exelastealer | 647897b22f1a8819c060b4cb4bc1f5838a26969772f3fc154d93c11acb13e00a

Analysis

max time kernel
100s
max time network
148s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
25-12-2024 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test.exe
Size

11.0MB
MD5

2e44d625a51667de554f8fc5fc232e83
SHA1

1a6f7e77500bd46a12e621618ba19df0d3a9560d
SHA256

647897b22f1a8819c060b4cb4bc1f5838a26969772f3fc154d93c11acb13e00a
SHA512

3f692b51dd3ef3a26142d17e2ac5c206aa94642e8d462388e5c61b214250358be806c74a6a330dac9d7063ef78717fb69e9d1c4ae899f6f3bcefba76ff77b184
SSDEEP

196608:gX16VVe3kdQyvNm1E8giq1g9PwfI9jsCbB7m+mKOY7rLZuuoQfbGTb9mhPTNGsff:a16Le0ay1m1Nq3Int7HmBYLaKbGTbo1N

Score

10^/10

exelastealer collection defense_evasion discovery evasion persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3912	netsh.exe
2612	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
644	cmd.exe
4720	powershell.exe

Loads dropped DLL 34 IoCs

pid	Process
4708	test.exe
4708	test.exe
4708	test.exe
4708	test.exe
4708	test.exe
4708	test.exe
4708	test.exe
4708	test.exe
4708	test.exe
4708	test.exe
4708	test.exe
4708	test.exe
4708	test.exe
4708	test.exe
4708	test.exe
4708	test.exe
4708	test.exe
4708	test.exe
4708	test.exe
4708	test.exe
4708	test.exe
4708	test.exe
4708	test.exe
4708	test.exe
4708	test.exe
4708	test.exe
4708	test.exe
4708	test.exe
4708	test.exe
4708	test.exe
4708	test.exe
4708	test.exe
4708	test.exe
4708	test.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
24	discord.com
25	discord.com
26	discord.com
54	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
868	cmd.exe
1032	ARP.EXE

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
4588	tasklist.exe
792	tasklist.exe
408	tasklist.exe
3084	tasklist.exe
4996	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4628	cmd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0028000000045096-48.dat	upx
behavioral1/memory/4708-52-0x00007FFB637A0000-0x00007FFB63E05000-memory.dmp	upx
behavioral1/files/0x0028000000045062-54.dat	upx
behavioral1/memory/4708-60-0x00007FFB765A0000-0x00007FFB765C7000-memory.dmp	upx
behavioral1/files/0x002800000004508e-61.dat	upx
behavioral1/memory/4708-62-0x00007FFB7C6F0000-0x00007FFB7C6FF000-memory.dmp	upx
behavioral1/files/0x0028000000045060-63.dat	upx
behavioral1/memory/4708-66-0x00007FFB798B0000-0x00007FFB798C9000-memory.dmp	upx
behavioral1/files/0x0028000000045065-65.dat	upx
behavioral1/memory/4708-68-0x00007FFB72C80000-0x00007FFB72CAB000-memory.dmp	upx
behavioral1/files/0x002800000004508d-69.dat	upx
behavioral1/files/0x002800000004506d-87.dat	upx
behavioral1/files/0x0028000000045069-83.dat	upx
behavioral1/memory/4708-96-0x00007FFB727C0000-0x00007FFB727E5000-memory.dmp	upx
behavioral1/files/0x0028000000045098-97.dat	upx
behavioral1/memory/4708-98-0x00007FFB71C20000-0x00007FFB71D9F000-memory.dmp	upx
behavioral1/files/0x0028000000045089-99.dat	upx
behavioral1/files/0x002800000004506a-95.dat	upx
behavioral1/memory/4708-102-0x00007FFB62FA0000-0x00007FFB6379B000-memory.dmp	upx
behavioral1/memory/4708-101-0x00007FFB637A0000-0x00007FFB63E05000-memory.dmp	upx
behavioral1/memory/4708-93-0x00007FFB7B200000-0x00007FFB7B20F000-memory.dmp	upx
behavioral1/memory/4708-91-0x00007FFB7B220000-0x00007FFB7B22D000-memory.dmp	upx
behavioral1/files/0x0028000000045061-103.dat	upx
behavioral1/memory/4708-105-0x00007FFB72710000-0x00007FFB72748000-memory.dmp	upx
behavioral1/memory/4708-104-0x00007FFB765A0000-0x00007FFB765C7000-memory.dmp	upx
behavioral1/files/0x0028000000045097-90.dat	upx
behavioral1/memory/4708-89-0x00007FFB77C10000-0x00007FFB77C29000-memory.dmp	upx
behavioral1/files/0x002800000004506b-85.dat	upx
behavioral1/files/0x0028000000045068-82.dat	upx
behavioral1/files/0x0028000000045067-81.dat	upx
behavioral1/files/0x0028000000045066-80.dat	upx
behavioral1/files/0x0028000000045064-79.dat	upx
behavioral1/memory/4708-107-0x00007FFB71F30000-0x00007FFB71F63000-memory.dmp	upx
behavioral1/memory/4708-109-0x00007FFB6D0D0000-0x00007FFB6D19E000-memory.dmp	upx
behavioral1/memory/4708-113-0x00007FFB62A60000-0x00007FFB62F93000-memory.dmp	upx
behavioral1/memory/4708-112-0x00007FFB72C80000-0x00007FFB72CAB000-memory.dmp	upx
behavioral1/files/0x002800000004508f-108.dat	upx
behavioral1/files/0x0028000000045063-78.dat	upx
behavioral1/files/0x002800000004509b-128.dat	upx
behavioral1/files/0x0028000000045093-131.dat	upx
behavioral1/files/0x0028000000045099-129.dat	upx
behavioral1/memory/4708-127-0x00007FFB6EDD0000-0x00007FFB6EDE4000-memory.dmp	upx
behavioral1/memory/4708-126-0x00007FFB71C20000-0x00007FFB71D9F000-memory.dmp	upx
behavioral1/memory/4708-125-0x00007FFB6F7E0000-0x00007FFB6F7F4000-memory.dmp	upx
behavioral1/memory/4708-122-0x00007FFB727C0000-0x00007FFB727E5000-memory.dmp	upx
behavioral1/files/0x0028000000045091-121.dat	upx
behavioral1/memory/4708-120-0x00007FFB6F800000-0x00007FFB6F812000-memory.dmp	upx
behavioral1/memory/4708-119-0x00007FFB7B200000-0x00007FFB7B20F000-memory.dmp	upx
behavioral1/memory/4708-116-0x00007FFB71EC0000-0x00007FFB71ED6000-memory.dmp	upx
behavioral1/files/0x002800000004505f-115.dat	upx
behavioral1/files/0x0028000000045094-71.dat	upx
behavioral1/memory/4708-134-0x00007FFB6EDB0000-0x00007FFB6EDCB000-memory.dmp	upx
behavioral1/memory/4708-133-0x00007FFB6E700000-0x00007FFB6E722000-memory.dmp	upx
behavioral1/memory/4708-135-0x00007FFB6AF00000-0x00007FFB6AFB3000-memory.dmp	upx
behavioral1/memory/4708-132-0x00007FFB62FA0000-0x00007FFB6379B000-memory.dmp	upx
behavioral1/files/0x0028000000045070-136.dat	upx
behavioral1/memory/4708-139-0x00007FFB71F30000-0x00007FFB71F63000-memory.dmp	upx
behavioral1/memory/4708-140-0x00007FFB6AEC0000-0x00007FFB6AED8000-memory.dmp	upx
behavioral1/files/0x002800000004506f-138.dat	upx
behavioral1/files/0x0028000000045072-143.dat	upx
behavioral1/memory/4708-146-0x00007FFB63F60000-0x00007FFB63FAD000-memory.dmp	upx
behavioral1/memory/4708-149-0x00007FFB61EE0000-0x00007FFB61F12000-memory.dmp	upx
behavioral1/memory/4708-148-0x00007FFB69040000-0x00007FFB69051000-memory.dmp	upx
behavioral1/memory/4708-147-0x00007FFB62A60000-0x00007FFB62F93000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1292	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1220	cmd.exe
2112	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
4996	NETSTAT.EXE

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
4064	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3932	WMIC.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2608	ipconfig.exe
4996	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
348	systeminfo.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1360	schtasks.exe
5044	schtasks.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
2372	WMIC.exe
2372	WMIC.exe
2372	WMIC.exe
2372	WMIC.exe
3932	WMIC.exe
3932	WMIC.exe
3932	WMIC.exe
3932	WMIC.exe
788	WMIC.exe
788	WMIC.exe
788	WMIC.exe
788	WMIC.exe
2700	WMIC.exe
2700	WMIC.exe
2700	WMIC.exe
2700	WMIC.exe
4720	powershell.exe
4720	powershell.exe
4064	WMIC.exe
4064	WMIC.exe
4064	WMIC.exe
4064	WMIC.exe
1304	WMIC.exe
1304	WMIC.exe
1304	WMIC.exe
1304	WMIC.exe
2160	WMIC.exe
2160	WMIC.exe
2160	WMIC.exe
2160	WMIC.exe
5016	WMIC.exe
5016	WMIC.exe
5016	WMIC.exe
5016	WMIC.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2372	WMIC.exe
Token: SeSecurityPrivilege	2372	WMIC.exe
Token: SeTakeOwnershipPrivilege	2372	WMIC.exe
Token: SeLoadDriverPrivilege	2372	WMIC.exe
Token: SeSystemProfilePrivilege	2372	WMIC.exe
Token: SeSystemtimePrivilege	2372	WMIC.exe
Token: SeProfSingleProcessPrivilege	2372	WMIC.exe
Token: SeIncBasePriorityPrivilege	2372	WMIC.exe
Token: SeCreatePagefilePrivilege	2372	WMIC.exe
Token: SeBackupPrivilege	2372	WMIC.exe
Token: SeRestorePrivilege	2372	WMIC.exe
Token: SeShutdownPrivilege	2372	WMIC.exe
Token: SeDebugPrivilege	2372	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2372	WMIC.exe
Token: SeRemoteShutdownPrivilege	2372	WMIC.exe
Token: SeUndockPrivilege	2372	WMIC.exe
Token: SeManageVolumePrivilege	2372	WMIC.exe
Token: 33	2372	WMIC.exe
Token: 34	2372	WMIC.exe
Token: 35	2372	WMIC.exe
Token: 36	2372	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3932	WMIC.exe
Token: SeSecurityPrivilege	3932	WMIC.exe
Token: SeTakeOwnershipPrivilege	3932	WMIC.exe
Token: SeLoadDriverPrivilege	3932	WMIC.exe
Token: SeSystemProfilePrivilege	3932	WMIC.exe
Token: SeSystemtimePrivilege	3932	WMIC.exe
Token: SeProfSingleProcessPrivilege	3932	WMIC.exe
Token: SeIncBasePriorityPrivilege	3932	WMIC.exe
Token: SeCreatePagefilePrivilege	3932	WMIC.exe
Token: SeBackupPrivilege	3932	WMIC.exe
Token: SeRestorePrivilege	3932	WMIC.exe
Token: SeShutdownPrivilege	3932	WMIC.exe
Token: SeDebugPrivilege	3932	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3932	WMIC.exe
Token: SeRemoteShutdownPrivilege	3932	WMIC.exe
Token: SeUndockPrivilege	3932	WMIC.exe
Token: SeManageVolumePrivilege	3932	WMIC.exe
Token: 33	3932	WMIC.exe
Token: 34	3932	WMIC.exe
Token: 35	3932	WMIC.exe
Token: 36	3932	WMIC.exe
Token: SeDebugPrivilege	3084	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3932	WMIC.exe
Token: SeSecurityPrivilege	3932	WMIC.exe
Token: SeTakeOwnershipPrivilege	3932	WMIC.exe
Token: SeLoadDriverPrivilege	3932	WMIC.exe
Token: SeSystemProfilePrivilege	3932	WMIC.exe
Token: SeSystemtimePrivilege	3932	WMIC.exe
Token: SeProfSingleProcessPrivilege	3932	WMIC.exe
Token: SeIncBasePriorityPrivilege	3932	WMIC.exe
Token: SeCreatePagefilePrivilege	3932	WMIC.exe
Token: SeBackupPrivilege	3932	WMIC.exe
Token: SeRestorePrivilege	3932	WMIC.exe
Token: SeShutdownPrivilege	3932	WMIC.exe
Token: SeDebugPrivilege	3932	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3932	WMIC.exe
Token: SeRemoteShutdownPrivilege	3932	WMIC.exe
Token: SeUndockPrivilege	3932	WMIC.exe
Token: SeManageVolumePrivilege	3932	WMIC.exe
Token: 33	3932	WMIC.exe
Token: 34	3932	WMIC.exe
Token: 35	3932	WMIC.exe
Token: 36	3932	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4540 wrote to memory of 4708	4540	test.exe	80
PID 4540 wrote to memory of 4708	4540	test.exe	80
PID 4708 wrote to memory of 2604	4708	test.exe	83
PID 4708 wrote to memory of 2604	4708	test.exe	83
PID 4708 wrote to memory of 2272	4708	test.exe	84
PID 4708 wrote to memory of 2272	4708	test.exe	84
PID 4708 wrote to memory of 2412	4708	test.exe	85
PID 4708 wrote to memory of 2412	4708	test.exe	85
PID 4708 wrote to memory of 1704	4708	test.exe	86
PID 4708 wrote to memory of 1704	4708	test.exe	86
PID 2272 wrote to memory of 2372	2272	cmd.exe	91
PID 2272 wrote to memory of 2372	2272	cmd.exe	91
PID 2604 wrote to memory of 3932	2604	cmd.exe	93
PID 2604 wrote to memory of 3932	2604	cmd.exe	93
PID 1704 wrote to memory of 3084	1704	cmd.exe	92
PID 1704 wrote to memory of 3084	1704	cmd.exe	92
PID 4708 wrote to memory of 1288	4708	test.exe	94
PID 4708 wrote to memory of 1288	4708	test.exe	94
PID 1288 wrote to memory of 788	1288	cmd.exe	96
PID 1288 wrote to memory of 788	1288	cmd.exe	96
PID 4708 wrote to memory of 4500	4708	test.exe	97
PID 4708 wrote to memory of 4500	4708	test.exe	97
PID 4708 wrote to memory of 2172	4708	test.exe	98
PID 4708 wrote to memory of 2172	4708	test.exe	98
PID 4500 wrote to memory of 2700	4500	cmd.exe	101
PID 4500 wrote to memory of 2700	4500	cmd.exe	101
PID 2172 wrote to memory of 4996	2172	cmd.exe	102
PID 2172 wrote to memory of 4996	2172	cmd.exe	102
PID 4708 wrote to memory of 4628	4708	test.exe	103
PID 4708 wrote to memory of 4628	4708	test.exe	103
PID 4628 wrote to memory of 4528	4628	cmd.exe	105
PID 4628 wrote to memory of 4528	4628	cmd.exe	105
PID 4708 wrote to memory of 1180	4708	test.exe	106
PID 4708 wrote to memory of 1180	4708	test.exe	106
PID 1180 wrote to memory of 2160	1180	cmd.exe	108
PID 1180 wrote to memory of 2160	1180	cmd.exe	108
PID 4708 wrote to memory of 720	4708	test.exe	109
PID 4708 wrote to memory of 720	4708	test.exe	109
PID 720 wrote to memory of 1360	720	cmd.exe	111
PID 720 wrote to memory of 1360	720	cmd.exe	111
PID 4708 wrote to memory of 1636	4708	test.exe	112
PID 4708 wrote to memory of 1636	4708	test.exe	112
PID 1636 wrote to memory of 5044	1636	cmd.exe	114
PID 1636 wrote to memory of 5044	1636	cmd.exe	114
PID 4708 wrote to memory of 4356	4708	test.exe	115
PID 4708 wrote to memory of 4356	4708	test.exe	115
PID 4708 wrote to memory of 3852	4708	test.exe	116
PID 4708 wrote to memory of 3852	4708	test.exe	116
PID 3852 wrote to memory of 4588	3852	cmd.exe	119
PID 3852 wrote to memory of 4588	3852	cmd.exe	119
PID 4356 wrote to memory of 2380	4356	cmd.exe	120
PID 4356 wrote to memory of 2380	4356	cmd.exe	120
PID 4708 wrote to memory of 3856	4708	test.exe	121
PID 4708 wrote to memory of 3856	4708	test.exe	121
PID 4708 wrote to memory of 4412	4708	test.exe	122
PID 4708 wrote to memory of 4412	4708	test.exe	122
PID 4708 wrote to memory of 3140	4708	test.exe	123
PID 4708 wrote to memory of 3140	4708	test.exe	123
PID 4708 wrote to memory of 644	4708	test.exe	124
PID 4708 wrote to memory of 644	4708	test.exe	124
PID 3856 wrote to memory of 1536	3856	cmd.exe	129
PID 3856 wrote to memory of 1536	3856	cmd.exe	129
PID 644 wrote to memory of 4720	644	cmd.exe	130
PID 644 wrote to memory of 4720	644	cmd.exe	130

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4528	attrib.exe

C:\Users\Admin\AppData\Local\Temp\test.exe
"C:\Users\Admin\AppData\Local\Temp\test.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4540
- C:\Users\Admin\AppData\Local\Temp\test.exe
  "C:\Users\Admin\AppData\Local\Temp\test.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:2412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1704
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3084
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1288
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4500
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:4996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:4628
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Views/modifies file attributes
      PID:4528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "schtasks /query /TN "ExelaUpdateService""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1180
  - - C:\Windows\system32\schtasks.exe
      schtasks /query /TN "ExelaUpdateService"
      4⤵
      PID:2160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc onlogon /rl highest /tn "ExelaUpdateService" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:720
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "ExelaUpdateService" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1360
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc hourly /mo 1 /rl highest /tn "ExelaUpdateService2" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1636
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc hourly /mo 1 /rl highest /tn "ExelaUpdateService2" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4356
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:2380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3852
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:4588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3856
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:1536
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:3624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:4412
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:4164
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:1728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3140
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:644
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:4720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    PID:868
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:348
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:2104
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      Suspicious behavior: EnumeratesProcesses
      PID:4064
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:3836
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:1264
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:4732
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:2728
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:1620
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:4124
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:4532
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:2880
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:2916
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:3780
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:1328
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:700
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1304
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:408
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:2608
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:3952
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:1032
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:4996
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:1292
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3912
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1220
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1040
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:232
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI45402\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45402\VCRUNTIME140_1.dll

Filesize
48KB

MD5
68156f41ae9a04d89bb6625a5cd222d4

SHA1
3be29d5c53808186eba3a024be377ee6f267c983

SHA256
82a2f9ae1e6146ae3cb0f4bc5a62b7227e0384209d9b1aef86bbcc105912f7cd

SHA512
f7bf8ad7cd8b450050310952c56f6a20b378a972c822ccc253ef3d7381b56ffb3ca6ce3323bea9872674ed1c02017f78ab31e9eb9927fc6b3cba957c247e5d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45402\_asyncio.pyd

Filesize
39KB

MD5
6fc513cf75b0c753af1ec88579801e4a

SHA1
ba28d4237e144299fafa0e08f9dfc1ce075140dd

SHA256
ca292fbdeeafc744437d39d52fdc9fa84f6a2436c15176ebd0b68a67744d5f4f

SHA512
35dcbe2f044d1d9cd9ad59f080d80fa2188993dc1c24db4c44525f682e9d95eb58bd02e1f45e5c40b82a06cc3d390f5ad148b1dae7f4290c077f7ba1b774a20e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45402\_bz2.pyd

Filesize
49KB

MD5
92f2392bf5110f3fee496fcfd39333e7

SHA1
2830eaa55e7099a8954358ed6aa2cf903b8b8afd

SHA256
fdbe879a9d8a7d7a8116e91626f2f60265f87e920289f13b3b38cd0305ec0410

SHA512
50090a58038e8e1163b6e1390d0ffb3227eff42566e39368da0991e2ccc9a33bab85d08f016be193dc8e9bf763754e84f8eb7a8090c3b9e466ab77609fb57266

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45402\_cffi_backend.cp313-win_amd64.pyd

Filesize
71KB

MD5
feb838919a9cbc39fa2f7e47b2cf2fa0

SHA1
4cfb8e03dc507587be9183e08c81c710ca368b86

SHA256
85508735f87ab59af7343101b96337a12d51d6e54227abc3fc139156565c5d8b

SHA512
317913492b361678bc9d7565c011eb201f8bf36fd3c4e3218e00554122db429ca583fa2c0fd782073ab9ae98ba4c228a291d4e71cfc443a8e6d79c051591656c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45402\_ctypes.pyd

Filesize
63KB

MD5
b6d6ae485f0688ad65c494ef16b40491

SHA1
fc29e46df68a15b24ac22191101f23b6e5768733

SHA256
f6013f9d036dc355249f3931dea60232557f335898b73286125af07391b7238b

SHA512
7d7b69fb2b151fe9a894534b04d89800996e5ba4a11e96d2b25b6db058fc471d0c5545f5e1a3101ced072e9d0ec870708e8291a9cc7dfeef3785eb63d0c5a977

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45402\_decimal.pyd

Filesize
119KB

MD5
948b1ca7dbdc7c5bcf159c280c5e8823

SHA1
18819bb7c72e1bb0e849cd7c02aa6f2ae65a44e7

SHA256
ffe501f541a4f1368db2847b1083f781105ee0d5f9fa60e75f8cc5831014be51

SHA512
8b1c10dbb5425b2b58bf100b8d82e12e69ae7f2b54bd39577536e7a7d785ac7d0cadc0b7dd4ed80800a63153adf3269eb2a20346dd321324dbfb97b09cc86f51

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45402\_hashlib.pyd

Filesize
36KB

MD5
e8453d27520e583f6204664ccab94de9

SHA1
fa6ff8576a7428ef6553692d31cce8fbdbebc50e

SHA256
f3d0c121e9d60edd6fe28fe5a397a555565dd8c74ee5799799d3a892d8494afc

SHA512
01ccdd5d74a451800e2295e3525ad8c71df4bb0a07b4920e838b00e6fdcf5ec9dcb7d595d59667d58ffd044e303f79697b4acad0d2388ad33a3a6f5bbccd99e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45402\_lzma.pyd

Filesize
87KB

MD5
61648849af212ba3ee0776dfa7e13aa3

SHA1
9faf0a51ee1391739bfecd6176bd5ca3ec6d5943

SHA256
b3dc291fcb16e16cf82045d5156b4a6ceaef6604ee5843841a00a672855c9291

SHA512
85f184becceff43d8dc7f05bc8f836e1685187914869955165091150622022ac001eba7f5dadfe9c00079cfb6fe5a7db856c3cd032855e76c86482fb3b34db99

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45402\_multiprocessing.pyd

Filesize
28KB

MD5
d258b9a8c3a39be3cc4bf0383b06ff0b

SHA1
7acb2a392a65f32994aaa7b9ba762914a3a24d43

SHA256
bf667c914db9ee4b9c2fe494196085a12306cdfd5d87be51941d339376635306

SHA512
a2162559ea9d2d3ffbebccdb212b19b0c07538b9c36913ab53931ed2b04d33077b4f0a52b91b67ea8303a98e3d620768311c974a77a37f52a0253532e57b0661

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45402\_overlapped.pyd

Filesize
34KB

MD5
790f2aec63024333240d9c3a78d6733d

SHA1
3b3e2bb83f2fb68ea403334d19ca4a6fe03cfd60

SHA256
55168e2daab2cf8b1524a9c3f2c6bc68a19829a9b91e078649a7bed99fc04b72

SHA512
afba85feaa9c48781e25c83461b54bc430fd221d0d1cc1601eed2719f317a400ef46e4ae956296abe3cbbd78d047a647cdda308d8182ae2a1e5a32340b3c8c30

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45402\_queue.pyd

Filesize
28KB

MD5
2e6c9b4dface2db25a0e402838f35522

SHA1
58fe6fb3756769ad3c67fbf8e13a5bb32e9cbabc

SHA256
e0744c1ce07395e4d1bd3522333ea8b833b8ab6ebdeb8b1049b8939f5a63fb4b

SHA512
2cfb05c0e3c434aeb70af12b1e444631005c3a99c248cb39b17709342d5e1d2a3d14bb1025da01590ab5630535a78cf7c56d611037f4f8dffa17220519c3614e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45402\_socket.pyd

Filesize
45KB

MD5
b22072ff6687d9e61dc2dcc9eb0d60df

SHA1
84316417ad6940868c80e086e5ca575250198539

SHA256
2cda75625b87bb71ab8d447878bd0f6ffa53a113310ab00b9a0b2848e79a9da0

SHA512
85b961d8ca311f1152c62a7ee3d64931522b9a445c53ee949d3bf0b3f33dbb15c15e51734c5b56090c5818c379b4ba087555d1e37e9ce7a096d0187c51cb05bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45402\_sqlite3.pyd

Filesize
59KB

MD5
0fe763bab8a78793c33ed767f23c878e

SHA1
88f8c2c6125746c9ed2db9672b55431665b8c500

SHA256
b39e51eead608de12ee1847d4033d346e1e6998dbaf2f2e6ecb323227b979a95

SHA512
e05615b4a7e41693b23563a84dbd087ca6687efd31644934d7958dd6fe40e1532fed3d2219340a0de8ae30de6e51cc3be7cfb351feaf39d3e7d8b297e0d9bc0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45402\_ssl.pyd

Filesize
68KB

MD5
b30162b26c6eeca50c8893bb2b773b8d

SHA1
450d7c43b8e5591dcdf46dcaf7069c460bafccad

SHA256
e40758051a956c1b991dc55a7a08860ce97b452c727c25406fb55a3642aa9f2b

SHA512
846e6e23a5ad2127211cc1ec4efafc5363fc91008f2cae301376692f92ec2f1f034e22cb30956de3cbf3c7138ada4669d9d9bbc41b286663f33fd194b2378e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45402\_uuid.pyd

Filesize
27KB

MD5
b5f2d9353f758e1a60e67dac33debdd2

SHA1
edae6378d70b76846329fa609483de89531bcf16

SHA256
cde836ef0bde1c15c1c3750de54b50d2285864c512abbfc9e2c94f0ff5aa5ca2

SHA512
9d780a8ec760c6bae3b53079c9a0670c7cbf2af6aababda0234ee71c5e0546b501cbe9666d973eaa28fb7fb7285814ecfece98d20cf4a86d3aea9a61a8120397

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45402\_wmi.pyd

Filesize
30KB

MD5
ccd64b09898a6bff017068be71c023e4

SHA1
14c34ac076485f03b66572582b4446f7f8f32a45

SHA256
21c884440d789e314f87516c7af49c361b4c2c3d6bd21e7536f1ce7d26884142

SHA512
8d79b00fe4d3ccdf68f54fef1c156291818a3d26da6904c505cef364524e626ed9614c5b2bb571e915e74e36ca3bf83542db88b659a7855b3e7f9b5dc9dc6191

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45402\aiohttp\_http_parser.cp313-win_amd64.pyd

Filesize
79KB

MD5
e4c394e5b9ac3dae8d635f916614c392

SHA1
7392640cec6d7468efca94daeccd5d839841cab6

SHA256
9fc0e407885309480cea5aa7bea10133449d7c85e566d53a3450d18032ff33f4

SHA512
eaef6456ef61606f977ea71d1207f781660f2f7e244013a2f3722b8e4004ad7642313d14440fecb74bb35f72cb09441eef83dd85f427d621cd2fed3f4c7c2a20

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45402\aiohttp\_http_writer.cp313-win_amd64.pyd

Filesize
24KB

MD5
3ce52571fae3c59c07ecf91524fb666f

SHA1
5bba90eff60c163c444b6476642f6672d9e6cd25

SHA256
35289d2d0003a02a65854df30894c804c32f0e828d5bcb7dd952ae179ab62fca

SHA512
0fb6c106a4c4d8aa3032d00aa243f0f79d8e3e92ad02def1c5d5e62af6e890df8128b5eff8212fca7f201d7106c924db4d485fe0ef4706e8a0250423ecb39670

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45402\aiohttp\_websocket\mask.cp313-win_amd64.pyd

Filesize
19KB

MD5
35f8512f60ebfd8606a1ea6a3ceefea2

SHA1
268bb7121d4c5fad2944c6caeaca60289a540020

SHA256
de904cb2962afadf3238ad49aa0bdcd015f7b4b87730f632ef008bae789d0ddd

SHA512
fb0f7ec723cad50c01c34a427345b1a601ed57b543b1cc3db2c381b9bd413b94a6367cf76cdd8213863ede5b1cbb592dfa461ea66c1b917b04852f73dcee8608

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45402\base_library.zip

Filesize
1.3MB

MD5
18c3f8bf07b4764d340df1d612d28fad

SHA1
fc0e09078527c13597c37dbea39551f72bbe9ae8

SHA256
6e30043dfa5faf9c31bd8fb71778e8e0701275b620696d29ad274846676b7175

SHA512
135b97cd0284424a269c964ed95b06d338814e5e7b2271b065e5eabf56a8af4a213d863dd2a1e93c1425fadb1b20e6c63ffa6e8984156928be4a9a2fbbfd5e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45402\cryptography\hazmat\bindings\_rust.pyd

Filesize
2.0MB

MD5
606a84af5a9cf8ad3cb0314e77fb7209

SHA1
6de88d8554488ffe3e48c9b14886da16d1703a69

SHA256
0693ffa4990fa8c1664485f3d2a41b581eac0b340d07d62242052a67bf2ed5c3

SHA512
97d451f025aefb487c5cea568eb430356adfe23908321f1c04f8fa4c03df87507eda8d9612c944be4fa733df4cec38a0e37bffd8865088064b749244d4321b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45402\libcrypto-3.dll

Filesize
1.6MB

MD5
f5c66bbd34fc2839f2c8afa5a70c4e2c

SHA1
a085085dbf5396ca45801d63d9681b20f091414c

SHA256
7ff3ccb7903f8bc1b872c948cfff4520c51539ae184f93b7bd9c04bf60f4a7f4

SHA512
fc108dfa1ef75b4a4c45c3fae1ccb9257e8950a17f6374fef5080df69ffd52928e5bcac0490772d4d57091e0d81ea58cd1d6d34ec6993e30c1b4c5704be7044b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45402\libffi-8.dll

Filesize
29KB

MD5
0d1c6b92d091cef3142e32ac4e0cc12e

SHA1
440dad5af38035cb0984a973e1f266deff2bd7fc

SHA256
11ee9c7fb70c3756c0392843245935517171b95cc5ba0d696b2c1742c8d46fb6

SHA512
5d514ecab93941e83c008f0e9749f99e330949580884bf4850b11cac08fe1ac4ac50033e8888045fe4a9d8b4d2e3ea667b39be18f77266d00f8d7d6797260233

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45402\libssl-3.dll

Filesize
221KB

MD5
fc9d8dea869ea56ff6612a2c577394bf

SHA1
f30bc2bceb36e5e08c348936c791abaa93fd5b25

SHA256
8ec0a7ac78f483bf55585d53f77d23934a4d15665e06fbd73c4addf1c9e6c959

SHA512
929f5e08142e56f2d8067dac5d7457c72221da73e4cf6259da1982c5308b93dbec77d87cef89294a68441da77fa1923d6c9f812f714f6061ff9952f4f17783df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45402\multidict\_multidict.cp313-win_amd64.pyd

Filesize
20KB

MD5
3c58269113cfce41c884db5b857bdc2d

SHA1
a7170fcf559c18acd9e5b9f1f07f557629ea1b30

SHA256
5513d20e607a6926737c8f83994d92e100e94b7117201a07d0c44531830b9daf

SHA512
d7dd460089dd9f6179aa3942b16553a4bd7a96fceb0a5d506f1499958409fadda666c43e2552227c1549e596c1a254374253bacc60b7ad3ea09db4864f9030cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45402\propcache\_helpers_c.cp313-win_amd64.pyd

Filesize
30KB

MD5
b9298b94398ccada68496245cce968ba

SHA1
0c819eb3014697d5c61afcfd98a6bb693b15fe8d

SHA256
0060f315fefe97338cca796927beb1770986275e3b69cc8fca5dd19dc7239798

SHA512
9736b0454078544cd8b169b51dd4aeea3f4d0bceedc4ad2fc41b6b0089dd572d7d8bc80a9188ae434372dc11b996334b13515541dd1e40f741409cf7efc43407

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45402\pyexpat.pyd

Filesize
89KB

MD5
23d5cf12c977c295deda33a573140b3c

SHA1
76fe780c95167e832cee72571eea63b8a1199f9e

SHA256
8b3e558e62e763e79bd2b96585f75b92d1b83270d490893f5c2e01c2e0d5d9ca

SHA512
1703015d9f09fa59759df08850c8299384e2dbfe8e10786bc288efa5f0ee0936c19091a10c7e84ee61dadb42101fa55f9c348a59051308fe332e2f5f8f131034

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45402\python3.DLL

Filesize
70KB

MD5
ad2c4784c3240063eeaa646fd59be62c

SHA1
5efab563725781ab38a511e3f26e0406d5d46e8d

SHA256
c1de4bfe57dc4a5be8c72c865d617dc39dfd8162fcd2ce1fac9f401cf9efb504

SHA512
c964d4289206d099310bd5299f71a32c643311e0e8445e35ae3179772136d0ca9b75f5271eaf31efc75c055cd438799cef836ed87797589629b0e9f247424676

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45402\python313.dll

Filesize
1.8MB

MD5
1f43122a9d856ddbb9b60ec8351a0594

SHA1
38604c2b41e4a87dc5b124febec6e456bb194c32

SHA256
bd741ee4c42bdf1ed828a812f22aa6c8bcfae189086b9aaea85a9f3f72f92d3f

SHA512
82f4a0106bc9cf17c7c024887492bba38ff08b04ddde4a0e2eb43331945bf31953d177c2294b24b6f7c90757e00e4112c3ad7bd857fb7c541501efbd368398c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45402\select.pyd

Filesize
26KB

MD5
e49bff4d44552b6b047a0d343dcc45a7

SHA1
3ac100db040ebc1ede5a157cab26974e57d3ed1a

SHA256
0997baf1672e628311a47920e99f180c7046b310833815a67e4a43f294a46baf

SHA512
8b86b060139b62e3b9c7d09c3702f48bfaeb2b54b660c686b96184472b3dfed320c8acede650c472d5cb1f7bca6a387509127e8cc98d58f8609270a546667aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45402\sqlite3.dll

Filesize
645KB

MD5
bb3ea0627657db20e1e614a27d2365af

SHA1
b1a1438d5ae8e4c180b03325f68a2af6c29cb4d2

SHA256
53b780954617ed438cb8c8b63731746697931fad8a7e724a297487c8d6ae6a09

SHA512
1db78e3b57e945506c69c6d26467f794f2b73b90671b70f615a38f62e0de9d4ccfca8057f4377b70718af62d136be2e8a48c4f97283976cd921718a29af0624b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45402\unicodedata.pyd

Filesize
262KB

MD5
cf5e7cc0b5c05c8616bdd6eb1482d5bc

SHA1
8ef94f43bb2acd915d9b9eff36f4cb9d4750fbe0

SHA256
c0de94cf954243c11c4ac119ebadfd03f962e39e0939d4e087a4533d1b46baf3

SHA512
d59c519911f266a98f245b636cc254122924f533f6aeff5f148050442836bca98b26a06154132e275b97510763e3707c941b3603cb8d29209b7008433c0c87cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI45402\yarl\_quoting_c.cp313-win_amd64.pyd

Filesize
41KB

MD5
42e95749965a3fad75307330b54c97a5

SHA1
12e7bce4128676047dc457f8fc785d49ea091cd0

SHA256
cbb432318fde1e441980dbd4d86f4e40d370d484c3f96f81d73b42108445142a

SHA512
48f02161a7fdfac7b6af67190a1fd48c9f86d68877a56d407c3bc3adf83a283b97438ea6af8512c0012642290464c13002c042287819584222a02626584a8570

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y22pgnai.rua.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4708-135-0x00007FFB6AF00000-0x00007FFB6AFB3000-memory.dmp

Filesize
716KB

Download
memory/4708-246-0x00007FFB63F60000-0x00007FFB63FAD000-memory.dmp

Filesize
308KB

Download
memory/4708-107-0x00007FFB71F30000-0x00007FFB71F63000-memory.dmp

Filesize
204KB

Download
memory/4708-109-0x00007FFB6D0D0000-0x00007FFB6D19E000-memory.dmp

Filesize
824KB

Download
memory/4708-113-0x00007FFB62A60000-0x00007FFB62F93000-memory.dmp

Filesize
5.2MB

Download
memory/4708-112-0x00007FFB72C80000-0x00007FFB72CAB000-memory.dmp

Filesize
172KB

Download
memory/4708-114-0x00000248B5460000-0x00000248B5993000-memory.dmp

Filesize
5.2MB

Download
memory/4708-104-0x00007FFB765A0000-0x00007FFB765C7000-memory.dmp

Filesize
156KB

Download
memory/4708-105-0x00007FFB72710000-0x00007FFB72748000-memory.dmp

Filesize
224KB

Download
memory/4708-91-0x00007FFB7B220000-0x00007FFB7B22D000-memory.dmp

Filesize
52KB

Download
memory/4708-93-0x00007FFB7B200000-0x00007FFB7B20F000-memory.dmp

Filesize
60KB

Download
memory/4708-101-0x00007FFB637A0000-0x00007FFB63E05000-memory.dmp

Filesize
6.4MB

Download
memory/4708-127-0x00007FFB6EDD0000-0x00007FFB6EDE4000-memory.dmp

Filesize
80KB

Download
memory/4708-126-0x00007FFB71C20000-0x00007FFB71D9F000-memory.dmp

Filesize
1.5MB

Download
memory/4708-125-0x00007FFB6F7E0000-0x00007FFB6F7F4000-memory.dmp

Filesize
80KB

Download
memory/4708-122-0x00007FFB727C0000-0x00007FFB727E5000-memory.dmp

Filesize
148KB

Download
memory/4708-102-0x00007FFB62FA0000-0x00007FFB6379B000-memory.dmp

Filesize
8.0MB

Download
memory/4708-120-0x00007FFB6F800000-0x00007FFB6F812000-memory.dmp

Filesize
72KB

Download
memory/4708-119-0x00007FFB7B200000-0x00007FFB7B20F000-memory.dmp

Filesize
60KB

Download
memory/4708-116-0x00007FFB71EC0000-0x00007FFB71ED6000-memory.dmp

Filesize
88KB

Download
memory/4708-98-0x00007FFB71C20000-0x00007FFB71D9F000-memory.dmp

Filesize
1.5MB

Download
memory/4708-96-0x00007FFB727C0000-0x00007FFB727E5000-memory.dmp

Filesize
148KB

Download
memory/4708-134-0x00007FFB6EDB0000-0x00007FFB6EDCB000-memory.dmp

Filesize
108KB

Download
memory/4708-133-0x00007FFB6E700000-0x00007FFB6E722000-memory.dmp

Filesize
136KB

Download
memory/4708-68-0x00007FFB72C80000-0x00007FFB72CAB000-memory.dmp

Filesize
172KB

Download
memory/4708-132-0x00007FFB62FA0000-0x00007FFB6379B000-memory.dmp

Filesize
8.0MB

Download
memory/4708-66-0x00007FFB798B0000-0x00007FFB798C9000-memory.dmp

Filesize
100KB

Download
memory/4708-139-0x00007FFB71F30000-0x00007FFB71F63000-memory.dmp

Filesize
204KB

Download
memory/4708-140-0x00007FFB6AEC0000-0x00007FFB6AED8000-memory.dmp

Filesize
96KB

Download
memory/4708-62-0x00007FFB7C6F0000-0x00007FFB7C6FF000-memory.dmp

Filesize
60KB

Download
memory/4708-60-0x00007FFB765A0000-0x00007FFB765C7000-memory.dmp

Filesize
156KB

Download
memory/4708-146-0x00007FFB63F60000-0x00007FFB63FAD000-memory.dmp

Filesize
308KB

Download
memory/4708-149-0x00007FFB61EE0000-0x00007FFB61F12000-memory.dmp

Filesize
200KB

Download
memory/4708-148-0x00007FFB69040000-0x00007FFB69051000-memory.dmp

Filesize
68KB

Download
memory/4708-147-0x00007FFB62A60000-0x00007FFB62F93000-memory.dmp

Filesize
5.2MB

Download
memory/4708-145-0x00000248B5460000-0x00000248B5993000-memory.dmp

Filesize
5.2MB

Download
memory/4708-142-0x00007FFB6D0D0000-0x00007FFB6D19E000-memory.dmp

Filesize
824KB

Download
memory/4708-150-0x00007FFB727A0000-0x00007FFB727BE000-memory.dmp

Filesize
120KB

Download
memory/4708-200-0x00007FFB72690000-0x00007FFB7269D000-memory.dmp

Filesize
52KB

Download
memory/4708-346-0x00007FFB637A0000-0x00007FFB63E05000-memory.dmp

Filesize
6.4MB

Download
memory/4708-52-0x00007FFB637A0000-0x00007FFB63E05000-memory.dmp

Filesize
6.4MB

Download
memory/4708-217-0x00007FFB6AEC0000-0x00007FFB6AED8000-memory.dmp

Filesize
96KB

Download
memory/4708-227-0x00007FFB71C20000-0x00007FFB71D9F000-memory.dmp

Filesize
1.5MB

Download
memory/4708-89-0x00007FFB77C10000-0x00007FFB77C29000-memory.dmp

Filesize
100KB

Download
memory/4708-245-0x00007FFB72690000-0x00007FFB7269D000-memory.dmp

Filesize
52KB

Download
memory/4708-232-0x00007FFB62A60000-0x00007FFB62F93000-memory.dmp

Filesize
5.2MB

Download
memory/4708-231-0x00007FFB6D0D0000-0x00007FFB6D19E000-memory.dmp

Filesize
824KB

Download
memory/4708-230-0x00007FFB71F30000-0x00007FFB71F63000-memory.dmp

Filesize
204KB

Download
memory/4708-229-0x00007FFB72710000-0x00007FFB72748000-memory.dmp

Filesize
224KB

Download
memory/4708-228-0x00007FFB62FA0000-0x00007FFB6379B000-memory.dmp

Filesize
8.0MB

Download
memory/4708-225-0x00007FFB7B200000-0x00007FFB7B20F000-memory.dmp

Filesize
60KB

Download
memory/4708-233-0x00007FFB71EC0000-0x00007FFB71ED6000-memory.dmp

Filesize
88KB

Download
memory/4708-218-0x00007FFB637A0000-0x00007FFB63E05000-memory.dmp

Filesize
6.4MB

Download
memory/4708-257-0x00007FFB637A0000-0x00007FFB63E05000-memory.dmp

Filesize
6.4MB

Download
memory/4708-279-0x00007FFB6AEC0000-0x00007FFB6AED8000-memory.dmp

Filesize
96KB

Download
memory/4708-271-0x00007FFB62A60000-0x00007FFB62F93000-memory.dmp

Filesize
5.2MB

Download
memory/4708-269-0x00007FFB71F30000-0x00007FFB71F63000-memory.dmp

Filesize
204KB

Download
memory/4708-349-0x00007FFB798B0000-0x00007FFB798C9000-memory.dmp

Filesize
100KB

Download
memory/4708-359-0x00007FFB6D0D0000-0x00007FFB6D19E000-memory.dmp

Filesize
824KB

Download
memory/4708-370-0x00007FFB63F60000-0x00007FFB63FAD000-memory.dmp

Filesize
308KB

Download
memory/4708-373-0x00007FFB72690000-0x00007FFB7269D000-memory.dmp

Filesize
52KB

Download
memory/4708-372-0x00007FFB727A0000-0x00007FFB727BE000-memory.dmp

Filesize
120KB

Download
memory/4708-371-0x00007FFB62A60000-0x00007FFB62F93000-memory.dmp

Filesize
5.2MB

Download
memory/4708-369-0x00007FFB6AEC0000-0x00007FFB6AED8000-memory.dmp

Filesize
96KB

Download
memory/4708-368-0x00007FFB62FA0000-0x00007FFB6379B000-memory.dmp

Filesize
8.0MB

Download
memory/4708-367-0x00007FFB6EDB0000-0x00007FFB6EDCB000-memory.dmp

Filesize
108KB

Download
memory/4708-366-0x00007FFB6E700000-0x00007FFB6E722000-memory.dmp

Filesize
136KB

Download
memory/4708-365-0x00007FFB69040000-0x00007FFB69051000-memory.dmp

Filesize
68KB

Download
memory/4708-364-0x00007FFB6F7E0000-0x00007FFB6F7F4000-memory.dmp

Filesize
80KB

Download
memory/4708-363-0x00007FFB6F800000-0x00007FFB6F812000-memory.dmp

Filesize
72KB

Download
memory/4708-362-0x00007FFB71EC0000-0x00007FFB71ED6000-memory.dmp

Filesize
88KB

Download
memory/4708-361-0x00007FFB6EDD0000-0x00007FFB6EDE4000-memory.dmp

Filesize
80KB

Download
memory/4708-360-0x00007FFB61EE0000-0x00007FFB61F12000-memory.dmp

Filesize
200KB

Download
memory/4708-358-0x00007FFB71F30000-0x00007FFB71F63000-memory.dmp

Filesize
204KB

Download
memory/4708-357-0x00007FFB72710000-0x00007FFB72748000-memory.dmp

Filesize
224KB

Download
memory/4708-356-0x00007FFB6AF00000-0x00007FFB6AFB3000-memory.dmp

Filesize
716KB

Download
memory/4708-355-0x00007FFB71C20000-0x00007FFB71D9F000-memory.dmp

Filesize
1.5MB

Download
memory/4708-354-0x00007FFB727C0000-0x00007FFB727E5000-memory.dmp

Filesize
148KB

Download
memory/4708-353-0x00007FFB7B200000-0x00007FFB7B20F000-memory.dmp

Filesize
60KB

Download
memory/4708-352-0x00007FFB7B220000-0x00007FFB7B22D000-memory.dmp

Filesize
52KB

Download
memory/4708-351-0x00007FFB77C10000-0x00007FFB77C29000-memory.dmp

Filesize
100KB

Download
memory/4708-350-0x00007FFB72C80000-0x00007FFB72CAB000-memory.dmp

Filesize
172KB

Download
memory/4708-347-0x00007FFB765A0000-0x00007FFB765C7000-memory.dmp

Filesize
156KB

Download
memory/4708-348-0x00007FFB7C6F0000-0x00007FFB7C6FF000-memory.dmp

Filesize
60KB

Download
memory/4720-202-0x000001BE22B80000-0x000001BE22BA2000-memory.dmp

Filesize
136KB

Download