exelastealer | hxxps://github[.]com/Azizishot/Shrek-tools

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 16:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Azizishot/Shrek-tools

Score

10^/10

exelastealer defense_evasion evasion persistence privilege_escalation stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

4352 netsh.exe
740 netsh.exe

pid	process
4352	netsh.exe
740	netsh.exe

Drops startup file 2 IoCs

Processes:

pyinsatller.exeattrib.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Security.exe	pyinsatller.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Security.exe	attrib.exe

Loads dropped DLL 31 IoCs

Processes:

pyinsatller.exe

pid	process
3400	pyinsatller.exe
3400	pyinsatller.exe
3400	pyinsatller.exe
3400	pyinsatller.exe
3400	pyinsatller.exe
3400	pyinsatller.exe
3400	pyinsatller.exe
3400	pyinsatller.exe
3400	pyinsatller.exe
3400	pyinsatller.exe
3400	pyinsatller.exe
3400	pyinsatller.exe
3400	pyinsatller.exe
3400	pyinsatller.exe
3400	pyinsatller.exe
3400	pyinsatller.exe
3400	pyinsatller.exe
3400	pyinsatller.exe
3400	pyinsatller.exe
3400	pyinsatller.exe
3400	pyinsatller.exe
3400	pyinsatller.exe
3400	pyinsatller.exe
3400	pyinsatller.exe
3400	pyinsatller.exe
3400	pyinsatller.exe
3400	pyinsatller.exe
3400	pyinsatller.exe
3400	pyinsatller.exe
3400	pyinsatller.exe
3400	pyinsatller.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI13522\python311.dll	upx
behavioral1/memory/3400-52-0x00007FF842070000-0x00007FF842658000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI13522\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI13522\_uuid.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI13522\_ssl.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI13522\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI13522\_sqlite3.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI13522\sqlite3.dll	upx
behavioral1/memory/3400-94-0x00007FF841E40000-0x00007FF841FB3000-memory.dmp	upx
behavioral1/memory/3400-93-0x00007FF841FC0000-0x00007FF841FE3000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI13522\libssl-1_1.dll	upx
behavioral1/memory/3400-102-0x00007FF8419D0000-0x00007FF841D45000-memory.dmp	upx
behavioral1/memory/3400-100-0x00007FF841D50000-0x00007FF841E08000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI13522\libcrypto-1_1.dll	upx
behavioral1/memory/3400-96-0x00007FF841E10000-0x00007FF841E3E000-memory.dmp	upx
behavioral1/memory/3400-92-0x00007FF841FF0000-0x00007FF84201D000-memory.dmp	upx
behavioral1/memory/3400-88-0x00007FF842020000-0x00007FF842039000-memory.dmp	upx
behavioral1/memory/3400-87-0x00007FF852E80000-0x00007FF852E8D000-memory.dmp	upx
behavioral1/memory/3400-86-0x00007FF84EC40000-0x00007FF84EC59000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI13522\select.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI13522\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI13522\_overlapped.pyd	upx
behavioral1/memory/3400-111-0x00007FF841950000-0x00007FF841964000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI13522\unicodedata.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI13522\_brotli.cp311-win_amd64.pyd	upx
behavioral1/memory/3400-121-0x00007FF841730000-0x00007FF8417FF000-memory.dmp	upx
behavioral1/memory/3400-120-0x00007FF84EC40000-0x00007FF84EC59000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI13522\cryptography\hazmat\bindings\_rust.pyd	upx
behavioral1/memory/3400-125-0x00007FF852880000-0x00007FF85288A000-memory.dmp	upx
behavioral1/memory/3400-129-0x00007FF841D50000-0x00007FF841E08000-memory.dmp	upx
behavioral1/memory/3400-128-0x00007FF841E10000-0x00007FF841E3E000-memory.dmp	upx
behavioral1/memory/3400-130-0x00007FF841030000-0x00007FF841724000-memory.dmp	upx
behavioral1/memory/3400-124-0x00007FF841E40000-0x00007FF841FB3000-memory.dmp	upx
behavioral1/memory/3400-123-0x00007FF841FC0000-0x00007FF841FE3000-memory.dmp	upx
behavioral1/memory/3400-118-0x00007FF842040000-0x00007FF842064000-memory.dmp	upx
behavioral1/memory/3400-117-0x00007FF841800000-0x00007FF841822000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI13522\_cffi_backend.cp311-win_amd64.pyd	upx
behavioral1/memory/3400-116-0x00007FF841830000-0x00007FF84194C000-memory.dmp	upx
behavioral1/memory/3400-115-0x00007FF842070000-0x00007FF842658000-memory.dmp	upx
behavioral1/memory/3400-133-0x00007FF840FF0000-0x00007FF841028000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI13522\yarl\_quoting_c.cp311-win_amd64.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI13522\zstandard\backend_c.cp311-win_amd64.pyd	upx
behavioral1/memory/3400-150-0x00007FF840F10000-0x00007FF840F36000-memory.dmp	upx
behavioral1/memory/3400-149-0x00007FF84BD20000-0x00007FF84BD2B000-memory.dmp	upx
behavioral1/memory/3400-148-0x00007FF841950000-0x00007FF841964000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI13522\charset_normalizer\md__mypyc.cp311-win_amd64.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI13522\charset_normalizer\md.cp311-win_amd64.pyd	upx
behavioral1/memory/3400-143-0x00007FF84C480000-0x00007FF84C48D000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI13522\_queue.pyd	upx
behavioral1/memory/3400-139-0x00007FF840FD0000-0x00007FF840FE8000-memory.dmp	upx
behavioral1/memory/3400-141-0x00007FF8419B0000-0x00007FF8419C5000-memory.dmp	upx
behavioral1/memory/3400-140-0x00007FF840F40000-0x00007FF840FC7000-memory.dmp	upx
behavioral1/memory/3400-138-0x00007FF8419D0000-0x00007FF841D45000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI13522\psutil\_psutil_windows.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI13522\_hashlib.pyd	upx
behavioral1/memory/3400-109-0x00007FF841970000-0x00007FF841984000-memory.dmp	upx
behavioral1/memory/3400-108-0x00007FF841990000-0x00007FF8419A2000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI13522\multidict\_multidict.cp311-win_amd64.pyd	upx
behavioral1/memory/3400-104-0x00007FF8419B0000-0x00007FF8419C5000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI13522\_asyncio.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI13522\_multiprocessing.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI13522\_decimal.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI13522\pyexpat.pyd	upx
behavioral1/memory/3400-62-0x00007FF8535B0000-0x00007FF8535BF000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 27 IoCs

Web Service

T1102

Processes:

flow	ioc
230	camo.githubusercontent.com
54	camo.githubusercontent.com
96	raw.githubusercontent.com
173	discord.com
227	camo.githubusercontent.com
228	camo.githubusercontent.com
49	camo.githubusercontent.com
229	camo.githubusercontent.com
52	camo.githubusercontent.com
157	discord.com
172	discord.com
95	raw.githubusercontent.com
233	camo.githubusercontent.com
231	camo.githubusercontent.com
232	camo.githubusercontent.com
53	camo.githubusercontent.com
56	camo.githubusercontent.com
156	discord.com
171	discord.com
175	discord.com
50	camo.githubusercontent.com
51	camo.githubusercontent.com
55	camo.githubusercontent.com
94	raw.githubusercontent.com
158	discord.com
159	discord.com
174	discord.com

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

146 ip-api.com
Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
defense_evasion

Hidden Files and Directories
T1564.001

Processes:

cmd.exe

pid process

3892 cmd.exe
Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

4336 sc.exe

flow	ioc
146	ip-api.com

pid	process
3892	cmd.exe

pid	process
4336	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Collects information from the system 1 TTPs 1 IoCs
Uses WMIC.exe to find detailed system information.

Data from Local System
T1005

Processes:

WMIC.exe

pid process

4856 WMIC.exe
Enumerates processes with tasklist 1 TTPs 3 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exe

pid process

3736 tasklist.exe
2388 tasklist.exe
3892 tasklist.exe

pid	process
4856	WMIC.exe

pid	process
3736	tasklist.exe
2388	tasklist.exe
3892	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

NETSTAT.EXEipconfig.exe

pid process

3628 NETSTAT.EXE
2080 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

5088 systeminfo.exe

pid	process
3628	NETSTAT.EXE
2080	ipconfig.exe

pid	process
5088	systeminfo.exe

Kills process with taskkill 12 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
660	taskkill.exe
4924	taskkill.exe
4640	taskkill.exe
1248	taskkill.exe
1672	taskkill.exe
888	taskkill.exe
2072	taskkill.exe
4484	taskkill.exe
2512	taskkill.exe
4332	taskkill.exe
5116	taskkill.exe
820	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133643251388910499"	chrome.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

pyinsatller.exepowershell.exechrome.exe

pid process

3400 pyinsatller.exe
3400 pyinsatller.exe
3400 pyinsatller.exe
3400 pyinsatller.exe
3096 powershell.exe
3096 powershell.exe
3096 powershell.exe
2700 chrome.exe
2700 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

2700 chrome.exe
2700 chrome.exe
2700 chrome.exe
2700 chrome.exe
2700 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

pyinsatller.exetasklist.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetasklist.exepowershell.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3400	pyinsatller.exe
Token: SeDebugPrivilege	3736	tasklist.exe
Token: SeDebugPrivilege	1248	taskkill.exe
Token: SeDebugPrivilege	4640	taskkill.exe
Token: SeDebugPrivilege	1672	taskkill.exe
Token: SeDebugPrivilege	2512	taskkill.exe
Token: SeDebugPrivilege	4332	taskkill.exe
Token: SeDebugPrivilege	888	taskkill.exe
Token: SeDebugPrivilege	2072	taskkill.exe
Token: SeDebugPrivilege	4484	taskkill.exe
Token: SeDebugPrivilege	5116	taskkill.exe
Token: SeDebugPrivilege	660	taskkill.exe
Token: SeDebugPrivilege	820	taskkill.exe
Token: SeDebugPrivilege	4924	taskkill.exe
Token: SeDebugPrivilege	2388	tasklist.exe
Token: SeDebugPrivilege	3096	powershell.exe
Token: SeIncreaseQuotaPrivilege	4856	WMIC.exe
Token: SeSecurityPrivilege	4856	WMIC.exe
Token: SeTakeOwnershipPrivilege	4856	WMIC.exe
Token: SeLoadDriverPrivilege	4856	WMIC.exe
Token: SeSystemProfilePrivilege	4856	WMIC.exe
Token: SeSystemtimePrivilege	4856	WMIC.exe
Token: SeProfSingleProcessPrivilege	4856	WMIC.exe
Token: SeIncBasePriorityPrivilege	4856	WMIC.exe
Token: SeCreatePagefilePrivilege	4856	WMIC.exe
Token: SeBackupPrivilege	4856	WMIC.exe
Token: SeRestorePrivilege	4856	WMIC.exe
Token: SeShutdownPrivilege	4856	WMIC.exe
Token: SeDebugPrivilege	4856	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4856	WMIC.exe
Token: SeRemoteShutdownPrivilege	4856	WMIC.exe
Token: SeUndockPrivilege	4856	WMIC.exe
Token: SeManageVolumePrivilege	4856	WMIC.exe
Token: 33	4856	WMIC.exe
Token: 34	4856	WMIC.exe
Token: 35	4856	WMIC.exe
Token: 36	4856	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4856	WMIC.exe
Token: SeSecurityPrivilege	4856	WMIC.exe
Token: SeTakeOwnershipPrivilege	4856	WMIC.exe
Token: SeLoadDriverPrivilege	4856	WMIC.exe
Token: SeSystemProfilePrivilege	4856	WMIC.exe
Token: SeSystemtimePrivilege	4856	WMIC.exe
Token: SeProfSingleProcessPrivilege	4856	WMIC.exe
Token: SeIncBasePriorityPrivilege	4856	WMIC.exe
Token: SeCreatePagefilePrivilege	4856	WMIC.exe
Token: SeBackupPrivilege	4856	WMIC.exe
Token: SeRestorePrivilege	4856	WMIC.exe
Token: SeShutdownPrivilege	4856	WMIC.exe
Token: SeDebugPrivilege	4856	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4856	WMIC.exe
Token: SeRemoteShutdownPrivilege	4856	WMIC.exe
Token: SeUndockPrivilege	4856	WMIC.exe
Token: SeManageVolumePrivilege	4856	WMIC.exe
Token: 33	4856	WMIC.exe
Token: 34	4856	WMIC.exe
Token: 35	4856	WMIC.exe
Token: 36	4856	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2552	WMIC.exe
Token: SeSecurityPrivilege	2552	WMIC.exe
Token: SeTakeOwnershipPrivilege	2552	WMIC.exe
Token: SeLoadDriverPrivilege	2552	WMIC.exe
Token: SeSystemProfilePrivilege	2552	WMIC.exe
Token: SeSystemtimePrivilege	2552	WMIC.exe

Suspicious use of FindShellTrayWindow 62 IoCs

Processes:

chrome.exe

pid	process
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe
2700	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

pyinsatller.exepyinsatller.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1352 wrote to memory of 3400	1352	pyinsatller.exe	pyinsatller.exe
PID 1352 wrote to memory of 3400	1352	pyinsatller.exe	pyinsatller.exe
PID 3400 wrote to memory of 3892	3400	pyinsatller.exe	tasklist.exe
PID 3400 wrote to memory of 3892	3400	pyinsatller.exe	tasklist.exe
PID 3892 wrote to memory of 688	3892	cmd.exe	attrib.exe
PID 3892 wrote to memory of 688	3892	cmd.exe	attrib.exe
PID 3400 wrote to memory of 4648	3400	pyinsatller.exe	cmd.exe
PID 3400 wrote to memory of 4648	3400	pyinsatller.exe	cmd.exe
PID 4648 wrote to memory of 3736	4648	cmd.exe	tasklist.exe
PID 4648 wrote to memory of 3736	4648	cmd.exe	tasklist.exe
PID 3400 wrote to memory of 4692	3400	pyinsatller.exe	cmd.exe
PID 3400 wrote to memory of 4692	3400	pyinsatller.exe	cmd.exe
PID 4692 wrote to memory of 1248	4692	cmd.exe	taskkill.exe
PID 4692 wrote to memory of 1248	4692	cmd.exe	taskkill.exe
PID 3400 wrote to memory of 396	3400	pyinsatller.exe	cmd.exe
PID 3400 wrote to memory of 396	3400	pyinsatller.exe	cmd.exe
PID 396 wrote to memory of 4640	396	cmd.exe	net.exe
PID 396 wrote to memory of 4640	396	cmd.exe	net.exe
PID 3400 wrote to memory of 2388	3400	pyinsatller.exe	cmd.exe
PID 3400 wrote to memory of 2388	3400	pyinsatller.exe	cmd.exe
PID 2388 wrote to memory of 1672	2388	cmd.exe	taskkill.exe
PID 2388 wrote to memory of 1672	2388	cmd.exe	taskkill.exe
PID 3400 wrote to memory of 2224	3400	pyinsatller.exe	cmd.exe
PID 3400 wrote to memory of 2224	3400	pyinsatller.exe	cmd.exe
PID 2224 wrote to memory of 2512	2224	cmd.exe	taskkill.exe
PID 2224 wrote to memory of 2512	2224	cmd.exe	taskkill.exe
PID 3400 wrote to memory of 3668	3400	pyinsatller.exe	cmd.exe
PID 3400 wrote to memory of 3668	3400	pyinsatller.exe	cmd.exe
PID 3668 wrote to memory of 4332	3668	cmd.exe	taskkill.exe
PID 3668 wrote to memory of 4332	3668	cmd.exe	taskkill.exe
PID 3400 wrote to memory of 4884	3400	pyinsatller.exe	cmd.exe
PID 3400 wrote to memory of 4884	3400	pyinsatller.exe	cmd.exe
PID 4884 wrote to memory of 888	4884	cmd.exe	taskkill.exe
PID 4884 wrote to memory of 888	4884	cmd.exe	taskkill.exe
PID 3400 wrote to memory of 3420	3400	pyinsatller.exe	cmd.exe
PID 3400 wrote to memory of 3420	3400	pyinsatller.exe	cmd.exe
PID 3420 wrote to memory of 2072	3420	cmd.exe	taskkill.exe
PID 3420 wrote to memory of 2072	3420	cmd.exe	taskkill.exe
PID 3400 wrote to memory of 3944	3400	pyinsatller.exe	cmd.exe
PID 3400 wrote to memory of 3944	3400	pyinsatller.exe	cmd.exe
PID 3944 wrote to memory of 4484	3944	cmd.exe	wmiprvse.exe
PID 3944 wrote to memory of 4484	3944	cmd.exe	wmiprvse.exe
PID 3400 wrote to memory of 3416	3400	pyinsatller.exe	net.exe
PID 3400 wrote to memory of 3416	3400	pyinsatller.exe	net.exe
PID 3416 wrote to memory of 5116	3416	cmd.exe	taskkill.exe
PID 3416 wrote to memory of 5116	3416	cmd.exe	taskkill.exe
PID 3400 wrote to memory of 444	3400	pyinsatller.exe	cmd.exe
PID 3400 wrote to memory of 444	3400	pyinsatller.exe	cmd.exe
PID 444 wrote to memory of 660	444	cmd.exe	taskkill.exe
PID 444 wrote to memory of 660	444	cmd.exe	taskkill.exe
PID 3400 wrote to memory of 1076	3400	pyinsatller.exe	cmd.exe
PID 3400 wrote to memory of 1076	3400	pyinsatller.exe	cmd.exe
PID 1076 wrote to memory of 820	1076	cmd.exe	taskkill.exe
PID 1076 wrote to memory of 820	1076	cmd.exe	taskkill.exe
PID 3400 wrote to memory of 1224	3400	pyinsatller.exe	cmd.exe
PID 3400 wrote to memory of 1224	3400	pyinsatller.exe	cmd.exe
PID 1224 wrote to memory of 4924	1224	cmd.exe	taskkill.exe
PID 1224 wrote to memory of 4924	1224	cmd.exe	taskkill.exe
PID 3400 wrote to memory of 4436	3400	pyinsatller.exe	cmd.exe
PID 3400 wrote to memory of 4436	3400	pyinsatller.exe	cmd.exe
PID 3400 wrote to memory of 4444	3400	pyinsatller.exe	cmd.exe
PID 3400 wrote to memory of 4444	3400	pyinsatller.exe	cmd.exe
PID 3400 wrote to memory of 1080	3400	pyinsatller.exe	cmd.exe
PID 3400 wrote to memory of 1080	3400	pyinsatller.exe	cmd.exe

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

688 attrib.exe

pid	process
688	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/Azizishot/Shrek-tools
1⤵
PID:3324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4904,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=4048 /prefetch:1
1⤵
PID:4992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --field-trial-handle=4900,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=5052 /prefetch:1
1⤵
PID:2232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4008,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=5320 /prefetch:1
1⤵
PID:3548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=5448,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=5464 /prefetch:8
1⤵
PID:3460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5468,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=5532 /prefetch:8
1⤵
PID:4188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5952,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=5996 /prefetch:1
1⤵
PID:1172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6028,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=6132 /prefetch:8
1⤵
PID:3660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --no-appcompat-clear --field-trial-handle=6420,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=6484 /prefetch:8
1⤵
PID:2472

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=5944,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=6632 /prefetch:1
1⤵
PID:4412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6928,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=6956 /prefetch:8
1⤵
PID:2796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=7120,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=7116 /prefetch:8
1⤵
PID:4372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --field-trial-handle=6868,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=6968 /prefetch:1
1⤵
PID:4356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --field-trial-handle=6792,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=6964 /prefetch:1
1⤵
PID:4532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=6540,i,13879737908471496610,15335851594401413307,262144 --variations-seed-version --mojo-platform-channel-handle=7340 /prefetch:8
1⤵
PID:1576

C:\Users\Admin\Downloads\pyinsatller.exe
"C:\Users\Admin\Downloads\pyinsatller.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1352

C:\Users\Admin\Downloads\pyinsatller.exe
"C:\Users\Admin\Downloads\pyinsatller.exe"
2⤵
- Drops startup file
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Security.exe""
3⤵
- Hide Artifacts: Hidden Files and Directories
- Suspicious use of WriteProcessMemory
PID:3892

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Security.exe"
4⤵
- Drops startup file
- Views/modifies file attributes
PID:688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
3⤵
- Suspicious use of WriteProcessMemory
PID:4648

C:\Windows\system32\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5096"
3⤵
- Suspicious use of WriteProcessMemory
PID:4692

C:\Windows\system32\taskkill.exe
taskkill /F /PID 5096
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4000"
3⤵
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\system32\taskkill.exe
taskkill /F /PID 4000
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1884"
3⤵
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\system32\taskkill.exe
taskkill /F /PID 1884
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4756"
3⤵
- Suspicious use of WriteProcessMemory
PID:2224

C:\Windows\system32\taskkill.exe
taskkill /F /PID 4756
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4512"
3⤵
- Suspicious use of WriteProcessMemory
PID:3668

C:\Windows\system32\taskkill.exe
taskkill /F /PID 4512
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2232"
3⤵
- Suspicious use of WriteProcessMemory
PID:4884

C:\Windows\system32\taskkill.exe
taskkill /F /PID 2232
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:888

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3548"
3⤵
- Suspicious use of WriteProcessMemory
PID:3420

C:\Windows\system32\taskkill.exe
taskkill /F /PID 3548
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3460"
3⤵
- Suspicious use of WriteProcessMemory
PID:3944

C:\Windows\system32\taskkill.exe
taskkill /F /PID 3460
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4188"
3⤵
- Suspicious use of WriteProcessMemory
PID:3416

C:\Windows\system32\taskkill.exe
taskkill /F /PID 4188
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2472"
3⤵
- Suspicious use of WriteProcessMemory
PID:444

C:\Windows\system32\taskkill.exe
taskkill /F /PID 2472
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4356"
3⤵
- Suspicious use of WriteProcessMemory
PID:1076

C:\Windows\system32\taskkill.exe
taskkill /F /PID 4356
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4532"
3⤵
- Suspicious use of WriteProcessMemory
PID:1224

C:\Windows\system32\taskkill.exe
taskkill /F /PID 4532
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
3⤵
PID:4436

C:\Windows\system32\cmd.exe
cmd.exe /c chcp
4⤵
PID:4420

C:\Windows\system32\chcp.com
chcp
5⤵
PID:3184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
3⤵
PID:4444

C:\Windows\system32\cmd.exe
cmd.exe /c chcp
4⤵
PID:1668

C:\Windows\system32\chcp.com
chcp
5⤵
PID:3852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:1080

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
3⤵
PID:1864

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Clipboard
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
3⤵
PID:2164

C:\Windows\system32\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:5088

C:\Windows\system32\HOSTNAME.EXE
hostname
4⤵
PID:2488

C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get caption,description,providername
4⤵
- Collects information from the system
- Suspicious use of AdjustPrivilegeToken
PID:4856

C:\Windows\system32\net.exe
net user
4⤵
PID:3416

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
5⤵
PID:2076

C:\Windows\system32\query.exe
query user
4⤵
PID:3780

C:\Windows\system32\quser.exe
"C:\Windows\system32\quser.exe"
5⤵
PID:2752

C:\Windows\system32\net.exe
net localgroup
4⤵
PID:3292

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
5⤵
PID:1500

C:\Windows\system32\net.exe
net localgroup administrators
4⤵
PID:1144

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
5⤵
PID:436

C:\Windows\system32\net.exe
net user guest
4⤵
PID:4640

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user guest
5⤵
PID:2376

C:\Windows\system32\net.exe
net user administrator
4⤵
PID:2568

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator
5⤵
PID:3784

C:\Windows\System32\Wbem\WMIC.exe
wmic startup get caption,command
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2552

C:\Windows\system32\tasklist.exe
tasklist /svc
4⤵
- Enumerates processes with tasklist
PID:3892

C:\Windows\system32\ipconfig.exe
ipconfig /all
4⤵
- Gathers network information
PID:2080

C:\Windows\system32\ROUTE.EXE
route print
4⤵
PID:3752

C:\Windows\system32\ARP.EXE
arp -a
4⤵
PID:508

C:\Windows\system32\NETSTAT.EXE
netstat -ano
4⤵
- Gathers network information
PID:3628

C:\Windows\system32\sc.exe
sc query type= service state= all
4⤵
- Launches sc.exe
PID:4336

C:\Windows\system32\netsh.exe
netsh firewall show state
4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:4352

C:\Windows\system32\netsh.exe
netsh firewall show config
4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
PID:740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
3⤵
PID:1676

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
- Event Triggered Execution: Netsh Helper DLL
PID:4004

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
3⤵
PID:4836

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
4⤵
PID:3988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
3⤵
PID:4436

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
4⤵
PID:2052

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4484

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff85373ab58,0x7ff85373ab68,0x7ff85373ab78
2⤵
PID:2844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=2004,i,12505766972047305161,10207841828422262493,131072 /prefetch:2
2⤵
PID:664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 --field-trial-handle=2004,i,12505766972047305161,10207841828422262493,131072 /prefetch:8
2⤵
PID:4672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2216 --field-trial-handle=2004,i,12505766972047305161,10207841828422262493,131072 /prefetch:8
2⤵
PID:1008

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3076 --field-trial-handle=2004,i,12505766972047305161,10207841828422262493,131072 /prefetch:1
2⤵
PID:2512

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=2004,i,12505766972047305161,10207841828422262493,131072 /prefetch:1
2⤵
PID:3920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3628 --field-trial-handle=2004,i,12505766972047305161,10207841828422262493,131072 /prefetch:1
2⤵
PID:3756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4348 --field-trial-handle=2004,i,12505766972047305161,10207841828422262493,131072 /prefetch:8
2⤵
PID:2552

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4636 --field-trial-handle=2004,i,12505766972047305161,10207841828422262493,131072 /prefetch:8
2⤵
PID:1868

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4484 --field-trial-handle=2004,i,12505766972047305161,10207841828422262493,131072 /prefetch:8
2⤵
PID:1656

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4568 --field-trial-handle=2004,i,12505766972047305161,10207841828422262493,131072 /prefetch:8
2⤵
PID:4172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4876 --field-trial-handle=2004,i,12505766972047305161,10207841828422262493,131072 /prefetch:8
2⤵
PID:3576

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4772 --field-trial-handle=2004,i,12505766972047305161,10207841828422262493,131072 /prefetch:8
2⤵
PID:4164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4484 --field-trial-handle=2004,i,12505766972047305161,10207841828422262493,131072 /prefetch:8
2⤵
PID:4980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5092 --field-trial-handle=2004,i,12505766972047305161,10207841828422262493,131072 /prefetch:8
2⤵
PID:760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5256 --field-trial-handle=2004,i,12505766972047305161,10207841828422262493,131072 /prefetch:8
2⤵
PID:1144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5188 --field-trial-handle=2004,i,12505766972047305161,10207841828422262493,131072 /prefetch:1
2⤵
PID:3144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=5308 --field-trial-handle=2004,i,12505766972047305161,10207841828422262493,131072 /prefetch:1
2⤵
PID:4408

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5288 --field-trial-handle=2004,i,12505766972047305161,10207841828422262493,131072 /prefetch:8
2⤵
PID:2180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 --field-trial-handle=2004,i,12505766972047305161,10207841828422262493,131072 /prefetch:8
2⤵
PID:4212

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1148

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\179c381c-a47c-4174-8f45-9f5253873472.tmp
Filesize
16KB

MD5
db9276fccf1323ebef72e0e1694988c3

SHA1
a1a6257202391290561c94866f1542970d287f1c

SHA256
1fb2451ba3269f76ef446f6714b3e85dc0faebbc1bba2f7d4bd5ef989f5e3c43

SHA512
c153b72e5d7e7aa900416a035502df519d3c0976c4c6754342f0e257c5aec736787e14df5005de3efdcf621615535590d34cee7f3fc0be2b818ec3f3e2a9ed4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
1KB

MD5
39b4c363a6d5ec7770239ec04153ac9f

SHA1
da3f50875958961672f631ba4558ff7b57cf1761

SHA256
268010a76b89447c37b99cde5385151bb14f880e47494b91ff5e30489575db6f

SHA512
a593d54ee1d7f2d870df71d39cf31e00f1056c364632aca95b5549c83f01d29c28f9549a6f0ca6c9514f00a59a6a34798fc2bf83cf8401d1017cd3b2c5a39141

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.78.1_0\_locales\en_CA\messages.json
Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.78.1_0\dasherSettingSchema.json
Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
6e12f86885083cff34e90c6bcfea738c

SHA1
9244729e6af24e75caf6ca61c47a06fa827c8f65

SHA256
b5d3226e78b15096110fd9deebfb8e7502797a95092524a20f4f6e0a426434e2

SHA512
806a89e46073c788510519cb6e9e9087d0f3ad5d15e1973d08d426a349fba188ec07d21a9a24318c2aea53ec2f9dd399fa585322547966d1815451438f21f52a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
a966ee180934747b001b152494257bd8

SHA1
0077e623f30a0ca20dbc4cc61c9c63a2f23455a4

SHA256
700d7a0436b5e467349d680b40652aed9b7ec549b43c7f8bd33dc77216d33be5

SHA512
b2f51b5aae6f514a90aadfe1ca6018aa79c589908c2e233a76bcb2bedb3d12ba15baa7573c8aadf3f43091873be2a122675ca3dd8606d5dbba1b451fe1cd9186

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
1KB

MD5
de2392c93b8ff82a442a42d18bee7e26

SHA1
2771161cc66b3983f86bb429f390320f672354f1

SHA256
fe60b3feeb5a80b621119fbc4aa8254f1cbb6110936444520d30c8195b86b1ed

SHA512
add5916d8264a035100cee5aa242cdfdb80eed650e31a91d70bc2ff41877ed85cb79fb186e742723ceda302b69ccbcfd642d95be705001ce3bb0965da883497c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
575426665d21e40c1b86e6b58715ec0a

SHA1
fa52169af10d617867b7addad44db97f7a7e5700

SHA256
a3dfc313ff08a172e14c338597d3b259954dd7be60d5edd9c812b3924b18bbc1

SHA512
c171d65474d0f64b94a33bcb55fc41389c02131163bad615fd6f0d50192bf862e3c646ba3e7cf4e9133f5882e0de57ef287afa381ca9ddf3e280e2d3983a6ab3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
d0d52220a2eb385449c3b9b7b8f1b9ed

SHA1
32b4ed34ace78c21f5d5c9241ca05bd10d4d9307

SHA256
a31c6d1867db2e306e1680012c2f24455938aee162987dd53d0cc3dc3bc9a243

SHA512
c7c6225bd62d50c93294e316a63ae4ce367e045700fd19c4d49b2b1ef90642a2e8d3b1097de012a60bfdf48a7bc714ca8ae2eb99f63a8cf612de75195f065d13

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
788e76793916a553d4e548ad8600ac8e

SHA1
d5b9c9ab815c4feea4dc8b6da0502dd5dfca317c

SHA256
3b282654c394f621ddeddcf7225f820637fc88fcb311d5b9557aeccef3b3ca81

SHA512
177fe6490b73bed5035d4e00279a295c33c3e32ab270308f039b89c82e52ed73ae8c38dff7f94c731a2da6ed4e9572c3ed7af794ea0073a95e606d44226570da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
2c43cab8476ea32534e85bf43f1f37b7

SHA1
f6c96d83b7d1b6b063a5175a1a33ef7fd230eadf

SHA256
1d738f7331064660d018aac5a15c9435a3265fedb74f4773f4127498773e6203

SHA512
8daa5885f821ba1ab969e7896e184e64acb1ff78b086ce647aec2849f23f3237aaae41043fd1bfe8c4258cb70448fd0e44c6f4d957070fa08bd139b9215ba895

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe59b210.TMP
Filesize
72B

MD5
3c2f41f0626a4ef3abc95687c9299a84

SHA1
af6c97da6d03b444c53e83d79eeccd6d1b1956b4

SHA256
faa25ba7746bfab8eede260761a90c752e6d7423b53c7b965d180914de35610b

SHA512
e11abb38f757576c9c0deaf56cfd9c32912178cf42312415474ce785c39497e4f64406c37da1866c179f24590b80bb55a2a6b91fc39bde2e61fa21f68b45f5c4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
269KB

MD5
05b677ad01a40684d1064d1e60d0dbe5

SHA1
ea01f1594db8992eea1ac073ca363849a56c538f

SHA256
0c494b0b76ee1ae7bc45ff92a8535c77d600685e82f787c0faedbfa1f58555a9

SHA512
45cd171fe315dfdb76ef291420e53c91dd10535024ff4260501f33291585374dd671e9eeb847d0e7c80c89c0586b74e2eaec6ee63be7e552d6591067bc975a67

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
94KB

MD5
3c4df2ba7941be2a2cecbede86e0ad28

SHA1
fb4da1f2fdd6dcd93601f97be8062319e0a9f111

SHA256
279066c16bed1cd3c52424cdd29ad85b5e8c2919c22400abade209f286f32e01

SHA512
c4bc38439731fc570c61bfc60011c64e5b30df3ff5a8c4261b8b5accf37805893133b577adbf4d6b99085e4c0171fe6224888d88ed04a71f2ec513de04b5b635

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe59c50b.TMP
Filesize
88KB

MD5
b29eeb4109bc6b9ca43e2240f2d2707b

SHA1
01b63f57ff36ca570a21ec038184af5b2a5a7922

SHA256
c7ac1e7a9b61c60f1383500d97dde612d01433386e885f4708624a88ad4f57f6

SHA512
ec6fd270d184b296a5c1839fa9ab63ce63c73c0a5ad965d26b2cf7d2c2b63ec90f5cfb56df637dac1c218af814aa004b99265c5af0c35207c7133157e3ee6416

Download Submit
C:\Users\Admin\AppData\Local\Temp\AZFILESTEALER\Desktop\BackupUnblock.ini
Filesize
506KB

MD5
2f9a327feba773dfd93cd4486c5258a2

SHA1
4f7e1f1f2f1fcd7a3c0283b3cfbc3bdf38ff8587

SHA256
4dec6de714111e0f297e7e471f95c7f9d45b94ef7e36d7c776c2f8fdf2d9c0c0

SHA512
88b2807afca6331bdb45beed8683861766a46a475eaafed782315c758329116b8bd13ef9fcadb05eb6a25d6694fdf02a3f67a04f0d8913d8ab98ed024406c7bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AZFILESTEALER\Desktop\HideReset.csv
Filesize
414KB

MD5
378f1465281b6807e3bcecf837c22b05

SHA1
7b8bd9d091014125407d96af56bf860527d9ffe5

SHA256
3bf87c7d0c41edec0677f1cebb103fd9437318ce52a26b1bfef2688c6398ae2c

SHA512
9e0c05fe6f2f192faee28c82585f7b9106f76e5deb398362d8d6e772c0080e53beb3827a6c8070ba7e08e9632a571a4fe9248a0c0955d9b91aa51a9501ac3d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\AZFILESTEALER\Desktop\UnblockTest.mp3
Filesize
276KB

MD5
81862936575022dc37f1bf8fd6cf324b

SHA1
bba3c0389a1e2c490974ea92d7e27782058eff99

SHA256
23081355b0e934466a0bb6fe98f66a5608764c5affc0db0d19f038fbd2b87463

SHA512
74b2bded6731f31cb652de0532ea5a1a7083a346e01c2656f4ff6ff3a412deedf283d7bb8647a84b645513471a8497e77e251b910fc895777cf8b9819083d4da

Download Submit
C:\Users\Admin\AppData\Local\Temp\AZFILESTEALER\Documents\Are.docx
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AZFILESTEALER\Documents\Files.docx
Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AZFILESTEALER\Documents\Opened.docx
Filesize
11KB

MD5
bfbc1a403197ac8cfc95638c2da2cf0e

SHA1
634658f4dd9747e87fa540f5ba47e218acfc8af2

SHA256
272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6

SHA512
b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AZFILESTEALER\Documents\ReceiveSync.doc
Filesize
1.0MB

MD5
0c24d21a1961618ae61f93102a3be6dc

SHA1
61d7c60490deb901bd304d1f85995091a0e765ba

SHA256
6e11e4180fca8e4529b62c45377fcd1f6f1289e2044d456b90f8c2062c003e07

SHA512
3713d6a189202f1637058321eec2248b30465acf46ff966bda8ef6ca4ced3e2b64316bc5d2e38ed7439eb52ee960fd88d47c9644f3f8e89ab22d22d8e54adb03

Download Submit
C:\Users\Admin\AppData\Local\Temp\AZFILESTEALER\Documents\Recently.docx
Filesize
11KB

MD5
3b068f508d40eb8258ff0b0592ca1f9c

SHA1
59ac025c3256e9c6c86165082974fe791ff9833a

SHA256
07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7

SHA512
e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32

Download Submit
C:\Users\Admin\AppData\Local\Temp\AZFILESTEALER\Documents\SelectBlock.xls
Filesize
750KB

MD5
4f858f7e236d4a55d9a038f72c68fdc3

SHA1
44ee862f7843d6cdcc5370e196b3e0325bdac206

SHA256
4147703c63aecbe1d4f93c690619997f105d536c504b69e815c0059aa9f1a806

SHA512
efd784d177e77ec61db9fde47fdb4e5ea4db5e500ed44006c330fd5b136cf84bde7b8fd5060865b6536deab76b306de39feee2a2cb4f4b9daf7b79d6be49b4dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\AZFILESTEALER\Documents\These.docx
Filesize
11KB

MD5
87cbab2a743fb7e0625cc332c9aac537

SHA1
50f858caa7f4ac3a93cf141a5d15b4edeb447ee7

SHA256
57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023

SHA512
6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\AZFILESTEALER\Downloads\BlockUnlock.xls
Filesize
640KB

MD5
b5f4a07612b9d07d6449d386eb81c44f

SHA1
e0d0fdc31272c58b4d703491a930bb927dca83d7

SHA256
7eecb46daf56219b0394cde69e5644fe7d6b871c2d07ec11af473d4413aab83f

SHA512
21c53d2c4a94d1ba504b0a9c289326e0b23f63d351f2765d2f8309f19006d5adc54a790f8fe292511d6592f81ae20fb3ad0ec6699cbc26fef6a1f8a14fa949da

Download Submit
C:\Users\Admin\AppData\Local\Temp\AZFILESTEALER\Downloads\DisableClear.jpg
Filesize
508KB

MD5
6eca85aeef30c02070d1b605e2811c7d

SHA1
0c90c92e313d8b6a38df39947c847882cc72ba98

SHA256
53540d31885ce84dfb8bbd106f673fb218951ad5fa2c93362c86841cb0ee46d1

SHA512
e20298ea041c13d73173cda0b37444e117ab68187ae0a06a47620c1895e2b36355af811c2f16df0fa2060939f81a12059c365416179403fb96b3f100738bc3b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\AZFILESTEALER\Downloads\DisconnectStart.png
Filesize
353KB

MD5
0e02029844228fd304c6316debfc5a88

SHA1
72d81e0f414a8c14029f610ef8cee3bca879189f

SHA256
a69f0ac6803a90245442dd90e9922b069a9952a995dadb67bc32a711d1074e34

SHA512
88c04e6d752b6f359201e775aee5afa699a0e769b88143874f2826456f51a079f904b71223e0a54d48f4c90a9194bb59ad96251d15e8c1033cde3b7f98782653

Download Submit
C:\Users\Admin\AppData\Local\Temp\AZFILESTEALER\Downloads\SplitHide.mp3
Filesize
269KB

MD5
1be970cd8466a7abf70dbfe7b6a6b09a

SHA1
bee7a402868a1b794575cce13f6f693b7d74aa97

SHA256
363d9392619d76db483788c22b74dbd32c9798d95baed7aa075f3dd01f7b7c3e

SHA512
2a11638a202e41d1b37994c3c2c46fb6ea66f921ec31d3a3e56de4cc370f86870f71d2e924fb0816ee5af93d8e416748d2b843ac22ec7b97987d93879d1fadd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AZFILESTEALER\Downloads\SplitUnlock.jpeg
Filesize
365KB

MD5
e2a33d4126e4cce9c8c53aaa96204cfc

SHA1
542da4c447df059ad16364fa4ff08c3e3e21baa8

SHA256
8a8b7c172856a231449f041dd23d45e80ea94449114ebbb698125821be20afc8

SHA512
06095595a8fd57f0ef9fd7853b069fa6ca64f82880a2b2abd59abeab1fbda1a3cb420adcc909209dd4a059496278c84a380969cb9f76d6d8e1923cfebc4a730e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AZFILESTEALER\Downloads\StartPing.docx
Filesize
317KB

MD5
87d174d7e85dcb231182a2bac6ac6849

SHA1
eab5435e2120bde83c829a3e0d0a8c95d0527be7

SHA256
75af27e2f3884296303273bd6a07a14e45df8115257667a0bd393bd0fe65c119

SHA512
bbfc35743daaa1859af9625d30936a3e9ce74ea1d3bd256740b9d8e0b6f7128846680ab0c475aacbda6b3b512378e8877d9383256725b45cddf308902e742b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\AZFILESTEALER\Music\CloseMove.zip
Filesize
357KB

MD5
9ab505dcb08afd3cbec6a7d278e96de4

SHA1
095f6f36b27315fc1c4172df04cf033df28d4762

SHA256
5a6221d0ab885f8a8cc24c78eccba31bf2ac383942d487a3018da529d879af8b

SHA512
6fc08f65c82ab00d9c2bcf0940167e5fe81c7453877a3841d9f658c7bff659c01e07931fcf8b45ef17d991e042c176bcc24fe839bb0667efe1da185b32236df0

Download Submit
C:\Users\Admin\AppData\Local\Temp\AZFILESTEALER\Music\DismountOpen.zip
Filesize
327KB

MD5
3a5d8b0a0c0853bb52d2d9c9202be39d

SHA1
38baabf20a9d40026b892114a0160967d78ddff1

SHA256
62e2a874e06c99407ab1c18f3eb0dd28259947b56ed0f8ff22424ed693bca44b

SHA512
fd6933254873c3140c8923210d754809538e523668d7672bb2ead7148b88e12ff123c9877b15a8af2af0b7fc026b986b29d59d94d31612d90b1ad2c5b706d1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\AZFILESTEALER\Music\SplitImport.jpeg
Filesize
334KB

MD5
1c9ee01c6dcdcf3c37648695563ac762

SHA1
a303086ec1fe37c173b08edf480634b056c5f723

SHA256
2ba66a1835206748a0551efe5086c91a94a214b0e292cb0094e78784de16c87e

SHA512
1597ae8a12162b635c78c7af7355aee9ce08ffb267da1611dd5b754a147fa684306323df70d9063f000ff461ef37b8a1fa4daaa3e29f7531b840ea62495fa0f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AZFILESTEALER\Music\UnregisterEdit.xls
Filesize
379KB

MD5
b12063645d126dbfaea588a802bfe552

SHA1
c90e078cfda3411c62328b9944a35ed99835a380

SHA256
8419723ff1822c318d22988fa2e126632f89e8b4ef7b60db42ab94451ac24fbf

SHA512
051d20469229ee3f84128bfa0640e61d128b282eb51f897a9fdfb67b1cb8a95bccb3b0591bc8370176a33a94aa4384e9977518f733e9a4daee327cc209c130fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AZFILESTEALER\Pictures\My Wallpaper.jpg
Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\AZFILESTEALER\Pictures\ProtectRemove.jpeg
Filesize
960KB

MD5
6dd67161c0ce30e48199783affbc500e

SHA1
6da47183469bca9a8552ae8e13b4d5ab5ce66461

SHA256
e587f5c0c2ff6d0a7fc8b1eb0513964a35881a735f80530842bea0deb5beaad8

SHA512
1e4489c63fa941d4ab71a4cd52cc7dce6c32a876a798a2b0a95272376d135bb1110ba4e6b0f8c6d0906cfe0b995655352d0d646a4f4593656b6054d7b852bef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AZFILESTEALER\Pictures\ReadUse.jpeg
Filesize
840KB

MD5
f90b69adedd36f88db02c8ace4a78be4

SHA1
e9b60ff5ff0473df5cf943edf36c890725e3ac21

SHA256
d7e7d5e216d70ba1d0132650562494cc7d682ace4c567b34d67157019e85d2e9

SHA512
0639282a3e060a996fc35001748bdd54dd897ee3d7badd4cb55ac9c0dfecd67247c3bf40f3a79565fb2c4292698e71f5063e30a12f6b0950488115e3b6cf431f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13522\VCRUNTIME140.dll
Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13522\_asyncio.pyd
Filesize
34KB

MD5
1b8ce772a230a5da8cbdccd8914080a5

SHA1
40d4faf1308d1af6ef9f3856a4f743046fd0ead5

SHA256
fa5a1e7031de5849ab2ab5a177e366b41e1df6bbd90c8d2418033a01c740771f

SHA512
d2fc21b9f58b57065b337c3513e7e6c3e2243b73c5a230e81c91dafcb6724b521ad766667848ba8d0a428d530691ffc4020de6ce9ce1eaa2bf5e15338114a603

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13522\_brotli.cp311-win_amd64.pyd
Filesize
274KB

MD5
22a42d16bc447746b0845c637ac70128

SHA1
546af128ff40982c487e747a19aafd825cf1120d

SHA256
c0a4f520f06425500d07ead20fb8c9aaff4b9efb9c771725bbd94bc018cc4dfa

SHA512
8259104d9fb8f1045037755af661b942a42432ad255c709f11e42cf215feffcc2ee160c6884cb2cc7256ea55409c362352bc09219bf54c77dbc0a72a487093de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13522\_bz2.pyd
Filesize
46KB

MD5
80c69a1d87f0c82d6c4268e5a8213b78

SHA1
bae059da91d48eaac4f1bb45ca6feee2c89a2c06

SHA256
307359f1b2552b60839385eb63d74cbfe75cd5efdb4e7cd0bb7d296fa67d8a87

SHA512
542cf4ba19dd6a91690340779873e0cb8864b28159f55917f98a192ff9c449aba2d617e9b2b3932ddfeee13021706577ab164e5394e0513fe4087af6bc39d40d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13522\_cffi_backend.cp311-win_amd64.pyd
Filesize
71KB

MD5
2443ecaddfe40ee5130539024324e7fc

SHA1
ea74aaf7848de0a078a1510c3430246708631108

SHA256
9a5892ac0cd00c44cd7744d60c9459f302d5984ddb395caea52e4d8fd9bca2da

SHA512
5896af78cf208e1350cf2c31f913aa100098dd1cf4bae77cd2a36ec7695015986ec9913df8d2ebc9992f8f7d48bba102647dc5ee7f776593ae7be36f46bd5c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13522\_ctypes.pyd
Filesize
57KB

MD5
b4c41a4a46e1d08206c109ce547480c7

SHA1
9588387007a49ec2304160f27376aedca5bc854d

SHA256
9925ab71a4d74ce0ccc036034d422782395dd496472bd2d7b6d617f4d6ddc1f9

SHA512
30debb8e766b430a57f3f6649eeb04eb0aad75ab50423252585db7e28a974d629eb81844a05f5cb94c1702308d3feda7a7a99cb37458e2acb8e87efc486a1d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13522\_decimal.pyd
Filesize
104KB

MD5
e9501519a447b13dcca19e09140c9e84

SHA1
472b1aa072454d065dfe415a05036ffd8804c181

SHA256
6b5fe2dea13b84e40b0278d1702aa29e9e2091f9dc09b64bbff5fd419a604c3c

SHA512
ef481e0e4f9b277642652cd090634e1c04702df789e2267a87205e0fe12b00f1de6cdd4fafb51da01efa726606c0b57fcb2ea373533c772983fc4777dc0acc63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13522\_hashlib.pyd
Filesize
33KB

MD5
0629bdb5ff24ce5e88a2ddcede608aee

SHA1
47323370992b80dafb6f210b0d0229665b063afb

SHA256
f404bb8371618bbd782201f092a3bcd7a96d3c143787ebea1d8d86ded1f4b3b8

SHA512
3faeff1a19893257c17571b89963af37534c189421585ea03dd6a3017d28803e9d08b0e4daceee01ffeda21da60e68d10083fe7dbdbbde313a6b489a40e70952

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13522\_lzma.pyd
Filesize
84KB

MD5
bfca96ed7647b31dd2919bedebb856b8

SHA1
7d802d5788784f8b6bfbb8be491c1f06600737ac

SHA256
032b1a139adcff84426b6e156f9987b501ad42ecfb18170b10fb54da0157392e

SHA512
3a2926b79c90c3153c88046d316a081c8ddfb181d5f7c849ea6ae55cb13c6adba3a0434f800c4a30017d2fbab79d459432a2e88487914b54a897c4301c778551

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13522\_multiprocessing.pyd
Filesize
25KB

MD5
849b4203c5f9092db9022732d8247c97

SHA1
ed7bd0d6dcdcfa07f754b98acf44a7cfe5dcb353

SHA256
45bfbab1d2373cf7a8af19e5887579b8a306b3ad0c4f57e8f666339177f1f807

SHA512
cc618b4fc918b423e5dbdcbc45206653133df16bf2125fd53bafef8f7850d2403564cf80f8a5d4abb4a8928ff1262f80f23c633ea109a18556d1871aff81cd39

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13522\_overlapped.pyd
Filesize
30KB

MD5
97a40f53a81c39469cc7c8dd00f51b5d

SHA1
6c3916fe42e7977d8a6b53bfbc5a579abcf22a83

SHA256
11879a429c996fee8be891af2bec7d00f966593f1e01ca0a60bd2005feb4176f

SHA512
02af654ab73b6c8bf15a81c0e9071c8faf064c529b1439a2ab476e1026c860cf7d01472945112d4583e5da8e4c57f1df2700331440be80066dbb6a7e89e1c5af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13522\_queue.pyd
Filesize
24KB

MD5
0614691624f99748ef1d971419bdb80d

SHA1
39c52450ed7e31e935b5b0e49d03330f2057747d

SHA256
ac7972502144e9e01e53001e8eec3fc9ab063564678b784d024da2036ba7384d

SHA512
184bc172c7bb8a1fb55c4c23950cbe5e0b5a3c96c1c555ed8476edf79c5c729ed297112ee01b45d771e5c0055d2dc402b566967d1900b5abf683ee8e668c5b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13522\_socket.pyd
Filesize
41KB

MD5
04e7eb0b6861495233247ac5bb33a89a

SHA1
c4d43474e0b378a00845cca044f68e224455612a

SHA256
7efe25284a4663df9458603bf0988b0f47c7dcf56119e3e853e6bda80831a383

SHA512
d4ea0484363edf284ac08a1c3356cc3112d410dd80fe5010c1777acf88dbd830e9f668b593e252033d657a3431a79f7b68d09eb071d0c2ceb51632dbe9b8ed97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13522\_sqlite3.pyd
Filesize
54KB

MD5
d9eeeeacc3a586cf2dbf6df366f6029e

SHA1
4ff9fb2842a13e9371ce7894ec4fe331b6af9219

SHA256
67649e1e8acd348834efb2c927ab6a7599cf76b2c0c0a50b137b3be89c482e29

SHA512
0b9f1d80fb92c796682dba94a75fbce0e4fbeaedccd50e21d42d4b9366463a830109a8cd4300aa62b41910655f8ca96ecc609ea8a1b84236250b6fd08c965830

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13522\_ssl.pyd
Filesize
60KB

MD5
fd0f4aed22736098dc146936cbf0ad1d

SHA1
e520def83b8efdbca9dd4b384a15880b036ee0cf

SHA256
50404a6a3de89497e9a1a03ff3df65c6028125586dced1a006d2abb9009a9892

SHA512
c8f3c04d87da19041f28e1d474c8eb052fe8c03ffd88f0681ef4a2ffe29755cfd5b9c100a1b1d2fdb233cb0f70e367af500cbd3cd4ce77475f441f2b2aa0ab8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13522\_uuid.pyd
Filesize
21KB

MD5
3377ae26c2987cfee095dff160f2c86c

SHA1
0ca6aa60618950e6d91a7dea530a65a1cdf16625

SHA256
9534cb9c997a17f0004fb70116e0141bdd516373b37bbd526d91ad080daa3a2b

SHA512
8e408b84e2130ff48b8004154d1bdf6a08109d0b40f9fafb6f55e9f215e418e05dca819f411c802792a9d9936a55d6b90460121583e5568579a0fda6935852ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13522\base_library.zip
Filesize
1.4MB

MD5
d4e8ffbca0d63150c26798c458bd7d60

SHA1
b673d7629c6c307c1005a120d6e8d79b30b84d26

SHA256
fbe42d1b2c8b2157b1a015d6354ca40c9468f207b50a9cbbe80b5de8d3e2ff5c

SHA512
aa0065697cc3e6cbc200c7180a87941aec9f172988bb615bc3c33f67453abfcecb92bd11bfb25f7b34ca62739750ff04753e01ff2a0e4eaa3e4f8370e5e8ebcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13522\charset_normalizer\md.cp311-win_amd64.pyd
Filesize
9KB

MD5
351716e8c896f52bb9f646fdd2e9426a

SHA1
3b7287956cc2a83bf0ce6e5506299d137e5cd8e2

SHA256
8b96589636a860bc793d793cd1571bb5de8a73d56a7a4778f3f6b4c40de81506

SHA512
81aaa6e404f0c4b3112cad16597dff70f841506b766b4c6bd86947c04a64e77c3bb50196884ca633fc3912e62f8266e6d470498e0206bc709c9ac24556bd3331

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13522\charset_normalizer\md__mypyc.cp311-win_amd64.pyd
Filesize
39KB

MD5
fe25c057a924b06e0ec524c8bb809c5f

SHA1
b3ad1fc755273d1f4577dee0525919bfcb323b93

SHA256
35c25de8080987e5a9280cd185134d7a37f0086dea53ec53156126b780999d0b

SHA512
8816e65538090ecdd4b52edabbe909142c3ce23c5bbf781cd1b381f70059e194e117abd67d0a4634d83b6a7e7395c7c9aab0c9ebfee0756a8c97ffa5122bc059

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13522\cryptography\hazmat\bindings\_rust.pyd
Filesize
2.0MB

MD5
001536e476bf36e77c61e5e60d96ea76

SHA1
79f4768cf796262febd62f7d9d3d510f6c9d816f

SHA256
364c6887349315afe5343bb2613002cd2b860af427a76aeceab591272b6f50a5

SHA512
948141c8eee69e20f3497520fcdd2836aab6d01a16a9639aef0869795ca454b684bec79a77bf1c16da2a339ee4adaf56ac6c839c15b5e4ef912d5d94edb83a90

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13522\libcrypto-1_1.dll
Filesize
1.1MB

MD5
86cfc84f8407ab1be6cc64a9702882ef

SHA1
86f3c502ed64df2a5e10b085103c2ffc9e3a4130

SHA256
11b89cc5531b2a6b89fbbb406ebe8fb01f0bf789e672131b0354e10f9e091307

SHA512
b33f59497127cb1b4c1781693380576187c562563a9e367ce8abc14c97c51053a28af559cdd8bd66181012083e562c8a8771e3d46adeba269a848153a8e9173c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13522\libffi-8.dll
Filesize
24KB

MD5
decbba3add4c2246928ab385fb16a21e

SHA1
5f019eff11de3122ffa67a06d52d446a3448b75e

SHA256
4b43c1e42f6050ddb8e184c8ec4fb1de4a6001e068ece8e6ad47de0cc9fd4a2d

SHA512
760a42a3eb3ca13fa7b95d3bd0f411c270594ae3cf1d3cda349fa4f8b06ebe548b60cd438d68e2da37de0bc6f1c711823f5e917da02ed7047a45779ee08d7012

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13522\libssl-1_1.dll
Filesize
203KB

MD5
6cd33578bc5629930329ca3303f0fae1

SHA1
f2f8e3248a72f98d27f0cfa0010e32175a18487f

SHA256
4150ee603ad2da7a6cb6a895cb5bd928e3a99af7e73c604de1fc224e0809fdb0

SHA512
c236a6ccc8577c85509d378c1ef014621cab6f6f4aa26796ff32d8eec8e98ded2e55d358a7d236594f7a48646dc2a6bf25b42a37aed549440d52873ebca4713e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13522\multidict\_multidict.cp311-win_amd64.pyd
Filesize
20KB

MD5
eeaded775eabfaaede5ca025f55fd273

SHA1
8eefb3b9d85b4d5ad4033308f8af2a24e8792e02

SHA256
db4d6a74a3301788d32905b2ccc525e9a8e2219f1a36924464871cf211f115a0

SHA512
a6055d5604cc53428d89b308c223634cd94082be0ba4081513974e1826775d6e9fc26180c816d9a38fead89b5e04c5e7cf729c056bfae0ed74d6885c921b70ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13522\psutil\_psutil_windows.pyd
Filesize
31KB

MD5
d3c9a34f90361ae0d897aadfd002cfc7

SHA1
f66bce501451e3ee42b01fa43a84b289c404ec8b

SHA256
e348d1a333ed889d574d94f907a6459f24bc1d2068cd7bedd06618b0815b92dc

SHA512
cabd6375650cdf16057ae37da14a031b181402d3bad4268063941606adaf170b47b9f3bd8be2ed144a9a8159be59b08ed84ee5051ac88d2c78170a0ad299a8fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13522\pyexpat.pyd
Filesize
86KB

MD5
fe0e32bfe3764ed5321454e1a01c81ec

SHA1
7690690df0a73bdcc54f0f04b674fc8a9a8f45fb

SHA256
b399bff10812e9ea2c9800f74cb0e5002f9d9379baf1a3cef9d438caca35dc92

SHA512
d1777f9e684a9e4174e18651e6d921ae11757ecdbeb4ee678c6a28e0903a4b9ab9f6e1419670b4d428ee20f86c7d424177ed9daf4365cf2ee376fcd065c1c92d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13522\python3.dll
Filesize
64KB

MD5
34e49bb1dfddf6037f0001d9aefe7d61

SHA1
a25a39dca11cdc195c9ecd49e95657a3e4fe3215

SHA256
4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281

SHA512
edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13522\python311.dll
Filesize
1.6MB

MD5
db09c9bbec6134db1766d369c339a0a1

SHA1
c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b

SHA256
b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79

SHA512
653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13522\select.pyd
Filesize
24KB

MD5
c39459806c712b3b3242f8376218c1e1

SHA1
85d254fb6cc5d6ed20a04026bff1158c8fd0a530

SHA256
7cbd4339285d145b422afa280cee685258bc659806be9cf8b334805bc45b29c9

SHA512
b727c6d1cd451d658e174161135d3be48d7efda21c775b8145bc527a54d6592bfc50919276c6498d2e2233ac1524c1699f59f0f467cc6e43e5b5e9558c87f49d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13522\sqlite3.dll
Filesize
608KB

MD5
895f001ae969364432372329caf08b6a

SHA1
4567fc6672501648b277fe83e6b468a7a2155ddf

SHA256
f5dd29e1e99cf8967f7f81487dc624714dcbec79c1630f929d5507fc95cbfad7

SHA512
05b4559d283ea84174da72a6c11b8b93b1586b4e7d8cda8d745c814f8f6dff566e75f9d7890f32bd9dfe43485244973860f83f96ba39296e28127c9396453261

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13522\unicodedata.pyd
Filesize
293KB

MD5
06a5e52caf03426218f0c08fc02cc6b8

SHA1
ae232c63620546716fbb97452d73948ebfd06b35

SHA256
118c31faa930f2849a14c3133df36420a5832114df90d77b09cde0ad5f96f33a

SHA512
546b1a01f36d3689b0fdeeda8b1ce55e7d3451731ca70fffe6627d542fff19d7a70e27147cab1920aae8bed88272342908d4e9d671d7aba74abb5db398b90718

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13522\yarl\_quoting_c.cp311-win_amd64.pyd
Filesize
40KB

MD5
9a8f969ecdf0c15734c1d582d2ae35d8

SHA1
a40691e81982f610a062e49a5ad29cffb5a2f5a8

SHA256
874e52cceae9a3c967bac7b628f4144c32e51fc77f519542fc1bac19045ecde8

SHA512
e0deb59abef7440f30effb1aab6295b5a50c817f685be30b21a3c453e3099b97fd71984e6ca6a6c6e0021abb6e906838566f402b00a11813e67a4e00b119619f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13522\zstandard\backend_c.cp311-win_amd64.pyd
Filesize
174KB

MD5
3c918d247619b80ae9e6f758787d67de

SHA1
6184988ad32f19f23b4590bdb43f73b10e335fb9

SHA256
0689b393bee3e4d62818d18cf4bca417ef0749ca7cbe81b3f4ea85ba0dfa1041

SHA512
8c9c4026cfb0a39f9a6cfb19c8a6a04a86a9566f3b40ccd78d80a42ad47dc28bed729fe3ad48b3755c1db7d1a2e96cce3b80e058fecbec8874a4f29c76928efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_d15bthvf.sov.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2700_1692634956\0c0d9151-a0a5-4d3d-9e2a-1e1e7521fe0f.tmp
Filesize
132KB

MD5
f8e609603d53c701422bbc4e026740c8

SHA1
5d08ba917111a8fce835be950477156720e57437

SHA256
aea99c066addc7157626d59326d8e5589402f6aac551a0560b92710ba68ded8a

SHA512
5cbdfc06d076665752b4a1aefd697f8af7dd2f673c2a65d363dde5e27e97451bbf6d6097c0b9003cccc886b1ec0cc3cd66be58c57076c181d2749249395462bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir2700_1692634956\CRX_INSTALL\_locales\en_CA\messages.json
Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
memory/3096-214-0x0000019E9BD40000-0x0000019E9BD62000-memory.dmp

Filesize
136KB

Download
memory/3400-255-0x00007FF840F40000-0x00007FF840FC7000-memory.dmp

Filesize
540KB

Download
memory/3400-440-0x00007FF841990000-0x00007FF8419A2000-memory.dmp

Filesize
72KB

Download
memory/3400-243-0x00007FF8419D0000-0x00007FF841D45000-memory.dmp

Filesize
3.5MB

Download
memory/3400-252-0x00007FF841030000-0x00007FF841724000-memory.dmp

Filesize
7.0MB

Download
memory/3400-249-0x00007FF841800000-0x00007FF841822000-memory.dmp

Filesize
136KB

Download
memory/3400-245-0x00007FF841990000-0x00007FF8419A2000-memory.dmp

Filesize
72KB

Download
memory/3400-244-0x00007FF8419B0000-0x00007FF8419C5000-memory.dmp

Filesize
84KB

Download
memory/3400-242-0x00007FF841D50000-0x00007FF841E08000-memory.dmp

Filesize
736KB

Download
memory/3400-241-0x00007FF841E10000-0x00007FF841E3E000-memory.dmp

Filesize
184KB

Download
memory/3400-240-0x00007FF841E40000-0x00007FF841FB3000-memory.dmp

Filesize
1.4MB

Download
memory/3400-235-0x00007FF84EC40000-0x00007FF84EC59000-memory.dmp

Filesize
100KB

Download
memory/3400-232-0x00007FF842070000-0x00007FF842658000-memory.dmp

Filesize
5.9MB

Download
memory/3400-233-0x00007FF842040000-0x00007FF842064000-memory.dmp

Filesize
144KB

Download
memory/3400-229-0x00007FF841730000-0x00007FF8417FF000-memory.dmp

Filesize
828KB

Download
memory/3400-219-0x00007FF841800000-0x00007FF841822000-memory.dmp

Filesize
136KB

Download
memory/3400-61-0x00007FF842040000-0x00007FF842064000-memory.dmp

Filesize
144KB

Download
memory/3400-62-0x00007FF8535B0000-0x00007FF8535BF000-memory.dmp

Filesize
60KB

Download
memory/3400-104-0x00007FF8419B0000-0x00007FF8419C5000-memory.dmp

Filesize
84KB

Download
memory/3400-108-0x00007FF841990000-0x00007FF8419A2000-memory.dmp

Filesize
72KB

Download
memory/3400-109-0x00007FF841970000-0x00007FF841984000-memory.dmp

Filesize
80KB

Download
memory/3400-138-0x00007FF8419D0000-0x00007FF841D45000-memory.dmp

Filesize
3.5MB

Download
memory/3400-140-0x00007FF840F40000-0x00007FF840FC7000-memory.dmp

Filesize
540KB

Download
memory/3400-141-0x00007FF8419B0000-0x00007FF8419C5000-memory.dmp

Filesize
84KB

Download
memory/3400-139-0x00007FF840FD0000-0x00007FF840FE8000-memory.dmp

Filesize
96KB

Download
memory/3400-143-0x00007FF84C480000-0x00007FF84C48D000-memory.dmp

Filesize
52KB

Download
memory/3400-148-0x00007FF841950000-0x00007FF841964000-memory.dmp

Filesize
80KB

Download
memory/3400-149-0x00007FF84BD20000-0x00007FF84BD2B000-memory.dmp

Filesize
44KB

Download
memory/3400-150-0x00007FF840F10000-0x00007FF840F36000-memory.dmp

Filesize
152KB

Download
memory/3400-132-0x0000017CB4990000-0x0000017CB4D05000-memory.dmp

Filesize
3.5MB

Download
memory/3400-133-0x00007FF840FF0000-0x00007FF841028000-memory.dmp

Filesize
224KB

Download
memory/3400-115-0x00007FF842070000-0x00007FF842658000-memory.dmp

Filesize
5.9MB

Download
memory/3400-116-0x00007FF841830000-0x00007FF84194C000-memory.dmp

Filesize
1.1MB

Download
memory/3400-117-0x00007FF841800000-0x00007FF841822000-memory.dmp

Filesize
136KB

Download
memory/3400-118-0x00007FF842040000-0x00007FF842064000-memory.dmp

Filesize
144KB

Download
memory/3400-123-0x00007FF841FC0000-0x00007FF841FE3000-memory.dmp

Filesize
140KB

Download
memory/3400-124-0x00007FF841E40000-0x00007FF841FB3000-memory.dmp

Filesize
1.4MB

Download
memory/3400-400-0x00007FF842070000-0x00007FF842658000-memory.dmp

Filesize
5.9MB

Download
memory/3400-437-0x00007FF840F40000-0x00007FF840FC7000-memory.dmp

Filesize
540KB

Download
memory/3400-443-0x00007FF841830000-0x00007FF84194C000-memory.dmp

Filesize
1.1MB

Download
memory/3400-442-0x00007FF841950000-0x00007FF841964000-memory.dmp

Filesize
80KB

Download
memory/3400-441-0x00007FF841970000-0x00007FF841984000-memory.dmp

Filesize
80KB

Download
memory/3400-256-0x00007FF84C480000-0x00007FF84C48D000-memory.dmp

Filesize
52KB

Download
memory/3400-439-0x00007FF8419B0000-0x00007FF8419C5000-memory.dmp

Filesize
84KB

Download
memory/3400-438-0x00007FF841D50000-0x00007FF841E08000-memory.dmp

Filesize
736KB

Download
memory/3400-436-0x00007FF841E10000-0x00007FF841E3E000-memory.dmp

Filesize
184KB

Download
memory/3400-435-0x00007FF841E40000-0x00007FF841FB3000-memory.dmp

Filesize
1.4MB

Download
memory/3400-434-0x00007FF841FC0000-0x00007FF841FE3000-memory.dmp

Filesize
140KB

Download
memory/3400-433-0x00007FF841FF0000-0x00007FF84201D000-memory.dmp

Filesize
180KB

Download
memory/3400-432-0x00007FF842020000-0x00007FF842039000-memory.dmp

Filesize
100KB

Download
memory/3400-431-0x00007FF852E80000-0x00007FF852E8D000-memory.dmp

Filesize
52KB

Download
memory/3400-430-0x00007FF84EC40000-0x00007FF84EC59000-memory.dmp

Filesize
100KB

Download
memory/3400-429-0x00007FF8535B0000-0x00007FF8535BF000-memory.dmp

Filesize
60KB

Download
memory/3400-428-0x00007FF842040000-0x00007FF842064000-memory.dmp

Filesize
144KB

Download
memory/3400-427-0x00007FF841800000-0x00007FF841822000-memory.dmp

Filesize
136KB

Download
memory/3400-426-0x00007FF840F10000-0x00007FF840F36000-memory.dmp

Filesize
152KB

Download
memory/3400-425-0x00007FF84BD20000-0x00007FF84BD2B000-memory.dmp

Filesize
44KB

Download
memory/3400-424-0x00007FF84C480000-0x00007FF84C48D000-memory.dmp

Filesize
52KB

Download
memory/3400-422-0x00007FF840FD0000-0x00007FF840FE8000-memory.dmp

Filesize
96KB

Download
memory/3400-421-0x00007FF840FF0000-0x00007FF841028000-memory.dmp

Filesize
224KB

Download
memory/3400-420-0x00007FF841030000-0x00007FF841724000-memory.dmp

Filesize
7.0MB

Download
memory/3400-419-0x00007FF852880000-0x00007FF85288A000-memory.dmp

Filesize
40KB

Download
memory/3400-418-0x00007FF841730000-0x00007FF8417FF000-memory.dmp

Filesize
828KB

Download
memory/3400-411-0x00007FF8419D0000-0x00007FF841D45000-memory.dmp

Filesize
3.5MB

Download
memory/3400-130-0x00007FF841030000-0x00007FF841724000-memory.dmp

Filesize
7.0MB

Download
memory/3400-128-0x00007FF841E10000-0x00007FF841E3E000-memory.dmp

Filesize
184KB

Download
memory/3400-129-0x00007FF841D50000-0x00007FF841E08000-memory.dmp

Filesize
736KB

Download
memory/3400-125-0x00007FF852880000-0x00007FF85288A000-memory.dmp

Filesize
40KB

Download
memory/3400-120-0x00007FF84EC40000-0x00007FF84EC59000-memory.dmp

Filesize
100KB

Download
memory/3400-121-0x00007FF841730000-0x00007FF8417FF000-memory.dmp

Filesize
828KB

Download
memory/3400-111-0x00007FF841950000-0x00007FF841964000-memory.dmp

Filesize
80KB

Download
memory/3400-86-0x00007FF84EC40000-0x00007FF84EC59000-memory.dmp

Filesize
100KB

Download
memory/3400-87-0x00007FF852E80000-0x00007FF852E8D000-memory.dmp

Filesize
52KB

Download
memory/3400-88-0x00007FF842020000-0x00007FF842039000-memory.dmp

Filesize
100KB

Download
memory/3400-92-0x00007FF841FF0000-0x00007FF84201D000-memory.dmp

Filesize
180KB

Download
memory/3400-96-0x00007FF841E10000-0x00007FF841E3E000-memory.dmp

Filesize
184KB

Download
memory/3400-100-0x00007FF841D50000-0x00007FF841E08000-memory.dmp

Filesize
736KB

Download
memory/3400-102-0x00007FF8419D0000-0x00007FF841D45000-memory.dmp

Filesize
3.5MB

Download
memory/3400-101-0x0000017CB4990000-0x0000017CB4D05000-memory.dmp

Filesize
3.5MB

Download
memory/3400-93-0x00007FF841FC0000-0x00007FF841FE3000-memory.dmp

Filesize
140KB

Download
memory/3400-94-0x00007FF841E40000-0x00007FF841FB3000-memory.dmp

Filesize
1.4MB

Download
memory/3400-52-0x00007FF842070000-0x00007FF842658000-memory.dmp

Filesize
5.9MB

Download