exelastealer | 555193b4bf22d78d744acb28089caf091ca95bdd57653dd3ac267c71708dd001

Resubmissions

20/06/2024, 20:02

240620-yr3vxsvgqg 7

20/06/2024, 19:59

240620-yqfc8svgjd 10

Analysis

max time kernel
17s
max time network
14s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/06/2024, 19:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Exela.exe
Size

21.0MB
MD5

78352c63f0742abb60ef2c4d3d6d5056
SHA1

e546b7f2f3b8415af09130bb50bec5fb3d94a6fd
SHA256

555193b4bf22d78d744acb28089caf091ca95bdd57653dd3ac267c71708dd001
SHA512

e2e91829fc1ecc67d5e8512b9064a5423dc2f718db2644d2aa67c2d3a66fce22b4c6d0f6d50d4224fffc3c37761463df3779250856bffb04a32b1aa86f0a11e7
SSDEEP

196608:KGlZOOepe+x+aPXq7n0jc/bPeNlInY7/s/bRy8rlMxRW5ygjbM:NY+X7n0jcwlIus/b02r

Score

10^/10

exelastealer defense_evasion evasion persistence privilege_escalation pyinstaller spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1556	netsh.exe
3976	netsh.exe

Loads dropped DLL 32 IoCs

pid	Process
2388	Exela.exe
2388	Exela.exe
2388	Exela.exe
2388	Exela.exe
2388	Exela.exe
2388	Exela.exe
2388	Exela.exe
2388	Exela.exe
2388	Exela.exe
2388	Exela.exe
2388	Exela.exe
2388	Exela.exe
2388	Exela.exe
2388	Exela.exe
2388	Exela.exe
2388	Exela.exe
2388	Exela.exe
2388	Exela.exe
2388	Exela.exe
2388	Exela.exe
2388	Exela.exe
2388	Exela.exe
2388	Exela.exe
2388	Exela.exe
2388	Exela.exe
2388	Exela.exe
2388	Exela.exe
2388	Exela.exe
2388	Exela.exe
2388	Exela.exe
2388	Exela.exe
2388	Exela.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023443-47.dat	upx
behavioral1/memory/2388-51-0x00007FFB95EF0000-0x00007FFB9635E000-memory.dmp	upx
behavioral1/files/0x000700000002343d-59.dat	upx
behavioral1/memory/2388-61-0x00007FFBAB820000-0x00007FFBAB82F000-memory.dmp	upx
behavioral1/memory/2388-60-0x00007FFBAA6D0000-0x00007FFBAA6F4000-memory.dmp	upx
behavioral1/files/0x0007000000023426-57.dat	upx
behavioral1/files/0x000700000002342d-62.dat	upx
behavioral1/files/0x0007000000023444-64.dat	upx
behavioral1/files/0x0007000000023424-68.dat	upx
behavioral1/memory/2388-67-0x00007FFBAA5E0000-0x00007FFBAA5ED000-memory.dmp	upx
behavioral1/memory/2388-71-0x00007FFBA5E90000-0x00007FFBA5EA9000-memory.dmp	upx
behavioral1/files/0x0007000000023429-72.dat	upx
behavioral1/files/0x000700000002342e-73.dat	upx
behavioral1/files/0x0007000000023445-75.dat	upx
behavioral1/memory/2388-78-0x00007FFBA5E40000-0x00007FFBA5E5F000-memory.dmp	upx
behavioral1/files/0x000700000002342f-81.dat	upx
behavioral1/files/0x000700000002343e-84.dat	upx
behavioral1/files/0x000700000002343c-87.dat	upx
behavioral1/memory/2388-88-0x00007FFB96550000-0x00007FFB96608000-memory.dmp	upx
behavioral1/memory/2388-89-0x00007FFB95330000-0x00007FFB956A5000-memory.dmp	upx
behavioral1/memory/2388-83-0x00007FFBA5BF0000-0x00007FFBA5C1E000-memory.dmp	upx
behavioral1/memory/2388-79-0x00007FFB96610000-0x00007FFB96779000-memory.dmp	upx
behavioral1/files/0x0007000000023422-92.dat	upx
behavioral1/files/0x000700000002342b-94.dat	upx
behavioral1/files/0x0007000000023428-98.dat	upx
behavioral1/memory/2388-102-0x00007FFBA52F0000-0x00007FFBA5304000-memory.dmp	upx
behavioral1/files/0x0007000000023448-106.dat	upx
behavioral1/memory/2388-107-0x00007FFB95EF0000-0x00007FFB9635E000-memory.dmp	upx
behavioral1/files/0x0007000000023446-104.dat	upx
behavioral1/memory/2388-103-0x00007FFBA5090000-0x00007FFBA50A4000-memory.dmp	upx
behavioral1/memory/2388-109-0x00007FFBA1C90000-0x00007FFBA1CB2000-memory.dmp	upx
behavioral1/files/0x0007000000023432-110.dat	upx
behavioral1/files/0x0007000000023423-112.dat	upx
behavioral1/memory/2388-126-0x00007FFB957C0000-0x00007FFB957D1000-memory.dmp	upx
behavioral1/memory/2388-129-0x00007FFBA58F0000-0x00007FFBA58FA000-memory.dmp	upx
behavioral1/memory/2388-128-0x00007FFBA5C20000-0x00007FFBA5C39000-memory.dmp	upx
behavioral1/files/0x0007000000023430-127.dat	upx
behavioral1/memory/2388-125-0x00007FFB96360000-0x00007FFB963AC000-memory.dmp	upx
behavioral1/memory/2388-124-0x00007FFB963B0000-0x00007FFB963C9000-memory.dmp	upx
behavioral1/memory/2388-123-0x00007FFB957E0000-0x00007FFB958AF000-memory.dmp	upx
behavioral1/memory/2388-122-0x00007FFB9C0B0000-0x00007FFB9C0C7000-memory.dmp	upx
behavioral1/memory/2388-121-0x00007FFBAA6D0000-0x00007FFBAA6F4000-memory.dmp	upx
behavioral1/files/0x0007000000023435-119.dat	upx
behavioral1/files/0x0007000000023433-117.dat	upx
behavioral1/files/0x0007000000023434-115.dat	upx
behavioral1/files/0x000700000002343b-131.dat	upx
behavioral1/files/0x0007000000023439-132.dat	upx
behavioral1/memory/2388-133-0x00007FFB95720000-0x00007FFB9573E000-memory.dmp	upx
behavioral1/memory/2388-108-0x00007FFB958B0000-0x00007FFB959C8000-memory.dmp	upx
behavioral1/memory/2388-101-0x00007FFBA5920000-0x00007FFBA5930000-memory.dmp	upx
behavioral1/memory/2388-100-0x00007FFBA5AA0000-0x00007FFBA5AB5000-memory.dmp	upx
behavioral1/files/0x0007000000023440-96.dat	upx
behavioral1/memory/2388-77-0x00007FFBA5E60000-0x00007FFBA5E8D000-memory.dmp	upx
behavioral1/memory/2388-135-0x00007FFB94650000-0x00007FFB94D45000-memory.dmp	upx
behavioral1/memory/2388-66-0x00007FFBA5C20000-0x00007FFBA5C39000-memory.dmp	upx
behavioral1/files/0x0007000000023425-136.dat	upx
behavioral1/memory/2388-138-0x00007FFBA5E40000-0x00007FFBA5E5F000-memory.dmp	upx
behavioral1/memory/2388-140-0x00007FFBA59B0000-0x00007FFBA59E8000-memory.dmp	upx
behavioral1/memory/2388-139-0x00007FFB96610000-0x00007FFB96779000-memory.dmp	upx
behavioral1/files/0x000700000002342c-188.dat	upx
behavioral1/memory/2388-190-0x00007FFBA5BF0000-0x00007FFBA5C1E000-memory.dmp	upx
behavioral1/memory/2388-191-0x00007FFBA5E30000-0x00007FFBA5E3D000-memory.dmp	upx
behavioral1/memory/2388-208-0x00007FFB96550000-0x00007FFB96608000-memory.dmp	upx
behavioral1/memory/2388-209-0x00007FFB95330000-0x00007FFB956A5000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ip-api.com

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1156	cmd.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2064	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x00030000000229d4-152.dat	pyinstaller

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
4756	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
536	WMIC.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

Process Discovery

T1057

pid	Process
1216	tasklist.exe
4736	tasklist.exe
2156	tasklist.exe
3604	tasklist.exe
5052	tasklist.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4076	ipconfig.exe
1648	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2556	systeminfo.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2676	powershell.exe
2676	powershell.exe
2676	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	536	WMIC.exe
Token: SeSecurityPrivilege	536	WMIC.exe
Token: SeTakeOwnershipPrivilege	536	WMIC.exe
Token: SeLoadDriverPrivilege	536	WMIC.exe
Token: SeSystemProfilePrivilege	536	WMIC.exe
Token: SeSystemtimePrivilege	536	WMIC.exe
Token: SeProfSingleProcessPrivilege	536	WMIC.exe
Token: SeIncBasePriorityPrivilege	536	WMIC.exe
Token: SeCreatePagefilePrivilege	536	WMIC.exe
Token: SeBackupPrivilege	536	WMIC.exe
Token: SeRestorePrivilege	536	WMIC.exe
Token: SeShutdownPrivilege	536	WMIC.exe
Token: SeDebugPrivilege	536	WMIC.exe
Token: SeSystemEnvironmentPrivilege	536	WMIC.exe
Token: SeRemoteShutdownPrivilege	536	WMIC.exe
Token: SeUndockPrivilege	536	WMIC.exe
Token: SeManageVolumePrivilege	536	WMIC.exe
Token: 33	536	WMIC.exe
Token: 34	536	WMIC.exe
Token: 35	536	WMIC.exe
Token: 36	536	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2212	WMIC.exe
Token: SeSecurityPrivilege	2212	WMIC.exe
Token: SeTakeOwnershipPrivilege	2212	WMIC.exe
Token: SeLoadDriverPrivilege	2212	WMIC.exe
Token: SeSystemProfilePrivilege	2212	WMIC.exe
Token: SeSystemtimePrivilege	2212	WMIC.exe
Token: SeProfSingleProcessPrivilege	2212	WMIC.exe
Token: SeIncBasePriorityPrivilege	2212	WMIC.exe
Token: SeCreatePagefilePrivilege	2212	WMIC.exe
Token: SeBackupPrivilege	2212	WMIC.exe
Token: SeRestorePrivilege	2212	WMIC.exe
Token: SeShutdownPrivilege	2212	WMIC.exe
Token: SeDebugPrivilege	2212	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2212	WMIC.exe
Token: SeRemoteShutdownPrivilege	2212	WMIC.exe
Token: SeUndockPrivilege	2212	WMIC.exe
Token: SeManageVolumePrivilege	2212	WMIC.exe
Token: 33	2212	WMIC.exe
Token: 34	2212	WMIC.exe
Token: 35	2212	WMIC.exe
Token: 36	2212	WMIC.exe
Token: SeDebugPrivilege	3604	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2212	WMIC.exe
Token: SeSecurityPrivilege	2212	WMIC.exe
Token: SeTakeOwnershipPrivilege	2212	WMIC.exe
Token: SeLoadDriverPrivilege	2212	WMIC.exe
Token: SeSystemProfilePrivilege	2212	WMIC.exe
Token: SeSystemtimePrivilege	2212	WMIC.exe
Token: SeProfSingleProcessPrivilege	2212	WMIC.exe
Token: SeIncBasePriorityPrivilege	2212	WMIC.exe
Token: SeCreatePagefilePrivilege	2212	WMIC.exe
Token: SeBackupPrivilege	2212	WMIC.exe
Token: SeRestorePrivilege	2212	WMIC.exe
Token: SeShutdownPrivilege	2212	WMIC.exe
Token: SeDebugPrivilege	2212	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2212	WMIC.exe
Token: SeRemoteShutdownPrivilege	2212	WMIC.exe
Token: SeUndockPrivilege	2212	WMIC.exe
Token: SeManageVolumePrivilege	2212	WMIC.exe
Token: 33	2212	WMIC.exe
Token: 34	2212	WMIC.exe
Token: 35	2212	WMIC.exe
Token: 36	2212	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2388	Exela.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 2388	224	Exela.exe	84
PID 224 wrote to memory of 2388	224	Exela.exe	84
PID 2388 wrote to memory of 1288	2388	Exela.exe	87
PID 2388 wrote to memory of 1288	2388	Exela.exe	87
PID 2388 wrote to memory of 2640	2388	Exela.exe	89
PID 2388 wrote to memory of 2640	2388	Exela.exe	89
PID 2388 wrote to memory of 2144	2388	Exela.exe	90
PID 2388 wrote to memory of 2144	2388	Exela.exe	90
PID 2388 wrote to memory of 2892	2388	Exela.exe	92
PID 2388 wrote to memory of 2892	2388	Exela.exe	92
PID 2388 wrote to memory of 2824	2388	Exela.exe	93
PID 2388 wrote to memory of 2824	2388	Exela.exe	93
PID 2640 wrote to memory of 536	2640	cmd.exe	97
PID 2640 wrote to memory of 536	2640	cmd.exe	97
PID 2144 wrote to memory of 2212	2144	cmd.exe	98
PID 2144 wrote to memory of 2212	2144	cmd.exe	98
PID 2824 wrote to memory of 3604	2824	cmd.exe	99
PID 2824 wrote to memory of 3604	2824	cmd.exe	99
PID 2388 wrote to memory of 968	2388	Exela.exe	101
PID 2388 wrote to memory of 968	2388	Exela.exe	101
PID 968 wrote to memory of 2160	968	cmd.exe	103
PID 968 wrote to memory of 2160	968	cmd.exe	103
PID 2388 wrote to memory of 876	2388	Exela.exe	104
PID 2388 wrote to memory of 876	2388	Exela.exe	104
PID 2388 wrote to memory of 408	2388	Exela.exe	105
PID 2388 wrote to memory of 408	2388	Exela.exe	105
PID 876 wrote to memory of 4180	876	cmd.exe	108
PID 876 wrote to memory of 4180	876	cmd.exe	108
PID 408 wrote to memory of 5052	408	cmd.exe	109
PID 408 wrote to memory of 5052	408	cmd.exe	109
PID 2388 wrote to memory of 1156	2388	Exela.exe	110
PID 2388 wrote to memory of 1156	2388	Exela.exe	110
PID 1156 wrote to memory of 2176	1156	cmd.exe	114
PID 1156 wrote to memory of 2176	1156	cmd.exe	114
PID 2388 wrote to memory of 3868	2388	Exela.exe	115
PID 2388 wrote to memory of 3868	2388	Exela.exe	115
PID 2388 wrote to memory of 4440	2388	Exela.exe	117
PID 2388 wrote to memory of 4440	2388	Exela.exe	117
PID 3868 wrote to memory of 4160	3868	cmd.exe	119
PID 3868 wrote to memory of 4160	3868	cmd.exe	119
PID 4440 wrote to memory of 1216	4440	cmd.exe	120
PID 4440 wrote to memory of 1216	4440	cmd.exe	120
PID 2388 wrote to memory of 996	2388	Exela.exe	121
PID 2388 wrote to memory of 996	2388	Exela.exe	121
PID 2388 wrote to memory of 5000	2388	Exela.exe	122
PID 2388 wrote to memory of 5000	2388	Exela.exe	122
PID 2388 wrote to memory of 2752	2388	Exela.exe	123
PID 2388 wrote to memory of 2752	2388	Exela.exe	123
PID 2388 wrote to memory of 2044	2388	Exela.exe	124
PID 2388 wrote to memory of 2044	2388	Exela.exe	124
PID 2752 wrote to memory of 4736	2752	cmd.exe	129
PID 2752 wrote to memory of 4736	2752	cmd.exe	129
PID 996 wrote to memory of 2360	996	cmd.exe	130
PID 996 wrote to memory of 2360	996	cmd.exe	130
PID 5000 wrote to memory of 4596	5000	cmd.exe	131
PID 5000 wrote to memory of 4596	5000	cmd.exe	131
PID 2360 wrote to memory of 5004	2360	cmd.exe	132
PID 2360 wrote to memory of 5004	2360	cmd.exe	132
PID 2044 wrote to memory of 2676	2044	cmd.exe	133
PID 2044 wrote to memory of 2676	2044	cmd.exe	133
PID 4596 wrote to memory of 816	4596	cmd.exe	134
PID 4596 wrote to memory of 816	4596	cmd.exe	134
PID 2388 wrote to memory of 1936	2388	Exela.exe	135
PID 2388 wrote to memory of 1936	2388	Exela.exe	135

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2176	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Exela.exe
"C:\Users\Admin\AppData\Local\Temp\Exela.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:224
- C:\Users\Admin\AppData\Local\Temp\Exela.exe
  "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:1288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:2892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3604
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:968
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      PID:2160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:876
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4180
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:408
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:5052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:1156
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Views/modifies file attributes
      PID:2176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3868
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:4160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4440
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:1216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:996
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2360
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:5004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5000
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4596
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2752
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    PID:1936
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      PID:4360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    PID:1908
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2556
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:1896
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      PID:4756
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:760
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:1600
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:2312
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:3248
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:376
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:3064
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:2040
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:4828
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:408
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:2108
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:1584
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:372
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:1248
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:2156
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:4076
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:3476
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      PID:4956
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      Gathers network information
      PID:1648
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:2064
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1556
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4832
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2360
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe

Filesize
21.0MB

MD5
78352c63f0742abb60ef2c4d3d6d5056

SHA1
e546b7f2f3b8415af09130bb50bec5fb3d94a6fd

SHA256
555193b4bf22d78d744acb28089caf091ca95bdd57653dd3ac267c71708dd001

SHA512
e2e91829fc1ecc67d5e8512b9064a5423dc2f718db2644d2aa67c2d3a66fce22b4c6d0f6d50d4224fffc3c37761463df3779250856bffb04a32b1aa86f0a11e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\_asyncio.pyd

Filesize
34KB

MD5
ab7aea7bb7671b3f59609df0b629b42c

SHA1
7b1ae7eecdee0bf9e5cf623ab8d83ec1b40694ad

SHA256
ee09c6b8c936fe1ca6b53db6e29e96f7b086beeb4665fb84c8097f59dd34a978

SHA512
3090f8711c87fa79c92fdfbfd782a198f6d29837171e90d27e9d39ffae9a7e129269621e021844f75ccc8576bad3ebd2efffe662c7e49407bb6a0d9c46fa18e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\_brotli.cp310-win_amd64.pyd

Filesize
274KB

MD5
9c5a11f077905cbd3dc42a233461b22e

SHA1
adb51dd54404d9018238a05218ae8e293c514b80

SHA256
5b56a8861637db3cde975d5f7c1a38616d7df89a34adeaa62f715bbf3e7889bb

SHA512
cd52b809d621aeed2a7b4b4e843388cf222b793ca34d76f7b89f0cc587fb6592b4221b938b69a152bfb9e01baca134a34c1b382ecd56cb4a9dc1f434a32d4b19

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\_bz2.pyd

Filesize
46KB

MD5
5de42dcdda26e4aa3d67feaea37d8e14

SHA1
1f76eba020b7699253609aaa4716740ab68212f0

SHA256
1ebf1762129ffd0a1186b51741301e74309744b068f5c5e9f9a4292b7406b992

SHA512
03d2c363335e91dfb653e08ae5b13a1bbce525f7d031514c62b756a92c4d0a259d4dd6a56a8fc291f0a14b4ffd20bad528fe587dfb80dc6f36f184dde821a4e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\_cffi_backend.cp310-win_amd64.pyd

Filesize
71KB

MD5
0d43a42cb44ecb9785ccc090a3de3d8f

SHA1
2f77cfa195cfe024d42e2ed287e2194685ec5d7d

SHA256
fdaa50a83947ec292e1773043f077cddfefbb52e53d5575b175eab5987de3242

SHA512
5968654a976699b4653d44912b34fc67a59d821d9e45f271d7d94b18b1a255c265f9e85460b570be04983b15268547a451e5385064616ab750b825b156c4643e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\_ctypes.pyd

Filesize
56KB

MD5
01157576d82ed340222e0ff076d157f1

SHA1
6479423eb11d47287174a2484ad9529581de3420

SHA256
36ac4f79c8d502f4dc7a6dd963a595b9df735e33f1b384159782180d71ca441a

SHA512
2821cfb5ee1df2ff22b181a35d4525f60d25d1c049b04f5eddb4f61d66216456954483eccbce5363c5be4b5835a8fbafeebeec4b8846d05826d18621735ba656

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\_hashlib.pyd

Filesize
33KB

MD5
b854bac8dc98fa9d95773e3e53a34d25

SHA1
a500ed4b7c4ce15e9f172214119d3dc6d65bd917

SHA256
9184904bee283ca3e5b57c62f3abea51379a4689267a2305f4baf0116385d2f4

SHA512
0c245a38d949f3e8cf9b330fbaafcdfc26eecfbc0f08afeedbc3e78142263d88841a5f0e650807acc77d63c87d7e0ed918d9d1418eede67dbabb73a4ba2648a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\_lzma.pyd

Filesize
84KB

MD5
5184313f1019787971f9794cf66a4d43

SHA1
0ff09555a726584edf1c87f9d5a52afd40c0ebbc

SHA256
b8735ad1cbc4249d442ae54c0bca50def626fc642178d14e8be80c11ce081cd7

SHA512
b8f187b5cf8d5148f6d501fe361da6545b267156d22dc57761cbf53c9345950c5f92f3ff3180f53d851076092014f7576a2436c0e1993c346b97ea013343d232

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\_overlapped.pyd

Filesize
30KB

MD5
176f0247368a95c1f80657f4815f18b1

SHA1
7b4dc38c54f8acfc8c09aed83379052f5ca05feb

SHA256
5d4de99ef2b2da52bb780adc4c6a3777e852f9adf48daf8fe12108ff3d4ff7c0

SHA512
8f8818357fdf03880ba9b04acb613860874262c42e7352bba7734e6f42c11fa7ee9e16002da99428a1a02f5ba9fc7fd0e7d0f63cdddba95a4f1fb1805b32728f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\_queue.pyd

Filesize
24KB

MD5
c918ba828af3ff81deb38850f1c06ca1

SHA1
74531d22587f183237ab5418f5ece4c4bdbe2d0a

SHA256
3437a4f24b25c527f6db9d883b1070639e396d25bbea7c9e60f0ceb102dfdec4

SHA512
22d759f77fc4b3f4b4c542a1d67e3ef0c69bfdd2bf69d53feca709a26ed78de1320b90feec8225b44de612d95a6b71ec9400062dbd509e0099d5759fbdc1826e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\_socket.pyd

Filesize
41KB

MD5
8fd42cb0e0ce00652b848ed97b3cce8a

SHA1
c9e7cf4b274d4ed54063b038908846c09aea499b

SHA256
f3990dc1a32db5508e599633d3568c4041899edaeacc44712c685bc559ff2cab

SHA512
20aa93ae7bf2d4cca3777ec566f6e173db05f7f087e10e322fe977939f069e5cb62e96942c5ce0eb8461cd13a5017f265752ea807249b53fe90ce5f6802cbcd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\_sqlite3.pyd

Filesize
48KB

MD5
03c9a8df0b71fb8a1dde39d8e13604e7

SHA1
19c7d73a8b4d92a486a702b7e61fd5bf881edfa1

SHA256
d8252ae3cd3a8a3df7ec666e37dfb1bd033b9ea03d77f4943dde8d1060e83874

SHA512
ab4aa9a6fc2e5c2041e54039a37ea2b81f03b68ab3996eecea7da66f298992537e95da6c83c57cb63a45ed6498b4c9fa007f11675322adc2aa24546842b3f10c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\_ssl.pyd

Filesize
60KB

MD5
fb89150cbed66664ffe65ac8439cfb2d

SHA1
f5cdbcbf77827e2a5afc03e2a26e9fa9dbce11eb

SHA256
57ff22d8431ae1e74f7dfcb410f1f13deb347e5bc7d40f5eaf59eb58cf7e1019

SHA512
3abb9a23e12731c8b7bab9a73c2564f11c9e3dd1a2eea1b53658bd7d93f4ba8ed63125fad419251a8217343d4c125c52170e018f7ab692a9abdee789c5305531

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\_uuid.pyd

Filesize
21KB

MD5
a491e321dcec51d082d3cd568101f551

SHA1
9fce893ee676b01265694c735dfe7591c1d9e0c0

SHA256
feab661f17c839821ce0dc07d89bf714442ad2d3826e603afa1a1f05372c33c8

SHA512
d8efe3091a39fe7b71f8837f154dbfbcda8a1bf187884c55a2d9488e7ab634db856b1c926f398ac509c79c314ce59e3cae5d47e048bbc7b6a5a213251b50a5b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\aiohttp\_helpers.cp310-win_amd64.pyd

Filesize
26KB

MD5
24b04e53107114e2dc13f44774e31832

SHA1
01d1d62f47f0d18795c2ccf7ea660a9d20a760e2

SHA256
aaebb74eee86318e3e40b13ae29b0cd2fb53a7b5963dc8ad47a5acf6b3ea9bf4

SHA512
7fec582436b54148459dac4565b801a227831b04bb3f2da1fad6cfa340882009df82327c7992fa40e72635fc472bbc4d936c9c91935edeb0ca1dc13b3c3de2c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\aiohttp\_http_parser.cp310-win_amd64.pyd

Filesize
80KB

MD5
fa4f8f1f441d4484676434f3259d2636

SHA1
3cc48b6fd3a9e095ad260db1e0b63089d2790974

SHA256
30107fa8ac62ae46dd41b60f7aff883cfff7e61c225986bf942a332738b915fa

SHA512
aefd22279ebc75d1b9c8af9176e69a935ba6257680fa4ad0c4662a83470b1e201a42e20776cc0bcb9e6981b7861d6805b1d2154237b42b759fcd0df3707c8e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\aiohttp\_http_writer.cp310-win_amd64.pyd

Filesize
24KB

MD5
50dea505ca281aa212ed274c4a6c8dee

SHA1
9c00ebb80f75016122f0e17d16b4e328930c97f2

SHA256
cf37a3202197a4a51ad604ad054ca056daa23e86d8b4d731aeba76128bd463f2

SHA512
0ff2345a05c8333eda7f68017ca0fb9979ebf2d73575bb9fe17979e86ce226d43bc8942ff5f217cd48afebec782963483c7c00e8de9ad70c377f026a1606afc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\aiohttp\_websocket.cp310-win_amd64.pyd

Filesize
19KB

MD5
d568b417c5f56eda3d369c1ec727cbed

SHA1
eea5b25c417c87913ce0cd7a2d78e80ea658115c

SHA256
6dfa4510da740660fc4f70a79a83b817e55cdb31dd8a393fe78db223ea7b20f3

SHA512
d1749d01a2d64dc1a3182af9b840f4ddadb8f587c403f8a99963fa5a23621f695dc19f6531e1c182219e28d89e4e2f8f55e7b4b9f1f90d673c45302871cbd4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\base_library.zip

Filesize
812KB

MD5
df49d14d6d87d17ccb2232ed029d8510

SHA1
ca56b190e4084b80b9d877b82fe7844bfb1582e5

SHA256
6ac784b703838cd3ff725b2b694e9656d09075db7a42d5ea1616c7ab0198be30

SHA512
d6dd9c42ce66381b9a2be1b72492ff8b71aee5be58d2d5e23d480f335330008ab512e462ce5826e6ab8d4ad480727a45039a2fa8dd7c3a37c09c9cf8864b29ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\cryptography\hazmat\bindings\_rust.pyd

Filesize
2.0MB

MD5
b9f1c1de19b85486e36f7dfcfb5da708

SHA1
939d97a69b46ec9b8cc34da2623b141a608b4c35

SHA256
a502a97210240cd31bab64285a22050e409553de03b7cff981dd17c409d8829b

SHA512
d7cb707837c113579d6130ae3bfb7dc066521efb6ae843d31b27306ae81ea435c5a20408bdb917025b56073dfdf5955198570585f8ab226f36ffe77edf6090d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\frozenlist\_frozenlist.cp310-win_amd64.pyd

Filesize
36KB

MD5
703c3909c2a463ae1a766e10c45c9e5a

SHA1
37a1db87e074e9cd9191b1b8d8cc60894adeaf73

SHA256
e7f39b40ba621edfd0dceda41ccdead7c8e96dd1fa34035186db41d26ddee803

SHA512
1c46832b1b7645e3720da6cca170516a38b9fe6a10657e3f5a905166b770c611416c563683ce540b33bc36d37c4a594231e0757458091e3ae9968da2ff029515

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\libcrypto-1_1.dll

Filesize
1.1MB

MD5
9c2ffedb0ae90b3985e5cdbedd3363e9

SHA1
a475fbe289a716e1fbe2eab97f76dbba1da322a9

SHA256
7c9418ad6fb6d15acb7d340b7a6533f76337ad302a18e2b4e08d4ee37689913a

SHA512
70d2635d42e24c7426cf5306ed010808f2222049915adb43ffc12c13259c8e7a9fee3a49e096d5ba2b6b733fef18574823d00df2e8d7fb1532e1d65d0c478008

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\libffi-7.dll

Filesize
23KB

MD5
8e1d2a11b94e84eaa382d6a680d93f17

SHA1
07750d78022d387292525a7d8385687229795cf1

SHA256
090a90cd17b74abefddf9f82d145effe5c676e7c62cf1a59834528f512d7ee82

SHA512
213bf92a707b14211941e5e071f1926be4b5795babc6df0d168b623ecd6cb7c7e0ae4320369c51d75c75b38ec282b5bf77f15eb94018ae74c8fd14f328b45a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\libssl-1_1.dll

Filesize
203KB

MD5
87bb1a8526b475445b2d7fd298c57587

SHA1
aaad18ea92b132ca74942fd5a9f4c901d02d9b09

SHA256
c35a97d8f24ea84d1e39a8621b6b3027c9ac24885bdd37386c9fcaad1858419d

SHA512
956bd8e9f35c917cbfb570fc633bb2df0d1c2686731fa7179f5e7cd8789e665dd6ff8443e712eafa4e3f8d8661f933cb5675aeb1a2efc195c3bb32211e6d2506

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\multidict\_multidict.cp310-win_amd64.pyd

Filesize
20KB

MD5
d282e94282a608185de94e591889e067

SHA1
7d510c2c89c9bd5546cee8475e801df555e620bc

SHA256
84726536b40ff136c6d739d290d7660cd9514e787ab8cefbcbb7c3a8712b69aa

SHA512
e413f7d88dd896d387af5c3cfe3943ba794925c70ffb5f523a200c890bf9ceb6e4da74abe0b1b07d5e7818628cd9bc1f45ebc4e9d1e4316dd4ae27ea5f5450d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\python3.DLL

Filesize
63KB

MD5
e0ca371cb1e69e13909bfbd2a7afc60e

SHA1
955c31d85770ae78e929161d6b73a54065187f9e

SHA256
abb50921ef463263acd7e9be19862089045074ea332421d82e765c5f2163e78a

SHA512
dd5a980ba72e4e7be81b927d140e408ad06c7be51b4f509737faee5514e85a42d47518213da1c3e77c25f9bd2eb2109fca173d73d710ff57e6a88a2ff971d0b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\python310.dll

Filesize
1.4MB

MD5
c37c30d5cae995bffccc0da265f585ad

SHA1
635668cc5979b81116e0773ab668b1321a91f1c4

SHA256
0b0fc0295c3dbde7021a8224c0c3c842857b416cbccc386b3fce68e442831efe

SHA512
cdaac867ad82eee964a44c41fa8b726b227d10e95e89842dfec8cf29fea71ad53f535e5cb4249af62fbc343ca699795919ba18efde786048fdc9fa74b1fd3d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\select.pyd

Filesize
24KB

MD5
95d036555ab54da526acb5420d54848f

SHA1
3c96a901a428e9dae904001eedc270045c043382

SHA256
08031745dc12a3c96349a3f94f04a7756bd8b7e5eb9b9ce6ce77aca82194f9b7

SHA512
a603ad7ea9c2182e46d92db347b34db6974d9e8db8c53c5cd1ad34262771acd137605cc6303ea81745d3a548126fd0e677e402168f3468b7316e745ef5cfb8be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\sqlite3.dll

Filesize
606KB

MD5
c59f0b781b3ef33cf7caba7017b5f6f1

SHA1
ac5c99d8c2cb4ab43bc81526ecde6cef63c41540

SHA256
1c7502d800a0b7f884de8fba2e39c59102c828f6b2d4e1152f1edef70d30c880

SHA512
fd6d22aff8470fa2c516f669d37495b977c32ca4325f37990860e6133781397f6525547c8ae0230bbb9d658d89f9904d6a744232a2ee2f5dd58671ce07d4bef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\unicodedata.pyd

Filesize
288KB

MD5
5e0ed31e6ca1ad3d9b055c2684e7c029

SHA1
896a2155855531793ee7d753ce980ba434463982

SHA256
0fc3b411684836f4731e08fadaaa59f198dbb2b576a267def19eea33b29e51c5

SHA512
02a6bb34d750ea95f6b52562729dc30aad9bef332cb04f98b0fbe45f76510766c0ffc0dca5356136c1738116543645743c0aca44251bdaae226a3e2c59a58ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI2242\yarl\_quoting_c.cp310-win_amd64.pyd

Filesize
40KB

MD5
50dee02b7fe56be5b7ae5bd09faa41ef

SHA1
69123e3aabd7070a551e44336f9ed83d96d333f8

SHA256
91067e48b7dff282a92995afaffff637f8a3b1164d05a25aea0393d5366c6b52

SHA512
7a67c23513a695b2fc527df264564ee08d29d98f0d99ff0700d1c54fbca0c519fa224fc2b5ff696cf016da9001e41842d35afb4fb4c06acf9e9aff08ca2d7dd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_omfejlq2.jnc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2388-77-0x00007FFBA5E60000-0x00007FFBA5E8D000-memory.dmp

Filesize
180KB

Download
memory/2388-211-0x00007FFBA5AA0000-0x00007FFBA5AB5000-memory.dmp

Filesize
84KB

Download
memory/2388-103-0x00007FFBA5090000-0x00007FFBA50A4000-memory.dmp

Filesize
80KB

Download
memory/2388-107-0x00007FFB95EF0000-0x00007FFB9635E000-memory.dmp

Filesize
4.4MB

Download
memory/2388-126-0x00007FFB957C0000-0x00007FFB957D1000-memory.dmp

Filesize
68KB

Download
memory/2388-129-0x00007FFBA58F0000-0x00007FFBA58FA000-memory.dmp

Filesize
40KB

Download
memory/2388-128-0x00007FFBA5C20000-0x00007FFBA5C39000-memory.dmp

Filesize
100KB

Download
memory/2388-102-0x00007FFBA52F0000-0x00007FFBA5304000-memory.dmp

Filesize
80KB

Download
memory/2388-125-0x00007FFB96360000-0x00007FFB963AC000-memory.dmp

Filesize
304KB

Download
memory/2388-124-0x00007FFB963B0000-0x00007FFB963C9000-memory.dmp

Filesize
100KB

Download
memory/2388-123-0x00007FFB957E0000-0x00007FFB958AF000-memory.dmp

Filesize
828KB

Download
memory/2388-122-0x00007FFB9C0B0000-0x00007FFB9C0C7000-memory.dmp

Filesize
92KB

Download
memory/2388-121-0x00007FFBAA6D0000-0x00007FFBAA6F4000-memory.dmp

Filesize
144KB

Download
memory/2388-79-0x00007FFB96610000-0x00007FFB96779000-memory.dmp

Filesize
1.4MB

Download
memory/2388-83-0x00007FFBA5BF0000-0x00007FFBA5C1E000-memory.dmp

Filesize
184KB

Download
memory/2388-89-0x00007FFB95330000-0x00007FFB956A5000-memory.dmp

Filesize
3.5MB

Download
memory/2388-90-0x00000127AC150000-0x00000127AC4C5000-memory.dmp

Filesize
3.5MB

Download
memory/2388-88-0x00007FFB96550000-0x00007FFB96608000-memory.dmp

Filesize
736KB

Download
memory/2388-133-0x00007FFB95720000-0x00007FFB9573E000-memory.dmp

Filesize
120KB

Download
memory/2388-108-0x00007FFB958B0000-0x00007FFB959C8000-memory.dmp

Filesize
1.1MB

Download
memory/2388-101-0x00007FFBA5920000-0x00007FFBA5930000-memory.dmp

Filesize
64KB

Download
memory/2388-100-0x00007FFBA5AA0000-0x00007FFBA5AB5000-memory.dmp

Filesize
84KB

Download
memory/2388-78-0x00007FFBA5E40000-0x00007FFBA5E5F000-memory.dmp

Filesize
124KB

Download
memory/2388-71-0x00007FFBA5E90000-0x00007FFBA5EA9000-memory.dmp

Filesize
100KB

Download
memory/2388-135-0x00007FFB94650000-0x00007FFB94D45000-memory.dmp

Filesize
7.0MB

Download
memory/2388-66-0x00007FFBA5C20000-0x00007FFBA5C39000-memory.dmp

Filesize
100KB

Download
memory/2388-67-0x00007FFBAA5E0000-0x00007FFBAA5ED000-memory.dmp

Filesize
52KB

Download
memory/2388-138-0x00007FFBA5E40000-0x00007FFBA5E5F000-memory.dmp

Filesize
124KB

Download
memory/2388-140-0x00007FFBA59B0000-0x00007FFBA59E8000-memory.dmp

Filesize
224KB

Download
memory/2388-139-0x00007FFB96610000-0x00007FFB96779000-memory.dmp

Filesize
1.4MB

Download
memory/2388-60-0x00007FFBAA6D0000-0x00007FFBAA6F4000-memory.dmp

Filesize
144KB

Download
memory/2388-61-0x00007FFBAB820000-0x00007FFBAB82F000-memory.dmp

Filesize
60KB

Download
memory/2388-190-0x00007FFBA5BF0000-0x00007FFBA5C1E000-memory.dmp

Filesize
184KB

Download
memory/2388-191-0x00007FFBA5E30000-0x00007FFBA5E3D000-memory.dmp

Filesize
52KB

Download
memory/2388-51-0x00007FFB95EF0000-0x00007FFB9635E000-memory.dmp

Filesize
4.4MB

Download
memory/2388-276-0x00007FFBA59B0000-0x00007FFBA59E8000-memory.dmp

Filesize
224KB

Download
memory/2388-208-0x00007FFB96550000-0x00007FFB96608000-memory.dmp

Filesize
736KB

Download
memory/2388-209-0x00007FFB95330000-0x00007FFB956A5000-memory.dmp

Filesize
3.5MB

Download
memory/2388-210-0x00000127AC150000-0x00000127AC4C5000-memory.dmp

Filesize
3.5MB

Download
memory/2388-109-0x00007FFBA1C90000-0x00007FFBA1CB2000-memory.dmp

Filesize
136KB

Download
memory/2388-212-0x00007FFBA5920000-0x00007FFBA5930000-memory.dmp

Filesize
64KB

Download
memory/2388-222-0x00007FFBAA6D0000-0x00007FFBAA6F4000-memory.dmp

Filesize
144KB

Download
memory/2388-242-0x00007FFB96360000-0x00007FFB963AC000-memory.dmp

Filesize
304KB

Download
memory/2388-247-0x00007FFBA59B0000-0x00007FFBA59E8000-memory.dmp

Filesize
224KB

Download
memory/2388-246-0x00007FFB94650000-0x00007FFB94D45000-memory.dmp

Filesize
7.0MB

Download
memory/2388-241-0x00007FFB963B0000-0x00007FFB963C9000-memory.dmp

Filesize
100KB

Download
memory/2388-239-0x00007FFB9C0B0000-0x00007FFB9C0C7000-memory.dmp

Filesize
92KB

Download
memory/2388-238-0x00007FFBA1C90000-0x00007FFBA1CB2000-memory.dmp

Filesize
136KB

Download
memory/2388-233-0x00007FFBA5AA0000-0x00007FFBA5AB5000-memory.dmp

Filesize
84KB

Download
memory/2388-229-0x00007FFB96610000-0x00007FFB96779000-memory.dmp

Filesize
1.4MB

Download
memory/2388-228-0x00007FFBA5E40000-0x00007FFBA5E5F000-memory.dmp

Filesize
124KB

Download
memory/2388-221-0x00007FFB95EF0000-0x00007FFB9635E000-memory.dmp

Filesize
4.4MB

Download
memory/2388-279-0x00007FFBAA6D0000-0x00007FFBAA6F4000-memory.dmp

Filesize
144KB

Download
memory/2388-288-0x00007FFB96550000-0x00007FFB96608000-memory.dmp

Filesize
736KB

Download
memory/2388-289-0x00007FFB95330000-0x00007FFB956A5000-memory.dmp

Filesize
3.5MB

Download
memory/2388-287-0x00007FFBA5BF0000-0x00007FFBA5C1E000-memory.dmp

Filesize
184KB

Download
memory/2388-286-0x00007FFB96610000-0x00007FFB96779000-memory.dmp

Filesize
1.4MB

Download
memory/2388-285-0x00007FFBA5E40000-0x00007FFBA5E5F000-memory.dmp

Filesize
124KB

Download
memory/2388-284-0x00007FFBA5E60000-0x00007FFBA5E8D000-memory.dmp

Filesize
180KB

Download
memory/2388-283-0x00007FFBA5E90000-0x00007FFBA5EA9000-memory.dmp

Filesize
100KB

Download
memory/2388-282-0x00007FFBA1C90000-0x00007FFBA1CB2000-memory.dmp

Filesize
136KB

Download
memory/2388-281-0x00007FFBA5C20000-0x00007FFBA5C39000-memory.dmp

Filesize
100KB

Download
memory/2388-280-0x00007FFBAB820000-0x00007FFBAB82F000-memory.dmp

Filesize
60KB

Download
memory/2388-275-0x00007FFB94650000-0x00007FFB94D45000-memory.dmp

Filesize
7.0MB

Download
memory/2388-274-0x00007FFB95720000-0x00007FFB9573E000-memory.dmp

Filesize
120KB

Download
memory/2388-273-0x00007FFBA58F0000-0x00007FFBA58FA000-memory.dmp

Filesize
40KB

Download
memory/2388-272-0x00007FFB957C0000-0x00007FFB957D1000-memory.dmp

Filesize
68KB

Download
memory/2388-271-0x00007FFB96360000-0x00007FFB963AC000-memory.dmp

Filesize
304KB

Download
memory/2388-270-0x00007FFB963B0000-0x00007FFB963C9000-memory.dmp

Filesize
100KB

Download
memory/2388-269-0x00007FFB957E0000-0x00007FFB958AF000-memory.dmp

Filesize
828KB

Download
memory/2388-268-0x00007FFB9C0B0000-0x00007FFB9C0C7000-memory.dmp

Filesize
92KB

Download
memory/2388-266-0x00007FFB958B0000-0x00007FFB959C8000-memory.dmp

Filesize
1.1MB

Download
memory/2388-265-0x00007FFBA5090000-0x00007FFBA50A4000-memory.dmp

Filesize
80KB

Download
memory/2388-264-0x00007FFBA52F0000-0x00007FFBA5304000-memory.dmp

Filesize
80KB

Download
memory/2388-263-0x00007FFBA5920000-0x00007FFBA5930000-memory.dmp

Filesize
64KB

Download
memory/2388-262-0x00007FFBA5AA0000-0x00007FFBA5AB5000-memory.dmp

Filesize
84KB

Download
memory/2388-250-0x00007FFB95EF0000-0x00007FFB9635E000-memory.dmp

Filesize
4.4MB

Download
memory/2388-278-0x00007FFBAA5E0000-0x00007FFBAA5ED000-memory.dmp

Filesize
52KB

Download
memory/2388-277-0x00007FFBA5E30000-0x00007FFBA5E3D000-memory.dmp

Filesize
52KB

Download
memory/2676-203-0x000001D410500000-0x000001D410522000-memory.dmp

Filesize
136KB

Download