exelastealer | cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf

Analysis

max time kernel
140s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-11-2024 19:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
Size

12.8MB
MD5

af07c2cf51596a75173523156e27297f
SHA1

9f205a5a6e4ce65d3d313b1f5c160412fa04d58e
SHA256

cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf
SHA512

1bf467eb605f8dcdca18c5aec8402a7184b806737465fe2d1b2413d01cacccec8cee3a51e8523396d332dbacf1ce5b4b3aaa92f4475c9cd781bba6b9ad89bf08
SSDEEP

393216:UJdkewtByxjBIn8iK1piXLGVEgMoEODXXs5kYHZsbAo:U+tAjhDiXHjoRLAsbAo

Score

10^/10

exelastealer collection defense_evasion discovery evasion persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exe

pid	Process
1848	netsh.exe
220	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

Processes:

cmd.exepowershell.exe

pid	Process
4760	cmd.exe
448	powershell.exe

Loads dropped DLL 34 IoCs

Processes:

cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe

pid	Process
4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

Processes:

flow	ioc
23	discord.com
25	discord.com
27	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
13	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

Processes:

cmd.exeARP.EXE

pid	Process
5080	cmd.exe
2616	ARP.EXE

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exe

pid	Process
4612	tasklist.exe
4352	tasklist.exe
2540	tasklist.exe
2868	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Processes:

cmd.exe

pid	Process
512	cmd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x0007000000023d19-61.dat	upx
behavioral2/memory/4152-65-0x00007FFC53C90000-0x00007FFC542F3000-memory.dmp	upx
behavioral2/files/0x0007000000023d11-72.dat	upx
behavioral2/memory/4152-75-0x00007FFC6C6B0000-0x00007FFC6C6BF000-memory.dmp	upx
behavioral2/memory/4152-73-0x00007FFC67400000-0x00007FFC67427000-memory.dmp	upx
behavioral2/files/0x0007000000023ce6-71.dat	upx
behavioral2/files/0x0007000000023ce4-76.dat	upx
behavioral2/memory/4152-79-0x00007FFC68E60000-0x00007FFC68E79000-memory.dmp	upx
behavioral2/memory/4152-100-0x00007FFC67200000-0x00007FFC6722B000-memory.dmp	upx
behavioral2/files/0x0007000000023cf1-99.dat	upx
behavioral2/files/0x0007000000023cef-97.dat	upx
behavioral2/files/0x0007000000023cee-96.dat	upx
behavioral2/files/0x0007000000023ced-95.dat	upx
behavioral2/files/0x0007000000023cec-94.dat	upx
behavioral2/files/0x0007000000023ceb-93.dat	upx
behavioral2/files/0x0007000000023cea-92.dat	upx
behavioral2/files/0x0007000000023ce8-91.dat	upx
behavioral2/files/0x0007000000023ce7-90.dat	upx
behavioral2/files/0x0007000000023ce5-89.dat	upx
behavioral2/files/0x0007000000023ce3-88.dat	upx
behavioral2/files/0x0007000000023d31-86.dat	upx
behavioral2/files/0x0007000000023d30-85.dat	upx
behavioral2/files/0x0007000000023d1a-84.dat	upx
behavioral2/files/0x0007000000023d17-83.dat	upx
behavioral2/files/0x0007000000023d12-82.dat	upx
behavioral2/files/0x0007000000023d10-81.dat	upx
behavioral2/files/0x0007000000023ce9-78.dat	upx
behavioral2/memory/4152-102-0x00007FFC68580000-0x00007FFC68599000-memory.dmp	upx
behavioral2/memory/4152-106-0x00007FFC67880000-0x00007FFC6788D000-memory.dmp	upx
behavioral2/memory/4152-104-0x00007FFC6B6A0000-0x00007FFC6B6AD000-memory.dmp	upx
behavioral2/memory/4152-108-0x00007FFC671F0000-0x00007FFC671FF000-memory.dmp	upx
behavioral2/memory/4152-111-0x00007FFC671C0000-0x00007FFC671D4000-memory.dmp	upx
behavioral2/memory/4152-114-0x00007FFC53750000-0x00007FFC53C83000-memory.dmp	upx
behavioral2/memory/4152-113-0x00007FFC53C90000-0x00007FFC542F3000-memory.dmp	upx
behavioral2/memory/4152-116-0x00007FFC67400000-0x00007FFC67427000-memory.dmp	upx
behavioral2/memory/4152-119-0x00007FFC633C0000-0x00007FFC6348E000-memory.dmp	upx
behavioral2/memory/4152-118-0x00007FFC63930000-0x00007FFC63964000-memory.dmp	upx
behavioral2/memory/4152-122-0x00007FFC637B0000-0x00007FFC637E6000-memory.dmp	upx
behavioral2/memory/4152-127-0x00007FFC63000000-0x00007FFC6317F000-memory.dmp	upx
behavioral2/memory/4152-126-0x00007FFC68580000-0x00007FFC68599000-memory.dmp	upx
behavioral2/memory/4152-124-0x00007FFC63A30000-0x00007FFC63A55000-memory.dmp	upx
behavioral2/files/0x0007000000023d0d-128.dat	upx
behavioral2/memory/4152-130-0x00007FFC52DD0000-0x00007FFC5355A000-memory.dmp	upx
behavioral2/files/0x0007000000023d16-145.dat	upx
behavioral2/files/0x0007000000023d33-142.dat	upx
behavioral2/memory/4152-141-0x00007FFC63350000-0x00007FFC63366000-memory.dmp	upx
behavioral2/memory/4152-140-0x00007FFC671F0000-0x00007FFC671FF000-memory.dmp	upx
behavioral2/memory/4152-150-0x00007FFC62D90000-0x00007FFC62E43000-memory.dmp	upx
behavioral2/memory/4152-149-0x00007FFC62E50000-0x00007FFC62E72000-memory.dmp	upx
behavioral2/memory/4152-148-0x00007FFC671C0000-0x00007FFC671D4000-memory.dmp	upx
behavioral2/memory/4152-147-0x00007FFC62D70000-0x00007FFC62D8B000-memory.dmp	upx
behavioral2/memory/4152-146-0x00007FFC53750000-0x00007FFC53C83000-memory.dmp	upx
behavioral2/memory/4152-139-0x00007FFC631E0000-0x00007FFC631F4000-memory.dmp	upx
behavioral2/memory/4152-138-0x00007FFC63330000-0x00007FFC63342000-memory.dmp	upx
behavioral2/memory/4152-137-0x00007FFC63570000-0x00007FFC635A8000-memory.dmp	upx
behavioral2/files/0x0007000000023d14-135.dat	upx
behavioral2/files/0x0007000000023cf4-151.dat	upx
behavioral2/files/0x0007000000023cf3-153.dat	upx
behavioral2/memory/4152-154-0x00007FFC63930000-0x00007FFC63964000-memory.dmp	upx
behavioral2/memory/4152-155-0x00007FFC636E0000-0x00007FFC636F8000-memory.dmp	upx
behavioral2/memory/4152-159-0x00007FFC636C0000-0x00007FFC636D1000-memory.dmp	upx
behavioral2/memory/4152-158-0x00007FFC63370000-0x00007FFC633BD000-memory.dmp	upx
behavioral2/memory/4152-157-0x00007FFC633C0000-0x00007FFC6348E000-memory.dmp	upx
behavioral2/memory/4152-161-0x00007FFC59DE0000-0x00007FFC59E12000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid	Process
3728	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exe

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

Processes:

cmd.exenetsh.exe

pid	Process
4012	cmd.exe
2216	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

Processes:

NETSTAT.EXE

pid	Process
4352	NETSTAT.EXE

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

Processes:

WMIC.exe

pid	Process
2200	WMIC.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

Processes:

ipconfig.exeNETSTAT.EXE

pid	Process
544	ipconfig.exe
4352	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

Processes:

systeminfo.exe

pid	Process
1240	systeminfo.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exe

pid	Process
448	powershell.exe
448	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tasklist.exeWMIC.exetasklist.exetasklist.exepowershell.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	4352	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3932	WMIC.exe
Token: SeSecurityPrivilege	3932	WMIC.exe
Token: SeTakeOwnershipPrivilege	3932	WMIC.exe
Token: SeLoadDriverPrivilege	3932	WMIC.exe
Token: SeSystemProfilePrivilege	3932	WMIC.exe
Token: SeSystemtimePrivilege	3932	WMIC.exe
Token: SeProfSingleProcessPrivilege	3932	WMIC.exe
Token: SeIncBasePriorityPrivilege	3932	WMIC.exe
Token: SeCreatePagefilePrivilege	3932	WMIC.exe
Token: SeBackupPrivilege	3932	WMIC.exe
Token: SeRestorePrivilege	3932	WMIC.exe
Token: SeShutdownPrivilege	3932	WMIC.exe
Token: SeDebugPrivilege	3932	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3932	WMIC.exe
Token: SeRemoteShutdownPrivilege	3932	WMIC.exe
Token: SeUndockPrivilege	3932	WMIC.exe
Token: SeManageVolumePrivilege	3932	WMIC.exe
Token: 33	3932	WMIC.exe
Token: 34	3932	WMIC.exe
Token: 35	3932	WMIC.exe
Token: 36	3932	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3932	WMIC.exe
Token: SeSecurityPrivilege	3932	WMIC.exe
Token: SeTakeOwnershipPrivilege	3932	WMIC.exe
Token: SeLoadDriverPrivilege	3932	WMIC.exe
Token: SeSystemProfilePrivilege	3932	WMIC.exe
Token: SeSystemtimePrivilege	3932	WMIC.exe
Token: SeProfSingleProcessPrivilege	3932	WMIC.exe
Token: SeIncBasePriorityPrivilege	3932	WMIC.exe
Token: SeCreatePagefilePrivilege	3932	WMIC.exe
Token: SeBackupPrivilege	3932	WMIC.exe
Token: SeRestorePrivilege	3932	WMIC.exe
Token: SeShutdownPrivilege	3932	WMIC.exe
Token: SeDebugPrivilege	3932	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3932	WMIC.exe
Token: SeRemoteShutdownPrivilege	3932	WMIC.exe
Token: SeUndockPrivilege	3932	WMIC.exe
Token: SeManageVolumePrivilege	3932	WMIC.exe
Token: 33	3932	WMIC.exe
Token: 34	3932	WMIC.exe
Token: 35	3932	WMIC.exe
Token: 36	3932	WMIC.exe
Token: SeDebugPrivilege	2540	tasklist.exe
Token: SeDebugPrivilege	2868	tasklist.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeIncreaseQuotaPrivilege	2200	WMIC.exe
Token: SeSecurityPrivilege	2200	WMIC.exe
Token: SeTakeOwnershipPrivilege	2200	WMIC.exe
Token: SeLoadDriverPrivilege	2200	WMIC.exe
Token: SeSystemProfilePrivilege	2200	WMIC.exe
Token: SeSystemtimePrivilege	2200	WMIC.exe
Token: SeProfSingleProcessPrivilege	2200	WMIC.exe
Token: SeIncBasePriorityPrivilege	2200	WMIC.exe
Token: SeCreatePagefilePrivilege	2200	WMIC.exe
Token: SeBackupPrivilege	2200	WMIC.exe
Token: SeRestorePrivilege	2200	WMIC.exe
Token: SeShutdownPrivilege	2200	WMIC.exe
Token: SeDebugPrivilege	2200	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2200	WMIC.exe
Token: SeRemoteShutdownPrivilege	2200	WMIC.exe
Token: SeUndockPrivilege	2200	WMIC.exe
Token: SeManageVolumePrivilege	2200	WMIC.exe
Token: 33	2200	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.execca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exenet.exequery.exenet.exe

description	pid	Process	procid_target
PID 4860 wrote to memory of 4152	4860	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe	84
PID 4860 wrote to memory of 4152	4860	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe	84
PID 4152 wrote to memory of 4032	4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe	86
PID 4152 wrote to memory of 4032	4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe	86
PID 4152 wrote to memory of 4996	4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe	87
PID 4152 wrote to memory of 4996	4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe	87
PID 4996 wrote to memory of 4352	4996	cmd.exe	90
PID 4996 wrote to memory of 4352	4996	cmd.exe	90
PID 4032 wrote to memory of 3932	4032	cmd.exe	91
PID 4032 wrote to memory of 3932	4032	cmd.exe	91
PID 4152 wrote to memory of 512	4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe	92
PID 4152 wrote to memory of 512	4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe	92
PID 512 wrote to memory of 784	512	cmd.exe	94
PID 512 wrote to memory of 784	512	cmd.exe	94
PID 4152 wrote to memory of 3568	4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe	95
PID 4152 wrote to memory of 3568	4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe	95
PID 3568 wrote to memory of 2540	3568	cmd.exe	97
PID 3568 wrote to memory of 2540	3568	cmd.exe	97
PID 4152 wrote to memory of 3800	4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe	99
PID 4152 wrote to memory of 3800	4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe	99
PID 4152 wrote to memory of 3652	4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe	100
PID 4152 wrote to memory of 3652	4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe	100
PID 4152 wrote to memory of 2820	4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe	101
PID 4152 wrote to memory of 2820	4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe	101
PID 4152 wrote to memory of 4760	4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe	104
PID 4152 wrote to memory of 4760	4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe	104
PID 3800 wrote to memory of 1736	3800	cmd.exe	108
PID 3800 wrote to memory of 1736	3800	cmd.exe	108
PID 1736 wrote to memory of 3760	1736	cmd.exe	109
PID 1736 wrote to memory of 3760	1736	cmd.exe	109
PID 3652 wrote to memory of 1224	3652	cmd.exe	110
PID 3652 wrote to memory of 1224	3652	cmd.exe	110
PID 4760 wrote to memory of 448	4760	cmd.exe	111
PID 4760 wrote to memory of 448	4760	cmd.exe	111
PID 2820 wrote to memory of 2868	2820	cmd.exe	112
PID 2820 wrote to memory of 2868	2820	cmd.exe	112
PID 1224 wrote to memory of 3264	1224	cmd.exe	113
PID 1224 wrote to memory of 3264	1224	cmd.exe	113
PID 4152 wrote to memory of 5080	4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe	114
PID 4152 wrote to memory of 5080	4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe	114
PID 4152 wrote to memory of 4012	4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe	116
PID 4152 wrote to memory of 4012	4152	cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe	116
PID 5080 wrote to memory of 1240	5080	cmd.exe	118
PID 5080 wrote to memory of 1240	5080	cmd.exe	118
PID 4012 wrote to memory of 2216	4012	cmd.exe	119
PID 4012 wrote to memory of 2216	4012	cmd.exe	119
PID 5080 wrote to memory of 3196	5080	cmd.exe	122
PID 5080 wrote to memory of 3196	5080	cmd.exe	122
PID 5080 wrote to memory of 2200	5080	cmd.exe	123
PID 5080 wrote to memory of 2200	5080	cmd.exe	123
PID 5080 wrote to memory of 2340	5080	cmd.exe	124
PID 5080 wrote to memory of 2340	5080	cmd.exe	124
PID 2340 wrote to memory of 4804	2340	net.exe	125
PID 2340 wrote to memory of 4804	2340	net.exe	125
PID 5080 wrote to memory of 5028	5080	cmd.exe	126
PID 5080 wrote to memory of 5028	5080	cmd.exe	126
PID 5028 wrote to memory of 1404	5028	query.exe	127
PID 5028 wrote to memory of 1404	5028	query.exe	127
PID 5080 wrote to memory of 4308	5080	cmd.exe	128
PID 5080 wrote to memory of 4308	5080	cmd.exe	128
PID 4308 wrote to memory of 4532	4308	net.exe	129
PID 4308 wrote to memory of 4532	4308	net.exe	129
PID 5080 wrote to memory of 2032	5080	cmd.exe	130
PID 5080 wrote to memory of 2032	5080	cmd.exe	130

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
784	attrib.exe

C:\Users\Admin\AppData\Local\Temp\cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
"C:\Users\Admin\AppData\Local\Temp\cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Users\Admin\AppData\Local\Temp\cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
  "C:\Users\Admin\AppData\Local\Temp\cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4032
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4996
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\InfinityUpdateService\Infinity.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:512
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\InfinityUpdateService\Infinity.exe"
      4⤵
      Views/modifies file attributes
      PID:784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3568
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3800
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1736
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:3760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3652
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1224
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:3264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:4760
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    - Suspicious use of WriteProcessMemory
    PID:5080
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1240
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:3196
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      Suspicious use of AdjustPrivilegeToken
      PID:2200
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2340
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:4804
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5028
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:1404
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4308
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:4532
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:2032
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:3064
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:2936
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:2028
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:1828
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:1900
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:2400
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:4612
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:544
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:1928
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:2616
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:4352
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:3728
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:220
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:4012
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1768
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3808
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI48602\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\VCRUNTIME140_1.dll

Filesize
48KB

MD5
68156f41ae9a04d89bb6625a5cd222d4

SHA1
3be29d5c53808186eba3a024be377ee6f267c983

SHA256
82a2f9ae1e6146ae3cb0f4bc5a62b7227e0384209d9b1aef86bbcc105912f7cd

SHA512
f7bf8ad7cd8b450050310952c56f6a20b378a972c822ccc253ef3d7381b56ffb3ca6ce3323bea9872674ed1c02017f78ab31e9eb9927fc6b3cba957c247e5d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_asyncio.pyd

Filesize
37KB

MD5
fe4f2e32ed0ea1ef93188939ed5b9564

SHA1
082396142b4c17343695d9ad0d841e73372cddba

SHA256
7319ca620123e4664d6a6aff95ebb43a7a5b0b3cc0df0acb665be1330ed1d6ed

SHA512
3c2ce4589e1ca7f544585bf9fd6bbfe21c49141516a503c6f55ed1eb57b0bc3c53222062599e7213ad82d1b85e6c4e81b3b4bebf0efad4f1acbacd4132f9790c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_bz2.pyd

Filesize
48KB

MD5
76dda2f9e6796b85d4c80b7a49585bd0

SHA1
9d8eb7052fd218d75094c87c669a7e4d6d1614b9

SHA256
1ddc1386f8bec84b4c7d17e75a84fd2b7abef20bd3d5cdc648b3884252e78ca3

SHA512
602bfb0b42d3f8184f15082b61692796c18715c9581dbc840069209a2550545bb4af54e35c1f971a6a9a9830b94fb491f4c9f8d5f4899cf1b534ee6388505019

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_cffi_backend.cp313-win_amd64.pyd

Filesize
71KB

MD5
feb838919a9cbc39fa2f7e47b2cf2fa0

SHA1
4cfb8e03dc507587be9183e08c81c710ca368b86

SHA256
85508735f87ab59af7343101b96337a12d51d6e54227abc3fc139156565c5d8b

SHA512
317913492b361678bc9d7565c011eb201f8bf36fd3c4e3218e00554122db429ca583fa2c0fd782073ab9ae98ba4c228a291d4e71cfc443a8e6d79c051591656c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_ctypes.pyd

Filesize
62KB

MD5
83f2a420d3a54dc73dc553faead3bbd4

SHA1
954525c475713acc04fa2116191bd5a914cd881a

SHA256
b50b87720095fe7ed8dfad73f7a6a0bbeb408a24b561a2cfd7e3b333f87bed90

SHA512
21a80a2a6e3ca2e87df87bf3c34f0a61be441ca5d7bcb9fe7d35dfbce17a02ec04153e72864b284c001f6edcf4f7260476b21c2881614d0f632eeaa34656b1ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_decimal.pyd

Filesize
117KB

MD5
2bbe0345bba0ceb1dfead3bd326e32f7

SHA1
7675f9a476b2ba7a3a76d825faddc9795d2e5afd

SHA256
79e9cf484191193a12126625bf8f8a929c51de8c0dd743f52eab49f86b313818

SHA512
9da97707bf77240ff8557d0a9f6c4cbefd0bd4d4c9b5528de9f588135f98fe9cd7b6d854068fb85df4d95d29b9981daf6d26f8abb94d483d0671bd9a79fbf53a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_hashlib.pyd

Filesize
35KB

MD5
e34a96f476a486da9f3a461abc2df8cc

SHA1
d70836f9ac2cd98c25b51c96f268674e95f53b26

SHA256
72d71d3e5ab403221d8e6ab292b97652fa194cf038fbd31afdf8ef61f1fbcf8e

SHA512
0e2ee8d50a85c450d29002975df616c2318d6e4d52caa0172d2ba46439a9c1fd0b639593852035b0585ccd6d84ba66ba46c79b6cb50e99dc5cff4988ea8af724

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_lzma.pyd

Filesize
86KB

MD5
4c91d0d2bd873740d3b835cd29ba4806

SHA1
76a4a59ea939d87177dc2e600a444bc908729d9a

SHA256
95578954b3282a5ed9c2db1e214cf3b4459afd955eabc898a896344b02908aba

SHA512
f551a17495b7620dbf6d60cf40c29f6a4ceb5afee31472e398492491308023e7401a334c50883f37b60767d209801be4611a6f57ed16a419b06ab8ad5c967565

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_multiprocessing.pyd

Filesize
27KB

MD5
3694bc10cac00d42b50bcf99cb9a8fc6

SHA1
3cffdb605d1e063dba0539400dbf6458a0351a03

SHA256
7bdefee7fbea26a231335cf4b58e6bafe2016275cd274339fdebfd7738d0be1d

SHA512
f5c905689ed17478c1cf66836fe43de656339a678b3f2c0028f196430e9e8d0431621158f03c4368a4eeceafd20904cd7ee89d554b839c21436a48ee65337159

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_overlapped.pyd

Filesize
33KB

MD5
ff936ad394f51e00cfa20b497820dc24

SHA1
02bc239848b717c0a71cefaa85ec7de44ef2e266

SHA256
c7a497d8bb056b55b7e8882c34e250afe3e3bf76f8691d6a90b3f24361ff672d

SHA512
2bccb9399b478516b85535cfb8ceb9c48ab9ab69df70f230a2f0e12506486f1935204bd931ea8cb4f3298bd00f9f7254278fa6739446c14ae0f0e9a0839f313e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_queue.pyd

Filesize
26KB

MD5
c7fdadca43547314c311fd077520000e

SHA1
c166a575e2896bd2700af2c43f7edae023304252

SHA256
6a984ba75337e4487a97646227a14a559eb752e76c831ff413165b5938b6fc69

SHA512
44be37526ddacdde4406a150d72278b2c2689051475d4ace5262d8a6425ab752fd22d0873b8e35620adae12f7c2c75b8feba8315863fb14c1ec1f8d311fc0431

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_socket.pyd

Filesize
44KB

MD5
574c2fee96efa2d63952a6042ee3272f

SHA1
22146b2592bd9aa086632c554f252a5ca92305cd

SHA256
66a745d27d7fdbe039f3ba2b82273eddcdcb8613cd17588682153fafd4b93384

SHA512
078e15e0a508c4035c2b83e458bab95ea56ef941d5505280fc207053be90d072699ec39b5094490ab495fd5041d2c684d0260e5a88ad2c68b199d04340ab4a1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_sqlite3.pyd

Filesize
58KB

MD5
d8a9c98fae2b577c8cb4246e9875de10

SHA1
27b2a31ec26009a4c8a242f3c54b56e46d606070

SHA256
ccf4c7a8efce2a995a91548efc894859922be003ae1c2a00c75123c3453c711b

SHA512
cc519d00f67fc493ed9d9dccc0f6daa2c110247096d12ffdc9da69f7f0f11b11a1a333e6449f2c713b167c629ba9179a8c0083726cf25d8a04196045aed7cd66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_ssl.pyd

Filesize
66KB

MD5
51296f2f4ba52ad6a1f88471b34a42fa

SHA1
6e97e59a6438774ab8502157cc6139864cf8dff8

SHA256
edca2535998bc0f193f706d33f92324224587b353ce8cd1ad00836ad9093ffd1

SHA512
4bf99768f09cebf94c66f359b4e5c0fa03a44b7cd9f6df085d8d5287d66962cf4d654df243e853d9c4fb172a4b366d97a20367c7b3f4fcab81c63b0af3d6c21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_uuid.pyd

Filesize
25KB

MD5
3acf3138d5550ca6de7e2580e076e0f7

SHA1
3e878a18df2362aa6f0bdbfa058dca115e70d0b8

SHA256
f9d5008f0772aa0720bc056a6ecd5a2a3f24965e4b470b022d88627a436c1ffe

SHA512
f05e90a0feaa2994b425884af32149fbbe2e11cb7499fc88ca92d8a74410edcd62b2b2c0f1ecd1a46985133f7e89575f2c114bd01f619c22ce52f3cf2a7e37c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_wmi.pyd

Filesize
28KB

MD5
b263987e0a3cc69177351ef8c72931c0

SHA1
662f37a7c48feee8ddc2acfac21267ed168f0060

SHA256
9a72f30c62104ee4218519c244f9883890f7e116b546e77ca294d4c39cddf289

SHA512
f9a6ac77bf31e3ad42bb410197915e8c06f06d50053befd488df237b88a3554117f58c172045eea2a606034908dfe30874514abd93e06c8bf7d0d0903aa27c4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\aiohttp\_http_parser.cp313-win_amd64.pyd

Filesize
80KB

MD5
4fea7cc469ae54798233e3b29fb97217

SHA1
45239758065eb81f463b7d75b2f262f61fbde103

SHA256
29f4ae910b7615778e4adf0102a37d1668a2645cbabff95e3d182769674a0ebd

SHA512
bcc084b022fa7199357b86f43658e03e7cfec84902d0eeb44bbf26d7397238cb8bcffbd184d8257664e1440b3ecf1e7674a7108c9176f5468790982362b4361d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\aiohttp\_http_writer.cp313-win_amd64.pyd

Filesize
24KB

MD5
4fbd128e1bbabcc1bca750957c02c6e9

SHA1
4b4ec26140ab190c05aa5649408da7048388a01c

SHA256
1ad797bfdc4ec7b27f48070b8bf4f1484bb3d6d01b903cfa6a5e186be34b5a3a

SHA512
60efa10b89b5b4d9ea918ff13a26725c0399d652563910e467a1f8b09db886b435d7a9560eb0871a9fef7440230a451fcfd8bec062aaa2cea6cdd7932c56188c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\base_library.zip

Filesize
1.3MB

MD5
a9cbd0455b46c7d14194d1f18ca8719e

SHA1
e1b0c30bccd9583949c247854f617ac8a14cbac7

SHA256
df6c19637d239bfedc8cd13d20e0938c65e8fdf340622ff334db533f2d30fa19

SHA512
b92468e71490a8800e51410df7068dd8099e78c79a95666ecf274a9e9206359f049490b8f60b96081fafd872ec717e67020364bcfa972f26f0d77a959637e528

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\cryptography\hazmat\bindings\_rust.pyd

Filesize
2.1MB

MD5
27bfdc1a00eb382f490991a6507cc3f2

SHA1
162bc0ddf111968bfd69246660cf650f89b5b7bc

SHA256
788d5c28a70e2bc4e695c827aec70e0869ad7bfdd1f0f4f75231d6f8d83450c2

SHA512
6fcc538c0f901f8543cf296b981a68eb6271f72ddcd106b69b45e0ebd166a355299ce23e999aa855d23edd69f95f53b653f92772435a42c72001386cdb423899

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\libcrypto-3.dll

Filesize
1.6MB

MD5
f5c66bbd34fc2839f2c8afa5a70c4e2c

SHA1
a085085dbf5396ca45801d63d9681b20f091414c

SHA256
7ff3ccb7903f8bc1b872c948cfff4520c51539ae184f93b7bd9c04bf60f4a7f4

SHA512
fc108dfa1ef75b4a4c45c3fae1ccb9257e8950a17f6374fef5080df69ffd52928e5bcac0490772d4d57091e0d81ea58cd1d6d34ec6993e30c1b4c5704be7044b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\libffi-8.dll

Filesize
29KB

MD5
0d1c6b92d091cef3142e32ac4e0cc12e

SHA1
440dad5af38035cb0984a973e1f266deff2bd7fc

SHA256
11ee9c7fb70c3756c0392843245935517171b95cc5ba0d696b2c1742c8d46fb6

SHA512
5d514ecab93941e83c008f0e9749f99e330949580884bf4850b11cac08fe1ac4ac50033e8888045fe4a9d8b4d2e3ea667b39be18f77266d00f8d7d6797260233

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\libssl-3.dll

Filesize
221KB

MD5
fc9d8dea869ea56ff6612a2c577394bf

SHA1
f30bc2bceb36e5e08c348936c791abaa93fd5b25

SHA256
8ec0a7ac78f483bf55585d53f77d23934a4d15665e06fbd73c4addf1c9e6c959

SHA512
929f5e08142e56f2d8067dac5d7457c72221da73e4cf6259da1982c5308b93dbec77d87cef89294a68441da77fa1923d6c9f812f714f6061ff9952f4f17783df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\multidict\_multidict.cp313-win_amd64.pyd

Filesize
20KB

MD5
3c58269113cfce41c884db5b857bdc2d

SHA1
a7170fcf559c18acd9e5b9f1f07f557629ea1b30

SHA256
5513d20e607a6926737c8f83994d92e100e94b7117201a07d0c44531830b9daf

SHA512
d7dd460089dd9f6179aa3942b16553a4bd7a96fceb0a5d506f1499958409fadda666c43e2552227c1549e596c1a254374253bacc60b7ad3ea09db4864f9030cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\propcache\_helpers_c.cp313-win_amd64.pyd

Filesize
31KB

MD5
259dbfe970670d71dd3aba04f8489c03

SHA1
6c80ba0abfe89f599b74cf3da36ada926df22296

SHA256
64d60c63dcfd09a383f97bd7b75b891dbe215f7b0331bb7d7dcbbaed4108263c

SHA512
79d6b4180fd647f8146c57da7df1c1e178c40a6403ee57dea3da0342e0ad1c5616c8d89e6d45b1ac337f8c58ff2c4162da3274325f06a24051788144dbf47b81

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\pyexpat.pyd

Filesize
88KB

MD5
59c087c4a65839c69e3a59e129512563

SHA1
e5a39768dbd0be72f03c45a2d2eea9c802bb0f35

SHA256
1bba10c40afdad06f99d51624ecd0dfef43a4cee0beec5e5a21d61ae06cbdb49

SHA512
7c6f8164f0270b6aee2b30a66a44a094b987b6e6aaa2e34fdfcbc16b80143b76c430fd65871e5dcbe5338b8ad8b4635ff343bdfd09017b1d00663f31d4e5ef6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\python3.dll

Filesize
68KB

MD5
16855ebef31c5b1ebe767f1c617645b3

SHA1
315521f3a748abfa35cd4d48e8dd09d0556d989b

SHA256
a5c6a329698490a035133433928d04368ce6285bb91a9d074fc285de4c9a32a4

SHA512
c3957b3bd36b10c7ad6ea1ff3bc7bd65cdceb3e6b4195a25d0649aa0da179276ce170da903d77b50a38fc3d5147a45be32dbcfdbfbf76cc46301199c529adea4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\python313.dll

Filesize
1.8MB

MD5
d99ac8bac1343105b642295397ca2ffc

SHA1
93fd73c1fb9ee99ddc66d38885a657cf81f62836

SHA256
9116e56cedeb1c4ae82b4bde560f2fe0b83a16764865012cbf5501673d3c5536

SHA512
89d30bc84978daf469008ffc347cbd3e189f1df2c1a302dedfc2b700267cc28c671c7c35b5e95ba29a300e7fda75ccfc720d2173ea6db6eb69978772c0b8339f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\select.pyd

Filesize
25KB

MD5
9d6ec4a3d6011af6c1a18163d2f2dcd8

SHA1
04ff12fc1c8e185a65051b5ccd0e467bb997fe73

SHA256
fe525f24259716b6786c4ef169e106a977b06d7ef6661e63668551d96e03f31c

SHA512
6e9fc605f3319e563d880a573522f4361d24fc5731bff90f069fed053ab7f5159e69a8292929fbc0c56aa369fb350b5eee0c1dedb692e26221b7d7e7bd2d92b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\setuptools\_vendor\jaraco\text\Lorem ipsum.txt

Filesize
1KB

MD5
4ce7501f6608f6ce4011d627979e1ae4

SHA1
78363672264d9cd3f72d5c1d3665e1657b1a5071

SHA256
37fedcffbf73c4eb9f058f47677cb33203a436ff9390e4d38a8e01c9dad28e0b

SHA512
a4cdf92725e1d740758da4dd28df5d1131f70cef46946b173fe6956cc0341f019d7c4fecc3c9605f354e1308858721dada825b4c19f59c5ad1ce01ab84c46b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\sqlite3.dll

Filesize
643KB

MD5
739c7cfbb423ecc578012a1e968845c4

SHA1
b33937e491e611afbb1f7588647bdbf7ca36721e

SHA256
f71744ff7a6fb0bfe988b15453c258e53d6db7f08f3e6a50753dcc2a2990b72c

SHA512
4bb21339c39de65c604b73c46963d2e7e5cf31d33a1cdd7ac5c4b8ccc1fd88863a6342f7ba48d694ca6944764f7eec4e0b64851334781e3eddad743d8a8ed47b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\unicodedata.pyd

Filesize
260KB

MD5
d06c37a2f1e9298433c1f40b2b5dfac6

SHA1
86a3b9edcae4ef141ce40d96551e73fd8d886b66

SHA256
c1eec492fccad5913c86e43cd6f2ed8d9660561ff15e43a2649f6848ef2105aa

SHA512
e40d1042a36145b7f233c6f8af1c191f622629aacfb5dffbd9ba99132b68cddd2fda194068a07ace2b351c0050172815bbfc1bc5e3e3cdc5135239384384f0fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48602\yarl\_quoting_c.cp313-win_amd64.pyd

Filesize
41KB

MD5
f8851964d34e012fc786945cf8e3737a

SHA1
364a9f9f5f01297f2f0206fd6947d107c2f8140a

SHA256
9c2e2220a2ef4c16cd677cfb28bf23cc7850efe6e863a304068ab117557a381e

SHA512
29b88e4e1df3f6b50ec07bba771dadcb8ae26621ed7ae44628587cc74006c6f46e09ae1f922bf641c201cbb51ae04df53a39778f30d376a8d2cd0e52a60c6b19

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hinzzveh.khd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/448-209-0x0000018267860000-0x0000018267882000-memory.dmp

Filesize
136KB

Download
memory/4152-126-0x00007FFC68580000-0x00007FFC68599000-memory.dmp

Filesize
100KB

Download
memory/4152-155-0x00007FFC636E0000-0x00007FFC636F8000-memory.dmp

Filesize
96KB

Download
memory/4152-113-0x00007FFC53C90000-0x00007FFC542F3000-memory.dmp

Filesize
6.4MB

Download
memory/4152-116-0x00007FFC67400000-0x00007FFC67427000-memory.dmp

Filesize
156KB

Download
memory/4152-111-0x00007FFC671C0000-0x00007FFC671D4000-memory.dmp

Filesize
80KB

Download
memory/4152-119-0x00007FFC633C0000-0x00007FFC6348E000-memory.dmp

Filesize
824KB

Download
memory/4152-118-0x00007FFC63930000-0x00007FFC63964000-memory.dmp

Filesize
208KB

Download
memory/4152-122-0x00007FFC637B0000-0x00007FFC637E6000-memory.dmp

Filesize
216KB

Download
memory/4152-127-0x00007FFC63000000-0x00007FFC6317F000-memory.dmp

Filesize
1.5MB

Download
memory/4152-108-0x00007FFC671F0000-0x00007FFC671FF000-memory.dmp

Filesize
60KB

Download
memory/4152-124-0x00007FFC63A30000-0x00007FFC63A55000-memory.dmp

Filesize
148KB

Download
memory/4152-104-0x00007FFC6B6A0000-0x00007FFC6B6AD000-memory.dmp

Filesize
52KB

Download
memory/4152-130-0x00007FFC52DD0000-0x00007FFC5355A000-memory.dmp

Filesize
7.5MB

Download
memory/4152-106-0x00007FFC67880000-0x00007FFC6788D000-memory.dmp

Filesize
52KB

Download
memory/4152-102-0x00007FFC68580000-0x00007FFC68599000-memory.dmp

Filesize
100KB

Download
memory/4152-141-0x00007FFC63350000-0x00007FFC63366000-memory.dmp

Filesize
88KB

Download
memory/4152-140-0x00007FFC671F0000-0x00007FFC671FF000-memory.dmp

Filesize
60KB

Download
memory/4152-150-0x00007FFC62D90000-0x00007FFC62E43000-memory.dmp

Filesize
716KB

Download
memory/4152-149-0x00007FFC62E50000-0x00007FFC62E72000-memory.dmp

Filesize
136KB

Download
memory/4152-148-0x00007FFC671C0000-0x00007FFC671D4000-memory.dmp

Filesize
80KB

Download
memory/4152-147-0x00007FFC62D70000-0x00007FFC62D8B000-memory.dmp

Filesize
108KB

Download
memory/4152-146-0x00007FFC53750000-0x00007FFC53C83000-memory.dmp

Filesize
5.2MB

Download
memory/4152-139-0x00007FFC631E0000-0x00007FFC631F4000-memory.dmp

Filesize
80KB

Download
memory/4152-138-0x00007FFC63330000-0x00007FFC63342000-memory.dmp

Filesize
72KB

Download
memory/4152-137-0x00007FFC63570000-0x00007FFC635A8000-memory.dmp

Filesize
224KB

Download
memory/4152-100-0x00007FFC67200000-0x00007FFC6722B000-memory.dmp

Filesize
172KB

Download
memory/4152-79-0x00007FFC68E60000-0x00007FFC68E79000-memory.dmp

Filesize
100KB

Download
memory/4152-73-0x00007FFC67400000-0x00007FFC67427000-memory.dmp

Filesize
156KB

Download
memory/4152-154-0x00007FFC63930000-0x00007FFC63964000-memory.dmp

Filesize
208KB

Download
memory/4152-114-0x00007FFC53750000-0x00007FFC53C83000-memory.dmp

Filesize
5.2MB

Download
memory/4152-159-0x00007FFC636C0000-0x00007FFC636D1000-memory.dmp

Filesize
68KB

Download
memory/4152-158-0x00007FFC63370000-0x00007FFC633BD000-memory.dmp

Filesize
308KB

Download
memory/4152-157-0x00007FFC633C0000-0x00007FFC6348E000-memory.dmp

Filesize
824KB

Download
memory/4152-161-0x00007FFC59DE0000-0x00007FFC59E12000-memory.dmp

Filesize
200KB

Download
memory/4152-160-0x00007FFC63A30000-0x00007FFC63A55000-memory.dmp

Filesize
148KB

Download
memory/4152-166-0x00007FFC636A0000-0x00007FFC636BE000-memory.dmp

Filesize
120KB

Download
memory/4152-165-0x00007FFC52DD0000-0x00007FFC5355A000-memory.dmp

Filesize
7.5MB

Download
memory/4152-162-0x00007FFC63000000-0x00007FFC6317F000-memory.dmp

Filesize
1.5MB

Download
memory/4152-75-0x00007FFC6C6B0000-0x00007FFC6C6BF000-memory.dmp

Filesize
60KB

Download
memory/4152-65-0x00007FFC53C90000-0x00007FFC542F3000-memory.dmp

Filesize
6.4MB

Download
memory/4152-219-0x00007FFC63350000-0x00007FFC63366000-memory.dmp

Filesize
88KB

Download
memory/4152-237-0x00007FFC63000000-0x00007FFC6317F000-memory.dmp

Filesize
1.5MB

Download
memory/4152-252-0x00007FFC63370000-0x00007FFC633BD000-memory.dmp

Filesize
308KB

Download
memory/4152-251-0x00007FFC636E0000-0x00007FFC636F8000-memory.dmp

Filesize
96KB

Download
memory/4152-249-0x00007FFC59DE0000-0x00007FFC59E12000-memory.dmp

Filesize
200KB

Download
memory/4152-240-0x00007FFC63350000-0x00007FFC63366000-memory.dmp

Filesize
88KB

Download
memory/4152-239-0x00007FFC63570000-0x00007FFC635A8000-memory.dmp

Filesize
224KB

Download
memory/4152-234-0x00007FFC633C0000-0x00007FFC6348E000-memory.dmp

Filesize
824KB

Download
memory/4152-233-0x00007FFC63930000-0x00007FFC63964000-memory.dmp

Filesize
208KB

Download
memory/4152-232-0x00007FFC53750000-0x00007FFC53C83000-memory.dmp

Filesize
5.2MB

Download
memory/4152-230-0x00007FFC671F0000-0x00007FFC671FF000-memory.dmp

Filesize
60KB

Download
memory/4152-229-0x00007FFC67880000-0x00007FFC6788D000-memory.dmp

Filesize
52KB

Download
memory/4152-222-0x00007FFC53C90000-0x00007FFC542F3000-memory.dmp

Filesize
6.4MB

Download
memory/4152-238-0x00007FFC52DD0000-0x00007FFC5355A000-memory.dmp

Filesize
7.5MB

Download
memory/4152-263-0x00007FFC53C90000-0x00007FFC542F3000-memory.dmp

Filesize
6.4MB

Download
memory/4152-278-0x00007FFC63000000-0x00007FFC6317F000-memory.dmp

Filesize
1.5MB

Download
memory/4152-273-0x00007FFC53750000-0x00007FFC53C83000-memory.dmp

Filesize
5.2MB

Download
memory/4152-287-0x00007FFC636E0000-0x00007FFC636F8000-memory.dmp

Filesize
96KB

Download
memory/4152-274-0x00007FFC63930000-0x00007FFC63964000-memory.dmp

Filesize
208KB

Download