exelastealer | baa3e63d84d9010d4d054e32f051bd6eda685bccc9176f84ceacaa30aca17771

Analysis

max time kernel
94s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06-12-2024 05:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Exela.exe
Size

9.3MB
MD5

9b710581e4d8ea6c794feee1bcf451a1
SHA1

6cef280dcd11ea850f9bb3f1502deea075b68a2d
SHA256

baa3e63d84d9010d4d054e32f051bd6eda685bccc9176f84ceacaa30aca17771
SHA512

ceeb8f3eb15ec65f7f01ba4ff5edcc0507a155dd442a278987fe8bb8a73dd566a637ad3f13d2fc746cce5eee50c5042e30f9669cce40b47b4a47ba7be8dd985d
SSDEEP

196608:K7SyWtIw5Ck6xfbaX8iiis4hTJURf+RHvUWvoRWOxu9kXwvdbDq03NLnpEhJj1/n:SpStBizaXZscJ6f+RHdGbAlbu03dpEnr

Score

10^/10

exelastealer collection defense_evasion discovery evasion persistence privilege_escalation pyinstaller spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
456	netsh.exe
676	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1168	cmd.exe
1160	powershell.exe

Loads dropped DLL 32 IoCs

pid	Process
1420	Exela.exe
1420	Exela.exe
1420	Exela.exe
1420	Exela.exe
1420	Exela.exe
1420	Exela.exe
1420	Exela.exe
1420	Exela.exe
1420	Exela.exe
1420	Exela.exe
1420	Exela.exe
1420	Exela.exe
1420	Exela.exe
1420	Exela.exe
1420	Exela.exe
1420	Exela.exe
1420	Exela.exe
1420	Exela.exe
1420	Exela.exe
1420	Exela.exe
1420	Exela.exe
1420	Exela.exe
1420	Exela.exe
1420	Exela.exe
1420	Exela.exe
1420	Exela.exe
1420	Exela.exe
1420	Exela.exe
1420	Exela.exe
1420	Exela.exe
1420	Exela.exe
1420	Exela.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela Update Service = "C:\\Users\\Admin\\AppData\\Local\\ExelaUpdateService\\Exela.exe"	reg.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
4040	cmd.exe
4280	ARP.EXE

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
4984	tasklist.exe
2740	tasklist.exe
1316	tasklist.exe
1568	tasklist.exe
516	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2684	cmd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000a000000023b99-46.dat	upx
behavioral2/memory/1420-50-0x00007FF986910000-0x00007FF986D7A000-memory.dmp	upx
behavioral2/files/0x000a000000023b79-52.dat	upx
behavioral2/memory/1420-58-0x00007FF99A4D0000-0x00007FF99A4F4000-memory.dmp	upx
behavioral2/files/0x000a000000023b91-57.dat	upx
behavioral2/files/0x0031000000023b80-60.dat	upx
behavioral2/memory/1420-63-0x00007FF99D3E0000-0x00007FF99D3F9000-memory.dmp	upx
behavioral2/files/0x000a000000023b9a-65.dat	upx
behavioral2/memory/1420-67-0x00007FF99EA40000-0x00007FF99EA4D000-memory.dmp	upx
behavioral2/memory/1420-61-0x00007FF99F0F0000-0x00007FF99F0FF000-memory.dmp	upx
behavioral2/files/0x000a000000023b77-66.dat	upx
behavioral2/files/0x000a000000023b7c-69.dat	upx
behavioral2/memory/1420-70-0x00007FF99B8F0000-0x00007FF99B909000-memory.dmp	upx
behavioral2/memory/1420-73-0x00007FF9998A0000-0x00007FF9998CC000-memory.dmp	upx
behavioral2/files/0x0031000000023b81-72.dat	upx
behavioral2/memory/1420-76-0x00007FF99A770000-0x00007FF99A78E000-memory.dmp	upx
behavioral2/files/0x000a000000023b9b-75.dat	upx
behavioral2/memory/1420-78-0x00007FF994DA0000-0x00007FF994F0D000-memory.dmp	upx
behavioral2/files/0x000a000000023b82-79.dat	upx
behavioral2/files/0x000a000000023b90-81.dat	upx
behavioral2/files/0x000a000000023b92-83.dat	upx
behavioral2/memory/1420-85-0x00007FF995D90000-0x00007FF995DBE000-memory.dmp	upx
behavioral2/memory/1420-89-0x00007FF9956A0000-0x00007FF995756000-memory.dmp	upx
behavioral2/files/0x000a000000023b76-91.dat	upx
behavioral2/memory/1420-95-0x00007FF995D70000-0x00007FF995D84000-memory.dmp	upx
behavioral2/memory/1420-102-0x00007FF995680000-0x00007FF995694000-memory.dmp	upx
behavioral2/files/0x000a000000023b9e-104.dat	upx
behavioral2/files/0x000a000000023b9c-109.dat	upx
behavioral2/files/0x000a000000023b96-112.dat	upx
behavioral2/files/0x000a000000023b86-115.dat	upx
behavioral2/memory/1420-121-0x00007FF995D90000-0x00007FF995DBE000-memory.dmp	upx
behavioral2/files/0x000a000000023b83-133.dat	upx
behavioral2/memory/1420-139-0x00007FF995410000-0x00007FF99542E000-memory.dmp	upx
behavioral2/files/0x000a000000023b8d-138.dat	upx
behavioral2/files/0x000a000000023b8f-137.dat	upx
behavioral2/memory/1420-141-0x00007FF985D90000-0x00007FF98658B000-memory.dmp	upx
behavioral2/memory/1420-136-0x00007FF9996E0000-0x00007FF9996EA000-memory.dmp	upx
behavioral2/files/0x000a000000023b78-142.dat	upx
behavioral2/memory/1420-144-0x00007FF9953D0000-0x00007FF995407000-memory.dmp	upx
behavioral2/memory/1420-135-0x00007FF995D70000-0x00007FF995D84000-memory.dmp	upx
behavioral2/memory/1420-132-0x00007FF995430000-0x00007FF995462000-memory.dmp	upx
behavioral2/memory/1420-129-0x00007FF9956A0000-0x00007FF995756000-memory.dmp	upx
behavioral2/memory/1420-128-0x00007FF995520000-0x00007FF995531000-memory.dmp	upx
behavioral2/memory/1420-127-0x00007FF995540000-0x00007FF99558D000-memory.dmp	upx
behavioral2/files/0x000a000000023b89-126.dat	upx
behavioral2/memory/1420-125-0x00007FF995590000-0x00007FF9955A8000-memory.dmp	upx
behavioral2/memory/1420-124-0x00007FF986590000-0x00007FF986904000-memory.dmp	upx
behavioral2/files/0x000a000000023b88-122.dat	upx
behavioral2/files/0x000a000000023b85-119.dat	upx
behavioral2/memory/1420-118-0x00007FF994DA0000-0x00007FF994F0D000-memory.dmp	upx
behavioral2/memory/1420-114-0x00007FF9955B0000-0x00007FF9955CB000-memory.dmp	upx
behavioral2/memory/1420-113-0x00007FF99A770000-0x00007FF99A78E000-memory.dmp	upx
behavioral2/memory/1420-111-0x00007FF994BE0000-0x00007FF994CF8000-memory.dmp	upx
behavioral2/memory/1420-108-0x00007FF9955D0000-0x00007FF9955F2000-memory.dmp	upx
behavioral2/memory/1420-105-0x00007FF995660000-0x00007FF995675000-memory.dmp	upx
behavioral2/files/0x000a000000023b7b-103.dat	upx
behavioral2/memory/1420-101-0x00007FF99D3E0000-0x00007FF99D3F9000-memory.dmp	upx
behavioral2/files/0x000a000000023b94-99.dat	upx
behavioral2/memory/1420-98-0x00007FF99A630000-0x00007FF99A640000-memory.dmp	upx
behavioral2/files/0x000a000000023b7e-96.dat	upx
behavioral2/memory/1420-94-0x00007FF99A4D0000-0x00007FF99A4F4000-memory.dmp	upx
behavioral2/memory/1420-88-0x00007FF986910000-0x00007FF986D7A000-memory.dmp	upx
behavioral2/memory/1420-87-0x00007FF986590000-0x00007FF986904000-memory.dmp	upx
behavioral2/memory/1420-147-0x00007FF9955D0000-0x00007FF9955F2000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4084	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0008000000023bd0-157.dat	pyinstaller

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2888	cmd.exe
4660	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
2444	NETSTAT.EXE

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
4548	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3124	WMIC.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4368	ipconfig.exe
2444	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1840	systeminfo.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1160	powershell.exe
1160	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3124	WMIC.exe
Token: SeSecurityPrivilege	3124	WMIC.exe
Token: SeTakeOwnershipPrivilege	3124	WMIC.exe
Token: SeLoadDriverPrivilege	3124	WMIC.exe
Token: SeSystemProfilePrivilege	3124	WMIC.exe
Token: SeSystemtimePrivilege	3124	WMIC.exe
Token: SeProfSingleProcessPrivilege	3124	WMIC.exe
Token: SeIncBasePriorityPrivilege	3124	WMIC.exe
Token: SeCreatePagefilePrivilege	3124	WMIC.exe
Token: SeBackupPrivilege	3124	WMIC.exe
Token: SeRestorePrivilege	3124	WMIC.exe
Token: SeShutdownPrivilege	3124	WMIC.exe
Token: SeDebugPrivilege	3124	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3124	WMIC.exe
Token: SeRemoteShutdownPrivilege	3124	WMIC.exe
Token: SeUndockPrivilege	3124	WMIC.exe
Token: SeManageVolumePrivilege	3124	WMIC.exe
Token: 33	3124	WMIC.exe
Token: 34	3124	WMIC.exe
Token: 35	3124	WMIC.exe
Token: 36	3124	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3184	WMIC.exe
Token: SeSecurityPrivilege	3184	WMIC.exe
Token: SeTakeOwnershipPrivilege	3184	WMIC.exe
Token: SeLoadDriverPrivilege	3184	WMIC.exe
Token: SeSystemProfilePrivilege	3184	WMIC.exe
Token: SeSystemtimePrivilege	3184	WMIC.exe
Token: SeProfSingleProcessPrivilege	3184	WMIC.exe
Token: SeIncBasePriorityPrivilege	3184	WMIC.exe
Token: SeCreatePagefilePrivilege	3184	WMIC.exe
Token: SeBackupPrivilege	3184	WMIC.exe
Token: SeRestorePrivilege	3184	WMIC.exe
Token: SeShutdownPrivilege	3184	WMIC.exe
Token: SeDebugPrivilege	3184	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3184	WMIC.exe
Token: SeRemoteShutdownPrivilege	3184	WMIC.exe
Token: SeUndockPrivilege	3184	WMIC.exe
Token: SeManageVolumePrivilege	3184	WMIC.exe
Token: 33	3184	WMIC.exe
Token: 34	3184	WMIC.exe
Token: 35	3184	WMIC.exe
Token: 36	3184	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3124	WMIC.exe
Token: SeSecurityPrivilege	3124	WMIC.exe
Token: SeTakeOwnershipPrivilege	3124	WMIC.exe
Token: SeLoadDriverPrivilege	3124	WMIC.exe
Token: SeSystemProfilePrivilege	3124	WMIC.exe
Token: SeSystemtimePrivilege	3124	WMIC.exe
Token: SeProfSingleProcessPrivilege	3124	WMIC.exe
Token: SeIncBasePriorityPrivilege	3124	WMIC.exe
Token: SeCreatePagefilePrivilege	3124	WMIC.exe
Token: SeBackupPrivilege	3124	WMIC.exe
Token: SeRestorePrivilege	3124	WMIC.exe
Token: SeShutdownPrivilege	3124	WMIC.exe
Token: SeDebugPrivilege	3124	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3124	WMIC.exe
Token: SeRemoteShutdownPrivilege	3124	WMIC.exe
Token: SeUndockPrivilege	3124	WMIC.exe
Token: SeManageVolumePrivilege	3124	WMIC.exe
Token: 33	3124	WMIC.exe
Token: 34	3124	WMIC.exe
Token: 35	3124	WMIC.exe
Token: 36	3124	WMIC.exe
Token: SeDebugPrivilege	4984	tasklist.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4196 wrote to memory of 1420	4196	Exela.exe	82
PID 4196 wrote to memory of 1420	4196	Exela.exe	82
PID 1420 wrote to memory of 4432	1420	Exela.exe	83
PID 1420 wrote to memory of 4432	1420	Exela.exe	83
PID 1420 wrote to memory of 2432	1420	Exela.exe	85
PID 1420 wrote to memory of 2432	1420	Exela.exe	85
PID 1420 wrote to memory of 4300	1420	Exela.exe	86
PID 1420 wrote to memory of 4300	1420	Exela.exe	86
PID 1420 wrote to memory of 4548	1420	Exela.exe	87
PID 1420 wrote to memory of 4548	1420	Exela.exe	87
PID 1420 wrote to memory of 4212	1420	Exela.exe	88
PID 1420 wrote to memory of 4212	1420	Exela.exe	88
PID 2432 wrote to memory of 3124	2432	cmd.exe	93
PID 2432 wrote to memory of 3124	2432	cmd.exe	93
PID 4300 wrote to memory of 3184	4300	cmd.exe	94
PID 4300 wrote to memory of 3184	4300	cmd.exe	94
PID 4212 wrote to memory of 4984	4212	cmd.exe	95
PID 4212 wrote to memory of 4984	4212	cmd.exe	95
PID 1420 wrote to memory of 924	1420	Exela.exe	97
PID 1420 wrote to memory of 924	1420	Exela.exe	97
PID 924 wrote to memory of 2808	924	cmd.exe	99
PID 924 wrote to memory of 2808	924	cmd.exe	99
PID 1420 wrote to memory of 4280	1420	Exela.exe	100
PID 1420 wrote to memory of 4280	1420	Exela.exe	100
PID 1420 wrote to memory of 1584	1420	Exela.exe	101
PID 1420 wrote to memory of 1584	1420	Exela.exe	101
PID 4280 wrote to memory of 1424	4280	cmd.exe	104
PID 4280 wrote to memory of 1424	4280	cmd.exe	104
PID 1584 wrote to memory of 2740	1584	cmd.exe	105
PID 1584 wrote to memory of 2740	1584	cmd.exe	105
PID 1420 wrote to memory of 2684	1420	Exela.exe	106
PID 1420 wrote to memory of 2684	1420	Exela.exe	106
PID 2684 wrote to memory of 2552	2684	cmd.exe	108
PID 2684 wrote to memory of 2552	2684	cmd.exe	108
PID 1420 wrote to memory of 2420	1420	Exela.exe	109
PID 1420 wrote to memory of 2420	1420	Exela.exe	109
PID 2420 wrote to memory of 2732	2420	cmd.exe	111
PID 2420 wrote to memory of 2732	2420	cmd.exe	111
PID 1420 wrote to memory of 1616	1420	Exela.exe	112
PID 1420 wrote to memory of 1616	1420	Exela.exe	112
PID 1616 wrote to memory of 1316	1616	cmd.exe	114
PID 1616 wrote to memory of 1316	1616	cmd.exe	114
PID 1420 wrote to memory of 1512	1420	Exela.exe	115
PID 1420 wrote to memory of 1512	1420	Exela.exe	115
PID 1420 wrote to memory of 4372	1420	Exela.exe	116
PID 1420 wrote to memory of 4372	1420	Exela.exe	116
PID 1420 wrote to memory of 2332	1420	Exela.exe	117
PID 1420 wrote to memory of 2332	1420	Exela.exe	117
PID 1420 wrote to memory of 1168	1420	Exela.exe	118
PID 1420 wrote to memory of 1168	1420	Exela.exe	118
PID 2332 wrote to memory of 1568	2332	cmd.exe	123
PID 2332 wrote to memory of 1568	2332	cmd.exe	123
PID 1512 wrote to memory of 2300	1512	cmd.exe	124
PID 1512 wrote to memory of 2300	1512	cmd.exe	124
PID 2300 wrote to memory of 1496	2300	cmd.exe	125
PID 2300 wrote to memory of 1496	2300	cmd.exe	125
PID 1168 wrote to memory of 1160	1168	cmd.exe	126
PID 1168 wrote to memory of 1160	1168	cmd.exe	126
PID 4372 wrote to memory of 1356	4372	cmd.exe	127
PID 4372 wrote to memory of 1356	4372	cmd.exe	127
PID 1356 wrote to memory of 5060	1356	cmd.exe	128
PID 1356 wrote to memory of 5060	1356	cmd.exe	128
PID 1420 wrote to memory of 4040	1420	Exela.exe	129
PID 1420 wrote to memory of 4040	1420	Exela.exe	129

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2552	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Exela.exe
"C:\Users\Admin\AppData\Local\Temp\Exela.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Users\Admin\AppData\Local\Temp\Exela.exe
  "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1420
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:4432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:3124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4300
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:4548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4212
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:924
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      PID:2808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4280
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1584
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Views/modifies file attributes
      PID:2552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2420
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f
      4⤵
      Adds Run key to start application
      PID:2732
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1616
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:1316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1512
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2300
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:1496
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4372
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1356
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:5060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:1168
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:1160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    PID:4040
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1840
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:2188
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      PID:4548
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:5072
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:3408
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:1896
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:4100
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:1388
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:1188
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:4480
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:644
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:3184
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:4820
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:4828
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:4980
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:4788
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:516
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:4368
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:1520
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:4280
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:2444
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:4084
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:456
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:676
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2888
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2612
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3440
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe

Filesize
9.3MB

MD5
9b710581e4d8ea6c794feee1bcf451a1

SHA1
6cef280dcd11ea850f9bb3f1502deea075b68a2d

SHA256
baa3e63d84d9010d4d054e32f051bd6eda685bccc9176f84ceacaa30aca17771

SHA512
ceeb8f3eb15ec65f7f01ba4ff5edcc0507a155dd442a278987fe8bb8a73dd566a637ad3f13d2fc746cce5eee50c5042e30f9669cce40b47b4a47ba7be8dd985d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\VCRUNTIME140.dll

Filesize
94KB

MD5
a87575e7cf8967e481241f13940ee4f7

SHA1
879098b8a353a39e16c79e6479195d43ce98629e

SHA256
ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e

SHA512
e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\_asyncio.pyd

Filesize
31KB

MD5
7856932053409da97cfa0f73b5b7918a

SHA1
d207ffba0e87d018d14c7c52cfc4e987e64de400

SHA256
bca3bed9a754c83933debeadb3a79cbb1902f189d38adce73d83d40555276e94

SHA512
c4ef04b382424f5ec720fb36c580cb277fc29d0751ad686aa467af6f5415e74129f1438291d279cdc1e376f0f13857ae9f67f4baee05c60229e0d0ac4c777318

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\_bz2.pyd

Filesize
43KB

MD5
47b0a6efcc22e0080f873ef2c4a11756

SHA1
bfea3812dbf29d4fa0d1d175bf7657cc991f7153

SHA256
62e65c9406c2edaa9709bc396fb59abe863859251329a62013b3f375bc15b69a

SHA512
32090e6299e22edfc833ffcd9a882adc4940da9386e72cbbc392bff79f0e571ddf9f0b023e93ae7252bf1aac7c68d98dd999ebdaacca88bb1e179316ca3c1485

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\_cffi_backend.cp310-win_amd64.pyd

Filesize
71KB

MD5
12854bf45c91256672927094acb2b31f

SHA1
8ec25f43200b087006b4b34aa2108350c527794a

SHA256
74afa6a2fae4ffb821fba3574c4e028786d7dcc51f1fb7d2629f8f29112c22df

SHA512
6ef26b005328fbc179c7e9c615a8cbf9f19088b0486f928898647342fb01863625779f924ad75b1570659657a0845d85b764e7f7066f7b86f9aaad3da05d3426

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\_ctypes.pyd

Filesize
53KB

MD5
0305efd6fbf093b3c08ff612c86a87d6

SHA1
b239774a979b27b812d34b4493fb621cd9306dd0

SHA256
793e4b535c18eb759fa57fac03c9527717b9d3c5d54f3e2724ccc40ecc115171

SHA512
7944dcff40ec927564d76052acc6840223fff20db8f00b5b913614f385735ed5ae1d99fcdd5695dce634fb65e5a87eb0cf75561e13927f1621ab6f5d45f455aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\_hashlib.pyd

Filesize
30KB

MD5
44b0f31f25cb6017f0e79d352e99f4b8

SHA1
61b83f9bd930a2dd0cfb5a3a7ffb7b9cd1ab5749

SHA256
2f2a408a2d36735f3873c5a3a14bc3be4e7a255d568e3e5560558772f4c14c52

SHA512
feaf2d1d283812b79e903b6a26b34562809ad4db5250308697aa5e9d0a1e8711681c53114720b8d6bf16845464d26dbf111ea1a44f156b3469d04b146549c9bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\_lzma.pyd

Filesize
81KB

MD5
6b8b49dac7d13bdea8a01d9aef17432e

SHA1
60dc39d9dd45b1c602396c3d97925ed912c9349b

SHA256
63a79ad5993941f95dc441ccff0773f499b790d8d42cde192adcd54b36db3d44

SHA512
1d2f46966012f711b3bc2731b93ac573604c1d75a1418e038cb75ff49015d6676c87e9ab983d6d9a8b6d0260f7874928538768b64f1b63db1927480209e27ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\_overlapped.pyd

Filesize
27KB

MD5
d76e1c46529f6b016853a9ddceea9a2b

SHA1
6b458ab0be2b62f0364ef4b651b33ca75657db1f

SHA256
f664420133c5f8ee4f069a96b41a9a5d83f1fc94364d20e09c413dea0eea7bd8

SHA512
19c4400864c6dde86dd56db9da44189f06e994fead8f7d23ceb0e0df1384cb58df8e4a6085aa23af0f936f8b5ef41e79598bbb76a51fcdfd796bcadbc8e4b3df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\_queue.pyd

Filesize
21KB

MD5
de34b68bee18c334ce8306bc24b18b29

SHA1
b06e5886a3d763ba9db8df3f11e6b7d88f40c735

SHA256
80df14e8f67797ec9c6310b88be3d70dc2aa9bdbeb1f8109f4711c71f7d6a79a

SHA512
d4b4b76e59c03e110618d305188aa4e25968f31b45028548630bc8aee103e87365f754ec8a949ed2383a6c16f839dcc57f659f6162f4b95d77b9bd127bbdec09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\_socket.pyd

Filesize
38KB

MD5
739e9a8cbe7a271a5c6b295e49bf5d3c

SHA1
0acc0181bced4a16af6384aac6ae7aeeb69bf38b

SHA256
2499f7a7b2bc6249bee54cb8217593802120f70dc7a4b1a492243a1fcabb2d59

SHA512
061ce829814921c5de7280606e7ef4ff3afcb68338e9cd5010055f4e320dbbf50508e71e653698b4c96a2d0510d25579733c617f78b79678a81e608759b9f3c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\_sqlite3.pyd

Filesize
45KB

MD5
1bd3a6e0471facd3c52b3156774a15a2

SHA1
7b0f596260aad1170a044e90fe313c55d593333f

SHA256
65b570d3ecf244d56fd697cda4889e5e2091fae9b834b7bac937688ffe54b1cf

SHA512
6ead4e9eb818ef91413686d0d494cbd5b67f09d989ec5d251b768d231b9adaa39c8cb4b74ae938e5962d546389a2b851448cb0c27fac170a349e304601dd4afa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\_ssl.pyd

Filesize
57KB

MD5
1bcfeb981d209a7f53d66bc0cd77d9ac

SHA1
9ebee560ff1630a26ee6caa6f547aa0feae7de7b

SHA256
66226f36b994c65367b81803cfccb3995393270ea05e2341091d6a9188e2123a

SHA512
8618b8e84fc631976cef859044fa25950615e9a84bdeb85d3f4ff234276537e2ca92378d548de9cb420cec93bb5453610b629b6758eac705b65a0e61e24ce883

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\_uuid.pyd

Filesize
18KB

MD5
f519f5eb17fa8de1790b150442503dfa

SHA1
71f9b488633322784bf680c0058e9e11aeda0139

SHA256
13a4b0fe607fe667f5cae29ea7d84293ca432b951beac67cb9602b9feb722853

SHA512
dd700a8842b2c123c0b3d1617f5d146da5c5f5eff7cc8bc31d9ce834f84b85855b280d48bb197dc9677001385cfa855f284d9df5d00c856711b267e7830c603f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\aiohttp\_http_parser.cp310-win_amd64.pyd

Filesize
81KB

MD5
dd9d0763628f9b2e70b7038b06d73295

SHA1
4db36721f9bb10b4640a77768cc5fb71bc4497f4

SHA256
474765bfb74ac3035595fc4e7b430f90e3287ef3b1f1790f680497f16389d3b5

SHA512
d4a0f29ba499a59798b48d9c13944a2443ad54fc0af5f1998121712ceb8f0d5680174f663aa195535f9376d49f42920718d9e0643305af94a683d0827f38676c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\aiohttp\_http_writer.cp310-win_amd64.pyd

Filesize
24KB

MD5
d9cb433ca974a81a0f69ce9754eefdeb

SHA1
b8e48fc211b5a3853dfa43680b8c0a26efd5b488

SHA256
1e4c5c47a2525f2cbb4e72084abb8f4a2fc25a2911e4b75755fd38c7e54467fc

SHA512
5e92109adea864c78134ccaf90d3972c52b6c2caaa1e8e73f1d35b271dd48c27685afa97440af50c07a5d8a30b8d6f5918ec75e49f15e14b4304e63f22f7e5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\aiohttp\_websocket\mask.cp310-win_amd64.pyd

Filesize
19KB

MD5
a6492b7fc7cd181316d8662271598bc6

SHA1
499a66a2dfbcb365e2d1dd000eb429b7140778c5

SHA256
90110e50555ed2e6f2a2d9a0d357a4c4b4916f82d3e7d1d6e35b5523faba075d

SHA512
891350f141c2be8973379218af7daac143cf2bbd7de6a8e0cd82305543c9e2c26911f71fe01c3b40bfb2d328a6935659233f9bec241cc7a4869a7f86aae66be0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\aiohttp\_websocket\reader_c.cp310-win_amd64.pyd

Filesize
61KB

MD5
a3bd5a2d8b34e92425e76ed493414ba5

SHA1
ff710c32d4b6309131b49c48a60930bc887691b9

SHA256
3cfaa74ce93217153b452cd679ca6cb6f4ac325a13182257c5c84942a76b9279

SHA512
493e98ccaa4864e082766b48122f5d63ef0af97d2ded90bb513c69f7cc8768e43ff710175a0e50f22901d89ed6bfa2814f365a0bd651060c93a722f6fa746ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\base_library.zip

Filesize
811KB

MD5
908d39d9dd12e91ced9d71a1704ca67b

SHA1
09e12bed17b9293292888061ba655536e65cba72

SHA256
164129ccae5ad1c4045580fb29e326b57650747cc239c0c2b45c3e92952f7bf1

SHA512
2ec5ac64c16e289179e4be50d51522199404a72acbac4785f25315ff3bf324f18533eb6522e394e056eaf7156ca7139f39db81be913ec8e4009f106b2a0d6926

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\cryptography\hazmat\bindings\_rust.pyd

Filesize
2.0MB

MD5
dc7227f2116f68a1999bf3ade5fd9ed3

SHA1
68c348f1fed2fb02f97800098c2f17726364f504

SHA256
2cefdad9b9ba1669eb840179a6117f0f741b6e374c6b0e86699a8768869a5482

SHA512
d04b5956076ebc80e392c197e5fcb109837039a367fda44eb28bcbe1fdaaae50405e7634b4a98627c768cff737589d052ccfbebe01c3a3326c5d4eca34afd777

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\frozenlist\_frozenlist.cp310-win_amd64.pyd

Filesize
36KB

MD5
138e9bafcd6ae1c6f677909f18d61705

SHA1
b95b8d50dd8e90820bc7b43b1511475cf6f723b0

SHA256
29275eaf3788818a394e827393382dce9e4ee382d9bba9528a819c6a00147bd3

SHA512
98633517343d7fcf51936be135a795d4ffd6de6645739aa498a8f9c8fce890f522c7c0946d68f46f122c07f96a03b662679173d4a78b9e04c244ea6f6665e29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\libcrypto-1_1.dll

Filesize
1.1MB

MD5
20f73d33eeefe4b73ce01f5e83b615bc

SHA1
572c4e4279ec3f9808e7a150c70a9fcf39dfc44e

SHA256
590774cbeabf4b8e5dcd0ce5b79bdf59e93b25f72be8dbaf460e00e7be6dfee7

SHA512
192f8c4b9df7fbaab984c7b9f90dc1be7274c832f4131e43a6fb3b28905f26edf283cd2de3329184d9d3ad5c4a738da7da831c7af29fdb5ce44782095bcd9b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\libffi-7.dll

Filesize
23KB

MD5
8e1d2a11b94e84eaa382d6a680d93f17

SHA1
07750d78022d387292525a7d8385687229795cf1

SHA256
090a90cd17b74abefddf9f82d145effe5c676e7c62cf1a59834528f512d7ee82

SHA512
213bf92a707b14211941e5e071f1926be4b5795babc6df0d168b623ecd6cb7c7e0ae4320369c51d75c75b38ec282b5bf77f15eb94018ae74c8fd14f328b45a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\libssl-1_1.dll

Filesize
198KB

MD5
e12b1923be07999a45e5a7a5686ec78f

SHA1
490605e2470b69d9be8dc94f51819812aa85fc37

SHA256
7890be634015c0df00fed44297319b3912375625b81a77711261338266fb36e4

SHA512
2d49fd070c2e130b96d05483d488fb3381fb9244c54937366b22e7feea607fabd930e9eed57a62db4f98d39e183c0a556cb4a9c8e3f41033f1963668c758c35d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\multidict\_multidict.cp310-win_amd64.pyd

Filesize
20KB

MD5
07adf002b8bab71368fd904e8daa545c

SHA1
bd38ea6cca7f10660725c7df533fe33a349a11ea

SHA256
781496f2ae8d0a1cd2899bd643adee7813b33441f0f2c6177ab108148b5109ba

SHA512
20d4747890c957becb15136b4f16280356b74dcd159dac0f93cf853820a88dab5cb86f6e1ef0eff140f35443cdffe81ae0e05bccc573dbd3f54cda9ce0b2633d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\propcache\_helpers_c.cp310-win_amd64.pyd

Filesize
31KB

MD5
8844cbded1ec4002772c545e8ac52c7b

SHA1
3f7159995343509b58077af51a90636c66c86512

SHA256
7b9e72f2f20599fc2e00756430208eebb6fecb97fcf586bfc2a69bd92d99009d

SHA512
3cc54ac3d3410bb7a7372dcc65e545df4c777dfcc9c2d097ccb2006298b9eaed71a217656daeaba1a2b578a89a9f7204e7092c99121d796d1028c967c5b10fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\python3.DLL

Filesize
60KB

MD5
64a9384c6b329fb089e4d1657a06b175

SHA1
ba0e6fcc3b1406356a40b9d8577b2e7ce69c4aea

SHA256
ec655cc34819d6a9677c0541fd7e7b2b8a92804e8bf73aee692a9c44d1a24b5d

SHA512
9593d38abfd46bb94409838dd9cbe603fbe154fa0043959512afc264dceec50d846eefa409bcf9936ee1a7c7313604a578b4051eb6fd6918f2beb0da6c8ee532

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\python310.dll

Filesize
1.4MB

MD5
26a40f85f4f17377dde2708ee37a5625

SHA1
f3e29b06631fbcb8c882f7171adae2991618b8cb

SHA256
9040c8db6a0040b0f9fd90b632114822f7786cb94beeb7755860edffada52462

SHA512
fbf6ed76bea9879b1efb3477141991cb287d1bed1c89d8c9fd0642182c50223e217384625cddde4421983e4885b2f3bf7b2e3e582be4009119a820f3e0ad94a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\select.pyd

Filesize
21KB

MD5
ec7599b25e88f905e3f7f8ddbe50e4e7

SHA1
27f1dcfc1dc32d081863cd4c6dce8a5e230a9bf2

SHA256
2006ba9c7be901454f8e9dad65c44d6f272212360ccc650c1913d5d463eab3e8

SHA512
dfb70e245b375e746bfd617b32b15bd7f89ba30a7882518e223fb813c434416ec7bf9d55ccd127c052e1a8bc6e9487f5398cf3b61ad18f6da73ae295d1dbe316

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\sqlite3.dll

Filesize
605KB

MD5
a0002dd2c9dfe263afb6e1be3dd5150b

SHA1
ed4272afb406509ffdb457d75f72a42ccf894dd5

SHA256
c50228c3883452fb21a6a2bc7b6da92a0ae75d47cc1b703b119f410bc4161f30

SHA512
b3d9d15bd0473afcc8e8eeade05d027dcb67ac5d6a1218069f8b4c2c4a4f0046db0c3dd6d6abe3e47bc46075926b7d875fa24a5e72e7b6653d80a0ed65914837

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\unicodedata.pyd

Filesize
284KB

MD5
c3158ec16b16505ef448ef216db20245

SHA1
b3008a45b89654e8e0dbe3a3b47596b08a748e37

SHA256
002cc667a686302aabfdf2ce05f74ce037db1adc210cb408ff7164ba26c1e19b

SHA512
2c0e676019de833240d1d049e51f26abf0f9358ffec6632a6e67efea5d9316687e1be6f386e63c3b7fb8244885fff25e7a93cca5b23f4b4162c954ceb68e35b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41962\yarl\_quoting_c.cp310-win_amd64.pyd

Filesize
41KB

MD5
a5c18baac54c07391cd2e162a777c15b

SHA1
79f4fc478997ab56ce915965f906d7c20887719b

SHA256
3b649d8f5a4ba5419ed4d8290ed4c9fa809ad8fad9de36b78a41bb0c03bde60c

SHA512
bf19d9e48c95667cecd9662b4c6d8cecdf1b3a7993a1776aac89bd91d6c77b6db4cbbe7ab1ec9e472f8ce7e8fbc31da344af4a8285a09c46029728edc61b5fc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ixmohafv.spi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1160-205-0x00000225ECF50000-0x00000225ECF72000-memory.dmp

Filesize
136KB

Download
memory/1420-108-0x00007FF9955D0000-0x00007FF9955F2000-memory.dmp

Filesize
136KB

Download
memory/1420-213-0x00007FF995540000-0x00007FF99558D000-memory.dmp

Filesize
308KB

Download
memory/1420-139-0x00007FF995410000-0x00007FF99542E000-memory.dmp

Filesize
120KB

Download
memory/1420-102-0x00007FF995680000-0x00007FF995694000-memory.dmp

Filesize
80KB

Download
memory/1420-95-0x00007FF995D70000-0x00007FF995D84000-memory.dmp

Filesize
80KB

Download
memory/1420-141-0x00007FF985D90000-0x00007FF98658B000-memory.dmp

Filesize
8.0MB

Download
memory/1420-136-0x00007FF9996E0000-0x00007FF9996EA000-memory.dmp

Filesize
40KB

Download
memory/1420-90-0x0000023FDA4D0000-0x0000023FDA844000-memory.dmp

Filesize
3.5MB

Download
memory/1420-144-0x00007FF9953D0000-0x00007FF995407000-memory.dmp

Filesize
220KB

Download
memory/1420-135-0x00007FF995D70000-0x00007FF995D84000-memory.dmp

Filesize
80KB

Download
memory/1420-132-0x00007FF995430000-0x00007FF995462000-memory.dmp

Filesize
200KB

Download
memory/1420-131-0x0000023FDA4D0000-0x0000023FDA844000-memory.dmp

Filesize
3.5MB

Download
memory/1420-129-0x00007FF9956A0000-0x00007FF995756000-memory.dmp

Filesize
728KB

Download
memory/1420-128-0x00007FF995520000-0x00007FF995531000-memory.dmp

Filesize
68KB

Download
memory/1420-127-0x00007FF995540000-0x00007FF99558D000-memory.dmp

Filesize
308KB

Download
memory/1420-89-0x00007FF9956A0000-0x00007FF995756000-memory.dmp

Filesize
728KB

Download
memory/1420-125-0x00007FF995590000-0x00007FF9955A8000-memory.dmp

Filesize
96KB

Download
memory/1420-124-0x00007FF986590000-0x00007FF986904000-memory.dmp

Filesize
3.5MB

Download
memory/1420-85-0x00007FF995D90000-0x00007FF995DBE000-memory.dmp

Filesize
184KB

Download
memory/1420-78-0x00007FF994DA0000-0x00007FF994F0D000-memory.dmp

Filesize
1.4MB

Download
memory/1420-118-0x00007FF994DA0000-0x00007FF994F0D000-memory.dmp

Filesize
1.4MB

Download
memory/1420-114-0x00007FF9955B0000-0x00007FF9955CB000-memory.dmp

Filesize
108KB

Download
memory/1420-113-0x00007FF99A770000-0x00007FF99A78E000-memory.dmp

Filesize
120KB

Download
memory/1420-111-0x00007FF994BE0000-0x00007FF994CF8000-memory.dmp

Filesize
1.1MB

Download
memory/1420-76-0x00007FF99A770000-0x00007FF99A78E000-memory.dmp

Filesize
120KB

Download
memory/1420-105-0x00007FF995660000-0x00007FF995675000-memory.dmp

Filesize
84KB

Download
memory/1420-73-0x00007FF9998A0000-0x00007FF9998CC000-memory.dmp

Filesize
176KB

Download
memory/1420-101-0x00007FF99D3E0000-0x00007FF99D3F9000-memory.dmp

Filesize
100KB

Download
memory/1420-70-0x00007FF99B8F0000-0x00007FF99B909000-memory.dmp

Filesize
100KB

Download
memory/1420-98-0x00007FF99A630000-0x00007FF99A640000-memory.dmp

Filesize
64KB

Download
memory/1420-61-0x00007FF99F0F0000-0x00007FF99F0FF000-memory.dmp

Filesize
60KB

Download
memory/1420-94-0x00007FF99A4D0000-0x00007FF99A4F4000-memory.dmp

Filesize
144KB

Download
memory/1420-88-0x00007FF986910000-0x00007FF986D7A000-memory.dmp

Filesize
4.4MB

Download
memory/1420-87-0x00007FF986590000-0x00007FF986904000-memory.dmp

Filesize
3.5MB

Download
memory/1420-147-0x00007FF9955D0000-0x00007FF9955F2000-memory.dmp

Filesize
136KB

Download
memory/1420-67-0x00007FF99EA40000-0x00007FF99EA4D000-memory.dmp

Filesize
52KB

Download
memory/1420-63-0x00007FF99D3E0000-0x00007FF99D3F9000-memory.dmp

Filesize
100KB

Download
memory/1420-196-0x00007FF995260000-0x00007FF99526D000-memory.dmp

Filesize
52KB

Download
memory/1420-195-0x00007FF9955B0000-0x00007FF9955CB000-memory.dmp

Filesize
108KB

Download
memory/1420-58-0x00007FF99A4D0000-0x00007FF99A4F4000-memory.dmp

Filesize
144KB

Download
memory/1420-50-0x00007FF986910000-0x00007FF986D7A000-memory.dmp

Filesize
4.4MB

Download
memory/1420-121-0x00007FF995D90000-0x00007FF995DBE000-memory.dmp

Filesize
184KB

Download
memory/1420-214-0x00007FF995430000-0x00007FF995462000-memory.dmp

Filesize
200KB

Download
memory/1420-220-0x00007FF985D90000-0x00007FF98658B000-memory.dmp

Filesize
8.0MB

Download
memory/1420-235-0x00007FF99A630000-0x00007FF99A640000-memory.dmp

Filesize
64KB

Download
memory/1420-234-0x00007FF995D70000-0x00007FF995D84000-memory.dmp

Filesize
80KB

Download
memory/1420-231-0x00007FF995D90000-0x00007FF995DBE000-memory.dmp

Filesize
184KB

Download
memory/1420-232-0x00007FF9956A0000-0x00007FF995756000-memory.dmp

Filesize
728KB

Download
memory/1420-242-0x00007FF995540000-0x00007FF99558D000-memory.dmp

Filesize
308KB

Download
memory/1420-241-0x00007FF995590000-0x00007FF9955A8000-memory.dmp

Filesize
96KB

Download
memory/1420-233-0x00007FF986590000-0x00007FF986904000-memory.dmp

Filesize
3.5MB

Download
memory/1420-230-0x00007FF994DA0000-0x00007FF994F0D000-memory.dmp

Filesize
1.4MB

Download
memory/1420-250-0x00007FF9953D0000-0x00007FF995407000-memory.dmp

Filesize
220KB

Download
memory/1420-229-0x00007FF99A770000-0x00007FF99A78E000-memory.dmp

Filesize
120KB

Download
memory/1420-223-0x00007FF99A4D0000-0x00007FF99A4F4000-memory.dmp

Filesize
144KB

Download
memory/1420-222-0x00007FF986910000-0x00007FF986D7A000-memory.dmp

Filesize
4.4MB

Download
memory/1420-278-0x00007FF995260000-0x00007FF99526D000-memory.dmp

Filesize
52KB

Download
memory/1420-275-0x00007FF995410000-0x00007FF99542E000-memory.dmp

Filesize
120KB

Download
memory/1420-274-0x00007FF9996E0000-0x00007FF9996EA000-memory.dmp

Filesize
40KB

Download
memory/1420-288-0x00007FF995590000-0x00007FF9955A8000-memory.dmp

Filesize
96KB

Download
memory/1420-287-0x00007FF9955B0000-0x00007FF9955CB000-memory.dmp

Filesize
108KB

Download
memory/1420-286-0x00007FF994BE0000-0x00007FF994CF8000-memory.dmp

Filesize
1.1MB

Download
memory/1420-285-0x00007FF9955D0000-0x00007FF9955F2000-memory.dmp

Filesize
136KB

Download
memory/1420-284-0x00007FF995660000-0x00007FF995675000-memory.dmp

Filesize
84KB

Download
memory/1420-283-0x00007FF995680000-0x00007FF995694000-memory.dmp

Filesize
80KB

Download
memory/1420-282-0x00007FF99A630000-0x00007FF99A640000-memory.dmp

Filesize
64KB

Download
memory/1420-281-0x00007FF995D70000-0x00007FF995D84000-memory.dmp

Filesize
80KB

Download
memory/1420-280-0x00007FF995520000-0x00007FF995531000-memory.dmp

Filesize
68KB

Download
memory/1420-279-0x00007FF995430000-0x00007FF995462000-memory.dmp

Filesize
200KB

Download
memory/1420-276-0x00007FF985D90000-0x00007FF98658B000-memory.dmp

Filesize
8.0MB

Download
memory/1420-262-0x00007FF986590000-0x00007FF986904000-memory.dmp

Filesize
3.5MB

Download
memory/1420-261-0x00007FF9956A0000-0x00007FF995756000-memory.dmp

Filesize
728KB

Download
memory/1420-260-0x00007FF995D90000-0x00007FF995DBE000-memory.dmp

Filesize
184KB

Download
memory/1420-259-0x00007FF994DA0000-0x00007FF994F0D000-memory.dmp

Filesize
1.4MB

Download
memory/1420-258-0x00007FF99A770000-0x00007FF99A78E000-memory.dmp

Filesize
120KB

Download
memory/1420-257-0x00007FF9998A0000-0x00007FF9998CC000-memory.dmp

Filesize
176KB

Download
memory/1420-256-0x00007FF99B8F0000-0x00007FF99B909000-memory.dmp

Filesize
100KB

Download
memory/1420-255-0x00007FF99EA40000-0x00007FF99EA4D000-memory.dmp

Filesize
52KB

Download
memory/1420-254-0x00007FF99D3E0000-0x00007FF99D3F9000-memory.dmp

Filesize
100KB

Download
memory/1420-253-0x00007FF99F0F0000-0x00007FF99F0FF000-memory.dmp

Filesize
60KB

Download
memory/1420-252-0x00007FF99A4D0000-0x00007FF99A4F4000-memory.dmp

Filesize
144KB

Download
memory/1420-251-0x00007FF986910000-0x00007FF986D7A000-memory.dmp

Filesize
4.4MB

Download
memory/1420-277-0x00007FF9953D0000-0x00007FF995407000-memory.dmp

Filesize
220KB

Download
memory/1420-271-0x00007FF995540000-0x00007FF99558D000-memory.dmp

Filesize
308KB

Download