exelastealer | d612dca4a8fdbb3f559bec6e238183b4def59d16c9e6daa6bcd7ebc681788d78

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22-07-2024 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GC-Cracked.exe
Size

38.7MB
MD5

1dfb83bd1064ce3ea06668d695502adf
SHA1

909d179c2da984fd233ef1c80db3c8274b52e02b
SHA256

d612dca4a8fdbb3f559bec6e238183b4def59d16c9e6daa6bcd7ebc681788d78
SHA512

87af398a38226c30bde7ddf56196ad7075c271b70610f05858bc5e3c9e799d9185aef31dc331dec1b69248bf165fc098c1fe6cbf868c73d4173b34d333823632
SSDEEP

786432:KGzxfrl5B5Hxc5RVqe+K+jrqrWBA1y3z+pOMoDoBXuO0WCN/:KmNzbHIUKNrO0BXuB

Score

10^/10

exelastealer defense_evasion evasion persistence privilege_escalation pyinstaller spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4916	netsh.exe
4336	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation	GC-Cracked.exe

Deletes itself 1 IoCs

pid	Process
2328	Random.exe

Executes dropped EXE 3 IoCs

pid	Process
1204	Random.exe
2328	Random.exe
3596	gc.exe

Loads dropped DLL 32 IoCs

pid	Process
2328	Random.exe
2328	Random.exe
2328	Random.exe
2328	Random.exe
2328	Random.exe
2328	Random.exe
2328	Random.exe
2328	Random.exe
2328	Random.exe
2328	Random.exe
2328	Random.exe
2328	Random.exe
2328	Random.exe
2328	Random.exe
2328	Random.exe
2328	Random.exe
2328	Random.exe
2328	Random.exe
2328	Random.exe
2328	Random.exe
2328	Random.exe
2328	Random.exe
2328	Random.exe
2328	Random.exe
2328	Random.exe
2328	Random.exe
2328	Random.exe
2328	Random.exe
2328	Random.exe
2328	Random.exe
2328	Random.exe
2328	Random.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023487-61.dat	upx
behavioral2/memory/2328-65-0x00007FFA79A10000-0x00007FFA7A0D5000-memory.dmp	upx
behavioral2/files/0x0007000000023481-78.dat	upx
behavioral2/files/0x000700000002345e-102.dat	upx
behavioral2/files/0x0007000000023488-104.dat	upx
behavioral2/files/0x000700000002345a-111.dat	upx
behavioral2/memory/2328-116-0x00007FFA885B0000-0x00007FFA885D4000-memory.dmp	upx
behavioral2/files/0x000700000002347d-119.dat	upx
behavioral2/memory/2328-117-0x00007FFA79890000-0x00007FFA79A0E000-memory.dmp	upx
behavioral2/memory/2328-121-0x00007FFA790E0000-0x00007FFA79881000-memory.dmp	upx
behavioral2/memory/2328-115-0x00007FFA89680000-0x00007FFA896AD000-memory.dmp	upx
behavioral2/memory/2328-114-0x00007FFA89BC0000-0x00007FFA89BDA000-memory.dmp	upx
behavioral2/files/0x000700000002345f-112.dat	upx
behavioral2/files/0x0007000000023456-122.dat	upx
behavioral2/files/0x0007000000023482-127.dat	upx
behavioral2/files/0x0007000000023480-126.dat	upx
behavioral2/memory/2328-125-0x00007FFA7FCA0000-0x00007FFA7FCD3000-memory.dmp	upx
behavioral2/memory/2328-129-0x00007FFA78590000-0x00007FFA7865D000-memory.dmp	upx
behavioral2/memory/2328-128-0x00007FFA78660000-0x00007FFA78B89000-memory.dmp	upx
behavioral2/files/0x0007000000023484-133.dat	upx
behavioral2/files/0x0007000000023459-137.dat	upx
behavioral2/files/0x000700000002348c-141.dat	upx
behavioral2/memory/2328-145-0x00007FFA78370000-0x00007FFA78392000-memory.dmp	upx
behavioral2/memory/2328-144-0x00007FFA79A10000-0x00007FFA7A0D5000-memory.dmp	upx
behavioral2/memory/2328-142-0x00007FFA783A0000-0x00007FFA784BB000-memory.dmp	upx
behavioral2/files/0x000700000002348a-140.dat	upx
behavioral2/memory/2328-139-0x00007FFA7FC80000-0x00007FFA7FC94000-memory.dmp	upx
behavioral2/memory/2328-138-0x00007FFA80280000-0x00007FFA80294000-memory.dmp	upx
behavioral2/memory/2328-135-0x00007FFA83FC0000-0x00007FFA83FD2000-memory.dmp	upx
behavioral2/memory/2328-134-0x00007FFA846B0000-0x00007FFA846C6000-memory.dmp	upx
behavioral2/files/0x000700000002345c-132.dat	upx
behavioral2/files/0x0007000000023454-131.dat	upx
behavioral2/memory/2328-124-0x00007FFA83FE0000-0x00007FFA84019000-memory.dmp	upx
behavioral2/files/0x0007000000023460-123.dat	upx
behavioral2/files/0x0007000000023489-113.dat	upx
behavioral2/files/0x0007000000023455-110.dat	upx
behavioral2/memory/2328-109-0x00007FFA89F90000-0x00007FFA89F9D000-memory.dmp	upx
behavioral2/memory/2328-107-0x00007FFA8A250000-0x00007FFA8A25D000-memory.dmp	upx
behavioral2/memory/2328-106-0x00007FFA896B0000-0x00007FFA896C9000-memory.dmp	upx
behavioral2/files/0x0007000000023462-105.dat	upx
behavioral2/files/0x0007000000023464-147.dat	upx
behavioral2/files/0x0007000000023466-151.dat	upx
behavioral2/memory/2328-150-0x00007FFA8D470000-0x00007FFA8D487000-memory.dmp	upx
behavioral2/memory/2328-149-0x00007FFA89E20000-0x00007FFA89E45000-memory.dmp	upx
behavioral2/memory/2328-158-0x00007FFA89CF0000-0x00007FFA89D0E000-memory.dmp	upx
behavioral2/memory/2328-157-0x00007FFA89E80000-0x00007FFA89E91000-memory.dmp	upx
behavioral2/memory/2328-156-0x00007FFA89D10000-0x00007FFA89D5C000-memory.dmp	upx
behavioral2/memory/2328-155-0x00007FFA89EA0000-0x00007FFA89EB9000-memory.dmp	upx
behavioral2/memory/2328-154-0x00007FFA89F90000-0x00007FFA89F9D000-memory.dmp	upx
behavioral2/files/0x000700000002345d-96.dat	upx
behavioral2/files/0x000700000002345b-94.dat	upx
behavioral2/files/0x0007000000023458-91.dat	upx
behavioral2/files/0x0007000000023485-83.dat	upx
behavioral2/memory/2328-80-0x00007FFA8D3D0000-0x00007FFA8D3DF000-memory.dmp	upx
behavioral2/memory/2328-79-0x00007FFA89E20000-0x00007FFA89E45000-memory.dmp	upx
behavioral2/files/0x0007000000023457-76.dat	upx
behavioral2/memory/2328-214-0x00007FFA885B0000-0x00007FFA885D4000-memory.dmp	upx
behavioral2/memory/2328-216-0x00007FFA88A50000-0x00007FFA88A5D000-memory.dmp	upx
behavioral2/memory/2328-215-0x00007FFA79890000-0x00007FFA79A0E000-memory.dmp	upx
behavioral2/memory/2328-263-0x00007FFA89D10000-0x00007FFA89D5C000-memory.dmp	upx
behavioral2/memory/2328-266-0x00007FFA88A50000-0x00007FFA88A5D000-memory.dmp	upx
behavioral2/memory/2328-262-0x00007FFA89EA0000-0x00007FFA89EB9000-memory.dmp	upx
behavioral2/memory/2328-261-0x00007FFA8D470000-0x00007FFA8D487000-memory.dmp	upx
behavioral2/memory/2328-260-0x00007FFA78370000-0x00007FFA78392000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
38	discord.com
40	discord.com
41	discord.com
45	discord.com
36	discord.com
37	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
26	ip-api.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\eicar.com	gc.exe
File created	C:\Windows\System32\eicar.com	gc.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1432	cmd.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
3596	gc.exe
3596	gc.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3328	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x00090000000233fa-4.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

EICAR Anti-Malware test file 1 IoCs

resource	yara_rule
behavioral2/files/0x0007000000023494-219.dat	eicar_test_file

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
3936	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4932	WMIC.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

Process Discovery

T1057

pid	Process
2540	tasklist.exe
544	tasklist.exe
1696	tasklist.exe
3012	tasklist.exe
1284	tasklist.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2080	ipconfig.exe
1532	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1572	systeminfo.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3596	gc.exe
3596	gc.exe
4776	powershell.exe
4776	powershell.exe
4776	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4668	WMIC.exe
Token: SeSecurityPrivilege	4668	WMIC.exe
Token: SeTakeOwnershipPrivilege	4668	WMIC.exe
Token: SeLoadDriverPrivilege	4668	WMIC.exe
Token: SeSystemProfilePrivilege	4668	WMIC.exe
Token: SeSystemtimePrivilege	4668	WMIC.exe
Token: SeProfSingleProcessPrivilege	4668	WMIC.exe
Token: SeIncBasePriorityPrivilege	4668	WMIC.exe
Token: SeCreatePagefilePrivilege	4668	WMIC.exe
Token: SeBackupPrivilege	4668	WMIC.exe
Token: SeRestorePrivilege	4668	WMIC.exe
Token: SeShutdownPrivilege	4668	WMIC.exe
Token: SeDebugPrivilege	4668	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4668	WMIC.exe
Token: SeRemoteShutdownPrivilege	4668	WMIC.exe
Token: SeUndockPrivilege	4668	WMIC.exe
Token: SeManageVolumePrivilege	4668	WMIC.exe
Token: 33	4668	WMIC.exe
Token: 34	4668	WMIC.exe
Token: 35	4668	WMIC.exe
Token: 36	4668	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4932	WMIC.exe
Token: SeSecurityPrivilege	4932	WMIC.exe
Token: SeTakeOwnershipPrivilege	4932	WMIC.exe
Token: SeLoadDriverPrivilege	4932	WMIC.exe
Token: SeSystemProfilePrivilege	4932	WMIC.exe
Token: SeSystemtimePrivilege	4932	WMIC.exe
Token: SeProfSingleProcessPrivilege	4932	WMIC.exe
Token: SeIncBasePriorityPrivilege	4932	WMIC.exe
Token: SeCreatePagefilePrivilege	4932	WMIC.exe
Token: SeBackupPrivilege	4932	WMIC.exe
Token: SeRestorePrivilege	4932	WMIC.exe
Token: SeShutdownPrivilege	4932	WMIC.exe
Token: SeDebugPrivilege	4932	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4932	WMIC.exe
Token: SeRemoteShutdownPrivilege	4932	WMIC.exe
Token: SeUndockPrivilege	4932	WMIC.exe
Token: SeManageVolumePrivilege	4932	WMIC.exe
Token: 33	4932	WMIC.exe
Token: 34	4932	WMIC.exe
Token: 35	4932	WMIC.exe
Token: 36	4932	WMIC.exe
Token: SeDebugPrivilege	1696	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4668	WMIC.exe
Token: SeSecurityPrivilege	4668	WMIC.exe
Token: SeTakeOwnershipPrivilege	4668	WMIC.exe
Token: SeLoadDriverPrivilege	4668	WMIC.exe
Token: SeSystemProfilePrivilege	4668	WMIC.exe
Token: SeSystemtimePrivilege	4668	WMIC.exe
Token: SeProfSingleProcessPrivilege	4668	WMIC.exe
Token: SeIncBasePriorityPrivilege	4668	WMIC.exe
Token: SeCreatePagefilePrivilege	4668	WMIC.exe
Token: SeBackupPrivilege	4668	WMIC.exe
Token: SeRestorePrivilege	4668	WMIC.exe
Token: SeShutdownPrivilege	4668	WMIC.exe
Token: SeDebugPrivilege	4668	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4668	WMIC.exe
Token: SeRemoteShutdownPrivilege	4668	WMIC.exe
Token: SeUndockPrivilege	4668	WMIC.exe
Token: SeManageVolumePrivilege	4668	WMIC.exe
Token: 33	4668	WMIC.exe
Token: 34	4668	WMIC.exe
Token: 35	4668	WMIC.exe
Token: 36	4668	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4164 wrote to memory of 1204	4164	GC-Cracked.exe	87
PID 4164 wrote to memory of 1204	4164	GC-Cracked.exe	87
PID 1204 wrote to memory of 2328	1204	Random.exe	88
PID 1204 wrote to memory of 2328	1204	Random.exe	88
PID 4164 wrote to memory of 3596	4164	GC-Cracked.exe	89
PID 4164 wrote to memory of 3596	4164	GC-Cracked.exe	89
PID 2328 wrote to memory of 3244	2328	Random.exe	92
PID 2328 wrote to memory of 3244	2328	Random.exe	92
PID 2328 wrote to memory of 1164	2328	Random.exe	93
PID 2328 wrote to memory of 1164	2328	Random.exe	93
PID 2328 wrote to memory of 1716	2328	Random.exe	94
PID 2328 wrote to memory of 1716	2328	Random.exe	94
PID 2328 wrote to memory of 316	2328	Random.exe	95
PID 2328 wrote to memory of 316	2328	Random.exe	95
PID 1164 wrote to memory of 4668	1164	cmd.exe	100
PID 1164 wrote to memory of 4668	1164	cmd.exe	100
PID 3244 wrote to memory of 4932	3244	cmd.exe	101
PID 3244 wrote to memory of 4932	3244	cmd.exe	101
PID 316 wrote to memory of 1696	316	cmd.exe	102
PID 316 wrote to memory of 1696	316	cmd.exe	102
PID 2328 wrote to memory of 3192	2328	Random.exe	103
PID 2328 wrote to memory of 3192	2328	Random.exe	103
PID 3192 wrote to memory of 3276	3192	cmd.exe	105
PID 3192 wrote to memory of 3276	3192	cmd.exe	105
PID 2328 wrote to memory of 3156	2328	Random.exe	145
PID 2328 wrote to memory of 3156	2328	Random.exe	145
PID 2328 wrote to memory of 1660	2328	Random.exe	107
PID 2328 wrote to memory of 1660	2328	Random.exe	107
PID 3156 wrote to memory of 4284	3156	cmd.exe	111
PID 3156 wrote to memory of 4284	3156	cmd.exe	111
PID 2328 wrote to memory of 1432	2328	Random.exe	112
PID 2328 wrote to memory of 1432	2328	Random.exe	112
PID 1432 wrote to memory of 4920	1432	cmd.exe	114
PID 1432 wrote to memory of 4920	1432	cmd.exe	114
PID 2328 wrote to memory of 2792	2328	Random.exe	115
PID 2328 wrote to memory of 2792	2328	Random.exe	115
PID 2328 wrote to memory of 3300	2328	Random.exe	116
PID 2328 wrote to memory of 3300	2328	Random.exe	116
PID 3300 wrote to memory of 1284	3300	cmd.exe	119
PID 3300 wrote to memory of 1284	3300	cmd.exe	119
PID 2792 wrote to memory of 2076	2792	cmd.exe	120
PID 2792 wrote to memory of 2076	2792	cmd.exe	120
PID 2328 wrote to memory of 2220	2328	Random.exe	165
PID 2328 wrote to memory of 2220	2328	Random.exe	165
PID 2328 wrote to memory of 1108	2328	Random.exe	124
PID 2328 wrote to memory of 1108	2328	Random.exe	124
PID 2328 wrote to memory of 2384	2328	Random.exe	125
PID 2328 wrote to memory of 2384	2328	Random.exe	125
PID 2328 wrote to memory of 1876	2328	Random.exe	126
PID 2328 wrote to memory of 1876	2328	Random.exe	126
PID 1876 wrote to memory of 4776	1876	cmd.exe	131
PID 1876 wrote to memory of 4776	1876	cmd.exe	131
PID 2384 wrote to memory of 2540	2384	cmd.exe	132
PID 2384 wrote to memory of 2540	2384	cmd.exe	132
PID 2220 wrote to memory of 868	2220	cmd.exe	133
PID 2220 wrote to memory of 868	2220	cmd.exe	133
PID 1108 wrote to memory of 3716	1108	cmd.exe	134
PID 1108 wrote to memory of 3716	1108	cmd.exe	134
PID 868 wrote to memory of 4260	868	cmd.exe	135
PID 868 wrote to memory of 4260	868	cmd.exe	135
PID 3716 wrote to memory of 4692	3716	cmd.exe	136
PID 3716 wrote to memory of 4692	3716	cmd.exe	136
PID 2328 wrote to memory of 4456	2328	Random.exe	137
PID 2328 wrote to memory of 4456	2328	Random.exe	137

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4920	attrib.exe

C:\Users\Admin\AppData\Local\Temp\GC-Cracked.exe
"C:\Users\Admin\AppData\Local\Temp\GC-Cracked.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4164
- C:\Users\Admin\AppData\Local\Temp\Random.exe
  "C:\Users\Admin\AppData\Local\Temp\Random.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Users\Admin\AppData\Local\Temp\Random.exe
    "C:\Users\Admin\AppData\Local\Temp\Random.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2328
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3244
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        Suspicious use of AdjustPrivilegeToken
        
        PID:4932
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1164
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4668
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "gdb --version"
      4⤵
      PID:1716
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:316
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3192
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        5⤵
        
        PID:3276
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3156
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:4284
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:1660
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:3012
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
      4⤵
      Hide Artifacts: Hidden Files and Directories
      Suspicious use of WriteProcessMemory
      PID:1432
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
        5⤵
        Views/modifies file attributes
        
        PID:4920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2792
    - - C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
        5⤵
        
        PID:2076
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3300
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:1284
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2220
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:868
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:4260
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1108
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3716
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:4692
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2384
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:2540
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:4776
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      PID:4456
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
      4⤵
      PID:1160
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:1572
    - - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        5⤵
        
        PID:5040
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        5⤵
        Collects information from the system
        
        PID:3936
    - - C:\Windows\system32\net.exe
        
        net user
        5⤵
        
        PID:4728
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        6⤵
        
        PID:4480
    - - C:\Windows\system32\query.exe
        
        query user
        5⤵
        
        PID:4780
      - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        6⤵
        
        PID:2820
    - - C:\Windows\system32\net.exe
        
        net localgroup
        5⤵
        
        PID:2184
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        6⤵
        
        PID:3960
    - - C:\Windows\system32\net.exe
        
        net localgroup administrators
        5⤵
        
        PID:1852
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        6⤵
        
        PID:1808
    - - C:\Windows\system32\net.exe
        
        net user guest
        5⤵
        
        PID:3660
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        6⤵
        
        PID:2500
    - - C:\Windows\system32\net.exe
        
        net user administrator
        5⤵
        
        PID:452
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        6⤵
        
        PID:1476
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        5⤵
        
        PID:1100
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        5⤵
        Enumerates processes with tasklist
        
        PID:544
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:2080
    - - C:\Windows\system32\ROUTE.EXE
        
        route print
        5⤵
        
        PID:864
    - - C:\Windows\system32\ARP.EXE
        
        arp -a
        5⤵
        
        PID:2220
    - - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        5⤵
        Gathers network information
        
        PID:1532
    - - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        5⤵
        Launches sc.exe
        
        PID:3328
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4336
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4916
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:640
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:1360
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:860
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:1016
- C:\Users\Admin\AppData\Local\Temp\gc.exe
  "C:\Users\Admin\AppData\Local\Temp\gc.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  PID:3596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c cls
    3⤵
    PID:4516

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:3156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Random.exe

Filesize
10.8MB

MD5
6d1350a0bf5967f1ba997dedffe269c3

SHA1
62c6acf6290d228cdaf6831a453843d48ff48bea

SHA256
b081ff18e10debb0c42c059e33b04cf04d9fdfe52b48be421552b48989f28463

SHA512
8468c3fb5c6f807354c2ad532214deac8b446c7b362d1c4eeb97d28a02954b8c8971ed5bd3bf76e58e892c13d72faf79365a5dee6c4b3948ed387b8c1280e037

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\_asyncio.pyd

Filesize
37KB

MD5
aa201667e71339521572d224ae77a1ea

SHA1
8da1f6c6ab2f3c38d28159c8844271be3a298f24

SHA256
de660cf4cd1da9e9cfbfe9702da76b9a3c40540022da9dbbbd6a17b2c0385904

SHA512
c149ad488bcb2c45505ec429564417472e0b96125f62ad0ae3ad95dbda9beffe0f13c8ed6cb814cc6b1a1eaf0e3c0329de17078849562b3a788b8defc7137327

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\_bz2.pyd

Filesize
48KB

MD5
99614f713c9be905d87c0cf58200bc36

SHA1
41a599edac97c9f5dd9150116135413574614e60

SHA256
7b3b785cdfa2c1b5eb54481144021f21adc2b35c4b660b6478dacbf04ae90baf

SHA512
f7bff6f2f2700f5dba50dc08687705e03e4fddd252c3e2e6443c7d19422d5abf93fd237c10c835cdcaec21fb0b72478fd2d2db63cc4da7b659c003b6068d2b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\_cffi_backend.cp312-win_amd64.pyd

Filesize
71KB

MD5
1c0cc15036c54930c1e61306a8be4658

SHA1
7d88a5a72198e2785c5514200ab8f85b50946fb9

SHA256
1666002cf4ff50cf337159e187ecf990d2ec23d5324736e66cf68df4c80cc12c

SHA512
bb235e55a69bbdc27102d7afea9089480a5de35f064e63bb3265b060906268f8065472c8d87da588a6ea6ce6a39f2079e218f3cd762692713a93ec5cef4473dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\_ctypes.pyd

Filesize
59KB

MD5
fe45b5661bb06d3a2d6ee8dde64950f5

SHA1
4c5aaac580cbadd90cd130059302d2ab9b25fdb7

SHA256
a6a1a77fb313e650dbd15d9fb745f0f4987cf41b38328ae6b48bc4ca663ec058

SHA512
8307ec73f42c49743d7e81dac54bc76f80ec0a35207fb4f5ad2286e0d6323f8ba77862e6e800f9e55ca9469d1526411b012db9901884c127bcfcab5584a319ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\_decimal.pyd

Filesize
105KB

MD5
ae175df8a381f9e1d408ef61e5cf7642

SHA1
b094b14f7672aeac8e50ae173b72351d1c17d496

SHA256
394573e22f7dc17eea87058c34d74378c4d290af3aa2d891b17c5968942d2ab4

SHA512
5ff46274d42037a2b6162470a5dd38065409a7b10b3d3f22f3c66defe09923dc954fb384e27da7bf51d195cfc58fccae93c036c10e1f6f34b25afa6119528fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\_hashlib.pyd

Filesize
35KB

MD5
84a3ab6348f069b51543e187c484bd65

SHA1
29d984bce98ff562487ef40650f5beee528d8fb4

SHA256
dddcf0bf7fa2b47ecb98912ab9469a41b74fe94ed226b92695ec377e46c33420

SHA512
5b782f9ccdacfef9ac0b3513cce7544d41c8347276b02aaa8566fa283c4c084f568904abd18a504d50e585cd3d5863b4e6ac058264315468cd62eacc7f40fddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\_lzma.pyd

Filesize
86KB

MD5
1dff217fe87e0843df6bc513995142a4

SHA1
59d79b2e261a330d6ae228f039e8bbf651ba2c0d

SHA256
579cc8d6eabdda5334d1a3245fd2831d986e0ec88bb8b42b7bbfbe7ee05d6e1e

SHA512
498d7f1fb0133630938af291ea0a2fcb78c3fa75cf1f00430bfd88b52a7b4a82532d3389093c2c8601aa73e3faeb0fe07adcd7ef3e789ef42c65027392c8514e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\_multiprocessing.pyd

Filesize
27KB

MD5
b59224c22510792057d97076838c311f

SHA1
1682f47e14deabe0ad479786323eb1a6f65fe053

SHA256
4dec69fbe483165bd5eeb97425092d37345578e36d502f5431f369e41f007e9c

SHA512
f4a5a9cbea9a6379b15cd2553b2e337a3b664346412ec02fef790fcbfe817b81749a0660daeddb9a092ac1e3c4386f4544ceda9805d1b67608d6ccf6fc34bbc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\_overlapped.pyd

Filesize
33KB

MD5
c84e798d88b53a5d3afc475770188358

SHA1
987fc82b36f36d023351c9466a7cf5353b9c40d0

SHA256
26357cb8a48e40898d0edbfc58c5ee63827f74679473df488769630c5f5abca6

SHA512
de3b8f60a62ab82a0a9d35673fbec0ca12b2a4bd55e036e1462f965aea0018f24ea75058a52c4eb9eeffe8d4dd63a7df2701a846f244b624ca81cab5a3d45706

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\_queue.pyd

Filesize
26KB

MD5
7e37a5910710ecb893e1c9ce5f17c43b

SHA1
704eb1f38e3df1ff66a07416c4ea355b07bcf4cc

SHA256
907c536e91c7d40d9829290662a21bddf497adaae157b7b576dd2ebae8516e10

SHA512
1a73049845fb08b170ce080c4f8a37b11427328dfbf008b0dcf9b646c2dd775b180f5e741db164df628f128850550dd4f0e946d558a3484e7c9d3ecc89331d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\_socket.pyd

Filesize
44KB

MD5
bf09a2ce93f8a0d5f404c15e1b025fa8

SHA1
29f815dd49b3c737f6c36d757653d39b307c31e8

SHA256
f7226bdc07ee5eedadd180d8d37f9d9916a3c1d63c92ad1d2d09c4aa39487116

SHA512
0e24c3c5785de7debf0c497ecd5f4435ee7c67d8cd34175985cd98943c8381631b10f9b6c8a56d00e2566c5bdd4858160920e3890b043bdcd49ee441644126c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\_sqlite3.pyd

Filesize
57KB

MD5
b1c6aa12bb1589590b0629ea53432eae

SHA1
8a5b7011ac6dc15d839a057b3f7fa595e0b1d160

SHA256
cfa6335fc0b869d33d9e079c2e87d382c8d8cfff7189ebe51678ed7411c95ce8

SHA512
839404fe22a8f5b2bc74d494cd7a8e7e8d59bcfd0582ccd7a64d259ea3e050962cd048b7fd32c6f686cf3cebcb6f80e2d70b7d25d2a4d51137db5b110f1cbe55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\_ssl.pyd

Filesize
65KB

MD5
80b0b7893603ce10ca5b15dec847417b

SHA1
bcdeac717552621d893529c34da628c84ee4177b

SHA256
286a853cdd765a266295c4c23a1298ad8f26a43c798e7a80974fb4209fb1ce7e

SHA512
0e748eaca61afe1e512695d7a28693fe86799a46f3dbc480294bfaf4e82cfa15b8fdf087c61060c49f04506129684607f0cf1965df074f797106cfec5e0765e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\_uuid.pyd

Filesize
24KB

MD5
353e11301ea38261e6b1cb261a81e0fe

SHA1
607c5ebe67e29eabc61978fb52e4ec23b9a3348e

SHA256
d132f754471bd8a6f6d7816453c2e542f250a4d8089b657392fe61a500ae7899

SHA512
fa990b3e9619d59ae3ad0aeffca7a3513ab143bfd0ac9277e711519010f7c453258a4b041be86a275f3c365e980fc857c23563f3b393d1e3a223973a673e88c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\_wmi.pyd

Filesize
28KB

MD5
a77a72bc52f5717d4a0a7303eacb24f5

SHA1
ac927a91f5410ee541bd8724819ff00a619dbaf0

SHA256
37dc27997ac84b8478c5beebda1fe8fe2618243ee3fd936a119f826d75a4038b

SHA512
c853b0ce6437f7ed38b377e12b7d1443950be27622cce1944b7a581b18e57672516fd4c6ef895d068100bcde24e1209e9c5abd916df00026bd6aa0047dd138b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\aiohttp\_helpers.cp312-win_amd64.pyd

Filesize
26KB

MD5
c410bbefad892761e0740ecd8f4d5e6f

SHA1
7c9cd82661bca55ff73f69605014b6a44f446474

SHA256
c5b4fed2e40f482525e2b2594636cb0ef4e8b3bd96ebf5e09a6faf7c211ee048

SHA512
7e7a416c71afa8a6482e643ef5a90c7642c41fe6cdb308df0079dfeb3dd64d823f895dc3a96f9417c4d45986b89bff44456dd06fdc24f997ebdd1a874bdc7179

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\aiohttp\_http_writer.cp312-win_amd64.pyd

Filesize
25KB

MD5
195c022969f2f44c4fcbd84639c7ed8c

SHA1
45681fbdf37461000ebab627e63a95c1224a1a9c

SHA256
7f60b20705d75ef92022e2cb39bab1888e1b3d2a9cf8e8f38f7f1513daeedf85

SHA512
adca54b638b57269b9aecb59e94d881569829b89323d28e8831be1f09b57261cbf712e99f10b5f7174e47597d8102634080792199d452e5ed1c83a052f228d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\base_library.zip

Filesize
1.3MB

MD5
8dad91add129dca41dd17a332a64d593

SHA1
70a4ec5a17ed63caf2407bd76dc116aca7765c0d

SHA256
8de4f013bfecb9431aabaa97bb084fb7de127b365b9478d6f7610959bf0d2783

SHA512
2163414bc01fc30d47d1de763a8332afe96ea7b296665b1a0840d5197b7e56f4963938e69de35cd2bf89158e5e2240a1650d00d86634ac2a5e2ad825455a2d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\cryptography\hazmat\bindings\_rust.pyd

Filesize
2.1MB

MD5
073606ea92928af7b2863782c0114949

SHA1
ec7b4dbf415af6a071a6ca3a0d4f4a0cf544515c

SHA256
9be10e3f170875a5b3e403f29d7241bf64957c01bfcae3504f5576578183610a

SHA512
5cd48348b475c9de7c2c8d85f36a1f8cf63ee5ee2bde60e2e5a1026f0e877b4c686ad07ab37c8ae37b46b719233b28aa699ce5a2fedd0247c7607da6e519a11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\libcrypto-3.dll

Filesize
1.6MB

MD5
443fd07a22ff1a688a3505d35f3c3dd1

SHA1
ab9f501aa1d3d523b45f8170e53981672cd69131

SHA256
f9c87ec6401039fd03b7c6732c74d1abfdb7c07c8e9803d00effe4c610baa9ee

SHA512
1de390d5d9872c9876662f89c57173391ecd300cabde69c655b2ade7eea56e67376839607cac52572111b88a025797060653dc8bb987c6a165f535b245309844

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\libffi-8.dll

Filesize
29KB

MD5
0d1c6b92d091cef3142e32ac4e0cc12e

SHA1
440dad5af38035cb0984a973e1f266deff2bd7fc

SHA256
11ee9c7fb70c3756c0392843245935517171b95cc5ba0d696b2c1742c8d46fb6

SHA512
5d514ecab93941e83c008f0e9749f99e330949580884bf4850b11cac08fe1ac4ac50033e8888045fe4a9d8b4d2e3ea667b39be18f77266d00f8d7d6797260233

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\libssl-3.dll

Filesize
222KB

MD5
364a71831c9bd0a09eeeceb6980c58c7

SHA1
9d084ccb83e12ddccd17250a009362d720e6271c

SHA256
3b20fb46f41234f8f7bbe342cfebfbbce5708d963cf5c7792d1237a1bc7b2676

SHA512
5abe19130f9306fd6fc3644412ef6c8c5b7da970cfaed69657a6cb62d431abfbba64fefcbfa82910d17d744e299e3ba5036bd490223b2bf28689cf2e70633dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\multidict\_multidict.cp312-win_amd64.pyd

Filesize
20KB

MD5
877e8f7f3c980020b1da6bdbc6f1741c

SHA1
184d162f6eea7cce343fe0c62fda49ca796ceb20

SHA256
65b96acd7b6517c4493491f31083e75d905b48466f021fab098655f0d953497c

SHA512
881332a6cbc7ab030f52bc46a8cf68c0ad922c54c68b3b8e35909f758aed9443cc90b49681f88c6c1f61741eb6507849857405a87dbbd78bb1a453ade3fe1ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\pyexpat.pyd

Filesize
88KB

MD5
4036f8f39f15413396465317522ae157

SHA1
398431ca1d476596bdaf213ace7599acbdf1fbf6

SHA256
31356a90e63b6fabbdb47373fbffeb33d28d8e6f6d5ca395113b3362ce9eee52

SHA512
b9750acaf86ae7bb942ece6067177a2b3ccc29672cffefbce213dd1b36acb5f143809331d657d6e7ffc7cac148d2e2793a6e9b941893c59b50dd32a982ddafaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\python3.DLL

Filesize
66KB

MD5
79b02450d6ca4852165036c8d4eaed1f

SHA1
ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4

SHA256
d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123

SHA512
47044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\python312.dll

Filesize
1.7MB

MD5
3e5a523e2b08424c39a53dcba0c4f335

SHA1
c6bafbf6501b62f23e0c2f4f68db822827babd76

SHA256
d6864c703deb033db0c5bd9962d88b1e2e6b39f942f44558385ae9a0aff7eac3

SHA512
74533088aee88b27d1cc94e56e70066109e05d6f1cfd3b4d647d16dc8a5977262f91e16dd875683c7e13dec0ed88d5febdd2058ca5ecc413e17934d782ade8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\select.pyd

Filesize
25KB

MD5
b6170b2e8b11051d2bbbc96583c6ba5e

SHA1
e142e392f8e247dc6745a6be7ac5e3fbb0f12ba4

SHA256
7cdd658961b23dfde1516ac43bf3b3de9314787c64a970cc169310d95a68709a

SHA512
956ed83bae9f0cbc10bfe26b7de0f41bfb39f304850d32084baba9ec9b25e5866dd94ec1de7ec91f42610c3b65f5a4d2538500da0c0ed3b95bd8051581e58194

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\sqlite3.dll

Filesize
644KB

MD5
23b8d930887ba4b256f91fb97bef6bcf

SHA1
045791bbd8354f5955ec14ca3ca8270a27ce2bf1

SHA256
002c755c90c0a4a108c5b27cd08b0bd2ac1732fadcec2ac3474a3e6b77df4013

SHA512
73f9a8d94f7b121433d5af19700c5f51ba39c7d59e27aa9ba27aeb8f0fa11e59b3ed5df2b3afd7a98f4ac8c6e8ab761d502f5fa41782946e350feb1f7910028c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\unicodedata.pyd

Filesize
295KB

MD5
e37488a62ea94e6dc09a8e3755e36e3f

SHA1
c485b3769c659c45853febdb2b3be5ab47e3a47a

SHA256
8e6de46ea542bbe99479f442dabafd44bfb51ee4f144ae493f37d6f9d5214135

SHA512
8128b609dca51a05186ec3bf894b8fb7911533b18fc70aea9682b5ae12d662aa174359ecddc98917ade9450a0c020ddcad2094afe5956be5ae3d6a38fd43c079

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12042\yarl\_quoting_c.cp312-win_amd64.pyd

Filesize
40KB

MD5
4bbcf91653204023164d00202769fc4f

SHA1
ccdaf8e3ee4ae4b6ae0b85193afb5b0fa9e68970

SHA256
213e1ba2baabc331eb61461791c85498cefabc223c872fd57d0b98b43b5afd9f

SHA512
79ad58112c2b7f1200c6fbc8074f8992c094ea785a3ac88cecbafcc245bbe41bfd1acd87fd0b1aca13e2bd644a9be540807ac31152824f86ef0a2d113405a765

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_tv0n0frv.pwc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gc.exe

Filesize
27.9MB

MD5
e763a1fec822fbd77b99d43397e92661

SHA1
1bd59e61bbdd226357445a927a222afa5c06b347

SHA256
5e47cbd87cd87c776732724c6c64c7ee1d4454ee0e05dc09d75b46e13ef009a4

SHA512
61e48f175f2aeee0227505ae7fa4b71ff1265124826a47d1578509755d3933a0bc6e11bbbca6ce7b6d3fe55094b9ff9575dc807a1e65fed9aef5f5c5b282e013

Download Submit
C:\Users\Admin\AppData\Local\eicar.com

Filesize
68B

MD5
44d88612fea8a8f36de82e1278abb02f

SHA1
3395856ce81f2b7382dee72602f798b642f14140

SHA256
275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f

SHA512
cc805d5fab1fd71a4ab352a9c533e65fb2d5b885518f4e565e68847223b8e6b85cb48f3afad842726d99239c9e36505c64b0dc9a061d9e507d833277ada336ab

Download Submit
memory/2328-129-0x00007FFA78590000-0x00007FFA7865D000-memory.dmp

Filesize
820KB

Download
memory/2328-260-0x00007FFA78370000-0x00007FFA78392000-memory.dmp

Filesize
136KB

Download
memory/2328-134-0x00007FFA846B0000-0x00007FFA846C6000-memory.dmp

Filesize
88KB

Download
memory/2328-135-0x00007FFA83FC0000-0x00007FFA83FD2000-memory.dmp

Filesize
72KB

Download
memory/2328-109-0x00007FFA89F90000-0x00007FFA89F9D000-memory.dmp

Filesize
52KB

Download
memory/2328-138-0x00007FFA80280000-0x00007FFA80294000-memory.dmp

Filesize
80KB

Download
memory/2328-107-0x00007FFA8A250000-0x00007FFA8A25D000-memory.dmp

Filesize
52KB

Download
memory/2328-106-0x00007FFA896B0000-0x00007FFA896C9000-memory.dmp

Filesize
100KB

Download
memory/2328-139-0x00007FFA7FC80000-0x00007FFA7FC94000-memory.dmp

Filesize
80KB

Download
memory/2328-142-0x00007FFA783A0000-0x00007FFA784BB000-memory.dmp

Filesize
1.1MB

Download
memory/2328-144-0x00007FFA79A10000-0x00007FFA7A0D5000-memory.dmp

Filesize
6.8MB

Download
memory/2328-150-0x00007FFA8D470000-0x00007FFA8D487000-memory.dmp

Filesize
92KB

Download
memory/2328-149-0x00007FFA89E20000-0x00007FFA89E45000-memory.dmp

Filesize
148KB

Download
memory/2328-145-0x00007FFA78370000-0x00007FFA78392000-memory.dmp

Filesize
136KB

Download
memory/2328-158-0x00007FFA89CF0000-0x00007FFA89D0E000-memory.dmp

Filesize
120KB

Download
memory/2328-157-0x00007FFA89E80000-0x00007FFA89E91000-memory.dmp

Filesize
68KB

Download
memory/2328-156-0x00007FFA89D10000-0x00007FFA89D5C000-memory.dmp

Filesize
304KB

Download
memory/2328-155-0x00007FFA89EA0000-0x00007FFA89EB9000-memory.dmp

Filesize
100KB

Download
memory/2328-154-0x00007FFA89F90000-0x00007FFA89F9D000-memory.dmp

Filesize
52KB

Download
memory/2328-128-0x00007FFA78660000-0x00007FFA78B89000-memory.dmp

Filesize
5.2MB

Download
memory/2328-125-0x00007FFA7FCA0000-0x00007FFA7FCD3000-memory.dmp

Filesize
204KB

Download
memory/2328-114-0x00007FFA89BC0000-0x00007FFA89BDA000-memory.dmp

Filesize
104KB

Download
memory/2328-115-0x00007FFA89680000-0x00007FFA896AD000-memory.dmp

Filesize
180KB

Download
memory/2328-80-0x00007FFA8D3D0000-0x00007FFA8D3DF000-memory.dmp

Filesize
60KB

Download
memory/2328-79-0x00007FFA89E20000-0x00007FFA89E45000-memory.dmp

Filesize
148KB

Download
memory/2328-121-0x00007FFA790E0000-0x00007FFA79881000-memory.dmp

Filesize
7.6MB

Download
memory/2328-117-0x00007FFA79890000-0x00007FFA79A0E000-memory.dmp

Filesize
1.5MB

Download
memory/2328-288-0x00007FFA7FCA0000-0x00007FFA7FCD3000-memory.dmp

Filesize
204KB

Download
memory/2328-289-0x00007FFA78660000-0x00007FFA78B89000-memory.dmp

Filesize
5.2MB

Download
memory/2328-214-0x00007FFA885B0000-0x00007FFA885D4000-memory.dmp

Filesize
144KB

Download
memory/2328-216-0x00007FFA88A50000-0x00007FFA88A5D000-memory.dmp

Filesize
52KB

Download
memory/2328-215-0x00007FFA79890000-0x00007FFA79A0E000-memory.dmp

Filesize
1.5MB

Download
memory/2328-116-0x00007FFA885B0000-0x00007FFA885D4000-memory.dmp

Filesize
144KB

Download
memory/2328-276-0x00007FFA79A10000-0x00007FFA7A0D5000-memory.dmp

Filesize
6.8MB

Download
memory/2328-65-0x00007FFA79A10000-0x00007FFA7A0D5000-memory.dmp

Filesize
6.8MB

Download
memory/2328-290-0x00007FFA78590000-0x00007FFA7865D000-memory.dmp

Filesize
820KB

Download
memory/2328-263-0x00007FFA89D10000-0x00007FFA89D5C000-memory.dmp

Filesize
304KB

Download
memory/2328-266-0x00007FFA88A50000-0x00007FFA88A5D000-memory.dmp

Filesize
52KB

Download
memory/2328-262-0x00007FFA89EA0000-0x00007FFA89EB9000-memory.dmp

Filesize
100KB

Download
memory/2328-261-0x00007FFA8D470000-0x00007FFA8D487000-memory.dmp

Filesize
92KB

Download
memory/2328-124-0x00007FFA83FE0000-0x00007FFA84019000-memory.dmp

Filesize
228KB

Download
memory/2328-255-0x00007FFA846B0000-0x00007FFA846C6000-memory.dmp

Filesize
88KB

Download
memory/2328-254-0x00007FFA78590000-0x00007FFA7865D000-memory.dmp

Filesize
820KB

Download
memory/2328-250-0x00007FFA790E0000-0x00007FFA79881000-memory.dmp

Filesize
7.6MB

Download
memory/2328-252-0x00007FFA7FCA0000-0x00007FFA7FCD3000-memory.dmp

Filesize
204KB

Download
memory/2328-249-0x00007FFA79890000-0x00007FFA79A0E000-memory.dmp

Filesize
1.5MB

Download
memory/2328-241-0x00007FFA89E20000-0x00007FFA89E45000-memory.dmp

Filesize
148KB

Download
memory/2328-240-0x00007FFA79A10000-0x00007FFA7A0D5000-memory.dmp

Filesize
6.8MB

Download
memory/2328-253-0x00007FFA78660000-0x00007FFA78B89000-memory.dmp

Filesize
5.2MB

Download
memory/2328-296-0x00007FFA78370000-0x00007FFA78392000-memory.dmp

Filesize
136KB

Download
memory/3596-172-0x00007FF693580000-0x00007FF6963BF000-memory.dmp

Filesize
46.2MB

Download
memory/3596-171-0x00007FFA97FD0000-0x00007FFA97FD2000-memory.dmp

Filesize
8KB

Download
memory/4776-237-0x00000241EE490000-0x00000241EE4AE000-memory.dmp

Filesize
120KB

Download
memory/4776-230-0x00000241EE560000-0x00000241EE582000-memory.dmp

Filesize
136KB

Download