12ebda72ae1f323de1350f46caa98e7f78c5064681b5fa9c1fc0d67a1b21b537

Analysis

max time kernel
1679s
max time network
1173s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2024, 15:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

reasl-.exe
Size

54.9MB
MD5

d357ac66097254aa58cdecce42f407e2
SHA1

f48b6336f458bf39dd1244f96d870b89b828968f
SHA256

12ebda72ae1f323de1350f46caa98e7f78c5064681b5fa9c1fc0d67a1b21b537
SHA512

22f6a4cea32029671c0ea723a3793f3b5e5ab62b00cc052390368f56fd5ed381cdfaf92d83036038354ab359a79d13a4af9eaf1d6c15f246c4774911a26da93e
SSDEEP

786432:3e9X7QqMoknvNpA+vIlo0FdGgCdb5+KvIFVOjXESWqE5SezWNtyy2SFsLB:3gLQqMrlpA+Ql4JdHvIFVO8qQZby49

Score

8^/10

defense_evasion execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
100	powershell.exe
4660	powershell.exe
2884	powershell.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ ‏ .scr	reasl-.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ ‏ .scr	reasl-.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ ‏ .scr	attrib.exe

Loads dropped DLL 57 IoCs

pid	Process
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000239b7-724.dat	upx
behavioral1/memory/1948-728-0x00007FFAAE8F0000-0x00007FFAAEFB4000-memory.dmp	upx
behavioral1/files/0x00070000000235ef-735.dat	upx
behavioral1/memory/1948-741-0x00007FFABE730000-0x00007FFABE755000-memory.dmp	upx
behavioral1/memory/1948-744-0x00007FFABE530000-0x00007FFABE55D000-memory.dmp	upx
behavioral1/memory/1948-743-0x00007FFABE710000-0x00007FFABE72A000-memory.dmp	upx
behavioral1/memory/1948-742-0x00007FFABE840000-0x00007FFABE84F000-memory.dmp	upx
behavioral1/files/0x00070000000235bb-740.dat	upx
behavioral1/files/0x00070000000235b6-738.dat	upx
behavioral1/files/0x00070000000235b8-734.dat	upx
behavioral1/files/0x00070000000235ee-745.dat	upx
behavioral1/files/0x00070000000235c3-764.dat	upx
behavioral1/files/0x00070000000239b5-748.dat	upx
behavioral1/files/0x00070000000239ba-770.dat	upx
behavioral1/files/0x00070000000235ba-772.dat	upx
behavioral1/files/0x00070000000235be-771.dat	upx
behavioral1/memory/1948-778-0x00007FFABDC50000-0x00007FFABDC64000-memory.dmp	upx
behavioral1/memory/1948-779-0x00007FFAAE3C0000-0x00007FFAAE8E9000-memory.dmp	upx
behavioral1/memory/1948-777-0x00007FFABDE20000-0x00007FFABDE2D000-memory.dmp	upx
behavioral1/memory/1948-776-0x00007FFABDE30000-0x00007FFABDE3D000-memory.dmp	upx
behavioral1/memory/1948-775-0x00007FFABE3A0000-0x00007FFABE3B9000-memory.dmp	upx
behavioral1/memory/1948-774-0x00007FFABE4F0000-0x00007FFABE526000-memory.dmp	upx
behavioral1/files/0x00070000000235bf-769.dat	upx
behavioral1/memory/1948-767-0x00007FFABE700000-0x00007FFABE70F000-memory.dmp	upx
behavioral1/files/0x00070000000235c1-762.dat	upx
behavioral1/files/0x00070000000235c0-761.dat	upx
behavioral1/files/0x00070000000235bd-758.dat	upx
behavioral1/files/0x00070000000235bc-757.dat	upx
behavioral1/files/0x00070000000235b9-755.dat	upx
behavioral1/files/0x00070000000235b7-754.dat	upx
behavioral1/files/0x00070000000235b5-753.dat	upx
behavioral1/files/0x00070000000239bc-751.dat	upx
behavioral1/files/0x00070000000239bb-750.dat	upx
behavioral1/files/0x00070000000235f0-746.dat	upx
behavioral1/memory/1948-783-0x00007FFAAF890000-0x00007FFAAF95D000-memory.dmp	upx
behavioral1/memory/1948-781-0x00007FFAB9D90000-0x00007FFAB9DC3000-memory.dmp	upx
behavioral1/memory/1948-786-0x00007FFABDC30000-0x00007FFABDC46000-memory.dmp	upx
behavioral1/memory/1948-787-0x00007FFABDB50000-0x00007FFABDB62000-memory.dmp	upx
behavioral1/memory/1948-789-0x00007FFAAE0A0000-0x00007FFAAE1BB000-memory.dmp	upx
behavioral1/files/0x00070000000239c3-790.dat	upx
behavioral1/files/0x00070000000235c9-792.dat	upx
behavioral1/files/0x00070000000235ca-795.dat	upx
behavioral1/memory/1948-799-0x00007FFABDA60000-0x00007FFABDA6B000-memory.dmp	upx
behavioral1/memory/1948-798-0x00007FFAB5CB0000-0x00007FFAB5CD7000-memory.dmp	upx
behavioral1/memory/1948-797-0x00007FFAAE010000-0x00007FFAAE097000-memory.dmp	upx
behavioral1/memory/1948-796-0x00007FFAAE8F0000-0x00007FFAAEFB4000-memory.dmp	upx
behavioral1/files/0x0007000000023613-802.dat	upx
behavioral1/memory/1948-810-0x00007FFABE700000-0x00007FFABE70F000-memory.dmp	upx
behavioral1/memory/1948-809-0x00007FFAADE90000-0x00007FFAAE00F000-memory.dmp	upx
behavioral1/memory/1948-808-0x00007FFAAF7B0000-0x00007FFAAF7D4000-memory.dmp	upx
behavioral1/memory/1948-807-0x00007FFABCC50000-0x00007FFABCC68000-memory.dmp	upx
behavioral1/memory/1948-806-0x00007FFABE530000-0x00007FFABE55D000-memory.dmp	upx
behavioral1/files/0x0007000000023588-813.dat	upx
behavioral1/memory/1948-815-0x00007FFAAE3C0000-0x00007FFAAE8E9000-memory.dmp	upx
behavioral1/memory/1948-819-0x00007FFAB55F0000-0x00007FFAB55FB000-memory.dmp	upx
behavioral1/memory/1948-837-0x00007FFAADD60000-0x00007FFAADD7C000-memory.dmp	upx
behavioral1/memory/1948-838-0x00007FFAAD970000-0x00007FFAADD55000-memory.dmp	upx
behavioral1/memory/1948-833-0x00007FFAADD90000-0x00007FFAADDBE000-memory.dmp	upx
behavioral1/memory/1948-832-0x00007FFAADDC0000-0x00007FFAADDE9000-memory.dmp	upx
behavioral1/memory/1948-831-0x00007FFAADDF0000-0x00007FFAADDFC000-memory.dmp	upx
behavioral1/memory/1948-839-0x00007FFAAF890000-0x00007FFAAF95D000-memory.dmp	upx
behavioral1/memory/1948-830-0x00007FFAADE00000-0x00007FFAADE12000-memory.dmp	upx
behavioral1/memory/1948-829-0x00007FFAADE20000-0x00007FFAADE2D000-memory.dmp	upx
behavioral1/memory/1948-828-0x00007FFAADE30000-0x00007FFAADE3C000-memory.dmp	upx

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
29	raw.githubusercontent.com
36	discord.com
37	discord.com
44	discord.com
46	discord.com
28	raw.githubusercontent.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
42	ip-api.com

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3476	cmd.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
3544	WMIC.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4204450073-1267028356-951339405-1000\{C378A1D9-0093-4B23-9953-E042CA78ECBC}	reasl-.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3980	PING.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
1948	reasl-.exe
2808	powershell.exe
2808	powershell.exe
2808	powershell.exe
100	powershell.exe
100	powershell.exe
100	powershell.exe
4660	powershell.exe
4660	powershell.exe
4660	powershell.exe
2884	powershell.exe
2884	powershell.exe
2884	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1948	reasl-.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	100	powershell.exe
Token: SeDebugPrivilege	4660	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeIncreaseQuotaPrivilege	4684	WMIC.exe
Token: SeSecurityPrivilege	4684	WMIC.exe
Token: SeTakeOwnershipPrivilege	4684	WMIC.exe
Token: SeLoadDriverPrivilege	4684	WMIC.exe
Token: SeSystemProfilePrivilege	4684	WMIC.exe
Token: SeSystemtimePrivilege	4684	WMIC.exe
Token: SeProfSingleProcessPrivilege	4684	WMIC.exe
Token: SeIncBasePriorityPrivilege	4684	WMIC.exe
Token: SeCreatePagefilePrivilege	4684	WMIC.exe
Token: SeBackupPrivilege	4684	WMIC.exe
Token: SeRestorePrivilege	4684	WMIC.exe
Token: SeShutdownPrivilege	4684	WMIC.exe
Token: SeDebugPrivilege	4684	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4684	WMIC.exe
Token: SeRemoteShutdownPrivilege	4684	WMIC.exe
Token: SeUndockPrivilege	4684	WMIC.exe
Token: SeManageVolumePrivilege	4684	WMIC.exe
Token: 33	4684	WMIC.exe
Token: 34	4684	WMIC.exe
Token: 35	4684	WMIC.exe
Token: 36	4684	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4684	WMIC.exe
Token: SeSecurityPrivilege	4684	WMIC.exe
Token: SeTakeOwnershipPrivilege	4684	WMIC.exe
Token: SeLoadDriverPrivilege	4684	WMIC.exe
Token: SeSystemProfilePrivilege	4684	WMIC.exe
Token: SeSystemtimePrivilege	4684	WMIC.exe
Token: SeProfSingleProcessPrivilege	4684	WMIC.exe
Token: SeIncBasePriorityPrivilege	4684	WMIC.exe
Token: SeCreatePagefilePrivilege	4684	WMIC.exe
Token: SeBackupPrivilege	4684	WMIC.exe
Token: SeRestorePrivilege	4684	WMIC.exe
Token: SeShutdownPrivilege	4684	WMIC.exe
Token: SeDebugPrivilege	4684	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4684	WMIC.exe
Token: SeRemoteShutdownPrivilege	4684	WMIC.exe
Token: SeUndockPrivilege	4684	WMIC.exe
Token: SeManageVolumePrivilege	4684	WMIC.exe
Token: 33	4684	WMIC.exe
Token: 34	4684	WMIC.exe
Token: 35	4684	WMIC.exe
Token: 36	4684	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4516	wmic.exe
Token: SeSecurityPrivilege	4516	wmic.exe
Token: SeTakeOwnershipPrivilege	4516	wmic.exe
Token: SeLoadDriverPrivilege	4516	wmic.exe
Token: SeSystemProfilePrivilege	4516	wmic.exe
Token: SeSystemtimePrivilege	4516	wmic.exe
Token: SeProfSingleProcessPrivilege	4516	wmic.exe
Token: SeIncBasePriorityPrivilege	4516	wmic.exe
Token: SeCreatePagefilePrivilege	4516	wmic.exe
Token: SeBackupPrivilege	4516	wmic.exe
Token: SeRestorePrivilege	4516	wmic.exe
Token: SeShutdownPrivilege	4516	wmic.exe
Token: SeDebugPrivilege	4516	wmic.exe
Token: SeSystemEnvironmentPrivilege	4516	wmic.exe
Token: SeRemoteShutdownPrivilege	4516	wmic.exe
Token: SeUndockPrivilege	4516	wmic.exe
Token: SeManageVolumePrivilege	4516	wmic.exe

Suspicious use of WriteProcessMemory 50 IoCs

description	pid	Process	procid_target
PID 60 wrote to memory of 1948	60	reasl-.exe	86
PID 60 wrote to memory of 1948	60	reasl-.exe	86
PID 1948 wrote to memory of 3476	1948	reasl-.exe	93
PID 1948 wrote to memory of 3476	1948	reasl-.exe	93
PID 3476 wrote to memory of 564	3476	cmd.exe	95
PID 3476 wrote to memory of 564	3476	cmd.exe	95
PID 1948 wrote to memory of 4488	1948	reasl-.exe	96
PID 1948 wrote to memory of 4488	1948	reasl-.exe	96
PID 4488 wrote to memory of 2808	4488	cmd.exe	98
PID 4488 wrote to memory of 2808	4488	cmd.exe	98
PID 1948 wrote to memory of 3308	1948	reasl-.exe	99
PID 1948 wrote to memory of 3308	1948	reasl-.exe	99
PID 3308 wrote to memory of 100	3308	cmd.exe	101
PID 3308 wrote to memory of 100	3308	cmd.exe	101
PID 3308 wrote to memory of 4660	3308	cmd.exe	102
PID 3308 wrote to memory of 4660	3308	cmd.exe	102
PID 3308 wrote to memory of 2884	3308	cmd.exe	105
PID 3308 wrote to memory of 2884	3308	cmd.exe	105
PID 1948 wrote to memory of 560	1948	reasl-.exe	106
PID 1948 wrote to memory of 560	1948	reasl-.exe	106
PID 1948 wrote to memory of 4948	1948	reasl-.exe	108
PID 1948 wrote to memory of 4948	1948	reasl-.exe	108
PID 4948 wrote to memory of 4684	4948	cmd.exe	110
PID 4948 wrote to memory of 4684	4948	cmd.exe	110
PID 1948 wrote to memory of 4516	1948	reasl-.exe	111
PID 1948 wrote to memory of 4516	1948	reasl-.exe	111
PID 1948 wrote to memory of 2176	1948	reasl-.exe	113
PID 1948 wrote to memory of 2176	1948	reasl-.exe	113
PID 2176 wrote to memory of 3544	2176	cmd.exe	115
PID 2176 wrote to memory of 3544	2176	cmd.exe	115
PID 1948 wrote to memory of 3744	1948	reasl-.exe	116
PID 1948 wrote to memory of 3744	1948	reasl-.exe	116
PID 3744 wrote to memory of 1056	3744	cmd.exe	118
PID 3744 wrote to memory of 1056	3744	cmd.exe	118
PID 1948 wrote to memory of 4304	1948	reasl-.exe	119
PID 1948 wrote to memory of 4304	1948	reasl-.exe	119
PID 4304 wrote to memory of 3464	4304	cmd.exe	121
PID 4304 wrote to memory of 3464	4304	cmd.exe	121
PID 1948 wrote to memory of 3048	1948	reasl-.exe	122
PID 1948 wrote to memory of 3048	1948	reasl-.exe	122
PID 3048 wrote to memory of 3688	3048	cmd.exe	124
PID 3048 wrote to memory of 3688	3048	cmd.exe	124
PID 1948 wrote to memory of 888	1948	reasl-.exe	125
PID 1948 wrote to memory of 888	1948	reasl-.exe	125
PID 888 wrote to memory of 4668	888	cmd.exe	127
PID 888 wrote to memory of 4668	888	cmd.exe	127
PID 1948 wrote to memory of 4896	1948	reasl-.exe	128
PID 1948 wrote to memory of 4896	1948	reasl-.exe	128
PID 4896 wrote to memory of 3980	4896	cmd.exe	130
PID 4896 wrote to memory of 3980	4896	cmd.exe	130

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
564	attrib.exe

C:\Users\Admin\AppData\Local\Temp\reasl-.exe
"C:\Users\Admin\AppData\Local\Temp\reasl-.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:60
- C:\Users\Admin\AppData\Local\Temp\reasl-.exe
  "C:\Users\Admin\AppData\Local\Temp\reasl-.exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ ‏ .scr"
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:3476
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ ‏ .scr"
      4⤵
      Drops startup file
      Views/modifies file attributes
      PID:564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4488
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3308
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:100
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4660
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe','.py'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2884
- - C:\Windows\SYSTEM32\netsh.exe
    netsh wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    PID:560
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4948
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4684
- - C:\Windows\System32\Wbem\wmic.exe
    wmic cpu get Name
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2176
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:3544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3744
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:1056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4304
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
      4⤵
      PID:3464
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path softwarelicensingservice get OA3xOriginalProductKey"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path softwarelicensingservice get OA3xOriginalProductKey
      4⤵
      PID:3688
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:888
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:4668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\reasl-.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4896
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      Runs ping.exe
      PID:3980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ULleMAKsOz\Browser\cc's.txt

Filesize
91B

MD5
5aa796b6950a92a226cc5c98ed1c47e8

SHA1
6706a4082fc2c141272122f1ca424a446506c44d

SHA256
c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c

SHA512
976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\ULleMAKsOz\Browser\history.txt

Filesize
23B

MD5
5638715e9aaa8d3f45999ec395e18e77

SHA1
4e3dc4a1123edddf06d92575a033b42a662fe4ad

SHA256
4db7f6559c454d34d9c2d557524603c3f52649c2d69b26b6e8384a3d179aeae6

SHA512
78c96efab1d941e34d3137eae32cef041e2db5b0ebbf883e6a2effa79a323f66e00cfb7c45eb3398b3cbd0469a2be513c3ff63e5622261857eefc1685f77f76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ULleMAKsOz\Common Files\Are.docx

Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ULleMAKsOz\Common Files\ClearUndo.rtf

Filesize
684KB

MD5
e6b80a75ad9c90f46dc04f5c9298bdf0

SHA1
e46f1c1a7ddd3f014f4f4c5f830bd010d1baf060

SHA256
4b5f73edca98f8eb1f6bf449fff64f4d7d6e832d85e1b5243ec414926c33d1bc

SHA512
1e8207b8d27fb753e7e74e56377aaac97e0788a18604adf56cacad936b0ecd6068b7cc14744a37978177946dafec72ce70b2c4334a8bbdc9205110936a025814

Download Submit
C:\Users\Admin\AppData\Local\Temp\ULleMAKsOz\Common Files\ConnectConvertFrom.pdf

Filesize
515KB

MD5
51e2e5dc8aacb5f3bf1cea16ab374fc4

SHA1
72af60469a3bae05f25c46130a93c073aaa524a3

SHA256
4bd19ee91b49cccf87688b898a2fca65dbf6909f4aae5b523c03726326024d09

SHA512
70fe46ae9889106189bb62f941950bcfd91db235ff8595242781eced4231bababa98245b1c8295de6d3e827205d0667c26fa5604e16262507eee1774a3535a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\ULleMAKsOz\Common Files\Files.docx

Filesize
11KB

MD5
4a8fbd593a733fc669169d614021185b

SHA1
166e66575715d4c52bcb471c09bdbc5a9bb2f615

SHA256
714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42

SHA512
6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ULleMAKsOz\Common Files\JoinComplete.odt

Filesize
530KB

MD5
8dab74522516861730a09a0214996829

SHA1
5a1d2f8f3417fdaf637f33750ca0c49d494b3d42

SHA256
7349b4e81eb5b4a0618121a39281e4957da3fd391f7288ea4f1c7e6b2a2943dd

SHA512
420514df0212da2244d8c553ebd5ffaf154640101c226376f5e38d8e0221a7fc5bfeb6fe229e53e3c738ebad2f1b521731fa4a64e4054bb24052c927599cb72e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ULleMAKsOz\Common Files\ResizeSuspend.odt

Filesize
703KB

MD5
cabdd98e424fcc750a233bd5fcff5824

SHA1
5f6fcecd3a5e4aad2dbddb0047df5b20197869f6

SHA256
733844a667a7407852cf931b00b12a3a76c425bb19bf87f3969ec7e2d9050e87

SHA512
9f7455fff9f575e0df78452e261813d4899364bcb74b47a27e1ec03f36028b3e6b70a2f947fec84b1665b75d48929170f21a343bfca739f31ef4c52c35210067

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI602\Cryptodome\Cipher\_raw_cbc.pyd

Filesize
10KB

MD5
d9f0780e8df9e0adb12d1c4c39d6c9be

SHA1
2335d8d81c1a65d4f537553d66b70d37bc9a55b6

SHA256
e91c6bba58cf9dd76cb573f787c76f1da4481f4cbcdf5da3899cce4d3754bbe7

SHA512
7785aadb25cffdb736ce5f9ae4ca2d97b634bc969a0b0cb14815afaff4398a529a5f86327102b8005ace30c0d196b2c221384a54d7db040c08f0a01de3621d42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI602\Cryptodome\Cipher\_raw_ecb.pyd

Filesize
9KB

MD5
768559588eef33d33d9fa64ab5ed482b

SHA1
09be733f1deed8593c20afaf04042f8370e4e82f

SHA256
57d3efc53d8c4be726597a1f3068947b895b5b8aba47fd382c600d8e72125356

SHA512
3bf9cd35906e6e408089faea9ffcdf49cc164f58522764fe9e481d41b0e9c6ff14e13b0954d2c64bb942970bbf9d94d07fce0c0d5fdbd6ca045649675ecff0f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI602\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI602\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI602\_asyncio.pyd

Filesize
37KB

MD5
6880e3d5872fefa9810753e181cf3033

SHA1
e875467792bbe3c4117040f6cf935a7a60a21d55

SHA256
c7000207e8c406f3a18b006649248906963834ff901c7b8b9f627d534e31575b

SHA512
f501bfe8300b20a621d587d9a86e1228ab90da5f4cab8ed47a2822617ca5eeaf66691756228745ff24084ba481f6b3eedcddfc4a4869cd56334e8ca53a92148d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI602\_bz2.pyd

Filesize
48KB

MD5
ab542da47a7745a2f588ca78d41734e0

SHA1
d8f1601548510333e35199e3b6bb4eaf994ca9ae

SHA256
4aba601dd528a85dad5975daf6aa394002c8a38582e4abb05a89684f52130084

SHA512
d80228ae846c562e08b08b92796e871e546760cd8ed92cbbe526675947ea2a5524ff4a93210e820c9f646912db24ff112ed2a354fc018a53a5161934c7fbd0f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI602\_cffi_backend.cp312-win_amd64.pyd

Filesize
71KB

MD5
5225e3fc11136d4ad314367fa911a8b1

SHA1
c2cfb71d867e59f29d394131e0e6c8a2e71dee32

SHA256
08005b24e71411fc4acdb312a4558339595b1d12c6917f8d50c6166a9f122abe

SHA512
87bdeacaca87dc465de92fe8dda425560c5e6e149883113f4541f2d5ecc59f57523cde41ad48fa0081f820678182648afbf73839c249fe3f7d493dcf94e76248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI602\_ctypes.pyd

Filesize
59KB

MD5
fc609234e81821c069d54a7c8d4a7e05

SHA1
9aef96aa0276feb2df28ce0abf4ec1f2f766d011

SHA256
506cdca8f4cc4754a78edac3be230a5ec7ca4a0d61ef08fe0accab4080b2c69e

SHA512
bea687c1a9ed32db6c99be1c8689ac9e498f0ffce74c0c66c6c7653d58b6ee90e50df66c8a48b49854d47142fa9a930047f4828651193f7a500ae7fbc1882d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI602\_decimal.pyd

Filesize
107KB

MD5
e3245ba10c125de02593c0a67669ab17

SHA1
6b846b98ee8f663aa39d3c6c960df8bc84d82193

SHA256
306cc1df8631d632e9831d6a710c8776784c4655b107424290338c385e743026

SHA512
26c4d7280a93dc004b0a92689c43b9bcb6c0afa282d24581051fd18d0037499c2c77431636ca20a9225af002f254526cf66ff466b3b7fad0d73b8096ce1594fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI602\_hashlib.pyd

Filesize
35KB

MD5
fa6ae459e8a2c3071bd373da5a4cfe18

SHA1
dbf6462e952efe70f4ad72c0c8688456833462d5

SHA256
20af24170652420bc06adbb2fc159ae9e61e71f2cad5370b423c9ce4c57ad5e1

SHA512
9846f7fcf86fd67b03080a6ec270e4c6ecb0fee7bd0019fddd976c26e062c5d41f35691384a2307ca80289010f73cecf7326d7f446971639698b2948c4f67c08

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI602\_lzma.pyd

Filesize
86KB

MD5
ed15089e3c0c1b2ab5b73354abf0087b

SHA1
f51ade203d249e27ebf9ae2159220fabdb8726c0

SHA256
02fe60ad99452d53294514e8c6b8d95d79cc013742e3a4cd74b36601fc3fb09b

SHA512
a9f869b2988057c37d14ee56495ecbf2ec688517203a7e2d1bc1488f4d37c6e3d3fb6fb439442c86679a9cebbbd5b2e7b11d42f64bdbce7212b6411cd27073ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI602\_multiprocessing.pyd

Filesize
27KB

MD5
a2de86f88aad5c050f86d258b1f05617

SHA1
11824bbb09e5ee9865cadcbbfda1e0664c6d98ff

SHA256
f10fc80b19740eceb7fdce89c30d6670c9af7ed600fa7f881d27b8b5a054495f

SHA512
3662a8e6afa6b385a3e2682a49b0ae57f0f2aefc029eaaf841a228ec76c0f79c4e963b6f22eb345f4cad72b35bd72576a79a282d9816cf9b37b762773c10a80b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI602\_overlapped.pyd

Filesize
33KB

MD5
d2b3134bae2e401e1753aac8b9ca577e

SHA1
3b4c4fe61c724a6bc4ee423ee7a1efb007a1f515

SHA256
2386cf6ceaef4c6aa13974f913d6b3e6cde3b48e2fbb73f5c63ae6fe4384836f

SHA512
215609827121d9da6fa0bc884bd388391c46a799c22d54762775d591d9ae5e6bbce70011bc5f5237b6e526b79416c00f5daa8fc6baf70450ce37ced17fafa1f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI602\_queue.pyd

Filesize
26KB

MD5
6cff25f6eb2872a07d52591cffe97ed7

SHA1
1e51fc338bcf4e868a827c8dd2d3573a60ec9a73

SHA256
b58694a5585645827ce1f0aa285e176e9328584917a36434132fd71c3f017d8d

SHA512
e847437f88dfd473272ed89f06fc9939c2e58e71f309275afa89599b4d79365459f763815660499be69b93b2440f3ed0dec88192d7d5b2be6ac2b79009a6442a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI602\_socket.pyd

Filesize
44KB

MD5
552d390e9c359bf460b87cfb9a24a48b

SHA1
d4920c3355b18087e9a392bea152cef90cc04a60

SHA256
f11b57f08a31e172cabae66830f9ef936e322a4df03ba5230d1621db4e7a24b6

SHA512
cfc59e43ab855f1c571db92c0df1258e88bc6db9d8569c2a5242b90d22f327503f4b4402f79f816f53f12a43f3d1ca84066231f0a3e719758340813f79528d8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI602\_sqlite3.pyd

Filesize
57KB

MD5
435b49a7f84e7fbe0c6681932de37179

SHA1
a8a285579de10dacbfd053735c6f0ab930fe0fe2

SHA256
5321e5c26a9bcaebb58f11241121bd0d1e45f98dcfbb4d8457eae42f17b8328a

SHA512
13d7d7120a7a150d789b92964acbe6d2ea7ebb130d6cb1833456ea1cdd6654cdd1d8841165296b3f077935dbaec4a37ca7e45c395c0b72d9b6dc970dbb76136a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI602\_ssl.pyd

Filesize
66KB

MD5
318cfedf19856dbbc627e79ed9fd2b9c

SHA1
fb9b5565a033a8c6a4aee3f0a27de047714442d1

SHA256
efa7fef1f1456e19c44a787b62d047f5d73c6abb6a6d4201d125dc3d101fff09

SHA512
d5d616400fa33751bec6ce8786d4c29e6307f2042db0602907354734ff72387570201420290f5e99c375059ef7217159e254c44291b36f7f296574f506211e10

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI602\_uuid.pyd

Filesize
25KB

MD5
50521b577719195d7618a23b3103d8aa

SHA1
7020d2e107000eaf0eddde74bc3809df2c638e22

SHA256
acbf831004fb8b8d5340fe5debd9814c49bd282dd765c78faeb6bb5116288c78

SHA512
4ee950da8bbbd36932b488ec62fa046ac8fc35783a146edadbe063b8419a63d4dfb5bbd8c45e9e008fe708e6fc4a1fee1202fce92ffc95320547ba714fed95e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI602\_wmi.pyd

Filesize
28KB

MD5
54ba74f0c557b0c0463c08b5d2439379

SHA1
8aa3f3f50501962f4a64ead15b24b6a77b06c5c5

SHA256
53d4c23bc2ba89ee5050bae9b498eebbcde5a1906e51389742780f0c976b861f

SHA512
fa4b6ca32a635f3a17d1e50b2b0a0c9e184cc104c2632b1d57c2a14db30272e6985a5665c567f49a5d4a6f36bfe80db9b5c591856d1667c024631a7050efb5fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI602\base_library.zip

Filesize
1.3MB

MD5
55df3c98d18ec80bc37a6682ba0abcbb

SHA1
e3bf60cfecfee2473d4e0b07057af3c27afa6567

SHA256
d8de678c0ac0cecb7be261bda75511c47e6a565f0c6260eacf240c7c5039753b

SHA512
26368c9187155ee83c450bfc792938a2908c473ba60330ce95bcc3f780390043879bbff3949bd4a25b38343eac3c5c9ba709267959109c9c99a229809c97f3bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI602\certifi\cacert.pem

Filesize
287KB

MD5
2a6bef11d1f4672f86d3321b38f81220

SHA1
b4146c66e7e24312882d33b16b2ee140cb764b0e

SHA256
1605d0d39c5e25d67e7838da6a17dcf2e8c6cfa79030e8fb0318e35f5495493c

SHA512
500dfff929d803b0121796e8c1a30bdfcb149318a4a4de460451e093e4cbd568cd12ab20d0294e0bfa7efbd001de968cca4c61072218441d4fa7fd9edf7236d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI602\charset_normalizer\md.cp312-win_amd64.pyd

Filesize
9KB

MD5
e4fad9ff1b85862a6afaca2495d9f019

SHA1
0e47d7c5d4de3a1d7e3bb31bd47ea22cc4ddeac4

SHA256
e5d362766e9806e7e64709de7e0cff40e03123d821c3f30cac5bac1360e08c18

SHA512
706fb033fc2079b0aabe969bc51ccb6ffaaf1863daf0e4a83d6f13adc0fedab61cee2b63efb40f033aea22bf96886834d36f50af36e6e25b455e941c1676a30a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI602\charset_normalizer\md__mypyc.cp312-win_amd64.pyd

Filesize
39KB

MD5
5c643741418d74c743ca128ff3f50646

SHA1
0b499a3228865a985d86c1199d14614096efd8a0

SHA256
2d86563fdfdc39894a53a293810744915192f3b3f40a47526551e66cdb9cb35c

SHA512
45d02b854557d8f9c25ca8136fa6d3daed24275cc77b1c98038752daed4318bd081c889ff1f4fa8a28e734c9167f477350a8fa863f61729c30c76e7a91d61a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI602\libcrypto-3.dll

Filesize
1.6MB

MD5
63eb76eccfe70cff3a3935c0f7e8ba0f

SHA1
a8dd05dce28b79047e18633aee5f7e68b2f89a36

SHA256
785c8dde9803f8e1b279895c4e598a57dc7b01e0b1a914764fcedef0d7928b4e

SHA512
8da31fa77ead8711c0c6ffedcef6314f29d02a95411c6aacec626e150f329a5b96e9fdeae8d1a5e24d1ca5384ae2f0939a5cc0d58eb8bdbc5f00e62736dcc322

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI602\libffi-8.dll

Filesize
29KB

MD5
be8ceb4f7cb0782322f0eb52bc217797

SHA1
280a7cc8d297697f7f818e4274a7edd3b53f1e4d

SHA256
7d08df2c496c32281bf9a010b62e8898b9743db8b95a7ebee12d746c2e95d676

SHA512
07318c71c3137114e0cfec7d8b4815fd6efa51ce70b377121f26dc469cefe041d5098e1c92af8ed0c53b21e9c845fddee4d6646d5bd8395a3f1370ba56a59571

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI602\libssl-3.dll

Filesize
222KB

MD5
7e87c34b39f3a8c332df6e15fd83160b

SHA1
db712b55f23d8e946c2d91cbbeb7c9a78a92b484

SHA256
41448b8365b3a75cf33894844496eb03f84e5422b72b90bdcb9866051939c601

SHA512
eceda8b66736edf7f8e7e6d5a17e280342e989c5195525c697cc02dda80fd82d62c7fd4dc6c4825425bae69a820e1262b8d8cc00dbcd73868a26e16c14ac5559

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI602\luna.aes

Filesize
297KB

MD5
3af9a1dde555fc69c7b27044accd7424

SHA1
303dc8bb1dabce3046c0b3dc99be5c3654133dd6

SHA256
def7c364ece8a081dc7c08b7bbcc330ecae67a848d95d59013223744a9735b99

SHA512
66dac076347295df1961062b2f56ed7f54d9f107757405965ddbdbc29980c3938bde931d4cc18d36ebb17be4ef3ae80d1fc4cc3d3a699c54abe8efdfb779c5a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI602\psutil\_psutil_windows.pyd

Filesize
31KB

MD5
3adca2ff39adeb3567b73a4ca6d0253c

SHA1
ae35dde2348c8490f484d1afd0648380090e74fc

SHA256
92202b877579b74a87be769d58f9d1e8aced8a97336ad70e97d09685a10afeb3

SHA512
358d109b23cf99eb7396c450660f193e9e16f85f13737ecf29f4369b44f8356041a08443d157b325ccb5125a5f10410659761eda55f24fcc03a082ac8acdd345

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI602\pyexpat.pyd

Filesize
88KB

MD5
7291100352b163626455abf2252f2a96

SHA1
3c4d13bbf5fb69fe6f2af70f675ed2e437cea893

SHA256
01974148486d569e9f1ad62d36d4d54b5396b07c853bd50f358d5580fde331f4

SHA512
fc384703828bb7a38b51dcf1a131b49283808b5658395e1d1c5ee9a204f895da0c29b12a7b1fc9aa468babc5d6f03be638fecf519e41911bf015a481f95458bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI602\python3.DLL

Filesize
66KB

MD5
a07661c5fad97379cf6d00332999d22c

SHA1
dca65816a049b3cce5c4354c3819fef54c6299b0

SHA256
5146005c36455e7ede4b8ecc0dc6f6fa8ea6b4a99fedbabc1994ae27dfab9d1b

SHA512
6ddeb9d89ccb4d2ec5d994d85a55e5e2cc7af745056dae030ab8d72ee7830f672003f4675b6040f123fc64c19e9b48cabd0da78101774dafacf74a88fbd74b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI602\python312.dll

Filesize
1.7MB

MD5
8f165bfadf970edafd59067ad45a3952

SHA1
16c1876f2233087156b49db35d4d935c6e17be6a

SHA256
22470af77229d53d9141823c12780db63c43703dd525940bc479730d2e43513d

SHA512
b3af95dc9a68e21e8eca98e451b935f72663c2552ebf26de299716f17193f238d55c292df953d641defcbcec3ea18eb37cd4b839800804efa8f40658427263ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI602\select.pyd

Filesize
25KB

MD5
3b214dfb6ec4ca67be55b3aa52922827

SHA1
f665ffeab25d2bab506b873be944280586eb50f6

SHA256
7507a92c4787e9e7936a0b4a8eeb0a3f24e5ee12ae58cd7988543581d99817ac

SHA512
de4e9b9d79b01d21aca74179c6a3e8fc6fe041f71cdd78910fd893cda90c2cfe7e54ade91064333f37ffc880d446879a64dd8bb790677039df56df1f80ec6b45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI602\sqlite3.dll

Filesize
644KB

MD5
b26fa7619d82c7272b7279eb7aae801c

SHA1
fa6a3240a531615a0853306f3b3d66aed98a04d8

SHA256
74dc76a2a2d06d61f9f06bd3b0972bfb30ab57b0e5cb8c3011e79ce4a52924f0

SHA512
20b0d6cf3e07ca0d565f140c9f9c1e218406ed9bdaaf75433858acb250bfb71bb134a6479fdcf6d4d0e0252707b1fb14f9c9d3e4d6a40824c3fdc7a43dfad0ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI602\unicodedata.pyd

Filesize
295KB

MD5
97f08bbcf9903c768668b1cd1e30aada

SHA1
84e2dc5c3662bd39ac09b5f682a59104ffec16d2

SHA256
c5c2997c3b16eb8b89fe230582a579a753efc8317ffd95d9795ec2762aa54ed9

SHA512
076ca0017ae252d62d4a3bd7a42af95800e39a164bda990a0ca651aa2f0df2736c0dfdc086d8328a1834ae89f17716c5f76e798460a90263d1d8b6f2c233c686

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI602\zstandard\backend_c.cp312-win_amd64.pyd

Filesize
174KB

MD5
4dd9c42a89ddf77fef7aa34a71c5b480

SHA1
fc4c03ffcf81fb255b54c4f16f6ed90d5a1f37d4

SHA256
f76dc6f9ace0d356dbfdea443c3d43232342f48384f4afc7293b2ace813477e7

SHA512
02c04fa2fa1d8136730f2596740049664a4f9343fb56de195988d80151cb38e67e7fee1c140d2c5d7c439f19df377cc6e253f5178711f72b821eae3076b4e142

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qdfo5e2k.bp2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1948-822-0x00007FFAAF780000-0x00007FFAAF78C000-memory.dmp

Filesize
48KB

Download
memory/1948-741-0x00007FFABE730000-0x00007FFABE755000-memory.dmp

Filesize
148KB

Download
memory/1948-787-0x00007FFABDB50000-0x00007FFABDB62000-memory.dmp

Filesize
72KB

Download
memory/1948-786-0x00007FFABDC30000-0x00007FFABDC46000-memory.dmp

Filesize
88KB

Download
memory/1948-799-0x00007FFABDA60000-0x00007FFABDA6B000-memory.dmp

Filesize
44KB

Download
memory/1948-798-0x00007FFAB5CB0000-0x00007FFAB5CD7000-memory.dmp

Filesize
156KB

Download
memory/1948-797-0x00007FFAAE010000-0x00007FFAAE097000-memory.dmp

Filesize
540KB

Download
memory/1948-796-0x00007FFAAE8F0000-0x00007FFAAEFB4000-memory.dmp

Filesize
6.8MB

Download
memory/1948-781-0x00007FFAB9D90000-0x00007FFAB9DC3000-memory.dmp

Filesize
204KB

Download
memory/1948-783-0x00007FFAAF890000-0x00007FFAAF95D000-memory.dmp

Filesize
820KB

Download
memory/1948-810-0x00007FFABE700000-0x00007FFABE70F000-memory.dmp

Filesize
60KB

Download
memory/1948-809-0x00007FFAADE90000-0x00007FFAAE00F000-memory.dmp

Filesize
1.5MB

Download
memory/1948-808-0x00007FFAAF7B0000-0x00007FFAAF7D4000-memory.dmp

Filesize
144KB

Download
memory/1948-807-0x00007FFABCC50000-0x00007FFABCC68000-memory.dmp

Filesize
96KB

Download
memory/1948-806-0x00007FFABE530000-0x00007FFABE55D000-memory.dmp

Filesize
180KB

Download
memory/1948-767-0x00007FFABE700000-0x00007FFABE70F000-memory.dmp

Filesize
60KB

Download
memory/1948-815-0x00007FFAAE3C0000-0x00007FFAAE8E9000-memory.dmp

Filesize
5.2MB

Download
memory/1948-819-0x00007FFAB55F0000-0x00007FFAB55FB000-memory.dmp

Filesize
44KB

Download
memory/1948-837-0x00007FFAADD60000-0x00007FFAADD7C000-memory.dmp

Filesize
112KB

Download
memory/1948-838-0x00007FFAAD970000-0x00007FFAADD55000-memory.dmp

Filesize
3.9MB

Download
memory/1948-833-0x00007FFAADD90000-0x00007FFAADDBE000-memory.dmp

Filesize
184KB

Download
memory/1948-832-0x00007FFAADDC0000-0x00007FFAADDE9000-memory.dmp

Filesize
164KB

Download
memory/1948-831-0x00007FFAADDF0000-0x00007FFAADDFC000-memory.dmp

Filesize
48KB

Download
memory/1948-839-0x00007FFAAF890000-0x00007FFAAF95D000-memory.dmp

Filesize
820KB

Download
memory/1948-830-0x00007FFAADE00000-0x00007FFAADE12000-memory.dmp

Filesize
72KB

Download
memory/1948-829-0x00007FFAADE20000-0x00007FFAADE2D000-memory.dmp

Filesize
52KB

Download
memory/1948-828-0x00007FFAADE30000-0x00007FFAADE3C000-memory.dmp

Filesize
48KB

Download
memory/1948-827-0x00007FFAADE40000-0x00007FFAADE4C000-memory.dmp

Filesize
48KB

Download
memory/1948-826-0x00007FFAADE50000-0x00007FFAADE5B000-memory.dmp

Filesize
44KB

Download
memory/1948-825-0x00007FFAADE60000-0x00007FFAADE6B000-memory.dmp

Filesize
44KB

Download
memory/1948-824-0x00007FFAADE80000-0x00007FFAADE8E000-memory.dmp

Filesize
56KB

Download
memory/1948-823-0x00007FFAAF770000-0x00007FFAAF77C000-memory.dmp

Filesize
48KB

Download
memory/1948-774-0x00007FFABE4F0000-0x00007FFABE526000-memory.dmp

Filesize
216KB

Download
memory/1948-836-0x00007FFAB9D90000-0x00007FFAB9DC3000-memory.dmp

Filesize
204KB

Download
memory/1948-835-0x00007FFAADE70000-0x00007FFAADE7C000-memory.dmp

Filesize
48KB

Download
memory/1948-834-0x00007FFAADD80000-0x00007FFAADD8B000-memory.dmp

Filesize
44KB

Download
memory/1948-821-0x00007FFAAF790000-0x00007FFAAF79B000-memory.dmp

Filesize
44KB

Download
memory/1948-820-0x00007FFAAF7A0000-0x00007FFAAF7AC000-memory.dmp

Filesize
48KB

Download
memory/1948-840-0x00007FFAAB4F0000-0x00007FFAAD616000-memory.dmp

Filesize
33.1MB

Download
memory/1948-818-0x00007FFAB5CA0000-0x00007FFAB5CAC000-memory.dmp

Filesize
48KB

Download
memory/1948-817-0x00007FFAB7CF0000-0x00007FFAB7CFB000-memory.dmp

Filesize
44KB

Download
memory/1948-816-0x00007FFAB7EB0000-0x00007FFAB7EBB000-memory.dmp

Filesize
44KB

Download
memory/1948-814-0x00007FFABDC50000-0x00007FFABDC64000-memory.dmp

Filesize
80KB

Download
memory/1948-775-0x00007FFABE3A0000-0x00007FFABE3B9000-memory.dmp

Filesize
100KB

Download
memory/1948-841-0x00007FFAAB430000-0x00007FFAAB448000-memory.dmp

Filesize
96KB

Download
memory/1948-842-0x00007FFAAB400000-0x00007FFAAB421000-memory.dmp

Filesize
132KB

Download
memory/1948-1042-0x00007FFAAB4F0000-0x00007FFAAD616000-memory.dmp

Filesize
33.1MB

Download
memory/1948-776-0x00007FFABDE30000-0x00007FFABDE3D000-memory.dmp

Filesize
52KB

Download
memory/1948-857-0x00007FFAAE0A0000-0x00007FFAAE1BB000-memory.dmp

Filesize
1.1MB

Download
memory/1948-777-0x00007FFABDE20000-0x00007FFABDE2D000-memory.dmp

Filesize
52KB

Download
memory/1948-779-0x00007FFAAE3C0000-0x00007FFAAE8E9000-memory.dmp

Filesize
5.2MB

Download
memory/1948-778-0x00007FFABDC50000-0x00007FFABDC64000-memory.dmp

Filesize
80KB

Download
memory/1948-742-0x00007FFABE840000-0x00007FFABE84F000-memory.dmp

Filesize
60KB

Download
memory/1948-743-0x00007FFABE710000-0x00007FFABE72A000-memory.dmp

Filesize
104KB

Download
memory/1948-744-0x00007FFABE530000-0x00007FFABE55D000-memory.dmp

Filesize
180KB

Download
memory/1948-789-0x00007FFAAE0A0000-0x00007FFAAE1BB000-memory.dmp

Filesize
1.1MB

Download
memory/1948-728-0x00007FFAAE8F0000-0x00007FFAAEFB4000-memory.dmp

Filesize
6.8MB

Download
memory/1948-975-0x00007FFAAF7B0000-0x00007FFAAF7D4000-memory.dmp

Filesize
144KB

Download
memory/1948-976-0x00007FFAADE90000-0x00007FFAAE00F000-memory.dmp

Filesize
1.5MB

Download
memory/1948-974-0x00007FFABCC50000-0x00007FFABCC68000-memory.dmp

Filesize
96KB

Download
memory/1948-966-0x00007FFAB9D90000-0x00007FFAB9DC3000-memory.dmp

Filesize
204KB

Download
memory/1948-954-0x00007FFAAE8F0000-0x00007FFAAEFB4000-memory.dmp

Filesize
6.8MB

Download
memory/1948-955-0x00007FFABE730000-0x00007FFABE755000-memory.dmp

Filesize
148KB

Download
memory/1948-1000-0x00007FFABE4F0000-0x00007FFABE526000-memory.dmp

Filesize
216KB

Download
memory/1948-1003-0x00007FFABDE20000-0x00007FFABDE2D000-memory.dmp

Filesize
52KB

Download
memory/1948-1024-0x00007FFAAF770000-0x00007FFAAF77C000-memory.dmp

Filesize
48KB

Download
memory/1948-1027-0x00007FFAADD60000-0x00007FFAADD7C000-memory.dmp

Filesize
112KB

Download
memory/1948-1039-0x00007FFAADD80000-0x00007FFAADD8B000-memory.dmp

Filesize
44KB

Download
memory/1948-1038-0x00007FFAADD90000-0x00007FFAADDBE000-memory.dmp

Filesize
184KB

Download
memory/1948-1037-0x00007FFAADDC0000-0x00007FFAADDE9000-memory.dmp

Filesize
164KB

Download
memory/1948-1036-0x00007FFAADDF0000-0x00007FFAADDFC000-memory.dmp

Filesize
48KB

Download
memory/1948-1035-0x00007FFAADE00000-0x00007FFAADE12000-memory.dmp

Filesize
72KB

Download
memory/1948-1034-0x00007FFAADE20000-0x00007FFAADE2D000-memory.dmp

Filesize
52KB

Download
memory/1948-1033-0x00007FFAADE30000-0x00007FFAADE3C000-memory.dmp

Filesize
48KB

Download
memory/1948-1032-0x00007FFAADE40000-0x00007FFAADE4C000-memory.dmp

Filesize
48KB

Download
memory/1948-1031-0x00007FFAADE50000-0x00007FFAADE5B000-memory.dmp

Filesize
44KB

Download
memory/1948-1030-0x00007FFAADE60000-0x00007FFAADE6B000-memory.dmp

Filesize
44KB

Download
memory/1948-1029-0x00007FFAADE80000-0x00007FFAADE8E000-memory.dmp

Filesize
56KB

Download
memory/1948-1028-0x00007FFAAB400000-0x00007FFAAB421000-memory.dmp

Filesize
132KB

Download
memory/1948-1026-0x00007FFAADE70000-0x00007FFAADE7C000-memory.dmp

Filesize
48KB

Download
memory/1948-1025-0x00007FFAADE90000-0x00007FFAAE00F000-memory.dmp

Filesize
1.5MB

Download
memory/1948-1023-0x00007FFAAF780000-0x00007FFAAF78C000-memory.dmp

Filesize
48KB

Download
memory/1948-1022-0x00007FFAAF790000-0x00007FFAAF79B000-memory.dmp

Filesize
44KB

Download
memory/1948-1020-0x00007FFAB55F0000-0x00007FFAB55FB000-memory.dmp

Filesize
44KB

Download
memory/1948-1019-0x00007FFAB5CA0000-0x00007FFAB5CAC000-memory.dmp

Filesize
48KB

Download
memory/1948-1018-0x00007FFAB7CF0000-0x00007FFAB7CFB000-memory.dmp

Filesize
44KB

Download
memory/1948-1021-0x00007FFAAF7A0000-0x00007FFAAF7AC000-memory.dmp

Filesize
48KB

Download
memory/1948-1017-0x00007FFAB7EB0000-0x00007FFAB7EBB000-memory.dmp

Filesize
44KB

Download
memory/1948-1015-0x00007FFAAF7B0000-0x00007FFAAF7D4000-memory.dmp

Filesize
144KB

Download
memory/1948-1014-0x00007FFABCC50000-0x00007FFABCC68000-memory.dmp

Filesize
96KB

Download
memory/1948-1013-0x00007FFAB5CB0000-0x00007FFAB5CD7000-memory.dmp

Filesize
156KB

Download
memory/1948-1012-0x00007FFABDA60000-0x00007FFABDA6B000-memory.dmp

Filesize
44KB

Download
memory/1948-1011-0x00007FFAAE010000-0x00007FFAAE097000-memory.dmp

Filesize
540KB

Download
memory/1948-1010-0x00007FFAAE0A0000-0x00007FFAAE1BB000-memory.dmp

Filesize
1.1MB

Download
memory/1948-1009-0x00007FFABDB50000-0x00007FFABDB62000-memory.dmp

Filesize
72KB

Download
memory/1948-1008-0x00007FFABDC30000-0x00007FFABDC46000-memory.dmp

Filesize
88KB

Download
memory/1948-1007-0x00007FFAAF890000-0x00007FFAAF95D000-memory.dmp

Filesize
820KB

Download
memory/1948-1006-0x00007FFAB9D90000-0x00007FFAB9DC3000-memory.dmp

Filesize
204KB

Download
memory/1948-1004-0x00007FFABDC50000-0x00007FFABDC64000-memory.dmp

Filesize
80KB

Download
memory/1948-1002-0x00007FFABDE30000-0x00007FFABDE3D000-memory.dmp

Filesize
52KB

Download
memory/1948-1001-0x00007FFABE3A0000-0x00007FFABE3B9000-memory.dmp

Filesize
100KB

Download
memory/1948-994-0x00007FFAAE8F0000-0x00007FFAAEFB4000-memory.dmp

Filesize
6.8MB

Download
memory/1948-1005-0x00007FFAAE3C0000-0x00007FFAAE8E9000-memory.dmp

Filesize
5.2MB

Download
memory/1948-999-0x00007FFABE700000-0x00007FFABE70F000-memory.dmp

Filesize
60KB

Download
memory/1948-998-0x00007FFABE530000-0x00007FFABE55D000-memory.dmp

Filesize
180KB

Download
memory/1948-997-0x00007FFABE710000-0x00007FFABE72A000-memory.dmp

Filesize
104KB

Download
memory/1948-996-0x00007FFABE840000-0x00007FFABE84F000-memory.dmp

Filesize
60KB

Download
memory/1948-995-0x00007FFABE730000-0x00007FFABE755000-memory.dmp

Filesize
148KB

Download
memory/1948-1040-0x00007FFAAD970000-0x00007FFAADD55000-memory.dmp

Filesize
3.9MB

Download
memory/1948-1041-0x00007FFAAB430000-0x00007FFAAB448000-memory.dmp

Filesize
96KB

Download
memory/2808-847-0x000001ED74790000-0x000001ED747B2000-memory.dmp

Filesize
136KB

Download