Malware Analysis Report

2025-03-15 03:42

Sample ID 241102-gqfwbsyjcz
Target Test.exe
SHA256 c6784468e56bee420171416b973d6ef962ca4f5e58c55cf2a6862a9705246854
Tags
exelastealer collection defense_evasion discovery evasion persistence privilege_escalation spyware stealer pyinstaller
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c6784468e56bee420171416b973d6ef962ca4f5e58c55cf2a6862a9705246854

Threat Level: Known bad

The file Test.exe was found to be: Known bad.

Malicious Activity Summary

Exela Stealer

Exelastealer family

Grants admin privileges

Modifies Windows Firewall

Clipboard Data

Loads dropped DLL

Reads user/profile data of web browsers

Network Service Discovery

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Enumerates processes with tasklist

Hide Artifacts: Hidden Files and Directories

Launches sc.exe

Detects Pyinstaller

Browser Information Discovery

Permission Groups Discovery: Local Groups

System Network Connections Discovery

System Network Configuration Discovery: Wi-Fi Discovery

Event Triggered Execution: Netsh Helper DLL

Unsigned PE

Collects information from the system

Gathers system information

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Views/modifies file attributes

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Runs net.exe

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Gathers network information

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-02 06:00

Signatures

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-02 06:00

Reported

2024-11-02 06:03

Platform

win7-20240708-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Test.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 824 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Users\Admin\AppData\Local\Temp\Test.exe
PID 824 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Users\Admin\AppData\Local\Temp\Test.exe
PID 824 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Users\Admin\AppData\Local\Temp\Test.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Test.exe

"C:\Users\Admin\AppData\Local\Temp\Test.exe"

C:\Users\Admin\AppData\Local\Temp\Test.exe

"C:\Users\Admin\AppData\Local\Temp\Test.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\_MEI8242\python312.dll

MD5 b243d61f4248909bc721674d70a633de
SHA1 1d2fb44b29c4ac3cfd5a7437038a0c541fce82fc
SHA256 93488fa7e631cc0a2bd808b9eee8617280ee9b6ff499ab424a1a1cbf24d77dc7
SHA512 10460c443c7b9a6d7e39ad6e2421b8ca4d8329f1c4a0ff5b71ce73352d2e9438d45f7d59edb13ce30fad3b4f260bd843f4d9b48522d448310d43e0988e075fcb

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-02 06:00

Reported

2024-11-02 06:04

Platform

win10v2004-20241007-en

Max time kernel

209s

Max time network

203s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Test.exe"

Signatures

Exela Stealer

stealer exelastealer

Exelastealer family

exelastealer

Grants admin privileges

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Clipboard Data

collection
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Test.exe N/A

Reads user/profile data of web browsers

spyware stealer

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\ARP.EXE N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Browser Information Discovery

discovery

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Permission Groups Discovery: Local Groups

discovery

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

System Network Connections Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2248 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Users\Admin\AppData\Local\Temp\Test.exe
PID 2248 wrote to memory of 3212 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Users\Admin\AppData\Local\Temp\Test.exe
PID 3212 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 3212 wrote to memory of 4092 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 3212 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 3212 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 4092 wrote to memory of 1568 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4092 wrote to memory of 1568 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 548 wrote to memory of 4036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 548 wrote to memory of 4036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3212 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 3212 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 4820 wrote to memory of 2368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 4820 wrote to memory of 2368 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3212 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 3212 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 3276 wrote to memory of 2924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3276 wrote to memory of 2924 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3212 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 3212 wrote to memory of 908 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 3212 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 3212 wrote to memory of 3988 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 3212 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 3212 wrote to memory of 3324 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 3212 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 3212 wrote to memory of 5040 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 908 wrote to memory of 3280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 908 wrote to memory of 3280 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3280 wrote to memory of 2348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3280 wrote to memory of 2348 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 5040 wrote to memory of 3692 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 5040 wrote to memory of 3692 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3988 wrote to memory of 3256 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3988 wrote to memory of 3256 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 3256 wrote to memory of 3832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3256 wrote to memory of 3832 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\chcp.com
PID 3324 wrote to memory of 2264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3324 wrote to memory of 2264 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3212 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 3212 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 3212 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 3212 wrote to memory of 4964 N/A C:\Users\Admin\AppData\Local\Temp\Test.exe C:\Windows\system32\cmd.exe
PID 4160 wrote to memory of 5060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 4160 wrote to memory of 5060 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\systeminfo.exe
PID 4964 wrote to memory of 2088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4964 wrote to memory of 2088 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\netsh.exe
PID 4160 wrote to memory of 1388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\HOSTNAME.EXE
PID 4160 wrote to memory of 1388 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\HOSTNAME.EXE
PID 4160 wrote to memory of 5028 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4160 wrote to memory of 5028 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4160 wrote to memory of 324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 4160 wrote to memory of 324 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 324 wrote to memory of 768 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 324 wrote to memory of 768 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4160 wrote to memory of 640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\query.exe
PID 4160 wrote to memory of 640 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\query.exe
PID 640 wrote to memory of 1392 N/A C:\Windows\system32\query.exe C:\Windows\system32\quser.exe
PID 640 wrote to memory of 1392 N/A C:\Windows\system32\query.exe C:\Windows\system32\quser.exe
PID 4160 wrote to memory of 884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 4160 wrote to memory of 884 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 884 wrote to memory of 2984 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 884 wrote to memory of 2984 N/A C:\Windows\system32\net.exe C:\Windows\system32\net1.exe
PID 4160 wrote to memory of 4036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe
PID 4160 wrote to memory of 4036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\net.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Test.exe

"C:\Users\Admin\AppData\Local\Temp\Test.exe"

C:\Users\Admin\AppData\Local\Temp\Test.exe

"C:\Users\Admin\AppData\Local\Temp\Test.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"

C:\Windows\system32\cmd.exe

cmd.exe /c chcp

C:\Windows\system32\chcp.com

chcp

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Clipboard

C:\Windows\system32\cmd.exe

cmd.exe /c chcp

C:\Windows\system32\chcp.com

chcp

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\system32\HOSTNAME.EXE

hostname

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get caption,description,providername

C:\Windows\system32\net.exe

net user

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user

C:\Windows\system32\query.exe

query user

C:\Windows\system32\quser.exe

"C:\Windows\system32\quser.exe"

C:\Windows\system32\net.exe

net localgroup

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup

C:\Windows\system32\net.exe

net localgroup administrators

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup administrators

C:\Windows\system32\net.exe

net user guest

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user guest

C:\Windows\system32\net.exe

net user administrator

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user administrator

C:\Windows\System32\Wbem\WMIC.exe

wmic startup get caption,command

C:\Windows\system32\tasklist.exe

tasklist /svc

C:\Windows\system32\ipconfig.exe

ipconfig /all

C:\Windows\system32\ROUTE.EXE

route print

C:\Windows\system32\ARP.EXE

arp -a

C:\Windows\system32\NETSTAT.EXE

netstat -ano

C:\Windows\system32\sc.exe

sc query type= service state= all

C:\Windows\system32\netsh.exe

netsh firewall show state

C:\Windows\system32\netsh.exe

netsh firewall show config

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /0

Network

Country  Destination           Domain                         Proto
US       8.8.8.8:53            8.8.8.8.in-addr.arpa           udp
US       8.8.8.8:53            228.249.119.40.in-addr.arpa    udp
US       8.8.8.8:53            99.209.201.84.in-addr.arpa     udp
N/A      127.0.0.1:54000                                      tcp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53            133.211.185.52.in-addr.arpa    udp
US       8.8.8.8:53            133.32.126.40.in-addr.arpa     udp
US       8.8.8.8:53            ip-api.com                     udp
US       208.95.112.1:80       ip-api.com                     tcp
US       8.8.8.8:53            1.112.95.208.in-addr.arpa      udp
N/A      127.0.0.1:54008                                      tcp
N/A      127.0.0.1:54012                                      tcp
N/A      127.0.0.1:54016                                      tcp
US       8.8.8.8:53            55.36.223.20.in-addr.arpa      udp
US       8.8.8.8:53            discord.com                    udp
US       162.159.138.232:443   discord.com                    tcp
US       8.8.8.8:53            196.249.167.52.in-addr.arpa    udp
US       162.159.138.232:443   discord.com                    tcp
US       8.8.8.8:53            api.gofile.io                  udp
FR       45.112.123.126:443    api.gofile.io                  tcp
US       8.8.8.8:53            store1.gofile.io               udp
FR       45.112.123.227:443    store1.gofile.io               tcp
US       8.8.8.8:53            232.138.159.162.in-addr.arpa   udp
US       8.8.8.8:53            126.123.112.45.in-addr.arpa    udp
US       8.8.8.8:53            227.123.112.45.in-addr.arpa    udp
US       8.8.8.8:53            212.20.149.52.in-addr.arpa     udp
US       8.8.8.8:53            198.187.3.20.in-addr.arpa      udp
US       8.8.8.8:53            107.12.20.2.in-addr.arpa       udp
US       8.8.8.8:53            83.210.23.2.in-addr.arpa       udp
US       162.159.138.232:443   discord.com                    tcp
N/A      127.0.0.1:54115                                      tcp
N/A      127.0.0.1:54117                                      tcp
FR       45.112.123.126:443    api.gofile.io                  tcp
FR       45.112.123.227:443    store1.gofile.io               tcp
US       162.159.138.232:443   discord.com                    tcp
US       8.8.8.8:53            0.205.248.87.in-addr.arpa      udp
US       8.8.8.8:53            19.229.111.52.in-addr.arpa     udp
US       8.8.8.8:53            tse1.mm.bing.net               udp
US       150.171.28.10:443     tse1.mm.bing.net               tcp
US       150.171.28.10:443     tse1.mm.bing.net               tcp
US       150.171.28.10:443     tse1.mm.bing.net               tcp
US       150.171.28.10:443     tse1.mm.bing.net               tcp
US       150.171.28.10:443     tse1.mm.bing.net               tcp
US       8.8.8.8:53            43.58.199.20.in-addr.arpa      udp
US       8.8.8.8:53            10.28.171.150.in-addr.arpa     udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI22482\python312.dll

MD5 b243d61f4248909bc721674d70a633de
SHA1 1d2fb44b29c4ac3cfd5a7437038a0c541fce82fc
SHA256 93488fa7e631cc0a2bd808b9eee8617280ee9b6ff499ab424a1a1cbf24d77dc7
SHA512 10460c443c7b9a6d7e39ad6e2421b8ca4d8329f1c4a0ff5b71ce73352d2e9438d45f7d59edb13ce30fad3b4f260bd843f4d9b48522d448310d43e0988e075fcb

C:\Users\Admin\AppData\Local\Temp\_MEI22482\VCRUNTIME140.dll

MD5 862f820c3251e4ca6fc0ac00e4092239
SHA1 ef96d84b253041b090c243594f90938e9a487a9a
SHA256 36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153
SHA512 2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

C:\Users\Admin\AppData\Local\Temp\_MEI22482\python3.dll

MD5 2e2bb725b92a3d30b1e42cc43275bb7b
SHA1 83af34fb6bbb3e24ff309e3ebc637dd3875592a5
SHA256 d52baca085f88b40f30c855e6c55791e5375c80f60f94057061e77e33f4cad7a
SHA512 e4a500287f7888b1935df40fd0d0f303b82cbcf0d5621592805f3bb507e8ee8de6b51ba2612500838d653566fad18a04f76322c3ab405ce2fdbbefb5ab89069e

C:\Users\Admin\AppData\Local\Temp\_MEI22482\_ctypes.pyd

MD5 302ddf5f83b5887ab9c4b8cc4e40b7a6
SHA1 0aa06af65d072eb835c8d714d0f0733dc2f47e20
SHA256 8250b4c102abd1dba49fc5b52030caa93ca34e00b86cee6547cc0a7f22326807
SHA512 5ddc2488fa192d8b662771c698a63faaf109862c8a4dd0df10fb113aef839d012df58346a87178aff9a1b369f82d8ae7819cef4aad542d8bd3f91327feace596

C:\Users\Admin\AppData\Local\Temp\_MEI22482\libffi-8.dll

MD5 0f8e4992ca92baaf54cc0b43aaccce21
SHA1 c7300975df267b1d6adcbac0ac93fd7b1ab49bd2
SHA256 eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a
SHA512 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

C:\Users\Admin\AppData\Local\Temp\_MEI22482\libssl-3.dll

MD5 4ff168aaa6a1d68e7957175c8513f3a2
SHA1 782f886709febc8c7cebcec4d92c66c4d5dbcf57
SHA256 2e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950
SHA512 c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3

C:\Users\Admin\AppData\Local\Temp\_MEI22482\_wmi.pyd

MD5 fda7d7aada1d15cab2add2f4bd2e59a1
SHA1 7e61473f2ad5e061ef59105bf4255dbe7db5117a
SHA256 b0ed1c62b73b291a1b57e3d8882cc269b2fcbb1253f2947da18d9036e0c985d9
SHA512 95c2934a75507ea2d8c817da7e76ee7567ec29a52018aef195fac779b7ffb440c27722d162f8e416b6ef5d3fd0936c71a55776233293b3dd0124d51118a2b628

C:\Users\Admin\AppData\Local\Temp\_MEI22482\_uuid.pyd

MD5 48c6cca2fdc2ec83fa0771d92bf1d72f
SHA1 723a8bb6e715616da003d7c658cf94fb129cd091
SHA256 869361adf2be930e5c8b492fa2116dc0d0edccbf2c231d39c859ce320be27b31
SHA512 42fdca831e8398638c06cd54186c63cb434da78234a23d80e0f400c64d4e0e4ef8fa307d115b3775b4f97248bd3ce498d764c6befe11b078ec9fcdd270e8f324

C:\Users\Admin\AppData\Local\Temp\_MEI22482\_ssl.pyd

MD5 eea3e12970e28545a964a95da7e84e0b
SHA1 c3ccac86975f2704dabc1ffc3918e81feb3b9ac1
SHA256 61f00b0543464bba61e0bd1128118326c9bd0cdc592854dd1a31c3d6d8df2b83
SHA512 9bd5c83e7e0ab24d6be40a31ac469a0d9b4621a2a279a5f3ab2fc6401a08c54aec421bc9461aed533a0211d7dbda0c264c5f05aeb39138403da25c8cda0339e6

C:\Users\Admin\AppData\Local\Temp\_MEI22482\_sqlite3.pyd

MD5 d3d748770f9bbcf22f20322250befd5b
SHA1 0b5ced1de5f6585cfd3edd9d00f75e56d2c0959d
SHA256 fef8e9f427b47e7758658a876ff1f2d718119af54dbb0498e14c8234571942df
SHA512 c8027eb9a71c5aaf9d714bfebebad091ed45952ca2867981fd1a4e1fdb9fa409addfbcb1d2dc01732a2216b257300d6a88aaea0742b6e1b1d1abbac5506feabc

C:\Users\Admin\AppData\Local\Temp\_MEI22482\_socket.pyd

MD5 632336eeead53cfad22eb57f795d5657
SHA1 62f5f73d21b86cd3b73b68e5faec032618196745
SHA256 ce3090fff8575b21287df5fc69ae98806646fc302eefadf85e369ad3debad92b
SHA512 77965b45060545e210cdb044f25e5fd68d6a9150caf1cad7645dbafcf1ce8e1ccbdf8436fbdcbf5f9c293321c8916e114de30ed8897c7db72df7f8d1f98dfb55

C:\Users\Admin\AppData\Local\Temp\_MEI22482\_queue.pyd

MD5 941a3757931719dd40898d88d04690cb
SHA1 177ede06a3669389512bfc8a9b282d918257bf8b
SHA256 bbe7736caed8c17c97e2b156f686521a788c25f2004aae34ab0c282c24d57da7
SHA512 7cfba5c69695c492bf967018b3827073b0c2797b24e1bd43b814fbbb39d1a8b32a2d7ef240e86046e4e07aa06f7266a31b5512d04d98a0d2d3736630c044546e

C:\Users\Admin\AppData\Local\Temp\_MEI22482\_overlapped.pyd

MD5 b89fca6edba418768147e455085f7cc7
SHA1 5d41e0990e19ee0d131b4fe8c6ac5b7371d1f83e
SHA256 2af91c5ab6f05c4be357b93673920eccf3ebcad5e5ec6b0a7b53ef94a5feaad7
SHA512 a6bd8d62fb1fbebbfa9fee9037effbcbbb48bfa2e6c8b398e036c0bd5f402a4b1c0bf0ad8d80585fe501e00d7fe21b387a0f0e05ad2fcdf3aeb248010cb3f1be

C:\Users\Admin\AppData\Local\Temp\_MEI22482\_multiprocessing.pyd

MD5 4daa82aafc49dd75daea468cc37ef4b0
SHA1 cbf05abc0eb9a6529aa01955d5feac200e602c89
SHA256 a197f3485bbe30b3a1612ea2198cef121af440ba799fd6cbf0ad3493150df3ca
SHA512 473caa70ec832b645296eba3da2dc0bbfc90df15281a9de612a2febf10b7e86d7f20f1c265c7be693bc0d25e11d3d2904f4c2b1039a81ae0e192cfca625408d5

C:\Users\Admin\AppData\Local\Temp\_MEI22482\_lzma.pyd

MD5 e3e7e99b3c2ea56065740b69f1a0bc12
SHA1 79fa083d6e75a18e8b1e81f612acb92d35bb2aea
SHA256 b095fa2eac97496b515031fbea5737988b18deee86a11f2784f5a551732ddc0c
SHA512 35cbc30b1ccdc4f5cc9560fc0149373ccd9399eb9297e61d52e6662bb8c56c6a7569d8cfad85aeb057c10558c9352ae086c0467f684fdcf72a137eadf563a909

C:\Users\Admin\AppData\Local\Temp\_MEI22482\_hashlib.pyd

MD5 0abfee1db6c16e8ddaff12cd3e86475b
SHA1 b2dda9635ede4f2841912cc50cb3ae67eea89fe7
SHA256 b4cec162b985d34ab768f66e8fa41ed28dc2f273fde6670eeace1d695789b137
SHA512 0a5cae4e3442af1d62b65e8bf91e0f2a61563c2b971bbf008bfb2de0f038ee472e7bfcc88663dc503b2712e92e6a7e6a5f518ddab1fab2eb435d387b740d2d44

C:\Users\Admin\AppData\Local\Temp\_MEI22482\_decimal.pyd

MD5 82321fb8245333842e1c31f874329170
SHA1 81abb1d3d5c55db53e8aca9bdf74f2dec0aba1a3
SHA256 b7f9603f98ef232a2c5bce7001d842c01d76ed35171afbd898e6d17facf38b56
SHA512 0cf932ee0d1242ea9377d054adcd71fdd7ec335abbac865e82987e3979e24cead6939cca19da63a08e08ac64face16950edce7918e02bfc7710f09645fd2fa19

C:\Users\Admin\AppData\Local\Temp\_MEI22482\_cffi_backend.cp312-win_amd64.pyd

MD5 fcb71ce882f99ec085d5875e1228bdc1
SHA1 763d9afa909c15fea8e016d321f32856ec722094
SHA256 86f136553ba301c70e7bada8416b77eb4a07f76ccb02f7d73c2999a38fa5fa5b
SHA512 4a0e98ab450453fd930edc04f0f30976abb9214b693db4b6742d784247fb062c57fafafb51eb04b7b4230039ab3b07d2ffd3454d6e261811f34749f2e35f04d6

C:\Users\Admin\AppData\Local\Temp\_MEI22482\_bz2.pyd

MD5 fe499b0a9f7f361fa705e7c81e1011fa
SHA1 cc1c98754c6dab53f5831b05b4df6635ad3f856d
SHA256 160b5218c2035cccbaab9dc4ca26d099f433dcb86dbbd96425c933dc796090df
SHA512 60520c5eb5ccc72ae2a4c0f06c8447d9e9922c5f9f1f195757362fc47651adcc1cdbfef193ae4fec7d7c1a47cf1d9756bd820be996ae145f0fbbbfba327c5742

C:\Users\Admin\AppData\Local\Temp\_MEI22482\_asyncio.pyd

MD5 e74e8b37bd359f581f368ba092eed90e
SHA1 e6bdc3494dbc5d4ae0434bf4dc3b2952e4827f18
SHA256 184fc13677c7856e7a8b31dfe79ce68dcea10cdf83a205de2b0d5497fb0ffdf3
SHA512 29d33593758945a02844e1333ed99d66a0e42eb7e8d0c881197f05d4ec9dad3f1bb490739bc2d64ea9451f4bbbfcc05089a57a7aa1ec22c4091c7edd604b7f7c

C:\Users\Admin\AppData\Local\Temp\_MEI22482\VCRUNTIME140_1.dll

MD5 68156f41ae9a04d89bb6625a5cd222d4
SHA1 3be29d5c53808186eba3a024be377ee6f267c983
SHA256 82a2f9ae1e6146ae3cb0f4bc5a62b7227e0384209d9b1aef86bbcc105912f7cd
SHA512 f7bf8ad7cd8b450050310952c56f6a20b378a972c822ccc253ef3d7381b56ffb3ca6ce3323bea9872674ed1c02017f78ab31e9eb9927fc6b3cba957c247e5d57

C:\Users\Admin\AppData\Local\Temp\_MEI22482\unicodedata.pyd

MD5 098cc6ad04199442c3e2a60e1243c2dc
SHA1 4c92c464a8e1e56e1c4d77cd30a0da474a026aaf
SHA256 64a162d6b11ba10cb11509f3cc445f17beb7acfd064f030b4d59faa1c9894b29
SHA512 73c28488b42a0bc2f0d2861fed3f5dcccf8959ce19d3121c13c998db496f2822deb40f36f86240c8d3954fd2dc2ba5d63c8a125b62324dcd92fb6c8ba49ff170

C:\Users\Admin\AppData\Local\Temp\_MEI22482\sqlite3.dll

MD5 8c5644cb9cef2bb0702a4c8007521c98
SHA1 638af7d40162853d1be85c04125dbf18743bfa1b
SHA256 2f9c9940e87840ff1b5c4922d8b73c7302d1b12badc860990dfebdf77b4140ee
SHA512 1f0a6e969bcb37bcd131b1476f21a068f69b9224063e194b3a04a9454e50dd530d3474e82b24a9be727b94272fadfeaea76a896cd0fb579e15fdf7a48b00cc01

C:\Users\Admin\AppData\Local\Temp\_MEI22482\select.pyd

MD5 7e871444ca23860a25b888ee263e2eaf
SHA1 aa43c9d3abdb1aabda8379f301f8116d0674b590
SHA256 dca5e6d39c5094ce599143cb82f6d8470f0c2a4ce4443499e73f32ed13333fd0
SHA512 2e260d3123f7ca612901513b90fe40739e85248da913297d4cca3b2ebd398d9697880d148830e168e474ebfc3d30ede10668c7316ed7668f8b39da7bca59e57d

C:\Users\Admin\AppData\Local\Temp\_MEI22482\pyexpat.pyd

MD5 b34ca0fcd5e0e4f060fe211273ac2946
SHA1 f7e978eb8adda4bf74739ef71901e0e3aa12ea8c
SHA256 b6670d91a76e9f00609752ab19aae0b1ebe00d24d9d8d22068989bbb24d0aa44
SHA512 010774770dd5c4355c336ece7bfb729d2e616bba62bfb9961324d3b314396f1f535b5adf50621bfc0517c03587c912568e19602173a43f297a5f638aa9296500

C:\Users\Admin\AppData\Local\Temp\_MEI22482\libcrypto-3.dll

MD5 123ad0908c76ccba4789c084f7a6b8d0
SHA1 86de58289c8200ed8c1fc51d5f00e38e32c1aad5
SHA256 4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43
SHA512 80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

C:\Users\Admin\AppData\Local\Temp\_MEI22482\base_library.zip

MD5 bed03063e08a571088685625544ce144
SHA1 56519a1b60314ec43f3af0c5268ecc4647239ba3
SHA256 0d960743dbf746817b61ff7dd1c8c99b4f8c915de26946be56118cd6bedaebdc
SHA512 c136e16db86f94b007db42a9bf485a7c255dcc2843b40337e8f22a67028117f5bd5d48f7c1034d7446bb45ea16e530f1216d22740ddb7fab5b39cc33d4c6d995

C:\Users\Admin\AppData\Local\Temp\_MEI22482\setuptools\_vendor\jaraco\text\Lorem ipsum.txt

MD5 4ce7501f6608f6ce4011d627979e1ae4
SHA1 78363672264d9cd3f72d5c1d3665e1657b1a5071
SHA256 37fedcffbf73c4eb9f058f47677cb33203a436ff9390e4d38a8e01c9dad28e0b
SHA512 a4cdf92725e1d740758da4dd28df5d1131f70cef46946b173fe6956cc0341f019d7c4fecc3c9605f354e1308858721dada825b4c19f59c5ad1ce01ab84c46b24

C:\Users\Admin\AppData\Local\Temp\_MEI22482\yarl\_quoting_c.cp312-win_amd64.pyd

MD5 7af50f2b92c4bc2fc18ced5d322fcaae
SHA1 87df1b69cc0d1ed3bfdf43f7992430d629135f96
SHA256 7ddfe201d613b2a048768040a9cf4be7b7c1dcd0555cbde00f0cc99496c3ef7f
SHA512 9a44ae60e195f836d151104223b407d3ac9b8bcfcddf0f11f084660dbb4a5b8ebff37df61b3cdac8b997d5bd23a035c743553bfa273331b82a490a7c4f231ae9

C:\Users\Admin\AppData\Local\Temp\_MEI22482\multidict\_multidict.cp312-win_amd64.pyd

MD5 4eed96bbb1c4b6d63f50c433e9c0a16a
SHA1 cde34e8f1dac7f4e98d2b0aaf1186c6938de06c3
SHA256 b521b7e3b6bed424a0719c36735bc4bf2bb8b0926370b31c221c604e81f8d78b
SHA512 1cacb250d867fcbbc5224c3f66cb23a93f818bc1d0524cad6d1c52295d243af10f454fde13fa58671d3ee62281a2a3f71a69f28b08fd942fcedba3c9b09a774a

C:\Users\Admin\AppData\Local\Temp\_MEI22482\propcache\_helpers_c.cp312-win_amd64.pyd

MD5 93ccd2b7284bdc745f1adbb8f0927f26
SHA1 30043d4dad9a909b2d0841d279f5266f00315ad9
SHA256 c8c7c9259a47961321b6d913b3cb70215a37b9cff1dbde9e9cbc3250c1b5ad77
SHA512 1dd365345ff334183a1a4ad959ec07a732836d6f1768e935462f0ea62f24f50ee62fb1324fcd813ef7bc40ed092c33f5d5bf70b8d016b67be9a9274dad2868d6

C:\Users\Admin\AppData\Local\Temp\_MEI22482\aiohttp\_helpers.cp312-win_amd64.pyd

MD5 7c25230f2e4d1cbcc45f29ec7bf0d84a
SHA1 3d5a32ba222065c6b64657b940bd72495edc4f1e
SHA256 767cbef142e5e39c760c6f133cdadb39bd103d614ac2770023c4dac24271983e
SHA512 0d2d51d1fa7d201e7b6e2f10f32a245507416c96def8c0d10b861ab1475a87b3ba91319c4d4a700ff94c4783384aa7c7a8dab04df6cfa9a558a9f7e52b15cd67

C:\Users\Admin\AppData\Local\Temp\_MEI22482\aiohttp\_http_writer.cp312-win_amd64.pyd

MD5 1cb70be75767514b7f16356a57a58b3d
SHA1 0a1bff8845405cf9f036eb99ac118a60072c50ed
SHA256 ab2e84a94cd5009292216a8d4497ee04a5fd9cb1caa824833e573cce664f1ff7
SHA512 4ceecc7c7740c9a80df58667344481044b902031726df377a917baffd162dfd3ea9790f1439c0fd70e36bd158a97ba7734a27335533357a9cef1657cb177f28e

C:\Users\Admin\AppData\Local\Temp\_MEI22482\aiohttp\_http_parser.cp312-win_amd64.pyd

MD5 5ae4b8b1e0689a44d37a168065eb756e
SHA1 cb67ab1f4e1229ad4cf5afa6c8c00873faa41462
SHA256 17cd604b21acd9b07b26ec7a40303eed5c6a566d4abc0188d2ec00ab58b48638
SHA512 01ec46f174117f4ec5ab0b9f0af4e250face2179c94f8645722ab456f00b7a60cabec18b233b4c9fe56d59b8ec4b23cd57bc93976fe04de79c85b6241054e3bd

C:\Users\Admin\AppData\Local\Temp\_MEI22482\aiohttp\_websocket.cp312-win_amd64.pyd

MD5 d3f5b8de4546f7b8d0e74520462346b7
SHA1 0c7bd2e0e282b239f7935f79e7b12bb47668cf4d
SHA256 95f09d24ea5b708845dd324f5560475e08349d25b69f711047297f806911bda5
SHA512 0a94abe1409cb529fe5692ed8092296d73ca726d0fbb986bb52c6d1a9b43ec20126497bb27506d56a032f21e31f184ae6a13c024acf282a2a4c4211a227f8712

memory/3692-176-0x0000025D779E0000-0x0000025D77A02000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jy4lmvus.5xe.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1312-194-0x000001CD76140000-0x000001CD76141000-memory.dmp

memory/1312-196-0x000001CD76140000-0x000001CD76141000-memory.dmp

memory/1312-195-0x000001CD76140000-0x000001CD76141000-memory.dmp

memory/1312-206-0x000001CD76140000-0x000001CD76141000-memory.dmp

memory/1312-205-0x000001CD76140000-0x000001CD76141000-memory.dmp

memory/1312-204-0x000001CD76140000-0x000001CD76141000-memory.dmp

memory/1312-203-0x000001CD76140000-0x000001CD76141000-memory.dmp

memory/1312-202-0x000001CD76140000-0x000001CD76141000-memory.dmp

memory/1312-201-0x000001CD76140000-0x000001CD76141000-memory.dmp

memory/1312-200-0x000001CD76140000-0x000001CD76141000-memory.dmp