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1820	WMIC.exe
Token: SeRemoteShutdownPrivilege	1820	WMIC.exe
Token: SeUndockPrivilege	1820	WMIC.exe
Token: SeManageVolumePrivilege	1820	WMIC.exe
Token: 33	1820	WMIC.exe
Token: 34	1820	WMIC.exe
Token: 35	1820	WMIC.exe
Token: 36	1820	WMIC.exe
Token: SeDebugPrivilege	5588	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4220	WMIC.exe
Token: SeSecurityPrivilege	4220	WMIC.exe
Token: SeTakeOwnershipPrivilege	4220	WMIC.exe
Token: SeLoadDriverPrivilege	4220	WMIC.exe
Token: SeSystemProfilePrivilege	4220	WMIC.exe
Token: SeSystemtimePrivilege	4220	WMIC.exe
Token: SeProfSingleProcessPrivilege	4220	WMIC.exe
Token: SeIncBasePriorityPrivilege	4220	WMIC.exe
Token: SeCreatePagefilePrivilege	4220	WMIC.exe
Token: SeBackupPrivilege	4220	WMIC.exe
Token: SeRestorePrivilege	4220	WMIC.exe
Token: SeShutdownPrivilege	4220	WMIC.exe
Token: SeDebugPrivilege	4220	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4220	WMIC.exe
Token: SeRemoteShutdownPrivilege	4220	WMIC.exe
Token: SeUndockPrivilege	4220	WMIC.exe
Token: SeManageVolumePrivilege	4220	WMIC.exe
Token: 33	4220	WMIC.exe
Token: 34	4220	WMIC.exe
Token: 35	4220	WMIC.exe
Token: 36	4220	WMIC.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe
1940	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 2144	1940	msedge.exe	82
PID 1940 wrote to memory of 2144	1940	msedge.exe	82
PID 1940 wrote to memory of 4416	1940	msedge.exe	84
PID 1940 wrote to memory of 4416	1940	msedge.exe	84
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 3088	1940	msedge.exe	86
PID 1940 wrote to memory of 3088	1940	msedge.exe	86
PID 1940 wrote to memory of 3140	1940	msedge.exe	87
PID 1940 wrote to memory of 3140	1940	msedge.exe	87
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 3744	1940	msedge.exe	88
PID 1940 wrote to memory of 3744	1940	msedge.exe	88
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 5452	1940	msedge.exe	85
PID 1940 wrote to memory of 3088	1940	msedge.exe	86
PID 1940 wrote to memory of 3088	1940	msedge.exe	86
PID 1940 wrote to memory of 3088	1940	msedge.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2032	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/2mSNoe
1⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x26c,0x270,0x274,0x268,0x278,0x7fff4911f208,0x7fff4911f214,0x7fff4911f220
  2⤵
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1820,i,2053245977543564567,15529705351415877170,262144 --variations-seed-version --mojo-platform-channel-handle=3252 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=3224,i,2053245977543564567,15529705351415877170,262144 --variations-seed-version --mojo-platform-channel-handle=3220 /prefetch:2
  2⤵
  PID:5452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3056,i,2053245977543564567,15529705351415877170,262144 --variations-seed-version --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3048,i,2053245977543564567,15529705351415877170,262144 --variations-seed-version --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2416,i,2053245977543564567,15529705351415877170,262144 --variations-seed-version --mojo-platform-channel-handle=3264 /prefetch:8
  2⤵
  PID:3744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4984,i,2053245977543564567,15529705351415877170,262144 --variations-seed-version --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4748,i,2053245977543564567,15529705351415877170,262144 --variations-seed-version --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=1660,i,2053245977543564567,15529705351415877170,262144 --variations-seed-version --mojo-platform-channel-handle=4848 /prefetch:8
  2⤵
  PID:4592
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5500,i,2053245977543564567,15529705351415877170,262144 --variations-seed-version --mojo-platform-channel-handle=5724 /prefetch:8
  2⤵
  PID:1980
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5500,i,2053245977543564567,15529705351415877170,262144 --variations-seed-version --mojo-platform-channel-handle=5724 /prefetch:8
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5968,i,2053245977543564567,15529705351415877170,262144 --variations-seed-version --mojo-platform-channel-handle=5952 /prefetch:8
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=604,i,2053245977543564567,15529705351415877170,262144 --variations-seed-version --mojo-platform-channel-handle=5648 /prefetch:8
  2⤵
  PID:2248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5696,i,2053245977543564567,15529705351415877170,262144 --variations-seed-version --mojo-platform-channel-handle=6040 /prefetch:8
  2⤵
  PID:5960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6060,i,2053245977543564567,15529705351415877170,262144 --variations-seed-version --mojo-platform-channel-handle=6012 /prefetch:8
  2⤵
  PID:3304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6104,i,2053245977543564567,15529705351415877170,262144 --variations-seed-version --mojo-platform-channel-handle=5992 /prefetch:8
  2⤵
  PID:2948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5392,i,2053245977543564567,15529705351415877170,262144 --variations-seed-version --mojo-platform-channel-handle=5604 /prefetch:8
  2⤵
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5604,i,2053245977543564567,15529705351415877170,262144 --variations-seed-version --mojo-platform-channel-handle=5652 /prefetch:8
  2⤵
  PID:1040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5624,i,2053245977543564567,15529705351415877170,262144 --variations-seed-version --mojo-platform-channel-handle=5776 /prefetch:8
  2⤵
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --always-read-main-dll --field-trial-handle=6088,i,2053245977543564567,15529705351415877170,262144 --variations-seed-version --mojo-platform-channel-handle=5760 /prefetch:1
  2⤵
  PID:5672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5104,i,2053245977543564567,15529705351415877170,262144 --variations-seed-version --mojo-platform-channel-handle=6148 /prefetch:8
  2⤵
  PID:352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --always-read-main-dll --field-trial-handle=6152,i,2053245977543564567,15529705351415877170,262144 --variations-seed-version --mojo-platform-channel-handle=6192 /prefetch:1
  2⤵
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6128,i,2053245977543564567,15529705351415877170,262144 --variations-seed-version --mojo-platform-channel-handle=5776 /prefetch:8
  2⤵
  PID:5280
- C:\Users\Admin\Downloads\Exodus.exe
  "C:\Users\Admin\Downloads\Exodus.exe"
  2⤵
  - Executes dropped EXE
  PID:4224
- - C:\Users\Admin\AppData\Local\Temp\onefile_4224_133871417662751709\Stub.exe
    C:\Users\Admin\Downloads\Exodus.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4644
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:1704
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:1240
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4220
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
      4⤵
      PID:1620
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "gdb --version"
      4⤵
      PID:2868
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:4792
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:5588
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
      4⤵
      PID:1328
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2512
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:1668
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4264
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:4580
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:1356
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\HellionUpdate\Hellion.exe""
      4⤵
      Hide Artifacts: Hidden Files and Directories
      PID:3092
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\HellionUpdate\Hellion.exe"
        5⤵
        Views/modifies file attributes
        
        PID:2032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
      4⤵
      PID:2644
    - - C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
        5⤵
        
        PID:4704
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:5112
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:2248
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1940"
      4⤵
      PID:768
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1940
        5⤵
        Kills process with taskkill
        
        PID:5600
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2144"
      4⤵
      PID:5464
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2144
        5⤵
        Kills process with taskkill
        
        PID:6068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4416"
      4⤵
      PID:1436
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4416
        5⤵
        Kills process with taskkill
        
        PID:5324
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5452"
      4⤵
      PID:1400
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5452
        5⤵
        Kills process with taskkill
        
        PID:3616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3744"
      4⤵
      PID:2940
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3744
        5⤵
        Kills process with taskkill
        
        PID:4292
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3140"
      4⤵
      PID:64
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3140
        5⤵
        Kills process with taskkill
        
        PID:3712
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2948"
      4⤵
      PID:2372
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2948
        5⤵
        Kills process with taskkill
        
        PID:5644
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5672"
      4⤵
      PID:1360
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5672
        5⤵
        Kills process with taskkill
        
        PID:5356
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 352"
      4⤵
      PID:416
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 352
        5⤵
        Kills process with taskkill
        
        PID:3496
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3696"
      4⤵
      PID:2368
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3696
        5⤵
        Kills process with taskkill
        
        PID:564
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      PID:1620
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        
        PID:3044
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:1136
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      PID:2512
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        
        PID:4000
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:1332
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:228
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:2104
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
      4⤵
      Clipboard Data
      PID:1208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        5⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:4580
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
      4⤵
      Network Service Discovery
      PID:2032
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:2840
    - - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        5⤵
        
        PID:528
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        5⤵
        Collects information from the system
        
        PID:5784
    - - C:\Windows\system32\net.exe
        
        net user
        5⤵
        
        PID:1948
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        6⤵
        
        PID:4940
    - - C:\Windows\system32\query.exe
        
        query user
        5⤵
        
        PID:3076
      - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        6⤵
        
        PID:4080
    - - C:\Windows\system32\net.exe
        
        net localgroup
        5⤵
        
        PID:5000
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        6⤵
        
        PID:3916
    - - C:\Windows\system32\net.exe
        
        net localgroup administrators
        5⤵
        
        PID:3456
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        6⤵
        
        PID:4724
    - - C:\Windows\system32\net.exe
        
        net user guest
        5⤵
        
        PID:4208
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        6⤵
        
        PID:5788
    - - C:\Windows\system32\net.exe
        
        net user administrator
        5⤵
        
        PID:4764
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        6⤵
        
        PID:3048
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        5⤵
        
        PID:1176
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        5⤵
        Enumerates processes with tasklist
        
        PID:5168
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:5184
    - - C:\Windows\system32\ROUTE.EXE
        
        route print
        5⤵
        
        PID:4572
    - - C:\Windows\system32\ARP.EXE
        
        arp -a
        5⤵
        Network Service Discovery
        
        PID:2460
    - - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        5⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:3968
    - - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        5⤵
        Launches sc.exe
        
        PID:2500
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        5⤵
        Modifies Windows Firewall
        
        PID:4684
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        5⤵
        Modifies Windows Firewall
        
        PID:3492
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2248
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4592
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:5872
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=6472,i,2053245977543564567,15529705351415877170,262144 --variations-seed-version --mojo-platform-channel-handle=6016 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3716

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:5464

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
1⤵
PID:5708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\55003e89-bb65-4cf8-9149-372b73186c8c.tmp

Filesize
54KB

MD5
c68688cc9954bdb5f0b1eb7479dacc03

SHA1
92e028bfa84358f399b319ad2679e9ae1c3531c2

SHA256
90e42a6de465e34ee58743e05b04bbffcb6497a6eb6d2ee41a97a340b6d518d5

SHA512
9ec846825dffc25e7f75c0e8f2c563ddfcecd5aa2a3796c8694deb0a863b27eb4def53a46e45eea34a456cca5bfdfce05e62f6b8d3c1018471c131c380a11e4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
aa9afd16e8041e8c80250b50ea6899e4

SHA1
a3a698d431952253255c343f2b35f74e73e63088

SHA256
2bd7f856d73f78bc3a4de32b447b21babad42c009b19fcebe2f8cdeca2380926

SHA512
344de0888df8851d957ca6fab055eb9e2f1aa6d958022c2c30442cd6aad4d158d0a99f8908184abc60fb1e0ccdd3d9395d8c0d37fc317d3700974c3348d4a5ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
3b91229e6243d6d4e695a57ccc7b29ff

SHA1
f5b4ab268844db08098670b6d6881cbd7bc33950

SHA256
f300d82f89881e148207a1f827a25925f615e59de57b73df04556f357f529850

SHA512
d78e3f9bda3052f2076bdc28ceb6c74a1c0361bb92d375b641d9cb5528861c89af2d351f69b2ec2326b2f5c7b8a5f2243ccc739894b82e68daf1a5df665c9aaf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe581151.TMP

Filesize
2KB

MD5
777320ce68f41b97ddeed36584a848bd

SHA1
ec8d0a5e0be3b57ce4d47d24ef1c890506fdb794

SHA256
3a9e64d80cbf3cb40481b40defba1ff61b1452a275057ae495b7983e485c547a

SHA512
ed24bd9c113fda4b11720e51bf4dffee1c787bcf80c21b92d2615d58b4d080552465598d65e555547a6d8a2d1c01ecbcda0c18c80ef528422a565a316909e6c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
b0694c5dce236df5b7e56509c97afeaf

SHA1
690d4539a795a60a9d4d292332ae602a0f1202f3

SHA256
4871695a8dd8f0c9f0e57f07026133c4e77c391b94f579ec552fd11210151cdd

SHA512
5048e5c0367d55cca5d4603a2d4a70f8a9df28aeeada905a568364a63020c0bb7216999b2888202e5be6c2fcddf58d3bc4c0a8b81f170556c5cf1b85ee486500

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
13b37a18f42b9397a23c0f803f495ebc

SHA1
296ad46c7ab18e0184ced78d5d0384e7fecabe80

SHA256
6f75b282a101498cc97a1a1ce9396f787c6f5ad959af988c74e27435ea63a6fc

SHA512
a6e786a3a3c573696e9f4649327b642cb99b96965d1eb7fcc24b06af1a35f1cadaff2d09f4e0ce6cc2c9403a30ad2a0d9622e29771ace6854d83ef13398b211b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
0e25e5d091d258f012096e8eaf9942e3

SHA1
961f07670ac300326e0c6eb050e09d833111b80e

SHA256
cc905a458f7e022c5d05099b11e214be474a9dd77cfeb1181464850f780acdd6

SHA512
ccc8c4ec7220ac6a956aeb9fa02b5f7181f59a868ed601585a4bedf839c43d7d893cecb1330e5f84a52c34765d46ec8c097c9a4fadc6ae77685aefa8a0372003

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
95a15e6cabdfb7c2533999c7e8181c86

SHA1
ad72326df68c3cae3bc84886d901d56332b698d0

SHA256
864487e064ff2144f3d5ed4129a37dee2caa77d62fab424ff5a93be7d7fe0ad8

SHA512
6b918d84536599d28f052697aa2e9e7dcc33d3e6787795b1cef160953650a22dbb1c24362a23ba9477cf5d13f39ddc78314cfdae89c50de7162fb4a947c372c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
6b6a67a793a80776bfab576d8440a9d0

SHA1
36a05ea3b324820052ab388db4e5b8148b95077c

SHA256
76f91cf10020f434246d9630c526395977784e647b8058038a5d8fc03978e641

SHA512
738cd857324f4c6fb23df0ce71c4ab6abc8fa231513f5e9c4a5907db9bb0b24eecbbda74be71b0727e0c25234d10013c98ef0a490516e6a808ba8c694948e6da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
469B

MD5
c8e76b47067c3d8e04a76c3e5e4d84cc

SHA1
97025988c3555f605353c2c80b8c7e083b3441e8

SHA256
b6f6fdb6df2724534c73f5f67d6967e97b7cef711c7cc9801554255849af143a

SHA512
257009c38ce5abf7407fd74287b75a283cb56dfbee12810fcf82deea5552fe7c93beb50396b942aa2409826c36d6394728ed2775dfe495b381cac739aebde307

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
22KB

MD5
add7e4444a3a27f5606d180dded39f04

SHA1
22c70b96c493dff8b0e5c26429afb9184e74efaa

SHA256
5cc427b83013faa1c76fac794494b70aeca866fd1baca7fc9f43c48a3f51f6f3

SHA512
e57c3b4f3738be70e74cf62738706155189e7ae1260bc99865426f1442170f5d6e1d45c7bf58f2920e2de0a9722d6f0db25536bf2af0272fea1377e9c3e48cde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
904B

MD5
a44659b0da89c8b309de2e69d03f8c97

SHA1
a5c9b365a2f6c1b091f019cf105622a5d06a543f

SHA256
005252c36fcdeed549209adfae965d6a44bafd4d2a2c143c331f783e7d16882d

SHA512
521647016da1b977a8343e74d24fc3796aa80f531c9c4ce7625974c9f8fbc14803d273a785c9e90c6ff0bee3a6890764f4a78017b7d0891fb772e15e8104901a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\c146a04d-e25e-4b6d-bbe8-e750f6511ee4.tmp

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
54KB

MD5
b02bd1df01edd5049d6677d0250a504e

SHA1
93088518f3b3f32b3eeb18cd613b2001f2da7e87

SHA256
193d9e4a6b6e2dd052977b0ee093c8f5efd3207da728763679dba05744490296

SHA512
360d074e3048355531c741ab2af5c289aae1e5a00a2b4eadfed648a8346a9cd05f32feab0872b1f1b9aa5ac88ae8b65a83bd4f92caea4da4e32650c8c28abf10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
7e18a8cbfd6b29fb00ec712710347c71

SHA1
a4a63764ae1b0130cb6c3c2e5e073fe8f71f54fb

SHA256
5d144f976e87a09ea32fd070b270a08b0a1fff5f0c6c45c2bd3ae2e261d5e66c

SHA512
abf0afbee9f214152d1822947c4d6a2c862659d284385816f4247971514956a79a94a6af6c8871efb5260e03bec2fb178dd7b5013c597ec735a7e7b8c8fb784c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
cbadd595877dc314802ad7aba821f6f2

SHA1
66cb94eac5e111657e563c6e7f4f5ae0f508e031

SHA256
c173341de60dbd896e26b5d6be7b3be69b6df2a2cd4ae6437ca653512c305f8a

SHA512
2d8f2f80aa467f63c3299c538ef2ec1145e34bc2c82a5ebf359a407035dbf8f6384830b73e805838cfef65d3fc5ed49aceabe2a99ade3121fc008edc33a06c0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
9812a02eaf198937afc73484fb94c442

SHA1
0247f7bf2594b14aa8ccde4f52bdd207a04e57bd

SHA256
94349d2122a6cd4183cebf7333cb47fd56b34ff290c3b87b8d3f3662aca79406

SHA512
9fe048fc19785592733d854efdb12c8b5c28ce9379e2acb74ceb75788b948af4bdabe845c43f625fd341bcd9cdf228a7380a829a6165ef7e1266ec5614b4945a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_asyncio.pyd

Filesize
63KB

MD5
686262283ba69cce7f3eaba7cdeb0372

SHA1
5b771e444ee97b246545affcdc8fa910c8f591ea

SHA256
02ec5cd22543c0ca298c598b7e13949a4e8247cec288d0bca0a1269059b548ef

SHA512
dca7403cfe2bfe14cf51f747a893f49db52d4d43691dbccecaa83796351b6f7e644cf8e455a0b9c38c6c006f481d5c45d32ae789756250a2b29978e9feb839d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd

Filesize
81KB

MD5
56203038756826a0a683d5750ee04093

SHA1
93d5a07f49bdcc7eb8fba458b2428fe4afcc20d2

SHA256
31c2f21adf27ca77fa746c0fda9c7d7734587ab123b95f2310725aaf4bf4ff3c

SHA512
3da5ae98511300694c9e91617c152805761d3de567981b5ab3ef7cd3dbba3521aae0d49b1eb42123d241b5ed13e8637d5c5bc1b44b9eaa754657f30662159f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

Filesize
120KB

MD5
462fd515ca586048459b9d90a660cb93

SHA1
06089f5d5e2a6411a0d7b106d24d5203eb70ec60

SHA256
bf017767ac650420487ca3225b3077445d24260bf1a33e75f7361b0c6d3e96b4

SHA512
67851bdbf9ba007012b89c89b86fd430fce24790466fefbb54431a7c200884fc9eb2f90c36d57acd300018f607630248f1a3addc2aa5f212458eb7a5c27054b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd

Filesize
63KB

MD5
7a74284813386818ada7bf55c8d8acf9

SHA1
380c4184eec7ca266e4c2b96bb92a504dfd8fe5f

SHA256
21a1819013de423bb3b9b682d0b3506c6ef57ee88c61edf4ba12d8d5f589c9c2

SHA512
f8bc4ac57ada754006bbbb0bfa1ccb6c659f9c4d3270970e26219005e872b60afb9242457d8eb3eae0ce1f608f730da3bf16715f04b47bea4c95519dd9994a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd

Filesize
154KB

MD5
14ea9d8ba0c2379fb1a9f6f3e9bbd63b

SHA1
f7d4e7b86acaf796679d173e18f758c1e338de82

SHA256
c414a5a418c41a7a8316687047ed816cad576741bd09a268928e381a03e1eb39

SHA512
64a52fe41007a1cac4afedf2961727b823d7f1c4399d3465d22377b5a4a5935cee2598447aeff62f99c4e98bb3657cfae25b5c27de32107a3a829df5a25ba1ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_overlapped.pyd

Filesize
48KB

MD5
a5bd529290006ef1ebc8d32ffe501ca5

SHA1
c59ef2157358fb8f79b5a37ee9abba802ae915ba

SHA256
eeaa26addf211b37e689d46cfac6b7fad0d5421adc4c0113872dac1347aff130

SHA512
6b026e62b0b37445a480599175161cf6a60284ef881e0f0d1da643ac80013c2005f790f099733d76cfcf855e2ecd3a0e6c8bfc19dbabff67869119676ee03b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

Filesize
77KB

MD5
c389430e19f1cd4c2e7b8538e8c52459

SHA1
546ed5a85ad80a7b7db99f80c7080dc972e4f2a2

SHA256
a14efa68d8f7ec018fb867a6ba6c6c290a803b4001fd8c45db7bda66fb700067

SHA512
5bef6c90c65bf1d4be0ce0d0cb3f38fe288f5716c93e444cf12f89f066791850d8316d414f1d795ff148c9e841cda90ef9c35ceb4a499563f28d068a6b427671

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_sqlite3.pyd

Filesize
96KB

MD5
98228631212a443781d0ac72e4656b97

SHA1
7e87e1fb891439cf466648b37abdbd4053a5da66

SHA256
fab3440d88376c9c334333b80b50f20a273a08f1d319bf0a9a6eb8bd04d35250

SHA512
5d41384b0280415f581c13b4b47de3de845fd60fc0373613dc9a73d4e0ecf9e855cb0e4aaa1c88fdc2d98e973ca083a48c129529141a8fd65c74c104ad9015f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd

Filesize
156KB

MD5
7c7223f28c0c27c85a979ad222d19288

SHA1
4185e671b1dc56b22134c97cd8a4a67747887b87

SHA256
4ec47beadc4fd0d38fa39092244c108674012874f3190ee0e484aa988b94f986

SHA512
f3e813b954357f1bc323d897edf308a99ed30ff451053b312f81b6baae188cda58d144072627398a19d8d12fe659e4f40636dbbdf22a45770c3ca71746ec2df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-1_1.dll

Filesize
3.3MB

MD5
80b72c24c74d59ae32ba2b0ea5e7dad2

SHA1
75f892e361619e51578b312605201571bfb67ff8

SHA256
eb975c94e5f4292edd9a8207e356fe4ea0c66e802c1e9305323d37185f85ad6d

SHA512
08014ee480b5646362c433b82393160edf9602e4654e12cd9b6d3c24e98c56b46add9bf447c2301a2b2e782f49c444cb8e37ee544f38330c944c87397bdd152a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-1_1.dll

Filesize
686KB

MD5
86f2d9cc8cc54bbb005b15cabf715e5d

SHA1
396833cba6802cb83367f6313c6e3c67521c51ad

SHA256
d98dd943517963fd0e790fde00965822aa4e4a48e8a479afad74abf14a300771

SHA512
0013d487173b42e669a13752dc8a85b838c93524f976864d16ec0d9d7070d981d129577eda497d4fcf66fc6087366bd320cff92ead92ab79cfcaa946489ac6cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\multidict\_multidict.pyd

Filesize
46KB

MD5
95463f615865a472f75ddb365644a571

SHA1
91f22ef3f2ffd3e9d6ce6e58beea9a96287b090b

SHA256
9ee77474d244a17337d4ccc5113fe4af7b4d86f9969293a884927718d06e63c8

SHA512
e3cccce9ebf5e7cf33e68046d3e7b59e454ccb791635eb5f405977fd270126ef8b58e6288dbe58c96b681361d81ef28720eba8d0bd389bfb0f4c3114d098a117

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd

Filesize
29KB

MD5
c6ef07e75eae2c147042d142e23d2173

SHA1
6ef3e912db5faf5a6b4225dbb6e34337a2271a60

SHA256
43ee736c8a93e28b1407bf5e057a7449f16ee665a6e51a0f1bc416e13cee7e78

SHA512
30e915566e7b934bdd49e708151c98f732ff338d7bc3a46797de9cca308621791276ea03372c5e2834b6b55e66e05d58cf1bb4cb9ff31fb0a1c1aca0fcdc0d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\sqlite3.dll

Filesize
1.5MB

MD5
fcc7a468d46c90f5a71e3e9c99b1d50e

SHA1
91070cac3cdde28905a7bc695f8c0fd1290fd0d0

SHA256
215c02ac57378e48428d4b013f7bcedd2b58d73e83c54eca17a8c9bd7f3bdf55

SHA512
95bff194696436e590a5df8f18987ce6e5c20b6e50e552e7d049fec8da834c71cdbd87418fc85be73aaea4176aeb672d44e89256cd64bfade5959f3aabb0884d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\unicodedata.pyd

Filesize
1.1MB

MD5
d4964a28a22078c30064c65e968f9e1f

SHA1
b9b95975bea97a55c888da66148d54bdb38b609b

SHA256
b204718d21952369726472ca12712047839119ccf87e16979af595c0a57b6703

SHA512
bfe200b255ae1ddba53d98d54479e7e1d0932fb27bbfdcb4170d3d4cbbbfc297e3b5fd273b830399b795feb64cd0d9c48d0e1e0eaf72d0e0992261864e2d7296

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\yarl\_quoting_c.pyd

Filesize
93KB

MD5
9401cdf989b17c78e5d0ea5702380877

SHA1
0f37031def8a227d0b0b09c208494ea5f2324e5b

SHA256
d4ed42ac3f6c002c4e3dbf6fd344d4f3ca5465e0db6e495a920aed7772efb454

SHA512
df4a5404e0aca31c5e4be851a7fced6bb0d1a25b1a5ea4aa66590e7115ffd66324159d5b03811c99dfe2c338867a2d0771afdc0c0888e6f43f2328c19c91a7b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lvzes2cq.a52.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4224_133871417662751709\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_4224_133871417662751709\python310.dll

Filesize
4.3MB

MD5
e4533934b37e688106beac6c5919281e

SHA1
ada39f10ef0bbdcf05822f4260e43d53367b0017

SHA256
2bf761bae584ba67d9a41507b45ebd41ab6ae51755b1782496d0bc60cc1d41d5

SHA512
fa681a48ddd81854c9907026d4f36b008e509729f1d9a18a621f1d86cd1176c1a1ff4f814974306fa4d9e3886e2ce112a4f79b66713e1401f5dae4bcd8b898b9

Download Submit
C:\Users\Admin\Downloads\Exodus.exe

Filesize
38.7MB

MD5
649a8a400b04fe09604c899cba87d3bd

SHA1
8904ca358b5e691d621d008da7dc096a60670982

SHA256
fc51275b58e49d509c01a2a8cdb8367494819e5be0b752590361de0a6473a162

SHA512
6c5b4a39a9ea76111ac2086d861bac6b4f9cfda78b84db8bfffc8852d5172b859653e5cf5e1b0d3f06166a4fd9dd302111d7030d2286a6ff577748fc538393af

Download Submit
memory/4224-474-0x00007FF760320000-0x00007FF7629FD000-memory.dmp

Filesize
38.9MB

Download
memory/4580-576-0x0000027CD9160000-0x0000027CD9182000-memory.dmp

Filesize
136KB

Download
memory/4644-530-0x00007FF700E90000-0x00007FF7068A2000-memory.dmp

Filesize
90.1MB

Download
memory/4644-584-0x00007FF700E90000-0x00007FF7068A2000-memory.dmp

Filesize
90.1MB

Download