exelastealer | ddd836101025f932bfa5cc4c8e216a90d7c3aa4babeda7ea6da5df2ac6db7df8

Analysis

max time kernel
30s
max time network
31s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-01-2025 15:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Exela.exe
Size

10.4MB
MD5

8c0aa3feb616840779479efb0b79f757
SHA1

a8e8d65fd0fe562eb3ad5ca4467d870932982bd0
SHA256

ddd836101025f932bfa5cc4c8e216a90d7c3aa4babeda7ea6da5df2ac6db7df8
SHA512

c475a576781f9c86e7436b0a69d15416e5601fce67f7b42c9b3897e64ab6aa87a04bbe59afd1d2a51932bbcf97185b66b8109af09d8f29b2f13dc5858017d49e
SSDEEP

196608:MmZzxVopeMPHNhvNm1E8giq1g9K5RHvUWvogWOxu9kXwvdbD903N60ne6H0o1uYM:xlrMvNh1m1NqV5RHdBbAlbJ03E0e6H02

Score

10^/10

exelastealer collection defense_evasion discovery evasion persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
548	netsh.exe
1408	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2196	cmd.exe
2416	powershell.exe

Loads dropped DLL 34 IoCs

pid	Process
4744	Exela.exe
4744	Exela.exe
4744	Exela.exe
4744	Exela.exe
4744	Exela.exe
4744	Exela.exe
4744	Exela.exe
4744	Exela.exe
4744	Exela.exe
4744	Exela.exe
4744	Exela.exe
4744	Exela.exe
4744	Exela.exe
4744	Exela.exe
4744	Exela.exe
4744	Exela.exe
4744	Exela.exe
4744	Exela.exe
4744	Exela.exe
4744	Exela.exe
4744	Exela.exe
4744	Exela.exe
4744	Exela.exe
4744	Exela.exe
4744	Exela.exe
4744	Exela.exe
4744	Exela.exe
4744	Exela.exe
4744	Exela.exe
4744	Exela.exe
4744	Exela.exe
4744	Exela.exe
4744	Exela.exe
4744	Exela.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
29	discord.com
30	discord.com
31	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
3576	cmd.exe
3560	ARP.EXE

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
1824	tasklist.exe
2592	tasklist.exe
4984	tasklist.exe
1172	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3412	cmd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023cfb-95.dat	upx
behavioral2/memory/4744-99-0x00007FFA1FC50000-0x00007FFA200BA000-memory.dmp	upx
behavioral2/files/0x0007000000023cb5-101.dat	upx
behavioral2/memory/4744-109-0x00007FFA26790000-0x00007FFA2679F000-memory.dmp	upx
behavioral2/memory/4744-108-0x00007FFA24D50000-0x00007FFA24D74000-memory.dmp	upx
behavioral2/files/0x0007000000023cf3-107.dat	upx
behavioral2/files/0x0007000000023cbc-110.dat	upx
behavioral2/memory/4744-113-0x00007FFA24D90000-0x00007FFA24DA9000-memory.dmp	upx
behavioral2/files/0x0007000000023cfc-112.dat	upx
behavioral2/memory/4744-115-0x00007FFA26780000-0x00007FFA2678D000-memory.dmp	upx
behavioral2/files/0x0007000000023cb3-116.dat	upx
behavioral2/memory/4744-118-0x00007FFA237F0000-0x00007FFA23809000-memory.dmp	upx
behavioral2/files/0x0007000000023cb8-120.dat	upx
behavioral2/memory/4744-121-0x00007FFA20880000-0x00007FFA208AC000-memory.dmp	upx
behavioral2/files/0x0007000000023cbd-122.dat	upx
behavioral2/memory/4744-125-0x00007FFA21B60000-0x00007FFA21B7E000-memory.dmp	upx
behavioral2/files/0x0007000000023cfd-124.dat	upx
behavioral2/memory/4744-127-0x00007FFA203D0000-0x00007FFA2053D000-memory.dmp	upx
behavioral2/files/0x0007000000023cbe-128.dat	upx
behavioral2/memory/4744-131-0x00007FFA205D0000-0x00007FFA205FE000-memory.dmp	upx
behavioral2/files/0x0007000000023cf2-130.dat	upx
behavioral2/files/0x0007000000023cf4-133.dat	upx
behavioral2/memory/4744-138-0x00007FFA1FAD0000-0x00007FFA1FB86000-memory.dmp	upx
behavioral2/memory/4744-140-0x00007FFA109F0000-0x00007FFA10D64000-memory.dmp	upx
behavioral2/files/0x0007000000023cb1-142.dat	upx
behavioral2/memory/4744-148-0x00007FFA24C60000-0x00007FFA24C70000-memory.dmp	upx
behavioral2/memory/4744-167-0x00007FFA1FA80000-0x00007FFA1FA9B000-memory.dmp	upx
behavioral2/files/0x0007000000023cb2-174.dat	upx
behavioral2/files/0x0007000000023cbf-187.dat	upx
behavioral2/files/0x0007000000023cef-191.dat	upx
behavioral2/memory/4744-193-0x00007FFA16F00000-0x00007FFA16F1E000-memory.dmp	upx
behavioral2/memory/4744-196-0x00007FFA201D0000-0x00007FFA201E4000-memory.dmp	upx
behavioral2/files/0x0007000000023cb4-197.dat	upx
behavioral2/memory/4744-198-0x00007FFA118B0000-0x00007FFA118E7000-memory.dmp	upx
behavioral2/memory/4744-195-0x00007FFA201A0000-0x00007FFA201AA000-memory.dmp	upx
behavioral2/memory/4744-194-0x00007FFA10000000-0x00007FFA107FB000-memory.dmp	upx
behavioral2/memory/4744-192-0x00007FFA20750000-0x00007FFA2075E000-memory.dmp	upx
behavioral2/files/0x0007000000023cf1-189.dat	upx
behavioral2/memory/4744-186-0x00007FFA10E10000-0x00007FFA10EDF000-memory.dmp	upx
behavioral2/memory/4744-184-0x00007FFA16870000-0x00007FFA168B1000-memory.dmp	upx
behavioral2/memory/4744-183-0x00007FFA16F20000-0x00007FFA16F35000-memory.dmp	upx
behavioral2/memory/4744-182-0x00007FFA109F0000-0x00007FFA10D64000-memory.dmp	upx
behavioral2/files/0x0007000000023cc4-181.dat	upx
behavioral2/files/0x0007000000023cc2-178.dat	upx
behavioral2/memory/4744-175-0x00007FFA1FAD0000-0x00007FFA1FB86000-memory.dmp	upx
behavioral2/files/0x0007000000023cc3-173.dat	upx
behavioral2/memory/4744-172-0x00007FFA16F40000-0x00007FFA16F53000-memory.dmp	upx
behavioral2/memory/4744-171-0x00007FFA205D0000-0x00007FFA205FE000-memory.dmp	upx
behavioral2/files/0x0007000000023cc1-169.dat	upx
behavioral2/memory/4744-166-0x00007FFA203D0000-0x00007FFA2053D000-memory.dmp	upx
behavioral2/memory/4744-165-0x00007FFA10FA0000-0x00007FFA110B8000-memory.dmp	upx
behavioral2/files/0x0007000000023cf8-164.dat	upx
behavioral2/memory/4744-163-0x00007FFA21B60000-0x00007FFA21B7E000-memory.dmp	upx
behavioral2/files/0x0007000000023cff-161.dat	upx
behavioral2/memory/4744-160-0x00007FFA1FAA0000-0x00007FFA1FAC2000-memory.dmp	upx
behavioral2/memory/4744-159-0x00007FFA20880000-0x00007FFA208AC000-memory.dmp	upx
behavioral2/files/0x0007000000023d01-157.dat	upx
behavioral2/memory/4744-156-0x00007FFA200E0000-0x00007FFA200F5000-memory.dmp	upx
behavioral2/memory/4744-155-0x00007FFA237F0000-0x00007FFA23809000-memory.dmp	upx
behavioral2/files/0x0007000000023cb7-153.dat	upx
behavioral2/memory/4744-152-0x00007FFA201B0000-0x00007FFA201C4000-memory.dmp	upx
behavioral2/memory/4744-151-0x00007FFA26780000-0x00007FFA2678D000-memory.dmp	upx
behavioral2/files/0x0007000000023cf6-149.dat	upx
behavioral2/memory/4744-147-0x00007FFA24D90000-0x00007FFA24DA9000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3936	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1528	cmd.exe
3616	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
4468	NETSTAT.EXE

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
732	WMIC.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1416	ipconfig.exe
4468	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4184	systeminfo.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3840	schtasks.exe
4372	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2416	powershell.exe
2416	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1028	WMIC.exe
Token: SeSecurityPrivilege	1028	WMIC.exe
Token: SeTakeOwnershipPrivilege	1028	WMIC.exe
Token: SeLoadDriverPrivilege	1028	WMIC.exe
Token: SeSystemProfilePrivilege	1028	WMIC.exe
Token: SeSystemtimePrivilege	1028	WMIC.exe
Token: SeProfSingleProcessPrivilege	1028	WMIC.exe
Token: SeIncBasePriorityPrivilege	1028	WMIC.exe
Token: SeCreatePagefilePrivilege	1028	WMIC.exe
Token: SeBackupPrivilege	1028	WMIC.exe
Token: SeRestorePrivilege	1028	WMIC.exe
Token: SeShutdownPrivilege	1028	WMIC.exe
Token: SeDebugPrivilege	1028	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1028	WMIC.exe
Token: SeRemoteShutdownPrivilege	1028	WMIC.exe
Token: SeUndockPrivilege	1028	WMIC.exe
Token: SeManageVolumePrivilege	1028	WMIC.exe
Token: 33	1028	WMIC.exe
Token: 34	1028	WMIC.exe
Token: 35	1028	WMIC.exe
Token: 36	1028	WMIC.exe
Token: SeDebugPrivilege	1824	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1028	WMIC.exe
Token: SeSecurityPrivilege	1028	WMIC.exe
Token: SeTakeOwnershipPrivilege	1028	WMIC.exe
Token: SeLoadDriverPrivilege	1028	WMIC.exe
Token: SeSystemProfilePrivilege	1028	WMIC.exe
Token: SeSystemtimePrivilege	1028	WMIC.exe
Token: SeProfSingleProcessPrivilege	1028	WMIC.exe
Token: SeIncBasePriorityPrivilege	1028	WMIC.exe
Token: SeCreatePagefilePrivilege	1028	WMIC.exe
Token: SeBackupPrivilege	1028	WMIC.exe
Token: SeRestorePrivilege	1028	WMIC.exe
Token: SeShutdownPrivilege	1028	WMIC.exe
Token: SeDebugPrivilege	1028	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1028	WMIC.exe
Token: SeRemoteShutdownPrivilege	1028	WMIC.exe
Token: SeUndockPrivilege	1028	WMIC.exe
Token: SeManageVolumePrivilege	1028	WMIC.exe
Token: 33	1028	WMIC.exe
Token: 34	1028	WMIC.exe
Token: 35	1028	WMIC.exe
Token: 36	1028	WMIC.exe
Token: SeDebugPrivilege	2592	tasklist.exe
Token: SeDebugPrivilege	4984	tasklist.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeIncreaseQuotaPrivilege	732	WMIC.exe
Token: SeSecurityPrivilege	732	WMIC.exe
Token: SeTakeOwnershipPrivilege	732	WMIC.exe
Token: SeLoadDriverPrivilege	732	WMIC.exe
Token: SeSystemProfilePrivilege	732	WMIC.exe
Token: SeSystemtimePrivilege	732	WMIC.exe
Token: SeProfSingleProcessPrivilege	732	WMIC.exe
Token: SeIncBasePriorityPrivilege	732	WMIC.exe
Token: SeCreatePagefilePrivilege	732	WMIC.exe
Token: SeBackupPrivilege	732	WMIC.exe
Token: SeRestorePrivilege	732	WMIC.exe
Token: SeShutdownPrivilege	732	WMIC.exe
Token: SeDebugPrivilege	732	WMIC.exe
Token: SeSystemEnvironmentPrivilege	732	WMIC.exe
Token: SeRemoteShutdownPrivilege	732	WMIC.exe
Token: SeUndockPrivilege	732	WMIC.exe
Token: SeManageVolumePrivilege	732	WMIC.exe
Token: 33	732	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 4744	2352	Exela.exe	82
PID 2352 wrote to memory of 4744	2352	Exela.exe	82
PID 4744 wrote to memory of 4236	4744	Exela.exe	83
PID 4744 wrote to memory of 4236	4744	Exela.exe	83
PID 4744 wrote to memory of 3016	4744	Exela.exe	85
PID 4744 wrote to memory of 3016	4744	Exela.exe	85
PID 4744 wrote to memory of 1260	4744	Exela.exe	86
PID 4744 wrote to memory of 1260	4744	Exela.exe	86
PID 3016 wrote to memory of 1028	3016	cmd.exe	89
PID 3016 wrote to memory of 1028	3016	cmd.exe	89
PID 1260 wrote to memory of 1824	1260	cmd.exe	90
PID 1260 wrote to memory of 1824	1260	cmd.exe	90
PID 4744 wrote to memory of 3412	4744	Exela.exe	92
PID 4744 wrote to memory of 3412	4744	Exela.exe	92
PID 3412 wrote to memory of 2164	3412	cmd.exe	94
PID 3412 wrote to memory of 2164	3412	cmd.exe	94
PID 4744 wrote to memory of 4156	4744	Exela.exe	95
PID 4744 wrote to memory of 4156	4744	Exela.exe	95
PID 4156 wrote to memory of 1456	4156	cmd.exe	97
PID 4156 wrote to memory of 1456	4156	cmd.exe	97
PID 4744 wrote to memory of 3144	4744	Exela.exe	98
PID 4744 wrote to memory of 3144	4744	Exela.exe	98
PID 3144 wrote to memory of 3840	3144	cmd.exe	100
PID 3144 wrote to memory of 3840	3144	cmd.exe	100
PID 4744 wrote to memory of 1276	4744	Exela.exe	101
PID 4744 wrote to memory of 1276	4744	Exela.exe	101
PID 1276 wrote to memory of 4372	1276	cmd.exe	103
PID 1276 wrote to memory of 4372	1276	cmd.exe	103
PID 4744 wrote to memory of 2704	4744	Exela.exe	104
PID 4744 wrote to memory of 2704	4744	Exela.exe	104
PID 4744 wrote to memory of 1692	4744	Exela.exe	105
PID 4744 wrote to memory of 1692	4744	Exela.exe	105
PID 1692 wrote to memory of 2592	1692	cmd.exe	108
PID 1692 wrote to memory of 2592	1692	cmd.exe	108
PID 2704 wrote to memory of 384	2704	cmd.exe	109
PID 2704 wrote to memory of 384	2704	cmd.exe	109
PID 4744 wrote to memory of 2380	4744	Exela.exe	110
PID 4744 wrote to memory of 2380	4744	Exela.exe	110
PID 4744 wrote to memory of 4588	4744	Exela.exe	111
PID 4744 wrote to memory of 4588	4744	Exela.exe	111
PID 4744 wrote to memory of 3408	4744	Exela.exe	112
PID 4744 wrote to memory of 3408	4744	Exela.exe	112
PID 4744 wrote to memory of 2196	4744	Exela.exe	114
PID 4744 wrote to memory of 2196	4744	Exela.exe	114
PID 4588 wrote to memory of 4200	4588	cmd.exe	118
PID 4588 wrote to memory of 4200	4588	cmd.exe	118
PID 4200 wrote to memory of 3492	4200	cmd.exe	119
PID 4200 wrote to memory of 3492	4200	cmd.exe	119
PID 3408 wrote to memory of 4984	3408	cmd.exe	120
PID 3408 wrote to memory of 4984	3408	cmd.exe	120
PID 2380 wrote to memory of 1788	2380	cmd.exe	121
PID 2380 wrote to memory of 1788	2380	cmd.exe	121
PID 2196 wrote to memory of 2416	2196	cmd.exe	122
PID 2196 wrote to memory of 2416	2196	cmd.exe	122
PID 1788 wrote to memory of 4820	1788	cmd.exe	123
PID 1788 wrote to memory of 4820	1788	cmd.exe	123
PID 4744 wrote to memory of 1528	4744	Exela.exe	124
PID 4744 wrote to memory of 1528	4744	Exela.exe	124
PID 4744 wrote to memory of 3576	4744	Exela.exe	126
PID 4744 wrote to memory of 3576	4744	Exela.exe	126
PID 1528 wrote to memory of 3616	1528	cmd.exe	128
PID 1528 wrote to memory of 3616	1528	cmd.exe	128
PID 3576 wrote to memory of 4184	3576	cmd.exe	129
PID 3576 wrote to memory of 4184	3576	cmd.exe	129

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2164	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Exela.exe
"C:\Users\Admin\AppData\Local\Temp\Exela.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Users\Admin\AppData\Local\Temp\Exela.exe
  "C:\Users\Admin\AppData\Local\Temp\Exela.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:4236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1260
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:3412
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Views/modifies file attributes
      PID:2164
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "schtasks /query /TN "ExelaUpdateService""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4156
  - - C:\Windows\system32\schtasks.exe
      schtasks /query /TN "ExelaUpdateService"
      4⤵
      PID:1456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc onlogon /rl highest /tn "ExelaUpdateService" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3144
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "ExelaUpdateService" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3840
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc hourly /mo 1 /rl highest /tn "ExelaUpdateService2" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1276
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc hourly /mo 1 /rl highest /tn "ExelaUpdateService2" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4372
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1692
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2592
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1788
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:4820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4588
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4200
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:3492
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3408
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2416
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:1528
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3616
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    - Suspicious use of WriteProcessMemory
    PID:3576
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4184
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:1520
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      Suspicious use of AdjustPrivilegeToken
      PID:732
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:2864
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:2600
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:2876
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:860
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:456
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:3628
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:1080
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:100
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:1968
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:3356
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:1524
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:2328
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:3196
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:1172
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:1416
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:1284
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:3560
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:4468
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:3936
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:548
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2592
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3308
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI23522\VCRUNTIME140.dll

Filesize
94KB

MD5
a87575e7cf8967e481241f13940ee4f7

SHA1
879098b8a353a39e16c79e6479195d43ce98629e

SHA256
ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e

SHA512
e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\_asyncio.pyd

Filesize
31KB

MD5
e43bf76d198fdd3e90d88be261d23ceb

SHA1
effe4b0decee8f927ee0dc193e8a2720729a054d

SHA256
888a55cda018d89cb252b1372214dc4d82f891de829a9e532d3fee7c824c3a31

SHA512
6da49d3546c4d8a199f9c756e4bb42bbeae221b8782ac0eb1793859fbb6a03c012ebc01e58fe0ce87d1ac0fb9b0dbd10dbfabc26ec306eda4058de351b0aa369

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\_brotli.cp310-win_amd64.pyd

Filesize
274KB

MD5
94c13e0636646019a4c7d405c2d919df

SHA1
8ed8519e9b310f59e5b40f3c8fb675791cae09f9

SHA256
10517c02bb69dafd60053152e65d00c02e24952f63ca230af807ec6b2053f2a6

SHA512
82fba52c4db4206f7a1ebb1a3ebf12fc60f3deff4763fd5a059b00f46aa7513279da994a815a0883ce3301c3cdd1d20923db21b926c43b2ee732c28852979945

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\_bz2.pyd

Filesize
43KB

MD5
f3ae0c86090faa4d5cc898abfce850d6

SHA1
10fe6b9967f1f4eaec903d31056577a968720a1e

SHA256
dfa063e160e3120fd0cec3f2830fc9cbe73c1cbc29a3813c46bc3aa51d108b4e

SHA512
7cced9ec50acf614284d31289733f821ecdffd8f27bbf47786b08228e219498f2bcea9fca237763521162cb931ab4302784efc9a15691204d78c1df9c81f044d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\_cffi_backend.cp310-win_amd64.pyd

Filesize
71KB

MD5
7727212e7bdbf63b1a39fb7faad24265

SHA1
a8fdec19d6690081b2bf55247e8e17657a68ac97

SHA256
b0116303e1e903d6eb02a69d05879f38af1640813f4b110cb733ffff6e4e985c

SHA512
2b1a27642118dd228791d0d8ba307aa39ab2d9c7d3799cff9f3c0744fe270eeaefe5545a4fda6e74e86fee747e45bf5f6c9ac799950c2b483a16eb3ce85d816a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\_ctypes.pyd

Filesize
53KB

MD5
95ac54b88d97b76b3562302ac962ff48

SHA1
347e8e1cc8a995d169f891d27dfec626ede021a4

SHA256
840fe0e6747dad71633993f74ed6b188b92abf894c5f6094232ce708f4cad2fb

SHA512
217f3a91d0f1ece0eaa4a00db73ef58efc0ee0f89c1932be7897881bbd52e9a9565c5590a1824d676cc88bb6762385360696e32774a025418cf5794b15c0a47b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\_hashlib.pyd

Filesize
30KB

MD5
c802eabf1f3e8e0439bda6da432b4a7a

SHA1
ce57c967afa6fedb2a2beced8d295b3a9e19d721

SHA256
0944dc7c37cce8000b283d4597956a46bd5bd1a6a1c01430799e20ab4bd09812

SHA512
484b8d5cba4742dcfde15fc87af8460aefa43e2434187297ec38d7e1b6a363a59d7b7b270d09d59f59229961e5e3554525c52fd6ac208f58848d838a5667c518

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\_lzma.pyd

Filesize
81KB

MD5
fd9f9c34a33410cf3be4dbb3fd4d24a7

SHA1
7c373b308f21c5a500580e5bbd19ce475a0a1dc6

SHA256
e6d746650e0d56bb45401431578d82beeb5848f6daccd90d85c5d62871576438

SHA512
dc73b34679bcef00d6f49cd8d3b534c1b4cbcd80b103e5ffd91a4d0452bee988b49781869f8bfb0828912571da3d9aa699affce568bf7801b9a8028a308375f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\_overlapped.pyd

Filesize
27KB

MD5
fb7da97236c448dfc756c50ea098c7eb

SHA1
73fb846df160411f09473978d6171a55c799df0c

SHA256
9421ab684e6694ef5c031799e6d4adb03d2d78baef12204f32cd0ed3873117f5

SHA512
bd7d254fa1e35240a8ea6e3f1d3666fd6835347d4a8d999d25219ca004c52c8f06514c3783dc263731770a8791759db0a4286e65216fe23531ef1e6164ca7ed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\_socket.pyd

Filesize
38KB

MD5
62ebe51baf1113beebe713439f86691c

SHA1
294c379e1c220c4de333d0f55a5babfab74698cc

SHA256
b26a6409323f8d15d476f9d04c7d45a205580f21b692df18e9656f08ef9a0328

SHA512
fb92732eabcf744a25871754c414239630787ba959a88727759d9bb6273a2f7bd1a6cd795ede873f2ebbff23bedd2177c142d41715e4083e75afc3e36e6c84ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\_sqlite3.pyd

Filesize
45KB

MD5
212b4609f25ff515cbd00eb73b4684d7

SHA1
2b0cce3a1cef72f45bca9d525f2ce541002aee18

SHA256
1fb515cceed1a5e62541d605d0943c6e8d24caeca7b7c04e4c662fefc6b1de90

SHA512
775a293146f112103a73ad7b160f5dd7f618eada9b89c93b48fa89f99b558086b631bd643a6de0f35dc0e53b3f05c8906b83321c986ce7fabc8a1b110a830136

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\_ssl.pyd

Filesize
57KB

MD5
97600eab6a73856e37c585d1b27220ae

SHA1
6ddf1b90ae5e9a26696916551d6a335289da8d79

SHA256
5fd57f2b9aac9bc84bb65c78ec5ed6f40b619636f2c4aac284b7a284d159044e

SHA512
3a3d7d0df1d48b876e9630acb68c62bdf598016fdfc65601bdbf6c3b4468acd8cf8e2557a215c5b823dd453fe7fce7beee38c59433392190932e3d002c8079a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\_uuid.pyd

Filesize
18KB

MD5
ee976258f5954cfe8c3ed3ab082fa811

SHA1
ebf1b311b2c73278c35b1af56f61740fcb688520

SHA256
cbc5dc5f119f557b7e3afce9f5de95ca03636870f0c57b811b52a9f083167251

SHA512
b0e44f4def68738ecfbb641c202b1ef927e665c260047509f7868e3a7a87aeed813af49b5852174f885a865f67ad048edeefefc6328c02cfff7b98ef6e1eb3f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\aiohttp\_helpers.cp310-win_amd64.pyd

Filesize
20KB

MD5
fa023b69c818b172bd8669e7fe933112

SHA1
312346d1044df7acb19e005fb8986fc30f2b56f0

SHA256
7e9c8090381d391252a48e2c7487ad8e819e7afe626ab496bc056d16b5d7063c

SHA512
331fa20ac17294e7bb13ac5bf60c2f6a04f1ecf0454ed8ff795fddd616d412fae4a3614b07302a3a429348989ebdc4410567e081dafc2f032a28c1e2462a4574

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\aiohttp\_http_parser.cp310-win_amd64.pyd

Filesize
67KB

MD5
eb1392a4ff6a93673b62abcce37aaf52

SHA1
1d2588992a02d637c41ef41f9e0e6a629308f70d

SHA256
7edc05ab935cc38560a7fea345421d3b2832280f0f9676f6ae520fcf513ce339

SHA512
32a283dc7f717c41f4ec5514c33ebd9b16b0eb50b1e20e1a9eeb40505b3380ab836279873767d91376403042b84e742b76c220baec3f9717071d05f4b116ca63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\aiohttp\_http_writer.cp310-win_amd64.pyd

Filesize
19KB

MD5
8c0512c9ef4be82b40fa246139e11c34

SHA1
1582471f8c15658a221509e214e2d2c70b848302

SHA256
a36f4d71bdcb51cb3c5a11852a77ce1bea01bfe2055a6f786180fda65e03d6ed

SHA512
580eb50432271ef64d497a91cc07fa6281c4776598c2ecb2b3781fe2d44ce5537bde1c99fb7690655140255d7086725dcbc814119bffa903c8bcb936bcd035b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\aiohttp\_websocket.cp310-win_amd64.pyd

Filesize
14KB

MD5
50f77cb5b8812f9b25d6b3ff85ce87b3

SHA1
22fe42815f08347a8557cb7e7eeaf5d37d4a27a3

SHA256
8f3424305465e55bac961218afada8d01f8f55e400188270a737bdb8f0fa8f3b

SHA512
17ac4984f1b3fe081b47f304881033e6efcb538524c8089d978afdf3d0e6d6bf2db0a9752bfd16ddbf5702756ec9cc279e6054b780fd3158bc7818df2d674d18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\base_library.zip

Filesize
1.0MB

MD5
cba354bf79866419f074f52ee10e3224

SHA1
ed490a6d9981ca723a3a23fca149da35181400ae

SHA256
b9151bfd3fd8e40d83b2f9cc3fa708ecac4c16eccf522584abe7d5895adac522

SHA512
7625520fde973b0a9d25a39024091c4312be0d36d732b1e79293fe0ca033e7cf68eb054630bc9150f2e10edce7f7303bb91f9dc9ccf8aebf3dc1e7555b17d357

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\cryptography\hazmat\bindings\_rust.pyd

Filesize
2.0MB

MD5
606a84af5a9cf8ad3cb0314e77fb7209

SHA1
6de88d8554488ffe3e48c9b14886da16d1703a69

SHA256
0693ffa4990fa8c1664485f3d2a41b581eac0b340d07d62242052a67bf2ed5c3

SHA512
97d451f025aefb487c5cea568eb430356adfe23908321f1c04f8fa4c03df87507eda8d9612c944be4fa733df4cec38a0e37bffd8865088064b749244d4321b1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\frozenlist\_frozenlist.cp310-win_amd64.pyd

Filesize
36KB

MD5
219ad30aea7630a3696df28231405927

SHA1
ebaf69903305ea0803570cc2ff4cf43dd2bc812a

SHA256
06d38127de4cbd3243f861ea22897d490520e913f77011a37d915c4992433604

SHA512
72eb7323deb26931ea000690f85272ee71e19b2896af2b43ccd8bcfc3a299e0f8a7a3f1e339fbfe7c855e081cd94e21ae09ba3b8e2d16dbacddb838c31b4de13

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\libcrypto-1_1.dll

Filesize
1.1MB

MD5
700f32459dca0f54c982cd1c1ddd6b8b

SHA1
2538711c091ac3f572cb0f13539a68df0f228f28

SHA256
1de22bd1a0154d49f48b3fab94fb1fb1abd8bfed37d18e79a86ecd7cdab893c9

SHA512
99de1f5cb78c83fc6af0a475fb556f1ac58a1ba734efc69d507bf5dc1b0535a401d901324be845d7a59db021f8967cf33a7b105b2ddcb2e02a39dc0311e7c36d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\libffi-7.dll

Filesize
23KB

MD5
d50ebf567149ead9d88933561cb87d09

SHA1
171df40e4187ebbfdf9aa1d76a33f769fb8a35ed

SHA256
6aa8e12ce7c8ad52dd2e3fabeb38a726447849669c084ea63d8e322a193033af

SHA512
7bcc9d6d3a097333e1e4b2b23c81ea1b5db7dbdc5d9d62ebaffb0fdfb6cfe86161520ac14dc835d1939be22b9f342531f48da70f765a60b8e2c3d7b9983021de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\libssl-1_1.dll

Filesize
198KB

MD5
45498cefc9ead03a63c2822581cd11c6

SHA1
f96b6373237317e606b3715705a71db47e2cafad

SHA256
a84174a00dc98c98240ad5ee16c35e6ef932cebd5b8048ff418d3dd80f20deca

SHA512
4d3d8d33e7f3c2bf1cad3afbfba6ba53852d1314713ad60eeae1d51cc299a52b73da2c629273f9e0b7983ca01544c3645451cfa247911af4f81ca88a82cf6a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\multidict\_multidict.cp310-win_amd64.pyd

Filesize
20KB

MD5
7f691747ce66d3ed05a7c2c53220c8b5

SHA1
1d3f247042030cf8cf7c859002941beba5d15776

SHA256
7d6472a0d7f1a0740c7fc0d0d0ea6f7c6e7cb2b11b8c623c46a6fae1adb4e228

SHA512
b01f0e91039fc5b2782caaa0b3d56d5d1fe9e94424cc536cde9eca73a76747736060042e345af9edc5ef5bf5c154705d2c2dddf35536f305306be25a955a9f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\propcache\_helpers_c.cp310-win_amd64.pyd

Filesize
31KB

MD5
9fe92acae9522cd0044146e1b57c23fa

SHA1
ec8875039a387bb4ac302cd533b2fe27dbe75b43

SHA256
622077d084db60b50c43a1923d60c02f1900fffa3b5a11dfd34328e6fd341362

SHA512
cdf5dae191f9b6c75d5698d49d1a55a00695ac896a0823357ea7bf3332683231cb10b1544ec12fab5cf5a15117a92af18e1266f29ed3d3ccbcb56ff46a421e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\python3.DLL

Filesize
60KB

MD5
64a9384c6b329fb089e4d1657a06b175

SHA1
ba0e6fcc3b1406356a40b9d8577b2e7ce69c4aea

SHA256
ec655cc34819d6a9677c0541fd7e7b2b8a92804e8bf73aee692a9c44d1a24b5d

SHA512
9593d38abfd46bb94409838dd9cbe603fbe154fa0043959512afc264dceec50d846eefa409bcf9936ee1a7c7313604a578b4051eb6fd6918f2beb0da6c8ee532

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\python310.dll

Filesize
1.4MB

MD5
018dfe78afe5062c01dffbe60545f7e5

SHA1
e5659111f6fd30c8b1140cbb1b5b094003d96793

SHA256
639283586b67d53b98858ff3a238248299b86a95171015ce6f96cc2ccf8209ca

SHA512
168e9b9b31a0e4c291616b90e2c0ef836e8f07a1d776c48621979d4ef6b8cd7ece52fd2d920b44821a48055c5d89bd2ff4286d23f0c9c0c996a89d6c51b3055a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\select.pyd

Filesize
21KB

MD5
bc21a2802218055093da6e3e1f3be5c8

SHA1
982165a8fa195c856d927e311820a979088752d0

SHA256
0ee02e920c0f537a606aa4b3807294aaddd3e467f88776ea54e19ce2f61de7ff

SHA512
2feb520a3e709ccf1163eaa5db62d8589cd6fb3b15d023d31e96ec50f5453a79d1299cddd075db3084dccbb362da0e877e26b8b79d944109af95de65b31e03d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\sqlite3.dll

Filesize
605KB

MD5
486348762469a514e1e5a689dbdc3b23

SHA1
b9e599d135c6a3b952b7bc74ba42cc754b8f2213

SHA256
ed74b4798a348e693e1263ea80b5636e0b2de1fd2f3353b80b78b632b8e7b843

SHA512
61e51e6d2faf1a805c9220f954866b2c7cb3e19d99a4591865eaad8c40ad1ceeac72700cd6a4b5fb81e406f6a5e9fca68b98f8efbd7f772b91bc2cbeaeab11c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\ucrtbase.dll

Filesize
1.1MB

MD5
6a44a2235d33b3f154fc50dc72e8ea61

SHA1
e98127a010bc6555e50e2ce7eba6ead8d8e13bf3

SHA256
91d027417ff2301b7135e864a5df6693488f8412ff87040f4897e0e03bc2577b

SHA512
057595ef00dc41aab49d654dc1b8dfdfaad58a3e2cf764db71090413b04e07c618d4592b390d170a4fbbc02f04c68f11b382258e3bf13a1791c6bfc97df7687b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\unicodedata.pyd

Filesize
284KB

MD5
19afee0699eba966446972f813c62eed

SHA1
861f15b0529ee296890c4b177644c89cd51dd044

SHA256
a829cb1a28080d7ebb403a2af0d8e341c47d30732d7f7764bf9bbf02473c2db6

SHA512
e1c4b31bfc390e257acc054eb8179292cbb1eb4018a93231caacf7a29c78ce713f3cd365c842447be54f1ced4ba64db1a85a639ca6f97a6049300fb76b1889d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23522\yarl\_quoting_c.cp310-win_amd64.pyd

Filesize
41KB

MD5
8640834733897205d9193e1b21084135

SHA1
e452ae2dbabcc8691233428dd1da5d23961b047d

SHA256
bd209ab04ba8a3a40546832380547a460b1257f4fb4b4012f6fc48f9c36cc476

SHA512
365805a31ed3ef7648fa2fac49fecc0646dd5dfcad8468918623d962db6aab08339f510edccdaf1340f8bfc06a4628c070de947cdec55cfabdc3563af2de43e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mxo3o1vr.gls.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2416-249-0x000002087A520000-0x000002087A542000-memory.dmp

Filesize
136KB

Download
memory/4744-156-0x00007FFA200E0000-0x00007FFA200F5000-memory.dmp

Filesize
84KB

Download
memory/4744-263-0x00007FFA16870000-0x00007FFA168B1000-memory.dmp

Filesize
260KB

Download
memory/4744-193-0x00007FFA16F00000-0x00007FFA16F1E000-memory.dmp

Filesize
120KB

Download
memory/4744-198-0x00007FFA118B0000-0x00007FFA118E7000-memory.dmp

Filesize
220KB

Download
memory/4744-195-0x00007FFA201A0000-0x00007FFA201AA000-memory.dmp

Filesize
40KB

Download
memory/4744-194-0x00007FFA10000000-0x00007FFA107FB000-memory.dmp

Filesize
8.0MB

Download
memory/4744-192-0x00007FFA20750000-0x00007FFA2075E000-memory.dmp

Filesize
56KB

Download
memory/4744-167-0x00007FFA1FA80000-0x00007FFA1FA9B000-memory.dmp

Filesize
108KB

Download
memory/4744-186-0x00007FFA10E10000-0x00007FFA10EDF000-memory.dmp

Filesize
828KB

Download
memory/4744-184-0x00007FFA16870000-0x00007FFA168B1000-memory.dmp

Filesize
260KB

Download
memory/4744-183-0x00007FFA16F20000-0x00007FFA16F35000-memory.dmp

Filesize
84KB

Download
memory/4744-182-0x00007FFA109F0000-0x00007FFA10D64000-memory.dmp

Filesize
3.5MB

Download
memory/4744-148-0x00007FFA24C60000-0x00007FFA24C70000-memory.dmp

Filesize
64KB

Download
memory/4744-179-0x0000017D8AA60000-0x0000017D8ADD4000-memory.dmp

Filesize
3.5MB

Download
memory/4744-140-0x00007FFA109F0000-0x00007FFA10D64000-memory.dmp

Filesize
3.5MB

Download
memory/4744-175-0x00007FFA1FAD0000-0x00007FFA1FB86000-memory.dmp

Filesize
728KB

Download
memory/4744-138-0x00007FFA1FAD0000-0x00007FFA1FB86000-memory.dmp

Filesize
728KB

Download
memory/4744-172-0x00007FFA16F40000-0x00007FFA16F53000-memory.dmp

Filesize
76KB

Download
memory/4744-171-0x00007FFA205D0000-0x00007FFA205FE000-memory.dmp

Filesize
184KB

Download
memory/4744-131-0x00007FFA205D0000-0x00007FFA205FE000-memory.dmp

Filesize
184KB

Download
memory/4744-166-0x00007FFA203D0000-0x00007FFA2053D000-memory.dmp

Filesize
1.4MB

Download
memory/4744-165-0x00007FFA10FA0000-0x00007FFA110B8000-memory.dmp

Filesize
1.1MB

Download
memory/4744-127-0x00007FFA203D0000-0x00007FFA2053D000-memory.dmp

Filesize
1.4MB

Download
memory/4744-163-0x00007FFA21B60000-0x00007FFA21B7E000-memory.dmp

Filesize
120KB

Download
memory/4744-125-0x00007FFA21B60000-0x00007FFA21B7E000-memory.dmp

Filesize
120KB

Download
memory/4744-160-0x00007FFA1FAA0000-0x00007FFA1FAC2000-memory.dmp

Filesize
136KB

Download
memory/4744-159-0x00007FFA20880000-0x00007FFA208AC000-memory.dmp

Filesize
176KB

Download
memory/4744-121-0x00007FFA20880000-0x00007FFA208AC000-memory.dmp

Filesize
176KB

Download
memory/4744-118-0x00007FFA237F0000-0x00007FFA23809000-memory.dmp

Filesize
100KB

Download
memory/4744-155-0x00007FFA237F0000-0x00007FFA23809000-memory.dmp

Filesize
100KB

Download
memory/4744-115-0x00007FFA26780000-0x00007FFA2678D000-memory.dmp

Filesize
52KB

Download
memory/4744-152-0x00007FFA201B0000-0x00007FFA201C4000-memory.dmp

Filesize
80KB

Download
memory/4744-151-0x00007FFA26780000-0x00007FFA2678D000-memory.dmp

Filesize
52KB

Download
memory/4744-113-0x00007FFA24D90000-0x00007FFA24DA9000-memory.dmp

Filesize
100KB

Download
memory/4744-147-0x00007FFA24D90000-0x00007FFA24DA9000-memory.dmp

Filesize
100KB

Download
memory/4744-108-0x00007FFA24D50000-0x00007FFA24D74000-memory.dmp

Filesize
144KB

Download
memory/4744-144-0x00007FFA201D0000-0x00007FFA201E4000-memory.dmp

Filesize
80KB

Download
memory/4744-139-0x0000017D8AA60000-0x0000017D8ADD4000-memory.dmp

Filesize
3.5MB

Download
memory/4744-137-0x00007FFA24D50000-0x00007FFA24D74000-memory.dmp

Filesize
144KB

Download
memory/4744-136-0x00007FFA1FC50000-0x00007FFA200BA000-memory.dmp

Filesize
4.4MB

Download
memory/4744-243-0x00007FFA1FAA0000-0x00007FFA1FAC2000-memory.dmp

Filesize
136KB

Download
memory/4744-244-0x00007FFA20840000-0x00007FFA2084D000-memory.dmp

Filesize
52KB

Download
memory/4744-109-0x00007FFA26790000-0x00007FFA2679F000-memory.dmp

Filesize
60KB

Download
memory/4744-99-0x00007FFA1FC50000-0x00007FFA200BA000-memory.dmp

Filesize
4.4MB

Download
memory/4744-261-0x00007FFA16F40000-0x00007FFA16F53000-memory.dmp

Filesize
76KB

Download
memory/4744-196-0x00007FFA201D0000-0x00007FFA201E4000-memory.dmp

Filesize
80KB

Download
memory/4744-262-0x00007FFA16F20000-0x00007FFA16F35000-memory.dmp

Filesize
84KB

Download
memory/4744-264-0x00007FFA10000000-0x00007FFA107FB000-memory.dmp

Filesize
8.0MB

Download
memory/4744-299-0x00007FFA118B0000-0x00007FFA118E7000-memory.dmp

Filesize
220KB

Download
memory/4744-283-0x00007FFA24C60000-0x00007FFA24C70000-memory.dmp

Filesize
64KB

Download
memory/4744-282-0x00007FFA201D0000-0x00007FFA201E4000-memory.dmp

Filesize
80KB

Download
memory/4744-278-0x00007FFA203D0000-0x00007FFA2053D000-memory.dmp

Filesize
1.4MB

Download
memory/4744-277-0x00007FFA21B60000-0x00007FFA21B7E000-memory.dmp

Filesize
120KB

Download
memory/4744-271-0x00007FFA24D50000-0x00007FFA24D74000-memory.dmp

Filesize
144KB

Download
memory/4744-270-0x00007FFA1FC50000-0x00007FFA200BA000-memory.dmp

Filesize
4.4MB

Download
memory/4744-301-0x00007FFA1FC50000-0x00007FFA200BA000-memory.dmp

Filesize
4.4MB

Download
memory/4744-321-0x00007FFA16F20000-0x00007FFA16F35000-memory.dmp

Filesize
84KB

Download
memory/4744-313-0x00007FFA201D0000-0x00007FFA201E4000-memory.dmp

Filesize
80KB

Download
memory/4744-312-0x00007FFA109F0000-0x00007FFA10D64000-memory.dmp

Filesize
3.5MB

Download
memory/4744-311-0x00007FFA1FAD0000-0x00007FFA1FB86000-memory.dmp

Filesize
728KB

Download
memory/4744-310-0x00007FFA205D0000-0x00007FFA205FE000-memory.dmp

Filesize
184KB

Download
memory/4744-335-0x00007FFA237F0000-0x00007FFA23809000-memory.dmp

Filesize
100KB

Download
memory/4744-334-0x00007FFA26780000-0x00007FFA2678D000-memory.dmp

Filesize
52KB

Download
memory/4744-333-0x00007FFA24D90000-0x00007FFA24DA9000-memory.dmp

Filesize
100KB

Download
memory/4744-332-0x00007FFA26790000-0x00007FFA2679F000-memory.dmp

Filesize
60KB

Download
memory/4744-331-0x00007FFA24D50000-0x00007FFA24D74000-memory.dmp

Filesize
144KB

Download
memory/4744-330-0x00007FFA1FC50000-0x00007FFA200BA000-memory.dmp

Filesize
4.4MB

Download
memory/4744-362-0x00007FFA205D0000-0x00007FFA205FE000-memory.dmp

Filesize
184KB

Download
memory/4744-375-0x00007FFA16870000-0x00007FFA168B1000-memory.dmp

Filesize
260KB

Download
memory/4744-377-0x00007FFA16F00000-0x00007FFA16F1E000-memory.dmp

Filesize
120KB

Download
memory/4744-378-0x00007FFA10000000-0x00007FFA107FB000-memory.dmp

Filesize
8.0MB

Download
memory/4744-376-0x00007FFA109F0000-0x00007FFA10D64000-memory.dmp

Filesize
3.5MB

Download
memory/4744-374-0x00007FFA16F20000-0x00007FFA16F35000-memory.dmp

Filesize
84KB

Download
memory/4744-373-0x00007FFA16F40000-0x00007FFA16F53000-memory.dmp

Filesize
76KB

Download
memory/4744-372-0x00007FFA10FA0000-0x00007FFA110B8000-memory.dmp

Filesize
1.1MB

Download
memory/4744-371-0x00007FFA1FA80000-0x00007FFA1FA9B000-memory.dmp

Filesize
108KB

Download
memory/4744-370-0x00007FFA1FAA0000-0x00007FFA1FAC2000-memory.dmp

Filesize
136KB

Download
memory/4744-369-0x00007FFA200E0000-0x00007FFA200F5000-memory.dmp

Filesize
84KB

Download
memory/4744-368-0x00007FFA201B0000-0x00007FFA201C4000-memory.dmp

Filesize
80KB

Download
memory/4744-367-0x00007FFA24C60000-0x00007FFA24C70000-memory.dmp

Filesize
64KB

Download
memory/4744-366-0x00007FFA201D0000-0x00007FFA201E4000-memory.dmp

Filesize
80KB

Download
memory/4744-365-0x00007FFA20750000-0x00007FFA2075E000-memory.dmp

Filesize
56KB

Download
memory/4744-364-0x00007FFA201A0000-0x00007FFA201AA000-memory.dmp

Filesize
40KB

Download
memory/4744-361-0x00007FFA203D0000-0x00007FFA2053D000-memory.dmp

Filesize
1.4MB

Download
memory/4744-360-0x00007FFA21B60000-0x00007FFA21B7E000-memory.dmp

Filesize
120KB

Download
memory/4744-359-0x00007FFA20880000-0x00007FFA208AC000-memory.dmp

Filesize
176KB

Download
memory/4744-363-0x00007FFA1FAD0000-0x00007FFA1FB86000-memory.dmp

Filesize
728KB

Download
memory/4744-379-0x00007FFA10E10000-0x00007FFA10EDF000-memory.dmp

Filesize
828KB

Download
memory/4744-381-0x00007FFA20840000-0x00007FFA2084D000-memory.dmp

Filesize
52KB

Download
memory/4744-380-0x00007FFA118B0000-0x00007FFA118E7000-memory.dmp

Filesize
220KB

Download