exelastealer | 37bf040c6960ed08c9b717cae5e0c90710572b3c6770072724ebdc2dc32ae102

Analysis

max time kernel
152s
max time network
154s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241211-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
20-12-2024 17:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Senex-paid-UPDATED.exe
Size

9.6MB
MD5

287cfd94b4d9f4c650f73c4e8d401594
SHA1

687b83c5663b48da3fff0d82b6e67b7217b286fc
SHA256

37bf040c6960ed08c9b717cae5e0c90710572b3c6770072724ebdc2dc32ae102
SHA512

c284d6a22ea83f4873cc40e803f3874b6120299f3d3222421af270fd189b9a30ffda8c0374108452aa2ce5d45fd195115d646122b5b7f484b2d4bcf75977700b
SSDEEP

196608:+AAVcCxfbaX8iiis4hTJURfdeN0YFJMIDJ+gsAGKpRxZtQ6m5xhGygTl7F:lAVVzaXZscJ6fGnFqy+gsixZKWr

Score

10^/10

exelastealer collection defense_evasion discovery evasion persistence privilege_escalation pyinstaller spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 4 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4484	netsh.exe
220	netsh.exe
2672	netsh.exe
1976	netsh.exe

Clipboard Data 1 TTPs 4 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
776	cmd.exe
652	powershell.exe
2936	cmd.exe
3048	powershell.exe

Loads dropped DLL 63 IoCs

pid	Process
336	Senex-paid-UPDATED.exe
336	Senex-paid-UPDATED.exe
336	Senex-paid-UPDATED.exe
336	Senex-paid-UPDATED.exe
336	Senex-paid-UPDATED.exe
336	Senex-paid-UPDATED.exe
336	Senex-paid-UPDATED.exe
336	Senex-paid-UPDATED.exe
336	Senex-paid-UPDATED.exe
336	Senex-paid-UPDATED.exe
336	Senex-paid-UPDATED.exe
336	Senex-paid-UPDATED.exe
336	Senex-paid-UPDATED.exe
336	Senex-paid-UPDATED.exe
336	Senex-paid-UPDATED.exe
336	Senex-paid-UPDATED.exe
336	Senex-paid-UPDATED.exe
336	Senex-paid-UPDATED.exe
336	Senex-paid-UPDATED.exe
336	Senex-paid-UPDATED.exe
336	Senex-paid-UPDATED.exe
336	Senex-paid-UPDATED.exe
336	Senex-paid-UPDATED.exe
336	Senex-paid-UPDATED.exe
336	Senex-paid-UPDATED.exe
336	Senex-paid-UPDATED.exe
336	Senex-paid-UPDATED.exe
336	Senex-paid-UPDATED.exe
336	Senex-paid-UPDATED.exe
336	Senex-paid-UPDATED.exe
336	Senex-paid-UPDATED.exe
336	Senex-paid-UPDATED.exe
1984	Senex-paid-UPDATED.exe
1984	Senex-paid-UPDATED.exe
1984	Senex-paid-UPDATED.exe
1984	Senex-paid-UPDATED.exe
1984	Senex-paid-UPDATED.exe
1984	Senex-paid-UPDATED.exe
1984	Senex-paid-UPDATED.exe
1984	Senex-paid-UPDATED.exe
1984	Senex-paid-UPDATED.exe
1984	Senex-paid-UPDATED.exe
1984	Senex-paid-UPDATED.exe
1984	Senex-paid-UPDATED.exe
1984	Senex-paid-UPDATED.exe
1984	Senex-paid-UPDATED.exe
1984	Senex-paid-UPDATED.exe
1984	Senex-paid-UPDATED.exe
1984	Senex-paid-UPDATED.exe
1984	Senex-paid-UPDATED.exe
1984	Senex-paid-UPDATED.exe
1984	Senex-paid-UPDATED.exe
1984	Senex-paid-UPDATED.exe
1984	Senex-paid-UPDATED.exe
1984	Senex-paid-UPDATED.exe
1984	Senex-paid-UPDATED.exe
1984	Senex-paid-UPDATED.exe
1984	Senex-paid-UPDATED.exe
1984	Senex-paid-UPDATED.exe
1984	Senex-paid-UPDATED.exe
1984	Senex-paid-UPDATED.exe
1984	Senex-paid-UPDATED.exe
1984	Senex-paid-UPDATED.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela Update Service = "C:\\Users\\Admin\\AppData\\Local\\ExelaUpdateService\\Exela.exe"	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela Update Service = "C:\\Users\\Admin\\AppData\\Local\\ExelaUpdateService\\Exela.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
80	discord.com
25	discord.com
26	discord.com
27	discord.com
50	discord.com
55	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
19	ip-api.com
75	ip-api.com

Network Service Discovery 1 TTPs 4 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
652	cmd.exe
4584	ARP.EXE
4908	cmd.exe
4912	ARP.EXE

Enumerates processes with tasklist 1 TTPs 10 IoCs

discovery

Process Discovery

T1057

pid	Process
1948	tasklist.exe
1432	tasklist.exe
2400	tasklist.exe
3040	tasklist.exe
4640	tasklist.exe
5096	tasklist.exe
4448	tasklist.exe
3740	tasklist.exe
4644	tasklist.exe
2632	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1696	cmd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0028000000046187-46.dat	upx
behavioral1/memory/336-50-0x00007FFFEC570000-0x00007FFFEC9DE000-memory.dmp	upx
behavioral1/files/0x002800000004614d-56.dat	upx
behavioral1/files/0x0029000000046166-59.dat	upx
behavioral1/memory/336-60-0x00007FF805120000-0x00007FF80512F000-memory.dmp	upx
behavioral1/memory/336-58-0x00007FF800560000-0x00007FF800584000-memory.dmp	upx
behavioral1/files/0x0028000000046155-61.dat	upx
behavioral1/files/0x002e00000004618b-63.dat	upx
behavioral1/memory/336-64-0x00007FF804CA0000-0x00007FF804CB9000-memory.dmp	upx
behavioral1/memory/336-67-0x00007FF802E90000-0x00007FF802E9D000-memory.dmp	upx
behavioral1/files/0x002800000004614b-66.dat	upx
behavioral1/memory/336-70-0x00007FF802D90000-0x00007FF802DA9000-memory.dmp	upx
behavioral1/files/0x0028000000046151-69.dat	upx
behavioral1/memory/336-72-0x00007FF800420000-0x00007FF80044D000-memory.dmp	upx
behavioral1/files/0x0028000000046156-73.dat	upx
behavioral1/memory/336-76-0x00007FF800540000-0x00007FF80055F000-memory.dmp	upx
behavioral1/files/0x002800000004618d-75.dat	upx
behavioral1/memory/336-78-0x00007FFFF9F20000-0x00007FFFFA091000-memory.dmp	upx
behavioral1/files/0x0028000000046157-79.dat	upx
behavioral1/files/0x0028000000046165-81.dat	upx
behavioral1/memory/336-82-0x00007FFFFBA10000-0x00007FFFFBA3E000-memory.dmp	upx
behavioral1/files/0x0028000000046167-83.dat	upx
behavioral1/memory/336-88-0x00007FFFFB950000-0x00007FFFFBA08000-memory.dmp	upx
behavioral1/memory/336-89-0x00007FFFEC1F0000-0x00007FFFEC565000-memory.dmp	upx
behavioral1/memory/336-91-0x00007FF800560000-0x00007FF800584000-memory.dmp	upx
behavioral1/memory/336-87-0x00007FFFEC570000-0x00007FFFEC9DE000-memory.dmp	upx
behavioral1/files/0x002800000004614a-92.dat	upx
behavioral1/memory/336-94-0x00007FFFFB930000-0x00007FFFFB945000-memory.dmp	upx
behavioral1/files/0x0028000000046153-95.dat	upx
behavioral1/memory/336-98-0x00007FF802E80000-0x00007FF802E90000-memory.dmp	upx
behavioral1/memory/336-97-0x00007FF804CA0000-0x00007FF804CB9000-memory.dmp	upx
behavioral1/files/0x0029000000046170-100.dat	upx
behavioral1/memory/336-102-0x00007FFFFB2A0000-0x00007FFFFB2B4000-memory.dmp	upx
behavioral1/files/0x0028000000046150-101.dat	upx
behavioral1/memory/336-104-0x00007FFFFB280000-0x00007FFFFB294000-memory.dmp	upx
behavioral1/files/0x0028000000046192-105.dat	upx
behavioral1/memory/336-108-0x00007FF800420000-0x00007FF80044D000-memory.dmp	upx
behavioral1/memory/336-109-0x00007FFFFB250000-0x00007FFFFB272000-memory.dmp	upx
behavioral1/files/0x0028000000046190-110.dat	upx
behavioral1/memory/336-113-0x00007FFFF9E00000-0x00007FFFF9F18000-memory.dmp	upx
behavioral1/files/0x0028000000046174-114.dat	upx
behavioral1/memory/336-116-0x00007FFFFAED0000-0x00007FFFFAEEB000-memory.dmp	upx
behavioral1/memory/336-115-0x00007FFFF9F20000-0x00007FFFFA091000-memory.dmp	upx
behavioral1/memory/336-112-0x00007FF800540000-0x00007FF80055F000-memory.dmp	upx
behavioral1/files/0x002800000004615b-117.dat	upx
behavioral1/memory/336-120-0x00007FFFFBA10000-0x00007FFFFBA3E000-memory.dmp	upx
behavioral1/memory/336-121-0x00007FFFF7170000-0x00007FFFF7188000-memory.dmp	upx
behavioral1/files/0x002800000004615a-119.dat	upx
behavioral1/files/0x002800000004615d-123.dat	upx
behavioral1/memory/336-124-0x00007FFFFB950000-0x00007FFFFBA08000-memory.dmp	upx
behavioral1/files/0x002800000004615e-127.dat	upx
behavioral1/memory/336-134-0x00007FFFFB930000-0x00007FFFFB945000-memory.dmp	upx
behavioral1/memory/336-133-0x00007FFFF2220000-0x00007FFFF2252000-memory.dmp	upx
behavioral1/memory/336-132-0x00007FFFF2300000-0x00007FFFF2311000-memory.dmp	upx
behavioral1/files/0x0028000000046158-130.dat	upx
behavioral1/files/0x0028000000046164-139.dat	upx
behavioral1/files/0x0028000000046162-140.dat	upx
behavioral1/memory/336-144-0x00007FFFEB900000-0x00007FFFEC0FB000-memory.dmp	upx
behavioral1/memory/336-143-0x00007FFFFB280000-0x00007FFFFB294000-memory.dmp	upx
behavioral1/memory/336-141-0x00007FFFF21F0000-0x00007FFFF220E000-memory.dmp	upx
behavioral1/memory/336-138-0x00007FFFF2210000-0x00007FFFF221A000-memory.dmp	upx
behavioral1/memory/336-137-0x00007FF802E80000-0x00007FF802E90000-memory.dmp	upx
behavioral1/memory/336-128-0x00007FFFF28C0000-0x00007FFFF290D000-memory.dmp	upx
behavioral1/memory/336-126-0x00007FFFEC1F0000-0x00007FFFEC565000-memory.dmp	upx

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2452	sc.exe
2804	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x002600000004621a-160.dat	pyinstaller

Event Triggered Execution: Netsh Helper DLL 1 TTPs 18 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 4 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4692	cmd.exe
1160	netsh.exe
564	cmd.exe
3124	netsh.exe

System Network Connections Discovery 1 TTPs 2 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
3984	NETSTAT.EXE
4672	NETSTAT.EXE

Collects information from the system 1 TTPs 2 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
4712	WMIC.exe
1836	WMIC.exe

Detects videocard installed 1 TTPs 2 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1816	WMIC.exe
4016	WMIC.exe

Gathers network information 2 TTPs 4 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4816	ipconfig.exe
3984	NETSTAT.EXE
3972	ipconfig.exe
4672	NETSTAT.EXE

Gathers system information 1 TTPs 2 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1444	systeminfo.exe
4044	systeminfo.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1816	WMIC.exe
1816	WMIC.exe
1816	WMIC.exe
1816	WMIC.exe
1760	WMIC.exe
1760	WMIC.exe
1760	WMIC.exe
1760	WMIC.exe
2440	WMIC.exe
2440	WMIC.exe
2440	WMIC.exe
2440	WMIC.exe
1204	WMIC.exe
1204	WMIC.exe
1204	WMIC.exe
1204	WMIC.exe
652	powershell.exe
652	powershell.exe
1836	WMIC.exe
1836	WMIC.exe
1836	WMIC.exe
1836	WMIC.exe
3224	WMIC.exe
3224	WMIC.exe
3224	WMIC.exe
3224	WMIC.exe
4036	WMIC.exe
4036	WMIC.exe
4036	WMIC.exe
4036	WMIC.exe
4536	WMIC.exe
4536	WMIC.exe
4536	WMIC.exe
4536	WMIC.exe
4016	WMIC.exe
4016	WMIC.exe
4016	WMIC.exe
4016	WMIC.exe
320	WMIC.exe
320	WMIC.exe
320	WMIC.exe
320	WMIC.exe
556	WMIC.exe
556	WMIC.exe
556	WMIC.exe
556	WMIC.exe
768	WMIC.exe
768	WMIC.exe
768	WMIC.exe
768	WMIC.exe
3048	powershell.exe
3048	powershell.exe
3048	powershell.exe
4712	WMIC.exe
4712	WMIC.exe
4712	WMIC.exe
4712	WMIC.exe
4616	WMIC.exe
4616	WMIC.exe
4616	WMIC.exe
4616	WMIC.exe
1216	WMIC.exe
1216	WMIC.exe
1216	WMIC.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1760	WMIC.exe
Token: SeSecurityPrivilege	1760	WMIC.exe
Token: SeTakeOwnershipPrivilege	1760	WMIC.exe
Token: SeLoadDriverPrivilege	1760	WMIC.exe
Token: SeSystemProfilePrivilege	1760	WMIC.exe
Token: SeSystemtimePrivilege	1760	WMIC.exe
Token: SeProfSingleProcessPrivilege	1760	WMIC.exe
Token: SeIncBasePriorityPrivilege	1760	WMIC.exe
Token: SeCreatePagefilePrivilege	1760	WMIC.exe
Token: SeBackupPrivilege	1760	WMIC.exe
Token: SeRestorePrivilege	1760	WMIC.exe
Token: SeShutdownPrivilege	1760	WMIC.exe
Token: SeDebugPrivilege	1760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1760	WMIC.exe
Token: SeRemoteShutdownPrivilege	1760	WMIC.exe
Token: SeUndockPrivilege	1760	WMIC.exe
Token: SeManageVolumePrivilege	1760	WMIC.exe
Token: 33	1760	WMIC.exe
Token: 34	1760	WMIC.exe
Token: 35	1760	WMIC.exe
Token: 36	1760	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1816	WMIC.exe
Token: SeSecurityPrivilege	1816	WMIC.exe
Token: SeTakeOwnershipPrivilege	1816	WMIC.exe
Token: SeLoadDriverPrivilege	1816	WMIC.exe
Token: SeSystemProfilePrivilege	1816	WMIC.exe
Token: SeSystemtimePrivilege	1816	WMIC.exe
Token: SeProfSingleProcessPrivilege	1816	WMIC.exe
Token: SeIncBasePriorityPrivilege	1816	WMIC.exe
Token: SeCreatePagefilePrivilege	1816	WMIC.exe
Token: SeBackupPrivilege	1816	WMIC.exe
Token: SeRestorePrivilege	1816	WMIC.exe
Token: SeShutdownPrivilege	1816	WMIC.exe
Token: SeDebugPrivilege	1816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1816	WMIC.exe
Token: SeRemoteShutdownPrivilege	1816	WMIC.exe
Token: SeUndockPrivilege	1816	WMIC.exe
Token: SeManageVolumePrivilege	1816	WMIC.exe
Token: 33	1816	WMIC.exe
Token: 34	1816	WMIC.exe
Token: 35	1816	WMIC.exe
Token: 36	1816	WMIC.exe
Token: SeDebugPrivilege	2632	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1760	WMIC.exe
Token: SeSecurityPrivilege	1760	WMIC.exe
Token: SeTakeOwnershipPrivilege	1760	WMIC.exe
Token: SeLoadDriverPrivilege	1760	WMIC.exe
Token: SeSystemProfilePrivilege	1760	WMIC.exe
Token: SeSystemtimePrivilege	1760	WMIC.exe
Token: SeProfSingleProcessPrivilege	1760	WMIC.exe
Token: SeIncBasePriorityPrivilege	1760	WMIC.exe
Token: SeCreatePagefilePrivilege	1760	WMIC.exe
Token: SeBackupPrivilege	1760	WMIC.exe
Token: SeRestorePrivilege	1760	WMIC.exe
Token: SeShutdownPrivilege	1760	WMIC.exe
Token: SeDebugPrivilege	1760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1760	WMIC.exe
Token: SeRemoteShutdownPrivilege	1760	WMIC.exe
Token: SeUndockPrivilege	1760	WMIC.exe
Token: SeManageVolumePrivilege	1760	WMIC.exe
Token: 33	1760	WMIC.exe
Token: 34	1760	WMIC.exe
Token: 35	1760	WMIC.exe
Token: 36	1760	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3908 wrote to memory of 336	3908	Senex-paid-UPDATED.exe	81
PID 3908 wrote to memory of 336	3908	Senex-paid-UPDATED.exe	81
PID 336 wrote to memory of 440	336	Senex-paid-UPDATED.exe	82
PID 336 wrote to memory of 440	336	Senex-paid-UPDATED.exe	82
PID 336 wrote to memory of 4972	336	Senex-paid-UPDATED.exe	84
PID 336 wrote to memory of 4972	336	Senex-paid-UPDATED.exe	84
PID 336 wrote to memory of 664	336	Senex-paid-UPDATED.exe	85
PID 336 wrote to memory of 664	336	Senex-paid-UPDATED.exe	85
PID 336 wrote to memory of 3972	336	Senex-paid-UPDATED.exe	87
PID 336 wrote to memory of 3972	336	Senex-paid-UPDATED.exe	87
PID 336 wrote to memory of 2236	336	Senex-paid-UPDATED.exe	88
PID 336 wrote to memory of 2236	336	Senex-paid-UPDATED.exe	88
PID 4972 wrote to memory of 1816	4972	cmd.exe	93
PID 4972 wrote to memory of 1816	4972	cmd.exe	93
PID 664 wrote to memory of 1760	664	cmd.exe	94
PID 664 wrote to memory of 1760	664	cmd.exe	94
PID 2236 wrote to memory of 2632	2236	cmd.exe	95
PID 2236 wrote to memory of 2632	2236	cmd.exe	95
PID 336 wrote to memory of 2588	336	Senex-paid-UPDATED.exe	97
PID 336 wrote to memory of 2588	336	Senex-paid-UPDATED.exe	97
PID 2588 wrote to memory of 2440	2588	cmd.exe	99
PID 2588 wrote to memory of 2440	2588	cmd.exe	99
PID 336 wrote to memory of 472	336	Senex-paid-UPDATED.exe	100
PID 336 wrote to memory of 472	336	Senex-paid-UPDATED.exe	100
PID 336 wrote to memory of 2948	336	Senex-paid-UPDATED.exe	101
PID 336 wrote to memory of 2948	336	Senex-paid-UPDATED.exe	101
PID 2948 wrote to memory of 4448	2948	cmd.exe	104
PID 2948 wrote to memory of 4448	2948	cmd.exe	104
PID 472 wrote to memory of 1204	472	cmd.exe	105
PID 472 wrote to memory of 1204	472	cmd.exe	105
PID 336 wrote to memory of 1696	336	Senex-paid-UPDATED.exe	106
PID 336 wrote to memory of 1696	336	Senex-paid-UPDATED.exe	106
PID 1696 wrote to memory of 4600	1696	cmd.exe	108
PID 1696 wrote to memory of 4600	1696	cmd.exe	108
PID 336 wrote to memory of 4088	336	Senex-paid-UPDATED.exe	109
PID 336 wrote to memory of 4088	336	Senex-paid-UPDATED.exe	109
PID 4088 wrote to memory of 1576	4088	cmd.exe	111
PID 4088 wrote to memory of 1576	4088	cmd.exe	111
PID 336 wrote to memory of 4520	336	Senex-paid-UPDATED.exe	112
PID 336 wrote to memory of 4520	336	Senex-paid-UPDATED.exe	112
PID 336 wrote to memory of 4904	336	Senex-paid-UPDATED.exe	113
PID 336 wrote to memory of 4904	336	Senex-paid-UPDATED.exe	113
PID 4904 wrote to memory of 3740	4904	cmd.exe	116
PID 4904 wrote to memory of 3740	4904	cmd.exe	116
PID 4520 wrote to memory of 2952	4520	cmd.exe	117
PID 4520 wrote to memory of 2952	4520	cmd.exe	117
PID 336 wrote to memory of 3164	336	Senex-paid-UPDATED.exe	118
PID 336 wrote to memory of 3164	336	Senex-paid-UPDATED.exe	118
PID 336 wrote to memory of 3956	336	Senex-paid-UPDATED.exe	119
PID 336 wrote to memory of 3956	336	Senex-paid-UPDATED.exe	119
PID 336 wrote to memory of 2652	336	Senex-paid-UPDATED.exe	120
PID 336 wrote to memory of 2652	336	Senex-paid-UPDATED.exe	120
PID 336 wrote to memory of 776	336	Senex-paid-UPDATED.exe	121
PID 336 wrote to memory of 776	336	Senex-paid-UPDATED.exe	121
PID 3956 wrote to memory of 1240	3956	cmd.exe	126
PID 3956 wrote to memory of 1240	3956	cmd.exe	126
PID 2652 wrote to memory of 1948	2652	cmd.exe	127
PID 2652 wrote to memory of 1948	2652	cmd.exe	127
PID 776 wrote to memory of 652	776	cmd.exe	128
PID 776 wrote to memory of 652	776	cmd.exe	128
PID 1240 wrote to memory of 1424	1240	cmd.exe	129
PID 1240 wrote to memory of 1424	1240	cmd.exe	129
PID 3164 wrote to memory of 1692	3164	cmd.exe	130
PID 3164 wrote to memory of 1692	3164	cmd.exe	130

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4600	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Senex-paid-UPDATED.exe
"C:\Users\Admin\AppData\Local\Temp\Senex-paid-UPDATED.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3908
- C:\Users\Admin\AppData\Local\Temp\Senex-paid-UPDATED.exe
  "C:\Users\Admin\AppData\Local\Temp\Senex-paid-UPDATED.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4972
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:664
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1760
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:3972
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:472
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1204
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:4448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Views/modifies file attributes
      PID:4600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4088
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f
      4⤵
      Adds Run key to start application
      PID:1576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4520
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:2952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4904
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:3740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3164
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:1692
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:1292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3956
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1240
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:1424
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:1948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:776
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:652
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    PID:4908
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1444
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:412
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      Suspicious behavior: EnumeratesProcesses
      PID:1836
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:2840
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:2756
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:1972
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:3148
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:2588
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:4636
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:4612
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:4436
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:1608
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:2572
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:2668
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:4416
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:3224
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:1432
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:4816
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:3596
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:4912
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:3984
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:2452
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:4484
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4692
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1160
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1952
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2824
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4536

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:748

C:\Users\Admin\AppData\Local\Temp\Senex-paid-UPDATED.exe
"C:\Users\Admin\AppData\Local\Temp\Senex-paid-UPDATED.exe"
1⤵
PID:2720
- C:\Users\Admin\AppData\Local\Temp\Senex-paid-UPDATED.exe
  "C:\Users\Admin\AppData\Local\Temp\Senex-paid-UPDATED.exe"
  2⤵
  - Loads dropped DLL
  PID:1984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:4672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4412
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious behavior: EnumeratesProcesses
      PID:4016
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    PID:412
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:3664
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:4664
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:4644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    PID:3080
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4344
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:2328
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f"
    3⤵
    PID:4684
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f
      4⤵
      Adds Run key to start application
      PID:4712
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    PID:2180
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:4036
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:5036
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:3040
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:1660
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:3168
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:4404
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:544
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:4440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:1332
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:2936
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:3048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:564
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    PID:652
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4044
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:4164
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      Suspicious behavior: EnumeratesProcesses
      PID:4712
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:2160
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:2112
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:4332
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:3940
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:4360
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:3520
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:1728
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:4932
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:3552
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:4836
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:2228
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:2616
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:4616
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:5096
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:3972
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:544
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:4584
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:4672
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:2804
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2672
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1976
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1608
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1216
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4644
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:5080

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:4784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe

Filesize
9.6MB

MD5
287cfd94b4d9f4c650f73c4e8d401594

SHA1
687b83c5663b48da3fff0d82b6e67b7217b286fc

SHA256
37bf040c6960ed08c9b717cae5e0c90710572b3c6770072724ebdc2dc32ae102

SHA512
c284d6a22ea83f4873cc40e803f3874b6120299f3d3222421af270fd189b9a30ffda8c0374108452aa2ce5d45fd195115d646122b5b7f484b2d4bcf75977700b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HistoryData.db

Filesize
124KB

MD5
9618e15b04a4ddb39ed6c496575f6f95

SHA1
1c28f8750e5555776b3c80b187c5d15a443a7412

SHA256
a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab

SHA512
f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

Download Submit
C:\Users\Admin\AppData\Local\Temp\HistoryData.db

Filesize
160KB

MD5
f310cf1ff562ae14449e0167a3e1fe46

SHA1
85c58afa9049467031c6c2b17f5c12ca73bb2788

SHA256
e187946249cd390a3c1cf5d4e3b0d8f554f9acdc416bf4e7111fff217bb08855

SHA512
1196371de08c964268c44103ccaed530bda6a145df98e0f480d8ee5ad58cb6fb33ca4c9195a52181fe864726dcf52e6a7a466d693af0cda43400a3a7ef125fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\BackupSwitch.mht

Filesize
363KB

MD5
5f125ac55969b059327a4dc11d14476b

SHA1
9dcb82b83422c55bef1b0dd24563b4ea26d75895

SHA256
5d2e76f9e36a5ca295cc16a45bf7a563be204bfa1c6ad632e172298ab243d413

SHA512
3f3631aba4d54c74447beaaa1671ab613158413a27abb58660684d7dd6def40565826da5ff7f5f0d9376b26d847db9968598ef5d5d44cdd509d47fb5b82fc20c

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\BlockSave.xlsx

Filesize
16KB

MD5
78f3d5ec3c1ff345b4ef85dba154cdd2

SHA1
8d9aa3417d3345c687eb0763912878d293424ea6

SHA256
3a262b59d9b47f0a3a98c7d4049964cd410ea82dcb0801fafe9079dd9a80a9da

SHA512
31d0176420d3bbcacbf01514efd54f1728af0be77f16b5fb6bfad3d1775a0e5f4a71e75ad0ddbf7e16318f06b50cb733db62930b6e8f0f3c6d3a23fedc5811b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\SplitReset.docx

Filesize
15KB

MD5
1afe8282947961887bcb3c1db5987078

SHA1
38c7bd577d829ec1a1ad58e94d8564cab7d5571c

SHA256
7377f447eed06854b6371f49075272ecb71f46020fe0eeaecba80bfa44dc5dcb

SHA512
080de4fd4aa5ccdc0829a90bb8d88ba48fd8cc83b88c6554efd2315074e025678b495a6496512976b1c8ad84ea302b395fd66391613a96ad620cb5380c936380

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\WaitRestore.docx

Filesize
18KB

MD5
9f8d2f3acaa07b55113d9519a9c746e6

SHA1
05b960abc5bb1f44e406297a86beeba29b35a916

SHA256
fb9f304a24001fe8b02492485409f5bb1a9cc43ead0a4506747e1c8c59223f1a

SHA512
5720b4ed38040ac0430eb48f966b4cf84e1e38adf49af041901207e4124f5b716aa59c296089377130c137c8ae138241da781719f0cec8701cd4d6df03b1df83

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\EnterRegister.docx

Filesize
17KB

MD5
7ee213d55b9b0d5dacf5090699fc8d34

SHA1
9c4b3ad6ac1882166798a876d24658c4a5f7fc05

SHA256
85fb608518048d4dc60efcd501dc47882f3c2b9f183841c37965440a1b61ec3c

SHA512
8547e531d77a4059d7c0fd2611614f066053906ab9d91c597b30eda337d864901092a3bfd54d5f62b8cca0bb005fe10bd08a8e45f014673dce28cbcd50e3e4b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\ExpandConfirm.csv

Filesize
953KB

MD5
983d464e2aace8ca9622ce9bd66fbcf7

SHA1
4f9989713ddb4512f671790b5ada200e014f51ba

SHA256
a2492661ea9b976d54f71fb089088e96892af60ece0ea10dad5dd361dceee167

SHA512
88cf16e3ae3c72c226c969087eda0cc182b6a14c0d996f0745ea12d3e3a4905222138744c62f7b7cc6da4de86601a965d635ac8370ab7cc3f8cec482e798e9f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\FormatBackup.pptx

Filesize
1.1MB

MD5
c269dc8c2497cbd67dba3c139b8aa1ad

SHA1
1e94c5460fb59fbb6bfef2d87f77cc8534039fc4

SHA256
7ccbf0aadcea97af7aa2849f7319ae49d688472b6705b0b75e033a6cb412c3b9

SHA512
58188b60b8037e5e978a894cd202b717d0057faa5640266bf428f298d40b42139b2f50af5d7f9a1d2866f2450c5ce2d94b684bbcf80737b3acdc44b1592b2c3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\FormatCompare.docx

Filesize
15KB

MD5
073234ad995576d0d50bb872c156c32e

SHA1
4f49cd44b67660c4d78c2b741e8534190ded17a2

SHA256
cf07db56c6180de53e212e94da67a0f29feaaa6a3bb7d4f1385fe5d3589ce6e3

SHA512
4e7525ffde5ee59ae581bc73cebe0360a3e791102679eecd685a5852df25a725d484878ab269e882cfe953aee6a2dbee1ac89d3f1b6e7c03aa707012525a42fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\ImportCheckpoint.txt

Filesize
436KB

MD5
ac7d3deeeafc467b8dce9f7d7c7cdf67

SHA1
41dfcee397c9bb0fc66d9577c27c266181110bdf

SHA256
05d4e295e04b251e01b6f96a6972ba9e1179e941b4c012f0e887c42748bcdb83

SHA512
e465c791c9facfa888d58456eef73cb0dafa48c8ab3cbf9c3dc394aec4e8638204a279cfbe3889e38b5f7b76450d53cfa6e4d7430cccbd399b5cd59ba8e6f567

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\RegisterSuspend.csv

Filesize
1012KB

MD5
a3367301e2d7834d7537750da21db784

SHA1
9df4df723cc0a89ae83f23e4fe1b512b42b1c8cf

SHA256
24841b9372677cedfd677c82c72b2f8c71bce84a57e462494eeef610374ced80

SHA512
64ce453411e753ddc456e8d7cf328af44bceb7ca338708913eff8182972a39f37241db6bbc03da1344278916f89de4b7090f374616d571a7fa29fdf3c77aa714

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\SearchEnter.docx

Filesize
12KB

MD5
079286752ee3937a7d4e49b8e5ab9e11

SHA1
3358a76c80d5f3d618ec26c94ddfc1e2f9c793da

SHA256
87dbeb44b8553bd4a241f32e73a115cba7261826375875888c9dfbdd1363981f

SHA512
f7da94fcd53bf6bb24282c808c7bf398cb7a9454857e014ced1ef5e567b346800da08157839222f6f96b4a28e9e5806de861b16d18b55282188d16897d12cc82

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\SearchJoin.txt

Filesize
416KB

MD5
c2f260df5ea03969b681bbf5d7be98fb

SHA1
702cfaaf9f78ae3af58492a9c700aee672217e49

SHA256
462963923953868ad67d3b20eab220181530f825942310dd0611fc02c4fa0afc

SHA512
0e1a74f5c3c4fd2bb0190ebc196e84e5df303724a4b6b94e0b9b486ea8ec20262b71aff9b240529f31a8d3d172bc22ee332a854f110821823bfca621b4f246e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\UnregisterRead.doc

Filesize
714KB

MD5
a5e8d87819a559e891dc452c57d463b8

SHA1
58abe2ae3d455c6915df56a0afcb2dc155e633be

SHA256
57b41204ad4c9dc36426dd3a79f9db8c0a8c7aadef405b838bb0065bed84e586

SHA512
44e1205be6bcc7702f4a6152dd383f306d64e850f523c93e44ef0be3fb93ee912f398b9915c135cada26928499a0c6547b8bc8cc1d0514b651787baf70518bd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\BackupCheckpoint.midi

Filesize
245KB

MD5
92c362a2147855ac42bee84f1a943b84

SHA1
eed7401d79fd0bad2a7445e37063a4d6f4f3653b

SHA256
103ab86f7787b2d7000d6f4669d0f2153c6c06f93d0ae25fbdca01399c85910e

SHA512
7a028fb347488572fea4cdc2598dd967a3d09a35c4c6d68a9d27322b1e66ba079a8e611800758d8feb48d9942e9cce6f1dce06ab398adcc8351984595d69a09c

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\SelectUnlock.txt

Filesize
532KB

MD5
a1ee8750f0fa8db2e144636715593c47

SHA1
3a9ce38eed3641579b3c7b43ea8e064d41974d2f

SHA256
2ea34ba47231f4711744eff11b46faedd4415808038a09914f46bda0d7e7794c

SHA512
64e409d7ad1c1116992c77dd8776bf55f5c861b345076cd5473c06991bef424f41314981f906522af720b43ab81e759604f719924f03d9528d0bcd746b544a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\CopyCompress.png

Filesize
361KB

MD5
977189429c65a3e8f8cb78140a98c16b

SHA1
0dd51602f2db2c039158dcf9186780cccc400f83

SHA256
98a771c01ba9dadfed7e28062bcd1d5a304956f7ffb703ea4d8bdbf67c2427d3

SHA512
365d58257d84a3fd4cb1d07bb34c1a298337df9916b833c746f870745d40d01c16a0256d508138560cb13c7d50567dda30402b1021ac7d15e972ff62b3201119

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\WaitPing.jpg

Filesize
871KB

MD5
726a16eb5a2102d6a01bcfc0141eb1e1

SHA1
bf02409a8a871327f5631e9318f867b32f376ff3

SHA256
848bda1b1d4b8aa1da78348411b43bb45f496e35c8f02e355021eb31e10e06c6

SHA512
0b7d77489caed75419c182fd5b2ee62262233f87ab36b41886c07528acf6bd162c6731fc977977f6c5d27fdb28f30213b652373cf6db6cbde88dadb5ce2c4fc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\CompareUnpublish.png

Filesize
682KB

MD5
987c0f7b63925df0a68663386fcb5ad5

SHA1
32ca73418d67aac15951f927b7040d0c99827941

SHA256
9bba98c5c0e7ddfde8627ab57ea7f7d9808876f0c5d4d7d2500ef82429072c34

SHA512
15f046e113e6fb06938dc542993314d086e94f06a37dbe1eaba73a57f76bcb302fd8d911040d2653bb74b087c48d50f7204820f6cd12ef97adc1af86e6169792

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\TraceFormat.png

Filesize
1.4MB

MD5
dcff63c14034c604d1e26b1abbe1ba75

SHA1
ee0e240fe6b0f952c93e850c606d69c33b1349d7

SHA256
c49be4c37b7dda528f0b2c2b9a5efd5290a864aaf53c5b27cfe3307e326dd2e4

SHA512
22e3030ce774d6d3f563cc35cb151805e7f612983e359b8cd6dcccae4f48166b295e4538208b2707fad5f124509e070e77f84a2b21179fe70b291e1a5eb86332

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
114KB

MD5
a4113ed4c49bc5088ab7cb62befd5325

SHA1
9da515c6c9cee1924b120283cc2b4715a76c1ab0

SHA256
e6e5b44affaacaac61de8cc07e7b775fedab8ef911097166090704891b27ab77

SHA512
eb27afcc43f002aab16641df2a0283a5cf05484dc830a946100b42ec0ea86bbb5f0e68b6d703d63bc83efb6590d27ecd7e2d3686932066f5e66b5f7eaf611761

Download Submit
C:\Users\Admin\AppData\Local\Temp\Web.db

Filesize
112KB

MD5
780853cddeaee8de70f28a4b255a600b

SHA1
ad7a5da33f7ad12946153c497e990720b09005ed

SHA256
1055ff62de3dea7645c732583242adf4164bdcfb9dd37d9b35bbb9510d59b0a3

SHA512
e422863112084bb8d11c682482e780cd63c2f20c8e3a93ed3b9efd1b04d53eb5d3c8081851ca89b74d66f3d9ab48eb5f6c74550484f46e7c6e460a8250c9b1d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\_asyncio.pyd

Filesize
34KB

MD5
6de61484aaeedf539f73e361eb186e21

SHA1
07a6ae85f68ca9b7ca147bf587b4af547c28e986

SHA256
2c308a887aa14b64f7853730cb53145856bacf40a1b421c0b06ec41e9a8052ff

SHA512
f9c4a6e8d4c5cb3a1947af234b6e3f08c325a97b14adc371f82430ec787cad17052d6f879575fc574abb92fd122a3a6a14004dce80b36e6e066c6bc43607463d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\_bz2.pyd

Filesize
46KB

MD5
d584d4cfc04f616d406ec196997e706c

SHA1
b7fe2283e5b882823ee0ffcf92c4dd05f195dc4c

SHA256
e1ea9bb42b4184bf3ec29cbe10a6d6370a213d7a40aa6d849129b0d8ec50fda4

SHA512
ccf7cfbf4584401bab8c8e7d221308ca438779849a2eea074758be7d7afe9b73880e80f8f0b15e4dc2e8ae1142d389fee386dc58b603853760b0e7713a3d0b9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\_cffi_backend.cp310-win_amd64.pyd

Filesize
71KB

MD5
12854bf45c91256672927094acb2b31f

SHA1
8ec25f43200b087006b4b34aa2108350c527794a

SHA256
74afa6a2fae4ffb821fba3574c4e028786d7dcc51f1fb7d2629f8f29112c22df

SHA512
6ef26b005328fbc179c7e9c615a8cbf9f19088b0486f928898647342fb01863625779f924ad75b1570659657a0845d85b764e7f7066f7b86f9aaad3da05d3426

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\_ctypes.pyd

Filesize
56KB

MD5
f0077496f3bb6ea93da1d7b5ea1511c2

SHA1
a901ad6e13c1568d023c0dcb2b7d995c68ed2f6a

SHA256
0269ae71e9a7b006aab0802e72987fc308a6f94921d1c9b83c52c636e45035a0

SHA512
4f188746a77ad1c92cefa615278d321912c325a800aa67abb006821a6bdffc145c204c9da6b11474f44faf23376ff7391b94f4a51e6949a1d2576d79db7f27ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\_hashlib.pyd

Filesize
33KB

MD5
0d8ffe48eb5657e5ac6725c7be1d9aa3

SHA1
a39a3dc76f3c7a4b8645bb6c1dc34e50d7e9a287

SHA256
5ad4b3a6287b9d139063383e2bfdc46f51f6f3aaca015b59f9ed58f707fa2a44

SHA512
c26c277196395291a4a42e710af3560e168535e59b708b04343b4a0a926277a93e16fe24673903469b7c96545d6fbf036f149ef21231a759a13147d533d4fc3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\_lzma.pyd

Filesize
84KB

MD5
213a986429a24c61eca7efed8611b28a

SHA1
348f47528a4e8d0a54eb60110db78a6b1543795e

SHA256
457114386ce08d81cb7ac988b1ff60d2fdffc40b3de6d023034b203582d32f5d

SHA512
1e43c2cacc819a2e578437d1329fa1f772fe614167d3ec9b5612b44f216175500e56e3d60a7107b66a5b3121e9e2e49344ebe9ff1b752cae574bb8b60eec42ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\_overlapped.pyd

Filesize
30KB

MD5
b05bce7e8a1ef69679da7d1b4894208f

SHA1
7b2dd612cf76da09d5bd1a9dcd6ba20051d11595

SHA256
9c8edf15e9f0edbc96e3310572a231cdd1c57c693fbfc69278fbbc7c2fc47197

SHA512
27cef9b35a4560c98b4d72e5144a68d068263506ac97f5f813b0f6c7552f4c206c6f9a239bc1d9161aff79742cd4516c86f5997c27b1bd084e03854d6410b8e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\_queue.pyd

Filesize
24KB

MD5
391bf7a40de25751364d52b881bf30e9

SHA1
9ec6ae2df4280213af96b764370957092e476b22

SHA256
ab3c6af282b8bef50c96be53cb74fcaf72befff9ac80bf30950975dea0244826

SHA512
75c3d4f8ece49b42bc70c462da4c4a363704bfc915d11e696f077cc021f07c534fb8635ef480d762f4a6a4457c22f6d4fb89414de5ee77c22f12342f0f24b841

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\_socket.pyd

Filesize
41KB

MD5
02adf34fc4cf0cbb7da84948c6e0a6ce

SHA1
4d5d1adaf743b6bd324642e28d78331059e3342b

SHA256
e92b5042b4a1ca76b84d3070e4adddf100ba5a56cf8e7fcd4dd1483830d786a5

SHA512
da133fc0f9fefed3b483ba782948fcdc508c50ffc141e5e1e29a7ec2628622cdd606c0b0a949098b48ee3f54cdb604842e3ca268c27bc23f169fced3d2fbd0a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\_sqlite3.pyd

Filesize
48KB

MD5
b2b86c10944a124a00a6bcfaf6ddb689

SHA1
4971148b2a8d07b74aa616e2dd618aaf2be9e0db

SHA256
874783af90902a7a8f5b90b018b749de7ddb8ec8412c46f7abe2edfe9c7abe84

SHA512
0a44b508d2a9700db84bd395ff55a6fc3d593d2069f04a56b135ba41fc23ea7726ae131056123d06526c14284bce2dbadd4abf992b3eb27bf9af1e083763556f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\_ssl.pyd

Filesize
60KB

MD5
1af0fbf618468685c9a9541be14b3d24

SHA1
27e8c76192555a912e402635765df2556c1c2b88

SHA256
a46968ca76d6b17f63672a760f33664c3ea27d9356295122069e23d1c90f296a

SHA512
7382a0d3ec2ce560efd2ddd43db8423637af341ce6889d335165b7876b15d08f4de0f228f959dcb90b47814f9f4e0edd02d38a78ddad152ed7bc86791d46bc36

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\_uuid.pyd

Filesize
21KB

MD5
00276ab62a35d7c6022ae787168fe275

SHA1
e34d9a060b8f2f8673f878e64d7369ab99869876

SHA256
3500db7ef67cddd8b969f87b4a76a577b5b326597da968e262c23d2a8c7b426a

SHA512
ea4a46b0f7295b61a268d8df0e2f722b86b596946c421d5d89fe734389a819c9ae8e94b99e554feb4e40497261fa9c3ae7d13fdba1f4ad4f22c650076150682a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\aiohttp\_http_parser.cp310-win_amd64.pyd

Filesize
81KB

MD5
dd9d0763628f9b2e70b7038b06d73295

SHA1
4db36721f9bb10b4640a77768cc5fb71bc4497f4

SHA256
474765bfb74ac3035595fc4e7b430f90e3287ef3b1f1790f680497f16389d3b5

SHA512
d4a0f29ba499a59798b48d9c13944a2443ad54fc0af5f1998121712ceb8f0d5680174f663aa195535f9376d49f42920718d9e0643305af94a683d0827f38676c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\aiohttp\_http_writer.cp310-win_amd64.pyd

Filesize
24KB

MD5
d9cb433ca974a81a0f69ce9754eefdeb

SHA1
b8e48fc211b5a3853dfa43680b8c0a26efd5b488

SHA256
1e4c5c47a2525f2cbb4e72084abb8f4a2fc25a2911e4b75755fd38c7e54467fc

SHA512
5e92109adea864c78134ccaf90d3972c52b6c2caaa1e8e73f1d35b271dd48c27685afa97440af50c07a5d8a30b8d6f5918ec75e49f15e14b4304e63f22f7e5d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\aiohttp\_websocket\mask.cp310-win_amd64.pyd

Filesize
19KB

MD5
a6492b7fc7cd181316d8662271598bc6

SHA1
499a66a2dfbcb365e2d1dd000eb429b7140778c5

SHA256
90110e50555ed2e6f2a2d9a0d357a4c4b4916f82d3e7d1d6e35b5523faba075d

SHA512
891350f141c2be8973379218af7daac143cf2bbd7de6a8e0cd82305543c9e2c26911f71fe01c3b40bfb2d328a6935659233f9bec241cc7a4869a7f86aae66be0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\aiohttp\_websocket\reader_c.cp310-win_amd64.pyd

Filesize
61KB

MD5
a3bd5a2d8b34e92425e76ed493414ba5

SHA1
ff710c32d4b6309131b49c48a60930bc887691b9

SHA256
3cfaa74ce93217153b452cd679ca6cb6f4ac325a13182257c5c84942a76b9279

SHA512
493e98ccaa4864e082766b48122f5d63ef0af97d2ded90bb513c69f7cc8768e43ff710175a0e50f22901d89ed6bfa2814f365a0bd651060c93a722f6fa746ab4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\base_library.zip

Filesize
812KB

MD5
fbd6be906ac7cd45f1d98f5cb05f8275

SHA1
5d563877a549f493da805b4d049641604a6a0408

SHA256
ae35709e6b8538827e3999e61a0345680c5167962296ac7bef62d6b813227fb0

SHA512
1547b02875f3e547c4f5e15c964719c93d7088c7f4fd044f6561bebd29658a54ef044211f9d5cfb4570ca49ed0f17b08011d27fe85914e8c3ea12024c8071e8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\cryptography\hazmat\bindings\_rust.pyd

Filesize
2.0MB

MD5
dc7227f2116f68a1999bf3ade5fd9ed3

SHA1
68c348f1fed2fb02f97800098c2f17726364f504

SHA256
2cefdad9b9ba1669eb840179a6117f0f741b6e374c6b0e86699a8768869a5482

SHA512
d04b5956076ebc80e392c197e5fcb109837039a367fda44eb28bcbe1fdaaae50405e7634b4a98627c768cff737589d052ccfbebe01c3a3326c5d4eca34afd777

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\frozenlist\_frozenlist.cp310-win_amd64.pyd

Filesize
36KB

MD5
138e9bafcd6ae1c6f677909f18d61705

SHA1
b95b8d50dd8e90820bc7b43b1511475cf6f723b0

SHA256
29275eaf3788818a394e827393382dce9e4ee382d9bba9528a819c6a00147bd3

SHA512
98633517343d7fcf51936be135a795d4ffd6de6645739aa498a8f9c8fce890f522c7c0946d68f46f122c07f96a03b662679173d4a78b9e04c244ea6f6665e29d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\libcrypto-1_1.dll

Filesize
1.1MB

MD5
9c2ffedb0ae90b3985e5cdbedd3363e9

SHA1
a475fbe289a716e1fbe2eab97f76dbba1da322a9

SHA256
7c9418ad6fb6d15acb7d340b7a6533f76337ad302a18e2b4e08d4ee37689913a

SHA512
70d2635d42e24c7426cf5306ed010808f2222049915adb43ffc12c13259c8e7a9fee3a49e096d5ba2b6b733fef18574823d00df2e8d7fb1532e1d65d0c478008

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\libffi-7.dll

Filesize
23KB

MD5
8e1d2a11b94e84eaa382d6a680d93f17

SHA1
07750d78022d387292525a7d8385687229795cf1

SHA256
090a90cd17b74abefddf9f82d145effe5c676e7c62cf1a59834528f512d7ee82

SHA512
213bf92a707b14211941e5e071f1926be4b5795babc6df0d168b623ecd6cb7c7e0ae4320369c51d75c75b38ec282b5bf77f15eb94018ae74c8fd14f328b45a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\libssl-1_1.dll

Filesize
203KB

MD5
87bb1a8526b475445b2d7fd298c57587

SHA1
aaad18ea92b132ca74942fd5a9f4c901d02d9b09

SHA256
c35a97d8f24ea84d1e39a8621b6b3027c9ac24885bdd37386c9fcaad1858419d

SHA512
956bd8e9f35c917cbfb570fc633bb2df0d1c2686731fa7179f5e7cd8789e665dd6ff8443e712eafa4e3f8d8661f933cb5675aeb1a2efc195c3bb32211e6d2506

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\multidict\_multidict.cp310-win_amd64.pyd

Filesize
20KB

MD5
07adf002b8bab71368fd904e8daa545c

SHA1
bd38ea6cca7f10660725c7df533fe33a349a11ea

SHA256
781496f2ae8d0a1cd2899bd643adee7813b33441f0f2c6177ab108148b5109ba

SHA512
20d4747890c957becb15136b4f16280356b74dcd159dac0f93cf853820a88dab5cb86f6e1ef0eff140f35443cdffe81ae0e05bccc573dbd3f54cda9ce0b2633d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\propcache\_helpers_c.cp310-win_amd64.pyd

Filesize
31KB

MD5
8844cbded1ec4002772c545e8ac52c7b

SHA1
3f7159995343509b58077af51a90636c66c86512

SHA256
7b9e72f2f20599fc2e00756430208eebb6fecb97fcf586bfc2a69bd92d99009d

SHA512
3cc54ac3d3410bb7a7372dcc65e545df4c777dfcc9c2d097ccb2006298b9eaed71a217656daeaba1a2b578a89a9f7204e7092c99121d796d1028c967c5b10fa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\python3.DLL

Filesize
63KB

MD5
c17b7a4b853827f538576f4c3521c653

SHA1
6115047d02fbbad4ff32afb4ebd439f5d529485a

SHA256
d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68

SHA512
8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\python310.dll

Filesize
1.4MB

MD5
196deb9a74e6e9e242f04008ea80f7d3

SHA1
a54373ebad306f3e6f585bcdf1544fbdcf9c0386

SHA256
20b004bfe69166c4961fee93163e795746df39fb31dc67399c0fde57f551eb75

SHA512
8c226d3ef21f3ddeee14a098c60ef030fa78590e9505d015ce63ea5e5bbcea2e105ff818e94653df1bddc9ba6ed3b376a1dff5c19266b623fa22cd75ac263b68

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\select.pyd

Filesize
24KB

MD5
16be2c5990fe8df5a6d98b0ba173084d

SHA1
572cb2107ff287928501dc8f5ae4a748e911d82d

SHA256
65de0eb0f1aa5830a99d46a1b2260aaa0608ed28e33a4b0ffe43fd891f426f76

SHA512
afa991c407548da16150ad6792a5233688cc042585538d510ac99c2cb1a6ee2144f31aa639065da4c2670f54f947947860a90ec1bde7c2afaa250e758b956dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\sqlite3.dll

Filesize
608KB

MD5
4357c9ab90f329f6cbc8fe6bc44a8a97

SHA1
2ec6992da815dcdb9a009d41d7f2879ea8f8b3f3

SHA256
eb1b1679d90d6114303f490de14931957cdfddf7d4311b3e5bacac4e4dc590ba

SHA512
a245971a4e3f73a6298c949052457fbaece970678362e2e5bf8bd6e2446d18d157ad3f1d934dae4e375ab595c84206381388fb6de6b17b9df9f315042234343a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\unicodedata.pyd

Filesize
287KB

MD5
d296d76daf56777da51fec9506d07c6a

SHA1
c012b7d74e68b126a5c20ac4f8408cebacbbf98d

SHA256
05201ceb3dba9395f6ac15a069d94720b9c2b5c6199447105e9bc29d7994c838

SHA512
15eed0ab1989e01b57e10f886a69a0cca2fff0a37cc886f4e3bc5c08684536cb61ff2551d75c62137c97aa455d6f2b99aab7ae339ea98870bb4116f63508deb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI39082\yarl\_quoting_c.cp310-win_amd64.pyd

Filesize
41KB

MD5
a5c18baac54c07391cd2e162a777c15b

SHA1
79f4fc478997ab56ce915965f906d7c20887719b

SHA256
3b649d8f5a4ba5419ed4d8290ed4c9fa809ad8fad9de36b78a41bb0c03bde60c

SHA512
bf19d9e48c95667cecd9662b4c6d8cecdf1b3a7993a1776aac89bd91d6c77b6db4cbbe7ab1ec9e472f8ce7e8fbc31da344af4a8285a09c46029728edc61b5fc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0hbhigb0.ocd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/336-238-0x00007FFFF7170000-0x00007FFFF7188000-memory.dmp

Filesize
96KB

Download
memory/336-76-0x00007FF800540000-0x00007FF80055F000-memory.dmp

Filesize
124KB

Download
memory/336-133-0x00007FFFF2220000-0x00007FFFF2252000-memory.dmp

Filesize
200KB

Download
memory/336-134-0x00007FFFFB930000-0x00007FFFFB945000-memory.dmp

Filesize
84KB

Download
memory/336-144-0x00007FFFEB900000-0x00007FFFEC0FB000-memory.dmp

Filesize
8.0MB

Download
memory/336-143-0x00007FFFFB280000-0x00007FFFFB294000-memory.dmp

Filesize
80KB

Download
memory/336-141-0x00007FFFF21F0000-0x00007FFFF220E000-memory.dmp

Filesize
120KB

Download
memory/336-138-0x00007FFFF2210000-0x00007FFFF221A000-memory.dmp

Filesize
40KB

Download
memory/336-137-0x00007FF802E80000-0x00007FF802E90000-memory.dmp

Filesize
64KB

Download
memory/336-131-0x000001F9616D0000-0x000001F961A45000-memory.dmp

Filesize
3.5MB

Download
memory/336-128-0x00007FFFF28C0000-0x00007FFFF290D000-memory.dmp

Filesize
308KB

Download
memory/336-126-0x00007FFFEC1F0000-0x00007FFFEC565000-memory.dmp

Filesize
3.5MB

Download
memory/336-124-0x00007FFFFB950000-0x00007FFFFBA08000-memory.dmp

Filesize
736KB

Download
memory/336-148-0x00007FFFECAF0000-0x00007FFFECB27000-memory.dmp

Filesize
220KB

Download
memory/336-147-0x00007FFFFB250000-0x00007FFFFB272000-memory.dmp

Filesize
136KB

Download
memory/336-121-0x00007FFFF7170000-0x00007FFFF7188000-memory.dmp

Filesize
96KB

Download
memory/336-161-0x00007FFFFAED0000-0x00007FFFFAEEB000-memory.dmp

Filesize
108KB

Download
memory/336-200-0x00007FFFECD80000-0x00007FFFECD8D000-memory.dmp

Filesize
52KB

Download
memory/336-120-0x00007FFFFBA10000-0x00007FFFFBA3E000-memory.dmp

Filesize
184KB

Download
memory/336-112-0x00007FF800540000-0x00007FF80055F000-memory.dmp

Filesize
124KB

Download
memory/336-50-0x00007FFFEC570000-0x00007FFFEC9DE000-memory.dmp

Filesize
4.4MB

Download
memory/336-215-0x00007FFFF28C0000-0x00007FFFF290D000-memory.dmp

Filesize
308KB

Download
memory/336-218-0x00007FFFF2220000-0x00007FFFF2252000-memory.dmp

Filesize
200KB

Download
memory/336-227-0x00007FFFF9F20000-0x00007FFFFA091000-memory.dmp

Filesize
1.4MB

Download
memory/336-232-0x00007FF802E80000-0x00007FF802E90000-memory.dmp

Filesize
64KB

Download
memory/336-245-0x00007FFFECAF0000-0x00007FFFECB27000-memory.dmp

Filesize
220KB

Download
memory/336-239-0x00007FFFF28C0000-0x00007FFFF290D000-memory.dmp

Filesize
308KB

Download
memory/336-115-0x00007FFFF9F20000-0x00007FFFFA091000-memory.dmp

Filesize
1.4MB

Download
memory/336-231-0x00007FFFFB930000-0x00007FFFFB945000-memory.dmp

Filesize
84KB

Download
memory/336-230-0x00007FFFEC1F0000-0x00007FFFEC565000-memory.dmp

Filesize
3.5MB

Download
memory/336-229-0x00007FFFFB950000-0x00007FFFFBA08000-memory.dmp

Filesize
736KB

Download
memory/336-228-0x00007FFFFBA10000-0x00007FFFFBA3E000-memory.dmp

Filesize
184KB

Download
memory/336-219-0x00007FFFEC570000-0x00007FFFEC9DE000-memory.dmp

Filesize
4.4MB

Download
memory/336-226-0x00007FF800540000-0x00007FF80055F000-memory.dmp

Filesize
124KB

Download
memory/336-220-0x00007FF800560000-0x00007FF800584000-memory.dmp

Filesize
144KB

Download
memory/336-244-0x00007FFFEB900000-0x00007FFFEC0FB000-memory.dmp

Filesize
8.0MB

Download
memory/336-269-0x00007FFFFB930000-0x00007FFFFB945000-memory.dmp

Filesize
84KB

Download
memory/336-276-0x00007FFFF7170000-0x00007FFFF7188000-memory.dmp

Filesize
96KB

Download
memory/336-266-0x00007FFFFBA10000-0x00007FFFFBA3E000-memory.dmp

Filesize
184KB

Download
memory/336-257-0x00007FFFEC570000-0x00007FFFEC9DE000-memory.dmp

Filesize
4.4MB

Download
memory/336-285-0x00007FFFEC570000-0x00007FFFEC9DE000-memory.dmp

Filesize
4.4MB

Download
memory/336-116-0x00007FFFFAED0000-0x00007FFFFAEEB000-memory.dmp

Filesize
108KB

Download
memory/336-113-0x00007FFFF9E00000-0x00007FFFF9F18000-memory.dmp

Filesize
1.1MB

Download
memory/336-109-0x00007FFFFB250000-0x00007FFFFB272000-memory.dmp

Filesize
136KB

Download
memory/336-108-0x00007FF800420000-0x00007FF80044D000-memory.dmp

Filesize
180KB

Download
memory/336-104-0x00007FFFFB280000-0x00007FFFFB294000-memory.dmp

Filesize
80KB

Download
memory/336-102-0x00007FFFFB2A0000-0x00007FFFFB2B4000-memory.dmp

Filesize
80KB

Download
memory/336-97-0x00007FF804CA0000-0x00007FF804CB9000-memory.dmp

Filesize
100KB

Download
memory/336-98-0x00007FF802E80000-0x00007FF802E90000-memory.dmp

Filesize
64KB

Download
memory/336-94-0x00007FFFFB930000-0x00007FFFFB945000-memory.dmp

Filesize
84KB

Download
memory/336-87-0x00007FFFEC570000-0x00007FFFEC9DE000-memory.dmp

Filesize
4.4MB

Download
memory/336-90-0x000001F9616D0000-0x000001F961A45000-memory.dmp

Filesize
3.5MB

Download
memory/336-91-0x00007FF800560000-0x00007FF800584000-memory.dmp

Filesize
144KB

Download
memory/336-89-0x00007FFFEC1F0000-0x00007FFFEC565000-memory.dmp

Filesize
3.5MB

Download
memory/336-88-0x00007FFFFB950000-0x00007FFFFBA08000-memory.dmp

Filesize
736KB

Download
memory/336-82-0x00007FFFFBA10000-0x00007FFFFBA3E000-memory.dmp

Filesize
184KB

Download
memory/336-78-0x00007FFFF9F20000-0x00007FFFFA091000-memory.dmp

Filesize
1.4MB

Download
memory/336-132-0x00007FFFF2300000-0x00007FFFF2311000-memory.dmp

Filesize
68KB

Download
memory/336-72-0x00007FF800420000-0x00007FF80044D000-memory.dmp

Filesize
180KB

Download
memory/336-70-0x00007FF802D90000-0x00007FF802DA9000-memory.dmp

Filesize
100KB

Download
memory/336-67-0x00007FF802E90000-0x00007FF802E9D000-memory.dmp

Filesize
52KB

Download
memory/336-531-0x00007FFFFB250000-0x00007FFFFB272000-memory.dmp

Filesize
136KB

Download
memory/336-524-0x00007FFFFB950000-0x00007FFFFBA08000-memory.dmp

Filesize
736KB

Download
memory/336-514-0x00007FFFF2220000-0x00007FFFF2252000-memory.dmp

Filesize
200KB

Download
memory/336-535-0x00007FFFF28C0000-0x00007FFFF290D000-memory.dmp

Filesize
308KB

Download
memory/336-541-0x00007FFFECD80000-0x00007FFFECD8D000-memory.dmp

Filesize
52KB

Download
memory/336-540-0x00007FFFECAF0000-0x00007FFFECB27000-memory.dmp

Filesize
220KB

Download
memory/336-539-0x00007FFFEB900000-0x00007FFFEC0FB000-memory.dmp

Filesize
8.0MB

Download
memory/336-538-0x00007FFFF21F0000-0x00007FFFF220E000-memory.dmp

Filesize
120KB

Download
memory/336-537-0x00007FFFF2210000-0x00007FFFF221A000-memory.dmp

Filesize
40KB

Download
memory/336-536-0x00007FFFEC1F0000-0x00007FFFEC565000-memory.dmp

Filesize
3.5MB

Download
memory/336-534-0x00007FFFF7170000-0x00007FFFF7188000-memory.dmp

Filesize
96KB

Download
memory/336-533-0x00007FFFFAED0000-0x00007FFFFAEEB000-memory.dmp

Filesize
108KB

Download
memory/336-532-0x00007FFFF9E00000-0x00007FFFF9F18000-memory.dmp

Filesize
1.1MB

Download
memory/336-530-0x00007FFFFB280000-0x00007FFFFB294000-memory.dmp

Filesize
80KB

Download
memory/336-529-0x00007FFFFB2A0000-0x00007FFFFB2B4000-memory.dmp

Filesize
80KB

Download
memory/336-528-0x00007FF802E80000-0x00007FF802E90000-memory.dmp

Filesize
64KB

Download
memory/336-527-0x00007FFFFB930000-0x00007FFFFB945000-memory.dmp

Filesize
84KB

Download
memory/336-526-0x00007FFFEC570000-0x00007FFFEC9DE000-memory.dmp

Filesize
4.4MB

Download
memory/336-525-0x00007FFFF2300000-0x00007FFFF2311000-memory.dmp

Filesize
68KB

Download
memory/336-523-0x00007FFFFBA10000-0x00007FFFFBA3E000-memory.dmp

Filesize
184KB

Download
memory/336-522-0x00007FFFF9F20000-0x00007FFFFA091000-memory.dmp

Filesize
1.4MB

Download
memory/336-521-0x00007FF800540000-0x00007FF80055F000-memory.dmp

Filesize
124KB

Download
memory/336-520-0x00007FF800420000-0x00007FF80044D000-memory.dmp

Filesize
180KB

Download
memory/336-519-0x00007FF802D90000-0x00007FF802DA9000-memory.dmp

Filesize
100KB

Download
memory/336-518-0x00007FF802E90000-0x00007FF802E9D000-memory.dmp

Filesize
52KB

Download
memory/336-517-0x00007FF804CA0000-0x00007FF804CB9000-memory.dmp

Filesize
100KB

Download
memory/336-516-0x00007FF805120000-0x00007FF80512F000-memory.dmp

Filesize
60KB

Download
memory/336-515-0x00007FF800560000-0x00007FF800584000-memory.dmp

Filesize
144KB

Download
memory/336-60-0x00007FF805120000-0x00007FF80512F000-memory.dmp

Filesize
60KB

Download
memory/336-58-0x00007FF800560000-0x00007FF800584000-memory.dmp

Filesize
144KB

Download
memory/336-64-0x00007FF804CA0000-0x00007FF804CB9000-memory.dmp

Filesize
100KB

Download
memory/652-210-0x000001AD1DC80000-0x000001AD1DCA2000-memory.dmp

Filesize
136KB

Download
memory/1984-599-0x00007FFFEC1F0000-0x00007FFFEC565000-memory.dmp

Filesize
3.5MB

Download
memory/1984-596-0x00007FFFF9F20000-0x00007FFFFA091000-memory.dmp

Filesize
1.4MB

Download
memory/1984-603-0x00007FF800540000-0x00007FF800555000-memory.dmp

Filesize
84KB

Download
memory/1984-604-0x00007FF802F30000-0x00007FF802F49000-memory.dmp

Filesize
100KB

Download
memory/1984-602-0x00007FF802F50000-0x00007FF802F5F000-memory.dmp

Filesize
60KB

Download
memory/1984-598-0x00007FFFF9EF0000-0x00007FFFF9F1E000-memory.dmp

Filesize
184KB

Download
memory/1984-597-0x00007FFFEC570000-0x00007FFFEC9DE000-memory.dmp

Filesize
4.4MB

Download
memory/1984-601-0x00007FFFF9E30000-0x00007FFFF9EE8000-memory.dmp

Filesize
736KB

Download
memory/1984-600-0x00007FF802F60000-0x00007FF802F84000-memory.dmp

Filesize
144KB

Download
memory/1984-591-0x00007FF802F30000-0x00007FF802F49000-memory.dmp

Filesize
100KB

Download
memory/1984-594-0x00007FFFFA0A0000-0x00007FFFFA0CD000-memory.dmp

Filesize
180KB

Download
memory/1984-592-0x00007FF802F20000-0x00007FF802F2D000-memory.dmp

Filesize
52KB

Download
memory/1984-595-0x00007FF8005C0000-0x00007FF8005DF000-memory.dmp

Filesize
124KB

Download
memory/1984-607-0x00007FFFFAED0000-0x00007FFFFAEE4000-memory.dmp

Filesize
80KB

Download
memory/1984-606-0x00007FFFFB530000-0x00007FFFFB544000-memory.dmp

Filesize
80KB

Download
memory/1984-608-0x00007FFFF9E00000-0x00007FFFF9E22000-memory.dmp

Filesize
136KB

Download
memory/1984-605-0x00007FF8027F0000-0x00007FF802800000-memory.dmp

Filesize
64KB

Download
memory/1984-589-0x00007FF802F60000-0x00007FF802F84000-memory.dmp

Filesize
144KB

Download
memory/1984-590-0x00007FF802F50000-0x00007FF802F5F000-memory.dmp

Filesize
60KB

Download
memory/1984-588-0x00007FFFEC570000-0x00007FFFEC9DE000-memory.dmp

Filesize
4.4MB

Download
memory/1984-593-0x00007FF802800000-0x00007FF802819000-memory.dmp

Filesize
100KB

Download