Analysis Overview
SHA256
c6784468e56bee420171416b973d6ef962ca4f5e58c55cf2a6862a9705246854
Threat Level: Known bad
The file Test.exe was found to be: Known bad.
Malicious Activity Summary
Exela Stealer
Exelastealer family
Grants admin privileges
Modifies Windows Firewall
Clipboard Data
Loads dropped DLL
Reads user/profile data of web browsers
Network Service Discovery
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Enumerates processes with tasklist
Hide Artifacts: Hidden Files and Directories
Launches sc.exe
Detects Pyinstaller
Browser Information Discovery
Permission Groups Discovery: Local Groups
System Network Connections Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
Collects information from the system
Gathers system information
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Views/modifies file attributes
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Runs net.exe
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Gathers network information
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-02 06:00
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-02 06:00
Reported
2024-11-02 06:03
Platform
win7-20240708-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 824 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | C:\Users\Admin\AppData\Local\Temp\Test.exe |
| PID 824 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | C:\Users\Admin\AppData\Local\Temp\Test.exe |
| PID 824 wrote to memory of 2628 | N/A | C:\Users\Admin\AppData\Local\Temp\Test.exe | C:\Users\Admin\AppData\Local\Temp\Test.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Test.exe"
C:\Users\Admin\AppData\Local\Temp\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Test.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI8242\python312.dll
| MD5 | b243d61f4248909bc721674d70a633de |
| SHA1 | 1d2fb44b29c4ac3cfd5a7437038a0c541fce82fc |
| SHA256 | 93488fa7e631cc0a2bd808b9eee8617280ee9b6ff499ab424a1a1cbf24d77dc7 |
| SHA512 | 10460c443c7b9a6d7e39ad6e2421b8ca4d8329f1c4a0ff5b71ce73352d2e9438d45f7d59edb13ce30fad3b4f260bd843f4d9b48522d448310d43e0988e075fcb |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-02 06:00
Reported
2024-11-02 06:04
Platform
win10v2004-20241007-en
Max time kernel
209s
Max time network
203s
Command Line
Signatures
Exela Stealer
Exelastealer family
Grants admin privileges
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Clipboard Data
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Network Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\ARP.EXE | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Permission Groups Discovery: Local Groups
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
System Network Connections Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
Collects information from the system
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Test.exe"
C:\Users\Admin\AppData\Local\Temp\Test.exe
"C:\Users\Admin\AppData\Local\Temp\Test.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
C:\Windows\system32\cmd.exe
cmd.exe /c chcp
C:\Windows\system32\chcp.com
chcp
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Clipboard
C:\Windows\system32\cmd.exe
cmd.exe /c chcp
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\HOSTNAME.EXE
hostname
C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get caption,description,providername
C:\Windows\system32\net.exe
net user
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
C:\Windows\system32\query.exe
query user
C:\Windows\system32\quser.exe
"C:\Windows\system32\quser.exe"
C:\Windows\system32\net.exe
net localgroup
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
C:\Windows\system32\net.exe
net localgroup administrators
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
C:\Windows\system32\net.exe
net user guest
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user guest
C:\Windows\system32\net.exe
net user administrator
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator
C:\Windows\System32\Wbem\WMIC.exe
wmic startup get caption,command
C:\Windows\system32\tasklist.exe
tasklist /svc
C:\Windows\system32\ipconfig.exe
ipconfig /all
C:\Windows\system32\ROUTE.EXE
route print
C:\Windows\system32\ARP.EXE
arp -a
C:\Windows\system32\NETSTAT.EXE
netstat -ano
C:\Windows\system32\sc.exe
sc query type= service state= all
C:\Windows\system32\netsh.exe
netsh firewall show state
C:\Windows\system32\netsh.exe
netsh firewall show config
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| N/A | 127.0.0.1:54000 | tcp | |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| N/A | 127.0.0.1:54008 | tcp | |
| N/A | 127.0.0.1:54012 | tcp | |
| N/A | 127.0.0.1:54016 | tcp | |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| FR | 45.112.123.126:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | store1.gofile.io | udp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
| US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.123.112.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.123.112.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| N/A | 127.0.0.1:54115 | tcp | |
| N/A | 127.0.0.1:54117 | tcp | |
| FR | 45.112.123.126:443 | api.gofile.io | tcp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI22482\python312.dll
| MD5 | b243d61f4248909bc721674d70a633de |
| SHA1 | 1d2fb44b29c4ac3cfd5a7437038a0c541fce82fc |
| SHA256 | 93488fa7e631cc0a2bd808b9eee8617280ee9b6ff499ab424a1a1cbf24d77dc7 |
| SHA512 | 10460c443c7b9a6d7e39ad6e2421b8ca4d8329f1c4a0ff5b71ce73352d2e9438d45f7d59edb13ce30fad3b4f260bd843f4d9b48522d448310d43e0988e075fcb |
C:\Users\Admin\AppData\Local\Temp\_MEI22482\VCRUNTIME140.dll
| MD5 | 862f820c3251e4ca6fc0ac00e4092239 |
| SHA1 | ef96d84b253041b090c243594f90938e9a487a9a |
| SHA256 | 36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153 |
| SHA512 | 2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e |
C:\Users\Admin\AppData\Local\Temp\_MEI22482\python3.dll
| MD5 | 2e2bb725b92a3d30b1e42cc43275bb7b |
| SHA1 | 83af34fb6bbb3e24ff309e3ebc637dd3875592a5 |
| SHA256 | d52baca085f88b40f30c855e6c55791e5375c80f60f94057061e77e33f4cad7a |
| SHA512 | e4a500287f7888b1935df40fd0d0f303b82cbcf0d5621592805f3bb507e8ee8de6b51ba2612500838d653566fad18a04f76322c3ab405ce2fdbbefb5ab89069e |
C:\Users\Admin\AppData\Local\Temp\_MEI22482\_ctypes.pyd
| MD5 | 302ddf5f83b5887ab9c4b8cc4e40b7a6 |
| SHA1 | 0aa06af65d072eb835c8d714d0f0733dc2f47e20 |
| SHA256 | 8250b4c102abd1dba49fc5b52030caa93ca34e00b86cee6547cc0a7f22326807 |
| SHA512 | 5ddc2488fa192d8b662771c698a63faaf109862c8a4dd0df10fb113aef839d012df58346a87178aff9a1b369f82d8ae7819cef4aad542d8bd3f91327feace596 |
C:\Users\Admin\AppData\Local\Temp\_MEI22482\libffi-8.dll
| MD5 | 0f8e4992ca92baaf54cc0b43aaccce21 |
| SHA1 | c7300975df267b1d6adcbac0ac93fd7b1ab49bd2 |
| SHA256 | eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a |
| SHA512 | 6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978 |
C:\Users\Admin\AppData\Local\Temp\_MEI22482\libssl-3.dll
| MD5 | 4ff168aaa6a1d68e7957175c8513f3a2 |
| SHA1 | 782f886709febc8c7cebcec4d92c66c4d5dbcf57 |
| SHA256 | 2e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950 |
| SHA512 | c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3 |
C:\Users\Admin\AppData\Local\Temp\_MEI22482\_wmi.pyd
| MD5 | fda7d7aada1d15cab2add2f4bd2e59a1 |
| SHA1 | 7e61473f2ad5e061ef59105bf4255dbe7db5117a |
| SHA256 | b0ed1c62b73b291a1b57e3d8882cc269b2fcbb1253f2947da18d9036e0c985d9 |
| SHA512 | 95c2934a75507ea2d8c817da7e76ee7567ec29a52018aef195fac779b7ffb440c27722d162f8e416b6ef5d3fd0936c71a55776233293b3dd0124d51118a2b628 |
C:\Users\Admin\AppData\Local\Temp\_MEI22482\_uuid.pyd
| MD5 | 48c6cca2fdc2ec83fa0771d92bf1d72f |
| SHA1 | 723a8bb6e715616da003d7c658cf94fb129cd091 |
| SHA256 | 869361adf2be930e5c8b492fa2116dc0d0edccbf2c231d39c859ce320be27b31 |
| SHA512 | 42fdca831e8398638c06cd54186c63cb434da78234a23d80e0f400c64d4e0e4ef8fa307d115b3775b4f97248bd3ce498d764c6befe11b078ec9fcdd270e8f324 |
C:\Users\Admin\AppData\Local\Temp\_MEI22482\_ssl.pyd
| MD5 | eea3e12970e28545a964a95da7e84e0b |
| SHA1 | c3ccac86975f2704dabc1ffc3918e81feb3b9ac1 |
| SHA256 | 61f00b0543464bba61e0bd1128118326c9bd0cdc592854dd1a31c3d6d8df2b83 |
| SHA512 | 9bd5c83e7e0ab24d6be40a31ac469a0d9b4621a2a279a5f3ab2fc6401a08c54aec421bc9461aed533a0211d7dbda0c264c5f05aeb39138403da25c8cda0339e6 |
C:\Users\Admin\AppData\Local\Temp\_MEI22482\_sqlite3.pyd
| MD5 | d3d748770f9bbcf22f20322250befd5b |
| SHA1 | 0b5ced1de5f6585cfd3edd9d00f75e56d2c0959d |
| SHA256 | fef8e9f427b47e7758658a876ff1f2d718119af54dbb0498e14c8234571942df |
| SHA512 | c8027eb9a71c5aaf9d714bfebebad091ed45952ca2867981fd1a4e1fdb9fa409addfbcb1d2dc01732a2216b257300d6a88aaea0742b6e1b1d1abbac5506feabc |
C:\Users\Admin\AppData\Local\Temp\_MEI22482\_socket.pyd
| MD5 | 632336eeead53cfad22eb57f795d5657 |
| SHA1 | 62f5f73d21b86cd3b73b68e5faec032618196745 |
| SHA256 | ce3090fff8575b21287df5fc69ae98806646fc302eefadf85e369ad3debad92b |
| SHA512 | 77965b45060545e210cdb044f25e5fd68d6a9150caf1cad7645dbafcf1ce8e1ccbdf8436fbdcbf5f9c293321c8916e114de30ed8897c7db72df7f8d1f98dfb55 |
C:\Users\Admin\AppData\Local\Temp\_MEI22482\_queue.pyd
| MD5 | 941a3757931719dd40898d88d04690cb |
| SHA1 | 177ede06a3669389512bfc8a9b282d918257bf8b |
| SHA256 | bbe7736caed8c17c97e2b156f686521a788c25f2004aae34ab0c282c24d57da7 |
| SHA512 | 7cfba5c69695c492bf967018b3827073b0c2797b24e1bd43b814fbbb39d1a8b32a2d7ef240e86046e4e07aa06f7266a31b5512d04d98a0d2d3736630c044546e |
C:\Users\Admin\AppData\Local\Temp\_MEI22482\_overlapped.pyd
| MD5 | b89fca6edba418768147e455085f7cc7 |
| SHA1 | 5d41e0990e19ee0d131b4fe8c6ac5b7371d1f83e |
| SHA256 | 2af91c5ab6f05c4be357b93673920eccf3ebcad5e5ec6b0a7b53ef94a5feaad7 |
| SHA512 | a6bd8d62fb1fbebbfa9fee9037effbcbbb48bfa2e6c8b398e036c0bd5f402a4b1c0bf0ad8d80585fe501e00d7fe21b387a0f0e05ad2fcdf3aeb248010cb3f1be |
C:\Users\Admin\AppData\Local\Temp\_MEI22482\_multiprocessing.pyd
| MD5 | 4daa82aafc49dd75daea468cc37ef4b0 |
| SHA1 | cbf05abc0eb9a6529aa01955d5feac200e602c89 |
| SHA256 | a197f3485bbe30b3a1612ea2198cef121af440ba799fd6cbf0ad3493150df3ca |
| SHA512 | 473caa70ec832b645296eba3da2dc0bbfc90df15281a9de612a2febf10b7e86d7f20f1c265c7be693bc0d25e11d3d2904f4c2b1039a81ae0e192cfca625408d5 |
C:\Users\Admin\AppData\Local\Temp\_MEI22482\_lzma.pyd
| MD5 | e3e7e99b3c2ea56065740b69f1a0bc12 |
| SHA1 | 79fa083d6e75a18e8b1e81f612acb92d35bb2aea |
| SHA256 | b095fa2eac97496b515031fbea5737988b18deee86a11f2784f5a551732ddc0c |
| SHA512 | 35cbc30b1ccdc4f5cc9560fc0149373ccd9399eb9297e61d52e6662bb8c56c6a7569d8cfad85aeb057c10558c9352ae086c0467f684fdcf72a137eadf563a909 |
C:\Users\Admin\AppData\Local\Temp\_MEI22482\_hashlib.pyd
| MD5 | 0abfee1db6c16e8ddaff12cd3e86475b |
| SHA1 | b2dda9635ede4f2841912cc50cb3ae67eea89fe7 |
| SHA256 | b4cec162b985d34ab768f66e8fa41ed28dc2f273fde6670eeace1d695789b137 |
| SHA512 | 0a5cae4e3442af1d62b65e8bf91e0f2a61563c2b971bbf008bfb2de0f038ee472e7bfcc88663dc503b2712e92e6a7e6a5f518ddab1fab2eb435d387b740d2d44 |
C:\Users\Admin\AppData\Local\Temp\_MEI22482\_decimal.pyd
| MD5 | 82321fb8245333842e1c31f874329170 |
| SHA1 | 81abb1d3d5c55db53e8aca9bdf74f2dec0aba1a3 |
| SHA256 | b7f9603f98ef232a2c5bce7001d842c01d76ed35171afbd898e6d17facf38b56 |
| SHA512 | 0cf932ee0d1242ea9377d054adcd71fdd7ec335abbac865e82987e3979e24cead6939cca19da63a08e08ac64face16950edce7918e02bfc7710f09645fd2fa19 |
C:\Users\Admin\AppData\Local\Temp\_MEI22482\_cffi_backend.cp312-win_amd64.pyd
| MD5 | fcb71ce882f99ec085d5875e1228bdc1 |
| SHA1 | 763d9afa909c15fea8e016d321f32856ec722094 |
| SHA256 | 86f136553ba301c70e7bada8416b77eb4a07f76ccb02f7d73c2999a38fa5fa5b |
| SHA512 | 4a0e98ab450453fd930edc04f0f30976abb9214b693db4b6742d784247fb062c57fafafb51eb04b7b4230039ab3b07d2ffd3454d6e261811f34749f2e35f04d6 |
C:\Users\Admin\AppData\Local\Temp\_MEI22482\_bz2.pyd
| MD5 | fe499b0a9f7f361fa705e7c81e1011fa |
| SHA1 | cc1c98754c6dab53f5831b05b4df6635ad3f856d |
| SHA256 | 160b5218c2035cccbaab9dc4ca26d099f433dcb86dbbd96425c933dc796090df |
| SHA512 | 60520c5eb5ccc72ae2a4c0f06c8447d9e9922c5f9f1f195757362fc47651adcc1cdbfef193ae4fec7d7c1a47cf1d9756bd820be996ae145f0fbbbfba327c5742 |
C:\Users\Admin\AppData\Local\Temp\_MEI22482\_asyncio.pyd
| MD5 | e74e8b37bd359f581f368ba092eed90e |
| SHA1 | e6bdc3494dbc5d4ae0434bf4dc3b2952e4827f18 |
| SHA256 | 184fc13677c7856e7a8b31dfe79ce68dcea10cdf83a205de2b0d5497fb0ffdf3 |
| SHA512 | 29d33593758945a02844e1333ed99d66a0e42eb7e8d0c881197f05d4ec9dad3f1bb490739bc2d64ea9451f4bbbfcc05089a57a7aa1ec22c4091c7edd604b7f7c |
C:\Users\Admin\AppData\Local\Temp\_MEI22482\VCRUNTIME140_1.dll
| MD5 | 68156f41ae9a04d89bb6625a5cd222d4 |
| SHA1 | 3be29d5c53808186eba3a024be377ee6f267c983 |
| SHA256 | 82a2f9ae1e6146ae3cb0f4bc5a62b7227e0384209d9b1aef86bbcc105912f7cd |
| SHA512 | f7bf8ad7cd8b450050310952c56f6a20b378a972c822ccc253ef3d7381b56ffb3ca6ce3323bea9872674ed1c02017f78ab31e9eb9927fc6b3cba957c247e5d57 |
C:\Users\Admin\AppData\Local\Temp\_MEI22482\unicodedata.pyd
| MD5 | 098cc6ad04199442c3e2a60e1243c2dc |
| SHA1 | 4c92c464a8e1e56e1c4d77cd30a0da474a026aaf |
| SHA256 | 64a162d6b11ba10cb11509f3cc445f17beb7acfd064f030b4d59faa1c9894b29 |
| SHA512 | 73c28488b42a0bc2f0d2861fed3f5dcccf8959ce19d3121c13c998db496f2822deb40f36f86240c8d3954fd2dc2ba5d63c8a125b62324dcd92fb6c8ba49ff170 |
C:\Users\Admin\AppData\Local\Temp\_MEI22482\sqlite3.dll
| MD5 | 8c5644cb9cef2bb0702a4c8007521c98 |
| SHA1 | 638af7d40162853d1be85c04125dbf18743bfa1b |
| SHA256 | 2f9c9940e87840ff1b5c4922d8b73c7302d1b12badc860990dfebdf77b4140ee |
| SHA512 | 1f0a6e969bcb37bcd131b1476f21a068f69b9224063e194b3a04a9454e50dd530d3474e82b24a9be727b94272fadfeaea76a896cd0fb579e15fdf7a48b00cc01 |
C:\Users\Admin\AppData\Local\Temp\_MEI22482\select.pyd
| MD5 | 7e871444ca23860a25b888ee263e2eaf |
| SHA1 | aa43c9d3abdb1aabda8379f301f8116d0674b590 |
| SHA256 | dca5e6d39c5094ce599143cb82f6d8470f0c2a4ce4443499e73f32ed13333fd0 |
| SHA512 | 2e260d3123f7ca612901513b90fe40739e85248da913297d4cca3b2ebd398d9697880d148830e168e474ebfc3d30ede10668c7316ed7668f8b39da7bca59e57d |
C:\Users\Admin\AppData\Local\Temp\_MEI22482\pyexpat.pyd
| MD5 | b34ca0fcd5e0e4f060fe211273ac2946 |
| SHA1 | f7e978eb8adda4bf74739ef71901e0e3aa12ea8c |
| SHA256 | b6670d91a76e9f00609752ab19aae0b1ebe00d24d9d8d22068989bbb24d0aa44 |
| SHA512 | 010774770dd5c4355c336ece7bfb729d2e616bba62bfb9961324d3b314396f1f535b5adf50621bfc0517c03587c912568e19602173a43f297a5f638aa9296500 |
C:\Users\Admin\AppData\Local\Temp\_MEI22482\libcrypto-3.dll
| MD5 | 123ad0908c76ccba4789c084f7a6b8d0 |
| SHA1 | 86de58289c8200ed8c1fc51d5f00e38e32c1aad5 |
| SHA256 | 4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43 |
| SHA512 | 80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04 |
C:\Users\Admin\AppData\Local\Temp\_MEI22482\base_library.zip
| MD5 | bed03063e08a571088685625544ce144 |
| SHA1 | 56519a1b60314ec43f3af0c5268ecc4647239ba3 |
| SHA256 | 0d960743dbf746817b61ff7dd1c8c99b4f8c915de26946be56118cd6bedaebdc |
| SHA512 | c136e16db86f94b007db42a9bf485a7c255dcc2843b40337e8f22a67028117f5bd5d48f7c1034d7446bb45ea16e530f1216d22740ddb7fab5b39cc33d4c6d995 |
C:\Users\Admin\AppData\Local\Temp\_MEI22482\setuptools\_vendor\jaraco\text\Lorem ipsum.txt
| MD5 | 4ce7501f6608f6ce4011d627979e1ae4 |
| SHA1 | 78363672264d9cd3f72d5c1d3665e1657b1a5071 |
| SHA256 | 37fedcffbf73c4eb9f058f47677cb33203a436ff9390e4d38a8e01c9dad28e0b |
| SHA512 | a4cdf92725e1d740758da4dd28df5d1131f70cef46946b173fe6956cc0341f019d7c4fecc3c9605f354e1308858721dada825b4c19f59c5ad1ce01ab84c46b24 |
C:\Users\Admin\AppData\Local\Temp\_MEI22482\yarl\_quoting_c.cp312-win_amd64.pyd
| MD5 | 7af50f2b92c4bc2fc18ced5d322fcaae |
| SHA1 | 87df1b69cc0d1ed3bfdf43f7992430d629135f96 |
| SHA256 | 7ddfe201d613b2a048768040a9cf4be7b7c1dcd0555cbde00f0cc99496c3ef7f |
| SHA512 | 9a44ae60e195f836d151104223b407d3ac9b8bcfcddf0f11f084660dbb4a5b8ebff37df61b3cdac8b997d5bd23a035c743553bfa273331b82a490a7c4f231ae9 |
C:\Users\Admin\AppData\Local\Temp\_MEI22482\multidict\_multidict.cp312-win_amd64.pyd
| MD5 | 4eed96bbb1c4b6d63f50c433e9c0a16a |
| SHA1 | cde34e8f1dac7f4e98d2b0aaf1186c6938de06c3 |
| SHA256 | b521b7e3b6bed424a0719c36735bc4bf2bb8b0926370b31c221c604e81f8d78b |
| SHA512 | 1cacb250d867fcbbc5224c3f66cb23a93f818bc1d0524cad6d1c52295d243af10f454fde13fa58671d3ee62281a2a3f71a69f28b08fd942fcedba3c9b09a774a |
C:\Users\Admin\AppData\Local\Temp\_MEI22482\propcache\_helpers_c.cp312-win_amd64.pyd
| MD5 | 93ccd2b7284bdc745f1adbb8f0927f26 |
| SHA1 | 30043d4dad9a909b2d0841d279f5266f00315ad9 |
| SHA256 | c8c7c9259a47961321b6d913b3cb70215a37b9cff1dbde9e9cbc3250c1b5ad77 |
| SHA512 | 1dd365345ff334183a1a4ad959ec07a732836d6f1768e935462f0ea62f24f50ee62fb1324fcd813ef7bc40ed092c33f5d5bf70b8d016b67be9a9274dad2868d6 |
C:\Users\Admin\AppData\Local\Temp\_MEI22482\aiohttp\_helpers.cp312-win_amd64.pyd
| MD5 | 7c25230f2e4d1cbcc45f29ec7bf0d84a |
| SHA1 | 3d5a32ba222065c6b64657b940bd72495edc4f1e |
| SHA256 | 767cbef142e5e39c760c6f133cdadb39bd103d614ac2770023c4dac24271983e |
| SHA512 | 0d2d51d1fa7d201e7b6e2f10f32a245507416c96def8c0d10b861ab1475a87b3ba91319c4d4a700ff94c4783384aa7c7a8dab04df6cfa9a558a9f7e52b15cd67 |
C:\Users\Admin\AppData\Local\Temp\_MEI22482\aiohttp\_http_writer.cp312-win_amd64.pyd
| MD5 | 1cb70be75767514b7f16356a57a58b3d |
| SHA1 | 0a1bff8845405cf9f036eb99ac118a60072c50ed |
| SHA256 | ab2e84a94cd5009292216a8d4497ee04a5fd9cb1caa824833e573cce664f1ff7 |
| SHA512 | 4ceecc7c7740c9a80df58667344481044b902031726df377a917baffd162dfd3ea9790f1439c0fd70e36bd158a97ba7734a27335533357a9cef1657cb177f28e |
C:\Users\Admin\AppData\Local\Temp\_MEI22482\aiohttp\_http_parser.cp312-win_amd64.pyd
| MD5 | 5ae4b8b1e0689a44d37a168065eb756e |
| SHA1 | cb67ab1f4e1229ad4cf5afa6c8c00873faa41462 |
| SHA256 | 17cd604b21acd9b07b26ec7a40303eed5c6a566d4abc0188d2ec00ab58b48638 |
| SHA512 | 01ec46f174117f4ec5ab0b9f0af4e250face2179c94f8645722ab456f00b7a60cabec18b233b4c9fe56d59b8ec4b23cd57bc93976fe04de79c85b6241054e3bd |
C:\Users\Admin\AppData\Local\Temp\_MEI22482\aiohttp\_websocket.cp312-win_amd64.pyd
| MD5 | d3f5b8de4546f7b8d0e74520462346b7 |
| SHA1 | 0c7bd2e0e282b239f7935f79e7b12bb47668cf4d |
| SHA256 | 95f09d24ea5b708845dd324f5560475e08349d25b69f711047297f806911bda5 |
| SHA512 | 0a94abe1409cb529fe5692ed8092296d73ca726d0fbb986bb52c6d1a9b43ec20126497bb27506d56a032f21e31f184ae6a13c024acf282a2a4c4211a227f8712 |
memory/3692-176-0x0000025D779E0000-0x0000025D77A02000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jy4lmvus.5xe.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1312-194-0x000001CD76140000-0x000001CD76141000-memory.dmp
memory/1312-196-0x000001CD76140000-0x000001CD76141000-memory.dmp
memory/1312-195-0x000001CD76140000-0x000001CD76141000-memory.dmp
memory/1312-206-0x000001CD76140000-0x000001CD76141000-memory.dmp
memory/1312-205-0x000001CD76140000-0x000001CD76141000-memory.dmp
memory/1312-204-0x000001CD76140000-0x000001CD76141000-memory.dmp
memory/1312-203-0x000001CD76140000-0x000001CD76141000-memory.dmp
memory/1312-202-0x000001CD76140000-0x000001CD76141000-memory.dmp
memory/1312-201-0x000001CD76140000-0x000001CD76141000-memory.dmp
memory/1312-200-0x000001CD76140000-0x000001CD76141000-memory.dmp