exelastealer | cad96bc35378dbc2be23aca906392f0217cad6df8bb1c7002237033dc0654865

Analysis

max time kernel
142s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2024 19:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Exela.exe
Size

66.2MB
MD5

57a2dc05065b6c5bd7a16287574b44dd
SHA1

d0d6ea49375492259a5c7b00e1d52b37d9dcd704
SHA256

548b6d77905bfb2217782a2ea99e8e55dc2deddb94af1c43e79a33161328db26
SHA512

44661f3944119a01520a01c5a755a23bd6d608dac61aad006e27b96182aaea8b90547ce2c6c646e37fdd15e1b7e2b80a9c5f2bfa58e0f65309d317c792d3c23c
SSDEEP

393216:akTb3rVEzTGz7k0I1i8gYB+WYT4B888t:a6BEO7gBB+Wr88

Score

10^/10

exelastealer collection defense_evasion discovery evasion persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exe

pid	Process
3736	netsh.exe
4992	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

Processes:

cmd.exepowershell.exe

pid	Process
3528	cmd.exe
536	powershell.exe

Loads dropped DLL 34 IoCs

Processes:

Exela.exe

pid	Process
2116	Exela.exe
2116	Exela.exe
2116	Exela.exe
2116	Exela.exe
2116	Exela.exe
2116	Exela.exe
2116	Exela.exe
2116	Exela.exe
2116	Exela.exe
2116	Exela.exe
2116	Exela.exe
2116	Exela.exe
2116	Exela.exe
2116	Exela.exe
2116	Exela.exe
2116	Exela.exe
2116	Exela.exe
2116	Exela.exe
2116	Exela.exe
2116	Exela.exe
2116	Exela.exe
2116	Exela.exe
2116	Exela.exe
2116	Exela.exe
2116	Exela.exe
2116	Exela.exe
2116	Exela.exe
2116	Exela.exe
2116	Exela.exe
2116	Exela.exe
2116	Exela.exe
2116	Exela.exe
2116	Exela.exe
2116	Exela.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

Processes:

flow	ioc
33	discord.com
31	discord.com
32	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
21	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

Processes:

cmd.exeARP.EXE

pid	Process
3876	cmd.exe
976	ARP.EXE

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exe

pid	Process
1316	tasklist.exe
2708	tasklist.exe
4940	tasklist.exe
5012	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Processes:

cmd.exe

pid	Process
3292	cmd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x0007000000023ce0-162.dat	upx
behavioral2/memory/2116-166-0x00007FFF17220000-0x00007FFF178E5000-memory.dmp	upx
behavioral2/files/0x0007000000023cb0-168.dat	upx
behavioral2/files/0x0007000000023cda-173.dat	upx
behavioral2/files/0x0007000000023cd9-176.dat	upx
behavioral2/files/0x0007000000023cbb-196.dat	upx
behavioral2/memory/2116-197-0x00007FFF30420000-0x00007FFF3042F000-memory.dmp	upx
behavioral2/files/0x0007000000023cb7-198.dat	upx
behavioral2/memory/2116-199-0x00007FFF2D4D0000-0x00007FFF2D4E9000-memory.dmp	upx
behavioral2/files/0x0007000000023ce1-200.dat	upx
behavioral2/memory/2116-201-0x00007FFF27B20000-0x00007FFF27B2D000-memory.dmp	upx
behavioral2/files/0x0007000000023cb9-194.dat	upx
behavioral2/files/0x0007000000023cb3-204.dat	upx
behavioral2/memory/2116-205-0x00007FFF27970000-0x00007FFF2799D000-memory.dmp	upx
behavioral2/memory/2116-203-0x00007FFF27B30000-0x00007FFF27B4A000-memory.dmp	upx
behavioral2/files/0x0007000000023cae-202.dat	upx
behavioral2/files/0x0007000000023cb8-193.dat	upx
behavioral2/files/0x0007000000023cb6-191.dat	upx
behavioral2/files/0x0007000000023cb5-190.dat	upx
behavioral2/files/0x0007000000023cb4-189.dat	upx
behavioral2/files/0x0007000000023cb2-187.dat	upx
behavioral2/files/0x0007000000023cb1-186.dat	upx
behavioral2/files/0x0007000000023caf-185.dat	upx
behavioral2/files/0x0007000000023cad-183.dat	upx
behavioral2/files/0x0007000000023d71-181.dat	upx
behavioral2/files/0x0007000000023d68-180.dat	upx
behavioral2/files/0x0007000000023cde-178.dat	upx
behavioral2/files/0x0007000000023cdb-177.dat	upx
behavioral2/memory/2116-174-0x00007FFF27B50000-0x00007FFF27B75000-memory.dmp	upx
behavioral2/memory/2116-207-0x00007FFF27B10000-0x00007FFF27B1D000-memory.dmp	upx
behavioral2/memory/2116-209-0x00007FFF27960000-0x00007FFF2796F000-memory.dmp	upx
behavioral2/memory/2116-212-0x00007FFF27070000-0x00007FFF27084000-memory.dmp	upx
behavioral2/memory/2116-214-0x00007FFF17220000-0x00007FFF178E5000-memory.dmp	upx
behavioral2/memory/2116-215-0x00007FFF16CE0000-0x00007FFF17213000-memory.dmp	upx
behavioral2/memory/2116-217-0x00007FFF27B50000-0x00007FFF27B75000-memory.dmp	upx
behavioral2/memory/2116-218-0x00007FFF25520000-0x00007FFF25553000-memory.dmp	upx
behavioral2/memory/2116-220-0x00007FFF17FD0000-0x00007FFF1809E000-memory.dmp	upx
behavioral2/memory/2116-223-0x00007FFF2D4D0000-0x00007FFF2D4E9000-memory.dmp	upx
behavioral2/memory/2116-224-0x00007FFF20A30000-0x00007FFF20A66000-memory.dmp	upx
behavioral2/memory/2116-226-0x00007FFF26F80000-0x00007FFF26FA4000-memory.dmp	upx
behavioral2/memory/2116-228-0x00007FFF17E50000-0x00007FFF17FCF000-memory.dmp	upx
behavioral2/memory/2116-230-0x00007FFF26EB0000-0x00007FFF26EC6000-memory.dmp	upx
behavioral2/files/0x0007000000023cdd-234.dat	upx
behavioral2/memory/2116-233-0x00007FFF26970000-0x00007FFF26982000-memory.dmp	upx
behavioral2/memory/2116-236-0x00007FFF25310000-0x00007FFF25324000-memory.dmp	upx
behavioral2/memory/2116-235-0x00007FFF27960000-0x00007FFF2796F000-memory.dmp	upx
behavioral2/memory/2116-239-0x00007FFF16BC0000-0x00007FFF16CDA000-memory.dmp	upx
behavioral2/memory/2116-238-0x00007FFF27070000-0x00007FFF27084000-memory.dmp	upx
behavioral2/files/0x0007000000023d7b-240.dat	upx
behavioral2/files/0x0007000000023d7c-243.dat	upx
behavioral2/memory/2116-244-0x00007FFF16CE0000-0x00007FFF17213000-memory.dmp	upx
behavioral2/memory/2116-246-0x00007FFF18A60000-0x00007FFF18A82000-memory.dmp	upx
behavioral2/memory/2116-247-0x00007FFF25520000-0x00007FFF25553000-memory.dmp	upx
behavioral2/memory/2116-245-0x00007FFF22C00000-0x00007FFF22C17000-memory.dmp	upx
behavioral2/files/0x0007000000023cbd-248.dat	upx
behavioral2/files/0x0007000000023cbf-252.dat	upx
behavioral2/memory/2116-256-0x00007FFF1DFF0000-0x00007FFF1E009000-memory.dmp	upx
behavioral2/files/0x0007000000023cbe-255.dat	upx
behavioral2/memory/2116-254-0x00007FFF20A30000-0x00007FFF20A66000-memory.dmp	upx
behavioral2/memory/2116-253-0x00007FFF1E720000-0x00007FFF1E737000-memory.dmp	upx
behavioral2/memory/2116-251-0x00007FFF17FD0000-0x00007FFF1809E000-memory.dmp	upx
behavioral2/memory/2116-260-0x00007FFF16970000-0x00007FFF169BD000-memory.dmp	upx
behavioral2/memory/2116-259-0x00007FFF26F80000-0x00007FFF26FA4000-memory.dmp	upx
behavioral2/memory/2116-262-0x00007FFF18A40000-0x00007FFF18A51000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid	Process
468	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exe

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

Processes:

cmd.exenetsh.exe

pid	Process
4224	cmd.exe
3224	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

Processes:

NETSTAT.EXE

pid	Process
3596	NETSTAT.EXE

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

Processes:

WMIC.exe

pid	Process
3760	WMIC.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

Processes:

ipconfig.exeNETSTAT.EXE

pid	Process
4896	ipconfig.exe
3596	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

Processes:

systeminfo.exe

pid	Process
4268	systeminfo.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exe

pid	Process
536	powershell.exe
536	powershell.exe
536	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exetasklist.exetasklist.exetasklist.exepowershell.exeWMIC.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1500	WMIC.exe
Token: SeSecurityPrivilege	1500	WMIC.exe
Token: SeTakeOwnershipPrivilege	1500	WMIC.exe
Token: SeLoadDriverPrivilege	1500	WMIC.exe
Token: SeSystemProfilePrivilege	1500	WMIC.exe
Token: SeSystemtimePrivilege	1500	WMIC.exe
Token: SeProfSingleProcessPrivilege	1500	WMIC.exe
Token: SeIncBasePriorityPrivilege	1500	WMIC.exe
Token: SeCreatePagefilePrivilege	1500	WMIC.exe
Token: SeBackupPrivilege	1500	WMIC.exe
Token: SeRestorePrivilege	1500	WMIC.exe
Token: SeShutdownPrivilege	1500	WMIC.exe
Token: SeDebugPrivilege	1500	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1500	WMIC.exe
Token: SeRemoteShutdownPrivilege	1500	WMIC.exe
Token: SeUndockPrivilege	1500	WMIC.exe
Token: SeManageVolumePrivilege	1500	WMIC.exe
Token: 33	1500	WMIC.exe
Token: 34	1500	WMIC.exe
Token: 35	1500	WMIC.exe
Token: 36	1500	WMIC.exe
Token: SeDebugPrivilege	2708	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1500	WMIC.exe
Token: SeSecurityPrivilege	1500	WMIC.exe
Token: SeTakeOwnershipPrivilege	1500	WMIC.exe
Token: SeLoadDriverPrivilege	1500	WMIC.exe
Token: SeSystemProfilePrivilege	1500	WMIC.exe
Token: SeSystemtimePrivilege	1500	WMIC.exe
Token: SeProfSingleProcessPrivilege	1500	WMIC.exe
Token: SeIncBasePriorityPrivilege	1500	WMIC.exe
Token: SeCreatePagefilePrivilege	1500	WMIC.exe
Token: SeBackupPrivilege	1500	WMIC.exe
Token: SeRestorePrivilege	1500	WMIC.exe
Token: SeShutdownPrivilege	1500	WMIC.exe
Token: SeDebugPrivilege	1500	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1500	WMIC.exe
Token: SeRemoteShutdownPrivilege	1500	WMIC.exe
Token: SeUndockPrivilege	1500	WMIC.exe
Token: SeManageVolumePrivilege	1500	WMIC.exe
Token: 33	1500	WMIC.exe
Token: 34	1500	WMIC.exe
Token: 35	1500	WMIC.exe
Token: 36	1500	WMIC.exe
Token: SeDebugPrivilege	4940	tasklist.exe
Token: SeDebugPrivilege	5012	tasklist.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeIncreaseQuotaPrivilege	3760	WMIC.exe
Token: SeSecurityPrivilege	3760	WMIC.exe
Token: SeTakeOwnershipPrivilege	3760	WMIC.exe
Token: SeLoadDriverPrivilege	3760	WMIC.exe
Token: SeSystemProfilePrivilege	3760	WMIC.exe
Token: SeSystemtimePrivilege	3760	WMIC.exe
Token: SeProfSingleProcessPrivilege	3760	WMIC.exe
Token: SeIncBasePriorityPrivilege	3760	WMIC.exe
Token: SeCreatePagefilePrivilege	3760	WMIC.exe
Token: SeBackupPrivilege	3760	WMIC.exe
Token: SeRestorePrivilege	3760	WMIC.exe
Token: SeShutdownPrivilege	3760	WMIC.exe
Token: SeDebugPrivilege	3760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3760	WMIC.exe
Token: SeRemoteShutdownPrivilege	3760	WMIC.exe
Token: SeUndockPrivilege	3760	WMIC.exe
Token: SeManageVolumePrivilege	3760	WMIC.exe
Token: 33	3760	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

Exela.exeExela.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exenet.exequery.exe

description	pid	Process	procid_target
PID 4648 wrote to memory of 2116	4648	Exela.exe	87
PID 4648 wrote to memory of 2116	4648	Exela.exe	87
PID 2116 wrote to memory of 1232	2116	Exela.exe	92
PID 2116 wrote to memory of 1232	2116	Exela.exe	92
PID 2116 wrote to memory of 3440	2116	Exela.exe	93
PID 2116 wrote to memory of 3440	2116	Exela.exe	93
PID 1232 wrote to memory of 1500	1232	cmd.exe	96
PID 1232 wrote to memory of 1500	1232	cmd.exe	96
PID 3440 wrote to memory of 2708	3440	cmd.exe	97
PID 3440 wrote to memory of 2708	3440	cmd.exe	97
PID 2116 wrote to memory of 3292	2116	Exela.exe	98
PID 2116 wrote to memory of 3292	2116	Exela.exe	98
PID 3292 wrote to memory of 4068	3292	cmd.exe	100
PID 3292 wrote to memory of 4068	3292	cmd.exe	100
PID 2116 wrote to memory of 1556	2116	Exela.exe	101
PID 2116 wrote to memory of 1556	2116	Exela.exe	101
PID 2116 wrote to memory of 1272	2116	Exela.exe	102
PID 2116 wrote to memory of 1272	2116	Exela.exe	102
PID 1272 wrote to memory of 4940	1272	cmd.exe	105
PID 1272 wrote to memory of 4940	1272	cmd.exe	105
PID 1556 wrote to memory of 3752	1556	cmd.exe	106
PID 1556 wrote to memory of 3752	1556	cmd.exe	106
PID 2116 wrote to memory of 3748	2116	Exela.exe	107
PID 2116 wrote to memory of 3748	2116	Exela.exe	107
PID 2116 wrote to memory of 3936	2116	Exela.exe	108
PID 2116 wrote to memory of 3936	2116	Exela.exe	108
PID 2116 wrote to memory of 3240	2116	Exela.exe	109
PID 2116 wrote to memory of 3240	2116	Exela.exe	109
PID 2116 wrote to memory of 3528	2116	Exela.exe	110
PID 2116 wrote to memory of 3528	2116	Exela.exe	110
PID 3748 wrote to memory of 4336	3748	cmd.exe	115
PID 3748 wrote to memory of 4336	3748	cmd.exe	115
PID 3936 wrote to memory of 856	3936	cmd.exe	116
PID 3936 wrote to memory of 856	3936	cmd.exe	116
PID 4336 wrote to memory of 4892	4336	cmd.exe	117
PID 4336 wrote to memory of 4892	4336	cmd.exe	117
PID 3240 wrote to memory of 5012	3240	cmd.exe	118
PID 3240 wrote to memory of 5012	3240	cmd.exe	118
PID 3528 wrote to memory of 536	3528	cmd.exe	119
PID 3528 wrote to memory of 536	3528	cmd.exe	119
PID 856 wrote to memory of 5096	856	cmd.exe	120
PID 856 wrote to memory of 5096	856	cmd.exe	120
PID 2116 wrote to memory of 4224	2116	Exela.exe	121
PID 2116 wrote to memory of 4224	2116	Exela.exe	121
PID 2116 wrote to memory of 3876	2116	Exela.exe	123
PID 2116 wrote to memory of 3876	2116	Exela.exe	123
PID 4224 wrote to memory of 3224	4224	cmd.exe	125
PID 4224 wrote to memory of 3224	4224	cmd.exe	125
PID 3876 wrote to memory of 4268	3876	cmd.exe	126
PID 3876 wrote to memory of 4268	3876	cmd.exe	126
PID 3876 wrote to memory of 1848	3876	cmd.exe	130
PID 3876 wrote to memory of 1848	3876	cmd.exe	130
PID 3876 wrote to memory of 3760	3876	cmd.exe	131
PID 3876 wrote to memory of 3760	3876	cmd.exe	131
PID 3876 wrote to memory of 1724	3876	cmd.exe	132
PID 3876 wrote to memory of 1724	3876	cmd.exe	132
PID 1724 wrote to memory of 2380	1724	net.exe	133
PID 1724 wrote to memory of 2380	1724	net.exe	133
PID 3876 wrote to memory of 1836	3876	cmd.exe	134
PID 3876 wrote to memory of 1836	3876	cmd.exe	134
PID 1836 wrote to memory of 4512	1836	query.exe	135
PID 1836 wrote to memory of 4512	1836	query.exe	135
PID 3876 wrote to memory of 3124	3876	cmd.exe	136
PID 3876 wrote to memory of 3124	3876	cmd.exe	136

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exe

pid	Process
4068	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Exela.exe
"C:\Users\Admin\AppData\Local\Temp\Exela.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Users\Admin\AppData\Local\Temp\Exela.exe
  "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1232
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3440
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:3292
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Views/modifies file attributes
      PID:4068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:3752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1272
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3748
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4336
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:4892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3936
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:856
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:5096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3240
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:5012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:3528
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:4224
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    - Suspicious use of WriteProcessMemory
    PID:3876
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4268
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:1848
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      Suspicious use of AdjustPrivilegeToken
      PID:3760
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1724
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:2380
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1836
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:4512
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:3124
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:944
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:3216
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:3260
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:916
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:5024
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:4612
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:4044
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:1096
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:1316
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:4896
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:2960
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:976
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:3596
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:468
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3736
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2784
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1128
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI46482\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_asyncio.pyd

Filesize
38KB

MD5
07fb4d6d21ce007476a53655659f69ae

SHA1
0e5618325c0128ef77118c692c14c12e68e51e90

SHA256
d4d85776c7bab9726d27b1fc5fb92ae7d38657cc18960f72acdfb51276d7ac67

SHA512
86c77a3617588baa94bc1fdd6fdd530a438f5270ca95f104242c29facebfe3a55d0c76ea704ef2b31ecc01eeccc56586188cc3fbd228fedf6d4ee94c85b735ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_bz2.pyd

Filesize
48KB

MD5
c9f84cbfff18bf88923802116a013aa0

SHA1
4aabe0b93098c3ac5b843599bd3cb6b9a7d464a1

SHA256
5f33cd309ae6f049a4d8c2b6b2a8cd5ade5e8886408ed2b81719e686b68b7d13

SHA512
d3b2a8b0fa84ce3bf34f3d04535c89c58ea5c359757f2924fecea613a7a041c9bd9a47ca5df254690c92705bbd7e8f4f4be4801414437d7a5749cffde5272fe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_cffi_backend.cp312-win_amd64.pyd

Filesize
71KB

MD5
27004b1f01511fd6743ee5535de8f570

SHA1
b97baa60d6c335670b8a923fa7e6411c8e602e55

SHA256
d2d3e9d9e5855a003e3d8c7502a9814191cf2b77b99ba67777ac170440dfdccf

SHA512
bdcd7a9b9bea5a16186d1a4e097253008d5ecd37a8d8652ec21b034abafbc7e5ff9ca838c5c4cb5618d87b1aceda09e920878c403abafafa867e2d679d4d98d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_ctypes.pyd

Filesize
59KB

MD5
dfd13a29d4871d14aeb3ef6e0aafae71

SHA1
b159bdbd5820dc3007a9b56b9489037aed7624d4

SHA256
d74b1c5b0b14e2379aad50ca5af0b1cd5979fd2f065b1beee47514e6f11deb2f

SHA512
45035d17f1aadd555edb595a4a0e656d4720771a58a7d8cd80b66740fe7f7565acae4b6a03fea4994a896f67fc5ca883d15dacb80d6146bfbf0ccb2bec9ef588

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_decimal.pyd

Filesize
107KB

MD5
423186e586039fa189a65e843acf87e0

SHA1
8849f6038914de79f64daff868f69133c3354012

SHA256
302bd83bc48ca64cd9fe82465b5db16724f171ee7e91f28aa60b9074e9f92a7a

SHA512
c91030f91d9e0ba4ea5fcbadf2b4077d736bd7e9fa71351a85dbcca7204fecdbfd04c6afe451adb8ae1ab0c880c879e42e624645717a690ec75b5b88cac90f1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_hashlib.pyd

Filesize
35KB

MD5
2e27d0a121f60b37c72ac44b210e0f4f

SHA1
7e880cf5f2e49ca56f8a422c74ca4f4b34017a09

SHA256
cebc38091bd20b4e74bcb1f0b1920e2422eed044aa8d1fd4e1e3adc55dcf3501

SHA512
93362cd566d4a9d3d9253abd461c2c49ab0efe972d1a946a0eb2e34bb37b7723e3164a438b3378b8b1c9e87ac987b335a2ce0499d9a50bdf7104657bb6b28647

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_lzma.pyd

Filesize
86KB

MD5
96e99c539e2cb0683b148da367ce4389

SHA1
098c7b3ff65823236cd935d7cb80aa8009cecc3d

SHA256
72a7d452b3a164195b4a09b85a8e33ad4e6b658c10396b1a313e61da8f814304

SHA512
7572291adad01c60b9c1f266aff44ed63474436e2087a834103fc5f9e380d9c33adcdb3b82cc13f1e13caf4a84d0a8dac0511d39bf90966a821f80cafcc6eca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_multiprocessing.pyd

Filesize
27KB

MD5
7016551a054fe5e51b83e71242cb4662

SHA1
cec3cc32a79d77f212055a57856cac2cfe4096be

SHA256
5fb8194f04e0f05ab8ede8a68f906984c7f6770f19a76c0fca30dbbdaa069135

SHA512
5fae6fe874dcf74b78fd7978a804addd086001f3bf54b2a26bea48d36b04c5f5d02fdc9ded82b5e02757921db34afcc2c793ac4bd0c2bfa519ab97ca0a8c005e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_overlapped.pyd

Filesize
33KB

MD5
a849bfcef664851201326a739e1dba41

SHA1
f64332ffdb1dfcfc853f2b00914e7422a33b1ae3

SHA256
7e23125519f4c79b0651a36dd7820e278c0b124395d7f1fb0bc7dca78d14834b

SHA512
e33684226f445d2ec7df4452e482c4804ffd735e6c73aaa441fa3f476113de678b3945ef49d35653b614c605403f5c79cb497eb3d23025d88fc80c26206abfb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_queue.pyd

Filesize
26KB

MD5
51c7b2ca2871fa9d4a948f2abd22de05

SHA1
a915c58f1090a5cfa4386efbd31cbdd0391547cf

SHA256
36ec2ef3f553257912e3e3d17706920c1a52c3619d5c7b157c386c1dbe6e3f52

SHA512
f398891a152049506ed278b7383d6d7df1e304b6afb41ffe15b732b0c07fced977c29fe22bfa26cd454dc0d3576ec0218e8f0dedeff6ed7b7dd55daa9b10db62

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_socket.pyd

Filesize
44KB

MD5
0a4bec3acc2db020d129e0e3f2d0cd95

SHA1
180b4d4c5802ae94fc041360bb652cde72eca620

SHA256
3c6bb84d34e46e4fdf1ba192a4b78c4caf9217f49208147e7c46e654d444f222

SHA512
5ffde27846b7acf5ff1da513930ead85c6e95f92c71ee630bcc8932fdf5e4f9c42b027e14df8e9596adf67f9d6467c5454b3bda5a39d69e20745f71eca7ed685

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_sqlite3.pyd

Filesize
57KB

MD5
337889448ecd97a305a96cf61f1b84b9

SHA1
c981100ec4b5921d5b7c865d4458b67af67cf325

SHA256
a35a017ee1c003290f4850b4c3d7140f5f0df98d2178bf67923a610aee1679be

SHA512
6f7789bcf2c63faff5842ecf8494a0f47446fa0dcb6890bf664cc661f030309d28fa3d5d18f20c7ddd9fda036068902b42fff7ae34b84ca035b2729ba4ef6306

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_ssl.pyd

Filesize
66KB

MD5
4dc99d3cbe1bb4b474d8c1bc70b5b7d0

SHA1
356565045cc67ee517900f13fb9b3042e336804a

SHA256
570e29e73fc398c52abeebb92654ac321dad50e625c1230d919d88da1fd8d8d0

SHA512
bc35069e407ba14c859e5d1372d19ca6dbdc2449f93760c012a492eee404e11255e9ea0d883b7a3807e1e0afcc223e27694acd794b7986f5ed5fdd6b7abd0000

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_uuid.pyd

Filesize
25KB

MD5
d8c6d60ea44694015ba6123ff75bd38d

SHA1
813deb632f3f3747fe39c5b8ef67bada91184f62

SHA256
8ae23bfa84ce64c3240c61bedb06172bfd76be2ad30788d4499cb24047fce09f

SHA512
d3d408c79e291ed56ca3135b5043e555e53b70dff45964c8c8d7ffa92b27c6cdea1e717087b79159181f1258f9613fe6d05e3867d9c944f43a980b5bf27a75ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\_wmi.pyd

Filesize
28KB

MD5
d6731fc47332f01c741d8b64521d86a0

SHA1
29751383560d17029952fd1fa0e92168f8096b3d

SHA256
5632cc7e014771e3bfd0580d24244ed3b56447689d97bd851d02601f615baae4

SHA512
88838be8ca11afc5951a373ccd6e34b91e69a68a2ad9f3b042f708b54e1e7d9745ec59eab9ab58398de9ab1205546eb20c96469c59fa5809d350ccda35d29cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\aiohttp\_helpers.cp312-win_amd64.pyd

Filesize
27KB

MD5
0adf8f6fe076817cc310bb01e1b50e5a

SHA1
3bafe2f49ad10e21effc2655d9936d7dc48b9c17

SHA256
baf0189d19d149c29015621ab6249dc853e4e4782fadd900f02159a1d087ef04

SHA512
0ed840af4f69379312832ccaee279de5840b6cc4aa761211336f7fd326b88ccfa670a18549c8846f5775b955797415804d6fcad52211c61f17307ba45977d931

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\aiohttp\_http_parser.cp312-win_amd64.pyd

Filesize
80KB

MD5
3b69343e88afcb2313d7b1fb34990b9d

SHA1
d111ada603c94b8c2cdbe48831e390dc7a011e4d

SHA256
15cba8f41ba86fc435ed561584dcb1b49579d02168d524457ecb21498f22e193

SHA512
55312d238101d85d0a712a2d37390e4469fa940edaf2dd5aa76243c120587e535afad060a0901ec9a59704ccad8fef34b09be4be3310d6dbeeaa4bfbe2069500

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\aiohttp\_http_writer.cp312-win_amd64.pyd

Filesize
25KB

MD5
000be956e60043ac16ae2313adf36abc

SHA1
2f8f475dac6ba097485f611964a4462ee977e8cb

SHA256
b8ea9a78d47c7092f1be8df7a94cb142e99037e34201b5b97394eb056e95590d

SHA512
2cad6a8f9278afe52b15d764882584b86dc116d7bef4f418f126ce0f18b4b34f0ee55e056f0158b6c7b380a221fc2b7ccd72211f85264eac3e1975afccc75abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\aiohttp\_websocket.cp312-win_amd64.pyd

Filesize
20KB

MD5
640c6a2f0252f307bbd381f867bc2bfb

SHA1
07e0604861c8896bce3186ba2a26fff3ea9228eb

SHA256
6502a2208a7083d1b581aa5e8ba430e8853fe4c7d7c308356a63d15012e97458

SHA512
9c3bcba723f73e6244f5abc013ee81f92ce39a77facb53d9ce8bf35090c365f07207d2b7587f26004bc43af58749556489353dcd4eee88796150057f6079c230

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\base_library.zip

Filesize
1.3MB

MD5
fe165df1db950b64688a2e617b4aca88

SHA1
71cae64d1edd9931ef75e8ef28e812e518b14dde

SHA256
071241ac0fd6e733147a71625de5ead3d7702e73f8d1cbebf3d772cbdce0be35

SHA512
e492a6278676ef944363149a503c7fade9d229bddce7afa919f5e72138f49557619b0bdba68f523fffe7fbca2ccfd5e3269355febaf01f4830c1a4cc67d2e513

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\libcrypto-3.dll

Filesize
1.6MB

MD5
64c76a85cbc744a0a930e9cfc29e20a1

SHA1
e67b24269797d67e3e94042b8c333dc984bdddb8

SHA256
5bcb5de3eff2a80e7d57725ab9e5013f2df728e8a41278fe06d5ac4de91bd26c

SHA512
7e7fdb2356b18a188fd156e332f7ff03b29781063cadc80204159a789910763515b8150292b27f2ce2e9bdaf6c704e377561601d8a5871dcb6b9dd967d9ffa7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\libffi-8.dll

Filesize
29KB

MD5
be8ceb4f7cb0782322f0eb52bc217797

SHA1
280a7cc8d297697f7f818e4274a7edd3b53f1e4d

SHA256
7d08df2c496c32281bf9a010b62e8898b9743db8b95a7ebee12d746c2e95d676

SHA512
07318c71c3137114e0cfec7d8b4815fd6efa51ce70b377121f26dc469cefe041d5098e1c92af8ed0c53b21e9c845fddee4d6646d5bd8395a3f1370ba56a59571

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\libssl-3.dll

Filesize
221KB

MD5
860af4bc2bad883faef1715a1cebb0dd

SHA1
9e498e8267f0d680b7f8f572bc67ef9ec47e5dd9

SHA256
5027010163bfecded82cb733e971c37a4d71653974813e96839f1b4e99412a60

SHA512
9f5a130d566cf81d735b4d4f7816e7796becd5f9768391c0f73c6e9b45e69d72ee27ec9e2694648310f9de317ae0e42fab646a457758e4d506c5d4d460660b0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\multidict\_multidict.cp312-win_amd64.pyd

Filesize
20KB

MD5
e4d305dabcaa89ca7f9fb9da7c67c616

SHA1
71c30975e2809c96cf0e5ced047e33b6dd879237

SHA256
cd3f96e9d7bbc799bed701f4f9f391338a40d6490fe25d40ea69ec351fda330c

SHA512
97f2d6180d35671e0138865421bcf96c5e46e3e31f1fbe5c55915d6d844870753a93dc233705ba17a6eff984e338ec5b4a90761184aba2f2640e5120c0018528

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\pyexpat.pyd

Filesize
88KB

MD5
228e59c72c273970a4a7ab134f9cf282

SHA1
a19ff9c27f969c3657865ecc4202613a721c4610

SHA256
b255658ed4c5f8dc2d8de1652237f3199d3f10d560e8f4c9e8b81168b994849f

SHA512
5cc585172c65443f72f17dce87faafddf6c055a201c7899d046b14c67696aef4a1416faad81718476982f6fd191683e1126b9bb35666d9905b9c855aa8d9dedd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\python3.DLL

Filesize
66KB

MD5
5eace36402143b0205635818363d8e57

SHA1
ae7b03251a0bac083dec3b1802b5ca9c10132b4c

SHA256
25a39e721c26e53bec292395d093211bba70465280acfa2059fa52957ec975b2

SHA512
7cb3619ea46fbaaf45abfa3d6f29e7a5522777980e0a9d2da021d6c68bcc380abe38e8004e1f31d817371fb3cdd5425d4bb115cb2dc0d40d59d111a2d98b21d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\python312.dll

Filesize
1.7MB

MD5
5750b5cbbb8628436ce9a3557efad861

SHA1
fb6fda4ca5dd9415a2031a581c1e0f055fed63b5

SHA256
587598b6c81f4f4dce3afd40ca6d4814d6cfdb9161458d2161c33abfdadc9e48

SHA512
d23938796b4e7b6ae7601c3ab9c513eb458cccb13b597b2e20762e829ce4ace7b810039c713ec996c7e2ce8cfb12d1e7231903f06f424266f460a004bd3f6f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\select.pyd

Filesize
25KB

MD5
b14ab29e811eaa90076840426ab1ab1b

SHA1
14f18ed4eebcc9567dec7967a23d35429ab2edba

SHA256
231d5f116b86a46dad697b5f2725b58df0ceee5de057eec9363f86136c162707

SHA512
a382c0d311953b8fcf06c0758ac92060ccf04b344485025af4a466ecd8f84f5665e29b4169fe5ed4b1c2daeeaa5e44069a5f1cdf5fc59a00a16b8bd883a5d658

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\setuptools\_vendor\importlib_metadata-8.0.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\setuptools\_vendor\jaraco.functools-4.0.1.dist-info\LICENSE

Filesize
1023B

MD5
141643e11c48898150daa83802dbc65f

SHA1
0445ed0f69910eeaee036f09a39a13c6e1f37e12

SHA256
86da0f01aeae46348a3c3d465195dc1ceccde79f79e87769a64b8da04b2a4741

SHA512
ef62311602b466397baf0b23caca66114f8838f9e78e1b067787ceb709d09e0530e85a47bbcd4c5a0905b74fdb30df0cc640910c6cc2e67886e5b18794a3583f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\setuptools\_vendor\jaraco.text-3.12.1.dist-info\WHEEL

Filesize
92B

MD5
43136dde7dd276932f6197bb6d676ef4

SHA1
6b13c105452c519ea0b65ac1a975bd5e19c50122

SHA256
189eedfe4581172c1b6a02b97a8f48a14c0b5baa3239e4ca990fbd8871553714

SHA512
e7712ba7d36deb083ebcc3b641ad3e7d19fb071ee64ae3a35ad6a50ee882b20cd2e60ca1319199df12584fe311a6266ec74f96a3fb67e59f90c7b5909668aee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\setuptools\_vendor\jaraco\text\Lorem ipsum.txt

Filesize
1KB

MD5
4ce7501f6608f6ce4011d627979e1ae4

SHA1
78363672264d9cd3f72d5c1d3665e1657b1a5071

SHA256
37fedcffbf73c4eb9f058f47677cb33203a436ff9390e4d38a8e01c9dad28e0b

SHA512
a4cdf92725e1d740758da4dd28df5d1131f70cef46946b173fe6956cc0341f019d7c4fecc3c9605f354e1308858721dada825b4c19f59c5ad1ce01ab84c46b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\sqlite3.dll

Filesize
644KB

MD5
89c7a4482b66a862b282a25a1903fde3

SHA1
15d9d4df5d6bdfef70e50cfaf56c405293ddd835

SHA256
1f7c0eef1a1c27826f056f8c931b130001b45337d6984b27f6f10355c119bba8

SHA512
e234c1769e8881683c821d2bf5b1c713493b4212fbfecec95eba3cf33ca23d66bcd07767f6e46506a4acc25f2db71c8b682a60be0ae8e349df1c844a5ccce067

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\unicodedata.pyd

Filesize
296KB

MD5
129b358732e77d400bcf38f00cdd197e

SHA1
384b16e35ed4b9a55f35cedbb71be354fa78242a

SHA256
e397fc3ccaee0233f1b793c953f7506426d64765a801a05259afd1a10a25b05a

SHA512
8af8e97fd52e9026da877ebe94b1c82e32ab19233f312f170bf589db9ec15b0736cfa39abd5cf6e1e4d9a3bc6a212578f81fdd9c04758b6ab5a2834b203067da

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\yarl\_helpers_c.cp312-win_amd64.pyd

Filesize
27KB

MD5
4dafdf5f5ab10b402c5c34a3a0606e87

SHA1
43b8fd44a622f09175bdceb6f567aa4a941428ac

SHA256
dea65ab63826a85b2566fce9d77a6cfbcfe689e8101eb31ab55e6e9ccd0233a1

SHA512
15f4127332b99030b19ab162e08d08fd03f5dc99143d215d3a2e525e0dbd0da5f7627cbc9cfcf548f5f5f766051ad88318b2d58458b4494cb9d1cfc07be40463

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI46482\yarl\_quoting_c.cp312-win_amd64.pyd

Filesize
41KB

MD5
3d6f41707f9a0b6f4d66049db52e23fc

SHA1
f89207701337ea1d458da46df9faaf94e966e1a6

SHA256
4b00036c298e8cf1233e415147172d4af8b3c92882178f01f3cb6d4a9d7c4d6f

SHA512
c4b89b127466955810364463696ba400968501c8b3cefca2f07fe95474a3d06b8da505163902bc19c4daf1990072bec7ba792b6410fa6079fea66792406e7bc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xvmzud4q.csf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/536-315-0x0000013796580000-0x00000137965A2000-memory.dmp

Filesize
136KB

Download
memory/2116-226-0x00007FFF26F80000-0x00007FFF26FA4000-memory.dmp

Filesize
144KB

Download
memory/2116-251-0x00007FFF17FD0000-0x00007FFF1809E000-memory.dmp

Filesize
824KB

Download
memory/2116-217-0x00007FFF27B50000-0x00007FFF27B75000-memory.dmp

Filesize
148KB

Download
memory/2116-218-0x00007FFF25520000-0x00007FFF25553000-memory.dmp

Filesize
204KB

Download
memory/2116-220-0x00007FFF17FD0000-0x00007FFF1809E000-memory.dmp

Filesize
824KB

Download
memory/2116-214-0x00007FFF17220000-0x00007FFF178E5000-memory.dmp

Filesize
6.8MB

Download
memory/2116-223-0x00007FFF2D4D0000-0x00007FFF2D4E9000-memory.dmp

Filesize
100KB

Download
memory/2116-224-0x00007FFF20A30000-0x00007FFF20A66000-memory.dmp

Filesize
216KB

Download
memory/2116-212-0x00007FFF27070000-0x00007FFF27084000-memory.dmp

Filesize
80KB

Download
memory/2116-228-0x00007FFF17E50000-0x00007FFF17FCF000-memory.dmp

Filesize
1.5MB

Download
memory/2116-230-0x00007FFF26EB0000-0x00007FFF26EC6000-memory.dmp

Filesize
88KB

Download
memory/2116-209-0x00007FFF27960000-0x00007FFF2796F000-memory.dmp

Filesize
60KB

Download
memory/2116-233-0x00007FFF26970000-0x00007FFF26982000-memory.dmp

Filesize
72KB

Download
memory/2116-236-0x00007FFF25310000-0x00007FFF25324000-memory.dmp

Filesize
80KB

Download
memory/2116-235-0x00007FFF27960000-0x00007FFF2796F000-memory.dmp

Filesize
60KB

Download
memory/2116-239-0x00007FFF16BC0000-0x00007FFF16CDA000-memory.dmp

Filesize
1.1MB

Download
memory/2116-238-0x00007FFF27070000-0x00007FFF27084000-memory.dmp

Filesize
80KB

Download
memory/2116-207-0x00007FFF27B10000-0x00007FFF27B1D000-memory.dmp

Filesize
52KB

Download
memory/2116-174-0x00007FFF27B50000-0x00007FFF27B75000-memory.dmp

Filesize
148KB

Download
memory/2116-244-0x00007FFF16CE0000-0x00007FFF17213000-memory.dmp

Filesize
5.2MB

Download
memory/2116-246-0x00007FFF18A60000-0x00007FFF18A82000-memory.dmp

Filesize
136KB

Download
memory/2116-247-0x00007FFF25520000-0x00007FFF25553000-memory.dmp

Filesize
204KB

Download
memory/2116-245-0x00007FFF22C00000-0x00007FFF22C17000-memory.dmp

Filesize
92KB

Download
memory/2116-203-0x00007FFF27B30000-0x00007FFF27B4A000-memory.dmp

Filesize
104KB

Download
memory/2116-205-0x00007FFF27970000-0x00007FFF2799D000-memory.dmp

Filesize
180KB

Download
memory/2116-256-0x00007FFF1DFF0000-0x00007FFF1E009000-memory.dmp

Filesize
100KB

Download
memory/2116-201-0x00007FFF27B20000-0x00007FFF27B2D000-memory.dmp

Filesize
52KB

Download
memory/2116-254-0x00007FFF20A30000-0x00007FFF20A66000-memory.dmp

Filesize
216KB

Download
memory/2116-253-0x00007FFF1E720000-0x00007FFF1E737000-memory.dmp

Filesize
92KB

Download
memory/2116-215-0x00007FFF16CE0000-0x00007FFF17213000-memory.dmp

Filesize
5.2MB

Download
memory/2116-260-0x00007FFF16970000-0x00007FFF169BD000-memory.dmp

Filesize
308KB

Download
memory/2116-259-0x00007FFF26F80000-0x00007FFF26FA4000-memory.dmp

Filesize
144KB

Download
memory/2116-262-0x00007FFF18A40000-0x00007FFF18A51000-memory.dmp

Filesize
68KB

Download
memory/2116-261-0x00007FFF17E50000-0x00007FFF17FCF000-memory.dmp

Filesize
1.5MB

Download
memory/2116-199-0x00007FFF2D4D0000-0x00007FFF2D4E9000-memory.dmp

Filesize
100KB

Download
memory/2116-263-0x00007FFF18A20000-0x00007FFF18A3E000-memory.dmp

Filesize
120KB

Download
memory/2116-264-0x00007FFF15E80000-0x00007FFF1661A000-memory.dmp

Filesize
7.6MB

Download
memory/2116-265-0x00007FFF15E40000-0x00007FFF15E78000-memory.dmp

Filesize
224KB

Download
memory/2116-273-0x00007FFF16BC0000-0x00007FFF16CDA000-memory.dmp

Filesize
1.1MB

Download
memory/2116-197-0x00007FFF30420000-0x00007FFF3042F000-memory.dmp

Filesize
60KB

Download
memory/2116-166-0x00007FFF17220000-0x00007FFF178E5000-memory.dmp

Filesize
6.8MB

Download
memory/2116-324-0x00007FFF18A60000-0x00007FFF18A82000-memory.dmp

Filesize
136KB

Download
memory/2116-325-0x00007FFF1E720000-0x00007FFF1E737000-memory.dmp

Filesize
92KB

Download
memory/2116-326-0x00007FFF1DFF0000-0x00007FFF1E009000-memory.dmp

Filesize
100KB

Download
memory/2116-327-0x00007FFF16970000-0x00007FFF169BD000-memory.dmp

Filesize
308KB

Download
memory/2116-364-0x00007FFF15E40000-0x00007FFF15E78000-memory.dmp

Filesize
224KB

Download
memory/2116-351-0x00007FFF17E50000-0x00007FFF17FCF000-memory.dmp

Filesize
1.5MB

Download
memory/2116-363-0x00007FFF15E80000-0x00007FFF1661A000-memory.dmp

Filesize
7.6MB

Download
memory/2116-344-0x00007FFF27960000-0x00007FFF2796F000-memory.dmp

Filesize
60KB

Download
memory/2116-343-0x00007FFF27B10000-0x00007FFF27B1D000-memory.dmp

Filesize
52KB

Download
memory/2116-337-0x00007FFF27B50000-0x00007FFF27B75000-memory.dmp

Filesize
148KB

Download
memory/2116-352-0x00007FFF26EB0000-0x00007FFF26EC6000-memory.dmp

Filesize
88KB

Download
memory/2116-336-0x00007FFF17220000-0x00007FFF178E5000-memory.dmp

Filesize
6.8MB

Download
memory/2116-377-0x00007FFF16CE0000-0x00007FFF17213000-memory.dmp

Filesize
5.2MB

Download
memory/2116-390-0x00007FFF1DFF0000-0x00007FFF1E009000-memory.dmp

Filesize
100KB

Download
memory/2116-388-0x00007FFF18A60000-0x00007FFF18A82000-memory.dmp

Filesize
136KB

Download
memory/2116-379-0x00007FFF17FD0000-0x00007FFF1809E000-memory.dmp

Filesize
824KB

Download
memory/2116-378-0x00007FFF25520000-0x00007FFF25553000-memory.dmp

Filesize
204KB

Download
memory/2116-367-0x00007FFF17220000-0x00007FFF178E5000-memory.dmp

Filesize
6.8MB

Download