exelastealer | 8ef807d213e1d7461dd13de75004d24625088d9c9f4008420c64cb3791586e17

Analysis

max time kernel
17s
max time network
34s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
07/03/2025, 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NIXWARE_Slayed.exe
Size

39.9MB
MD5

d4752331cbd993efc8978cc66c7c2b38
SHA1

b4aded4122cb3d93593519c6d72d6778a736549c
SHA256

8ef807d213e1d7461dd13de75004d24625088d9c9f4008420c64cb3791586e17
SHA512

5c5ba7dbcb7e174d1f97bd706abf62273f017c12e6bef50d12d828c2a9d4799d1619ca34b8014d526f7dbb9ba955d8abc7bd33c3f6424aeb21aa01af2c85c402
SSDEEP

786432:DGOlEaoPvuMMXU2o3SIkDhSdKqlH7R32AsKpDW800m70T+eUzN4v5aF+SaSs3QWt:DHIPvuMwUp3SVMpHldxM80n7Q+MaeSi/

Score

10^/10

exelastealer xworm collection defense_evasion discovery execution persistence pyinstaller rat spyware stealer trojan upx

Malware Config

Extracted

Family

xworm

aboltustimoha-43339.portmap.host:43339

Attributes

Install_directory
%Userprofile%
install_file
svchost.exe

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000b000000027e09-173.dat	family_xworm
behavioral1/memory/3536-183-0x0000000000B00000-0x0000000000B1A000-memory.dmp	family_xworm

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
396	powershell.exe
2516	powershell.exe
1432	powershell.exe
1956	powershell.exe
1784	powershell.exe
4528	powershell.exe

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
760	netsh.exe
4780	netsh.exe

Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

ACProtect 1.3x - 1.4x DLL software 26 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000a000000027e07-121.dat	acprotect
behavioral1/files/0x000a000000027dd5-131.dat	acprotect
behavioral1/files/0x000a000000027dff-133.dat	acprotect
behavioral1/files/0x000a000000027dd8-147.dat	acprotect
behavioral1/files/0x000a000000027dd3-155.dat	acprotect
behavioral1/files/0x000a000000027e08-161.dat	acprotect
behavioral1/files/0x000a000000027dfe-195.dat	acprotect
behavioral1/files/0x000a000000027e00-196.dat	acprotect
behavioral1/files/0x000a000000027dde-194.dat	acprotect
behavioral1/files/0x000a000000027dd2-200.dat	acprotect
behavioral1/files/0x000a000000027e0c-215.dat	acprotect
behavioral1/files/0x000a000000027e0e-212.dat	acprotect
behavioral1/files/0x000a000000027dd7-204.dat	acprotect
behavioral1/files/0x000a000000027e02-203.dat	acprotect
behavioral1/files/0x000a000000027dda-201.dat	acprotect
behavioral1/files/0x000a000000027e0b-163.dat	acprotect
behavioral1/files/0x000a000000027ddd-162.dat	acprotect
behavioral1/files/0x000a000000027ddc-159.dat	acprotect
behavioral1/files/0x000a000000027ddb-150.dat	acprotect
behavioral1/files/0x000a000000027dd9-148.dat	acprotect
behavioral1/files/0x000a000000027dd6-145.dat	acprotect
behavioral1/files/0x000a000000027dd4-144.dat	acprotect
behavioral1/files/0x000a000000027e05-138.dat	acprotect
behavioral1/files/0x000a000000027e04-217.dat	acprotect
behavioral1/files/0x000a000000027de2-220.dat	acprotect
behavioral1/files/0x000a000000027de1-222.dat	acprotect

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000\Control Panel\International\Geo\Nation	ExLoader_Installer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000\Control Panel\International\Geo\Nation	NIXWARE_Slayed.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3724	cmd.exe
4748	powershell.exe

Executes dropped EXE 6 IoCs

pid	Process
4728	system.exe
460	Exela.exe
1788	Exela.exe
3536	checker-cheats.exe
4108	ExLoader_Installer.exe
5088	ExLoader_Installer.exe

Loads dropped DLL 37 IoCs

pid	Process
1788	Exela.exe
1788	Exela.exe
1788	Exela.exe
1788	Exela.exe
1788	Exela.exe
1788	Exela.exe
1788	Exela.exe
1788	Exela.exe
1788	Exela.exe
1788	Exela.exe
1788	Exela.exe
1788	Exela.exe
1788	Exela.exe
1788	Exela.exe
1788	Exela.exe
1788	Exela.exe
1788	Exela.exe
1788	Exela.exe
1788	Exela.exe
1788	Exela.exe
1788	Exela.exe
1788	Exela.exe
1788	Exela.exe
1788	Exela.exe
1788	Exela.exe
1788	Exela.exe
1788	Exela.exe
1788	Exela.exe
1788	Exela.exe
1788	Exela.exe
5088	ExLoader_Installer.exe
5088	ExLoader_Installer.exe
5088	ExLoader_Installer.exe
5088	ExLoader_Installer.exe
5088	ExLoader_Installer.exe
5088	ExLoader_Installer.exe
1788	Exela.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ExLoader_Installer = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ExLoader_Installer.exe"	NIXWARE_Slayed.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Exela Update Service = "C:\\Users\\Admin\\AppData\\Local\\ExelaUpdateService\\Exela.exe"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\system = "C:\\Users\\Admin\\AppData\\Local\\Temp\\system.exe"	NIXWARE_Slayed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	NIXWARE_Slayed.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1639757381-2759246526-4253643256-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\checker-cheats = "C:\\Users\\Admin\\AppData\\Local\\Temp\\checker-cheats.exe"	NIXWARE_Slayed.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
46	pastebin.com
47	pastebin.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2484	cmd.exe
5924	ARP.EXE

Power Settings 1 TTPs 8 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
3724	powercfg.exe
3396	powercfg.exe
3876	powercfg.exe
5284	powercfg.exe
5012	powercfg.exe
5292	powercfg.exe
3596	powercfg.exe
4748	powercfg.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
1308	tasklist.exe
4780	tasklist.exe
192	tasklist.exe
392	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2144	cmd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000027e07-121.dat	upx
behavioral1/memory/1788-125-0x0000000074E50000-0x000000007535B000-memory.dmp	upx
behavioral1/files/0x000a000000027dd5-131.dat	upx
behavioral1/memory/1788-135-0x0000000074DF0000-0x0000000074DFD000-memory.dmp	upx
behavioral1/memory/1788-134-0x0000000074E00000-0x0000000074E1F000-memory.dmp	upx
behavioral1/files/0x000a000000027dff-133.dat	upx
behavioral1/files/0x000a000000027dd8-147.dat	upx
behavioral1/files/0x000a000000027dd3-155.dat	upx
behavioral1/memory/1788-156-0x0000000074DD0000-0x0000000074DE8000-memory.dmp	upx
behavioral1/files/0x000a000000027e08-161.dat	upx
behavioral1/memory/1788-167-0x0000000074D10000-0x0000000074D2B000-memory.dmp	upx
behavioral1/files/0x000a000000027dfe-195.dat	upx
behavioral1/memory/1788-199-0x00000000748A0000-0x0000000074934000-memory.dmp	upx
behavioral1/memory/1788-198-0x0000000074940000-0x0000000074B9A000-memory.dmp	upx
behavioral1/memory/1788-197-0x0000000074BA0000-0x0000000074BC8000-memory.dmp	upx
behavioral1/files/0x000a000000027e00-196.dat	upx
behavioral1/files/0x000a000000027dde-194.dat	upx
behavioral1/memory/1788-166-0x0000000074BD0000-0x0000000074D07000-memory.dmp	upx
behavioral1/memory/1788-165-0x0000000074D30000-0x0000000074D3C000-memory.dmp	upx
behavioral1/files/0x000a000000027dd2-200.dat	upx
behavioral1/memory/1788-211-0x0000000074870000-0x000000007487F000-memory.dmp	upx
behavioral1/files/0x000a000000027e0c-215.dat	upx
behavioral1/memory/1788-216-0x00000000746B0000-0x00000000747C9000-memory.dmp	upx
behavioral1/memory/1788-214-0x00000000747D0000-0x00000000747EE000-memory.dmp	upx
behavioral1/memory/1788-213-0x0000000074DF0000-0x0000000074DFD000-memory.dmp	upx
behavioral1/files/0x000a000000027e0e-212.dat	upx
behavioral1/memory/1788-210-0x00000000747F0000-0x0000000074800000-memory.dmp	upx
behavioral1/memory/1788-209-0x0000000074800000-0x000000007480F000-memory.dmp	upx
behavioral1/memory/1788-208-0x0000000074880000-0x0000000074892000-memory.dmp	upx
behavioral1/memory/1788-207-0x0000000074E00000-0x0000000074E1F000-memory.dmp	upx
behavioral1/memory/1788-206-0x0000000074E50000-0x000000007535B000-memory.dmp	upx
behavioral1/files/0x000a000000027dd7-204.dat	upx
behavioral1/files/0x000a000000027e02-203.dat	upx
behavioral1/files/0x000a000000027dda-201.dat	upx
behavioral1/files/0x000a000000027e0b-163.dat	upx
behavioral1/files/0x000a000000027ddd-162.dat	upx
behavioral1/memory/1788-160-0x0000000074D80000-0x0000000074D96000-memory.dmp	upx
behavioral1/files/0x000a000000027ddc-159.dat	upx
behavioral1/memory/1788-158-0x0000000074DA0000-0x0000000074DC7000-memory.dmp	upx
behavioral1/files/0x000a000000027ddb-150.dat	upx
behavioral1/files/0x000a000000027dd9-148.dat	upx
behavioral1/files/0x000a000000027dd6-145.dat	upx
behavioral1/files/0x000a000000027dd4-144.dat	upx
behavioral1/files/0x000a000000027e05-138.dat	upx
behavioral1/files/0x000a000000027e04-217.dat	upx
behavioral1/memory/1788-219-0x0000000074690000-0x00000000746A8000-memory.dmp	upx
behavioral1/files/0x000a000000027de2-220.dat	upx
behavioral1/files/0x000a000000027de1-222.dat	upx
behavioral1/memory/1788-224-0x0000000074670000-0x0000000074686000-memory.dmp	upx
behavioral1/memory/1788-223-0x0000000074D80000-0x0000000074D96000-memory.dmp	upx
behavioral1/memory/1788-230-0x0000000074D10000-0x0000000074D2B000-memory.dmp	upx
behavioral1/memory/1788-234-0x00000000745A0000-0x00000000745BA000-memory.dmp	upx
behavioral1/memory/1788-233-0x00000000748A0000-0x0000000074934000-memory.dmp	upx
behavioral1/memory/1788-232-0x0000000074940000-0x0000000074B9A000-memory.dmp	upx
behavioral1/memory/1788-231-0x0000000074BA0000-0x0000000074BC8000-memory.dmp	upx
behavioral1/memory/1788-229-0x00000000745E0000-0x000000007460E000-memory.dmp	upx
behavioral1/memory/1788-228-0x0000000074610000-0x000000007461F000-memory.dmp	upx
behavioral1/memory/1788-227-0x0000000074620000-0x0000000074664000-memory.dmp	upx
behavioral1/memory/1788-226-0x0000000074BD0000-0x0000000074D07000-memory.dmp	upx
behavioral1/memory/1788-235-0x0000000073FA0000-0x0000000074592000-memory.dmp	upx
behavioral1/memory/1788-244-0x0000000073F70000-0x0000000073F9F000-memory.dmp	upx
behavioral1/memory/1788-898-0x00000000747D0000-0x00000000747EE000-memory.dmp	upx
behavioral1/memory/1788-906-0x00000000746B0000-0x00000000747C9000-memory.dmp	upx
behavioral1/memory/1788-955-0x0000000073F40000-0x0000000073F4C000-memory.dmp	upx

Launches sc.exe 15 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
572	sc.exe
900	sc.exe
4516	sc.exe
3708	sc.exe
540	sc.exe
4432	sc.exe
6012	sc.exe
3076	sc.exe
3800	sc.exe
4932	sc.exe
1196	sc.exe
884	sc.exe
4684	sc.exe
3892	sc.exe
6004	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x000b000000027dcf-51.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 25 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exela.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Exela.exe

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2780	cmd.exe
904	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
5960	NETSTAT.EXE

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
884	WMIC.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
904	ipconfig.exe
5960	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
376	systeminfo.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
396	powershell.exe
396	powershell.exe
2516	powershell.exe
2516	powershell.exe
1432	powershell.exe
1432	powershell.exe
1956	powershell.exe
1956	powershell.exe
2180	WMIC.exe
2180	WMIC.exe
2180	WMIC.exe
2180	WMIC.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	396	powershell.exe
Token: SeIncreaseQuotaPrivilege	396	powershell.exe
Token: SeSecurityPrivilege	396	powershell.exe
Token: SeTakeOwnershipPrivilege	396	powershell.exe
Token: SeLoadDriverPrivilege	396	powershell.exe
Token: SeSystemProfilePrivilege	396	powershell.exe
Token: SeSystemtimePrivilege	396	powershell.exe
Token: SeProfSingleProcessPrivilege	396	powershell.exe
Token: SeIncBasePriorityPrivilege	396	powershell.exe
Token: SeCreatePagefilePrivilege	396	powershell.exe
Token: SeBackupPrivilege	396	powershell.exe
Token: SeRestorePrivilege	396	powershell.exe
Token: SeShutdownPrivilege	396	powershell.exe
Token: SeDebugPrivilege	396	powershell.exe
Token: SeSystemEnvironmentPrivilege	396	powershell.exe
Token: SeRemoteShutdownPrivilege	396	powershell.exe
Token: SeUndockPrivilege	396	powershell.exe
Token: SeManageVolumePrivilege	396	powershell.exe
Token: 33	396	powershell.exe
Token: 34	396	powershell.exe
Token: 35	396	powershell.exe
Token: 36	396	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeIncreaseQuotaPrivilege	2516	powershell.exe
Token: SeSecurityPrivilege	2516	powershell.exe
Token: SeTakeOwnershipPrivilege	2516	powershell.exe
Token: SeLoadDriverPrivilege	2516	powershell.exe
Token: SeSystemProfilePrivilege	2516	powershell.exe
Token: SeSystemtimePrivilege	2516	powershell.exe
Token: SeProfSingleProcessPrivilege	2516	powershell.exe
Token: SeIncBasePriorityPrivilege	2516	powershell.exe
Token: SeCreatePagefilePrivilege	2516	powershell.exe
Token: SeBackupPrivilege	2516	powershell.exe
Token: SeRestorePrivilege	2516	powershell.exe
Token: SeShutdownPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeSystemEnvironmentPrivilege	2516	powershell.exe
Token: SeRemoteShutdownPrivilege	2516	powershell.exe
Token: SeUndockPrivilege	2516	powershell.exe
Token: SeManageVolumePrivilege	2516	powershell.exe
Token: 33	2516	powershell.exe
Token: 34	2516	powershell.exe
Token: 35	2516	powershell.exe
Token: 36	2516	powershell.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeIncreaseQuotaPrivilege	1432	powershell.exe
Token: SeSecurityPrivilege	1432	powershell.exe
Token: SeTakeOwnershipPrivilege	1432	powershell.exe
Token: SeLoadDriverPrivilege	1432	powershell.exe
Token: SeSystemProfilePrivilege	1432	powershell.exe
Token: SeSystemtimePrivilege	1432	powershell.exe
Token: SeProfSingleProcessPrivilege	1432	powershell.exe
Token: SeIncBasePriorityPrivilege	1432	powershell.exe
Token: SeCreatePagefilePrivilege	1432	powershell.exe
Token: SeBackupPrivilege	1432	powershell.exe
Token: SeRestorePrivilege	1432	powershell.exe
Token: SeShutdownPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeSystemEnvironmentPrivilege	1432	powershell.exe
Token: SeRemoteShutdownPrivilege	1432	powershell.exe
Token: SeUndockPrivilege	1432	powershell.exe
Token: SeManageVolumePrivilege	1432	powershell.exe
Token: 33	1432	powershell.exe
Token: 34	1432	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
5088	ExLoader_Installer.exe
5088	ExLoader_Installer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3348 wrote to memory of 396	3348	NIXWARE_Slayed.exe	86
PID 3348 wrote to memory of 396	3348	NIXWARE_Slayed.exe	86
PID 3348 wrote to memory of 4728	3348	NIXWARE_Slayed.exe	91
PID 3348 wrote to memory of 4728	3348	NIXWARE_Slayed.exe	91
PID 3348 wrote to memory of 2516	3348	NIXWARE_Slayed.exe	93
PID 3348 wrote to memory of 2516	3348	NIXWARE_Slayed.exe	93
PID 3348 wrote to memory of 460	3348	NIXWARE_Slayed.exe	95
PID 3348 wrote to memory of 460	3348	NIXWARE_Slayed.exe	95
PID 3348 wrote to memory of 460	3348	NIXWARE_Slayed.exe	95
PID 3348 wrote to memory of 1432	3348	NIXWARE_Slayed.exe	96
PID 3348 wrote to memory of 1432	3348	NIXWARE_Slayed.exe	96
PID 460 wrote to memory of 1788	460	Exela.exe	98
PID 460 wrote to memory of 1788	460	Exela.exe	98
PID 460 wrote to memory of 1788	460	Exela.exe	98
PID 3348 wrote to memory of 3536	3348	NIXWARE_Slayed.exe	99
PID 3348 wrote to memory of 3536	3348	NIXWARE_Slayed.exe	99
PID 3348 wrote to memory of 1956	3348	NIXWARE_Slayed.exe	100
PID 3348 wrote to memory of 1956	3348	NIXWARE_Slayed.exe	100
PID 1788 wrote to memory of 1164	1788	Exela.exe	103
PID 1788 wrote to memory of 1164	1788	Exela.exe	103
PID 1788 wrote to memory of 1164	1788	Exela.exe	103
PID 1788 wrote to memory of 1692	1788	Exela.exe	106
PID 1788 wrote to memory of 1692	1788	Exela.exe	106
PID 1788 wrote to memory of 1692	1788	Exela.exe	106
PID 1788 wrote to memory of 2132	1788	Exela.exe	107
PID 1788 wrote to memory of 2132	1788	Exela.exe	107
PID 1788 wrote to memory of 2132	1788	Exela.exe	107
PID 3348 wrote to memory of 4108	3348	NIXWARE_Slayed.exe	105
PID 3348 wrote to memory of 4108	3348	NIXWARE_Slayed.exe	105
PID 2132 wrote to memory of 392	2132	cmd.exe	110
PID 2132 wrote to memory of 392	2132	cmd.exe	110
PID 2132 wrote to memory of 392	2132	cmd.exe	110
PID 1692 wrote to memory of 2180	1692	cmd.exe	115
PID 1692 wrote to memory of 2180	1692	cmd.exe	115
PID 1692 wrote to memory of 2180	1692	cmd.exe	115
PID 1788 wrote to memory of 2144	1788	Exela.exe	112
PID 1788 wrote to memory of 2144	1788	Exela.exe	112
PID 1788 wrote to memory of 2144	1788	Exela.exe	112
PID 2144 wrote to memory of 2180	2144	cmd.exe	115
PID 2144 wrote to memory of 2180	2144	cmd.exe	115
PID 2144 wrote to memory of 2180	2144	cmd.exe	115
PID 1788 wrote to memory of 3640	1788	Exela.exe	119
PID 1788 wrote to memory of 3640	1788	Exela.exe	119
PID 1788 wrote to memory of 3640	1788	Exela.exe	119
PID 3640 wrote to memory of 3032	3640	cmd.exe	121
PID 3640 wrote to memory of 3032	3640	cmd.exe	121
PID 3640 wrote to memory of 3032	3640	cmd.exe	121
PID 4108 wrote to memory of 5088	4108	ExLoader_Installer.exe	122
PID 4108 wrote to memory of 5088	4108	ExLoader_Installer.exe	122
PID 1788 wrote to memory of 3380	1788	Exela.exe	123
PID 1788 wrote to memory of 3380	1788	Exela.exe	123
PID 1788 wrote to memory of 3380	1788	Exela.exe	123
PID 3380 wrote to memory of 1308	3380	cmd.exe	125
PID 3380 wrote to memory of 1308	3380	cmd.exe	125
PID 3380 wrote to memory of 1308	3380	cmd.exe	125
PID 1788 wrote to memory of 2112	1788	Exela.exe	156
PID 1788 wrote to memory of 2112	1788	Exela.exe	156
PID 1788 wrote to memory of 2112	1788	Exela.exe	156
PID 1788 wrote to memory of 3388	1788	Exela.exe	127
PID 1788 wrote to memory of 3388	1788	Exela.exe	127
PID 1788 wrote to memory of 3388	1788	Exela.exe	127
PID 1788 wrote to memory of 4488	1788	Exela.exe	128
PID 1788 wrote to memory of 4488	1788	Exela.exe	128
PID 1788 wrote to memory of 4488	1788	Exela.exe	128

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2180	attrib.exe

C:\Users\Admin\AppData\Local\Temp\NIXWARE_Slayed.exe
"C:\Users\Admin\AppData\Local\Temp\NIXWARE_Slayed.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\system.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:396
- C:\Users\Admin\AppData\Local\Temp\system.exe
  "C:\Users\Admin\AppData\Local\Temp\system.exe"
  2⤵
  - Executes dropped EXE
  PID:4728
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:1784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:876
  - - C:\Windows\system32\wusa.exe
      wusa /uninstall /kb:890830 /quiet /norestart
      4⤵
      PID:4668
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:3076
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:4516
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop wuauserv
    3⤵
    - Launches sc.exe
    PID:3800
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop bits
    3⤵
    - Launches sc.exe
    PID:4932
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop dosvc
    3⤵
    - Launches sc.exe
    PID:1196
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:4748
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:3876
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:3396
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:3724
- - C:\Windows\system32\dialer.exe
    C:\Windows\system32\dialer.exe
    3⤵
    PID:1632
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "VLKIAJCI"
    3⤵
    - Launches sc.exe
    PID:3892
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "VLKIAJCI" binpath= "C:\ProgramData\sqqlezmfstqp\ixoqduepyxci.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:884
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:3708
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "VLKIAJCI"
    3⤵
    - Launches sc.exe
    PID:540
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2516
- C:\Users\Admin\AppData\Local\Temp\Exela.exe
  "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:460
- - C:\Users\Admin\AppData\Local\Temp\Exela.exe
    "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1788
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1164
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1692
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2180
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2132
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:392
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
      4⤵
      Hide Artifacts: Hidden Files and Directories
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2144
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2180
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3640
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:3032
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3380
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:1308
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2112
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3092
      - C:\Windows\SysWOW64\chcp.com
        
        chcp
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1440
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3388
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2564
      - C:\Windows\SysWOW64\chcp.com
        
        chcp
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3404
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4488
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        System Location Discovery: System Language Discovery
        
        PID:4780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
      4⤵
      Clipboard Data
      System Location Discovery: System Language Discovery
      PID:3724
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        5⤵
        Clipboard Data
        System Location Discovery: System Language Discovery
        
        PID:4748
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2780
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh wlan show profiles
        5⤵
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:904
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
      4⤵
      Network Service Discovery
      System Location Discovery: System Language Discovery
      PID:2484
    - - C:\Windows\SysWOW64\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:376
    - - C:\Windows\SysWOW64\HOSTNAME.EXE
        
        hostname
        5⤵
        
        PID:2516
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        5⤵
        Collects information from the system
        
        PID:884
    - - C:\Windows\SysWOW64\net.exe
        
        net user
        5⤵
        
        PID:3708
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user
        6⤵
        
        PID:1676
    - - C:\Windows\SysWOW64\net.exe
        
        net localgroup
        5⤵
        
        PID:3816
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup
        6⤵
        
        PID:3404
    - - C:\Windows\SysWOW64\net.exe
        
        net localgroup administrators
        5⤵
        
        PID:2112
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        6⤵
        
        PID:1128
    - - C:\Windows\SysWOW64\net.exe
        
        net user guest
        5⤵
        
        PID:4656
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user guest
        6⤵
        
        PID:4600
    - - C:\Windows\SysWOW64\net.exe
        
        net user administrator
        5⤵
        
        PID:4624
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 user administrator
        6⤵
        
        PID:1240
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic startup get caption,command
        5⤵
        
        PID:1644
    - - C:\Windows\SysWOW64\tasklist.exe
        
        tasklist /svc
        5⤵
        Enumerates processes with tasklist
        
        PID:192
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:904
    - - C:\Windows\SysWOW64\ROUTE.EXE
        
        route print
        5⤵
        
        PID:4536
    - - C:\Windows\SysWOW64\ARP.EXE
        
        arp -a
        5⤵
        Network Service Discovery
        
        PID:5924
    - - C:\Windows\SysWOW64\NETSTAT.EXE
        
        netstat -ano
        5⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:5960
    - - C:\Windows\SysWOW64\sc.exe
        
        sc query type= service state= all
        5⤵
        Launches sc.exe
        
        PID:6004
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall show state
        5⤵
        Modifies Windows Firewall
        
        PID:760
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall show config
        5⤵
        Modifies Windows Firewall
        
        PID:4780
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:6088
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:3876
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:3032
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:1332
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\checker-cheats.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1432
- C:\Users\Admin\AppData\Local\Temp\checker-cheats.exe
  "C:\Users\Admin\AppData\Local\Temp\checker-cheats.exe"
  2⤵
  - Executes dropped EXE
  PID:3536
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:1956
- C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe
  "C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    PID:5088

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
1⤵
PID:4420

C:\ProgramData\sqqlezmfstqp\ixoqduepyxci.exe
C:\ProgramData\sqqlezmfstqp\ixoqduepyxci.exe
1⤵
PID:3348
- C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:4528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart
  2⤵
  PID:5996
- - C:\Windows\system32\wusa.exe
    wusa /uninstall /kb:890830 /quiet /norestart
    3⤵
    PID:740
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop UsoSvc
  2⤵
  - Launches sc.exe
  PID:6012
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop WaaSMedicSvc
  2⤵
  - Launches sc.exe
  PID:572
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop wuauserv
  2⤵
  - Launches sc.exe
  PID:4432
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop bits
  2⤵
  - Launches sc.exe
  PID:900
- C:\Windows\system32\sc.exe
  C:\Windows\system32\sc.exe stop dosvc
  2⤵
  - Launches sc.exe
  PID:4684
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  - Power Settings
  PID:5284
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  - Power Settings
  PID:5292
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  - Power Settings
  PID:5012
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:3596
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:932
- C:\Windows\system32\dialer.exe
  C:\Windows\system32\dialer.exe
  2⤵
  PID:5432
- C:\Windows\system32\dialer.exe
  dialer.exe
  2⤵
  PID:5532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
3eb3833f769dd890afc295b977eab4b4

SHA1
e857649b037939602c72ad003e5d3698695f436f

SHA256
c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485

SHA512
c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
73fd21e21176268bda8300180d019196

SHA1
cca444133c29a9540ace354c5ea18cb25d28c20b

SHA256
613c036439748efdeb68321da78143aa167565b82595a7add9aa1bdef864bf82

SHA512
2fac71079e6bd5f0a11b6d8b84e9af94f876689ecb37218903420f7b4cd31af2fbddeecfd2bd72849b77dacd7130d37f4f53bc778c05452b9bb5c1c3f415ed6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
548f94fff5d24bde2d40f75b3174b9a8

SHA1
c55523794628e2e8c70ed6787c9a7e5fb2ff21b1

SHA256
d444f8a512e28eb1f2baa3231771b971030ffa940211b26c4a0c54f1b2053c46

SHA512
f6167facf286d204820c00a81b36d3da3143318233fa2ecebecabd934b1eca68443fe4ea09341ccc7c3c73b0986328909a86df23a807bc7f7d816c1b9114f4ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
60b3262c3163ee3d466199160b9ed07d

SHA1
994ece4ea4e61de0be2fdd580f87e3415f9e1ff6

SHA256
e3b30f16d41f94cba2b8a75f35c91ae7418465abfbfe5477ec0551d1952b2fdb

SHA512
081d2015cb94477eb0fbc38f44b6d9b4a3204fb3ad0b7d0e146a88ab4ab9a0d475207f1adae03f4a81ccc5beb7568dc8be1249f69e32fe56efd9ee2f6ee3b1af

Download Submit
C:\Users\Admin\AppData\Local\Temp\ExLoader_Installer.exe

Filesize
26.5MB

MD5
dcd3344e5bdca9492706ed74cbf8b233

SHA1
ed0ad8d0e65d27d34644b75fbd73b7ee8a825bc6

SHA256
75243dbdd7668c07417eb463d1b4f24d8ff4781b6d5aa0522afb2509b920cf9c

SHA512
9d31001b90e2610a74aa66b7d9a383094b3d904ad105b50c55be3aa46ef8be2f2a45a082e990a905b8673e4bcf320b4f078a53fe1435bd96e08df0bc9e09bca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Exela.exe

Filesize
9.5MB

MD5
e7c61dbcc53cbf37a1fddea9ce93fbf8

SHA1
f6d4813534064eb0b213db0870a9bc18e675fe27

SHA256
f3f45a028210e0078d14bdcaaa3547506bf0426b20240c4b9b4b1a0f5ee00e86

SHA512
4b7bd2d0ad8480f508719c13de620d4f6c4c1003b807cbff59159e37c7739a7a32d2129ee855b4efacdbbebc4597c992438497d5d46fac664b2509ba3587184e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\ExLoader_Installer.exe

Filesize
184KB

MD5
672d8f840df04da81a68c12354c67602

SHA1
f14a9a358bce7225435a4f9327722edf363139cf

SHA256
cc8522a81ca478837e76ee0975f820c0211242f859769dad4349afc9892dd6b2

SHA512
4ac90decbf88025c7ed0484b030d484b3659541ad4bf2f029d74657bcb4fc4d7f5f66a84ac9bfe8184e21fd412c1ad367c8ebf6a9e19761736bbeaf9722db962

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4602\VCRUNTIME140.dll

Filesize
78KB

MD5
1e6e97d60d411a2dee8964d3d05adb15

SHA1
0a2fe6ec6b6675c44998c282dbb1cd8787612faf

SHA256
8598940e498271b542f2c04998626aa680f2172d0ff4f8dbd4ffec1a196540f9

SHA512
3f7d79079c57786051a2f7facfb1046188049e831f12b549609a8f152664678ee35ad54d1fff4447428b6f76bea1c7ca88fa96aab395a560c6ec598344fcc7fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4602\_asyncio.pyd

Filesize
32KB

MD5
140261084b0d5eac9b480970b76726cb

SHA1
72d47c28a50f32f26cb5f650e1673bb3bf1b7b87

SHA256
fbdf50454e1e74d28bd3c195a57528f18af29339bd016bc5b9f5cd57b2e77df3

SHA512
1c78117841f44d0f4afa4dee5b16524851a5a983810ea928d994f942eae127e7d471dbf8be0c7b7e11b92bed210cf7cac5cea7e7407be7dcc1710473ab7cff84

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4602\_bz2.pyd

Filesize
43KB

MD5
8df17a44f2c197bd23aeb8a3e68df30c

SHA1
3aa2d329e70e73ea3952e98302edba9d862cb20e

SHA256
bb9142d284c6c401dc9c3581a5c8e50da575af2801a9fc5036a5bdf2144e9a29

SHA512
712fb32769367ce443c210d3962233d0eedda309b19656b8c77cbc77ec8553bc4b8760bc26c6d7d4f849f38e5a21dcd0966d9d1dd0470bd511d0904bdccf8bd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4602\_cffi_backend.cp311-win32.pyd

Filesize
60KB

MD5
700f9722fef74f92506b398fa6408591

SHA1
1498b56466e9a1a7dbfd3a20653317a584a2512e

SHA256
60b6f17567ce3f114a33b65919cdc78d867b33a72134f4c619c8d2344010b970

SHA512
c30e914cc09e06c299e2222442b5e1c5c27aeb50bed57a30d20b804c4f9f7d2b8e7f7ab24b4396da36f1af85ae63e48072c13ad7d378f8368592dd114b931086

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4602\_ctypes.pyd

Filesize
51KB

MD5
35f9c685c12def0b43484f24133a81d8

SHA1
5d9bfa5cf9a8c99d901ed52a593eafaa543a914d

SHA256
14a4bb9dde27cbb8ea5a10baa0bfc37cfd7b11d8325d332a4a960397ea6f0e77

SHA512
7b268bfdd137bb98137a73ccfefea686c59dc6fbb79ccd68c73debf4c171189f0ad9b89afac60998fca1580ab557b149c8edd1396d4e53a2ffe27ade098bf163

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4602\_decimal.pyd

Filesize
77KB

MD5
9aae203f1c75b03764dd0edf81fb5c5e

SHA1
6208bcb6b5f9a2f033260f01aad117d44034c678

SHA256
be03b9ab01dbc972dcbd08b2605a4c5814752d23225766ff7725f9e2d4c6b060

SHA512
2f7f801638b1775079bb519e32137f2ab81f2b7a1873eb05054ff541a5ff79dec73425db143c39d23f29a8374b96812ab9dba5e25bb85c5007ee20af5292ed10

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4602\_hashlib.pyd

Filesize
28KB

MD5
34001fe9953d32df87b76333d90f6c95

SHA1
f8da5142fa8ed196d0682b9ec9dc011b701096b8

SHA256
8c535f8bc125f4cc966447551e9fc3a6a07f33c5298d0f5db9f8a12536482ed3

SHA512
da989737afd6d592cb6dd2aecd5569344989971a0addcd2240591152711da89988400e34d5272c44d6beaeae684098747afe4ab3225d83f930b9c21979fecea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4602\_lzma.pyd

Filesize
78KB

MD5
b58ec68fe28a4959ca3232335d8ec732

SHA1
69d9e6252e501423930766b8c0a9efc31978e326

SHA256
9de489435f8c9baf8d9ce06c023e3b27ffa4c81a75c22f6a515b7f2d67b20426

SHA512
ef74190b3c010e0a40055746c3cba091ca775e4d73f5eb3e44a2acbf6332e93f70ebe905dfe7a04d5016aedc5eafef016eec1293f5f1e264aa4e444c0e38fb18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4602\_multiprocessing.pyd

Filesize
23KB

MD5
184a3b2389a484a4aeb6b8b45e8b315e

SHA1
205899fb7637cd3c240e10a8e823dbec6f1057b9

SHA256
1a2102192f64d63e482cd9bc0227b7ac2db82b54f38591d6d1dee00ed97f13e0

SHA512
7444b9e2607442bca85e36f2228bd0efdff7532b5c1632bb2183b39b50146ce8b3478f1dff9e395a4107dae0f23ad0310b8949ad63d4c62a4941bb569a63c11d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4602\_overlapped.pyd

Filesize
27KB

MD5
2269121a4c214a26d28ddd21a37a0239

SHA1
74e633e29d0ba6085764dde538c84b6350e63975

SHA256
13b3d027c73a356019981c18059ba3a7133c3b06adf029f16f9065bade77d387

SHA512
ee8e03573541061bb42e2800a4a7eaac2c3638a715eab103ea1c5369bdb8f4146c745acd27604d9b7a506f756e9df4c3fcb391e22d6f3e87b3d11d5165c4d4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4602\_queue.pyd

Filesize
23KB

MD5
db2891c7e3c42f9550cfdf263113553d

SHA1
c49d520878c20eb2129f97eca28f9e6893fe03d4

SHA256
c8487a9e40fc8499f1075dcfebb811cd3c9b1a7f2299a758b4eaf7e9851b209d

SHA512
dcf41ca1737503e7d0cbfecda8f51a96c3d4a5d508f25be8b60df3be4439c7294d0fce4c7ffc1b4a21c1806171d4659e4fcb0982b608e44e2287a00cee7b68a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4602\_socket.pyd

Filesize
37KB

MD5
2c7417030d8bb988c27afbbfd2d76a09

SHA1
1a4a37b205d8a98c200840ed32b29e2d09a94b1f

SHA256
e858ac5eb10efb4151838209738d20d86bacaa3d8ac96b37846e47c5ec9fc7cb

SHA512
28e409c536ea26f5881035622d67e435fc82795d656ed2e4ac3b87963387df5defb8cfc8b069fdc3748f5203262374cbb2b20d761d0da5f8002dfebfed1a5929

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4602\_sqlite3.pyd

Filesize
43KB

MD5
4a6770da61441dcd88094ec3db230060

SHA1
b9d2424f7f9ba5ca8c082971ba8670d6141b4c92

SHA256
f96a669ae6e312d8b2e2a203088d2376b85b586ac3e7c9050e2089907c2a6dfd

SHA512
f22f8125f51f970e5fc7cbbf1f801e50b2da52e84eb64830b29faca63c14f265934e0633aeccc0d0b325de07d0043b61b3ff567198560043052910b3a717f18d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4602\_ssl.pyd

Filesize
56KB

MD5
74337381b7a112673ac33f1c18c3bfa9

SHA1
87ad66be55d163185e5096918f08e36c9db49cbf

SHA256
e27e46ae88e20ac46393a0588c50a2b22ae73c9584db2e040654c7c4856e319e

SHA512
fe01a945f41e63a361b814a2b9739e518f4019351169b487b08417f7d8b62f5e65a311e9934beac35eded0f24066482bc4fa856062d72c3a7fd3dd489bf7c76c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4602\_uuid.pyd

Filesize
21KB

MD5
954767d0bc7124d947b29991dee2ad2e

SHA1
b50ec8a88ed8c6df6cde99c561f1ec04e1bf72a5

SHA256
661f277751684b612708b21afad5ac70a00094774185f1f5d32981d72e6a922e

SHA512
2f6990676f731c112479e453feac6069388fb0068ee57ef756f2fc8e5dd7b5951d14cddadf14773684d045eba99f99f39b0bdbd25d021fb5a9d0abca36707c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4602\aiohttp\_http_parser.cp311-win32.pyd

Filesize
70KB

MD5
e24e5bfe799c3048a9da30a820cbad19

SHA1
c457593cd954f9690a72e8ad5a05f36983c022c3

SHA256
6b88e706ea368cc778a9c71d3983c41aa7923eaf8b744cb1f448bab43bb34c32

SHA512
18cafb5753a52e802f38a44cc76920bc8a9cc96d8808c7583e644ac4687d3c93f83146500244e578cba2310c4842110413947314feafd493761a17562654a2f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4602\aiohttp\_http_writer.cp311-win32.pyd

Filesize
21KB

MD5
d1bc6ba33849107309ac70398ba3175e

SHA1
7388e57ebc7dd437c33d7af8fa516d3b1571dd9a

SHA256
c50d21793472b81a6053577a6aca29c22b2b53a6434953fee44de35ae730cdf8

SHA512
89ed77290f24dbabdf0e4df5a223ea5d909ba0a3fa9b1d6793e29256bb7584fc1c71534ab084b9185f39cb4acbe6ecfe1292978e2d519f2fb6939e178cdf4fd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4602\base_library.zip

Filesize
1.4MB

MD5
c476dc883c19fcb34cc933f4a399bc22

SHA1
9116ef79b1fd0566e5231e5087da43bf2f68bad6

SHA256
0b7944cabeba47f5c65fe307ab9b2e918551f686a14ad08a34c02fb01c1f4efc

SHA512
af5ad29ed40264f5fa58e72a2b25086ca6a0eb88002c6c5557d1e7f59269d452088d1d9f60121f488c4d0585ab7641fa3b4b95c08e92d1d7d6c38e39fc9d15be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4602\libcrypto-1_1.dll

Filesize
753KB

MD5
2eb116a4507e1b0a2a9bab42349fd1ae

SHA1
e7cfeb42eb91e87dfe431c9b7fb068c766cc2245

SHA256
573b05deab62b1d1623995e27923576898050d00008dfdc5d82d6cf278c14944

SHA512
4b27b64d20e3bc710cb6d8b8491b47e7c39cf1fc5c885b89a1ceb42b73060fae8288a8c7500ce5420e2b1b2948c717d3a4ab860e75ae159555a6cca8c368493a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4602\libffi-8.dll

Filesize
23KB

MD5
78621a7664d5e32ffdd35709bf7c9da9

SHA1
75179be2b3b1f81388d2d594600fcafdb4455228

SHA256
a86d2c3acae805abff393bb109936e2b4a2b47414e4c5ee04a9c035ec42647f9

SHA512
07e06117b9da7d2ea25b8d49c0a0fe89db07050aa2a4103000c8ed6701a89cb5f16c2660c6829398536bc925b57634a1b1f53b6a79e855770964b87a61d080c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4602\libssl-1_1.dll

Filesize
171KB

MD5
fcf946a6a60ed95e084aa1de9a7a4a36

SHA1
8da6dfd6531816ba03f2e06a61c83ca378082c3d

SHA256
c1acad5cb0fc77abf7f553fc7340fa934b903d454b48588b0b172c964ef9c036

SHA512
70086254be4e8bf1bda2fa30eaec7b4f6ed46c28d9a95169938c6d9725ab056ee33ed811da965c4c0411ea754f49edb8fd23716f0e980a367ee7942401f4a0df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4602\multidict\_multidict.cp311-win32.pyd

Filesize
17KB

MD5
e41325ca17292eac8599ac9e7913ed4f

SHA1
52e4e3f77f6c6d375f319437097aaf993e3e6d77

SHA256
e891680867c48b835ac54285095095c528fa370938e1542e91c8483fc4e5066f

SHA512
7c77ac6c0997969b6c09679460e2f197b14f571fe1861079345da12a7db5d30c875bcae1d8e05cca9ac8ef494e51368f4ff5acd783c874c9c188f875d486cbe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4602\propcache\_helpers_c.cp311-win32.pyd

Filesize
26KB

MD5
8d15b0249d241d09d536a409bdc44b6d

SHA1
83672ae13d947e9589071b8b927914393c7d1924

SHA256
5ae84d82cf738dbf672e3c641ed0d275f8e97fc054ffa638d5fe0ff4eaaa3a65

SHA512
bac0b5a7152e0dfcd1e2d0c3e45177c82b791b1ed66297b08d098acc0551f6940531c4725556070045f093069909377bd69e2418676e54920ecd446a1ba1412a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4602\pyexpat.pyd

Filesize
70KB

MD5
ea6c8866d5be5efc338edac62138bb1e

SHA1
4d7fdc901409f5fefd1257ed0a7bf65b78c45f22

SHA256
47c4a5ba9e88f1a89ef758e9934445a5407bcfd9a61b7e3f9cc4191dbd950cc3

SHA512
9c188f6a8d54b42fdc83808ebc92ea9e76aeddbd17b11f4b64f471c37422ca65e852405d6bbe2e148609a5aedeefe3eb162998e76d038be8a7201ca05c997992

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4602\python3.DLL

Filesize
63KB

MD5
3a7aa7235f582933b181ae4e991fdba0

SHA1
eee530f6e8fbd0f7b9003c17ce87b0d3eb83de74

SHA256
711285652a92e4e1889289b757f405eac7c77bb114f4c325a67a1f89442d3889

SHA512
257c7bf955ef5ba005676dda7eefed22ed25085246ce9daa563c45732c45028f2cdf50c63fefa0391fd65878087c693fcacedfa926a788c8f6e40ed608712d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4602\python311.dll

Filesize
1.4MB

MD5
28f7b68c03ddfd1b1d0e240340f7f194

SHA1
c75315b59157679980a79143f2c32f3938abea45

SHA256
0a0207eda8c5b43369d433599081615ec45d98ef42a3a5c207caf6807e488d11

SHA512
066119c69292be8abe6e3c6fac42658e7e136d96a8da0223d9001c4e6c566d3211900752f6d703d5878b90af463b0cb54fe420b1d4587c28fde86a13324c3f5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4602\select.pyd

Filesize
23KB

MD5
2877f6f6d5c3289a4f9514a7affe7b90

SHA1
66f7abd82979413d32049d1532bf4cb11dfcffc5

SHA256
96858ca959acc6cbff621b73c3c787f1666b02cc7acd773e653d3f53dd4ddc00

SHA512
2de4b8810e1149023ca98cb06d7a800f37f905c638133f41b0abbd312c91049bfb1ce25504177a490ff32c15d6aaec96c3430bbd78a567c9847b82e5dbe0599c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4602\sqlite3.dll

Filesize
496KB

MD5
745073ef12b8e3ff6beb8d851903f221

SHA1
360cd9407021e7e1b3d7ca47f084d5ab5ca36981

SHA256
d2c5bef79dea339037caf4a78ca7b37d9c504722fc8ffdd218323036c59f0240

SHA512
85c264b01b7b373e2a24e0aa8a47b8037f1d1b5814c74fb1e789e0502ae037c03baad23bc21cd584c873d7b9b72fc2ccef2df4c9a2cdb85409c8ca460c7b4fea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4602\unicodedata.pyd

Filesize
291KB

MD5
c9264bda88577d485bbc68e3caa9649a

SHA1
1d8ad6766dcbe17e63b319980d18d281915999a9

SHA256
1e6e3be7078368ede73c09cd4890328cec2dc706e78521fd6ca516d6052ad196

SHA512
e548081ff98fe2fef4aaf0b419e3034effc3569657cd35ac444c816c266365ab2f28588e6b3e9332624bb38c4a044353db031a76de7c4937ec6f233dbff605c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI4602\yarl\_quoting_c.cp311-win32.pyd

Filesize
34KB

MD5
414cfc645ca1432a711cef2322aa68bc

SHA1
8ec8085cf9b9efde98682bc3de2896c2a87e79d4

SHA256
ea8f56a79a3fe77a536aab92c8088750c45f3a2834f05265c178670aad706718

SHA512
5e2857d0eeea41a311f787959415f53603281aa75ce87e479c67e6cf59f3f20262aa4a95bbeb62f71eca2f11a4274b83126e68edc9670788b816e2a5fa6114b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wgrrvssi.h1u.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\checker-cheats.exe

Filesize
75KB

MD5
04e6de63f885854bc352dcaedf70f687

SHA1
2ab12179885dc57bbf255564012fa8e2b82a3330

SHA256
e7e69559f54ae11b078702201d788c1825a79b8e88a77b1b2fde01c1da1f8b06

SHA512
fe8d496253ceb225c29ed5c3e6074a7d4736fb51b77bee1ee6a118e21f05e461e27462604ff167bc6b468b62a3b6716ebd6cbb1201c9337aac31814661ce0c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\system.exe

Filesize
5.2MB

MD5
332a796dafffbfba2d0655e2f5d72b79

SHA1
41540d6e81ef9afff85b7623115655c245d286e4

SHA256
c26fb59378ead10e14125f1c86c54fb5db72c08eb268d0d01dce864353829769

SHA512
63b91400d5675da0cc290205d845e6fc584c1ed99c2df97fc33f63ddc17e915b605640241e201c8cf1c089213b36dcb0d389ca8aa78db925b46a301503efe9a8

Download Submit
C:\Users\Admin\AppData\Roaming\com.swiftsoft\ExLoader_Installer\shared_preferences.json

Filesize
269B

MD5
85df01f53ad121b54eb00bc5268d879d

SHA1
bef931fb35d25b4b016368cf36410458ab0c9012

SHA256
d4edd107b93eae2a221ad430269882b30ccaa5ecbf3f3d553e76cd25c2bf374b

SHA512
13b430b07b6f13de3017bcb75579a1075acd78e928cd2142eca850a897895402dd94991d556a17b11683a08a33499dc275109f06d6aabbafcb28dd7d62577bff

Download Submit
memory/396-12-0x00007FFF750B0000-0x00007FFF75B72000-memory.dmp

Filesize
10.8MB

Download
memory/396-19-0x00007FFF750B0000-0x00007FFF75B72000-memory.dmp

Filesize
10.8MB

Download
memory/396-7-0x00000207DF430000-0x00000207DF452000-memory.dmp

Filesize
136KB

Download
memory/396-13-0x00007FFF750B0000-0x00007FFF75B72000-memory.dmp

Filesize
10.8MB

Download
memory/396-14-0x00007FFF750B0000-0x00007FFF75B72000-memory.dmp

Filesize
10.8MB

Download
memory/396-15-0x00007FFF750B0000-0x00007FFF75B72000-memory.dmp

Filesize
10.8MB

Download
memory/396-16-0x00007FFF750B0000-0x00007FFF75B72000-memory.dmp

Filesize
10.8MB

Download
memory/636-1064-0x0000018E66350000-0x0000018E6637B000-memory.dmp

Filesize
172KB

Download
memory/636-1066-0x00007FFF53510000-0x00007FFF53520000-memory.dmp

Filesize
64KB

Download
memory/636-1058-0x0000018E66320000-0x0000018E66344000-memory.dmp

Filesize
144KB

Download
memory/688-1062-0x00007FFF53510000-0x00007FFF53520000-memory.dmp

Filesize
64KB

Download
memory/688-1061-0x00000194DA150000-0x00000194DA17B000-memory.dmp

Filesize
172KB

Download
memory/1080-1072-0x000002130AA90000-0x000002130AABB000-memory.dmp

Filesize
172KB

Download
memory/1080-1073-0x00007FFF53510000-0x00007FFF53520000-memory.dmp

Filesize
64KB

Download
memory/1632-1030-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1632-1032-0x00007FFF93390000-0x00007FFF9344D000-memory.dmp

Filesize
756KB

Download
memory/1632-1027-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1632-1026-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1632-1028-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1632-1031-0x00007FFF93490000-0x00007FFF93688000-memory.dmp

Filesize
2.0MB

Download
memory/1632-1055-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1632-1025-0x0000000140000000-0x000000014002B000-memory.dmp

Filesize
172KB

Download
memory/1788-199-0x00000000748A0000-0x0000000074934000-memory.dmp

Filesize
592KB

Download
memory/1788-989-0x0000000074E00000-0x0000000074E1F000-memory.dmp

Filesize
124KB

Download
memory/1788-160-0x0000000074D80000-0x0000000074D96000-memory.dmp

Filesize
88KB

Download
memory/1788-125-0x0000000074E50000-0x000000007535B000-memory.dmp

Filesize
5.0MB

Download
memory/1788-206-0x0000000074E50000-0x000000007535B000-memory.dmp

Filesize
5.0MB

Download
memory/1788-207-0x0000000074E00000-0x0000000074E1F000-memory.dmp

Filesize
124KB

Download
memory/1788-208-0x0000000074880000-0x0000000074892000-memory.dmp

Filesize
72KB

Download
memory/1788-219-0x0000000074690000-0x00000000746A8000-memory.dmp

Filesize
96KB

Download
memory/1788-209-0x0000000074800000-0x000000007480F000-memory.dmp

Filesize
60KB

Download
memory/1788-210-0x00000000747F0000-0x0000000074800000-memory.dmp

Filesize
64KB

Download
memory/1788-224-0x0000000074670000-0x0000000074686000-memory.dmp

Filesize
88KB

Download
memory/1788-223-0x0000000074D80000-0x0000000074D96000-memory.dmp

Filesize
88KB

Download
memory/1788-230-0x0000000074D10000-0x0000000074D2B000-memory.dmp

Filesize
108KB

Download
memory/1788-234-0x00000000745A0000-0x00000000745BA000-memory.dmp

Filesize
104KB

Download
memory/1788-233-0x00000000748A0000-0x0000000074934000-memory.dmp

Filesize
592KB

Download
memory/1788-232-0x0000000074940000-0x0000000074B9A000-memory.dmp

Filesize
2.4MB

Download
memory/1788-231-0x0000000074BA0000-0x0000000074BC8000-memory.dmp

Filesize
160KB

Download
memory/1788-229-0x00000000745E0000-0x000000007460E000-memory.dmp

Filesize
184KB

Download
memory/1788-228-0x0000000074610000-0x000000007461F000-memory.dmp

Filesize
60KB

Download
memory/1788-227-0x0000000074620000-0x0000000074664000-memory.dmp

Filesize
272KB

Download
memory/1788-226-0x0000000074BD0000-0x0000000074D07000-memory.dmp

Filesize
1.2MB

Download
memory/1788-235-0x0000000073FA0000-0x0000000074592000-memory.dmp

Filesize
5.9MB

Download
memory/1788-213-0x0000000074DF0000-0x0000000074DFD000-memory.dmp

Filesize
52KB

Download
memory/1788-244-0x0000000073F70000-0x0000000073F9F000-memory.dmp

Filesize
188KB

Download
memory/1788-135-0x0000000074DF0000-0x0000000074DFD000-memory.dmp

Filesize
52KB

Download
memory/1788-214-0x00000000747D0000-0x00000000747EE000-memory.dmp

Filesize
120KB

Download
memory/1788-898-0x00000000747D0000-0x00000000747EE000-memory.dmp

Filesize
120KB

Download
memory/1788-134-0x0000000074E00000-0x0000000074E1F000-memory.dmp

Filesize
124KB

Download
memory/1788-156-0x0000000074DD0000-0x0000000074DE8000-memory.dmp

Filesize
96KB

Download
memory/1788-167-0x0000000074D10000-0x0000000074D2B000-memory.dmp

Filesize
108KB

Download
memory/1788-198-0x0000000074940000-0x0000000074B9A000-memory.dmp

Filesize
2.4MB

Download
memory/1788-197-0x0000000074BA0000-0x0000000074BC8000-memory.dmp

Filesize
160KB

Download
memory/1788-906-0x00000000746B0000-0x00000000747C9000-memory.dmp

Filesize
1.1MB

Download
memory/1788-216-0x00000000746B0000-0x00000000747C9000-memory.dmp

Filesize
1.1MB

Download
memory/1788-955-0x0000000073F40000-0x0000000073F4C000-memory.dmp

Filesize
48KB

Download
memory/1788-954-0x0000000074690000-0x00000000746A8000-memory.dmp

Filesize
96KB

Download
memory/1788-166-0x0000000074BD0000-0x0000000074D07000-memory.dmp

Filesize
1.2MB

Download
memory/1788-165-0x0000000074D30000-0x0000000074D3C000-memory.dmp

Filesize
48KB

Download
memory/1788-211-0x0000000074870000-0x000000007487F000-memory.dmp

Filesize
60KB

Download
memory/1788-996-0x0000000074BD0000-0x0000000074D07000-memory.dmp

Filesize
1.2MB

Download
memory/1788-158-0x0000000074DA0000-0x0000000074DC7000-memory.dmp

Filesize
156KB

Download
memory/1788-988-0x0000000074E50000-0x000000007535B000-memory.dmp

Filesize
5.0MB

Download
memory/1788-1000-0x0000000074880000-0x0000000074892000-memory.dmp

Filesize
72KB

Download
memory/1788-1001-0x0000000074870000-0x000000007487F000-memory.dmp

Filesize
60KB

Download
memory/1788-979-0x00000000745E0000-0x000000007460E000-memory.dmp

Filesize
184KB

Download
memory/1788-978-0x0000000074620000-0x0000000074664000-memory.dmp

Filesize
272KB

Download
memory/1788-1007-0x0000000074670000-0x0000000074686000-memory.dmp

Filesize
88KB

Download
memory/1788-1012-0x0000000073FA0000-0x0000000074592000-memory.dmp

Filesize
5.9MB

Download
memory/1788-1014-0x0000000073F40000-0x0000000073F4C000-memory.dmp

Filesize
48KB

Download
memory/1788-1013-0x0000000073F70000-0x0000000073F9F000-memory.dmp

Filesize
188KB

Download
memory/3348-1-0x0000000000B40000-0x0000000003330000-memory.dmp

Filesize
39.9MB

Download
memory/3348-164-0x00007FFF750B0000-0x00007FFF75B72000-memory.dmp

Filesize
10.8MB

Download
memory/3348-52-0x00007FFF750B3000-0x00007FFF750B5000-memory.dmp

Filesize
8KB

Download
memory/3348-20-0x00007FFF750B0000-0x00007FFF75B72000-memory.dmp

Filesize
10.8MB

Download
memory/3348-249-0x00007FFF750B0000-0x00007FFF75B72000-memory.dmp

Filesize
10.8MB

Download
memory/3348-0-0x00007FFF750B3000-0x00007FFF750B5000-memory.dmp

Filesize
8KB

Download
memory/3536-183-0x0000000000B00000-0x0000000000B1A000-memory.dmp

Filesize
104KB

Download
memory/4528-1054-0x0000023FF4750000-0x0000023FF475A000-memory.dmp

Filesize
40KB

Download
memory/4528-1053-0x0000023FF4980000-0x0000023FF4A35000-memory.dmp

Filesize
724KB

Download
memory/4528-1052-0x0000023FF4960000-0x0000023FF497C000-memory.dmp

Filesize
112KB

Download
memory/4748-975-0x0000000006810000-0x000000000682E000-memory.dmp

Filesize
120KB

Download
memory/4748-961-0x0000000005AC0000-0x000000000618A000-memory.dmp

Filesize
6.8MB

Download
memory/4748-958-0x0000000002E60000-0x0000000002E96000-memory.dmp

Filesize
216KB

Download
memory/4748-968-0x0000000006190000-0x00000000061F6000-memory.dmp

Filesize
408KB

Download
memory/4748-985-0x0000000007920000-0x00000000079B2000-memory.dmp

Filesize
584KB

Download
memory/4748-962-0x00000000057C0000-0x00000000057E2000-memory.dmp

Filesize
136KB

Download
memory/4748-969-0x0000000006200000-0x0000000006266000-memory.dmp

Filesize
408KB

Download
memory/4748-974-0x0000000006370000-0x00000000066C7000-memory.dmp

Filesize
3.3MB

Download
memory/4748-976-0x0000000006860000-0x00000000068AC000-memory.dmp

Filesize
304KB

Download
memory/4748-982-0x0000000006D20000-0x0000000006D3A000-memory.dmp

Filesize
104KB

Download
memory/4748-981-0x00000000077E0000-0x0000000007876000-memory.dmp

Filesize
600KB

Download
memory/4748-983-0x0000000006DA0000-0x0000000006DC2000-memory.dmp

Filesize
136KB

Download
memory/4748-984-0x0000000007E30000-0x00000000083D6000-memory.dmp

Filesize
5.6MB

Download
memory/5088-903-0x000001E0ABE30000-0x000001E0ACC15000-memory.dmp

Filesize
13.9MB

Download
memory/5088-900-0x000001E0ABC40000-0x000001E0ABC41000-memory.dmp

Filesize
4KB

Download
memory/5088-904-0x000001E0ABC50000-0x000001E0ABC51000-memory.dmp

Filesize
4KB

Download
memory/5088-901-0x000001E0ABE30000-0x000001E0ACC15000-memory.dmp

Filesize
13.9MB

Download
memory/5088-902-0x000001E0ABE30000-0x000001E0ACC15000-memory.dmp

Filesize
13.9MB

Download