exelastealer | hxxps://gofile[.]io/d/BUrsXq

Analysis

max time kernel
1045s
max time network
432s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
23/03/2025, 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/BUrsXq

Score

10^/10

exelastealer xworm collection defense_evasion discovery persistence privilege_escalation pyinstaller rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

127.0.0.1:4139

Attributes

install_file
USB.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000600000001e304-804.dat	family_xworm
behavioral1/memory/3576-809-0x0000000000590000-0x00000000005A6000-memory.dmp	family_xworm

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
6104	netsh.exe
2572	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4652	cmd.exe
4460	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
4768	Stub.exe
3576	XClient.exe
3876	checker.exe
5560	checker.exe

Loads dropped DLL 56 IoCs

pid	Process
4768	Stub.exe
4768	Stub.exe
4768	Stub.exe
4768	Stub.exe
4768	Stub.exe
4768	Stub.exe
4768	Stub.exe
4768	Stub.exe
4768	Stub.exe
4768	Stub.exe
4768	Stub.exe
4768	Stub.exe
4768	Stub.exe
4768	Stub.exe
4768	Stub.exe
4768	Stub.exe
4768	Stub.exe
4768	Stub.exe
4768	Stub.exe
4768	Stub.exe
4768	Stub.exe
4768	Stub.exe
4768	Stub.exe
4768	Stub.exe
4768	Stub.exe
4768	Stub.exe
4768	Stub.exe
4768	Stub.exe
4768	Stub.exe
4768	Stub.exe
4768	Stub.exe
4768	Stub.exe
5560	checker.exe
5560	checker.exe
5560	checker.exe
5560	checker.exe
5560	checker.exe
5560	checker.exe
5560	checker.exe
5560	checker.exe
5560	checker.exe
5560	checker.exe
5560	checker.exe
5560	checker.exe
5560	checker.exe
5560	checker.exe
5560	checker.exe
5560	checker.exe
5560	checker.exe
5560	checker.exe
5560	checker.exe
5560	checker.exe
5560	checker.exe
5560	checker.exe
5560	checker.exe
5560	checker.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 64 IoCs

Web Service

T1102

flow	ioc
293	discord.com
274	discord.com
359	discord.com
373	discord.com
398	discord.com
419	discord.com
446	discord.com
458	discord.com
477	discord.com
193	discord.com
216	discord.com
285	discord.com
336	discord.com
343	discord.com
374	discord.com
392	discord.com
402	discord.com
187	discord.com
249	discord.com
277	discord.com
386	discord.com
389	discord.com
422	discord.com
487	discord.com
493	discord.com
246	discord.com
358	discord.com
426	discord.com
471	discord.com
474	discord.com
490	discord.com
537	discord.com
317	discord.com
196	discord.com
210	discord.com
290	discord.com
399	discord.com
435	discord.com
508	discord.com
49	api.gofile.io
257	discord.com
272	discord.com
312	discord.com
330	discord.com
342	discord.com
362	discord.com
401	discord.com
46	api.gofile.io
266	discord.com
332	discord.com
352	discord.com
423	discord.com
433	discord.com
444	discord.com
463	discord.com
346	discord.com
172	discord.com
228	discord.com
253	discord.com
339	discord.com
379	discord.com
428	discord.com
438	discord.com
240	discord.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
146	ipinfo.io
147	ipinfo.io
158	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
5812	cmd.exe
4040	ARP.EXE

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
4320	tasklist.exe
4448	tasklist.exe
1760	tasklist.exe
5656	tasklist.exe
5916	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1044	cmd.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1200	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000500000001ed89-814.dat	pyinstaller

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4648	cmd.exe
2632	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
768	NETSTAT.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
2556	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3600	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
6036	ipconfig.exe
768	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2808	systeminfo.exe

Kills process with taskkill 8 IoCs

defense_evasion

pid	Process
384	taskkill.exe
5124	taskkill.exe
3888	taskkill.exe
5112	taskkill.exe
5576	taskkill.exe
4320	taskkill.exe
4816	taskkill.exe
5496	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133872273420118650"	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-805952410-2104024357-1716932545-1000\{C1E16834-D572-4B3B-9767-78B388F279C7}	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
4256	NOTEPAD.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4460	powershell.exe
4460	powershell.exe
4460	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5088	WMIC.exe
Token: SeSecurityPrivilege	5088	WMIC.exe
Token: SeTakeOwnershipPrivilege	5088	WMIC.exe
Token: SeLoadDriverPrivilege	5088	WMIC.exe
Token: SeSystemProfilePrivilege	5088	WMIC.exe
Token: SeSystemtimePrivilege	5088	WMIC.exe
Token: SeProfSingleProcessPrivilege	5088	WMIC.exe
Token: SeIncBasePriorityPrivilege	5088	WMIC.exe
Token: SeCreatePagefilePrivilege	5088	WMIC.exe
Token: SeBackupPrivilege	5088	WMIC.exe
Token: SeRestorePrivilege	5088	WMIC.exe
Token: SeShutdownPrivilege	5088	WMIC.exe
Token: SeDebugPrivilege	5088	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5088	WMIC.exe
Token: SeRemoteShutdownPrivilege	5088	WMIC.exe
Token: SeUndockPrivilege	5088	WMIC.exe
Token: SeManageVolumePrivilege	5088	WMIC.exe
Token: 33	5088	WMIC.exe
Token: 34	5088	WMIC.exe
Token: 35	5088	WMIC.exe
Token: 36	5088	WMIC.exe
Token: SeDebugPrivilege	1760	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3600	WMIC.exe
Token: SeSecurityPrivilege	3600	WMIC.exe
Token: SeTakeOwnershipPrivilege	3600	WMIC.exe
Token: SeLoadDriverPrivilege	3600	WMIC.exe
Token: SeSystemProfilePrivilege	3600	WMIC.exe
Token: SeSystemtimePrivilege	3600	WMIC.exe
Token: SeProfSingleProcessPrivilege	3600	WMIC.exe
Token: SeIncBasePriorityPrivilege	3600	WMIC.exe
Token: SeCreatePagefilePrivilege	3600	WMIC.exe
Token: SeBackupPrivilege	3600	WMIC.exe
Token: SeRestorePrivilege	3600	WMIC.exe
Token: SeShutdownPrivilege	3600	WMIC.exe
Token: SeDebugPrivilege	3600	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3600	WMIC.exe
Token: SeRemoteShutdownPrivilege	3600	WMIC.exe
Token: SeUndockPrivilege	3600	WMIC.exe
Token: SeManageVolumePrivilege	3600	WMIC.exe
Token: 33	3600	WMIC.exe
Token: 34	3600	WMIC.exe
Token: 35	3600	WMIC.exe
Token: 36	3600	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3600	WMIC.exe
Token: SeSecurityPrivilege	3600	WMIC.exe
Token: SeTakeOwnershipPrivilege	3600	WMIC.exe
Token: SeLoadDriverPrivilege	3600	WMIC.exe
Token: SeSystemProfilePrivilege	3600	WMIC.exe
Token: SeSystemtimePrivilege	3600	WMIC.exe
Token: SeProfSingleProcessPrivilege	3600	WMIC.exe
Token: SeIncBasePriorityPrivilege	3600	WMIC.exe
Token: SeCreatePagefilePrivilege	3600	WMIC.exe
Token: SeBackupPrivilege	3600	WMIC.exe
Token: SeRestorePrivilege	3600	WMIC.exe
Token: SeShutdownPrivilege	3600	WMIC.exe
Token: SeDebugPrivilege	3600	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3600	WMIC.exe
Token: SeRemoteShutdownPrivilege	3600	WMIC.exe
Token: SeUndockPrivilege	3600	WMIC.exe
Token: SeManageVolumePrivilege	3600	WMIC.exe
Token: 33	3600	WMIC.exe
Token: 34	3600	WMIC.exe
Token: 35	3600	WMIC.exe
Token: 36	3600	WMIC.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
5780	mshta.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe
1532	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 2496	1532	msedge.exe	88
PID 1532 wrote to memory of 2496	1532	msedge.exe	88
PID 1532 wrote to memory of 4700	1532	msedge.exe	89
PID 1532 wrote to memory of 4700	1532	msedge.exe	89
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 4368	1532	msedge.exe	90
PID 1532 wrote to memory of 1640	1532	msedge.exe	91
PID 1532 wrote to memory of 1640	1532	msedge.exe	91
PID 1532 wrote to memory of 1640	1532	msedge.exe	91
PID 1532 wrote to memory of 1640	1532	msedge.exe	91
PID 1532 wrote to memory of 1640	1532	msedge.exe	91
PID 1532 wrote to memory of 1640	1532	msedge.exe	91
PID 1532 wrote to memory of 1640	1532	msedge.exe	91
PID 1532 wrote to memory of 1640	1532	msedge.exe	91
PID 1532 wrote to memory of 1640	1532	msedge.exe	91

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1412	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/BUrsXq
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x268,0x7ffbfce0f208,0x7ffbfce0f214,0x7ffbfce0f220
  2⤵
  PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1948,i,11087313262618307138,9858641773103604170,262144 --variations-seed-version --mojo-platform-channel-handle=2240 /prefetch:3
  2⤵
  PID:4700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2212,i,11087313262618307138,9858641773103604170,262144 --variations-seed-version --mojo-platform-channel-handle=2208 /prefetch:2
  2⤵
  PID:4368
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2544,i,11087313262618307138,9858641773103604170,262144 --variations-seed-version --mojo-platform-channel-handle=2696 /prefetch:8
  2⤵
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3564,i,11087313262618307138,9858641773103604170,262144 --variations-seed-version --mojo-platform-channel-handle=3616 /prefetch:1
  2⤵
  PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3576,i,11087313262618307138,9858641773103604170,262144 --variations-seed-version --mojo-platform-channel-handle=3648 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4320,i,11087313262618307138,9858641773103604170,262144 --variations-seed-version --mojo-platform-channel-handle=4456 /prefetch:1
  2⤵
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --extension-process --renderer-sub-type=extension --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=4328,i,11087313262618307138,9858641773103604170,262144 --variations-seed-version --mojo-platform-channel-handle=4492 /prefetch:2
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4960,i,11087313262618307138,9858641773103604170,262144 --variations-seed-version --mojo-platform-channel-handle=5356 /prefetch:8
  2⤵
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5464,i,11087313262618307138,9858641773103604170,262144 --variations-seed-version --mojo-platform-channel-handle=5472 /prefetch:8
  2⤵
  PID:1344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --always-read-main-dll --field-trial-handle=5628,i,11087313262618307138,9858641773103604170,262144 --variations-seed-version --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5084,i,11087313262618307138,9858641773103604170,262144 --variations-seed-version --mojo-platform-channel-handle=5884 /prefetch:8
  2⤵
  PID:804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5328,i,11087313262618307138,9858641773103604170,262144 --variations-seed-version --mojo-platform-channel-handle=5860 /prefetch:8
  2⤵
  PID:4228
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6396,i,11087313262618307138,9858641773103604170,262144 --variations-seed-version --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6396,i,11087313262618307138,9858641773103604170,262144 --variations-seed-version --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6500,i,11087313262618307138,9858641773103604170,262144 --variations-seed-version --mojo-platform-channel-handle=6512 /prefetch:8
  2⤵
  PID:1564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6668,i,11087313262618307138,9858641773103604170,262144 --variations-seed-version --mojo-platform-channel-handle=6496 /prefetch:8
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3720,i,11087313262618307138,9858641773103604170,262144 --variations-seed-version --mojo-platform-channel-handle=5580 /prefetch:8
  2⤵
  PID:2416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3580,i,11087313262618307138,9858641773103604170,262144 --variations-seed-version --mojo-platform-channel-handle=6556 /prefetch:8
  2⤵
  PID:3136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3712,i,11087313262618307138,9858641773103604170,262144 --variations-seed-version --mojo-platform-channel-handle=5592 /prefetch:8
  2⤵
  PID:2900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3876,i,11087313262618307138,9858641773103604170,262144 --variations-seed-version --mojo-platform-channel-handle=3856 /prefetch:8
  2⤵
  PID:748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6844,i,11087313262618307138,9858641773103604170,262144 --variations-seed-version --mojo-platform-channel-handle=6824 /prefetch:8
  2⤵
  PID:3900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --always-read-main-dll --field-trial-handle=6556,i,11087313262618307138,9858641773103604170,262144 --variations-seed-version --mojo-platform-channel-handle=3896 /prefetch:1
  2⤵
  PID:3848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6176,i,11087313262618307138,9858641773103604170,262144 --variations-seed-version --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  PID:4172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6804,i,11087313262618307138,9858641773103604170,262144 --variations-seed-version --mojo-platform-channel-handle=6608 /prefetch:8
  2⤵
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --always-read-main-dll --field-trial-handle=6596,i,11087313262618307138,9858641773103604170,262144 --variations-seed-version --mojo-platform-channel-handle=6580 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6660,i,11087313262618307138,9858641773103604170,262144 --variations-seed-version --mojo-platform-channel-handle=5500 /prefetch:8
  2⤵
  PID:5216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=564,i,11087313262618307138,9858641773103604170,262144 --variations-seed-version --mojo-platform-channel-handle=4484 /prefetch:8
  2⤵
  PID:5776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4604,i,11087313262618307138,9858641773103604170,262144 --variations-seed-version --mojo-platform-channel-handle=4780 /prefetch:8
  2⤵
  PID:5784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=4492,i,11087313262618307138,9858641773103604170,262144 --variations-seed-version --mojo-platform-channel-handle=5496 /prefetch:8
  2⤵
  PID:5792

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4168

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5684

C:\Users\Admin\Downloads\checker\checker\checker\setup.exe
"C:\Users\Admin\Downloads\checker\checker\checker\setup.exe"
1⤵
PID:2416
- C:\Users\Admin\AppData\Local\Temp\onefile_2416_133872273831778388\Stub.exe
  C:\Users\Admin\Downloads\checker\checker\checker\setup.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:4564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:384
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:3600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    PID:736
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:3264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:3236
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    PID:5628
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      PID:3644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:5196
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:5208
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\HellionUpdate\Hellion.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:1044
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\HellionUpdate\Hellion.exe"
      4⤵
      Views/modifies file attributes
      PID:1412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    PID:2052
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      Suspicious use of FindShellTrayWindow
      PID:5780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:5020
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1532"
    3⤵
    PID:5964
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1532
      4⤵
      Kills process with taskkill
      PID:4320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2496"
    3⤵
    PID:5460
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2496
      4⤵
      Kills process with taskkill
      PID:4816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4700"
    3⤵
    PID:2644
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4700
      4⤵
      Kills process with taskkill
      PID:5496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4368"
    3⤵
    PID:5464
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4368
      4⤵
      Kills process with taskkill
      PID:384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1640"
    3⤵
    PID:5724
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1640
      4⤵
      Kills process with taskkill
      PID:5124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4144"
    3⤵
    PID:5624
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4144
      4⤵
      Kills process with taskkill
      PID:3888
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3848"
    3⤵
    PID:772
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3848
      4⤵
      Kills process with taskkill
      PID:5112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4400"
    3⤵
    PID:220
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4400
      4⤵
      Kills process with taskkill
      PID:5576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:1992
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:1500
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:5988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:5916
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:2348
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:2428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5824
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:4652
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:4460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4648
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    PID:5812
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2808
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:3512
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      PID:2556
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:6088
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:1572
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:2284
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:3380
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:6100
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:1912
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:1336
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:3240
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:3692
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:4668
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:2816
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:3320
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:1012
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:4448
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:6036
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:4144
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:4040
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:768
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:1200
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:6104
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:6116
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3600
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5200

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\checker\checker\checker\discordWebhook.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:4256

C:\Users\Admin\Downloads\checker\checker\checker\generator4l.exe
"C:\Users\Admin\Downloads\checker\checker\checker\generator4l.exe"
1⤵
PID:5084
- C:\Users\Admin\AppData\Local\Temp\XClient.exe
  "C:\Users\Admin\AppData\Local\Temp\XClient.exe"
  2⤵
  - Executes dropped EXE
  PID:3576
- C:\Users\Admin\AppData\Local\Temp\checker.exe
  "C:\Users\Admin\AppData\Local\Temp\checker.exe"
  2⤵
  - Executes dropped EXE
  PID:3876
- - C:\Users\Admin\AppData\Local\Temp\checker.exe
    "C:\Users\Admin\AppData\Local\Temp\checker.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5560
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:2752
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c title Zero Tolerance Username Checker
      4⤵
      PID:1528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
0db1d88802048ff847bfcf47035335bd

SHA1
bb54059e5b145da464f6521ae67353889ce00771

SHA256
416525d2bfeaeab0950175c0eab55ad35e84518ef5299f10565023800788cf9a

SHA512
32c5b42febdb38c3a30eb5179b8aa20a5e731b0e83aab16ec73d27b4108bfc89eb6316f71a988388cb5df19267ba823f6d0220fab5584667ba0adb0da1152a30

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
8734b4a181214bb62f91cfa36c7e2c98

SHA1
9cff323f10778a23d73ac3dcffc038d3bf661b78

SHA256
e06afe980fa56c8dad3e7c6b8d0d8f1e7eb9a4860ac715e966026fb7631c3ba5

SHA512
e8648a54da9aa24b6cba1f0377a0ce33979ea097554bb6347f252cad894ad4134e1fe839abc80eb48e2510061d5c6937e80374d32f95afd4cc8567b57694ac36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
9bdfc7227ddaedef3a995738a242cf6f

SHA1
c66fa351161b92b4ffd849c8a4af270fe2faf9f1

SHA256
38dbaaf6db07c2c2eccae8a8000001dc36ac6e208e7af1b1f369b74dc7b92a52

SHA512
eb8d8576f8f2acbd9f6f1fa96a715ac07b7f431018ccd9159597ec94c15091698e30cfa539556a1f1ed218fa563a2b82faa92bc89c79eff6b68b81966ac07ee0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57f656.TMP

Filesize
3KB

MD5
2fe70a194753f09a905f34b4ce3fa6b1

SHA1
3a0f95eb7bbedd4f62c0da878bef07123d1ce96c

SHA256
ff9b893b10ad6ef7657a664fb97348a0b06d40541dbf8e739ce59a10a7be85fb

SHA512
a27387d939b3953df94e43410664813b4acff192783ef4d6d94bb54051740d91cdadc209b798ff956cc6c5a43f79e3e5bd86f85e8a4d1366d070397044e69a24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
69KB

MD5
164a788f50529fc93a6077e50675c617

SHA1
c53f6cd0531fd98d6abbd2a9e5fbb4319b221f48

SHA256
b305e470fb9f8b69a8cd53b5a8ffb88538c9f6a9c7c2c194a226e8f6c9b53c17

SHA512
ec7d173b55283f3e59a468a0037921dc4e1bf3fab1c693330b9d8e5826273c917b374c4b802f3234bbb5e5e210d55e52351426867e0eb8c9f6fba1a053cb05d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\jmjflgjpcpepeafmmgdpfkogkghcpiha\1.2.1_0\content.js

Filesize
9KB

MD5
3d20584f7f6c8eac79e17cca4207fb79

SHA1
3c16dcc27ae52431c8cdd92fbaab0341524d3092

SHA256
0d40a5153cb66b5bde64906ca3ae750494098f68ad0b4d091256939eea243643

SHA512
315d1b4cc2e70c72d7eb7d51e0f304f6e64ac13ae301fd2e46d585243a6c936b2ad35a0964745d291ae9b317c316a29760b9b9782c88cc6a68599db531f87d59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
14KB

MD5
6bfcef5f6e6b67886b120a353ec1f529

SHA1
b60ec6d29eeec11756752c945893dfdc1c96bf8d

SHA256
8e308130b50d6abbde3906fb7aecdf5cebea1074f8924f397a121881fd79076f

SHA512
df3166d7bf03489e8901e36d867558598181577c71494935c0e2c53790fb2fb0fc50f5a08421276ebbd88602c7eb5d2c094477fb373fe8fa2233909472a77176

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
fa79eba011921128dfccc7ed5d680a80

SHA1
7531d9ecbc9d58c82d5a5393f82d712b40fae7b7

SHA256
9a729c7956275e4215e82721efd3cfd8c0a55b1017fc845443eb6f88ef99bdc9

SHA512
94864e19dd03c8bf4338fa1c4a4970cb5a559dc368f3d6617a2aeacd2dd095650f396808ea23859c2252b7f2ae327fffa0ef3d2d5e6b319f3dd5a072b19b46f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
4KB

MD5
41ad86e587562a3d9cc2980a3ac35361

SHA1
90b6678e226cebfeefbb353277ba3d35c0e0a5fa

SHA256
f1d09085530eb268e4939a15f4dc86bc789948e15be830f53f908ef26ee418a1

SHA512
aa97076c01ac4f395da556f3cc633dcb01fde6edb59362bfa3eda2b4afa8c7c822de091282a5b3e2239ac8ee88f88052eadc4f391adc5f96d78a44e9de72813b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\favorites_diagnostic.log

Filesize
757B

MD5
2929b15cda5a06ec592dae0a5558fceb

SHA1
7af96dea8ad095ae2bd982461f16a2d5a6871bff

SHA256
923b9ba38d821381cbf644274d1d8459577de10196d6ef65bd335a4f7b27b36f

SHA512
6775af5c41b41106202e1f176f4c3d466c4e79cab4e305e2da89129157e18010639fdc08519a52aebec0659131c3f0042d6a4cd3e101661c6cc5feb04ea76fa5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\favorites_diagnostic.log

Filesize
1KB

MD5
eff4d3d1c099f0dad5d4c313590800a1

SHA1
22fa1d0c3848c026cb8dda235b9ef63dea38b157

SHA256
03adb8b54dff7df571553cb7c1589a9658b673e10dc8039be2947a2868a32ce0

SHA512
5c94e03cbb8307a308816065758009fc5659ed2378af73a3b00c87f489ff9bd286f8e2549d4b1ee7ae0f701297a00ab89b1fcb36304f647a3bdb6b7c27c7bf7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
6KB

MD5
cc72752d5a292fab2d959c4c23234bb9

SHA1
a90efad99ab099108dea7461b12eb7a4924649ce

SHA256
57b7921356b3aff120f6e3c956defa6f3ffd811d8747e07a05b5f914f884a0e6

SHA512
d44a0a3860d20d7c25c9b405f14041807ae404a80f6671ba91b48f667a59657731b6605264876fa4e334a446c5d76575dc61d739b7499a01e0596b871bf93c06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
30KB

MD5
f4a8b47cb3ba70bc530b771e98fac73d

SHA1
4e622e9a8befc274ec6fc4cb61a5009bb73cf984

SHA256
89e6e1b457a9d1417f241e9926690b6c3971ea0fb360e99e422c1e36e5118ab5

SHA512
e1bf9cec40e96fd01a1b1ae187fafe52b7fb4346b55001ece347b965e23f7fe518d9c9d309eb9981022905ed3f80659012afbd13a57ef95d8f7831e4ab8b9571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
7KB

MD5
53319f9afa03a34b1953187a56cae197

SHA1
091171b53afb706397f690d576bc918d8db6ee7d

SHA256
8218060d7204c967105a8377517d0c70a7c05e1f04e7f85037f403e4f81719bf

SHA512
a80b226c06925ab611c99ee157c4c079908ca6f4495d08c5dcef97c2e76274eb609cf1066f216a289026bcd80d025c101d5b6ae20ce7566645863ad26517cbb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
30KB

MD5
9014db3bd7b525d9f9e495142972e701

SHA1
f9ae01aed386363e08d57a370563ee2db00e0a26

SHA256
f309adcd42bee39107af21ea6edd69be19d39b2997370a66dba01e598181efed

SHA512
ee2507792d68bb0475cb0f30740a23276c1343ec51d35969e884df19affa394cec2a83996c46719ed18fe6be8bdc37a4bcb14f15386f806902c6da9aa301c428

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
fd75912da37606c1fd48580c4ea5aee7

SHA1
e6d3f6986ade6eb44051973f66d82ed97ea4e890

SHA256
b69c1e77cb5f2eadcd7403bc5b8675ce521014eff716380fee70e278c5fb8483

SHA512
b7cccec15cbc60f30cc23ed0fda799cd7a82a6c21df2b7dc771f976a0b571a4aa27aa7d1ee0977aad8f75ae0c10932d051840cf0ec63611a8b5df96a87333f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\83cc6af9-436a-47bc-9157-0462e28fb1ef.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Desktop\CopyNew.xls

Filesize
708KB

MD5
81f722fb0b93bb56c9331df43e963c1a

SHA1
e4a233e4822214431868912e0770608f0ef232e7

SHA256
0f644dffe4b08d16eee24e440ae762f6d52dda71fa578d723e5a43250fd07130

SHA512
37353c204e96b26321db54626c9c4f6b1b08c4348a92d9fa4293219dcf8d07b18175b79751c1f36fc3b47cdf7c14d1bdf2783a063379afc49706c14f7acbed54

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Desktop\GrantConnect.docx

Filesize
12KB

MD5
3a2fd3c804583bd3070183b50d73acbe

SHA1
e5bf31cc70193c8e717b6859ba5fdee6aa17a3b8

SHA256
52087fa63edd023c5a8001d03e5e09411848602575f73aceae1202b59f2797b8

SHA512
1f26abb536a2c3cee69a5b7664f6e18186745af9eebbbf7589749963bd66ed8b6d59aea44c8f2d16435f349e3c2c895c1e75961d6e2f81c4b65cb0faf42c661e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Desktop\OptimizeSkip.docx

Filesize
13KB

MD5
f1ce39ada7d2ffb070ea2a7a5cf7d31f

SHA1
1247b66d7ad76a343f3e26495116a1603f8a69d2

SHA256
ad99a0066374abee5ebb3fde1a903630854c5aa9967a169307a562e08b2aea08

SHA512
aef4e19df6beb0acf0656ddaf4c28e214e515f3d7857c796f27e2ce4f9ea59d78375dd27477dc8e1a018eadb5548a0ed6331f9d18f42382170d419962b549514

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Desktop\RepairBackup.xlsx

Filesize
15KB

MD5
7a0850c13566efd4a4562f282a18d712

SHA1
79f234ffe2c22f006898ee4780fb0afb833f0c23

SHA256
18a79efa6e70c11c71b90cb665abd9ef8c9cbb6cfde873cdd5b1e928a546fe8f

SHA512
4d6d411ef7a41a2c7bcf888c0958162b9f5fd2d42a858720eddc4c7f9456bcb3996863acbf8c8b53269462c9d447dc0e11c4a87bc3ebd8c00a3d1c69412083be

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Desktop\ShowPop.docx

Filesize
408KB

MD5
575184f28f06f7f2c0525f68d98d9d08

SHA1
d3877b746478eaa12774b47d09621ea8c0b1fa4f

SHA256
86742793c4c16063736afdc230c0f5c139b5d13e219126b58f68efe06cf78339

SHA512
9d8aff12ef627e02877a26ea01f92bdcfc7eb810c6ca282b1838f164a1c96f9d59689512090dc9ee67d5b17c87b0de652af39849c647c895775d5b839d9b8a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Desktop\StartPublish.xlsx

Filesize
13KB

MD5
8699a55c40b0337494ebd5c5af0304d4

SHA1
cf37610b31e8a5017f22becddb00ae11ea8fb7ec

SHA256
109bcdb5135861eaa80a5aeb1146e2ef576f905feb97d9236b0f634a83f6a276

SHA512
cdb973347baa1be3ea4b91b110b79ee549fb22e592c1bcc4c87a3fd890a19bb133d6f65fcf44b31377658a8ee29edef1c50fdaad98b436911dc4930e94a836a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Documents\AssertSearch.csv

Filesize
830KB

MD5
70962656219c495a5a06f071444e11f2

SHA1
f48479bd4fcefd599813ce11b661c670dfc476f2

SHA256
99d6fa8a186cf929663d34526452046bba7939244fc7d64d29c475a9511d5f57

SHA512
6912d99bbe09054251dcac78262ef4434c04a2415d623e91964764e59574f46453bf6b90ef159e221dcfc38646266866f1395c5cdb98aee287329b09856f986a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Documents\AssertSelect.csv

Filesize
1.2MB

MD5
5e2d95636f5a54c96046dead0a53a2c2

SHA1
9634ccf26d9229df802fd54a5d07f40206311eef

SHA256
e631c9ab21c7d2dd962145202e9a8f51ec3997a21b3b9759db6de79c29993efd

SHA512
b56abf330675bcb86c585187683ae6a663777992411588fee22ea71eda2a166d544701e0f102f1336f0d6e9579ff0523f8898c40b7651b6ee0637c3670eaa6c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Documents\EnterSend.docx

Filesize
16KB

MD5
611edf79ac45c11c23a9077208ba45cd

SHA1
9c084d190049a1f777bbcdca210862389228e187

SHA256
8202178c3bfa085a820dcaaf5657507855360e0b24288366188de27590ef7ab5

SHA512
89ee4fadeeeb294e343abd858dfd78908a1268b95af1076e2490348bd5266078d71b1ec239ef8af89770ac1ef507281c615436fd376dc9c3d98a584139a43386

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Documents\MountUninstall.docx

Filesize
1.2MB

MD5
c7bb4e6d0e5d4c3c4e6907592559fc98

SHA1
d65347b5da8bc1f780be718f02cebcbeb1a0b004

SHA256
56bba1ff92cd60f953379e3d82bb0894140587768cdc9525489d0784c79a537a

SHA512
81a877ccb4c8af64551553149e999580991a5018e48383c778e4f9653d4d6b96d194b382402af74ad9e6571986b16ae4251f02e7d408aa40c2730e52c4ffc599

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Documents\SearchEnable.xlsx

Filesize
11KB

MD5
c870a5f303f3ddbfe58fbd80b4f46666

SHA1
803eda6eb5219406962da0927e070d84332f6642

SHA256
b1d574a610559e3636d911b411424517bd033eaf561472f31c0f645b78aa22ae

SHA512
f6f8374eda228e1756f1ea1eec25dc07ebd4fc901ad6551b70aea2d20688b9e497cac7c65a6da752c9275876d826b9c2ecc1d9ab41ecf1b547773ee13f69bdea

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Documents\SelectRevoke.pdf

Filesize
880KB

MD5
449c5f175a69c47ba72a460d05438a80

SHA1
0c130660aa7ac61af60403622b395a5328f572f7

SHA256
6ef7f315227ef48335ac353323d2e29e301d0615fd667f91b32d71dff26d1668

SHA512
3feb5e22dd6e7e7196058212bc8967c4f01f40f0e0c2fc4c171c20f3eb4532e9d1a96f6352bf29dc3c376deb49e262e82fd34e17c6b96adc9b9f5d65dbe8dbe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Documents\SyncBackup.docx

Filesize
19KB

MD5
b8474b0a8a5d92ce276ef379704a49cf

SHA1
1e9c1cb2b9bc2c69cc64c9a5d6ba76245f7ed03d

SHA256
2c4663aa9393a03324fb32ab306112797402b0b3423a72ae7cd5f3af4b6afdb2

SHA512
a7b3593f9ccb0d6c79b2f0b0e1e7916facd929bb8502d53b7e39f572f25ed0690e845c98f7345cf29eb81dd64bf158fb33f4da60fa6c7f8347597f5c6571969d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Documents\UninstallSelect.docx

Filesize
13KB

MD5
3838f497138f2a6cc5bf9db3fb69c867

SHA1
88ba1f3c1930b48962f2718ce653bf0ac0089e8e

SHA256
172ad057f8956840f9ed153a242b431878f7b3831a9b0a2c9c47a22505cdbe0f

SHA512
ed804bb826af1c8241140492048df281cbb75f6cd81202cac3cc8ff863e3a24b43e16db578de7d215297eb0306fd4e28954420ae16adf06f218d632d2be3cb72

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Documents\WriteBackup.vsdx

Filesize
729KB

MD5
73fc77a85fe3bd7c3f589b98458be765

SHA1
afe637194037e40d9c37448b08c06f13fa2dfa84

SHA256
be062dd67bce88d43eebd41a1f140a679837ab3d24789d798d62ca4f0e1d2b2d

SHA512
206474452ec29364d4a74f627786554f30a362db3e7f2b025fd6ec879fe8594ce66dd4ee65a5c2d77701ca5453918f81e79a2b12b093b122140d9d89558c29d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Downloads\RestoreResolve.jpg

Filesize
370KB

MD5
945bc76d77c56eb32f2fc81693786be7

SHA1
69b7ad5b1162596f7770bec5bcc9c9e37796e235

SHA256
55e970c5aadb44f779d0cb186dc4b820e52d1402606cef6f90b6a50cca110a7c

SHA512
9b78e9be35d128ea663d0b3bbdc0b82670c323116cd7b756aacd0d7a3791e6f3f829caa3ed3827aeb5e6272cea5160f48e149381172c323b253949b820cf7a6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Downloads\SetNew.docx

Filesize
538KB

MD5
e53f75d744a5dd6146b32385f732dd02

SHA1
cb0fc39bee092661b2986d8060a202aec2d05ab4

SHA256
6821aa3139f2dbf32e4718f767b890c79c59a476e71d3a2763c006f6849d7d86

SHA512
c1347d90cb73a4a8a4b337e0d3b9a6aebc48b5c4753fd797b685ac4b5d36684e2168d48588ac1ec9282212ae01c4751758e0164eea8ace757a626a7ff6478939

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Downloads\TestBlock.docx

Filesize
740KB

MD5
e3055edb45ad2d8e3821f3eeb749aa09

SHA1
13c98d6b10d9e54eb31b7e95a7b6d17c5445b074

SHA256
3ec856c9e6d6244b66ac8ba21961dac2a265e57ec911198f00941bed221e5e26

SHA512
29bbdeedbf48543f387b02d80104b84ba84b52e15930989d2b6591aa85e05bd18eac723e9bf624d4c982caf3443aa35778c5ea43c5f22ada65351895929f763d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Music\ExpandBackup.htm

Filesize
612KB

MD5
379e4c8f89ab56580bcbfcc7c60dcd49

SHA1
1e6ce820175ab884cb162f33e1147ab25753cfa3

SHA256
f8d84f7dbae0c27a58d29041dfabc68924166b516a9c1d2e025f32aca2a24685

SHA512
88c5d93eb7aba7ecf6f2dc93c1db9d1cf04951758cdad72eb8c423a21f08a3e960acc74944867d22df5c31b47e39f8fb4b735775a3029511219b971a0abc264d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Music\RepairCopy.txt

Filesize
720KB

MD5
16c06a23e5940c94361b48cce5d64665

SHA1
88860f92eb90355a308f4c4b2e6c97e3dfe49103

SHA256
06e703a509f2213c2d94c9e6bb7883ccd1c9865ecc81c8f1cfc7b7f3c93570fc

SHA512
c22cede683a2ab9b7cec7ce39d241d1d207e20fbea17e619c4737fc6d982571ccf8b7505b05929376dfcd7603d67d04f4587ca4918aa5b31e17f9cb1e20e9429

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Pictures\BackupUse.dxf

Filesize
133KB

MD5
f7accda94e2949179f719d04e6eff2ea

SHA1
4a4deff13197328d25f02d1e0630e56caec01f4b

SHA256
638fd7c68e9b276ee448db1debe7637481060245fa37eea035a33b9cf61296ad

SHA512
91077da4213305d318951e024d7410a421501ff6e02e48fa202fdcad076cdaa0f90fd5fa8b8d9648c5034294245dff9006e392a665523d15b9076f0d4eaf43b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Pictures\LimitComplete.png

Filesize
203KB

MD5
1a54b31240cb36677eb5fc356e1c673e

SHA1
0cdeaeac814af54540d85277a555889c7818b0e6

SHA256
dbf918847497000dd091f6d95f7ee147a43e179320ad49d7c61a01155f1afb7d

SHA512
4f2e3421daca51cc54c5ac3a7febe19ed1f17c19ff06fbfd2fe3c8a89c81509a9b2a78713d74332452473fadf50be0b76cd3b2cdd1b78c3afa60c69a057103fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\checker\discordWebhook.txt

Filesize
160B

MD5
42aac867ad5b877d22cb73531bfd3cc7

SHA1
158b0c7b7561a99afca302d0dd2e7318e2fdfb31

SHA256
102be433d3b8803480276be56fbfab1c3c205d4077a1dc1af367a94102b68e4e

SHA512
ef2f44f7b77e0f9cf88b1c55e18fb2aa59bd8f08bc79e89d04fb52d6245e10a3d22651d7c52b5ccc86a96260b9d47ee78122e237b50204954acf2fbe8276e52e

Download Submit
C:\Users\Admin\AppData\Local\Temp\HellionFILES\checker\wordlist.txt

Filesize
696B

MD5
3e9250ff57f51f13ca9829d0015cd663

SHA1
82769cf8ecb89ead819d84ac02bb51615f58e229

SHA256
4ae599fad0a67de6815107fcb0f496cd39bf42f2c32d03801c0a9b73d4312aea

SHA512
2fbe41c5200a32a1b3110c122001ea94dfc8589b62e69d6707e74070797efd38c1aa35491f8d7c19d10f4843135ae31e48ebe05419b7fc66f14ff9ea03807fb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

Filesize
120KB

MD5
462fd515ca586048459b9d90a660cb93

SHA1
06089f5d5e2a6411a0d7b106d24d5203eb70ec60

SHA256
bf017767ac650420487ca3225b3077445d24260bf1a33e75f7361b0c6d3e96b4

SHA512
67851bdbf9ba007012b89c89b86fd430fce24790466fefbb54431a7c200884fc9eb2f90c36d57acd300018f607630248f1a3addc2aa5f212458eb7a5c27054b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libcrypto-1_1.dll

Filesize
3.3MB

MD5
80b72c24c74d59ae32ba2b0ea5e7dad2

SHA1
75f892e361619e51578b312605201571bfb67ff8

SHA256
eb975c94e5f4292edd9a8207e356fe4ea0c66e802c1e9305323d37185f85ad6d

SHA512
08014ee480b5646362c433b82393160edf9602e4654e12cd9b6d3c24e98c56b46add9bf447c2301a2b2e782f49c444cb8e37ee544f38330c944c87397bdd152a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\sqlite3.dll

Filesize
1.5MB

MD5
fcc7a468d46c90f5a71e3e9c99b1d50e

SHA1
91070cac3cdde28905a7bc695f8c0fd1290fd0d0

SHA256
215c02ac57378e48428d4b013f7bcedd2b58d73e83c54eca17a8c9bd7f3bdf55

SHA512
95bff194696436e590a5df8f18987ce6e5c20b6e50e552e7d049fec8da834c71cdbd87418fc85be73aaea4176aeb672d44e89256cd64bfade5959f3aabb0884d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\yarl\_quoting_c.pyd

Filesize
93KB

MD5
9401cdf989b17c78e5d0ea5702380877

SHA1
0f37031def8a227d0b0b09c208494ea5f2324e5b

SHA256
d4ed42ac3f6c002c4e3dbf6fd344d4f3ca5465e0db6e495a920aed7772efb454

SHA512
df4a5404e0aca31c5e4be851a7fced6bb0d1a25b1a5ea4aa66590e7115ffd66324159d5b03811c99dfe2c338867a2d0771afdc0c0888e6f43f2328c19c91a7b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XClient.exe

Filesize
63KB

MD5
50bd3fe74ab820e6642e625e1d4a9f85

SHA1
8fa03dbfaa6a92caccf80d143fe7897cac562da8

SHA256
1b4d0c1d60ee64acd021c9b67faa008cdbbce15403cead7b9cd0685763b90a80

SHA512
eb6870dd1f7ac65551bf62d700521deaaf48b07b2a8c54b097b7573a5750e7722e7ab7e4ffcb9da179422e7583879e3ac0946c7d234ac892e713c26173063f77

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vn2fij5n.cth.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b1e340fa-d268-4df2-8b8e-ca14fd0ab6dc.tmp

Filesize
10KB

MD5
78e47dda17341bed7be45dccfd89ac87

SHA1
1afde30e46997452d11e4a2adbbf35cce7a1404f

SHA256
67d161098be68cd24febc0c7b48f515f199dda72f20ae3bbb97fcf2542bb0550

SHA512
9574a66d3756540479dc955c4057144283e09cae11ce11ebce801053bb48e536e67dc823b91895a9e3ee8d3cb27c065d5e9030c39a26cbf3f201348385b418a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\checker.exe

Filesize
9.0MB

MD5
7b9d4a4dbe5e07243b9bdc43dca1531c

SHA1
3047842eb91b44bb36bbe9f42c12c94fa62fc5dc

SHA256
c7f2209903cd49faffa956c21e7d612adb1856a233f0a1dbaef590b46245e574

SHA512
27aaed7a9151ec0f300572af3363c2a84d00785c20186dd9640a87af5f245095bcedd2b5f789d14d2ca3f17d8fa0648f64fbb2261c04966c8f93a00712e48ad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2416_133872273831778388\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2416_133872273831778388\_asyncio.pyd

Filesize
63KB

MD5
686262283ba69cce7f3eaba7cdeb0372

SHA1
5b771e444ee97b246545affcdc8fa910c8f591ea

SHA256
02ec5cd22543c0ca298c598b7e13949a4e8247cec288d0bca0a1269059b548ef

SHA512
dca7403cfe2bfe14cf51f747a893f49db52d4d43691dbccecaa83796351b6f7e644cf8e455a0b9c38c6c006f481d5c45d32ae789756250a2b29978e9feb839d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2416_133872273831778388\_bz2.pyd

Filesize
81KB

MD5
56203038756826a0a683d5750ee04093

SHA1
93d5a07f49bdcc7eb8fba458b2428fe4afcc20d2

SHA256
31c2f21adf27ca77fa746c0fda9c7d7734587ab123b95f2310725aaf4bf4ff3c

SHA512
3da5ae98511300694c9e91617c152805761d3de567981b5ab3ef7cd3dbba3521aae0d49b1eb42123d241b5ed13e8637d5c5bc1b44b9eaa754657f30662159f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2416_133872273831778388\_hashlib.pyd

Filesize
63KB

MD5
7a74284813386818ada7bf55c8d8acf9

SHA1
380c4184eec7ca266e4c2b96bb92a504dfd8fe5f

SHA256
21a1819013de423bb3b9b682d0b3506c6ef57ee88c61edf4ba12d8d5f589c9c2

SHA512
f8bc4ac57ada754006bbbb0bfa1ccb6c659f9c4d3270970e26219005e872b60afb9242457d8eb3eae0ce1f608f730da3bf16715f04b47bea4c95519dd9994a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2416_133872273831778388\_lzma.pyd

Filesize
154KB

MD5
14ea9d8ba0c2379fb1a9f6f3e9bbd63b

SHA1
f7d4e7b86acaf796679d173e18f758c1e338de82

SHA256
c414a5a418c41a7a8316687047ed816cad576741bd09a268928e381a03e1eb39

SHA512
64a52fe41007a1cac4afedf2961727b823d7f1c4399d3465d22377b5a4a5935cee2598447aeff62f99c4e98bb3657cfae25b5c27de32107a3a829df5a25ba1ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2416_133872273831778388\_overlapped.pyd

Filesize
48KB

MD5
a5bd529290006ef1ebc8d32ffe501ca5

SHA1
c59ef2157358fb8f79b5a37ee9abba802ae915ba

SHA256
eeaa26addf211b37e689d46cfac6b7fad0d5421adc4c0113872dac1347aff130

SHA512
6b026e62b0b37445a480599175161cf6a60284ef881e0f0d1da643ac80013c2005f790f099733d76cfcf855e2ecd3a0e6c8bfc19dbabff67869119676ee03b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2416_133872273831778388\_socket.pyd

Filesize
77KB

MD5
c389430e19f1cd4c2e7b8538e8c52459

SHA1
546ed5a85ad80a7b7db99f80c7080dc972e4f2a2

SHA256
a14efa68d8f7ec018fb867a6ba6c6c290a803b4001fd8c45db7bda66fb700067

SHA512
5bef6c90c65bf1d4be0ce0d0cb3f38fe288f5716c93e444cf12f89f066791850d8316d414f1d795ff148c9e841cda90ef9c35ceb4a499563f28d068a6b427671

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2416_133872273831778388\_sqlite3.pyd

Filesize
96KB

MD5
98228631212a443781d0ac72e4656b97

SHA1
7e87e1fb891439cf466648b37abdbd4053a5da66

SHA256
fab3440d88376c9c334333b80b50f20a273a08f1d319bf0a9a6eb8bd04d35250

SHA512
5d41384b0280415f581c13b4b47de3de845fd60fc0373613dc9a73d4e0ecf9e855cb0e4aaa1c88fdc2d98e973ca083a48c129529141a8fd65c74c104ad9015f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2416_133872273831778388\_ssl.pyd

Filesize
156KB

MD5
7c7223f28c0c27c85a979ad222d19288

SHA1
4185e671b1dc56b22134c97cd8a4a67747887b87

SHA256
4ec47beadc4fd0d38fa39092244c108674012874f3190ee0e484aa988b94f986

SHA512
f3e813b954357f1bc323d897edf308a99ed30ff451053b312f81b6baae188cda58d144072627398a19d8d12fe659e4f40636dbbdf22a45770c3ca71746ec2df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2416_133872273831778388\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2416_133872273831778388\libssl-1_1.dll

Filesize
686KB

MD5
86f2d9cc8cc54bbb005b15cabf715e5d

SHA1
396833cba6802cb83367f6313c6e3c67521c51ad

SHA256
d98dd943517963fd0e790fde00965822aa4e4a48e8a479afad74abf14a300771

SHA512
0013d487173b42e669a13752dc8a85b838c93524f976864d16ec0d9d7070d981d129577eda497d4fcf66fc6087366bd320cff92ead92ab79cfcaa946489ac6cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2416_133872273831778388\multidict\_multidict.pyd

Filesize
46KB

MD5
95463f615865a472f75ddb365644a571

SHA1
91f22ef3f2ffd3e9d6ce6e58beea9a96287b090b

SHA256
9ee77474d244a17337d4ccc5113fe4af7b4d86f9969293a884927718d06e63c8

SHA512
e3cccce9ebf5e7cf33e68046d3e7b59e454ccb791635eb5f405977fd270126ef8b58e6288dbe58c96b681361d81ef28720eba8d0bd389bfb0f4c3114d098a117

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2416_133872273831778388\python310.dll

Filesize
4.3MB

MD5
e4533934b37e688106beac6c5919281e

SHA1
ada39f10ef0bbdcf05822f4260e43d53367b0017

SHA256
2bf761bae584ba67d9a41507b45ebd41ab6ae51755b1782496d0bc60cc1d41d5

SHA512
fa681a48ddd81854c9907026d4f36b008e509729f1d9a18a621f1d86cd1176c1a1ff4f814974306fa4d9e3886e2ce112a4f79b66713e1401f5dae4bcd8b898b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_2416_133872273831778388\select.pyd

Filesize
29KB

MD5
c6ef07e75eae2c147042d142e23d2173

SHA1
6ef3e912db5faf5a6b4225dbb6e34337a2271a60

SHA256
43ee736c8a93e28b1407bf5e057a7449f16ee665a6e51a0f1bc416e13cee7e78

SHA512
30e915566e7b934bdd49e708151c98f732ff338d7bc3a46797de9cca308621791276ea03372c5e2834b6b55e66e05d58cf1bb4cb9ff31fb0a1c1aca0fcdc0d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1532_731261907\43058271-2050-4b9f-80c9-e817f4ac3356.tmp

Filesize
152KB

MD5
dd9bf8448d3ddcfd067967f01e8bf6d7

SHA1
d7829475b2bd6a3baa8fabfaf39af57c6439b35e

SHA256
fa2232917a5656ea4f811936561ea6b7c92b3c0004c5e08ecb97636d3afc6f72

SHA512
65347df34378c2bbb34417e2cccfb3251a0b2412422cc190eed9df525b6e0a9948e0295ea3c33b3ad873ce81e369e89a138ac41d6eb7229546c3269107e661de

Download Submit
memory/2416-724-0x00007FF607110000-0x00007FF6097ED000-memory.dmp

Filesize
38.9MB

Download
memory/3576-809-0x0000000000590000-0x00000000005A6000-memory.dmp

Filesize
88KB

Download
memory/4460-769-0x000001C005850000-0x000001C005872000-memory.dmp

Filesize
136KB

Download
memory/4768-901-0x00007FF796440000-0x00007FF79BE52000-memory.dmp

Filesize
90.1MB

Download
memory/4768-870-0x00007FF796440000-0x00007FF79BE52000-memory.dmp

Filesize
90.1MB

Download
memory/4768-776-0x00007FF796440000-0x00007FF79BE52000-memory.dmp

Filesize
90.1MB

Download
memory/4768-789-0x00007FF796440000-0x00007FF79BE52000-memory.dmp

Filesize
90.1MB

Download
memory/4768-794-0x00007FF796440000-0x00007FF79BE52000-memory.dmp

Filesize
90.1MB

Download
memory/4768-797-0x00007FF796440000-0x00007FF79BE52000-memory.dmp

Filesize
90.1MB

Download
memory/4768-873-0x00007FF796440000-0x00007FF79BE52000-memory.dmp

Filesize
90.1MB

Download
memory/4768-867-0x00007FF796440000-0x00007FF79BE52000-memory.dmp

Filesize
90.1MB

Download
memory/4768-904-0x00007FF796440000-0x00007FF79BE52000-memory.dmp

Filesize
90.1MB

Download
memory/4768-777-0x0000025D63380000-0x0000025D63494000-memory.dmp

Filesize
1.1MB

Download
memory/4768-891-0x00007FF796440000-0x00007FF79BE52000-memory.dmp

Filesize
90.1MB

Download
memory/4768-888-0x00007FF796440000-0x00007FF79BE52000-memory.dmp

Filesize
90.1MB

Download
memory/4768-885-0x00007FF796440000-0x00007FF79BE52000-memory.dmp

Filesize
90.1MB

Download
memory/4768-882-0x00007FF796440000-0x00007FF79BE52000-memory.dmp

Filesize
90.1MB

Download
memory/4768-879-0x00007FF796440000-0x00007FF79BE52000-memory.dmp

Filesize
90.1MB

Download
memory/4768-876-0x00007FF796440000-0x00007FF79BE52000-memory.dmp

Filesize
90.1MB

Download
memory/5084-799-0x00000000005F0000-0x0000000000F12000-memory.dmp

Filesize
9.1MB

Download