exelastealer | 3c7bf5cbfed275ff139b41fbbf5d0f7880f7732c56c87550075e53d6a37053e9

Analysis

max time kernel
94s
max time network
204s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
11-12-2024 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JerryFlow.exe
Size

9.5MB
MD5

56abdfda781413df79136f80613fb255
SHA1

63bceb77cc9b2a0a44c48d67dc30cbada8459a75
SHA256

3c7bf5cbfed275ff139b41fbbf5d0f7880f7732c56c87550075e53d6a37053e9
SHA512

e8dc09f009ac5025ec208362dbf32b9710651eb85297badf569cb4f14704fe6823b2b74ba448a58c5bb81339c2677b55079d49b770e945f80745396d8cf0cba1
SSDEEP

196608:n7PeyDFg/yV0cemXyuSyTde8j5RHvUWvoLC9gA3oLQbRdGtoLFG:7PhDFg/Y8tByxjj5RHdEC9LoLQbTLE

Score

10^/10

exelastealer collection defense_evasion discovery evasion persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3324	netsh.exe
1152	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1052	cmd.exe
1652	powershell.exe

Loads dropped DLL 32 IoCs

pid	Process
1424	JerryFlow.exe
1424	JerryFlow.exe
1424	JerryFlow.exe
1424	JerryFlow.exe
1424	JerryFlow.exe
1424	JerryFlow.exe
1424	JerryFlow.exe
1424	JerryFlow.exe
1424	JerryFlow.exe
1424	JerryFlow.exe
1424	JerryFlow.exe
1424	JerryFlow.exe
1424	JerryFlow.exe
1424	JerryFlow.exe
1424	JerryFlow.exe
1424	JerryFlow.exe
1424	JerryFlow.exe
1424	JerryFlow.exe
1424	JerryFlow.exe
1424	JerryFlow.exe
1424	JerryFlow.exe
1424	JerryFlow.exe
1424	JerryFlow.exe
1424	JerryFlow.exe
1424	JerryFlow.exe
1424	JerryFlow.exe
1424	JerryFlow.exe
1424	JerryFlow.exe
1424	JerryFlow.exe
1424	JerryFlow.exe
1424	JerryFlow.exe
1424	JerryFlow.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela Update Service = "C:\\Users\\Admin\\AppData\\Local\\ExelaUpdateService\\Exela.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
9	discord.com
10	discord.com
3	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
4456	cmd.exe
3296	ARP.EXE

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
4100	tasklist.exe
2000	tasklist.exe
2016	tasklist.exe
2660	tasklist.exe
4236	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4640	cmd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002ab08-46.dat	upx
behavioral1/memory/1424-50-0x00007FF8D2540000-0x00007FF8D29A5000-memory.dmp	upx
behavioral1/files/0x001a00000002aabb-52.dat	upx
behavioral1/memory/1424-58-0x00007FF8D60F0000-0x00007FF8D6114000-memory.dmp	upx
behavioral1/files/0x001c00000002aafc-57.dat	upx
behavioral1/memory/1424-60-0x00007FF8DC230000-0x00007FF8DC23F000-memory.dmp	upx
behavioral1/files/0x001900000002aafb-61.dat	upx
behavioral1/files/0x001900000002aafd-62.dat	upx
behavioral1/files/0x001900000002ab04-63.dat	upx
behavioral1/files/0x001900000002ab09-64.dat	upx
behavioral1/files/0x001900000002ab0a-65.dat	upx
behavioral1/files/0x001900000002ab0b-66.dat	upx
behavioral1/files/0x001900000002aac0-70.dat	upx
behavioral1/files/0x001a00000002aab5-69.dat	upx
behavioral1/files/0x001a00000002aab4-68.dat	upx
behavioral1/files/0x001b00000002aab2-67.dat	upx
behavioral1/files/0x001900000002aac1-71.dat	upx
behavioral1/files/0x001c00000002aacc-79.dat	upx
behavioral1/files/0x001900000002aacb-78.dat	upx
behavioral1/files/0x001900000002aac8-77.dat	upx
behavioral1/files/0x001900000002aac7-76.dat	upx
behavioral1/files/0x001900000002aac5-75.dat	upx
behavioral1/files/0x001900000002aac4-74.dat	upx
behavioral1/files/0x001900000002aac3-73.dat	upx
behavioral1/files/0x001900000002aac2-72.dat	upx
behavioral1/memory/1424-81-0x00007FF8D8F80000-0x00007FF8D8F99000-memory.dmp	upx
behavioral1/memory/1424-83-0x00007FF8D83D0000-0x00007FF8D83DD000-memory.dmp	upx
behavioral1/memory/1424-85-0x00007FF8D5FB0000-0x00007FF8D5FC9000-memory.dmp	upx
behavioral1/memory/1424-87-0x00007FF8D5F80000-0x00007FF8D5FAC000-memory.dmp	upx
behavioral1/memory/1424-89-0x00007FF8D5C20000-0x00007FF8D5C3E000-memory.dmp	upx
behavioral1/memory/1424-91-0x00007FF8D2A70000-0x00007FF8D2BDD000-memory.dmp	upx
behavioral1/memory/1424-93-0x00007FF8D5BF0000-0x00007FF8D5C1E000-memory.dmp	upx
behavioral1/memory/1424-98-0x00007FF8D2480000-0x00007FF8D2536000-memory.dmp	upx
behavioral1/memory/1424-101-0x00007FF8D60F0000-0x00007FF8D6114000-memory.dmp	upx
behavioral1/memory/1424-100-0x00007FF8D00B0000-0x00007FF8D0424000-memory.dmp	upx
behavioral1/memory/1424-97-0x00007FF8D2540000-0x00007FF8D29A5000-memory.dmp	upx
behavioral1/memory/1424-104-0x00007FF8D5BD0000-0x00007FF8D5BE4000-memory.dmp	upx
behavioral1/memory/1424-103-0x00007FF8DC230000-0x00007FF8DC23F000-memory.dmp	upx
behavioral1/memory/1424-106-0x00007FF8D8F80000-0x00007FF8D8F99000-memory.dmp	upx
behavioral1/memory/1424-107-0x00007FF8D83C0000-0x00007FF8D83D0000-memory.dmp	upx
behavioral1/files/0x001900000002ab01-108.dat	upx
behavioral1/memory/1424-110-0x00007FF8D5BB0000-0x00007FF8D5BC4000-memory.dmp	upx
behavioral1/memory/1424-113-0x00007FF8D5B00000-0x00007FF8D5B15000-memory.dmp	upx
behavioral1/memory/1424-112-0x00007FF8D5FB0000-0x00007FF8D5FC9000-memory.dmp	upx
behavioral1/files/0x001900000002ab0d-114.dat	upx
behavioral1/memory/1424-116-0x00007FF8D5F80000-0x00007FF8D5FAC000-memory.dmp	upx
behavioral1/memory/1424-117-0x00007FF8D2D40000-0x00007FF8D2D62000-memory.dmp	upx
behavioral1/memory/1424-120-0x00007FF8D2360000-0x00007FF8D2478000-memory.dmp	upx
behavioral1/memory/1424-124-0x00007FF8D2FB0000-0x00007FF8D2FCB000-memory.dmp	upx
behavioral1/memory/1424-123-0x00007FF8D2A70000-0x00007FF8D2BDD000-memory.dmp	upx
behavioral1/files/0x001900000002ab03-122.dat	upx
behavioral1/files/0x001900000002aad1-125.dat	upx
behavioral1/memory/1424-128-0x00007FF8D5BF0000-0x00007FF8D5C1E000-memory.dmp	upx
behavioral1/files/0x001900000002aace-130.dat	upx
behavioral1/files/0x001900000002aaf8-141.dat	upx
behavioral1/files/0x001c00000002aaf6-143.dat	upx
behavioral1/memory/1424-140-0x00007FF8D6870000-0x00007FF8D687A000-memory.dmp	upx
behavioral1/memory/1424-139-0x00007FF8D2320000-0x00007FF8D2352000-memory.dmp	upx
behavioral1/memory/1424-138-0x00007FF8D2C50000-0x00007FF8D2C9D000-memory.dmp	upx
behavioral1/memory/1424-146-0x00007FF8D2A50000-0x00007FF8D2A61000-memory.dmp	upx
behavioral1/memory/1424-149-0x00007FF8D5BD0000-0x00007FF8D5BE4000-memory.dmp	upx
behavioral1/memory/1424-148-0x00007FF8D2A30000-0x00007FF8D2A4E000-memory.dmp	upx
behavioral1/memory/1424-147-0x00007FF8C0D50000-0x00007FF8C14DA000-memory.dmp	upx
behavioral1/memory/1424-145-0x00007FF8D00B0000-0x00007FF8D0424000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2856	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3624	cmd.exe
3928	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
3344	NETSTAT.EXE

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
324	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
996	WMIC.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1704	ipconfig.exe
3344	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4556	systeminfo.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1652	powershell.exe
1652	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3296	WMIC.exe
Token: SeSecurityPrivilege	3296	WMIC.exe
Token: SeTakeOwnershipPrivilege	3296	WMIC.exe
Token: SeLoadDriverPrivilege	3296	WMIC.exe
Token: SeSystemProfilePrivilege	3296	WMIC.exe
Token: SeSystemtimePrivilege	3296	WMIC.exe
Token: SeProfSingleProcessPrivilege	3296	WMIC.exe
Token: SeIncBasePriorityPrivilege	3296	WMIC.exe
Token: SeCreatePagefilePrivilege	3296	WMIC.exe
Token: SeBackupPrivilege	3296	WMIC.exe
Token: SeRestorePrivilege	3296	WMIC.exe
Token: SeShutdownPrivilege	3296	WMIC.exe
Token: SeDebugPrivilege	3296	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3296	WMIC.exe
Token: SeRemoteShutdownPrivilege	3296	WMIC.exe
Token: SeUndockPrivilege	3296	WMIC.exe
Token: SeManageVolumePrivilege	3296	WMIC.exe
Token: 33	3296	WMIC.exe
Token: 34	3296	WMIC.exe
Token: 35	3296	WMIC.exe
Token: 36	3296	WMIC.exe
Token: SeIncreaseQuotaPrivilege	996	WMIC.exe
Token: SeSecurityPrivilege	996	WMIC.exe
Token: SeTakeOwnershipPrivilege	996	WMIC.exe
Token: SeLoadDriverPrivilege	996	WMIC.exe
Token: SeSystemProfilePrivilege	996	WMIC.exe
Token: SeSystemtimePrivilege	996	WMIC.exe
Token: SeProfSingleProcessPrivilege	996	WMIC.exe
Token: SeIncBasePriorityPrivilege	996	WMIC.exe
Token: SeCreatePagefilePrivilege	996	WMIC.exe
Token: SeBackupPrivilege	996	WMIC.exe
Token: SeRestorePrivilege	996	WMIC.exe
Token: SeShutdownPrivilege	996	WMIC.exe
Token: SeDebugPrivilege	996	WMIC.exe
Token: SeSystemEnvironmentPrivilege	996	WMIC.exe
Token: SeRemoteShutdownPrivilege	996	WMIC.exe
Token: SeUndockPrivilege	996	WMIC.exe
Token: SeManageVolumePrivilege	996	WMIC.exe
Token: 33	996	WMIC.exe
Token: 34	996	WMIC.exe
Token: 35	996	WMIC.exe
Token: 36	996	WMIC.exe
Token: SeDebugPrivilege	2016	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3296	WMIC.exe
Token: SeSecurityPrivilege	3296	WMIC.exe
Token: SeTakeOwnershipPrivilege	3296	WMIC.exe
Token: SeLoadDriverPrivilege	3296	WMIC.exe
Token: SeSystemProfilePrivilege	3296	WMIC.exe
Token: SeSystemtimePrivilege	3296	WMIC.exe
Token: SeProfSingleProcessPrivilege	3296	WMIC.exe
Token: SeIncBasePriorityPrivilege	3296	WMIC.exe
Token: SeCreatePagefilePrivilege	3296	WMIC.exe
Token: SeBackupPrivilege	3296	WMIC.exe
Token: SeRestorePrivilege	3296	WMIC.exe
Token: SeShutdownPrivilege	3296	WMIC.exe
Token: SeDebugPrivilege	3296	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3296	WMIC.exe
Token: SeRemoteShutdownPrivilege	3296	WMIC.exe
Token: SeUndockPrivilege	3296	WMIC.exe
Token: SeManageVolumePrivilege	3296	WMIC.exe
Token: 33	3296	WMIC.exe
Token: 34	3296	WMIC.exe
Token: 35	3296	WMIC.exe
Token: 36	3296	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3948 wrote to memory of 1424	3948	JerryFlow.exe	77
PID 3948 wrote to memory of 1424	3948	JerryFlow.exe	77
PID 1424 wrote to memory of 3144	1424	JerryFlow.exe	78
PID 1424 wrote to memory of 3144	1424	JerryFlow.exe	78
PID 1424 wrote to memory of 1688	1424	JerryFlow.exe	80
PID 1424 wrote to memory of 1688	1424	JerryFlow.exe	80
PID 1424 wrote to memory of 2340	1424	JerryFlow.exe	81
PID 1424 wrote to memory of 2340	1424	JerryFlow.exe	81
PID 1424 wrote to memory of 2284	1424	JerryFlow.exe	83
PID 1424 wrote to memory of 2284	1424	JerryFlow.exe	83
PID 1424 wrote to memory of 2120	1424	JerryFlow.exe	85
PID 1424 wrote to memory of 2120	1424	JerryFlow.exe	85
PID 2340 wrote to memory of 3296	2340	cmd.exe	88
PID 2340 wrote to memory of 3296	2340	cmd.exe	88
PID 1688 wrote to memory of 996	1688	cmd.exe	89
PID 1688 wrote to memory of 996	1688	cmd.exe	89
PID 2120 wrote to memory of 2016	2120	cmd.exe	90
PID 2120 wrote to memory of 2016	2120	cmd.exe	90
PID 1424 wrote to memory of 3448	1424	JerryFlow.exe	92
PID 1424 wrote to memory of 3448	1424	JerryFlow.exe	92
PID 3448 wrote to memory of 4796	3448	cmd.exe	94
PID 3448 wrote to memory of 4796	3448	cmd.exe	94
PID 1424 wrote to memory of 1556	1424	JerryFlow.exe	95
PID 1424 wrote to memory of 1556	1424	JerryFlow.exe	95
PID 1424 wrote to memory of 1808	1424	JerryFlow.exe	96
PID 1424 wrote to memory of 1808	1424	JerryFlow.exe	96
PID 1808 wrote to memory of 2660	1808	cmd.exe	99
PID 1808 wrote to memory of 2660	1808	cmd.exe	99
PID 1556 wrote to memory of 2296	1556	cmd.exe	100
PID 1556 wrote to memory of 2296	1556	cmd.exe	100
PID 1424 wrote to memory of 4640	1424	JerryFlow.exe	101
PID 1424 wrote to memory of 4640	1424	JerryFlow.exe	101
PID 4640 wrote to memory of 1188	4640	cmd.exe	103
PID 4640 wrote to memory of 1188	4640	cmd.exe	103
PID 1424 wrote to memory of 3180	1424	JerryFlow.exe	104
PID 1424 wrote to memory of 3180	1424	JerryFlow.exe	104
PID 3180 wrote to memory of 3328	3180	cmd.exe	106
PID 3180 wrote to memory of 3328	3180	cmd.exe	106
PID 1424 wrote to memory of 4120	1424	JerryFlow.exe	107
PID 1424 wrote to memory of 4120	1424	JerryFlow.exe	107
PID 1424 wrote to memory of 4988	1424	JerryFlow.exe	108
PID 1424 wrote to memory of 4988	1424	JerryFlow.exe	108
PID 4988 wrote to memory of 4236	4988	cmd.exe	111
PID 4988 wrote to memory of 4236	4988	cmd.exe	111
PID 4120 wrote to memory of 4412	4120	cmd.exe	112
PID 4120 wrote to memory of 4412	4120	cmd.exe	112
PID 1424 wrote to memory of 3920	1424	JerryFlow.exe	113
PID 1424 wrote to memory of 3920	1424	JerryFlow.exe	113
PID 1424 wrote to memory of 2620	1424	JerryFlow.exe	114
PID 1424 wrote to memory of 2620	1424	JerryFlow.exe	114
PID 1424 wrote to memory of 4112	1424	JerryFlow.exe	115
PID 1424 wrote to memory of 4112	1424	JerryFlow.exe	115
PID 1424 wrote to memory of 1052	1424	JerryFlow.exe	117
PID 1424 wrote to memory of 1052	1424	JerryFlow.exe	117
PID 3920 wrote to memory of 4764	3920	cmd.exe	121
PID 3920 wrote to memory of 4764	3920	cmd.exe	121
PID 4112 wrote to memory of 4100	4112	cmd.exe	122
PID 4112 wrote to memory of 4100	4112	cmd.exe	122
PID 2620 wrote to memory of 4600	2620	cmd.exe	123
PID 2620 wrote to memory of 4600	2620	cmd.exe	123
PID 4764 wrote to memory of 1636	4764	cmd.exe	124
PID 4764 wrote to memory of 1636	4764	cmd.exe	124
PID 4600 wrote to memory of 2132	4600	cmd.exe	125
PID 4600 wrote to memory of 2132	4600	cmd.exe	125

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1188	attrib.exe

C:\Users\Admin\AppData\Local\Temp\JerryFlow.exe
"C:\Users\Admin\AppData\Local\Temp\JerryFlow.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Users\Admin\AppData\Local\Temp\JerryFlow.exe
  "C:\Users\Admin\AppData\Local\Temp\JerryFlow.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:3144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:2284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3448
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      PID:4796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1556
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:4640
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Views/modifies file attributes
      PID:1188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3180
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f
      4⤵
      Adds Run key to start application
      PID:3328
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4120
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:4412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4988
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:4236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3920
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4764
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:1636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4600
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:2132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4112
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:1052
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:1652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    PID:4456
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4556
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:2836
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      PID:324
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:1828
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:2568
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:3112
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:2536
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:2040
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:1104
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:4936
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:2284
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:4180
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:3564
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:3060
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:1240
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:3168
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:2000
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:1704
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:2244
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:3296
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:3344
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:2856
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3324
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1152
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:3624
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1368
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4220
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI39482\VCRUNTIME140.dll

Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39482\_asyncio.pyd

Filesize
31KB

MD5
515b878466b1f7695a0b336ace8c5f1f

SHA1
24c3cf81ed1d6e3686eb30f929f772b6e15f133c

SHA256
4ce70ddabec74d84228c1c053ae8b63a98ff9c908c0c8b6b916484de70504a40

SHA512
a970fc72b1fb0048e707a4c83fa870520f8d29b204e44e2ccaf3bd0cf312d0eb90b0092bc7746865069d066f3c2093b07108f3d4b150186474a92f25e3543884

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39482\_bz2.pyd

Filesize
43KB

MD5
e238f0b5e7094df9fa699679b7975ede

SHA1
1b5ad5c2d3fab04a6e59ffec3322eb4904a36146

SHA256
d85e5e459de5939c970b7251f0ba7d30a9c805a825cf9ce11278cd874624aabf

SHA512
aa1ed291d12380b581a33b9c8279082b2b5ff5e1ce589a4879a027d45d8a26e12ca897b3b62a930900c445f68421f974be30246da554493452ad4325d832ed10

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39482\_cffi_backend.cp310-win_amd64.pyd

Filesize
71KB

MD5
7727212e7bdbf63b1a39fb7faad24265

SHA1
a8fdec19d6690081b2bf55247e8e17657a68ac97

SHA256
b0116303e1e903d6eb02a69d05879f38af1640813f4b110cb733ffff6e4e985c

SHA512
2b1a27642118dd228791d0d8ba307aa39ab2d9c7d3799cff9f3c0744fe270eeaefe5545a4fda6e74e86fee747e45bf5f6c9ac799950c2b483a16eb3ce85d816a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39482\_ctypes.pyd

Filesize
53KB

MD5
98dd74cb4a15b6adcb107bff52394eab

SHA1
abc894ab0927af490ea7667e4a333fa8f27675a2

SHA256
0fe2c8841a9298164b0789c9bd736ec443701154f2e93e8d9567877cbd406878

SHA512
888262b2f67bf6af7ddeda8a915ac610bf66d57eec83dcf88c4eb88f9a0045abe0aeaa4e69de829c16ffe589f04acf832e19c18fbf950df302b044419b1baeb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39482\_decimal.pyd

Filesize
102KB

MD5
fa86fb6c5c0b16eee5cc0cdc200ecd9a

SHA1
5abfe7eea57885e2dd49cf0c3f6e625e5e568c36

SHA256
d848c12e9519f975b568b0251886090b4e526151b162b76ff219635ab388eb05

SHA512
1ed6e6767ba06c511eea2de87f71d2f6182f4af069cbfb08e4ac8f123fbd04c876084481f536766f2e874155e4dc3c396e95057d98e673ebee03392f31196c53

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39482\_hashlib.pyd

Filesize
30KB

MD5
300b894a1621ffebfa9b9c0409261029

SHA1
f9e506e45cab7999478aa590db10e7e5e3f64a6b

SHA256
cb50ea50fa66ea81588a684699f0e6f799b5bbd98c684f5d664fda2a7b3c5fb4

SHA512
d8c2c1fc9b4a0ebdddf863df62e6653aab1f641e36368a39ea080ce52285eddc838ab93568bcf3e67db65898da609e7aa872cc9e733f96ea2e6880154a54e866

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39482\_lzma.pyd

Filesize
81KB

MD5
4ee38a21130e4ed56df687d644039661

SHA1
8ac3f5fa7f302fa390c592e12fe6aa02d69faffb

SHA256
f601dd356c45f2f8edac88a742c383c79099ecbd8c13033884af36a83e35c333

SHA512
3f34c2ff5cf1b3d5e517acd485253319cb6b9e7e8cb9eba9e4530fb53d0bc7a4456351ed353aa70b36f353e70e3c92ad77e627caff14a916476c225722c4dac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39482\_multiprocessing.pyd

Filesize
22KB

MD5
2e2295e5e972add7b9a166ae43a6abfd

SHA1
5f3a9b371811e27285e2d143eb63428b4b5c6102

SHA256
7e585e854d5a4dfc173c5a6ffa9181c8696aac66817c63a772f1a5c5b4357135

SHA512
94788fcb4e20f655f37acaa7cb63361df08ea1f737a9f2b6b51f73cde525b7455926084f46b5f15177464b51ce36c738366eb02986f85dd1e63c9c3dfe7d9362

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39482\_overlapped.pyd

Filesize
27KB

MD5
177aeb79f08c0819d63ef4ba0eeabfcd

SHA1
543fc2089febb582d7f98f889c9849aa269035a1

SHA256
9e12cd402fa957d5bf898168dc191558193d7b4fac297f83f1d010e81a589f1e

SHA512
e5a67e8359e18270cda4de7713641586827636ed2d7a8238e20cd7c86df49ee625b4e7c96f13eadb6fee94c365815a343cbbfe2688995a90c4b52eb35c066f04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39482\_queue.pyd

Filesize
21KB

MD5
c9a3aea71dd36c330eb7bd1fa0150552

SHA1
cf745a6170d4a2dab2d67a8a9c4dfaa6a8feb07f

SHA256
baccd9e08fc0905c6d82387bec35a50881e5d45aefe1df98285624d40959a722

SHA512
56ab6ca5d996680d614d4709b9a9daaa4e37a8d86f1b43e5e09eb85648f72127fae7abdfc1a712d8a6eb3203851cc71784eed95d428f656e2b23205fa8986ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39482\_socket.pyd

Filesize
38KB

MD5
cd25d43a9862c921ea4c4c36bceea745

SHA1
068d345f52b973681fb5c947307ea60536a9dff7

SHA256
a4aa415e2d6da61d8336c4f27603cfb0b9e2f104694c8de752b02e99c6172a9b

SHA512
b4f98dc4f88d603724575721c6b6da34ae7b1249fbd5d0e98aa723383c32ff9da11453aa03740e85670b322675c4592a3a077b21b55d133f789e600646aab077

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39482\_sqlite3.pyd

Filesize
45KB

MD5
fc8930c7d1170c6330a13c380eda5602

SHA1
7f52c776252b2ed228694b8f37814adf425edcdd

SHA256
157b9771f22afaa71619260a3e1da4c4dd1634fbc009fd72a8ae2165b62617a6

SHA512
1b6803c36bb4aa7ee8e1dd8b5c35ec36332966ea7fdaca16ae12025d4a42d8b88483c5c5cc35371a9186e04d1c2bcc942fc5d3a83dd38628c11e62388a6453cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39482\_ssl.pyd

Filesize
57KB

MD5
775b82fd54b5c84e33ed45c9af820b5e

SHA1
554402171a67db8482b91e191e3e7518841186c5

SHA256
0c0a9b97c9d2bd70eb15f0309d47993cd0929ba0e764dac942302e950f3bd98f

SHA512
7589178fe56cbcea1b83eaec3e984cb83a654e6da011853d3429f14f66a33e0b17871948047f703221493dcf5712cf499d3c61349c4dc79b8edebbdcb797b073

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39482\_uuid.pyd

Filesize
18KB

MD5
a66b2d66c9aed1c92befe7d2b6c663b2

SHA1
44a05127c638427c126fed0623a9be708d1137b3

SHA256
312dd3028d669185b9cc5d66d2f2a50d6534eccac9f60d2ecc8c84b6d0a674f5

SHA512
1bb69058b999dfa748ad4d45066bfe9fcb6d51e954659ae189cc816f9e6c358b2b65341c20484b7a9af29dbbf9c78c4be567c476c87dcdfe910d717d3e64c49f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39482\aiohttp\_http_parser.cp310-win_amd64.pyd

Filesize
81KB

MD5
747833c1455b7eecdbf45771df402360

SHA1
d002c30bd6df0218097debe4856cf49b853c9613

SHA256
101ea233fcb0b2bddc0baa526eb7b76467bc509957aee7dab56496135dd0efd9

SHA512
943aefd4a493fbbb8ef48d46d6d9d032fb8deae74c4a0b9041c545ddb97c8770199263245d4177828d6ca4defe1bffde9e44ff5341e911b8eb4ebf4707134140

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39482\aiohttp\_http_writer.cp310-win_amd64.pyd

Filesize
24KB

MD5
7170622cf82b2c57114735f9dc4244a4

SHA1
735a26b64dcd29f83597982b4249402824757660

SHA256
3b6caaaeee7ae740d59a0d4f22c449a2f2c8667d8a93ea9dfe47fc2cabf80bb2

SHA512
6a6815a1e3eec3891cf3f2d46bf9a7461932dd92a856694780ac910430d44801ed1d6d979d78c6bd7996f31654d49938743dbb9212a17455486b42d46b634e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39482\aiohttp\_websocket\mask.cp310-win_amd64.pyd

Filesize
19KB

MD5
347d1fea285167708cebb70a348f8b3a

SHA1
55aa9027fe76862498897cbaad62addb2b024a19

SHA256
f08e435b667e0851d3549b24e615ff5a4629565f47437de06553b470f5c8c03f

SHA512
80c7655a268161b23e0216e67308a8da52537b6f6f344095ea1e484013abeca8947609ab549991f95ba7c1f7103b2c44dd4cfb1b0e14ec35945dd3ba86b72c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39482\aiohttp\_websocket\reader_c.cp310-win_amd64.pyd

Filesize
61KB

MD5
9e595d3cd36651829d143551def4f4dd

SHA1
445e8a8429f9d10a3ae6e60f9333bb232093cf69

SHA256
56a0fd47ddee1fb89587ca233a80c412da64ce3823c091d22f2562d467e83137

SHA512
64b273158253a78392cb55997c413dffa31ba2a45c9d72b9c0518db6ac429650af4c2f1a87ed804ab4721003dde7fd0fa1c90c43432e9cf7f434c9ea7b3eb437

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39482\base_library.zip

Filesize
857KB

MD5
8eb67a933c218cda039aa71c4247b5fe

SHA1
9a1c35d99d446020a1358acc52ca8edeba518168

SHA256
15f19f125849ea8bf04476dec3c3e02a0f7eda6e17f572783e85bb641fc78fcc

SHA512
e83794cd35133ae57ef0f71b10d5c1875a12b501952c029687b66677926f93a550902c0b07d730999cd26ff0dac1f56b32add6bfedc2f92506dda225d24b8c0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39482\cryptography\hazmat\bindings\_rust.pyd

Filesize
2.1MB

MD5
27bfdc1a00eb382f490991a6507cc3f2

SHA1
162bc0ddf111968bfd69246660cf650f89b5b7bc

SHA256
788d5c28a70e2bc4e695c827aec70e0869ad7bfdd1f0f4f75231d6f8d83450c2

SHA512
6fcc538c0f901f8543cf296b981a68eb6271f72ddcd106b69b45e0ebd166a355299ce23e999aa855d23edd69f95f53b653f92772435a42c72001386cdb423899

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39482\frozenlist\_frozenlist.cp310-win_amd64.pyd

Filesize
36KB

MD5
219ad30aea7630a3696df28231405927

SHA1
ebaf69903305ea0803570cc2ff4cf43dd2bc812a

SHA256
06d38127de4cbd3243f861ea22897d490520e913f77011a37d915c4992433604

SHA512
72eb7323deb26931ea000690f85272ee71e19b2896af2b43ccd8bcfc3a299e0f8a7a3f1e339fbfe7c855e081cd94e21ae09ba3b8e2d16dbacddb838c31b4de13

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39482\libcrypto-1_1.dll

Filesize
1.1MB

MD5
700f32459dca0f54c982cd1c1ddd6b8b

SHA1
2538711c091ac3f572cb0f13539a68df0f228f28

SHA256
1de22bd1a0154d49f48b3fab94fb1fb1abd8bfed37d18e79a86ecd7cdab893c9

SHA512
99de1f5cb78c83fc6af0a475fb556f1ac58a1ba734efc69d507bf5dc1b0535a401d901324be845d7a59db021f8967cf33a7b105b2ddcb2e02a39dc0311e7c36d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39482\libffi-7.dll

Filesize
23KB

MD5
d50ebf567149ead9d88933561cb87d09

SHA1
171df40e4187ebbfdf9aa1d76a33f769fb8a35ed

SHA256
6aa8e12ce7c8ad52dd2e3fabeb38a726447849669c084ea63d8e322a193033af

SHA512
7bcc9d6d3a097333e1e4b2b23c81ea1b5db7dbdc5d9d62ebaffb0fdfb6cfe86161520ac14dc835d1939be22b9f342531f48da70f765a60b8e2c3d7b9983021de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39482\libssl-1_1.dll

Filesize
198KB

MD5
45498cefc9ead03a63c2822581cd11c6

SHA1
f96b6373237317e606b3715705a71db47e2cafad

SHA256
a84174a00dc98c98240ad5ee16c35e6ef932cebd5b8048ff418d3dd80f20deca

SHA512
4d3d8d33e7f3c2bf1cad3afbfba6ba53852d1314713ad60eeae1d51cc299a52b73da2c629273f9e0b7983ca01544c3645451cfa247911af4f81ca88a82cf6a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39482\multidict\_multidict.cp310-win_amd64.pyd

Filesize
20KB

MD5
7f691747ce66d3ed05a7c2c53220c8b5

SHA1
1d3f247042030cf8cf7c859002941beba5d15776

SHA256
7d6472a0d7f1a0740c7fc0d0d0ea6f7c6e7cb2b11b8c623c46a6fae1adb4e228

SHA512
b01f0e91039fc5b2782caaa0b3d56d5d1fe9e94424cc536cde9eca73a76747736060042e345af9edc5ef5bf5c154705d2c2dddf35536f305306be25a955a9f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39482\propcache\_helpers_c.cp310-win_amd64.pyd

Filesize
32KB

MD5
fd362fc501ddbfa28004e0d5c8df6dd2

SHA1
7ddef836354bee5222c2bf65ed321e4e6254310a

SHA256
cc2d201dfa2dfa430505e88be8d61f69b275cb3eb27e7a32ebf2f95d890709b3

SHA512
a9d87b27454640b8f78e934baf0f8d4781739fc1bb6de2b82b9ad0e11df7aca5d291ea6395289e4313bf5ab89225db5ef3085c945e01dde81bc2a73ce6591761

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39482\pyexpat.pyd

Filesize
81KB

MD5
74fbba02426b3d5727e48e665af239ee

SHA1
8014e0c982ee8d5d293f6395d9f942caca98f403

SHA256
b1b8b75cf1b8615ebe972d0e4a031804920b3eba2de3f1dfc0fb03b130b713e1

SHA512
b046843ca03ca6ca763c5c8bf1b9394c7a46771c044948f6a19639e738683a9113201c003cd8eaea2acf84e3d1d1dc3171cad3bc7f086e75e33c7f671ed5053a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39482\python3.DLL

Filesize
60KB

MD5
fb5f5886e6415c6746102a0bebb5fce7

SHA1
a9c8bf6cf81bc9c1be033085ecae84961f96e022

SHA256
b3dbc18b47b9b47a1a43d67de2b0435f3121fb232fe9bd26e071d0c45cebbfd1

SHA512
41052c1da22c75cb2aa27efaccac6367ec4ea2492fb957f9a1a8852c0c63c295a1bccecfd693ca595c673330ae2eb1497c76f42ecb1169c7cdc4716920965ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39482\python310.dll

Filesize
1.4MB

MD5
90bc20464612c1b867471e49115cb61c

SHA1
765e6c77cb85facf257d6433fce2577f7abc07c2

SHA256
e6f4dcf5b94b8501826e99c810318478accecca2da3c95f3d2859a13e000a673

SHA512
1e276faaae280455a653f5b1a513d57a9c7fd78649b1927319c6ab1708bd0341516652e12773b228f5b394e535eb8810a2fb3c57ef7301283859704aa4339614

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39482\select.pyd

Filesize
21KB

MD5
c6fae84364bd2ae00b49c79049869256

SHA1
df7bed70642e320dccc19987583b820325a89420

SHA256
5c99daf5e05e0b5fc4bd0ff2ac52a672ab43a80dad9abe4a5da461eaf1fc2c09

SHA512
1bc6e349cef98240f4c5a86eeb479d2fe5878190602e2bbfc3666a665a95b564a5b0d0820a16b1df61b59f55a71ba23722ef586bbf81edc9d3d89392aa53fa98

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39482\sqlite3.dll

Filesize
605KB

MD5
3483a421e20696ce3ec700f41bbf43a6

SHA1
b549e76f4bafb6d01c96e2bc200890a61649b450

SHA256
494ea2e4396e769cf2dab284b19eff9a9ef36f4c351c5332bbfbeed84d4940c3

SHA512
b5eceb98589c755e46bd5d41fb0bde88988c03d2849175c73ad291a3e1b7bd52d00afbf0c744541d2fc73672ae412b1e6efc866f8218bc58b9435b0cf28ec0f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39482\unicodedata.pyd

Filesize
285KB

MD5
c6347cdd013f6c244773a05a1cb34845

SHA1
b9ae62397a0fef07cdf8d6240c7cc0d2a8aa8b97

SHA256
c56b2091fd42d48ba7a0306a9650ef0282362774ffef955741791e06630996ea

SHA512
d581047ef7886ec20fa59e7d95620f65f43444b3f156815eb385e61df8d57a331acf9a67b48803bbd1bdf247e20e4855c03edf5e8b0b4c88db2484ab854fd642

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39482\yarl\_quoting_c.cp310-win_amd64.pyd

Filesize
41KB

MD5
73fc3ad053bf106b0e5f11d9004f4efb

SHA1
0da5d951092f7c1100b661562f88ef03ad93abac

SHA256
d7b97dba5d8368f56c4a8003bdec87f397b058cdd0a4994e212e30378270e415

SHA512
182e971e5e2b7c829219b1d6d43b8aa9e13db1d10a71b180bfb0aa6cf0ded077662dc099453f13688dedf53eb479086dfc7b782914f6c1ebe1619053f2a0f2e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bomqku2i.3o0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1424-138-0x00007FF8D2C50000-0x00007FF8D2C9D000-memory.dmp

Filesize
308KB

Download
memory/1424-216-0x00007FF8D2360000-0x00007FF8D2478000-memory.dmp

Filesize
1.1MB

Download
memory/1424-101-0x00007FF8D60F0000-0x00007FF8D6114000-memory.dmp

Filesize
144KB

Download
memory/1424-100-0x00007FF8D00B0000-0x00007FF8D0424000-memory.dmp

Filesize
3.5MB

Download
memory/1424-97-0x00007FF8D2540000-0x00007FF8D29A5000-memory.dmp

Filesize
4.4MB

Download
memory/1424-104-0x00007FF8D5BD0000-0x00007FF8D5BE4000-memory.dmp

Filesize
80KB

Download
memory/1424-103-0x00007FF8DC230000-0x00007FF8DC23F000-memory.dmp

Filesize
60KB

Download
memory/1424-106-0x00007FF8D8F80000-0x00007FF8D8F99000-memory.dmp

Filesize
100KB

Download
memory/1424-107-0x00007FF8D83C0000-0x00007FF8D83D0000-memory.dmp

Filesize
64KB

Download
memory/1424-98-0x00007FF8D2480000-0x00007FF8D2536000-memory.dmp

Filesize
728KB

Download
memory/1424-110-0x00007FF8D5BB0000-0x00007FF8D5BC4000-memory.dmp

Filesize
80KB

Download
memory/1424-113-0x00007FF8D5B00000-0x00007FF8D5B15000-memory.dmp

Filesize
84KB

Download
memory/1424-112-0x00007FF8D5FB0000-0x00007FF8D5FC9000-memory.dmp

Filesize
100KB

Download
memory/1424-93-0x00007FF8D5BF0000-0x00007FF8D5C1E000-memory.dmp

Filesize
184KB

Download
memory/1424-116-0x00007FF8D5F80000-0x00007FF8D5FAC000-memory.dmp

Filesize
176KB

Download
memory/1424-117-0x00007FF8D2D40000-0x00007FF8D2D62000-memory.dmp

Filesize
136KB

Download
memory/1424-120-0x00007FF8D2360000-0x00007FF8D2478000-memory.dmp

Filesize
1.1MB

Download
memory/1424-124-0x00007FF8D2FB0000-0x00007FF8D2FCB000-memory.dmp

Filesize
108KB

Download
memory/1424-123-0x00007FF8D2A70000-0x00007FF8D2BDD000-memory.dmp

Filesize
1.4MB

Download
memory/1424-91-0x00007FF8D2A70000-0x00007FF8D2BDD000-memory.dmp

Filesize
1.4MB

Download
memory/1424-89-0x00007FF8D5C20000-0x00007FF8D5C3E000-memory.dmp

Filesize
120KB

Download
memory/1424-128-0x00007FF8D5BF0000-0x00007FF8D5C1E000-memory.dmp

Filesize
184KB

Download
memory/1424-87-0x00007FF8D5F80000-0x00007FF8D5FAC000-memory.dmp

Filesize
176KB

Download
memory/1424-85-0x00007FF8D5FB0000-0x00007FF8D5FC9000-memory.dmp

Filesize
100KB

Download
memory/1424-83-0x00007FF8D83D0000-0x00007FF8D83DD000-memory.dmp

Filesize
52KB

Download
memory/1424-140-0x00007FF8D6870000-0x00007FF8D687A000-memory.dmp

Filesize
40KB

Download
memory/1424-139-0x00007FF8D2320000-0x00007FF8D2352000-memory.dmp

Filesize
200KB

Download
memory/1424-81-0x00007FF8D8F80000-0x00007FF8D8F99000-memory.dmp

Filesize
100KB

Download
memory/1424-137-0x00000212DED10000-0x00000212DF084000-memory.dmp

Filesize
3.5MB

Download
memory/1424-146-0x00007FF8D2A50000-0x00007FF8D2A61000-memory.dmp

Filesize
68KB

Download
memory/1424-149-0x00007FF8D5BD0000-0x00007FF8D5BE4000-memory.dmp

Filesize
80KB

Download
memory/1424-148-0x00007FF8D2A30000-0x00007FF8D2A4E000-memory.dmp

Filesize
120KB

Download
memory/1424-147-0x00007FF8C0D50000-0x00007FF8C14DA000-memory.dmp

Filesize
7.5MB

Download
memory/1424-145-0x00007FF8D00B0000-0x00007FF8D0424000-memory.dmp

Filesize
3.5MB

Download
memory/1424-60-0x00007FF8DC230000-0x00007FF8DC23F000-memory.dmp

Filesize
60KB

Download
memory/1424-58-0x00007FF8D60F0000-0x00007FF8D6114000-memory.dmp

Filesize
144KB

Download
memory/1424-132-0x00007FF8D2480000-0x00007FF8D2536000-memory.dmp

Filesize
728KB

Download
memory/1424-129-0x00007FF8D2CA0000-0x00007FF8D2CB8000-memory.dmp

Filesize
96KB

Download
memory/1424-119-0x00007FF8D5C20000-0x00007FF8D5C3E000-memory.dmp

Filesize
120KB

Download
memory/1424-150-0x00007FF8D83C0000-0x00007FF8D83D0000-memory.dmp

Filesize
64KB

Download
memory/1424-151-0x00007FF8D22E0000-0x00007FF8D2317000-memory.dmp

Filesize
220KB

Download
memory/1424-199-0x00007FF8D5BA0000-0x00007FF8D5BAD000-memory.dmp

Filesize
52KB

Download
memory/1424-50-0x00007FF8D2540000-0x00007FF8D29A5000-memory.dmp

Filesize
4.4MB

Download
memory/1424-313-0x00007FF8D2A30000-0x00007FF8D2A4E000-memory.dmp

Filesize
120KB

Download
memory/1424-215-0x00007FF8D2D40000-0x00007FF8D2D62000-memory.dmp

Filesize
136KB

Download
memory/1424-99-0x00000212DED10000-0x00000212DF084000-memory.dmp

Filesize
3.5MB

Download
memory/1424-217-0x00007FF8D2FB0000-0x00007FF8D2FCB000-memory.dmp

Filesize
108KB

Download
memory/1424-218-0x00007FF8D2CA0000-0x00007FF8D2CB8000-memory.dmp

Filesize
96KB

Download
memory/1424-219-0x00007FF8D2C50000-0x00007FF8D2C9D000-memory.dmp

Filesize
308KB

Download
memory/1424-220-0x00007FF8D2320000-0x00007FF8D2352000-memory.dmp

Filesize
200KB

Download
memory/1424-226-0x00007FF8C0D50000-0x00007FF8C14DA000-memory.dmp

Filesize
7.5MB

Download
memory/1424-256-0x00007FF8D22E0000-0x00007FF8D2317000-memory.dmp

Filesize
220KB

Download
memory/1424-247-0x00007FF8D2CA0000-0x00007FF8D2CB8000-memory.dmp

Filesize
96KB

Download
memory/1424-240-0x00007FF8D5BD0000-0x00007FF8D5BE4000-memory.dmp

Filesize
80KB

Download
memory/1424-228-0x00007FF8D2540000-0x00007FF8D29A5000-memory.dmp

Filesize
4.4MB

Download
memory/1424-241-0x00007FF8D83C0000-0x00007FF8D83D0000-memory.dmp

Filesize
64KB

Download
memory/1424-239-0x00007FF8D00B0000-0x00007FF8D0424000-memory.dmp

Filesize
3.5MB

Download
memory/1424-238-0x00007FF8D2480000-0x00007FF8D2536000-memory.dmp

Filesize
728KB

Download
memory/1424-237-0x00007FF8D5BF0000-0x00007FF8D5C1E000-memory.dmp

Filesize
184KB

Download
memory/1424-236-0x00007FF8D2A70000-0x00007FF8D2BDD000-memory.dmp

Filesize
1.4MB

Download
memory/1424-235-0x00007FF8D5C20000-0x00007FF8D5C3E000-memory.dmp

Filesize
120KB

Download
memory/1424-229-0x00007FF8D60F0000-0x00007FF8D6114000-memory.dmp

Filesize
144KB

Download
memory/1424-285-0x00007FF8D2540000-0x00007FF8D29A5000-memory.dmp

Filesize
4.4MB

Download
memory/1424-323-0x00007FF8D2480000-0x00007FF8D2536000-memory.dmp

Filesize
728KB

Download
memory/1424-328-0x00007FF8D5B00000-0x00007FF8D5B15000-memory.dmp

Filesize
84KB

Download
memory/1424-336-0x00007FF8C0D50000-0x00007FF8C14DA000-memory.dmp

Filesize
7.5MB

Download
memory/1424-339-0x00007FF8D5BA0000-0x00007FF8D5BAD000-memory.dmp

Filesize
52KB

Download
memory/1424-338-0x00007FF8D22E0000-0x00007FF8D2317000-memory.dmp

Filesize
220KB

Download
memory/1424-337-0x00007FF8D00B0000-0x00007FF8D0424000-memory.dmp

Filesize
3.5MB

Download
memory/1424-335-0x00007FF8D6870000-0x00007FF8D687A000-memory.dmp

Filesize
40KB

Download
memory/1424-334-0x00007FF8D2320000-0x00007FF8D2352000-memory.dmp

Filesize
200KB

Download
memory/1424-333-0x00007FF8D2C50000-0x00007FF8D2C9D000-memory.dmp

Filesize
308KB

Download
memory/1424-332-0x00007FF8D2CA0000-0x00007FF8D2CB8000-memory.dmp

Filesize
96KB

Download
memory/1424-331-0x00007FF8D2FB0000-0x00007FF8D2FCB000-memory.dmp

Filesize
108KB

Download
memory/1424-330-0x00007FF8D2360000-0x00007FF8D2478000-memory.dmp

Filesize
1.1MB

Download
memory/1424-329-0x00007FF8D2D40000-0x00007FF8D2D62000-memory.dmp

Filesize
136KB

Download
memory/1424-327-0x00007FF8D5BB0000-0x00007FF8D5BC4000-memory.dmp

Filesize
80KB

Download
memory/1424-326-0x00007FF8D83C0000-0x00007FF8D83D0000-memory.dmp

Filesize
64KB

Download
memory/1424-325-0x00007FF8D5BD0000-0x00007FF8D5BE4000-memory.dmp

Filesize
80KB

Download
memory/1424-324-0x00007FF8D2A50000-0x00007FF8D2A61000-memory.dmp

Filesize
68KB

Download
memory/1424-322-0x00007FF8D5BF0000-0x00007FF8D5C1E000-memory.dmp

Filesize
184KB

Download
memory/1424-321-0x00007FF8D2A70000-0x00007FF8D2BDD000-memory.dmp

Filesize
1.4MB

Download
memory/1424-320-0x00007FF8D5C20000-0x00007FF8D5C3E000-memory.dmp

Filesize
120KB

Download
memory/1424-319-0x00007FF8D5F80000-0x00007FF8D5FAC000-memory.dmp

Filesize
176KB

Download
memory/1424-318-0x00007FF8D5FB0000-0x00007FF8D5FC9000-memory.dmp

Filesize
100KB

Download
memory/1424-317-0x00007FF8D83D0000-0x00007FF8D83DD000-memory.dmp

Filesize
52KB

Download
memory/1424-316-0x00007FF8D8F80000-0x00007FF8D8F99000-memory.dmp

Filesize
100KB

Download
memory/1424-315-0x00007FF8DC230000-0x00007FF8DC23F000-memory.dmp

Filesize
60KB

Download
memory/1424-314-0x00007FF8D60F0000-0x00007FF8D6114000-memory.dmp

Filesize
144KB

Download
memory/1652-210-0x0000028EF3570000-0x0000028EF3592000-memory.dmp

Filesize
136KB

Download