exelastealer | e7e2ce6247bb6f94b3c9d8807ed485a22e47af42693eb4b748a1ca0240623705

Analysis

max time kernel
484s
max time network
488s
platform
windows11-21h2_x64
resource
win11-20240419-en
resource tags

arch:x64arch:x86image:win11-20240419-enlocale:en-usos:windows11-21h2-x64system
submitted
28/05/2024, 00:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

winAPI.exe
Size

28.5MB
MD5

c5d2e9a56b577c13cb458f596c2472ce
SHA1

3a22fac5737859fa2659744a977b5fc0fd16a7a9
SHA256

e7e2ce6247bb6f94b3c9d8807ed485a22e47af42693eb4b748a1ca0240623705
SHA512

9ef3fac51dd920f82025adf0e8af13b0345c73b884f39bcd3fe3312b180c802f66771cffa9a49ad891c4605450a0d6d25807fa06a4730efa0582914cced5b2d1
SSDEEP

393216:Em+sFHI7EzNFAUYl8XRQo/gCcT5NB35jmxEsYAwD6UWsNWcxjQT:Em+GCl3nNWclw

Score

10^/10

exelastealer persistence pyinstaller spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer

Executes dropped EXE 4 IoCs

pid	Process
4932	zjpqix.exe
3144	zjpqix.exe
2932	xjzyxz.exe
1700	xjzyxz.exe

Loads dropped DLL 64 IoCs

pid	Process
3144	zjpqix.exe
3144	zjpqix.exe
3144	zjpqix.exe
3144	zjpqix.exe
3144	zjpqix.exe
3144	zjpqix.exe
3144	zjpqix.exe
3144	zjpqix.exe
3144	zjpqix.exe
3144	zjpqix.exe
3144	zjpqix.exe
3144	zjpqix.exe
3144	zjpqix.exe
3144	zjpqix.exe
3144	zjpqix.exe
3144	zjpqix.exe
3144	zjpqix.exe
3144	zjpqix.exe
3144	zjpqix.exe
3144	zjpqix.exe
3144	zjpqix.exe
3144	zjpqix.exe
1700	xjzyxz.exe
1700	xjzyxz.exe
3144	zjpqix.exe
3144	zjpqix.exe
1700	xjzyxz.exe
1700	xjzyxz.exe
1700	xjzyxz.exe
1700	xjzyxz.exe
1700	xjzyxz.exe
1700	xjzyxz.exe
1700	xjzyxz.exe
1700	xjzyxz.exe
1700	xjzyxz.exe
1700	xjzyxz.exe
1700	xjzyxz.exe
3144	zjpqix.exe
1700	xjzyxz.exe
1700	xjzyxz.exe
3144	zjpqix.exe
1700	xjzyxz.exe
1700	xjzyxz.exe
1700	xjzyxz.exe
1700	xjzyxz.exe
1700	xjzyxz.exe
1700	xjzyxz.exe
1700	xjzyxz.exe
1700	xjzyxz.exe
1700	xjzyxz.exe
1700	xjzyxz.exe
1700	xjzyxz.exe
1700	xjzyxz.exe
1700	xjzyxz.exe
1700	xjzyxz.exe
1700	xjzyxz.exe
1700	xjzyxz.exe
1700	xjzyxz.exe
1700	xjzyxz.exe
1700	xjzyxz.exe
1700	xjzyxz.exe
1700	xjzyxz.exe
1700	xjzyxz.exe
1700	xjzyxz.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral3/files/0x001900000002ab4a-47.dat	upx
behavioral3/memory/3144-51-0x00007FF84EEE0000-0x00007FF84F345000-memory.dmp	upx
behavioral3/files/0x001900000002ab22-54.dat	upx
behavioral3/files/0x001900000002ab44-60.dat	upx
behavioral3/files/0x001900000002ab2c-79.dat	upx
behavioral3/files/0x001900000002ab29-82.dat	upx
behavioral3/files/0x001900000002ab4b-83.dat	upx
behavioral3/files/0x001900000002ab25-85.dat	upx
behavioral3/files/0x001900000002ab2a-86.dat	upx
behavioral3/files/0x001900000002ab4c-87.dat	upx
behavioral3/memory/3144-93-0x00007FF860920000-0x00007FF860A8D000-memory.dmp	upx
behavioral3/memory/3144-92-0x00007FF860FA0000-0x00007FF860FBE000-memory.dmp	upx
behavioral3/memory/3144-91-0x00007FF860B70000-0x00007FF860B9C000-memory.dmp	upx
behavioral3/memory/3144-90-0x00007FF8640A0000-0x00007FF8640B9000-memory.dmp	upx
behavioral3/memory/3144-89-0x00007FF864BF0000-0x00007FF864BFD000-memory.dmp	upx
behavioral3/memory/3144-88-0x00007FF866400000-0x00007FF866419000-memory.dmp	upx
behavioral3/files/0x001900000002ab20-84.dat	upx
behavioral3/files/0x001900000002ab2b-94.dat	upx
behavioral3/files/0x001900000002ab43-97.dat	upx
behavioral3/memory/3144-100-0x00007FF860830000-0x00007FF8608E6000-memory.dmp	upx
behavioral3/memory/3144-139-0x00007FF84EB60000-0x00007FF84EED4000-memory.dmp	upx
behavioral3/files/0x001900000002ab1f-152.dat	upx
behavioral3/memory/3144-176-0x00007FF860B50000-0x00007FF860B64000-memory.dmp	upx
behavioral3/files/0x001900000002ab47-193.dat	upx
behavioral3/memory/3144-211-0x00007FF860810000-0x00007FF860824000-memory.dmp	upx
behavioral3/memory/3144-217-0x00007FF85FEA0000-0x00007FF85FFB8000-memory.dmp	upx
behavioral3/files/0x001900000002ab4f-224.dat	upx
behavioral3/files/0x001900000002abca-232.dat	upx
behavioral3/memory/3144-229-0x00007FF8607C0000-0x00007FF8607E2000-memory.dmp	upx
behavioral3/memory/3144-216-0x00007FF8607F0000-0x00007FF860805000-memory.dmp	upx
behavioral3/files/0x001900000002ab4d-213.dat	upx
behavioral3/memory/3144-210-0x00007FF863BF0000-0x00007FF863C00000-memory.dmp	upx
behavioral3/files/0x001900000002ab24-199.dat	upx
behavioral3/files/0x001900000002ab27-186.dat	upx
behavioral3/memory/3144-99-0x00007FF8608F0000-0x00007FF86091E000-memory.dmp	upx
behavioral3/files/0x001900000002ab45-95.dat	upx
behavioral3/memory/3144-81-0x00007FF866520000-0x00007FF86652F000-memory.dmp	upx
behavioral3/memory/3144-80-0x00007FF861050000-0x00007FF861074000-memory.dmp	upx
behavioral3/files/0x001900000002ab28-75.dat	upx
behavioral3/files/0x001900000002ab26-73.dat	upx
behavioral3/files/0x001900000002ab23-70.dat	upx
behavioral3/files/0x001900000002ab21-69.dat	upx
behavioral3/files/0x001900000002ab48-63.dat	upx
behavioral3/memory/1700-235-0x00007FF84E6F0000-0x00007FF84EB54000-memory.dmp	upx
behavioral3/files/0x001900000002ab42-237.dat	upx
behavioral3/memory/3144-238-0x00007FF861270000-0x00007FF86127A000-memory.dmp	upx
behavioral3/memory/3144-243-0x00007FF84DFF0000-0x00007FF84E6E5000-memory.dmp	upx
behavioral3/memory/1700-246-0x00007FF861040000-0x00007FF86104D000-memory.dmp	upx
behavioral3/memory/1700-250-0x00007FF85FE80000-0x00007FF85FE98000-memory.dmp	upx
behavioral3/memory/1700-251-0x00007FF85D410000-0x00007FF85D43C000-memory.dmp	upx
behavioral3/memory/1700-258-0x00007FF8604F0000-0x00007FF86051E000-memory.dmp	upx
behavioral3/memory/3144-259-0x00007FF85CCB0000-0x00007FF85CCE8000-memory.dmp	upx
behavioral3/memory/3144-257-0x00007FF860920000-0x00007FF860A8D000-memory.dmp	upx
behavioral3/memory/3144-256-0x00007FF860FA0000-0x00007FF860FBE000-memory.dmp	upx
behavioral3/memory/3144-255-0x00007FF866400000-0x00007FF866419000-memory.dmp	upx
behavioral3/memory/1700-254-0x00007FF856840000-0x00007FF856875000-memory.dmp	upx
behavioral3/memory/1700-253-0x00007FF85D3E0000-0x00007FF85D40B000-memory.dmp	upx
behavioral3/memory/1700-252-0x00007FF84F830000-0x00007FF84F8EC000-memory.dmp	upx
behavioral3/memory/1700-249-0x00007FF860540000-0x00007FF860564000-memory.dmp	upx
behavioral3/memory/1700-245-0x00007FF860520000-0x00007FF860539000-memory.dmp	upx
behavioral3/memory/1700-244-0x00007FF861100000-0x00007FF86110F000-memory.dmp	upx
behavioral3/files/0x001900000002ab9f-242.dat	upx
behavioral3/memory/3144-241-0x00007FF84EEE0000-0x00007FF84F345000-memory.dmp	upx
behavioral3/memory/3144-308-0x00007FF84EB60000-0x00007FF84EED4000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela Update Service = "C:\\Users\\Admin\\AppData\\Local\\ExelaUpdateService\\Exela.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 7 IoCs

Web Service

T1102

flow	ioc
1	raw.githubusercontent.com
4	discord.com
9	discord.com
10	raw.githubusercontent.com
17	discord.com
20	discord.com
25	discord.com

Looks up external IP address via web service 6 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipapi.co
8	ipapi.co
19	ipapi.co
22	ipapi.co
24	ipapi.co
4	ip-api.com

Detects Pyinstaller 2 IoCs

pyinstaller

resource	yara_rule
behavioral3/files/0x001f00000002aaf4-3.dat	pyinstaller
behavioral3/files/0x001b00000002ab15-102.dat	pyinstaller

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2208	WMIC.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

Process Discovery

T1057

pid	Process
3172	tasklist.exe
2936	tasklist.exe
1108	tasklist.exe
1488	tasklist.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
832	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1252	powershell.exe
1252	powershell.exe
1700	xjzyxz.exe
1700	xjzyxz.exe
1700	xjzyxz.exe
1700	xjzyxz.exe
1700	xjzyxz.exe
1700	xjzyxz.exe
1700	xjzyxz.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1784	WMIC.exe
Token: SeSecurityPrivilege	1784	WMIC.exe
Token: SeTakeOwnershipPrivilege	1784	WMIC.exe
Token: SeLoadDriverPrivilege	1784	WMIC.exe
Token: SeSystemProfilePrivilege	1784	WMIC.exe
Token: SeSystemtimePrivilege	1784	WMIC.exe
Token: SeProfSingleProcessPrivilege	1784	WMIC.exe
Token: SeIncBasePriorityPrivilege	1784	WMIC.exe
Token: SeCreatePagefilePrivilege	1784	WMIC.exe
Token: SeBackupPrivilege	1784	WMIC.exe
Token: SeRestorePrivilege	1784	WMIC.exe
Token: SeShutdownPrivilege	1784	WMIC.exe
Token: SeDebugPrivilege	1784	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1784	WMIC.exe
Token: SeRemoteShutdownPrivilege	1784	WMIC.exe
Token: SeUndockPrivilege	1784	WMIC.exe
Token: SeManageVolumePrivilege	1784	WMIC.exe
Token: 33	1784	WMIC.exe
Token: 34	1784	WMIC.exe
Token: 35	1784	WMIC.exe
Token: 36	1784	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2208	WMIC.exe
Token: SeSecurityPrivilege	2208	WMIC.exe
Token: SeTakeOwnershipPrivilege	2208	WMIC.exe
Token: SeLoadDriverPrivilege	2208	WMIC.exe
Token: SeSystemProfilePrivilege	2208	WMIC.exe
Token: SeSystemtimePrivilege	2208	WMIC.exe
Token: SeProfSingleProcessPrivilege	2208	WMIC.exe
Token: SeIncBasePriorityPrivilege	2208	WMIC.exe
Token: SeCreatePagefilePrivilege	2208	WMIC.exe
Token: SeBackupPrivilege	2208	WMIC.exe
Token: SeRestorePrivilege	2208	WMIC.exe
Token: SeShutdownPrivilege	2208	WMIC.exe
Token: SeDebugPrivilege	2208	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2208	WMIC.exe
Token: SeRemoteShutdownPrivilege	2208	WMIC.exe
Token: SeUndockPrivilege	2208	WMIC.exe
Token: SeManageVolumePrivilege	2208	WMIC.exe
Token: 33	2208	WMIC.exe
Token: 34	2208	WMIC.exe
Token: 35	2208	WMIC.exe
Token: 36	2208	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2208	WMIC.exe
Token: SeSecurityPrivilege	2208	WMIC.exe
Token: SeTakeOwnershipPrivilege	2208	WMIC.exe
Token: SeLoadDriverPrivilege	2208	WMIC.exe
Token: SeSystemProfilePrivilege	2208	WMIC.exe
Token: SeSystemtimePrivilege	2208	WMIC.exe
Token: SeProfSingleProcessPrivilege	2208	WMIC.exe
Token: SeIncBasePriorityPrivilege	2208	WMIC.exe
Token: SeCreatePagefilePrivilege	2208	WMIC.exe
Token: SeBackupPrivilege	2208	WMIC.exe
Token: SeRestorePrivilege	2208	WMIC.exe
Token: SeShutdownPrivilege	2208	WMIC.exe
Token: SeDebugPrivilege	2208	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2208	WMIC.exe
Token: SeRemoteShutdownPrivilege	2208	WMIC.exe
Token: SeUndockPrivilege	2208	WMIC.exe
Token: SeManageVolumePrivilege	2208	WMIC.exe
Token: 33	2208	WMIC.exe
Token: 34	2208	WMIC.exe
Token: 35	2208	WMIC.exe
Token: 36	2208	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1784	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 760 wrote to memory of 2708	760	winAPI.exe	79
PID 760 wrote to memory of 2708	760	winAPI.exe	79
PID 2708 wrote to memory of 4932	2708	cmd.exe	81
PID 2708 wrote to memory of 4932	2708	cmd.exe	81
PID 4932 wrote to memory of 3144	4932	zjpqix.exe	82
PID 4932 wrote to memory of 3144	4932	zjpqix.exe	82
PID 760 wrote to memory of 4908	760	winAPI.exe	83
PID 760 wrote to memory of 4908	760	winAPI.exe	83
PID 4908 wrote to memory of 2932	4908	cmd.exe	85
PID 4908 wrote to memory of 2932	4908	cmd.exe	85
PID 2932 wrote to memory of 1700	2932	xjzyxz.exe	86
PID 2932 wrote to memory of 1700	2932	xjzyxz.exe	86
PID 3144 wrote to memory of 5108	3144	zjpqix.exe	87
PID 3144 wrote to memory of 5108	3144	zjpqix.exe	87
PID 3144 wrote to memory of 4904	3144	zjpqix.exe	88
PID 3144 wrote to memory of 4904	3144	zjpqix.exe	88
PID 3144 wrote to memory of 3276	3144	zjpqix.exe	89
PID 3144 wrote to memory of 3276	3144	zjpqix.exe	89
PID 4904 wrote to memory of 1784	4904	cmd.exe	93
PID 4904 wrote to memory of 1784	4904	cmd.exe	93
PID 5108 wrote to memory of 2208	5108	cmd.exe	94
PID 5108 wrote to memory of 2208	5108	cmd.exe	94
PID 3144 wrote to memory of 1996	3144	zjpqix.exe	95
PID 3144 wrote to memory of 1996	3144	zjpqix.exe	95
PID 3144 wrote to memory of 1904	3144	zjpqix.exe	96
PID 3144 wrote to memory of 1904	3144	zjpqix.exe	96
PID 1904 wrote to memory of 3172	1904	cmd.exe	100
PID 1904 wrote to memory of 3172	1904	cmd.exe	100
PID 3144 wrote to memory of 3756	3144	zjpqix.exe	101
PID 3144 wrote to memory of 3756	3144	zjpqix.exe	101
PID 3756 wrote to memory of 4836	3756	cmd.exe	103
PID 3756 wrote to memory of 4836	3756	cmd.exe	103
PID 3144 wrote to memory of 656	3144	zjpqix.exe	104
PID 3144 wrote to memory of 656	3144	zjpqix.exe	104
PID 3144 wrote to memory of 4428	3144	zjpqix.exe	105
PID 3144 wrote to memory of 4428	3144	zjpqix.exe	105
PID 656 wrote to memory of 2704	656	cmd.exe	108
PID 656 wrote to memory of 2704	656	cmd.exe	108
PID 4428 wrote to memory of 2936	4428	cmd.exe	109
PID 4428 wrote to memory of 2936	4428	cmd.exe	109
PID 3144 wrote to memory of 3180	3144	zjpqix.exe	110
PID 3144 wrote to memory of 3180	3144	zjpqix.exe	110
PID 3180 wrote to memory of 3200	3180	cmd.exe	112
PID 3180 wrote to memory of 3200	3180	cmd.exe	112
PID 3144 wrote to memory of 4912	3144	zjpqix.exe	113
PID 3144 wrote to memory of 4912	3144	zjpqix.exe	113
PID 4912 wrote to memory of 2480	4912	cmd.exe	115
PID 4912 wrote to memory of 2480	4912	cmd.exe	115
PID 3144 wrote to memory of 4936	3144	zjpqix.exe	116
PID 3144 wrote to memory of 4936	3144	zjpqix.exe	116
PID 4936 wrote to memory of 1108	4936	cmd.exe	118
PID 4936 wrote to memory of 1108	4936	cmd.exe	118
PID 1700 wrote to memory of 1272	1700	xjzyxz.exe	119
PID 1700 wrote to memory of 1272	1700	xjzyxz.exe	119
PID 3144 wrote to memory of 3508	3144	zjpqix.exe	121
PID 3144 wrote to memory of 3508	3144	zjpqix.exe	121
PID 3144 wrote to memory of 1204	3144	zjpqix.exe	122
PID 3144 wrote to memory of 1204	3144	zjpqix.exe	122
PID 3144 wrote to memory of 5112	3144	zjpqix.exe	123
PID 3144 wrote to memory of 5112	3144	zjpqix.exe	123
PID 3144 wrote to memory of 692	3144	zjpqix.exe	124
PID 3144 wrote to memory of 692	3144	zjpqix.exe	124
PID 692 wrote to memory of 1252	692	cmd.exe	129
PID 692 wrote to memory of 1252	692	cmd.exe	129

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3200	attrib.exe

C:\Users\Admin\AppData\Local\Temp\winAPI.exe
"C:\Users\Admin\AppData\Local\Temp\winAPI.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "start C:\Users\Admin\AppData\Local\Temp\zjpqix.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Users\Admin\AppData\Local\Temp\zjpqix.exe
    C:\Users\Admin\AppData\Local\Temp\zjpqix.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:4932
  - - C:\Users\Admin\AppData\Local\Temp\zjpqix.exe
      C:\Users\Admin\AppData\Local\Temp\zjpqix.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:3144
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5108
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4904
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:3276
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "gdb --version"
        5⤵
        
        PID:1996
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1904
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:3172
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3756
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        6⤵
        
        PID:4836
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:656
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:2704
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4428
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:2936
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3180
      - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
        6⤵
        Views/modifies file attributes
        
        PID:3200
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4912
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:2480
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4936
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:1108
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        5⤵
        
        PID:3508
      - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        6⤵
        
        PID:1156
        
        C:\Windows\system32\chcp.com
        
        chcp
        7⤵
        
        PID:936
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        5⤵
        
        PID:1204
      - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        6⤵
        
        PID:1508
        
        C:\Windows\system32\chcp.com
        
        chcp
        7⤵
        
        PID:3780
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:5112
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:1488
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:692
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1252
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        5⤵
        
        PID:4496
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        
        PID:2148
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        5⤵
        
        PID:4668
      - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:832
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:3184
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:3036
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:2388
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:1640
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "start C:\Users\Admin\AppData\Local\Temp\xjzyxz.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4908
- - C:\Users\Admin\AppData\Local\Temp\xjzyxz.exe
    C:\Users\Admin\AppData\Local\Temp\xjzyxz.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2932
  - - C:\Users\Admin\AppData\Local\Temp\xjzyxz.exe
      C:\Users\Admin\AppData\Local\Temp\xjzyxz.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1700
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:1272
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
        5⤵
        
        PID:4972
      - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        6⤵
        
        PID:3140
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
        5⤵
        
        PID:4520
      - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        6⤵
        
        PID:800
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
        5⤵
        
        PID:3716
      - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        6⤵
        
        PID:1832
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
        5⤵
        
        PID:1268
      - C:\Windows\System32\wbem\WMIC.exe
        
        C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
        6⤵
        
        PID:2808
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        5⤵
        
        PID:1312
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        
        PID:3552
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        5⤵
        
        PID:3464
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        
        PID:2196
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        5⤵
        
        PID:1036
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        
        PID:2572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI29322\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29322\_ctypes.pyd

Filesize
55KB

MD5
91ce50ef25d06d7379719d50fac1f974

SHA1
f3c1485bd346f114976b17bc091025fd8c75c484

SHA256
149cf22c6f31f884690b9d99ca281e4ddcd6518bd5bff16d4ed137c723aaefd7

SHA512
413540a6019c9d23f5be142dedf067ba234fa9d782be1264e4bcb218e1b0b17abdab3f8cf85f4c8e7bcddb6428261120159d916537cbc2613b7bb3397f465092

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29322\base_library.zip

Filesize
812KB

MD5
94ad142417be446afea14d873ec8d4ec

SHA1
4350cbaeb7f4862c4c410f7eee1bd4d58fd50397

SHA256
46f865463b8144dd30eeaecf0a0c7b52d18e797ebc3d3056e171e01bcbb70ca8

SHA512
535ce2289f93a3b285e98e527604157d61c4ef8f7e6285adeddaff31be305dd98592690094993d97b299efb1a81eca7a6ebb29d4657dddc334b7d4ac111cf152

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29322\pyinstaller-5.1.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI29322\python310.dll

Filesize
1.4MB

MD5
99cb804abc9a8f4cb8d08d77e515dcb7

SHA1
0d833cb729f3d5c845491b61b47018c82065f4ad

SHA256
8d23914f6eaa371f2e0c15816c7ab62573d428e750d1bbcd9a07498264d7d240

SHA512
43252d45803957ba79d42afdd12b956c3b829c9b00a78199c35e3eeb863d8c56f4f0b467faae227b7c058f59a3f11152f670090e2212eb6a2837378bca53ac82

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\VCRUNTIME140.dll

Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\_asyncio.pyd

Filesize
31KB

MD5
480d3f4496e16d54bb5313d206164134

SHA1
3db3a9f21be88e0b759855bf4f937d0bbfdf1734

SHA256
568fb5c3d9b170ce1081ad12818b9a12f44ab1577449425a3ef30c2efbee613d

SHA512
8e887e8de9c31dbb6d0a85b4d6d4157e917707e63ce5f119bb4b03cb28d41af90d087e3843f3a4c2509bca70cdac3941e00b8a5144ade8532a97166a5d0a7bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\_bz2.pyd

Filesize
43KB

MD5
39b487c3e69816bd473e93653dbd9b7f

SHA1
bdce6fde092a3f421193ddb65df893c40542a4e2

SHA256
a1629c455be2cf55e36021704716f4b16a96330fe993aae9e818f67c4026fcdc

SHA512
7543c1555e8897d15c952b89427e7d06c32e250223e85fafae570f8a0fa13c39fb6fc322d043324a31b2f2f08d2f36e0da59dfd741d09c035d0429173b6badc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\_cffi_backend.cp310-win_amd64.pyd

Filesize
71KB

MD5
641e49ce0c4fa963d347fbf915aabdbe

SHA1
1351f6c4ac5dcda7e3ffbf3d5e355b4bb864eb10

SHA256
1c795df278c7f64be8e6973f8dbf1a625997cb39ae2dcb5bee0ca4c1b90c8906

SHA512
766b9adb5143e89d663177c2fb0e951afb84c0a43ec690ae2c477ee0bbe036df6f4161a6012430d42e4913fd5fbe7e49af6d13ac7c62d042a484861fc5a04616

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\_ctypes.pyd

Filesize
53KB

MD5
b1f12f4bfc0bd49a6646a0786bc5bc00

SHA1
acb7d8c665bb8ca93e5f21e178870e3d141d7cbc

SHA256
1fe61645ed626fc1dec56b2e90e8e551066a7ff86edbd67b41cb92211358f3d7

SHA512
a3fb041bd122638873c395b95f1a541007123f271572a8a988c9d01d2b2d7bb20d70e1d97fc3abffd28cb704990b41d8984974c344faea98dd0c6b07472b5731

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\_decimal.pyd

Filesize
101KB

MD5
b7f498da5aec35140a6d928a8f792911

SHA1
95ab794a2d4cb8074a23d84b10cd62f7d12a4cd0

SHA256
b15f0dc3ce6955336162c9428077dcedfa1c52e60296251521819f3239c26ee8

SHA512
5fcb2d5325a6a4b7aff047091957ba7f13de548c5330f0149682d44140ac0af06837465871c598db71830fd3b2958220f80ae8744ef16fdb7336b3d6a5039e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\_hashlib.pyd

Filesize
30KB

MD5
31dfa2caaee02cc38adf4897b192d6d1

SHA1
9be57a9bad1cb420675f5b9e04c48b76d18f4a19

SHA256
dc045ac7d4bde60b0f122d307fcd2bbaf5e1261a280c4fb67cfc43de5c0c2a0f

SHA512
3e58c083e1e3201a9fbbf6a4fcbc2b0273cf22badabab8701b10b3f8fdd20b11758cdcfead557420393948434e340aad751a4c7aa740097ab29d1773ea3a0100

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\_lzma.pyd

Filesize
81KB

MD5
95badb08cd77e563c9753fadc39a34dd

SHA1
b3c3dfe64e89b5e7afb5f064bbf9d8d458f626a0

SHA256
5545627b465d780b6107680922ef44144a22939dd406deae44858b79747e301a

SHA512
eb36934b73f36ba2162e75f0866435f57088777dc40379f766366c26d40f185de5be3da55d17f5b82cb498025d8d90bc16152900502eb7f5de88bbef84ace2cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\_multiprocessing.pyd

Filesize
22KB

MD5
28f6fcc0b7bb10a45ff1370c9e1b9561

SHA1
c7669f406b5ec2306a402e872dec17380219907a

SHA256
6dd33d49554ee61490725ea2c9129c15544791ab7a65fb523cc9b4f88d38744b

SHA512
2aef40344e80c3518afc07bf6ad4c96c4fff44434f8307e2efa544290d59504d7b014d7ea94af0377e342a632d6c4c74bfdf16d26f92ccc7062be618ea4dbee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\_overlapped.pyd

Filesize
27KB

MD5
745706ab482fe9c9f92383292f121072

SHA1
439f00978795d0845aceaf007fd76ff5947567fd

SHA256
4d98e7d1b74bd209f8c66e1a276f60b470f6a5d6f519f76a91eb75be157a903d

SHA512
52fe3dfc45c380dfb1d9b6e453bdffcd92d57ad7b7312d0b9a86a76d437c512a17da33822f8e81760710d8ff4fd6a4b702d2abfffc600c9350d4d463451d38d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\_queue.pyd

Filesize
21KB

MD5
18b8b2b0aefcee9527299c464b7f6d3d

SHA1
a565216faee2534bbda5b3f65aeb2eef5fd9bcda

SHA256
6f334fa1474116dd499a125f3b5ca4cd698039446faf50340f9a3f7af3adb8c2

SHA512
0b56e9d89f4dd3da830954b6561c49c06775854e0b27bc2b07ea8e9c79829d66dae186b95209c8c4cc7c3a7ba6b03cdf134b2e0036cea929e61d755d4709abcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\_socket.pyd

Filesize
38KB

MD5
f675cf3cdd836cacfab9c89ab9f97108

SHA1
3e077bf518f7a4cb30ea4607338cff025d4d476e

SHA256
bb82a23d8dc6bf4c9aeb91d3f3bef069276ae3b14eeca100b988b85dd21e2dd3

SHA512
e2344b5f59bd0fad3570977edf0505aa2e05618e66d07c9f93b163fc151c4e1d6fbc0e25b7c989505c1270f8cd4840c6120a73a7ad64591ee3c4fb282375465e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\_sqlite3.pyd

Filesize
45KB

MD5
1dbec8753e5cd062cd71a8bb294f28f9

SHA1
c32e9b577f588408a732047863e04a1db6ca231e

SHA256
6d95d41a36b5c9e3a895eff91149978aa383b6a8617d542accef2080737c3cad

SHA512
a1c95dbb1a9e2ffbcc9422f53780b35fbc77cb56ac3562afb8753161a233e5efa8da8ad67f5bde5a094beb8331d9dab5c3d5e673a8d09fd6d0383a8a6ffda087

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\_ssl.pyd

Filesize
57KB

MD5
2edf5c4e534a45966a68033e7395f40d

SHA1
478ef27474eec0fd966d1663d2397e8fb47fec17

SHA256
7abc2b326f5b7c3011827eb7a5a4d896cc6b2619246826519b3f57d2bb99d3bd

SHA512
f83b698cfe702a15eb0267f254c593b90fa155ad2aefe75e5ba0ee5d4f38976882796cba2a027b42a910f244360177ac809891d505b3d0ae9276156b64850b6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\_uuid.pyd

Filesize
18KB

MD5
b3e7fc44f12d2db5bad6922e0b1d927f

SHA1
3fe8ef4b6fb0bc590a1c0c0f5710453e8e340f8f

SHA256
6b93290a74fb288489405044a7dee7cca7c25fa854be9112427930dd739ebace

SHA512
a0465a38aaac2d501e9a12a67d5d71c9eeeb425f535c473fc27ac13c2bb307641cc3cef540472f916e341d7bada80a84b99d78850d94c95ee14139f8540d0c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\base_library.zip

Filesize
858KB

MD5
7b2903144d2ab90e0e8c34c0c5fc8b30

SHA1
4f435ff09b472607c96c9fbc38ca1cac8cb4725c

SHA256
76f8cfff0ca0997ba4fead6d7883316f32688cb9872a86df23148cd94c1511b2

SHA512
257ed12db69532081c3b6050779b021e46dcc26377d69310a2352eecb285ed74cb9ca63f3dbfb9e9c2289c6add588a1512b7f0ae547952b6d4b578953dc36701

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\cryptography\hazmat\bindings\_rust.pyd

Filesize
2.0MB

MD5
2fcce5a4be27c1f03c07f28442c519c2

SHA1
720309702539887f00b604ef9482e6f4e90267fe

SHA256
eed558d5a0fe7cea03d6b52950594ec8a7c2e451daca1018118a7c640af4990a

SHA512
71629b36b48bb353b7cd97c23cef116a006a61582cb7064e38cfd6e0769a8f8edbb51e7e141e365c0be2dbb0985cb3ef3cc0f0d3fd4eeb32322f8c406352b4e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\libcrypto-1_1.dll

Filesize
1.1MB

MD5
700f32459dca0f54c982cd1c1ddd6b8b

SHA1
2538711c091ac3f572cb0f13539a68df0f228f28

SHA256
1de22bd1a0154d49f48b3fab94fb1fb1abd8bfed37d18e79a86ecd7cdab893c9

SHA512
99de1f5cb78c83fc6af0a475fb556f1ac58a1ba734efc69d507bf5dc1b0535a401d901324be845d7a59db021f8967cf33a7b105b2ddcb2e02a39dc0311e7c36d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\libffi-7.dll

Filesize
23KB

MD5
d50ebf567149ead9d88933561cb87d09

SHA1
171df40e4187ebbfdf9aa1d76a33f769fb8a35ed

SHA256
6aa8e12ce7c8ad52dd2e3fabeb38a726447849669c084ea63d8e322a193033af

SHA512
7bcc9d6d3a097333e1e4b2b23c81ea1b5db7dbdc5d9d62ebaffb0fdfb6cfe86161520ac14dc835d1939be22b9f342531f48da70f765a60b8e2c3d7b9983021de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\libssl-1_1.dll

Filesize
198KB

MD5
45498cefc9ead03a63c2822581cd11c6

SHA1
f96b6373237317e606b3715705a71db47e2cafad

SHA256
a84174a00dc98c98240ad5ee16c35e6ef932cebd5b8048ff418d3dd80f20deca

SHA512
4d3d8d33e7f3c2bf1cad3afbfba6ba53852d1314713ad60eeae1d51cc299a52b73da2c629273f9e0b7983ca01544c3645451cfa247911af4f81ca88a82cf6a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\multidict\_multidict.cp310-win_amd64.pyd

Filesize
20KB

MD5
58a0ff76a0d7d3cd86ceb599d247c612

SHA1
af52bdb9556ef4b9d38cf0f0b9283494daa556a6

SHA256
2079d8be068f67fb2ece4fb3f5927c91c1c25edecb9d1c480829eb1cd21d7cc5

SHA512
e2d4f80cdeba2f5749a4d3de542e09866055d8aee1d308b96cb61bc53f4495c781e9b2559cc6a5f160be96b307539a8b6e06cabeffcc0ddb9ad4107dcacd8a76

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\pyexpat.pyd

Filesize
81KB

MD5
b4cf065f5e5b7a5bc2dd2b2e09bea305

SHA1
d289a500ffd399053767ee7339e48c161655b532

SHA256
9b5f407a2a1feaa76c6d3058a2f04c023b1c50b31d417bbfee69024098e4938b

SHA512
ddd9e216b11152d6a50481e06bb409335d36ce7fe63072aa0c7789c541593f2d7e8b4373be67a018c59f5e418e5a39a3ad729b732f11fa253f6275a64e125989

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\python3.DLL

Filesize
60KB

MD5
a5471f05fd616b0f8e582211ea470a15

SHA1
cb5f8bf048dc4fc58f80bdfd2e04570dbef4730e

SHA256
8d5e09791b8b251676e16bdd66a7118d88b10b66ad80a87d5897fadbefb91790

SHA512
e87d06778201615b129dcf4e8b4059399128276eb87102b5c3a64b6e92714f6b0d5bde5df4413cc1b66d33a77d7a3912eaa1035f73565dbfd62280d09d46abff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\python310.dll

Filesize
1.4MB

MD5
90d5b8ba675bbb23f01048712813c746

SHA1
f2906160f9fc2fa719fea7d37e145156742ea8a7

SHA256
3a7d497d779ff13082835834a1512b0c11185dd499ab86be830858e7f8aaeb3e

SHA512
872c2bf56c3fe180d9b4fb835a92e1dc188822e9d9183aab34b305408bb82fba1ead04711e8ad2bef1534e86cd49f2445d728851206d7899c1a7a83e5a62058e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\select.pyd

Filesize
21KB

MD5
740424368fb6339d67941015e7ac4096

SHA1
64f3fab24f469a027ddfcf0329eca121f4164e45

SHA256
a389eae40188282c91e0cdf38c79819f475375860225b6963deb11623485b76d

SHA512
6d17dc3f294f245b4ca2eca8e62f4c070c7b8a5325349bc25ebaeea291a5a5ebd268bd1321c08755141aa58de0f985adc67335b4f83bc1aeec4b398d0f538e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\sqlite3.dll

Filesize
605KB

MD5
7055e9008e847cb6015b1bb89f26c7ac

SHA1
c7c844cb46f8287a88bec3bd5d02647f5a07ae80

SHA256
2884d8e9007461ab6e8bbdd37c6bc4f6de472bbd52ec5b53e0a635075d86b871

SHA512
651b7b8c2518e4826d84c89be5052fd944f58f558c51cc905da181049850186d0a87fd2e05734fbe6a69618a6e48261a9fdd043ab17eb01620c6510e96d57008

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\unicodedata.pyd

Filesize
285KB

MD5
0c26e9925bea49d7cf03cfc371283a9b

SHA1
89290d3e43e18165cb07a7a4f99855b9e8466b21

SHA256
13c2ea04a1d40588536f1d7027c8d0ea228a9fb328ca720d6c53b96a8e1ae724

SHA512
6a3cd4b48f7c0087f4a1bdc1241df71d56bd90226759481f17f56baa1b991d1af0ba5798a2b7ba57d9ffa9ec03a12bfac81df2fba88765bd369435ff21a941e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49322\yarl\_quoting_c.cp310-win_amd64.pyd

Filesize
40KB

MD5
c14493cd3cc9b9b5f850b5fadcbe936e

SHA1
eddb260ff89bfa132a479fdf783c67098011fb85

SHA256
1782f3c12b3eb01716fcd59b0cd69c02c2fb888db4377f4d5fe00f07986be8e3

SHA512
0a7b85322b8fa566fb3d24b8e4021fb64433be06c3c4dbeb06d9633e4af0a5b76252fb2228de0abd818be5f4a18fffc712c727816632dd8c8585c9a9a7bf0fb6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e2ghn4cl.paz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cards_db

Filesize
114KB

MD5
ea3bbda11253a0ddfa0bd6d750a7c9fc

SHA1
6b920bcafd8036b42657e50c84a1da2cea4d1307

SHA256
0a2bfcd7ad484f317f01b03ed4475015a2182137cb3daf7cd5717a9f8d081f89

SHA512
d885aeb00d919689b020bbf541d548578fa415150c2a7a160603a7d397bdb4238fa518eb076bdbbc3401325e517334a5da361e894939954d9bc29560d5d13268

Download Submit
C:\Users\Admin\AppData\Local\Temp\cards_db

Filesize
112KB

MD5
87210e9e528a4ddb09c6b671937c79c6

SHA1
3c75314714619f5b55e25769e0985d497f0062f2

SHA256
eeb23424586eb7bc62b51b19f1719c6571b71b167f4d63f25984b7f5c5436db1

SHA512
f8cb8098dc8d478854cddddeac3396bc7b602c4d0449491ecacea7b9106672f36b55b377c724dc6881bee407c6b6c5c3352495ed4b852dd578aa3643a43e37c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\cookie_db

Filesize
20KB

MD5
a603e09d617fea7517059b4924b1df93

SHA1
31d66e1496e0229c6a312f8be05da3f813b3fa9e

SHA256
ccd15f9c7a997ae2b5320ea856c7efc54b5055254d41a443d21a60c39c565cb7

SHA512
eadb844a84f8a660c578a2f8e65ebcb9e0b9ab67422be957f35492ff870825a4b363f96fd1c546eaacfd518f6812fcf57268ef03c149e5b1a7af145c7100e2cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\login_db

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\login_db

Filesize
46KB

MD5
14ccc9293153deacbb9a20ee8f6ff1b7

SHA1
46b4d7b004ff4f1f40ad9f107fe7c7e3abc9a9f3

SHA256
3195ce0f7aa2eae2b21c447f264e2bd4e1dc5208353ac72d964a750de9a83511

SHA512
916f2178be05dc329461d2739271972238b22052b5935883da31e6c98d2697bd2435c9f6a2d1fcafb4811a1d867c761055532669aac2ea1a3a78c346cdeba765

Download Submit
C:\Users\Admin\AppData\Local\Temp\web_history_db

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\web_history_db

Filesize
116KB

MD5
4e2922249bf476fb3067795f2fa5e794

SHA1
d2db6b2759d9e650ae031eb62247d457ccaa57d2

SHA256
c2c17166e7468877d1e80822f8a5f35a7700ac0b68f3b369a1f4154ae4f811e1

SHA512
8e5e12daf11f9f6e73fb30f563c8f2a64bbc7bb9deffe4969e23081ec1c4073cdf6c74e8dbcc65a271142083ad8312ec7d59505c90e718a5228d369f4240e1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\xjzyxz.exe

Filesize
17.4MB

MD5
97ece3fa1e45b885d4d967c566ec97a7

SHA1
294bae8fd5fa3e37259decd35207317f9de585c7

SHA256
aa03cfb045ab653679bc1f3c56452814ebf1c9e01d6b5da682d7e3b112a2b61b

SHA512
48be1c9ad424580b447238094274c8a45890d2b3cb2e87f8bfa76744dc43dc6e4be7087028581a34c4d74f46d0f876a18992d4ddf418c8a5ee05b33a5c4c3409

Download Submit
C:\Users\Admin\AppData\Local\Temp\zjpqix.exe

Filesize
9.3MB

MD5
14efd584d86ddbe8ee40e57032ebd17f

SHA1
65990e752ae180a45a8f00a96f7327bbb486f776

SHA256
6525af6f43275bc3247468af68ce9850031823f657ada0be49249e5ce3c04062

SHA512
cc3fee67b9d716acb19109acda53456a20295a4efaaf6030dcc3d1c8fb9762b71bcb6600a8d95c7ee36384c4a6f188f88044889e4f9c937ab007a27ff95ead42

Download Submit
memory/1252-337-0x0000026BDAE50000-0x0000026BDAE72000-memory.dmp

Filesize
136KB

Download
memory/1252-385-0x0000026BC29A0000-0x0000026BC29BA000-memory.dmp

Filesize
104KB

Download
memory/1252-384-0x0000026BC2980000-0x0000026BC2996000-memory.dmp

Filesize
88KB

Download
memory/1700-314-0x00007FF85FE70000-0x00007FF85FE7A000-memory.dmp

Filesize
40KB

Download
memory/1700-332-0x00007FF84E6F0000-0x00007FF84EB54000-memory.dmp

Filesize
4.4MB

Download
memory/1700-491-0x00007FF85D410000-0x00007FF85D43C000-memory.dmp

Filesize
176KB

Download
memory/1700-492-0x00007FF84F830000-0x00007FF84F8EC000-memory.dmp

Filesize
752KB

Download
memory/1700-455-0x00007FF860540000-0x00007FF860564000-memory.dmp

Filesize
144KB

Download
memory/1700-235-0x00007FF84E6F0000-0x00007FF84EB54000-memory.dmp

Filesize
4.4MB

Download
memory/1700-459-0x00007FF8604F0000-0x00007FF86051E000-memory.dmp

Filesize
184KB

Download
memory/1700-467-0x00007FF856820000-0x00007FF85683C000-memory.dmp

Filesize
112KB

Download
memory/1700-468-0x00007FF84D150000-0x00007FF84D17E000-memory.dmp

Filesize
184KB

Download
memory/1700-246-0x00007FF861040000-0x00007FF86104D000-memory.dmp

Filesize
52KB

Download
memory/1700-250-0x00007FF85FE80000-0x00007FF85FE98000-memory.dmp

Filesize
96KB

Download
memory/1700-251-0x00007FF85D410000-0x00007FF85D43C000-memory.dmp

Filesize
176KB

Download
memory/1700-258-0x00007FF8604F0000-0x00007FF86051E000-memory.dmp

Filesize
184KB

Download
memory/1700-469-0x00007FF84BA90000-0x00007FF84BB47000-memory.dmp

Filesize
732KB

Download
memory/1700-470-0x00007FF84B710000-0x00007FF84BA87000-memory.dmp

Filesize
3.5MB

Download
memory/1700-476-0x00007FF849D80000-0x00007FF849D9E000-memory.dmp

Filesize
120KB

Download
memory/1700-477-0x00007FF848FD0000-0x00007FF849141000-memory.dmp

Filesize
1.4MB

Download
memory/1700-254-0x00007FF856840000-0x00007FF856875000-memory.dmp

Filesize
212KB

Download
memory/1700-253-0x00007FF85D3E0000-0x00007FF85D40B000-memory.dmp

Filesize
172KB

Download
memory/1700-252-0x00007FF84F830000-0x00007FF84F8EC000-memory.dmp

Filesize
752KB

Download
memory/1700-249-0x00007FF860540000-0x00007FF860564000-memory.dmp

Filesize
144KB

Download
memory/1700-245-0x00007FF860520000-0x00007FF860539000-memory.dmp

Filesize
100KB

Download
memory/1700-244-0x00007FF861100000-0x00007FF86110F000-memory.dmp

Filesize
60KB

Download
memory/1700-462-0x00007FF84F830000-0x00007FF84F8EC000-memory.dmp

Filesize
752KB

Download
memory/1700-454-0x00007FF84E6F0000-0x00007FF84EB54000-memory.dmp

Filesize
4.4MB

Download
memory/1700-319-0x00007FF84BA90000-0x00007FF84BB47000-memory.dmp

Filesize
732KB

Download
memory/1700-318-0x00007FF84B710000-0x00007FF84BA87000-memory.dmp

Filesize
3.5MB

Download
memory/1700-333-0x00007FF849EF0000-0x00007FF849F05000-memory.dmp

Filesize
84KB

Download
memory/1700-334-0x00007FF856810000-0x00007FF85681D000-memory.dmp

Filesize
52KB

Download
memory/1700-339-0x00007FF849DA0000-0x00007FF849EB8000-memory.dmp

Filesize
1.1MB

Download
memory/1700-344-0x00007FF848640000-0x00007FF84864B000-memory.dmp

Filesize
44KB

Download
memory/1700-345-0x00007FF848630000-0x00007FF84863B000-memory.dmp

Filesize
44KB

Download
memory/1700-312-0x00007FF84F7E0000-0x00007FF84F822000-memory.dmp

Filesize
264KB

Download
memory/1700-346-0x00007FF848620000-0x00007FF84862C000-memory.dmp

Filesize
48KB

Download
memory/1700-315-0x00007FF856820000-0x00007FF85683C000-memory.dmp

Filesize
112KB

Download
memory/1700-347-0x00007FF848600000-0x00007FF84860C000-memory.dmp

Filesize
48KB

Download
memory/1700-317-0x00007FF84D150000-0x00007FF84D17E000-memory.dmp

Filesize
184KB

Download
memory/1700-348-0x00007FF848610000-0x00007FF84861B000-memory.dmp

Filesize
44KB

Download
memory/1700-321-0x0000018424010000-0x0000018424387000-memory.dmp

Filesize
3.5MB

Download
memory/1700-350-0x00007FF84B710000-0x00007FF84BA87000-memory.dmp

Filesize
3.5MB

Download
memory/1700-336-0x00007FF855540000-0x00007FF85554B000-memory.dmp

Filesize
44KB

Download
memory/1700-335-0x00007FF849EC0000-0x00007FF849EE6000-memory.dmp

Filesize
152KB

Download
memory/1700-351-0x00007FF8485D0000-0x00007FF8485DD000-memory.dmp

Filesize
52KB

Download
memory/1700-342-0x00007FF849D80000-0x00007FF849D9E000-memory.dmp

Filesize
120KB

Download
memory/1700-341-0x00007FF860520000-0x00007FF860539000-memory.dmp

Filesize
100KB

Download
memory/1700-340-0x00007FF848FD0000-0x00007FF849141000-memory.dmp

Filesize
1.4MB

Download
memory/1700-343-0x00007FF860540000-0x00007FF860564000-memory.dmp

Filesize
144KB

Download
memory/1700-349-0x00007FF84F7E0000-0x00007FF84F822000-memory.dmp

Filesize
264KB

Download
memory/1700-363-0x00007FF84D150000-0x00007FF84D17E000-memory.dmp

Filesize
184KB

Download
memory/1700-362-0x00007FF8482A0000-0x00007FF8482B2000-memory.dmp

Filesize
72KB

Download
memory/1700-361-0x00007FF8485E0000-0x00007FF8485EC000-memory.dmp

Filesize
48KB

Download
memory/1700-372-0x00007FF848200000-0x00007FF848213000-memory.dmp

Filesize
76KB

Download
memory/1700-374-0x00007FF8481D0000-0x00007FF8481DE000-memory.dmp

Filesize
56KB

Download
memory/1700-373-0x00007FF848010000-0x00007FF848051000-memory.dmp

Filesize
260KB

Download
memory/1700-371-0x00007FF8481E0000-0x00007FF8481F5000-memory.dmp

Filesize
84KB

Download
memory/1700-370-0x00007FF848220000-0x00007FF84823C000-memory.dmp

Filesize
112KB

Download
memory/1700-369-0x00007FF848240000-0x00007FF848254000-memory.dmp

Filesize
80KB

Download
memory/1700-368-0x00007FF848260000-0x00007FF848270000-memory.dmp

Filesize
64KB

Download
memory/1700-367-0x00007FF848270000-0x00007FF848284000-memory.dmp

Filesize
80KB

Download
memory/1700-366-0x00007FF848290000-0x00007FF84829C000-memory.dmp

Filesize
48KB

Download
memory/1700-365-0x0000018424010000-0x0000018424387000-memory.dmp

Filesize
3.5MB

Download
memory/1700-364-0x00007FF84BA90000-0x00007FF84BB47000-memory.dmp

Filesize
732KB

Download
memory/1700-360-0x00007FF8485F0000-0x00007FF8485FB000-memory.dmp

Filesize
44KB

Download
memory/1700-359-0x00007FF8482C0000-0x00007FF8482CD000-memory.dmp

Filesize
52KB

Download
memory/1700-358-0x00007FF8482D0000-0x00007FF8482DC000-memory.dmp

Filesize
48KB

Download
memory/1700-357-0x00007FF8482E0000-0x00007FF8482EC000-memory.dmp

Filesize
48KB

Download
memory/1700-356-0x00007FF848440000-0x00007FF84844B000-memory.dmp

Filesize
44KB

Download
memory/1700-355-0x00007FF848450000-0x00007FF84845B000-memory.dmp

Filesize
44KB

Download
memory/1700-354-0x00007FF8485A0000-0x00007FF8485AC000-memory.dmp

Filesize
48KB

Download
memory/1700-353-0x00007FF8485B0000-0x00007FF8485BC000-memory.dmp

Filesize
48KB

Download
memory/1700-352-0x00007FF8485C0000-0x00007FF8485CE000-memory.dmp

Filesize
56KB

Download
memory/3144-91-0x00007FF860B70000-0x00007FF860B9C000-memory.dmp

Filesize
176KB

Download
memory/3144-92-0x00007FF860FA0000-0x00007FF860FBE000-memory.dmp

Filesize
120KB

Download
memory/3144-316-0x00007FF85FEA0000-0x00007FF85FFB8000-memory.dmp

Filesize
1.1MB

Download
memory/3144-313-0x00007FF863BF0000-0x00007FF863C00000-memory.dmp

Filesize
64KB

Download
memory/3144-211-0x00007FF860810000-0x00007FF860824000-memory.dmp

Filesize
80KB

Download
memory/3144-310-0x00007FF860B50000-0x00007FF860B64000-memory.dmp

Filesize
80KB

Download
memory/3144-309-0x0000023CB72F0000-0x0000023CB7664000-memory.dmp

Filesize
3.5MB

Download
memory/3144-311-0x00007FF8604B0000-0x00007FF8604BD000-memory.dmp

Filesize
52KB

Download
memory/3144-338-0x00007FF84DFF0000-0x00007FF84E6E5000-memory.dmp

Filesize
7.0MB

Download
memory/3144-306-0x00007FF8608F0000-0x00007FF86091E000-memory.dmp

Filesize
184KB

Download
memory/3144-307-0x00007FF860830000-0x00007FF8608E6000-memory.dmp

Filesize
728KB

Download
memory/3144-80-0x00007FF861050000-0x00007FF861074000-memory.dmp

Filesize
144KB

Download
memory/3144-308-0x00007FF84EB60000-0x00007FF84EED4000-memory.dmp

Filesize
3.5MB

Download
memory/3144-320-0x00007FF8607C0000-0x00007FF8607E2000-memory.dmp

Filesize
136KB

Download
memory/3144-217-0x00007FF85FEA0000-0x00007FF85FFB8000-memory.dmp

Filesize
1.1MB

Download
memory/3144-139-0x00007FF84EB60000-0x00007FF84EED4000-memory.dmp

Filesize
3.5MB

Download
memory/3144-100-0x00007FF860830000-0x00007FF8608E6000-memory.dmp

Filesize
728KB

Download
memory/3144-88-0x00007FF866400000-0x00007FF866419000-memory.dmp

Filesize
100KB

Download
memory/3144-89-0x00007FF864BF0000-0x00007FF864BFD000-memory.dmp

Filesize
52KB

Download
memory/3144-90-0x00007FF8640A0000-0x00007FF8640B9000-memory.dmp

Filesize
100KB

Download
memory/3144-176-0x00007FF860B50000-0x00007FF860B64000-memory.dmp

Filesize
80KB

Download
memory/3144-93-0x00007FF860920000-0x00007FF860A8D000-memory.dmp

Filesize
1.4MB

Download
memory/3144-146-0x0000023CB72F0000-0x0000023CB7664000-memory.dmp

Filesize
3.5MB

Download
memory/3144-51-0x00007FF84EEE0000-0x00007FF84F345000-memory.dmp

Filesize
4.4MB

Download
memory/3144-439-0x00007FF860B50000-0x00007FF860B64000-memory.dmp

Filesize
80KB

Download
memory/3144-435-0x00007FF860920000-0x00007FF860A8D000-memory.dmp

Filesize
1.4MB

Download
memory/3144-427-0x00007FF84EEE0000-0x00007FF84F345000-memory.dmp

Filesize
4.4MB

Download
memory/3144-434-0x00007FF860FA0000-0x00007FF860FBE000-memory.dmp

Filesize
120KB

Download
memory/3144-428-0x00007FF861050000-0x00007FF861074000-memory.dmp

Filesize
144KB

Download
memory/3144-241-0x00007FF84EEE0000-0x00007FF84F345000-memory.dmp

Filesize
4.4MB

Download
memory/3144-229-0x00007FF8607C0000-0x00007FF8607E2000-memory.dmp

Filesize
136KB

Download
memory/3144-255-0x00007FF866400000-0x00007FF866419000-memory.dmp

Filesize
100KB

Download
memory/3144-256-0x00007FF860FA0000-0x00007FF860FBE000-memory.dmp

Filesize
120KB

Download
memory/3144-257-0x00007FF860920000-0x00007FF860A8D000-memory.dmp

Filesize
1.4MB

Download
memory/3144-259-0x00007FF85CCB0000-0x00007FF85CCE8000-memory.dmp

Filesize
224KB

Download
memory/3144-243-0x00007FF84DFF0000-0x00007FF84E6E5000-memory.dmp

Filesize
7.0MB

Download
memory/3144-238-0x00007FF861270000-0x00007FF86127A000-memory.dmp

Filesize
40KB

Download
memory/3144-216-0x00007FF8607F0000-0x00007FF860805000-memory.dmp

Filesize
84KB

Download
memory/3144-210-0x00007FF863BF0000-0x00007FF863C00000-memory.dmp

Filesize
64KB

Download
memory/3144-99-0x00007FF8608F0000-0x00007FF86091E000-memory.dmp

Filesize
184KB

Download
memory/3144-81-0x00007FF866520000-0x00007FF86652F000-memory.dmp

Filesize
60KB

Download