exelastealer | 399b296b21cca504e716f53dddc8d01ab781b4592306320cb8b80ddcdfda333d

Analysis

max time kernel
139s
max time network
135s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
03-08-2024 12:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

auxia_updater.exe
Size

10.9MB
MD5

3b83f4ed82c3f00ccfd267a3fa0ff65e
SHA1

abb3b29c7092e0fec2d29999b56718b2267ed2c7
SHA256

92f7de4db70a88abef1e2fb31174fffa5a1b885aab68012b8a4ac31b3e827e22
SHA512

606c5238e11dfb41729fd510bf730dce67de5cf3f6a4f611b85ab555e71752c3df82890da075b5b14a8a2da8ca18781da8d468b9d3b1b44ab439e57eb45eee20
SSDEEP

196608:G7tPRQkdwuLUhJb3tQk5tsurErvI9pWj+sgX3ZdahF0wB1AajVsCEk9QtQTNWVJg:SxOhh7v5tsurEUWj/gXe7b2C7S6gU

Score

10^/10

exelastealer collection credential_access defense_evasion discovery evasion persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1392	netsh.exe
1020	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4128	cmd.exe
4532	powershell.exe

Loads dropped DLL 32 IoCs

pid	Process
2068	auxia_updater.exe
2068	auxia_updater.exe
2068	auxia_updater.exe
2068	auxia_updater.exe
2068	auxia_updater.exe
2068	auxia_updater.exe
2068	auxia_updater.exe
2068	auxia_updater.exe
2068	auxia_updater.exe
2068	auxia_updater.exe
2068	auxia_updater.exe
2068	auxia_updater.exe
2068	auxia_updater.exe
2068	auxia_updater.exe
2068	auxia_updater.exe
2068	auxia_updater.exe
2068	auxia_updater.exe
2068	auxia_updater.exe
2068	auxia_updater.exe
2068	auxia_updater.exe
2068	auxia_updater.exe
2068	auxia_updater.exe
2068	auxia_updater.exe
2068	auxia_updater.exe
2068	auxia_updater.exe
2068	auxia_updater.exe
2068	auxia_updater.exe
2068	auxia_updater.exe
2068	auxia_updater.exe
2068	auxia_updater.exe
2068	auxia_updater.exe
2068	auxia_updater.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000100000002ab09-47.dat	upx
behavioral1/memory/2068-51-0x00007FFCDDCD0000-0x00007FFCDE394000-memory.dmp	upx
behavioral1/files/0x000100000002aad9-53.dat	upx
behavioral1/files/0x000100000002ab03-58.dat	upx
behavioral1/memory/2068-82-0x00007FFCF9230000-0x00007FFCF923F000-memory.dmp	upx
behavioral1/memory/2068-81-0x00007FFCF2720000-0x00007FFCF2745000-memory.dmp	upx
behavioral1/files/0x000100000002aae4-80.dat	upx
behavioral1/files/0x000100000002aae2-78.dat	upx
behavioral1/files/0x000100000002aae1-77.dat	upx
behavioral1/files/0x000100000002aae0-76.dat	upx
behavioral1/files/0x000100000002aadf-75.dat	upx
behavioral1/files/0x000100000002aadd-73.dat	upx
behavioral1/files/0x000100000002aadc-72.dat	upx
behavioral1/files/0x000100000002aadb-71.dat	upx
behavioral1/files/0x000100000002aada-70.dat	upx
behavioral1/files/0x000100000002aad8-69.dat	upx
behavioral1/files/0x000100000002aad7-68.dat	upx
behavioral1/files/0x000100000002aad6-67.dat	upx
behavioral1/files/0x000100000002ab0c-65.dat	upx
behavioral1/files/0x000100000002ab0b-64.dat	upx
behavioral1/files/0x000100000002ab0a-63.dat	upx
behavioral1/files/0x000100000002ab07-62.dat	upx
behavioral1/files/0x000100000002ab04-61.dat	upx
behavioral1/files/0x000100000002ab02-60.dat	upx
behavioral1/files/0x000100000002aade-74.dat	upx
behavioral1/memory/2068-84-0x00007FFCF4E70000-0x00007FFCF4E89000-memory.dmp	upx
behavioral1/memory/2068-86-0x00007FFCF4BE0000-0x00007FFCF4BED000-memory.dmp	upx
behavioral1/memory/2068-88-0x00007FFCF4BD0000-0x00007FFCF4BDF000-memory.dmp	upx
behavioral1/memory/2068-91-0x00007FFCF91C0000-0x00007FFCF91DA000-memory.dmp	upx
behavioral1/memory/2068-93-0x00007FFCF2930000-0x00007FFCF295D000-memory.dmp	upx
behavioral1/memory/2068-96-0x00007FFCF2900000-0x00007FFCF2924000-memory.dmp	upx
behavioral1/memory/2068-97-0x00007FFCF2780000-0x00007FFCF28FF000-memory.dmp	upx
behavioral1/files/0x000100000002aaff-98.dat	upx
behavioral1/memory/2068-100-0x00007FFCDDCD0000-0x00007FFCDE394000-memory.dmp	upx
behavioral1/memory/2068-101-0x00007FFCDD290000-0x00007FFCDDA31000-memory.dmp	upx
behavioral1/memory/2068-103-0x00007FFCF2640000-0x00007FFCF2679000-memory.dmp	upx
behavioral1/memory/2068-107-0x00007FFCEFC60000-0x00007FFCEFC93000-memory.dmp	upx
behavioral1/memory/2068-109-0x00007FFCEF9E0000-0x00007FFCEFAAD000-memory.dmp	upx
behavioral1/memory/2068-111-0x00007FFCF2760000-0x00007FFCF2776000-memory.dmp	upx
behavioral1/memory/2068-108-0x00007FFCDCD60000-0x00007FFCDD289000-memory.dmp	upx
behavioral1/files/0x000100000002ab06-113.dat	upx
behavioral1/memory/2068-120-0x00007FFCF4BD0000-0x00007FFCF4BDF000-memory.dmp	upx
behavioral1/memory/2068-124-0x00007FFCEFBF0000-0x00007FFCEFC12000-memory.dmp	upx
behavioral1/memory/2068-123-0x00007FFCEF8C0000-0x00007FFCEF9DB000-memory.dmp	upx
behavioral1/files/0x000100000002ab0e-122.dat	upx
behavioral1/memory/2068-121-0x00007FFCEFC20000-0x00007FFCEFC34000-memory.dmp	upx
behavioral1/memory/2068-116-0x00007FFCEFC40000-0x00007FFCEFC54000-memory.dmp	upx
behavioral1/memory/2068-115-0x00007FFCEFD30000-0x00007FFCEFD42000-memory.dmp	upx
behavioral1/files/0x000100000002aae6-126.dat	upx
behavioral1/files/0x000100000002aae8-129.dat	upx
behavioral1/memory/2068-128-0x00007FFCEF850000-0x00007FFCEF867000-memory.dmp	upx
behavioral1/files/0x000100000002aae9-137.dat	upx
behavioral1/memory/2068-135-0x00007FFCEF7E0000-0x00007FFCEF82C000-memory.dmp	upx
behavioral1/memory/2068-141-0x00007FFCEF7C0000-0x00007FFCEF7D1000-memory.dmp	upx
behavioral1/memory/2068-140-0x00007FFCEF1F0000-0x00007FFCEF20E000-memory.dmp	upx
behavioral1/memory/2068-139-0x00007FFCDD290000-0x00007FFCDDA31000-memory.dmp	upx
behavioral1/memory/2068-134-0x00007FFCEF830000-0x00007FFCEF849000-memory.dmp	upx
behavioral1/memory/2068-133-0x00007FFCF2780000-0x00007FFCF28FF000-memory.dmp	upx
behavioral1/files/0x000100000002aae7-132.dat	upx
behavioral1/memory/2068-130-0x00007FFCF2900000-0x00007FFCF2924000-memory.dmp	upx
behavioral1/memory/2068-190-0x00007FFCEFC60000-0x00007FFCEFC93000-memory.dmp	upx
behavioral1/memory/2068-193-0x00007FFCF3B30000-0x00007FFCF3B3D000-memory.dmp	upx
behavioral1/memory/2068-192-0x00007FFCEF9E0000-0x00007FFCEFAAD000-memory.dmp	upx
behavioral1/memory/2068-191-0x00007FFCDCD60000-0x00007FFCDD289000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
10	discord.com
13	discord.com
14	discord.com
30	discord.com
31	discord.com
9	discord.com
11	discord.com
12	discord.com
2	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
4008	cmd.exe
960	ARP.EXE

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
2520	tasklist.exe
3148	tasklist.exe
900	tasklist.exe
1448	tasklist.exe
2920	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3516	cmd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3604	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4804	cmd.exe
3744	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
32	NETSTAT.EXE

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
5056	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2408	WMIC.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4492	ipconfig.exe
32	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
684	systeminfo.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3007475212-2160282277-2943627620-1000\{C6C70348-832B-4662-BCBA-6FC9F9ADFE20}	chrome.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4532	powershell.exe
4532	powershell.exe
2288	chrome.exe
2288	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 12 IoCs

pid	Process
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2408	WMIC.exe
Token: SeSecurityPrivilege	2408	WMIC.exe
Token: SeTakeOwnershipPrivilege	2408	WMIC.exe
Token: SeLoadDriverPrivilege	2408	WMIC.exe
Token: SeSystemProfilePrivilege	2408	WMIC.exe
Token: SeSystemtimePrivilege	2408	WMIC.exe
Token: SeProfSingleProcessPrivilege	2408	WMIC.exe
Token: SeIncBasePriorityPrivilege	2408	WMIC.exe
Token: SeCreatePagefilePrivilege	2408	WMIC.exe
Token: SeBackupPrivilege	2408	WMIC.exe
Token: SeRestorePrivilege	2408	WMIC.exe
Token: SeShutdownPrivilege	2408	WMIC.exe
Token: SeDebugPrivilege	2408	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2408	WMIC.exe
Token: SeRemoteShutdownPrivilege	2408	WMIC.exe
Token: SeUndockPrivilege	2408	WMIC.exe
Token: SeManageVolumePrivilege	2408	WMIC.exe
Token: 33	2408	WMIC.exe
Token: 34	2408	WMIC.exe
Token: 35	2408	WMIC.exe
Token: 36	2408	WMIC.exe
Token: SeIncreaseQuotaPrivilege	412	WMIC.exe
Token: SeSecurityPrivilege	412	WMIC.exe
Token: SeTakeOwnershipPrivilege	412	WMIC.exe
Token: SeLoadDriverPrivilege	412	WMIC.exe
Token: SeSystemProfilePrivilege	412	WMIC.exe
Token: SeSystemtimePrivilege	412	WMIC.exe
Token: SeProfSingleProcessPrivilege	412	WMIC.exe
Token: SeIncBasePriorityPrivilege	412	WMIC.exe
Token: SeCreatePagefilePrivilege	412	WMIC.exe
Token: SeBackupPrivilege	412	WMIC.exe
Token: SeRestorePrivilege	412	WMIC.exe
Token: SeShutdownPrivilege	412	WMIC.exe
Token: SeDebugPrivilege	412	WMIC.exe
Token: SeSystemEnvironmentPrivilege	412	WMIC.exe
Token: SeRemoteShutdownPrivilege	412	WMIC.exe
Token: SeUndockPrivilege	412	WMIC.exe
Token: SeManageVolumePrivilege	412	WMIC.exe
Token: 33	412	WMIC.exe
Token: 34	412	WMIC.exe
Token: 35	412	WMIC.exe
Token: 36	412	WMIC.exe
Token: SeDebugPrivilege	2520	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2408	WMIC.exe
Token: SeSecurityPrivilege	2408	WMIC.exe
Token: SeTakeOwnershipPrivilege	2408	WMIC.exe
Token: SeLoadDriverPrivilege	2408	WMIC.exe
Token: SeSystemProfilePrivilege	2408	WMIC.exe
Token: SeSystemtimePrivilege	2408	WMIC.exe
Token: SeProfSingleProcessPrivilege	2408	WMIC.exe
Token: SeIncBasePriorityPrivilege	2408	WMIC.exe
Token: SeCreatePagefilePrivilege	2408	WMIC.exe
Token: SeBackupPrivilege	2408	WMIC.exe
Token: SeRestorePrivilege	2408	WMIC.exe
Token: SeShutdownPrivilege	2408	WMIC.exe
Token: SeDebugPrivilege	2408	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2408	WMIC.exe
Token: SeRemoteShutdownPrivilege	2408	WMIC.exe
Token: SeUndockPrivilege	2408	WMIC.exe
Token: SeManageVolumePrivilege	2408	WMIC.exe
Token: 33	2408	WMIC.exe
Token: 34	2408	WMIC.exe
Token: 35	2408	WMIC.exe
Token: 36	2408	WMIC.exe

Suspicious use of FindShellTrayWindow 53 IoCs

pid	Process
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
2288	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe
4572	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4372 wrote to memory of 2068	4372	auxia_updater.exe	81
PID 4372 wrote to memory of 2068	4372	auxia_updater.exe	81
PID 2068 wrote to memory of 428	2068	auxia_updater.exe	83
PID 2068 wrote to memory of 428	2068	auxia_updater.exe	83
PID 2068 wrote to memory of 1008	2068	auxia_updater.exe	84
PID 2068 wrote to memory of 1008	2068	auxia_updater.exe	84
PID 2068 wrote to memory of 1280	2068	auxia_updater.exe	86
PID 2068 wrote to memory of 1280	2068	auxia_updater.exe	86
PID 2068 wrote to memory of 2416	2068	auxia_updater.exe	87
PID 2068 wrote to memory of 2416	2068	auxia_updater.exe	87
PID 428 wrote to memory of 2408	428	cmd.exe	91
PID 428 wrote to memory of 2408	428	cmd.exe	91
PID 1008 wrote to memory of 412	1008	cmd.exe	92
PID 1008 wrote to memory of 412	1008	cmd.exe	92
PID 2416 wrote to memory of 2520	2416	cmd.exe	93
PID 2416 wrote to memory of 2520	2416	cmd.exe	93
PID 2068 wrote to memory of 780	2068	auxia_updater.exe	94
PID 2068 wrote to memory of 780	2068	auxia_updater.exe	94
PID 780 wrote to memory of 2212	780	cmd.exe	96
PID 780 wrote to memory of 2212	780	cmd.exe	96
PID 2068 wrote to memory of 3388	2068	auxia_updater.exe	97
PID 2068 wrote to memory of 3388	2068	auxia_updater.exe	97
PID 2068 wrote to memory of 3124	2068	auxia_updater.exe	98
PID 2068 wrote to memory of 3124	2068	auxia_updater.exe	98
PID 3388 wrote to memory of 808	3388	cmd.exe	101
PID 3388 wrote to memory of 808	3388	cmd.exe	101
PID 3124 wrote to memory of 3148	3124	cmd.exe	102
PID 3124 wrote to memory of 3148	3124	cmd.exe	102
PID 2068 wrote to memory of 3516	2068	auxia_updater.exe	104
PID 2068 wrote to memory of 3516	2068	auxia_updater.exe	104
PID 3516 wrote to memory of 2060	3516	cmd.exe	106
PID 3516 wrote to memory of 2060	3516	cmd.exe	106
PID 2068 wrote to memory of 4076	2068	auxia_updater.exe	107
PID 2068 wrote to memory of 4076	2068	auxia_updater.exe	107
PID 4076 wrote to memory of 900	4076	cmd.exe	109
PID 4076 wrote to memory of 900	4076	cmd.exe	109
PID 2068 wrote to memory of 2664	2068	auxia_updater.exe	110
PID 2068 wrote to memory of 2664	2068	auxia_updater.exe	110
PID 2068 wrote to memory of 3580	2068	auxia_updater.exe	111
PID 2068 wrote to memory of 3580	2068	auxia_updater.exe	111
PID 2068 wrote to memory of 3908	2068	auxia_updater.exe	112
PID 2068 wrote to memory of 3908	2068	auxia_updater.exe	112
PID 2068 wrote to memory of 4128	2068	auxia_updater.exe	113
PID 2068 wrote to memory of 4128	2068	auxia_updater.exe	113
PID 4128 wrote to memory of 4532	4128	cmd.exe	118
PID 4128 wrote to memory of 4532	4128	cmd.exe	118
PID 2664 wrote to memory of 1916	2664	cmd.exe	119
PID 2664 wrote to memory of 1916	2664	cmd.exe	119
PID 3580 wrote to memory of 1416	3580	cmd.exe	120
PID 3580 wrote to memory of 1416	3580	cmd.exe	120
PID 3908 wrote to memory of 1448	3908	cmd.exe	121
PID 3908 wrote to memory of 1448	3908	cmd.exe	121
PID 1416 wrote to memory of 3572	1416	cmd.exe	122
PID 1416 wrote to memory of 3572	1416	cmd.exe	122
PID 1916 wrote to memory of 1044	1916	cmd.exe	123
PID 1916 wrote to memory of 1044	1916	cmd.exe	123
PID 2068 wrote to memory of 4804	2068	auxia_updater.exe	124
PID 2068 wrote to memory of 4804	2068	auxia_updater.exe	124
PID 2068 wrote to memory of 4008	2068	auxia_updater.exe	126
PID 2068 wrote to memory of 4008	2068	auxia_updater.exe	126
PID 4804 wrote to memory of 3744	4804	cmd.exe	128
PID 4804 wrote to memory of 3744	4804	cmd.exe	128
PID 4008 wrote to memory of 684	4008	cmd.exe	129
PID 4008 wrote to memory of 684	4008	cmd.exe	129

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2060	attrib.exe

C:\Users\Admin\AppData\Local\Temp\auxia_updater.exe
"C:\Users\Admin\AppData\Local\Temp\auxia_updater.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4372
- C:\Users\Admin\AppData\Local\Temp\auxia_updater.exe
  "C:\Users\Admin\AppData\Local\Temp\auxia_updater.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:428
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:2408
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1008
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:1280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:780
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      PID:2212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3388
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3124
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:3148
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:3516
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Views/modifies file attributes
      PID:2060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4076
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:900
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2664
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1916
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:1044
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3580
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1416
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:3572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3908
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:4128
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:4532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:4804
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    - Suspicious use of WriteProcessMemory
    PID:4008
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:684
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:2336
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      PID:5056
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:2828
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:3324
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:2980
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:2864
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:3928
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:2188
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:5060
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:428
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:1356
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:4336
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:2480
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:240
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:2104
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:2920
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:4492
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:1148
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:960
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:32
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:3604
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1392
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:760
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2060
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1188

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcefa8cc40,0x7ffcefa8cc4c,0x7ffcefa8cc58
  2⤵
  PID:2084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1768,i,9860903190850235787,10802269130386277086,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1764 /prefetch:2
  2⤵
  PID:4664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1380,i,9860903190850235787,10802269130386277086,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2116 /prefetch:3
  2⤵
  PID:936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2188,i,9860903190850235787,10802269130386277086,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2204 /prefetch:8
  2⤵
  PID:2336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,9860903190850235787,10802269130386277086,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3168,i,9860903190850235787,10802269130386277086,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:952
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4488,i,9860903190850235787,10802269130386277086,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4480 /prefetch:1
  2⤵
  PID:988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4252,i,9860903190850235787,10802269130386277086,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4300 /prefetch:1
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4816,i,9860903190850235787,10802269130386277086,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4824 /prefetch:8
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4852,i,9860903190850235787,10802269130386277086,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4820 /prefetch:8
  2⤵
  PID:3364

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3828

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcefa8cc40,0x7ffcefa8cc4c,0x7ffcefa8cc58
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1964,i,9839222370939753542,4033651302829309903,262144 --variations-seed-version=20240802-130108.496000 --mojo-platform-channel-handle=1960 /prefetch:2
  2⤵
  PID:1604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1788,i,9839222370939753542,4033651302829309903,262144 --variations-seed-version=20240802-130108.496000 --mojo-platform-channel-handle=2088 /prefetch:3
  2⤵
  PID:464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,9839222370939753542,4033651302829309903,262144 --variations-seed-version=20240802-130108.496000 --mojo-platform-channel-handle=2240 /prefetch:8
  2⤵
  PID:3652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,9839222370939753542,4033651302829309903,262144 --variations-seed-version=20240802-130108.496000 --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:4740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3208,i,9839222370939753542,4033651302829309903,262144 --variations-seed-version=20240802-130108.496000 --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:1400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4448,i,9839222370939753542,4033651302829309903,262144 --variations-seed-version=20240802-130108.496000 --mojo-platform-channel-handle=3588 /prefetch:1
  2⤵
  PID:968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4596,i,9839222370939753542,4033651302829309903,262144 --variations-seed-version=20240802-130108.496000 --mojo-platform-channel-handle=4776 /prefetch:8
  2⤵
  PID:1256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4804,i,9839222370939753542,4033651302829309903,262144 --variations-seed-version=20240802-130108.496000 --mojo-platform-channel-handle=4800 /prefetch:8
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5012,i,9839222370939753542,4033651302829309903,262144 --variations-seed-version=20240802-130108.496000 --mojo-platform-channel-handle=4796 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5020,i,9839222370939753542,4033651302829309903,262144 --variations-seed-version=20240802-130108.496000 --mojo-platform-channel-handle=3480 /prefetch:8
  2⤵
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4640,i,9839222370939753542,4033651302829309903,262144 --variations-seed-version=20240802-130108.496000 --mojo-platform-channel-handle=3352 /prefetch:8
  2⤵
  - Modifies registry class
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5100,i,9839222370939753542,4033651302829309903,262144 --variations-seed-version=20240802-130108.496000 --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5204,i,9839222370939753542,4033651302829309903,262144 --variations-seed-version=20240802-130108.496000 --mojo-platform-channel-handle=212 /prefetch:8
  2⤵
  PID:3176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5028,i,9839222370939753542,4033651302829309903,262144 --variations-seed-version=20240802-130108.496000 --mojo-platform-channel-handle=3748 /prefetch:8
  2⤵
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4904,i,9839222370939753542,4033651302829309903,262144 --variations-seed-version=20240802-130108.496000 --mojo-platform-channel-handle=5400 /prefetch:1
  2⤵
  PID:5104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5236,i,9839222370939753542,4033651302829309903,262144 --variations-seed-version=20240802-130108.496000 --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=5284,i,9839222370939753542,4033651302829309903,262144 --variations-seed-version=20240802-130108.496000 --mojo-platform-channel-handle=4908 /prefetch:1
  2⤵
  PID:4860

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1472

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E4 0x00000000000004D0
1⤵
PID:2768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\3f4f3e00-9ad5-4817-b66d-521422d8738a.tmp

Filesize
197KB

MD5
999075f6de9071425bf43747ae298620

SHA1
dfb56e7e4f6a8a91f1f123b7eafb16e5e64f1060

SHA256
c2cef62b894ddaf78d08e5032c4b7a413466335cf70ee37f512b6d84e8a062dd

SHA512
381f9d9d46153b3fde019353d27208d4098dc8c0b4f10beac525a09c6c31b6c66505b9168c55329dae6691da2a9727ffcce15182743ad2698ffd1e1555010b6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

Filesize
40B

MD5
7bcf62155ff790174eb7d0bd933c377a

SHA1
f08f3142332cccbb197645a06a2be53556583b45

SHA256
3e4edede42ac4bbac1276ba6d12ce318ce1c583e6de3f30049f1110fa1d98779

SHA512
5205f8b027d8ab8bbfcf3d0c6b162c5c52d8e073d27e2a0765c82d31f849d43c5bffb00a5631eca30d63e92f481b8dfc18699151fd9977dcaf85b542143069c7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
39e37a13168d89685e3f31f3328161e7

SHA1
c6cbffdd51a0caa8de6beb6171c46b00b1aaf024

SHA256
3f43291507ba87f0265ae7ce66e3b718111fe1ac6acacb070e08a6b4fc00b86c

SHA512
1bae0ff91e0cbd21f2f4ca2f6f7d3eeb4d02b19b4f3e5889a79051c5c7f5f84b7a4c2cd59e0812b7d49ba611c2f0fdc6a0bf4ab1d009339c9b231e060db62729

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
41a343b52bffb04844bc11da92aea700

SHA1
675883fdddb1b9578c50ef1974a8d70544995732

SHA256
efb3dc0a9eff33f1cf496b14850fd4002d506db44fcc35fea241a55cd886e985

SHA512
2d6c922e0eadb9bab6e70d1a9d00cfa7d52652823686a38dfb78dbab8a908b52965163562f8973747dd94831695e5c2f9004b48bc5da4beca9535c3816ba8548

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
35e27295f8e823e4a54fa6fe7a6e2f57

SHA1
50152d74b825b8f5a68406a0990e9c6fb5d931a3

SHA256
26748884b3e93ffc2b4585747990dcb3da60756aea6a163806c6feed9e5f8301

SHA512
df1191de1b4d94073cc7ebbcc99de863a018273e2b7c63374dcee2916be5755e11a4e8d2d8c501917016f875c20d2527f2eb11b07ab6b5d35affc9424197abd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
64b491872ec4a31c5bf2af78b60c9c50

SHA1
8b158f6f967f569442db87c4bef252758c152c8c

SHA256
02c4f1673fd46b83c4c6e9fee27476b4450303b7dc9f5eb0a919dccfdc3939ca

SHA512
107a087b7a061eef87e8c2cd308995270ec70f6c95188b5ebc608e8bf381df73f1eefb8e7754d3771dae5d56a45e957148a444577108c7b6043bc6dd0e85bd57

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
688B

MD5
308d460b3e299234189e7b0e99d44061

SHA1
7ba2f0f861d916c5af880ee95eb8d78cc9d22c48

SHA256
c2050150891648b586cb578a800505ecfa15abb0ddbb64f234d0bebf3e12ad0b

SHA512
ccdf906a0663a87d86c4e3b0b7044f9958b9c7bfccba81c8913c6798d47c3fb44483b4e06946c0b0f1d32c559f4f3de99e1559617197fbce38f26946f4311516

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
55cab3e231b4e598f0b2c6927f0d5482

SHA1
211fe82c6f584b447bb7a44bc9758dbead45b641

SHA256
2dac8917cb8faea2336b5c4e47a19fee6ecda8cf65564c0bb7b7f45623f39bda

SHA512
bc566960627dadeb5041fa8bd5f754dfbe621b3b400e898e058567d282951c821c507618f2bb009b225223e337feeb23fd74ab50324d9d1bfd949dc686b0a63b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
991934fda0b7922a2022527d652fb84a

SHA1
f56228e66698b1942b4ca07104a32fe7620fe917

SHA256
a1caaa57ea5300153dbabe816ed2d92e98c29420e2d21ef5ec415e2bf7a51ba2

SHA512
ee645146befd2de6a68a26a4115335876b5aefb302168a00caf145e1f2e83eee95bc3814be84fb61d7a315e492a2b7e791c023c2ef431abf841386d30e3444e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f8575ca9f91618d966caee0c3ea30e7f

SHA1
9af679f38bedee91e5903b1f901786fdaa343c3d

SHA256
e4964044f66b403f4117cfafb5a2e00298f1ca91c253728b550730afb87a2f84

SHA512
fc99c927b247b227ead1ba268cf924a6461750f26e286042119bbe5c9bf43d9e51932371c3ad4deeb366171efb758f653563cf445edaa56a9f0011e863ef7f09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
123e215e9231e77ef5ce6f33b205ab3c

SHA1
5f4f8e06dde828381933439b328c44077a1b1fd0

SHA256
d5038324475a2b1d45e3446fc9df279d9dd305794b93fe7d91c7f084931c2e78

SHA512
0f340cb0f27405f524a143786bd87079fb0a1f078f74787a87dc7ae7a85dad09cda38b680bea899bc0362f0e8b427173e92363c1cec42aa6fa46b0cfdcc4d0ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
a5c56cf7a32bc1bcc9a7b7807d115bc6

SHA1
c9f9bee7572e252d1870984ae7c85460dc0426c5

SHA256
aa954f129306db17cbf45bdf3a0b5b4fb83e8520a8ec1a46749436543ec92614

SHA512
4dcd078b2f1597b0553610fe267d0f1315392e8d7e179bc2ac406a4aad213d9eaf4f64fdc02baf58115f056eb2238d9ad1e7d53278c43ca21abab0662d35f41d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a7666a5be524315f2509b79cd9d8604e

SHA1
2bd299e0ba79fab41c832df53b582729163c2116

SHA256
509c892523eaa63f80f8fb2b10b2413de4ceadcde6a9194411b6892ee8c52364

SHA512
14deaacbc4856b513d1a6546165b563c03f4e482948164339fb2ff34ce58340890621cd6383923f9cf85554d423fe548bbf46a3cebec3fe3ea3303b23063cdc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d54143f41e1fc83f47964bb6055b39af

SHA1
7c7390c84f5fb7fa3572f0a8d5d6bca5158840da

SHA256
36fc519ef7c01d5b1b463a95551e1066b3eff59cadfbffe18355407abac51552

SHA512
3550397092ff9d9d3df002cce3e4177728b2c3aef00cc0111f3d2e51bee60c4ddab87e23da3c5eb0f0853b2c0007419f3440a464d0e29130f4eef0573c584028

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
4212ced167ee9fcfe84872feee9984d4

SHA1
106174650329034945bfecb3e9808709bc374063

SHA256
dc685acdaf75058928c41e02be57a047f9a6252405a563d33f6416d85b566fe8

SHA512
26aaece3e23970552f3b2150f4dfd1acd2e3cd79eb812f5d488fa40cbd7c873f2d82c927f375907d4c9addaf17bd4641e2420c022a62d773b07464001dccd5f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
8432bc0535994d6c79dcb7dbdf78aa30

SHA1
0a40a3b0dfc481d49f1f377f432592eaafe627b6

SHA256
016c017be27758ab34242772cb4bddb38a664d8b6c00db598128bf02234c41a1

SHA512
3914edae7fc6a2ee6efaac02ab04ba584cad395f8e66f27925e207069a3f97d15931b8bf6b08293739dea7cb9ba0192d5903bf45d75df28d323c27c1f2c276ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a50fd1ebed2a7b557858271233dca946

SHA1
17f9651c6e513f9ad043c6b6981ec450cfaae761

SHA256
5d7e29b4df0d17e8d343c3626f1a8ee2704b189c8a6451bb884aff669271f715

SHA512
32ad5389355e689967b83f9df10af9ce301c5e054085f04e3ac1313fdbd93c3885264d63876bc6198ecf8712d7e4f5a18033cd267e8a3be5f04f27f178c2e99c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
48ec313fa12a9074b6b32783263faf08

SHA1
bb4c5de06abdcf2f2a70c2666205d4f51548406d

SHA256
65cb7df0b0af1dc7a07b56f6bc896912d7b6f79995b43f5881deed5b1bd0a42e

SHA512
d8c2a5b3be188e2dd65134115942329c0b99de11d382b0b50bd9878beda4fc39458f745ebc298dc69b86ca6c8073241e2109a1ea68d8f09896d90005d2f25c59

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
48892af7fe8135593f68d15f551e4486

SHA1
9dfb9c297cb28d0939be9cf7e83b8a0f86a617da

SHA256
06714a0e9ced1df65657d8871dbd1d16a82bb1188f5d2147282a868738cad557

SHA512
0d3a9a5748f118d6a051ef8121af7940502e6debb7d064e576581541245164b896c11ab8f0d2f7f1e8596fc76eb218bd9b8e20b2cea02c030d0258522d4a32e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
102KB

MD5
f0f3ed5720e148890f225974a3ed1da1

SHA1
df6c3cc3bdfd4e2ca31cd65deec215ef918eb33b

SHA256
05b5da43c76666878a4a143caf0620808ff9028bfa5400e50e79363793b80eb6

SHA512
78af1b401717f022e84828b98c03841a00a5961a63c6ab3f354b61b33db6f5e5d8a93ca8c6f505cd7865939bfe968d6c39d034cd82aa1016fae3f9d676d201e7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
d495d7a568f37f020a0f5e9716b20376

SHA1
f839c33d2233f285e8041ddb7f05b61d8050b86c

SHA256
b2d30da360370fa7dee05f11b5b6b356b33634f849d6db9f9abfc8731236e01d

SHA512
fb53a5ceb8232234e7f6e80da0158bfc30b75209a43179a7bb67a09cbf2385f1147b5f806054a2f2e976273eafea49315a049803e64460ce6a7ff31ed440f09c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
196KB

MD5
5d20648ec59fa1f7b0fbb18280072cf9

SHA1
f063f4496e2cddc6b782104e6ab06b0002006c02

SHA256
cfee6f5bfb5e777ae29a1e5a06bc8eef41d2640d39375a95274a65ae25fd5f4d

SHA512
18f1ed34276311f6727cf7f58e9e9dd393fa265f6d3b7d032f68c75d230de0cee489ebf092ba35650b88a973f41190e01ecb045abe0bf69909138d1919604ee1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
101KB

MD5
a0f315c84e385b8c4e2c5d04682fee43

SHA1
cab279523abc920384294d51c44d10ab2161a904

SHA256
b1cb72139f5441e0ef651e353baef29f2fe1bff48f2bccfc59ba0ce8b311285e

SHA512
fb21f0c0cc8086280586b53e03ba4413c2ec000c2f0499dfbb6587b9ffc8169d17b16ec9f5a2eb09fd39ffd2b4129bbc51da08bcd990064cc316d0830a60df26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
129KB

MD5
6958a9b0d3cd2b1560ed74b661300fba

SHA1
4c6f821546b6c2e5b9a2bd0ec35549108f1bf153

SHA256
9b9c84d0a916ca9076a48bc85c59c0eb55b3437a2187122d6688c44eb781ce96

SHA512
c5286c5a57a9e43ecc2d81f6ec9ae5df763964ff59719ae76d3cd4b7422faa9226803dfc3cd2fe58e429aca7c17cf7c8d68bc2bb8cf812f83f609566c52d1ab0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43722\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43722\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43722\_asyncio.pyd

Filesize
37KB

MD5
77cd03f9c42d36424aacb8d57ca1ff6f

SHA1
20d8cb82b27254833d0e37bd9c29b89aee048e8c

SHA256
7d4b54b19c6b583f41c54ab21ae1d24f53494ddf7bc8874af762465ac9194833

SHA512
b23dab0d579ef423b7bfeef5e70756f6ba75e9aa3859e7149dd2a8b96e3a17fc03bd2c465b2633bc26220e213b82018a82edf6dbc473f768bad9f2623b1af42f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43722\_bz2.pyd

Filesize
48KB

MD5
025986d082270f879149a4b2fd495f44

SHA1
fe581b23d6ebc8d9ce7984a490ab23e00a6e2a4e

SHA256
7f0eec26cb5f3bcd11d2e2986a99e73b3c5c023a321c905bc3ea264186f398b0

SHA512
3b13a173d17b476638cc59da087fe45a5599754ded3d3978d83176135a4f392892e7db8f59529d5a0ce03bdfc1c199b810763664a65573908971aa3503c7ec08

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43722\_cffi_backend.cp312-win_amd64.pyd

Filesize
71KB

MD5
1c0cc15036c54930c1e61306a8be4658

SHA1
7d88a5a72198e2785c5514200ab8f85b50946fb9

SHA256
1666002cf4ff50cf337159e187ecf990d2ec23d5324736e66cf68df4c80cc12c

SHA512
bb235e55a69bbdc27102d7afea9089480a5de35f064e63bb3265b060906268f8065472c8d87da588a6ea6ce6a39f2079e218f3cd762692713a93ec5cef4473dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43722\_ctypes.pyd

Filesize
59KB

MD5
d12406ab3df4ba0e2973322d641a7157

SHA1
fc3cd3f531d3e05f1d544835aec88106711440c5

SHA256
5f94af75d6f5f7745d214dd423895bfbe31c92eb1cf3fc692051b1c11ad12f15

SHA512
d5a91762b322bae9e34ad23e8790954686bcc712beebedd04faaa675b25a6de66c11667af3f0dd46e56bf383e593d8403e5da07a52eba1cd17fc9940e4ad389f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43722\_decimal.pyd

Filesize
107KB

MD5
9690c76ddada8d9aa0b6e64bc8e0035f

SHA1
9ca380a8c462116af12949d17eae360e4e52a13c

SHA256
ee01c55bbe667298eca712137e7516cfe677eca8197f39d6177b3cd0453b16fc

SHA512
4a34b2dbfabbcedd303a1be8b7a23029a874ab790f15d33df6e90eeafc6f76d02e16ebd4006d505ac666ad741f414aa5b21da7a0e8858a890b69d8e2b79f1937

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43722\_hashlib.pyd

Filesize
35KB

MD5
0d036361cd8effaf4f13fa200e9b2b90

SHA1
62e543e2a5f1d36c938e638408e22c5f5246d0f2

SHA256
e210d4f37950c20a3354e99b1f422a4aa0235b74afa8ebed41c27eca45570f1d

SHA512
d837642c980c12f33c9949e20840a8bf069297e4511e68b65a1b015ae709cb39c3bd5a0ea0bd7406b62f4c98b728ea22cfbdb8362a4c36d5e4eb9d7c7b59f125

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43722\_lzma.pyd

Filesize
86KB

MD5
2a8f3db31ce15d68b66004c30d284520

SHA1
a680e79662d420ede7554d53d793517b1857abe4

SHA256
e7f754a8675839869e16358b7375d15ca1b7b9350c2a23ea5f2ae6552fe7ceb7

SHA512
dd3c8fd4d1f42cdf515bd3217bee00803d29532ef58abb2a0718398d1276233b024bf1bbd3372ee83d5c145e5c6f658a4f9e1dfd43bb9df890dee76cae04b728

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43722\_multiprocessing.pyd

Filesize
27KB

MD5
30fb92567574752a90e3812967739f72

SHA1
3920d58f27ab30a651e7d87aa6d1b9177840fa8b

SHA256
3c5bd69e69f46ba12a3e4e47c1521be12b3939b8ec1cbc16494b3307bb3b5825

SHA512
68c8a045f8c989f1788286d776da139bc143cef94183d99a4718a3af9633846a766ed51bde03317cb34a5e1b7ee1ca52ad4d0e36a18ceca5df67fb78a5be79aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43722\_overlapped.pyd

Filesize
33KB

MD5
80c58dcfd420ee2af4ea8b8003e2adb3

SHA1
18e17eb3dfc09a2878bf7d6d67f5b65788d0a7d9

SHA256
2c2858e7b68df7f30c4131caec8cba0972c085c80b6989ae9c6bd4b40e9450db

SHA512
b5b54061fbea16820784462cc30d769f3ce7f13158a204b36fd766e148ef359997149cddf7c1ad7c7d0a76d5fcfe12c976938f364612fb7bdc767b9fc99cd446

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43722\_queue.pyd

Filesize
26KB

MD5
004e83d3199d5fd8c9f041d6e0bd184b

SHA1
b460cf029a62dfb4d1915071e9721fec0daca5fa

SHA256
13d4646dd80158fec7ef4af593b9a476566a430656e87159887734ca84108c92

SHA512
36a1abe13f276cd3b9261e3addb7327b0a85f01f49a84988a6adee1fc026c759f9b9793983ce743dbb114f5cc0ea88a399b20e95c76379fc2b8e55273bc4dceb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43722\_socket.pyd

Filesize
44KB

MD5
67c4a06a4e310e8f8c73b1f95830a90a

SHA1
a71b54cf64bb179f0fb850b5713845a4a5af85b0

SHA256
8c6719d0b3b0ef68dc739735befab0b424abdc8528196abb33925138eb390c26

SHA512
844a3682f29e84859ff19e8d3480c09aa083bcb1cae7c77d967e3f174d8f605a4d36a834f43c39045741388049868df6cd93cd3951b2a2e8e9d7e018c9bd1ea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43722\_sqlite3.pyd

Filesize
57KB

MD5
3f25a0e3e1c284a220da018d3e3b568c

SHA1
26a4526b4f3a07f011a1ce03fb7576774c187511

SHA256
a43b07b1baa88246e59ca356a3f7494a95049203d86d824a508328db236fa869

SHA512
42f8a31da2a71edd4ac7b711fa68b400e2adb91ca453ad4a64caa7c7643bb139cafccb71257955d50ea4bafdaa6be55317bcc8d0c77f43ab24c476d621a8873d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43722\_ssl.pyd

Filesize
66KB

MD5
3f2bee38c866188984999b7406b06b42

SHA1
2e471894996772305f5a70f4d2568690f1ccc4f0

SHA256
d884f02f7c72dc462490c90dfd851d52dcbc0c21f1f3e42101dbe77793bd4464

SHA512
7afde89ade235156d682b49755edf4905ce2238165424e89e53d47cac36421d05bf7c4eab0cbad766f9d7e00f7952204bbd787e33ddfc500bd3d5d4c4225b90a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43722\_uuid.pyd

Filesize
25KB

MD5
50521b577719195d7618a23b3103d8aa

SHA1
7020d2e107000eaf0eddde74bc3809df2c638e22

SHA256
acbf831004fb8b8d5340fe5debd9814c49bd282dd765c78faeb6bb5116288c78

SHA512
4ee950da8bbbd36932b488ec62fa046ac8fc35783a146edadbe063b8419a63d4dfb5bbd8c45e9e008fe708e6fc4a1fee1202fce92ffc95320547ba714fed95e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43722\_wmi.pyd

Filesize
28KB

MD5
b74bfad5ef1024522290da3463e6ccc3

SHA1
28312bf92fcd39d013313714249bf1c2b988db55

SHA256
dcb1087b3c9fab43e9b577beae93f698c5d05650478f0825650bc9ea2b9f18bf

SHA512
38c09e2daf0c40e5df8b0ea55146272131d54e7c3a9b440229017934baf4ad554bd70812b26f82150ef144a36b1e7f53c5839b51dad24766228f533b3b29b0bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43722\aiohttp\_helpers.cp312-win_amd64.pyd

Filesize
26KB

MD5
c410bbefad892761e0740ecd8f4d5e6f

SHA1
7c9cd82661bca55ff73f69605014b6a44f446474

SHA256
c5b4fed2e40f482525e2b2594636cb0ef4e8b3bd96ebf5e09a6faf7c211ee048

SHA512
7e7a416c71afa8a6482e643ef5a90c7642c41fe6cdb308df0079dfeb3dd64d823f895dc3a96f9417c4d45986b89bff44456dd06fdc24f997ebdd1a874bdc7179

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43722\aiohttp\_http_parser.cp312-win_amd64.pyd

Filesize
79KB

MD5
3048b7205298dfde89a3ad146c35bd4a

SHA1
2101cbc798621ad2d8eef5753a5908f9e8c938ea

SHA256
be7404c647081b0590ae87d104c03f28f88dd826306cd262b84b2629069dd803

SHA512
d915eb2da669fdf04c0529c386f2dd823a7bea2e62225bcdbf382652a74b7dec166a7436e5497a742de6f42942bb6bc725a0c2107b2f80616bbab12b4bf245cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43722\aiohttp\_http_writer.cp312-win_amd64.pyd

Filesize
25KB

MD5
195c022969f2f44c4fcbd84639c7ed8c

SHA1
45681fbdf37461000ebab627e63a95c1224a1a9c

SHA256
7f60b20705d75ef92022e2cb39bab1888e1b3d2a9cf8e8f38f7f1513daeedf85

SHA512
adca54b638b57269b9aecb59e94d881569829b89323d28e8831be1f09b57261cbf712e99f10b5f7174e47597d8102634080792199d452e5ed1c83a052f228d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43722\aiohttp\_websocket.cp312-win_amd64.pyd

Filesize
20KB

MD5
ea2b5dadf81517f8f82c088a3a6fde04

SHA1
6b9aea196e1c92920e11ba660c2290f98d103ffc

SHA256
e6411e1bf1e90b703593da40b3edb93add2c377d8beab9dd00465aeb9961cac8

SHA512
c113dd47d258205dc538732f3c77d2d564f4cb189a06980957e32b3f00182b68256c86e88a87920febc7981cc699e708f7d7f4ada941520879afcea5df509044

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43722\base_library.zip

Filesize
1.3MB

MD5
43935f81d0c08e8ab1dfe88d65af86d8

SHA1
abb6eae98264ee4209b81996c956a010ecf9159b

SHA256
c611943f0aeb3292d049437cb03500cc2f8d12f23faf55e644bca82f43679bc0

SHA512
06a9dcd310aa538664b08f817ec1c6cfa3f748810d76559c46878ea90796804904d41ac79535c7f63114df34c0e5de6d0452bb30df54b77118d925f21cfa1955

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43722\cryptography\hazmat\bindings\_rust.pyd

Filesize
2.1MB

MD5
073606ea92928af7b2863782c0114949

SHA1
ec7b4dbf415af6a071a6ca3a0d4f4a0cf544515c

SHA256
9be10e3f170875a5b3e403f29d7241bf64957c01bfcae3504f5576578183610a

SHA512
5cd48348b475c9de7c2c8d85f36a1f8cf63ee5ee2bde60e2e5a1026f0e877b4c686ad07ab37c8ae37b46b719233b28aa699ce5a2fedd0247c7607da6e519a11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43722\libcrypto-3.dll

Filesize
1.6MB

MD5
443fd07a22ff1a688a3505d35f3c3dd1

SHA1
ab9f501aa1d3d523b45f8170e53981672cd69131

SHA256
f9c87ec6401039fd03b7c6732c74d1abfdb7c07c8e9803d00effe4c610baa9ee

SHA512
1de390d5d9872c9876662f89c57173391ecd300cabde69c655b2ade7eea56e67376839607cac52572111b88a025797060653dc8bb987c6a165f535b245309844

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43722\libffi-8.dll

Filesize
29KB

MD5
0d1c6b92d091cef3142e32ac4e0cc12e

SHA1
440dad5af38035cb0984a973e1f266deff2bd7fc

SHA256
11ee9c7fb70c3756c0392843245935517171b95cc5ba0d696b2c1742c8d46fb6

SHA512
5d514ecab93941e83c008f0e9749f99e330949580884bf4850b11cac08fe1ac4ac50033e8888045fe4a9d8b4d2e3ea667b39be18f77266d00f8d7d6797260233

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43722\libssl-3.dll

Filesize
222KB

MD5
364a71831c9bd0a09eeeceb6980c58c7

SHA1
9d084ccb83e12ddccd17250a009362d720e6271c

SHA256
3b20fb46f41234f8f7bbe342cfebfbbce5708d963cf5c7792d1237a1bc7b2676

SHA512
5abe19130f9306fd6fc3644412ef6c8c5b7da970cfaed69657a6cb62d431abfbba64fefcbfa82910d17d744e299e3ba5036bd490223b2bf28689cf2e70633dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43722\multidict\_multidict.cp312-win_amd64.pyd

Filesize
20KB

MD5
877e8f7f3c980020b1da6bdbc6f1741c

SHA1
184d162f6eea7cce343fe0c62fda49ca796ceb20

SHA256
65b96acd7b6517c4493491f31083e75d905b48466f021fab098655f0d953497c

SHA512
881332a6cbc7ab030f52bc46a8cf68c0ad922c54c68b3b8e35909f758aed9443cc90b49681f88c6c1f61741eb6507849857405a87dbbd78bb1a453ade3fe1ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43722\pyexpat.pyd

Filesize
88KB

MD5
36419d2b149485c1e70c2e5cd1566025

SHA1
fb5405dab18804d5c5531c76ae64fa11eec0c8e3

SHA256
668d3e0fc405ab296a6ab297fbfd7ebd229f4e6d72541043041b08007612db84

SHA512
77edda9d35b24609c184c0c2ebe21adf09b5d00bd2a5812a39ac67fe806c4d9466b84b314018ed2de354531097087e5a7981472c78003e1316223c027777ad2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43722\python3.DLL

Filesize
66KB

MD5
a07661c5fad97379cf6d00332999d22c

SHA1
dca65816a049b3cce5c4354c3819fef54c6299b0

SHA256
5146005c36455e7ede4b8ecc0dc6f6fa8ea6b4a99fedbabc1994ae27dfab9d1b

SHA512
6ddeb9d89ccb4d2ec5d994d85a55e5e2cc7af745056dae030ab8d72ee7830f672003f4675b6040f123fc64c19e9b48cabd0da78101774dafacf74a88fbd74b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43722\python312.dll

Filesize
1.7MB

MD5
01be3c75babc89c73e1f97286e2d254a

SHA1
bc54e991fbcccbca12159da53757f3e0739074dc

SHA256
ceced46d2deb9e7a1c74819cd5cad12c7bc291c163f292c7581eb35b50e97936

SHA512
6712adeaaecf511186ccc12a3dfce6221c1eeab498222ada5d4626abfe52520d55acd515fbc2c1b2791b8cdb45e585741c6349808a4e83b8aaba24c69a08ce52

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43722\select.pyd

Filesize
25KB

MD5
7ee738ed9d792280020e40110baf1cef

SHA1
dca4b274f8a559ffadb0ad214601a5624f29d90a

SHA256
7a9b8a0caba35a5a3db38891d49e577b8ac5b6f3f89f9bbd75a54278b4ef62dd

SHA512
c1f4266c885566f337a53c312d6e719e9d6afb93e0000a90a3ea01a5010dc7e7946b31a67a8703b1dec31e567e38297a671cdbafee7df9d1e5a123cc63ca72dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43722\sqlite3.dll

Filesize
644KB

MD5
3cedf16a2134aefd06fd2ee9d2d29ce6

SHA1
3c16fc69c4511753cc7c6668ee0b76565f529d11

SHA256
0e63b3a3b80e8e7f88f99125caf8e82e6525786536e9d4d6cbd9c4c6234b34e3

SHA512
4aaf18dbe1d34b69c599c6fe23934744fe9605a131fd3556238f89f21729adbe8039286ff7ce4147a779fee125b192c1e6a3a7618015d4e4185116d4ce486b7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43722\unicodedata.pyd

Filesize
295KB

MD5
1999e387697f1098877992c424f4b9aa

SHA1
235b887496a521fb84b4e0894c2cca9897f1f6f0

SHA256
14dd0ad3c30b1357bfc410157acb2241431503d93d9019086a58f17761a8ffdc

SHA512
701b139b2367abd7d555c653aa9e168ae6c0d4de95aa19eb42d8b40fd3f9593baf597ffd1cff4e309d2c16226c6868d0133f38497ed7c1713734b7cad116b6fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43722\yarl\_quoting_c.cp312-win_amd64.pyd

Filesize
40KB

MD5
4bbcf91653204023164d00202769fc4f

SHA1
ccdaf8e3ee4ae4b6ae0b85193afb5b0fa9e68970

SHA256
213e1ba2baabc331eb61461791c85498cefabc223c872fd57d0b98b43b5afd9f

SHA512
79ad58112c2b7f1200c6fbc8074f8992c094ea785a3ac88cecbafcc245bbe41bfd1acd87fd0b1aca13e2bd644a9be540807ac31152824f86ef0a2d113405a765

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_535tgruj.jpv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2068-191-0x00007FFCDCD60000-0x00007FFCDD289000-memory.dmp

Filesize
5.2MB

Download
memory/2068-306-0x00007FFCDCD60000-0x00007FFCDD289000-memory.dmp

Filesize
5.2MB

Download
memory/2068-134-0x00007FFCEF830000-0x00007FFCEF849000-memory.dmp

Filesize
100KB

Download
memory/2068-130-0x00007FFCF2900000-0x00007FFCF2924000-memory.dmp

Filesize
144KB

Download
memory/2068-190-0x00007FFCEFC60000-0x00007FFCEFC93000-memory.dmp

Filesize
204KB

Download
memory/2068-193-0x00007FFCF3B30000-0x00007FFCF3B3D000-memory.dmp

Filesize
52KB

Download
memory/2068-192-0x00007FFCEF9E0000-0x00007FFCEFAAD000-memory.dmp

Filesize
820KB

Download
memory/2068-139-0x00007FFCDD290000-0x00007FFCDDA31000-memory.dmp

Filesize
7.6MB

Download
memory/2068-51-0x00007FFCDDCD0000-0x00007FFCDE394000-memory.dmp

Filesize
6.8MB

Download
memory/2068-140-0x00007FFCEF1F0000-0x00007FFCEF20E000-memory.dmp

Filesize
120KB

Download
memory/2068-208-0x00007FFCF2760000-0x00007FFCF2776000-memory.dmp

Filesize
88KB

Download
memory/2068-239-0x00007FFCEF830000-0x00007FFCEF849000-memory.dmp

Filesize
100KB

Download
memory/2068-243-0x00007FFCF3B30000-0x00007FFCF3B3D000-memory.dmp

Filesize
52KB

Download
memory/2068-240-0x00007FFCEF7E0000-0x00007FFCEF82C000-memory.dmp

Filesize
304KB

Download
memory/2068-238-0x00007FFCEF850000-0x00007FFCEF867000-memory.dmp

Filesize
92KB

Download
memory/2068-222-0x00007FFCF4BD0000-0x00007FFCF4BDF000-memory.dmp

Filesize
60KB

Download
memory/2068-217-0x00007FFCDDCD0000-0x00007FFCDE394000-memory.dmp

Filesize
6.8MB

Download
memory/2068-237-0x00007FFCEFBF0000-0x00007FFCEFC12000-memory.dmp

Filesize
136KB

Download
memory/2068-226-0x00007FFCF2780000-0x00007FFCF28FF000-memory.dmp

Filesize
1.5MB

Download
memory/2068-218-0x00007FFCF2720000-0x00007FFCF2745000-memory.dmp

Filesize
148KB

Download
memory/2068-245-0x00007FFCEFBF0000-0x00007FFCEFC12000-memory.dmp

Filesize
136KB

Download
memory/2068-260-0x00007FFCEF9E0000-0x00007FFCEFAAD000-memory.dmp

Filesize
820KB

Download
memory/2068-259-0x00007FFCDCD60000-0x00007FFCDD289000-memory.dmp

Filesize
5.2MB

Download
memory/2068-258-0x00007FFCEFC60000-0x00007FFCEFC93000-memory.dmp

Filesize
204KB

Download
memory/2068-246-0x00007FFCDDCD0000-0x00007FFCDE394000-memory.dmp

Filesize
6.8MB

Download
memory/2068-282-0x00007FFCF2780000-0x00007FFCF28FF000-memory.dmp

Filesize
1.5MB

Download
memory/2068-281-0x00007FFCF2900000-0x00007FFCF2924000-memory.dmp

Filesize
144KB

Download
memory/2068-305-0x00007FFCEFC60000-0x00007FFCEFC93000-memory.dmp

Filesize
204KB

Download
memory/2068-304-0x00007FFCF2640000-0x00007FFCF2679000-memory.dmp

Filesize
228KB

Download
memory/2068-303-0x00007FFCEF7C0000-0x00007FFCEF7D1000-memory.dmp

Filesize
68KB

Download
memory/2068-302-0x00007FFCEF7E0000-0x00007FFCEF82C000-memory.dmp

Filesize
304KB

Download
memory/2068-301-0x00007FFCF2720000-0x00007FFCF2745000-memory.dmp

Filesize
148KB

Download
memory/2068-300-0x00007FFCF9230000-0x00007FFCF923F000-memory.dmp

Filesize
60KB

Download
memory/2068-280-0x00007FFCF2930000-0x00007FFCF295D000-memory.dmp

Filesize
180KB

Download
memory/2068-279-0x00007FFCF91C0000-0x00007FFCF91DA000-memory.dmp

Filesize
104KB

Download
memory/2068-278-0x00007FFCF4BD0000-0x00007FFCF4BDF000-memory.dmp

Filesize
60KB

Download
memory/2068-277-0x00007FFCF4BE0000-0x00007FFCF4BED000-memory.dmp

Filesize
52KB

Download
memory/2068-276-0x00007FFCF4E70000-0x00007FFCF4E89000-memory.dmp

Filesize
100KB

Download
memory/2068-273-0x00007FFCDDCD0000-0x00007FFCDE394000-memory.dmp

Filesize
6.8MB

Download
memory/2068-133-0x00007FFCF2780000-0x00007FFCF28FF000-memory.dmp

Filesize
1.5MB

Download
memory/2068-308-0x00007FFCF3B30000-0x00007FFCF3B3D000-memory.dmp

Filesize
52KB

Download
memory/2068-317-0x00007FFCEF830000-0x00007FFCEF849000-memory.dmp

Filesize
100KB

Download
memory/2068-316-0x00007FFCEF850000-0x00007FFCEF867000-memory.dmp

Filesize
92KB

Download
memory/2068-315-0x00007FFCEF8C0000-0x00007FFCEF9DB000-memory.dmp

Filesize
1.1MB

Download
memory/2068-314-0x00007FFCEFBF0000-0x00007FFCEFC12000-memory.dmp

Filesize
136KB

Download
memory/2068-313-0x00007FFCEFC20000-0x00007FFCEFC34000-memory.dmp

Filesize
80KB

Download
memory/2068-312-0x00007FFCEFD30000-0x00007FFCEFD42000-memory.dmp

Filesize
72KB

Download
memory/2068-311-0x00007FFCEFC40000-0x00007FFCEFC54000-memory.dmp

Filesize
80KB

Download
memory/2068-310-0x00007FFCF2760000-0x00007FFCF2776000-memory.dmp

Filesize
88KB

Download
memory/2068-309-0x00007FFCEF9E0000-0x00007FFCEFAAD000-memory.dmp

Filesize
820KB

Download
memory/2068-307-0x00007FFCEF1F0000-0x00007FFCEF20E000-memory.dmp

Filesize
120KB

Download
memory/2068-318-0x00007FFCDD290000-0x00007FFCDDA31000-memory.dmp

Filesize
7.6MB

Download
memory/2068-141-0x00007FFCEF7C0000-0x00007FFCEF7D1000-memory.dmp

Filesize
68KB

Download
memory/2068-135-0x00007FFCEF7E0000-0x00007FFCEF82C000-memory.dmp

Filesize
304KB

Download
memory/2068-128-0x00007FFCEF850000-0x00007FFCEF867000-memory.dmp

Filesize
92KB

Download
memory/2068-115-0x00007FFCEFD30000-0x00007FFCEFD42000-memory.dmp

Filesize
72KB

Download
memory/2068-116-0x00007FFCEFC40000-0x00007FFCEFC54000-memory.dmp

Filesize
80KB

Download
memory/2068-121-0x00007FFCEFC20000-0x00007FFCEFC34000-memory.dmp

Filesize
80KB

Download
memory/2068-123-0x00007FFCEF8C0000-0x00007FFCEF9DB000-memory.dmp

Filesize
1.1MB

Download
memory/2068-124-0x00007FFCEFBF0000-0x00007FFCEFC12000-memory.dmp

Filesize
136KB

Download
memory/2068-120-0x00007FFCF4BD0000-0x00007FFCF4BDF000-memory.dmp

Filesize
60KB

Download
memory/2068-108-0x00007FFCDCD60000-0x00007FFCDD289000-memory.dmp

Filesize
5.2MB

Download
memory/2068-111-0x00007FFCF2760000-0x00007FFCF2776000-memory.dmp

Filesize
88KB

Download
memory/2068-109-0x00007FFCEF9E0000-0x00007FFCEFAAD000-memory.dmp

Filesize
820KB

Download
memory/2068-107-0x00007FFCEFC60000-0x00007FFCEFC93000-memory.dmp

Filesize
204KB

Download
memory/2068-103-0x00007FFCF2640000-0x00007FFCF2679000-memory.dmp

Filesize
228KB

Download
memory/2068-101-0x00007FFCDD290000-0x00007FFCDDA31000-memory.dmp

Filesize
7.6MB

Download
memory/2068-100-0x00007FFCDDCD0000-0x00007FFCDE394000-memory.dmp

Filesize
6.8MB

Download
memory/2068-97-0x00007FFCF2780000-0x00007FFCF28FF000-memory.dmp

Filesize
1.5MB

Download
memory/2068-96-0x00007FFCF2900000-0x00007FFCF2924000-memory.dmp

Filesize
144KB

Download
memory/2068-93-0x00007FFCF2930000-0x00007FFCF295D000-memory.dmp

Filesize
180KB

Download
memory/2068-91-0x00007FFCF91C0000-0x00007FFCF91DA000-memory.dmp

Filesize
104KB

Download
memory/2068-88-0x00007FFCF4BD0000-0x00007FFCF4BDF000-memory.dmp

Filesize
60KB

Download
memory/2068-86-0x00007FFCF4BE0000-0x00007FFCF4BED000-memory.dmp

Filesize
52KB

Download
memory/2068-84-0x00007FFCF4E70000-0x00007FFCF4E89000-memory.dmp

Filesize
100KB

Download
memory/2068-81-0x00007FFCF2720000-0x00007FFCF2745000-memory.dmp

Filesize
148KB

Download
memory/2068-82-0x00007FFCF9230000-0x00007FFCF923F000-memory.dmp

Filesize
60KB

Download
memory/4532-200-0x0000027FEA250000-0x0000027FEA272000-memory.dmp

Filesize
136KB

Download