exelastealer | 2f78b8b815c6c55a7c368252c4cffe15350b3942bbda2b50db3fc63cec333cfc

Analysis

max time kernel
31s
max time network
37s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-01-2025 13:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

__IL Spammer.EXE - עותק.exe
Size

395.3MB
MD5

5d80b902c3df6038228ddc6c8f56d405
SHA1

6fceb0d778451c1711f07a47c3f932ca005dd9a5
SHA256

2f78b8b815c6c55a7c368252c4cffe15350b3942bbda2b50db3fc63cec333cfc
SHA512

9cc316a81a5746d72a026cc1833239abab87b501fa108fe79a6b45f6ce0c3b14f2859ab1a6c649b900b89df1bfa8801a10da8dfa93572cc061b96b16846036a6
SSDEEP

393216:6raewq3Obs2ClPBXMCHWUjvrRQ7XbFsn6xEahVbGTbo1N:6Oewq3ObRqPBXMb8vrRQ766xhZGT8v

Score

10^/10

exelastealer collection defense_evasion discovery evasion persistence privilege_escalation spyware stealer

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3516	netsh.exe
4756	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
5112	cmd.exe
4896	powershell.exe

Loads dropped DLL 34 IoCs

pid	Process
224	__IL Spammer.EXE - עותק.exe
224	__IL Spammer.EXE - עותק.exe
224	__IL Spammer.EXE - עותק.exe
224	__IL Spammer.EXE - עותק.exe
224	__IL Spammer.EXE - עותק.exe
224	__IL Spammer.EXE - עותק.exe
224	__IL Spammer.EXE - עותק.exe
224	__IL Spammer.EXE - עותק.exe
224	__IL Spammer.EXE - עותק.exe
224	__IL Spammer.EXE - עותק.exe
224	__IL Spammer.EXE - עותק.exe
224	__IL Spammer.EXE - עותק.exe
224	__IL Spammer.EXE - עותק.exe
224	__IL Spammer.EXE - עותק.exe
224	__IL Spammer.EXE - עותק.exe
224	__IL Spammer.EXE - עותק.exe
224	__IL Spammer.EXE - עותק.exe
224	__IL Spammer.EXE - עותק.exe
224	__IL Spammer.EXE - עותק.exe
224	__IL Spammer.EXE - עותק.exe
224	__IL Spammer.EXE - עותק.exe
224	__IL Spammer.EXE - עותק.exe
224	__IL Spammer.EXE - עותק.exe
224	__IL Spammer.EXE - עותק.exe
224	__IL Spammer.EXE - עותק.exe
224	__IL Spammer.EXE - עותק.exe
224	__IL Spammer.EXE - עותק.exe
224	__IL Spammer.EXE - עותק.exe
224	__IL Spammer.EXE - עותק.exe
224	__IL Spammer.EXE - עותק.exe
224	__IL Spammer.EXE - עותק.exe
224	__IL Spammer.EXE - עותק.exe
224	__IL Spammer.EXE - עותק.exe
224	__IL Spammer.EXE - עותק.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
33	discord.com
34	discord.com
35	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
25	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
60	cmd.exe
1296	ARP.EXE

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
4956	tasklist.exe
1296	tasklist.exe
4200	tasklist.exe
4128	tasklist.exe
2904	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
408	cmd.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4992	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1268	cmd.exe
3956	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
3488	NETSTAT.EXE

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
1612	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1124	WMIC.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1068	ipconfig.exe
3488	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3216	systeminfo.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
4896	powershell.exe
4896	powershell.exe
4896	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1124	WMIC.exe
Token: SeSecurityPrivilege	1124	WMIC.exe
Token: SeTakeOwnershipPrivilege	1124	WMIC.exe
Token: SeLoadDriverPrivilege	1124	WMIC.exe
Token: SeSystemProfilePrivilege	1124	WMIC.exe
Token: SeSystemtimePrivilege	1124	WMIC.exe
Token: SeProfSingleProcessPrivilege	1124	WMIC.exe
Token: SeIncBasePriorityPrivilege	1124	WMIC.exe
Token: SeCreatePagefilePrivilege	1124	WMIC.exe
Token: SeBackupPrivilege	1124	WMIC.exe
Token: SeRestorePrivilege	1124	WMIC.exe
Token: SeShutdownPrivilege	1124	WMIC.exe
Token: SeDebugPrivilege	1124	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1124	WMIC.exe
Token: SeRemoteShutdownPrivilege	1124	WMIC.exe
Token: SeUndockPrivilege	1124	WMIC.exe
Token: SeManageVolumePrivilege	1124	WMIC.exe
Token: 33	1124	WMIC.exe
Token: 34	1124	WMIC.exe
Token: 35	1124	WMIC.exe
Token: 36	1124	WMIC.exe
Token: SeIncreaseQuotaPrivilege	928	WMIC.exe
Token: SeSecurityPrivilege	928	WMIC.exe
Token: SeTakeOwnershipPrivilege	928	WMIC.exe
Token: SeLoadDriverPrivilege	928	WMIC.exe
Token: SeSystemProfilePrivilege	928	WMIC.exe
Token: SeSystemtimePrivilege	928	WMIC.exe
Token: SeProfSingleProcessPrivilege	928	WMIC.exe
Token: SeIncBasePriorityPrivilege	928	WMIC.exe
Token: SeCreatePagefilePrivilege	928	WMIC.exe
Token: SeBackupPrivilege	928	WMIC.exe
Token: SeRestorePrivilege	928	WMIC.exe
Token: SeShutdownPrivilege	928	WMIC.exe
Token: SeDebugPrivilege	928	WMIC.exe
Token: SeSystemEnvironmentPrivilege	928	WMIC.exe
Token: SeRemoteShutdownPrivilege	928	WMIC.exe
Token: SeUndockPrivilege	928	WMIC.exe
Token: SeManageVolumePrivilege	928	WMIC.exe
Token: 33	928	WMIC.exe
Token: 34	928	WMIC.exe
Token: 35	928	WMIC.exe
Token: 36	928	WMIC.exe
Token: SeDebugPrivilege	4956	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1124	WMIC.exe
Token: SeSecurityPrivilege	1124	WMIC.exe
Token: SeTakeOwnershipPrivilege	1124	WMIC.exe
Token: SeLoadDriverPrivilege	1124	WMIC.exe
Token: SeSystemProfilePrivilege	1124	WMIC.exe
Token: SeSystemtimePrivilege	1124	WMIC.exe
Token: SeProfSingleProcessPrivilege	1124	WMIC.exe
Token: SeIncBasePriorityPrivilege	1124	WMIC.exe
Token: SeCreatePagefilePrivilege	1124	WMIC.exe
Token: SeBackupPrivilege	1124	WMIC.exe
Token: SeRestorePrivilege	1124	WMIC.exe
Token: SeShutdownPrivilege	1124	WMIC.exe
Token: SeDebugPrivilege	1124	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1124	WMIC.exe
Token: SeRemoteShutdownPrivilege	1124	WMIC.exe
Token: SeUndockPrivilege	1124	WMIC.exe
Token: SeManageVolumePrivilege	1124	WMIC.exe
Token: 33	1124	WMIC.exe
Token: 34	1124	WMIC.exe
Token: 35	1124	WMIC.exe
Token: 36	1124	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4112 wrote to memory of 224	4112	__IL Spammer.EXE - עותק.exe	85
PID 4112 wrote to memory of 224	4112	__IL Spammer.EXE - עותק.exe	85
PID 224 wrote to memory of 2372	224	__IL Spammer.EXE - עותק.exe	87
PID 224 wrote to memory of 2372	224	__IL Spammer.EXE - עותק.exe	87
PID 224 wrote to memory of 2264	224	__IL Spammer.EXE - עותק.exe	88
PID 224 wrote to memory of 2264	224	__IL Spammer.EXE - עותק.exe	88
PID 224 wrote to memory of 4460	224	__IL Spammer.EXE - עותק.exe	89
PID 224 wrote to memory of 4460	224	__IL Spammer.EXE - עותק.exe	89
PID 224 wrote to memory of 972	224	__IL Spammer.EXE - עותק.exe	90
PID 224 wrote to memory of 972	224	__IL Spammer.EXE - עותק.exe	90
PID 2372 wrote to memory of 1124	2372	cmd.exe	95
PID 2372 wrote to memory of 1124	2372	cmd.exe	95
PID 972 wrote to memory of 4956	972	cmd.exe	96
PID 972 wrote to memory of 4956	972	cmd.exe	96
PID 2264 wrote to memory of 928	2264	cmd.exe	97
PID 2264 wrote to memory of 928	2264	cmd.exe	97
PID 224 wrote to memory of 3600	224	__IL Spammer.EXE - עותק.exe	98
PID 224 wrote to memory of 3600	224	__IL Spammer.EXE - עותק.exe	98
PID 3600 wrote to memory of 1480	3600	cmd.exe	100
PID 3600 wrote to memory of 1480	3600	cmd.exe	100
PID 224 wrote to memory of 3456	224	__IL Spammer.EXE - עותק.exe	101
PID 224 wrote to memory of 3456	224	__IL Spammer.EXE - עותק.exe	101
PID 224 wrote to memory of 3488	224	__IL Spammer.EXE - עותק.exe	102
PID 224 wrote to memory of 3488	224	__IL Spammer.EXE - עותק.exe	102
PID 3456 wrote to memory of 4368	3456	cmd.exe	105
PID 3456 wrote to memory of 4368	3456	cmd.exe	105
PID 3488 wrote to memory of 1296	3488	cmd.exe	106
PID 3488 wrote to memory of 1296	3488	cmd.exe	106
PID 224 wrote to memory of 408	224	__IL Spammer.EXE - עותק.exe	107
PID 224 wrote to memory of 408	224	__IL Spammer.EXE - עותק.exe	107
PID 408 wrote to memory of 1860	408	cmd.exe	109
PID 408 wrote to memory of 1860	408	cmd.exe	109
PID 224 wrote to memory of 4280	224	__IL Spammer.EXE - עותק.exe	112
PID 224 wrote to memory of 4280	224	__IL Spammer.EXE - עותק.exe	112
PID 224 wrote to memory of 628	224	__IL Spammer.EXE - עותק.exe	114
PID 224 wrote to memory of 628	224	__IL Spammer.EXE - עותק.exe	114
PID 628 wrote to memory of 4200	628	cmd.exe	116
PID 628 wrote to memory of 4200	628	cmd.exe	116
PID 4280 wrote to memory of 3188	4280	cmd.exe	117
PID 4280 wrote to memory of 3188	4280	cmd.exe	117
PID 224 wrote to memory of 4988	224	__IL Spammer.EXE - עותק.exe	118
PID 224 wrote to memory of 4988	224	__IL Spammer.EXE - עותק.exe	118
PID 224 wrote to memory of 1620	224	__IL Spammer.EXE - עותק.exe	119
PID 224 wrote to memory of 1620	224	__IL Spammer.EXE - עותק.exe	119
PID 224 wrote to memory of 2300	224	__IL Spammer.EXE - עותק.exe	120
PID 224 wrote to memory of 2300	224	__IL Spammer.EXE - עותק.exe	120
PID 224 wrote to memory of 5112	224	__IL Spammer.EXE - עותק.exe	121
PID 224 wrote to memory of 5112	224	__IL Spammer.EXE - עותק.exe	121
PID 1620 wrote to memory of 4156	1620	cmd.exe	126
PID 1620 wrote to memory of 4156	1620	cmd.exe	126
PID 4988 wrote to memory of 556	4988	cmd.exe	127
PID 4988 wrote to memory of 556	4988	cmd.exe	127
PID 4156 wrote to memory of 1104	4156	cmd.exe	128
PID 4156 wrote to memory of 1104	4156	cmd.exe	128
PID 2300 wrote to memory of 4128	2300	cmd.exe	129
PID 2300 wrote to memory of 4128	2300	cmd.exe	129
PID 556 wrote to memory of 4552	556	cmd.exe	130
PID 556 wrote to memory of 4552	556	cmd.exe	130
PID 5112 wrote to memory of 4896	5112	cmd.exe	131
PID 5112 wrote to memory of 4896	5112	cmd.exe	131
PID 224 wrote to memory of 1268	224	__IL Spammer.EXE - עותק.exe	132
PID 224 wrote to memory of 1268	224	__IL Spammer.EXE - עותק.exe	132
PID 224 wrote to memory of 60	224	__IL Spammer.EXE - עותק.exe	134
PID 224 wrote to memory of 60	224	__IL Spammer.EXE - עותק.exe	134

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1860	attrib.exe

C:\Users\Admin\AppData\Local\Temp\__IL Spammer.EXE - עותק.exe
"C:\Users\Admin\AppData\Local\Temp\__IL Spammer.EXE - עותק.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4112
- C:\Users\Admin\AppData\Local\Temp\__IL Spammer.EXE - עותק.exe
  "C:\Users\Admin\AppData\Local\Temp\__IL Spammer.EXE - עותק.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:1124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:4460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:972
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3600
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      PID:1480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3456
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4368
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3488
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:1296
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\WaltuhiumUpdateService\Waltuhium.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:408
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\WaltuhiumUpdateService\Waltuhium.exe"
      4⤵
      Views/modifies file attributes
      PID:1860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4280
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:3188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:628
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:4200
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4988
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:556
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:4552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1620
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4156
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:1104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:5112
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:4896
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1268
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    PID:60
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3216
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:4908
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      PID:1612
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:792
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:4680
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:3648
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:3768
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:2312
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:4264
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:4668
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:2264
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:4332
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:3948
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:4508
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:4956
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:972
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:2904
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:1068
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:3200
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:1296
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:3488
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:4992
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3516
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1524
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2660
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI41122\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\VCRUNTIME140_1.dll

Filesize
48KB

MD5
68156f41ae9a04d89bb6625a5cd222d4

SHA1
3be29d5c53808186eba3a024be377ee6f267c983

SHA256
82a2f9ae1e6146ae3cb0f4bc5a62b7227e0384209d9b1aef86bbcc105912f7cd

SHA512
f7bf8ad7cd8b450050310952c56f6a20b378a972c822ccc253ef3d7381b56ffb3ca6ce3323bea9872674ed1c02017f78ab31e9eb9927fc6b3cba957c247e5d57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\_asyncio.pyd

Filesize
71KB

MD5
142e957ae9fe9dd8514e1781c9a35c2b

SHA1
66d587f8b3a9f8cf237fc682c6e6d3d0929f1df9

SHA256
4c6d6690e91974804c1eaf77827ea63882711689baff0718a246796ff40b2a23

SHA512
874a827a6183bfe9898c80c25db4336eb58273a0ec701bc5f497364afe3084d6634bf6db7f9dc02ef593c6a751e678be419e9af050bd51c4bbb89d98f53c5f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\_bz2.pyd

Filesize
83KB

MD5
c17dcb7fc227601471a641ec90e6237f

SHA1
c93a8c2430e844f40f1d9c880aa74612409ffbb9

SHA256
55894b2b98d01f37b9a8cf4daf926d0161ff23c2fb31c56f9dbbac3a61932712

SHA512
38851cbd234a51394673a7514110eb43037b4e19d2a6fb79471cc7d01dbcf2695e70df4ba2727c69f1fed56fc7980e3ca37fddff73cc3294a2ea44facdeb0fa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\_cffi_backend.cp313-win_amd64.pyd

Filesize
175KB

MD5
5cba92e7c00d09a55f5cbadc8d16cd26

SHA1
0300c6b62cd9db98562fdd3de32096ab194da4c8

SHA256
0e3d149b91fc7dc3367ab94620a5e13af6e419f423b31d4800c381468cb8ad85

SHA512
7ab432c8774a10f04ddd061b57d07eba96481b5bb8c663c6ade500d224c6061bc15d17c74da20a7c3cec8bbf6453404d553ebab22d37d67f9b163d7a15cf1ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\_ctypes.pyd

Filesize
129KB

MD5
2bd5dabbb35398a506e3406bc01eba26

SHA1
af3ab9d8467e25367d03cb7479a3e4324917f8d0

SHA256
5c4c489ac052795c27af063c96bc4db5ab250144d4839050cfa9bb3836b87c32

SHA512
c07860d86ae0d900e44945da77e3b620005667304c0715985f06000f3d410fffb7e38e1bc84e4e6d24889d46b9dac6bf18861c95b2b09e760012edc5406b3838

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\_decimal.pyd

Filesize
274KB

MD5
ad4324e5cc794d626ffccda544a5a833

SHA1
ef925e000383b6cad9361430fc38264540d434a5

SHA256
040f361f63204b55c17a100c260c7ddfadd00866cc055fbd641b83a6747547d5

SHA512
0a002b79418242112600b9246da66a5c04651aecb2e245f0220b2544d7b7df67a20139f45ddf2d4e7759ce8cc3d6b4be7f98b0a221c756449eb1b6d7af602325

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\_hashlib.pyd

Filesize
63KB

MD5
422e214ca76421e794b99f99a374b077

SHA1
58b24448ab889948303cdefe28a7c697687b7ebc

SHA256
78223aef72777efc93c739f5308a3fc5de28b7d10e6975b8947552a62592772b

SHA512
03fcccc5a300cc029bef06c601915fa38604d955995b127b5b121cb55fb81752a8a1eec4b1b263ba12c51538080335dabaef9e2b8259b4bf02af84a680552fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\_lzma.pyd

Filesize
155KB

MD5
66a9028efd1bb12047dafce391fd6198

SHA1
e0b61ce28ea940f1f0d5247d40abe61ae2b91293

SHA256
e44dea262a24df69fd9b50b08d09ae6f8b051137ce0834640c977091a6f9fca8

SHA512
3c2a4e2539933cbeb1d0b3c8ef14f0563675fd53b6ef487c7a5371dfe2ee1932255f91db598a61aaadacd8dc2fe2486a91f586542c52dfc054b22ad843831d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\_multiprocessing.pyd

Filesize
35KB

MD5
22d20bd3946419ecf0882315ae1f96de

SHA1
f3c07bef75fa372a6905e971ca8350d1e3e48058

SHA256
9da721822a592f8c4e9a96ebaa4517c45768d7737582e0e5b933066f453a2e5e

SHA512
a3bec1f99240b9e9d823405eecc1c511c46f11c7d844229a0dad7e23edb69df365874c184fe9b2637f12a94132e44acecc3a434810d0ff5c819f8207f1ddde9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\_overlapped.pyd

Filesize
55KB

MD5
4df3728d404e0b1607a80b32c6c93bcc

SHA1
d6ebd687de4d5fd8037f0775d6ea88b84f6a8287

SHA256
c8a0e2c0d7f82cedb839d2c0b827cf139113faa4aba05f2345c80e2cf3335b8a

SHA512
f9f51ac1f82e2fa799249336a927a84b0a44055ada0a136e318d9073633c2595445a933fbc74b0b3c16cbad6c253d1df76cad031389d89daf9a789de1526e265

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\_queue.pyd

Filesize
34KB

MD5
955b197c38ea5bd537ce9c7cb2109802

SHA1
8feffcb11740ddafc4479fc008cc06c6b570a8bc

SHA256
73cade82ee139459fe5841e5631274fc9caf7f579418b613f278125435653539

SHA512
cab0d8d10fb3bff72d20b287901ccd9be685796142cd2e45e4712cd6f4551dec69180490c2fdfad262c6927a3c7f4fefe68187f64c066731fe17012f78a0ed69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\_socket.pyd

Filesize
82KB

MD5
abf998769f3cba685e90fa06e0ec8326

SHA1
daa66047cf22b6be608127f8824e59b30c9026bf

SHA256
62d0493ced6ca33e2fd8141649dd9889c23b2e9afc5fdf56edb4f888c88fb823

SHA512
08c6b3573c596a15accf4936533567415198a0daab5b6e9824b820fd1f078233bbc3791fde6971489e70155f7c33c1242b0b0a3a17fe2ec95b9fadae555ed483

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\_sqlite3.pyd

Filesize
126KB

MD5
8a8ed31d0a082bcdfb7d5a3249689890

SHA1
ff9c7529ed7636fa0cda44d8c9d043c84d8f55f2

SHA256
c2161b71db9ce8c518d65e8a36c9ec67cd6d039ff732203b8adbe2c7ea883f6d

SHA512
075aa2ccb70041ffc66c5bc672dbf05aac1bf8f1f33f86d2fa2578fe9be3731689686dae6e69d59515028390ba0da1ea452f3bd2d46b9cce3f26106084db074f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\_ssl.pyd

Filesize
178KB

MD5
cf541cc288ac0bec9b682a2e0011d1ff

SHA1
ef0dd009fdad14b3f6063619112dcdfafb17186d

SHA256
e94f0195363c5c9babfc4c17ec6fb1aa8bbabf59e377db66ce6a79c4c58bbd07

SHA512
f97e7fc644356bebe7e3deaa46b7de61118b13af99c9e91d0fbcbe3caea0c941265bcb28fee31a22fc3031c6428517c5202c1425654f3c2cd234979c9e3c04b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\_uuid.pyd

Filesize
27KB

MD5
b5f2d9353f758e1a60e67dac33debdd2

SHA1
edae6378d70b76846329fa609483de89531bcf16

SHA256
cde836ef0bde1c15c1c3750de54b50d2285864c512abbfc9e2c94f0ff5aa5ca2

SHA512
9d780a8ec760c6bae3b53079c9a0670c7cbf2af6aababda0234ee71c5e0546b501cbe9666d973eaa28fb7fb7285814ecfece98d20cf4a86d3aea9a61a8120397

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\_wmi.pyd

Filesize
39KB

MD5
c629ce084fc76ac60b7a77479cb2225c

SHA1
fe80955f217162ce9d4910202bbe30f7601d254a

SHA256
afad80f9e62a57814779cf3e48352b583c1a0697b11a23cc9db3f4e43f7f8664

SHA512
9863767981508f458c61553e5a50b6c5d70956676fee92e15b5ab08b1770ba0f640392fa12feddd6ab1eac5a418f3f8cd057c608e33653a2825ca36edded78b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\aiohttp\_http_parser.cp313-win_amd64.pyd

Filesize
257KB

MD5
3d5b5e6a36927ec78a1e4716b23eb3b6

SHA1
4bb9c47ad4be457f92fda1a0c15794dfc9d2f617

SHA256
311b8f4aa9656fa2a2e728b4f34137e79767199e5eb0b2f8d9b1e9df614b387b

SHA512
0dce3a58a0b6c2d2270d62d3ba2fdc6c5e5cc53f2b1072db5c2b7dbc2a303a4141d66d402ec9baa4c0d49e7e125f8481e1f40ce0550f5ad1a9f82e52b1e4b867

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\aiohttp\_http_writer.cp313-win_amd64.pyd

Filesize
47KB

MD5
73432d154eeea2102e1d140767bf5b65

SHA1
2bc59507522021fab2d1be19bf3478dc2f6012f9

SHA256
beaf5290cff140934c2c34293da92985096306d6c7c7614c870fd9b59114c7bc

SHA512
3fd6fa9734f02ea08f96f3a62954bc36b2bcefed6ee8a29432ecbfc449b7c6db905cb526bde72a8b0d3731d041e1d157b469554bcd192e479bc64620ea079dc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\aiohttp\_websocket\mask.cp313-win_amd64.pyd

Filesize
34KB

MD5
78bda19210370777e1ab3840b0b16a32

SHA1
e848cb17a5ecc42b0f8a5588348a427fa781ab8f

SHA256
aaeecd93142b34ea1b4ff473c88365cf5b8fd7bec7d83e6bfde12a0f836d38b9

SHA512
ddb54fb256eafed024ea950277a6e1e7d6bcc38905de883d3e35a79238ff11621f15ec8a4724ec9e74093b2d213aa0cc961e9dc56a8c868c185b44ae61387223

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\base_library.zip

Filesize
1.3MB

MD5
18c3f8bf07b4764d340df1d612d28fad

SHA1
fc0e09078527c13597c37dbea39551f72bbe9ae8

SHA256
6e30043dfa5faf9c31bd8fb71778e8e0701275b620696d29ad274846676b7175

SHA512
135b97cd0284424a269c964ed95b06d338814e5e7b2271b065e5eabf56a8af4a213d863dd2a1e93c1425fadb1b20e6c63ffa6e8984156928be4a9a2fbbfd5e93

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\cryptography\hazmat\bindings\_rust.pyd

Filesize
7.9MB

MD5
34293b976da366d83c12d8ee05de7b03

SHA1
82b8eb434c26fcc3a5d9673c9b93663c0ff9bf15

SHA256
a2285c3f2f7e63ba8a17ab5d0a302740e6adf7e608e0707a7737c1ec3bd8cecc

SHA512
0807ec7515186f0a989bb667150a84ff3bebcc248625597ba0be3c6f07ad60d70cf8a3f65191436ec16042f446d4248bf92fcd02212e459405948db10f078b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\libcrypto-3.dll

Filesize
5.0MB

MD5
123ad0908c76ccba4789c084f7a6b8d0

SHA1
86de58289c8200ed8c1fc51d5f00e38e32c1aad5

SHA256
4e5d5d20d6d31e72ab341c81e97b89e514326c4c861b48638243bdf0918cfa43

SHA512
80fae0533ba9a2f5fa7806e86f0db8b6aab32620dde33b70a3596938b529f3822856de75bddb1b06721f8556ec139d784bc0bb9c8da0d391df2c20a80d33cb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\libffi-8.dll

Filesize
38KB

MD5
0f8e4992ca92baaf54cc0b43aaccce21

SHA1
c7300975df267b1d6adcbac0ac93fd7b1ab49bd2

SHA256
eff52743773eb550fcc6ce3efc37c85724502233b6b002a35496d828bd7b280a

SHA512
6e1b223462dc124279bfca74fd2c66fe18b368ffbca540c84e82e0f5bcbea0e10cc243975574fa95ace437b9d8b03a446ed5ee0c9b1b094147cefaf704dfe978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\libssl-3.dll

Filesize
774KB

MD5
4ff168aaa6a1d68e7957175c8513f3a2

SHA1
782f886709febc8c7cebcec4d92c66c4d5dbcf57

SHA256
2e4d35b681a172d3298caf7dc670451be7a8ba27c26446efc67470742497a950

SHA512
c372b759b8c7817f2cbb78eccc5a42fa80bdd8d549965bd925a97c3eebdce0335fbfec3995430064dead0f4db68ebb0134eb686a0be195630c49f84b468113e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\multidict\_multidict.cp313-win_amd64.pyd

Filesize
46KB

MD5
113a209e8167ddd2da9b4b73ef0b0229

SHA1
198b613a362b6432bd42a668ad27c744cde9c348

SHA256
9470add15fae0be67f79d2abe2e9eefe6b573cc2254b688565161b8e7561e6ab

SHA512
eda70a5f8af14a84d0c59e795c4df42af34b1ba6ea0185a01709d8f04a658f25f3f88164d1b9594c0e487963cdc3a02bc5bffd5e0976aa30813b359af78ace1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\propcache\_helpers_c.cp313-win_amd64.pyd

Filesize
71KB

MD5
e780c9eebe237208cd71987ac15d94e2

SHA1
257da5d8a050ee2609b19b8e3e57601abc4d76ed

SHA256
3a5a51c8fb2555f9d78886fd78c84eb62e3da342cd8c0f3f73929d82719bcd64

SHA512
643372f0d5b2be441db6f21049aba350f21a8ed93a65159156dafd2c46d3eff9f3549ef7178775d32ba67ba552827ae866098a69004204906f48107fe373b6b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\pyexpat.pyd

Filesize
197KB

MD5
03493d1441671abe9339af942253dac3

SHA1
0d8800be2733bb56fb2909a6f9389c00eb00f612

SHA256
3a4830342ab562e41ab93b4bc2dc45fe0ab760815e7c3ec4a7fddc914ec99982

SHA512
1b092a9e2e9e64533e7436c239961cee4ffde0fa6fed4c6e0ca2a9f72fc72065d457968dc92e74f4e052cd2557f6d380a86046117b6a450306a16ac6e885a036

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\python3.DLL

Filesize
70KB

MD5
ad2c4784c3240063eeaa646fd59be62c

SHA1
5efab563725781ab38a511e3f26e0406d5d46e8d

SHA256
c1de4bfe57dc4a5be8c72c865d617dc39dfd8162fcd2ce1fac9f401cf9efb504

SHA512
c964d4289206d099310bd5299f71a32c643311e0e8445e35ae3179772136d0ca9b75f5271eaf31efc75c055cd438799cef836ed87797589629b0e9f247424676

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\python313.dll

Filesize
5.8MB

MD5
3aad23292404a7038eb07ce5a6348256

SHA1
35cac5479699b28549ebe36c1d064bfb703f0857

SHA256
78b1dd211c0e66a0603df48da2c9b67a915ab3258701b9285d3faa255ed8dc25

SHA512
f5b6ef04e744d2c98c1ef9402d7a8ce5cda3b008837cf2c37a8b6d0cd1b188ca46585a40b2db7acf019f67e6ced59eff5bc86e1aaf48d3c3b62fecf37f3aec6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\select.pyd

Filesize
31KB

MD5
62fe3761d24b53d98cc9b0cbbd0feb7c

SHA1
317344c9edf2fcfa2b9bc248a18f6e6acedafffb

SHA256
81f124b01a85882e362a42e94a13c0eff2f4ccd72d461821dc5457a789554413

SHA512
a1d3da17937087af4e5980d908ed645d4ea1b5f3ebfab5c572417df064707cae1372b331c7096cc8e2e041db9315172806d3bc4bb425c6bb4d2fa55e00524881

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\sqlite3.dll

Filesize
1.5MB

MD5
31a0332fa7a20a91e0ae0ee2e2b3e179

SHA1
a26f8e51b200cc222ba8a8cc14df6926a577132a

SHA256
afb50a080d3c79d9c89d134b006fb2b0779b5ffeeb703762d163141b15eb03bb

SHA512
ebb50a5611b9e82161ab813acdc21d7bcb0b5d98587b67cc82a0fdd18df5a8415406e1a06c1c0a95e9eebff3909d6104756ff73ae965efc49ffff04ec4210e30

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\unicodedata.pyd

Filesize
695KB

MD5
43b8b61debbc6dd93124a00ddd922d8c

SHA1
5dee63d250ac6233aac7e462eee65c5326224f01

SHA256
3f462ee6e7743a87e5791181936539642e3761c55de3de980a125f91fe21f123

SHA512
dd4791045cf887e6722feae4442c38e641f19ec994a8eaf7667e9df9ea84378d6d718caf3390f92443f6bbf39840c150121bb6fa896c4badd3f78f1ffe4de19d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI41122\yarl\_quoting_c.cp313-win_amd64.pyd

Filesize
94KB

MD5
8fb4a79b2c7cfe657adffff4c3d2859e

SHA1
3d44aeebb7de1789f04d89d221febf9fea4f27d2

SHA256
1ddb9fc16b1afbb73e1415054dd13e187369b1d456ddcd31bd88bbd3e5006c3e

SHA512
0a307a1ff593e86dd2c69f1a4aaf6de8d4ae5e9c4fab4353226e2853de7bc524d794ffa29c853694dd6c588803b26c1b801bb6b23712cfdea9f8eb26a2e2fba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ulohgraw.4lj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/4896-168-0x0000020CAEFD0000-0x0000020CAEFF2000-memory.dmp

Filesize
136KB

Download