exelastealer | 5d99f5bf54c9d7728bbfd50f75b462d453130fff7df37a039cb8cfd490b2e397

Analysis

max time kernel
270s
max time network
273s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
25/03/2025, 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0x001900000002b122-95.exe
Size

38.5MB
MD5

812fb887e9dba4a5484fef3e0affe368
SHA1

a96a4132b8f03810d0c3862fa90108da8cc0bce6
SHA256

5d99f5bf54c9d7728bbfd50f75b462d453130fff7df37a039cb8cfd490b2e397
SHA512

a615394160fdec370b37885291c23d6584cde8287a618d3eda782fa9b9166abd733902f5f800657c801ef47bd1b4201b90782748c9057dca57dc0a579b65b44e
SSDEEP

786432:gHrt2V0YlUNf5ajZV3p3vv8gt7usRxcJ+519jtD+/K48NJtvXdlxn8C4L:gL4uEUNf5WZggt5cmBRUK48rPlxC

Score

10^/10

exelastealer collection defense_evasion discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 4 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2940	netsh.exe
2204	netsh.exe
2480	netsh.exe
1220	netsh.exe

Clipboard Data 1 TTPs 4 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2420	powershell.exe
2916	cmd.exe
5260	powershell.exe
5168	cmd.exe

Executes dropped EXE 6 IoCs

pid	Process
2192	Stub.exe
4188	Stub.exe
5520	Stub.exe
4888	Stub.exe
4848	Stub.exe
3900	Stub.exe

Loads dropped DLL 64 IoCs

pid	Process
2192	Stub.exe
2192	Stub.exe
2192	Stub.exe
2192	Stub.exe
2192	Stub.exe
2192	Stub.exe
2192	Stub.exe
2192	Stub.exe
2192	Stub.exe
2192	Stub.exe
2192	Stub.exe
2192	Stub.exe
2192	Stub.exe
2192	Stub.exe
2192	Stub.exe
2192	Stub.exe
2192	Stub.exe
2192	Stub.exe
2192	Stub.exe
2192	Stub.exe
2192	Stub.exe
2192	Stub.exe
2192	Stub.exe
2192	Stub.exe
2192	Stub.exe
2192	Stub.exe
2192	Stub.exe
4188	Stub.exe
4188	Stub.exe
4188	Stub.exe
4188	Stub.exe
4188	Stub.exe
4188	Stub.exe
4188	Stub.exe
4188	Stub.exe
4188	Stub.exe
4188	Stub.exe
4188	Stub.exe
4188	Stub.exe
4188	Stub.exe
4188	Stub.exe
4188	Stub.exe
4188	Stub.exe
4188	Stub.exe
4188	Stub.exe
4188	Stub.exe
4188	Stub.exe
4188	Stub.exe
4188	Stub.exe
4188	Stub.exe
4188	Stub.exe
4188	Stub.exe
4188	Stub.exe
5520	Stub.exe
5520	Stub.exe
5520	Stub.exe
5520	Stub.exe
5520	Stub.exe
5520	Stub.exe
5520	Stub.exe
5520	Stub.exe
5520	Stub.exe
5520	Stub.exe
5520	Stub.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
17	discord.com
36	discord.com
38	api.gofile.io
73	discord.com
84	api.gofile.io
16	discord.com
19	discord.com
37	api.gofile.io
74	discord.com
83	discord.com

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
24	ip-api.com
71	ipinfo.io
72	ipinfo.io
81	ip-api.com
14	ipinfo.io
15	ipinfo.io

Network Service Discovery 1 TTPs 4 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
5908	cmd.exe
5264	ARP.EXE
5788	cmd.exe
236	ARP.EXE

Enumerates processes with tasklist 1 TTPs 10 IoCs

discovery

Process Discovery

T1057

pid	Process
4612	tasklist.exe
5456	tasklist.exe
4904	tasklist.exe
4140	tasklist.exe
4312	tasklist.exe
5096	tasklist.exe
6028	tasklist.exe
2584	tasklist.exe
5944	tasklist.exe
4872	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4592	cmd.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\CbsTemp	TiWorker.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
5328	sc.exe
3228	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Embeds OpenSSL 1 IoCs

Embeds OpenSSL, may be used to circumvent TLS interception.

resource	yara_rule
behavioral2/files/0x00070000000281e4-75.dat	embeds_openssl

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1416	cmd.exe
3868	netsh.exe
2100	cmd.exe
4968	netsh.exe

System Network Connections Discovery 1 TTPs 2 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
2892	NETSTAT.EXE
1828	NETSTAT.EXE

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 18 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Collects information from the system 1 TTPs 2 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
3632	WMIC.exe
1120	WMIC.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4724	WMIC.exe
3996	WMIC.exe

Gathers network information 2 TTPs 4 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4532	ipconfig.exe
2892	NETSTAT.EXE
5052	ipconfig.exe
1828	NETSTAT.EXE

Gathers system information 1 TTPs 2 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
6056	systeminfo.exe
2692	systeminfo.exe

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
6092	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1702774510-645589634-1201277210-1000_Classes\Local Settings	firefox.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
3124	NOTEPAD.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4724	WMIC.exe
4724	WMIC.exe
4724	WMIC.exe
4724	WMIC.exe
4548	WMIC.exe
4548	WMIC.exe
4548	WMIC.exe
4548	WMIC.exe
1076	WMIC.exe
1076	WMIC.exe
1076	WMIC.exe
1076	WMIC.exe
2012	WMIC.exe
2012	WMIC.exe
2012	WMIC.exe
2012	WMIC.exe
5260	powershell.exe
5260	powershell.exe
3632	WMIC.exe
3632	WMIC.exe
3632	WMIC.exe
3632	WMIC.exe
4528	WMIC.exe
4528	WMIC.exe
4528	WMIC.exe
4528	WMIC.exe
3116	WMIC.exe
3116	WMIC.exe
3116	WMIC.exe
3116	WMIC.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4724	WMIC.exe
Token: SeSecurityPrivilege	4724	WMIC.exe
Token: SeTakeOwnershipPrivilege	4724	WMIC.exe
Token: SeLoadDriverPrivilege	4724	WMIC.exe
Token: SeSystemProfilePrivilege	4724	WMIC.exe
Token: SeSystemtimePrivilege	4724	WMIC.exe
Token: SeProfSingleProcessPrivilege	4724	WMIC.exe
Token: SeIncBasePriorityPrivilege	4724	WMIC.exe
Token: SeCreatePagefilePrivilege	4724	WMIC.exe
Token: SeBackupPrivilege	4724	WMIC.exe
Token: SeRestorePrivilege	4724	WMIC.exe
Token: SeShutdownPrivilege	4724	WMIC.exe
Token: SeDebugPrivilege	4724	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4724	WMIC.exe
Token: SeRemoteShutdownPrivilege	4724	WMIC.exe
Token: SeUndockPrivilege	4724	WMIC.exe
Token: SeManageVolumePrivilege	4724	WMIC.exe
Token: 33	4724	WMIC.exe
Token: 34	4724	WMIC.exe
Token: 35	4724	WMIC.exe
Token: 36	4724	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4724	WMIC.exe
Token: SeSecurityPrivilege	4724	WMIC.exe
Token: SeTakeOwnershipPrivilege	4724	WMIC.exe
Token: SeLoadDriverPrivilege	4724	WMIC.exe
Token: SeSystemProfilePrivilege	4724	WMIC.exe
Token: SeSystemtimePrivilege	4724	WMIC.exe
Token: SeProfSingleProcessPrivilege	4724	WMIC.exe
Token: SeIncBasePriorityPrivilege	4724	WMIC.exe
Token: SeCreatePagefilePrivilege	4724	WMIC.exe
Token: SeBackupPrivilege	4724	WMIC.exe
Token: SeRestorePrivilege	4724	WMIC.exe
Token: SeShutdownPrivilege	4724	WMIC.exe
Token: SeDebugPrivilege	4724	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4724	WMIC.exe
Token: SeRemoteShutdownPrivilege	4724	WMIC.exe
Token: SeUndockPrivilege	4724	WMIC.exe
Token: SeManageVolumePrivilege	4724	WMIC.exe
Token: 33	4724	WMIC.exe
Token: 34	4724	WMIC.exe
Token: 35	4724	WMIC.exe
Token: 36	4724	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4548	WMIC.exe
Token: SeSecurityPrivilege	4548	WMIC.exe
Token: SeTakeOwnershipPrivilege	4548	WMIC.exe
Token: SeLoadDriverPrivilege	4548	WMIC.exe
Token: SeSystemProfilePrivilege	4548	WMIC.exe
Token: SeSystemtimePrivilege	4548	WMIC.exe
Token: SeProfSingleProcessPrivilege	4548	WMIC.exe
Token: SeIncBasePriorityPrivilege	4548	WMIC.exe
Token: SeCreatePagefilePrivilege	4548	WMIC.exe
Token: SeBackupPrivilege	4548	WMIC.exe
Token: SeRestorePrivilege	4548	WMIC.exe
Token: SeShutdownPrivilege	4548	WMIC.exe
Token: SeDebugPrivilege	4548	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4548	WMIC.exe
Token: SeRemoteShutdownPrivilege	4548	WMIC.exe
Token: SeUndockPrivilege	4548	WMIC.exe
Token: SeManageVolumePrivilege	4548	WMIC.exe
Token: 33	4548	WMIC.exe
Token: 34	4548	WMIC.exe
Token: 35	4548	WMIC.exe
Token: 36	4548	WMIC.exe
Token: SeDebugPrivilege	4312	tasklist.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe
3476	taskmgr.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1856	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 2192	3228	0x001900000002b122-95.exe	82
PID 3228 wrote to memory of 2192	3228	0x001900000002b122-95.exe	82
PID 2192 wrote to memory of 1768	2192	Stub.exe	85
PID 2192 wrote to memory of 1768	2192	Stub.exe	85
PID 2192 wrote to memory of 4760	2192	Stub.exe	89
PID 2192 wrote to memory of 4760	2192	Stub.exe	89
PID 2192 wrote to memory of 4808	2192	Stub.exe	90
PID 2192 wrote to memory of 4808	2192	Stub.exe	90
PID 2192 wrote to memory of 4856	2192	Stub.exe	91
PID 2192 wrote to memory of 4856	2192	Stub.exe	91
PID 2192 wrote to memory of 4868	2192	Stub.exe	93
PID 2192 wrote to memory of 4868	2192	Stub.exe	93
PID 4760 wrote to memory of 4724	4760	cmd.exe	97
PID 4760 wrote to memory of 4724	4760	cmd.exe	97
PID 4868 wrote to memory of 4312	4868	cmd.exe	98
PID 4868 wrote to memory of 4312	4868	cmd.exe	98
PID 4808 wrote to memory of 4548	4808	cmd.exe	99
PID 4808 wrote to memory of 4548	4808	cmd.exe	99
PID 2192 wrote to memory of 2312	2192	Stub.exe	100
PID 2192 wrote to memory of 2312	2192	Stub.exe	100
PID 2312 wrote to memory of 1076	2312	cmd.exe	102
PID 2312 wrote to memory of 1076	2312	cmd.exe	102
PID 2192 wrote to memory of 4960	2192	Stub.exe	103
PID 2192 wrote to memory of 4960	2192	Stub.exe	103
PID 2192 wrote to memory of 2200	2192	Stub.exe	104
PID 2192 wrote to memory of 2200	2192	Stub.exe	104
PID 2200 wrote to memory of 5096	2200	cmd.exe	107
PID 2200 wrote to memory of 5096	2200	cmd.exe	107
PID 4960 wrote to memory of 2012	4960	cmd.exe	108
PID 4960 wrote to memory of 2012	4960	cmd.exe	108
PID 2192 wrote to memory of 4592	2192	Stub.exe	109
PID 2192 wrote to memory of 4592	2192	Stub.exe	109
PID 4592 wrote to memory of 5948	4592	cmd.exe	111
PID 4592 wrote to memory of 5948	4592	cmd.exe	111
PID 2192 wrote to memory of 5776	2192	Stub.exe	112
PID 2192 wrote to memory of 5776	2192	Stub.exe	112
PID 2192 wrote to memory of 64	2192	Stub.exe	113
PID 2192 wrote to memory of 64	2192	Stub.exe	113
PID 64 wrote to memory of 4612	64	cmd.exe	116
PID 64 wrote to memory of 4612	64	cmd.exe	116
PID 5776 wrote to memory of 5340	5776	cmd.exe	117
PID 5776 wrote to memory of 5340	5776	cmd.exe	117
PID 2192 wrote to memory of 4260	2192	Stub.exe	118
PID 2192 wrote to memory of 4260	2192	Stub.exe	118
PID 2192 wrote to memory of 3664	2192	Stub.exe	119
PID 2192 wrote to memory of 3664	2192	Stub.exe	119
PID 2192 wrote to memory of 5712	2192	Stub.exe	120
PID 2192 wrote to memory of 5712	2192	Stub.exe	120
PID 2192 wrote to memory of 2916	2192	Stub.exe	121
PID 2192 wrote to memory of 2916	2192	Stub.exe	121
PID 3664 wrote to memory of 3212	3664	cmd.exe	127
PID 3664 wrote to memory of 3212	3664	cmd.exe	127
PID 2916 wrote to memory of 5260	2916	cmd.exe	128
PID 2916 wrote to memory of 5260	2916	cmd.exe	128
PID 4260 wrote to memory of 5292	4260	cmd.exe	129
PID 4260 wrote to memory of 5292	4260	cmd.exe	129
PID 3212 wrote to memory of 5640	3212	cmd.exe	130
PID 3212 wrote to memory of 5640	3212	cmd.exe	130
PID 5712 wrote to memory of 6028	5712	cmd.exe	131
PID 5712 wrote to memory of 6028	5712	cmd.exe	131
PID 5292 wrote to memory of 6072	5292	cmd.exe	132
PID 5292 wrote to memory of 6072	5292	cmd.exe	132
PID 2192 wrote to memory of 1416	2192	Stub.exe	133
PID 2192 wrote to memory of 1416	2192	Stub.exe	133

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5948	attrib.exe

C:\Users\Admin\AppData\Local\Temp\0x001900000002b122-95.exe
"C:\Users\Admin\AppData\Local\Temp\0x001900000002b122-95.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Users\Admin\AppData\Local\Temp\onefile_3228_133873433526427069\Stub.exe
  C:\Users\Admin\AppData\Local\Temp\0x001900000002b122-95.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:1768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4760
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4808
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:4856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4868
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4960
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2200
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\HellionUpdate\Hellion.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:4592
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\HellionUpdate\Hellion.exe"
      4⤵
      Views/modifies file attributes
      PID:5948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5776
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:5340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:64
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:4612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4260
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5292
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:6072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3664
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3212
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:5640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5712
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:6028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:5260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1416
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    PID:5788
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:6056
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:464
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      Suspicious behavior: EnumeratesProcesses
      PID:3632
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:1828
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:5300
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:2480
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:3276
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:980
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:5276
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:5880
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:1540
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:2028
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:4468
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:2464
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:2768
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:2880
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:5456
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:4532
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:2968
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:236
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:2892
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:5328
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2940
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3036
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2360
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3116

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:3468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\ResolveCompare.cmd" "
1⤵
PID:5208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\ResolveCompare.cmd" "
1⤵
PID:1788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\ResolveCompare.cmd" "
1⤵
PID:460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\ResolveCompare.cmd" "
1⤵
PID:3536

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\ResolveCompare.cmd
1⤵
- Opens file in notepad (likely ransom note)
PID:3124

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2912

C:\Users\Admin\AppData\Local\Temp\0x001900000002b122-95.exe
"C:\Users\Admin\AppData\Local\Temp\0x001900000002b122-95.exe"
1⤵
PID:1392
- C:\Users\Admin\AppData\Local\Temp\onefile_1392_133873434389749197\Stub.exe
  C:\Users\Admin\AppData\Local\Temp\0x001900000002b122-95.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4188

C:\Users\Admin\Desktop\0x001900000002b122-95.exe
"C:\Users\Admin\Desktop\0x001900000002b122-95.exe"
1⤵
PID:5808
- C:\Users\Admin\AppData\Local\Temp\onefile_5808_133873434535842951\Stub.exe
  C:\Users\Admin\Desktop\0x001900000002b122-95.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5520

C:\Users\Admin\Desktop\0x001900000002b122-95.exe
"C:\Users\Admin\Desktop\0x001900000002b122-95.exe"
1⤵
PID:4836
- C:\Users\Admin\AppData\Local\Temp\onefile_4836_133873434735842950\Stub.exe
  C:\Users\Admin\Desktop\0x001900000002b122-95.exe
  2⤵
  - Executes dropped EXE
  PID:4888

C:\Users\Admin\AppData\Local\Temp\onefile_3228_133873433526427069\Stub.exe
"C:\Users\Admin\AppData\Local\Temp\onefile_3228_133873433526427069\Stub.exe"
1⤵
- Executes dropped EXE
PID:4848

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3476

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
PID:1940

C:\Users\Admin\Desktop\0x001900000002b122-95.exe
"C:\Users\Admin\Desktop\0x001900000002b122-95.exe"
1⤵
PID:1612
- C:\Users\Admin\AppData\Local\Temp\onefile_1612_133873435892436199\Stub.exe
  C:\Users\Admin\Desktop\0x001900000002b122-95.exe
  2⤵
  - Executes dropped EXE
  PID:3900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:6004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:2028
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    PID:4532
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      PID:4596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:5524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:2056
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2584
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    PID:4036
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      PID:4548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1016
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:5768
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /IM "taskmgr.exe""
    3⤵
    PID:5364
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM "taskmgr.exe"
      4⤵
      Kills process with taskkill
      PID:6092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    PID:5560
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:4920
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:4896
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:4904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:2272
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:4256
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:6016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:2012
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:1480
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:3156
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:5048
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:5168
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      PID:2420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    PID:5908
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2692
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:3000
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      PID:1120
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:984
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:4716
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:5860
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:4592
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:5308
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:5632
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:1244
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:3532
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:2376
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:4368
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:5572
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:2344
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:5900
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:4140
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:5052
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:1928
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:5264
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:1828
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:3228
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2480
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2100
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2764
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:464
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2768

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:5248

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1760
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:1856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 1992 -prefsLen 27100 -prefMapHandle 1996 -prefMapSize 270279 -ipcHandle 2072 -initialChannelId {092850ba-0676-4ca3-bb4c-9a3e2ae564d9} -parentPid 1856 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1856" -appDir "C:\Program Files\Mozilla Firefox\browser" - 1 gpu
    3⤵
    PID:5992
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 2380 -prefsLen 27136 -prefMapHandle 2368 -prefMapSize 270279 -ipcHandle 2480 -initialChannelId {0f359af7-7c1b-41d9-8878-3942de035c30} -parentPid 1856 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1856" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 2 socket
    3⤵
    PID:2392
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 3824 -prefsLen 27277 -prefMapHandle 3828 -prefMapSize 270279 -jsInitHandle 3832 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3840 -initialChannelId {459ac4c3-9961-407b-af63-71c66db299f2} -parentPid 1856 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1856" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 3 tab
    3⤵
    - Checks processor information in registry
    PID:564
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -prefsHandle 4032 -prefsLen 27277 -prefMapHandle 4036 -prefMapSize 270279 -ipcHandle 3864 -initialChannelId {e647bc79-8c9f-46e2-9911-9ccd927e89e7} -parentPid 1856 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1856" -appDir "C:\Program Files\Mozilla Firefox\browser" - 4 rdd
    3⤵
    PID:1056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 2800 -prefsLen 34776 -prefMapHandle 2804 -prefMapSize 270279 -jsInitHandle 2812 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 3040 -initialChannelId {a95ef0bb-747d-444a-a10f-133dd4a071f9} -parentPid 1856 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1856" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 5 tab
    3⤵
    - Checks processor information in registry
    PID:5208
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -parentBuildID 20250130195129 -sandboxingKind 0 -prefsHandle 5088 -prefsLen 35013 -prefMapHandle 5124 -prefMapSize 270279 -ipcHandle 5132 -initialChannelId {3a45f44f-1fd2-4b1a-80dc-a51b1d56d542} -parentPid 1856 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1856" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 6 utility
    3⤵
    - Checks processor information in registry
    PID:1712
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5616 -prefsLen 32952 -prefMapHandle 5620 -prefMapSize 270279 -jsInitHandle 5624 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 2928 -initialChannelId {9a0c2946-b2f2-48c1-b50f-2293cd03eb6e} -parentPid 1856 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1856" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 7 tab
    3⤵
    - Checks processor information in registry
    PID:5740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5764 -prefsLen 32952 -prefMapHandle 5768 -prefMapSize 270279 -jsInitHandle 5772 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5776 -initialChannelId {c64c5c1d-08d5-4a7d-99f1-12439d140f40} -parentPid 1856 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1856" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 8 tab
    3⤵
    - Checks processor information in registry
    PID:2596
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc -isForBrowser -prefsHandle 5948 -prefsLen 32952 -prefMapHandle 5952 -prefMapSize 270279 -jsInitHandle 5956 -jsInitLen 253512 -parentBuildID 20250130195129 -ipcHandle 5964 -initialChannelId {ecf717b1-143e-4b73-a101-2ecbaa2c25e6} -parentPid 1856 -crashReporter "\\.\pipe\gecko-crash-server-pipe.1856" -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - 9 tab
    3⤵
    - Checks processor information in registry
    PID:4232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\HellionUpdate\Hellion.exe

Filesize
38.5MB

MD5
812fb887e9dba4a5484fef3e0affe368

SHA1
a96a4132b8f03810d0c3862fa90108da8cc0bce6

SHA256
5d99f5bf54c9d7728bbfd50f75b462d453130fff7df37a039cb8cfd490b2e397

SHA512
a615394160fdec370b37885291c23d6584cde8287a618d3eda782fa9b9166abd733902f5f800657c801ef47bd1b4201b90782748c9057dca57dc0a579b65b44e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\1c7yivle.default-release\activity-stream.discovery_stream.json.tmp

Filesize
31KB

MD5
d83ce6d7957c47907d40ac14569befdf

SHA1
1ea6aeb07e1db1761e33a3226852c5d54a22dd90

SHA256
c419f1617ca896eb1e7ea3fe65dda2393921f24567dac188829cf7f322466c01

SHA512
8ec197f62b3060e94e1ed3ead5599ebd60acbeb930490882d94d62a4a67c580200167e669caf1d0a5929f65e96d100a8e7e7f697e449a30a2eabd4d81ef5eefc

Download Submit
C:\Users\Admin\AppData\Local\Temp\HistoryData.db

Filesize
192KB

MD5
83c468b78a1714944e5becf35401229b

SHA1
5bb1aaf85b2b973e4ba33fa8457aaf71e4987b34

SHA256
da5fdb5a9d869b349244f1ab62d95b0dbd05ac12ff45a6db157da829566a6690

SHA512
795aa24a35781ea1e91cdb1760aef90948a61c0f96f94f20585662bdce627443a702f7b2637472cb595e027b1989cec822959dcad4b121928dbb2f250b2df599

Download Submit
C:\Users\Admin\AppData\Local\Temp\HistoryData.db

Filesize
160KB

MD5
9b85a4b842b758be395bc19aba64799c

SHA1
c32922b745c9cf827e080b09f410b4378560acb3

SHA256
ecc8d7540d26e3c2c43589c761e94638fc5096af874d7df216e833b9599c673a

SHA512
fad80745bb64406d8f2947c1e69817cff57cc504d5a8cdca9e22da50402d27d005988f6759eaa91f1f7616d250772c9f5e4ec2f98ce7264501dd4f436d1665f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_asyncio.pyd

Filesize
63KB

MD5
686262283ba69cce7f3eaba7cdeb0372

SHA1
5b771e444ee97b246545affcdc8fa910c8f591ea

SHA256
02ec5cd22543c0ca298c598b7e13949a4e8247cec288d0bca0a1269059b548ef

SHA512
dca7403cfe2bfe14cf51f747a893f49db52d4d43691dbccecaa83796351b6f7e644cf8e455a0b9c38c6c006f481d5c45d32ae789756250a2b29978e9feb839d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_bz2.pyd

Filesize
81KB

MD5
56203038756826a0a683d5750ee04093

SHA1
93d5a07f49bdcc7eb8fba458b2428fe4afcc20d2

SHA256
31c2f21adf27ca77fa746c0fda9c7d7734587ab123b95f2310725aaf4bf4ff3c

SHA512
3da5ae98511300694c9e91617c152805761d3de567981b5ab3ef7cd3dbba3521aae0d49b1eb42123d241b5ed13e8637d5c5bc1b44b9eaa754657f30662159f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_cffi_backend.pyd

Filesize
174KB

MD5
2baaa98b744915339ae6c016b17c3763

SHA1
483c11673b73698f20ca2ff0748628c789b4dc68

SHA256
4f1ce205c2be986c9d38b951b6bcb6045eb363e06dacc069a41941f80be9068c

SHA512
2ae8df6e764c0813a4c9f7ac5a08e045b44daac551e8ff5f8aa83286be96aa0714d373b8d58e6d3aa4b821786a919505b74f118013d9fcd1ebc5a9e4876c2b5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd

Filesize
120KB

MD5
462fd515ca586048459b9d90a660cb93

SHA1
06089f5d5e2a6411a0d7b106d24d5203eb70ec60

SHA256
bf017767ac650420487ca3225b3077445d24260bf1a33e75f7361b0c6d3e96b4

SHA512
67851bdbf9ba007012b89c89b86fd430fce24790466fefbb54431a7c200884fc9eb2f90c36d57acd300018f607630248f1a3addc2aa5f212458eb7a5c27054b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd

Filesize
154KB

MD5
14ea9d8ba0c2379fb1a9f6f3e9bbd63b

SHA1
f7d4e7b86acaf796679d173e18f758c1e338de82

SHA256
c414a5a418c41a7a8316687047ed816cad576741bd09a268928e381a03e1eb39

SHA512
64a52fe41007a1cac4afedf2961727b823d7f1c4399d3465d22377b5a4a5935cee2598447aeff62f99c4e98bb3657cfae25b5c27de32107a3a829df5a25ba1ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_overlapped.pyd

Filesize
48KB

MD5
a5bd529290006ef1ebc8d32ffe501ca5

SHA1
c59ef2157358fb8f79b5a37ee9abba802ae915ba

SHA256
eeaa26addf211b37e689d46cfac6b7fad0d5421adc4c0113872dac1347aff130

SHA512
6b026e62b0b37445a480599175161cf6a60284ef881e0f0d1da643ac80013c2005f790f099733d76cfcf855e2ecd3a0e6c8bfc19dbabff67869119676ee03b73

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_queue.pyd

Filesize
30KB

MD5
60dec90862b996e56aedafb2774c3475

SHA1
ce6ff24b2cc03aff2e825e1cf953cba10c139c9d

SHA256
9568ef8bae36edae7347b6573407c312ce3b19bbd899713551a1819d6632da46

SHA512
c4b2066975f5d204a7659a2c7c6bc6dfc9a2fc83d7614dbbc0396f3dcc8b142df9a803f001768bfd44ca6bfa61622836b20a9d68871954009435449ae6d76720

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd

Filesize
77KB

MD5
c389430e19f1cd4c2e7b8538e8c52459

SHA1
546ed5a85ad80a7b7db99f80c7080dc972e4f2a2

SHA256
a14efa68d8f7ec018fb867a6ba6c6c290a803b4001fd8c45db7bda66fb700067

SHA512
5bef6c90c65bf1d4be0ce0d0cb3f38fe288f5716c93e444cf12f89f066791850d8316d414f1d795ff148c9e841cda90ef9c35ceb4a499563f28d068a6b427671

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_sqlite3.pyd

Filesize
96KB

MD5
98228631212a443781d0ac72e4656b97

SHA1
7e87e1fb891439cf466648b37abdbd4053a5da66

SHA256
fab3440d88376c9c334333b80b50f20a273a08f1d319bf0a9a6eb8bd04d35250

SHA512
5d41384b0280415f581c13b4b47de3de845fd60fc0373613dc9a73d4e0ecf9e855cb0e4aaa1c88fdc2d98e973ca083a48c129529141a8fd65c74c104ad9015f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_uuid.pyd

Filesize
24KB

MD5
ecf3d9de103ba77730ed021fe69a2804

SHA1
ce7eae927712fda0c70267f7db6bcb8406d83815

SHA256
7cf37a10023ebf6705963822a46f238395b1fbe8cb898899b3645c92d61b48ea

SHA512
c2bf0e2ba6080e03eca22d74ea7022fb9581036ce46055ea244773d26d8e5b07caf6ed2c44c479fda317000a9fa08ca6913c23fa4f54b08ee6d3427b9603dfba

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\cryptography\hazmat\bindings\_rust.pyd

Filesize
7.5MB

MD5
81ad4f91bb10900e3e2e8eaf917f42c9

SHA1
840f7aef02cda6672f0e3fc7a8d57f213ddd1dc6

SHA256
5f20d6cec04685075781996a9f54a78dc44ab8e39eb5a2bcf3234e36bef4b190

SHA512
11cd299d6812cdf6f0a74ba86eb44e9904ce4106167ebd6e0b81f60a5fcd04236cef5cff81e51ed391f5156430663056393dc07353c4a70a88024194768ffe9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\libffi-7.dll

Filesize
32KB

MD5
eef7981412be8ea459064d3090f4b3aa

SHA1
c60da4830ce27afc234b3c3014c583f7f0a5a925

SHA256
f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

SHA512
dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\multidict\_multidict.pyd

Filesize
46KB

MD5
95463f615865a472f75ddb365644a571

SHA1
91f22ef3f2ffd3e9d6ce6e58beea9a96287b090b

SHA256
9ee77474d244a17337d4ccc5113fe4af7b4d86f9969293a884927718d06e63c8

SHA512
e3cccce9ebf5e7cf33e68046d3e7b59e454ccb791635eb5f405977fd270126ef8b58e6288dbe58c96b681361d81ef28720eba8d0bd389bfb0f4c3114d098a117

Download Submit
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\sqlite3.dll

Filesize
1.5MB

MD5
fcc7a468d46c90f5a71e3e9c99b1d50e

SHA1
91070cac3cdde28905a7bc695f8c0fd1290fd0d0

SHA256
215c02ac57378e48428d4b013f7bcedd2b58d73e83c54eca17a8c9bd7f3bdf55

SHA512
95bff194696436e590a5df8f18987ce6e5c20b6e50e552e7d049fec8da834c71cdbd87418fc85be73aaea4176aeb672d44e89256cd64bfade5959f3aabb0884d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
228KB

MD5
ee463e048e56b687d02521cd12788e2c

SHA1
ee26598f8e8643df84711960e66a20ecbc6321b8

SHA256
3a07b3003758a79a574aa73032076567870389751f2a959537257070da3a10d8

SHA512
42b395bf6bd97da800385b9296b63a4b0edd7b3b50dc92f19e61a89235a42d37d204359b57d506e6b25ab95f16625cce035ed3b55ef2d54951c82332498dab0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
130KB

MD5
8edc5035b7d2156a13c4b40f25824b55

SHA1
7552f374747a1ef757c077d25189671faaa62e7c

SHA256
149873cc839ee7a9a0ef0c984fad6fbb02610c5db33b0beff6f76b15473fceee

SHA512
cc2cb2556a33607eb829feed2d58af1e7b46cd43751b535fbbe64b965797379e94519dbe6546eb37418a9a6f79105890dcf24c3968bff91bb048208904f754eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_23w0pzk2.b1f.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3228_133873433526427069\_decimal.pyd

Filesize
246KB

MD5
709613d7d7bc30abdaee015c331664b6

SHA1
84278fd8acc53c50b4e2ffa3f47b9ddad7dd7a70

SHA256
8600cae4f34cc64c406198e19539d0d4f5a574fc60b32b8aa8f32fd64c981da5

SHA512
4eb48bbcdf7cd9ebb9909e5269d4663bf14906a282a1f1418cc7e137f2be1c792019d78446d4d8bea63024cbf01bec14e28633d6e4ebbd85d7d074b948cab211

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3228_133873433526427069\_hashlib.pyd

Filesize
63KB

MD5
7a74284813386818ada7bf55c8d8acf9

SHA1
380c4184eec7ca266e4c2b96bb92a504dfd8fe5f

SHA256
21a1819013de423bb3b9b682d0b3506c6ef57ee88c61edf4ba12d8d5f589c9c2

SHA512
f8bc4ac57ada754006bbbb0bfa1ccb6c659f9c4d3270970e26219005e872b60afb9242457d8eb3eae0ce1f608f730da3bf16715f04b47bea4c95519dd9994a46

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3228_133873433526427069\_multiprocessing.pyd

Filesize
33KB

MD5
b3c8414bbcae9bcc3377a4df72a4aed7

SHA1
cf754caff33c158ef6377b6cb2dc11ab96a27678

SHA256
65413d49d81e5b939226a211fd40c9b7c6d61366651639446273988930f4a6fd

SHA512
3a1a85ff177d5521043a7a84b3aa56f567b9d1e0fb5b72441d50d0234e50519c86dfc24f6432be32460cbc63226ff3e4bc2d86e3154cdcd7a3d9b8d87b32b035

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3228_133873433526427069\_ssl.pyd

Filesize
156KB

MD5
7c7223f28c0c27c85a979ad222d19288

SHA1
4185e671b1dc56b22134c97cd8a4a67747887b87

SHA256
4ec47beadc4fd0d38fa39092244c108674012874f3190ee0e484aa988b94f986

SHA512
f3e813b954357f1bc323d897edf308a99ed30ff451053b312f81b6baae188cda58d144072627398a19d8d12fe659e4f40636dbbdf22a45770c3ca71746ec2df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3228_133873433526427069\libcrypto-1_1.dll

Filesize
3.3MB

MD5
80b72c24c74d59ae32ba2b0ea5e7dad2

SHA1
75f892e361619e51578b312605201571bfb67ff8

SHA256
eb975c94e5f4292edd9a8207e356fe4ea0c66e802c1e9305323d37185f85ad6d

SHA512
08014ee480b5646362c433b82393160edf9602e4654e12cd9b6d3c24e98c56b46add9bf447c2301a2b2e782f49c444cb8e37ee544f38330c944c87397bdd152a

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3228_133873433526427069\libssl-1_1.dll

Filesize
686KB

MD5
86f2d9cc8cc54bbb005b15cabf715e5d

SHA1
396833cba6802cb83367f6313c6e3c67521c51ad

SHA256
d98dd943517963fd0e790fde00965822aa4e4a48e8a479afad74abf14a300771

SHA512
0013d487173b42e669a13752dc8a85b838c93524f976864d16ec0d9d7070d981d129577eda497d4fcf66fc6087366bd320cff92ead92ab79cfcaa946489ac6cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3228_133873433526427069\pyexpat.pyd

Filesize
194KB

MD5
ea36d6df8ab58a22421f01d6d673adf2

SHA1
6a22ea1f37e8655d1602823f18ac87727110a1b5

SHA256
32e8c601259ec029e44824116ad911426157ceeae55f9fdd15387af40660dd5a

SHA512
d23b7b4f46e99fa4c93e6adba24e30d09c445e85c7b2eae93a6efbffc5d8be166908f7ba7edf7b3e5089e712a4ce8e5bcdc32610f59bda94b90dd01aa3601035

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3228_133873433526427069\python3.dll

Filesize
64KB

MD5
24f4d5a96cd4110744766ea2da1b8ffa

SHA1
b12a2205d3f70f5c636418811ab2f8431247da15

SHA256
73b0f3952be222ce676672603ae3848ee6e8e479782bd06745116712a4834c53

SHA512
bd2f27441fe5c25c30bab22c967ef32306bcea2f6be6f4a5da8bbb5b54d3d5f59da1ffcb55172d2413fe0235dd7702d734654956e142e9a0810160b8c16225f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3228_133873433526427069\python310.dll

Filesize
4.3MB

MD5
e4533934b37e688106beac6c5919281e

SHA1
ada39f10ef0bbdcf05822f4260e43d53367b0017

SHA256
2bf761bae584ba67d9a41507b45ebd41ab6ae51755b1782496d0bc60cc1d41d5

SHA512
fa681a48ddd81854c9907026d4f36b008e509729f1d9a18a621f1d86cd1176c1a1ff4f814974306fa4d9e3886e2ce112a4f79b66713e1401f5dae4bcd8b898b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3228_133873433526427069\select.pyd

Filesize
29KB

MD5
c6ef07e75eae2c147042d142e23d2173

SHA1
6ef3e912db5faf5a6b4225dbb6e34337a2271a60

SHA256
43ee736c8a93e28b1407bf5e057a7449f16ee665a6e51a0f1bc416e13cee7e78

SHA512
30e915566e7b934bdd49e708151c98f732ff338d7bc3a46797de9cca308621791276ea03372c5e2834b6b55e66e05d58cf1bb4cb9ff31fb0a1c1aca0fcdc0d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3228_133873433526427069\unicodedata.pyd

Filesize
1.1MB

MD5
d4964a28a22078c30064c65e968f9e1f

SHA1
b9b95975bea97a55c888da66148d54bdb38b609b

SHA256
b204718d21952369726472ca12712047839119ccf87e16979af595c0a57b6703

SHA512
bfe200b255ae1ddba53d98d54479e7e1d0932fb27bbfdcb4170d3d4cbbbfc297e3b5fd273b830399b795feb64cd0d9c48d0e1e0eaf72d0e0992261864e2d7296

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3228_133873433526427069\vcruntime140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3228_133873433526427069\yarl\_helpers_c.pyd

Filesize
53KB

MD5
6fb550ddaee31afedd29bdb97e2525f2

SHA1
b58257f37c581f143176d0c7abd3a98fec75a12f

SHA256
33a9b6f1caede0dbc9ee83097dea21c6db0a5cabff27f2917ea94cf47688e9df

SHA512
dbeb69892c63238aea76422815e45b7b1e12a7d2a0bcc6170f690b68eb56bc04c071413885fce81cc6ce435d9c60c36d9b97c792c75c21541db612c48124df38

Download Submit
C:\Users\Admin\AppData\Local\Temp\onefile_3228_133873433526427069\yarl\_quoting_c.pyd

Filesize
93KB

MD5
6809491f7b8ad46a7281e222ca71745a

SHA1
138c75bfb03b1d54cd62fe14c3dc4501cb418397

SHA256
80660605ae26882225d02d130d0a84927635a79c78055c2eede010a28e84eb32

SHA512
97b498e3f69de6ccc4f3373683d9e2aae67cbe2532508a7677738702bbaf02ebd7c05c26e53cebb076f9943eea59b1ac4b9f7ee71a1626b8e31e539d009b39e8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1c7yivle.default-release\AlternateServices.bin

Filesize
6KB

MD5
2be5b970f8f3427bb86cb0c3b8e45d7b

SHA1
65b0a250a8b01139b559f4b8a40cbaf586065947

SHA256
2958b0a8b07257207c3eacf0f342649256336c9e243487f7ac344ce3f500038c

SHA512
600810865f3ddb0777536944b95657259af4309b5e3b33e46bd20e77c9b4201f1f37db4f616860c6b83516ef9d011c12d7b9af1ff80e8865ba689031e63a8361

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1c7yivle.default-release\datareporting\glean\db\data.safe.tmp

Filesize
29KB

MD5
2e40437cfaf6d979e992a2c2236913ff

SHA1
3f4df0c5b16f80752475f6ae5477d424f835b674

SHA256
94c4715f4c2080c3fd16dfe7ab6e1e83d8842301c09e4e41ba6987c9933d0e3e

SHA512
7c978a7e6685344c64f876e8d09a6e7802aa4f0782076ee485a38f056aedf408c343c9fa0f6c600bf15ed45a7f5467acab1ee89ec63ce8f3afd9342e16301e9a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1c7yivle.default-release\datareporting\glean\db\data.safe.tmp

Filesize
29KB

MD5
330374d9889b0dc7afa35d82f4896ca6

SHA1
d1ac01921fff329c5e9ad0aa92503b6ec1944121

SHA256
a43b0690cac6961576d8ac042a3841d3d19c5407f9a8efe35e7371675e0d771b

SHA512
fa200c69691b45ce1e30837ed5b22d84003da102798dee9f58873489d98efab68eaeda49fc97f43d3ddc68c40a69d25b1091f215dc62831c353652b4907450ca

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1c7yivle.default-release\datareporting\glean\events\events

Filesize
1KB

MD5
90496bddae69b093550417081e70d939

SHA1
8944978957005de9d00afa450baf89d7d7875226

SHA256
38ee9b02aa564fb7228a53a9bc2b9601843f6ac6bcd78a484719305b952885e3

SHA512
482e46ccdab089bf5a0f980baed841e1e3b9c3c4db9a643ce34a5602dbc45f3d23adfd1af710a01a6862312eed27677cb7cfb4268782c0b35b00db8fa7e5f409

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1c7yivle.default-release\datareporting\glean\pending_pings\43608e6d-3fac-4230-bdbf-6b5c8fac80ad

Filesize
235B

MD5
012910d3d0ef8ae16ea26146f26099f8

SHA1
01bfe76e0e453ff439987dce456e527f491a07c4

SHA256
93ff13cd67c6dd6cede9eb36a0d1d1e84bdd7a90dc4fa7fd002df1b658c2644d

SHA512
417d383b5670eddf486f57c2ad859b4eb2ecfbacdbc14332c1d2f736655fb1bd94e7c30de1b55c33c84e20952b195eba1378a2e4d490c2e964b27a1102a1b07b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1c7yivle.default-release\datareporting\glean\pending_pings\4e4852d2-bf5b-4137-9844-41d6d1ce5956

Filesize
2KB

MD5
0156e2eb68c802a395bf5b45db9fa793

SHA1
150719379e156ce3dbd52d8b4f22dfdbd485aa7f

SHA256
387e272cad2ade3bea3c053a7170b141438670a5e49de40eba2d15bbc543887f

SHA512
86bc669f4557af73bba0adcaa1f2f6d9dca74cc3472518e3bf5354c080f52deb0acf4e590d7324b7574996ffab1491481aa01a639dafe524280c83b07bb84656

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1c7yivle.default-release\datareporting\glean\pending_pings\624443b4-cbe2-48a5-a1a8-6f322263fa24

Filesize
235B

MD5
5a9c60f07294f27bdab7c6b2be01ae87

SHA1
5f2c0d47211b79b1a6ca27a81ecafeffb6cf0312

SHA256
e9197bf91fed0c277587df0ba0e494f320cf98b1ffa30b0620bfdc0c55887030

SHA512
1e805d4c34a3a6cff6e418705eaf25f46c19f42f2eba2ffce5d6bdb9e4c76340d97cc42b403eddc36867d71dd4432dc8e0a8e13d198cbed67fb1fa304d22f97b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1c7yivle.default-release\datareporting\glean\pending_pings\ec562308-eb29-4b19-9455-78bfbf93762e

Filesize
871B

MD5
13628ae4244f1a35d205ad5f02489282

SHA1
2ac7d75ad6066a4b546fe8521a40342920d44f43

SHA256
5c0d082cb0e6c19a378d8daac61e87a17fd6888b5afe8ef141f52943858475af

SHA512
f8506aa1979e9a27ce9d4b5c3cd76fe3efe9a4a6630654d3f6b5f3f98a61d90e4eb86e6842d1999b0e0a4aee4b5472a97e382b972eea0fc5d89b1992d43b15da

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1c7yivle.default-release\datareporting\glean\pending_pings\f3428a64-3067-41a8-936b-c04b606bf472

Filesize
886B

MD5
56ea74cdc69ed2da2e054d81c3152d1d

SHA1
29309b188fb4f19e43604e4ba475ff46c1eee51e

SHA256
d91785438c893524bf8bd84dffb63dbee72d5dc58b7418bcacdadc135437294f

SHA512
6715dc20d440f81a86b855be67c83120b375c934c05607afbe57722182fe59b3b2baafe32fcc72bf0d4b8e7df61c0c7082be553f0a3b1468e0090d73ed81b99a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1c7yivle.default-release\prefs-1.js

Filesize
6KB

MD5
727fcbf1a9be5d8ba7d3e897297d7d0e

SHA1
aa427daf87c50482cf10965c9ed465984cd9489d

SHA256
58a1b7e5cc78b862af33a09db1b2d475b2e12ba5de13953c51c4a1e1022057ca

SHA512
c14ac5bd1e44b28252be3467139bd4fa68eb950f7aabbdb8bc0a576537251a8f0b7e80624133bfc3a6a9021070d22292173a056e44df59f0064af34c46cfd18e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1c7yivle.default-release\prefs.js

Filesize
6KB

MD5
61434a9d78c8f85c5bb3074357a3ede0

SHA1
f624febd7e21286e2b11b4c0e82a755e2b902041

SHA256
6f27d50c15209fc73a8651f236eeddb36a6cef3a4b918250988c08cb6e95d7aa

SHA512
c93c2199d91f8cbe2e3182e03cc8e0749cacc174c49225d1a1340b18cf84e59ac8d3fe82294f5d6fbf1f4933fae8b30606a9283971dbe00d8ed9e95216c0b1c0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\1c7yivle.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.8MB

MD5
081dd23e2e884b43b9013349aca0d3c7

SHA1
0dfa4fe1e299bf77889b35a9dd5d8aca7031d175

SHA256
53801f2ab1d114b2d3ab00c5d4beb59bf0d1653b6c408c7b483ce33750aa590d

SHA512
93571f0484849c16a875676147347525b38fd139a1ad467197f1c05b8d11c7a5992d1ba91fef63632412596b8a3b6091871c2027baddb2b9cbd69cdcf711086d

Download Submit
memory/1392-222-0x00007FF7DBCA0000-0x00007FF7DE350000-memory.dmp

Filesize
38.7MB

Download
memory/2192-255-0x00007FF603430000-0x00007FF608E71000-memory.dmp

Filesize
90.3MB

Download
memory/2192-224-0x00007FF603430000-0x00007FF608E71000-memory.dmp

Filesize
90.3MB

Download
memory/2192-304-0x00007FF603430000-0x00007FF608E71000-memory.dmp

Filesize
90.3MB

Download
memory/2192-307-0x00007FF603430000-0x00007FF608E71000-memory.dmp

Filesize
90.3MB

Download
memory/2192-309-0x00007FF603430000-0x00007FF608E71000-memory.dmp

Filesize
90.3MB

Download
memory/2192-153-0x00007FF603430000-0x00007FF608E71000-memory.dmp

Filesize
90.3MB

Download
memory/2192-166-0x00007FF603430000-0x00007FF608E71000-memory.dmp

Filesize
90.3MB

Download
memory/2192-172-0x00007FF603430000-0x00007FF608E71000-memory.dmp

Filesize
90.3MB

Download
memory/2192-174-0x00007FF603430000-0x00007FF608E71000-memory.dmp

Filesize
90.3MB

Download
memory/2192-176-0x00007FF603430000-0x00007FF608E71000-memory.dmp

Filesize
90.3MB

Download
memory/2192-178-0x00007FF603430000-0x00007FF608E71000-memory.dmp

Filesize
90.3MB

Download
memory/2192-180-0x00007FF603430000-0x00007FF608E71000-memory.dmp

Filesize
90.3MB

Download
memory/2192-182-0x00007FF603430000-0x00007FF608E71000-memory.dmp

Filesize
90.3MB

Download
memory/2192-264-0x00007FF603430000-0x00007FF608E71000-memory.dmp

Filesize
90.3MB

Download
memory/2192-266-0x00007FF603430000-0x00007FF608E71000-memory.dmp

Filesize
90.3MB

Download
memory/2192-337-0x00007FF603430000-0x00007FF608E71000-memory.dmp

Filesize
90.3MB

Download
memory/2192-325-0x00007FF603430000-0x00007FF608E71000-memory.dmp

Filesize
90.3MB

Download
memory/2192-327-0x00007FF603430000-0x00007FF608E71000-memory.dmp

Filesize
90.3MB

Download
memory/2192-329-0x00007FF603430000-0x00007FF608E71000-memory.dmp

Filesize
90.3MB

Download
memory/2192-331-0x00007FF603430000-0x00007FF608E71000-memory.dmp

Filesize
90.3MB

Download
memory/2192-333-0x00007FF603430000-0x00007FF608E71000-memory.dmp

Filesize
90.3MB

Download
memory/2192-335-0x00007FF603430000-0x00007FF608E71000-memory.dmp

Filesize
90.3MB

Download
memory/3228-152-0x00007FF7DBCA0000-0x00007FF7DE350000-memory.dmp

Filesize
38.7MB

Download
memory/3476-323-0x000001E80A160000-0x000001E80A161000-memory.dmp

Filesize
4KB

Download
memory/3476-313-0x000001E80A160000-0x000001E80A161000-memory.dmp

Filesize
4KB

Download
memory/3476-317-0x000001E80A160000-0x000001E80A161000-memory.dmp

Filesize
4KB

Download
memory/3476-322-0x000001E80A160000-0x000001E80A161000-memory.dmp

Filesize
4KB

Download
memory/3476-318-0x000001E80A160000-0x000001E80A161000-memory.dmp

Filesize
4KB

Download
memory/3476-311-0x000001E80A160000-0x000001E80A161000-memory.dmp

Filesize
4KB

Download
memory/3476-320-0x000001E80A160000-0x000001E80A161000-memory.dmp

Filesize
4KB

Download
memory/3476-319-0x000001E80A160000-0x000001E80A161000-memory.dmp

Filesize
4KB

Download
memory/3476-312-0x000001E80A160000-0x000001E80A161000-memory.dmp

Filesize
4KB

Download
memory/3476-321-0x000001E80A160000-0x000001E80A161000-memory.dmp

Filesize
4KB

Download
memory/4188-217-0x00007FF7B7860000-0x00007FF7BD2A1000-memory.dmp

Filesize
90.3MB

Download
memory/4836-302-0x00007FF7DBCA0000-0x00007FF7DE350000-memory.dmp

Filesize
38.7MB

Download
memory/4848-310-0x00007FF603430000-0x00007FF608E71000-memory.dmp

Filesize
90.3MB

Download
memory/4888-297-0x00007FF7B5180000-0x00007FF7BABC1000-memory.dmp

Filesize
90.3MB

Download
memory/5260-147-0x0000029ADE4B0000-0x0000029ADE4D2000-memory.dmp

Filesize
136KB

Download
memory/5520-257-0x00007FF7CBCE0000-0x00007FF7D1721000-memory.dmp

Filesize
90.3MB

Download
memory/5808-262-0x00007FF7DBCA0000-0x00007FF7DE350000-memory.dmp

Filesize
38.7MB

Download