xworm | 0455cb69cbb1cfa6bf808cd04587b12e5b472b1234733127cf581fc8fbeb190b

Analysis

max time kernel
127s
max time network
151s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
29/12/2024, 19:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Server.exe
Size

14.6MB
MD5

2928da00b2513f425e73f07ad2475745
SHA1

17e5dc060ebabe16032c96670ca2e0f9c6026d2a
SHA256

0455cb69cbb1cfa6bf808cd04587b12e5b472b1234733127cf581fc8fbeb190b
SHA512

6ea489a28304f9bf8bb3ba220c25fd2c9e1ab74145381b3c1de46159598000eefa5d2a2e74b73d1dae636b77104246f51b306aa260d1a9e7b7c883257faec73e
SSDEEP

393216:rK1vMyfwX52ikwhX6TCXJVJDFZHTb8lMIKw4aJ4q:G1UswX5TkwhX6sPpguw4V

Score

10^/10

xworm execution persistence pyinstaller rat trojan upx

Malware Config

Extracted

Family

xworm

Version

5.0

147.185.221.18:13965

Mutex

kjDnGKIhO1rlIiCr

Attributes

Install_directory
%Temp%
install_file
svchost.exe

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0008000000003683-12.dat	family_xworm
behavioral1/memory/2644-14-0x00000000003D0000-0x00000000003E0000-memory.dmp	family_xworm
behavioral1/memory/1672-471-0x0000000001250000-0x0000000001260000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2724	powershell.exe
1844	powershell.exe
2192	powershell.exe
2552	powershell.exe
1248	powershell.exe
1604	powershell.exe
2724	powershell.exe
2616	powershell.exe
1808	powershell.exe
688	powershell.exe
2216	powershell.exe
2664	powershell.exe
2956	powershell.exe
1756	powershell.exe
324	powershell.exe
1040	powershell.exe
1396	powershell.exe
2512	powershell.exe
1772	powershell.exe
2560	powershell.exe
772	powershell.exe
2788	powershell.exe
2712	powershell.exe
1596	powershell.exe
820	powershell.exe
3016	powershell.exe
2916	powershell.exe
2540	powershell.exe
3016	powershell.exe
2412	powershell.exe
1020	powershell.exe
2520	powershell.exe
1840	powershell.exe
820	powershell.exe
1576	powershell.exe
1488	powershell.exe
2368	powershell.exe
1616	powershell.exe
3048	powershell.exe
1224	powershell.exe
1860	powershell.exe
2756	powershell.exe
1272	powershell.exe
1680	powershell.exe
2244	powershell.exe
2580	powershell.exe
304	powershell.exe
2600	powershell.exe
2992	powershell.exe
2508	powershell.exe
2396	powershell.exe
876	powershell.exe
2116	powershell.exe
2412	powershell.exe
2228	powershell.exe
2868	powershell.exe
1032	powershell.exe
1972	powershell.exe
1572	powershell.exe
1548	powershell.exe
2160	powershell.exe
2260	powershell.exe
2444	powershell.exe
2768	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	scvhost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	scvhost.exe

Executes dropped EXE 64 IoCs

pid	Process
2644	scvhost.exe
2324	Exela.exe
948	Exela.exe
2492	scvhost.exe
2352	Exela.exe
2116	Exela.exe
1204	Process not Found
2960	scvhost.exe
2784	Exela.exe
2312	Exela.exe
600	scvhost.exe
2552	Exela.exe
1028	Exela.exe
1824	scvhost.exe
1788	Exela.exe
880	Exela.exe
2256	scvhost.exe
1956	Exela.exe
1496	Exela.exe
1672	svchost.exe
2788	scvhost.exe
428	Exela.exe
2936	Exela.exe
1608	scvhost.exe
796	Exela.exe
1796	Exela.exe
2016	scvhost.exe
1648	Exela.exe
2772	Exela.exe
892	scvhost.exe
768	Exela.exe
556	Exela.exe
2744	scvhost.exe
2068	Exela.exe
2784	Exela.exe
760	scvhost.exe
684	Exela.exe
2168	Exela.exe
1616	scvhost.exe
1976	Exela.exe
2308	Exela.exe
1728	scvhost.exe
2508	Exela.exe
2596	Exela.exe
2876	scvhost.exe
1724	Exela.exe
2736	Exela.exe
2728	scvhost.exe
316	Exela.exe
112	Exela.exe
1728	scvhost.exe
2436	Exela.exe
2888	Exela.exe
2164	scvhost.exe
600	Exela.exe
2416	Exela.exe
984	scvhost.exe
2340	svchost.exe
1328	Exela.exe
1560	Exela.exe
2992	scvhost.exe
2996	Exela.exe
876	Exela.exe
2868	scvhost.exe

Loads dropped DLL 64 IoCs

pid	Process
2484	Server.exe
2324	Exela.exe
948	Exela.exe
2204	Server.exe
2352	Exela.exe
2116	Exela.exe
1204	Process not Found
1688	Server.exe
2784	Exela.exe
2312	Exela.exe
756	Server.exe
2552	Exela.exe
1028	Exela.exe
1276	Server.exe
1788	Exela.exe
880	Exela.exe
2896	Server.exe
1956	Exela.exe
1496	Exela.exe
2456	Server.exe
428	Exela.exe
2936	Exela.exe
2196	Server.exe
796	Exela.exe
1796	Exela.exe
2344	Server.exe
1648	Exela.exe
2772	Exela.exe
748	Server.exe
768	Exela.exe
556	Exela.exe
2972	Server.exe
2068	Exela.exe
2784	Exela.exe
1668	Server.exe
684	Exela.exe
2168	Exela.exe
2204	Server.exe
1976	Exela.exe
2308	Exela.exe
2188	Server.exe
2508	Exela.exe
2596	Exela.exe
2716	Server.exe
1724	Exela.exe
2736	Exela.exe
2300	Server.exe
316	Exela.exe
112	Exela.exe
2364	Server.exe
2436	Exela.exe
2888	Exela.exe
2852	Server.exe
600	Exela.exe
2416	Exela.exe
1108	Server.exe
1328	Exela.exe
1560	Exela.exe
1464	Server.exe
2996	Exela.exe
876	Exela.exe
2196	Server.exe
1012	Exela.exe
2480	Exela.exe

Adds Run key to start application 2 TTPs 52 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\scvhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\scvhost.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\scvhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\scvhost.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\scvhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\scvhost.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\scvhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\scvhost.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\scvhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\scvhost.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\scvhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\scvhost.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\scvhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\scvhost.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\scvhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\scvhost.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\scvhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\scvhost.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\scvhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\scvhost.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\scvhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\scvhost.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\scvhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\scvhost.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\svchost.exe"	scvhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\scvhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\scvhost.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\scvhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\scvhost.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\scvhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\scvhost.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\scvhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\scvhost.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\scvhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\scvhost.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\scvhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\scvhost.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\scvhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\scvhost.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\scvhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\scvhost.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\scvhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\scvhost.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\scvhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\scvhost.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\scvhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\scvhost.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Exela = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Exela.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\scvhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\scvhost.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\scvhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\scvhost.exe"	Server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\scvhost = "C:\\Users\\Admin\\AppData\\Local\\Temp\\scvhost.exe"	Server.exe

UPX packed file 46 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001a482-76.dat	upx
behavioral1/memory/948-78-0x000007FEF2500000-0x000007FEF2AE8000-memory.dmp	upx
behavioral1/memory/2116-165-0x000007FEEECE0000-0x000007FEEF2C8000-memory.dmp	upx
behavioral1/memory/2312-235-0x000007FEF2500000-0x000007FEF2AE8000-memory.dmp	upx
behavioral1/memory/2116-347-0x000007FEEECE0000-0x000007FEEF2C8000-memory.dmp	upx
behavioral1/memory/1028-348-0x000007FEECE00000-0x000007FEED3E8000-memory.dmp	upx
behavioral1/files/0x000400000001cc45-364.dat	upx
behavioral1/files/0x000400000001cc46-365.dat	upx
behavioral1/files/0x000400000001cc54-373.dat	upx
behavioral1/files/0x000400000001ccbd-375.dat	upx
behavioral1/files/0x000400000001cc71-374.dat	upx
behavioral1/files/0x000400000001cd36-379.dat	upx
behavioral1/files/0x000400000001cde8-381.dat	upx
behavioral1/files/0x000400000001cddd-380.dat	upx
behavioral1/files/0x000400000001cd15-378.dat	upx
behavioral1/files/0x000400000001cd0c-377.dat	upx
behavioral1/files/0x000400000001cfdf-395.dat	upx
behavioral1/files/0x000400000001d146-396.dat	upx
behavioral1/files/0x000400000001d14d-399.dat	upx
behavioral1/files/0x000400000001d14c-398.dat	upx
behavioral1/files/0x000400000001d14a-397.dat	upx
behavioral1/files/0x000400000001ccf0-376.dat	upx
behavioral1/files/0x000400000001cc4f-372.dat	upx
behavioral1/files/0x000400000001cc4e-371.dat	upx
behavioral1/files/0x000400000001cc4c-370.dat	upx
behavioral1/files/0x000400000001cc4b-369.dat	upx
behavioral1/files/0x000400000001d2bd-402.dat	upx
behavioral1/files/0x000400000001d33e-406.dat	upx
behavioral1/files/0x000400000001d35a-408.dat	upx
behavioral1/files/0x000400000001d34e-407.dat	upx
behavioral1/files/0x000400000001d334-405.dat	upx
behavioral1/files/0x000400000001d26c-401.dat	upx
behavioral1/files/0x000400000001d22c-400.dat	upx
behavioral1/files/0x000400000001cc4a-368.dat	upx
behavioral1/files/0x000400000001cc49-367.dat	upx
behavioral1/files/0x000400000001cc48-366.dat	upx
behavioral1/memory/1496-469-0x000007FEEC810000-0x000007FEECDF8000-memory.dmp	upx
behavioral1/memory/2936-572-0x000007FEEC220000-0x000007FEEC808000-memory.dmp	upx
behavioral1/memory/2772-729-0x000007FEEBC30000-0x000007FEEC218000-memory.dmp	upx
behavioral1/memory/556-786-0x000007FEEB640000-0x000007FEEBC28000-memory.dmp	upx
behavioral1/memory/2168-945-0x000007FEEB050000-0x000007FEEB638000-memory.dmp	upx
behavioral1/memory/2596-1062-0x000007FEEAA60000-0x000007FEEB048000-memory.dmp	upx
behavioral1/memory/2736-1165-0x000007FEEA470000-0x000007FEEAA58000-memory.dmp	upx
behavioral1/memory/2888-1327-0x000007FEE9E80000-0x000007FEEA468000-memory.dmp	upx
behavioral1/memory/1560-1563-0x000007FEE9890000-0x000007FEE9E78000-memory.dmp	upx
behavioral1/memory/876-1669-0x000007FEE92A0000-0x000007FEE9888000-memory.dmp	upx

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x002d000000016d70-24.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
880	schtasks.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
2724	powershell.exe
2756	powershell.exe
2508	powershell.exe
1272	powershell.exe
1572	powershell.exe
1840	powershell.exe
820	powershell.exe
1576	powershell.exe
2644	scvhost.exe
1548	powershell.exe
2788	powershell.exe
1488	powershell.exe
1844	powershell.exe
2712	powershell.exe
2616	powershell.exe
2160	powershell.exe
2368	powershell.exe
1020	powershell.exe
2664	powershell.exe
2956	powershell.exe
2396	powershell.exe
1596	powershell.exe
1616	powershell.exe
2192	powershell.exe
2512	powershell.exe
876	powershell.exe
1680	powershell.exe
3016	powershell.exe
2260	powershell.exe
2444	powershell.exe
324	powershell.exe
2768	powershell.exe
2244	powershell.exe
1808	powershell.exe
2116	powershell.exe
1248	powershell.exe
3048	powershell.exe
2580	powershell.exe
1040	powershell.exe
1756	powershell.exe
2412	powershell.exe
2916	powershell.exe
1032	powershell.exe
1772	powershell.exe
2228	powershell.exe
1860	powershell.exe
2724	powershell.exe
688	powershell.exe
304	powershell.exe
2540	powershell.exe
1604	powershell.exe
2216	powershell.exe
2600	powershell.exe
3016	powershell.exe
2868	powershell.exe
2560	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2644	scvhost.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	1272	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	2492	scvhost.exe
Token: SeDebugPrivilege	820	powershell.exe
Token: SeDebugPrivilege	1576	powershell.exe
Token: SeDebugPrivilege	2644	scvhost.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	2960	scvhost.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	600	scvhost.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	2712	powershell.exe
Token: SeDebugPrivilege	1824	scvhost.exe
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	2256	scvhost.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	1672	svchost.exe
Token: SeDebugPrivilege	1020	powershell.exe
Token: SeDebugPrivilege	2788	scvhost.exe
Token: SeDebugPrivilege	2664	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	1608	scvhost.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	2016	scvhost.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	892	scvhost.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	876	powershell.exe
Token: SeDebugPrivilege	2744	scvhost.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	760	scvhost.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	1616	scvhost.exe
Token: SeDebugPrivilege	324	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	1728	scvhost.exe
Token: SeDebugPrivilege	2244	powershell.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeDebugPrivilege	2876	scvhost.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	2728	scvhost.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	1728	scvhost.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	2164	scvhost.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	984	scvhost.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	2340	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2644	scvhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 2724	2484	Server.exe	30
PID 2484 wrote to memory of 2724	2484	Server.exe	30
PID 2484 wrote to memory of 2724	2484	Server.exe	30
PID 2484 wrote to memory of 2644	2484	Server.exe	32
PID 2484 wrote to memory of 2644	2484	Server.exe	32
PID 2484 wrote to memory of 2644	2484	Server.exe	32
PID 2484 wrote to memory of 2756	2484	Server.exe	33
PID 2484 wrote to memory of 2756	2484	Server.exe	33
PID 2484 wrote to memory of 2756	2484	Server.exe	33
PID 2484 wrote to memory of 2324	2484	Server.exe	35
PID 2484 wrote to memory of 2324	2484	Server.exe	35
PID 2484 wrote to memory of 2324	2484	Server.exe	35
PID 2484 wrote to memory of 2204	2484	Server.exe	36
PID 2484 wrote to memory of 2204	2484	Server.exe	36
PID 2484 wrote to memory of 2204	2484	Server.exe	36
PID 2324 wrote to memory of 948	2324	Exela.exe	37
PID 2324 wrote to memory of 948	2324	Exela.exe	37
PID 2324 wrote to memory of 948	2324	Exela.exe	37
PID 2644 wrote to memory of 2508	2644	scvhost.exe	38
PID 2644 wrote to memory of 2508	2644	scvhost.exe	38
PID 2644 wrote to memory of 2508	2644	scvhost.exe	38
PID 2644 wrote to memory of 1272	2644	scvhost.exe	40
PID 2644 wrote to memory of 1272	2644	scvhost.exe	40
PID 2644 wrote to memory of 1272	2644	scvhost.exe	40
PID 2204 wrote to memory of 1572	2204	Server.exe	42
PID 2204 wrote to memory of 1572	2204	Server.exe	42
PID 2204 wrote to memory of 1572	2204	Server.exe	42
PID 2644 wrote to memory of 1840	2644	scvhost.exe	44
PID 2644 wrote to memory of 1840	2644	scvhost.exe	44
PID 2644 wrote to memory of 1840	2644	scvhost.exe	44
PID 2204 wrote to memory of 2492	2204	Server.exe	46
PID 2204 wrote to memory of 2492	2204	Server.exe	46
PID 2204 wrote to memory of 2492	2204	Server.exe	46
PID 2204 wrote to memory of 820	2204	Server.exe	47
PID 2204 wrote to memory of 820	2204	Server.exe	47
PID 2204 wrote to memory of 820	2204	Server.exe	47
PID 2644 wrote to memory of 1576	2644	scvhost.exe	49
PID 2644 wrote to memory of 1576	2644	scvhost.exe	49
PID 2644 wrote to memory of 1576	2644	scvhost.exe	49
PID 2204 wrote to memory of 2352	2204	Server.exe	51
PID 2204 wrote to memory of 2352	2204	Server.exe	51
PID 2204 wrote to memory of 2352	2204	Server.exe	51
PID 2204 wrote to memory of 1688	2204	Server.exe	52
PID 2204 wrote to memory of 1688	2204	Server.exe	52
PID 2204 wrote to memory of 1688	2204	Server.exe	52
PID 2352 wrote to memory of 2116	2352	Exela.exe	53
PID 2352 wrote to memory of 2116	2352	Exela.exe	53
PID 2352 wrote to memory of 2116	2352	Exela.exe	53
PID 2644 wrote to memory of 880	2644	scvhost.exe	80
PID 2644 wrote to memory of 880	2644	scvhost.exe	80
PID 2644 wrote to memory of 880	2644	scvhost.exe	80
PID 1688 wrote to memory of 1548	1688	Server.exe	56
PID 1688 wrote to memory of 1548	1688	Server.exe	56
PID 1688 wrote to memory of 1548	1688	Server.exe	56
PID 1688 wrote to memory of 2960	1688	Server.exe	58
PID 1688 wrote to memory of 2960	1688	Server.exe	58
PID 1688 wrote to memory of 2960	1688	Server.exe	58
PID 1688 wrote to memory of 2788	1688	Server.exe	93
PID 1688 wrote to memory of 2788	1688	Server.exe	93
PID 1688 wrote to memory of 2788	1688	Server.exe	93
PID 1688 wrote to memory of 2784	1688	Server.exe	61
PID 1688 wrote to memory of 2784	1688	Server.exe	61
PID 1688 wrote to memory of 2784	1688	Server.exe	61
PID 1688 wrote to memory of 756	1688	Server.exe	62

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Server.exe
"C:\Users\Admin\AppData\Local\Temp\Server.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\scvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2724
- C:\Users\Admin\AppData\Local\Temp\scvhost.exe
  "C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2644
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\scvhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2508
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'scvhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1272
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1840
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1576
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:880
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2756
- C:\Users\Admin\AppData\Local\Temp\Exela.exe
  "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2324
- - C:\Users\Admin\AppData\Local\Temp\Exela.exe
    "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:948
- C:\Users\Admin\AppData\Local\Temp\Server.exe
  "C:\Users\Admin\AppData\Local\Temp\Server.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\scvhost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1572
- - C:\Users\Admin\AppData\Local\Temp\scvhost.exe
    "C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2492
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:820
- - C:\Users\Admin\AppData\Local\Temp\Exela.exe
    "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2352
  - - C:\Users\Admin\AppData\Local\Temp\Exela.exe
      "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2116
- - C:\Users\Admin\AppData\Local\Temp\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Server.exe"
    3⤵
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1688
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\scvhost.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1548
  - - C:\Users\Admin\AppData\Local\Temp\scvhost.exe
      "C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2960
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2788
  - - C:\Users\Admin\AppData\Local\Temp\Exela.exe
      "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2784
    - - C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2312
  - - C:\Users\Admin\AppData\Local\Temp\Server.exe
      "C:\Users\Admin\AppData\Local\Temp\Server.exe"
      4⤵
      Loads dropped DLL
      Adds Run key to start application
      PID:756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\scvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
    - - C:\Users\Admin\AppData\Local\Temp\scvhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
    - - C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2552
      - C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1028
    - - C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        5⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1276
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\scvhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
      - C:\Users\Admin\AppData\Local\Temp\scvhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
      - C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:880
      - C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        6⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2896
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\scvhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Users\Admin\AppData\Local\Temp\scvhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1496
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        7⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2456
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\scvhost.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1020
        
        C:\Users\Admin\AppData\Local\Temp\scvhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:428
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2936
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        8⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2196
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\scvhost.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Users\Admin\AppData\Local\Temp\scvhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:796
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1796
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        9⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2344
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\scvhost.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
        
        C:\Users\Admin\AppData\Local\Temp\scvhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        10⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\scvhost.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Users\Admin\AppData\Local\Temp\scvhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        11⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:768
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:556
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        11⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\scvhost.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\scvhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        12⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2784
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        12⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1668
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\scvhost.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\scvhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        13⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2168
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        13⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2204
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\scvhost.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
        
        C:\Users\Admin\AppData\Local\Temp\scvhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:324
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        14⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1976
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2308
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        14⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2188
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\scvhost.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Users\Admin\AppData\Local\Temp\scvhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        15⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2508
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        15⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2716
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\scvhost.exe'
        16⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\scvhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        16⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        16⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1724
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        16⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2300
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\scvhost.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
        
        C:\Users\Admin\AppData\Local\Temp\scvhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        17⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:316
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:112
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        17⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\scvhost.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\scvhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        18⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2436
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        18⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2852
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\scvhost.exe'
        19⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\scvhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        19⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        19⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:600
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2416
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        19⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\scvhost.exe'
        20⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
        
        C:\Users\Admin\AppData\Local\Temp\scvhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        20⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        20⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1560
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        20⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1464
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\scvhost.exe'
        21⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1772
        
        C:\Users\Admin\AppData\Local\Temp\scvhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
        21⤵
        Executes dropped EXE
        
        PID:2992
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        21⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        21⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2996
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        22⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:876
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        21⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2196
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\scvhost.exe'
        22⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1860
        
        C:\Users\Admin\AppData\Local\Temp\scvhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
        22⤵
        Executes dropped EXE
        
        PID:2868
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        22⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2724
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        22⤵
        Loads dropped DLL
        
        PID:1012
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        23⤵
        Loads dropped DLL
        
        PID:2480
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        22⤵
        Adds Run key to start application
        
        PID:3012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\scvhost.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:688
        
        C:\Users\Admin\AppData\Local\Temp\scvhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
        23⤵
        
        PID:2376
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:304
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        23⤵
        
        PID:2164
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        24⤵
        
        PID:1776
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        23⤵
        Adds Run key to start application
        
        PID:2528
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\scvhost.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\scvhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
        24⤵
        
        PID:1384
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        24⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        25⤵
        
        PID:2668
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        24⤵
        Adds Run key to start application
        
        PID:2748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\scvhost.exe'
        25⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2216
        
        C:\Users\Admin\AppData\Local\Temp\scvhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
        25⤵
        
        PID:1312
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        25⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2600
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        25⤵
        
        PID:2424
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        26⤵
        
        PID:572
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        25⤵
        Adds Run key to start application
        
        PID:2020
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\scvhost.exe'
        26⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:3016
        
        C:\Users\Admin\AppData\Local\Temp\scvhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
        26⤵
        
        PID:1580
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        26⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        26⤵
        
        PID:2528
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        27⤵
        
        PID:1380
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        26⤵
        Adds Run key to start application
        
        PID:2368
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\scvhost.exe'
        27⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        
        PID:2560
        
        C:\Users\Admin\AppData\Local\Temp\scvhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
        27⤵
        
        PID:2320
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2992
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        27⤵
        
        PID:520
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        28⤵
        
        PID:1732
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        27⤵
        
        PID:1564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\scvhost.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2412
        
        C:\Users\Admin\AppData\Local\Temp\scvhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
        28⤵
        
        PID:2656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:820
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        28⤵
        
        PID:2728
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        29⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        28⤵
        
        PID:2092
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\scvhost.exe'
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2552
        
        C:\Users\Admin\AppData\Local\Temp\scvhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
        29⤵
        
        PID:2972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1224
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        29⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        30⤵
        
        PID:2080
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        29⤵
        
        PID:3060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\scvhost.exe'
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1396
        
        C:\Users\Admin\AppData\Local\Temp\scvhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
        30⤵
        
        PID:2500
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        30⤵
        
        PID:2764
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        31⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        30⤵
        
        PID:1132
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\scvhost.exe'
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1972
        
        C:\Users\Admin\AppData\Local\Temp\scvhost.exe
        
        "C:\Users\Admin\AppData\Local\Temp\scvhost.exe"
        31⤵
        
        PID:1956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Exela.exe'
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        31⤵
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\Exela.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
        32⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Local\Temp\Server.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Server.exe"
        31⤵
        
        PID:1864

C:\Windows\system32\taskeng.exe
taskeng.exe {EDD7E844-00C9-4CA6-BA8C-6655CA56A83F} S-1-5-21-3692679935-4019334568-335155002-1000:BCXRJFKE\Admin:Interactive:[1]
1⤵
PID:2460
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1672
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  C:\Users\Admin\AppData\Local\Temp\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2340

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "154462663410078491914992379361847245008-1714344153-1938613531-1336766357-1508451373"
1⤵
PID:2956

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1222658880-1065348977-415300159347717174-184241609613134490213578494431329922910"
1⤵
PID:2712

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-464562268-6868500961094061198-822601054267991561-1850523673-1574828600-189567126"
1⤵
PID:1808

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-940015336-1549731622-316896013-2137655570-720305331357681670-14867955251616062037"
1⤵
PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI17882\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\_asyncio.pyd

Filesize
34KB

MD5
1b8ce772a230a5da8cbdccd8914080a5

SHA1
40d4faf1308d1af6ef9f3856a4f743046fd0ead5

SHA256
fa5a1e7031de5849ab2ab5a177e366b41e1df6bbd90c8d2418033a01c740771f

SHA512
d2fc21b9f58b57065b337c3513e7e6c3e2243b73c5a230e81c91dafcb6724b521ad766667848ba8d0a428d530691ffc4020de6ce9ce1eaa2bf5e15338114a603

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\_bz2.pyd

Filesize
46KB

MD5
80c69a1d87f0c82d6c4268e5a8213b78

SHA1
bae059da91d48eaac4f1bb45ca6feee2c89a2c06

SHA256
307359f1b2552b60839385eb63d74cbfe75cd5efdb4e7cd0bb7d296fa67d8a87

SHA512
542cf4ba19dd6a91690340779873e0cb8864b28159f55917f98a192ff9c449aba2d617e9b2b3932ddfeee13021706577ab164e5394e0513fe4087af6bc39d40d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\_cffi_backend.cp311-win_amd64.pyd

Filesize
71KB

MD5
0f0f1c4e1d043f212b00473a81c012a3

SHA1
ff9ff3c257dceefc74551e4e2bacde0faaef5aec

SHA256
fda255664cbf627cb6a9cd327daf4e3eb06f4f0707ed2615e86e2e99b422ad0b

SHA512
fcfa42f417e319bddf721f298587d1b26e6974e5d7589dfe6ddd2b013bc554a53db3725741fbc4941f34079ed8cb96f05934f3c2b933cda6a7e19cda315591a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\_ctypes.pyd

Filesize
57KB

MD5
b4c41a4a46e1d08206c109ce547480c7

SHA1
9588387007a49ec2304160f27376aedca5bc854d

SHA256
9925ab71a4d74ce0ccc036034d422782395dd496472bd2d7b6d617f4d6ddc1f9

SHA512
30debb8e766b430a57f3f6649eeb04eb0aad75ab50423252585db7e28a974d629eb81844a05f5cb94c1702308d3feda7a7a99cb37458e2acb8e87efc486a1d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\_decimal.pyd

Filesize
104KB

MD5
e9501519a447b13dcca19e09140c9e84

SHA1
472b1aa072454d065dfe415a05036ffd8804c181

SHA256
6b5fe2dea13b84e40b0278d1702aa29e9e2091f9dc09b64bbff5fd419a604c3c

SHA512
ef481e0e4f9b277642652cd090634e1c04702df789e2267a87205e0fe12b00f1de6cdd4fafb51da01efa726606c0b57fcb2ea373533c772983fc4777dc0acc63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\_hashlib.pyd

Filesize
33KB

MD5
0629bdb5ff24ce5e88a2ddcede608aee

SHA1
47323370992b80dafb6f210b0d0229665b063afb

SHA256
f404bb8371618bbd782201f092a3bcd7a96d3c143787ebea1d8d86ded1f4b3b8

SHA512
3faeff1a19893257c17571b89963af37534c189421585ea03dd6a3017d28803e9d08b0e4daceee01ffeda21da60e68d10083fe7dbdbbde313a6b489a40e70952

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\_lzma.pyd

Filesize
84KB

MD5
bfca96ed7647b31dd2919bedebb856b8

SHA1
7d802d5788784f8b6bfbb8be491c1f06600737ac

SHA256
032b1a139adcff84426b6e156f9987b501ad42ecfb18170b10fb54da0157392e

SHA512
3a2926b79c90c3153c88046d316a081c8ddfb181d5f7c849ea6ae55cb13c6adba3a0434f800c4a30017d2fbab79d459432a2e88487914b54a897c4301c778551

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\_multiprocessing.pyd

Filesize
25KB

MD5
849b4203c5f9092db9022732d8247c97

SHA1
ed7bd0d6dcdcfa07f754b98acf44a7cfe5dcb353

SHA256
45bfbab1d2373cf7a8af19e5887579b8a306b3ad0c4f57e8f666339177f1f807

SHA512
cc618b4fc918b423e5dbdcbc45206653133df16bf2125fd53bafef8f7850d2403564cf80f8a5d4abb4a8928ff1262f80f23c633ea109a18556d1871aff81cd39

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\_overlapped.pyd

Filesize
30KB

MD5
97a40f53a81c39469cc7c8dd00f51b5d

SHA1
6c3916fe42e7977d8a6b53bfbc5a579abcf22a83

SHA256
11879a429c996fee8be891af2bec7d00f966593f1e01ca0a60bd2005feb4176f

SHA512
02af654ab73b6c8bf15a81c0e9071c8faf064c529b1439a2ab476e1026c860cf7d01472945112d4583e5da8e4c57f1df2700331440be80066dbb6a7e89e1c5af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\_queue.pyd

Filesize
24KB

MD5
0614691624f99748ef1d971419bdb80d

SHA1
39c52450ed7e31e935b5b0e49d03330f2057747d

SHA256
ac7972502144e9e01e53001e8eec3fc9ab063564678b784d024da2036ba7384d

SHA512
184bc172c7bb8a1fb55c4c23950cbe5e0b5a3c96c1c555ed8476edf79c5c729ed297112ee01b45d771e5c0055d2dc402b566967d1900b5abf683ee8e668c5b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\_socket.pyd

Filesize
41KB

MD5
04e7eb0b6861495233247ac5bb33a89a

SHA1
c4d43474e0b378a00845cca044f68e224455612a

SHA256
7efe25284a4663df9458603bf0988b0f47c7dcf56119e3e853e6bda80831a383

SHA512
d4ea0484363edf284ac08a1c3356cc3112d410dd80fe5010c1777acf88dbd830e9f668b593e252033d657a3431a79f7b68d09eb071d0c2ceb51632dbe9b8ed97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\_sqlite3.pyd

Filesize
54KB

MD5
d9eeeeacc3a586cf2dbf6df366f6029e

SHA1
4ff9fb2842a13e9371ce7894ec4fe331b6af9219

SHA256
67649e1e8acd348834efb2c927ab6a7599cf76b2c0c0a50b137b3be89c482e29

SHA512
0b9f1d80fb92c796682dba94a75fbce0e4fbeaedccd50e21d42d4b9366463a830109a8cd4300aa62b41910655f8ca96ecc609ea8a1b84236250b6fd08c965830

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\_ssl.pyd

Filesize
60KB

MD5
fd0f4aed22736098dc146936cbf0ad1d

SHA1
e520def83b8efdbca9dd4b384a15880b036ee0cf

SHA256
50404a6a3de89497e9a1a03ff3df65c6028125586dced1a006d2abb9009a9892

SHA512
c8f3c04d87da19041f28e1d474c8eb052fe8c03ffd88f0681ef4a2ffe29755cfd5b9c100a1b1d2fdb233cb0f70e367af500cbd3cd4ce77475f441f2b2aa0ab8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\_uuid.pyd

Filesize
21KB

MD5
3377ae26c2987cfee095dff160f2c86c

SHA1
0ca6aa60618950e6d91a7dea530a65a1cdf16625

SHA256
9534cb9c997a17f0004fb70116e0141bdd516373b37bbd526d91ad080daa3a2b

SHA512
8e408b84e2130ff48b8004154d1bdf6a08109d0b40f9fafb6f55e9f215e418e05dca819f411c802792a9d9936a55d6b90460121583e5568579a0fda6935852ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\aiohttp\_http_parser.cp311-win_amd64.pyd

Filesize
81KB

MD5
d0015cdc0b5784fd149496e288c92b12

SHA1
df08b6934096525334803f0553200b571eb409d8

SHA256
53b2b23a54a04ba3166a703f95f66f97b480c5e292ba132dea1c5aa27a5b79fc

SHA512
a0bce0570b47c4b903cfb02a9525d179d9dcc1ac72e8f399c4d68eba8bbfe1aa7ed5a479c792371e7fbc3d5e83d6367ee88753c032f0699f4a596e258924aaa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\aiohttp\_http_writer.cp311-win_amd64.pyd

Filesize
24KB

MD5
01ad6d465ae412a90ffc4182859c6ed3

SHA1
3507f55ac173a3c7d79abed35751c7e0b8657d9e

SHA256
a265bc3961a251f72fa6517fc63fa776a23906a042b273d0b6237296dfe8d85f

SHA512
838b849b4d5f4881a6718a18470654050f78d48624bd480a8721e9f478d91497f60b75c61edc8bf356270e39597fe0f8ff61b2a518ef41a5565712b8885cc1b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\aiohttp\_websocket\mask.cp311-win_amd64.pyd

Filesize
19KB

MD5
986372efcb4a82c018492e96c9555acb

SHA1
8bee8140632511694cf79e932f41fe34a7057d4e

SHA256
8eff46f03756da5183fde6aacaeaaff8a503545fb2142e449db42dc0d9be7480

SHA512
f696fd1c75015bbd784c47e900b16c3234992c781287f71cf98f47b5994e1c2898cc5e63c2f02594ccc41f7173873699a10aa01fd23f3abc76d65fb6230087f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\aiohttp\_websocket\reader_c.cp311-win_amd64.pyd

Filesize
61KB

MD5
eef1b62d99dbbbf17a0df939a91186f1

SHA1
ac142397a477d62850ff638318b0e9d36c2245b8

SHA256
44d8861eddf16b8346655e05cf9ae82fc41ce58e38aff6e88f0ab9564e03bf98

SHA512
fe9f86107f667467f1e5b71812b571a023cc6c7e9a835afcc2d302a8373d6b690713518ee8bf201fecf382c40d154c2f8bd6dc60fad115aae65eb4a488a96b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\attrs-24.3.0.dist-info\METADATA

Filesize
11KB

MD5
0e682e7854fe836cad441326ab36d36d

SHA1
3efad7961f8f2dfb0a22a1eeabd3a92b9da0ab23

SHA256
7fd8611027805324bb89ec073d1b8c2c3cb5b6927abf2cbc47f4ca5270a6880f

SHA512
54fd3b0c98dce7c11691d08ca22c9c8a74cd838d03723dda3fbac326efc2550edb892f9d45aa3956c9c5c35b8c20fe096f6a002dee07150b437a1e7e76ac175a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\attrs-24.3.0.dist-info\RECORD

Filesize
3KB

MD5
c31f9f651add893db81193d7b4f54aa9

SHA1
745b7ecb5ffcef145f10f92ac2dc969bdda6f399

SHA256
3f4c872514e82078140dcaf518557221b471ee4305b131fbadad8659d2bebd00

SHA512
6984c4cae53c279060c67a15f19a76630e0bd33be24389be0dc349f4ce62470d67397280f678508fc4f0bcfa4e99dcf47107e868f7ef2264c60ecdfdc4103a8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\attrs-24.3.0.dist-info\WHEEL

Filesize
87B

MD5
e2fcb0ad9ea59332c808928b4b439e7a

SHA1
07311208d4849f821e8af25a89a9985c4503fbd8

SHA256
aad0b0a12256807936d52d4a6f88a1773236ae527564a688bab4e3fe780e8724

SHA512
d4cb3ca64d69678959c4f59b4d1cb992e8e2e046a6acb92341fd30b8ce862bd81a48cbfa09ec9ae2e735ffec5c12d246d1593a859615adee10984635a9ba8af9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\attrs-24.3.0.dist-info\licenses\LICENSE

Filesize
1KB

MD5
5e55731824cf9205cfabeab9a0600887

SHA1
243e9dd038d3d68c67d42c0c4ba80622c2a56246

SHA256
882115c95dfc2af1eeb6714f8ec6d5cbcabf667caff8729f42420da63f714e9f

SHA512
21b242bf6dcbafa16336d77a40e69685d7e64a43cc30e13e484c72a93cd4496a7276e18137dc601b6a8c3c193cb775db89853ecc6d6eb2956deee36826d5ebfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\base_library.zip

Filesize
1.4MB

MD5
2a138e2ee499d3ba2fc4afaef93b7caa

SHA1
508c733341845e94fce7c24b901fc683108df2a8

SHA256
130e506ead01b91b60d6d56072c468aeb5457dd0f2ecd6ce17dfcbb7d51a1f8c

SHA512
1f61a0fda5676e8ed8d10dfee78267f6d785f9c131f5caf2dd984e18ca9e5866b7658ab7edb2ffd74920a40ffea5cd55c0419f5e9ee57a043105e729e10d820b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\cryptography-44.0.0.dist-info\METADATA

Filesize
5KB

MD5
526d9ac9d8150602ec9ed8b9f4de7102

SHA1
dba2cb32c21c4b0f575e77bbcdd4fa468056f5e3

SHA256
d95f491ed418dc302db03804daf9335ce21b2df4704587e6851ef03e1f84d895

SHA512
fb13a2f6b64cb7e380a69424d484fc9b8758fa316a7a155ff062bfdacdca8f2c5d2a03898cd099688b1c16a5a0edcecfc42bf0d4d330926b10c3fce9f5238643

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\cryptography-44.0.0.dist-info\RECORD

Filesize
15KB

MD5
09af09857b22a20b1237c76423d111a3

SHA1
0fa4becccb7de4b5f56a5a2e84d8751a089b136e

SHA256
18508c295d7d68317791cab2dbfbff1b79c19b1812a83c7a15a01fc8263d5249

SHA512
d0d0c5f728e4f7bd136465722af8ceaaa83a7f70aa779c90f80ef7b5dda837e58c8dd1740b8ca5cb27e84e37b9b9fdaa63c2242e8ea60d21ee2ea814f846211a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\cryptography-44.0.0.dist-info\WHEEL

Filesize
94B

MD5
a868f93fcf51c4f1c25658d54f994349

SHA1
535c88a10911673deabb7889d365e81729e483a6

SHA256
1e7f5bcad669386a11e8ce14e715131c2d402693c3f41d713eb338493c658c45

SHA512
ec13cac9df03676640ef5da033e8c2faee63916f27cc27b9c43f0824b98ab4a6ecb4c8d7d039fa6674ef189bdd9265c8ed509c1d80dff610aeb9e081093aeb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\cryptography-44.0.0.dist-info\licenses\LICENSE

Filesize
197B

MD5
8c3617db4fb6fae01f1d253ab91511e4

SHA1
e442040c26cd76d1b946822caf29011a51f75d6d

SHA256
3e0c7c091a948b82533ba98fd7cbb40432d6f1a9acbf85f5922d2f99a93ae6bb

SHA512
77a1919e380730bcce5b55d76fbffba2f95874254fad955bd2fe1de7fc0e4e25b5fdaab0feffd6f230fa5dc895f593cf8bfedf8fdc113efbd8e22fadab0b8998

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\cryptography-44.0.0.dist-info\licenses\LICENSE.APACHE

Filesize
11KB

MD5
4e168cce331e5c827d4c2b68a6200e1b

SHA1
de33ead2bee64352544ce0aa9e410c0c44fdf7d9

SHA256
aac73b3148f6d1d7111dbca32099f68d26c644c6813ae1e4f05f6579aa2663fe

SHA512
f451048e81a49fbfa11b49de16ff46c52a8e3042d1bcc3a50aaf7712b097bed9ae9aed9149c21476c2a1e12f1583d4810a6d36569e993fe1ad3879942e5b0d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\cryptography-44.0.0.dist-info\licenses\LICENSE.BSD

Filesize
1KB

MD5
5ae30ba4123bc4f2fa49aa0b0dce887b

SHA1
ea5b412c09f3b29ba1d81a61b878c5c16ffe69d8

SHA256
602c4c7482de6479dd2e9793cda275e5e63d773dacd1eca689232ab7008fb4fb

SHA512
ddbb20c80adbc8f4118c10d3e116a5cd6536f72077c5916d87258e155be561b89eb45c6341a1e856ec308b49a4cb4dba1408eabd6a781fbe18d6c71c32b72c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\cryptography\hazmat\bindings\_rust.pyd

Filesize
2.0MB

MD5
606a84af5a9cf8ad3cb0314e77fb7209

SHA1
6de88d8554488ffe3e48c9b14886da16d1703a69

SHA256
0693ffa4990fa8c1664485f3d2a41b581eac0b340d07d62242052a67bf2ed5c3

SHA512
97d451f025aefb487c5cea568eb430356adfe23908321f1c04f8fa4c03df87507eda8d9612c944be4fa733df4cec38a0e37bffd8865088064b749244d4321b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\frozenlist\_frozenlist.cp311-win_amd64.pyd

Filesize
36KB

MD5
4958b93afcea376c56d67eb2d70645bc

SHA1
a5b31435c2925b585a14666cb23682bcba38a576

SHA256
bfeb41b7d1aeae29992a44dc992fd7c752b87b0f87d67cf452eba15e85341cbe

SHA512
be32abe68cef6c8e396de42f2b5adaff4373172b5b980e1bfff0944330f1bfad92b58cf00997f072da129522cd14b54d48b8a39dba1d3e0798ad863d7ba32a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\libcrypto-1_1.dll

Filesize
1.1MB

MD5
86cfc84f8407ab1be6cc64a9702882ef

SHA1
86f3c502ed64df2a5e10b085103c2ffc9e3a4130

SHA256
11b89cc5531b2a6b89fbbb406ebe8fb01f0bf789e672131b0354e10f9e091307

SHA512
b33f59497127cb1b4c1781693380576187c562563a9e367ce8abc14c97c51053a28af559cdd8bd66181012083e562c8a8771e3d46adeba269a848153a8e9173c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\libffi-8.dll

Filesize
24KB

MD5
decbba3add4c2246928ab385fb16a21e

SHA1
5f019eff11de3122ffa67a06d52d446a3448b75e

SHA256
4b43c1e42f6050ddb8e184c8ec4fb1de4a6001e068ece8e6ad47de0cc9fd4a2d

SHA512
760a42a3eb3ca13fa7b95d3bd0f411c270594ae3cf1d3cda349fa4f8b06ebe548b60cd438d68e2da37de0bc6f1c711823f5e917da02ed7047a45779ee08d7012

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\libssl-1_1.dll

Filesize
203KB

MD5
6cd33578bc5629930329ca3303f0fae1

SHA1
f2f8e3248a72f98d27f0cfa0010e32175a18487f

SHA256
4150ee603ad2da7a6cb6a895cb5bd928e3a99af7e73c604de1fc224e0809fdb0

SHA512
c236a6ccc8577c85509d378c1ef014621cab6f6f4aa26796ff32d8eec8e98ded2e55d358a7d236594f7a48646dc2a6bf25b42a37aed549440d52873ebca4713e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\multidict\_multidict.cp311-win_amd64.pyd

Filesize
20KB

MD5
5587c32d9bf7f76e1a9565df8b1b649f

SHA1
52ae204a65c15a09ecc73e7031e3ac5c3dcb71b2

SHA256
7075185db068e3c8f1b7db75e5aa5c500fc76ed8270c6abc6f49681d7119a782

SHA512
f21d0530389138457d6fdcdb3487a3c8b030338c569b2742f9e691e43af1d9e779c98426bad81b152f343b324a9375fe1322ef74030b1c8f8ba606d19e562e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\propcache\_helpers_c.cp311-win_amd64.pyd

Filesize
31KB

MD5
51f012d736c71a681948623455617995

SHA1
e6b5954870c90a81da9bf274df6ceac62d471ad8

SHA256
b495db6bac375f948efa2830073bf1b4496086e2b572b5353ebd07bcd07e200f

SHA512
a409f3ef69887761620403ca4bd2ebfbb8f3648139dd654d5da47f4fa61ff6d3e73557b3a19aefe59eb7ab9eb39d59048115c0bc2046bc09b3fdc7108b91dc3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\pyexpat.pyd

Filesize
86KB

MD5
fe0e32bfe3764ed5321454e1a01c81ec

SHA1
7690690df0a73bdcc54f0f04b674fc8a9a8f45fb

SHA256
b399bff10812e9ea2c9800f74cb0e5002f9d9379baf1a3cef9d438caca35dc92

SHA512
d1777f9e684a9e4174e18651e6d921ae11757ecdbeb4ee678c6a28e0903a4b9ab9f6e1419670b4d428ee20f86c7d424177ed9daf4365cf2ee376fcd065c1c92d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\python3.dll

Filesize
64KB

MD5
34e49bb1dfddf6037f0001d9aefe7d61

SHA1
a25a39dca11cdc195c9ecd49e95657a3e4fe3215

SHA256
4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281

SHA512
edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\select.pyd

Filesize
24KB

MD5
c39459806c712b3b3242f8376218c1e1

SHA1
85d254fb6cc5d6ed20a04026bff1158c8fd0a530

SHA256
7cbd4339285d145b422afa280cee685258bc659806be9cf8b334805bc45b29c9

SHA512
b727c6d1cd451d658e174161135d3be48d7efda21c775b8145bc527a54d6592bfc50919276c6498d2e2233ac1524c1699f59f0f467cc6e43e5b5e9558c87f49d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\sqlite3.dll

Filesize
608KB

MD5
895f001ae969364432372329caf08b6a

SHA1
4567fc6672501648b277fe83e6b468a7a2155ddf

SHA256
f5dd29e1e99cf8967f7f81487dc624714dcbec79c1630f929d5507fc95cbfad7

SHA512
05b4559d283ea84174da72a6c11b8b93b1586b4e7d8cda8d745c814f8f6dff566e75f9d7890f32bd9dfe43485244973860f83f96ba39296e28127c9396453261

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\unicodedata.pyd

Filesize
293KB

MD5
06a5e52caf03426218f0c08fc02cc6b8

SHA1
ae232c63620546716fbb97452d73948ebfd06b35

SHA256
118c31faa930f2849a14c3133df36420a5832114df90d77b09cde0ad5f96f33a

SHA512
546b1a01f36d3689b0fdeeda8b1ce55e7d3451731ca70fffe6627d542fff19d7a70e27147cab1920aae8bed88272342908d4e9d671d7aba74abb5db398b90718

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI17882\yarl\_quoting_c.cp311-win_amd64.pyd

Filesize
41KB

MD5
99569b47d3a55086013a5760a28ac6af

SHA1
9e5017979fb646b00c98f4fe2cf8c8f7d5dd3664

SHA256
469f039bfa377890b95c9d3413ece8ca296d156ad4ec194d8ec78d6b81a9d0b6

SHA512
8425d38d3b69472e5e41e4ece08ba2dbdd2d871c1bf083d859edec006a4ee9441796d53f1373f030c8ccf32b74bdaee2a9b3a32457cc53024d15322e5920895e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23242\python311.dll

Filesize
1.6MB

MD5
db09c9bbec6134db1766d369c339a0a1

SHA1
c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b

SHA256
b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79

SHA512
653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27842\attrs-24.3.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\scvhost.exe

Filesize
39KB

MD5
91ba4fceb243638cb0f2d6a29d11ce9d

SHA1
c564e9da7da346aaa84005e705fac2059b71130a

SHA256
8fde0700cff700537b60e6bd2f946f73132136aaf8018ca572f1a87ef7dea423

SHA512
5bcd8a459be0d550d97d15ed92ca0f0bcaf052d11ede8a870ff5e86af3a3749b0bbf61ea27c897df50f46882dbf078f480b7fc69c6232f13525518fefea9bdb6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d3916717cb0cd47338f3266910e54fc0

SHA1
e96b49debc7f99e7c709bcffde375ef9c2c7deff

SHA256
bd188f646900cdc08c0b8bb5c41a59e740884c0783f33f57cc5557a7c409861c

SHA512
3107574cb22c3554204fc053e7061ad3f2751d2457afaa64508582fe910bbaa5b652876dc9775a00254b9e38d48dc3dd4db4ef928e927e495882f340fb3f7bee

Download Submit
\Users\Admin\AppData\Local\Temp\Exela.exe

Filesize
10.8MB

MD5
9be787d3555fdd188e7afff03237ddb9

SHA1
4d9cbe8dabf49b6634768df630d612e44066c98f

SHA256
2a69e147b3a6b65f495cded51123466ddae96876dc2f5d36cd6bbb846e2ccb23

SHA512
077846c2645f7c3c9742416179cfab61a99e082a9b069e6cd9533952d4b95ca37a3fc489fd529bb2042047bdb9a2fd624a4ab56a12ccbfb755c0e9a5bfc6878f

Download Submit
memory/556-786-0x000007FEEB640000-0x000007FEEBC28000-memory.dmp

Filesize
5.9MB

Download
memory/876-1669-0x000007FEE92A0000-0x000007FEE9888000-memory.dmp

Filesize
5.9MB

Download
memory/948-78-0x000007FEF2500000-0x000007FEF2AE8000-memory.dmp

Filesize
5.9MB

Download
memory/1028-348-0x000007FEECE00000-0x000007FEED3E8000-memory.dmp

Filesize
5.9MB

Download
memory/1488-241-0x0000000002040000-0x0000000002048000-memory.dmp

Filesize
32KB

Download
memory/1496-469-0x000007FEEC810000-0x000007FEECDF8000-memory.dmp

Filesize
5.9MB

Download
memory/1560-1563-0x000007FEE9890000-0x000007FEE9E78000-memory.dmp

Filesize
5.9MB

Download
memory/1572-95-0x00000000022F0000-0x00000000022F8000-memory.dmp

Filesize
32KB

Download
memory/1672-471-0x0000000001250000-0x0000000001260000-memory.dmp

Filesize
64KB

Download
memory/1844-293-0x000000001B3D0000-0x000000001B6B2000-memory.dmp

Filesize
2.9MB

Download
memory/1844-294-0x0000000002420000-0x0000000002428000-memory.dmp

Filesize
32KB

Download
memory/2116-347-0x000007FEEECE0000-0x000007FEEF2C8000-memory.dmp

Filesize
5.9MB

Download
memory/2116-165-0x000007FEEECE0000-0x000007FEEF2C8000-memory.dmp

Filesize
5.9MB

Download
memory/2168-945-0x000007FEEB050000-0x000007FEEB638000-memory.dmp

Filesize
5.9MB

Download
memory/2312-235-0x000007FEF2500000-0x000007FEF2AE8000-memory.dmp

Filesize
5.9MB

Download
memory/2484-0-0x000007FEF5F63000-0x000007FEF5F64000-memory.dmp

Filesize
4KB

Download
memory/2484-1-0x0000000001050000-0x0000000001EEE000-memory.dmp

Filesize
14.6MB

Download
memory/2596-1062-0x000007FEEAA60000-0x000007FEEB048000-memory.dmp

Filesize
5.9MB

Download
memory/2644-14-0x00000000003D0000-0x00000000003E0000-memory.dmp

Filesize
64KB

Download
memory/2724-6-0x0000000002840000-0x00000000028C0000-memory.dmp

Filesize
512KB

Download
memory/2724-7-0x000000001B380000-0x000000001B662000-memory.dmp

Filesize
2.9MB

Download
memory/2724-8-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2736-1165-0x000007FEEA470000-0x000007FEEAA58000-memory.dmp

Filesize
5.9MB

Download
memory/2756-20-0x000000001B2D0000-0x000000001B5B2000-memory.dmp

Filesize
2.9MB

Download
memory/2756-21-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2772-729-0x000007FEEBC30000-0x000007FEEC218000-memory.dmp

Filesize
5.9MB

Download
memory/2888-1327-0x000007FEE9E80000-0x000007FEEA468000-memory.dmp

Filesize
5.9MB

Download
memory/2936-572-0x000007FEEC220000-0x000007FEEC808000-memory.dmp

Filesize
5.9MB

Download