fa9e580d42e1779416aacd9e607f91ffb317411485f1ea7576b53e07ad8d4df1

Analysis

max time kernel
32s
max time network
32s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2024, 15:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xylex-Executor.exe
Size

10.9MB
MD5

13193ff628a2dcb77215278237789854
SHA1

5f7f1dbafc5a0b72db0425bb7be081f227034994
SHA256

fa9e580d42e1779416aacd9e607f91ffb317411485f1ea7576b53e07ad8d4df1
SHA512

35037d4bef970b27bc8f40d8859b6dc19ae6596af880124cb7e173d1876e96867a3fcf8e21fb28559d3c3d4d03481780cb1c3d80626905aef3b7f32245af1286
SSDEEP

196608:Gt6LxwYlz2Jp5UfDC3njkY49eNz4+2Pfm/pf+xZfdcRBZZWKsnqrMWOzW0DjqT:M6KYh2Jp5qC3njkGz4+2m/pWvfCRB7B3

Score

9^/10

evasion pyinstaller spyware stealer upx

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
868	netsh.exe
4968	netsh.exe

Loads dropped DLL 31 IoCs

pid	Process
3504	Xylex-Executor.exe
3504	Xylex-Executor.exe
3504	Xylex-Executor.exe
3504	Xylex-Executor.exe
3504	Xylex-Executor.exe
3504	Xylex-Executor.exe
3504	Xylex-Executor.exe
3504	Xylex-Executor.exe
3504	Xylex-Executor.exe
3504	Xylex-Executor.exe
3504	Xylex-Executor.exe
3504	Xylex-Executor.exe
3504	Xylex-Executor.exe
3504	Xylex-Executor.exe
3504	Xylex-Executor.exe
3504	Xylex-Executor.exe
3504	Xylex-Executor.exe
3504	Xylex-Executor.exe
3504	Xylex-Executor.exe
3504	Xylex-Executor.exe
3504	Xylex-Executor.exe
3504	Xylex-Executor.exe
3504	Xylex-Executor.exe
3504	Xylex-Executor.exe
3504	Xylex-Executor.exe
3504	Xylex-Executor.exe
3504	Xylex-Executor.exe
3504	Xylex-Executor.exe
3504	Xylex-Executor.exe
3504	Xylex-Executor.exe
3504	Xylex-Executor.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023bb1-46.dat	upx
behavioral2/memory/3504-50-0x00007FFDDC3E0000-0x00007FFDDC9C7000-memory.dmp	upx
behavioral2/files/0x000a000000023b94-52.dat	upx
behavioral2/files/0x000a000000023bab-57.dat	upx
behavioral2/memory/3504-59-0x00007FFDEBB30000-0x00007FFDEBB54000-memory.dmp	upx
behavioral2/memory/3504-60-0x00007FFDF5010000-0x00007FFDF501F000-memory.dmp	upx
behavioral2/files/0x000a000000023b9b-61.dat	upx
behavioral2/memory/3504-63-0x00007FFDF0CC0000-0x00007FFDF0CD9000-memory.dmp	upx
behavioral2/files/0x000a000000023bb2-64.dat	upx
behavioral2/memory/3504-66-0x00007FFDEFE90000-0x00007FFDEFE9D000-memory.dmp	upx
behavioral2/files/0x000a000000023b92-67.dat	upx
behavioral2/memory/3504-70-0x00007FFDEEDD0000-0x00007FFDEEDE9000-memory.dmp	upx
behavioral2/files/0x000a000000023b97-69.dat	upx
behavioral2/files/0x000a000000023b9c-72.dat	upx
behavioral2/memory/3504-73-0x00007FFDEBA50000-0x00007FFDEBA7D000-memory.dmp	upx
behavioral2/memory/3504-76-0x00007FFDEBA20000-0x00007FFDEBA43000-memory.dmp	upx
behavioral2/files/0x000a000000023bb3-75.dat	upx
behavioral2/files/0x000a000000023b9d-80.dat	upx
behavioral2/files/0x000a000000023baa-82.dat	upx
behavioral2/memory/3504-81-0x00007FFDEB500000-0x00007FFDEB52E000-memory.dmp	upx
behavioral2/files/0x000a000000023bac-84.dat	upx
behavioral2/memory/3504-78-0x00007FFDDBE40000-0x00007FFDDBFB3000-memory.dmp	upx
behavioral2/memory/3504-85-0x00007FFDEB3B0000-0x00007FFDEB468000-memory.dmp	upx
behavioral2/memory/3504-88-0x00007FFDDC3E0000-0x00007FFDDC9C7000-memory.dmp	upx
behavioral2/files/0x000a000000023b91-92.dat	upx
behavioral2/files/0x000a000000023b99-94.dat	upx
behavioral2/files/0x000a000000023b96-98.dat	upx
behavioral2/files/0x0031000000023bb6-102.dat	upx
behavioral2/files/0x000a000000023ba0-104.dat	upx
behavioral2/files/0x000a000000023ba3-109.dat	upx
behavioral2/files/0x000a000000023ba9-114.dat	upx
behavioral2/files/0x000a000000023ba7-115.dat	upx
behavioral2/memory/3504-129-0x00007FFDEB0C0000-0x00007FFDEB0DE000-memory.dmp	upx
behavioral2/memory/3504-130-0x00007FFDDB3C0000-0x00007FFDDBAB4000-memory.dmp	upx
behavioral2/memory/3504-128-0x00007FFDEED20000-0x00007FFDEED2A000-memory.dmp	upx
behavioral2/memory/3504-127-0x00007FFDEB310000-0x00007FFDEB321000-memory.dmp	upx
behavioral2/files/0x000a000000023b93-132.dat	upx
behavioral2/memory/3504-134-0x00007FFDE23C0000-0x00007FFDE23F8000-memory.dmp	upx
behavioral2/memory/3504-133-0x00007FFDF0CC0000-0x00007FFDF0CD9000-memory.dmp	upx
behavioral2/memory/3504-126-0x00007FFDEABA0000-0x00007FFDEABED000-memory.dmp	upx
behavioral2/memory/3504-125-0x00007FFDEB670000-0x00007FFDEB689000-memory.dmp	upx
behavioral2/memory/3504-124-0x00007FFDEB690000-0x00007FFDEB6A7000-memory.dmp	upx
behavioral2/memory/3504-123-0x00007FFDEB6B0000-0x00007FFDEB6D2000-memory.dmp	upx
behavioral2/memory/3504-122-0x00007FFDEABF0000-0x00007FFDEAD0C000-memory.dmp	upx
behavioral2/memory/3504-121-0x00007FFDEB6E0000-0x00007FFDEB6F4000-memory.dmp	upx
behavioral2/memory/3504-120-0x00007FFDEB700000-0x00007FFDEB714000-memory.dmp	upx
behavioral2/memory/3504-119-0x00007FFDEB9C0000-0x00007FFDEB9D2000-memory.dmp	upx
behavioral2/memory/3504-118-0x00007FFDEB9F0000-0x00007FFDEBA05000-memory.dmp	upx
behavioral2/memory/3504-117-0x00007FFDEBB30000-0x00007FFDEBB54000-memory.dmp	upx
behavioral2/files/0x000a000000023b9e-112.dat	upx
behavioral2/files/0x000a000000023ba1-108.dat	upx
behavioral2/files/0x000a000000023ba2-106.dat	upx
behavioral2/files/0x000a000000023bb4-100.dat	upx
behavioral2/files/0x000a000000023bae-96.dat	upx
behavioral2/memory/3504-91-0x00007FFDDBAC0000-0x00007FFDDBE35000-memory.dmp	upx
behavioral2/files/0x000a000000023b9a-183.dat	upx
behavioral2/memory/3504-185-0x00007FFDEAB00000-0x00007FFDEAB0D000-memory.dmp	upx
behavioral2/memory/3504-223-0x00007FFDDBAC0000-0x00007FFDDBE35000-memory.dmp	upx
behavioral2/memory/3504-239-0x00007FFDEBA20000-0x00007FFDEBA43000-memory.dmp	upx
behavioral2/memory/3504-236-0x00007FFDDB3C0000-0x00007FFDDBAB4000-memory.dmp	upx
behavioral2/memory/3504-232-0x00007FFDEABA0000-0x00007FFDEABED000-memory.dmp	upx
behavioral2/memory/3504-231-0x00007FFDEB670000-0x00007FFDEB689000-memory.dmp	upx
behavioral2/memory/3504-230-0x00007FFDEB690000-0x00007FFDEB6A7000-memory.dmp	upx
behavioral2/memory/3504-229-0x00007FFDEB6B0000-0x00007FFDEB6D2000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
39	discord.com
40	discord.com
35	discord.com
36	discord.com
37	discord.com
38	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	ip-api.com

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3388	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x000a000000023bcb-146.dat	pyinstaller

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
4336	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3272	WMIC.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

Process Discovery

T1057

pid	Process
4128	tasklist.exe
3052	tasklist.exe
1648	tasklist.exe
2388	tasklist.exe
3000	tasklist.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1420	ipconfig.exe
3772	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3588	systeminfo.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3924	powershell.exe
3924	powershell.exe
3924	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3272	WMIC.exe
Token: SeSecurityPrivilege	3272	WMIC.exe
Token: SeTakeOwnershipPrivilege	3272	WMIC.exe
Token: SeLoadDriverPrivilege	3272	WMIC.exe
Token: SeSystemProfilePrivilege	3272	WMIC.exe
Token: SeSystemtimePrivilege	3272	WMIC.exe
Token: SeProfSingleProcessPrivilege	3272	WMIC.exe
Token: SeIncBasePriorityPrivilege	3272	WMIC.exe
Token: SeCreatePagefilePrivilege	3272	WMIC.exe
Token: SeBackupPrivilege	3272	WMIC.exe
Token: SeRestorePrivilege	3272	WMIC.exe
Token: SeShutdownPrivilege	3272	WMIC.exe
Token: SeDebugPrivilege	3272	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3272	WMIC.exe
Token: SeRemoteShutdownPrivilege	3272	WMIC.exe
Token: SeUndockPrivilege	3272	WMIC.exe
Token: SeManageVolumePrivilege	3272	WMIC.exe
Token: 33	3272	WMIC.exe
Token: 34	3272	WMIC.exe
Token: 35	3272	WMIC.exe
Token: 36	3272	WMIC.exe
Token: SeDebugPrivilege	4128	tasklist.exe
Token: SeIncreaseQuotaPrivilege	4884	WMIC.exe
Token: SeSecurityPrivilege	4884	WMIC.exe
Token: SeTakeOwnershipPrivilege	4884	WMIC.exe
Token: SeLoadDriverPrivilege	4884	WMIC.exe
Token: SeSystemProfilePrivilege	4884	WMIC.exe
Token: SeSystemtimePrivilege	4884	WMIC.exe
Token: SeProfSingleProcessPrivilege	4884	WMIC.exe
Token: SeIncBasePriorityPrivilege	4884	WMIC.exe
Token: SeCreatePagefilePrivilege	4884	WMIC.exe
Token: SeBackupPrivilege	4884	WMIC.exe
Token: SeRestorePrivilege	4884	WMIC.exe
Token: SeShutdownPrivilege	4884	WMIC.exe
Token: SeDebugPrivilege	4884	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4884	WMIC.exe
Token: SeRemoteShutdownPrivilege	4884	WMIC.exe
Token: SeUndockPrivilege	4884	WMIC.exe
Token: SeManageVolumePrivilege	4884	WMIC.exe
Token: 33	4884	WMIC.exe
Token: 34	4884	WMIC.exe
Token: 35	4884	WMIC.exe
Token: 36	4884	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3272	WMIC.exe
Token: SeSecurityPrivilege	3272	WMIC.exe
Token: SeTakeOwnershipPrivilege	3272	WMIC.exe
Token: SeLoadDriverPrivilege	3272	WMIC.exe
Token: SeSystemProfilePrivilege	3272	WMIC.exe
Token: SeSystemtimePrivilege	3272	WMIC.exe
Token: SeProfSingleProcessPrivilege	3272	WMIC.exe
Token: SeIncBasePriorityPrivilege	3272	WMIC.exe
Token: SeCreatePagefilePrivilege	3272	WMIC.exe
Token: SeBackupPrivilege	3272	WMIC.exe
Token: SeRestorePrivilege	3272	WMIC.exe
Token: SeShutdownPrivilege	3272	WMIC.exe
Token: SeDebugPrivilege	3272	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3272	WMIC.exe
Token: SeRemoteShutdownPrivilege	3272	WMIC.exe
Token: SeUndockPrivilege	3272	WMIC.exe
Token: SeManageVolumePrivilege	3272	WMIC.exe
Token: 33	3272	WMIC.exe
Token: 34	3272	WMIC.exe
Token: 35	3272	WMIC.exe
Token: 36	3272	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 3504	4192	Xylex-Executor.exe	85
PID 4192 wrote to memory of 3504	4192	Xylex-Executor.exe	85
PID 3504 wrote to memory of 1356	3504	Xylex-Executor.exe	88
PID 3504 wrote to memory of 1356	3504	Xylex-Executor.exe	88
PID 3504 wrote to memory of 3388	3504	Xylex-Executor.exe	91
PID 3504 wrote to memory of 3388	3504	Xylex-Executor.exe	91
PID 3504 wrote to memory of 2132	3504	Xylex-Executor.exe	92
PID 3504 wrote to memory of 2132	3504	Xylex-Executor.exe	92
PID 3504 wrote to memory of 4668	3504	Xylex-Executor.exe	94
PID 3504 wrote to memory of 4668	3504	Xylex-Executor.exe	94
PID 3504 wrote to memory of 404	3504	Xylex-Executor.exe	95
PID 3504 wrote to memory of 404	3504	Xylex-Executor.exe	95
PID 3388 wrote to memory of 3272	3388	cmd.exe	99
PID 3388 wrote to memory of 3272	3388	cmd.exe	99
PID 404 wrote to memory of 4128	404	cmd.exe	100
PID 404 wrote to memory of 4128	404	cmd.exe	100
PID 2132 wrote to memory of 4884	2132	cmd.exe	101
PID 2132 wrote to memory of 4884	2132	cmd.exe	101
PID 3504 wrote to memory of 1484	3504	Xylex-Executor.exe	103
PID 3504 wrote to memory of 1484	3504	Xylex-Executor.exe	103
PID 1484 wrote to memory of 3168	1484	cmd.exe	105
PID 1484 wrote to memory of 3168	1484	cmd.exe	105
PID 3504 wrote to memory of 4596	3504	Xylex-Executor.exe	106
PID 3504 wrote to memory of 4596	3504	Xylex-Executor.exe	106
PID 3504 wrote to memory of 432	3504	Xylex-Executor.exe	107
PID 3504 wrote to memory of 432	3504	Xylex-Executor.exe	107
PID 432 wrote to memory of 3052	432	cmd.exe	110
PID 432 wrote to memory of 3052	432	cmd.exe	110
PID 4596 wrote to memory of 2752	4596	cmd.exe	111
PID 4596 wrote to memory of 2752	4596	cmd.exe	111
PID 3504 wrote to memory of 1052	3504	Xylex-Executor.exe	112
PID 3504 wrote to memory of 1052	3504	Xylex-Executor.exe	112
PID 1052 wrote to memory of 4440	1052	cmd.exe	115
PID 1052 wrote to memory of 4440	1052	cmd.exe	115
PID 3504 wrote to memory of 3256	3504	Xylex-Executor.exe	116
PID 3504 wrote to memory of 3256	3504	Xylex-Executor.exe	116
PID 3256 wrote to memory of 1648	3256	cmd.exe	118
PID 3256 wrote to memory of 1648	3256	cmd.exe	118
PID 3504 wrote to memory of 1184	3504	Xylex-Executor.exe	119
PID 3504 wrote to memory of 1184	3504	Xylex-Executor.exe	119
PID 3504 wrote to memory of 3748	3504	Xylex-Executor.exe	120
PID 3504 wrote to memory of 3748	3504	Xylex-Executor.exe	120
PID 3504 wrote to memory of 3852	3504	Xylex-Executor.exe	121
PID 3504 wrote to memory of 3852	3504	Xylex-Executor.exe	121
PID 3504 wrote to memory of 4848	3504	Xylex-Executor.exe	122
PID 3504 wrote to memory of 4848	3504	Xylex-Executor.exe	122
PID 3852 wrote to memory of 2388	3852	cmd.exe	127
PID 3852 wrote to memory of 2388	3852	cmd.exe	127
PID 4848 wrote to memory of 3924	4848	cmd.exe	128
PID 4848 wrote to memory of 3924	4848	cmd.exe	128
PID 1184 wrote to memory of 1496	1184	cmd.exe	129
PID 1184 wrote to memory of 1496	1184	cmd.exe	129
PID 3748 wrote to memory of 3668	3748	cmd.exe	130
PID 3748 wrote to memory of 3668	3748	cmd.exe	130
PID 1496 wrote to memory of 4984	1496	cmd.exe	131
PID 1496 wrote to memory of 4984	1496	cmd.exe	131
PID 3668 wrote to memory of 4668	3668	cmd.exe	132
PID 3668 wrote to memory of 4668	3668	cmd.exe	132
PID 3504 wrote to memory of 536	3504	Xylex-Executor.exe	133
PID 3504 wrote to memory of 536	3504	Xylex-Executor.exe	133
PID 3504 wrote to memory of 4344	3504	Xylex-Executor.exe	134
PID 3504 wrote to memory of 4344	3504	Xylex-Executor.exe	134
PID 536 wrote to memory of 3588	536	cmd.exe	137
PID 536 wrote to memory of 3588	536	cmd.exe	137

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4440	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Xylex-Executor.exe
"C:\Users\Admin\AppData\Local\Temp\Xylex-Executor.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Users\Admin\AppData\Local\Temp\Xylex-Executor.exe
  "C:\Users\Admin\AppData\Local\Temp\Xylex-Executor.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:1356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3388
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:3272
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:4668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:404
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      PID:3168
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4596
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:432
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:3052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1052
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Views/modifies file attributes
      PID:4440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3256
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:1648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1184
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1496
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:4984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3748
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3668
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:4668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3852
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:2388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4848
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:536
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3588
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:4056
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      PID:4336
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:3520
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:1120
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:1376
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:3432
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:4880
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:1332
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:1036
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:4428
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:4852
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:3144
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:4240
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:3484
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:916
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:3000
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:1420
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:2484
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      PID:1464
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      Gathers network information
      PID:3772
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:3388
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      PID:868
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      PID:4968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    PID:4344
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      PID:3124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4848
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1440
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe

Filesize
10.9MB

MD5
13193ff628a2dcb77215278237789854

SHA1
5f7f1dbafc5a0b72db0425bb7be081f227034994

SHA256
fa9e580d42e1779416aacd9e607f91ffb317411485f1ea7576b53e07ad8d4df1

SHA512
35037d4bef970b27bc8f40d8859b6dc19ae6596af880124cb7e173d1876e96867a3fcf8e21fb28559d3c3d4d03481780cb1c3d80626905aef3b7f32245af1286

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41922\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41922\_asyncio.pyd

Filesize
34KB

MD5
4c048d296ebfa5f994136333a4adf323

SHA1
4958fa06e050d1661e94cf2acf483a58ef0f0cc0

SHA256
6529fbf5371e78ee12b6038814dced3369def45cab265d5b0c511e82cd141cfb

SHA512
6df5fa74aa9a9a1e9de1d902e27d7095061c76e734cc5e614277f13ae0e67af03c4dee1fa2752252cc1cbbff9351e48d0ebcd285e25c7fd0f43c3e3a82e9bf75

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41922\_bz2.pyd

Filesize
46KB

MD5
6595f8375a6261c5e5ec75df3b43312e

SHA1
d7968d753e3b4006f3e5936412a5329b2ed4bd6c

SHA256
79d3755a1cc631146f480c8637620d840f5c51a08f78c3db11b25390e0cad51f

SHA512
7bc5c33a1c9ac6e3f19fa892e3e3accf5e04f53459abbb3feaea550a22ae12d43147a9369635d2337c12601574b4758c1795055170df12408e09c0bd33eb1aa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41922\_cffi_backend.cp311-win_amd64.pyd

Filesize
71KB

MD5
b138dbd0e88b3e879fdb5e790090e2f9

SHA1
6e61a55b7d66e9e5dc8fb777fa1c9d379abb89d5

SHA256
19aad3ff24963ebd308a7086699d318c6043a0481f86c76e4084110d426929f0

SHA512
94cdd4d7cefb5ee00053bfac7c28791d57a55d8d9888f3fe44bf695859ddedcb70ba6ee2055a89b55e6a876a04bba3abd523a87e4f0f4953e9422c181ef4ed29

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41922\_ctypes.pyd

Filesize
57KB

MD5
a93f53ad8470c4ee7ffa8cef138b2b1f

SHA1
6dfb57e51fdd2e68c8ae40cef09c6b9cb7213e6a

SHA256
de7cf774fb9aefd4c63680052fac07d1a131a643612bcbce1314a8f0ca0c8bad

SHA512
05d5826831dd795cfd08754f043bc5c9f2cca4fba0c5083d8eb6b43d04b04bf7422b97d93e21267cd123b60394239e2a2ae7a0089199fc5f92659be4de0f1892

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41922\_hashlib.pyd

Filesize
33KB

MD5
c3b00aec855bad560e5220b4a6d251ba

SHA1
a8f693212fefa3bab7687c70c5ca41714ab1405c

SHA256
6f9780138039f2ca57786b850c19e8e82d9ecbe12d4638a08f862ce39ab2cdd3

SHA512
0ead5d3d9d50b44ea3b724ea33f06be347843cdedebff28db72e241cbcf15b5ab1d2be7f839ec9b352ec9b2bd7970622e17cdbba5d8eb42a8a59024f3d8b4553

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41922\_lzma.pyd

Filesize
84KB

MD5
379a83fc8408b9a66113ca6eaab49468

SHA1
ddd5434e3cd81b9065001ffb11df19984dba33c7

SHA256
b7e41a80c5af2323533f80ce8d5feef3b450ec64ad1310ccdeaf220332f09a55

SHA512
e404a704981a5badcb9199434daafa4707ed33b03e73a113448c6120d7d6768d61adb8bf859c4806ed5b3338fa434c740af8a33d68cc09a0412a4ab16f660909

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41922\_overlapped.pyd

Filesize
30KB

MD5
2b319604e5dfcbb2d0287782e3fe338e

SHA1
e764c28222e8d297e2d2cab9412967af97e79a00

SHA256
6ff5713d6377e29aade27f634ef44c7e3d02cf3936a75dcb29b3ac0d7c346db7

SHA512
19f0edbf729e10ee15d263769844cccab61006c085e0a2e8700c1ff2c173aba966e22f31367eb47df776f59a3384088dd38f1726568ca2357510ca0347062d01

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41922\_queue.pyd

Filesize
24KB

MD5
572b7317adb471db2026e7a1fa79271c

SHA1
fb65da3c8dd30bca091a2f915313033b302236e4

SHA256
3e689887768bf342b15fe1a7dd0450f090bfa3008590836e5a2b0eb0301f9a2b

SHA512
1d6a96219692babe85ebfbadf6ae0b6006f65a79ee299a41f2802255b01902f888f3ceafaa0c28eb2c4829b9f1ff047902f69fec26d593455374f29f17fb0278

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41922\_socket.pyd

Filesize
41KB

MD5
c198a07f6bc1c157bd570942cee24fb8

SHA1
4065ece086dd8921ce674cb63402bcef57391cdc

SHA256
ef64e93489b5ede7e657b375249a7b3f688e27e31a3e674c7f5ef732a6f2d1a3

SHA512
99d72d7137da130c4b3433c43057442f499336566fc5d7fd690ecb6a1217f7bca889f0ca45522ede10bdadedf18294da0490b8fc6f49e4467a13cd021ba8d309

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41922\_sqlite3.pyd

Filesize
54KB

MD5
b54f269ced880a62c44666e880104074

SHA1
69548006aec8dd40dd44c6cd7bcae8b111c9814c

SHA256
ca261a176594232a5d639c49282ba3dea15557bd8d6000e8e369b5d91c1062be

SHA512
927ae36b4a82d2e742c99eb6a79948a6c8c5d567f1c2ad8bd5ed20d37f3a4b957f6e700fa8f5ef2f06c7ed025ae3660ffd83e4c2e50304fe68ca54019ee1ee7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41922\_ssl.pyd

Filesize
60KB

MD5
b9e58dc5e1303fc436ffa1c9ea227f4b

SHA1
9a1c360eb602ee08520ec474a71611ebbe60e60b

SHA256
9af4dfc951acf2dd10097c782c3941c65e3cf62e5977ed0609390d638da49ee0

SHA512
4f6952422ba4bbd3cb15645b04c42dcce131903e50e80eedac4fcf74dd905c73ad9b9613ee35f6f8bc6dc79262430176bd78937496098170e80c6547d4ab8aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41922\_uuid.pyd

Filesize
21KB

MD5
01bbe98c61b7010d2341f7dbf0f92750

SHA1
567f9dfcf1ce689a4099c5903b031ecba7ad2318

SHA256
89373579c32cc502897b90ed8f83ec526f8b97f4b4fbb6bdb44492beb4cbe9a8

SHA512
dd900d869d165024351113e80133b7f5e690a1a8c1c334272596a9d59e8ed9bc5b3e1ce295b6b0bc582a96414bccf3fa96c1963380e89ce2d135301511068763

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41922\aiohttp\_helpers.cp311-win_amd64.pyd

Filesize
26KB

MD5
bb044c574c6173d8f0b79ee882c1c7b7

SHA1
8cda12f6903f04ac79a7e69dc9fb906ba1cc294a

SHA256
14feceb73c66908df8de837620b0de584ec1eb0acd5bc9937154e6cef003e78f

SHA512
c90cccaef6a888909cb50a8049cc6b60302dfd155bcf99d4a851af5d7e0f3bbd7f971924fb85b038798a62683227920ab4226da2322b701c1956cfd8aa7ef8a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41922\aiohttp\_http_parser.cp311-win_amd64.pyd

Filesize
80KB

MD5
af6ee9959d8b1a60c6d5091e7900fc7f

SHA1
a34b2dca060c890025a54107148590aae14ce570

SHA256
f1325cd788c81ac2534215f528f6c58849c7143f41fd6af539cf9f50e01a6d87

SHA512
4a2b5b4a56db59664a2052be5ba5366fe24196560e905991bdcffd0e0cc12a788a2de1ac717044eb42ce075278f1ab80ce2c7da483e2bf27d42fa0ef8b4c13b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41922\aiohttp\_http_writer.cp311-win_amd64.pyd

Filesize
24KB

MD5
f5b8ab9b88273615699cbec6e922bd8e

SHA1
e1bec9f7e051a19c0d9727298ac01396bae06c7d

SHA256
abb8100362cd6f5270a0e54eb700d8242fa40d27ca58b2e9272fdde11beb50a2

SHA512
32c298134d392fc5d3125c84309c0840d349148bdf1fc501eb7fa446e578994a2cf7cd015d7c7831be560c3777f7ed80ef78737cca5116fb091122d7597342e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41922\aiohttp\_websocket.cp311-win_amd64.pyd

Filesize
19KB

MD5
cbbb0e67432c2e17e5aacb38b89cbc87

SHA1
852c363197e3d8468803c49bfabb6bb43508daec

SHA256
22ba49f7633c2bf26d768fdcd0f0d89dac325dd262afe042cc35023afa1f07f5

SHA512
aeda665a587b3f771d0ecdeb970bbbfee05a61e5bb1688fd2eb24a44b0f866879d85ae1810e17085126143445d70e41f6e609321318b146008497d70382a2a1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41922\base_library.zip

Filesize
1.7MB

MD5
334e5d6e591eccd91d2121194db22815

SHA1
821d70c44dc7f25a784e9938d74e75a3471e1ad0

SHA256
9e830533f6e67b84d9dbc502db38a6f25d3c984f1a6a195a50f838d48d5b3ba5

SHA512
bac4a1283745e5eb4db953227bbf00831c8a0c3c831f5889e0d0630841e59c8ad96c3386ce3ad48300f4754fde188212edc79b78c9c98f76bca21987c1c05866

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41922\cryptography\hazmat\bindings\_rust.pyd

Filesize
2.0MB

MD5
29029cacb83854cc386584efd26b4ecf

SHA1
2e7b1bdb625184f1a814ad7c5b8b6a817c1a84cf

SHA256
b3906df5b31bf7f0604df4a449a67bd9aea37701e0c2d78a78ac0935a55c37e9

SHA512
fecd5368a51004685e78edc54d254e49c9361c588a0f2d4ea1de5971584d48d161fa88d46de22fabba7f6aef6c8b5d0fbcd2526a426d100c3a4d8933ed97e05d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41922\frozenlist\_frozenlist.cp311-win_amd64.pyd

Filesize
35KB

MD5
85e6033d6e87510d84b68dc7cba4b363

SHA1
9fcf2d9eb40d25ee676f72f3348676ba70ac9971

SHA256
9b8805eba76c1f6d1d62eede5e7ee3e4b7d62fea87afc345a357fc45ddc060ef

SHA512
b19cccad0406a5652277d22e47971c41f85d6e2cf909b8f2cb5b26da1c395c4030a00c17ad8072852804c3592a548594e5a9a1119ae84743b65beb68890c7e9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41922\libcrypto-1_1.dll

Filesize
1.1MB

MD5
9c2ffedb0ae90b3985e5cdbedd3363e9

SHA1
a475fbe289a716e1fbe2eab97f76dbba1da322a9

SHA256
7c9418ad6fb6d15acb7d340b7a6533f76337ad302a18e2b4e08d4ee37689913a

SHA512
70d2635d42e24c7426cf5306ed010808f2222049915adb43ffc12c13259c8e7a9fee3a49e096d5ba2b6b733fef18574823d00df2e8d7fb1532e1d65d0c478008

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41922\libffi-8.dll

Filesize
24KB

MD5
8996f66621b860b8dbdac8dfced15ed4

SHA1
6e5c6e9140565f016eeb4005930fc9809c1dd06c

SHA256
f28a9c3e6430fb3628f1cf79ad6c56f6314da8158aee666ba635d0310c69bff6

SHA512
868567802d15c0a643b58eb4b72445b909ff8d8f505785ad734c5399c68c634e881efdbd601775f35906b6ca43a26f6df8cd239f19536b92730883df662d4401

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41922\libssl-1_1.dll

Filesize
203KB

MD5
87bb1a8526b475445b2d7fd298c57587

SHA1
aaad18ea92b132ca74942fd5a9f4c901d02d9b09

SHA256
c35a97d8f24ea84d1e39a8621b6b3027c9ac24885bdd37386c9fcaad1858419d

SHA512
956bd8e9f35c917cbfb570fc633bb2df0d1c2686731fa7179f5e7cd8789e665dd6ff8443e712eafa4e3f8d8661f933cb5675aeb1a2efc195c3bb32211e6d2506

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41922\multidict\_multidict.cp311-win_amd64.pyd

Filesize
20KB

MD5
62617acd2ba89a39afc13734208e1285

SHA1
a6319eab3da0886a798bb00a05fb790ed3a7eada

SHA256
56437457c4145c4ab9bb6affe71000907ee36b5552618b2c1a7779b76fbad2dc

SHA512
d97f172dac58c11119ee78c9beaea99a907f744eea462ece3185f48a048632956fdb3da42e8120a867d0751cf8f272c5c3f9cd3aa6a5d610b32107aa54f4fa15

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41922\python3.DLL

Filesize
64KB

MD5
34e49bb1dfddf6037f0001d9aefe7d61

SHA1
a25a39dca11cdc195c9ecd49e95657a3e4fe3215

SHA256
4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281

SHA512
edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41922\python311.dll

Filesize
1.6MB

MD5
85efe50152d2f52183074085dcf571db

SHA1
392e27ba3948d790cf44b7dbda1bd34e7e17f2e8

SHA256
0244ff0d1daa49748db7b9c9d492c914da2a465789456b3dbe4af2526d33c695

SHA512
15c954880cc117ec17d193852fdbc9df78379b18bd8cb66c2f08f7fda0dc2351518826dbfa046863f8606b71bc72ab3d1cf7936a1498e282f854267d4be015b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41922\select.pyd

Filesize
24KB

MD5
f4c341cf38f0722feac000e62dee82e8

SHA1
9d1e1e3d7f20d04c196fe4cc8ee7aee221b653c2

SHA256
dcde2f0def7bf83d6ea93bca38870b6bbef3ab30e11a9a4668d74b43251370e9

SHA512
0fb73f275c70ab3b14bd2c744004647ce7dcb39e036fd5fcff89389e195a4a7e903cb9050cdeb779d27674f7bbef5b9101f55e2689d257590132dc615e6efc23

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41922\sqlite3.dll

Filesize
608KB

MD5
8659e2b9551ecd719fc97d193ed34a46

SHA1
e1a64923285d481585b8d045ba409d3ceea3bad5

SHA256
4b4df95850e30681a30d236cf46a6e338a45f133dabe972f286a938a23db6599

SHA512
2bc7ef5fcbfdd74aebd4e97b0ea5efe307656066a55e5c97a165552700ffa796fce43aae79489b2139ffb14792b1179ffbd446a88dfd48d23b5fc0bb52684c0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41922\unicodedata.pyd

Filesize
293KB

MD5
7ba9655be9b97bad709f7813b3e25353

SHA1
dd06a59dad58f3924eaf993462c9d5df92c3a9d1

SHA256
051eab8fd2b9910b8871865977ae8aca09f526f7e9665c53cce74369aa8d84e9

SHA512
65e90f511dd3d6c8f99152e342e6b2fc3f74d29431aac9f25e20ec3897244e30f0c1b259f2d7d3f0572522deddf12f39cfcf2d46f38e610f0cfcea4f1da3840e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41922\yarl\_quoting_c.cp311-win_amd64.pyd

Filesize
40KB

MD5
822ec26b5534355847871db109eaae65

SHA1
fb9b1d0441b1775a286eb4fa12eae031f25bbd2c

SHA256
0da6b978316acfb08495fc09034ff2d8e319fb04e336fe40a195dea59f272fd7

SHA512
75a98c9177ca182cd3576da18efca8ba172db3e2256dbef090ed93f4416d4d42d822464a737d9166bcbd09caa35738fbbab798fa3f019251c41d112f49f179ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jk4pf3td.dey.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3504-130-0x00007FFDDB3C0000-0x00007FFDDBAB4000-memory.dmp

Filesize
7.0MB

Download
memory/3504-76-0x00007FFDEBA20000-0x00007FFDEBA43000-memory.dmp

Filesize
140KB

Download
memory/3504-129-0x00007FFDEB0C0000-0x00007FFDEB0DE000-memory.dmp

Filesize
120KB

Download
memory/3504-81-0x00007FFDEB500000-0x00007FFDEB52E000-memory.dmp

Filesize
184KB

Download
memory/3504-128-0x00007FFDEED20000-0x00007FFDEED2A000-memory.dmp

Filesize
40KB

Download
memory/3504-127-0x00007FFDEB310000-0x00007FFDEB321000-memory.dmp

Filesize
68KB

Download
memory/3504-63-0x00007FFDF0CC0000-0x00007FFDF0CD9000-memory.dmp

Filesize
100KB

Download
memory/3504-134-0x00007FFDE23C0000-0x00007FFDE23F8000-memory.dmp

Filesize
224KB

Download
memory/3504-133-0x00007FFDF0CC0000-0x00007FFDF0CD9000-memory.dmp

Filesize
100KB

Download
memory/3504-126-0x00007FFDEABA0000-0x00007FFDEABED000-memory.dmp

Filesize
308KB

Download
memory/3504-125-0x00007FFDEB670000-0x00007FFDEB689000-memory.dmp

Filesize
100KB

Download
memory/3504-124-0x00007FFDEB690000-0x00007FFDEB6A7000-memory.dmp

Filesize
92KB

Download
memory/3504-123-0x00007FFDEB6B0000-0x00007FFDEB6D2000-memory.dmp

Filesize
136KB

Download
memory/3504-122-0x00007FFDEABF0000-0x00007FFDEAD0C000-memory.dmp

Filesize
1.1MB

Download
memory/3504-121-0x00007FFDEB6E0000-0x00007FFDEB6F4000-memory.dmp

Filesize
80KB

Download
memory/3504-120-0x00007FFDEB700000-0x00007FFDEB714000-memory.dmp

Filesize
80KB

Download
memory/3504-119-0x00007FFDEB9C0000-0x00007FFDEB9D2000-memory.dmp

Filesize
72KB

Download
memory/3504-118-0x00007FFDEB9F0000-0x00007FFDEBA05000-memory.dmp

Filesize
84KB

Download
memory/3504-117-0x00007FFDEBB30000-0x00007FFDEBB54000-memory.dmp

Filesize
144KB

Download
memory/3504-60-0x00007FFDF5010000-0x00007FFDF501F000-memory.dmp

Filesize
60KB

Download
memory/3504-59-0x00007FFDEBB30000-0x00007FFDEBB54000-memory.dmp

Filesize
144KB

Download
memory/3504-70-0x00007FFDEEDD0000-0x00007FFDEEDE9000-memory.dmp

Filesize
100KB

Download
memory/3504-73-0x00007FFDEBA50000-0x00007FFDEBA7D000-memory.dmp

Filesize
180KB

Download
memory/3504-66-0x00007FFDEFE90000-0x00007FFDEFE9D000-memory.dmp

Filesize
52KB

Download
memory/3504-91-0x00007FFDDBAC0000-0x00007FFDDBE35000-memory.dmp

Filesize
3.5MB

Download
memory/3504-89-0x000002093F170000-0x000002093F4E5000-memory.dmp

Filesize
3.5MB

Download
memory/3504-88-0x00007FFDDC3E0000-0x00007FFDDC9C7000-memory.dmp

Filesize
5.9MB

Download
memory/3504-50-0x00007FFDDC3E0000-0x00007FFDDC9C7000-memory.dmp

Filesize
5.9MB

Download
memory/3504-185-0x00007FFDEAB00000-0x00007FFDEAB0D000-memory.dmp

Filesize
52KB

Download
memory/3504-267-0x000002093F170000-0x000002093F4E5000-memory.dmp

Filesize
3.5MB

Download
memory/3504-85-0x00007FFDEB3B0000-0x00007FFDEB468000-memory.dmp

Filesize
736KB

Download
memory/3504-78-0x00007FFDDBE40000-0x00007FFDDBFB3000-memory.dmp

Filesize
1.4MB

Download
memory/3504-223-0x00007FFDDBAC0000-0x00007FFDDBE35000-memory.dmp

Filesize
3.5MB

Download
memory/3504-239-0x00007FFDEBA20000-0x00007FFDEBA43000-memory.dmp

Filesize
140KB

Download
memory/3504-236-0x00007FFDDB3C0000-0x00007FFDDBAB4000-memory.dmp

Filesize
7.0MB

Download
memory/3504-232-0x00007FFDEABA0000-0x00007FFDEABED000-memory.dmp

Filesize
308KB

Download
memory/3504-231-0x00007FFDEB670000-0x00007FFDEB689000-memory.dmp

Filesize
100KB

Download
memory/3504-230-0x00007FFDEB690000-0x00007FFDEB6A7000-memory.dmp

Filesize
92KB

Download
memory/3504-229-0x00007FFDEB6B0000-0x00007FFDEB6D2000-memory.dmp

Filesize
136KB

Download
memory/3504-222-0x00007FFDEB3B0000-0x00007FFDEB468000-memory.dmp

Filesize
736KB

Download
memory/3504-220-0x00007FFDDBE40000-0x00007FFDDBFB3000-memory.dmp

Filesize
1.4MB

Download
memory/3504-212-0x00007FFDDC3E0000-0x00007FFDDC9C7000-memory.dmp

Filesize
5.9MB

Download
memory/3504-225-0x00007FFDEB9C0000-0x00007FFDEB9D2000-memory.dmp

Filesize
72KB

Download
memory/3504-224-0x00007FFDEB9F0000-0x00007FFDEBA05000-memory.dmp

Filesize
84KB

Download
memory/3504-221-0x00007FFDEB500000-0x00007FFDEB52E000-memory.dmp

Filesize
184KB

Download
memory/3504-213-0x00007FFDEBB30000-0x00007FFDEBB54000-memory.dmp

Filesize
144KB

Download
memory/3924-188-0x0000020FBEFB0000-0x0000020FBEFD2000-memory.dmp

Filesize
136KB

Download