exelastealer | c0449792325197ff37ce3f5e373ace685b4c5d74d356eee4f84c3cb3650f6525

Analysis

max time kernel
147s
max time network
143s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
10-08-2024 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

,.exe
Size

15.2MB
MD5

4a8811f374f8455bf8848d5cdbe15b2b
SHA1

fe289c7e82af4fdf5cdacec7ed78c2899180a3e6
SHA256

c0449792325197ff37ce3f5e373ace685b4c5d74d356eee4f84c3cb3650f6525
SHA512

f5afc74cb29ea2ad8216abb958ee5870cea5cec16d1c45a2306d648a32e42a7415ddcfae8b8cc86e0fa9adcd39cc5a6387f99dded79574e9f780bf09edb976ad
SSDEEP

393216:jNQ897GIdL01+l+uq+Vvz1+TtIiLf0VTp1k6HF:pQk5R01+l+uqgvz1QtIhjks

Score

10^/10

exelastealer collection credential_access defense_evasion discovery evasion execution persistence privilege_escalation pyinstaller spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1884	netsh.exe
380	netsh.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1964	cmd.exe
3788	powershell.exe

Executes dropped EXE 2 IoCs

pid	Process
5040	comet.exe
3960	comet.exe

Loads dropped DLL 55 IoCs

pid	Process
3856	,.exe
3856	,.exe
3856	,.exe
3856	,.exe
3856	,.exe
3856	,.exe
3856	,.exe
3856	,.exe
3856	,.exe
3856	,.exe
3856	,.exe
3856	,.exe
3856	,.exe
3856	,.exe
3856	,.exe
3856	,.exe
3856	,.exe
3856	,.exe
3856	,.exe
3856	,.exe
3856	,.exe
3856	,.exe
3856	,.exe
3856	,.exe
3960	comet.exe
3960	comet.exe
3960	comet.exe
3960	comet.exe
3960	comet.exe
3960	comet.exe
3960	comet.exe
3960	comet.exe
3960	comet.exe
3960	comet.exe
3960	comet.exe
3960	comet.exe
3960	comet.exe
3960	comet.exe
3960	comet.exe
3960	comet.exe
3960	comet.exe
3960	comet.exe
3960	comet.exe
3960	comet.exe
3960	comet.exe
3960	comet.exe
3960	comet.exe
3960	comet.exe
3960	comet.exe
3960	comet.exe
3960	comet.exe
3960	comet.exe
3960	comet.exe
3960	comet.exe
3960	comet.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 52 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000100000002ab5d-140.dat	upx
behavioral1/memory/3960-144-0x00007FFCA87E0000-0x00007FFCA8DC8000-memory.dmp	upx
behavioral1/files/0x000100000002ab57-151.dat	upx
behavioral1/files/0x000100000002ab2e-150.dat	upx
behavioral1/memory/3960-154-0x00007FFCBBB40000-0x00007FFCBBB4F000-memory.dmp	upx
behavioral1/memory/3960-153-0x00007FFCBBA10000-0x00007FFCBBA34000-memory.dmp	upx
behavioral1/memory/3960-158-0x00007FFCBB2D0000-0x00007FFCBB2FD000-memory.dmp	upx
behavioral1/memory/3960-160-0x00007FFCBB120000-0x00007FFCBB293000-memory.dmp	upx
behavioral1/memory/3960-159-0x00007FFCBB2A0000-0x00007FFCBB2C3000-memory.dmp	upx
behavioral1/memory/3960-157-0x00007FFCBB300000-0x00007FFCBB319000-memory.dmp	upx
behavioral1/memory/3960-156-0x00007FFCBB320000-0x00007FFCBB32D000-memory.dmp	upx
behavioral1/memory/3960-155-0x00007FFCBB9F0000-0x00007FFCBBA09000-memory.dmp	upx
behavioral1/memory/3960-161-0x00007FFCBB070000-0x00007FFCBB09E000-memory.dmp	upx
behavioral1/memory/3960-163-0x00007FFCA8FA0000-0x00007FFCA9315000-memory.dmp	upx
behavioral1/memory/3960-162-0x00007FFCAA460000-0x00007FFCAA518000-memory.dmp	upx
behavioral1/memory/3960-166-0x00007FFCBAFB0000-0x00007FFCBAFC2000-memory.dmp	upx
behavioral1/memory/3960-165-0x00007FFCBB050000-0x00007FFCBB065000-memory.dmp	upx
behavioral1/memory/3960-168-0x00007FFCBAC80000-0x00007FFCBAC94000-memory.dmp	upx
behavioral1/memory/3960-167-0x00007FFCBAF90000-0x00007FFCBAFA4000-memory.dmp	upx
behavioral1/memory/3960-169-0x00007FFCAA340000-0x00007FFCAA45C000-memory.dmp	upx
behavioral1/memory/3960-170-0x00007FFCB7270000-0x00007FFCB7292000-memory.dmp	upx
behavioral1/memory/3960-171-0x00007FFCB7250000-0x00007FFCB7267000-memory.dmp	upx
behavioral1/memory/3960-176-0x00007FFCB0120000-0x00007FFCB016D000-memory.dmp	upx
behavioral1/memory/3960-175-0x00007FFCB6740000-0x00007FFCB6759000-memory.dmp	upx
behavioral1/memory/3960-174-0x00007FFCBAF80000-0x00007FFCBAF8A000-memory.dmp	upx
behavioral1/memory/3960-173-0x00007FFCB6720000-0x00007FFCB6731000-memory.dmp	upx
behavioral1/memory/3960-172-0x00007FFCA87E0000-0x00007FFCA8DC8000-memory.dmp	upx
behavioral1/memory/3960-177-0x00007FFCB02A0000-0x00007FFCB02BE000-memory.dmp	upx
behavioral1/memory/3960-181-0x00007FFCA80E0000-0x00007FFCA87D5000-memory.dmp	upx
behavioral1/memory/3960-180-0x00007FFCBB120000-0x00007FFCBB293000-memory.dmp	upx
behavioral1/memory/3960-179-0x00007FFCBB2A0000-0x00007FFCBB2C3000-memory.dmp	upx
behavioral1/memory/3960-178-0x00007FFCBB9F0000-0x00007FFCBBA09000-memory.dmp	upx
behavioral1/memory/3960-183-0x00007FFCAA640000-0x00007FFCAA678000-memory.dmp	upx
behavioral1/memory/3960-182-0x00007FFCBB070000-0x00007FFCBB09E000-memory.dmp	upx
behavioral1/memory/3960-235-0x00007FFCBABE0000-0x00007FFCBABED000-memory.dmp	upx
behavioral1/memory/3960-233-0x00007FFCA8FA0000-0x00007FFCA9315000-memory.dmp	upx
behavioral1/memory/3960-232-0x00007FFCAA460000-0x00007FFCAA518000-memory.dmp	upx
behavioral1/memory/3960-252-0x00007FFCBAFB0000-0x00007FFCBAFC2000-memory.dmp	upx
behavioral1/memory/3960-251-0x00007FFCBB050000-0x00007FFCBB065000-memory.dmp	upx
behavioral1/memory/3960-260-0x00007FFCA87E0000-0x00007FFCA8DC8000-memory.dmp	upx
behavioral1/memory/3960-268-0x00007FFCBB120000-0x00007FFCBB293000-memory.dmp	upx
behavioral1/memory/3960-287-0x00007FFCAA340000-0x00007FFCAA45C000-memory.dmp	upx
behavioral1/memory/3960-285-0x00007FFCAA640000-0x00007FFCAA678000-memory.dmp	upx
behavioral1/memory/3960-280-0x00007FFCB0120000-0x00007FFCB016D000-memory.dmp	upx
behavioral1/memory/3960-279-0x00007FFCB6740000-0x00007FFCB6759000-memory.dmp	upx
behavioral1/memory/3960-278-0x00007FFCB7250000-0x00007FFCB7267000-memory.dmp	upx
behavioral1/memory/3960-277-0x00007FFCB7270000-0x00007FFCB7292000-memory.dmp	upx
behavioral1/memory/3960-284-0x00007FFCA80E0000-0x00007FFCA87D5000-memory.dmp	upx
behavioral1/memory/3960-272-0x00007FFCBB050000-0x00007FFCBB065000-memory.dmp	upx
behavioral1/memory/3960-261-0x00007FFCBBA10000-0x00007FFCBBA34000-memory.dmp	upx
behavioral1/memory/3960-288-0x00007FFCA87E0000-0x00007FFCA8DC8000-memory.dmp	upx
behavioral1/memory/3960-315-0x00007FFCA87E0000-0x00007FFCA8DC8000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
396	cmd.exe
2052	ARP.EXE

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
2760	tasklist.exe
3056	tasklist.exe
1480	tasklist.exe
1204	tasklist.exe
4048	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3384	cmd.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
596	sc.exe
5092	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000300000002aac4-90.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4332	cmd.exe
332	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
3192	NETSTAT.EXE

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
4136	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
380	WMIC.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1108	ipconfig.exe
3192	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
248	systeminfo.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3788	powershell.exe
3788	powershell.exe
3788	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	380	WMIC.exe
Token: SeSecurityPrivilege	380	WMIC.exe
Token: SeTakeOwnershipPrivilege	380	WMIC.exe
Token: SeLoadDriverPrivilege	380	WMIC.exe
Token: SeSystemProfilePrivilege	380	WMIC.exe
Token: SeSystemtimePrivilege	380	WMIC.exe
Token: SeProfSingleProcessPrivilege	380	WMIC.exe
Token: SeIncBasePriorityPrivilege	380	WMIC.exe
Token: SeCreatePagefilePrivilege	380	WMIC.exe
Token: SeBackupPrivilege	380	WMIC.exe
Token: SeRestorePrivilege	380	WMIC.exe
Token: SeShutdownPrivilege	380	WMIC.exe
Token: SeDebugPrivilege	380	WMIC.exe
Token: SeSystemEnvironmentPrivilege	380	WMIC.exe
Token: SeRemoteShutdownPrivilege	380	WMIC.exe
Token: SeUndockPrivilege	380	WMIC.exe
Token: SeManageVolumePrivilege	380	WMIC.exe
Token: 33	380	WMIC.exe
Token: 34	380	WMIC.exe
Token: 35	380	WMIC.exe
Token: 36	380	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3520	WMIC.exe
Token: SeSecurityPrivilege	3520	WMIC.exe
Token: SeTakeOwnershipPrivilege	3520	WMIC.exe
Token: SeLoadDriverPrivilege	3520	WMIC.exe
Token: SeSystemProfilePrivilege	3520	WMIC.exe
Token: SeSystemtimePrivilege	3520	WMIC.exe
Token: SeProfSingleProcessPrivilege	3520	WMIC.exe
Token: SeIncBasePriorityPrivilege	3520	WMIC.exe
Token: SeCreatePagefilePrivilege	3520	WMIC.exe
Token: SeBackupPrivilege	3520	WMIC.exe
Token: SeRestorePrivilege	3520	WMIC.exe
Token: SeShutdownPrivilege	3520	WMIC.exe
Token: SeDebugPrivilege	3520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3520	WMIC.exe
Token: SeRemoteShutdownPrivilege	3520	WMIC.exe
Token: SeUndockPrivilege	3520	WMIC.exe
Token: SeManageVolumePrivilege	3520	WMIC.exe
Token: 33	3520	WMIC.exe
Token: 34	3520	WMIC.exe
Token: 35	3520	WMIC.exe
Token: 36	3520	WMIC.exe
Token: SeDebugPrivilege	3056	tasklist.exe
Token: SeIncreaseQuotaPrivilege	380	WMIC.exe
Token: SeSecurityPrivilege	380	WMIC.exe
Token: SeTakeOwnershipPrivilege	380	WMIC.exe
Token: SeLoadDriverPrivilege	380	WMIC.exe
Token: SeSystemProfilePrivilege	380	WMIC.exe
Token: SeSystemtimePrivilege	380	WMIC.exe
Token: SeProfSingleProcessPrivilege	380	WMIC.exe
Token: SeIncBasePriorityPrivilege	380	WMIC.exe
Token: SeCreatePagefilePrivilege	380	WMIC.exe
Token: SeBackupPrivilege	380	WMIC.exe
Token: SeRestorePrivilege	380	WMIC.exe
Token: SeShutdownPrivilege	380	WMIC.exe
Token: SeDebugPrivilege	380	WMIC.exe
Token: SeSystemEnvironmentPrivilege	380	WMIC.exe
Token: SeRemoteShutdownPrivilege	380	WMIC.exe
Token: SeUndockPrivilege	380	WMIC.exe
Token: SeManageVolumePrivilege	380	WMIC.exe
Token: 33	380	WMIC.exe
Token: 34	380	WMIC.exe
Token: 35	380	WMIC.exe
Token: 36	380	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 3856	2172	,.exe	83
PID 2172 wrote to memory of 3856	2172	,.exe	83
PID 3856 wrote to memory of 3248	3856	,.exe	84
PID 3856 wrote to memory of 3248	3856	,.exe	84
PID 3248 wrote to memory of 596	3248	cmd.exe	86
PID 3248 wrote to memory of 596	3248	cmd.exe	86
PID 3856 wrote to memory of 1968	3856	,.exe	89
PID 3856 wrote to memory of 1968	3856	,.exe	89
PID 1968 wrote to memory of 5040	1968	cmd.exe	90
PID 1968 wrote to memory of 5040	1968	cmd.exe	90
PID 5040 wrote to memory of 3960	5040	comet.exe	91
PID 5040 wrote to memory of 3960	5040	comet.exe	91
PID 3960 wrote to memory of 1744	3960	comet.exe	92
PID 3960 wrote to memory of 1744	3960	comet.exe	92
PID 3960 wrote to memory of 1648	3960	comet.exe	94
PID 3960 wrote to memory of 1648	3960	comet.exe	94
PID 3960 wrote to memory of 4708	3960	comet.exe	95
PID 3960 wrote to memory of 4708	3960	comet.exe	95
PID 3960 wrote to memory of 4936	3960	comet.exe	97
PID 3960 wrote to memory of 4936	3960	comet.exe	97
PID 3960 wrote to memory of 428	3960	comet.exe	98
PID 3960 wrote to memory of 428	3960	comet.exe	98
PID 428 wrote to memory of 3056	428	cmd.exe	103
PID 428 wrote to memory of 3056	428	cmd.exe	103
PID 4708 wrote to memory of 3520	4708	cmd.exe	104
PID 4708 wrote to memory of 3520	4708	cmd.exe	104
PID 3960 wrote to memory of 2440	3960	comet.exe	107
PID 3960 wrote to memory of 2440	3960	comet.exe	107
PID 2440 wrote to memory of 4292	2440	cmd.exe	109
PID 2440 wrote to memory of 4292	2440	cmd.exe	109
PID 3960 wrote to memory of 4268	3960	comet.exe	110
PID 3960 wrote to memory of 4268	3960	comet.exe	110
PID 3960 wrote to memory of 4136	3960	comet.exe	111
PID 3960 wrote to memory of 4136	3960	comet.exe	111
PID 4268 wrote to memory of 2976	4268	cmd.exe	114
PID 4268 wrote to memory of 2976	4268	cmd.exe	114
PID 4136 wrote to memory of 1480	4136	cmd.exe	115
PID 4136 wrote to memory of 1480	4136	cmd.exe	115
PID 3960 wrote to memory of 3384	3960	comet.exe	117
PID 3960 wrote to memory of 3384	3960	comet.exe	117
PID 3384 wrote to memory of 4064	3384	cmd.exe	119
PID 3384 wrote to memory of 4064	3384	cmd.exe	119
PID 3960 wrote to memory of 4116	3960	comet.exe	120
PID 3960 wrote to memory of 4116	3960	comet.exe	120
PID 3960 wrote to memory of 2880	3960	comet.exe	121
PID 3960 wrote to memory of 2880	3960	comet.exe	121
PID 2880 wrote to memory of 1204	2880	cmd.exe	124
PID 2880 wrote to memory of 1204	2880	cmd.exe	124
PID 4116 wrote to memory of 2888	4116	cmd.exe	125
PID 4116 wrote to memory of 2888	4116	cmd.exe	125
PID 3960 wrote to memory of 3164	3960	comet.exe	126
PID 3960 wrote to memory of 3164	3960	comet.exe	126
PID 3960 wrote to memory of 1220	3960	comet.exe	127
PID 3960 wrote to memory of 1220	3960	comet.exe	127
PID 3960 wrote to memory of 3948	3960	comet.exe	128
PID 3960 wrote to memory of 3948	3960	comet.exe	128
PID 3960 wrote to memory of 1964	3960	comet.exe	129
PID 3960 wrote to memory of 1964	3960	comet.exe	129
PID 3948 wrote to memory of 4048	3948	cmd.exe	135
PID 3948 wrote to memory of 4048	3948	cmd.exe	135
PID 1964 wrote to memory of 3788	1964	cmd.exe	136
PID 1964 wrote to memory of 3788	1964	cmd.exe	136
PID 1220 wrote to memory of 1648	1220	cmd.exe	137
PID 1220 wrote to memory of 1648	1220	cmd.exe	137

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4064	attrib.exe

C:\Users\Admin\AppData\Local\Temp\,.exe
"C:\Users\Admin\AppData\Local\Temp\,.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Users\Admin\AppData\Local\Temp\,.exe
  "C:\Users\Admin\AppData\Local\Temp\,.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3856
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c sc stop WinDefend
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3248
  - - C:\Windows\system32\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c comet.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1968
  - - C:\Users\Admin\AppData\Local\Temp\comet.exe
      comet.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5040
    - - C:\Users\Admin\AppData\Local\Temp\comet.exe
        
        comet.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3960
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        6⤵
        
        PID:1744
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        6⤵
        
        PID:1648
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        7⤵
        Detects videocard installed
        Suspicious use of AdjustPrivilegeToken
        
        PID:380
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3520
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "gdb --version"
        6⤵
        
        PID:4936
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:428
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        7⤵
        
        PID:4292
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4268
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:2976
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4136
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:1480
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
        6⤵
        Hide Artifacts: Hidden Files and Directories
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
        7⤵
        Views/modifies file attributes
        
        PID:4064
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
        7⤵
        
        PID:2888
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        7⤵
        Enumerates processes with tasklist
        
        PID:1204
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        6⤵
        
        PID:3164
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        7⤵
        
        PID:904
        
        C:\Windows\system32\chcp.com
        
        chcp
        8⤵
        
        PID:2044
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1220
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        7⤵
        
        PID:1648
        
        C:\Windows\system32\chcp.com
        
        chcp
        8⤵
        
        PID:1352
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        7⤵
        Enumerates processes with tasklist
        
        PID:4048
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        6⤵
        Clipboard Data
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        7⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:3788
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        6⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4332
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        7⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:332
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        6⤵
        Network Service Discovery
        
        PID:396
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        7⤵
        Gathers system information
        
        PID:248
        
        C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        7⤵
        
        PID:2476
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        7⤵
        Collects information from the system
        
        PID:4136
        
        C:\Windows\system32\net.exe
        
        net user
        7⤵
        
        PID:2004
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        8⤵
        
        PID:4084
        
        C:\Windows\system32\query.exe
        
        query user
        7⤵
        
        PID:2308
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        8⤵
        
        PID:3896
        
        C:\Windows\system32\net.exe
        
        net localgroup
        7⤵
        
        PID:4808
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        8⤵
        
        PID:5056
        
        C:\Windows\system32\net.exe
        
        net localgroup administrators
        7⤵
        
        PID:5000
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        8⤵
        
        PID:3368
        
        C:\Windows\system32\net.exe
        
        net user guest
        7⤵
        
        PID:1204
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        8⤵
        
        PID:1332
        
        C:\Windows\system32\net.exe
        
        net user administrator
        7⤵
        
        PID:5116
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        8⤵
        
        PID:124
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        7⤵
        
        PID:3464
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        7⤵
        Enumerates processes with tasklist
        
        PID:2760
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        7⤵
        Gathers network information
        
        PID:1108
        
        C:\Windows\system32\ROUTE.EXE
        
        route print
        7⤵
        
        PID:1656
        
        C:\Windows\system32\ARP.EXE
        
        arp -a
        7⤵
        Network Service Discovery
        
        PID:2052
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        7⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:3192
        
        C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        7⤵
        Launches sc.exe
        
        PID:5092
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1884
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        7⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:380
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:1912
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:1092
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        6⤵
        
        PID:3868
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        7⤵
        
        PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

System Services

T1569

Service Execution

T1569.002

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI21722\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21722\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21722\_bz2.pyd

Filesize
83KB

MD5
5bebc32957922fe20e927d5c4637f100

SHA1
a94ea93ee3c3d154f4f90b5c2fe072cc273376b3

SHA256
3ed0e5058d370fb14aa5469d81f96c5685559c054917c7280dd4125f21d25f62

SHA512
afbe80a73ee9bd63d9ffa4628273019400a75f75454667440f43beb253091584bf9128cbb78ae7b659ce67a5faefdba726edb37987a4fe92f082d009d523d5d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21722\_cffi_backend.cp312-win_amd64.pyd

Filesize
178KB

MD5
0572b13646141d0b1a5718e35549577c

SHA1
eeb40363c1f456c1c612d3c7e4923210eae4cdf7

SHA256
d8a76d1e31bbd62a482dea9115fc1a109cb39af4cf6d1323409175f3c93113a7

SHA512
67c28432ca8b389acc26e47eb8c4977fddd4af9214819f89df07fecbc8ed750d5f35807a1b195508dd1d77e2a7a9d7265049dcfbfe7665a7fd1ba45da1e4e842

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21722\_decimal.pyd

Filesize
251KB

MD5
492c0c36d8ed1b6ca2117869a09214da

SHA1
b741cae3e2c9954e726890292fa35034509ef0f6

SHA256
b8221d1c9e2c892dd6227a6042d1e49200cd5cb82adbd998e4a77f4ee0e9abf1

SHA512
b8f1c64ad94db0252d96082e73a8632412d1d73fb8095541ee423df6f00bc417a2b42c76f15d7e014e27baae0ef50311c3f768b1560db005a522373f442e4be0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21722\_hashlib.pyd

Filesize
64KB

MD5
da02cefd8151ecb83f697e3bd5280775

SHA1
1c5d0437eb7e87842fde55241a5f0ca7f0fc25e7

SHA256
fd77a5756a17ec0788989f73222b0e7334dd4494b8c8647b43fe554cf3cfb354

SHA512
a13bc5c481730f48808905f872d92cb8729cc52cfb4d5345153ce361e7d6586603a58b964a1ebfd77dd6222b074e5dcca176eaaefecc39f75496b1f8387a2283

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21722\_lzma.pyd

Filesize
156KB

MD5
195defe58a7549117e06a57029079702

SHA1
3795b02803ca37f399d8883d30c0aa38ad77b5f2

SHA256
7bf9ff61babebd90c499a8ed9b62141f947f90d87e0bbd41a12e99d20e06954a

SHA512
c47a9b1066dd9744c51ed80215bd9645aab6cc9d6a3f9df99f618e3dd784f6c7ce6f53eabe222cf134ee649250834193d5973e6e88f8a93151886537c62e2e2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21722\_queue.pyd

Filesize
31KB

MD5
b7e5fbd7ef3eefff8f502290c0e2b259

SHA1
9decba47b1cdb0d511b58c3146d81644e56e3611

SHA256
dbdabb5fe0ccbc8b951a2c6ec033551836b072cab756aaa56b6f22730080d173

SHA512
b7568b9df191347d1a8d305bd8ddd27cbfa064121c785fa2e6afef89ec330b60cafc366be2b22409d15c9434f5e46e36c5cbfb10783523fdcac82c30360d36f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21722\_socket.pyd

Filesize
81KB

MD5
dd8ff2a3946b8e77264e3f0011d27704

SHA1
a2d84cfc4d6410b80eea4b25e8efc08498f78990

SHA256
b102522c23dac2332511eb3502466caf842d6bcd092fbc276b7b55e9cc01b085

SHA512
958224a974a3449bcfb97faab70c0a5b594fa130adc0c83b4e15bdd7aab366b58d94a4a9016cb662329ea47558645acd0e0cc6df54f12a81ac13a6ec0c895cd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21722\_ssl.pyd

Filesize
174KB

MD5
c87c5890039c3bdb55a8bc189256315f

SHA1
84ef3c2678314b7f31246471b3300da65cb7e9de

SHA256
a5d361707f7a2a2d726b20770e8a6fc25d753be30bcbcbbb683ffee7959557c2

SHA512
e750dc36ae00249ed6da1c9d816f1bd7f8bc84ddea326c0cd0410dbcfb1a945aac8c130665bfacdccd1ee2b7ac097c6ff241bfc6cc39017c9d1cde205f460c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21722\_wmi.pyd

Filesize
36KB

MD5
8a9a59559c614fc2bcebb50073580c88

SHA1
4e4ced93f2cb5fe6a33c1484a705e10a31d88c4d

SHA256
752fb80edb51f45d3cc1c046f3b007802432b91aef400c985640d6b276a67c12

SHA512
9b17c81ff89a41307740371cb4c2f5b0cf662392296a7ab8e5a9eba75224b5d9c36a226dce92884591636c343b8238c19ef61c1fdf50cc5aa2da86b1959db413

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21722\base_library.zip

Filesize
1.3MB

MD5
43935f81d0c08e8ab1dfe88d65af86d8

SHA1
abb6eae98264ee4209b81996c956a010ecf9159b

SHA256
c611943f0aeb3292d049437cb03500cc2f8d12f23faf55e644bca82f43679bc0

SHA512
06a9dcd310aa538664b08f817ec1c6cfa3f748810d76559c46878ea90796804904d41ac79535c7f63114df34c0e5de6d0452bb30df54b77118d925f21cfa1955

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21722\charset_normalizer\md.cp312-win_amd64.pyd

Filesize
10KB

MD5
d9e0217a89d9b9d1d778f7e197e0c191

SHA1
ec692661fcc0b89e0c3bde1773a6168d285b4f0d

SHA256
ecf12e2c0a00c0ed4e2343ea956d78eed55e5a36ba49773633b2dfe7b04335c0

SHA512
3b788ac88c1f2d682c1721c61d223a529697c7e43280686b914467b3b39e7d6debaff4c0e2f42e9dddb28b522f37cb5a3011e91c66d911609c63509f9228133d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21722\charset_normalizer\md__mypyc.cp312-win_amd64.pyd

Filesize
120KB

MD5
bf9a9da1cf3c98346002648c3eae6dcf

SHA1
db16c09fdc1722631a7a9c465bfe173d94eb5d8b

SHA256
4107b1d6f11d842074a9f21323290bbe97e8eed4aa778fbc348ee09cc4fa4637

SHA512
7371407d12e632fc8fb031393838d36e6a1fe1e978ced36ff750d84e183cde6dd20f75074f4597742c9f8d6f87af12794c589d596a81b920c6c62ee2ba2e5654

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21722\libcrypto-3.dll

Filesize
5.0MB

MD5
e547cf6d296a88f5b1c352c116df7c0c

SHA1
cafa14e0367f7c13ad140fd556f10f320a039783

SHA256
05fe080eab7fc535c51e10c1bd76a2f3e6217f9c91a25034774588881c3f99de

SHA512
9f42edf04c7af350a00fa4fdf92b8e2e6f47ab9d2d41491985b20cd0adde4f694253399f6a88f4bdd765c4f49792f25fb01e84ec03fd5d0be8bb61773d77d74d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21722\libssl-3.dll

Filesize
768KB

MD5
19a2aba25456181d5fb572d88ac0e73e

SHA1
656ca8cdfc9c3a6379536e2027e93408851483db

SHA256
2e9fbcd8f7fdc13a5179533239811456554f2b3aa2fb10e1b17be0df81c79006

SHA512
df17dc8a882363a6c5a1b78ba3cf448437d1118ccc4a6275cc7681551b13c1a4e0f94e30ffb94c3530b688b62bff1c03e57c2c185a7df2bf3e5737a06e114337

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21722\python3.dll

Filesize
66KB

MD5
a07661c5fad97379cf6d00332999d22c

SHA1
dca65816a049b3cce5c4354c3819fef54c6299b0

SHA256
5146005c36455e7ede4b8ecc0dc6f6fa8ea6b4a99fedbabc1994ae27dfab9d1b

SHA512
6ddeb9d89ccb4d2ec5d994d85a55e5e2cc7af745056dae030ab8d72ee7830f672003f4675b6040f123fc64c19e9b48cabd0da78101774dafacf74a88fbd74b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21722\python312.dll

Filesize
6.6MB

MD5
d521654d889666a0bc753320f071ef60

SHA1
5fd9b90c5d0527e53c199f94bad540c1e0985db6

SHA256
21700f0bad5769a1b61ea408dc0a140ffd0a356a774c6eb0cc70e574b929d2e2

SHA512
7a726835423a36de80fb29ef65dfe7150bd1567cac6f3569e24d9fe091496c807556d0150456429a3d1a6fd2ed0b8ae3128ea3b8674c97f42ce7c897719d2cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21722\pywin32_system32\pythoncom312.dll

Filesize
655KB

MD5
a2cc25338a9bb825237ef1653511a36a

SHA1
433ded40bab01ded8758141045e3e6658d435685

SHA256
698b9b005243163c245bfa22357b383e107a1d21a8c420d2ef458662e410422f

SHA512
8d55d3f908e2407662e101238dacdbd84ae197e6e951618171deeac9cfb3f4cb12425212dbfd691a0b930da43e1a344c5004de7e89d3aec47e9063a5312fa74b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21722\pywin32_system32\pywintypes312.dll

Filesize
131KB

MD5
26d752c8896b324ffd12827a5e4b2808

SHA1
447979fa03f78cb7210a4e4ba365085ab2f42c22

SHA256
bd33548dbdbb178873be92901b282bad9c6817e3eac154ca50a666d5753fd7ec

SHA512
99c87ab9920e79a03169b29a2f838d568ca4d4056b54a67bc51caf5c0ff5a4897ed02533ba504f884c6f983ebc400743e6ad52ac451821385b1e25c3b1ebcee0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21722\select.pyd

Filesize
30KB

MD5
d0cc9fc9a0650ba00bd206720223493b

SHA1
295bc204e489572b74cc11801ed8590f808e1618

SHA256
411d6f538bdbaf60f1a1798fa8aa7ed3a4e8fcc99c9f9f10d21270d2f3742019

SHA512
d3ebcb91d1b8aa247d50c2c4b2ba1bf3102317c593cbf6c63883e8bf9d6e50c0a40f149654797abc5b4f17aee282ddd972a8cd9189bfcd5b9cec5ab9c341e20b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21722\unicodedata.pyd

Filesize
1.1MB

MD5
cc8142bedafdfaa50b26c6d07755c7a6

SHA1
0fcab5816eaf7b138f22c29c6d5b5f59551b39fe

SHA256
bc2cf23b7b7491edcf03103b78dbaf42afd84a60ea71e764af9a1ddd0fe84268

SHA512
c3b0c1dbe5bf159ab7706f314a75a856a08ebb889f53fe22ab3ec92b35b5e211edab3934df3da64ebea76f38eb9bfc9504db8d7546a36bc3cabe40c5599a9cbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21722\win32\win32api.pyd

Filesize
130KB

MD5
3a80fea23a007b42cef8e375fc73ad40

SHA1
04319f7552ea968e2421c3936c3a9ee6f9cf30b2

SHA256
b70d69d25204381f19378e1bb35cc2b8c8430aa80a983f8d0e8e837050bb06ef

SHA512
a63bed03f05396b967858902e922b2fbfb4cf517712f91cfaa096ff0539cf300d6b9c659ffee6bf11c28e79e23115fd6b9c0b1aa95db1cbd4843487f060ccf40

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21722\win32com\shell\shell.pyd

Filesize
516KB

MD5
91244bf7d99d73496f22bd804a74993e

SHA1
0e8d158f944e761a63e37f11817b96eb33f1b208

SHA256
e5fca249ddcff94134145dfa6bca90fa6471b941ce351c867e8aa327395c7d09

SHA512
34d64c76df3bdc37dd841be50e29942f6fe398e31e81945834d3d136b31e6de2cea629645d89be24bd106228a96d1f86281371ddfe057dd7120b75a3d705faf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21722\zstandard\backend_c.cp312-win_amd64.pyd

Filesize
513KB

MD5
478583eb2f71fa1793829fbde4246bab

SHA1
d67331acf14354cfa4cf9ab3a3e0bc2e1288bcf9

SHA256
8c7c7929d3a2742f0407619da235d5b298882cc4c7ede3666ac21e9db22f8347

SHA512
f4e01565632756036eb38d9663295836b2379b8c4b57de7704a6ee7a24dbcb5a12506ac51d2540991f8fff53ffac1f6fa56814b3a009db6b0cc9f18ab3578fc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50402\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50402\_ctypes.pyd

Filesize
57KB

MD5
b4c41a4a46e1d08206c109ce547480c7

SHA1
9588387007a49ec2304160f27376aedca5bc854d

SHA256
9925ab71a4d74ce0ccc036034d422782395dd496472bd2d7b6d617f4d6ddc1f9

SHA512
30debb8e766b430a57f3f6649eeb04eb0aad75ab50423252585db7e28a974d629eb81844a05f5cb94c1702308d3feda7a7a99cb37458e2acb8e87efc486a1d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50402\base_library.zip

Filesize
1.4MB

MD5
83d235e1f5b0ee5b0282b5ab7244f6c4

SHA1
629a1ce71314d7abbce96674a1ddf9f38c4a5e9c

SHA256
db389a9e14bfac6ee5cce17d41f9637d3ff8b702cc74102db8643e78659670a0

SHA512
77364aff24cfc75ee32e50973b7d589b4a896d634305d965ecbc31a9e0097e270499dbec93126092eb11f3f1ad97692db6ca5927d3d02f3d053336d6267d7e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50402\libffi-8.dll

Filesize
24KB

MD5
decbba3add4c2246928ab385fb16a21e

SHA1
5f019eff11de3122ffa67a06d52d446a3448b75e

SHA256
4b43c1e42f6050ddb8e184c8ec4fb1de4a6001e068ece8e6ad47de0cc9fd4a2d

SHA512
760a42a3eb3ca13fa7b95d3bd0f411c270594ae3cf1d3cda349fa4f8b06ebe548b60cd438d68e2da37de0bc6f1c711823f5e917da02ed7047a45779ee08d7012

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50402\python3.DLL

Filesize
64KB

MD5
34e49bb1dfddf6037f0001d9aefe7d61

SHA1
a25a39dca11cdc195c9ecd49e95657a3e4fe3215

SHA256
4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281

SHA512
edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50402\python311.dll

Filesize
1.6MB

MD5
db09c9bbec6134db1766d369c339a0a1

SHA1
c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b

SHA256
b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79

SHA512
653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_f4aoetty.xzh.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\comet.exe

Filesize
10.9MB

MD5
3648a657565b3537bbe7e56bf6a71a08

SHA1
4e81898d461e94da39a18c04aaa89e6e3971c649

SHA256
4c238ebf0c59b2554d05e8ed10597e9e453e37db5b1fafc5d26ec7c3425edf56

SHA512
04d35555d63921f603e945458fcde200dc8b9d564c679647478c86cd340e8b3adbf1e5fa57b4155c0dc428d5c400e6d781c6b633322abcab338c1380c3267d85

Download Submit
memory/3788-238-0x000001B7334E0000-0x000001B733502000-memory.dmp

Filesize
136KB

Download
memory/3960-163-0x00007FFCA8FA0000-0x00007FFCA9315000-memory.dmp

Filesize
3.5MB

Download
memory/3960-180-0x00007FFCBB120000-0x00007FFCBB293000-memory.dmp

Filesize
1.4MB

Download
memory/3960-159-0x00007FFCBB2A0000-0x00007FFCBB2C3000-memory.dmp

Filesize
140KB

Download
memory/3960-157-0x00007FFCBB300000-0x00007FFCBB319000-memory.dmp

Filesize
100KB

Download
memory/3960-156-0x00007FFCBB320000-0x00007FFCBB32D000-memory.dmp

Filesize
52KB

Download
memory/3960-155-0x00007FFCBB9F0000-0x00007FFCBBA09000-memory.dmp

Filesize
100KB

Download
memory/3960-158-0x00007FFCBB2D0000-0x00007FFCBB2FD000-memory.dmp

Filesize
180KB

Download
memory/3960-161-0x00007FFCBB070000-0x00007FFCBB09E000-memory.dmp

Filesize
184KB

Download
memory/3960-153-0x00007FFCBBA10000-0x00007FFCBBA34000-memory.dmp

Filesize
144KB

Download
memory/3960-162-0x00007FFCAA460000-0x00007FFCAA518000-memory.dmp

Filesize
736KB

Download
memory/3960-164-0x000002504C8D0000-0x000002504CC45000-memory.dmp

Filesize
3.5MB

Download
memory/3960-166-0x00007FFCBAFB0000-0x00007FFCBAFC2000-memory.dmp

Filesize
72KB

Download
memory/3960-165-0x00007FFCBB050000-0x00007FFCBB065000-memory.dmp

Filesize
84KB

Download
memory/3960-168-0x00007FFCBAC80000-0x00007FFCBAC94000-memory.dmp

Filesize
80KB

Download
memory/3960-167-0x00007FFCBAF90000-0x00007FFCBAFA4000-memory.dmp

Filesize
80KB

Download
memory/3960-169-0x00007FFCAA340000-0x00007FFCAA45C000-memory.dmp

Filesize
1.1MB

Download
memory/3960-170-0x00007FFCB7270000-0x00007FFCB7292000-memory.dmp

Filesize
136KB

Download
memory/3960-171-0x00007FFCB7250000-0x00007FFCB7267000-memory.dmp

Filesize
92KB

Download
memory/3960-176-0x00007FFCB0120000-0x00007FFCB016D000-memory.dmp

Filesize
308KB

Download
memory/3960-175-0x00007FFCB6740000-0x00007FFCB6759000-memory.dmp

Filesize
100KB

Download
memory/3960-174-0x00007FFCBAF80000-0x00007FFCBAF8A000-memory.dmp

Filesize
40KB

Download
memory/3960-173-0x00007FFCB6720000-0x00007FFCB6731000-memory.dmp

Filesize
68KB

Download
memory/3960-172-0x00007FFCA87E0000-0x00007FFCA8DC8000-memory.dmp

Filesize
5.9MB

Download
memory/3960-177-0x00007FFCB02A0000-0x00007FFCB02BE000-memory.dmp

Filesize
120KB

Download
memory/3960-181-0x00007FFCA80E0000-0x00007FFCA87D5000-memory.dmp

Filesize
7.0MB

Download
memory/3960-160-0x00007FFCBB120000-0x00007FFCBB293000-memory.dmp

Filesize
1.4MB

Download
memory/3960-179-0x00007FFCBB2A0000-0x00007FFCBB2C3000-memory.dmp

Filesize
140KB

Download
memory/3960-178-0x00007FFCBB9F0000-0x00007FFCBBA09000-memory.dmp

Filesize
100KB

Download
memory/3960-183-0x00007FFCAA640000-0x00007FFCAA678000-memory.dmp

Filesize
224KB

Download
memory/3960-182-0x00007FFCBB070000-0x00007FFCBB09E000-memory.dmp

Filesize
184KB

Download
memory/3960-235-0x00007FFCBABE0000-0x00007FFCBABED000-memory.dmp

Filesize
52KB

Download
memory/3960-234-0x000002504C8D0000-0x000002504CC45000-memory.dmp

Filesize
3.5MB

Download
memory/3960-233-0x00007FFCA8FA0000-0x00007FFCA9315000-memory.dmp

Filesize
3.5MB

Download
memory/3960-232-0x00007FFCAA460000-0x00007FFCAA518000-memory.dmp

Filesize
736KB

Download
memory/3960-154-0x00007FFCBBB40000-0x00007FFCBBB4F000-memory.dmp

Filesize
60KB

Download
memory/3960-144-0x00007FFCA87E0000-0x00007FFCA8DC8000-memory.dmp

Filesize
5.9MB

Download
memory/3960-252-0x00007FFCBAFB0000-0x00007FFCBAFC2000-memory.dmp

Filesize
72KB

Download
memory/3960-251-0x00007FFCBB050000-0x00007FFCBB065000-memory.dmp

Filesize
84KB

Download
memory/3960-260-0x00007FFCA87E0000-0x00007FFCA8DC8000-memory.dmp

Filesize
5.9MB

Download
memory/3960-268-0x00007FFCBB120000-0x00007FFCBB293000-memory.dmp

Filesize
1.4MB

Download
memory/3960-287-0x00007FFCAA340000-0x00007FFCAA45C000-memory.dmp

Filesize
1.1MB

Download
memory/3960-285-0x00007FFCAA640000-0x00007FFCAA678000-memory.dmp

Filesize
224KB

Download
memory/3960-280-0x00007FFCB0120000-0x00007FFCB016D000-memory.dmp

Filesize
308KB

Download
memory/3960-279-0x00007FFCB6740000-0x00007FFCB6759000-memory.dmp

Filesize
100KB

Download
memory/3960-278-0x00007FFCB7250000-0x00007FFCB7267000-memory.dmp

Filesize
92KB

Download
memory/3960-277-0x00007FFCB7270000-0x00007FFCB7292000-memory.dmp

Filesize
136KB

Download
memory/3960-284-0x00007FFCA80E0000-0x00007FFCA87D5000-memory.dmp

Filesize
7.0MB

Download
memory/3960-272-0x00007FFCBB050000-0x00007FFCBB065000-memory.dmp

Filesize
84KB

Download
memory/3960-261-0x00007FFCBBA10000-0x00007FFCBBA34000-memory.dmp

Filesize
144KB

Download
memory/3960-288-0x00007FFCA87E0000-0x00007FFCA8DC8000-memory.dmp

Filesize
5.9MB

Download
memory/3960-315-0x00007FFCA87E0000-0x00007FFCA8DC8000-memory.dmp

Filesize
5.9MB

Download