Analysis Overview
SHA256
cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf
Threat Level: Known bad
The file cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf was found to be: Known bad.
Malicious Activity Summary
Exela Stealer
Exelastealer family
Grants admin privileges
Modifies Windows Firewall
Reads user/profile data of web browsers
Clipboard Data
Loads dropped DLL
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Network Service Discovery
Hide Artifacts: Hidden Files and Directories
Enumerates processes with tasklist
UPX packed file
Launches sc.exe
Browser Information Discovery
System Network Connections Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Detects Pyinstaller
Permission Groups Discovery: Local Groups
Event Triggered Execution: Netsh Helper DLL
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Runs net.exe
Gathers network information
Collects information from the system
Gathers system information
Views/modifies file attributes
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-11-27 19:59
Signatures
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-27 19:58
Reported
2024-11-27 20:01
Platform
win7-20241010-en
Max time kernel
122s
Max time network
128s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2092 wrote to memory of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe | C:\Users\Admin\AppData\Local\Temp\cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe |
| PID 2092 wrote to memory of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe | C:\Users\Admin\AppData\Local\Temp\cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe |
| PID 2092 wrote to memory of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe | C:\Users\Admin\AppData\Local\Temp\cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
"C:\Users\Admin\AppData\Local\Temp\cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe"
C:\Users\Admin\AppData\Local\Temp\cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
"C:\Users\Admin\AppData\Local\Temp\cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe"
Network
Files
C:\Users\Admin\AppData\Local\Temp\_MEI20922\python313.dll
| MD5 | d99ac8bac1343105b642295397ca2ffc |
| SHA1 | 93fd73c1fb9ee99ddc66d38885a657cf81f62836 |
| SHA256 | 9116e56cedeb1c4ae82b4bde560f2fe0b83a16764865012cbf5501673d3c5536 |
| SHA512 | 89d30bc84978daf469008ffc347cbd3e189f1df2c1a302dedfc2b700267cc28c671c7c35b5e95ba29a300e7fda75ccfc720d2173ea6db6eb69978772c0b8339f |
memory/2372-63-0x000007FEF62E0000-0x000007FEF6943000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-27 19:58
Reported
2024-11-27 20:02
Platform
win10v2004-20241007-en
Max time kernel
140s
Max time network
143s
Command Line
Signatures
Exela Stealer
Exelastealer family
Grants admin privileges
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Clipboard Data
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Network Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\ARP.EXE | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Browser Information Discovery
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Permission Groups Discovery: Local Groups
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
System Network Connections Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Collects information from the system
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
"C:\Users\Admin\AppData\Local\Temp\cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe"
C:\Users\Admin\AppData\Local\Temp\cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe
"C:\Users\Admin\AppData\Local\Temp\cca0b8ac2bdc6e900888b1970b2aa05d3b987bda8c4be17f01c0fa69eb3b7baf.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\InfinityUpdateService\Infinity.exe""
C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\InfinityUpdateService\Infinity.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
C:\Windows\system32\cmd.exe
cmd.exe /c chcp
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\cmd.exe
cmd.exe /c chcp
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Clipboard
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\HOSTNAME.EXE
hostname
C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get caption,description,providername
C:\Windows\system32\net.exe
net user
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
C:\Windows\system32\query.exe
query user
C:\Windows\system32\quser.exe
"C:\Windows\system32\quser.exe"
C:\Windows\system32\net.exe
net localgroup
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
C:\Windows\system32\net.exe
net localgroup administrators
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
C:\Windows\system32\net.exe
net user guest
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user guest
C:\Windows\system32\net.exe
net user administrator
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator
C:\Windows\System32\Wbem\WMIC.exe
wmic startup get caption,command
C:\Windows\system32\tasklist.exe
tasklist /svc
C:\Windows\system32\ipconfig.exe
ipconfig /all
C:\Windows\system32\ROUTE.EXE
route print
C:\Windows\system32\ARP.EXE
arp -a
C:\Windows\system32\NETSTAT.EXE
netstat -ano
C:\Windows\system32\sc.exe
sc query type= service state= all
C:\Windows\system32\netsh.exe
netsh firewall show state
C:\Windows\system32\netsh.exe
netsh firewall show config
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| N/A | 127.0.0.1:55838 | tcp | |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| N/A | 127.0.0.1:55848 | tcp | |
| N/A | 127.0.0.1:55851 | tcp | |
| N/A | 127.0.0.1:55853 | tcp | |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.137.159.162.in-addr.arpa | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| FR | 45.112.123.126:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | 232.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.123.112.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | store1.gofile.io | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
| US | 8.8.8.8:53 | 227.123.112.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.208.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_MEI48602\python313.dll
| MD5 | d99ac8bac1343105b642295397ca2ffc |
| SHA1 | 93fd73c1fb9ee99ddc66d38885a657cf81f62836 |
| SHA256 | 9116e56cedeb1c4ae82b4bde560f2fe0b83a16764865012cbf5501673d3c5536 |
| SHA512 | 89d30bc84978daf469008ffc347cbd3e189f1df2c1a302dedfc2b700267cc28c671c7c35b5e95ba29a300e7fda75ccfc720d2173ea6db6eb69978772c0b8339f |
C:\Users\Admin\AppData\Local\Temp\_MEI48602\VCRUNTIME140.dll
| MD5 | 862f820c3251e4ca6fc0ac00e4092239 |
| SHA1 | ef96d84b253041b090c243594f90938e9a487a9a |
| SHA256 | 36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153 |
| SHA512 | 2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e |
memory/4152-65-0x00007FFC53C90000-0x00007FFC542F3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI48602\base_library.zip
| MD5 | a9cbd0455b46c7d14194d1f18ca8719e |
| SHA1 | e1b0c30bccd9583949c247854f617ac8a14cbac7 |
| SHA256 | df6c19637d239bfedc8cd13d20e0938c65e8fdf340622ff334db533f2d30fa19 |
| SHA512 | b92468e71490a8800e51410df7068dd8099e78c79a95666ecf274a9e9206359f049490b8f60b96081fafd872ec717e67020364bcfa972f26f0d77a959637e528 |
C:\Users\Admin\AppData\Local\Temp\_MEI48602\python3.dll
| MD5 | 16855ebef31c5b1ebe767f1c617645b3 |
| SHA1 | 315521f3a748abfa35cd4d48e8dd09d0556d989b |
| SHA256 | a5c6a329698490a035133433928d04368ce6285bb91a9d074fc285de4c9a32a4 |
| SHA512 | c3957b3bd36b10c7ad6ea1ff3bc7bd65cdceb3e6b4195a25d0649aa0da179276ce170da903d77b50a38fc3d5147a45be32dbcfdbfbf76cc46301199c529adea4 |
C:\Users\Admin\AppData\Local\Temp\_MEI48602\libffi-8.dll
| MD5 | 0d1c6b92d091cef3142e32ac4e0cc12e |
| SHA1 | 440dad5af38035cb0984a973e1f266deff2bd7fc |
| SHA256 | 11ee9c7fb70c3756c0392843245935517171b95cc5ba0d696b2c1742c8d46fb6 |
| SHA512 | 5d514ecab93941e83c008f0e9749f99e330949580884bf4850b11cac08fe1ac4ac50033e8888045fe4a9d8b4d2e3ea667b39be18f77266d00f8d7d6797260233 |
memory/4152-75-0x00007FFC6C6B0000-0x00007FFC6C6BF000-memory.dmp
memory/4152-73-0x00007FFC67400000-0x00007FFC67427000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_ctypes.pyd
| MD5 | 83f2a420d3a54dc73dc553faead3bbd4 |
| SHA1 | 954525c475713acc04fa2116191bd5a914cd881a |
| SHA256 | b50b87720095fe7ed8dfad73f7a6a0bbeb408a24b561a2cfd7e3b333f87bed90 |
| SHA512 | 21a80a2a6e3ca2e87df87bf3c34f0a61be441ca5d7bcb9fe7d35dfbce17a02ec04153e72864b284c001f6edcf4f7260476b21c2881614d0f632eeaa34656b1ac |
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_bz2.pyd
| MD5 | 76dda2f9e6796b85d4c80b7a49585bd0 |
| SHA1 | 9d8eb7052fd218d75094c87c669a7e4d6d1614b9 |
| SHA256 | 1ddc1386f8bec84b4c7d17e75a84fd2b7abef20bd3d5cdc648b3884252e78ca3 |
| SHA512 | 602bfb0b42d3f8184f15082b61692796c18715c9581dbc840069209a2550545bb4af54e35c1f971a6a9a9830b94fb491f4c9f8d5f4899cf1b534ee6388505019 |
memory/4152-79-0x00007FFC68E60000-0x00007FFC68E79000-memory.dmp
memory/4152-100-0x00007FFC67200000-0x00007FFC6722B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_wmi.pyd
| MD5 | b263987e0a3cc69177351ef8c72931c0 |
| SHA1 | 662f37a7c48feee8ddc2acfac21267ed168f0060 |
| SHA256 | 9a72f30c62104ee4218519c244f9883890f7e116b546e77ca294d4c39cddf289 |
| SHA512 | f9a6ac77bf31e3ad42bb410197915e8c06f06d50053befd488df237b88a3554117f58c172045eea2a606034908dfe30874514abd93e06c8bf7d0d0903aa27c4a |
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_uuid.pyd
| MD5 | 3acf3138d5550ca6de7e2580e076e0f7 |
| SHA1 | 3e878a18df2362aa6f0bdbfa058dca115e70d0b8 |
| SHA256 | f9d5008f0772aa0720bc056a6ecd5a2a3f24965e4b470b022d88627a436c1ffe |
| SHA512 | f05e90a0feaa2994b425884af32149fbbe2e11cb7499fc88ca92d8a74410edcd62b2b2c0f1ecd1a46985133f7e89575f2c114bd01f619c22ce52f3cf2a7e37c4 |
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_ssl.pyd
| MD5 | 51296f2f4ba52ad6a1f88471b34a42fa |
| SHA1 | 6e97e59a6438774ab8502157cc6139864cf8dff8 |
| SHA256 | edca2535998bc0f193f706d33f92324224587b353ce8cd1ad00836ad9093ffd1 |
| SHA512 | 4bf99768f09cebf94c66f359b4e5c0fa03a44b7cd9f6df085d8d5287d66962cf4d654df243e853d9c4fb172a4b366d97a20367c7b3f4fcab81c63b0af3d6c21e |
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_sqlite3.pyd
| MD5 | d8a9c98fae2b577c8cb4246e9875de10 |
| SHA1 | 27b2a31ec26009a4c8a242f3c54b56e46d606070 |
| SHA256 | ccf4c7a8efce2a995a91548efc894859922be003ae1c2a00c75123c3453c711b |
| SHA512 | cc519d00f67fc493ed9d9dccc0f6daa2c110247096d12ffdc9da69f7f0f11b11a1a333e6449f2c713b167c629ba9179a8c0083726cf25d8a04196045aed7cd66 |
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_socket.pyd
| MD5 | 574c2fee96efa2d63952a6042ee3272f |
| SHA1 | 22146b2592bd9aa086632c554f252a5ca92305cd |
| SHA256 | 66a745d27d7fdbe039f3ba2b82273eddcdcb8613cd17588682153fafd4b93384 |
| SHA512 | 078e15e0a508c4035c2b83e458bab95ea56ef941d5505280fc207053be90d072699ec39b5094490ab495fd5041d2c684d0260e5a88ad2c68b199d04340ab4a1b |
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_queue.pyd
| MD5 | c7fdadca43547314c311fd077520000e |
| SHA1 | c166a575e2896bd2700af2c43f7edae023304252 |
| SHA256 | 6a984ba75337e4487a97646227a14a559eb752e76c831ff413165b5938b6fc69 |
| SHA512 | 44be37526ddacdde4406a150d72278b2c2689051475d4ace5262d8a6425ab752fd22d0873b8e35620adae12f7c2c75b8feba8315863fb14c1ec1f8d311fc0431 |
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_overlapped.pyd
| MD5 | ff936ad394f51e00cfa20b497820dc24 |
| SHA1 | 02bc239848b717c0a71cefaa85ec7de44ef2e266 |
| SHA256 | c7a497d8bb056b55b7e8882c34e250afe3e3bf76f8691d6a90b3f24361ff672d |
| SHA512 | 2bccb9399b478516b85535cfb8ceb9c48ab9ab69df70f230a2f0e12506486f1935204bd931ea8cb4f3298bd00f9f7254278fa6739446c14ae0f0e9a0839f313e |
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_multiprocessing.pyd
| MD5 | 3694bc10cac00d42b50bcf99cb9a8fc6 |
| SHA1 | 3cffdb605d1e063dba0539400dbf6458a0351a03 |
| SHA256 | 7bdefee7fbea26a231335cf4b58e6bafe2016275cd274339fdebfd7738d0be1d |
| SHA512 | f5c905689ed17478c1cf66836fe43de656339a678b3f2c0028f196430e9e8d0431621158f03c4368a4eeceafd20904cd7ee89d554b839c21436a48ee65337159 |
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_hashlib.pyd
| MD5 | e34a96f476a486da9f3a461abc2df8cc |
| SHA1 | d70836f9ac2cd98c25b51c96f268674e95f53b26 |
| SHA256 | 72d71d3e5ab403221d8e6ab292b97652fa194cf038fbd31afdf8ef61f1fbcf8e |
| SHA512 | 0e2ee8d50a85c450d29002975df616c2318d6e4d52caa0172d2ba46439a9c1fd0b639593852035b0585ccd6d84ba66ba46c79b6cb50e99dc5cff4988ea8af724 |
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_decimal.pyd
| MD5 | 2bbe0345bba0ceb1dfead3bd326e32f7 |
| SHA1 | 7675f9a476b2ba7a3a76d825faddc9795d2e5afd |
| SHA256 | 79e9cf484191193a12126625bf8f8a929c51de8c0dd743f52eab49f86b313818 |
| SHA512 | 9da97707bf77240ff8557d0a9f6c4cbefd0bd4d4c9b5528de9f588135f98fe9cd7b6d854068fb85df4d95d29b9981daf6d26f8abb94d483d0671bd9a79fbf53a |
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_cffi_backend.cp313-win_amd64.pyd
| MD5 | feb838919a9cbc39fa2f7e47b2cf2fa0 |
| SHA1 | 4cfb8e03dc507587be9183e08c81c710ca368b86 |
| SHA256 | 85508735f87ab59af7343101b96337a12d51d6e54227abc3fc139156565c5d8b |
| SHA512 | 317913492b361678bc9d7565c011eb201f8bf36fd3c4e3218e00554122db429ca583fa2c0fd782073ab9ae98ba4c228a291d4e71cfc443a8e6d79c051591656c |
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_asyncio.pyd
| MD5 | fe4f2e32ed0ea1ef93188939ed5b9564 |
| SHA1 | 082396142b4c17343695d9ad0d841e73372cddba |
| SHA256 | 7319ca620123e4664d6a6aff95ebb43a7a5b0b3cc0df0acb665be1330ed1d6ed |
| SHA512 | 3c2ce4589e1ca7f544585bf9fd6bbfe21c49141516a503c6f55ed1eb57b0bc3c53222062599e7213ad82d1b85e6c4e81b3b4bebf0efad4f1acbacd4132f9790c |
C:\Users\Admin\AppData\Local\Temp\_MEI48602\VCRUNTIME140_1.dll
| MD5 | 68156f41ae9a04d89bb6625a5cd222d4 |
| SHA1 | 3be29d5c53808186eba3a024be377ee6f267c983 |
| SHA256 | 82a2f9ae1e6146ae3cb0f4bc5a62b7227e0384209d9b1aef86bbcc105912f7cd |
| SHA512 | f7bf8ad7cd8b450050310952c56f6a20b378a972c822ccc253ef3d7381b56ffb3ca6ce3323bea9872674ed1c02017f78ab31e9eb9927fc6b3cba957c247e5d57 |
C:\Users\Admin\AppData\Local\Temp\_MEI48602\unicodedata.pyd
| MD5 | d06c37a2f1e9298433c1f40b2b5dfac6 |
| SHA1 | 86a3b9edcae4ef141ce40d96551e73fd8d886b66 |
| SHA256 | c1eec492fccad5913c86e43cd6f2ed8d9660561ff15e43a2649f6848ef2105aa |
| SHA512 | e40d1042a36145b7f233c6f8af1c191f622629aacfb5dffbd9ba99132b68cddd2fda194068a07ace2b351c0050172815bbfc1bc5e3e3cdc5135239384384f0fc |
C:\Users\Admin\AppData\Local\Temp\_MEI48602\sqlite3.dll
| MD5 | 739c7cfbb423ecc578012a1e968845c4 |
| SHA1 | b33937e491e611afbb1f7588647bdbf7ca36721e |
| SHA256 | f71744ff7a6fb0bfe988b15453c258e53d6db7f08f3e6a50753dcc2a2990b72c |
| SHA512 | 4bb21339c39de65c604b73c46963d2e7e5cf31d33a1cdd7ac5c4b8ccc1fd88863a6342f7ba48d694ca6944764f7eec4e0b64851334781e3eddad743d8a8ed47b |
C:\Users\Admin\AppData\Local\Temp\_MEI48602\select.pyd
| MD5 | 9d6ec4a3d6011af6c1a18163d2f2dcd8 |
| SHA1 | 04ff12fc1c8e185a65051b5ccd0e467bb997fe73 |
| SHA256 | fe525f24259716b6786c4ef169e106a977b06d7ef6661e63668551d96e03f31c |
| SHA512 | 6e9fc605f3319e563d880a573522f4361d24fc5731bff90f069fed053ab7f5159e69a8292929fbc0c56aa369fb350b5eee0c1dedb692e26221b7d7e7bd2d92b2 |
C:\Users\Admin\AppData\Local\Temp\_MEI48602\pyexpat.pyd
| MD5 | 59c087c4a65839c69e3a59e129512563 |
| SHA1 | e5a39768dbd0be72f03c45a2d2eea9c802bb0f35 |
| SHA256 | 1bba10c40afdad06f99d51624ecd0dfef43a4cee0beec5e5a21d61ae06cbdb49 |
| SHA512 | 7c6f8164f0270b6aee2b30a66a44a094b987b6e6aaa2e34fdfcbc16b80143b76c430fd65871e5dcbe5338b8ad8b4635ff343bdfd09017b1d00663f31d4e5ef6a |
C:\Users\Admin\AppData\Local\Temp\_MEI48602\libssl-3.dll
| MD5 | fc9d8dea869ea56ff6612a2c577394bf |
| SHA1 | f30bc2bceb36e5e08c348936c791abaa93fd5b25 |
| SHA256 | 8ec0a7ac78f483bf55585d53f77d23934a4d15665e06fbd73c4addf1c9e6c959 |
| SHA512 | 929f5e08142e56f2d8067dac5d7457c72221da73e4cf6259da1982c5308b93dbec77d87cef89294a68441da77fa1923d6c9f812f714f6061ff9952f4f17783df |
C:\Users\Admin\AppData\Local\Temp\_MEI48602\libcrypto-3.dll
| MD5 | f5c66bbd34fc2839f2c8afa5a70c4e2c |
| SHA1 | a085085dbf5396ca45801d63d9681b20f091414c |
| SHA256 | 7ff3ccb7903f8bc1b872c948cfff4520c51539ae184f93b7bd9c04bf60f4a7f4 |
| SHA512 | fc108dfa1ef75b4a4c45c3fae1ccb9257e8950a17f6374fef5080df69ffd52928e5bcac0490772d4d57091e0d81ea58cd1d6d34ec6993e30c1b4c5704be7044b |
C:\Users\Admin\AppData\Local\Temp\_MEI48602\_lzma.pyd
| MD5 | 4c91d0d2bd873740d3b835cd29ba4806 |
| SHA1 | 76a4a59ea939d87177dc2e600a444bc908729d9a |
| SHA256 | 95578954b3282a5ed9c2db1e214cf3b4459afd955eabc898a896344b02908aba |
| SHA512 | f551a17495b7620dbf6d60cf40c29f6a4ceb5afee31472e398492491308023e7401a334c50883f37b60767d209801be4611a6f57ed16a419b06ab8ad5c967565 |
memory/4152-102-0x00007FFC68580000-0x00007FFC68599000-memory.dmp
memory/4152-106-0x00007FFC67880000-0x00007FFC6788D000-memory.dmp
memory/4152-104-0x00007FFC6B6A0000-0x00007FFC6B6AD000-memory.dmp
memory/4152-108-0x00007FFC671F0000-0x00007FFC671FF000-memory.dmp
memory/4152-111-0x00007FFC671C0000-0x00007FFC671D4000-memory.dmp
memory/4152-114-0x00007FFC53750000-0x00007FFC53C83000-memory.dmp
memory/4152-113-0x00007FFC53C90000-0x00007FFC542F3000-memory.dmp
memory/4152-116-0x00007FFC67400000-0x00007FFC67427000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI48602\setuptools\_vendor\jaraco\text\Lorem ipsum.txt
| MD5 | 4ce7501f6608f6ce4011d627979e1ae4 |
| SHA1 | 78363672264d9cd3f72d5c1d3665e1657b1a5071 |
| SHA256 | 37fedcffbf73c4eb9f058f47677cb33203a436ff9390e4d38a8e01c9dad28e0b |
| SHA512 | a4cdf92725e1d740758da4dd28df5d1131f70cef46946b173fe6956cc0341f019d7c4fecc3c9605f354e1308858721dada825b4c19f59c5ad1ce01ab84c46b24 |
memory/4152-119-0x00007FFC633C0000-0x00007FFC6348E000-memory.dmp
memory/4152-118-0x00007FFC63930000-0x00007FFC63964000-memory.dmp
memory/4152-122-0x00007FFC637B0000-0x00007FFC637E6000-memory.dmp
memory/4152-127-0x00007FFC63000000-0x00007FFC6317F000-memory.dmp
memory/4152-126-0x00007FFC68580000-0x00007FFC68599000-memory.dmp
memory/4152-124-0x00007FFC63A30000-0x00007FFC63A55000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI48602\cryptography\hazmat\bindings\_rust.pyd
| MD5 | 27bfdc1a00eb382f490991a6507cc3f2 |
| SHA1 | 162bc0ddf111968bfd69246660cf650f89b5b7bc |
| SHA256 | 788d5c28a70e2bc4e695c827aec70e0869ad7bfdd1f0f4f75231d6f8d83450c2 |
| SHA512 | 6fcc538c0f901f8543cf296b981a68eb6271f72ddcd106b69b45e0ebd166a355299ce23e999aa855d23edd69f95f53b653f92772435a42c72001386cdb423899 |
memory/4152-130-0x00007FFC52DD0000-0x00007FFC5355A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI48602\propcache\_helpers_c.cp313-win_amd64.pyd
| MD5 | 259dbfe970670d71dd3aba04f8489c03 |
| SHA1 | 6c80ba0abfe89f599b74cf3da36ada926df22296 |
| SHA256 | 64d60c63dcfd09a383f97bd7b75b891dbe215f7b0331bb7d7dcbbaed4108263c |
| SHA512 | 79d6b4180fd647f8146c57da7df1c1e178c40a6403ee57dea3da0342e0ad1c5616c8d89e6d45b1ac337f8c58ff2c4162da3274325f06a24051788144dbf47b81 |
C:\Users\Admin\AppData\Local\Temp\_MEI48602\yarl\_quoting_c.cp313-win_amd64.pyd
| MD5 | f8851964d34e012fc786945cf8e3737a |
| SHA1 | 364a9f9f5f01297f2f0206fd6947d107c2f8140a |
| SHA256 | 9c2e2220a2ef4c16cd677cfb28bf23cc7850efe6e863a304068ab117557a381e |
| SHA512 | 29b88e4e1df3f6b50ec07bba771dadcb8ae26621ed7ae44628587cc74006c6f46e09ae1f922bf641c201cbb51ae04df53a39778f30d376a8d2cd0e52a60c6b19 |
memory/4152-141-0x00007FFC63350000-0x00007FFC63366000-memory.dmp
memory/4152-140-0x00007FFC671F0000-0x00007FFC671FF000-memory.dmp
memory/4152-150-0x00007FFC62D90000-0x00007FFC62E43000-memory.dmp
memory/4152-149-0x00007FFC62E50000-0x00007FFC62E72000-memory.dmp
memory/4152-148-0x00007FFC671C0000-0x00007FFC671D4000-memory.dmp
memory/4152-147-0x00007FFC62D70000-0x00007FFC62D8B000-memory.dmp
memory/4152-146-0x00007FFC53750000-0x00007FFC53C83000-memory.dmp
memory/4152-139-0x00007FFC631E0000-0x00007FFC631F4000-memory.dmp
memory/4152-138-0x00007FFC63330000-0x00007FFC63342000-memory.dmp
memory/4152-137-0x00007FFC63570000-0x00007FFC635A8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI48602\multidict\_multidict.cp313-win_amd64.pyd
| MD5 | 3c58269113cfce41c884db5b857bdc2d |
| SHA1 | a7170fcf559c18acd9e5b9f1f07f557629ea1b30 |
| SHA256 | 5513d20e607a6926737c8f83994d92e100e94b7117201a07d0c44531830b9daf |
| SHA512 | d7dd460089dd9f6179aa3942b16553a4bd7a96fceb0a5d506f1499958409fadda666c43e2552227c1549e596c1a254374253bacc60b7ad3ea09db4864f9030cb |
C:\Users\Admin\AppData\Local\Temp\_MEI48602\aiohttp\_http_writer.cp313-win_amd64.pyd
| MD5 | 4fbd128e1bbabcc1bca750957c02c6e9 |
| SHA1 | 4b4ec26140ab190c05aa5649408da7048388a01c |
| SHA256 | 1ad797bfdc4ec7b27f48070b8bf4f1484bb3d6d01b903cfa6a5e186be34b5a3a |
| SHA512 | 60efa10b89b5b4d9ea918ff13a26725c0399d652563910e467a1f8b09db886b435d7a9560eb0871a9fef7440230a451fcfd8bec062aaa2cea6cdd7932c56188c |
C:\Users\Admin\AppData\Local\Temp\_MEI48602\aiohttp\_http_parser.cp313-win_amd64.pyd
| MD5 | 4fea7cc469ae54798233e3b29fb97217 |
| SHA1 | 45239758065eb81f463b7d75b2f262f61fbde103 |
| SHA256 | 29f4ae910b7615778e4adf0102a37d1668a2645cbabff95e3d182769674a0ebd |
| SHA512 | bcc084b022fa7199357b86f43658e03e7cfec84902d0eeb44bbf26d7397238cb8bcffbd184d8257664e1440b3ecf1e7674a7108c9176f5468790982362b4361d |
memory/4152-154-0x00007FFC63930000-0x00007FFC63964000-memory.dmp
memory/4152-155-0x00007FFC636E0000-0x00007FFC636F8000-memory.dmp
memory/4152-159-0x00007FFC636C0000-0x00007FFC636D1000-memory.dmp
memory/4152-158-0x00007FFC63370000-0x00007FFC633BD000-memory.dmp
memory/4152-157-0x00007FFC633C0000-0x00007FFC6348E000-memory.dmp
memory/4152-161-0x00007FFC59DE0000-0x00007FFC59E12000-memory.dmp
memory/4152-160-0x00007FFC63A30000-0x00007FFC63A55000-memory.dmp
memory/4152-166-0x00007FFC636A0000-0x00007FFC636BE000-memory.dmp
memory/4152-165-0x00007FFC52DD0000-0x00007FFC5355A000-memory.dmp
memory/4152-162-0x00007FFC63000000-0x00007FFC6317F000-memory.dmp
memory/448-209-0x0000018267860000-0x0000018267882000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hinzzveh.khd.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4152-219-0x00007FFC63350000-0x00007FFC63366000-memory.dmp
memory/4152-237-0x00007FFC63000000-0x00007FFC6317F000-memory.dmp
memory/4152-252-0x00007FFC63370000-0x00007FFC633BD000-memory.dmp
memory/4152-251-0x00007FFC636E0000-0x00007FFC636F8000-memory.dmp
memory/4152-249-0x00007FFC59DE0000-0x00007FFC59E12000-memory.dmp
memory/4152-240-0x00007FFC63350000-0x00007FFC63366000-memory.dmp
memory/4152-239-0x00007FFC63570000-0x00007FFC635A8000-memory.dmp
memory/4152-234-0x00007FFC633C0000-0x00007FFC6348E000-memory.dmp
memory/4152-233-0x00007FFC63930000-0x00007FFC63964000-memory.dmp
memory/4152-232-0x00007FFC53750000-0x00007FFC53C83000-memory.dmp
memory/4152-230-0x00007FFC671F0000-0x00007FFC671FF000-memory.dmp
memory/4152-229-0x00007FFC67880000-0x00007FFC6788D000-memory.dmp
memory/4152-222-0x00007FFC53C90000-0x00007FFC542F3000-memory.dmp
memory/4152-238-0x00007FFC52DD0000-0x00007FFC5355A000-memory.dmp
memory/4152-263-0x00007FFC53C90000-0x00007FFC542F3000-memory.dmp
memory/4152-278-0x00007FFC63000000-0x00007FFC6317F000-memory.dmp
memory/4152-273-0x00007FFC53750000-0x00007FFC53C83000-memory.dmp
memory/4152-287-0x00007FFC636E0000-0x00007FFC636F8000-memory.dmp
memory/4152-274-0x00007FFC63930000-0x00007FFC63964000-memory.dmp