exelastealer | 4ed12162a9488d67a393f4c455b9e613fc6b18c7df363188fc35da2e13295b34

Analysis

max time kernel
140s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2024 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe
Size

11.1MB
MD5

28b40022d29441c18d99e53ab64c5bd1
SHA1

b368059d622f01825857d35fc91224087dd04faa
SHA256

6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d
SHA512

78101e5e1b9ff327f79d81a7fbe78a0fbc853b62ec8f5875866cb9c33b3bc5ae0f264f8ad5e31ccfdf5810a03b6dcc5c64ee390b5be7a6ab6887e613f2ee8101
SSDEEP

196608:xab1fJpDqAlz2Jp5UfDC3njkY4KeNM++2Pfm/pf+xZTdnRSZZWKsnqrMWOzW0Djc:afaAh2Jp5qC3njklM++2m/pWvTlRS7B3

Score

10^/10

exelastealer collection defense_evasion discovery evasion persistence privilege_escalation pyinstaller spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
884	netsh.exe
3380	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1608	cmd.exe
1916	powershell.exe

Loads dropped DLL 31 IoCs

pid	Process
2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe
2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe
2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe
2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe
2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe
2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe
2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe
2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe
2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe
2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe
2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe
2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe
2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe
2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe
2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe
2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe
2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe
2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe
2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe
2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe
2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe
2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe
2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe
2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe
2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe
2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe
2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe
2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe
2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe
2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe
2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
29	discord.com
30	discord.com
31	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
4684	cmd.exe
1176	ARP.EXE

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
3236	tasklist.exe
4004	tasklist.exe
5024	tasklist.exe
2160	tasklist.exe
1640	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
760	cmd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023cd2-46.dat	upx
behavioral2/memory/2288-50-0x00007FF9E8BB0000-0x00007FF9E9197000-memory.dmp	upx
behavioral2/files/0x0007000000023cb5-52.dat	upx
behavioral2/files/0x0007000000023ccc-57.dat	upx
behavioral2/memory/2288-60-0x00007FF9FF750000-0x00007FF9FF75F000-memory.dmp	upx
behavioral2/memory/2288-59-0x00007FF9FF760000-0x00007FF9FF784000-memory.dmp	upx
behavioral2/files/0x0007000000023cbc-61.dat	upx
behavioral2/files/0x0007000000023cd3-65.dat	upx
behavioral2/memory/2288-66-0x00007FF9FF740000-0x00007FF9FF74D000-memory.dmp	upx
behavioral2/memory/2288-64-0x00007FF9FD160000-0x00007FF9FD179000-memory.dmp	upx
behavioral2/files/0x0007000000023cb3-68.dat	upx
behavioral2/files/0x0007000000023cb8-71.dat	upx
behavioral2/files/0x0007000000023cbd-74.dat	upx
behavioral2/files/0x0007000000023cd4-75.dat	upx
behavioral2/memory/2288-76-0x00007FF9F8320000-0x00007FF9F8343000-memory.dmp	upx
behavioral2/memory/2288-73-0x00007FF9F8640000-0x00007FF9F866D000-memory.dmp	upx
behavioral2/memory/2288-78-0x00007FF9F7C60000-0x00007FF9F7DD3000-memory.dmp	upx
behavioral2/memory/2288-70-0x00007FF9FB7C0000-0x00007FF9FB7D9000-memory.dmp	upx
behavioral2/files/0x0007000000023cbe-80.dat	upx
behavioral2/files/0x0007000000023ccb-81.dat	upx
behavioral2/memory/2288-87-0x00007FF9F8230000-0x00007FF9F825E000-memory.dmp	upx
behavioral2/memory/2288-86-0x00007FF9E8BB0000-0x00007FF9E9197000-memory.dmp	upx
behavioral2/memory/2288-90-0x00007FF9F7790000-0x00007FF9F7848000-memory.dmp	upx
behavioral2/memory/2288-88-0x00007FF9E8830000-0x00007FF9E8BA5000-memory.dmp	upx
behavioral2/files/0x0007000000023ccd-83.dat	upx
behavioral2/memory/2288-94-0x00007FF9F86E0000-0x00007FF9F86F5000-memory.dmp	upx
behavioral2/memory/2288-93-0x00007FF9FF760000-0x00007FF9FF784000-memory.dmp	upx
behavioral2/files/0x0007000000023cba-95.dat	upx
behavioral2/files/0x0007000000023ccf-99.dat	upx
behavioral2/files/0x0007000000023cb7-103.dat	upx
behavioral2/files/0x0007000000023cd5-106.dat	upx
behavioral2/memory/2288-105-0x00007FF9F8210000-0x00007FF9F8224000-memory.dmp	upx
behavioral2/files/0x0007000000023cd7-109.dat	upx
behavioral2/memory/2288-111-0x00007FF9F81E0000-0x00007FF9F8202000-memory.dmp	upx
behavioral2/memory/2288-110-0x00007FF9F7FC0000-0x00007FF9F80DC000-memory.dmp	upx
behavioral2/memory/2288-104-0x00007FF9FF740000-0x00007FF9FF74D000-memory.dmp	upx
behavioral2/memory/2288-102-0x00007FF9F8300000-0x00007FF9F8314000-memory.dmp	upx
behavioral2/memory/2288-101-0x00007FF9FD160000-0x00007FF9FD179000-memory.dmp	upx
behavioral2/memory/2288-98-0x00007FF9F8620000-0x00007FF9F8632000-memory.dmp	upx
behavioral2/files/0x0007000000023cb2-92.dat	upx
behavioral2/files/0x0007000000023cc1-112.dat	upx
behavioral2/memory/2288-115-0x00007FF9F81C0000-0x00007FF9F81D7000-memory.dmp	upx
behavioral2/files/0x0007000000023cc3-116.dat	upx
behavioral2/files/0x0007000000023cc4-122.dat	upx
behavioral2/memory/2288-124-0x00007FF9E8830000-0x00007FF9E8BA5000-memory.dmp	upx
behavioral2/files/0x0007000000023cbf-126.dat	upx
behavioral2/memory/2288-132-0x00007FF9FC4F0000-0x00007FF9FC4FA000-memory.dmp	upx
behavioral2/files/0x0007000000023cca-127.dat	upx
behavioral2/memory/2288-136-0x00007FF9F7E90000-0x00007FF9F7EAE000-memory.dmp	upx
behavioral2/files/0x0007000000023cc8-137.dat	upx
behavioral2/memory/2288-135-0x00007FF9F86E0000-0x00007FF9F86F5000-memory.dmp	upx
behavioral2/memory/2288-138-0x00007FF9E7900000-0x00007FF9E7FF4000-memory.dmp	upx
behavioral2/memory/2288-131-0x00007FF9F7F80000-0x00007FF9F7F91000-memory.dmp	upx
behavioral2/files/0x0007000000023cb4-140.dat	upx
behavioral2/memory/2288-130-0x00007FF9F7790000-0x00007FF9F7848000-memory.dmp	upx
behavioral2/memory/2288-141-0x00007FF9F76E0000-0x00007FF9F7718000-memory.dmp	upx
behavioral2/memory/2288-129-0x00007FF9F7EB0000-0x00007FF9F7EFD000-memory.dmp	upx
behavioral2/memory/2288-121-0x00007FF9F8230000-0x00007FF9F825E000-memory.dmp	upx
behavioral2/files/0x0007000000023cc2-120.dat	upx
behavioral2/memory/2288-119-0x00007FF9F7FA0000-0x00007FF9F7FB9000-memory.dmp	upx
behavioral2/memory/2288-114-0x00007FF9F8320000-0x00007FF9F8343000-memory.dmp	upx
behavioral2/memory/2288-147-0x00007FF9F7FC0000-0x00007FF9F80DC000-memory.dmp	upx
behavioral2/memory/2288-193-0x00007FF9F8190000-0x00007FF9F819D000-memory.dmp	upx
behavioral2/memory/2288-192-0x00007FF9F81E0000-0x00007FF9F8202000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1316	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0007000000023ceb-154.dat	pyinstaller

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1272	cmd.exe
1356	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
3432	NETSTAT.EXE

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
2212	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1712	WMIC.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2024	ipconfig.exe
3432	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4840	systeminfo.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1916	powershell.exe
1916	powershell.exe
1916	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3356	WMIC.exe
Token: SeSecurityPrivilege	3356	WMIC.exe
Token: SeTakeOwnershipPrivilege	3356	WMIC.exe
Token: SeLoadDriverPrivilege	3356	WMIC.exe
Token: SeSystemProfilePrivilege	3356	WMIC.exe
Token: SeSystemtimePrivilege	3356	WMIC.exe
Token: SeProfSingleProcessPrivilege	3356	WMIC.exe
Token: SeIncBasePriorityPrivilege	3356	WMIC.exe
Token: SeCreatePagefilePrivilege	3356	WMIC.exe
Token: SeBackupPrivilege	3356	WMIC.exe
Token: SeRestorePrivilege	3356	WMIC.exe
Token: SeShutdownPrivilege	3356	WMIC.exe
Token: SeDebugPrivilege	3356	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3356	WMIC.exe
Token: SeRemoteShutdownPrivilege	3356	WMIC.exe
Token: SeUndockPrivilege	3356	WMIC.exe
Token: SeManageVolumePrivilege	3356	WMIC.exe
Token: 33	3356	WMIC.exe
Token: 34	3356	WMIC.exe
Token: 35	3356	WMIC.exe
Token: 36	3356	WMIC.exe
Token: SeDebugPrivilege	1640	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1712	WMIC.exe
Token: SeSecurityPrivilege	1712	WMIC.exe
Token: SeTakeOwnershipPrivilege	1712	WMIC.exe
Token: SeLoadDriverPrivilege	1712	WMIC.exe
Token: SeSystemProfilePrivilege	1712	WMIC.exe
Token: SeSystemtimePrivilege	1712	WMIC.exe
Token: SeProfSingleProcessPrivilege	1712	WMIC.exe
Token: SeIncBasePriorityPrivilege	1712	WMIC.exe
Token: SeCreatePagefilePrivilege	1712	WMIC.exe
Token: SeBackupPrivilege	1712	WMIC.exe
Token: SeRestorePrivilege	1712	WMIC.exe
Token: SeShutdownPrivilege	1712	WMIC.exe
Token: SeDebugPrivilege	1712	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1712	WMIC.exe
Token: SeRemoteShutdownPrivilege	1712	WMIC.exe
Token: SeUndockPrivilege	1712	WMIC.exe
Token: SeManageVolumePrivilege	1712	WMIC.exe
Token: 33	1712	WMIC.exe
Token: 34	1712	WMIC.exe
Token: 35	1712	WMIC.exe
Token: 36	1712	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3356	WMIC.exe
Token: SeSecurityPrivilege	3356	WMIC.exe
Token: SeTakeOwnershipPrivilege	3356	WMIC.exe
Token: SeLoadDriverPrivilege	3356	WMIC.exe
Token: SeSystemProfilePrivilege	3356	WMIC.exe
Token: SeSystemtimePrivilege	3356	WMIC.exe
Token: SeProfSingleProcessPrivilege	3356	WMIC.exe
Token: SeIncBasePriorityPrivilege	3356	WMIC.exe
Token: SeCreatePagefilePrivilege	3356	WMIC.exe
Token: SeBackupPrivilege	3356	WMIC.exe
Token: SeRestorePrivilege	3356	WMIC.exe
Token: SeShutdownPrivilege	3356	WMIC.exe
Token: SeDebugPrivilege	3356	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3356	WMIC.exe
Token: SeRemoteShutdownPrivilege	3356	WMIC.exe
Token: SeUndockPrivilege	3356	WMIC.exe
Token: SeManageVolumePrivilege	3356	WMIC.exe
Token: 33	3356	WMIC.exe
Token: 34	3356	WMIC.exe
Token: 35	3356	WMIC.exe
Token: 36	3356	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1080 wrote to memory of 2288	1080	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe	86
PID 1080 wrote to memory of 2288	1080	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe	86
PID 2288 wrote to memory of 4676	2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe	87
PID 2288 wrote to memory of 4676	2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe	87
PID 2288 wrote to memory of 4868	2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe	92
PID 2288 wrote to memory of 4868	2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe	92
PID 2288 wrote to memory of 1956	2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe	93
PID 2288 wrote to memory of 1956	2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe	93
PID 2288 wrote to memory of 4840	2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe	140
PID 2288 wrote to memory of 4840	2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe	140
PID 2288 wrote to memory of 3032	2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe	95
PID 2288 wrote to memory of 3032	2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe	95
PID 1956 wrote to memory of 3356	1956	cmd.exe	100
PID 1956 wrote to memory of 3356	1956	cmd.exe	100
PID 3032 wrote to memory of 1640	3032	cmd.exe	101
PID 3032 wrote to memory of 1640	3032	cmd.exe	101
PID 4868 wrote to memory of 1712	4868	cmd.exe	102
PID 4868 wrote to memory of 1712	4868	cmd.exe	102
PID 2288 wrote to memory of 1936	2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe	104
PID 2288 wrote to memory of 1936	2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe	104
PID 1936 wrote to memory of 456	1936	cmd.exe	106
PID 1936 wrote to memory of 456	1936	cmd.exe	106
PID 2288 wrote to memory of 4468	2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe	107
PID 2288 wrote to memory of 4468	2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe	107
PID 2288 wrote to memory of 4820	2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe	145
PID 2288 wrote to memory of 4820	2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe	145
PID 4820 wrote to memory of 3236	4820	cmd.exe	111
PID 4820 wrote to memory of 3236	4820	cmd.exe	111
PID 4468 wrote to memory of 4876	4468	cmd.exe	112
PID 4468 wrote to memory of 4876	4468	cmd.exe	112
PID 2288 wrote to memory of 760	2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe	146
PID 2288 wrote to memory of 760	2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe	146
PID 760 wrote to memory of 4512	760	cmd.exe	115
PID 760 wrote to memory of 4512	760	cmd.exe	115
PID 2288 wrote to memory of 1492	2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe	158
PID 2288 wrote to memory of 1492	2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe	158
PID 2288 wrote to memory of 4532	2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe	117
PID 2288 wrote to memory of 4532	2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe	117
PID 1492 wrote to memory of 2780	1492	cmd.exe	120
PID 1492 wrote to memory of 2780	1492	cmd.exe	120
PID 4532 wrote to memory of 4004	4532	cmd.exe	121
PID 4532 wrote to memory of 4004	4532	cmd.exe	121
PID 2288 wrote to memory of 3640	2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe	122
PID 2288 wrote to memory of 3640	2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe	122
PID 2288 wrote to memory of 4460	2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe	123
PID 2288 wrote to memory of 4460	2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe	123
PID 2288 wrote to memory of 4236	2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe	124
PID 2288 wrote to memory of 4236	2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe	124
PID 2288 wrote to memory of 1608	2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe	126
PID 2288 wrote to memory of 1608	2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe	126
PID 4460 wrote to memory of 2160	4460	cmd.exe	162
PID 4460 wrote to memory of 2160	4460	cmd.exe	162
PID 3640 wrote to memory of 3004	3640	cmd.exe	131
PID 3640 wrote to memory of 3004	3640	cmd.exe	131
PID 1608 wrote to memory of 1916	1608	cmd.exe	132
PID 1608 wrote to memory of 1916	1608	cmd.exe	132
PID 3004 wrote to memory of 1316	3004	cmd.exe	167
PID 3004 wrote to memory of 1316	3004	cmd.exe	167
PID 2160 wrote to memory of 4580	2160	cmd.exe	134
PID 2160 wrote to memory of 4580	2160	cmd.exe	134
PID 4236 wrote to memory of 5024	4236	cmd.exe	135
PID 4236 wrote to memory of 5024	4236	cmd.exe	135
PID 2288 wrote to memory of 4684	2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe	136
PID 2288 wrote to memory of 4684	2288	6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe	136

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4512	attrib.exe

C:\Users\Admin\AppData\Local\Temp\6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe
"C:\Users\Admin\AppData\Local\Temp\6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1080
- C:\Users\Admin\AppData\Local\Temp\6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe
  "C:\Users\Admin\AppData\Local\Temp\6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:4676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4868
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:1712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1956
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:4840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1936
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      PID:456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4468
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4820
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:3236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:760
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Views/modifies file attributes
      PID:4512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1492
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:2780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4532
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:4004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3640
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3004
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:1316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4460
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2160
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:4580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4236
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5024
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:1608
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:1916
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    PID:4684
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4840
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:4064
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      PID:2212
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:4924
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:4424
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:1376
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:1072
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:528
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:2448
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:2284
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:1500
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:3136
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:1492
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:2320
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:4300
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:2904
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:2160
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:2024
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:3852
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:1176
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:3432
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:1316
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:884
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1272
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1848
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4204
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3040

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
1⤵
PID:4820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
1⤵
PID:760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe

Filesize
11.1MB

MD5
28b40022d29441c18d99e53ab64c5bd1

SHA1
b368059d622f01825857d35fc91224087dd04faa

SHA256
6999c181cd66d568c3c58020a7b616b0bc7c35bb5e2c467f2eced88a458d7a1d

SHA512
78101e5e1b9ff327f79d81a7fbe78a0fbc853b62ec8f5875866cb9c33b3bc5ae0f264f8ad5e31ccfdf5810a03b6dcc5c64ee390b5be7a6ab6887e613f2ee8101

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\_asyncio.pyd

Filesize
34KB

MD5
7aba633225a9efe918d40c803f580a86

SHA1
bcf944b4ab962ca289bfaa354e5a5834a7d6ea5a

SHA256
23af66f34c12c9148f4a55c034fe1a36641b6ff2288ca385d03a369be053f699

SHA512
4ecb14cb1a6547d45dd6c3f3feea68b56829c1bf3f2413f5256669ed2cce8068f4df46615880ab9c7f3c02e9507f7f0c13f92c366ac385cce8aac50ca971f88e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\_bz2.pyd

Filesize
46KB

MD5
13ca9d614b2fad14df6dae63f09a7f1d

SHA1
47bb6802dc8ea1f668eecebafa2aa89f7c560b7d

SHA256
f3c03bf8167a038c769b7e4138c7317ab6abbc3dffca5cf68837e16946fe4e3f

SHA512
bba4d0ef66101dbf6335d814ae0cc4fe33fc2db015753bacd02cfa251ff56a57fc60b72ee01e7989b7f65b97fd2bfa573c5a20f15b0d408f072252ae3ad77ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\_cffi_backend.cp311-win_amd64.pyd

Filesize
71KB

MD5
988a1b64ad3b6aa856784996d6b27c6c

SHA1
c680f882b875e208b47607164a54bf95ebecd0aa

SHA256
d4b629d5a24574399bfec29db0aa20f35c81338596ada10a0896e75ffdcfd9a8

SHA512
87c3a7bd449a4e144b90d428b19a5d9c4a8ae7f0f68e262dd82bc49fa5fc38ef34268f407d7ccd00f1009fb75dde8d9bf97afdcf39d98f4b19019c6d8f5a14e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\_ctypes.pyd

Filesize
57KB

MD5
4aab5887ebdd7f0031f4635c6941b2ad

SHA1
88979cc0cbb1d592cd7f67c03207b3ed9f78721b

SHA256
4c09339cd35518c312861a93a8854f128472e894e22d08dfb9719b8fdbf21e02

SHA512
82d39c716f0ac82c55ebd8cda44aaa4668a9c1425287023c45baf7bfe85367d44b71d2641da18561d43ab2c73f909a91dd39009794d094f15600ec05e301db2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\_hashlib.pyd

Filesize
33KB

MD5
d41dc04ffef63a0de45fe243eefca746

SHA1
1e44b3fa201f04b0349a73bcf3bc6a5ae3738cfe

SHA256
d7ba8112b69683027eb03ec07aebadf6687d9a52bc82156b22a2cae176c08185

SHA512
b65f3c7c280ece3521525530cc9e591185dfa91b164804e3a6967e6041140b9aa7753b575ce96b01c9ae7cb03e64850a7e4c6d6df22d81d84dbeb00af71748f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\_lzma.pyd

Filesize
84KB

MD5
17b991325312d7cf2a693258260586eb

SHA1
28b8bd9250c35b579b599c5f41d95a5245486d4c

SHA256
fa5b4120fabd142abec01d2e1b8d2931c566f7034e339023f19453c1ce032ea3

SHA512
87b312c66916f2ffa84df26cb47dadd590b80d09768b76fe0cde5cd22c599179649bd22d619403ebac4f3c87371c0e0f1e2a2987f00d857dfcc6ebfdaabe36df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\_overlapped.pyd

Filesize
30KB

MD5
6d42cb72bc132a066d2ee369e98092f3

SHA1
7273625e339cffb842d6b86c7605fb01a62a1700

SHA256
2134a894e66cd459bbe27008f35b821508003c38c4e4f2f3be34c586973ca936

SHA512
f7b6dfc3aa087cd6ffff86d05b0d35cbb69b41fdad71c046d653f61ca222f3b6fbe283c4fc5868560d7879a4eb67ae9f8996efb4de2b7b92e40544578b5065f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\_queue.pyd

Filesize
24KB

MD5
c95b814dfb4df76581ffb9b94f9e4971

SHA1
756d3f30dc795bccf3f84dc69409c6b988a0c5b2

SHA256
d62ce06044705dc09ab31719b086a93a951c06f2d3768f6047f1134bd8861f5a

SHA512
3a5dad81043e9b1991b9621e742a36254d2712f7ae77483b73f3e67cbe8050bcbee2d985bf78534807a268dab61e2758170d8b431ca1e33bb7895d2c08d348a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\_socket.pyd

Filesize
41KB

MD5
0a69997bc03a986bc7d75c60006945d8

SHA1
0786395d697bdaed9333c7ce038f523aa73a2646

SHA256
3798453f4d01c98253f8ee2305711375c55fc1b1388afd5c4b21342eb3979ba1

SHA512
2eeb383f7087a1ae1069b74e78ede4ed99647973c3ff2312a1e41245bb7f3ede13d7545a3f4288687717058ce7eea62eb88297e697932863363c141be8e32ac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\_sqlite3.pyd

Filesize
54KB

MD5
56ff4b8b3d857f50669453bbb5c97781

SHA1
6d002a8f3f0d89ba577f351b7389ca6817494302

SHA256
d6cf90759d53e6dc909e5a70dae6a6e62721440488b0016ce2e65225b1a46582

SHA512
d04b643e71c1dddf739c34706fd862b78e2fd7ef158d69aea7a652e6d94158c6297713301b5169994ba1b1554419485925f1e5e48104eadf7628f299ccaea090

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\_ssl.pyd

Filesize
60KB

MD5
8c44f81c7fd61d1f8209c8311a97ee28

SHA1
df1916c936d54cf52e50ab7288bc81bbfeff95e4

SHA256
3be13390721bd3f985a4bee28aabfa18c26c6467585021f9d64d091374bf2982

SHA512
e55ccdb2e1dc3300caa3509f7968f6489d674c2a109241aebcf128008c0c502e3ef32f4f7e9900ee98aed16aec8ea771a251be6244655f3213bd135fa6227223

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\_uuid.pyd

Filesize
21KB

MD5
5c27cd798a3bdd169f876f846170a0ac

SHA1
4afbfe633e847544b9648a53134cc29ed1784d8b

SHA256
6fdfa272c94e606ab0133b6d9d465d648a31bf72b67101ee4ba001714f6631ec

SHA512
b683b092571aa01596269ecebc6eb8f68c0027f58ab9984182354ca2ed7df09e0a58c76fe37715bf6275c5c847a9b0524b4a95f70871ec958ca3df4b957c978c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\aiohttp\_helpers.cp311-win_amd64.pyd

Filesize
26KB

MD5
b49608e12a3f68c1584d10a76c48d4ed

SHA1
ba01d8d1c5e19c6ab550e1e86b4e14483335d4de

SHA256
16248d5f337acb7fb3a713952ad355b62e2b81870d2121ad10d156e2db83197b

SHA512
a3c1bd06b58453129c6e9b4fba9934a3484812083d95ae26287ef7e8cc346eba6a5fe7d9bb285fe3d2a0fa15630bbc224317d8372c7b1bb5045532c181e2dc46

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\aiohttp\_http_parser.cp311-win_amd64.pyd

Filesize
80KB

MD5
f9ed4c075b768652b231f094829def04

SHA1
40fecb53184f7941d9bafa20cf4f9741b10147aa

SHA256
ece6529b53f6839a5725868da5f82e00f08da08b6c649cedded89b8faedd96ae

SHA512
c0eb174f0426133d1f0270e3f36663d98702b73872430a3638b31997d8e91c05c41a0df846ca0e1b5c2679a8c6c79bd155c2d9794dc0fe41a0d1ee7f8a809f5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\aiohttp\_http_writer.cp311-win_amd64.pyd

Filesize
24KB

MD5
3118914d29786e0247f1c528507cc4e6

SHA1
7ce6a43d9770762ff2cff1c7866a1ef8e1c94089

SHA256
454d73a55843e8242224391a0bbc210434cf4ecba23ba1ba6415a9fce997115a

SHA512
13987cc529309580adafa56c91d9297f162c9cf696c626571223d810ac2487c39b6a50fa5afb8df386438b4ff0d87ad1f00b3e8f116863296642611fb0a3d4e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\aiohttp\_websocket.cp311-win_amd64.pyd

Filesize
19KB

MD5
66d90563f45f50368cfe8095a0e7c3e3

SHA1
f9db82759d4abfc82dce0576ac4a5668ebde69a7

SHA256
33c224f02b172bb3c5a9e501560d205b5c14b279cd2c511fdc46550d2f517976

SHA512
bd77fcafdb8a03113d182a6fc7cb96197e4a5e6aeee975883d488ba0e20e709d9b625d274e4596b96ec7cd33901c940a66fc2c0e1e427c2b8cb93511f0ba980e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\base_library.zip

Filesize
1.7MB

MD5
334e5d6e591eccd91d2121194db22815

SHA1
821d70c44dc7f25a784e9938d74e75a3471e1ad0

SHA256
9e830533f6e67b84d9dbc502db38a6f25d3c984f1a6a195a50f838d48d5b3ba5

SHA512
bac4a1283745e5eb4db953227bbf00831c8a0c3c831f5889e0d0630841e59c8ad96c3386ce3ad48300f4754fde188212edc79b78c9c98f76bca21987c1c05866

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\cryptography\hazmat\bindings\_rust.pyd

Filesize
2.0MB

MD5
6c63db65af4dfa891a8cb9dac7207c08

SHA1
f52a68e0fd609b0b81cc7ab68c5b86de192ff0ff

SHA256
09b758ac4233114ddff0c47bb6f74702183eee7e92f1b8f320f35c9cf8254150

SHA512
f10c454230697d678ddde0bef906a2a66ace0b5cb529a2fd4997f9230e13496296394b39a10cdf52f5efe020cec607bbdd3d72a1edc369e2ce9119fe5fb161c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\frozenlist\_frozenlist.cp311-win_amd64.pyd

Filesize
35KB

MD5
e1071be0938855e1651fcf6faa03f1bf

SHA1
2c6fbb2d7d695029883ddf6fad14f3e640d320cf

SHA256
319d49c4dce4fa20f120aefbbde1bef3383ab3ba60d8da9afb48b87fddde3361

SHA512
b1976fb8550ccfe52bf7db752e0f650858be41df9d40bd36fe2d8fe7e555cefa78cef865f6314a0f62bd54cd4e0369dda7499a9284305b1436791be95d299f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\libcrypto-1_1.dll

Filesize
1.1MB

MD5
27de3adb1aa7b1ff0067d89a845c0c82

SHA1
7a384a012c1735ad6888085ebdc5e22b77415e66

SHA256
ceb845924d20130a3f6f146c760c5c6865c671ca8ac8b0c69082bc5c02c6b8dc

SHA512
4477af703c645a6f9df898e96c15a1a264b7611073f0cb3e26bcdcc526147c851ea78bb968447c45c47fda81ba23c652a62da5e46fba5798ba5b5924a76be5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\libffi-8.dll

Filesize
24KB

MD5
8c3dfeb336b269a16912185fec18560a

SHA1
809f6454a7d1ae80bf503ca50a3400cf7162706c

SHA256
92038b9c69411bc4e32fbb7c0c995688261382066d40be1b3d19d15fe2c78587

SHA512
ee7515332aaf12feedd0b906e0d5f73cb076093ffd39ed90ce5545069acb737049f95733fe18e84fb04777d9895bded04038710832f6810cc0efa77e14879e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\libssl-1_1.dll

Filesize
203KB

MD5
b782398ddafd39b3dd9aa6159a4c560d

SHA1
8531c0e6b40895789f74f46441b1c62a4ad90f62

SHA256
416a018f4065f9c243b75971c8bbfd2e1e89aef0e20ffc61c131b96503a0037a

SHA512
3785e2de21a942b239f05fc3f6972836c9445d00420dbcfbdcec2b543e32b6b197ff7d2812dc3943ea849d26b00bd1a0ab97845fd05c81f73b77e84e722a857e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\multidict\_multidict.cp311-win_amd64.pyd

Filesize
20KB

MD5
025b9e660270df93a0197dde5afbc6fa

SHA1
487bb4bc3583e94a466d27f98a3728772e9cf17d

SHA256
30cb3487d462b9c86ff46c0e476d4def11a1a728c6f3d4ef24b5e2b0fe608d65

SHA512
09c8c5b5041bc923a623c3f770f5ab33c7a0fd9c083e33ccc1b00eb9c629ad610f0c27b5f1b03994286847e32fbd505d381aa0c64fa2fa96e6244020803d374f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\python3.DLL

Filesize
64KB

MD5
34e49bb1dfddf6037f0001d9aefe7d61

SHA1
a25a39dca11cdc195c9ecd49e95657a3e4fe3215

SHA256
4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281

SHA512
edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\python311.dll

Filesize
1.6MB

MD5
bd98d92c8c8b8c5983ef725a9bc953a9

SHA1
1ad5435b23116ad85a55a55754c42bb788c36388

SHA256
e41f2d9e02e8498ec53f8286e86011c75e9da0f6b24b2d9979e6e5726ef28913

SHA512
48fa76a57c12088d3e24b56e1ace114f028aac5ae383f7810b02dce2768820a7190fc1cc3fd4684a2f06e98c1ccc0641a3f1906e992d7a5736194989c072959e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\select.pyd

Filesize
24KB

MD5
51dbde6a032c1cb33fe0867c74a214d8

SHA1
435cf4a6eb85973d536deac09ace2d086ed62eee

SHA256
8231b643a70605bb0127093a81b637ecae3628b3f4515ea3623af1ebd9988811

SHA512
71fa7471cebea3b50e85b9b87c2e655b653a90b2277218efa277facbf052b638db8149adfb869d845f1214ed8c951dc724af972bc3e4bee6bd2656698ed58887

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\sqlite3.dll

Filesize
608KB

MD5
8eef4e258e9eac8803b00a8b8862cf1f

SHA1
9cd6cc933070dbf7cb4acb17f117968450fcfd0d

SHA256
b0546222f0e1002773086118aee36743de4379bdd0d983db32091c814298a2ee

SHA512
77682ede590f1fced245cf1baeaa1b8108411385d2dd1a7aa62702791eb8dc59b27f45b1899ce20284fe7ebca8d19e5cd3b6f642763ffab1fe8b05fb1817798e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\unicodedata.pyd

Filesize
293KB

MD5
298d946d3b6602290dea169a5abdc8e1

SHA1
0edef75f214b978b0181b9bb0de19d6f340d176b

SHA256
b04ea233b5688f11cc967b747eb8e26e4fce48f31534fdbf8b5fee472c518dd2

SHA512
9e93147f082d4fcb15be384244a0f490137d4fc616c98c9f4a17d6989559436da6bf12010e2571317067e2c10a341f1fca00a170e294f9c5d519e03fb92a4b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10802\yarl\_quoting_c.cp311-win_amd64.pyd

Filesize
40KB

MD5
72c9f075649f274214a8abaccf17b2a1

SHA1
cb93eec3b632f7b150fa82eb5e4340175629ff02

SHA256
b75cc24aca7c33e0b04d896b99e33ff0c01781bdfe91739e001b7e3d14573b8c

SHA512
07568c2a42fd53f991a94158e285cb01055ebacff95c66000b790b474f7a472ab001c91bc315f1ef047aaa67fa1b6654d31be1f6ed3bc34c5c839eaa741f904b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_binf3v3o.i3z.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1916-201-0x000001BF7E400000-0x000001BF7E422000-memory.dmp

Filesize
136KB

Download
memory/2288-87-0x00007FF9F8230000-0x00007FF9F825E000-memory.dmp

Filesize
184KB

Download
memory/2288-114-0x00007FF9F8320000-0x00007FF9F8343000-memory.dmp

Filesize
140KB

Download
memory/2288-93-0x00007FF9FF760000-0x00007FF9FF784000-memory.dmp

Filesize
144KB

Download
memory/2288-111-0x00007FF9F81E0000-0x00007FF9F8202000-memory.dmp

Filesize
136KB

Download
memory/2288-110-0x00007FF9F7FC0000-0x00007FF9F80DC000-memory.dmp

Filesize
1.1MB

Download
memory/2288-104-0x00007FF9FF740000-0x00007FF9FF74D000-memory.dmp

Filesize
52KB

Download
memory/2288-102-0x00007FF9F8300000-0x00007FF9F8314000-memory.dmp

Filesize
80KB

Download
memory/2288-101-0x00007FF9FD160000-0x00007FF9FD179000-memory.dmp

Filesize
100KB

Download
memory/2288-98-0x00007FF9F8620000-0x00007FF9F8632000-memory.dmp

Filesize
72KB

Download
memory/2288-94-0x00007FF9F86E0000-0x00007FF9F86F5000-memory.dmp

Filesize
84KB

Download
memory/2288-88-0x00007FF9E8830000-0x00007FF9E8BA5000-memory.dmp

Filesize
3.5MB

Download
memory/2288-115-0x00007FF9F81C0000-0x00007FF9F81D7000-memory.dmp

Filesize
92KB

Download
memory/2288-89-0x00000247B2D40000-0x00000247B30B5000-memory.dmp

Filesize
3.5MB

Download
memory/2288-90-0x00007FF9F7790000-0x00007FF9F7848000-memory.dmp

Filesize
736KB

Download
memory/2288-124-0x00007FF9E8830000-0x00007FF9E8BA5000-memory.dmp

Filesize
3.5MB

Download
memory/2288-86-0x00007FF9E8BB0000-0x00007FF9E9197000-memory.dmp

Filesize
5.9MB

Download
memory/2288-132-0x00007FF9FC4F0000-0x00007FF9FC4FA000-memory.dmp

Filesize
40KB

Download
memory/2288-70-0x00007FF9FB7C0000-0x00007FF9FB7D9000-memory.dmp

Filesize
100KB

Download
memory/2288-136-0x00007FF9F7E90000-0x00007FF9F7EAE000-memory.dmp

Filesize
120KB

Download
memory/2288-78-0x00007FF9F7C60000-0x00007FF9F7DD3000-memory.dmp

Filesize
1.4MB

Download
memory/2288-135-0x00007FF9F86E0000-0x00007FF9F86F5000-memory.dmp

Filesize
84KB

Download
memory/2288-138-0x00007FF9E7900000-0x00007FF9E7FF4000-memory.dmp

Filesize
7.0MB

Download
memory/2288-131-0x00007FF9F7F80000-0x00007FF9F7F91000-memory.dmp

Filesize
68KB

Download
memory/2288-73-0x00007FF9F8640000-0x00007FF9F866D000-memory.dmp

Filesize
180KB

Download
memory/2288-130-0x00007FF9F7790000-0x00007FF9F7848000-memory.dmp

Filesize
736KB

Download
memory/2288-141-0x00007FF9F76E0000-0x00007FF9F7718000-memory.dmp

Filesize
224KB

Download
memory/2288-129-0x00007FF9F7EB0000-0x00007FF9F7EFD000-memory.dmp

Filesize
308KB

Download
memory/2288-128-0x00000247B2D40000-0x00000247B30B5000-memory.dmp

Filesize
3.5MB

Download
memory/2288-121-0x00007FF9F8230000-0x00007FF9F825E000-memory.dmp

Filesize
184KB

Download
memory/2288-76-0x00007FF9F8320000-0x00007FF9F8343000-memory.dmp

Filesize
140KB

Download
memory/2288-119-0x00007FF9F7FA0000-0x00007FF9F7FB9000-memory.dmp

Filesize
100KB

Download
memory/2288-105-0x00007FF9F8210000-0x00007FF9F8224000-memory.dmp

Filesize
80KB

Download
memory/2288-147-0x00007FF9F7FC0000-0x00007FF9F80DC000-memory.dmp

Filesize
1.1MB

Download
memory/2288-64-0x00007FF9FD160000-0x00007FF9FD179000-memory.dmp

Filesize
100KB

Download
memory/2288-193-0x00007FF9F8190000-0x00007FF9F819D000-memory.dmp

Filesize
52KB

Download
memory/2288-192-0x00007FF9F81E0000-0x00007FF9F8202000-memory.dmp

Filesize
136KB

Download
memory/2288-66-0x00007FF9FF740000-0x00007FF9FF74D000-memory.dmp

Filesize
52KB

Download
memory/2288-59-0x00007FF9FF760000-0x00007FF9FF784000-memory.dmp

Filesize
144KB

Download
memory/2288-60-0x00007FF9FF750000-0x00007FF9FF75F000-memory.dmp

Filesize
60KB

Download
memory/2288-210-0x00007FF9F81C0000-0x00007FF9F81D7000-memory.dmp

Filesize
92KB

Download
memory/2288-211-0x00007FF9F7FA0000-0x00007FF9F7FB9000-memory.dmp

Filesize
100KB

Download
memory/2288-212-0x00007FF9F7EB0000-0x00007FF9F7EFD000-memory.dmp

Filesize
308KB

Download
memory/2288-50-0x00007FF9E8BB0000-0x00007FF9E9197000-memory.dmp

Filesize
5.9MB

Download
memory/2288-244-0x00007FF9F76E0000-0x00007FF9F7718000-memory.dmp

Filesize
224KB

Download
memory/2288-245-0x00007FF9F8190000-0x00007FF9F819D000-memory.dmp

Filesize
52KB

Download
memory/2288-237-0x00007FF9F81C0000-0x00007FF9F81D7000-memory.dmp

Filesize
92KB

Download
memory/2288-236-0x00007FF9F81E0000-0x00007FF9F8202000-memory.dmp

Filesize
136KB

Download
memory/2288-232-0x00007FF9F8620000-0x00007FF9F8632000-memory.dmp

Filesize
72KB

Download
memory/2288-231-0x00007FF9F86E0000-0x00007FF9F86F5000-memory.dmp

Filesize
84KB

Download
memory/2288-227-0x00007FF9F7C60000-0x00007FF9F7DD3000-memory.dmp

Filesize
1.4MB

Download
memory/2288-220-0x00007FF9FF760000-0x00007FF9FF784000-memory.dmp

Filesize
144KB

Download
memory/2288-218-0x00007FF9E7900000-0x00007FF9E7FF4000-memory.dmp

Filesize
7.0MB

Download
memory/2288-219-0x00007FF9E8BB0000-0x00007FF9E9197000-memory.dmp

Filesize
5.9MB

Download
memory/2288-264-0x00007FF9E8830000-0x00007FF9E8BA5000-memory.dmp

Filesize
3.5MB

Download
memory/2288-272-0x00007FF9F7FA0000-0x00007FF9F7FB9000-memory.dmp

Filesize
100KB

Download
memory/2288-270-0x00007FF9F81E0000-0x00007FF9F8202000-memory.dmp

Filesize
136KB

Download
memory/2288-263-0x00007FF9F7790000-0x00007FF9F7848000-memory.dmp

Filesize
736KB

Download
memory/2288-253-0x00007FF9E8BB0000-0x00007FF9E9197000-memory.dmp

Filesize
5.9MB

Download
memory/2288-265-0x00007FF9F86E0000-0x00007FF9F86F5000-memory.dmp

Filesize
84KB

Download
memory/2288-262-0x00007FF9F8230000-0x00007FF9F825E000-memory.dmp

Filesize
184KB

Download
memory/2288-280-0x00007FF9E8BB0000-0x00007FF9E9197000-memory.dmp

Filesize
5.9MB

Download