exelastealer | fec6107f08e216d76cf05ee65f1894de778b386b61cb6c459f6c0f6657de2c6f

Resubmissions

18-07-2024 04:33

240718-e6n6jaydma 10

18-07-2024 04:29

240718-e4bsesvfkl 7

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
18-07-2024 04:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ElectronV3.exe
Size

37.2MB
MD5

35ff4b8cfa381b8c421d7f4278e5eea2
SHA1

c686165b7dd71d48433e5298be2fec7e6c6b64dd
SHA256

fec6107f08e216d76cf05ee65f1894de778b386b61cb6c459f6c0f6657de2c6f
SHA512

0f31fc013005b38cb0be2cd33780627364e4e70683670bbc0ab3ffd154c229b97dacffc895c503a4c8689f4d627ec5e6b3e69394871349ccd6c64977d11b4e0e
SSDEEP

786432:y9OQxKKj1YqIdryuIjHNOgi5EMkhqN+NhAiJ1piKvIeVrsgv3FdbfitHJblxb:EOQAKjSqMhIjHNm5Dkq4bAodvIeVrhdO

Score

10^/10

exelastealer defense_evasion evasion persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2156	netsh.exe
2288	netsh.exe

Executes dropped EXE 2 IoCs

pid	Process
2768	bound.exe
3684	bound.exe

Loads dropped DLL 64 IoCs

pid	Process
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
3684	bound.exe
3684	bound.exe
3684	bound.exe
3684	bound.exe
3684	bound.exe
3684	bound.exe
3684	bound.exe
3684	bound.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002349c-129.dat	upx
behavioral2/memory/2524-133-0x00007FF963710000-0x00007FF963B75000-memory.dmp	upx
behavioral2/files/0x0007000000023453-135.dat	upx
behavioral2/files/0x0007000000023475-141.dat	upx
behavioral2/memory/2524-143-0x00007FF972360000-0x00007FF972384000-memory.dmp	upx
behavioral2/files/0x0007000000023456-146.dat	upx
behavioral2/files/0x000700000002345d-167.dat	upx
behavioral2/files/0x000700000002345a-172.dat	upx
behavioral2/files/0x000700000002349f-174.dat	upx
behavioral2/files/0x00070000000234ae-180.dat	upx
behavioral2/files/0x0007000000023459-181.dat	upx
behavioral2/files/0x00070000000234ab-182.dat	upx
behavioral2/memory/2524-189-0x00007FF9635F0000-0x00007FF963708000-memory.dmp	upx
behavioral2/memory/2524-188-0x00007FF972470000-0x00007FF97247D000-memory.dmp	upx
behavioral2/memory/2524-187-0x00007FF971E50000-0x00007FF971E7B000-memory.dmp	upx
behavioral2/memory/2524-186-0x00007FF9715B0000-0x00007FF97166C000-memory.dmp	upx
behavioral2/memory/2524-185-0x00007FF971EA0000-0x00007FF971ECE000-memory.dmp	upx
behavioral2/memory/2524-184-0x00007FF977140000-0x00007FF97714D000-memory.dmp	upx
behavioral2/memory/2524-183-0x00007FF9722F0000-0x00007FF972309000-memory.dmp	upx
behavioral2/files/0x000700000002349e-178.dat	upx
behavioral2/files/0x00070000000234a0-173.dat	upx
behavioral2/memory/2524-171-0x00007FF9720D0000-0x00007FF972105000-memory.dmp	upx
behavioral2/memory/2524-170-0x00007FF972310000-0x00007FF97233C000-memory.dmp	upx
behavioral2/files/0x000700000002349a-169.dat	upx
behavioral2/memory/2524-168-0x00007FF972340000-0x00007FF972359000-memory.dmp	upx
behavioral2/files/0x000700000002345c-166.dat	upx
behavioral2/files/0x000700000002345b-165.dat	upx
behavioral2/files/0x0007000000023458-162.dat	upx
behavioral2/files/0x0007000000023457-161.dat	upx
behavioral2/files/0x0007000000023455-160.dat	upx
behavioral2/files/0x0007000000023454-159.dat	upx
behavioral2/files/0x0007000000023452-158.dat	upx
behavioral2/files/0x0007000000023450-157.dat	upx
behavioral2/files/0x00070000000234aa-154.dat	upx
behavioral2/files/0x0007000000023476-150.dat	upx
behavioral2/files/0x0007000000023474-149.dat	upx
behavioral2/memory/2524-144-0x00007FF9772A0000-0x00007FF9772AF000-memory.dmp	upx
behavioral2/files/0x0007000000023451-142.dat	upx
behavioral2/memory/2524-191-0x00007FF9721B0000-0x00007FF9721DE000-memory.dmp	upx
behavioral2/memory/2524-196-0x00007FF962CA0000-0x00007FF963014000-memory.dmp	upx
behavioral2/files/0x00070000000234b7-198.dat	upx
behavioral2/files/0x0007000000023465-205.dat	upx
behavioral2/files/0x0007000000023464-204.dat	upx
behavioral2/memory/2524-212-0x00007FF971E20000-0x00007FF971E2A000-memory.dmp	upx
behavioral2/memory/2524-211-0x00007FF969AE0000-0x00007FF969B06000-memory.dmp	upx
behavioral2/memory/2524-210-0x00007FF9721A0000-0x00007FF9721AB000-memory.dmp	upx
behavioral2/memory/2524-209-0x00007FF963710000-0x00007FF963B75000-memory.dmp	upx
behavioral2/memory/2524-202-0x00007FF971590000-0x00007FF9715A5000-memory.dmp	upx
behavioral2/memory/2524-201-0x00007FF96ECA0000-0x00007FF96ED27000-memory.dmp	upx
behavioral2/memory/2524-195-0x00007FF963020000-0x00007FF9630D6000-memory.dmp	upx
behavioral2/memory/2524-215-0x00007FF964230000-0x00007FF964248000-memory.dmp	upx
behavioral2/files/0x0007000000023499-214.dat	upx
behavioral2/memory/2524-218-0x00007FF963300000-0x00007FF96346D000-memory.dmp	upx
behavioral2/memory/2524-217-0x00007FF978890000-0x00007FF9788AE000-memory.dmp	upx
behavioral2/memory/2524-223-0x00007FF971F20000-0x00007FF971F58000-memory.dmp	upx
behavioral2/memory/2524-222-0x00007FF9721B0000-0x00007FF9721DE000-memory.dmp	upx
behavioral2/memory/2524-221-0x00007FF971F60000-0x00007FF971F7C000-memory.dmp	upx
behavioral2/memory/2524-220-0x00007FF9722F0000-0x00007FF972309000-memory.dmp	upx
behavioral2/memory/2524-219-0x00007FF971F80000-0x00007FF971F8B000-memory.dmp	upx
behavioral2/memory/2524-225-0x00007FF963020000-0x00007FF9630D6000-memory.dmp	upx
behavioral2/memory/2524-235-0x00007FF96FE20000-0x00007FF96FE2E000-memory.dmp	upx
behavioral2/memory/2524-234-0x00007FF96FE40000-0x00007FF96FE4C000-memory.dmp	upx
behavioral2/memory/2524-233-0x00007FF96FE30000-0x00007FF96FE3C000-memory.dmp	upx
behavioral2/memory/2524-232-0x00007FF96FE50000-0x00007FF96FE5B000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
86	discord.com
87	discord.com
80	discord.com
81	discord.com
82	discord.com
83	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
73	ip-api.com

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
748	cmd.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1020	sc.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
4384	WMIC.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1452	WMIC.exe
1684	WMIC.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

Process Discovery

T1057

pid	Process
4816	tasklist.exe
628	tasklist.exe
3152	tasklist.exe
2808	tasklist.exe
424	tasklist.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2028	ipconfig.exe
4148	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1456	systeminfo.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
2524	ElectronV3.exe
3120	powershell.exe
3120	powershell.exe
3120	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	ElectronV3.exe
Token: SeIncreaseQuotaPrivilege	2076	WMIC.exe
Token: SeSecurityPrivilege	2076	WMIC.exe
Token: SeTakeOwnershipPrivilege	2076	WMIC.exe
Token: SeLoadDriverPrivilege	2076	WMIC.exe
Token: SeSystemProfilePrivilege	2076	WMIC.exe
Token: SeSystemtimePrivilege	2076	WMIC.exe
Token: SeProfSingleProcessPrivilege	2076	WMIC.exe
Token: SeIncBasePriorityPrivilege	2076	WMIC.exe
Token: SeCreatePagefilePrivilege	2076	WMIC.exe
Token: SeBackupPrivilege	2076	WMIC.exe
Token: SeRestorePrivilege	2076	WMIC.exe
Token: SeShutdownPrivilege	2076	WMIC.exe
Token: SeDebugPrivilege	2076	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2076	WMIC.exe
Token: SeRemoteShutdownPrivilege	2076	WMIC.exe
Token: SeUndockPrivilege	2076	WMIC.exe
Token: SeManageVolumePrivilege	2076	WMIC.exe
Token: 33	2076	WMIC.exe
Token: 34	2076	WMIC.exe
Token: 35	2076	WMIC.exe
Token: 36	2076	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2076	WMIC.exe
Token: SeSecurityPrivilege	2076	WMIC.exe
Token: SeTakeOwnershipPrivilege	2076	WMIC.exe
Token: SeLoadDriverPrivilege	2076	WMIC.exe
Token: SeSystemProfilePrivilege	2076	WMIC.exe
Token: SeSystemtimePrivilege	2076	WMIC.exe
Token: SeProfSingleProcessPrivilege	2076	WMIC.exe
Token: SeIncBasePriorityPrivilege	2076	WMIC.exe
Token: SeCreatePagefilePrivilege	2076	WMIC.exe
Token: SeBackupPrivilege	2076	WMIC.exe
Token: SeRestorePrivilege	2076	WMIC.exe
Token: SeShutdownPrivilege	2076	WMIC.exe
Token: SeDebugPrivilege	2076	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2076	WMIC.exe
Token: SeRemoteShutdownPrivilege	2076	WMIC.exe
Token: SeUndockPrivilege	2076	WMIC.exe
Token: SeManageVolumePrivilege	2076	WMIC.exe
Token: 33	2076	WMIC.exe
Token: 34	2076	WMIC.exe
Token: 35	2076	WMIC.exe
Token: 36	2076	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1452	WMIC.exe
Token: SeSecurityPrivilege	1452	WMIC.exe
Token: SeTakeOwnershipPrivilege	1452	WMIC.exe
Token: SeLoadDriverPrivilege	1452	WMIC.exe
Token: SeSystemProfilePrivilege	1452	WMIC.exe
Token: SeSystemtimePrivilege	1452	WMIC.exe
Token: SeProfSingleProcessPrivilege	1452	WMIC.exe
Token: SeIncBasePriorityPrivilege	1452	WMIC.exe
Token: SeCreatePagefilePrivilege	1452	WMIC.exe
Token: SeBackupPrivilege	1452	WMIC.exe
Token: SeRestorePrivilege	1452	WMIC.exe
Token: SeShutdownPrivilege	1452	WMIC.exe
Token: SeDebugPrivilege	1452	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1452	WMIC.exe
Token: SeRemoteShutdownPrivilege	1452	WMIC.exe
Token: SeUndockPrivilege	1452	WMIC.exe
Token: SeManageVolumePrivilege	1452	WMIC.exe
Token: 33	1452	WMIC.exe
Token: 34	1452	WMIC.exe
Token: 35	1452	WMIC.exe
Token: 36	1452	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 452 wrote to memory of 2524	452	ElectronV3.exe	86
PID 452 wrote to memory of 2524	452	ElectronV3.exe	86
PID 2524 wrote to memory of 380	2524	ElectronV3.exe	88
PID 2524 wrote to memory of 380	2524	ElectronV3.exe	88
PID 2524 wrote to memory of 4936	2524	ElectronV3.exe	93
PID 2524 wrote to memory of 4936	2524	ElectronV3.exe	93
PID 2524 wrote to memory of 2808	2524	ElectronV3.exe	94
PID 2524 wrote to memory of 2808	2524	ElectronV3.exe	94
PID 2524 wrote to memory of 2488	2524	ElectronV3.exe	95
PID 2524 wrote to memory of 2488	2524	ElectronV3.exe	95
PID 2488 wrote to memory of 2076	2488	cmd.exe	97
PID 2488 wrote to memory of 2076	2488	cmd.exe	97
PID 2524 wrote to memory of 4652	2524	ElectronV3.exe	99
PID 2524 wrote to memory of 4652	2524	ElectronV3.exe	99
PID 4652 wrote to memory of 1452	4652	cmd.exe	101
PID 4652 wrote to memory of 1452	4652	cmd.exe	101
PID 2768 wrote to memory of 3684	2768	bound.exe	121
PID 2768 wrote to memory of 3684	2768	bound.exe	121
PID 3684 wrote to memory of 448	3684	bound.exe	122
PID 3684 wrote to memory of 448	3684	bound.exe	122
PID 3684 wrote to memory of 3588	3684	bound.exe	124
PID 3684 wrote to memory of 3588	3684	bound.exe	124
PID 3684 wrote to memory of 1152	3684	bound.exe	125
PID 3684 wrote to memory of 1152	3684	bound.exe	125
PID 3684 wrote to memory of 3048	3684	bound.exe	127
PID 3684 wrote to memory of 3048	3684	bound.exe	127
PID 3684 wrote to memory of 5072	3684	bound.exe	129
PID 3684 wrote to memory of 5072	3684	bound.exe	129
PID 5072 wrote to memory of 3152	5072	cmd.exe	132
PID 5072 wrote to memory of 3152	5072	cmd.exe	132
PID 1152 wrote to memory of 4452	1152	cmd.exe	133
PID 1152 wrote to memory of 4452	1152	cmd.exe	133
PID 3588 wrote to memory of 1684	3588	cmd.exe	134
PID 3588 wrote to memory of 1684	3588	cmd.exe	134
PID 3684 wrote to memory of 3372	3684	bound.exe	136
PID 3684 wrote to memory of 3372	3684	bound.exe	136
PID 3372 wrote to memory of 828	3372	cmd.exe	138
PID 3372 wrote to memory of 828	3372	cmd.exe	138
PID 3684 wrote to memory of 972	3684	bound.exe	139
PID 3684 wrote to memory of 972	3684	bound.exe	139
PID 3684 wrote to memory of 2596	3684	bound.exe	140
PID 3684 wrote to memory of 2596	3684	bound.exe	140
PID 972 wrote to memory of 4556	972	cmd.exe	143
PID 972 wrote to memory of 4556	972	cmd.exe	143
PID 2596 wrote to memory of 2808	2596	cmd.exe	144
PID 2596 wrote to memory of 2808	2596	cmd.exe	144
PID 3684 wrote to memory of 748	3684	bound.exe	145
PID 3684 wrote to memory of 748	3684	bound.exe	145
PID 748 wrote to memory of 528	748	cmd.exe	147
PID 748 wrote to memory of 528	748	cmd.exe	147
PID 3684 wrote to memory of 4848	3684	bound.exe	148
PID 3684 wrote to memory of 4848	3684	bound.exe	148
PID 4848 wrote to memory of 424	4848	cmd.exe	150
PID 4848 wrote to memory of 424	4848	cmd.exe	150
PID 3684 wrote to memory of 4812	3684	bound.exe	151
PID 3684 wrote to memory of 4812	3684	bound.exe	151
PID 3684 wrote to memory of 4924	3684	bound.exe	152
PID 3684 wrote to memory of 4924	3684	bound.exe	152
PID 3684 wrote to memory of 2008	3684	bound.exe	153
PID 3684 wrote to memory of 2008	3684	bound.exe	153
PID 3684 wrote to memory of 4460	3684	bound.exe	154
PID 3684 wrote to memory of 4460	3684	bound.exe	154
PID 4924 wrote to memory of 4124	4924	cmd.exe	159
PID 4924 wrote to memory of 4124	4924	cmd.exe	159

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
528	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ElectronV3.exe
"C:\Users\Admin\AppData\Local\Temp\ElectronV3.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:452
- C:\Users\Admin\AppData\Local\Temp\ElectronV3.exe
  "C:\Users\Admin\AppData\Local\Temp\ElectronV3.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
    3⤵
    PID:4936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "start bound.exe"
    3⤵
    PID:2808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4652
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:1452

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\bound.exe
"C:\Users\Admin\AppData\Local\Temp\bound.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2768
- C:\Users\Admin\AppData\Local\Temp\bound.exe
  "C:\Users\Admin\AppData\Local\Temp\bound.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3588
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1152
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      PID:4452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:3048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5072
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:3152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3372
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      PID:828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:972
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2596
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:748
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Views/modifies file attributes
      PID:528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4848
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:4812
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:3856
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:1404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4924
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:4124
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:2772
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2008
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    PID:4460
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    PID:948
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:5036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    PID:676
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1456
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:3544
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      PID:4384
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:4564
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:4640
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:2840
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:508
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:4556
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:3000
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:848
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:3964
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:3292
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:4852
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:1212
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:5108
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:1888
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:628
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:2028
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:3680
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      PID:3064
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      Gathers network information
      PID:4148
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:1020
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2156
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2456
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1136
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4924
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5096

C:\Users\Admin\AppData\Local\Temp\ElectronV3.exe
"C:\Users\Admin\AppData\Local\Temp\ElectronV3.exe"
1⤵
PID:2436
- C:\Users\Admin\AppData\Local\Temp\ElectronV3.exe
  "C:\Users\Admin\AppData\Local\Temp\ElectronV3.exe"
  2⤵
  PID:4668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI27682\cryptography-42.0.2.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\VCRUNTIME140.dll

Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\VCRUNTIME140_1.dll

Filesize
36KB

MD5
7667b0883de4667ec87c3b75bed84d84

SHA1
e6f6df83e813ed8252614a46a5892c4856df1f58

SHA256
04e7ccbdcad7cbaf0ed28692fb08eab832c38aad9071749037ee7a58f45e9d7d

SHA512
968cbaafe416a9e398c5bfd8c5825fa813462ae207d17072c035f916742517edc42349a72ab6795199d34ccece259d5f2f63587cfaeb0026c0667632b05c5c74

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\_asyncio.pyd

Filesize
31KB

MD5
56c8976ee1d4a06037e06f43bf0a4365

SHA1
7efae0428f10ad3280114b532020e69c7ff4da2d

SHA256
389b4b7d0e81a497270e6443ac1f33059b0532bac92488ddb93b73bd70da3202

SHA512
f1b9f484d1abd309106ca931e93609942c82cb02b6217baa002aa64e2870995825e630773e9ca0f6e6783126cf5066d3a4a8b59863adb7b8cd7c566bfc1d0826

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\_bz2.pyd

Filesize
43KB

MD5
464825c2e6a84345d103a81930415b58

SHA1
bb62771f9436f8f74fc3ca89c6a1c7bf87b44dca

SHA256
5cda0eacb52ee6c1f561b11b8a1ddce4a0f5295348fe999a73eed3dc2d1741e4

SHA512
4731ae77c7b50676757833bcf47299084a4afb7d2464512da56efd048c608034fc547fee073e48f8c39d0522539859ca195e2a209fe2434119098862b08d0dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\_cffi_backend.cp310-win_amd64.pyd

Filesize
71KB

MD5
e3bcdf92f94fac36d74ca4d57fc651ed

SHA1
519264bc498e253a62f540d8f106343c6772ef68

SHA256
8fa7db27750c4351d403271dc525a411840844cc913415eca2b1866c5e9dbd7f

SHA512
520eb876eb2a090d126780f0e8457ebb948337499db815a23dc5231d2ae80aef2f9ada14f13aa347e8aec5385a1ed85cdc8b3162ed4ca5976b77228f97a85806

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\_ctypes.pyd

Filesize
53KB

MD5
792451d5b185d4a464c8484bc252f2c2

SHA1
8fbaa275c8e25cdd012c9142026cc75074d61686

SHA256
4c147a23e85541b326a4321e59053eeeba34eb65d7fead807853cee6a68a2fa4

SHA512
a6f3c1343f1a5d26b55ac606033e2bc70c6da8804bf496adcaac99da644a66f6027491f693d1025b9c4260f8f226678d1d248e7ba68fea8d978a845db5dec2a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\_decimal.pyd

Filesize
101KB

MD5
c102d880e34122a2c3af883850f2b4fe

SHA1
68a0625a6fe923857a33a2142b7df17b8816280b

SHA256
35d0c0ab98e96595d3701875a56eb2b46bcce6fae758e690320597c3557c4572

SHA512
e81d487ba368539db3e0e32ceda0466b7dea77f5b7e5c6a3a9af58fcbbc09f2bb4f292f2cfcb861be06b4d33c92f79885b245f48da57d5582c74c2cf968e4214

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\_hashlib.pyd

Filesize
30KB

MD5
eebc2dcb17da1a72ced13c2561988625

SHA1
2ec77b48f1bca79a23f20ed37a5c1db2c1efd0a4

SHA256
68263de179a6a54fa56aff38f5b0957cc133bfdaf016e6e9c8f2f30a2ebf9e85

SHA512
77cc9d9a56e343601237abed691771f4c03acf68a87527c2fc55f4e0bdfcc6ca0d6a3a2c0365e0add519ba1dcb9ca3cab92393674c3af7a97fb9a09c30bae59d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\_lzma.pyd

Filesize
81KB

MD5
09a2aa784f8b7851579fc538688f5a10

SHA1
7d542e906d292fd30b211dcf3eb05b4c75ed9c4c

SHA256
d1f5f981f5e544e24cfbe54dc149f5ff6ddf8142dc1abb796e5146682ddab211

SHA512
fc2fb0bb9ad98b49ef70f294f00d87871e43bda6b6dbf1681ce71cdec5566b492246b3c5d9339b672b3a836f97b5bfcf058ecaceadf42b8d7be24104fded1c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\_multiprocessing.pyd

Filesize
22KB

MD5
42bb39668f0241f7ab3a1bb18f0b37c5

SHA1
51cc4305729348f57c0eeaefd33d2acd6b196c35

SHA256
b359f9b8a349e1f94303ed6ca63b6dfc0969ae86cd3f0f09f01768592210e4cf

SHA512
0344f15c787d8adadbdb367509c08d6fb4d092f34e095c3c690e3eadaa53cf5c3dd72589ee598fd362232ddd2e11aadc64df5dc08534c6e8cd08c2ca1fd5707c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\_overlapped.pyd

Filesize
27KB

MD5
53d0dba0685e8a8a0a637c2756ca86f0

SHA1
da248c72976d1a5ba866bc93227857f59078bcd4

SHA256
c6ccc16c420e5ba8738791f446c485c11300a73103f73b0710a6cb09d6792804

SHA512
4d99e9e38cee80c6fc2de6a2d0c607eb6a6dba5f452d8d2ec85716e2dd32b61b4d2040403cbd3add713cdbe4efb0f432b5d8b4251dcc34ab150e326c71ea32d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\_queue.pyd

Filesize
21KB

MD5
f33e773d34287f274496893a22999fa8

SHA1
d6f134b5deec092267d04af8dacff8feacaeb310

SHA256
cf11391bdf4f78c0f087a9fa04e04a0ff2d04cd0810d93b22d041be5b314f006

SHA512
872df9066e1c6b63c6b68e87b42698361f4bee1658c6b24dc3c940c81f8963c1523945b7d80e1e618ba6a6eebda71b0fc1b00978bce93201627a344a30080d73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\_socket.pyd

Filesize
38KB

MD5
38c4cf8d721649584034bcbf4213a7fb

SHA1
440a9d9196575bebc7142fc010089889e4fc7862

SHA256
dc9ae31110be5e4c0df5ffa957b92c339ffdae8b13a27999a9cb316707b9d046

SHA512
067f2dd390d472c08ba96ee97341398f15aac2365ee3df3c9616806649b29a66316c219ca7e681821de91fab3093705497418e5537ecf6c661c2eaae3f553ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\_sqlite3.pyd

Filesize
45KB

MD5
a1f6465479ffae2af93c9c8e56783152

SHA1
69548b4fa2c605de196c60ee0bdd4f8100f88d14

SHA256
05b03868d999da947cb13f4340c9c893c4f35cd4756781d0c1b38143bcdbcf38

SHA512
281761f17005a7576372042f378c0925fd9a07e9a684dfc8ee1b51ed40a760b4f1a7f090d64fcf6df48304a522784e5fc1c6b85b9c21abdd6714ea05165c3595

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\_ssl.pyd

Filesize
57KB

MD5
9528ffddf9164cd37c8643eff66f413a

SHA1
d5bbd1fa8a89172b7ab6eced407dcebb81fb2993

SHA256
d1220bf3c040366ebb8d0e69b5a5d7198f35e3db1e90eb54e11c8d20a00ad690

SHA512
5fd173f6d652f8d3a9d7c2013183a82b75f8ac31fef9625bcc6ded82f26eaa4d46001593e33713c7f055be10fd2a26cdb319c4d4a488f8bdb7008af8a7ae8302

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\_uuid.pyd

Filesize
18KB

MD5
b7195a97d6d09625f3f2123e681c2dc9

SHA1
83eee7915ca795cedb1661040d236f866c35e1ad

SHA256
3ccd63c7f701e254597645644d121c1ad01cb3f76db0848be1b9e7f30e4c9402

SHA512
2c7a3c4a9d0beca5420d6c0285a4e2f02f379c040739db2db35d8e6c3178f28403f475a758f6bccf328249a328145be80071b7280aa20190b7270bb0bbf02d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\base_library.zip

Filesize
858KB

MD5
b15e945b2a74976b9e3417daff3de44a

SHA1
386f8146feab37861d1a3730469e3b56e1ef3d28

SHA256
3e835af0eaf18019a687ae4322fbf626462a8b2bf6c74bd9fdf671e4841fdfa6

SHA512
795e61c7be30db0da7c384dc6c11057e9064a6594fa9f4edf0d02ff80d0c56e49cf5ee50c95adeca842997f08c1afabc38b6256562b6a8d27bc49195f42fc179

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\bound.luna

Filesize
9.2MB

MD5
cf60d3bba53974aa9da2a3540d609ebe

SHA1
94a6af7b2c918c0bd9794ca897147cb8037348c2

SHA256
6b8d6112a46024ab88c09463b08cfddee088ea4e01dba8d15f2a81b28661e613

SHA512
a54118d2cccb7773994ef318163747a673625e0c518848330f192732663f17e7ca603f0b8048ddf1f8cc47627bb9d18603f25f3c68d62cfc54868498e8a71e68

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\certifi\cacert.pem

Filesize
284KB

MD5
181ac9a809b1a8f1bc39c1c5c777cf2a

SHA1
9341e715cea2e6207329e7034365749fca1f37dc

SHA256
488ba960602bf07cc63f4ef7aec108692fec41820fc3328a8e3f3de038149aee

SHA512
e19a92b94aedcf1282b3ef561bd471ea19ed361334092c55d72425f9183ebd1d30a619e493841b6f75c629f26f28dc682960977941b486c59475f21cf86fff85

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\charset_normalizer\md.cp310-win_amd64.pyd

Filesize
9KB

MD5
e8b4d1cb8570939208d373a453633173

SHA1
ee1fb7d18f65d56dbf4b46df9a457cf93c473b98

SHA256
595f85c233750daf228b7dc19c28327b06ac9964835a48811d126ea47ab063c1

SHA512
d9ae659e2919758825db32b26e0233689d0fdaad241a8edb9316ed1684841ad665cd3b3b5e9bbfb0375c3fe1ea8557aac11b7c824257347ee36258c779c72eea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\charset_normalizer\md__mypyc.cp310-win_amd64.pyd

Filesize
39KB

MD5
1fad2ff24ed0e2fcf6ea8063f0d52520

SHA1
7df4dd9333c58f3fe142fcb4d48af52d6196066e

SHA256
b8b328bb6cd58475d7235578f27aef4dfeeefe1abd7198af564cb541cccf5e30

SHA512
0447b2b7f1b72c7e9c2e4b5909b90495964f1979f299fdbda0fd291daeaf07e937fbf0373e89fb78bae66694ca6ac2c37571f2e04787ba1b2db0ebde95be0e58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\libcrypto-1_1.dll

Filesize
1.1MB

MD5
a43194bf570e11957d70a6bd7f4f5bf8

SHA1
cecf0d568b01069d7cdda34182bab79b1213eca9

SHA256
9ba9f077ad54ef08fff0740b934a151858e50ab86b6ffea260bd3dc806093ae2

SHA512
cc5a15ecc899520c4e3ac5f2d5f6a4a9b960405c2d7fd6726adb32137cb50c11f17b17afab23743f01cc89cc9b898a2bcd5eeed02676a984d91b348d244bd770

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\libffi-7.dll

Filesize
23KB

MD5
4e261cbb8247260ea91860986110f805

SHA1
1563d67c2aabcb5e00e25ef293456c6481a2adc3

SHA256
ddfd0755e011ea0df26d77cf3628e2cc59653aee02bf241b54b6b08561520453

SHA512
076cdc8759f9cbbf7f8dc7b1eaba3c51f6c40ae6043b1fb55aa2fb83f81e86933d0f885a61d83300173b9bd7c589ff126e2a5d858a3f4036390d02eb1e73d229

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\libssl-1_1.dll

Filesize
198KB

MD5
85a0098648e8cad7c5fba9990756ef5f

SHA1
441e30102a8f7dfc575d67ff3c8c9bb0f3339483

SHA256
724dafbe2532faec17507300013905149a7dc1c65233d27b85f74c8111f6197b

SHA512
b7873374d3eb15847d313c1aa3b71f756fe60be8ccdfd5285aa1f20b297aa8732c65477e45e90648e375a418f9212f6d27e2c2feafb86a7ffc67805c1c0c8cb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\luna.aes

Filesize
4.7MB

MD5
804a6c377b71af7943915ae562ec6fd0

SHA1
70192537a1fbefe3b3629ef675af89c209f33fcd

SHA256
10f606f493b2bd2393033bb52ab39766fc173077cf948b1ce818d6ec5fd7e7b0

SHA512
9e428307f7e4164f7d97a88f13891f4ae3a1fdb6517fad744b48b070384493e268e4816eb28dce20105e312464cd47a76192066d70948039cd61d45d8f54df3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\psutil\_psutil_windows.pyd

Filesize
31KB

MD5
3adca2ff39adeb3567b73a4ca6d0253c

SHA1
ae35dde2348c8490f484d1afd0648380090e74fc

SHA256
92202b877579b74a87be769d58f9d1e8aced8a97336ad70e97d09685a10afeb3

SHA512
358d109b23cf99eb7396c450660f193e9e16f85f13737ecf29f4369b44f8356041a08443d157b325ccb5125a5f10410659761eda55f24fcc03a082ac8acdd345

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\pyexpat.pyd

Filesize
81KB

MD5
a1db9097411cf381f68eb583fbf7d199

SHA1
178aac7a936689c36e7d16138108599d0443d112

SHA256
312b8173296b239d8cd312e8861d5afe19656e345dbca63601a0680b1facd0e8

SHA512
379d0f7332549c288725bee63471248100b4ca251fc239a5b8516cf4c2bdc8760eadae32f70ecafc843a8ac882282b3ebe4f9ee075bd4400196c799d21a3b510

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\python3.DLL

Filesize
60KB

MD5
a5471f05fd616b0f8e582211ea470a15

SHA1
cb5f8bf048dc4fc58f80bdfd2e04570dbef4730e

SHA256
8d5e09791b8b251676e16bdd66a7118d88b10b66ad80a87d5897fadbefb91790

SHA512
e87d06778201615b129dcf4e8b4059399128276eb87102b5c3a64b6e92714f6b0d5bde5df4413cc1b66d33a77d7a3912eaa1035f73565dbfd62280d09d46abff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\python310.dll

Filesize
1.4MB

MD5
fea8b50c9cd4738b0ca28fe61705a77d

SHA1
fb84ab201b017ca27099558b6fb26701efe9612b

SHA256
56cd8356f6e4d4bde52672f58cc657f527cd07f67207bfb17afa0017f3f5d325

SHA512
21d98cb5b87a7c553ec2f1f935987731d2d9ce788f27746f1255fb0a475ae832453f7672081d06fdc31774e0ed64bb6855f4daa9f099bb0ac37179cd491bbe10

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\pywin32_system32\pythoncom310.dll

Filesize
193KB

MD5
202a8731825a75911a7c6ae1adc7dfac

SHA1
8c71aa55ed68a6abdf3db27938989c72fcbe8e21

SHA256
30b5dbd6d41f6128b063cc7f9854944dd0497b0d9cb6ba8e18c8d55f33b7733e

SHA512
1ae115ad229c378cb952b79b2923ad5209ce89c183d8a24503cf0cb05f77b45a6f04bf15f512472d04ea787aadc5254542b00c7ccd931061843f401874ab165d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\pywin32_system32\pywintypes310.dll

Filesize
62KB

MD5
95fed288c096235b736c0ffca46a9a5f

SHA1
bd868ccb83edb78b01c52649ee698abcb4eb0f3e

SHA256
6c4b09b003645f5a581a2406a003916847a60e689492b5d8c8be3cbbd4254244

SHA512
7adf8fc912a9b85bf2795c5d03d2f63a0cde5ae290be83411dd52099fc9d6f8d7d325f69f3bd064a242d01fd03271827a302c7a1dbe4905ac81387057c07f35b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\select.pyd

Filesize
21KB

MD5
5a3216c0883eef8bfae19c92ef1d6d1d

SHA1
a0ced6e6b47d2185184cd1a4da6803ddbb49d9cb

SHA256
f8252a6f79b819340113f89cfde61bbd9df0862fcf7b22197cb04f9666a76bb3

SHA512
144d9bc81cd12c74db89e05d435df3505603f65b0ac24e543c276031835fab2c10edaff68cde8269c0d50ec2c7504f01dd245fd30581398756d67f92dcfc48a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\sqlite3.dll

Filesize
605KB

MD5
25807738509d67f0723108e69a6fe68e

SHA1
6f45a883863a5d79e3bd7474c0266069c0406678

SHA256
90de31b062940b575e0ed0d25177573bd6f00c6f23423508ac197d5689635c20

SHA512
49d538c6d584be0bb669315453c5ab9991b1c00430d3c4a4fb617746d60af70b6ecb9d2904fb25eeff9a37ba0d9c0d34888bb879785eb600fe68bd4e5fd4b4f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\unicodedata.pyd

Filesize
285KB

MD5
f1e6d290a2ad158254b290b3b1df93d2

SHA1
61fbdaea9358171762b114f763871947849182ca

SHA256
2065975efc17fdbee36c64a265dbd1e12c90fb2351f2df3a413c789073faa204

SHA512
d3f96567d51df9a3aa4e6ca3f8e1ebe936661013f0dacfb9b786427cc0aea384d3c43bf26c92438e2a5db961c26a9610fc4c1bcb1fbed2e7bdfcc74ba3b6b06c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\win32\win32api.pyd

Filesize
48KB

MD5
71ec15831e6df0a2ef3bd6ba5c5df7e5

SHA1
18d2a5315668f5ae454d3466ba3b2abc13d98eb6

SHA256
1fca2edfada089e695d4ec071e4b59bfaca3bd30327f72a92a51ec2cb5de46eb

SHA512
50180c8b414787ba9c88a70abb1d28a38bb1250d81b8ffe17bd041f9ec8d99d2c68ac52df09286b77db3ac5b74395e804888804b8280eeda13a3fb160a4cd6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4522\zstandard\backend_c.cp310-win_amd64.pyd

Filesize
174KB

MD5
6aa20997ac4e2ed34c3977d46a28662e

SHA1
9618bb8038c6132f012cf5c9a8a1be24e5a65a26

SHA256
e07dda20d5403f5beca70c0db5229a7b4f81cc735ec3f9220da0475fce90146e

SHA512
6f5562e52f342c4e1ef3f763e63ef79f4796bdfadd19cb3d723cf0612368644917a62f64cd2fc8f8b93e918d69de6399fadf4c223bb2261b6154930001f43b07

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yp23bepd.el0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2524-230-0x00007FF971EE0000-0x00007FF971EEB000-memory.dmp

Filesize
44KB

Download
memory/2524-252-0x00007FF971F20000-0x00007FF971F58000-memory.dmp

Filesize
224KB

Download
memory/2524-170-0x00007FF972310000-0x00007FF97233C000-memory.dmp

Filesize
176KB

Download
memory/2524-171-0x00007FF9720D0000-0x00007FF972105000-memory.dmp

Filesize
212KB

Download
memory/2524-144-0x00007FF9772A0000-0x00007FF9772AF000-memory.dmp

Filesize
60KB

Download
memory/2524-183-0x00007FF9722F0000-0x00007FF972309000-memory.dmp

Filesize
100KB

Download
memory/2524-191-0x00007FF9721B0000-0x00007FF9721DE000-memory.dmp

Filesize
184KB

Download
memory/2524-197-0x000001F442010000-0x000001F442384000-memory.dmp

Filesize
3.5MB

Download
memory/2524-196-0x00007FF962CA0000-0x00007FF963014000-memory.dmp

Filesize
3.5MB

Download
memory/2524-184-0x00007FF977140000-0x00007FF97714D000-memory.dmp

Filesize
52KB

Download
memory/2524-185-0x00007FF971EA0000-0x00007FF971ECE000-memory.dmp

Filesize
184KB

Download
memory/2524-186-0x00007FF9715B0000-0x00007FF97166C000-memory.dmp

Filesize
752KB

Download
memory/2524-187-0x00007FF971E50000-0x00007FF971E7B000-memory.dmp

Filesize
172KB

Download
memory/2524-212-0x00007FF971E20000-0x00007FF971E2A000-memory.dmp

Filesize
40KB

Download
memory/2524-211-0x00007FF969AE0000-0x00007FF969B06000-memory.dmp

Filesize
152KB

Download
memory/2524-210-0x00007FF9721A0000-0x00007FF9721AB000-memory.dmp

Filesize
44KB

Download
memory/2524-209-0x00007FF963710000-0x00007FF963B75000-memory.dmp

Filesize
4.4MB

Download
memory/2524-202-0x00007FF971590000-0x00007FF9715A5000-memory.dmp

Filesize
84KB

Download
memory/2524-201-0x00007FF96ECA0000-0x00007FF96ED27000-memory.dmp

Filesize
540KB

Download
memory/2524-195-0x00007FF963020000-0x00007FF9630D6000-memory.dmp

Filesize
728KB

Download
memory/2524-215-0x00007FF964230000-0x00007FF964248000-memory.dmp

Filesize
96KB

Download
memory/2524-188-0x00007FF972470000-0x00007FF97247D000-memory.dmp

Filesize
52KB

Download
memory/2524-218-0x00007FF963300000-0x00007FF96346D000-memory.dmp

Filesize
1.4MB

Download
memory/2524-217-0x00007FF978890000-0x00007FF9788AE000-memory.dmp

Filesize
120KB

Download
memory/2524-224-0x000001F442010000-0x000001F442384000-memory.dmp

Filesize
3.5MB

Download
memory/2524-223-0x00007FF971F20000-0x00007FF971F58000-memory.dmp

Filesize
224KB

Download
memory/2524-222-0x00007FF9721B0000-0x00007FF9721DE000-memory.dmp

Filesize
184KB

Download
memory/2524-221-0x00007FF971F60000-0x00007FF971F7C000-memory.dmp

Filesize
112KB

Download
memory/2524-220-0x00007FF9722F0000-0x00007FF972309000-memory.dmp

Filesize
100KB

Download
memory/2524-219-0x00007FF971F80000-0x00007FF971F8B000-memory.dmp

Filesize
44KB

Download
memory/2524-225-0x00007FF963020000-0x00007FF9630D6000-memory.dmp

Filesize
728KB

Download
memory/2524-235-0x00007FF96FE20000-0x00007FF96FE2E000-memory.dmp

Filesize
56KB

Download
memory/2524-234-0x00007FF96FE40000-0x00007FF96FE4C000-memory.dmp

Filesize
48KB

Download
memory/2524-233-0x00007FF96FE30000-0x00007FF96FE3C000-memory.dmp

Filesize
48KB

Download
memory/2524-232-0x00007FF96FE50000-0x00007FF96FE5B000-memory.dmp

Filesize
44KB

Download
memory/2524-231-0x00007FF971ED0000-0x00007FF971EDC000-memory.dmp

Filesize
48KB

Download
memory/2524-189-0x00007FF9635F0000-0x00007FF963708000-memory.dmp

Filesize
1.1MB

Download
memory/2524-229-0x00007FF971EF0000-0x00007FF971EFC000-memory.dmp

Filesize
48KB

Download
memory/2524-228-0x00007FF971F00000-0x00007FF971F0B000-memory.dmp

Filesize
44KB

Download
memory/2524-227-0x00007FF971F10000-0x00007FF971F1B000-memory.dmp

Filesize
44KB

Download
memory/2524-226-0x00007FF962CA0000-0x00007FF963014000-memory.dmp

Filesize
3.5MB

Download
memory/2524-237-0x00007FF96EF90000-0x00007FF96EF9B000-memory.dmp

Filesize
44KB

Download
memory/2524-236-0x00007FF96FE10000-0x00007FF96FE1C000-memory.dmp

Filesize
48KB

Download
memory/2524-242-0x00007FF964200000-0x00007FF964212000-memory.dmp

Filesize
72KB

Download
memory/2524-241-0x00007FF964220000-0x00007FF96422D000-memory.dmp

Filesize
52KB

Download
memory/2524-240-0x00007FF969530000-0x00007FF96953C000-memory.dmp

Filesize
48KB

Download
memory/2524-243-0x00007FF964230000-0x00007FF964248000-memory.dmp

Filesize
96KB

Download
memory/2524-246-0x00007FF9632C0000-0x00007FF9632E9000-memory.dmp

Filesize
164KB

Download
memory/2524-245-0x00007FF9632F0000-0x00007FF9632FC000-memory.dmp

Filesize
48KB

Download
memory/2524-244-0x00007FF963300000-0x00007FF96346D000-memory.dmp

Filesize
1.4MB

Download
memory/2524-239-0x00007FF96BC60000-0x00007FF96BC6C000-memory.dmp

Filesize
48KB

Download
memory/2524-238-0x00007FF96EC90000-0x00007FF96EC9B000-memory.dmp

Filesize
44KB

Download
memory/2524-247-0x00007FF978890000-0x00007FF9788AE000-memory.dmp

Filesize
120KB

Download
memory/2524-248-0x00007FF961F90000-0x00007FF962374000-memory.dmp

Filesize
3.9MB

Download
memory/2524-249-0x00007FF95FDC0000-0x00007FF961EE6000-memory.dmp

Filesize
33.1MB

Download
memory/2524-250-0x00007FF9632A0000-0x00007FF9632B7000-memory.dmp

Filesize
92KB

Download
memory/2524-251-0x00007FF962600000-0x00007FF962621000-memory.dmp

Filesize
132KB

Download
memory/2524-168-0x00007FF972340000-0x00007FF972359000-memory.dmp

Filesize
100KB

Download
memory/2524-253-0x00007FF9623B0000-0x00007FF9625F8000-memory.dmp

Filesize
2.3MB

Download
memory/2524-256-0x00007FF963710000-0x00007FF963B75000-memory.dmp

Filesize
4.4MB

Download
memory/2524-291-0x00007FF972470000-0x00007FF97247D000-memory.dmp

Filesize
52KB

Download
memory/2524-314-0x00007FF96FE10000-0x00007FF96FE1C000-memory.dmp

Filesize
48KB

Download
memory/2524-313-0x00007FF971ED0000-0x00007FF971EDC000-memory.dmp

Filesize
48KB

Download
memory/2524-312-0x00007FF96FE30000-0x00007FF96FE3C000-memory.dmp

Filesize
48KB

Download
memory/2524-311-0x00007FF96FE50000-0x00007FF96FE5B000-memory.dmp

Filesize
44KB

Download
memory/2524-310-0x00007FF96FE20000-0x00007FF96FE2E000-memory.dmp

Filesize
56KB

Download
memory/2524-309-0x00007FF971EE0000-0x00007FF971EEB000-memory.dmp

Filesize
44KB

Download
memory/2524-308-0x00007FF971EF0000-0x00007FF971EFC000-memory.dmp

Filesize
48KB

Download
memory/2524-307-0x00007FF971F00000-0x00007FF971F0B000-memory.dmp

Filesize
44KB

Download
memory/2524-306-0x00007FF971F10000-0x00007FF971F1B000-memory.dmp

Filesize
44KB

Download
memory/2524-305-0x00007FF963300000-0x00007FF96346D000-memory.dmp

Filesize
1.4MB

Download
memory/2524-304-0x00007FF971F80000-0x00007FF971F8B000-memory.dmp

Filesize
44KB

Download
memory/2524-303-0x00007FF971F60000-0x00007FF971F7C000-memory.dmp

Filesize
112KB

Download
memory/2524-302-0x00007FF978890000-0x00007FF9788AE000-memory.dmp

Filesize
120KB

Download
memory/2524-301-0x00007FF964230000-0x00007FF964248000-memory.dmp

Filesize
96KB

Download
memory/2524-300-0x00007FF964200000-0x00007FF964212000-memory.dmp

Filesize
72KB

Download
memory/2524-299-0x00007FF9721A0000-0x00007FF9721AB000-memory.dmp

Filesize
44KB

Download
memory/2524-298-0x00007FF971E20000-0x00007FF971E2A000-memory.dmp

Filesize
40KB

Download
memory/2524-297-0x00007FF96ECA0000-0x00007FF96ED27000-memory.dmp

Filesize
540KB

Download
memory/2524-296-0x00007FF971F20000-0x00007FF971F58000-memory.dmp

Filesize
224KB

Download
memory/2524-295-0x00007FF96FE40000-0x00007FF96FE4C000-memory.dmp

Filesize
48KB

Download
memory/2524-294-0x00007FF963020000-0x00007FF9630D6000-memory.dmp

Filesize
728KB

Download
memory/2524-293-0x00007FF9721B0000-0x00007FF9721DE000-memory.dmp

Filesize
184KB

Download
memory/2524-292-0x00007FF9635F0000-0x00007FF963708000-memory.dmp

Filesize
1.1MB

Download
memory/2524-290-0x00007FF971E50000-0x00007FF971E7B000-memory.dmp

Filesize
172KB

Download
memory/2524-289-0x00007FF9715B0000-0x00007FF97166C000-memory.dmp

Filesize
752KB

Download
memory/2524-288-0x00007FF971EA0000-0x00007FF971ECE000-memory.dmp

Filesize
184KB

Download
memory/2524-287-0x00007FF977140000-0x00007FF97714D000-memory.dmp

Filesize
52KB

Download
memory/2524-286-0x00007FF9722F0000-0x00007FF972309000-memory.dmp

Filesize
100KB

Download
memory/2524-285-0x00007FF972310000-0x00007FF97233C000-memory.dmp

Filesize
176KB

Download
memory/2524-284-0x00007FF9720D0000-0x00007FF972105000-memory.dmp

Filesize
212KB

Download
memory/2524-283-0x00007FF972340000-0x00007FF972359000-memory.dmp

Filesize
100KB

Download
memory/2524-282-0x00007FF9772A0000-0x00007FF9772AF000-memory.dmp

Filesize
60KB

Download
memory/2524-281-0x00007FF972360000-0x00007FF972384000-memory.dmp

Filesize
144KB

Download
memory/2524-280-0x00007FF971590000-0x00007FF9715A5000-memory.dmp

Filesize
84KB

Download
memory/2524-271-0x00007FF962CA0000-0x00007FF963014000-memory.dmp

Filesize
3.5MB

Download
memory/2524-143-0x00007FF972360000-0x00007FF972384000-memory.dmp

Filesize
144KB

Download
memory/2524-133-0x00007FF963710000-0x00007FF963B75000-memory.dmp

Filesize
4.4MB

Download
memory/3684-554-0x00007FF962B40000-0x00007FF962CAD000-memory.dmp

Filesize
1.4MB

Download
memory/3684-547-0x00007FF9720B0000-0x00007FF9720D4000-memory.dmp

Filesize
144KB

Download
memory/3684-559-0x00007FF977090000-0x00007FF9770A0000-memory.dmp

Filesize
64KB

Download
memory/3684-558-0x00007FF96EC90000-0x00007FF96ECA4000-memory.dmp

Filesize
80KB

Download
memory/3684-566-0x00007FF964220000-0x00007FF964269000-memory.dmp

Filesize
292KB

Download
memory/3684-570-0x00007FF961010000-0x00007FF961702000-memory.dmp

Filesize
6.9MB

Download
memory/3684-564-0x00007FF964CD0000-0x00007FF964CE7000-memory.dmp

Filesize
92KB

Download
memory/3684-553-0x00007FF9721F0000-0x00007FF97220E000-memory.dmp

Filesize
120KB

Download
memory/3684-565-0x00007FF964CB0000-0x00007FF964CC9000-memory.dmp

Filesize
100KB

Download
memory/3684-546-0x00007FF961C70000-0x00007FF9620D5000-memory.dmp

Filesize
4.4MB

Download
memory/3684-758-0x00007FF961C70000-0x00007FF9620D5000-memory.dmp

Filesize
4.4MB

Download
memory/3684-770-0x00007FF96EC90000-0x00007FF96ECA4000-memory.dmp

Filesize
80KB

Download
memory/3684-769-0x00007FF961830000-0x00007FF961BA4000-memory.dmp

Filesize
3.5MB

Download
memory/3684-768-0x00007FF961BB0000-0x00007FF961C66000-memory.dmp

Filesize
728KB

Download
memory/3684-767-0x00007FF969AE0000-0x00007FF969B0E000-memory.dmp

Filesize
184KB

Download