exelastealer | b7dcd530d64dcc98af9da6f3b89d32aa6771b060c994028e6d9e41ff1da26abd

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
25-12-2024 21:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Exela-V2.0-main/Pavica je okej.exe
Size

9.4MB
MD5

5eb5901afa6e48e9b500abfdc285b91b
SHA1

d0ad34b6b401697f6b5b9c99ba5aefbed9d63ead
SHA256

6bb46c9085a11993227500872b13a137bc02eb41bca919659cc005fabca386c1
SHA512

f67ce9ded25a724fd0972ad3b33bda4dc7e158bfa43fad8f4342aa9993a834ccec555e6ddb5fd483dbee40d28324572212edf21261407fc7e539ae825a275b04
SSDEEP

196608:KbG2GMYxmvNm1E8giq1g9KRDOlrJlpZstQoS9Hf1BKXTHK/CCh:MG2Em1m1NqVR0BGt7G/+HK3

Score

10^/10

exelastealer collection defense_evasion discovery evasion persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1100	netsh.exe
912	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1452	cmd.exe
2948	powershell.exe

Loads dropped DLL 32 IoCs

pid	Process
4720	Pavica je okej.exe
4720	Pavica je okej.exe
4720	Pavica je okej.exe
4720	Pavica je okej.exe
4720	Pavica je okej.exe
4720	Pavica je okej.exe
4720	Pavica je okej.exe
4720	Pavica je okej.exe
4720	Pavica je okej.exe
4720	Pavica je okej.exe
4720	Pavica je okej.exe
4720	Pavica je okej.exe
4720	Pavica je okej.exe
4720	Pavica je okej.exe
4720	Pavica je okej.exe
4720	Pavica je okej.exe
4720	Pavica je okej.exe
4720	Pavica je okej.exe
4720	Pavica je okej.exe
4720	Pavica je okej.exe
4720	Pavica je okej.exe
4720	Pavica je okej.exe
4720	Pavica je okej.exe
4720	Pavica je okej.exe
4720	Pavica je okej.exe
4720	Pavica je okej.exe
4720	Pavica je okej.exe
4720	Pavica je okej.exe
4720	Pavica je okej.exe
4720	Pavica je okej.exe
4720	Pavica je okej.exe
4720	Pavica je okej.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
22	discord.com
23	discord.com
24	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
3832	ARP.EXE
1328	cmd.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
3172	tasklist.exe
2220	tasklist.exe
1948	tasklist.exe
3868	tasklist.exe
2608	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4888	cmd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral12/files/0x0007000000023c80-46.dat	upx
behavioral12/memory/4720-50-0x00007FFC50020000-0x00007FFC50485000-memory.dmp	upx
behavioral12/files/0x0008000000023bd5-52.dat	upx
behavioral12/files/0x0007000000023c78-57.dat	upx
behavioral12/memory/4720-60-0x00007FFC655E0000-0x00007FFC655EF000-memory.dmp	upx
behavioral12/memory/4720-58-0x00007FFC63040000-0x00007FFC63064000-memory.dmp	upx
behavioral12/files/0x0007000000023c82-65.dat	upx
behavioral12/files/0x0007000000023c81-64.dat	upx
behavioral12/files/0x0008000000023c0f-79.dat	upx
behavioral12/files/0x0008000000023c0c-76.dat	upx
behavioral12/memory/4720-89-0x00007FFC5F2C0000-0x00007FFC5F2DE000-memory.dmp	upx
behavioral12/files/0x0008000000023c0d-88.dat	upx
behavioral12/memory/4720-91-0x00007FFC5F140000-0x00007FFC5F2B1000-memory.dmp	upx
behavioral12/memory/4720-87-0x00007FFC5F9D0000-0x00007FFC5F9FC000-memory.dmp	upx
behavioral12/files/0x0008000000023bda-86.dat	upx
behavioral12/memory/4720-85-0x00007FFC5FB60000-0x00007FFC5FB78000-memory.dmp	upx
behavioral12/files/0x0009000000023bcf-84.dat	upx
behavioral12/files/0x0007000000023c79-94.dat	upx
behavioral12/memory/4720-93-0x00007FFC5F110000-0x00007FFC5F13E000-memory.dmp	upx
behavioral12/files/0x0008000000023c0e-92.dat	upx
behavioral12/memory/4720-83-0x00007FFC630A0000-0x00007FFC630AD000-memory.dmp	upx
behavioral12/memory/4720-81-0x00007FFC5FB80000-0x00007FFC5FB99000-memory.dmp	upx
behavioral12/files/0x0008000000023c0b-75.dat	upx
behavioral12/files/0x0008000000023c0a-74.dat	upx
behavioral12/files/0x0008000000023bdb-73.dat	upx
behavioral12/files/0x0008000000023bd9-71.dat	upx
behavioral12/files/0x0008000000023bd8-70.dat	upx
behavioral12/files/0x000e000000023bd3-69.dat	upx
behavioral12/files/0x0009000000023bce-67.dat	upx
behavioral12/files/0x0007000000023c83-66.dat	upx
behavioral12/files/0x0007000000023c7e-63.dat	upx
behavioral12/files/0x0007000000023c77-61.dat	upx
behavioral12/memory/4720-97-0x00007FFC50020000-0x00007FFC50485000-memory.dmp	upx
behavioral12/memory/4720-101-0x00007FFC63040000-0x00007FFC63064000-memory.dmp	upx
behavioral12/memory/4720-103-0x00007FFC5F030000-0x00007FFC5F044000-memory.dmp	upx
behavioral12/memory/4720-121-0x00007FFC5EEB0000-0x00007FFC5EECB000-memory.dmp	upx
behavioral12/memory/4720-120-0x00007FFC5F140000-0x00007FFC5F2B1000-memory.dmp	upx
behavioral12/files/0x0007000000023c7d-119.dat	upx
behavioral12/files/0x0008000000023c2f-129.dat	upx
behavioral12/memory/4720-142-0x00007FFC5E0E0000-0x00007FFC5E0FE000-memory.dmp	upx
behavioral12/memory/4720-141-0x00007FFC4FCA0000-0x00007FFC50017000-memory.dmp	upx
behavioral12/files/0x0007000000023c76-140.dat	upx
behavioral12/files/0x0007000000023c74-144.dat	upx
behavioral12/memory/4720-146-0x00007FFC4EF50000-0x00007FFC4F74B000-memory.dmp	upx
behavioral12/memory/4720-145-0x00007FFC5F030000-0x00007FFC5F044000-memory.dmp	upx
behavioral12/memory/4720-147-0x00007FFC5BDF0000-0x00007FFC5BE27000-memory.dmp	upx
behavioral12/memory/4720-138-0x00007FFC5EAF0000-0x00007FFC5EB01000-memory.dmp	upx
behavioral12/memory/4720-137-0x00007FFC5F050000-0x00007FFC5F107000-memory.dmp	upx
behavioral12/memory/4720-136-0x00007FFC5C790000-0x00007FFC5C7DD000-memory.dmp	upx
behavioral12/memory/4720-135-0x00007FFC62F10000-0x00007FFC62F1A000-memory.dmp	upx
behavioral12/memory/4720-134-0x00007FFC5E1B0000-0x00007FFC5E1E2000-memory.dmp	upx
behavioral12/memory/4720-133-0x00007FFC5EB10000-0x00007FFC5EB28000-memory.dmp	upx
behavioral12/files/0x0008000000023c2e-128.dat	upx
behavioral12/memory/4720-127-0x00007FFC5F110000-0x00007FFC5F13E000-memory.dmp	upx
behavioral12/files/0x0008000000023c15-125.dat	upx
behavioral12/files/0x0008000000023c16-123.dat	upx
behavioral12/memory/4720-118-0x00007FFC4FAC0000-0x00007FFC4FBD8000-memory.dmp	upx
behavioral12/memory/4720-117-0x00007FFC5F2C0000-0x00007FFC5F2DE000-memory.dmp	upx
behavioral12/memory/4720-114-0x00007FFC5EED0000-0x00007FFC5EEF2000-memory.dmp	upx
behavioral12/memory/4720-113-0x00007FFC5EFF0000-0x00007FFC5F005000-memory.dmp	upx
behavioral12/files/0x0007000000023c85-112.dat	upx
behavioral12/memory/4720-109-0x00007FFC5F010000-0x00007FFC5F024000-memory.dmp	upx
behavioral12/files/0x0007000000023c7b-108.dat	upx
behavioral12/memory/4720-107-0x00007FFC62F50000-0x00007FFC62F60000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4936	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1700	netsh.exe
1400	cmd.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
1584	NETSTAT.EXE

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
2256	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2736	WMIC.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5100	ipconfig.exe
1584	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4556	systeminfo.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2948	powershell.exe
2948	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2736	WMIC.exe
Token: SeSecurityPrivilege	2736	WMIC.exe
Token: SeTakeOwnershipPrivilege	2736	WMIC.exe
Token: SeLoadDriverPrivilege	2736	WMIC.exe
Token: SeSystemProfilePrivilege	2736	WMIC.exe
Token: SeSystemtimePrivilege	2736	WMIC.exe
Token: SeProfSingleProcessPrivilege	2736	WMIC.exe
Token: SeIncBasePriorityPrivilege	2736	WMIC.exe
Token: SeCreatePagefilePrivilege	2736	WMIC.exe
Token: SeBackupPrivilege	2736	WMIC.exe
Token: SeRestorePrivilege	2736	WMIC.exe
Token: SeShutdownPrivilege	2736	WMIC.exe
Token: SeDebugPrivilege	2736	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2736	WMIC.exe
Token: SeRemoteShutdownPrivilege	2736	WMIC.exe
Token: SeUndockPrivilege	2736	WMIC.exe
Token: SeManageVolumePrivilege	2736	WMIC.exe
Token: 33	2736	WMIC.exe
Token: 34	2736	WMIC.exe
Token: 35	2736	WMIC.exe
Token: 36	2736	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1344	WMIC.exe
Token: SeSecurityPrivilege	1344	WMIC.exe
Token: SeTakeOwnershipPrivilege	1344	WMIC.exe
Token: SeLoadDriverPrivilege	1344	WMIC.exe
Token: SeSystemProfilePrivilege	1344	WMIC.exe
Token: SeSystemtimePrivilege	1344	WMIC.exe
Token: SeProfSingleProcessPrivilege	1344	WMIC.exe
Token: SeIncBasePriorityPrivilege	1344	WMIC.exe
Token: SeCreatePagefilePrivilege	1344	WMIC.exe
Token: SeBackupPrivilege	1344	WMIC.exe
Token: SeRestorePrivilege	1344	WMIC.exe
Token: SeShutdownPrivilege	1344	WMIC.exe
Token: SeDebugPrivilege	1344	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1344	WMIC.exe
Token: SeRemoteShutdownPrivilege	1344	WMIC.exe
Token: SeUndockPrivilege	1344	WMIC.exe
Token: SeManageVolumePrivilege	1344	WMIC.exe
Token: 33	1344	WMIC.exe
Token: 34	1344	WMIC.exe
Token: 35	1344	WMIC.exe
Token: 36	1344	WMIC.exe
Token: SeDebugPrivilege	3172	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2736	WMIC.exe
Token: SeSecurityPrivilege	2736	WMIC.exe
Token: SeTakeOwnershipPrivilege	2736	WMIC.exe
Token: SeLoadDriverPrivilege	2736	WMIC.exe
Token: SeSystemProfilePrivilege	2736	WMIC.exe
Token: SeSystemtimePrivilege	2736	WMIC.exe
Token: SeProfSingleProcessPrivilege	2736	WMIC.exe
Token: SeIncBasePriorityPrivilege	2736	WMIC.exe
Token: SeCreatePagefilePrivilege	2736	WMIC.exe
Token: SeBackupPrivilege	2736	WMIC.exe
Token: SeRestorePrivilege	2736	WMIC.exe
Token: SeShutdownPrivilege	2736	WMIC.exe
Token: SeDebugPrivilege	2736	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2736	WMIC.exe
Token: SeRemoteShutdownPrivilege	2736	WMIC.exe
Token: SeUndockPrivilege	2736	WMIC.exe
Token: SeManageVolumePrivilege	2736	WMIC.exe
Token: 33	2736	WMIC.exe
Token: 34	2736	WMIC.exe
Token: 35	2736	WMIC.exe
Token: 36	2736	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 4720	2224	Pavica je okej.exe	83
PID 2224 wrote to memory of 4720	2224	Pavica je okej.exe	83
PID 4720 wrote to memory of 4864	4720	Pavica je okej.exe	84
PID 4720 wrote to memory of 4864	4720	Pavica je okej.exe	84
PID 4720 wrote to memory of 4976	4720	Pavica je okej.exe	86
PID 4720 wrote to memory of 4976	4720	Pavica je okej.exe	86
PID 4720 wrote to memory of 740	4720	Pavica je okej.exe	87
PID 4720 wrote to memory of 740	4720	Pavica je okej.exe	87
PID 4720 wrote to memory of 1172	4720	Pavica je okej.exe	88
PID 4720 wrote to memory of 1172	4720	Pavica je okej.exe	88
PID 4720 wrote to memory of 3832	4720	Pavica je okej.exe	89
PID 4720 wrote to memory of 3832	4720	Pavica je okej.exe	89
PID 4976 wrote to memory of 2736	4976	cmd.exe	94
PID 4976 wrote to memory of 2736	4976	cmd.exe	94
PID 740 wrote to memory of 1344	740	cmd.exe	95
PID 740 wrote to memory of 1344	740	cmd.exe	95
PID 3832 wrote to memory of 3172	3832	cmd.exe	96
PID 3832 wrote to memory of 3172	3832	cmd.exe	96
PID 4720 wrote to memory of 752	4720	Pavica je okej.exe	98
PID 4720 wrote to memory of 752	4720	Pavica je okej.exe	98
PID 752 wrote to memory of 2608	752	cmd.exe	100
PID 752 wrote to memory of 2608	752	cmd.exe	100
PID 4720 wrote to memory of 2204	4720	Pavica je okej.exe	101
PID 4720 wrote to memory of 2204	4720	Pavica je okej.exe	101
PID 4720 wrote to memory of 2704	4720	Pavica je okej.exe	102
PID 4720 wrote to memory of 2704	4720	Pavica je okej.exe	102
PID 2204 wrote to memory of 4488	2204	cmd.exe	105
PID 2204 wrote to memory of 4488	2204	cmd.exe	105
PID 2704 wrote to memory of 2220	2704	cmd.exe	106
PID 2704 wrote to memory of 2220	2704	cmd.exe	106
PID 4720 wrote to memory of 4888	4720	Pavica je okej.exe	107
PID 4720 wrote to memory of 4888	4720	Pavica je okej.exe	107
PID 4888 wrote to memory of 4448	4888	cmd.exe	109
PID 4888 wrote to memory of 4448	4888	cmd.exe	109
PID 4720 wrote to memory of 3140	4720	Pavica je okej.exe	110
PID 4720 wrote to memory of 3140	4720	Pavica je okej.exe	110
PID 4720 wrote to memory of 3748	4720	Pavica je okej.exe	111
PID 4720 wrote to memory of 3748	4720	Pavica je okej.exe	111
PID 3140 wrote to memory of 1340	3140	cmd.exe	114
PID 3140 wrote to memory of 1340	3140	cmd.exe	114
PID 3748 wrote to memory of 1948	3748	cmd.exe	115
PID 3748 wrote to memory of 1948	3748	cmd.exe	115
PID 4720 wrote to memory of 2972	4720	Pavica je okej.exe	116
PID 4720 wrote to memory of 2972	4720	Pavica je okej.exe	116
PID 4720 wrote to memory of 2168	4720	Pavica je okej.exe	117
PID 4720 wrote to memory of 2168	4720	Pavica je okej.exe	117
PID 4720 wrote to memory of 3944	4720	Pavica je okej.exe	118
PID 4720 wrote to memory of 3944	4720	Pavica je okej.exe	118
PID 4720 wrote to memory of 1452	4720	Pavica je okej.exe	119
PID 4720 wrote to memory of 1452	4720	Pavica je okej.exe	119
PID 2972 wrote to memory of 3620	2972	cmd.exe	124
PID 2972 wrote to memory of 3620	2972	cmd.exe	124
PID 3620 wrote to memory of 4880	3620	cmd.exe	125
PID 3620 wrote to memory of 4880	3620	cmd.exe	125
PID 1452 wrote to memory of 2948	1452	cmd.exe	126
PID 1452 wrote to memory of 2948	1452	cmd.exe	126
PID 2168 wrote to memory of 1676	2168	cmd.exe	127
PID 2168 wrote to memory of 1676	2168	cmd.exe	127
PID 3944 wrote to memory of 3868	3944	cmd.exe	128
PID 3944 wrote to memory of 3868	3944	cmd.exe	128
PID 1676 wrote to memory of 1956	1676	cmd.exe	129
PID 1676 wrote to memory of 1956	1676	cmd.exe	129
PID 4720 wrote to memory of 1328	4720	Pavica je okej.exe	130
PID 4720 wrote to memory of 1328	4720	Pavica je okej.exe	130

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4448	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Exela-V2.0-main\Pavica je okej.exe
"C:\Users\Admin\AppData\Local\Temp\Exela-V2.0-main\Pavica je okej.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Users\Admin\AppData\Local\Temp\Exela-V2.0-main\Pavica je okej.exe
  "C:\Users\Admin\AppData\Local\Temp\Exela-V2.0-main\Pavica je okej.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4720
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:4864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4976
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:2736
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:740
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:1172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3832
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3172
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:752
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      PID:2608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4488
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:4888
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Views/modifies file attributes
      PID:4448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3140
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:1340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3748
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:1948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3620
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:4880
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2168
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1676
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:1956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3944
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:1452
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:2948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    PID:1328
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4556
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:4472
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      PID:2256
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:1808
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:1172
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:1804
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:2332
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:764
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:2084
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:2360
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:4516
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:1692
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:4168
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:4628
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:5116
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:3272
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:2608
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:5100
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:3376
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:3832
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:1584
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:4936
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1100
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1400
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1700
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4108
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3404
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI22242\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22242\_asyncio.pyd

Filesize
32KB

MD5
7d2f4f793195eb2a67e1f9e4981c9c4e

SHA1
8f0def2c0d5fc89fb5975d7ab77d68e8f3c18604

SHA256
f0a9762a537399d42dd9e92307ad836fb28017633a0ff667ead192d3271a540d

SHA512
c48153e1e0d520208d87baa8a0493740ff16afdb34b95206cfaf127504ce1fd7705b70609d50ab08f804ded834bc575076b5d21a7a69a2e7d2e703aee6e8c646

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22242\_bz2.pyd

Filesize
44KB

MD5
3d2088f03b8fdbdce585012c0186b353

SHA1
0e8996b391f74563d763bef2e431020b6d05229d

SHA256
9f8b4a677b8184a60c3315670755ed971992c55dfcd8280774ffc77817cd9611

SHA512
0885f3099cd12042c61e0a994794abdf7706719f2330300d03ba3b1430abc60a2836b7f9553222534ed9667fa9ebb2f225a86e4ac68564bcb38a72958e528836

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22242\_cffi_backend.cp310-win_amd64.pyd

Filesize
71KB

MD5
7727212e7bdbf63b1a39fb7faad24265

SHA1
a8fdec19d6690081b2bf55247e8e17657a68ac97

SHA256
b0116303e1e903d6eb02a69d05879f38af1640813f4b110cb733ffff6e4e985c

SHA512
2b1a27642118dd228791d0d8ba307aa39ab2d9c7d3799cff9f3c0744fe270eeaefe5545a4fda6e74e86fee747e45bf5f6c9ac799950c2b483a16eb3ce85d816a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22242\_ctypes.pyd

Filesize
55KB

MD5
ef8a89b1a76c481df5255e3975d025cb

SHA1
8b2a13eaf2f37b51f00e5143e56df89d29ecc3bd

SHA256
9aaafc4f450a699029a1dc8c818886e3605dd40f35488d7679540c77eafa1b5b

SHA512
d30f2c1a89545f4f66048791b9f37e639664cd79f0e7380b3f35da09f0d6be3ec5d365081e07b9406d1d5b08b2504192b85748deb266b1cbadf51189404a82b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22242\_decimal.pyd

Filesize
102KB

MD5
34e05c43ead82c246b1823ed83b56c5e

SHA1
f8cf172a57638d059866fd00abed42d0550cae0e

SHA256
61953424f6359c460d25f304da49b56338149dc6a67a4b702eff7f4036b3ea6d

SHA512
7c3eb868c5fea40b4fcac10603c1bb60273c14f4bea20a3c38fce679998332a137ffa5bc5c7c3b45990d0863b14bc72f9e92ffc39d4b23f47c860e043b550a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22242\_hashlib.pyd

Filesize
32KB

MD5
dacb69169009998d69fbdfef4c0dd9e8

SHA1
793f86ea4adafd60ecad7497799df59b11213443

SHA256
2d0ff88e65e0c0e502974631c539ee5d355f2b17b113f835a5a4aff6cb03c173

SHA512
19e1c58cc6b70a40178a558170ccab3a31489f4ca49662ee909d3c12b33060685fcf18e41e9daa1498111bdb0e68355160bbc0891f2eb13cbe106f2db834a8ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22242\_lzma.pyd

Filesize
82KB

MD5
c312a9353b8cc4a01ba16a77cf84cee1

SHA1
27a2431b66f7319d666e85d29368f7e721a8da36

SHA256
50bc124862c170f4ce59f003ecc103a0aa3e2180caa99466812ca4520d4925a9

SHA512
340d5bcac85c14235e8bb46c4efa38dbd2f648470a8bcaf01c5daa5caa27e63367e1d3266f5426cee2904acad3b0b7243d7df0d2f2975e6d3247f49f359fdc44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22242\_multiprocessing.pyd

Filesize
23KB

MD5
7daa7ff4329fd7e1ace0ec2926b25bb7

SHA1
07b4bd8b65ed18c6913d011399097bcd589202d3

SHA256
e6ae85ffe5cddc5d9c9187a5dfc0b0b0bec3eba4cb7666cdac5b28c433e56808

SHA512
3dc07b888918ba49df1be823888fdbbbfc0f161db0e46cf6a6041014343c0c1b1016ad2eb2c982ed2f513d9cac3653c64665137c091f21125fbedb143df0beae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22242\_overlapped.pyd

Filesize
28KB

MD5
f005ba1a3959e87f97b7c701654a2751

SHA1
fd07361042814104f18ac80ba658466f27ad850e

SHA256
e43a8f704b2ed404ffe188fc57e7600b73ed01b107e58e024b8345bab4c3f14a

SHA512
252de47cf7b40f5c31471b7949ef2bf61ba9c2e00a726406e2fa0eb4f2177565c81249e674e8e41a6869e787e552166b4ac47cd01e3f5a931c58a775e6308ea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22242\_queue.pyd

Filesize
22KB

MD5
9e5db585986c35bbdb37c8ade021a73e

SHA1
89186c0e4737b7a92ee802b8f859a2a5211cac98

SHA256
55534c47d8b9e46e86363cfad69ad9dfab93d3c2fc90b5539d19be47fd0cdd05

SHA512
8a3643fcb28c9275e37e3daf3ae41d92bec96251ace52009359990919186d3337098995aa9dc134f117404985f42e5c0a79c8e87f1fc7f374ef805688bf7ae6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22242\_socket.pyd

Filesize
39KB

MD5
7af126cffd5718681441572d46f63e37

SHA1
83608518514890685550a5b8d502827b0a8ff6b4

SHA256
7738c3756b73282fdb800bbc544a85f15fe843941745d2e8ed88bc44c1e97637

SHA512
0b8dbcda13ac14e059114eb0e8d9662ecc4797af19b5d516cf250b216af545b6bfb5299da9bc2082a2d1db24a9286a799e9d5451178375b7d43da4e74a43a1ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22242\_sqlite3.pyd

Filesize
47KB

MD5
d00dcf342baded08a4b587db7674ce9b

SHA1
cd8d989f11dfa574433a80da2d6daf49c6379a48

SHA256
6ec3c71e65c037bfffa5b7af2ebe5668aedcb6480665682e8e7e110e37289518

SHA512
9a5f373f19c51b5aca88f47042516086fa515b7354a553a03f56101a6163f745d72f82b5d2af2eaab7c7271199355cacdfe1a848a06b8fcc23f653d1c525da29

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22242\_ssl.pyd

Filesize
59KB

MD5
67f0fd52d4b4fa801de864cafdccca42

SHA1
ff1f4e4cf0b269dcab87ec7c35493f21d2cd98be

SHA256
79db1bb8a6e542a743f050f776f7fe7f62088acefd317d72e3a13a914de036c7

SHA512
e7730c395efb9486ecf2613dee1ee4a1da2724d2fce5b84737957a8889b7df034e1f264fc18de3b9bd5026796906018974a93a29d40d24aa90fbe33c85bf0aa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22242\_uuid.pyd

Filesize
20KB

MD5
2ae02a5f40e9efbc503ad5a45561aba8

SHA1
5726c945e6d979bf304ca21c700608075f4a4ed1

SHA256
2b58278f3fca5d4bcc0c6e7aa8ede6e81a9798828375e38194c6c128fe32a1e8

SHA512
385c566399a2116d1a79aa517b88fdc984615787e906b0abdfb69e8cbd212c6459ad0fa2e2e616c7bab485229daefbf673d14f383b0b19e8c53ee7e73fbfc325

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22242\aiohttp\_http_parser.cp310-win_amd64.pyd

Filesize
81KB

MD5
23df1d1a4bfd29c6c0f89d1a42bbecbb

SHA1
b8e5686724223bd5e8ed0b7a3517cdc3005be66a

SHA256
10f7967a3c574caea10fd5a94c9b6eba405ed6afec402969424c143566593adc

SHA512
75a455a9eb96bd52f0d795188a1120ee14d36944c331d97b4c3da837238bd2928cff29df27c0f17093022d976c0c2e54189babd94c6dc927ac325216c340481a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22242\aiohttp\_http_writer.cp310-win_amd64.pyd

Filesize
24KB

MD5
b0e8cbf64f3728eee12e6e0756e67c95

SHA1
71bc5ae8847dac5d0737e6321833a37da655d538

SHA256
7a931c3108173c4d8cc4ed7304414fcd3ba67ceff81f84506dcdda8979f5f33b

SHA512
622126f5a1fc5e275680bb64648a8cac6a5eaf3e7d6a262f0002afc26cec6d9c3addbba257626ac54189b7f85e5abdfc3809954ce0437046fc64b643a4e8cb5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22242\aiohttp\_websocket\mask.cp310-win_amd64.pyd

Filesize
19KB

MD5
2b5d378afb9aeb031ed1a84f5c216291

SHA1
7955e2ec7e7ffa13e58af098d37c480c8f23ccad

SHA256
1d44b957609599fdf3115bb47bd668f560b63d4d84c74c1f7bf1f3dc05246d6a

SHA512
9102a95c57024afddb67b6500ce1606a2bf5923aa66f67e21fec23c1efb1c9a0cd77c55417b25c7cdbcda119cd817ea4219a1fe321a2f9300f8bffa99d8b0a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22242\aiohttp\_websocket\reader_c.cp310-win_amd64.pyd

Filesize
61KB

MD5
2cb730463ee9a2360b568bb54ff283b1

SHA1
e63b5d62d281f153ab2c3487f4423bec259e1bd5

SHA256
17b026c18dc25b2f8842da41484e39c8e92bd3ff9fe0f6d03f9fdc389991e7ae

SHA512
a7891ba2619cc6910c47ffac153ba31a3b17f67f08654f7a1fed380b1f4951673573f5e5a59e45e4edc432b135dbb57bb82c3b4cbdfc265d0daa6fca587ab732

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22242\base_library.zip

Filesize
859KB

MD5
32e73623efef1a8ea9a04196d0febd09

SHA1
e8f6cfce52cd6cc3fb5a52a177631aa961c0de9c

SHA256
8f052f386e7e29c25175dddfe823fc59656a6192d4cb885699d6b14f4845e3a9

SHA512
e38ba4ae3fcaa6c14b059aff1be5d995b339ae5e1b1995da63b50b62e9900083af558c25a3bf8eb5d17a86f587a7cd9fb7f085cc31c1ea3bd680106c336c0fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22242\cryptography\hazmat\bindings\_rust.pyd

Filesize
2.0MB

MD5
606a84af5a9cf8ad3cb0314e77fb7209

SHA1
6de88d8554488ffe3e48c9b14886da16d1703a69

SHA256
0693ffa4990fa8c1664485f3d2a41b581eac0b340d07d62242052a67bf2ed5c3

SHA512
97d451f025aefb487c5cea568eb430356adfe23908321f1c04f8fa4c03df87507eda8d9612c944be4fa733df4cec38a0e37bffd8865088064b749244d4321b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22242\frozenlist\_frozenlist.cp310-win_amd64.pyd

Filesize
36KB

MD5
219ad30aea7630a3696df28231405927

SHA1
ebaf69903305ea0803570cc2ff4cf43dd2bc812a

SHA256
06d38127de4cbd3243f861ea22897d490520e913f77011a37d915c4992433604

SHA512
72eb7323deb26931ea000690f85272ee71e19b2896af2b43ccd8bcfc3a299e0f8a7a3f1e339fbfe7c855e081cd94e21ae09ba3b8e2d16dbacddb838c31b4de13

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22242\libcrypto-1_1.dll

Filesize
1.1MB

MD5
5e999bc10636935a56a26b623718d4be

SHA1
378622eb481006983f14607fdce99641d161f244

SHA256
35460fc9fd3bac20826a5bd7608cbe71822ac172e014a6b0e0693bd1b6e255c1

SHA512
d28ecc0f001b91c06fe4572ad18eb49cb0c81c2b3496725d69f6f82eccd992047ecd5819e05e4f7bf786904b6c2e5d68fecc629fa50425a7d7abd9fe33c0052a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22242\libffi-7.dll

Filesize
23KB

MD5
d50ebf567149ead9d88933561cb87d09

SHA1
171df40e4187ebbfdf9aa1d76a33f769fb8a35ed

SHA256
6aa8e12ce7c8ad52dd2e3fabeb38a726447849669c084ea63d8e322a193033af

SHA512
7bcc9d6d3a097333e1e4b2b23c81ea1b5db7dbdc5d9d62ebaffb0fdfb6cfe86161520ac14dc835d1939be22b9f342531f48da70f765a60b8e2c3d7b9983021de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22242\libssl-1_1.dll

Filesize
200KB

MD5
8d8d9c30250f7042d25d73b9822efc45

SHA1
f6b83a793175e77f6e8a6add37204115da8cb319

SHA256
92bf5bdc30c53d52ab53b4f51e5f36f5b8be1235e7929590a9fddc86819dba1d

SHA512
ed40078d289b4293f4e22396f5b7d3016daec76a4406444ccd0a8b33d9c939a6f3274b4028b1c85914b32e69fc00c50ec9a710738746c9ee9962f86d99455bdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22242\multidict\_multidict.cp310-win_amd64.pyd

Filesize
20KB

MD5
7f691747ce66d3ed05a7c2c53220c8b5

SHA1
1d3f247042030cf8cf7c859002941beba5d15776

SHA256
7d6472a0d7f1a0740c7fc0d0d0ea6f7c6e7cb2b11b8c623c46a6fae1adb4e228

SHA512
b01f0e91039fc5b2782caaa0b3d56d5d1fe9e94424cc536cde9eca73a76747736060042e345af9edc5ef5bf5c154705d2c2dddf35536f305306be25a955a9f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22242\propcache\_helpers_c.cp310-win_amd64.pyd

Filesize
31KB

MD5
9fe92acae9522cd0044146e1b57c23fa

SHA1
ec8875039a387bb4ac302cd533b2fe27dbe75b43

SHA256
622077d084db60b50c43a1923d60c02f1900fffa3b5a11dfd34328e6fd341362

SHA512
cdf5dae191f9b6c75d5698d49d1a55a00695ac896a0823357ea7bf3332683231cb10b1544ec12fab5cf5a15117a92af18e1266f29ed3d3ccbcb56ff46a421e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22242\pyexpat.pyd

Filesize
84KB

MD5
6b2713f310ab692eac1fd5cbc5649132

SHA1
426b22c96a6f04cff186558c8cbc6f2815c5e1e0

SHA256
8800c7df298f5d8afa4dca596e0a627e633d67a651fe14b41ac2791d12ea512e

SHA512
716c2bcf6dac6d7d4a666c6809da44f35601f10608cd4403592607fa767d7568367296c3b3afd2cc7606a049d9998cb4d16e2ed4dad72464c32606a865c8a917

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22242\python3.DLL

Filesize
61KB

MD5
704d647d6921dbd71d27692c5a92a5fa

SHA1
6f0552ce789dc512f183b565d9f6bf6bf86c229d

SHA256
a1c5c6e4873aa53d75b35c512c1cbadf39315deeec21a3ada72b324551f1f769

SHA512
6b340d64c808388fe95e6d632027715fb5bd801f013debaaa97e5ecb27a6f6ace49bf23648517dd10734daff8f4f44969cff2276010bf7502e79417736a44ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22242\python310.dll

Filesize
1.4MB

MD5
36fd0e7f37bcc508f4c88bb93ee103fe

SHA1
305e8a7da7508ea0571efd0e6248ba32a54160e6

SHA256
e44fc24423b18f343fbbab490fcbfddb17aade548f01de0926428a1944e87a95

SHA512
9f47fb8a96595498342e53b23671fb7c96ca438427f8bec9aeef845ce604817d6200f544afe530b2906edcb0f448d42ca10c1824a9d2ebd5ced4beb4bd5c1bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22242\select.pyd

Filesize
22KB

MD5
35eecd97e3e1b5e0c75bf7b018e0f04b

SHA1
f1ea7b96d733b3ff8b93db70a6a9770be0e1ed77

SHA256
ea46b47dafc1fafaf790dae6a75fdf8eec4429a73a2369f4e956d3b3b19ccac4

SHA512
2be099a0f92aa026ca0a0d0ae1691f4513c65fb5f2a85b90e92090df09987957ce7ec69807b56280ae97834b237172a6baeb712659a512a46ca004433ef06446

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22242\sqlite3.dll

Filesize
612KB

MD5
e45c51708eb87295aa418c94f85490d2

SHA1
5d8c0683abdd4a56c1c29c368b998f50e2825112

SHA256
a8a26572f2e0ece5196fcecb7e54b29500d3f8deaf91cb0fd314f3af20342f8e

SHA512
d14046651961e740f7d62ba1cd4fc0ed8a156a47019bd99911c6fd72d1bdbdbda61eb12ea72f3b1161e87f6aeaf98b962ffcb2b9f223d191694d4caa2c79eb38

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22242\unicodedata.pyd

Filesize
286KB

MD5
47a9df0a0ec9232a3fa357da50454679

SHA1
be91c3991d20cc38e8dcd94acb96593e8e49ecbd

SHA256
799296850dd8a0774ac78d874700901b58a790e85fb3ae113a3174122cdc637b

SHA512
cdf8faeb17f122a5cad2dbb58b9e27d0ca6842cee62fbf1a0b7391edee2ffc66782bf85046077c16bba31330c22da0b198e0146e4f607374d3f2e98f927bd5f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI22242\yarl\_quoting_c.cp310-win_amd64.pyd

Filesize
41KB

MD5
8640834733897205d9193e1b21084135

SHA1
e452ae2dbabcc8691233428dd1da5d23961b047d

SHA256
bd209ab04ba8a3a40546832380547a460b1257f4fb4b4012f6fc48f9c36cc476

SHA512
365805a31ed3ef7648fa2fac49fecc0646dd5dfcad8468918623d962db6aab08339f510edccdaf1340f8bfc06a4628c070de947cdec55cfabdc3563af2de43e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zfy41psu.gc3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2948-204-0x000001B39BEE0000-0x000001B39BF02000-memory.dmp

Filesize
136KB

Download
memory/4720-107-0x00007FFC62F50000-0x00007FFC62F60000-memory.dmp

Filesize
64KB

Download
memory/4720-214-0x00007FFC5E1B0000-0x00007FFC5E1E2000-memory.dmp

Filesize
200KB

Download
memory/4720-121-0x00007FFC5EEB0000-0x00007FFC5EECB000-memory.dmp

Filesize
108KB

Download
memory/4720-120-0x00007FFC5F140000-0x00007FFC5F2B1000-memory.dmp

Filesize
1.4MB

Download
memory/4720-101-0x00007FFC63040000-0x00007FFC63064000-memory.dmp

Filesize
144KB

Download
memory/4720-97-0x00007FFC50020000-0x00007FFC50485000-memory.dmp

Filesize
4.4MB

Download
memory/4720-142-0x00007FFC5E0E0000-0x00007FFC5E0FE000-memory.dmp

Filesize
120KB

Download
memory/4720-141-0x00007FFC4FCA0000-0x00007FFC50017000-memory.dmp

Filesize
3.5MB

Download
memory/4720-60-0x00007FFC655E0000-0x00007FFC655EF000-memory.dmp

Filesize
60KB

Download
memory/4720-58-0x00007FFC63040000-0x00007FFC63064000-memory.dmp

Filesize
144KB

Download
memory/4720-146-0x00007FFC4EF50000-0x00007FFC4F74B000-memory.dmp

Filesize
8.0MB

Download
memory/4720-145-0x00007FFC5F030000-0x00007FFC5F044000-memory.dmp

Filesize
80KB

Download
memory/4720-147-0x00007FFC5BDF0000-0x00007FFC5BE27000-memory.dmp

Filesize
220KB

Download
memory/4720-138-0x00007FFC5EAF0000-0x00007FFC5EB01000-memory.dmp

Filesize
68KB

Download
memory/4720-137-0x00007FFC5F050000-0x00007FFC5F107000-memory.dmp

Filesize
732KB

Download
memory/4720-136-0x00007FFC5C790000-0x00007FFC5C7DD000-memory.dmp

Filesize
308KB

Download
memory/4720-135-0x00007FFC62F10000-0x00007FFC62F1A000-memory.dmp

Filesize
40KB

Download
memory/4720-134-0x00007FFC5E1B0000-0x00007FFC5E1E2000-memory.dmp

Filesize
200KB

Download
memory/4720-133-0x00007FFC5EB10000-0x00007FFC5EB28000-memory.dmp

Filesize
96KB

Download
memory/4720-132-0x000001B4D2430000-0x000001B4D27A7000-memory.dmp

Filesize
3.5MB

Download
memory/4720-81-0x00007FFC5FB80000-0x00007FFC5FB99000-memory.dmp

Filesize
100KB

Download
memory/4720-127-0x00007FFC5F110000-0x00007FFC5F13E000-memory.dmp

Filesize
184KB

Download
memory/4720-50-0x00007FFC50020000-0x00007FFC50485000-memory.dmp

Filesize
4.4MB

Download
memory/4720-83-0x00007FFC630A0000-0x00007FFC630AD000-memory.dmp

Filesize
52KB

Download
memory/4720-118-0x00007FFC4FAC0000-0x00007FFC4FBD8000-memory.dmp

Filesize
1.1MB

Download
memory/4720-117-0x00007FFC5F2C0000-0x00007FFC5F2DE000-memory.dmp

Filesize
120KB

Download
memory/4720-114-0x00007FFC5EED0000-0x00007FFC5EEF2000-memory.dmp

Filesize
136KB

Download
memory/4720-113-0x00007FFC5EFF0000-0x00007FFC5F005000-memory.dmp

Filesize
84KB

Download
memory/4720-89-0x00007FFC5F2C0000-0x00007FFC5F2DE000-memory.dmp

Filesize
120KB

Download
memory/4720-109-0x00007FFC5F010000-0x00007FFC5F024000-memory.dmp

Filesize
80KB

Download
memory/4720-93-0x00007FFC5F110000-0x00007FFC5F13E000-memory.dmp

Filesize
184KB

Download
memory/4720-87-0x00007FFC5F9D0000-0x00007FFC5F9FC000-memory.dmp

Filesize
176KB

Download
memory/4720-106-0x00007FFC5FB80000-0x00007FFC5FB99000-memory.dmp

Filesize
100KB

Download
memory/4720-100-0x00007FFC4FCA0000-0x00007FFC50017000-memory.dmp

Filesize
3.5MB

Download
memory/4720-99-0x000001B4D2430000-0x000001B4D27A7000-memory.dmp

Filesize
3.5MB

Download
memory/4720-98-0x00007FFC5F050000-0x00007FFC5F107000-memory.dmp

Filesize
732KB

Download
memory/4720-159-0x00007FFC5EED0000-0x00007FFC5EEF2000-memory.dmp

Filesize
136KB

Download
memory/4720-195-0x00007FFC5F780000-0x00007FFC5F78D000-memory.dmp

Filesize
52KB

Download
memory/4720-91-0x00007FFC5F140000-0x00007FFC5F2B1000-memory.dmp

Filesize
1.4MB

Download
memory/4720-85-0x00007FFC5FB60000-0x00007FFC5FB78000-memory.dmp

Filesize
96KB

Download
memory/4720-212-0x00007FFC5EEB0000-0x00007FFC5EECB000-memory.dmp

Filesize
108KB

Download
memory/4720-103-0x00007FFC5F030000-0x00007FFC5F044000-memory.dmp

Filesize
80KB

Download
memory/4720-213-0x00007FFC5EB10000-0x00007FFC5EB28000-memory.dmp

Filesize
96KB

Download
memory/4720-215-0x00007FFC5C790000-0x00007FFC5C7DD000-memory.dmp

Filesize
308KB

Download
memory/4720-247-0x00007FFC5BDF0000-0x00007FFC5BE27000-memory.dmp

Filesize
220KB

Download
memory/4720-234-0x00007FFC62F50000-0x00007FFC62F60000-memory.dmp

Filesize
64KB

Download
memory/4720-249-0x00007FFC4EF50000-0x00007FFC4F74B000-memory.dmp

Filesize
8.0MB

Download
memory/4720-233-0x00007FFC5F030000-0x00007FFC5F044000-memory.dmp

Filesize
80KB

Download
memory/4720-232-0x00007FFC4FCA0000-0x00007FFC50017000-memory.dmp

Filesize
3.5MB

Download
memory/4720-231-0x00007FFC5F050000-0x00007FFC5F107000-memory.dmp

Filesize
732KB

Download
memory/4720-230-0x00007FFC5F110000-0x00007FFC5F13E000-memory.dmp

Filesize
184KB

Download
memory/4720-229-0x00007FFC5F140000-0x00007FFC5F2B1000-memory.dmp

Filesize
1.4MB

Download
memory/4720-228-0x00007FFC5F2C0000-0x00007FFC5F2DE000-memory.dmp

Filesize
120KB

Download
memory/4720-222-0x00007FFC63040000-0x00007FFC63064000-memory.dmp

Filesize
144KB

Download
memory/4720-221-0x00007FFC50020000-0x00007FFC50485000-memory.dmp

Filesize
4.4MB

Download
memory/4720-274-0x00007FFC62F10000-0x00007FFC62F1A000-memory.dmp

Filesize
40KB

Download
memory/4720-275-0x00007FFC5E0E0000-0x00007FFC5E0FE000-memory.dmp

Filesize
120KB

Download
memory/4720-280-0x00007FFC5EEB0000-0x00007FFC5EECB000-memory.dmp

Filesize
108KB

Download
memory/4720-279-0x00007FFC5C790000-0x00007FFC5C7DD000-memory.dmp

Filesize
308KB

Download
memory/4720-278-0x00007FFC5F780000-0x00007FFC5F78D000-memory.dmp

Filesize
52KB

Download
memory/4720-277-0x00007FFC5BDF0000-0x00007FFC5BE27000-memory.dmp

Filesize
220KB

Download
memory/4720-273-0x00007FFC5E1B0000-0x00007FFC5E1E2000-memory.dmp

Filesize
200KB

Download
memory/4720-272-0x00007FFC5EAF0000-0x00007FFC5EB01000-memory.dmp

Filesize
68KB

Download
memory/4720-252-0x00007FFC63040000-0x00007FFC63064000-memory.dmp

Filesize
144KB

Download
memory/4720-270-0x00007FFC5EB10000-0x00007FFC5EB28000-memory.dmp

Filesize
96KB

Download
memory/4720-268-0x00007FFC4FAC0000-0x00007FFC4FBD8000-memory.dmp

Filesize
1.1MB

Download
memory/4720-267-0x00007FFC5EED0000-0x00007FFC5EEF2000-memory.dmp

Filesize
136KB

Download
memory/4720-266-0x00007FFC5EFF0000-0x00007FFC5F005000-memory.dmp

Filesize
84KB

Download
memory/4720-265-0x00007FFC5F010000-0x00007FFC5F024000-memory.dmp

Filesize
80KB

Download
memory/4720-264-0x00007FFC62F50000-0x00007FFC62F60000-memory.dmp

Filesize
64KB

Download
memory/4720-263-0x00007FFC5F030000-0x00007FFC5F044000-memory.dmp

Filesize
80KB

Download
memory/4720-262-0x00007FFC4FCA0000-0x00007FFC50017000-memory.dmp

Filesize
3.5MB

Download
memory/4720-261-0x00007FFC5F050000-0x00007FFC5F107000-memory.dmp

Filesize
732KB

Download
memory/4720-260-0x00007FFC5F110000-0x00007FFC5F13E000-memory.dmp

Filesize
184KB

Download
memory/4720-259-0x00007FFC5F140000-0x00007FFC5F2B1000-memory.dmp

Filesize
1.4MB

Download
memory/4720-258-0x00007FFC5F2C0000-0x00007FFC5F2DE000-memory.dmp

Filesize
120KB

Download
memory/4720-257-0x00007FFC5F9D0000-0x00007FFC5F9FC000-memory.dmp

Filesize
176KB

Download
memory/4720-256-0x00007FFC5FB60000-0x00007FFC5FB78000-memory.dmp

Filesize
96KB

Download
memory/4720-255-0x00007FFC630A0000-0x00007FFC630AD000-memory.dmp

Filesize
52KB

Download
memory/4720-254-0x00007FFC5FB80000-0x00007FFC5FB99000-memory.dmp

Filesize
100KB

Download
memory/4720-253-0x00007FFC655E0000-0x00007FFC655EF000-memory.dmp

Filesize
60KB

Download
memory/4720-276-0x00007FFC4EF50000-0x00007FFC4F74B000-memory.dmp

Filesize
8.0MB

Download
memory/4720-251-0x00007FFC50020000-0x00007FFC50485000-memory.dmp

Filesize
4.4MB

Download