exelastealer | b20c992d51e473212fe16dec2b5f865dceadc85194e6539065923e04e5b381ca

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
27-12-2024 20:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cracked vixen public.exe
Size

9.3MB
MD5

74c99cf85dc1aae39f394292577fe2b9
SHA1

9bb343e7505cbeca972215447981be6fb1f7be6f
SHA256

b20c992d51e473212fe16dec2b5f865dceadc85194e6539065923e04e5b381ca
SHA512

8f136022f8a814f6900ff23e2f41547514df72fef576628b8cd8a3b0338537013e25c9219c9e255cb0dad182239db54b72a6ac5cc51059af4c73399abe2f7597
SSDEEP

196608:p1LtmL/PHdzymvNm1E8giq1g9K5RHvUWvogWOxu9kXwvdbD903N/nbHCd9:Dt8/vYm1m1NqV5RHdBbAlbJ03tT2

Score

10^/10

exelastealer collection defense_evasion discovery evasion persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4844	netsh.exe
4812	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2276	powershell.exe
2488	cmd.exe

Loads dropped DLL 32 IoCs

pid	Process
3120	cracked vixen public.exe
3120	cracked vixen public.exe
3120	cracked vixen public.exe
3120	cracked vixen public.exe
3120	cracked vixen public.exe
3120	cracked vixen public.exe
3120	cracked vixen public.exe
3120	cracked vixen public.exe
3120	cracked vixen public.exe
3120	cracked vixen public.exe
3120	cracked vixen public.exe
3120	cracked vixen public.exe
3120	cracked vixen public.exe
3120	cracked vixen public.exe
3120	cracked vixen public.exe
3120	cracked vixen public.exe
3120	cracked vixen public.exe
3120	cracked vixen public.exe
3120	cracked vixen public.exe
3120	cracked vixen public.exe
3120	cracked vixen public.exe
3120	cracked vixen public.exe
3120	cracked vixen public.exe
3120	cracked vixen public.exe
3120	cracked vixen public.exe
3120	cracked vixen public.exe
3120	cracked vixen public.exe
3120	cracked vixen public.exe
3120	cracked vixen public.exe
3120	cracked vixen public.exe
3120	cracked vixen public.exe
3120	cracked vixen public.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
23	discord.com
24	discord.com
26	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2324	ARP.EXE
4144	cmd.exe

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
1520	tasklist.exe
316	tasklist.exe
3340	tasklist.exe
3160	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2908	cmd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023c77-46.dat	upx
behavioral2/memory/3120-50-0x00007FFD31340000-0x00007FFD317AA000-memory.dmp	upx
behavioral2/files/0x0008000000023c00-52.dat	upx
behavioral2/files/0x0007000000023c6f-59.dat	upx
behavioral2/memory/3120-58-0x00007FFD328A0000-0x00007FFD328C4000-memory.dmp	upx
behavioral2/memory/3120-79-0x00007FFD3AA00000-0x00007FFD3AA0F000-memory.dmp	upx
behavioral2/files/0x000b000000023c34-78.dat	upx
behavioral2/files/0x0008000000023c1f-77.dat	upx
behavioral2/files/0x0008000000023c1e-76.dat	upx
behavioral2/files/0x0008000000023c1d-75.dat	upx
behavioral2/files/0x0008000000023c1c-74.dat	upx
behavioral2/files/0x0008000000023c1b-73.dat	upx
behavioral2/files/0x0008000000023c1a-72.dat	upx
behavioral2/files/0x0008000000023c14-71.dat	upx
behavioral2/files/0x0008000000023c02-70.dat	upx
behavioral2/files/0x0008000000023c01-69.dat	upx
behavioral2/files/0x0008000000023bfb-68.dat	upx
behavioral2/files/0x0008000000023bfa-67.dat	upx
behavioral2/files/0x0008000000023bf9-66.dat	upx
behavioral2/files/0x0007000000023c7a-65.dat	upx
behavioral2/files/0x0007000000023c79-64.dat	upx
behavioral2/files/0x0007000000023c78-63.dat	upx
behavioral2/files/0x0007000000023c75-62.dat	upx
behavioral2/files/0x0007000000023c70-61.dat	upx
behavioral2/files/0x0007000000023c6e-60.dat	upx
behavioral2/memory/3120-81-0x00007FFD37D20000-0x00007FFD37D39000-memory.dmp	upx
behavioral2/memory/3120-83-0x00007FFD3A320000-0x00007FFD3A32D000-memory.dmp	upx
behavioral2/memory/3120-85-0x00007FFD37780000-0x00007FFD37799000-memory.dmp	upx
behavioral2/memory/3120-87-0x00007FFD321E0000-0x00007FFD3220C000-memory.dmp	upx
behavioral2/memory/3120-89-0x00007FFD36820000-0x00007FFD3683E000-memory.dmp	upx
behavioral2/memory/3120-91-0x00007FFD311D0000-0x00007FFD3133D000-memory.dmp	upx
behavioral2/memory/3120-93-0x00007FFD321B0000-0x00007FFD321DE000-memory.dmp	upx
behavioral2/memory/3120-101-0x00007FFD328A0000-0x00007FFD328C4000-memory.dmp	upx
behavioral2/memory/3120-100-0x00007FFD227B0000-0x00007FFD22B24000-memory.dmp	upx
behavioral2/memory/3120-98-0x00007FFD31C40000-0x00007FFD31CF6000-memory.dmp	upx
behavioral2/memory/3120-97-0x00007FFD31340000-0x00007FFD317AA000-memory.dmp	upx
behavioral2/memory/3120-103-0x00007FFD36750000-0x00007FFD36764000-memory.dmp	upx
behavioral2/files/0x0007000000023c72-107.dat	upx
behavioral2/memory/3120-106-0x00007FFD36AB0000-0x00007FFD36AC0000-memory.dmp	upx
behavioral2/memory/3120-105-0x00007FFD37D20000-0x00007FFD37D39000-memory.dmp	upx
behavioral2/memory/3120-109-0x00007FFD32120000-0x00007FFD32134000-memory.dmp	upx
behavioral2/memory/3120-111-0x00007FFD32060000-0x00007FFD32075000-memory.dmp	upx
behavioral2/files/0x0007000000023c7c-112.dat	upx
behavioral2/memory/3120-114-0x00007FFD321E0000-0x00007FFD3220C000-memory.dmp	upx
behavioral2/memory/3120-119-0x00007FFD311D0000-0x00007FFD3133D000-memory.dmp	upx
behavioral2/memory/3120-118-0x00007FFD22690000-0x00007FFD227A8000-memory.dmp	upx
behavioral2/files/0x0007000000023c74-121.dat	upx
behavioral2/memory/3120-117-0x00007FFD36820000-0x00007FFD3683E000-memory.dmp	upx
behavioral2/memory/3120-116-0x00007FFD32030000-0x00007FFD32052000-memory.dmp	upx
behavioral2/memory/3120-122-0x00007FFD31F50000-0x00007FFD31F6B000-memory.dmp	upx
behavioral2/files/0x0008000000023c3f-123.dat	upx
behavioral2/memory/3120-126-0x00007FFD31E80000-0x00007FFD31E98000-memory.dmp	upx
behavioral2/memory/3120-125-0x00007FFD321B0000-0x00007FFD321DE000-memory.dmp	upx
behavioral2/files/0x0008000000023c3b-127.dat	upx
behavioral2/memory/3120-130-0x00007FFD31C40000-0x00007FFD31CF6000-memory.dmp	upx
behavioral2/files/0x0008000000023c4c-129.dat	upx
behavioral2/memory/3120-139-0x00007FFD36750000-0x00007FFD36764000-memory.dmp	upx
behavioral2/memory/3120-138-0x00007FFD31B10000-0x00007FFD31B42000-memory.dmp	upx
behavioral2/memory/3120-145-0x00007FFD31DF0000-0x00007FFD31E0E000-memory.dmp	upx
behavioral2/files/0x0007000000023c6b-143.dat	upx
behavioral2/memory/3120-147-0x00007FFD21E90000-0x00007FFD2268B000-memory.dmp	upx
behavioral2/memory/3120-144-0x00007FFD32110000-0x00007FFD3211A000-memory.dmp	upx
behavioral2/files/0x0007000000023c6d-142.dat	upx
behavioral2/memory/3120-149-0x00007FFD31AD0000-0x00007FFD31B07000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3244	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
220	cmd.exe
3212	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
4960	NETSTAT.EXE

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
1524	WMIC.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1928	ipconfig.exe
4960	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1956	systeminfo.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2276	powershell.exe
2276	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2204	WMIC.exe
Token: SeSecurityPrivilege	2204	WMIC.exe
Token: SeTakeOwnershipPrivilege	2204	WMIC.exe
Token: SeLoadDriverPrivilege	2204	WMIC.exe
Token: SeSystemProfilePrivilege	2204	WMIC.exe
Token: SeSystemtimePrivilege	2204	WMIC.exe
Token: SeProfSingleProcessPrivilege	2204	WMIC.exe
Token: SeIncBasePriorityPrivilege	2204	WMIC.exe
Token: SeCreatePagefilePrivilege	2204	WMIC.exe
Token: SeBackupPrivilege	2204	WMIC.exe
Token: SeRestorePrivilege	2204	WMIC.exe
Token: SeShutdownPrivilege	2204	WMIC.exe
Token: SeDebugPrivilege	2204	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2204	WMIC.exe
Token: SeRemoteShutdownPrivilege	2204	WMIC.exe
Token: SeUndockPrivilege	2204	WMIC.exe
Token: SeManageVolumePrivilege	2204	WMIC.exe
Token: 33	2204	WMIC.exe
Token: 34	2204	WMIC.exe
Token: 35	2204	WMIC.exe
Token: 36	2204	WMIC.exe
Token: SeDebugPrivilege	1520	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2204	WMIC.exe
Token: SeSecurityPrivilege	2204	WMIC.exe
Token: SeTakeOwnershipPrivilege	2204	WMIC.exe
Token: SeLoadDriverPrivilege	2204	WMIC.exe
Token: SeSystemProfilePrivilege	2204	WMIC.exe
Token: SeSystemtimePrivilege	2204	WMIC.exe
Token: SeProfSingleProcessPrivilege	2204	WMIC.exe
Token: SeIncBasePriorityPrivilege	2204	WMIC.exe
Token: SeCreatePagefilePrivilege	2204	WMIC.exe
Token: SeBackupPrivilege	2204	WMIC.exe
Token: SeRestorePrivilege	2204	WMIC.exe
Token: SeShutdownPrivilege	2204	WMIC.exe
Token: SeDebugPrivilege	2204	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2204	WMIC.exe
Token: SeRemoteShutdownPrivilege	2204	WMIC.exe
Token: SeUndockPrivilege	2204	WMIC.exe
Token: SeManageVolumePrivilege	2204	WMIC.exe
Token: 33	2204	WMIC.exe
Token: 34	2204	WMIC.exe
Token: 35	2204	WMIC.exe
Token: 36	2204	WMIC.exe
Token: SeDebugPrivilege	316	tasklist.exe
Token: SeDebugPrivilege	3340	tasklist.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeIncreaseQuotaPrivilege	1524	WMIC.exe
Token: SeSecurityPrivilege	1524	WMIC.exe
Token: SeTakeOwnershipPrivilege	1524	WMIC.exe
Token: SeLoadDriverPrivilege	1524	WMIC.exe
Token: SeSystemProfilePrivilege	1524	WMIC.exe
Token: SeSystemtimePrivilege	1524	WMIC.exe
Token: SeProfSingleProcessPrivilege	1524	WMIC.exe
Token: SeIncBasePriorityPrivilege	1524	WMIC.exe
Token: SeCreatePagefilePrivilege	1524	WMIC.exe
Token: SeBackupPrivilege	1524	WMIC.exe
Token: SeRestorePrivilege	1524	WMIC.exe
Token: SeShutdownPrivilege	1524	WMIC.exe
Token: SeDebugPrivilege	1524	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1524	WMIC.exe
Token: SeRemoteShutdownPrivilege	1524	WMIC.exe
Token: SeUndockPrivilege	1524	WMIC.exe
Token: SeManageVolumePrivilege	1524	WMIC.exe
Token: 33	1524	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1276 wrote to memory of 3120	1276	cracked vixen public.exe	82
PID 1276 wrote to memory of 3120	1276	cracked vixen public.exe	82
PID 3120 wrote to memory of 3132	3120	cracked vixen public.exe	83
PID 3120 wrote to memory of 3132	3120	cracked vixen public.exe	83
PID 3120 wrote to memory of 4704	3120	cracked vixen public.exe	85
PID 3120 wrote to memory of 4704	3120	cracked vixen public.exe	85
PID 3120 wrote to memory of 3116	3120	cracked vixen public.exe	86
PID 3120 wrote to memory of 3116	3120	cracked vixen public.exe	86
PID 4704 wrote to memory of 2204	4704	cmd.exe	89
PID 4704 wrote to memory of 2204	4704	cmd.exe	89
PID 3116 wrote to memory of 1520	3116	cmd.exe	90
PID 3116 wrote to memory of 1520	3116	cmd.exe	90
PID 3120 wrote to memory of 2908	3120	cracked vixen public.exe	92
PID 3120 wrote to memory of 2908	3120	cracked vixen public.exe	92
PID 2908 wrote to memory of 608	2908	cmd.exe	94
PID 2908 wrote to memory of 608	2908	cmd.exe	94
PID 3120 wrote to memory of 1668	3120	cracked vixen public.exe	95
PID 3120 wrote to memory of 1668	3120	cracked vixen public.exe	95
PID 3120 wrote to memory of 4448	3120	cracked vixen public.exe	96
PID 3120 wrote to memory of 4448	3120	cracked vixen public.exe	96
PID 4448 wrote to memory of 316	4448	cmd.exe	100
PID 4448 wrote to memory of 316	4448	cmd.exe	100
PID 1668 wrote to memory of 3112	1668	cmd.exe	99
PID 1668 wrote to memory of 3112	1668	cmd.exe	99
PID 3120 wrote to memory of 412	3120	cracked vixen public.exe	101
PID 3120 wrote to memory of 412	3120	cracked vixen public.exe	101
PID 3120 wrote to memory of 2072	3120	cracked vixen public.exe	102
PID 3120 wrote to memory of 2072	3120	cracked vixen public.exe	102
PID 3120 wrote to memory of 2440	3120	cracked vixen public.exe	103
PID 3120 wrote to memory of 2440	3120	cracked vixen public.exe	103
PID 3120 wrote to memory of 2488	3120	cracked vixen public.exe	104
PID 3120 wrote to memory of 2488	3120	cracked vixen public.exe	104
PID 2440 wrote to memory of 3340	2440	cmd.exe	109
PID 2440 wrote to memory of 3340	2440	cmd.exe	109
PID 2488 wrote to memory of 2276	2488	cmd.exe	110
PID 2488 wrote to memory of 2276	2488	cmd.exe	110
PID 2072 wrote to memory of 3764	2072	cmd.exe	111
PID 2072 wrote to memory of 3764	2072	cmd.exe	111
PID 412 wrote to memory of 1968	412	cmd.exe	112
PID 412 wrote to memory of 1968	412	cmd.exe	112
PID 3764 wrote to memory of 1728	3764	cmd.exe	113
PID 3764 wrote to memory of 1728	3764	cmd.exe	113
PID 1968 wrote to memory of 4416	1968	cmd.exe	114
PID 1968 wrote to memory of 4416	1968	cmd.exe	114
PID 3120 wrote to memory of 220	3120	cracked vixen public.exe	115
PID 3120 wrote to memory of 220	3120	cracked vixen public.exe	115
PID 3120 wrote to memory of 4144	3120	cracked vixen public.exe	116
PID 3120 wrote to memory of 4144	3120	cracked vixen public.exe	116
PID 4144 wrote to memory of 1956	4144	cmd.exe	119
PID 4144 wrote to memory of 1956	4144	cmd.exe	119
PID 220 wrote to memory of 3212	220	cmd.exe	120
PID 220 wrote to memory of 3212	220	cmd.exe	120
PID 4144 wrote to memory of 3280	4144	cmd.exe	122
PID 4144 wrote to memory of 3280	4144	cmd.exe	122
PID 4144 wrote to memory of 1524	4144	cmd.exe	123
PID 4144 wrote to memory of 1524	4144	cmd.exe	123
PID 4144 wrote to memory of 3048	4144	cmd.exe	124
PID 4144 wrote to memory of 3048	4144	cmd.exe	124
PID 3048 wrote to memory of 2904	3048	net.exe	125
PID 3048 wrote to memory of 2904	3048	net.exe	125
PID 4144 wrote to memory of 3728	4144	cmd.exe	126
PID 4144 wrote to memory of 3728	4144	cmd.exe	126
PID 3728 wrote to memory of 2944	3728	query.exe	127
PID 3728 wrote to memory of 2944	3728	query.exe	127

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
608	attrib.exe

C:\Users\Admin\AppData\Local\Temp\cracked vixen public.exe
"C:\Users\Admin\AppData\Local\Temp\cracked vixen public.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1276
- C:\Users\Admin\AppData\Local\Temp\cracked vixen public.exe
  "C:\Users\Admin\AppData\Local\Temp\cracked vixen public.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:3132
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4704
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3116
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Views/modifies file attributes
      PID:608
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1668
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:3112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4448
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:412
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1968
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:4416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3764
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:1728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2276
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:220
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    - Suspicious use of WriteProcessMemory
    PID:4144
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1956
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:3280
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      Suspicious use of AdjustPrivilegeToken
      PID:1524
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3048
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:2904
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3728
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:2944
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:4304
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:2392
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:4496
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:1392
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:2032
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:4848
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:4456
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:3884
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:1108
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:3160
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:1928
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:32
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:2324
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:4960
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:3244
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4844
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1036
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:468
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1560
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI12762\VCRUNTIME140.dll

Filesize
94KB

MD5
a87575e7cf8967e481241f13940ee4f7

SHA1
879098b8a353a39e16c79e6479195d43ce98629e

SHA256
ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e

SHA512
e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12762\_asyncio.pyd

Filesize
31KB

MD5
e43bf76d198fdd3e90d88be261d23ceb

SHA1
effe4b0decee8f927ee0dc193e8a2720729a054d

SHA256
888a55cda018d89cb252b1372214dc4d82f891de829a9e532d3fee7c824c3a31

SHA512
6da49d3546c4d8a199f9c756e4bb42bbeae221b8782ac0eb1793859fbb6a03c012ebc01e58fe0ce87d1ac0fb9b0dbd10dbfabc26ec306eda4058de351b0aa369

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12762\_bz2.pyd

Filesize
43KB

MD5
f3ae0c86090faa4d5cc898abfce850d6

SHA1
10fe6b9967f1f4eaec903d31056577a968720a1e

SHA256
dfa063e160e3120fd0cec3f2830fc9cbe73c1cbc29a3813c46bc3aa51d108b4e

SHA512
7cced9ec50acf614284d31289733f821ecdffd8f27bbf47786b08228e219498f2bcea9fca237763521162cb931ab4302784efc9a15691204d78c1df9c81f044d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12762\_cffi_backend.cp310-win_amd64.pyd

Filesize
71KB

MD5
7727212e7bdbf63b1a39fb7faad24265

SHA1
a8fdec19d6690081b2bf55247e8e17657a68ac97

SHA256
b0116303e1e903d6eb02a69d05879f38af1640813f4b110cb733ffff6e4e985c

SHA512
2b1a27642118dd228791d0d8ba307aa39ab2d9c7d3799cff9f3c0744fe270eeaefe5545a4fda6e74e86fee747e45bf5f6c9ac799950c2b483a16eb3ce85d816a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12762\_ctypes.pyd

Filesize
53KB

MD5
95ac54b88d97b76b3562302ac962ff48

SHA1
347e8e1cc8a995d169f891d27dfec626ede021a4

SHA256
840fe0e6747dad71633993f74ed6b188b92abf894c5f6094232ce708f4cad2fb

SHA512
217f3a91d0f1ece0eaa4a00db73ef58efc0ee0f89c1932be7897881bbd52e9a9565c5590a1824d676cc88bb6762385360696e32774a025418cf5794b15c0a47b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12762\_decimal.pyd

Filesize
100KB

MD5
17f760667aec745a0f6aaf8fd4295bce

SHA1
02e6797813291cf5093d33b78aec065cbbc23eaa

SHA256
cc21f3408122742136bbf616f928ebeef0eb797ec8cb3330a703ce494776eadd

SHA512
c4de9b0a5d01dd6e70acf280bb8368441a6eac5b62813c044f2ea0579094d484a5dbcad3eed94fb54f3e000fc59b6b4fe0c2cb3f3793b97d02aff564d3998e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12762\_hashlib.pyd

Filesize
30KB

MD5
c802eabf1f3e8e0439bda6da432b4a7a

SHA1
ce57c967afa6fedb2a2beced8d295b3a9e19d721

SHA256
0944dc7c37cce8000b283d4597956a46bd5bd1a6a1c01430799e20ab4bd09812

SHA512
484b8d5cba4742dcfde15fc87af8460aefa43e2434187297ec38d7e1b6a363a59d7b7b270d09d59f59229961e5e3554525c52fd6ac208f58848d838a5667c518

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12762\_lzma.pyd

Filesize
81KB

MD5
fd9f9c34a33410cf3be4dbb3fd4d24a7

SHA1
7c373b308f21c5a500580e5bbd19ce475a0a1dc6

SHA256
e6d746650e0d56bb45401431578d82beeb5848f6daccd90d85c5d62871576438

SHA512
dc73b34679bcef00d6f49cd8d3b534c1b4cbcd80b103e5ffd91a4d0452bee988b49781869f8bfb0828912571da3d9aa699affce568bf7801b9a8028a308375f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12762\_multiprocessing.pyd

Filesize
22KB

MD5
00c8b962093a2a15c7897624bfb95636

SHA1
c7d9ec9dbac8e3057ca32ef61b2522071e3fca7b

SHA256
3b53f60217ffba681089b2b509850d5eadc609c903ee44afcb90b07b194dde3d

SHA512
5523b2f97a6a6d544dd5a10c2915a3b99eaf5643ed23ce6f3928ccac0ed65899e988373deaf72b66b01eabb6497ca75350870d82e53d4231f80108eca6367e06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12762\_overlapped.pyd

Filesize
27KB

MD5
fb7da97236c448dfc756c50ea098c7eb

SHA1
73fb846df160411f09473978d6171a55c799df0c

SHA256
9421ab684e6694ef5c031799e6d4adb03d2d78baef12204f32cd0ed3873117f5

SHA512
bd7d254fa1e35240a8ea6e3f1d3666fd6835347d4a8d999d25219ca004c52c8f06514c3783dc263731770a8791759db0a4286e65216fe23531ef1e6164ca7ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12762\_queue.pyd

Filesize
21KB

MD5
7913aea43a788dd7552c058b2d8f9c56

SHA1
f9efba69852cdff646c60b2589a77ece2d9290dc

SHA256
89d731860535347abfca36bee005f25fb7952e7ae6853298f9ece7338aa02488

SHA512
f772d397fdd1479915491795dda5717e976556ca6ea157087a88938685d54592816343da3c5fde62c35495da5aeff8d09e7ee62b70b9168cb38b8ac3e4e79fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12762\_socket.pyd

Filesize
38KB

MD5
62ebe51baf1113beebe713439f86691c

SHA1
294c379e1c220c4de333d0f55a5babfab74698cc

SHA256
b26a6409323f8d15d476f9d04c7d45a205580f21b692df18e9656f08ef9a0328

SHA512
fb92732eabcf744a25871754c414239630787ba959a88727759d9bb6273a2f7bd1a6cd795ede873f2ebbff23bedd2177c142d41715e4083e75afc3e36e6c84ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12762\_sqlite3.pyd

Filesize
45KB

MD5
212b4609f25ff515cbd00eb73b4684d7

SHA1
2b0cce3a1cef72f45bca9d525f2ce541002aee18

SHA256
1fb515cceed1a5e62541d605d0943c6e8d24caeca7b7c04e4c662fefc6b1de90

SHA512
775a293146f112103a73ad7b160f5dd7f618eada9b89c93b48fa89f99b558086b631bd643a6de0f35dc0e53b3f05c8906b83321c986ce7fabc8a1b110a830136

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12762\_ssl.pyd

Filesize
57KB

MD5
97600eab6a73856e37c585d1b27220ae

SHA1
6ddf1b90ae5e9a26696916551d6a335289da8d79

SHA256
5fd57f2b9aac9bc84bb65c78ec5ed6f40b619636f2c4aac284b7a284d159044e

SHA512
3a3d7d0df1d48b876e9630acb68c62bdf598016fdfc65601bdbf6c3b4468acd8cf8e2557a215c5b823dd453fe7fce7beee38c59433392190932e3d002c8079a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12762\_uuid.pyd

Filesize
18KB

MD5
ee976258f5954cfe8c3ed3ab082fa811

SHA1
ebf1b311b2c73278c35b1af56f61740fcb688520

SHA256
cbc5dc5f119f557b7e3afce9f5de95ca03636870f0c57b811b52a9f083167251

SHA512
b0e44f4def68738ecfbb641c202b1ef927e665c260047509f7868e3a7a87aeed813af49b5852174f885a865f67ad048edeefefc6328c02cfff7b98ef6e1eb3f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12762\aiohttp\_http_parser.cp310-win_amd64.pyd

Filesize
81KB

MD5
23df1d1a4bfd29c6c0f89d1a42bbecbb

SHA1
b8e5686724223bd5e8ed0b7a3517cdc3005be66a

SHA256
10f7967a3c574caea10fd5a94c9b6eba405ed6afec402969424c143566593adc

SHA512
75a455a9eb96bd52f0d795188a1120ee14d36944c331d97b4c3da837238bd2928cff29df27c0f17093022d976c0c2e54189babd94c6dc927ac325216c340481a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12762\aiohttp\_http_writer.cp310-win_amd64.pyd

Filesize
24KB

MD5
b0e8cbf64f3728eee12e6e0756e67c95

SHA1
71bc5ae8847dac5d0737e6321833a37da655d538

SHA256
7a931c3108173c4d8cc4ed7304414fcd3ba67ceff81f84506dcdda8979f5f33b

SHA512
622126f5a1fc5e275680bb64648a8cac6a5eaf3e7d6a262f0002afc26cec6d9c3addbba257626ac54189b7f85e5abdfc3809954ce0437046fc64b643a4e8cb5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12762\aiohttp\_websocket\mask.cp310-win_amd64.pyd

Filesize
19KB

MD5
2b5d378afb9aeb031ed1a84f5c216291

SHA1
7955e2ec7e7ffa13e58af098d37c480c8f23ccad

SHA256
1d44b957609599fdf3115bb47bd668f560b63d4d84c74c1f7bf1f3dc05246d6a

SHA512
9102a95c57024afddb67b6500ce1606a2bf5923aa66f67e21fec23c1efb1c9a0cd77c55417b25c7cdbcda119cd817ea4219a1fe321a2f9300f8bffa99d8b0a31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12762\aiohttp\_websocket\reader_c.cp310-win_amd64.pyd

Filesize
61KB

MD5
2cb730463ee9a2360b568bb54ff283b1

SHA1
e63b5d62d281f153ab2c3487f4423bec259e1bd5

SHA256
17b026c18dc25b2f8842da41484e39c8e92bd3ff9fe0f6d03f9fdc389991e7ae

SHA512
a7891ba2619cc6910c47ffac153ba31a3b17f67f08654f7a1fed380b1f4951673573f5e5a59e45e4edc432b135dbb57bb82c3b4cbdfc265d0daa6fca587ab732

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12762\base_library.zip

Filesize
858KB

MD5
f96a471b8907296f79920b9c7adfeb70

SHA1
e3af1e73d5575f3283a4a0d90974c96fe95447ef

SHA256
b80aeac4bbd41c0e86f1dfd967cb171c517335b9dbcd42eb228a2f80731c5570

SHA512
559c205855ce8d03e979894d5669aa5f7e0263b2a5d46e64303f10885abfe8190404fe6995581d65aeaa0d80e20b52530a692b0ecbc81217596454ecf14c6e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12762\cryptography\hazmat\bindings\_rust.pyd

Filesize
2.0MB

MD5
606a84af5a9cf8ad3cb0314e77fb7209

SHA1
6de88d8554488ffe3e48c9b14886da16d1703a69

SHA256
0693ffa4990fa8c1664485f3d2a41b581eac0b340d07d62242052a67bf2ed5c3

SHA512
97d451f025aefb487c5cea568eb430356adfe23908321f1c04f8fa4c03df87507eda8d9612c944be4fa733df4cec38a0e37bffd8865088064b749244d4321b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12762\frozenlist\_frozenlist.cp310-win_amd64.pyd

Filesize
36KB

MD5
219ad30aea7630a3696df28231405927

SHA1
ebaf69903305ea0803570cc2ff4cf43dd2bc812a

SHA256
06d38127de4cbd3243f861ea22897d490520e913f77011a37d915c4992433604

SHA512
72eb7323deb26931ea000690f85272ee71e19b2896af2b43ccd8bcfc3a299e0f8a7a3f1e339fbfe7c855e081cd94e21ae09ba3b8e2d16dbacddb838c31b4de13

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12762\libcrypto-1_1.dll

Filesize
1.1MB

MD5
700f32459dca0f54c982cd1c1ddd6b8b

SHA1
2538711c091ac3f572cb0f13539a68df0f228f28

SHA256
1de22bd1a0154d49f48b3fab94fb1fb1abd8bfed37d18e79a86ecd7cdab893c9

SHA512
99de1f5cb78c83fc6af0a475fb556f1ac58a1ba734efc69d507bf5dc1b0535a401d901324be845d7a59db021f8967cf33a7b105b2ddcb2e02a39dc0311e7c36d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12762\libffi-7.dll

Filesize
23KB

MD5
d50ebf567149ead9d88933561cb87d09

SHA1
171df40e4187ebbfdf9aa1d76a33f769fb8a35ed

SHA256
6aa8e12ce7c8ad52dd2e3fabeb38a726447849669c084ea63d8e322a193033af

SHA512
7bcc9d6d3a097333e1e4b2b23c81ea1b5db7dbdc5d9d62ebaffb0fdfb6cfe86161520ac14dc835d1939be22b9f342531f48da70f765a60b8e2c3d7b9983021de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12762\libssl-1_1.dll

Filesize
198KB

MD5
45498cefc9ead03a63c2822581cd11c6

SHA1
f96b6373237317e606b3715705a71db47e2cafad

SHA256
a84174a00dc98c98240ad5ee16c35e6ef932cebd5b8048ff418d3dd80f20deca

SHA512
4d3d8d33e7f3c2bf1cad3afbfba6ba53852d1314713ad60eeae1d51cc299a52b73da2c629273f9e0b7983ca01544c3645451cfa247911af4f81ca88a82cf6a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12762\multidict\_multidict.cp310-win_amd64.pyd

Filesize
20KB

MD5
7f691747ce66d3ed05a7c2c53220c8b5

SHA1
1d3f247042030cf8cf7c859002941beba5d15776

SHA256
7d6472a0d7f1a0740c7fc0d0d0ea6f7c6e7cb2b11b8c623c46a6fae1adb4e228

SHA512
b01f0e91039fc5b2782caaa0b3d56d5d1fe9e94424cc536cde9eca73a76747736060042e345af9edc5ef5bf5c154705d2c2dddf35536f305306be25a955a9f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12762\propcache\_helpers_c.cp310-win_amd64.pyd

Filesize
31KB

MD5
9fe92acae9522cd0044146e1b57c23fa

SHA1
ec8875039a387bb4ac302cd533b2fe27dbe75b43

SHA256
622077d084db60b50c43a1923d60c02f1900fffa3b5a11dfd34328e6fd341362

SHA512
cdf5dae191f9b6c75d5698d49d1a55a00695ac896a0823357ea7bf3332683231cb10b1544ec12fab5cf5a15117a92af18e1266f29ed3d3ccbcb56ff46a421e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12762\pyexpat.pyd

Filesize
81KB

MD5
3c0515908399a4b0f3126479b331966e

SHA1
1780b6431e4bf42cfd14ccedeaffbd160af71ac1

SHA256
91a06df979c0ff0bb3b827a5ae1513e0ee88b36d6635cf0a497258e3634dd796

SHA512
6dc3ecba1500c0988575f1ffb9ddd1ad7094174f87f4ea1b599e67ab9a27da12034c675a8c66e447147fd42bc0be99f19b582c83875f7f1c553f966368268467

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12762\python3.DLL

Filesize
60KB

MD5
64a9384c6b329fb089e4d1657a06b175

SHA1
ba0e6fcc3b1406356a40b9d8577b2e7ce69c4aea

SHA256
ec655cc34819d6a9677c0541fd7e7b2b8a92804e8bf73aee692a9c44d1a24b5d

SHA512
9593d38abfd46bb94409838dd9cbe603fbe154fa0043959512afc264dceec50d846eefa409bcf9936ee1a7c7313604a578b4051eb6fd6918f2beb0da6c8ee532

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12762\python310.dll

Filesize
1.4MB

MD5
018dfe78afe5062c01dffbe60545f7e5

SHA1
e5659111f6fd30c8b1140cbb1b5b094003d96793

SHA256
639283586b67d53b98858ff3a238248299b86a95171015ce6f96cc2ccf8209ca

SHA512
168e9b9b31a0e4c291616b90e2c0ef836e8f07a1d776c48621979d4ef6b8cd7ece52fd2d920b44821a48055c5d89bd2ff4286d23f0c9c0c996a89d6c51b3055a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12762\select.pyd

Filesize
21KB

MD5
bc21a2802218055093da6e3e1f3be5c8

SHA1
982165a8fa195c856d927e311820a979088752d0

SHA256
0ee02e920c0f537a606aa4b3807294aaddd3e467f88776ea54e19ce2f61de7ff

SHA512
2feb520a3e709ccf1163eaa5db62d8589cd6fb3b15d023d31e96ec50f5453a79d1299cddd075db3084dccbb362da0e877e26b8b79d944109af95de65b31e03d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12762\sqlite3.dll

Filesize
605KB

MD5
486348762469a514e1e5a689dbdc3b23

SHA1
b9e599d135c6a3b952b7bc74ba42cc754b8f2213

SHA256
ed74b4798a348e693e1263ea80b5636e0b2de1fd2f3353b80b78b632b8e7b843

SHA512
61e51e6d2faf1a805c9220f954866b2c7cb3e19d99a4591865eaad8c40ad1ceeac72700cd6a4b5fb81e406f6a5e9fca68b98f8efbd7f772b91bc2cbeaeab11c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12762\unicodedata.pyd

Filesize
284KB

MD5
19afee0699eba966446972f813c62eed

SHA1
861f15b0529ee296890c4b177644c89cd51dd044

SHA256
a829cb1a28080d7ebb403a2af0d8e341c47d30732d7f7764bf9bbf02473c2db6

SHA512
e1c4b31bfc390e257acc054eb8179292cbb1eb4018a93231caacf7a29c78ce713f3cd365c842447be54f1ced4ba64db1a85a639ca6f97a6049300fb76b1889d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI12762\yarl\_quoting_c.cp310-win_amd64.pyd

Filesize
41KB

MD5
8640834733897205d9193e1b21084135

SHA1
e452ae2dbabcc8691233428dd1da5d23961b047d

SHA256
bd209ab04ba8a3a40546832380547a460b1257f4fb4b4012f6fc48f9c36cc476

SHA512
365805a31ed3ef7648fa2fac49fecc0646dd5dfcad8468918623d962db6aab08339f510edccdaf1340f8bfc06a4628c070de947cdec55cfabdc3563af2de43e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_alebacey.kpv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2276-197-0x00000224A1B20000-0x00000224A1B42000-memory.dmp

Filesize
136KB

Download
memory/3120-139-0x00007FFD36750000-0x00007FFD36764000-memory.dmp

Filesize
80KB

Download
memory/3120-210-0x00007FFD31E30000-0x00007FFD31E7D000-memory.dmp

Filesize
308KB

Download
memory/3120-98-0x00007FFD31C40000-0x00007FFD31CF6000-memory.dmp

Filesize
728KB

Download
memory/3120-97-0x00007FFD31340000-0x00007FFD317AA000-memory.dmp

Filesize
4.4MB

Download
memory/3120-103-0x00007FFD36750000-0x00007FFD36764000-memory.dmp

Filesize
80KB

Download
memory/3120-101-0x00007FFD328A0000-0x00007FFD328C4000-memory.dmp

Filesize
144KB

Download
memory/3120-106-0x00007FFD36AB0000-0x00007FFD36AC0000-memory.dmp

Filesize
64KB

Download
memory/3120-105-0x00007FFD37D20000-0x00007FFD37D39000-memory.dmp

Filesize
100KB

Download
memory/3120-109-0x00007FFD32120000-0x00007FFD32134000-memory.dmp

Filesize
80KB

Download
memory/3120-111-0x00007FFD32060000-0x00007FFD32075000-memory.dmp

Filesize
84KB

Download
memory/3120-99-0x0000021D901F0000-0x0000021D90564000-memory.dmp

Filesize
3.5MB

Download
memory/3120-114-0x00007FFD321E0000-0x00007FFD3220C000-memory.dmp

Filesize
176KB

Download
memory/3120-119-0x00007FFD311D0000-0x00007FFD3133D000-memory.dmp

Filesize
1.4MB

Download
memory/3120-118-0x00007FFD22690000-0x00007FFD227A8000-memory.dmp

Filesize
1.1MB

Download
memory/3120-93-0x00007FFD321B0000-0x00007FFD321DE000-memory.dmp

Filesize
184KB

Download
memory/3120-117-0x00007FFD36820000-0x00007FFD3683E000-memory.dmp

Filesize
120KB

Download
memory/3120-116-0x00007FFD32030000-0x00007FFD32052000-memory.dmp

Filesize
136KB

Download
memory/3120-122-0x00007FFD31F50000-0x00007FFD31F6B000-memory.dmp

Filesize
108KB

Download
memory/3120-91-0x00007FFD311D0000-0x00007FFD3133D000-memory.dmp

Filesize
1.4MB

Download
memory/3120-126-0x00007FFD31E80000-0x00007FFD31E98000-memory.dmp

Filesize
96KB

Download
memory/3120-125-0x00007FFD321B0000-0x00007FFD321DE000-memory.dmp

Filesize
184KB

Download
memory/3120-89-0x00007FFD36820000-0x00007FFD3683E000-memory.dmp

Filesize
120KB

Download
memory/3120-130-0x00007FFD31C40000-0x00007FFD31CF6000-memory.dmp

Filesize
728KB

Download
memory/3120-87-0x00007FFD321E0000-0x00007FFD3220C000-memory.dmp

Filesize
176KB

Download
memory/3120-85-0x00007FFD37780000-0x00007FFD37799000-memory.dmp

Filesize
100KB

Download
memory/3120-138-0x00007FFD31B10000-0x00007FFD31B42000-memory.dmp

Filesize
200KB

Download
memory/3120-145-0x00007FFD31DF0000-0x00007FFD31E0E000-memory.dmp

Filesize
120KB

Download
memory/3120-83-0x00007FFD3A320000-0x00007FFD3A32D000-memory.dmp

Filesize
52KB

Download
memory/3120-147-0x00007FFD21E90000-0x00007FFD2268B000-memory.dmp

Filesize
8.0MB

Download
memory/3120-144-0x00007FFD32110000-0x00007FFD3211A000-memory.dmp

Filesize
40KB

Download
memory/3120-81-0x00007FFD37D20000-0x00007FFD37D39000-memory.dmp

Filesize
100KB

Download
memory/3120-149-0x00007FFD31AD0000-0x00007FFD31B07000-memory.dmp

Filesize
220KB

Download
memory/3120-148-0x00007FFD32030000-0x00007FFD32052000-memory.dmp

Filesize
136KB

Download
memory/3120-137-0x00007FFD31E10000-0x00007FFD31E21000-memory.dmp

Filesize
68KB

Download
memory/3120-136-0x00007FFD227B0000-0x00007FFD22B24000-memory.dmp

Filesize
3.5MB

Download
memory/3120-79-0x00007FFD3AA00000-0x00007FFD3AA0F000-memory.dmp

Filesize
60KB

Download
memory/3120-134-0x00007FFD31E30000-0x00007FFD31E7D000-memory.dmp

Filesize
308KB

Download
memory/3120-133-0x0000021D901F0000-0x0000021D90564000-memory.dmp

Filesize
3.5MB

Download
memory/3120-154-0x00007FFD22690000-0x00007FFD227A8000-memory.dmp

Filesize
1.1MB

Download
memory/3120-193-0x00007FFD31890000-0x00007FFD3189D000-memory.dmp

Filesize
52KB

Download
memory/3120-192-0x00007FFD31F50000-0x00007FFD31F6B000-memory.dmp

Filesize
108KB

Download
memory/3120-58-0x00007FFD328A0000-0x00007FFD328C4000-memory.dmp

Filesize
144KB

Download
memory/3120-50-0x00007FFD31340000-0x00007FFD317AA000-memory.dmp

Filesize
4.4MB

Download
memory/3120-100-0x00007FFD227B0000-0x00007FFD22B24000-memory.dmp

Filesize
3.5MB

Download
memory/3120-211-0x00007FFD31B10000-0x00007FFD31B42000-memory.dmp

Filesize
200KB

Download
memory/3120-231-0x00007FFD36AB0000-0x00007FFD36AC0000-memory.dmp

Filesize
64KB

Download
memory/3120-229-0x00007FFD227B0000-0x00007FFD22B24000-memory.dmp

Filesize
3.5MB

Download
memory/3120-245-0x00007FFD31890000-0x00007FFD3189D000-memory.dmp

Filesize
52KB

Download
memory/3120-246-0x00007FFD21E90000-0x00007FFD2268B000-memory.dmp

Filesize
8.0MB

Download
memory/3120-244-0x00007FFD31AD0000-0x00007FFD31B07000-memory.dmp

Filesize
220KB

Download
memory/3120-237-0x00007FFD31E80000-0x00007FFD31E98000-memory.dmp

Filesize
96KB

Download
memory/3120-225-0x00007FFD36820000-0x00007FFD3683E000-memory.dmp

Filesize
120KB

Download
memory/3120-219-0x00007FFD328A0000-0x00007FFD328C4000-memory.dmp

Filesize
144KB

Download
memory/3120-230-0x00007FFD36750000-0x00007FFD36764000-memory.dmp

Filesize
80KB

Download
memory/3120-228-0x00007FFD31C40000-0x00007FFD31CF6000-memory.dmp

Filesize
728KB

Download
memory/3120-226-0x00007FFD311D0000-0x00007FFD3133D000-memory.dmp

Filesize
1.4MB

Download
memory/3120-227-0x00007FFD321B0000-0x00007FFD321DE000-memory.dmp

Filesize
184KB

Download
memory/3120-218-0x00007FFD31340000-0x00007FFD317AA000-memory.dmp

Filesize
4.4MB

Download
memory/3120-258-0x00007FFD227B0000-0x00007FFD22B24000-memory.dmp

Filesize
3.5MB

Download
memory/3120-282-0x00007FFD36820000-0x00007FFD3683E000-memory.dmp

Filesize
120KB

Download
memory/3120-295-0x00007FFD31E30000-0x00007FFD31E7D000-memory.dmp

Filesize
308KB

Download
memory/3120-294-0x00007FFD31E80000-0x00007FFD31E98000-memory.dmp

Filesize
96KB

Download
memory/3120-293-0x00007FFD31F50000-0x00007FFD31F6B000-memory.dmp

Filesize
108KB

Download
memory/3120-292-0x00007FFD311D0000-0x00007FFD3133D000-memory.dmp

Filesize
1.4MB

Download
memory/3120-291-0x00007FFD32030000-0x00007FFD32052000-memory.dmp

Filesize
136KB

Download
memory/3120-290-0x00007FFD32060000-0x00007FFD32075000-memory.dmp

Filesize
84KB

Download
memory/3120-289-0x00007FFD32120000-0x00007FFD32134000-memory.dmp

Filesize
80KB

Download
memory/3120-288-0x00007FFD36AB0000-0x00007FFD36AC0000-memory.dmp

Filesize
64KB

Download
memory/3120-287-0x00007FFD36750000-0x00007FFD36764000-memory.dmp

Filesize
80KB

Download
memory/3120-286-0x00007FFD31E10000-0x00007FFD31E21000-memory.dmp

Filesize
68KB

Download
memory/3120-285-0x00007FFD31C40000-0x00007FFD31CF6000-memory.dmp

Filesize
728KB

Download
memory/3120-284-0x00007FFD321B0000-0x00007FFD321DE000-memory.dmp

Filesize
184KB

Download
memory/3120-283-0x00007FFD22690000-0x00007FFD227A8000-memory.dmp

Filesize
1.1MB

Download
memory/3120-281-0x00007FFD321E0000-0x00007FFD3220C000-memory.dmp

Filesize
176KB

Download
memory/3120-280-0x00007FFD37780000-0x00007FFD37799000-memory.dmp

Filesize
100KB

Download
memory/3120-279-0x00007FFD3A320000-0x00007FFD3A32D000-memory.dmp

Filesize
52KB

Download
memory/3120-278-0x00007FFD37D20000-0x00007FFD37D39000-memory.dmp

Filesize
100KB

Download
memory/3120-277-0x00007FFD3AA00000-0x00007FFD3AA0F000-memory.dmp

Filesize
60KB

Download
memory/3120-276-0x00007FFD328A0000-0x00007FFD328C4000-memory.dmp

Filesize
144KB

Download
memory/3120-275-0x00007FFD31B10000-0x00007FFD31B42000-memory.dmp

Filesize
200KB

Download
memory/3120-274-0x00007FFD31890000-0x00007FFD3189D000-memory.dmp

Filesize
52KB

Download
memory/3120-273-0x00007FFD31AD0000-0x00007FFD31B07000-memory.dmp

Filesize
220KB

Download
memory/3120-271-0x00007FFD31DF0000-0x00007FFD31E0E000-memory.dmp

Filesize
120KB

Download
memory/3120-270-0x00007FFD32110000-0x00007FFD3211A000-memory.dmp

Filesize
40KB

Download
memory/3120-272-0x00007FFD21E90000-0x00007FFD2268B000-memory.dmp

Filesize
8.0MB

Download
memory/3120-247-0x00007FFD31340000-0x00007FFD317AA000-memory.dmp

Filesize
4.4MB

Download