exelastealer | 22c715e0a0c48b1ee1cf110c6656dc441c04a6fb4acc6efacec7cdc98f5037c3

Analysis

max time kernel
71s
max time network
77s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
24/08/2024, 05:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

auxia_loader.exe
Size

47.7MB
MD5

391e83a31bc6a4906f6f4c45d6c64296
SHA1

3a1b812e58966442f43e2253419dbc5c7a3728dc
SHA256

22c715e0a0c48b1ee1cf110c6656dc441c04a6fb4acc6efacec7cdc98f5037c3
SHA512

3c7634f2cfa8fe9b5f16016e11baddcff6c7d696ad37376b76bfac1a9005b84acbd29f26a720a6c912b64cdc72e1981478373950b4a14a418f78c2cb27856405
SSDEEP

196608:jWs51wJb3tQk5tcB6yavnlPzf+JiJCsVMvgLnKFLhSiJpmx:6N7v5tcBRavnlPSa7WvgeZrmx

Score

10^/10

exelastealer collection credential_access defense_evasion discovery evasion persistence privilege_escalation pyinstaller spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1496	netsh.exe
4896	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4652	cmd.exe
3864	powershell.exe

Loads dropped DLL 31 IoCs

pid	Process
2548	auxia_loader.exe
2548	auxia_loader.exe
2548	auxia_loader.exe
2548	auxia_loader.exe
2548	auxia_loader.exe
2548	auxia_loader.exe
2548	auxia_loader.exe
2548	auxia_loader.exe
2548	auxia_loader.exe
2548	auxia_loader.exe
2548	auxia_loader.exe
2548	auxia_loader.exe
2548	auxia_loader.exe
2548	auxia_loader.exe
2548	auxia_loader.exe
2548	auxia_loader.exe
2548	auxia_loader.exe
2548	auxia_loader.exe
2548	auxia_loader.exe
2548	auxia_loader.exe
2548	auxia_loader.exe
2548	auxia_loader.exe
2548	auxia_loader.exe
2548	auxia_loader.exe
2548	auxia_loader.exe
2548	auxia_loader.exe
2548	auxia_loader.exe
2548	auxia_loader.exe
2548	auxia_loader.exe
2548	auxia_loader.exe
2548	auxia_loader.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023510-45.dat	upx
behavioral2/memory/2548-48-0x00007FFD04000000-0x00007FFD045EA000-memory.dmp	upx
behavioral2/files/0x00070000000234e1-51.dat	upx
behavioral2/files/0x000700000002350a-56.dat	upx
behavioral2/memory/2548-78-0x00007FFD17100000-0x00007FFD1710F000-memory.dmp	upx
behavioral2/memory/2548-77-0x00007FFD13CE0000-0x00007FFD13D03000-memory.dmp	upx
behavioral2/files/0x0007000000023511-81.dat	upx
behavioral2/memory/2548-88-0x00007FFD136F0000-0x00007FFD13713000-memory.dmp	upx
behavioral2/files/0x0007000000023512-89.dat	upx
behavioral2/files/0x00070000000234ea-91.dat	upx
behavioral2/files/0x0007000000023509-95.dat	upx
behavioral2/files/0x000700000002350b-93.dat	upx
behavioral2/memory/2548-99-0x00007FFD03490000-0x00007FFD03805000-memory.dmp	upx
behavioral2/files/0x00070000000234de-100.dat	upx
behavioral2/files/0x000700000002350d-106.dat	upx
behavioral2/files/0x0007000000023513-108.dat	upx
behavioral2/files/0x0007000000023515-110.dat	upx
behavioral2/files/0x00070000000234ed-112.dat	upx
behavioral2/files/0x00070000000234f0-118.dat	upx
behavioral2/files/0x0007000000023506-122.dat	upx
behavioral2/memory/2548-131-0x00007FFD13320000-0x00007FFD1333E000-memory.dmp	upx
behavioral2/memory/2548-130-0x00007FFD13EB0000-0x00007FFD13EC1000-memory.dmp	upx
behavioral2/memory/2548-133-0x00007FFD13F40000-0x00007FFD13F54000-memory.dmp	upx
behavioral2/memory/2548-132-0x00007FFD02CE0000-0x00007FFD03481000-memory.dmp	upx
behavioral2/memory/2548-129-0x00007FFD0EE20000-0x00007FFD0EE6D000-memory.dmp	upx
behavioral2/memory/2548-128-0x00007FFD13ED0000-0x00007FFD13EE9000-memory.dmp	upx
behavioral2/memory/2548-127-0x00007FFD13EF0000-0x00007FFD13F07000-memory.dmp	upx
behavioral2/files/0x00070000000234e0-134.dat	upx
behavioral2/memory/2548-135-0x00007FFD0E430000-0x00007FFD0E468000-memory.dmp	upx
behavioral2/memory/2548-126-0x00007FFD13F10000-0x00007FFD13F32000-memory.dmp	upx
behavioral2/memory/2548-125-0x00007FFD046C0000-0x00007FFD047DC000-memory.dmp	upx
behavioral2/memory/2548-124-0x00007FFD13FE0000-0x00007FFD13FF4000-memory.dmp	upx
behavioral2/files/0x0007000000023508-121.dat	upx
behavioral2/files/0x00070000000234ee-116.dat	upx
behavioral2/files/0x00070000000234ef-114.dat	upx
behavioral2/files/0x00070000000234e3-107.dat	upx
behavioral2/memory/2548-105-0x00007FFD13CC0000-0x00007FFD13CD9000-memory.dmp	upx
behavioral2/memory/2548-104-0x00007FFD14000000-0x00007FFD14012000-memory.dmp	upx
behavioral2/memory/2548-103-0x00007FFD172E0000-0x00007FFD172F5000-memory.dmp	upx
behavioral2/files/0x00070000000234e6-101.dat	upx
behavioral2/memory/2548-97-0x00007FFD03810000-0x00007FFD038C8000-memory.dmp	upx
behavioral2/memory/2548-96-0x00007FFD04000000-0x00007FFD045EA000-memory.dmp	upx
behavioral2/memory/2548-92-0x00007FFD13340000-0x00007FFD1336E000-memory.dmp	upx
behavioral2/memory/2548-90-0x00007FFD038D0000-0x00007FFD03A3F000-memory.dmp	upx
behavioral2/files/0x00070000000234e9-87.dat	upx
behavioral2/memory/2548-86-0x00007FFD13720000-0x00007FFD1374D000-memory.dmp	upx
behavioral2/files/0x00070000000234e4-85.dat	upx
behavioral2/memory/2548-84-0x00007FFD13750000-0x00007FFD13769000-memory.dmp	upx
behavioral2/files/0x00070000000234df-83.dat	upx
behavioral2/memory/2548-82-0x00007FFD141A0000-0x00007FFD141AD000-memory.dmp	upx
behavioral2/memory/2548-80-0x00007FFD13CC0000-0x00007FFD13CD9000-memory.dmp	upx
behavioral2/files/0x00070000000234e8-79.dat	upx
behavioral2/files/0x00070000000234e7-72.dat	upx
behavioral2/files/0x00070000000234e5-70.dat	upx
behavioral2/files/0x00070000000234e2-67.dat	upx
behavioral2/files/0x000700000002350e-60.dat	upx
behavioral2/memory/2548-138-0x00007FFD136F0000-0x00007FFD13713000-memory.dmp	upx
behavioral2/memory/2548-139-0x00007FFD038D0000-0x00007FFD03A3F000-memory.dmp	upx
behavioral2/memory/2548-179-0x00007FFD13340000-0x00007FFD1336E000-memory.dmp	upx
behavioral2/memory/2548-180-0x00007FFD13A70000-0x00007FFD13A7D000-memory.dmp	upx
behavioral2/memory/2548-196-0x00007FFD03810000-0x00007FFD038C8000-memory.dmp	upx
behavioral2/memory/2548-198-0x00007FFD03490000-0x00007FFD03805000-memory.dmp	upx
behavioral2/memory/2548-200-0x00007FFD172E0000-0x00007FFD172F5000-memory.dmp	upx
behavioral2/memory/2548-201-0x00007FFD14000000-0x00007FFD14012000-memory.dmp	upx

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
3876	ARP.EXE
1564	cmd.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
452	tasklist.exe
2512	tasklist.exe
2308	tasklist.exe
636	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1072	cmd.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2852	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0007000000023517-144.dat	pyinstaller

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1880	cmd.exe
4560	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
1088	NETSTAT.EXE

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
4788	WMIC.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2228	ipconfig.exe
1088	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4928	systeminfo.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3864	powershell.exe
3864	powershell.exe
3864	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	636	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3928	WMIC.exe
Token: SeSecurityPrivilege	3928	WMIC.exe
Token: SeTakeOwnershipPrivilege	3928	WMIC.exe
Token: SeLoadDriverPrivilege	3928	WMIC.exe
Token: SeSystemProfilePrivilege	3928	WMIC.exe
Token: SeSystemtimePrivilege	3928	WMIC.exe
Token: SeProfSingleProcessPrivilege	3928	WMIC.exe
Token: SeIncBasePriorityPrivilege	3928	WMIC.exe
Token: SeCreatePagefilePrivilege	3928	WMIC.exe
Token: SeBackupPrivilege	3928	WMIC.exe
Token: SeRestorePrivilege	3928	WMIC.exe
Token: SeShutdownPrivilege	3928	WMIC.exe
Token: SeDebugPrivilege	3928	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3928	WMIC.exe
Token: SeRemoteShutdownPrivilege	3928	WMIC.exe
Token: SeUndockPrivilege	3928	WMIC.exe
Token: SeManageVolumePrivilege	3928	WMIC.exe
Token: 33	3928	WMIC.exe
Token: 34	3928	WMIC.exe
Token: 35	3928	WMIC.exe
Token: 36	3928	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3928	WMIC.exe
Token: SeSecurityPrivilege	3928	WMIC.exe
Token: SeTakeOwnershipPrivilege	3928	WMIC.exe
Token: SeLoadDriverPrivilege	3928	WMIC.exe
Token: SeSystemProfilePrivilege	3928	WMIC.exe
Token: SeSystemtimePrivilege	3928	WMIC.exe
Token: SeProfSingleProcessPrivilege	3928	WMIC.exe
Token: SeIncBasePriorityPrivilege	3928	WMIC.exe
Token: SeCreatePagefilePrivilege	3928	WMIC.exe
Token: SeBackupPrivilege	3928	WMIC.exe
Token: SeRestorePrivilege	3928	WMIC.exe
Token: SeShutdownPrivilege	3928	WMIC.exe
Token: SeDebugPrivilege	3928	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3928	WMIC.exe
Token: SeRemoteShutdownPrivilege	3928	WMIC.exe
Token: SeUndockPrivilege	3928	WMIC.exe
Token: SeManageVolumePrivilege	3928	WMIC.exe
Token: 33	3928	WMIC.exe
Token: 34	3928	WMIC.exe
Token: 35	3928	WMIC.exe
Token: 36	3928	WMIC.exe
Token: SeDebugPrivilege	452	tasklist.exe
Token: SeDebugPrivilege	2512	tasklist.exe
Token: SeDebugPrivilege	3864	powershell.exe
Token: SeIncreaseQuotaPrivilege	4788	WMIC.exe
Token: SeSecurityPrivilege	4788	WMIC.exe
Token: SeTakeOwnershipPrivilege	4788	WMIC.exe
Token: SeLoadDriverPrivilege	4788	WMIC.exe
Token: SeSystemProfilePrivilege	4788	WMIC.exe
Token: SeSystemtimePrivilege	4788	WMIC.exe
Token: SeProfSingleProcessPrivilege	4788	WMIC.exe
Token: SeIncBasePriorityPrivilege	4788	WMIC.exe
Token: SeCreatePagefilePrivilege	4788	WMIC.exe
Token: SeBackupPrivilege	4788	WMIC.exe
Token: SeRestorePrivilege	4788	WMIC.exe
Token: SeShutdownPrivilege	4788	WMIC.exe
Token: SeDebugPrivilege	4788	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4788	WMIC.exe
Token: SeRemoteShutdownPrivilege	4788	WMIC.exe
Token: SeUndockPrivilege	4788	WMIC.exe
Token: SeManageVolumePrivilege	4788	WMIC.exe
Token: 33	4788	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2548	2088	auxia_loader.exe	87
PID 2088 wrote to memory of 2548	2088	auxia_loader.exe	87
PID 2548 wrote to memory of 444	2548	auxia_loader.exe	88
PID 2548 wrote to memory of 444	2548	auxia_loader.exe	88
PID 2548 wrote to memory of 1980	2548	auxia_loader.exe	90
PID 2548 wrote to memory of 1980	2548	auxia_loader.exe	90
PID 2548 wrote to memory of 2844	2548	auxia_loader.exe	91
PID 2548 wrote to memory of 2844	2548	auxia_loader.exe	91
PID 2844 wrote to memory of 636	2844	cmd.exe	94
PID 2844 wrote to memory of 636	2844	cmd.exe	94
PID 1980 wrote to memory of 3928	1980	cmd.exe	95
PID 1980 wrote to memory of 3928	1980	cmd.exe	95
PID 2548 wrote to memory of 1072	2548	auxia_loader.exe	97
PID 2548 wrote to memory of 1072	2548	auxia_loader.exe	97
PID 1072 wrote to memory of 620	1072	cmd.exe	99
PID 1072 wrote to memory of 620	1072	cmd.exe	99
PID 2548 wrote to memory of 3236	2548	auxia_loader.exe	100
PID 2548 wrote to memory of 3236	2548	auxia_loader.exe	100
PID 3236 wrote to memory of 452	3236	cmd.exe	102
PID 3236 wrote to memory of 452	3236	cmd.exe	102
PID 2548 wrote to memory of 1928	2548	auxia_loader.exe	103
PID 2548 wrote to memory of 1928	2548	auxia_loader.exe	103
PID 2548 wrote to memory of 2996	2548	auxia_loader.exe	104
PID 2548 wrote to memory of 2996	2548	auxia_loader.exe	104
PID 2548 wrote to memory of 3096	2548	auxia_loader.exe	106
PID 2548 wrote to memory of 3096	2548	auxia_loader.exe	106
PID 2548 wrote to memory of 4652	2548	auxia_loader.exe	108
PID 2548 wrote to memory of 4652	2548	auxia_loader.exe	108
PID 1928 wrote to memory of 4500	1928	cmd.exe	111
PID 1928 wrote to memory of 4500	1928	cmd.exe	111
PID 3096 wrote to memory of 2512	3096	cmd.exe	115
PID 3096 wrote to memory of 2512	3096	cmd.exe	115
PID 2996 wrote to memory of 4304	2996	cmd.exe	116
PID 2996 wrote to memory of 4304	2996	cmd.exe	116
PID 4652 wrote to memory of 3864	4652	cmd.exe	117
PID 4652 wrote to memory of 3864	4652	cmd.exe	117
PID 4304 wrote to memory of 212	4304	cmd.exe	118
PID 4304 wrote to memory of 212	4304	cmd.exe	118
PID 2548 wrote to memory of 1564	2548	auxia_loader.exe	119
PID 2548 wrote to memory of 1564	2548	auxia_loader.exe	119
PID 2548 wrote to memory of 1880	2548	auxia_loader.exe	121
PID 2548 wrote to memory of 1880	2548	auxia_loader.exe	121
PID 1564 wrote to memory of 4928	1564	cmd.exe	123
PID 1564 wrote to memory of 4928	1564	cmd.exe	123
PID 1880 wrote to memory of 4560	1880	cmd.exe	124
PID 1880 wrote to memory of 4560	1880	cmd.exe	124
PID 1564 wrote to memory of 1724	1564	cmd.exe	127
PID 1564 wrote to memory of 1724	1564	cmd.exe	127
PID 1564 wrote to memory of 4788	1564	cmd.exe	128
PID 1564 wrote to memory of 4788	1564	cmd.exe	128
PID 1564 wrote to memory of 2332	1564	cmd.exe	129
PID 1564 wrote to memory of 2332	1564	cmd.exe	129
PID 2332 wrote to memory of 1660	2332	net.exe	130
PID 2332 wrote to memory of 1660	2332	net.exe	130
PID 1564 wrote to memory of 4796	1564	cmd.exe	131
PID 1564 wrote to memory of 4796	1564	cmd.exe	131
PID 4796 wrote to memory of 4748	4796	query.exe	132
PID 4796 wrote to memory of 4748	4796	query.exe	132
PID 1564 wrote to memory of 3180	1564	cmd.exe	133
PID 1564 wrote to memory of 3180	1564	cmd.exe	133
PID 3180 wrote to memory of 3992	3180	net.exe	134
PID 3180 wrote to memory of 3992	3180	net.exe	134
PID 1564 wrote to memory of 4548	1564	cmd.exe	135
PID 1564 wrote to memory of 4548	1564	cmd.exe	135

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
620	attrib.exe

C:\Users\Admin\AppData\Local\Temp\auxia_loader.exe
"C:\Users\Admin\AppData\Local\Temp\auxia_loader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\AppData\Local\Temp\auxia_loader.exe
  "C:\Users\Admin\AppData\Local\Temp\auxia_loader.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:1072
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Views/modifies file attributes
      PID:620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3236
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:452
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1928
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:4500
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:4280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4304
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3096
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:4652
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4928
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:1724
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      Suspicious use of AdjustPrivilegeToken
      PID:4788
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2332
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:1660
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4796
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:4748
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3180
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:3992
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:4548
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:2328
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:3776
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:2988
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:1300
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:2816
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:1728
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:2308
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:2228
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:1664
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:3876
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:1088
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:2852
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1496
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:1880
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4780
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1416
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3104

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe

Filesize
47.7MB

MD5
391e83a31bc6a4906f6f4c45d6c64296

SHA1
3a1b812e58966442f43e2253419dbc5c7a3728dc

SHA256
22c715e0a0c48b1ee1cf110c6656dc441c04a6fb4acc6efacec7cdc98f5037c3

SHA512
3c7634f2cfa8fe9b5f16016e11baddcff6c7d696ad37376b76bfac1a9005b84acbd29f26a720a6c912b64cdc72e1981478373950b4a14a418f78c2cb27856405

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20882\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20882\_asyncio.pyd

Filesize
36KB

MD5
3f9190b92f01a91c6d0b90bd184d6abc

SHA1
abcc78fa001ab6cf75cc4e39941165001f85221e

SHA256
f42f9d41bf350379cae2665752f261c6e1a1eab009c25b78ad4b6163f62ec576

SHA512
6826734ed41026fa1f97522e4c1ddc5be2fb874774158ffeff5038536545d3bde8cc36fec8a8c5c98b7e7651d42e9f52285e1f7622b61c51b67f1f846a0f2fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20882\_bz2.pyd

Filesize
48KB

MD5
1f7fe39a2cd5deb52d5fe73b5374ee84

SHA1
8c1ebfa645a9686225daaf27dbf9b769c09f390f

SHA256
e36d2c8699037bb29343f82038105c57712da0ed5f91a01a97caaf9abbb9610b

SHA512
75048e19133b594abdd1750075b3dc4386745ed9208b38ed72ad93cb41e942177e8435cda883802dff696c0cbdd073a3a33d829cf8c0ccd69bb21111579f3853

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20882\_cffi_backend.cp311-win_amd64.pyd

Filesize
71KB

MD5
2443ecaddfe40ee5130539024324e7fc

SHA1
ea74aaf7848de0a078a1510c3430246708631108

SHA256
9a5892ac0cd00c44cd7744d60c9459f302d5984ddb395caea52e4d8fd9bca2da

SHA512
5896af78cf208e1350cf2c31f913aa100098dd1cf4bae77cd2a36ec7695015986ec9913df8d2ebc9992f8f7d48bba102647dc5ee7f776593ae7be36f46bd5c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20882\_ctypes.pyd

Filesize
58KB

MD5
d75c4bb09bb92aea8605876598cca0b7

SHA1
705f696028d137038a0a4a9396a1d80a7df2ba0c

SHA256
943139c952a1ff95e63a3ff3226c4815fd82488d4cf7e6b66c3d30cc9840c66d

SHA512
ca687ae62439d62454c6ebd3edffc6e516ef33dcb00538ddebbf2fca6d884d8ec3356dd69e285e00ca6def38684abb01654cbe9d03e81915c20c700e64201e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20882\_decimal.pyd

Filesize
106KB

MD5
72f1145a4a32aef82e2e6e723dfe83a8

SHA1
075f20493db64e955ea93011bb1cad011b6af1f7

SHA256
6da30bfe1dcd54367817947bb5cdfba7e83156ab97d69df7f373b13a1f1bb1e5

SHA512
f2a6331c4e639e5eaca1ccec8da156b4a7ea7ddfc402b102f4cdf6f6b5138e5b35ccc86b83a037119526e2e26534ac0cbb0e905434d74ca5853aad487cf4cab1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20882\_hashlib.pyd

Filesize
35KB

MD5
965e800632867a999ef07c373ef7465d

SHA1
6b6ee62de84bbd3d5868274331d873369735a0f6

SHA256
aa1a32a8b6d2ff445b73c145dafcae2373031f797a7922cec7b0ada83f8f00ed

SHA512
5de95c46567af043891e7b1e65f3b04cbc6899a0107c069b42140218a739efe227ec0b5a48b4d999eba096b7919bcdc0e69e05e89cf35431439945fedcb7b58a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20882\_lzma.pyd

Filesize
85KB

MD5
36ca956087c372d01938d27256d3b02b

SHA1
196b822034ae4ee2279cc13280a19db0a814dc7d

SHA256
7fb9bc77eda3cc5f33e4796856d50f361312273c36af08e7441592f6e460326b

SHA512
3f0b69d651b0cfe98f65efdd8a430c46fdf0d3507b2fc79c09d5efc03f3bc68823435409a7773896f1df6b5fbc9158244dd902468eb6898ae6b67d9a54c9645e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20882\_multiprocessing.pyd

Filesize
26KB

MD5
b9b7817052bd0343bf584d532c1154d9

SHA1
0eb4ee9b3441be384361d173563f4e33e33c3983

SHA256
791ecbd0abb0462a96a8fe23b6ee3373fe239c1a65a8e5c85edf6280c36f09ba

SHA512
a2f253f4f9a4fc71e765e736fd82c595b3ad6236851b526ded64d0dfeedc8afce33ff598531d6377918b080941f798c157f7ec024bf11a10a813e250bf52bc4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20882\_overlapped.pyd

Filesize
32KB

MD5
270a829c3295e3565abfdf44c0de37a2

SHA1
8f59262f3fbfd7c7eec181a0c1cb632d2a6aac77

SHA256
a0fd922a250951574961af2d80137e1f06ec3fa80b72e9fc3ca545601b851475

SHA512
e241689e5a3376bdf38c5e95ad7eaed363936ed029fc331ddf51de95182d43ef7fe5c6857511df03b773d801706660d56471fbf1d11d26044d2fe80d5c8f75a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20882\_queue.pyd

Filesize
25KB

MD5
145984b051cdeac6753e51b8b4bed1b3

SHA1
b2d939281b792cb15ee3c0e84ace4465fe7f04fa

SHA256
47bb32c1d2c61148aaf88b039a9e304754194b86a89b78796a873d99446f8c9e

SHA512
53a2e78abd1e8c21f4f28b95fca4577742a1a302307195b06da0636ba7683fe053a8d82839ce3435d7777c38c9cd27b9571dffb49a2f09d121081c3388182149

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20882\_socket.pyd

Filesize
43KB

MD5
32828d8c0b33d457e536f1af4363effb

SHA1
865d6e5b271de7111f11665f352bddafeb8bf726

SHA256
243017793b85e39cbd90ffa14b97feb9b2c16b4b70bd47121339671e47fecb15

SHA512
6b37a86a86fa6fb4f4abc6407306cc65ae2308c04ffacdb4a232f72494d34524c5bed83467236dcc2133b5cdb3e2e7d762b29c3cdbb765a2610e932221839e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20882\_sqlite3.pyd

Filesize
56KB

MD5
6eddc28265692ba8b5c25a1d5f26257d

SHA1
dadf3fc95b0fc1c76b463185f2f0c45a089ce862

SHA256
b8005a6e845acecd822596552d451d829c81f7cdb1195135b14840999d811b99

SHA512
b8c78c5f3300b8507f1ee323df41c89d4bd2f82837fe1e171cabfe3db082b5ad65a4e390064ea8dd5747d3c2285183fcde18d8356eb59dc5d25441ec0a95bc3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20882\_ssl.pyd

Filesize
62KB

MD5
c41938e204ea69aec5902144a6b57ae8

SHA1
6ae800edab188ea567320caba9c3b616c925f1a7

SHA256
df6cc2984f13bad2632aa3a65dd2895837c63caf9da215be8d7e14ce665ccfb8

SHA512
12db329d88bff6978451dd6ad3df22f2cfb9a365ed23946d9b7ac45c7e74621b1c6631436923a639232f7f292d1f5b15699a57042b4945cfa5765dc35fde27a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20882\_uuid.pyd

Filesize
24KB

MD5
a16b1acfdaadc7bb4f6ddf17659a8d12

SHA1
482982d623d88627c447f96703e4d166f9e51db4

SHA256
8af17a746533844b0f1b8f15f612e1cf0df76ac8f073388e80cfc60759e94de0

SHA512
03d65f37efc6aba325109b5a982be71380210d41dbf8c068d6a994228888d805adac1264851cc6f378e61c3aff1485cc6c059e83218b239397eda0cec87bd533

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20882\aiohttp\_helpers.cp311-win_amd64.pyd

Filesize
26KB

MD5
cfce0b2cfa84c1b1364912e4bfa854f0

SHA1
92ddadb37b87f54c2c1a244cab0b51b6fb306ec3

SHA256
4c173e67e018db851a1ccbb21d9163c05b11445bbeea44e433bfe3b900c82e9c

SHA512
932a0cd07b815b5cfa460651c058443454313de96c694842e0d22bbfbad3ef2b044624e689dede8409182cddb77583de22ab2c1fdbe48e69ef4ebd390bf80781

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20882\aiohttp\_http_parser.cp311-win_amd64.pyd

Filesize
80KB

MD5
8fa0c4c34ae5b6bb30f9e063c0d6ff74

SHA1
81172f9eeb5ba03575232d6c58ee1ec5488b53a2

SHA256
89651d43c08734e0b06c9869446461d815ea0d59dcafdce340920267108dd218

SHA512
f4e122b46e364711bc2cda034c845369673a2d62b9f2628685e420ae8697fa42ce9e2f678f9030703ecf24fbfcd6cc3e8f7d23aba5f127c27d679051d8db1f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20882\aiohttp\_http_writer.cp311-win_amd64.pyd

Filesize
24KB

MD5
5588be68b4025d1f7d44055a4a5bfb3b

SHA1
720ac28b851b3b50b058813c67c364de2ee05cb3

SHA256
dd82daaaef6677270b80ea23d8dd9bbb62bc8208c2f243e52abf97751fc94f48

SHA512
cdf635f191f5994f4e4cc5373b964a5db674abea144a36492a958b0181b85c85bfed0162eb85d130f822e0d6b0f2180144920dec356659ad47e475ae70ac9bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20882\aiohttp\_websocket.cp311-win_amd64.pyd

Filesize
19KB

MD5
6af681a880d0b41ec16d38f8d7603578

SHA1
be92c953f7b4f19763ac768ee961933051e6fcb0

SHA256
1211eb2986835d195bc7b80e16f03d5891d7088fe0c3ef19c41c55c517a4082e

SHA512
5a38db40a7a0540d77618d3dcd2cccacc9ec3a4c4084bdd113ababddfc0271f392d0356f0310e6850fc919b5a02099cce9b2a1490e79ca427784824f188a80c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20882\base_library.zip

Filesize
1.4MB

MD5
2efeab81308c47666dfffc980b9fe559

SHA1
8fbb7bbdb97e888220df45cc5732595961dbe067

SHA256
a20eeb4ba2069863d40e4feab2136ca5be183887b6368e32f1a12c780a5af1ad

SHA512
39b030931a7a5940edc40607dcc9da7ca1bf479e34ebf45a1623a67d38b98eb4337b047cc8261038d27ed9e9d6f2b120abbf140c6c90d866cdba0a4c810ac32c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20882\cryptography\hazmat\bindings\_rust.pyd

Filesize
2.1MB

MD5
073606ea92928af7b2863782c0114949

SHA1
ec7b4dbf415af6a071a6ca3a0d4f4a0cf544515c

SHA256
9be10e3f170875a5b3e403f29d7241bf64957c01bfcae3504f5576578183610a

SHA512
5cd48348b475c9de7c2c8d85f36a1f8cf63ee5ee2bde60e2e5a1026f0e877b4c686ad07ab37c8ae37b46b719233b28aa699ce5a2fedd0247c7607da6e519a11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20882\frozenlist\_frozenlist.cp311-win_amd64.pyd

Filesize
35KB

MD5
15b0df96344baf6a4c72766721943e52

SHA1
a3666e88594d1ec97de23b9242f346c43a34c070

SHA256
abb6f497003738db2407b01dfa0abc61f6bc7fdb2452c52f76ab11f5430d844f

SHA512
4fbf295d0882646b8c4b3284f11331fb12767fd1404d78d3e4d88a434896058c2df05dd1a2d9c8ce696d2d3aad8c7251d00d95c399df2e8c11bb319f87a4385e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20882\libcrypto-1_1.dll

Filesize
1.1MB

MD5
f82e744b74099c586a568ffeab9ab252

SHA1
b51cd9fca6c7e0a262fc3a0f66b95034b0c03a5f

SHA256
2d2c0a847d276b65a42b82ca92e466f33315d68a08a4ac25ee251b12c549b3e0

SHA512
f8512470f4325d33a1c881776877ec6cf2865430b04ea3eb86b61721a8c3b1daa724b7887411f7bc4842732f0441fc72990c39e1974fb986555c1e4c33cb59e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20882\libffi-8.dll

Filesize
27KB

MD5
002d812bed903fe40ec41f869b21832f

SHA1
ee066916e6966f05457d490332f5e0d925e11766

SHA256
0d85141dab86cfe0f276dfc5f8503b297505f8246cabf7c8deba0ac31a52c3f7

SHA512
5cea498444aac18b43b45c7fc6f111446d4381e29ccaa5eac04338714c12f7d25b693b1f31bb670b61f242429e9a20b21db1cab6338ad503aee6f35af0032240

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20882\libssl-1_1.dll

Filesize
203KB

MD5
9688c1b6b7d77fb1721168e4ba55f553

SHA1
611959e623906f6be155bbdb5ea4f2aaeb43c212

SHA256
e3f8264484e99c36c1a99aab96f7753f72da56c284ded7b1c802bc514bc9053b

SHA512
161ab9124bef12493a7ef232f089064e620203f77b1fa18812a8c51a8eaa6ca2436341fafaf24f0ac3840f395ed96a6600cb92b87ccb0ee31bcef7f636e1fba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20882\multidict\_multidict.cp311-win_amd64.pyd

Filesize
20KB

MD5
eeaded775eabfaaede5ca025f55fd273

SHA1
8eefb3b9d85b4d5ad4033308f8af2a24e8792e02

SHA256
db4d6a74a3301788d32905b2ccc525e9a8e2219f1a36924464871cf211f115a0

SHA512
a6055d5604cc53428d89b308c223634cd94082be0ba4081513974e1826775d6e9fc26180c816d9a38fead89b5e04c5e7cf729c056bfae0ed74d6885c921b70ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20882\pyexpat.pyd

Filesize
87KB

MD5
0b0a68ed0f1b01feccf9c13572279dcf

SHA1
914e4d43c448731cae6c767afd8d28065bce04ce

SHA256
9bb2d896280025f1eb2d85a78f3fc2a1c48939e1586497f4822e1d21f27b4035

SHA512
36e0f64e08c948ea5af741f0583e7a569fb7c8f80b2bce9734265dbb54e887adbf43a3daf5a2c854bcf73fda21f690819e20a6255b3cfc59d59ccafb3837a46b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20882\python3.DLL

Filesize
65KB

MD5
2ad3039bd03669f99e948f449d9f778b

SHA1
dae8f661990c57adb171667b9206c8d84c50ecad

SHA256
852b901e17022c437f8fc3039a5af2ee80c5d509c9ef5f512041af17c48fcd61

SHA512
8ffeaa6cd491d7068f9176fd628002c84256802bd47a17742909f561ca1da6a2e7c600e17cd983063e8a93c2bbe9b981bd43e55443d28e32dfb504d7f1e120c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20882\python311.dll

Filesize
1.6MB

MD5
a237b2d97fbda04e085291a0aa71d68a

SHA1
db59472798fadc68df15d792c28a2746d1acdeff

SHA256
9dad2734c89ef84ab48a0ecab7e65d285d81323198e3aa9dfa388569a7f1b571

SHA512
41f7111713ed9953daa2ecf34213fb2c20a9a22b3140d4517b2fc939f5c2b3d943234502c1c82d5361f841dbcd4f6e1922f61811edea5206bc1549f64c33e867

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20882\select.pyd

Filesize
25KB

MD5
079763bb25560c08756315b9310d632c

SHA1
6137b251469406a953d0cf10631461e9cdb1230c

SHA256
3d019c8c5d95dd2f7c08f9550ebf14070440234f2d22addf6a85bd8301f79c08

SHA512
8c57fbec6a86ea6e495662d5f4c89f294178be0ba1e5ae5c4ca835afe4e865a00768972afb6a926417e98c2b0781878e35b0b9428dc4c1a68fac5b4e2b4ccca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20882\sqlite3.dll

Filesize
607KB

MD5
d577e51e7672f520af75acf605e073d3

SHA1
b717545e44c9cc987242480451799d6a009a0f52

SHA256
7d1614f9cde129f455f5f569212c56d4d1d00564db0cdee4249c73b67a314619

SHA512
7e618882f90989c09c6ea547eb1a649453e330f419f78818bd3fbd843d838527de6918317d6fff3796d02ed75bbb86e461cc6935ff47f5ef842af7cb0cc755f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20882\unicodedata.pyd

Filesize
295KB

MD5
cc35caab6a657fd400260c1811fb530f

SHA1
909a4612d81ba012edebf6df69ab968d2fe6d571

SHA256
c416dc3161f514c6fd2ee1e0756c2d6124f3370ac16520f9a294e00315663dc6

SHA512
9eddfcc4bedb57852025df2a4e198905d2d9d8577a894ab1ed2c05701bf03f80fc31b4acc1e7f24065ee7edde4302b0b82a4e214178319fc19e374aab65ef5bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI20882\yarl\_quoting_c.cp311-win_amd64.pyd

Filesize
40KB

MD5
9a8f969ecdf0c15734c1d582d2ae35d8

SHA1
a40691e81982f610a062e49a5ad29cffb5a2f5a8

SHA256
874e52cceae9a3c967bac7b628f4144c32e51fc77f519542fc1bac19045ecde8

SHA512
e0deb59abef7440f30effb1aab6295b5a50c817f685be30b21a3c453e3099b97fd71984e6ca6a6c6e0021abb6e906838566f402b00a11813e67a4e00b119619f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b5lkldac.fm3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2548-97-0x00007FFD03810000-0x00007FFD038C8000-memory.dmp

Filesize
736KB

Download
memory/2548-139-0x00007FFD038D0000-0x00007FFD03A3F000-memory.dmp

Filesize
1.4MB

Download
memory/2548-125-0x00007FFD046C0000-0x00007FFD047DC000-memory.dmp

Filesize
1.1MB

Download
memory/2548-126-0x00007FFD13F10000-0x00007FFD13F32000-memory.dmp

Filesize
136KB

Download
memory/2548-105-0x00007FFD13CC0000-0x00007FFD13CD9000-memory.dmp

Filesize
100KB

Download
memory/2548-104-0x00007FFD14000000-0x00007FFD14012000-memory.dmp

Filesize
72KB

Download
memory/2548-103-0x00007FFD172E0000-0x00007FFD172F5000-memory.dmp

Filesize
84KB

Download
memory/2548-135-0x00007FFD0E430000-0x00007FFD0E468000-memory.dmp

Filesize
224KB

Download
memory/2548-98-0x000001AE371D0000-0x000001AE37545000-memory.dmp

Filesize
3.5MB

Download
memory/2548-127-0x00007FFD13EF0000-0x00007FFD13F07000-memory.dmp

Filesize
92KB

Download
memory/2548-96-0x00007FFD04000000-0x00007FFD045EA000-memory.dmp

Filesize
5.9MB

Download
memory/2548-92-0x00007FFD13340000-0x00007FFD1336E000-memory.dmp

Filesize
184KB

Download
memory/2548-90-0x00007FFD038D0000-0x00007FFD03A3F000-memory.dmp

Filesize
1.4MB

Download
memory/2548-128-0x00007FFD13ED0000-0x00007FFD13EE9000-memory.dmp

Filesize
100KB

Download
memory/2548-86-0x00007FFD13720000-0x00007FFD1374D000-memory.dmp

Filesize
180KB

Download
memory/2548-129-0x00007FFD0EE20000-0x00007FFD0EE6D000-memory.dmp

Filesize
308KB

Download
memory/2548-84-0x00007FFD13750000-0x00007FFD13769000-memory.dmp

Filesize
100KB

Download
memory/2548-132-0x00007FFD02CE0000-0x00007FFD03481000-memory.dmp

Filesize
7.6MB

Download
memory/2548-82-0x00007FFD141A0000-0x00007FFD141AD000-memory.dmp

Filesize
52KB

Download
memory/2548-80-0x00007FFD13CC0000-0x00007FFD13CD9000-memory.dmp

Filesize
100KB

Download
memory/2548-133-0x00007FFD13F40000-0x00007FFD13F54000-memory.dmp

Filesize
80KB

Download
memory/2548-130-0x00007FFD13EB0000-0x00007FFD13EC1000-memory.dmp

Filesize
68KB

Download
memory/2548-131-0x00007FFD13320000-0x00007FFD1333E000-memory.dmp

Filesize
120KB

Download
memory/2548-99-0x00007FFD03490000-0x00007FFD03805000-memory.dmp

Filesize
3.5MB

Download
memory/2548-88-0x00007FFD136F0000-0x00007FFD13713000-memory.dmp

Filesize
140KB

Download
memory/2548-77-0x00007FFD13CE0000-0x00007FFD13D03000-memory.dmp

Filesize
140KB

Download
memory/2548-138-0x00007FFD136F0000-0x00007FFD13713000-memory.dmp

Filesize
140KB

Download
memory/2548-124-0x00007FFD13FE0000-0x00007FFD13FF4000-memory.dmp

Filesize
80KB

Download
memory/2548-78-0x00007FFD17100000-0x00007FFD1710F000-memory.dmp

Filesize
60KB

Download
memory/2548-179-0x00007FFD13340000-0x00007FFD1336E000-memory.dmp

Filesize
184KB

Download
memory/2548-180-0x00007FFD13A70000-0x00007FFD13A7D000-memory.dmp

Filesize
52KB

Download
memory/2548-278-0x00007FFD13340000-0x00007FFD1336E000-memory.dmp

Filesize
184KB

Download
memory/2548-48-0x00007FFD04000000-0x00007FFD045EA000-memory.dmp

Filesize
5.9MB

Download
memory/2548-196-0x00007FFD03810000-0x00007FFD038C8000-memory.dmp

Filesize
736KB

Download
memory/2548-197-0x000001AE371D0000-0x000001AE37545000-memory.dmp

Filesize
3.5MB

Download
memory/2548-198-0x00007FFD03490000-0x00007FFD03805000-memory.dmp

Filesize
3.5MB

Download
memory/2548-200-0x00007FFD172E0000-0x00007FFD172F5000-memory.dmp

Filesize
84KB

Download
memory/2548-201-0x00007FFD14000000-0x00007FFD14012000-memory.dmp

Filesize
72KB

Download
memory/2548-202-0x00007FFD13F10000-0x00007FFD13F32000-memory.dmp

Filesize
136KB

Download
memory/2548-205-0x00007FFD0EE20000-0x00007FFD0EE6D000-memory.dmp

Filesize
308KB

Download
memory/2548-204-0x00007FFD13ED0000-0x00007FFD13EE9000-memory.dmp

Filesize
100KB

Download
memory/2548-203-0x00007FFD13EF0000-0x00007FFD13F07000-memory.dmp

Filesize
92KB

Download
memory/2548-206-0x00007FFD02CE0000-0x00007FFD03481000-memory.dmp

Filesize
7.6MB

Download
memory/2548-241-0x00007FFD0E430000-0x00007FFD0E468000-memory.dmp

Filesize
224KB

Download
memory/2548-227-0x00007FFD172E0000-0x00007FFD172F5000-memory.dmp

Filesize
84KB

Download
memory/2548-223-0x00007FFD038D0000-0x00007FFD03A3F000-memory.dmp

Filesize
1.4MB

Download
memory/2548-215-0x00007FFD04000000-0x00007FFD045EA000-memory.dmp

Filesize
5.9MB

Download
memory/2548-240-0x00007FFD13A70000-0x00007FFD13A7D000-memory.dmp

Filesize
52KB

Download
memory/2548-216-0x00007FFD13CE0000-0x00007FFD13D03000-memory.dmp

Filesize
140KB

Download
memory/2548-242-0x00007FFD04000000-0x00007FFD045EA000-memory.dmp

Filesize
5.9MB

Download
memory/2548-281-0x00007FFD172E0000-0x00007FFD172F5000-memory.dmp

Filesize
84KB

Download
memory/2548-279-0x00007FFD03810000-0x00007FFD038C8000-memory.dmp

Filesize
736KB

Download
memory/2548-269-0x00007FFD04000000-0x00007FFD045EA000-memory.dmp

Filesize
5.9MB

Download
memory/3864-188-0x0000017BCF860000-0x0000017BCF882000-memory.dmp

Filesize
136KB

Download