Analysis Overview
SHA256
6b9568f25dba66dde3d01baa88ff15ce5165fed7c29c8446d8fab993234a49ce
Threat Level: Known bad
The file 6b9568f25dba66dde3d01baa88ff15ce5165fed7c29c8446d8fab993234a49ce.exe was found to be: Known bad.
Malicious Activity Summary
Exela Stealer
Exelastealer family
Grants admin privileges
Modifies Windows Firewall
Loads dropped DLL
Clipboard Data
Reads user/profile data of web browsers
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Network Service Discovery
Enumerates processes with tasklist
UPX packed file
Hide Artifacts: Hidden Files and Directories
Launches sc.exe
Detects Pyinstaller
System Network Configuration Discovery: Wi-Fi Discovery
Browser Information Discovery
System Network Connections Discovery
Unsigned PE
Event Triggered Execution: Netsh Helper DLL
Permission Groups Discovery: Local Groups
Suspicious use of WriteProcessMemory
Gathers system information
Collects information from the system
Runs net.exe
Detects videocard installed
Gathers network information
Views/modifies file attributes
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-10-29 02:27
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-29 02:27
Reported
2024-10-29 02:30
Platform
win7-20241023-en
Max time kernel
119s
Max time network
122s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6b9568f25dba66dde3d01baa88ff15ce5165fed7c29c8446d8fab993234a49ce.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2416 wrote to memory of 2948 | N/A | C:\Users\Admin\AppData\Local\Temp\6b9568f25dba66dde3d01baa88ff15ce5165fed7c29c8446d8fab993234a49ce.exe | C:\Users\Admin\AppData\Local\Temp\6b9568f25dba66dde3d01baa88ff15ce5165fed7c29c8446d8fab993234a49ce.exe |
| PID 2416 wrote to memory of 2948 | N/A | C:\Users\Admin\AppData\Local\Temp\6b9568f25dba66dde3d01baa88ff15ce5165fed7c29c8446d8fab993234a49ce.exe | C:\Users\Admin\AppData\Local\Temp\6b9568f25dba66dde3d01baa88ff15ce5165fed7c29c8446d8fab993234a49ce.exe |
| PID 2416 wrote to memory of 2948 | N/A | C:\Users\Admin\AppData\Local\Temp\6b9568f25dba66dde3d01baa88ff15ce5165fed7c29c8446d8fab993234a49ce.exe | C:\Users\Admin\AppData\Local\Temp\6b9568f25dba66dde3d01baa88ff15ce5165fed7c29c8446d8fab993234a49ce.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\6b9568f25dba66dde3d01baa88ff15ce5165fed7c29c8446d8fab993234a49ce.exe
"C:\Users\Admin\AppData\Local\Temp\6b9568f25dba66dde3d01baa88ff15ce5165fed7c29c8446d8fab993234a49ce.exe"
C:\Users\Admin\AppData\Local\Temp\6b9568f25dba66dde3d01baa88ff15ce5165fed7c29c8446d8fab993234a49ce.exe
"C:\Users\Admin\AppData\Local\Temp\6b9568f25dba66dde3d01baa88ff15ce5165fed7c29c8446d8fab993234a49ce.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI24162\python310.dll
| MD5 | 0ff261eaec9b2a95d5a42dd14b3ebd06 |
| SHA1 | eaca11a8495d1d82754eea1d370db66beee5531a |
| SHA256 | d83d45dba2dc176107a17dc5efe8c136cab3bacdbb42426805c1a36d78242ff3 |
| SHA512 | 04ab60e90babbf53001ccc4ffd7e979ff450b232cbf1221731ecbe21cab0bee4a42c9ff6a53a5973f89b48085f797384a8d1218f34c48149c7b7d572fd8bf663 |
memory/2948-48-0x000007FEF60F0000-0x000007FEF6553000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-29 02:27
Reported
2024-10-29 02:30
Platform
win10v2004-20241007-en
Max time kernel
137s
Max time network
149s
Command Line
Signatures
Exela Stealer
Exelastealer family
Grants admin privileges
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Clipboard Data
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Network Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\ARP.EXE | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Permission Groups Discovery: Local Groups
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
System Network Connections Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Collects information from the system
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\6b9568f25dba66dde3d01baa88ff15ce5165fed7c29c8446d8fab993234a49ce.exe
"C:\Users\Admin\AppData\Local\Temp\6b9568f25dba66dde3d01baa88ff15ce5165fed7c29c8446d8fab993234a49ce.exe"
C:\Users\Admin\AppData\Local\Temp\6b9568f25dba66dde3d01baa88ff15ce5165fed7c29c8446d8fab993234a49ce.exe
"C:\Users\Admin\AppData\Local\Temp\6b9568f25dba66dde3d01baa88ff15ce5165fed7c29c8446d8fab993234a49ce.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "gdb --version"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get Manufacturer
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
C:\Windows\System32\Wbem\WMIC.exe
wmic path Win32_ComputerSystem get Manufacturer
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
C:\Windows\system32\cmd.exe
cmd.exe /c chcp
C:\Windows\system32\cmd.exe
cmd.exe /c chcp
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\chcp.com
chcp
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\HOSTNAME.EXE
hostname
C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get caption,description,providername
C:\Windows\system32\net.exe
net user
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
C:\Windows\system32\query.exe
query user
C:\Windows\system32\quser.exe
"C:\Windows\system32\quser.exe"
C:\Windows\system32\net.exe
net localgroup
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
C:\Windows\system32\net.exe
net localgroup administrators
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
C:\Windows\system32\net.exe
net user guest
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user guest
C:\Windows\system32\net.exe
net user administrator
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator
C:\Windows\System32\Wbem\WMIC.exe
wmic startup get caption,command
C:\Windows\system32\tasklist.exe
tasklist /svc
C:\Windows\system32\ipconfig.exe
ipconfig /all
C:\Windows\system32\ROUTE.EXE
route print
C:\Windows\system32\ARP.EXE
arp -a
C:\Windows\system32\NETSTAT.EXE
netstat -ano
C:\Windows\system32\sc.exe
sc query type= service state= all
C:\Windows\system32\netsh.exe
netsh firewall show state
C:\Windows\system32\netsh.exe
netsh firewall show config
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| N/A | 127.0.0.1:58448 | tcp | |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| N/A | 127.0.0.1:58459 | tcp | |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| N/A | 127.0.0.1:58465 | tcp | |
| N/A | 127.0.0.1:58468 | tcp | |
| N/A | 127.0.0.1:58470 | tcp | |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI29482\python310.dll
| MD5 | 0ff261eaec9b2a95d5a42dd14b3ebd06 |
| SHA1 | eaca11a8495d1d82754eea1d370db66beee5531a |
| SHA256 | d83d45dba2dc176107a17dc5efe8c136cab3bacdbb42426805c1a36d78242ff3 |
| SHA512 | 04ab60e90babbf53001ccc4ffd7e979ff450b232cbf1221731ecbe21cab0bee4a42c9ff6a53a5973f89b48085f797384a8d1218f34c48149c7b7d572fd8bf663 |
C:\Users\Admin\AppData\Local\Temp\_MEI29482\VCRUNTIME140.dll
| MD5 | a87575e7cf8967e481241f13940ee4f7 |
| SHA1 | 879098b8a353a39e16c79e6479195d43ce98629e |
| SHA256 | ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e |
| SHA512 | e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0 |
memory/2372-50-0x00007FFE58D20000-0x00007FFE59183000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI29482\base_library.zip
| MD5 | 789d288a8a4bd999b71846b020bb425c |
| SHA1 | a4a4c52092ff8cfaa10e05fab0c879009bd0395e |
| SHA256 | 215e363d87855bf45206a8f8b5510227930422829842e7f0a41fdd0bf7cb5cdc |
| SHA512 | 95ab7d80b37059ad6aa19b66568e1240a5825d770300846a635bd57b2579b06413a370db2053445973f36ef8dcd4bfe8e2e52fbd65a8db59b48641854c49ff65 |
C:\Users\Admin\AppData\Local\Temp\_MEI29482\_ctypes.pyd
| MD5 | ef1217909e473e7550d4e0f8649e9899 |
| SHA1 | 52489ac45202525c3757741015376806da73131a |
| SHA256 | 6c5f213cee7f1ede6f5ec7ffc7102b2e777e9a19eb21e795bcd0ba6de1f49489 |
| SHA512 | e62ae850e3be398bf2d91269a5958c2c6aede111e58876675a04a343a927d1df306cef559a34b19d9f88edbc4ee7cdaca31d6b0c72eb388c93be6bd017058d28 |
C:\Users\Admin\AppData\Local\Temp\_MEI29482\libffi-7.dll
| MD5 | d50ebf567149ead9d88933561cb87d09 |
| SHA1 | 171df40e4187ebbfdf9aa1d76a33f769fb8a35ed |
| SHA256 | 6aa8e12ce7c8ad52dd2e3fabeb38a726447849669c084ea63d8e322a193033af |
| SHA512 | 7bcc9d6d3a097333e1e4b2b23c81ea1b5db7dbdc5d9d62ebaffb0fdfb6cfe86161520ac14dc835d1939be22b9f342531f48da70f765a60b8e2c3d7b9983021de |
memory/2372-58-0x00007FFE6CAE0000-0x00007FFE6CB04000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI29482\python3.dll
| MD5 | f5cb0f83f8a825d4bedcddae9d730804 |
| SHA1 | 07385f55b69660b8abc197cfab7580072da320ea |
| SHA256 | a62a9c7966cf614b3083740dc856ca9a1151ddcc0b110ebc3494799511ed392b |
| SHA512 | 2bfa35eb4b8fff821b4504eccad94ed8591ef42e0cdb39a18458395789508b4d2da76f0de3708d963c3187b8b1ced66b37c66834f17eeca0ceb45a62b3a69974 |
C:\Users\Admin\AppData\Local\Temp\_MEI29482\libcrypto-1_1.dll
| MD5 | 5e999bc10636935a56a26b623718d4be |
| SHA1 | 378622eb481006983f14607fdce99641d161f244 |
| SHA256 | 35460fc9fd3bac20826a5bd7608cbe71822ac172e014a6b0e0693bd1b6e255c1 |
| SHA512 | d28ecc0f001b91c06fe4572ad18eb49cb0c81c2b3496725d69f6f82eccd992047ecd5819e05e4f7bf786904b6c2e5d68fecc629fa50425a7d7abd9fe33c0052a |
C:\Users\Admin\AppData\Local\Temp\_MEI29482\_uuid.pyd
| MD5 | 7c7db8c81f5f26cf1a795254f4cfba81 |
| SHA1 | 0575708630b0f8917e80285d065dcf27f5642307 |
| SHA256 | e23fd6254aceb83c12bdaaa477b3777cc84ffd057dcd86de5ba15bbb94d3b321 |
| SHA512 | c7481f6a7ea6eb343a5a1f98e8040c8018a26b32b5c08b0c11d00e68e0c77f800421d147998b24e24821913d274b3dff36b14a2140fb3deb4649cbb50bc3a561 |
C:\Users\Admin\AppData\Local\Temp\_MEI29482\_socket.pyd
| MD5 | c393807c2b4db1ef035c35d44ee7e27e |
| SHA1 | 2035ae4199cb87f87c21a170dff6094cccac789e |
| SHA256 | f9f87f9e233a83f00b59e4b20c3ef5cdc4c8256f1fbf8d6cbc3a8619a5d31161 |
| SHA512 | df30349a031d47bcd2a2324067364fc04c57ec55c3014beeec325cf3f19b88ac36a1c120b9b3833011f7dea3a7a8461e8ed847e104cfa786df1ff0404c324394 |
C:\Users\Admin\AppData\Local\Temp\_MEI29482\_ssl.pyd
| MD5 | 42146db5647f8a00358473acee48fddc |
| SHA1 | be45224db1ed10e238eae50d1b4f9d3fef40c698 |
| SHA256 | 7b2d9490dfecfaf918d3eeb5d8f242eff1c3de6609d414bb3c318859d2a6717c |
| SHA512 | 1e522b661bd20f8f878e6f2e2f9bf6868048dc752d596162a3ba1c6283a76ec60f3f1cd792e1e670fcd5a9ab57cfcf9d5f11b257f44e68f9dc42df81b6c2a60d |
C:\Users\Admin\AppData\Local\Temp\_MEI29482\select.pyd
| MD5 | f6ccbb8579c0a2d3ab65f62546ab9549 |
| SHA1 | 9c441a78b771bd591a73ab27c6ae4a514ed356b6 |
| SHA256 | ce958b7855d3c85127a8971cc4d9c79611402ae1e05ad6b22147e9fe084dbb08 |
| SHA512 | 04a0ceaccce5010d233d2508e09af531761cfe1cf2a55e531966c06bfcf4e4936b139cd9158b7ba680b795bd64a5e83d198c18a00f33771e3dc3a73008851cae |
memory/2372-81-0x00007FFE6CB50000-0x00007FFE6CB69000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI29482\_lzma.pyd
| MD5 | 672c40c864ab29141a573f778d57d1a2 |
| SHA1 | bc9443654f593163d02ccdb790c17ae8bcea9c04 |
| SHA256 | 8cf7d39be3f91971b1f8fc88a0e320edb720e0e61d26a32b56bbebe3fe23e485 |
| SHA512 | fb60de107c049d9b4dcfae5b13e56cbf080e736fa69c92291b7f4abf838eee2a62d940b0b2b69cc60a650bdd127fff8bf305cdb220592c5a0132953546b14084 |
memory/2372-87-0x00007FFE680A0000-0x00007FFE680CC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI29482\sqlite3.dll
| MD5 | 02ffe8fbaca3a8e908615c557f4dfae3 |
| SHA1 | 61dacefbc236c99cb904ed05627eeed4fb5ab74d |
| SHA256 | 80943701e464891c4b7c9342ca3d6d8aa8d8125617c3e72c082c3ff8783f9130 |
| SHA512 | 1e87843f844d4b85d688b2aad049e941945a7e7c7d6778982bf8fac1e8d0fec33e63344a231a243d8c1e69c769cef382b39311cf03ecc0732cd6fceafe2952f6 |
memory/2372-89-0x00007FFE68080000-0x00007FFE6809E000-memory.dmp
memory/2372-91-0x00007FFE67DD0000-0x00007FFE67F41000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI29482\_sqlite3.pyd
| MD5 | 66bdd61d103f7408b39ed0689a736fcf |
| SHA1 | bf64187823af7e17df7ffb6d022d6c55529b5019 |
| SHA256 | 457c828ed5dc483d90525aec78dcf58a63ac59b1e985192fa812884ef6da85d2 |
| SHA512 | 5dae18d8ad419c582c6a362f076519c52286da89b98be296bcf1a1af46706790d479fa76d72f0760f349b4941b1811bdc5cbc3c6bffafec190d28f97442e989f |
memory/2372-85-0x00007FFE680D0000-0x00007FFE680E8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI29482\_bz2.pyd
| MD5 | 2d1c4d692cd8184038222aad2f54751b |
| SHA1 | f36153cc210ff9e33c0d9cfbb9905d9c6772c43b |
| SHA256 | fd3ddc5129a4d8b4c27aa60b42ada66ba505abc8cf9639cf95e1525cf4732b98 |
| SHA512 | bc0463a4832858bac6ee54328afd534191531a307e7fe390a35b48e36517c148dbc41c5fc44dc639f49cbbb59b9ceeb9d9d53bcc9c19454d99869ee648668c1b |
memory/2372-83-0x00007FFE6DF60000-0x00007FFE6DF6D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI29482\_queue.pyd
| MD5 | 882e18ba4edba5c3343eaf69de9ef0d2 |
| SHA1 | 42d979b4367401a8da471938e51d9d8b8f21fbdb |
| SHA256 | 35b72ef1546f5c99ec7655439d946d21049c1af1a8b04d43dd75905d07bd3d9c |
| SHA512 | a005717f087f0650c1f8f7f446e8cbd6c89a4ffe486957eac62abb649ac52767a27506a02fed4a039c7347e24d1d13b02883432f7d00eed92be50b36dba11ed6 |
C:\Users\Admin\AppData\Local\Temp\_MEI29482\_overlapped.pyd
| MD5 | 28ea417bf25b472c909cf63462ba9ef4 |
| SHA1 | c3754cb23bbec72151ba79f7fcd9b6b9a63b2694 |
| SHA256 | 8cb8f65f1cc6717e85da97bef42ef61aa644a5c5bcfc6c23fed893d24b9ade06 |
| SHA512 | abb995f6f0e72face46619c282a555b0175e3b05c750c9637b0f4fba3f2f2dfa9f7ed5e53443a7547dae34ba67989d80f29a8200fa1116291c949a6be7cd06fc |
C:\Users\Admin\AppData\Local\Temp\_MEI29482\_multiprocessing.pyd
| MD5 | d6d33072072f7f9fe1ad69846d2d99cb |
| SHA1 | 72089a7b0c42798a3c997054d99bf63a36361589 |
| SHA256 | 803ad62cbc5834b59dc3ccd44e8b71b5a6dedcdd8fcd8bd13b3cfeab765721b7 |
| SHA512 | 0c82744221a3e392c736c2b3d97e1577316279dddb587f71457cfe101be205cb52e871a28fdc8a485c0a2474a4515e5479ffd3638e590fa18142c3248112a670 |
C:\Users\Admin\AppData\Local\Temp\_MEI29482\_hashlib.pyd
| MD5 | 4aca251f62eb58043ebddb2f7e6723f0 |
| SHA1 | 3f5cfd347f16c9cff5bc95b26d3081031a71ad85 |
| SHA256 | 04cc829af7271a9b50cd03d59860e0e12f146d0dd2e16d51cd3e6f8b7f6af45e |
| SHA512 | 0e1e97fbd6fac6b2aa0655d08c5db888e3ec5e34abf33ce8741ab875b424ede4619387ce612b71ff273f0977daa535d1b33e3856b124a11cc3999e8715b139f7 |
C:\Users\Admin\AppData\Local\Temp\_MEI29482\_decimal.pyd
| MD5 | 43962d46dce863e51863783fb186a449 |
| SHA1 | 6f62af15b738d38ac333d477f840284627ec8849 |
| SHA256 | bbe1500c272c8452c63520326683fcd48aa184c0a4f41ed56ac08278ef5dd3da |
| SHA512 | 7d7591fce56eeac924c6bff06118a0f0da951133ec8192696832e03e4cdeb22242d8d5a103c330e47c358743b75929a82cc833d3be51f53540d7c970ccb594f0 |
C:\Users\Admin\AppData\Local\Temp\_MEI29482\_asyncio.pyd
| MD5 | 14709a8f2cc2e00fac56ff0437f72bc2 |
| SHA1 | 08cc3f10280fdaa31d2a02c9176fbd6b730a446c |
| SHA256 | a4f7a2296c0989452d542789637c4dd66cffc7995fcef0e924804588daa74251 |
| SHA512 | db7e00725ac035e0db9c9c625429d032e4260285237e22914ad71d29d4a6437390649b0a034ae20e8e9d69b35c58c928d06d45653a77e99967dc86215e4401b8 |
C:\Users\Admin\AppData\Local\Temp\_MEI29482\unicodedata.pyd
| MD5 | 135c7cddd0c42150dcca589716c5a20b |
| SHA1 | 1546e9064cfb4ab16cd8849e06bb14e613e5ca89 |
| SHA256 | eb6b2821c9b5d4421554878c6b8cbd96ed4a23cb878ff159b37c2ddd22e43bee |
| SHA512 | 2921538faf85ced9dc6715865958e208bfc88e7135d5009c1d648ca4a8b3adcd548f704a783bad62a2ad1020f8e0859efc664afed3c326afc8ded484ea907ef7 |
C:\Users\Admin\AppData\Local\Temp\_MEI29482\pyexpat.pyd
| MD5 | 13dab8a6ef861842f835940ac87a9204 |
| SHA1 | b1d0b8d080a83f11467ef23a487a2b140c5b4325 |
| SHA256 | 57a561945943de9d06ed0a8c16699d0e28d38ec696a354fe8735a3de6518ec0b |
| SHA512 | 12a020130711bd17a2a1c12beaeb239040ec17a6742382546e044155a57736bfbb8fd95d30d08fd5b52bc4488cadc149708b253006b4c2ca26f84266869fa64a |
C:\Users\Admin\AppData\Local\Temp\_MEI29482\libssl-1_1.dll
| MD5 | 8d8d9c30250f7042d25d73b9822efc45 |
| SHA1 | f6b83a793175e77f6e8a6add37204115da8cb319 |
| SHA256 | 92bf5bdc30c53d52ab53b4f51e5f36f5b8be1235e7929590a9fddc86819dba1d |
| SHA512 | ed40078d289b4293f4e22396f5b7d3016daec76a4406444ccd0a8b33d9c939a6f3274b4028b1c85914b32e69fc00c50ec9a710738746c9ee9962f86d99455bdf |
memory/2372-60-0x00007FFE6DF70000-0x00007FFE6DF7F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI29482\_cffi_backend.cp310-win_amd64.pyd
| MD5 | 7727212e7bdbf63b1a39fb7faad24265 |
| SHA1 | a8fdec19d6690081b2bf55247e8e17657a68ac97 |
| SHA256 | b0116303e1e903d6eb02a69d05879f38af1640813f4b110cb733ffff6e4e985c |
| SHA512 | 2b1a27642118dd228791d0d8ba307aa39ab2d9c7d3799cff9f3c0744fe270eeaefe5545a4fda6e74e86fee747e45bf5f6c9ac799950c2b483a16eb3ce85d816a |
memory/2372-93-0x00007FFE67BD0000-0x00007FFE67BFE000-memory.dmp
memory/2372-99-0x00000284C5080000-0x00000284C53F7000-memory.dmp
memory/2372-101-0x00007FFE6CAE0000-0x00007FFE6CB04000-memory.dmp
memory/2372-103-0x00007FFE68030000-0x00007FFE68044000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI29482\multidict\_multidict.cp310-win_amd64.pyd
| MD5 | 7f691747ce66d3ed05a7c2c53220c8b5 |
| SHA1 | 1d3f247042030cf8cf7c859002941beba5d15776 |
| SHA256 | 7d6472a0d7f1a0740c7fc0d0d0ea6f7c6e7cb2b11b8c623c46a6fae1adb4e228 |
| SHA512 | b01f0e91039fc5b2782caaa0b3d56d5d1fe9e94424cc536cde9eca73a76747736060042e345af9edc5ef5bf5c154705d2c2dddf35536f305306be25a955a9f06 |
memory/2372-109-0x00007FFE67BB0000-0x00007FFE67BC4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI29482\yarl\_quoting_c.cp310-win_amd64.pyd
| MD5 | 66c8816ab9b6040ed5d45c5432f93c96 |
| SHA1 | 78b73258e6fff699b8b345a54e8a7c868b10da53 |
| SHA256 | d28d9808d80b6bee274f7e553168b1d42ad806b9d767a92e189678bc81b329d6 |
| SHA512 | 847e39ad6b490b5901e07187d6dafa8fcc50d654ae6faedbefaa9759bc328581a1d9b03f0d7b997d00c3de1a752de451fc91837ea4700561f93389ae10766295 |
memory/2372-122-0x00007FFE67B30000-0x00007FFE67B4B000-memory.dmp
memory/2372-121-0x00007FFE67DD0000-0x00007FFE67F41000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI29482\propcache\_helpers_c.cp310-win_amd64.pyd
| MD5 | fd362fc501ddbfa28004e0d5c8df6dd2 |
| SHA1 | 7ddef836354bee5222c2bf65ed321e4e6254310a |
| SHA256 | cc2d201dfa2dfa430505e88be8d61f69b275cb3eb27e7a32ebf2f95d890709b3 |
| SHA512 | a9d87b27454640b8f78e934baf0f8d4781739fc1bb6de2b82b9ad0e11df7aca5d291ea6395289e4313bf5ab89225db5ef3085c945e01dde81bc2a73ce6591761 |
memory/2372-118-0x00007FFE68080000-0x00007FFE6809E000-memory.dmp
memory/2372-116-0x00007FFE67520000-0x00007FFE67542000-memory.dmp
memory/2372-117-0x00007FFE58880000-0x00007FFE58998000-memory.dmp
memory/2372-112-0x00007FFE67B90000-0x00007FFE67BA5000-memory.dmp
memory/2372-111-0x00007FFE680D0000-0x00007FFE680E8000-memory.dmp
memory/2372-107-0x00007FFE6BA50000-0x00007FFE6BA60000-memory.dmp
memory/2372-106-0x00007FFE6CB50000-0x00007FFE6CB69000-memory.dmp
memory/2372-100-0x00007FFE589A0000-0x00007FFE58D17000-memory.dmp
memory/2372-98-0x00007FFE679B0000-0x00007FFE67A67000-memory.dmp
memory/2372-97-0x00007FFE58D20000-0x00007FFE59183000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI29482\aiohttp\_helpers.cp310-win_amd64.pyd
| MD5 | 785031e18bb4c52889cb92a1b43af777 |
| SHA1 | fab7ee02bd57218ef6043455c3c275afa99b981f |
| SHA256 | e3a028c10a2dbb4e9a8e04d35637d1e2aa7639c73ff9650f3218be455442b7dc |
| SHA512 | 525d0a8fc4074ae3f5c50e78445528fe90419af5cdcb7579f5d556f3616bbd9f632b184e3400e1cff551c7dc646c5e38c44b5575b323910264b83b4395906ae0 |
memory/2372-126-0x00007FFE67060000-0x00007FFE67076000-memory.dmp
memory/2372-125-0x00007FFE67BD0000-0x00007FFE67BFE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI29482\aiohttp\_http_parser.cp310-win_amd64.pyd
| MD5 | 70e66a7159a10ad5673e5d91cb5b7c55 |
| SHA1 | 158497a3d11a410f277e813a55ee1b64936d95c2 |
| SHA256 | 60ceeb87549dc017bd151ae1b840e08386f3b9a65079356d108c85295c578510 |
| SHA512 | 518d094ee366a54652ed001bd832d95365a99be30e3ccd45f2b19ce8611d4fcc8911172ccfac714496e2b553813f49e85cdda6c094e2e42bb96c078b3f072421 |
C:\Users\Admin\AppData\Local\Temp\_MEI29482\aiohttp\_http_writer.cp310-win_amd64.pyd
| MD5 | 633e3269e2c42ec6a4518864e799300b |
| SHA1 | 4abc0d717f537980efcbc5c847e0f00ff2727dfb |
| SHA256 | 7f33f7e480270df70363a8510ea2c68bc8d9d0b34d46f73759a7833b89df3129 |
| SHA512 | 983c6eaa301876be356c15fa28e01815f75e8086d25c9a8db9110523217bcab58ffcbe28d24fd31fd3ac6b142862a9c6314427a58e96968e0c050bd84b46568c |
memory/2372-130-0x00007FFE679B0000-0x00007FFE67A67000-memory.dmp
memory/2372-133-0x00000284C5080000-0x00000284C53F7000-memory.dmp
memory/2372-138-0x00007FFE65F70000-0x00007FFE65F81000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI29482\frozenlist\_frozenlist.cp310-win_amd64.pyd
| MD5 | 6106b4d1eec11d2a71def28d2a2afa46 |
| SHA1 | e10039eff42f88a2cd8dfe11d428c35f6178c6ce |
| SHA256 | 19b144f1bfeb38f5a88da4471d0e9eeefcee979e0d574ecf13a28d06bdf7f1da |
| SHA512 | d08ba0cf57d533ce2df7027158329da66518fb1bf10220d836ce39bdf8bc0436dfc3a649cf937b3b3e2bb9ff0d3c9e964416e9ac965cff4b24bd203067f53d43 |
memory/2372-145-0x00007FFE65F50000-0x00007FFE65F6E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI29482\cryptography\hazmat\bindings\_rust.pyd
| MD5 | 27bfdc1a00eb382f490991a6507cc3f2 |
| SHA1 | 162bc0ddf111968bfd69246660cf650f89b5b7bc |
| SHA256 | 788d5c28a70e2bc4e695c827aec70e0869ad7bfdd1f0f4f75231d6f8d83450c2 |
| SHA512 | 6fcc538c0f901f8543cf296b981a68eb6271f72ddcd106b69b45e0ebd166a355299ce23e999aa855d23edd69f95f53b653f92772435a42c72001386cdb423899 |
memory/2372-143-0x00007FFE67760000-0x00007FFE6776A000-memory.dmp
memory/2372-142-0x00007FFE68030000-0x00007FFE68044000-memory.dmp
memory/2372-137-0x00007FFE5ED30000-0x00007FFE5ED7D000-memory.dmp
memory/2372-136-0x00007FFE66F80000-0x00007FFE66F99000-memory.dmp
memory/2372-135-0x00007FFE589A0000-0x00007FFE58D17000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI29482\aiohttp\_websocket.cp310-win_amd64.pyd
| MD5 | e64158ae2cf875156756f22ccd54b292 |
| SHA1 | 346b3ebd5e7f270dddb1cae228fe56145f096193 |
| SHA256 | 2f1d5c8eac0b485e38d8afefeb759586666ece4e963af9adcf0f1abfe99c56ce |
| SHA512 | 4a09d91700c7175d05dfa00dc81a99482ae2bfc80c60514ca33f6bd31998ba6eb8fa04c5ea1dae877e248df38a050b3d23a560a9a078747dc1d3ef06da13a8b5 |
memory/2372-147-0x00007FFE57D80000-0x00007FFE5850A000-memory.dmp
memory/2372-148-0x00007FFE650E0000-0x00007FFE65117000-memory.dmp
memory/2372-160-0x00007FFE67520000-0x00007FFE67542000-memory.dmp
memory/2372-196-0x00007FFE6B930000-0x00007FFE6B93D000-memory.dmp
memory/2372-195-0x00007FFE58880000-0x00007FFE58998000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_b3ggx2jo.yql.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1136-208-0x000001BD28F80000-0x000001BD28FA2000-memory.dmp
memory/2372-213-0x00007FFE67060000-0x00007FFE67076000-memory.dmp
memory/2372-214-0x00007FFE66F80000-0x00007FFE66F99000-memory.dmp
memory/2372-215-0x00007FFE5ED30000-0x00007FFE5ED7D000-memory.dmp
memory/2372-233-0x00007FFE68030000-0x00007FFE68044000-memory.dmp
memory/2372-247-0x00007FFE650E0000-0x00007FFE65117000-memory.dmp
memory/2372-232-0x00007FFE589A0000-0x00007FFE58D17000-memory.dmp
memory/2372-249-0x00007FFE57D80000-0x00007FFE5850A000-memory.dmp
memory/2372-234-0x00007FFE6BA50000-0x00007FFE6BA60000-memory.dmp
memory/2372-231-0x00007FFE679B0000-0x00007FFE67A67000-memory.dmp
memory/2372-230-0x00007FFE67BD0000-0x00007FFE67BFE000-memory.dmp
memory/2372-229-0x00007FFE67DD0000-0x00007FFE67F41000-memory.dmp
memory/2372-228-0x00007FFE68080000-0x00007FFE6809E000-memory.dmp
memory/2372-222-0x00007FFE6CAE0000-0x00007FFE6CB04000-memory.dmp
memory/2372-221-0x00007FFE58D20000-0x00007FFE59183000-memory.dmp
memory/2372-279-0x00007FFE58880000-0x00007FFE58998000-memory.dmp
memory/2372-286-0x00007FFE68080000-0x00007FFE6809E000-memory.dmp
memory/2372-285-0x00007FFE680A0000-0x00007FFE680CC000-memory.dmp
memory/2372-290-0x00007FFE5ED30000-0x00007FFE5ED7D000-memory.dmp
memory/2372-289-0x00007FFE679B0000-0x00007FFE67A67000-memory.dmp
memory/2372-288-0x00007FFE67BD0000-0x00007FFE67BFE000-memory.dmp
memory/2372-287-0x00007FFE67DD0000-0x00007FFE67F41000-memory.dmp
memory/2372-284-0x00007FFE6DF60000-0x00007FFE6DF6D000-memory.dmp
memory/2372-283-0x00007FFE680D0000-0x00007FFE680E8000-memory.dmp
memory/2372-282-0x00007FFE6CB50000-0x00007FFE6CB69000-memory.dmp
memory/2372-281-0x00007FFE6DF70000-0x00007FFE6DF7F000-memory.dmp
memory/2372-280-0x00007FFE6CAE0000-0x00007FFE6CB04000-memory.dmp
memory/2372-276-0x00007FFE57D80000-0x00007FFE5850A000-memory.dmp
memory/2372-275-0x00007FFE65F50000-0x00007FFE65F6E000-memory.dmp
memory/2372-274-0x00007FFE67760000-0x00007FFE6776A000-memory.dmp
memory/2372-271-0x00007FFE66F80000-0x00007FFE66F99000-memory.dmp
memory/2372-270-0x00007FFE67060000-0x00007FFE67076000-memory.dmp
memory/2372-267-0x00007FFE67520000-0x00007FFE67542000-memory.dmp
memory/2372-266-0x00007FFE67B90000-0x00007FFE67BA5000-memory.dmp
memory/2372-262-0x00007FFE589A0000-0x00007FFE58D17000-memory.dmp
memory/2372-251-0x00007FFE58D20000-0x00007FFE59183000-memory.dmp
memory/2372-278-0x00007FFE6B930000-0x00007FFE6B93D000-memory.dmp
memory/2372-277-0x00007FFE650E0000-0x00007FFE65117000-memory.dmp
memory/2372-273-0x00007FFE65F70000-0x00007FFE65F81000-memory.dmp
memory/2372-269-0x00007FFE67B30000-0x00007FFE67B4B000-memory.dmp
memory/2372-265-0x00007FFE67BB0000-0x00007FFE67BC4000-memory.dmp
memory/2372-264-0x00007FFE6BA50000-0x00007FFE6BA60000-memory.dmp
memory/2372-263-0x00007FFE68030000-0x00007FFE68044000-memory.dmp