exelastealer | hxxps://gofile[.]io/d/BUrsXq

Analysis

max time kernel
150s
max time network
147s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
23/03/2025, 18:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/BUrsXq

Score

10^/10

exelastealer xworm collection defense_evasion discovery persistence privilege_escalation pyinstaller rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:4139

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000700000000032b-491.dat	family_xworm
behavioral1/memory/4544-499-0x00000000005B0000-0x00000000005C6000-memory.dmp	family_xworm

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
6096	netsh.exe
5552	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3600	cmd.exe
1180	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
3980	Stub.exe
4544	XClient.exe
5860	checker.exe
1232	checker.exe

Loads dropped DLL 55 IoCs

pid	Process
3980	Stub.exe
3980	Stub.exe
3980	Stub.exe
3980	Stub.exe
3980	Stub.exe
3980	Stub.exe
3980	Stub.exe
3980	Stub.exe
3980	Stub.exe
3980	Stub.exe
3980	Stub.exe
3980	Stub.exe
3980	Stub.exe
3980	Stub.exe
3980	Stub.exe
3980	Stub.exe
3980	Stub.exe
3980	Stub.exe
3980	Stub.exe
3980	Stub.exe
3980	Stub.exe
3980	Stub.exe
3980	Stub.exe
3980	Stub.exe
3980	Stub.exe
3980	Stub.exe
3980	Stub.exe
3980	Stub.exe
3980	Stub.exe
3980	Stub.exe
3980	Stub.exe
1232	checker.exe
1232	checker.exe
1232	checker.exe
1232	checker.exe
1232	checker.exe
1232	checker.exe
1232	checker.exe
1232	checker.exe
1232	checker.exe
1232	checker.exe
1232	checker.exe
1232	checker.exe
1232	checker.exe
1232	checker.exe
1232	checker.exe
1232	checker.exe
1232	checker.exe
1232	checker.exe
1232	checker.exe
1232	checker.exe
1232	checker.exe
1232	checker.exe
1232	checker.exe
1232	checker.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 36 IoCs

Web Service

T1102

flow	ioc
194	discord.com
195	discord.com
209	discord.com
132	discord.com
154	api.gofile.io
179	discord.com
204	discord.com
37	api.gofile.io
169	discord.com
181	discord.com
191	discord.com
151	discord.com
184	discord.com
192	discord.com
201	discord.com
207	discord.com
211	discord.com
39	api.gofile.io
133	discord.com
163	discord.com
178	discord.com
182	discord.com
202	discord.com
36	api.gofile.io
189	discord.com
199	discord.com
214	discord.com
152	api.gofile.io
162	discord.com
168	discord.com
197	discord.com
205	discord.com
173	discord.com
185	discord.com
176	discord.com
188	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
130	ipinfo.io
131	ipinfo.io
148	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
5220	ARP.EXE
4552	cmd.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
4016	tasklist.exe
4928	tasklist.exe
3172	tasklist.exe
864	tasklist.exe
5100	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5948	cmd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	msedge.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5104	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0003000000006795-504.dat	pyinstaller

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1204	cmd.exe
4284	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
5308	NETSTAT.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
5368	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4848	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4532	ipconfig.exe
5308	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
416	systeminfo.exe

Kills process with taskkill 9 IoCs

defense_evasion

pid	Process
3488	taskkill.exe
5096	taskkill.exe
5616	taskkill.exe
4848	taskkill.exe
4192	taskkill.exe
5404	taskkill.exe
5684	taskkill.exe
5776	taskkill.exe
4844	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133872271374726998"	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-73851796-4078923053-1419757224-1000\{972B7512-81DB-461B-BE89-1B082ADB6027}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-73851796-4078923053-1419757224-1000_Classes\Local Settings	msedge.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
1780	NOTEPAD.EXE
4728	NOTEPAD.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
5376	WMIC.exe
5376	WMIC.exe
4848	WMIC.exe
5376	WMIC.exe
4848	WMIC.exe
5376	WMIC.exe
4848	WMIC.exe
4848	WMIC.exe
3496	WMIC.exe
3496	WMIC.exe
3496	WMIC.exe
3496	WMIC.exe
2284	WMIC.exe
2284	WMIC.exe
2284	WMIC.exe
2284	WMIC.exe
1180	powershell.exe
1180	powershell.exe
1180	powershell.exe
5368	WMIC.exe
5368	WMIC.exe
5368	WMIC.exe
5368	WMIC.exe
2216	WMIC.exe
2216	WMIC.exe
2216	WMIC.exe
2216	WMIC.exe
4868	WMIC.exe
4868	WMIC.exe
4868	WMIC.exe
4868	WMIC.exe
3376	WMIC.exe
3376	WMIC.exe
3376	WMIC.exe
3376	WMIC.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5376	WMIC.exe
Token: SeSecurityPrivilege	5376	WMIC.exe
Token: SeTakeOwnershipPrivilege	5376	WMIC.exe
Token: SeLoadDriverPrivilege	5376	WMIC.exe
Token: SeSystemProfilePrivilege	5376	WMIC.exe
Token: SeSystemtimePrivilege	5376	WMIC.exe
Token: SeProfSingleProcessPrivilege	5376	WMIC.exe
Token: SeIncBasePriorityPrivilege	5376	WMIC.exe
Token: SeCreatePagefilePrivilege	5376	WMIC.exe
Token: SeBackupPrivilege	5376	WMIC.exe
Token: SeRestorePrivilege	5376	WMIC.exe
Token: SeShutdownPrivilege	5376	WMIC.exe
Token: SeDebugPrivilege	5376	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5376	WMIC.exe
Token: SeRemoteShutdownPrivilege	5376	WMIC.exe
Token: SeUndockPrivilege	5376	WMIC.exe
Token: SeManageVolumePrivilege	5376	WMIC.exe
Token: 33	5376	WMIC.exe
Token: 34	5376	WMIC.exe
Token: 35	5376	WMIC.exe
Token: 36	5376	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4848	WMIC.exe
Token: SeSecurityPrivilege	4848	WMIC.exe
Token: SeTakeOwnershipPrivilege	4848	WMIC.exe
Token: SeLoadDriverPrivilege	4848	WMIC.exe
Token: SeSystemProfilePrivilege	4848	WMIC.exe
Token: SeSystemtimePrivilege	4848	WMIC.exe
Token: SeProfSingleProcessPrivilege	4848	WMIC.exe
Token: SeIncBasePriorityPrivilege	4848	WMIC.exe
Token: SeCreatePagefilePrivilege	4848	WMIC.exe
Token: SeBackupPrivilege	4848	WMIC.exe
Token: SeRestorePrivilege	4848	WMIC.exe
Token: SeShutdownPrivilege	4848	WMIC.exe
Token: SeDebugPrivilege	4848	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4848	WMIC.exe
Token: SeRemoteShutdownPrivilege	4848	WMIC.exe
Token: SeUndockPrivilege	4848	WMIC.exe
Token: SeManageVolumePrivilege	4848	WMIC.exe
Token: 33	4848	WMIC.exe
Token: 34	4848	WMIC.exe
Token: 35	4848	WMIC.exe
Token: 36	4848	WMIC.exe
Token: SeDebugPrivilege	4016	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4848	WMIC.exe
Token: SeSecurityPrivilege	4848	WMIC.exe
Token: SeTakeOwnershipPrivilege	4848	WMIC.exe
Token: SeLoadDriverPrivilege	4848	WMIC.exe
Token: SeSystemProfilePrivilege	4848	WMIC.exe
Token: SeSystemtimePrivilege	4848	WMIC.exe
Token: SeProfSingleProcessPrivilege	4848	WMIC.exe
Token: SeIncBasePriorityPrivilege	4848	WMIC.exe
Token: SeCreatePagefilePrivilege	4848	WMIC.exe
Token: SeBackupPrivilege	4848	WMIC.exe
Token: SeRestorePrivilege	4848	WMIC.exe
Token: SeShutdownPrivilege	4848	WMIC.exe
Token: SeDebugPrivilege	4848	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4848	WMIC.exe
Token: SeRemoteShutdownPrivilege	4848	WMIC.exe
Token: SeUndockPrivilege	4848	WMIC.exe
Token: SeManageVolumePrivilege	4848	WMIC.exe
Token: 33	4848	WMIC.exe
Token: 34	4848	WMIC.exe
Token: 35	4848	WMIC.exe
Token: 36	4848	WMIC.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe
3076	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 2268	3076	msedge.exe	82
PID 3076 wrote to memory of 2268	3076	msedge.exe	82
PID 3076 wrote to memory of 5220	3076	msedge.exe	83
PID 3076 wrote to memory of 5220	3076	msedge.exe	83
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1552	3076	msedge.exe	84
PID 3076 wrote to memory of 1688	3076	msedge.exe	85
PID 3076 wrote to memory of 1688	3076	msedge.exe	85
PID 3076 wrote to memory of 1688	3076	msedge.exe	85
PID 3076 wrote to memory of 1688	3076	msedge.exe	85
PID 3076 wrote to memory of 1688	3076	msedge.exe	85
PID 3076 wrote to memory of 1688	3076	msedge.exe	85
PID 3076 wrote to memory of 1688	3076	msedge.exe	85
PID 3076 wrote to memory of 1688	3076	msedge.exe	85
PID 3076 wrote to memory of 1688	3076	msedge.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
752	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/BUrsXq
1⤵
- Drops file in Windows directory
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x264,0x268,0x26c,0x260,0x28c,0x7ff88813f208,0x7ff88813f214,0x7ff88813f220
  2⤵
  PID:2268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1780,i,716206870612351085,952316612960525451,262144 --variations-seed-version --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  PID:5220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2196,i,716206870612351085,952316612960525451,262144 --variations-seed-version --mojo-platform-channel-handle=2192 /prefetch:2
  2⤵
  PID:1552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2540,i,716206870612351085,952316612960525451,262144 --variations-seed-version --mojo-platform-channel-handle=2576 /prefetch:8
  2⤵
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3456,i,716206870612351085,952316612960525451,262144 --variations-seed-version --mojo-platform-channel-handle=3496 /prefetch:1
  2⤵
  PID:2636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3476,i,716206870612351085,952316612960525451,262144 --variations-seed-version --mojo-platform-channel-handle=3560 /prefetch:1
  2⤵
  PID:4268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=5016,i,716206870612351085,952316612960525451,262144 --variations-seed-version --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4812,i,716206870612351085,952316612960525451,262144 --variations-seed-version --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  PID:6080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4808,i,716206870612351085,952316612960525451,262144 --variations-seed-version --mojo-platform-channel-handle=5284 /prefetch:8
  2⤵
  PID:5692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5452,i,716206870612351085,952316612960525451,262144 --variations-seed-version --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  PID:5460
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5780,i,716206870612351085,952316612960525451,262144 --variations-seed-version --mojo-platform-channel-handle=5484 /prefetch:8
  2⤵
  PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5780,i,716206870612351085,952316612960525451,262144 --variations-seed-version --mojo-platform-channel-handle=5484 /prefetch:8
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --always-read-main-dll --field-trial-handle=4256,i,716206870612351085,952316612960525451,262144 --variations-seed-version --mojo-platform-channel-handle=5580 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5528,i,716206870612351085,952316612960525451,262144 --variations-seed-version --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  PID:5596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --always-read-main-dll --field-trial-handle=5092,i,716206870612351085,952316612960525451,262144 --variations-seed-version --mojo-platform-channel-handle=6312 /prefetch:1
  2⤵
  PID:5680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5036,i,716206870612351085,952316612960525451,262144 --variations-seed-version --mojo-platform-channel-handle=6232 /prefetch:8
  2⤵
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6640,i,716206870612351085,952316612960525451,262144 --variations-seed-version --mojo-platform-channel-handle=6784 /prefetch:8
  2⤵
  PID:5108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6252,i,716206870612351085,952316612960525451,262144 --variations-seed-version --mojo-platform-channel-handle=6164 /prefetch:8
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6604,i,716206870612351085,952316612960525451,262144 --variations-seed-version --mojo-platform-channel-handle=6884 /prefetch:8
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6384,i,716206870612351085,952316612960525451,262144 --variations-seed-version --mojo-platform-channel-handle=6348 /prefetch:8
  2⤵
  PID:5100

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:1004

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3368

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\checker\checker\checker\discordWebhook.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:1780

C:\Users\Admin\Downloads\checker\checker\checker\setup.exe
"C:\Users\Admin\Downloads\checker\checker\checker\setup.exe"
1⤵
PID:460
- C:\Users\Admin\AppData\Local\Temp\onefile_460_133872271923726723\Stub.exe
  C:\Users\Admin\Downloads\checker\checker\checker\setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:3980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:4868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3784
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    PID:3136
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:5096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:4760
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    PID:2808
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2436
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:6080
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:4928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\HellionUpdate\Hellion.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:5948
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\HellionUpdate\Hellion.exe"
      4⤵
      Views/modifies file attributes
      PID:752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    PID:4208
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:4288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:3772
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:3172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3076"
    3⤵
    PID:700
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3076
      4⤵
      Kills process with taskkill
      PID:5776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2268"
    3⤵
    PID:2736
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2268
      4⤵
      Kills process with taskkill
      PID:4192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5220"
    3⤵
    PID:2752
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5220
      4⤵
      Kills process with taskkill
      PID:4844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1552"
    3⤵
    PID:4368
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1552
      4⤵
      Kills process with taskkill
      PID:3488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1688"
    3⤵
    PID:1376
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1688
      4⤵
      Kills process with taskkill
      PID:5096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2636"
    3⤵
    PID:5992
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2636
      4⤵
      Kills process with taskkill
      PID:5616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4632"
    3⤵
    PID:4704
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4632
      4⤵
      Kills process with taskkill
      PID:4848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5680"
    3⤵
    PID:3696
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5680
      4⤵
      Kills process with taskkill
      PID:5404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5100"
    3⤵
    PID:5000
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5100
      4⤵
      Kills process with taskkill
      PID:5684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:2380
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:4380
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:2248
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:5460
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:6016
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5024
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:3600
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:1180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    PID:4552
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:416
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:3976
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      Suspicious behavior: EnumeratesProcesses
      PID:5368
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:5356
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:5284
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:3200
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:1136
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:3060
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:2736
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:2012
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:5720
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:4692
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:1756
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:2212
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:5052
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2216
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:5100
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:4532
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:5848
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:5220
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:5308
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:5104
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:6096
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:5552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1204
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3404
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2752
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3376

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4612

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\checker\checker\checker\wordlist.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4728

C:\Users\Admin\Downloads\checker\checker\checker\generator4l.exe
"C:\Users\Admin\Downloads\checker\checker\checker\generator4l.exe"
1⤵
PID:4756
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  2⤵
  - Executes dropped EXE
  PID:4544
- C:\Users\Admin\AppData\Local\Temp\checker.exe
  "C:\Users\Admin\AppData\Local\Temp\checker.exe"
  2⤵
  - Executes dropped EXE
  PID:5860
- - C:\Users\Admin\AppData\Local\Temp\checker.exe
    "C:\Users\Admin\AppData\Local\Temp\checker.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1232
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c title Zero Tolerance Username Checker
      4⤵
      PID:6116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
aad9ef568b38aa2ab42b57a3cbd8d8eb

SHA1
efe601b188069ca6b54ba6bd63866687c5574780

SHA256
ef0ca3af55b0eb83ea83d3376038feecaef97236df7c556f821c93bd08e86a9a

SHA512
5a3e66a1f995ed2779c7260787a2688118406190312d31e7a77bbfef233d81bbc17dd1bbf77a08ba73e390e22dd973c173b5eb39851b359a9196f48bb6fea963

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
f5fe1b23631a9a525a5f6cb78ddb863c

SHA1
eeafd73e3ce878c6a71a0e454c403079a48bedb1

SHA256
fa6cd6d9c1f5d5c94ea4ea107e025848070b06ed106f145005e9ba7cccbdffdc

SHA512
ce55e0df71677e59cb552d20d5753b5784fe418e1018ddb71748d911bda798e706b7c65a3e1c1715a198fc3b12cb3167469f26596193096ec98bf4901afd594c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57d1b7.TMP

Filesize
3KB

MD5
93ed54abc264109934a4adca3d3a3ffa

SHA1
aa65f492d14977b3da654161a0f82b9382a158d1

SHA256
f4067c9ee71e47e8a3715c91d62dbaa86afdded88d241013ac3428661abc013f

SHA512
74d571f2c85325b6c466ac2b01e8c46277ed79dc683c2a899ef2ed79b06456cc52ecfdaad521c66fbbc0126151e9c25b825c411c419d28c0c32f652993083694

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
9e8dec0eb2a3a4db6fbfc0db720a694e

SHA1
434873e9f0285f2b06d2f60f74dffb8c5388998a

SHA256
bb5e4847b59a90c89d36f7b9a27685cb9815e79d2fb990dcf094d4ef940a66fb

SHA512
8dd77516fdc2e4be82e2c8e0140bb98ae49f35b72299bea1a452f3a4072d523d2c31f05d1be052b35974beba701228ed08d7636de1911104849733c8edb295eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
a5a64bfc8598a0d37bf6075fda67e3af

SHA1
d69f3c0722685b19e26b74f909d1f0086d40eb71

SHA256
f221a78ca8ac59f1267548138c1cb3cf7b1dc1cc32c25a4071dc330cf1adb52d

SHA512
f25eaafa014580397196bfcb08e8e8793fe539f3803ed48bd742ee8ae1d89c78cd6c366c318b8da7d91ad62998f1d3ee90c3ef861bd436545210ab654062af10

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
015eacb5f6b3e4d0ff477752e6304642

SHA1
0d72a92ec85ad07d102744ece5845dc663d0bede

SHA256
4eeb5c8ea25a5d0939f642c9f837b10da5c84bba44ee2f7bca10b9f2328dbe00

SHA512
39cfe8e9410d41c9417611873d020f12d282f6530e2e17517f305130343b02d70395a379f5116f062b7485c234b387e997190a319e8f01efeb905a000b0a7914

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
df50005ee62cb28ee24e2e5d8c5ed452

SHA1
6631ed2fe45e4676e88cb4f74f48529aff45bb59

SHA256
fc923901cd598d1596a516127b84aaf5f9921a39edfe79438542e1cdb7af0df1

SHA512
250ecf51afe912095065592aa0ee9422b74f55edfff080c50063b13ec5aca665b4425c8a7b448c909f889beae135ec7bcd38f5732355edf0494710af15427b3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
469B

MD5
079f90152696f7fdc6fa25423a0f53e7

SHA1
3a74f6b655b3f42c4a0d2f2e64b333e66d9c677e

SHA256
853483e9c86900ee393b1991910617acda35e0da37573e8d66f9cbf84f918435

SHA512
447fa6f219669bd4b3d5f10f7f587ae5f01285581d9a2f016481538384fb958a7bd0412b61c17880edbec7835a35466ce1cf0ad900fda3f8d98b08df012d3259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
22KB

MD5
fa88392249121c33edcab464465c68b1

SHA1
a08ac694afc5ba06fd098cd1359a581d2b197758

SHA256
686dbb9cceee732b60c186c3fb1ae0cbc7374627f6fcb07374066006363735b5

SHA512
fb1990191c3a5a6b0044f973e3c551db4228bf9e9a6c7620a32478b3185f2f376f924bbc740fa55df2758d567eded544a5ff022189822792ac2031e9ff568acc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\CloudConfigLog

Filesize
904B

MD5
92f37518331ca75a42f665e5a53af21d

SHA1
d5a8714119ae203ca9ae1d94800d2821c0fc57b6

SHA256
6f402932d609adabe0f1bbccb848c7c41e6a58f41f9ad5f539ae0d5d683c03e8

SHA512
74d4a7e1e6cc85f7f950f23619131fbc6cb9629f5cd6aa67f44890eb7e3869a82d86c9df31d6e5305b0a2fb2b5fa06a5aec0e3da6856fed2a9efabc0a913d216

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Edge Cloud Config\OperationConfig

Filesize
19KB

MD5
41c1930548d8b99ff1dbb64ba7fecb3d

SHA1
d8acfeaf7c74e2b289be37687f886f50c01d4f2f

SHA256
16cee17a989167242dd7ee2755721e357dd23bcfcb61f5789cc19deafe7ca502

SHA512
a684d61324c71ac15f3a907788ab2150f61e7e2b2bf13ca08c14e9822b22336d0d45d9ff2a2a145aa7321d28d6b71408f9515131f8a1bd9f4927b105e6471b75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
50KB

MD5
3f5e4f696259434a05a825d4ad7a3892

SHA1
4aed43a3b0814ebfe19e6bc3724ef023685a703f

SHA256
58892482583142166b3451d7c59530498f7e5d1969eb50c255299a1c7fee5e4d

SHA512
aa4aeb8576581247bd23f20c0696cb2d20900efb4beb467a61493f06046172857c5e87ebb13bcbe3ffd0cf568dc751a4ad1f5f1c1b741d81385695d67cbb1881

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
623ce6bc86087a110272140b1b8750f9

SHA1
4c9554eda4662c2c5b798a0b4f1962c3f3292730

SHA256
ddc2bb0770ae3b46550815c234fe57f1cf0ae096cb2dbfd335a72651e76334ba

SHA512
a7988753bd0f1c2ca393c4fb3d956c42768d3b13555d1bf90f381f5595d5a0ec8c0aa44c471e41a5de037678494a98702473d63e81bc6f6561f88aa38c741dab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
ddbc07eb6b01b4b732379082f21d5341

SHA1
94cd3c5f89347e070b8fb2aa358cc9d9969ff051

SHA256
7298e8bcfea0b7f24433f63b2da188ec9932d7ff998bcd9035b72da298bf89ab

SHA512
d982839d0bd6f41925881a8ce2798a9db85e1f54794cff9ab6cbaf80754c111a0c6f63bd6655d5a6ec5890c41b33dac1cb8762f6f33cbd26c38bcc146d9c950c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
e5cd1ac170d905bcbf7463592a64d66b

SHA1
b16810b9220b8cf7f88beb709e9150e92e228f5d

SHA256
833deaffbd3d582bc4e9f64795a326bca9f90b72964ba158efd35b71fb8ccad0

SHA512
13ceb331b7bb8743951296b99ab796d2e1cc74b5568d051f2f7313846d08a41991377d3c389b919b49da20f75caa7e02312f6cab93f22e55e1a1b32bdf6349c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

Filesize
77KB

MD5
c389430e19f1cd4c2e7b8538e8c52459

SHA1
546ed5a85ad80a7b7db99f80c7080dc972e4f2a2

SHA256
a14efa68d8f7ec018fb867a6ba6c6c290a803b4001fd8c45db7bda66fb700067

SHA512
5bef6c90c65bf1d4be0ce0d0cb3f38fe288f5716c93e444cf12f89f066791850d8316d414f1d795ff148c9e841cda90ef9c35ceb4a499563f28d068a6b427671

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_sqlite3.pyd

Filesize
96KB

MD5
98228631212a443781d0ac72e4656b97

SHA1
7e87e1fb891439cf466648b37abdbd4053a5da66

SHA256
fab3440d88376c9c334333b80b50f20a273a08f1d319bf0a9a6eb8bd04d35250

SHA512
5d41384b0280415f581c13b4b47de3de845fd60fc0373613dc9a73d4e0ecf9e855cb0e4aaa1c88fdc2d98e973ca083a48c129529141a8fd65c74c104ad9015f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd

Filesize
156KB

MD5
7c7223f28c0c27c85a979ad222d19288

SHA1
4185e671b1dc56b22134c97cd8a4a67747887b87

SHA256
4ec47beadc4fd0d38fa39092244c108674012874f3190ee0e484aa988b94f986

SHA512
f3e813b954357f1bc323d897edf308a99ed30ff451053b312f81b6baae188cda58d144072627398a19d8d12fe659e4f40636dbbdf22a45770c3ca71746ec2df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\aiohttp\_http_parser.pyd

Filesize
258KB

MD5
43f3c5b856d5cafde6af3908522dc86a

SHA1
ab79574afe39598b48cad0becb8d8dbe4676c890

SHA256
63cc216fb73fc2e263d2838e2d69ed0708d04de2e61f3a946f9956feb6294dd1

SHA512
850ef61c141b3e29cb4921853ecd90f51b6bed54e30e1281e4537df0aec352a4183c7c08207c7875332e5a6a04d0000fa06789a859fbbdf29b75ea83f630553d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\aiohttp\_websocket\mask.pyd

Filesize
35KB

MD5
e2f273c2a1e066bc0531724271519724

SHA1
47cddfc0f1b57e180a5fc8ea082f44fad486c067

SHA256
59385161f55b1516410be560b2ee8737d45a7b3ba2c0a4c984555c238a7f963f

SHA512
681b327dde2bbc5bf4329b4b5354fadef2c107f36b8c9ad8233ac339c620acbdcd6b447d6f63f0616df7088672dbad098297fe81f00044a16f39e6b2030d2718

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-1_1.dll

Filesize
3.3MB

MD5
80b72c24c74d59ae32ba2b0ea5e7dad2

SHA1
75f892e361619e51578b312605201571bfb67ff8

SHA256
eb975c94e5f4292edd9a8207e356fe4ea0c66e802c1e9305323d37185f85ad6d

SHA512
08014ee480b5646362c433b82393160edf9602e4654e12cd9b6d3c24e98c56b46add9bf447c2301a2b2e782f49c444cb8e37ee544f38330c944c87397bdd152a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libssl-1_1.dll

Filesize
686KB

MD5
86f2d9cc8cc54bbb005b15cabf715e5d

SHA1
396833cba6802cb83367f6313c6e3c67521c51ad

SHA256
d98dd943517963fd0e790fde00965822aa4e4a48e8a479afad74abf14a300771

SHA512
0013d487173b42e669a13752dc8a85b838c93524f976864d16ec0d9d7070d981d129577eda497d4fcf66fc6087366bd320cff92ead92ab79cfcaa946489ac6cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\multidict\_multidict.pyd

Filesize
46KB

MD5
95463f615865a472f75ddb365644a571

SHA1
91f22ef3f2ffd3e9d6ce6e58beea9a96287b090b

SHA256
9ee77474d244a17337d4ccc5113fe4af7b4d86f9969293a884927718d06e63c8

SHA512
e3cccce9ebf5e7cf33e68046d3e7b59e454ccb791635eb5f405977fd270126ef8b58e6288dbe58c96b681361d81ef28720eba8d0bd389bfb0f4c3114d098a117

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\select.pyd

Filesize
29KB

MD5
c6ef07e75eae2c147042d142e23d2173

SHA1
6ef3e912db5faf5a6b4225dbb6e34337a2271a60

SHA256
43ee736c8a93e28b1407bf5e057a7449f16ee665a6e51a0f1bc416e13cee7e78

SHA512
30e915566e7b934bdd49e708151c98f732ff338d7bc3a46797de9cca308621791276ea03372c5e2834b6b55e66e05d58cf1bb4cb9ff31fb0a1c1aca0fcdc0d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\sqlite3.dll

Filesize
1.5MB

MD5
fcc7a468d46c90f5a71e3e9c99b1d50e

SHA1
91070cac3cdde28905a7bc695f8c0fd1290fd0d0

SHA256
215c02ac57378e48428d4b013f7bcedd2b58d73e83c54eca17a8c9bd7f3bdf55

SHA512
95bff194696436e590a5df8f18987ce6e5c20b6e50e552e7d049fec8da834c71cdbd87418fc85be73aaea4176aeb672d44e89256cd64bfade5959f3aabb0884d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\unicodedata.pyd

Filesize
1.1MB

MD5
d4964a28a22078c30064c65e968f9e1f

SHA1
b9b95975bea97a55c888da66148d54bdb38b609b

SHA256
b204718d21952369726472ca12712047839119ccf87e16979af595c0a57b6703

SHA512
bfe200b255ae1ddba53d98d54479e7e1d0932fb27bbfdcb4170d3d4cbbbfc297e3b5fd273b830399b795feb64cd0d9c48d0e1e0eaf72d0e0992261864e2d7296

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
63KB

MD5
50bd3fe74ab820e6642e625e1d4a9f85

SHA1
8fa03dbfaa6a92caccf80d143fe7897cac562da8

SHA256
1b4d0c1d60ee64acd021c9b67faa008cdbbce15403cead7b9cd0685763b90a80

SHA512
eb6870dd1f7ac65551bf62d700521deaaf48b07b2a8c54b097b7573a5750e7722e7ab7e4ffcb9da179422e7583879e3ac0946c7d234ac892e713c26173063f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uoxzr5er.4le.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\checker.exe

Filesize
9.0MB

MD5
7b9d4a4dbe5e07243b9bdc43dca1531c

SHA1
3047842eb91b44bb36bbe9f42c12c94fa62fc5dc

SHA256
c7f2209903cd49faffa956c21e7d612adb1856a233f0a1dbaef590b46245e574

SHA512
27aaed7a9151ec0f300572af3363c2a84d00785c20186dd9640a87af5f245095bcedd2b5f789d14d2ca3f17d8fa0648f64fbb2261c04966c8f93a00712e48ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_460_133872271923726723\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_460_133872271923726723\_asyncio.pyd

Filesize
63KB

MD5
686262283ba69cce7f3eaba7cdeb0372

SHA1
5b771e444ee97b246545affcdc8fa910c8f591ea

SHA256
02ec5cd22543c0ca298c598b7e13949a4e8247cec288d0bca0a1269059b548ef

SHA512
dca7403cfe2bfe14cf51f747a893f49db52d4d43691dbccecaa83796351b6f7e644cf8e455a0b9c38c6c006f481d5c45d32ae789756250a2b29978e9feb839d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_460_133872271923726723\_bz2.pyd

Filesize
81KB

MD5
56203038756826a0a683d5750ee04093

SHA1
93d5a07f49bdcc7eb8fba458b2428fe4afcc20d2

SHA256
31c2f21adf27ca77fa746c0fda9c7d7734587ab123b95f2310725aaf4bf4ff3c

SHA512
3da5ae98511300694c9e91617c152805761d3de567981b5ab3ef7cd3dbba3521aae0d49b1eb42123d241b5ed13e8637d5c5bc1b44b9eaa754657f30662159f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_460_133872271923726723\_ctypes.pyd

Filesize
120KB

MD5
462fd515ca586048459b9d90a660cb93

SHA1
06089f5d5e2a6411a0d7b106d24d5203eb70ec60

SHA256
bf017767ac650420487ca3225b3077445d24260bf1a33e75f7361b0c6d3e96b4

SHA512
67851bdbf9ba007012b89c89b86fd430fce24790466fefbb54431a7c200884fc9eb2f90c36d57acd300018f607630248f1a3addc2aa5f212458eb7a5c27054b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_460_133872271923726723\_hashlib.pyd

Filesize
63KB

MD5
7a74284813386818ada7bf55c8d8acf9

SHA1
380c4184eec7ca266e4c2b96bb92a504dfd8fe5f

SHA256
21a1819013de423bb3b9b682d0b3506c6ef57ee88c61edf4ba12d8d5f589c9c2

SHA512
f8bc4ac57ada754006bbbb0bfa1ccb6c659f9c4d3270970e26219005e872b60afb9242457d8eb3eae0ce1f608f730da3bf16715f04b47bea4c95519dd9994a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_460_133872271923726723\_lzma.pyd

Filesize
154KB

MD5
14ea9d8ba0c2379fb1a9f6f3e9bbd63b

SHA1
f7d4e7b86acaf796679d173e18f758c1e338de82

SHA256
c414a5a418c41a7a8316687047ed816cad576741bd09a268928e381a03e1eb39

SHA512
64a52fe41007a1cac4afedf2961727b823d7f1c4399d3465d22377b5a4a5935cee2598447aeff62f99c4e98bb3657cfae25b5c27de32107a3a829df5a25ba1ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_460_133872271923726723\_overlapped.pyd

Filesize
48KB

MD5
a5bd529290006ef1ebc8d32ffe501ca5

SHA1
c59ef2157358fb8f79b5a37ee9abba802ae915ba

SHA256
eeaa26addf211b37e689d46cfac6b7fad0d5421adc4c0113872dac1347aff130

SHA512
6b026e62b0b37445a480599175161cf6a60284ef881e0f0d1da643ac80013c2005f790f099733d76cfcf855e2ecd3a0e6c8bfc19dbabff67869119676ee03b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_460_133872271923726723\aiohttp\_http_writer.pyd

Filesize
46KB

MD5
cf98d8b77a22708a99ac3848f35a210b

SHA1
9dd719a0d9fe9e7b4fde8a247bc1709691fb15c6

SHA256
a4ff6573750a4f68f3ca221bfabc7756a10bed394606f73489d612cdcc6f670f

SHA512
67245c460289ec15b0230a921548dda64c01814088f8e1bc9b1edb4878f77bfa577fd8b42e86545caee853cc7380e6be5f7ce70b245b923039f84cc028c91a52

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_460_133872271923726723\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_460_133872271923726723\propcache\_helpers_c.pyd

Filesize
71KB

MD5
666376a78c5fc64d77cc14f14021b073

SHA1
8561262b705be2684f4de7233b86aa25c112482d

SHA256
e2f44ae3695d55958b0d34d6697fb0be6378ae11b29ade94bae7024adcc7eae3

SHA512
519b4af20186ae5388a5adc9ae9ae9a7d90c5c4807b7da936a0dc04a1acd4bf5e4c08498808bd0916bd2d774411ced5aeb98228e72bc229f8a6949557ae14e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_460_133872271923726723\python310.dll

Filesize
4.3MB

MD5
e4533934b37e688106beac6c5919281e

SHA1
ada39f10ef0bbdcf05822f4260e43d53367b0017

SHA256
2bf761bae584ba67d9a41507b45ebd41ab6ae51755b1782496d0bc60cc1d41d5

SHA512
fa681a48ddd81854c9907026d4f36b008e509729f1d9a18a621f1d86cd1176c1a1ff4f814974306fa4d9e3886e2ce112a4f79b66713e1401f5dae4bcd8b898b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_460_133872271923726723\yarl\_quoting_c.pyd

Filesize
93KB

MD5
9401cdf989b17c78e5d0ea5702380877

SHA1
0f37031def8a227d0b0b09c208494ea5f2324e5b

SHA256
d4ed42ac3f6c002c4e3dbf6fd344d4f3ca5465e0db6e495a920aed7772efb454

SHA512
df4a5404e0aca31c5e4be851a7fced6bb0d1a25b1a5ea4aa66590e7115ffd66324159d5b03811c99dfe2c338867a2d0771afdc0c0888e6f43f2328c19c91a7b5

Download Submit
memory/460-472-0x00007FF6F20F0000-0x00007FF6F47CD000-memory.dmp

Filesize
38.9MB

Download
memory/1180-462-0x000001E66A680000-0x000001E66A6A2000-memory.dmp

Filesize
136KB

Download
memory/1180-470-0x000001E66AB40000-0x000001E66AD5D000-memory.dmp

Filesize
2.1MB

Download
memory/3980-546-0x00007FF747AD0000-0x00007FF74D4E2000-memory.dmp

Filesize
90.1MB

Download
memory/3980-485-0x00007FF747AD0000-0x00007FF74D4E2000-memory.dmp

Filesize
90.1MB

Download
memory/3980-544-0x00007FF747AD0000-0x00007FF74D4E2000-memory.dmp

Filesize
90.1MB

Download
memory/3980-475-0x00007FF747AD0000-0x00007FF74D4E2000-memory.dmp

Filesize
90.1MB

Download
memory/3980-548-0x00007FF747AD0000-0x00007FF74D4E2000-memory.dmp

Filesize
90.1MB

Download
memory/3980-550-0x00007FF747AD0000-0x00007FF74D4E2000-memory.dmp

Filesize
90.1MB

Download
memory/3980-552-0x00007FF747AD0000-0x00007FF74D4E2000-memory.dmp

Filesize
90.1MB

Download
memory/3980-554-0x00007FF747AD0000-0x00007FF74D4E2000-memory.dmp

Filesize
90.1MB

Download
memory/4544-499-0x00000000005B0000-0x00000000005C6000-memory.dmp

Filesize
88KB

Download
memory/4756-486-0x00000000009B0000-0x00000000012D2000-memory.dmp

Filesize
9.1MB

Download