exelastealer | 6ea2842ccf19304196d42ba48068eaa501d5c9a1cae360493324e75067a78c3d

Analysis

max time kernel
150s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
27-10-2024 13:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Comet.exe
Size

12.5MB
MD5

24a3aac021d51f514c7e5f066d82ab0d
SHA1

ef5349826152e545921f268bde54a2a791c0630f
SHA256

6ea2842ccf19304196d42ba48068eaa501d5c9a1cae360493324e75067a78c3d
SHA512

34e516994f3d640c3a188ad0cf290b2c2985575ae2167285899383bde61ccedd1c3ca1ef6008182002c4c972d387a00ec0e8da1d4e1cdd506dd765abb735c5fb
SSDEEP

393216:0/+csXJdkPRDxPXdvOezIUUsXuWrpw562o2sG:XQPRDxPtxFXuWrylmG

Score

10^/10

exelastealer collection defense_evasion discovery evasion persistence privilege_escalation pyinstaller ransomware spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Renames multiple (55) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2820	netsh.exe
3488	netsh.exe
3992	netsh.exe
3528	netsh.exe

Clipboard Data 1 TTPs 4 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4356	cmd.exe
4408	powershell.exe
1532	cmd.exe
3148	powershell.exe

Executes dropped EXE 64 IoCs

pid	Process
4816	Screenshare.dll.exe
2756	Screenshare.dll.exe
2420	Screenshare.dll.exe
3156	Screenshare.dll.exe
3580	Screenshare.dll.exe
1628	Screenshare.dll.exe
3064	Screenshare.dll.exe
3108	Screenshare.dll.exe
2488	Screenshare.dll.exe
2184	Screenshare.dll.exe
884	Screenshare.dll.exe
2804	Screenshare.dll.exe
4388	Screenshare.dll.exe
1224	Screenshare.dll.exe
3080	Screenshare.dll.exe
2484	Screenshare.dll.exe
3888	Screenshare.dll.exe
4564	Screenshare.dll.exe
1928	Screenshare.dll.exe
4680	Screenshare.dll.exe
4484	Screenshare.dll.exe
4784	Screenshare.dll.exe
4692	Screenshare.dll.exe
4876	Screenshare.dll.exe
4964	Screenshare.dll.exe
4388	Screenshare.dll.exe
4348	Screenshare.dll.exe
1328	Screenshare.dll.exe
2660	Screenshare.dll.exe
3276	Screenshare.dll.exe
2532	Screenshare.dll.exe
912	Screenshare.dll.exe
4976	Screenshare.dll.exe
2160	Screenshare.dll.exe
2424	Screenshare.dll.exe
4088	Screenshare.dll.exe
3220	Screenshare.dll.exe
3200	Screenshare.dll.exe
1308	Screenshare.dll.exe
2508	Screenshare.dll.exe
2564	Screenshare.dll.exe
2532	Screenshare.dll.exe
4400	Screenshare.dll.exe
3600	Screenshare.dll.exe
3340	Screenshare.dll.exe
1664	Screenshare.dll.exe
3668	Screenshare.dll.exe
3212	Screenshare.dll.exe
4828	Screenshare.dll.exe
4484	Screenshare.dll.exe
3836	Screenshare.dll.exe
4692	Screenshare.dll.exe
2156	Screenshare.dll.exe
2484	Screenshare.dll.exe
1224	Screenshare.dll.exe
1964	Screenshare.dll.exe
4112	Screenshare.dll.exe
4464	Screenshare.dll.exe
3644	Screenshare.dll.exe
352	Screenshare.dll.exe
1372	Screenshare.dll.exe
4632	Screenshare.dll.exe
2032	Screenshare.dll.exe
1576	Screenshare.dll.exe

Loads dropped DLL 64 IoCs

pid	Process
2756	Screenshare.dll.exe
2756	Screenshare.dll.exe
2756	Screenshare.dll.exe
2756	Screenshare.dll.exe
2756	Screenshare.dll.exe
2756	Screenshare.dll.exe
2756	Screenshare.dll.exe
2756	Screenshare.dll.exe
2756	Screenshare.dll.exe
2756	Screenshare.dll.exe
2756	Screenshare.dll.exe
2756	Screenshare.dll.exe
2756	Screenshare.dll.exe
2756	Screenshare.dll.exe
2756	Screenshare.dll.exe
2756	Screenshare.dll.exe
2756	Screenshare.dll.exe
2756	Screenshare.dll.exe
2756	Screenshare.dll.exe
2756	Screenshare.dll.exe
2756	Screenshare.dll.exe
2756	Screenshare.dll.exe
2756	Screenshare.dll.exe
2756	Screenshare.dll.exe
2756	Screenshare.dll.exe
2756	Screenshare.dll.exe
2756	Screenshare.dll.exe
3156	Screenshare.dll.exe
3156	Screenshare.dll.exe
3156	Screenshare.dll.exe
3156	Screenshare.dll.exe
3156	Screenshare.dll.exe
3156	Screenshare.dll.exe
3156	Screenshare.dll.exe
3156	Screenshare.dll.exe
3156	Screenshare.dll.exe
3156	Screenshare.dll.exe
3156	Screenshare.dll.exe
3156	Screenshare.dll.exe
3156	Screenshare.dll.exe
3156	Screenshare.dll.exe
3156	Screenshare.dll.exe
2756	Screenshare.dll.exe
2756	Screenshare.dll.exe
2756	Screenshare.dll.exe
2756	Screenshare.dll.exe
2756	Screenshare.dll.exe
2756	Screenshare.dll.exe
3156	Screenshare.dll.exe
3156	Screenshare.dll.exe
3156	Screenshare.dll.exe
3156	Screenshare.dll.exe
3156	Screenshare.dll.exe
3156	Screenshare.dll.exe
3156	Screenshare.dll.exe
3156	Screenshare.dll.exe
3156	Screenshare.dll.exe
3156	Screenshare.dll.exe
3156	Screenshare.dll.exe
3156	Screenshare.dll.exe
3156	Screenshare.dll.exe
3156	Screenshare.dll.exe
3156	Screenshare.dll.exe
3156	Screenshare.dll.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
8	discord.com
9	discord.com
23	discord.com
30	discord.com
37	discord.com
38	discord.com
1	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com
12	ip-api.com

Network Service Discovery 1 TTPs 4 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
3680	ARP.EXE
1368	cmd.exe
1988	ARP.EXE
4172	cmd.exe

Enumerates processes with tasklist 1 TTPs 10 IoCs

discovery

Process Discovery

T1057

pid	Process
5076	tasklist.exe
1028	tasklist.exe
460	tasklist.exe
1884	tasklist.exe
4696	tasklist.exe
1976	tasklist.exe
5076	tasklist.exe
3476	tasklist.exe
4828	tasklist.exe
1576	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2744	cmd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002aaa8-74.dat	upx
behavioral1/memory/2756-79-0x00007FFDB3AE0000-0x00007FFDB41A5000-memory.dmp	upx
behavioral1/files/0x001900000002aa6e-81.dat	upx
behavioral1/files/0x001900000002aaa0-88.dat	upx
behavioral1/memory/2756-87-0x00007FFDCBF30000-0x00007FFDCBF55000-memory.dmp	upx
behavioral1/files/0x001900000002aaab-94.dat	upx
behavioral1/memory/2756-110-0x00007FFDD28B0000-0x00007FFDD28BF000-memory.dmp	upx
behavioral1/files/0x001900000002aa79-109.dat	upx
behavioral1/files/0x001900000002aa77-107.dat	upx
behavioral1/files/0x001900000002aa76-106.dat	upx
behavioral1/files/0x001900000002aa75-105.dat	upx
behavioral1/files/0x001900000002aa74-104.dat	upx
behavioral1/files/0x001900000002aa73-103.dat	upx
behavioral1/files/0x001900000002aa72-102.dat	upx
behavioral1/files/0x001900000002aa71-101.dat	upx
behavioral1/files/0x001900000002aa70-100.dat	upx
behavioral1/files/0x001900000002aa6f-99.dat	upx
behavioral1/files/0x001900000002aa6d-98.dat	upx
behavioral1/files/0x001900000002aa6c-97.dat	upx
behavioral1/files/0x001900000002aa6b-96.dat	upx
behavioral1/files/0x001900000002aaaa-93.dat	upx
behavioral1/files/0x001900000002aaa9-92.dat	upx
behavioral1/files/0x001900000002aaa6-91.dat	upx
behavioral1/files/0x001900000002aaa1-90.dat	upx
behavioral1/files/0x001900000002aa9f-89.dat	upx
behavioral1/memory/2756-113-0x00007FFDCE620000-0x00007FFDCE639000-memory.dmp	upx
behavioral1/memory/2756-114-0x00007FFDCC6E0000-0x00007FFDCC6ED000-memory.dmp	upx
behavioral1/memory/2756-116-0x00007FFDCC6D0000-0x00007FFDCC6DF000-memory.dmp	upx
behavioral1/memory/2756-119-0x00007FFDC91C0000-0x00007FFDC91DA000-memory.dmp	upx
behavioral1/memory/2756-125-0x00007FFDC8DF0000-0x00007FFDC8E14000-memory.dmp	upx
behavioral1/files/0x001900000002aa95-126.dat	upx
behavioral1/memory/2756-124-0x00007FFDC88B0000-0x00007FFDC8A2F000-memory.dmp	upx
behavioral1/memory/2756-123-0x00007FFDC8EC0000-0x00007FFDC8EED000-memory.dmp	upx
behavioral1/memory/2756-129-0x00007FFDB3330000-0x00007FFDB3AD1000-memory.dmp	upx
behavioral1/memory/2756-130-0x00007FFDB3AE0000-0x00007FFDB41A5000-memory.dmp	upx
behavioral1/memory/2756-132-0x00007FFDCBF30000-0x00007FFDCBF55000-memory.dmp	upx
behavioral1/memory/2756-133-0x00007FFDC8DB0000-0x00007FFDC8DE8000-memory.dmp	upx
behavioral1/memory/2756-135-0x00007FFDC8D70000-0x00007FFDC8DA3000-memory.dmp	upx
behavioral1/memory/2756-137-0x00007FFDC87E0000-0x00007FFDC88AE000-memory.dmp	upx
behavioral1/memory/2756-142-0x00007FFDCC6D0000-0x00007FFDCC6DF000-memory.dmp	upx
behavioral1/memory/2756-140-0x00007FFDC4750000-0x00007FFDC4C83000-memory.dmp	upx
behavioral1/files/0x001900000002aaa5-156.dat	upx
behavioral1/memory/2756-162-0x00007FFDC8680000-0x00007FFDC869B000-memory.dmp	upx
behavioral1/memory/2756-161-0x00007FFDC8650000-0x00007FFDC8672000-memory.dmp	upx
behavioral1/memory/2756-160-0x00007FFDB3330000-0x00007FFDB3AD1000-memory.dmp	upx
behavioral1/memory/3156-221-0x00007FFDB51E0000-0x00007FFDB58A5000-memory.dmp	upx
behavioral1/memory/2756-222-0x00007FFDC8DB0000-0x00007FFDC8DE8000-memory.dmp	upx
behavioral1/memory/2756-225-0x00007FFDC8D70000-0x00007FFDC8DA3000-memory.dmp	upx
behavioral1/memory/3156-224-0x00007FFDCC310000-0x00007FFDCC31F000-memory.dmp	upx
behavioral1/memory/2756-226-0x00007FFDC87E0000-0x00007FFDC88AE000-memory.dmp	upx
behavioral1/memory/3156-223-0x00007FFDC8FF0000-0x00007FFDC9015000-memory.dmp	upx
behavioral1/memory/3156-235-0x00007FFDC8FA0000-0x00007FFDC8FBA000-memory.dmp	upx
behavioral1/memory/3156-233-0x00007FFDC84D0000-0x00007FFDC864F000-memory.dmp	upx
behavioral1/memory/3156-232-0x00007FFDC8F40000-0x00007FFDC8F64000-memory.dmp	upx
behavioral1/memory/3156-236-0x00007FFDB2100000-0x00007FFDB28A1000-memory.dmp	upx
behavioral1/memory/3156-231-0x00007FFDC8F70000-0x00007FFDC8F9D000-memory.dmp	upx
behavioral1/memory/3156-230-0x00007FFDC9120000-0x00007FFDC912F000-memory.dmp	upx
behavioral1/memory/3156-229-0x00007FFDC91B0000-0x00007FFDC91BD000-memory.dmp	upx
behavioral1/memory/3156-228-0x00007FFDC8FD0000-0x00007FFDC8FE9000-memory.dmp	upx
behavioral1/memory/2756-227-0x00007FFDC4750000-0x00007FFDC4C83000-memory.dmp	upx
behavioral1/files/0x001900000002aaad-159.dat	upx
behavioral1/memory/3156-246-0x00007FFDC8420000-0x00007FFDC8453000-memory.dmp	upx
behavioral1/memory/3156-248-0x00007FFDC4680000-0x00007FFDC474E000-memory.dmp	upx
behavioral1/memory/2756-249-0x00007FFDC8A40000-0x00007FFDC8A5E000-memory.dmp	upx

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4868	sc.exe
4200	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x001e00000002aa60-7.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3836	cmd.exe
4868	netsh.exe
3800	cmd.exe
972	netsh.exe

System Network Connections Discovery 1 TTPs 2 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
976	NETSTAT.EXE
1808	NETSTAT.EXE

Collects information from the system 1 TTPs 2 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
4848	WMIC.exe
1132	WMIC.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1048	WMIC.exe
4108	WMIC.exe

Gathers network information 2 TTPs 4 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3212	ipconfig.exe
1808	NETSTAT.EXE
3448	ipconfig.exe
976	NETSTAT.EXE

Gathers system information 1 TTPs 2 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2384	systeminfo.exe
412	systeminfo.exe

Modifies registry class 3 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2384	schtasks.exe
3948	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3148	powershell.exe
3148	powershell.exe
4408	powershell.exe
4408	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5088	WMIC.exe
Token: SeSecurityPrivilege	5088	WMIC.exe
Token: SeTakeOwnershipPrivilege	5088	WMIC.exe
Token: SeLoadDriverPrivilege	5088	WMIC.exe
Token: SeSystemProfilePrivilege	5088	WMIC.exe
Token: SeSystemtimePrivilege	5088	WMIC.exe
Token: SeProfSingleProcessPrivilege	5088	WMIC.exe
Token: SeIncBasePriorityPrivilege	5088	WMIC.exe
Token: SeCreatePagefilePrivilege	5088	WMIC.exe
Token: SeBackupPrivilege	5088	WMIC.exe
Token: SeRestorePrivilege	5088	WMIC.exe
Token: SeShutdownPrivilege	5088	WMIC.exe
Token: SeDebugPrivilege	5088	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5088	WMIC.exe
Token: SeRemoteShutdownPrivilege	5088	WMIC.exe
Token: SeUndockPrivilege	5088	WMIC.exe
Token: SeManageVolumePrivilege	5088	WMIC.exe
Token: 33	5088	WMIC.exe
Token: 34	5088	WMIC.exe
Token: 35	5088	WMIC.exe
Token: 36	5088	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1048	WMIC.exe
Token: SeSecurityPrivilege	1048	WMIC.exe
Token: SeTakeOwnershipPrivilege	1048	WMIC.exe
Token: SeLoadDriverPrivilege	1048	WMIC.exe
Token: SeSystemProfilePrivilege	1048	WMIC.exe
Token: SeSystemtimePrivilege	1048	WMIC.exe
Token: SeProfSingleProcessPrivilege	1048	WMIC.exe
Token: SeIncBasePriorityPrivilege	1048	WMIC.exe
Token: SeCreatePagefilePrivilege	1048	WMIC.exe
Token: SeBackupPrivilege	1048	WMIC.exe
Token: SeRestorePrivilege	1048	WMIC.exe
Token: SeShutdownPrivilege	1048	WMIC.exe
Token: SeDebugPrivilege	1048	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1048	WMIC.exe
Token: SeRemoteShutdownPrivilege	1048	WMIC.exe
Token: SeUndockPrivilege	1048	WMIC.exe
Token: SeManageVolumePrivilege	1048	WMIC.exe
Token: 33	1048	WMIC.exe
Token: 34	1048	WMIC.exe
Token: 35	1048	WMIC.exe
Token: 36	1048	WMIC.exe
Token: SeDebugPrivilege	1884	tasklist.exe
Token: SeIncreaseQuotaPrivilege	5088	WMIC.exe
Token: SeSecurityPrivilege	5088	WMIC.exe
Token: SeTakeOwnershipPrivilege	5088	WMIC.exe
Token: SeLoadDriverPrivilege	5088	WMIC.exe
Token: SeSystemProfilePrivilege	5088	WMIC.exe
Token: SeSystemtimePrivilege	5088	WMIC.exe
Token: SeProfSingleProcessPrivilege	5088	WMIC.exe
Token: SeIncBasePriorityPrivilege	5088	WMIC.exe
Token: SeCreatePagefilePrivilege	5088	WMIC.exe
Token: SeBackupPrivilege	5088	WMIC.exe
Token: SeRestorePrivilege	5088	WMIC.exe
Token: SeShutdownPrivilege	5088	WMIC.exe
Token: SeDebugPrivilege	5088	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5088	WMIC.exe
Token: SeRemoteShutdownPrivilege	5088	WMIC.exe
Token: SeUndockPrivilege	5088	WMIC.exe
Token: SeManageVolumePrivilege	5088	WMIC.exe
Token: 33	5088	WMIC.exe
Token: 34	5088	WMIC.exe
Token: 35	5088	WMIC.exe
Token: 36	5088	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3476 wrote to memory of 4816	3476	Comet.exe	77
PID 3476 wrote to memory of 4816	3476	Comet.exe	77
PID 3476 wrote to memory of 716	3476	Comet.exe	78
PID 3476 wrote to memory of 716	3476	Comet.exe	78
PID 4816 wrote to memory of 2756	4816	Screenshare.dll.exe	79
PID 4816 wrote to memory of 2756	4816	Screenshare.dll.exe	79
PID 716 wrote to memory of 2420	716	Comet.exe	80
PID 716 wrote to memory of 2420	716	Comet.exe	80
PID 716 wrote to memory of 4800	716	Comet.exe	81
PID 716 wrote to memory of 4800	716	Comet.exe	81
PID 2420 wrote to memory of 3156	2420	Screenshare.dll.exe	82
PID 2420 wrote to memory of 3156	2420	Screenshare.dll.exe	82
PID 2756 wrote to memory of 1688	2756	Screenshare.dll.exe	83
PID 2756 wrote to memory of 1688	2756	Screenshare.dll.exe	83
PID 2756 wrote to memory of 1896	2756	Screenshare.dll.exe	86
PID 2756 wrote to memory of 1896	2756	Screenshare.dll.exe	86
PID 2756 wrote to memory of 4872	2756	Screenshare.dll.exe	87
PID 2756 wrote to memory of 4872	2756	Screenshare.dll.exe	87
PID 2756 wrote to memory of 1432	2756	Screenshare.dll.exe	88
PID 2756 wrote to memory of 1432	2756	Screenshare.dll.exe	88
PID 2756 wrote to memory of 1692	2756	Screenshare.dll.exe	89
PID 2756 wrote to memory of 1692	2756	Screenshare.dll.exe	89
PID 4872 wrote to memory of 5088	4872	cmd.exe	131
PID 4872 wrote to memory of 5088	4872	cmd.exe	131
PID 1896 wrote to memory of 1048	1896	cmd.exe	95
PID 1896 wrote to memory of 1048	1896	cmd.exe	95
PID 1692 wrote to memory of 1884	1692	cmd.exe	96
PID 1692 wrote to memory of 1884	1692	cmd.exe	96
PID 2756 wrote to memory of 1980	2756	Screenshare.dll.exe	97
PID 2756 wrote to memory of 1980	2756	Screenshare.dll.exe	97
PID 1980 wrote to memory of 4040	1980	cmd.exe	99
PID 1980 wrote to memory of 4040	1980	cmd.exe	99
PID 2756 wrote to memory of 4212	2756	Screenshare.dll.exe	100
PID 2756 wrote to memory of 4212	2756	Screenshare.dll.exe	100
PID 2756 wrote to memory of 3984	2756	Screenshare.dll.exe	101
PID 2756 wrote to memory of 3984	2756	Screenshare.dll.exe	101
PID 4212 wrote to memory of 1536	4212	cmd.exe	104
PID 4212 wrote to memory of 1536	4212	cmd.exe	104
PID 3984 wrote to memory of 1576	3984	cmd.exe	105
PID 3984 wrote to memory of 1576	3984	cmd.exe	105
PID 2756 wrote to memory of 2744	2756	Screenshare.dll.exe	106
PID 2756 wrote to memory of 2744	2756	Screenshare.dll.exe	106
PID 2744 wrote to memory of 4920	2744	cmd.exe	108
PID 2744 wrote to memory of 4920	2744	cmd.exe	108
PID 2756 wrote to memory of 1684	2756	Screenshare.dll.exe	109
PID 2756 wrote to memory of 1684	2756	Screenshare.dll.exe	109
PID 1684 wrote to memory of 2428	1684	cmd.exe	111
PID 1684 wrote to memory of 2428	1684	cmd.exe	111
PID 2756 wrote to memory of 2736	2756	Screenshare.dll.exe	112
PID 2756 wrote to memory of 2736	2756	Screenshare.dll.exe	112
PID 2736 wrote to memory of 2384	2736	cmd.exe	114
PID 2736 wrote to memory of 2384	2736	cmd.exe	114
PID 4800 wrote to memory of 3580	4800	Comet.exe	115
PID 4800 wrote to memory of 3580	4800	Comet.exe	115
PID 4800 wrote to memory of 2084	4800	Comet.exe	116
PID 4800 wrote to memory of 2084	4800	Comet.exe	116
PID 3580 wrote to memory of 1628	3580	Screenshare.dll.exe	117
PID 3580 wrote to memory of 1628	3580	Screenshare.dll.exe	117
PID 2756 wrote to memory of 2172	2756	Screenshare.dll.exe	118
PID 2756 wrote to memory of 2172	2756	Screenshare.dll.exe	118
PID 2172 wrote to memory of 3948	2172	cmd.exe	120
PID 2172 wrote to memory of 3948	2172	cmd.exe	120
PID 2756 wrote to memory of 2908	2756	Screenshare.dll.exe	121
PID 2756 wrote to memory of 2908	2756	Screenshare.dll.exe	121

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4920	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Comet.exe
"C:\Users\Admin\AppData\Local\Temp\Comet.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3476
- C:\Users\Admin\AppData\Local\Screenshare.dll.exe
  "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4816
- - C:\Users\Admin\AppData\Local\Screenshare.dll.exe
    "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:1688
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1896
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4872
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5088
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "gdb --version"
      4⤵
      PID:1432
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1692
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1980
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        5⤵
        
        PID:4040
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4212
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:1536
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3984
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:1576
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
      4⤵
      Hide Artifacts: Hidden Files and Directories
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
        5⤵
        Views/modifies file attributes
        
        PID:4920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "schtasks /query /TN "ExelaUpdateService""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1684
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /query /TN "ExelaUpdateService"
        5⤵
        
        PID:2428
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc onlogon /rl highest /tn "ExelaUpdateService" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "ExelaUpdateService" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2384
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc hourly /mo 1 /rl highest /tn "ExelaUpdateService2" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2172
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc hourly /mo 1 /rl highest /tn "ExelaUpdateService2" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3948
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:2908
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:4696
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      PID:1352
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        
        PID:3880
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:2488
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      PID:1372
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        
        PID:4860
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:4876
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:1720
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:1976
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
      4⤵
      Clipboard Data
      PID:1532
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        5⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:3148
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
      4⤵
      Network Service Discovery
      PID:4172
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:412
    - - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        5⤵
        
        PID:2696
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        5⤵
        Collects information from the system
        
        PID:4848
    - - C:\Windows\system32\net.exe
        
        net user
        5⤵
        
        PID:2952
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        6⤵
        
        PID:1792
    - - C:\Windows\system32\query.exe
        
        query user
        5⤵
        
        PID:3952
      - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        6⤵
        
        PID:4872
    - - C:\Windows\system32\net.exe
        
        net localgroup
        5⤵
        
        PID:3196
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        6⤵
        
        PID:4616
    - - C:\Windows\system32\net.exe
        
        net localgroup administrators
        5⤵
        
        PID:2352
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        6⤵
        
        PID:860
    - - C:\Windows\system32\net.exe
        
        net user guest
        5⤵
        
        PID:4400
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        6⤵
        
        PID:4456
    - - C:\Windows\system32\net.exe
        
        net user administrator
        5⤵
        
        PID:1564
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        6⤵
        
        PID:1452
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        5⤵
        
        PID:4332
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        5⤵
        Enumerates processes with tasklist
        
        PID:5076
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:3212
    - - C:\Windows\system32\ROUTE.EXE
        
        route print
        5⤵
        
        PID:1480
    - - C:\Windows\system32\ARP.EXE
        
        arp -a
        5⤵
        Network Service Discovery
        
        PID:3680
    - - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        5⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:1808
    - - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        5⤵
        Launches sc.exe
        
        PID:4868
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3488
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3836
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4868
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:1216
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:3204
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:2920
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:1432
- C:\Users\Admin\AppData\Local\Temp\Comet.exe
  "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:716
- - C:\Users\Admin\AppData\Local\Screenshare.dll.exe
    "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Users\Admin\AppData\Local\Screenshare.dll.exe
      "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3156
- - C:\Users\Admin\AppData\Local\Temp\Comet.exe
    "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4800
  - - C:\Users\Admin\AppData\Local\Screenshare.dll.exe
      "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:3580
    - - C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        5⤵
        Executes dropped EXE
        
        PID:1628
  - - C:\Users\Admin\AppData\Local\Temp\Comet.exe
      "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
      4⤵
      PID:2084
    - - C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        5⤵
        Executes dropped EXE
        
        PID:3064
      - C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        6⤵
        Executes dropped EXE
        
        PID:3108
    - - C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        5⤵
        
        PID:3216
      - C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        6⤵
        Executes dropped EXE
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        7⤵
        Executes dropped EXE
        
        PID:2184
      - C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        6⤵
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        7⤵
        Executes dropped EXE
        
        PID:884
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        8⤵
        Executes dropped EXE
        
        PID:2804
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        7⤵
        
        PID:352
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        8⤵
        Executes dropped EXE
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        9⤵
        Executes dropped EXE
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        8⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        9⤵
        Executes dropped EXE
        
        PID:3080
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        10⤵
        Executes dropped EXE
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        9⤵
        
        PID:4208
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        10⤵
        Executes dropped EXE
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        11⤵
        Executes dropped EXE
        
        PID:4564
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        10⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        11⤵
        Executes dropped EXE
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        12⤵
        Executes dropped EXE
        
        PID:4680
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        11⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        12⤵
        Executes dropped EXE
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        13⤵
        Executes dropped EXE
        
        PID:4784
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        12⤵
        
        PID:3136
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        13⤵
        Executes dropped EXE
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        14⤵
        Executes dropped EXE
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        13⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        14⤵
        Executes dropped EXE
        
        PID:4964
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        15⤵
        Executes dropped EXE
        
        PID:4388
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        14⤵
        
        PID:1980
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        15⤵
        Executes dropped EXE
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        16⤵
        Executes dropped EXE
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        15⤵
        
        PID:4908
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        16⤵
        Executes dropped EXE
        
        PID:2660
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        17⤵
        Executes dropped EXE
        
        PID:3276
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        16⤵
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        17⤵
        Executes dropped EXE
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        18⤵
        Executes dropped EXE
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        17⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        18⤵
        Executes dropped EXE
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        19⤵
        Executes dropped EXE
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        18⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        19⤵
        Executes dropped EXE
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        20⤵
        Executes dropped EXE
        
        PID:4088
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        19⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        20⤵
        Executes dropped EXE
        
        PID:3220
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        21⤵
        Executes dropped EXE
        
        PID:3200
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        20⤵
        
        PID:4264
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        21⤵
        Executes dropped EXE
        
        PID:1308
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        22⤵
        Executes dropped EXE
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        21⤵
        
        PID:880
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        22⤵
        Executes dropped EXE
        
        PID:2564
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        23⤵
        Executes dropped EXE
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        22⤵
        
        PID:2924
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        23⤵
        Executes dropped EXE
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        24⤵
        Executes dropped EXE
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        23⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        24⤵
        Executes dropped EXE
        
        PID:3340
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        25⤵
        Executes dropped EXE
        
        PID:1664
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        24⤵
        
        PID:4076
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        25⤵
        Executes dropped EXE
        
        PID:3668
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        26⤵
        Executes dropped EXE
        
        PID:3212
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        25⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        26⤵
        Executes dropped EXE
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        27⤵
        Executes dropped EXE
        
        PID:4484
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        26⤵
        
        PID:5012
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        27⤵
        Executes dropped EXE
        
        PID:3836
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        28⤵
        Executes dropped EXE
        
        PID:4692
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        27⤵
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        28⤵
        Executes dropped EXE
        
        PID:2156
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        29⤵
        Executes dropped EXE
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        28⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        29⤵
        Executes dropped EXE
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        30⤵
        Executes dropped EXE
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        29⤵
        
        PID:4700
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        30⤵
        Executes dropped EXE
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        31⤵
        Executes dropped EXE
        
        PID:4464
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        30⤵
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        31⤵
        Executes dropped EXE
        
        PID:3644
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        32⤵
        Executes dropped EXE
        
        PID:352
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        31⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        32⤵
        Executes dropped EXE
        
        PID:1372
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        33⤵
        Executes dropped EXE
        
        PID:4632
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        32⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        33⤵
        Executes dropped EXE
        
        PID:2032
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        34⤵
        Executes dropped EXE
        
        PID:1576
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        33⤵
        
        PID:4864
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        34⤵
        
        PID:2484
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        35⤵
        
        PID:3680
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        34⤵
        
        PID:3208
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        35⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        36⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        35⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        36⤵
        
        PID:4876
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        37⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        36⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        37⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        38⤵
        
        PID:1592
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        37⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        38⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        39⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        38⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        39⤵
        
        PID:4776
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        40⤵
        
        PID:4652
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        39⤵
        
        PID:4892
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        40⤵
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        41⤵
        
        PID:1564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        42⤵
        
        PID:416
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        43⤵
        Detects videocard installed
        
        PID:4108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
        42⤵
        
        PID:1576
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        43⤵
        
        PID:3112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "gdb --version"
        42⤵
        
        PID:1124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        42⤵
        
        PID:3980
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        43⤵
        Enumerates processes with tasklist
        
        PID:3476
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
        42⤵
        
        PID:2300
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        43⤵
        
        PID:3028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        42⤵
        
        PID:4220
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        43⤵
        
        PID:2508
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        42⤵
        
        PID:4028
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        43⤵
        Enumerates processes with tasklist
        
        PID:5076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "schtasks /query /TN "ExelaUpdateService""
        42⤵
        
        PID:1048
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /query /TN "ExelaUpdateService"
        43⤵
        
        PID:4416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        42⤵
        
        PID:3912
        
        C:\Windows\system32\tasklist.exe
        
        tasklist
        43⤵
        Enumerates processes with tasklist
        
        PID:4828
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        42⤵
        
        PID:976
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        43⤵
        
        PID:2804
        
        C:\Windows\system32\chcp.com
        
        chcp
        44⤵
        
        PID:5080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        42⤵
        
        PID:2452
        
        C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        43⤵
        
        PID:3932
        
        C:\Windows\system32\chcp.com
        
        chcp
        44⤵
        
        PID:3448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        42⤵
        
        PID:404
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        43⤵
        Enumerates processes with tasklist
        
        PID:1028
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        42⤵
        Clipboard Data
        
        PID:4356
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        43⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:4408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        42⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:3800
        
        C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        43⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        42⤵
        Network Service Discovery
        
        PID:1368
        
        C:\Windows\system32\systeminfo.exe
        
        systeminfo
        43⤵
        Gathers system information
        
        PID:2384
        
        C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        43⤵
        
        PID:3028
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        43⤵
        Collects information from the system
        
        PID:1132
        
        C:\Windows\system32\net.exe
        
        net user
        43⤵
        
        PID:4908
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        44⤵
        
        PID:4496
        
        C:\Windows\system32\query.exe
        
        query user
        43⤵
        
        PID:888
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        44⤵
        
        PID:2200
        
        C:\Windows\system32\net.exe
        
        net localgroup
        43⤵
        
        PID:1152
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        44⤵
        
        PID:2508
        
        C:\Windows\system32\net.exe
        
        net localgroup administrators
        43⤵
        
        PID:4488
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        44⤵
        
        PID:4568
        
        C:\Windows\system32\net.exe
        
        net user guest
        43⤵
        
        PID:824
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        44⤵
        
        PID:4744
        
        C:\Windows\system32\net.exe
        
        net user administrator
        43⤵
        
        PID:4400
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        44⤵
        
        PID:3772
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        43⤵
        
        PID:1760
        
        C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        43⤵
        Enumerates processes with tasklist
        
        PID:460
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        43⤵
        Gathers network information
        
        PID:3448
        
        C:\Windows\system32\ROUTE.EXE
        
        route print
        43⤵
        
        PID:1668
        
        C:\Windows\system32\ARP.EXE
        
        arp -a
        43⤵
        Network Service Discovery
        
        PID:1988
        
        C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        43⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:976
        
        C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        43⤵
        Launches sc.exe
        
        PID:4200
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        43⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3528
        
        C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        43⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        42⤵
        
        PID:2424
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        43⤵
        
        PID:2448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        42⤵
        
        PID:416
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        43⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        40⤵
        
        PID:3600
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        41⤵
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        42⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        41⤵
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        42⤵
        
        PID:1184
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        43⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        42⤵
        
        PID:2848
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        43⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        44⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        43⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        44⤵
        
        PID:4040
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        45⤵
        
        PID:3432
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        44⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        45⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        46⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        45⤵
        
        PID:4284
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        46⤵
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        47⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        46⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        47⤵
        
        PID:3824
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        48⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        47⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        48⤵
        
        PID:1340
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        49⤵
        
        PID:3804
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        48⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        49⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        50⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        49⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        50⤵
        
        PID:4416
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        51⤵
        
        PID:3932
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        50⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        51⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        52⤵
        
        PID:2712
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        51⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        52⤵
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        53⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        52⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        53⤵
        
        PID:3112
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        54⤵
        
        PID:824
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        53⤵
        
        PID:2616
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        54⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        55⤵
        
        PID:1588
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        54⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        55⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        56⤵
        
        PID:2808
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        55⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        56⤵
        
        PID:3192
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        57⤵
        
        PID:1988
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        56⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        57⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        58⤵
        
        PID:2820
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        57⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        58⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        59⤵
        
        PID:3540
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        58⤵
        
        PID:1432
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        59⤵
        
        PID:1952
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        60⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        59⤵
        
        PID:3132
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        60⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        61⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        60⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        61⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Local\Screenshare.dll.exe
        
        "C:\Users\Admin\AppData\Local\Screenshare.dll.exe"
        62⤵
        
        PID:1820
        
        C:\Users\Admin\AppData\Local\Temp\Comet.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Comet.exe"
        61⤵
        
        PID:2956

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:4296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Comet.exe.log

Filesize
654B

MD5
2cbbb74b7da1f720b48ed31085cbd5b8

SHA1
79caa9a3ea8abe1b9c4326c3633da64a5f724964

SHA256
e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3

SHA512
ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9

Download Submit
C:\Users\Admin\AppData\Local\Screenshare.dll.exe

Filesize
11.0MB

MD5
98debcb4fbd69724f9103a45e1453b05

SHA1
1f41f334341b43ed01178dabea0d08e2684c211f

SHA256
119e67c1ee9c531f32b61eb14ae6606d8633e66918b28851a774deaaf6d637f1

SHA512
e9b08be32ce12dc8df7fc5ec51a0251289e14ad6568c86070a51b523dc9d7cb57e1494b6757328122afd6457c685a3e26c9dd124e078f716a80f1d80c490fd62

Download Submit
C:\Users\Admin\AppData\Local\Temp\HistoryData.db

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\HistoryData.db

Filesize
116KB

MD5
4e2922249bf476fb3067795f2fa5e794

SHA1
d2db6b2759d9e650ae031eb62247d457ccaa57d2

SHA256
c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1

SHA512
8e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
114KB

MD5
9c2aff15e8621453f4e0816211285ea4

SHA1
528523d2aaa3d8e34a7403135f392b6f46b27e8d

SHA256
8ca103b28c1ecfd5080f6412883cc69b6e86edf3b5dd7ef75924746bb75424da

SHA512
770117d15d333a499bce01f6b7d9097ce1c779edac0a341701fa00bf266bee17f80e336e1538a74d9dd28c13628d3d39bdd08deb42cf08662b881b7a0526142d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24202\cryptography-43.0.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24882\aiohttp\_helpers.cp312-win_amd64.pyd

Filesize
25KB

MD5
e20545d76cddf7208ec91416329214cb

SHA1
f111735d2186bbf43f7b28d5f58cc2d5d032f32e

SHA256
7f87aa499e664c6b375cef5eacb45895ca2695ce347808e3cba4cc14339a71a4

SHA512
83b105dd73097e768c254d88ef955faf1eea102f99f7b8d8633de010b383fa3ac15889091b6fe0545dbf91d1a75c068d4c70f33f6eec06f5f8424b4617f8e7b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24882\aiohttp\_http_parser.cp312-win_amd64.pyd

Filesize
80KB

MD5
4aeec26301254e34b8044e5beef18d62

SHA1
5e370573cf56789644d3cd3dbfb328a210837266

SHA256
23941c10b0e85ebe7f7f5e423c2d3228c8aa1d3c1472308115a01f4e16f54002

SHA512
89ce6d29d37049404a5dcb96a31fdb31b67dba7b9585adaa8ae928b440353196a8cb4e7f11702fb2c9c66da439be6c61b8792d1d453546cbf810905fbb98012e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24882\aiohttp\_http_writer.cp312-win_amd64.pyd

Filesize
25KB

MD5
fdd645b907fa2c0ccaa3a03ab6ac6980

SHA1
90c1e3d688e3d2d306b79f41fb5f61972e295815

SHA256
401d1fbf42f3938cc81a0d8faa2d950e8da53d14efae7b0d9da4dcaff03865d3

SHA512
c6bc2e918b4072e28ad91f44e4b5ef88c34332529269acc5700468843a5360a4ec35bd708421894d7c262e2adece615beb8b9906b330245fc0685f42c9e85b7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24882\aiohttp\_websocket.cp312-win_amd64.pyd

Filesize
20KB

MD5
e27b2be1a6d3144f6719b7719d562592

SHA1
1a8c8440a328605e38ec3c88d6c6d1aedb6a6265

SHA256
a175c27219471298ea797574158822cc3fcd3b5563ada4e313fa959688c05b96

SHA512
724e7cd4b0c785e36f81f95e328e7ba0bd63d4277bd87123471874cf90e3539d242ed47541d330885a609589a1476b1e8eb8dd00d9bc45d828b7401fc1ce2679

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24882\attrs-24.2.0.dist-info\METADATA

Filesize
11KB

MD5
49cabcb5f8da14c72c8c3d00adb3c115

SHA1
f575becf993ecdf9c6e43190c1cb74d3556cf912

SHA256
dc9824e25afd635480a8073038b3cdfe6a56d3073a54e1a6fb21edd4bb0f207c

SHA512
923daeee0861611d230df263577b3c382ae26400ca5f1830ee309bd6737eed2ad934010d61cdd4796618bedb3436cd772d9429a5bed0a106ef7de60e114e505c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24882\attrs-24.2.0.dist-info\RECORD

Filesize
3KB

MD5
4b6973d2285295cf5e3a45e64eb7a455

SHA1
1089f2f3c35303d6d5dd19f0c0f707b9609ee3f2

SHA256
2b368dfc37283970c33cc8d4eec129f668eb99ebf9d3aa27f49a1b149658f2b0

SHA512
a5150ecb625a3cfdc3f22c60eb7b16fdbed01cd47505bd520491b477ae24e8c59ffae2334948122e656f6f0a5f2af0635b6d976241745583a3d7af9e3781718d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24882\attrs-24.2.0.dist-info\WHEEL

Filesize
87B

MD5
52adfa0c417902ee8f0c3d1ca2372ac3

SHA1
b67635615eef7e869d74f4813b5dc576104825dd

SHA256
d7215d7625cc9af60aed0613aad44db57eba589d0ccfc3d8122114a0e514c516

SHA512
bfa87e7b0e76e544c2108ef40b9fac8c5ff4327ab8ede9feb2891bd5d38fea117bd9eebaf62f6c357b4deaddad5a5220e0b4a54078c8c2de34cb1dd5e00f2d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24882\attrs-24.2.0.dist-info\licenses\LICENSE

Filesize
1KB

MD5
5e55731824cf9205cfabeab9a0600887

SHA1
243e9dd038d3d68c67d42c0c4ba80622c2a56246

SHA256
882115c95dfc2af1eeb6714f8ec6d5cbcabf667caff8729f42420da63f714e9f

SHA512
21b242bf6dcbafa16336d77a40e69685d7e64a43cc30e13e484c72a93cd4496a7276e18137dc601b6a8c3c193cb775db89853ecc6d6eb2956deee36826d5ebfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24882\cryptography-43.0.0.dist-info\METADATA

Filesize
5KB

MD5
1682e8458a9f3565fd0941626cbe4302

SHA1
e5937d80b6ba976905491c9dbd8e16d0226795b5

SHA256
24f9838874233de69f9de9aebd95359e499498508d962b605d90186288d7d8c0

SHA512
2dc669a07dd263c967d637ac2e76ed3788830d96b91e256e16125997c4e3a68d268dc220c056bbfbc3b5e7def7d063b776d9d1da303a840ff203dae668d7a366

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24882\cryptography-43.0.0.dist-info\RECORD

Filesize
15KB

MD5
5dab0466b10a7d1ac693bd7c63aa73cd

SHA1
f16ccd811d0362d1cf9815dc59988b72710ccf30

SHA256
86aebc99f91d4d4661465b9e0caab5b9e1c4068d3e12a1c7a0f0c50b6d53267a

SHA512
2592269f1bc2a6575ebebb2a34fbee955b181d971b034bc89b9a2ebf52f5324b5d71f01245f715210ba3c5f30af3d474ef5c9387ef3f585315522c53e2b4b1f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24882\cryptography-43.0.0.dist-info\WHEEL

Filesize
94B

MD5
c869d30012a100adeb75860f3810c8c9

SHA1
42fd5cfa75566e8a9525e087a2018e8666ed22cb

SHA256
f3fe049eb2ef6e1cc7db6e181fc5b2a6807b1c59febe96f0affcc796bdd75012

SHA512
b29feaf6587601bbe0edad3df9a87bfc82bb2c13e91103699babd7e039f05558c0ac1ef7d904bcfaf85d791b96bc26fa9e39988dd83a1ce8ecca85029c5109f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24882\cryptography-43.0.0.dist-info\license_files\LICENSE

Filesize
197B

MD5
8c3617db4fb6fae01f1d253ab91511e4

SHA1
e442040c26cd76d1b946822caf29011a51f75d6d

SHA256
3e0c7c091a948b82533ba98fd7cbb40432d6f1a9acbf85f5922d2f99a93ae6bb

SHA512
77a1919e380730bcce5b55d76fbffba2f95874254fad955bd2fe1de7fc0e4e25b5fdaab0feffd6f230fa5dc895f593cf8bfedf8fdc113efbd8e22fadab0b8998

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24882\cryptography-43.0.0.dist-info\license_files\LICENSE.APACHE

Filesize
11KB

MD5
4e168cce331e5c827d4c2b68a6200e1b

SHA1
de33ead2bee64352544ce0aa9e410c0c44fdf7d9

SHA256
aac73b3148f6d1d7111dbca32099f68d26c644c6813ae1e4f05f6579aa2663fe

SHA512
f451048e81a49fbfa11b49de16ff46c52a8e3042d1bcc3a50aaf7712b097bed9ae9aed9149c21476c2a1e12f1583d4810a6d36569e993fe1ad3879942e5b0d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24882\cryptography-43.0.0.dist-info\license_files\LICENSE.BSD

Filesize
1KB

MD5
5ae30ba4123bc4f2fa49aa0b0dce887b

SHA1
ea5b412c09f3b29ba1d81a61b878c5c16ffe69d8

SHA256
602c4c7482de6479dd2e9793cda275e5e63d773dacd1eca689232ab7008fb4fb

SHA512
ddbb20c80adbc8f4118c10d3e116a5cd6536f72077c5916d87258e155be561b89eb45c6341a1e856ec308b49a4cb4dba1408eabd6a781fbe18d6c71c32b72c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24882\frozenlist\_frozenlist.cp312-win_amd64.pyd

Filesize
35KB

MD5
4e68f4faaa82abdc50b0a23551f8ba79

SHA1
37c2d1e10c7ccc8e669b6986deda01e0f3a4c766

SHA256
d9524af75b21b5688299a5547e7c5d838b55a6189308f6622cb0ad0442263e19

SHA512
0a7c75472e3fa400bf005ae007b39da4061d941065f4a6152079608c0fddc528b4c73febe68d1574cd45bf18fa6f8cb6e4348c400674712090dc6af6b36384f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24882\importlib_metadata-8.5.0.dist-info\LICENSE

Filesize
11KB

MD5
3b83ef96387f14655fc854ddc3c6bd57

SHA1
2b8b815229aa8a61e483fb4ba0588b8b6c491890

SHA256
cfc7749b96f63bd31c3c42b5c471bf756814053e847c10f3eb003417bc523d30

SHA512
98f6b79b778f7b0a15415bd750c3a8a097d650511cb4ec8115188e115c47053fe700f578895c097051c9bc3dfb6197c2b13a15de203273e1a3218884f86e90e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24882\importlib_metadata-8.5.0.dist-info\METADATA

Filesize
4KB

MD5
1561127b96da63642d7a9bcdfd5f3600

SHA1
01c697ff4ceb61732f58217a1abfb315e0ff8708

SHA256
1d78a40e966eb78ad8d83e19ba10315e72d40dbf9ffd73ff0b2a7d898985e06d

SHA512
b0d7d648a8ef5d0789440b793e47539df21b322ad6c879cac5e8cc8c36c4d4ab1016971519f462923f8b1747641d441f8aa841113df96f131c9e0dc28e125ece

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24882\importlib_metadata-8.5.0.dist-info\RECORD

Filesize
2KB

MD5
0b7a1d6b9571d55933014f6aa02a7673

SHA1
654e865839caa010bcba80c9a3f27761355f2e84

SHA256
62aa0e81a4725aace5c3683f9dad987c141e23582e32083ab5719ae5723f2b4c

SHA512
a860679c0ebf1d101e53b317510ed34b1fdd5b1bd23a71e4fa863be8800c1fadc6bdaddca71cd12302b9cadf1b7790fbc2c136506ea6b9f40817ded2f35a492f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24882\importlib_metadata-8.5.0.dist-info\WHEEL

Filesize
91B

MD5
1659d01495817c8cfa161658cff5fb4c

SHA1
0e9a0f7c2de9bb7eaab715e32a8b908c6aba16cd

SHA256
715c5c07d026b93717aa6c2bb4f84d2bcf1dafb211fdbeaa6a04e3d14bc811b6

SHA512
68f2d504dcd752370cf59de1d00136b84c2c150a8beaa615baccd5316eef9c51a27226973bd0b6b4045f7d6163bbfc7eb16d16c05d79d9a910a997c494991382

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI24882\importlib_metadata-8.5.0.dist-info\top_level.txt

Filesize
19B

MD5
a24465f7850ba59507bf86d89165525c

SHA1
4e61f9264de74783b5924249bcfe1b06f178b9ad

SHA256
08eddf0fdcb29403625e4acca38a872d5fe6a972f6b02e4914a82dd725804fe0

SHA512
ecf1f6b777970f5257bddd353305447083008cebd8e5a27c3d1da9c7bdc3f9bf3abd6881265906d6d5e11992653185c04a522f4db5655ff75eedb766f93d5d48

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48162\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48162\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48162\_asyncio.pyd

Filesize
38KB

MD5
f582681942b621e34cc2bba6fafb457d

SHA1
8fe79df56fb758670f616f053343238f57cbe9e3

SHA256
3a9412cc3cb5f8e9e1a73379f1315718d88ffb58f4480b0d211988cd38d2c59a

SHA512
7e63b03b7cf6937fe16b6e3c064c56071e3ff3f4d08743359bea6693f7ed5a77c1fe6a585b214347d805d80e0a656182b11f136733fa583b8fc21536c41b3130

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48162\_bz2.pyd

Filesize
48KB

MD5
5e0df9547919afd387af750b8aa2fbdc

SHA1
99fe9ae415874cc2d52c34b9036fdd3b80d09d80

SHA256
eb80b094686392023226efac42cac0ba2e2eeaf6243c0f196ce30c222b171484

SHA512
362933959e9d589de38e477be388f6ab2bbca5061c7ecd90424797d912a526d6ecaeebdc0a373ecbb8f14870b98c3b84cc94b563fa7b1a778b60375f3f2b8d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48162\_cffi_backend.cp312-win_amd64.pyd

Filesize
71KB

MD5
1929f892db7964ba600f61dc0c895082

SHA1
52f36e75a59d932dfb359bcd312464734c09c87e

SHA256
ca280476c5f86b8a7c3104988554212c873d8ceb07abf208c92f2393ea2814c0

SHA512
a7057863afefe7453e1bff61370d4a9158ea4b23d1e84fe5f3420f96af88c4398a4815c4352335a0b10f7420af2f9d3723ebc248195b01798c792441e9384a70

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48162\_ctypes.pyd

Filesize
59KB

MD5
2829ec84adc492dec1f9f907ec042889

SHA1
bc0850d10cb9430c5161ac143f776fc5bc1dad7b

SHA256
876f74f0e8115d0111007c501ede4103098fe7fb09573c3994edb26df39e4f49

SHA512
8ef40cbe3609ae8b698ab7f6a0e0142f37cee95957db395ce22070aa6ab67246ce0d9213fc7b76a31d43dfda0d050c16cddfbc0aeb714923bc624a59f5e5e2df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48162\_decimal.pyd

Filesize
107KB

MD5
c7a976775f2c181da9b97fd428c08c0a

SHA1
0d33757c3a816bb0364b1c445713cad090994e08

SHA256
8bef05f4ca14af73a12035a4b107b0ddaec8ffb15b5e5d406a447b8905cd92b9

SHA512
35a3ffeaa7b36ab036d2c5679238f16505782fcd4185db5ead50679278fcaad25050fe4105fa72730c9f054dbc2639786fbdc589ffe78b8142204b92d0d05ff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48162\_hashlib.pyd

Filesize
35KB

MD5
9c4d608c2537a872e4a81dff9d07cd46

SHA1
0bb45f0d3ef113fe4c0c58a20fe2a0c1644c271c

SHA256
0b6a8cbedf32c4a2c8f1484dd8734c6858649374089e1aa0ed39f56b3070db19

SHA512
a233c95ae5f303c18fc89518606fa2543455014273efaf697b23ff29ffbcf77359f5a4fe3638a4c5cdb2f906b7a8021191a8ec51c29c985523162448417e2d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48162\_lzma.pyd

Filesize
86KB

MD5
457436cbb61772f6154796856e062c57

SHA1
c687fe9fa50b97bcc637abcb47eeffe127e9f838

SHA256
176d875956d5e5728e9a7cd0419d5c61189f0e760d8026f4bd7acdbc8e051cbe

SHA512
b7a95c3041d08e87c1761500f446abe3e65b474b5016116bf4a734052a47b7fa3e7109f72a0518c15b2f74e3decd5a785387985459e450c421fddb14160faa30

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48162\_multiprocessing.pyd

Filesize
27KB

MD5
8b1ab591d39e5da2f1f7ec83bfab4636

SHA1
3fdbae75d330942aede2bc2df6967855b46da6e6

SHA256
e2ad899346d0aa0105cd7bac9eac96d43a2af7f230d20f461bd1a4ccdce90879

SHA512
d452ab478a999a7f4fde0dc096e7ed7fd871e4ab5fb62ed3dd3593201c7ee2fd7b790dd9c011ec2a2a94d3da15fe0057f511abf356022b281221172a7d589720

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48162\_overlapped.pyd

Filesize
33KB

MD5
748df61a25f997abda992e2593e3ac6d

SHA1
92e1570067b4f5647ae9b5dfe1f65a93513df794

SHA256
4454c07082b9558b0b3a76b55c258d764896cf56a6c4edcbfad018b81a660919

SHA512
c6c9e20339f567744bcd189c14f2cbcd89188c9d4d11c35826a58f90c62faf7723ceb2ccff64dc5e9b10ea1ced1d58747030becd7a9f5fb9e3df1f9d77367ddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48162\_queue.pyd

Filesize
26KB

MD5
9348bb06460a0aa43904b92a8b84b77f

SHA1
894bfedde79faf2819ba9865ffe317d2d0258a50

SHA256
80baa5a80f074e695f3f3421e142fb453baa7f0082f7fff135dc7b2f15227c5f

SHA512
f65a4021f6511be764ef0e28425aaf0af8090ca36cbc52ecdb0b0e5a0a70d08336a576d5cb13119c4a6bbb53ae3b7f613095a8506996be7e6b85c5eb155ec218

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48162\_socket.pyd

Filesize
44KB

MD5
841d99d9412c35a0bc4c94832eb1ff30

SHA1
fc7bf1ab3a0cc35d815220751d50fbf5ea500503

SHA256
797a3b460c9d8a04bae1ef2819359d834b79371f869ad27ee0d2112fa7b86b2a

SHA512
9c011b2d453d5641d1042d3d3838adecf35420bf997cd6aeb4261e6d1676313ce6d085919ac33315d96373ee793a3a4cbe8569be7e79d1fdc3aaeb6d1ba4ac97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48162\_sqlite3.pyd

Filesize
57KB

MD5
7cb7d17df70d7d9fbd3c345a20e0fff6

SHA1
2bf10c6cbc52808276e22fa50d84ba1e14bdf16c

SHA256
1ea9a5334b3fb38f758f5759ebfee2e9040e6bed3a15bd92f20bc08055854b83

SHA512
0653286d06233cad9ed75de861da2c56e45d41eb1475b4aa8d1e18adc64befe6511e3d320cdc9426fac093708dedf39637f239d6047bc2d2abac132d4fcc37a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48162\_ssl.pyd

Filesize
66KB

MD5
24b00d3cd5da86e80ed545c184e6fb68

SHA1
e03f3c5e8446b3e614dd320e2af190dd30121320

SHA256
12207375462f48549caba42c26eacdf95b3df4c99a8fd398da981e1b550ec806

SHA512
810d69cedbf58aca644443de62dd395217ecbc6edbe62e48259a4d4f21cf67162e38eb7c294b5e6bee7ee6a4057af542821170360ddb3f5269307673a4f3b162

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48162\_uuid.pyd

Filesize
25KB

MD5
d8c6d60ea44694015ba6123ff75bd38d

SHA1
813deb632f3f3747fe39c5b8ef67bada91184f62

SHA256
8ae23bfa84ce64c3240c61bedb06172bfd76be2ad30788d4499cb24047fce09f

SHA512
d3d408c79e291ed56ca3135b5043e555e53b70dff45964c8c8d7ffa92b27c6cdea1e717087b79159181f1258f9613fe6d05e3867d9c944f43a980b5bf27a75ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48162\_wmi.pyd

Filesize
28KB

MD5
19b674c8287552547d4783d35cd36ea7

SHA1
d3fdf7b47aad394d613d802c22c8e6b35065f804

SHA256
a78f53ef5e9db72ab22da9b5ae6871eb8af910823112b4af68bfda152f2c19dd

SHA512
69b6494d99a4285a009956b67b050ac8d9edbcad782b55292a1ce27e662c8a0b4a18cab4ab1e2f1eefc2544bf931b9802b543c5779539e6b8e526eab50705b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48162\base_library.zip

Filesize
1.3MB

MD5
2db365a52938affbd48d0d4baea7d0f2

SHA1
f530a799eea65921004e7e0c13eee2dceec3a828

SHA256
9d3079fc901314f3d4d9760a46187444c9f0d78cb01a7e6ce6881cf8137d1839

SHA512
b975bb5167a1b0bcfa3434dd9e388a52094220ef9d260d5b2399b8a847cd37f99b473cd91b683b912497b270b7e17c5f6821e6c7bb06cbb64d5489a8ed7dcf6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48162\cryptography\hazmat\bindings\_rust.pyd

Filesize
2.1MB

MD5
073606ea92928af7b2863782c0114949

SHA1
ec7b4dbf415af6a071a6ca3a0d4f4a0cf544515c

SHA256
9be10e3f170875a5b3e403f29d7241bf64957c01bfcae3504f5576578183610a

SHA512
5cd48348b475c9de7c2c8d85f36a1f8cf63ee5ee2bde60e2e5a1026f0e877b4c686ad07ab37c8ae37b46b719233b28aa699ce5a2fedd0247c7607da6e519a11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48162\libcrypto-3.dll

Filesize
1.6MB

MD5
f5c66bbd34fc2839f2c8afa5a70c4e2c

SHA1
a085085dbf5396ca45801d63d9681b20f091414c

SHA256
7ff3ccb7903f8bc1b872c948cfff4520c51539ae184f93b7bd9c04bf60f4a7f4

SHA512
fc108dfa1ef75b4a4c45c3fae1ccb9257e8950a17f6374fef5080df69ffd52928e5bcac0490772d4d57091e0d81ea58cd1d6d34ec6993e30c1b4c5704be7044b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48162\libffi-8.dll

Filesize
29KB

MD5
0d1c6b92d091cef3142e32ac4e0cc12e

SHA1
440dad5af38035cb0984a973e1f266deff2bd7fc

SHA256
11ee9c7fb70c3756c0392843245935517171b95cc5ba0d696b2c1742c8d46fb6

SHA512
5d514ecab93941e83c008f0e9749f99e330949580884bf4850b11cac08fe1ac4ac50033e8888045fe4a9d8b4d2e3ea667b39be18f77266d00f8d7d6797260233

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48162\libssl-3.dll

Filesize
221KB

MD5
fc9d8dea869ea56ff6612a2c577394bf

SHA1
f30bc2bceb36e5e08c348936c791abaa93fd5b25

SHA256
8ec0a7ac78f483bf55585d53f77d23934a4d15665e06fbd73c4addf1c9e6c959

SHA512
929f5e08142e56f2d8067dac5d7457c72221da73e4cf6259da1982c5308b93dbec77d87cef89294a68441da77fa1923d6c9f812f714f6061ff9952f4f17783df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48162\multidict\_multidict.cp312-win_amd64.pyd

Filesize
20KB

MD5
877e8f7f3c980020b1da6bdbc6f1741c

SHA1
184d162f6eea7cce343fe0c62fda49ca796ceb20

SHA256
65b96acd7b6517c4493491f31083e75d905b48466f021fab098655f0d953497c

SHA512
881332a6cbc7ab030f52bc46a8cf68c0ad922c54c68b3b8e35909f758aed9443cc90b49681f88c6c1f61741eb6507849857405a87dbbd78bb1a453ade3fe1ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48162\propcache\_helpers_c.cp312-win_amd64.pyd

Filesize
31KB

MD5
1c63399815347ecbac387ea4f1b64801

SHA1
7e52d28bc12961f1b5c9f89f6e7445728019428d

SHA256
dab90382907e7f83ccdceb8711cea356ad97a3ed8c30087a140055313924d977

SHA512
3af2e3d530aef4a0891f39a79a1f7b4ccd572119c87d6d63690c67828e93ebf7cc5669225e2034554e4d24655ef581d277219ad8058b358789c20e2bac832e7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48162\pyexpat.pyd

Filesize
88KB

MD5
7b5be6b85bcc8d51eb07aa7b425b9643

SHA1
57dcaf9498b3c467b451fc58d5a263640307bb92

SHA256
ebbd49414d7b4fbdd2d30a933454172d539c0e18cb0952d197bd6043c9dc2983

SHA512
724b1bf880e7378544cf60853b993c0b1d045b4ecd4a0c7dd5b0b5e3c1ac9630df6c571e30076514c8ea4a1bea6ad287c2d942fe3281df7127742ccce51480a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48162\python3.dll

Filesize
66KB

MD5
5eace36402143b0205635818363d8e57

SHA1
ae7b03251a0bac083dec3b1802b5ca9c10132b4c

SHA256
25a39e721c26e53bec292395d093211bba70465280acfa2059fa52957ec975b2

SHA512
7cb3619ea46fbaaf45abfa3d6f29e7a5522777980e0a9d2da021d6c68bcc380abe38e8004e1f31d817371fb3cdd5425d4bb115cb2dc0d40d59d111a2d98b21d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48162\python312.dll

Filesize
1.7MB

MD5
b18e85ccf4de7a1fc0a36a56913f5ea6

SHA1
480625bc351b656a0b627f191bedcbb0d79ad033

SHA256
599c632a5e56004f2d05133ac66ad20292f1866d19669aa48876e86695843bbb

SHA512
7c80f6af6e4527454205c4617140c9cdfc81e99eada4430275f1626eedf577482851796c84c120360393fe7f1915e16d942fcac879ea74170b4276399dc78b70

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48162\select.pyd

Filesize
25KB

MD5
e4ec04e77e06fc4e22b42f69251cab13

SHA1
b7f510266d31ec08a371928a8db784eab86619bf

SHA256
55a6b9337d352ef6ea085395905f71b2f824940a5e8b4a0ddbbc0809018ec0e4

SHA512
bb1a2155a2130f826eb28b3e321176d0aad82fd45229807bf48f2e21fa75177431250feaef37f6826c035957323b97819ae7c3841898e8d3aaacc137df2abf13

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48162\sqlite3.dll

Filesize
644KB

MD5
caef97fa200a833c1373169315d3436b

SHA1
56c513ae02d796e138a3a8204f52faec36ec1991

SHA256
6fc85d9fc3771d23c2de8027d5923c0540cc728f0d79f362b25b31c970c78b31

SHA512
730e596ac26324aee8af9cbd8f969ec715e2ceb57b06c0fdc6b67ea90b8f19c1086a997c1b68bf3b3bc5f31be35f476a5e11d5aceb15c522ee3ae7de9bd458c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48162\unicodedata.pyd

Filesize
296KB

MD5
4553e6ddf128dbec9a584f324a22cee9

SHA1
3636ab981a705269e7ff3b7d1738e57d0810e785

SHA256
107f7e4be37c98d1001dcd49cf21d23303c056bdfaad6a9f9611858eb1a4a9f5

SHA512
faad9d86951cdd7d242f3ecf2fa79d504c269f7f517ffdef7a29fd8461e5f195f5aa37a79fb8d2cd82853f638103f91c05e8c58cdb187872efd8ccf697511da6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48162\yarl\_quoting_c.cp312-win_amd64.pyd

Filesize
41KB

MD5
8342cd776b72786ffe3c81feb27a7558

SHA1
c894d5dc52e01730a6f00be70d122c50b728e9f3

SHA256
f6228f6458672852f8ee5906900c5c5497e0733030aa2e71f0604b829fed5aa8

SHA512
f053819daa1e42986008195394dbf6e3f32de2fe2185fbc9ae886024330ef52ab43404a8a8be31895a5e2e010c3d90aa8733d9f7ec7159ea6a617874d081b555

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5gg2hcb1.qji.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/716-195-0x00007FFDB6EB0000-0x00007FFDB7972000-memory.dmp

Filesize
10.8MB

Download
memory/716-73-0x00007FFDB6EB0000-0x00007FFDB7972000-memory.dmp

Filesize
10.8MB

Download
memory/716-128-0x00007FFDB6EB0000-0x00007FFDB7972000-memory.dmp

Filesize
10.8MB

Download
memory/1628-482-0x00007FFDB2100000-0x00007FFDB28A1000-memory.dmp

Filesize
7.6MB

Download
memory/1628-481-0x00007FFDC84D0000-0x00007FFDC864F000-memory.dmp

Filesize
1.5MB

Download
memory/1628-479-0x00007FFDC8F70000-0x00007FFDC8F9D000-memory.dmp

Filesize
180KB

Download
memory/1628-483-0x00007FFDC8490000-0x00007FFDC84C8000-memory.dmp

Filesize
224KB

Download
memory/1628-484-0x00007FFDC8420000-0x00007FFDC8453000-memory.dmp

Filesize
204KB

Download
memory/1628-486-0x00007FFDB19F0000-0x00007FFDB1F23000-memory.dmp

Filesize
5.2MB

Download
memory/1628-493-0x00007FFDC4650000-0x00007FFDC4672000-memory.dmp

Filesize
136KB

Download
memory/1628-491-0x00007FFDBD4C0000-0x00007FFDBD5DA000-memory.dmp

Filesize
1.1MB

Download
memory/1628-489-0x00007FFDC83C0000-0x00007FFDC83D4000-memory.dmp

Filesize
80KB

Download
memory/1628-487-0x00007FFDC8400000-0x00007FFDC8416000-memory.dmp

Filesize
88KB

Download
memory/2756-238-0x00007FFDC8AD0000-0x00007FFDC8AE9000-memory.dmp

Filesize
100KB

Download
memory/2756-265-0x00007FFDC8A80000-0x00007FFDC8ACD000-memory.dmp

Filesize
308KB

Download
memory/2756-79-0x00007FFDB3AE0000-0x00007FFDB41A5000-memory.dmp

Filesize
6.8MB

Download
memory/2756-87-0x00007FFDCBF30000-0x00007FFDCBF55000-memory.dmp

Filesize
148KB

Download
memory/2756-227-0x00007FFDC4750000-0x00007FFDC4C83000-memory.dmp

Filesize
5.2MB

Download
memory/2756-110-0x00007FFDD28B0000-0x00007FFDD28BF000-memory.dmp

Filesize
60KB

Download
memory/2756-113-0x00007FFDCE620000-0x00007FFDCE639000-memory.dmp

Filesize
100KB

Download
memory/2756-114-0x00007FFDCC6E0000-0x00007FFDCC6ED000-memory.dmp

Filesize
52KB

Download
memory/2756-249-0x00007FFDC8A40000-0x00007FFDC8A5E000-memory.dmp

Filesize
120KB

Download
memory/2756-116-0x00007FFDCC6D0000-0x00007FFDCC6DF000-memory.dmp

Filesize
60KB

Download
memory/2756-119-0x00007FFDC91C0000-0x00007FFDC91DA000-memory.dmp

Filesize
104KB

Download
memory/2756-244-0x00007FFDC8A60000-0x00007FFDC8A71000-memory.dmp

Filesize
68KB

Download
memory/2756-125-0x00007FFDC8DF0000-0x00007FFDC8E14000-memory.dmp

Filesize
144KB

Download
memory/2756-240-0x00007FFDC86A0000-0x00007FFDC87BA000-memory.dmp

Filesize
1.1MB

Download
memory/2756-124-0x00007FFDC88B0000-0x00007FFDC8A2F000-memory.dmp

Filesize
1.5MB

Download
memory/2756-123-0x00007FFDC8EC0000-0x00007FFDC8EED000-memory.dmp

Filesize
180KB

Download
memory/2756-260-0x00007FFDC8AF0000-0x00007FFDC8B05000-memory.dmp

Filesize
84KB

Download
memory/2756-129-0x00007FFDB3330000-0x00007FFDB3AD1000-memory.dmp

Filesize
7.6MB

Download
memory/2756-130-0x00007FFDB3AE0000-0x00007FFDB41A5000-memory.dmp

Filesize
6.8MB

Download
memory/2756-132-0x00007FFDCBF30000-0x00007FFDCBF55000-memory.dmp

Filesize
148KB

Download
memory/2756-133-0x00007FFDC8DB0000-0x00007FFDC8DE8000-memory.dmp

Filesize
224KB

Download
memory/2756-135-0x00007FFDC8D70000-0x00007FFDC8DA3000-memory.dmp

Filesize
204KB

Download
memory/2756-137-0x00007FFDC87E0000-0x00007FFDC88AE000-memory.dmp

Filesize
824KB

Download
memory/2756-142-0x00007FFDCC6D0000-0x00007FFDCC6DF000-memory.dmp

Filesize
60KB

Download
memory/2756-141-0x0000022FB8CC0000-0x0000022FB91F3000-memory.dmp

Filesize
5.2MB

Download
memory/2756-239-0x00007FFDC8A80000-0x00007FFDC8ACD000-memory.dmp

Filesize
308KB

Download
memory/2756-140-0x00007FFDC4750000-0x00007FFDC4C83000-memory.dmp

Filesize
5.2MB

Download
memory/2756-162-0x00007FFDC8680000-0x00007FFDC869B000-memory.dmp

Filesize
108KB

Download
memory/2756-161-0x00007FFDC8650000-0x00007FFDC8672000-memory.dmp

Filesize
136KB

Download
memory/2756-160-0x00007FFDB3330000-0x00007FFDB3AD1000-memory.dmp

Filesize
7.6MB

Download
memory/2756-222-0x00007FFDC8DB0000-0x00007FFDC8DE8000-memory.dmp

Filesize
224KB

Download
memory/2756-225-0x00007FFDC8D70000-0x00007FFDC8DA3000-memory.dmp

Filesize
204KB

Download
memory/2756-226-0x00007FFDC87E0000-0x00007FFDC88AE000-memory.dmp

Filesize
824KB

Download
memory/2756-234-0x0000022FB8CC0000-0x0000022FB91F3000-memory.dmp

Filesize
5.2MB

Download
memory/2756-148-0x00007FFDC8D50000-0x00007FFDC8D66000-memory.dmp

Filesize
88KB

Download
memory/2756-149-0x00007FFDC8D30000-0x00007FFDC8D42000-memory.dmp

Filesize
72KB

Download
memory/2756-150-0x00007FFDC87C0000-0x00007FFDC87D4000-memory.dmp

Filesize
80KB

Download
memory/2756-151-0x00007FFDC88B0000-0x00007FFDC8A2F000-memory.dmp

Filesize
1.5MB

Download
memory/2756-152-0x00007FFDC8D10000-0x00007FFDC8D24000-memory.dmp

Filesize
80KB

Download
memory/2756-154-0x00007FFDC8DF0000-0x00007FFDC8E14000-memory.dmp

Filesize
144KB

Download
memory/2756-155-0x00007FFDC86A0000-0x00007FFDC87BA000-memory.dmp

Filesize
1.1MB

Download
memory/2756-237-0x00007FFDC8AF0000-0x00007FFDC8B05000-memory.dmp

Filesize
84KB

Download
memory/3156-269-0x00007FFDB19F0000-0x00007FFDB1F23000-memory.dmp

Filesize
5.2MB

Download
memory/3156-308-0x00007FFDC8490000-0x00007FFDC84C8000-memory.dmp

Filesize
224KB

Download
memory/3156-293-0x00007FFDC8290000-0x00007FFDC82A5000-memory.dmp

Filesize
84KB

Download
memory/3156-290-0x00007FFDBD4C0000-0x00007FFDBD5DA000-memory.dmp

Filesize
1.1MB

Download
memory/3156-281-0x00007FFDB2100000-0x00007FFDB28A1000-memory.dmp

Filesize
7.6MB

Download
memory/3156-280-0x00007FFDC84D0000-0x00007FFDC864F000-memory.dmp

Filesize
1.5MB

Download
memory/3156-272-0x00007FFDC8FF0000-0x00007FFDC9015000-memory.dmp

Filesize
148KB

Download
memory/3156-298-0x00007FFDC8FA0000-0x00007FFDC8FBA000-memory.dmp

Filesize
104KB

Download
memory/3156-292-0x00007FFDC7C50000-0x00007FFDC7C72000-memory.dmp

Filesize
136KB

Download
memory/3156-291-0x00007FFDC8380000-0x00007FFDC839B000-memory.dmp

Filesize
108KB

Download
memory/3156-271-0x00007FFDB51E0000-0x00007FFDB58A5000-memory.dmp

Filesize
6.8MB

Download
memory/3156-268-0x00007FFDC8420000-0x00007FFDC8453000-memory.dmp

Filesize
204KB

Download
memory/3156-267-0x00007FFDBE770000-0x00007FFDBE7BD000-memory.dmp

Filesize
308KB

Download
memory/3156-266-0x00007FFDC4660000-0x00007FFDC4679000-memory.dmp

Filesize
100KB

Download
memory/3156-295-0x00007FFDBE770000-0x00007FFDBE7BD000-memory.dmp

Filesize
308KB

Download
memory/3156-264-0x00007FFDC8290000-0x00007FFDC82A5000-memory.dmp

Filesize
84KB

Download
memory/3156-229-0x00007FFDC91B0000-0x00007FFDC91BD000-memory.dmp

Filesize
52KB

Download
memory/3156-299-0x00007FFDC83E0000-0x00007FFDC83F2000-memory.dmp

Filesize
72KB

Download
memory/3156-300-0x00007FFDCC310000-0x00007FFDCC31F000-memory.dmp

Filesize
60KB

Download
memory/3156-301-0x00007FFDC8FD0000-0x00007FFDC8FE9000-memory.dmp

Filesize
100KB

Download
memory/3156-302-0x00007FFDC91B0000-0x00007FFDC91BD000-memory.dmp

Filesize
52KB

Download
memory/3156-303-0x00007FFDC9120000-0x00007FFDC912F000-memory.dmp

Filesize
60KB

Download
memory/3156-304-0x00007FFDC8F70000-0x00007FFDC8F9D000-memory.dmp

Filesize
180KB

Download
memory/3156-305-0x00007FFDC8F40000-0x00007FFDC8F64000-memory.dmp

Filesize
144KB

Download
memory/3156-306-0x00007FFDC83A0000-0x00007FFDC83B4000-memory.dmp

Filesize
80KB

Download
memory/3156-236-0x00007FFDB2100000-0x00007FFDB28A1000-memory.dmp

Filesize
7.6MB

Download
memory/3156-232-0x00007FFDC8F40000-0x00007FFDC8F64000-memory.dmp

Filesize
144KB

Download
memory/3156-233-0x00007FFDC84D0000-0x00007FFDC864F000-memory.dmp

Filesize
1.5MB

Download
memory/3156-307-0x00007FFDC83C0000-0x00007FFDC83D4000-memory.dmp

Filesize
80KB

Download
memory/3156-235-0x00007FFDC8FA0000-0x00007FFDC8FBA000-memory.dmp

Filesize
104KB

Download
memory/3156-223-0x00007FFDC8FF0000-0x00007FFDC9015000-memory.dmp

Filesize
148KB

Download
memory/3156-294-0x00007FFDC4660000-0x00007FFDC4679000-memory.dmp

Filesize
100KB

Download
memory/3156-224-0x00007FFDCC310000-0x00007FFDCC31F000-memory.dmp

Filesize
60KB

Download
memory/3156-310-0x00007FFDC4680000-0x00007FFDC474E000-memory.dmp

Filesize
824KB

Download
memory/3156-311-0x00007FFDBE750000-0x00007FFDBE761000-memory.dmp

Filesize
68KB

Download
memory/3156-221-0x00007FFDB51E0000-0x00007FFDB58A5000-memory.dmp

Filesize
6.8MB

Download
memory/3156-312-0x00007FFDBC760000-0x00007FFDBC77E000-memory.dmp

Filesize
120KB

Download
memory/3156-313-0x00007FFDB19F0000-0x00007FFDB1F23000-memory.dmp

Filesize
5.2MB

Download
memory/3156-309-0x00007FFDC8420000-0x00007FFDC8453000-memory.dmp

Filesize
204KB

Download
memory/3156-230-0x00007FFDC9120000-0x00007FFDC912F000-memory.dmp

Filesize
60KB

Download
memory/3156-250-0x00007FFDC8400000-0x00007FFDC8416000-memory.dmp

Filesize
88KB

Download
memory/3156-251-0x00007FFDC83E0000-0x00007FFDC83F2000-memory.dmp

Filesize
72KB

Download
memory/3156-253-0x00007FFDC84D0000-0x00007FFDC864F000-memory.dmp

Filesize
1.5MB

Download
memory/3156-255-0x00007FFDB2100000-0x00007FFDB28A1000-memory.dmp

Filesize
7.6MB

Download
memory/3156-256-0x00007FFDC83A0000-0x00007FFDC83B4000-memory.dmp

Filesize
80KB

Download
memory/3156-257-0x00007FFDBD4C0000-0x00007FFDBD5DA000-memory.dmp

Filesize
1.1MB

Download
memory/3156-258-0x00007FFDC8380000-0x00007FFDC839B000-memory.dmp

Filesize
108KB

Download
memory/3156-259-0x00007FFDC7C50000-0x00007FFDC7C72000-memory.dmp

Filesize
136KB

Download
memory/3156-254-0x00007FFDC83C0000-0x00007FFDC83D4000-memory.dmp

Filesize
80KB

Download
memory/3156-252-0x00007FFDC8F40000-0x00007FFDC8F64000-memory.dmp

Filesize
144KB

Download
memory/3156-243-0x00007FFDB51E0000-0x00007FFDB58A5000-memory.dmp

Filesize
6.8MB

Download
memory/3156-245-0x00007FFDC8490000-0x00007FFDC84C8000-memory.dmp

Filesize
224KB

Download
memory/3156-247-0x00007FFDB19F0000-0x00007FFDB1F23000-memory.dmp

Filesize
5.2MB

Download
memory/3156-248-0x00007FFDC4680000-0x00007FFDC474E000-memory.dmp

Filesize
824KB

Download
memory/3156-246-0x00007FFDC8420000-0x00007FFDC8453000-memory.dmp

Filesize
204KB

Download
memory/3156-231-0x00007FFDC8F70000-0x00007FFDC8F9D000-memory.dmp

Filesize
180KB

Download
memory/3156-228-0x00007FFDC8FD0000-0x00007FFDC8FE9000-memory.dmp

Filesize
100KB

Download
memory/3476-75-0x00007FFDB6EB0000-0x00007FFDB7972000-memory.dmp

Filesize
10.8MB

Download
memory/3476-0-0x00007FFDB6EB3000-0x00007FFDB6EB5000-memory.dmp

Filesize
8KB

Download
memory/3476-4-0x00007FFDB6EB0000-0x00007FFDB7972000-memory.dmp

Filesize
10.8MB

Download
memory/3476-1-0x0000000000FE0000-0x0000000001C68000-memory.dmp

Filesize
12.5MB

Download