exelastealer | d13b50e2bcf90995477010372b0170eebb6830adcbc55e36d038a7286e329bbd

Analysis

max time kernel
138s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-11-2024 04:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup.exe
Size

9.8MB
MD5

4d563c46d8553f7d2b7551dd17541821
SHA1

53746b017cba01648f4efd81c620feab96c8316f
SHA256

d13b50e2bcf90995477010372b0170eebb6830adcbc55e36d038a7286e329bbd
SHA512

473a634d531b56018405d6648c9314f7d63dd9077ef51fdf3bb2c211aeed0cf7ef1851423d457be0188ddbfa40a8af8ba4a309dfe2eb595ac381e48da63865b4
SSDEEP

196608:14HuwpeVWzdppWh9ydVG9eNVYFJMIDJ+gsAGKpRRErxkYK:syyde98+Fqy+gsiREN

Score

10^/10

exelastealer collection defense_evasion discovery evasion persistence privilege_escalation pyinstaller spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4968	netsh.exe
4284	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4364	cmd.exe
216	powershell.exe

Loads dropped DLL 28 IoCs

pid	Process
4984	setup.exe
4984	setup.exe
4984	setup.exe
4984	setup.exe
4984	setup.exe
4984	setup.exe
4984	setup.exe
4984	setup.exe
4984	setup.exe
4984	setup.exe
4984	setup.exe
4984	setup.exe
4984	setup.exe
4984	setup.exe
4984	setup.exe
4984	setup.exe
4984	setup.exe
4984	setup.exe
4984	setup.exe
4984	setup.exe
4984	setup.exe
4984	setup.exe
4984	setup.exe
4984	setup.exe
4984	setup.exe
4984	setup.exe
4984	setup.exe
4984	setup.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
4628	cmd.exe
2516	ARP.EXE

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
1980	tasklist.exe
2736	tasklist.exe
3660	tasklist.exe
1100	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
740	cmd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023c95-48.dat	upx
behavioral2/memory/4984-52-0x00007FFA08400000-0x00007FFA0886E000-memory.dmp	upx
behavioral2/files/0x0007000000023c7d-54.dat	upx
behavioral2/files/0x0007000000023c8d-59.dat	upx
behavioral2/memory/4984-62-0x00007FFA1FB40000-0x00007FFA1FB4F000-memory.dmp	upx
behavioral2/memory/4984-61-0x00007FFA17F20000-0x00007FFA17F44000-memory.dmp	upx
behavioral2/files/0x0007000000023c84-63.dat	upx
behavioral2/memory/4984-66-0x00007FFA1F380000-0x00007FFA1F399000-memory.dmp	upx
behavioral2/files/0x0007000000023c96-65.dat	upx
behavioral2/memory/4984-68-0x00007FFA1D510000-0x00007FFA1D51D000-memory.dmp	upx
behavioral2/files/0x0007000000023c7b-69.dat	upx
behavioral2/memory/4984-71-0x00007FFA1C780000-0x00007FFA1C799000-memory.dmp	upx
behavioral2/files/0x0007000000023c80-72.dat	upx
behavioral2/memory/4984-74-0x00007FFA17EF0000-0x00007FFA17F1D000-memory.dmp	upx
behavioral2/files/0x0007000000023c85-75.dat	upx
behavioral2/memory/4984-78-0x00007FFA17ED0000-0x00007FFA17EEF000-memory.dmp	upx
behavioral2/files/0x0007000000023c97-77.dat	upx
behavioral2/memory/4984-80-0x00007FFA07E70000-0x00007FFA07FE1000-memory.dmp	upx
behavioral2/files/0x0007000000023c86-82.dat	upx
behavioral2/files/0x0007000000023c8e-84.dat	upx
behavioral2/files/0x0007000000023c8c-86.dat	upx
behavioral2/memory/4984-92-0x00007FFA17D10000-0x00007FFA17DC8000-memory.dmp	upx
behavioral2/memory/4984-91-0x00007FFA07AF0000-0x00007FFA07E65000-memory.dmp	upx
behavioral2/memory/4984-89-0x00007FFA17EA0000-0x00007FFA17ECE000-memory.dmp	upx
behavioral2/memory/4984-88-0x00007FFA08400000-0x00007FFA0886E000-memory.dmp	upx
behavioral2/files/0x0007000000023c79-93.dat	upx
behavioral2/memory/4984-96-0x00007FFA17C50000-0x00007FFA17C65000-memory.dmp	upx
behavioral2/files/0x0007000000023c82-95.dat	upx
behavioral2/files/0x0007000000023c90-99.dat	upx
behavioral2/memory/4984-98-0x00007FFA1D500000-0x00007FFA1D510000-memory.dmp	upx
behavioral2/memory/4984-101-0x00007FFA1F380000-0x00007FFA1F399000-memory.dmp	upx
behavioral2/files/0x0007000000023c7f-102.dat	upx
behavioral2/memory/4984-105-0x00007FFA17810000-0x00007FFA17824000-memory.dmp	upx
behavioral2/memory/4984-104-0x00007FFA179D0000-0x00007FFA179E4000-memory.dmp	upx
behavioral2/files/0x0007000000023c98-106.dat	upx
behavioral2/memory/4984-108-0x00007FFA1C780000-0x00007FFA1C799000-memory.dmp	upx
behavioral2/memory/4984-109-0x00007FFA172B0000-0x00007FFA173C8000-memory.dmp	upx
behavioral2/files/0x0007000000023c92-110.dat	upx
behavioral2/memory/4984-114-0x00007FFA176B0000-0x00007FFA176CB000-memory.dmp	upx
behavioral2/memory/4984-113-0x00007FFA17EF0000-0x00007FFA17F1D000-memory.dmp	upx
behavioral2/files/0x0007000000023c9a-112.dat	upx
behavioral2/memory/4984-117-0x00007FFA17680000-0x00007FFA176A2000-memory.dmp	upx
behavioral2/memory/4984-116-0x00007FFA17ED0000-0x00007FFA17EEF000-memory.dmp	upx
behavioral2/files/0x0007000000023c7a-118.dat	upx
behavioral2/memory/4984-123-0x00007FFA07540000-0x00007FFA0760F000-memory.dmp	upx
behavioral2/files/0x0007000000023c87-122.dat	upx
behavioral2/memory/4984-125-0x00007FFA17EA0000-0x00007FFA17ECE000-memory.dmp	upx
behavioral2/memory/4984-127-0x00007FFA1C830000-0x00007FFA1C83A000-memory.dmp	upx
behavioral2/files/0x0007000000023c8b-128.dat	upx
behavioral2/memory/4984-121-0x00007FFA07AF0000-0x00007FFA07E65000-memory.dmp	upx
behavioral2/memory/4984-120-0x00007FFA07E70000-0x00007FFA07FE1000-memory.dmp	upx
behavioral2/memory/4984-130-0x00007FFA17D10000-0x00007FFA17DC8000-memory.dmp	upx
behavioral2/memory/4984-131-0x00007FFA06DA0000-0x00007FFA0753A000-memory.dmp	upx
behavioral2/files/0x0007000000023c7c-132.dat	upx
behavioral2/memory/4984-135-0x00007FFA13650000-0x00007FFA13687000-memory.dmp	upx
behavioral2/memory/4984-134-0x00007FFA17C50000-0x00007FFA17C65000-memory.dmp	upx
behavioral2/files/0x0007000000023c83-177.dat	upx
behavioral2/memory/4984-179-0x00007FFA17C10000-0x00007FFA17C1D000-memory.dmp	upx
behavioral2/memory/4984-196-0x00007FFA17810000-0x00007FFA17824000-memory.dmp	upx
behavioral2/memory/4984-197-0x00007FFA172B0000-0x00007FFA173C8000-memory.dmp	upx
behavioral2/memory/4984-199-0x00007FFA176B0000-0x00007FFA176CB000-memory.dmp	upx
behavioral2/memory/4984-201-0x00007FFA17680000-0x00007FFA176A2000-memory.dmp	upx
behavioral2/files/0x0007000000023c93-210.dat	upx
behavioral2/files/0x0007000000023c7e-211.dat	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4988	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0007000000023cb7-142.dat	pyinstaller

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3144	cmd.exe
2912	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
3136	NETSTAT.EXE

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
4692	WMIC.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3136	NETSTAT.EXE
2360	ipconfig.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4504	systeminfo.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
216	powershell.exe
216	powershell.exe
216	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3132	WMIC.exe
Token: SeSecurityPrivilege	3132	WMIC.exe
Token: SeTakeOwnershipPrivilege	3132	WMIC.exe
Token: SeLoadDriverPrivilege	3132	WMIC.exe
Token: SeSystemProfilePrivilege	3132	WMIC.exe
Token: SeSystemtimePrivilege	3132	WMIC.exe
Token: SeProfSingleProcessPrivilege	3132	WMIC.exe
Token: SeIncBasePriorityPrivilege	3132	WMIC.exe
Token: SeCreatePagefilePrivilege	3132	WMIC.exe
Token: SeBackupPrivilege	3132	WMIC.exe
Token: SeRestorePrivilege	3132	WMIC.exe
Token: SeShutdownPrivilege	3132	WMIC.exe
Token: SeDebugPrivilege	3132	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3132	WMIC.exe
Token: SeRemoteShutdownPrivilege	3132	WMIC.exe
Token: SeUndockPrivilege	3132	WMIC.exe
Token: SeManageVolumePrivilege	3132	WMIC.exe
Token: 33	3132	WMIC.exe
Token: 34	3132	WMIC.exe
Token: 35	3132	WMIC.exe
Token: 36	3132	WMIC.exe
Token: SeDebugPrivilege	1100	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3132	WMIC.exe
Token: SeSecurityPrivilege	3132	WMIC.exe
Token: SeTakeOwnershipPrivilege	3132	WMIC.exe
Token: SeLoadDriverPrivilege	3132	WMIC.exe
Token: SeSystemProfilePrivilege	3132	WMIC.exe
Token: SeSystemtimePrivilege	3132	WMIC.exe
Token: SeProfSingleProcessPrivilege	3132	WMIC.exe
Token: SeIncBasePriorityPrivilege	3132	WMIC.exe
Token: SeCreatePagefilePrivilege	3132	WMIC.exe
Token: SeBackupPrivilege	3132	WMIC.exe
Token: SeRestorePrivilege	3132	WMIC.exe
Token: SeShutdownPrivilege	3132	WMIC.exe
Token: SeDebugPrivilege	3132	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3132	WMIC.exe
Token: SeRemoteShutdownPrivilege	3132	WMIC.exe
Token: SeUndockPrivilege	3132	WMIC.exe
Token: SeManageVolumePrivilege	3132	WMIC.exe
Token: 33	3132	WMIC.exe
Token: 34	3132	WMIC.exe
Token: 35	3132	WMIC.exe
Token: 36	3132	WMIC.exe
Token: SeDebugPrivilege	1980	tasklist.exe
Token: SeDebugPrivilege	2736	tasklist.exe
Token: SeDebugPrivilege	216	powershell.exe
Token: SeIncreaseQuotaPrivilege	4692	WMIC.exe
Token: SeSecurityPrivilege	4692	WMIC.exe
Token: SeTakeOwnershipPrivilege	4692	WMIC.exe
Token: SeLoadDriverPrivilege	4692	WMIC.exe
Token: SeSystemProfilePrivilege	4692	WMIC.exe
Token: SeSystemtimePrivilege	4692	WMIC.exe
Token: SeProfSingleProcessPrivilege	4692	WMIC.exe
Token: SeIncBasePriorityPrivilege	4692	WMIC.exe
Token: SeCreatePagefilePrivilege	4692	WMIC.exe
Token: SeBackupPrivilege	4692	WMIC.exe
Token: SeRestorePrivilege	4692	WMIC.exe
Token: SeShutdownPrivilege	4692	WMIC.exe
Token: SeDebugPrivilege	4692	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4692	WMIC.exe
Token: SeRemoteShutdownPrivilege	4692	WMIC.exe
Token: SeUndockPrivilege	4692	WMIC.exe
Token: SeManageVolumePrivilege	4692	WMIC.exe
Token: 33	4692	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4288 wrote to memory of 4984	4288	setup.exe	86
PID 4288 wrote to memory of 4984	4288	setup.exe	86
PID 4984 wrote to memory of 636	4984	setup.exe	88
PID 4984 wrote to memory of 636	4984	setup.exe	88
PID 4984 wrote to memory of 1628	4984	setup.exe	89
PID 4984 wrote to memory of 1628	4984	setup.exe	89
PID 636 wrote to memory of 3132	636	cmd.exe	92
PID 636 wrote to memory of 3132	636	cmd.exe	92
PID 1628 wrote to memory of 1100	1628	cmd.exe	93
PID 1628 wrote to memory of 1100	1628	cmd.exe	93
PID 4984 wrote to memory of 740	4984	setup.exe	95
PID 4984 wrote to memory of 740	4984	setup.exe	95
PID 740 wrote to memory of 1608	740	cmd.exe	97
PID 740 wrote to memory of 1608	740	cmd.exe	97
PID 4984 wrote to memory of 1108	4984	setup.exe	98
PID 4984 wrote to memory of 1108	4984	setup.exe	98
PID 1108 wrote to memory of 1980	1108	cmd.exe	100
PID 1108 wrote to memory of 1980	1108	cmd.exe	100
PID 4984 wrote to memory of 3016	4984	setup.exe	101
PID 4984 wrote to memory of 3016	4984	setup.exe	101
PID 4984 wrote to memory of 3416	4984	setup.exe	102
PID 4984 wrote to memory of 3416	4984	setup.exe	102
PID 4984 wrote to memory of 1528	4984	setup.exe	103
PID 4984 wrote to memory of 1528	4984	setup.exe	103
PID 4984 wrote to memory of 4364	4984	setup.exe	104
PID 4984 wrote to memory of 4364	4984	setup.exe	104
PID 4364 wrote to memory of 216	4364	cmd.exe	109
PID 4364 wrote to memory of 216	4364	cmd.exe	109
PID 1528 wrote to memory of 2736	1528	cmd.exe	110
PID 1528 wrote to memory of 2736	1528	cmd.exe	110
PID 3416 wrote to memory of 2272	3416	cmd.exe	111
PID 3416 wrote to memory of 2272	3416	cmd.exe	111
PID 2272 wrote to memory of 1944	2272	cmd.exe	112
PID 2272 wrote to memory of 1944	2272	cmd.exe	112
PID 3016 wrote to memory of 1368	3016	cmd.exe	113
PID 3016 wrote to memory of 1368	3016	cmd.exe	113
PID 1368 wrote to memory of 4280	1368	cmd.exe	114
PID 1368 wrote to memory of 4280	1368	cmd.exe	114
PID 4984 wrote to memory of 4628	4984	setup.exe	115
PID 4984 wrote to memory of 4628	4984	setup.exe	115
PID 4984 wrote to memory of 3144	4984	setup.exe	116
PID 4984 wrote to memory of 3144	4984	setup.exe	116
PID 3144 wrote to memory of 2912	3144	cmd.exe	119
PID 3144 wrote to memory of 2912	3144	cmd.exe	119
PID 4628 wrote to memory of 4504	4628	cmd.exe	120
PID 4628 wrote to memory of 4504	4628	cmd.exe	120
PID 4628 wrote to memory of 2248	4628	cmd.exe	125
PID 4628 wrote to memory of 2248	4628	cmd.exe	125
PID 4628 wrote to memory of 4692	4628	cmd.exe	126
PID 4628 wrote to memory of 4692	4628	cmd.exe	126
PID 4628 wrote to memory of 3264	4628	cmd.exe	127
PID 4628 wrote to memory of 3264	4628	cmd.exe	127
PID 3264 wrote to memory of 920	3264	net.exe	128
PID 3264 wrote to memory of 920	3264	net.exe	128
PID 4628 wrote to memory of 1132	4628	cmd.exe	129
PID 4628 wrote to memory of 1132	4628	cmd.exe	129
PID 1132 wrote to memory of 1448	1132	query.exe	130
PID 1132 wrote to memory of 1448	1132	query.exe	130
PID 4628 wrote to memory of 4420	4628	cmd.exe	131
PID 4628 wrote to memory of 4420	4628	cmd.exe	131
PID 4420 wrote to memory of 1216	4420	net.exe	132
PID 4420 wrote to memory of 1216	4420	net.exe	132
PID 4628 wrote to memory of 4596	4628	cmd.exe	133
PID 4628 wrote to memory of 4596	4628	cmd.exe	133

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1608	attrib.exe

C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Users\Admin\AppData\Local\Temp\setup.exe
  "C:\Users\Admin\AppData\Local\Temp\setup.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:636
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1628
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:740
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Views/modifies file attributes
      PID:1608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1108
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1368
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:4280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3416
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2272
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:1944
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1528
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:4364
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    - Suspicious use of WriteProcessMemory
    PID:4628
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4504
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:2248
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      Suspicious use of AdjustPrivilegeToken
      PID:4692
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3264
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:920
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1132
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:1448
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4420
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:1216
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:4596
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:1800
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:2188
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:4784
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:4516
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:1608
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:4940
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:3660
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:2360
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:1724
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:2516
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:3136
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:4988
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4968
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:3144
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2272
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3620
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2776
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe

Filesize
9.8MB

MD5
4d563c46d8553f7d2b7551dd17541821

SHA1
53746b017cba01648f4efd81c620feab96c8316f

SHA256
d13b50e2bcf90995477010372b0170eebb6830adcbc55e36d038a7286e329bbd

SHA512
473a634d531b56018405d6648c9314f7d63dd9077ef51fdf3bb2c211aeed0cf7ef1851423d457be0188ddbfa40a8af8ba4a309dfe2eb595ac381e48da63865b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42882\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42882\_asyncio.pyd

Filesize
34KB

MD5
6de61484aaeedf539f73e361eb186e21

SHA1
07a6ae85f68ca9b7ca147bf587b4af547c28e986

SHA256
2c308a887aa14b64f7853730cb53145856bacf40a1b421c0b06ec41e9a8052ff

SHA512
f9c4a6e8d4c5cb3a1947af234b6e3f08c325a97b14adc371f82430ec787cad17052d6f879575fc574abb92fd122a3a6a14004dce80b36e6e066c6bc43607463d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42882\_brotli.cp310-win_amd64.pyd

Filesize
274KB

MD5
9c5a11f077905cbd3dc42a233461b22e

SHA1
adb51dd54404d9018238a05218ae8e293c514b80

SHA256
5b56a8861637db3cde975d5f7c1a38616d7df89a34adeaa62f715bbf3e7889bb

SHA512
cd52b809d621aeed2a7b4b4e843388cf222b793ca34d76f7b89f0cc587fb6592b4221b938b69a152bfb9e01baca134a34c1b382ecd56cb4a9dc1f434a32d4b19

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42882\_bz2.pyd

Filesize
46KB

MD5
d584d4cfc04f616d406ec196997e706c

SHA1
b7fe2283e5b882823ee0ffcf92c4dd05f195dc4c

SHA256
e1ea9bb42b4184bf3ec29cbe10a6d6370a213d7a40aa6d849129b0d8ec50fda4

SHA512
ccf7cfbf4584401bab8c8e7d221308ca438779849a2eea074758be7d7afe9b73880e80f8f0b15e4dc2e8ae1142d389fee386dc58b603853760b0e7713a3d0b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42882\_cffi_backend.cp310-win_amd64.pyd

Filesize
71KB

MD5
12854bf45c91256672927094acb2b31f

SHA1
8ec25f43200b087006b4b34aa2108350c527794a

SHA256
74afa6a2fae4ffb821fba3574c4e028786d7dcc51f1fb7d2629f8f29112c22df

SHA512
6ef26b005328fbc179c7e9c615a8cbf9f19088b0486f928898647342fb01863625779f924ad75b1570659657a0845d85b764e7f7066f7b86f9aaad3da05d3426

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42882\_ctypes.pyd

Filesize
56KB

MD5
f0077496f3bb6ea93da1d7b5ea1511c2

SHA1
a901ad6e13c1568d023c0dcb2b7d995c68ed2f6a

SHA256
0269ae71e9a7b006aab0802e72987fc308a6f94921d1c9b83c52c636e45035a0

SHA512
4f188746a77ad1c92cefa615278d321912c325a800aa67abb006821a6bdffc145c204c9da6b11474f44faf23376ff7391b94f4a51e6949a1d2576d79db7f27ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42882\_decimal.pyd

Filesize
103KB

MD5
fff94ecb907918f1b8c9f1a1534fcbbd

SHA1
14278c217213cd95a130b9efb461310df53d4e8b

SHA256
f1a6eb105ccfad9b62c60b1f4fae8051b65dc401c49ecca02357d086534028e5

SHA512
b36241ddc504df38e019e313d121f30bc80748cb7f15cf08382d9f51f3ac47fab3b38e6a5379ec544cfb79fa79595a98a9e7d99b559b06704fa9dca5eaed746f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42882\_hashlib.pyd

Filesize
33KB

MD5
0d8ffe48eb5657e5ac6725c7be1d9aa3

SHA1
a39a3dc76f3c7a4b8645bb6c1dc34e50d7e9a287

SHA256
5ad4b3a6287b9d139063383e2bfdc46f51f6f3aaca015b59f9ed58f707fa2a44

SHA512
c26c277196395291a4a42e710af3560e168535e59b708b04343b4a0a926277a93e16fe24673903469b7c96545d6fbf036f149ef21231a759a13147d533d4fc3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42882\_lzma.pyd

Filesize
84KB

MD5
213a986429a24c61eca7efed8611b28a

SHA1
348f47528a4e8d0a54eb60110db78a6b1543795e

SHA256
457114386ce08d81cb7ac988b1ff60d2fdffc40b3de6d023034b203582d32f5d

SHA512
1e43c2cacc819a2e578437d1329fa1f772fe614167d3ec9b5612b44f216175500e56e3d60a7107b66a5b3121e9e2e49344ebe9ff1b752cae574bb8b60eec42ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42882\_multiprocessing.pyd

Filesize
25KB

MD5
5772b1eac07f690fc8fb4b4d31127f39

SHA1
a40a7db95c250176f1184f1d1ddc9bed338d59aa

SHA256
364b93cf7ba0544b25f835f0ab0da7d8ec01bf55dd9c05030a621e40a736b8e3

SHA512
a53de6a304009c05b27372c71ba3ba8d77e5652e3e65d343081d44dcf591e60f43d32fc8abed5f8b032e17398f46042fa942c28232b0f1c476119651120d232e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42882\_overlapped.pyd

Filesize
30KB

MD5
b05bce7e8a1ef69679da7d1b4894208f

SHA1
7b2dd612cf76da09d5bd1a9dcd6ba20051d11595

SHA256
9c8edf15e9f0edbc96e3310572a231cdd1c57c693fbfc69278fbbc7c2fc47197

SHA512
27cef9b35a4560c98b4d72e5144a68d068263506ac97f5f813b0f6c7552f4c206c6f9a239bc1d9161aff79742cd4516c86f5997c27b1bd084e03854d6410b8e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42882\_queue.pyd

Filesize
24KB

MD5
391bf7a40de25751364d52b881bf30e9

SHA1
9ec6ae2df4280213af96b764370957092e476b22

SHA256
ab3c6af282b8bef50c96be53cb74fcaf72befff9ac80bf30950975dea0244826

SHA512
75c3d4f8ece49b42bc70c462da4c4a363704bfc915d11e696f077cc021f07c534fb8635ef480d762f4a6a4457c22f6d4fb89414de5ee77c22f12342f0f24b841

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42882\_socket.pyd

Filesize
41KB

MD5
02adf34fc4cf0cbb7da84948c6e0a6ce

SHA1
4d5d1adaf743b6bd324642e28d78331059e3342b

SHA256
e92b5042b4a1ca76b84d3070e4adddf100ba5a56cf8e7fcd4dd1483830d786a5

SHA512
da133fc0f9fefed3b483ba782948fcdc508c50ffc141e5e1e29a7ec2628622cdd606c0b0a949098b48ee3f54cdb604842e3ca268c27bc23f169fced3d2fbd0a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42882\_sqlite3.pyd

Filesize
48KB

MD5
b2b86c10944a124a00a6bcfaf6ddb689

SHA1
4971148b2a8d07b74aa616e2dd618aaf2be9e0db

SHA256
874783af90902a7a8f5b90b018b749de7ddb8ec8412c46f7abe2edfe9c7abe84

SHA512
0a44b508d2a9700db84bd395ff55a6fc3d593d2069f04a56b135ba41fc23ea7726ae131056123d06526c14284bce2dbadd4abf992b3eb27bf9af1e083763556f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42882\_ssl.pyd

Filesize
60KB

MD5
1af0fbf618468685c9a9541be14b3d24

SHA1
27e8c76192555a912e402635765df2556c1c2b88

SHA256
a46968ca76d6b17f63672a760f33664c3ea27d9356295122069e23d1c90f296a

SHA512
7382a0d3ec2ce560efd2ddd43db8423637af341ce6889d335165b7876b15d08f4de0f228f959dcb90b47814f9f4e0edd02d38a78ddad152ed7bc86791d46bc36

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42882\_uuid.pyd

Filesize
21KB

MD5
00276ab62a35d7c6022ae787168fe275

SHA1
e34d9a060b8f2f8673f878e64d7369ab99869876

SHA256
3500db7ef67cddd8b969f87b4a76a577b5b326597da968e262c23d2a8c7b426a

SHA512
ea4a46b0f7295b61a268d8df0e2f722b86b596946c421d5d89fe734389a819c9ae8e94b99e554feb4e40497261fa9c3ae7d13fdba1f4ad4f22c650076150682a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42882\attrs-23.1.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42882\attrs-23.1.0.dist-info\METADATA

Filesize
11KB

MD5
7774d77d730c0c295cb6e3e46817dad6

SHA1
406b5c84945b8dc1035bd53eb33f289b9ae699fc

SHA256
ca0970517928ef943e209e8b98f550e18f7d2894b708f2b4356f28bd7158b038

SHA512
6e991f3144cca536e906a180da7faf3198521c81eff4143fb943ecc6c6faa558d0b1f2aa1379a7294baa039d67202c671027d12c821d95b859ec25e0f78c2c21

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42882\attrs-23.1.0.dist-info\RECORD

Filesize
3KB

MD5
a3ad7b8cda8539786366bbbec93d29ad

SHA1
d79fe6c3773c0e56ab64f6288b2cef36bacc10a6

SHA256
0c4d6f02b4fecd5a3a81d45a6d684d38998f2a8dab51490548a27d85a5377299

SHA512
03a7fbf8ae5fb6c4bad790edc6c3479bb604fb7e3f8ccccb96fe7a8ef45dceb1bcf12415d51437c5048aa01183a3cd0e55d5a64fa1e7b22d7dab8031822ed77b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42882\base_library.zip

Filesize
812KB

MD5
fbd6be906ac7cd45f1d98f5cb05f8275

SHA1
5d563877a549f493da805b4d049641604a6a0408

SHA256
ae35709e6b8538827e3999e61a0345680c5167962296ac7bef62d6b813227fb0

SHA512
1547b02875f3e547c4f5e15c964719c93d7088c7f4fd044f6561bebd29658a54ef044211f9d5cfb4570ca49ed0f17b08011d27fe85914e8c3ea12024c8071e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42882\cryptography\hazmat\bindings\_rust.pyd

Filesize
2.1MB

MD5
b81843524c520919e62b1239352c8576

SHA1
d281b3f417daafaff6f6d8f46a89d546f6877c7e

SHA256
e3624c26db292097538773ea3cae790c4993cf5b6369d519276a1f94e86abb84

SHA512
a354fd706707adb2754929e510310491ac268dcaab4c780bb0b9bb97086a5942ef5a4fc4879d114722521615b3b90c60c63df985bdbade64e0b381ff5c989b3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42882\libcrypto-1_1.dll

Filesize
1.1MB

MD5
9c2ffedb0ae90b3985e5cdbedd3363e9

SHA1
a475fbe289a716e1fbe2eab97f76dbba1da322a9

SHA256
7c9418ad6fb6d15acb7d340b7a6533f76337ad302a18e2b4e08d4ee37689913a

SHA512
70d2635d42e24c7426cf5306ed010808f2222049915adb43ffc12c13259c8e7a9fee3a49e096d5ba2b6b733fef18574823d00df2e8d7fb1532e1d65d0c478008

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42882\libffi-7.dll

Filesize
23KB

MD5
8e1d2a11b94e84eaa382d6a680d93f17

SHA1
07750d78022d387292525a7d8385687229795cf1

SHA256
090a90cd17b74abefddf9f82d145effe5c676e7c62cf1a59834528f512d7ee82

SHA512
213bf92a707b14211941e5e071f1926be4b5795babc6df0d168b623ecd6cb7c7e0ae4320369c51d75c75b38ec282b5bf77f15eb94018ae74c8fd14f328b45a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42882\libssl-1_1.dll

Filesize
203KB

MD5
87bb1a8526b475445b2d7fd298c57587

SHA1
aaad18ea92b132ca74942fd5a9f4c901d02d9b09

SHA256
c35a97d8f24ea84d1e39a8621b6b3027c9ac24885bdd37386c9fcaad1858419d

SHA512
956bd8e9f35c917cbfb570fc633bb2df0d1c2686731fa7179f5e7cd8789e665dd6ff8443e712eafa4e3f8d8661f933cb5675aeb1a2efc195c3bb32211e6d2506

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42882\multidict\_multidict.cp310-win_amd64.pyd

Filesize
20KB

MD5
07adf002b8bab71368fd904e8daa545c

SHA1
bd38ea6cca7f10660725c7df533fe33a349a11ea

SHA256
781496f2ae8d0a1cd2899bd643adee7813b33441f0f2c6177ab108148b5109ba

SHA512
20d4747890c957becb15136b4f16280356b74dcd159dac0f93cf853820a88dab5cb86f6e1ef0eff140f35443cdffe81ae0e05bccc573dbd3f54cda9ce0b2633d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42882\propcache\_helpers_c.cp310-win_amd64.pyd

Filesize
32KB

MD5
bc2a853112ece884267a5ffc835bc809

SHA1
e714c942dae5bbace443b38e615182395c3bee02

SHA256
1d06628ed700e675786d1083b060b0dcd4e19624183fdcc99f36fadb218ef417

SHA512
28403d41c8df5e1ff578b689290dc627fd0b0bff58e4a74407689991b083922c7a87d2d5fa9bf9d5b6bc84e1060f9a873bd14e6341039308d8a295c8fbdaad13

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42882\pyexpat.pyd

Filesize
86KB

MD5
299d031f13d953a955ff18888db0d39a

SHA1
afd538a74421d406ce19d0919e8f719faf9aece9

SHA256
d65f22426652f10a54058cedd2f2917e65fa27762a5828fa27aa0ea42d56c87a

SHA512
d42833d409729a2cb3eee0f2bc3c6beeb71cf86c50a0cc774141849df2ec3617a50b5a1d7440a28daaebffb1a0fc4a5b943b1ecca237e83a2d2cd0e0d1dd9a79

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42882\python3.DLL

Filesize
63KB

MD5
c17b7a4b853827f538576f4c3521c653

SHA1
6115047d02fbbad4ff32afb4ebd439f5d529485a

SHA256
d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68

SHA512
8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42882\python310.dll

Filesize
1.4MB

MD5
196deb9a74e6e9e242f04008ea80f7d3

SHA1
a54373ebad306f3e6f585bcdf1544fbdcf9c0386

SHA256
20b004bfe69166c4961fee93163e795746df39fb31dc67399c0fde57f551eb75

SHA512
8c226d3ef21f3ddeee14a098c60ef030fa78590e9505d015ce63ea5e5bbcea2e105ff818e94653df1bddc9ba6ed3b376a1dff5c19266b623fa22cd75ac263b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42882\select.pyd

Filesize
24KB

MD5
16be2c5990fe8df5a6d98b0ba173084d

SHA1
572cb2107ff287928501dc8f5ae4a748e911d82d

SHA256
65de0eb0f1aa5830a99d46a1b2260aaa0608ed28e33a4b0ffe43fd891f426f76

SHA512
afa991c407548da16150ad6792a5233688cc042585538d510ac99c2cb1a6ee2144f31aa639065da4c2670f54f947947860a90ec1bde7c2afaa250e758b956dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42882\sqlite3.dll

Filesize
608KB

MD5
4357c9ab90f329f6cbc8fe6bc44a8a97

SHA1
2ec6992da815dcdb9a009d41d7f2879ea8f8b3f3

SHA256
eb1b1679d90d6114303f490de14931957cdfddf7d4311b3e5bacac4e4dc590ba

SHA512
a245971a4e3f73a6298c949052457fbaece970678362e2e5bf8bd6e2446d18d157ad3f1d934dae4e375ab595c84206381388fb6de6b17b9df9f315042234343a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42882\unicodedata.pyd

Filesize
287KB

MD5
d296d76daf56777da51fec9506d07c6a

SHA1
c012b7d74e68b126a5c20ac4f8408cebacbbf98d

SHA256
05201ceb3dba9395f6ac15a069d94720b9c2b5c6199447105e9bc29d7994c838

SHA512
15eed0ab1989e01b57e10f886a69a0cca2fff0a37cc886f4e3bc5c08684536cb61ff2551d75c62137c97aa455d6f2b99aab7ae339ea98870bb4116f63508deb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42882\yarl\_quoting_c.cp310-win_amd64.pyd

Filesize
41KB

MD5
67ea86195a841bdc8a5a2513726195b7

SHA1
64d9df5f14bd25193d0d6e8fa2aaeec390086523

SHA256
11a76414c8fc70a7d64159a7599b870887181630980d10dd0db08c3ca8de2af8

SHA512
eada64017d3f801cc141f416336916b318c00c30062498a040534caf1c23b3daa00e060c0a20057b1a4ab7a6fdd082c6b1eedc658b357174c12ae317470a6db3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bvlxdxj2.seo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/216-191-0x0000028FDCF70000-0x0000028FDCF92000-memory.dmp

Filesize
136KB

Download
memory/4984-131-0x00007FFA06DA0000-0x00007FFA0753A000-memory.dmp

Filesize
7.6MB

Download
memory/4984-229-0x00007FFA17C50000-0x00007FFA17C65000-memory.dmp

Filesize
84KB

Download
memory/4984-108-0x00007FFA1C780000-0x00007FFA1C799000-memory.dmp

Filesize
100KB

Download
memory/4984-109-0x00007FFA172B0000-0x00007FFA173C8000-memory.dmp

Filesize
1.1MB

Download
memory/4984-105-0x00007FFA17810000-0x00007FFA17824000-memory.dmp

Filesize
80KB

Download
memory/4984-114-0x00007FFA176B0000-0x00007FFA176CB000-memory.dmp

Filesize
108KB

Download
memory/4984-113-0x00007FFA17EF0000-0x00007FFA17F1D000-memory.dmp

Filesize
180KB

Download
memory/4984-101-0x00007FFA1F380000-0x00007FFA1F399000-memory.dmp

Filesize
100KB

Download
memory/4984-117-0x00007FFA17680000-0x00007FFA176A2000-memory.dmp

Filesize
136KB

Download
memory/4984-116-0x00007FFA17ED0000-0x00007FFA17EEF000-memory.dmp

Filesize
124KB

Download
memory/4984-98-0x00007FFA1D500000-0x00007FFA1D510000-memory.dmp

Filesize
64KB

Download
memory/4984-123-0x00007FFA07540000-0x00007FFA0760F000-memory.dmp

Filesize
828KB

Download
memory/4984-96-0x00007FFA17C50000-0x00007FFA17C65000-memory.dmp

Filesize
84KB

Download
memory/4984-125-0x00007FFA17EA0000-0x00007FFA17ECE000-memory.dmp

Filesize
184KB

Download
memory/4984-127-0x00007FFA1C830000-0x00007FFA1C83A000-memory.dmp

Filesize
40KB

Download
memory/4984-126-0x000002BADAC40000-0x000002BADAFB5000-memory.dmp

Filesize
3.5MB

Download
memory/4984-88-0x00007FFA08400000-0x00007FFA0886E000-memory.dmp

Filesize
4.4MB

Download
memory/4984-121-0x00007FFA07AF0000-0x00007FFA07E65000-memory.dmp

Filesize
3.5MB

Download
memory/4984-120-0x00007FFA07E70000-0x00007FFA07FE1000-memory.dmp

Filesize
1.4MB

Download
memory/4984-130-0x00007FFA17D10000-0x00007FFA17DC8000-memory.dmp

Filesize
736KB

Download
memory/4984-89-0x00007FFA17EA0000-0x00007FFA17ECE000-memory.dmp

Filesize
184KB

Download
memory/4984-91-0x00007FFA07AF0000-0x00007FFA07E65000-memory.dmp

Filesize
3.5MB

Download
memory/4984-135-0x00007FFA13650000-0x00007FFA13687000-memory.dmp

Filesize
220KB

Download
memory/4984-134-0x00007FFA17C50000-0x00007FFA17C65000-memory.dmp

Filesize
84KB

Download
memory/4984-92-0x00007FFA17D10000-0x00007FFA17DC8000-memory.dmp

Filesize
736KB

Download
memory/4984-90-0x000002BADAC40000-0x000002BADAFB5000-memory.dmp

Filesize
3.5MB

Download
memory/4984-179-0x00007FFA17C10000-0x00007FFA17C1D000-memory.dmp

Filesize
52KB

Download
memory/4984-80-0x00007FFA07E70000-0x00007FFA07FE1000-memory.dmp

Filesize
1.4MB

Download
memory/4984-78-0x00007FFA17ED0000-0x00007FFA17EEF000-memory.dmp

Filesize
124KB

Download
memory/4984-196-0x00007FFA17810000-0x00007FFA17824000-memory.dmp

Filesize
80KB

Download
memory/4984-197-0x00007FFA172B0000-0x00007FFA173C8000-memory.dmp

Filesize
1.1MB

Download
memory/4984-74-0x00007FFA17EF0000-0x00007FFA17F1D000-memory.dmp

Filesize
180KB

Download
memory/4984-199-0x00007FFA176B0000-0x00007FFA176CB000-memory.dmp

Filesize
108KB

Download
memory/4984-201-0x00007FFA17680000-0x00007FFA176A2000-memory.dmp

Filesize
136KB

Download
memory/4984-71-0x00007FFA1C780000-0x00007FFA1C799000-memory.dmp

Filesize
100KB

Download
memory/4984-68-0x00007FFA1D510000-0x00007FFA1D51D000-memory.dmp

Filesize
52KB

Download
memory/4984-66-0x00007FFA1F380000-0x00007FFA1F399000-memory.dmp

Filesize
100KB

Download
memory/4984-61-0x00007FFA17F20000-0x00007FFA17F44000-memory.dmp

Filesize
144KB

Download
memory/4984-62-0x00007FFA1FB40000-0x00007FFA1FB4F000-memory.dmp

Filesize
60KB

Download
memory/4984-52-0x00007FFA08400000-0x00007FFA0886E000-memory.dmp

Filesize
4.4MB

Download
memory/4984-230-0x00007FFA1D500000-0x00007FFA1D510000-memory.dmp

Filesize
64KB

Download
memory/4984-104-0x00007FFA179D0000-0x00007FFA179E4000-memory.dmp

Filesize
80KB

Download
memory/4984-226-0x00007FFA17EA0000-0x00007FFA17ECE000-memory.dmp

Filesize
184KB

Download
memory/4984-218-0x00007FFA17F20000-0x00007FFA17F44000-memory.dmp

Filesize
144KB

Download
memory/4984-217-0x00007FFA08400000-0x00007FFA0886E000-memory.dmp

Filesize
4.4MB

Download
memory/4984-235-0x00007FFA17680000-0x00007FFA176A2000-memory.dmp

Filesize
136KB

Download
memory/4984-228-0x00007FFA07AF0000-0x00007FFA07E65000-memory.dmp

Filesize
3.5MB

Download
memory/4984-227-0x00007FFA17D10000-0x00007FFA17DC8000-memory.dmp

Filesize
736KB

Download
memory/4984-225-0x00007FFA07E70000-0x00007FFA07FE1000-memory.dmp

Filesize
1.4MB

Download
memory/4984-224-0x00007FFA17ED0000-0x00007FFA17EEF000-memory.dmp

Filesize
124KB

Download
memory/4984-239-0x00007FFA13650000-0x00007FFA13687000-memory.dmp

Filesize
220KB

Download
memory/4984-241-0x00007FFA06DA0000-0x00007FFA0753A000-memory.dmp

Filesize
7.6MB

Download
memory/4984-255-0x00007FFA17C50000-0x00007FFA17C65000-memory.dmp

Filesize
84KB

Download
memory/4984-261-0x00007FFA17680000-0x00007FFA176A2000-memory.dmp

Filesize
136KB

Download
memory/4984-243-0x00007FFA08400000-0x00007FFA0886E000-memory.dmp

Filesize
4.4MB

Download
memory/4984-252-0x00007FFA17EA0000-0x00007FFA17ECE000-memory.dmp

Filesize
184KB

Download
memory/4984-267-0x00007FFA08400000-0x00007FFA0886E000-memory.dmp

Filesize
4.4MB

Download
memory/4984-415-0x00007FFA17D10000-0x00007FFA17DC8000-memory.dmp

Filesize
736KB

Download
memory/4984-423-0x00007FFA17810000-0x00007FFA17824000-memory.dmp

Filesize
80KB

Download
memory/4984-433-0x00007FFA1C830000-0x00007FFA1C83A000-memory.dmp

Filesize
40KB

Download
memory/4984-436-0x00007FFA17C10000-0x00007FFA17C1D000-memory.dmp

Filesize
52KB

Download
memory/4984-435-0x00007FFA13650000-0x00007FFA13687000-memory.dmp

Filesize
220KB

Download
memory/4984-434-0x00007FFA06DA0000-0x00007FFA0753A000-memory.dmp

Filesize
7.6MB

Download
memory/4984-432-0x00007FFA07540000-0x00007FFA0760F000-memory.dmp

Filesize
828KB

Download
memory/4984-431-0x00007FFA17680000-0x00007FFA176A2000-memory.dmp

Filesize
136KB

Download
memory/4984-430-0x00007FFA176B0000-0x00007FFA176CB000-memory.dmp

Filesize
108KB

Download
memory/4984-429-0x00007FFA172B0000-0x00007FFA173C8000-memory.dmp

Filesize
1.1MB

Download
memory/4984-428-0x00007FFA07AF0000-0x00007FFA07E65000-memory.dmp

Filesize
3.5MB

Download
memory/4984-427-0x00007FFA179D0000-0x00007FFA179E4000-memory.dmp

Filesize
80KB

Download
memory/4984-426-0x00007FFA1D500000-0x00007FFA1D510000-memory.dmp

Filesize
64KB

Download
memory/4984-425-0x00007FFA17C50000-0x00007FFA17C65000-memory.dmp

Filesize
84KB

Download
memory/4984-424-0x00007FFA08400000-0x00007FFA0886E000-memory.dmp

Filesize
4.4MB

Download
memory/4984-422-0x00007FFA17EA0000-0x00007FFA17ECE000-memory.dmp

Filesize
184KB

Download
memory/4984-421-0x00007FFA07E70000-0x00007FFA07FE1000-memory.dmp

Filesize
1.4MB

Download
memory/4984-420-0x00007FFA17ED0000-0x00007FFA17EEF000-memory.dmp

Filesize
124KB

Download
memory/4984-419-0x00007FFA17EF0000-0x00007FFA17F1D000-memory.dmp

Filesize
180KB

Download
memory/4984-418-0x00007FFA1C780000-0x00007FFA1C799000-memory.dmp

Filesize
100KB

Download
memory/4984-417-0x00007FFA1D510000-0x00007FFA1D51D000-memory.dmp

Filesize
52KB

Download
memory/4984-416-0x00007FFA1F380000-0x00007FFA1F399000-memory.dmp

Filesize
100KB

Download
memory/4984-414-0x00007FFA17F20000-0x00007FFA17F44000-memory.dmp

Filesize
144KB

Download
memory/4984-413-0x00007FFA1FB40000-0x00007FFA1FB4F000-memory.dmp

Filesize
60KB

Download