exelastealer | 88e8854e22bfb9d313d8bbcd90af3288ab7de72242e88da22b02196e1a3e3b8f

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 23:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Exela.exe
Size

10.9MB
MD5

8e58494c2a202912309668e193df5137
SHA1

b7c4192752bd3ffed8e6c734547bcf72913e42eb
SHA256

88e8854e22bfb9d313d8bbcd90af3288ab7de72242e88da22b02196e1a3e3b8f
SHA512

95bff5b38cb753118caba6c455bc0010595994b38f862c877b452f44c943f71c37e16e5429fea00fbc525c864245a2911ed5f1729465448f89fbed4b6b18f2d7
SSDEEP

196608:N+MGbhJb3tQk5tZurErvI9pWj+laeAnags22/zEHS9ZoQlLKvoBQ:XGbh7v5tZurEUWjEVkiYynrVRG

Score

10^/10

exelastealer collection credential_access defense_evasion discovery evasion persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3260	netsh.exe
1508	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2116	cmd.exe
3440	powershell.exe

Loads dropped DLL 33 IoCs

pid	Process
4084	Exela.exe
4084	Exela.exe
4084	Exela.exe
4084	Exela.exe
4084	Exela.exe
4084	Exela.exe
4084	Exela.exe
4084	Exela.exe
4084	Exela.exe
4084	Exela.exe
4084	Exela.exe
4084	Exela.exe
4084	Exela.exe
4084	Exela.exe
4084	Exela.exe
4084	Exela.exe
4084	Exela.exe
4084	Exela.exe
4084	Exela.exe
4084	Exela.exe
4084	Exela.exe
4084	Exela.exe
4084	Exela.exe
4084	Exela.exe
4084	Exela.exe
4084	Exela.exe
4084	Exela.exe
4084	Exela.exe
4084	Exela.exe
4084	Exela.exe
4084	Exela.exe
4084	Exela.exe
4084	Exela.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002348e-53.dat	upx
behavioral2/memory/4084-57-0x00007FFD86080000-0x00007FFD86745000-memory.dmp	upx
behavioral2/files/0x0007000000023456-59.dat	upx
behavioral2/files/0x0007000000023488-65.dat	upx
behavioral2/files/0x0007000000023487-66.dat	upx
behavioral2/files/0x0007000000023461-86.dat	upx
behavioral2/memory/4084-88-0x00007FFD9D7B0000-0x00007FFD9D7BF000-memory.dmp	upx
behavioral2/files/0x000700000002345d-82.dat	upx
behavioral2/files/0x000700000002348f-90.dat	upx
behavioral2/files/0x0007000000023454-93.dat	upx
behavioral2/files/0x0007000000023459-94.dat	upx
behavioral2/files/0x000700000002345e-100.dat	upx
behavioral2/files/0x0007000000023490-101.dat	upx
behavioral2/memory/4084-99-0x00007FFD98EA0000-0x00007FFD98ECD000-memory.dmp	upx
behavioral2/memory/4084-102-0x00007FFD98E70000-0x00007FFD98E94000-memory.dmp	upx
behavioral2/memory/4084-103-0x00007FFD85F00000-0x00007FFD8607E000-memory.dmp	upx
behavioral2/files/0x000700000002347c-104.dat	upx
behavioral2/memory/4084-98-0x00007FFD99270000-0x00007FFD9928A000-memory.dmp	upx
behavioral2/memory/4084-97-0x00007FFD99400000-0x00007FFD9940D000-memory.dmp	upx
behavioral2/memory/4084-96-0x00007FFD9CEE0000-0x00007FFD9CEED000-memory.dmp	upx
behavioral2/memory/4084-95-0x00007FFD9A610000-0x00007FFD9A629000-memory.dmp	upx
behavioral2/memory/4084-106-0x00007FFD85750000-0x00007FFD85EF1000-memory.dmp	upx
behavioral2/memory/4084-87-0x00007FFD99410000-0x00007FFD99435000-memory.dmp	upx
behavioral2/files/0x000700000002345f-84.dat	upx
behavioral2/files/0x0007000000023455-107.dat	upx
behavioral2/files/0x000700000002345c-81.dat	upx
behavioral2/memory/4084-108-0x00007FFD95B50000-0x00007FFD95B89000-memory.dmp	upx
behavioral2/files/0x000700000002345b-80.dat	upx
behavioral2/files/0x0007000000023489-110.dat	upx
behavioral2/files/0x000700000002345a-79.dat	upx
behavioral2/memory/4084-113-0x00007FFD95990000-0x00007FFD959C3000-memory.dmp	upx
behavioral2/memory/4084-116-0x00007FFD85070000-0x00007FFD85599000-memory.dmp	upx
behavioral2/memory/4084-114-0x00007FFD95580000-0x00007FFD9564D000-memory.dmp	upx
behavioral2/files/0x000700000002348b-121.dat	upx
behavioral2/files/0x0007000000023491-124.dat	upx
behavioral2/memory/4084-131-0x00007FFD95970000-0x00007FFD95984000-memory.dmp	upx
behavioral2/memory/4084-130-0x00007FFD95940000-0x00007FFD95962000-memory.dmp	upx
behavioral2/memory/4084-129-0x00007FFD84F50000-0x00007FFD8506B000-memory.dmp	upx
behavioral2/memory/4084-128-0x00007FFD95B30000-0x00007FFD95B44000-memory.dmp	upx
behavioral2/files/0x0007000000023493-127.dat	upx
behavioral2/memory/4084-126-0x00007FFD86080000-0x00007FFD86745000-memory.dmp	upx
behavioral2/files/0x0007000000023458-123.dat	upx
behavioral2/memory/4084-122-0x00007FFD98D40000-0x00007FFD98D52000-memory.dmp	upx
behavioral2/files/0x0007000000023453-117.dat	upx
behavioral2/memory/4084-118-0x00007FFD99250000-0x00007FFD99266000-memory.dmp	upx
behavioral2/files/0x0007000000023457-76.dat	upx
behavioral2/files/0x000700000002348c-68.dat	upx
behavioral2/files/0x0007000000023463-132.dat	upx
behavioral2/files/0x0007000000023465-134.dat	upx
behavioral2/files/0x0007000000023464-136.dat	upx
behavioral2/memory/4084-141-0x00007FFD95900000-0x00007FFD95919000-memory.dmp	upx
behavioral2/memory/4084-140-0x00007FFD95920000-0x00007FFD95937000-memory.dmp	upx
behavioral2/files/0x0007000000023466-139.dat	upx
behavioral2/memory/4084-144-0x00007FFD85750000-0x00007FFD85EF1000-memory.dmp	upx
behavioral2/memory/4084-149-0x00007FFD95780000-0x00007FFD9579E000-memory.dmp	upx
behavioral2/memory/4084-148-0x00007FFD957A0000-0x00007FFD957B1000-memory.dmp	upx
behavioral2/memory/4084-147-0x00007FFD95530000-0x00007FFD9557C000-memory.dmp	upx
behavioral2/memory/4084-146-0x00007FFD85F00000-0x00007FFD8607E000-memory.dmp	upx
behavioral2/memory/4084-145-0x00007FFD98E70000-0x00007FFD98E94000-memory.dmp	upx
behavioral2/memory/4084-194-0x00007FFD95760000-0x00007FFD9576D000-memory.dmp	upx
behavioral2/memory/4084-210-0x00007FFD85070000-0x00007FFD85599000-memory.dmp	upx
behavioral2/memory/4084-212-0x00007FFD95990000-0x00007FFD959C3000-memory.dmp	upx
behavioral2/memory/4084-213-0x00007FFD95580000-0x00007FFD9564D000-memory.dmp	upx
behavioral2/memory/4084-231-0x00007FFD85F00000-0x00007FFD8607E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela Update Service = "C:\\Users\\Admin\\AppData\\Local\\ExelaUpdateService\\Exela.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
19	discord.com
20	discord.com
21	discord.com
22	discord.com
23	discord.com
27	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
5036	cmd.exe
1048	ARP.EXE

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
3844	tasklist.exe
2384	tasklist.exe
4808	tasklist.exe
1716	tasklist.exe
1756	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
692	cmd.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2176	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
860	cmd.exe
4640	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
5072	NETSTAT.EXE

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
4944	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1520	WMIC.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5072	NETSTAT.EXE
2044	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2496	systeminfo.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3440	powershell.exe
3440	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1520	WMIC.exe
Token: SeSecurityPrivilege	1520	WMIC.exe
Token: SeTakeOwnershipPrivilege	1520	WMIC.exe
Token: SeLoadDriverPrivilege	1520	WMIC.exe
Token: SeSystemProfilePrivilege	1520	WMIC.exe
Token: SeSystemtimePrivilege	1520	WMIC.exe
Token: SeProfSingleProcessPrivilege	1520	WMIC.exe
Token: SeIncBasePriorityPrivilege	1520	WMIC.exe
Token: SeCreatePagefilePrivilege	1520	WMIC.exe
Token: SeBackupPrivilege	1520	WMIC.exe
Token: SeRestorePrivilege	1520	WMIC.exe
Token: SeShutdownPrivilege	1520	WMIC.exe
Token: SeDebugPrivilege	1520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1520	WMIC.exe
Token: SeRemoteShutdownPrivilege	1520	WMIC.exe
Token: SeUndockPrivilege	1520	WMIC.exe
Token: SeManageVolumePrivilege	1520	WMIC.exe
Token: 33	1520	WMIC.exe
Token: 34	1520	WMIC.exe
Token: 35	1520	WMIC.exe
Token: 36	1520	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4776	WMIC.exe
Token: SeSecurityPrivilege	4776	WMIC.exe
Token: SeTakeOwnershipPrivilege	4776	WMIC.exe
Token: SeLoadDriverPrivilege	4776	WMIC.exe
Token: SeSystemProfilePrivilege	4776	WMIC.exe
Token: SeSystemtimePrivilege	4776	WMIC.exe
Token: SeProfSingleProcessPrivilege	4776	WMIC.exe
Token: SeIncBasePriorityPrivilege	4776	WMIC.exe
Token: SeCreatePagefilePrivilege	4776	WMIC.exe
Token: SeBackupPrivilege	4776	WMIC.exe
Token: SeRestorePrivilege	4776	WMIC.exe
Token: SeShutdownPrivilege	4776	WMIC.exe
Token: SeDebugPrivilege	4776	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4776	WMIC.exe
Token: SeRemoteShutdownPrivilege	4776	WMIC.exe
Token: SeUndockPrivilege	4776	WMIC.exe
Token: SeManageVolumePrivilege	4776	WMIC.exe
Token: 33	4776	WMIC.exe
Token: 34	4776	WMIC.exe
Token: 35	4776	WMIC.exe
Token: 36	4776	WMIC.exe
Token: SeDebugPrivilege	3844	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1520	WMIC.exe
Token: SeSecurityPrivilege	1520	WMIC.exe
Token: SeTakeOwnershipPrivilege	1520	WMIC.exe
Token: SeLoadDriverPrivilege	1520	WMIC.exe
Token: SeSystemProfilePrivilege	1520	WMIC.exe
Token: SeSystemtimePrivilege	1520	WMIC.exe
Token: SeProfSingleProcessPrivilege	1520	WMIC.exe
Token: SeIncBasePriorityPrivilege	1520	WMIC.exe
Token: SeCreatePagefilePrivilege	1520	WMIC.exe
Token: SeBackupPrivilege	1520	WMIC.exe
Token: SeRestorePrivilege	1520	WMIC.exe
Token: SeShutdownPrivilege	1520	WMIC.exe
Token: SeDebugPrivilege	1520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1520	WMIC.exe
Token: SeRemoteShutdownPrivilege	1520	WMIC.exe
Token: SeUndockPrivilege	1520	WMIC.exe
Token: SeManageVolumePrivilege	1520	WMIC.exe
Token: 33	1520	WMIC.exe
Token: 34	1520	WMIC.exe
Token: 35	1520	WMIC.exe
Token: 36	1520	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4824 wrote to memory of 4084	4824	Exela.exe	84
PID 4824 wrote to memory of 4084	4824	Exela.exe	84
PID 4084 wrote to memory of 1240	4084	Exela.exe	86
PID 4084 wrote to memory of 1240	4084	Exela.exe	86
PID 4084 wrote to memory of 4620	4084	Exela.exe	87
PID 4084 wrote to memory of 4620	4084	Exela.exe	87
PID 4084 wrote to memory of 3652	4084	Exela.exe	90
PID 4084 wrote to memory of 3652	4084	Exela.exe	90
PID 4084 wrote to memory of 4608	4084	Exela.exe	91
PID 4084 wrote to memory of 4608	4084	Exela.exe	91
PID 1240 wrote to memory of 1520	1240	cmd.exe	94
PID 1240 wrote to memory of 1520	1240	cmd.exe	94
PID 4620 wrote to memory of 4776	4620	cmd.exe	95
PID 4620 wrote to memory of 4776	4620	cmd.exe	95
PID 4608 wrote to memory of 3844	4608	cmd.exe	96
PID 4608 wrote to memory of 3844	4608	cmd.exe	96
PID 4084 wrote to memory of 764	4084	Exela.exe	97
PID 4084 wrote to memory of 764	4084	Exela.exe	97
PID 764 wrote to memory of 3108	764	cmd.exe	99
PID 764 wrote to memory of 3108	764	cmd.exe	99
PID 4084 wrote to memory of 3180	4084	Exela.exe	100
PID 4084 wrote to memory of 3180	4084	Exela.exe	100
PID 4084 wrote to memory of 3188	4084	Exela.exe	101
PID 4084 wrote to memory of 3188	4084	Exela.exe	101
PID 3180 wrote to memory of 3328	3180	cmd.exe	104
PID 3180 wrote to memory of 3328	3180	cmd.exe	104
PID 3188 wrote to memory of 2384	3188	cmd.exe	105
PID 3188 wrote to memory of 2384	3188	cmd.exe	105
PID 4084 wrote to memory of 692	4084	Exela.exe	106
PID 4084 wrote to memory of 692	4084	Exela.exe	106
PID 692 wrote to memory of 1528	692	cmd.exe	108
PID 692 wrote to memory of 1528	692	cmd.exe	108
PID 4084 wrote to memory of 3156	4084	Exela.exe	109
PID 4084 wrote to memory of 3156	4084	Exela.exe	109
PID 3156 wrote to memory of 1848	3156	cmd.exe	111
PID 3156 wrote to memory of 1848	3156	cmd.exe	111
PID 4084 wrote to memory of 1372	4084	Exela.exe	112
PID 4084 wrote to memory of 1372	4084	Exela.exe	112
PID 1372 wrote to memory of 4808	1372	cmd.exe	114
PID 1372 wrote to memory of 4808	1372	cmd.exe	114
PID 4084 wrote to memory of 2868	4084	Exela.exe	115
PID 4084 wrote to memory of 2868	4084	Exela.exe	115
PID 4084 wrote to memory of 1820	4084	Exela.exe	116
PID 4084 wrote to memory of 1820	4084	Exela.exe	116
PID 4084 wrote to memory of 4048	4084	Exela.exe	117
PID 4084 wrote to memory of 4048	4084	Exela.exe	117
PID 4084 wrote to memory of 2116	4084	Exela.exe	118
PID 4084 wrote to memory of 2116	4084	Exela.exe	118
PID 2116 wrote to memory of 3440	2116	cmd.exe	123
PID 2116 wrote to memory of 3440	2116	cmd.exe	123
PID 4048 wrote to memory of 1716	4048	cmd.exe	124
PID 4048 wrote to memory of 1716	4048	cmd.exe	124
PID 1820 wrote to memory of 5016	1820	cmd.exe	125
PID 1820 wrote to memory of 5016	1820	cmd.exe	125
PID 5016 wrote to memory of 3704	5016	cmd.exe	126
PID 5016 wrote to memory of 3704	5016	cmd.exe	126
PID 2868 wrote to memory of 1004	2868	cmd.exe	127
PID 2868 wrote to memory of 1004	2868	cmd.exe	127
PID 1004 wrote to memory of 2976	1004	cmd.exe	128
PID 1004 wrote to memory of 2976	1004	cmd.exe	128
PID 4084 wrote to memory of 860	4084	Exela.exe	129
PID 4084 wrote to memory of 860	4084	Exela.exe	129
PID 4084 wrote to memory of 5036	4084	Exela.exe	131
PID 4084 wrote to memory of 5036	4084	Exela.exe	131

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1528	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Exela.exe
"C:\Users\Admin\AppData\Local\Temp\Exela.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4824
- C:\Users\Admin\AppData\Local\Temp\Exela.exe
  "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1240
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:1520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4620
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:3652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4608
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3844
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:764
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      PID:3108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3180
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3188
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:692
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Views/modifies file attributes
      PID:1528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3156
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f
      4⤵
      Adds Run key to start application
      PID:1848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:4808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1004
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:2976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1820
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5016
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:3704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4048
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:2116
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:3440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:860
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    PID:5036
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2496
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:1240
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      PID:4944
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:4188
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:2036
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:4620
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:3152
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:4024
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:3852
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:4448
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:2644
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:2720
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:60
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:3308
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:3328
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:2244
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:1756
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:2044
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:2980
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:1048
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:5072
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:2176
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3260
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1508
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1848
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2188
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI48242\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\_asyncio.pyd

Filesize
37KB

MD5
aa201667e71339521572d224ae77a1ea

SHA1
8da1f6c6ab2f3c38d28159c8844271be3a298f24

SHA256
de660cf4cd1da9e9cfbfe9702da76b9a3c40540022da9dbbbd6a17b2c0385904

SHA512
c149ad488bcb2c45505ec429564417472e0b96125f62ad0ae3ad95dbda9beffe0f13c8ed6cb814cc6b1a1eaf0e3c0329de17078849562b3a788b8defc7137327

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\_bz2.pyd

Filesize
48KB

MD5
99614f713c9be905d87c0cf58200bc36

SHA1
41a599edac97c9f5dd9150116135413574614e60

SHA256
7b3b785cdfa2c1b5eb54481144021f21adc2b35c4b660b6478dacbf04ae90baf

SHA512
f7bff6f2f2700f5dba50dc08687705e03e4fddd252c3e2e6443c7d19422d5abf93fd237c10c835cdcaec21fb0b72478fd2d2db63cc4da7b659c003b6068d2b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\_cffi_backend.cp312-win_amd64.pyd

Filesize
71KB

MD5
1c0cc15036c54930c1e61306a8be4658

SHA1
7d88a5a72198e2785c5514200ab8f85b50946fb9

SHA256
1666002cf4ff50cf337159e187ecf990d2ec23d5324736e66cf68df4c80cc12c

SHA512
bb235e55a69bbdc27102d7afea9089480a5de35f064e63bb3265b060906268f8065472c8d87da588a6ea6ce6a39f2079e218f3cd762692713a93ec5cef4473dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\_ctypes.pyd

Filesize
59KB

MD5
fe45b5661bb06d3a2d6ee8dde64950f5

SHA1
4c5aaac580cbadd90cd130059302d2ab9b25fdb7

SHA256
a6a1a77fb313e650dbd15d9fb745f0f4987cf41b38328ae6b48bc4ca663ec058

SHA512
8307ec73f42c49743d7e81dac54bc76f80ec0a35207fb4f5ad2286e0d6323f8ba77862e6e800f9e55ca9469d1526411b012db9901884c127bcfcab5584a319ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\_decimal.pyd

Filesize
105KB

MD5
ae175df8a381f9e1d408ef61e5cf7642

SHA1
b094b14f7672aeac8e50ae173b72351d1c17d496

SHA256
394573e22f7dc17eea87058c34d74378c4d290af3aa2d891b17c5968942d2ab4

SHA512
5ff46274d42037a2b6162470a5dd38065409a7b10b3d3f22f3c66defe09923dc954fb384e27da7bf51d195cfc58fccae93c036c10e1f6f34b25afa6119528fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\_hashlib.pyd

Filesize
35KB

MD5
84a3ab6348f069b51543e187c484bd65

SHA1
29d984bce98ff562487ef40650f5beee528d8fb4

SHA256
dddcf0bf7fa2b47ecb98912ab9469a41b74fe94ed226b92695ec377e46c33420

SHA512
5b782f9ccdacfef9ac0b3513cce7544d41c8347276b02aaa8566fa283c4c084f568904abd18a504d50e585cd3d5863b4e6ac058264315468cd62eacc7f40fddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\_lzma.pyd

Filesize
86KB

MD5
1dff217fe87e0843df6bc513995142a4

SHA1
59d79b2e261a330d6ae228f039e8bbf651ba2c0d

SHA256
579cc8d6eabdda5334d1a3245fd2831d986e0ec88bb8b42b7bbfbe7ee05d6e1e

SHA512
498d7f1fb0133630938af291ea0a2fcb78c3fa75cf1f00430bfd88b52a7b4a82532d3389093c2c8601aa73e3faeb0fe07adcd7ef3e789ef42c65027392c8514e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\_multiprocessing.pyd

Filesize
27KB

MD5
b59224c22510792057d97076838c311f

SHA1
1682f47e14deabe0ad479786323eb1a6f65fe053

SHA256
4dec69fbe483165bd5eeb97425092d37345578e36d502f5431f369e41f007e9c

SHA512
f4a5a9cbea9a6379b15cd2553b2e337a3b664346412ec02fef790fcbfe817b81749a0660daeddb9a092ac1e3c4386f4544ceda9805d1b67608d6ccf6fc34bbc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\_overlapped.pyd

Filesize
33KB

MD5
c84e798d88b53a5d3afc475770188358

SHA1
987fc82b36f36d023351c9466a7cf5353b9c40d0

SHA256
26357cb8a48e40898d0edbfc58c5ee63827f74679473df488769630c5f5abca6

SHA512
de3b8f60a62ab82a0a9d35673fbec0ca12b2a4bd55e036e1462f965aea0018f24ea75058a52c4eb9eeffe8d4dd63a7df2701a846f244b624ca81cab5a3d45706

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\_queue.pyd

Filesize
26KB

MD5
7e37a5910710ecb893e1c9ce5f17c43b

SHA1
704eb1f38e3df1ff66a07416c4ea355b07bcf4cc

SHA256
907c536e91c7d40d9829290662a21bddf497adaae157b7b576dd2ebae8516e10

SHA512
1a73049845fb08b170ce080c4f8a37b11427328dfbf008b0dcf9b646c2dd775b180f5e741db164df628f128850550dd4f0e946d558a3484e7c9d3ecc89331d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\_socket.pyd

Filesize
44KB

MD5
bf09a2ce93f8a0d5f404c15e1b025fa8

SHA1
29f815dd49b3c737f6c36d757653d39b307c31e8

SHA256
f7226bdc07ee5eedadd180d8d37f9d9916a3c1d63c92ad1d2d09c4aa39487116

SHA512
0e24c3c5785de7debf0c497ecd5f4435ee7c67d8cd34175985cd98943c8381631b10f9b6c8a56d00e2566c5bdd4858160920e3890b043bdcd49ee441644126c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\_sqlite3.pyd

Filesize
57KB

MD5
b1c6aa12bb1589590b0629ea53432eae

SHA1
8a5b7011ac6dc15d839a057b3f7fa595e0b1d160

SHA256
cfa6335fc0b869d33d9e079c2e87d382c8d8cfff7189ebe51678ed7411c95ce8

SHA512
839404fe22a8f5b2bc74d494cd7a8e7e8d59bcfd0582ccd7a64d259ea3e050962cd048b7fd32c6f686cf3cebcb6f80e2d70b7d25d2a4d51137db5b110f1cbe55

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\_ssl.pyd

Filesize
65KB

MD5
80b0b7893603ce10ca5b15dec847417b

SHA1
bcdeac717552621d893529c34da628c84ee4177b

SHA256
286a853cdd765a266295c4c23a1298ad8f26a43c798e7a80974fb4209fb1ce7e

SHA512
0e748eaca61afe1e512695d7a28693fe86799a46f3dbc480294bfaf4e82cfa15b8fdf087c61060c49f04506129684607f0cf1965df074f797106cfec5e0765e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\_uuid.pyd

Filesize
24KB

MD5
353e11301ea38261e6b1cb261a81e0fe

SHA1
607c5ebe67e29eabc61978fb52e4ec23b9a3348e

SHA256
d132f754471bd8a6f6d7816453c2e542f250a4d8089b657392fe61a500ae7899

SHA512
fa990b3e9619d59ae3ad0aeffca7a3513ab143bfd0ac9277e711519010f7c453258a4b041be86a275f3c365e980fc857c23563f3b393d1e3a223973a673e88c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\_wmi.pyd

Filesize
28KB

MD5
a77a72bc52f5717d4a0a7303eacb24f5

SHA1
ac927a91f5410ee541bd8724819ff00a619dbaf0

SHA256
37dc27997ac84b8478c5beebda1fe8fe2618243ee3fd936a119f826d75a4038b

SHA512
c853b0ce6437f7ed38b377e12b7d1443950be27622cce1944b7a581b18e57672516fd4c6ef895d068100bcde24e1209e9c5abd916df00026bd6aa0047dd138b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\aiohttp\_helpers.cp312-win_amd64.pyd

Filesize
27KB

MD5
0572f1e880dfb9fa462fa24fcd4bdae7

SHA1
43ded6ad5365bf89a280cabf4be25ce4a4f78ad8

SHA256
d2aff330111bfedd39633f7af1ed7eb3ca3aba573ebde1611747d554f83119c5

SHA512
a6b87f3a108f73353e7871dca27033e53815b921ee28c09da92dc80c02b3a131120ee4c6f22fb0fed204acc5bb1773554411d1f80a0692ced4143451556215d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\aiohttp\_http_parser.cp312-win_amd64.pyd

Filesize
79KB

MD5
82ae6f49e9614bbd92c0f2a7115028b1

SHA1
2feb46714126179b2dd57d9944852ddfab2d2c51

SHA256
1afbf6144109cc89ba70eff6b565be977d996f4f2409cf4d4b521c323b421411

SHA512
1e02b09538440c37aca78ff9c517bcf9e54a424507c5e1ff04773a4eda2db3a707d5b5eff806b3e4c00cfee57ec480d121d604fcabaa34d059364cd3b2b3fdd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\aiohttp\_http_writer.cp312-win_amd64.pyd

Filesize
25KB

MD5
57bc34a51f9e152528029df68d639baf

SHA1
4e637a92766ec1eaa45db7bbcde6de4edc051e26

SHA256
382466deb7fe958df704453a4aa8048de9ddca74fb2abc02c84f0ef009107b98

SHA512
7e682f83c16cbf293dc7f36368fc27e9e8116c6c7a4cf66d22d6a86d23db0defaed334537e398e69e8abe49b7c363fc99ed4fd77bcbf5a6cd233789dd6a3cd63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\aiohttp\_websocket.cp312-win_amd64.pyd

Filesize
20KB

MD5
9060bad190641f825ed346205453093b

SHA1
b44c24adbab00905215db173024e180f35e9763e

SHA256
7186172e02074db0a788cb6124f2471519050b5f351a89b0aae72772ba87968f

SHA512
c190ed7cb8b383fe967b7a4fa4b50750d4b8517f9b35ccc6ecf2085493c05e3cbb267bc12052a208d96b431941ed2ec75684c5ffd7bbc9152e3d9ceea205d18d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\base_library.zip

Filesize
1.3MB

MD5
8dad91add129dca41dd17a332a64d593

SHA1
70a4ec5a17ed63caf2407bd76dc116aca7765c0d

SHA256
8de4f013bfecb9431aabaa97bb084fb7de127b365b9478d6f7610959bf0d2783

SHA512
2163414bc01fc30d47d1de763a8332afe96ea7b296665b1a0840d5197b7e56f4963938e69de35cd2bf89158e5e2240a1650d00d86634ac2a5e2ad825455a2d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\cryptography\hazmat\bindings\_rust.pyd

Filesize
2.1MB

MD5
073606ea92928af7b2863782c0114949

SHA1
ec7b4dbf415af6a071a6ca3a0d4f4a0cf544515c

SHA256
9be10e3f170875a5b3e403f29d7241bf64957c01bfcae3504f5576578183610a

SHA512
5cd48348b475c9de7c2c8d85f36a1f8cf63ee5ee2bde60e2e5a1026f0e877b4c686ad07ab37c8ae37b46b719233b28aa699ce5a2fedd0247c7607da6e519a11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\libcrypto-3.dll

Filesize
1.6MB

MD5
443fd07a22ff1a688a3505d35f3c3dd1

SHA1
ab9f501aa1d3d523b45f8170e53981672cd69131

SHA256
f9c87ec6401039fd03b7c6732c74d1abfdb7c07c8e9803d00effe4c610baa9ee

SHA512
1de390d5d9872c9876662f89c57173391ecd300cabde69c655b2ade7eea56e67376839607cac52572111b88a025797060653dc8bb987c6a165f535b245309844

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\libffi-8.dll

Filesize
29KB

MD5
0d1c6b92d091cef3142e32ac4e0cc12e

SHA1
440dad5af38035cb0984a973e1f266deff2bd7fc

SHA256
11ee9c7fb70c3756c0392843245935517171b95cc5ba0d696b2c1742c8d46fb6

SHA512
5d514ecab93941e83c008f0e9749f99e330949580884bf4850b11cac08fe1ac4ac50033e8888045fe4a9d8b4d2e3ea667b39be18f77266d00f8d7d6797260233

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\libssl-3.dll

Filesize
222KB

MD5
364a71831c9bd0a09eeeceb6980c58c7

SHA1
9d084ccb83e12ddccd17250a009362d720e6271c

SHA256
3b20fb46f41234f8f7bbe342cfebfbbce5708d963cf5c7792d1237a1bc7b2676

SHA512
5abe19130f9306fd6fc3644412ef6c8c5b7da970cfaed69657a6cb62d431abfbba64fefcbfa82910d17d744e299e3ba5036bd490223b2bf28689cf2e70633dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\multidict\_multidict.cp312-win_amd64.pyd

Filesize
20KB

MD5
877e8f7f3c980020b1da6bdbc6f1741c

SHA1
184d162f6eea7cce343fe0c62fda49ca796ceb20

SHA256
65b96acd7b6517c4493491f31083e75d905b48466f021fab098655f0d953497c

SHA512
881332a6cbc7ab030f52bc46a8cf68c0ad922c54c68b3b8e35909f758aed9443cc90b49681f88c6c1f61741eb6507849857405a87dbbd78bb1a453ade3fe1ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\pyexpat.pyd

Filesize
88KB

MD5
4036f8f39f15413396465317522ae157

SHA1
398431ca1d476596bdaf213ace7599acbdf1fbf6

SHA256
31356a90e63b6fabbdb47373fbffeb33d28d8e6f6d5ca395113b3362ce9eee52

SHA512
b9750acaf86ae7bb942ece6067177a2b3ccc29672cffefbce213dd1b36acb5f143809331d657d6e7ffc7cac148d2e2793a6e9b941893c59b50dd32a982ddafaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\python3.DLL

Filesize
66KB

MD5
79b02450d6ca4852165036c8d4eaed1f

SHA1
ce9ff1b302426d4c94a2d3ea81531d3cb9e583e4

SHA256
d2e348e615a5d3b08b0bac29b91f79b32f0c1d0be48976450042462466b51123

SHA512
47044d18db3a4dd58a93b43034f4fafa66821d157dcfefb85fca2122795f4591dc69a82eb2e0ebd9183075184368850e4caf9c9fea0cfe6f766c73a60ffdf416

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\python312.dll

Filesize
1.7MB

MD5
3e5a523e2b08424c39a53dcba0c4f335

SHA1
c6bafbf6501b62f23e0c2f4f68db822827babd76

SHA256
d6864c703deb033db0c5bd9962d88b1e2e6b39f942f44558385ae9a0aff7eac3

SHA512
74533088aee88b27d1cc94e56e70066109e05d6f1cfd3b4d647d16dc8a5977262f91e16dd875683c7e13dec0ed88d5febdd2058ca5ecc413e17934d782ade8f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\select.pyd

Filesize
25KB

MD5
b6170b2e8b11051d2bbbc96583c6ba5e

SHA1
e142e392f8e247dc6745a6be7ac5e3fbb0f12ba4

SHA256
7cdd658961b23dfde1516ac43bf3b3de9314787c64a970cc169310d95a68709a

SHA512
956ed83bae9f0cbc10bfe26b7de0f41bfb39f304850d32084baba9ec9b25e5866dd94ec1de7ec91f42610c3b65f5a4d2538500da0c0ed3b95bd8051581e58194

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\sqlite3.dll

Filesize
644KB

MD5
23b8d930887ba4b256f91fb97bef6bcf

SHA1
045791bbd8354f5955ec14ca3ca8270a27ce2bf1

SHA256
002c755c90c0a4a108c5b27cd08b0bd2ac1732fadcec2ac3474a3e6b77df4013

SHA512
73f9a8d94f7b121433d5af19700c5f51ba39c7d59e27aa9ba27aeb8f0fa11e59b3ed5df2b3afd7a98f4ac8c6e8ab761d502f5fa41782946e350feb1f7910028c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\unicodedata.pyd

Filesize
295KB

MD5
e37488a62ea94e6dc09a8e3755e36e3f

SHA1
c485b3769c659c45853febdb2b3be5ab47e3a47a

SHA256
8e6de46ea542bbe99479f442dabafd44bfb51ee4f144ae493f37d6f9d5214135

SHA512
8128b609dca51a05186ec3bf894b8fb7911533b18fc70aea9682b5ae12d662aa174359ecddc98917ade9450a0c020ddcad2094afe5956be5ae3d6a38fd43c079

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI48242\yarl\_quoting_c.cp312-win_amd64.pyd

Filesize
40KB

MD5
4bbcf91653204023164d00202769fc4f

SHA1
ccdaf8e3ee4ae4b6ae0b85193afb5b0fa9e68970

SHA256
213e1ba2baabc331eb61461791c85498cefabc223c872fd57d0b98b43b5afd9f

SHA512
79ad58112c2b7f1200c6fbc8074f8992c094ea785a3ac88cecbafcc245bbe41bfd1acd87fd0b1aca13e2bd644a9be540807ac31152824f86ef0a2d113405a765

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eo5iuus4.z0v.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3440-199-0x0000029698E90000-0x0000029698EB2000-memory.dmp

Filesize
136KB

Download
memory/4084-130-0x00007FFD95940000-0x00007FFD95962000-memory.dmp

Filesize
136KB

Download
memory/4084-148-0x00007FFD957A0000-0x00007FFD957B1000-memory.dmp

Filesize
68KB

Download
memory/4084-114-0x00007FFD95580000-0x00007FFD9564D000-memory.dmp

Filesize
820KB

Download
memory/4084-115-0x0000026B63C80000-0x0000026B641A9000-memory.dmp

Filesize
5.2MB

Download
memory/4084-113-0x00007FFD95990000-0x00007FFD959C3000-memory.dmp

Filesize
204KB

Download
memory/4084-131-0x00007FFD95970000-0x00007FFD95984000-memory.dmp

Filesize
80KB

Download
memory/4084-108-0x00007FFD95B50000-0x00007FFD95B89000-memory.dmp

Filesize
228KB

Download
memory/4084-129-0x00007FFD84F50000-0x00007FFD8506B000-memory.dmp

Filesize
1.1MB

Download
memory/4084-128-0x00007FFD95B30000-0x00007FFD95B44000-memory.dmp

Filesize
80KB

Download
memory/4084-87-0x00007FFD99410000-0x00007FFD99435000-memory.dmp

Filesize
148KB

Download
memory/4084-126-0x00007FFD86080000-0x00007FFD86745000-memory.dmp

Filesize
6.8MB

Download
memory/4084-106-0x00007FFD85750000-0x00007FFD85EF1000-memory.dmp

Filesize
7.6MB

Download
memory/4084-122-0x00007FFD98D40000-0x00007FFD98D52000-memory.dmp

Filesize
72KB

Download
memory/4084-95-0x00007FFD9A610000-0x00007FFD9A629000-memory.dmp

Filesize
100KB

Download
memory/4084-118-0x00007FFD99250000-0x00007FFD99266000-memory.dmp

Filesize
88KB

Download
memory/4084-96-0x00007FFD9CEE0000-0x00007FFD9CEED000-memory.dmp

Filesize
52KB

Download
memory/4084-97-0x00007FFD99400000-0x00007FFD9940D000-memory.dmp

Filesize
52KB

Download
memory/4084-98-0x00007FFD99270000-0x00007FFD9928A000-memory.dmp

Filesize
104KB

Download
memory/4084-103-0x00007FFD85F00000-0x00007FFD8607E000-memory.dmp

Filesize
1.5MB

Download
memory/4084-102-0x00007FFD98E70000-0x00007FFD98E94000-memory.dmp

Filesize
144KB

Download
memory/4084-141-0x00007FFD95900000-0x00007FFD95919000-memory.dmp

Filesize
100KB

Download
memory/4084-140-0x00007FFD95920000-0x00007FFD95937000-memory.dmp

Filesize
92KB

Download
memory/4084-99-0x00007FFD98EA0000-0x00007FFD98ECD000-memory.dmp

Filesize
180KB

Download
memory/4084-144-0x00007FFD85750000-0x00007FFD85EF1000-memory.dmp

Filesize
7.6MB

Download
memory/4084-149-0x00007FFD95780000-0x00007FFD9579E000-memory.dmp

Filesize
120KB

Download
memory/4084-116-0x00007FFD85070000-0x00007FFD85599000-memory.dmp

Filesize
5.2MB

Download
memory/4084-147-0x00007FFD95530000-0x00007FFD9557C000-memory.dmp

Filesize
304KB

Download
memory/4084-146-0x00007FFD85F00000-0x00007FFD8607E000-memory.dmp

Filesize
1.5MB

Download
memory/4084-145-0x00007FFD98E70000-0x00007FFD98E94000-memory.dmp

Filesize
144KB

Download
memory/4084-194-0x00007FFD95760000-0x00007FFD9576D000-memory.dmp

Filesize
52KB

Download
memory/4084-88-0x00007FFD9D7B0000-0x00007FFD9D7BF000-memory.dmp

Filesize
60KB

Download
memory/4084-57-0x00007FFD86080000-0x00007FFD86745000-memory.dmp

Filesize
6.8MB

Download
memory/4084-210-0x00007FFD85070000-0x00007FFD85599000-memory.dmp

Filesize
5.2MB

Download
memory/4084-212-0x00007FFD95990000-0x00007FFD959C3000-memory.dmp

Filesize
204KB

Download
memory/4084-214-0x0000026B63C80000-0x0000026B641A9000-memory.dmp

Filesize
5.2MB

Download
memory/4084-213-0x00007FFD95580000-0x00007FFD9564D000-memory.dmp

Filesize
820KB

Download
memory/4084-231-0x00007FFD85F00000-0x00007FFD8607E000-memory.dmp

Filesize
1.5MB

Download
memory/4084-222-0x00007FFD86080000-0x00007FFD86745000-memory.dmp

Filesize
6.8MB

Download
memory/4084-246-0x00007FFD95530000-0x00007FFD9557C000-memory.dmp

Filesize
304KB

Download
memory/4084-245-0x00007FFD95900000-0x00007FFD95919000-memory.dmp

Filesize
100KB

Download
memory/4084-244-0x00007FFD95920000-0x00007FFD95937000-memory.dmp

Filesize
92KB

Download
memory/4084-236-0x00007FFD85070000-0x00007FFD85599000-memory.dmp

Filesize
5.2MB

Download
memory/4084-243-0x00007FFD95940000-0x00007FFD95962000-memory.dmp

Filesize
136KB

Download
memory/4084-238-0x00007FFD99250000-0x00007FFD99266000-memory.dmp

Filesize
88KB

Download
memory/4084-227-0x00007FFD99400000-0x00007FFD9940D000-memory.dmp

Filesize
52KB

Download
memory/4084-223-0x00007FFD99410000-0x00007FFD99435000-memory.dmp

Filesize
148KB

Download
memory/4084-249-0x00007FFD95760000-0x00007FFD9576D000-memory.dmp

Filesize
52KB

Download
memory/4084-264-0x00007FFD85070000-0x00007FFD85599000-memory.dmp

Filesize
5.2MB

Download
memory/4084-263-0x00007FFD95580000-0x00007FFD9564D000-memory.dmp

Filesize
820KB

Download
memory/4084-262-0x00007FFD95990000-0x00007FFD959C3000-memory.dmp

Filesize
204KB

Download
memory/4084-250-0x00007FFD86080000-0x00007FFD86745000-memory.dmp

Filesize
6.8MB

Download