exelastealer | hxxps://rentry[.]co/asar/raw

Analysis

max time kernel
141s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10-07-2024 14:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://rentry.co/asar/raw

Score

10^/10

exelastealer defense_evasion evasion persistence privilege_escalation pyinstaller spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4512	netsh.exe
2284	netsh.exe

Executes dropped EXE 4 IoCs

pid	Process
4220	winAPI.exe
3716	usrgcp.exe
2752	usrgcp.exe
3040	winAPI.exe

Loads dropped DLL 26 IoCs

pid	Process
2752	usrgcp.exe
2752	usrgcp.exe
2752	usrgcp.exe
2752	usrgcp.exe
2752	usrgcp.exe
2752	usrgcp.exe
2752	usrgcp.exe
2752	usrgcp.exe
2752	usrgcp.exe
2752	usrgcp.exe
2752	usrgcp.exe
2752	usrgcp.exe
2752	usrgcp.exe
2752	usrgcp.exe
2752	usrgcp.exe
2752	usrgcp.exe
2752	usrgcp.exe
2752	usrgcp.exe
2752	usrgcp.exe
2752	usrgcp.exe
2752	usrgcp.exe
2752	usrgcp.exe
2752	usrgcp.exe
2752	usrgcp.exe
2752	usrgcp.exe
2752	usrgcp.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023651-950.dat	upx
behavioral1/memory/2752-953-0x00007FFD5CE90000-0x00007FFD5D478000-memory.dmp	upx
behavioral1/files/0x0007000000023602-973.dat	upx
behavioral1/files/0x000700000002364b-978.dat	upx
behavioral1/memory/2752-996-0x00007FFD76E80000-0x00007FFD76E8F000-memory.dmp	upx
behavioral1/memory/2752-995-0x00007FFD6FD70000-0x00007FFD6FD94000-memory.dmp	upx
behavioral1/memory/2752-1001-0x00007FFD6CC20000-0x00007FFD6CC43000-memory.dmp	upx
behavioral1/memory/2752-1002-0x00007FFD5CD10000-0x00007FFD5CE83000-memory.dmp	upx
behavioral1/memory/2752-1000-0x00007FFD6E960000-0x00007FFD6E98D000-memory.dmp	upx
behavioral1/memory/2752-1003-0x00007FFD66F60000-0x00007FFD66F8E000-memory.dmp	upx
behavioral1/memory/2752-999-0x00007FFD6FBB0000-0x00007FFD6FBC9000-memory.dmp	upx
behavioral1/memory/2752-998-0x00007FFD709A0000-0x00007FFD709AD000-memory.dmp	upx
behavioral1/memory/2752-997-0x00007FFD6FCD0000-0x00007FFD6FCE9000-memory.dmp	upx
behavioral1/memory/2752-1005-0x00007FFD5C8D0000-0x00007FFD5C988000-memory.dmp	upx
behavioral1/memory/2752-1004-0x00007FFD5C990000-0x00007FFD5CD05000-memory.dmp	upx
behavioral1/memory/2752-1009-0x00007FFD5C700000-0x00007FFD5C714000-memory.dmp	upx
behavioral1/memory/2752-1008-0x00007FFD5C720000-0x00007FFD5C734000-memory.dmp	upx
behavioral1/memory/2752-1010-0x00007FFD5C5E0000-0x00007FFD5C6FC000-memory.dmp	upx
behavioral1/memory/2752-1013-0x00007FFD6FF10000-0x00007FFD6FF1A000-memory.dmp	upx
behavioral1/memory/2752-1012-0x00007FFD5C5B0000-0x00007FFD5C5D2000-memory.dmp	upx
behavioral1/memory/2752-1007-0x00007FFD5D980000-0x00007FFD5D992000-memory.dmp	upx
behavioral1/memory/2752-1006-0x00007FFD612C0000-0x00007FFD612D5000-memory.dmp	upx
behavioral1/memory/2752-1014-0x00007FFD5BEB0000-0x00007FFD5C5A5000-memory.dmp	upx
behavioral1/memory/2752-1015-0x00007FFD5BE70000-0x00007FFD5BEA8000-memory.dmp	upx
behavioral1/memory/2752-1099-0x00007FFD77B30000-0x00007FFD77B3D000-memory.dmp	upx
behavioral1/memory/2752-1098-0x00007FFD5CE90000-0x00007FFD5D478000-memory.dmp	upx
behavioral1/memory/2752-1119-0x00007FFD6FD70000-0x00007FFD6FD94000-memory.dmp	upx
behavioral1/memory/2752-1130-0x00007FFD5C990000-0x00007FFD5CD05000-memory.dmp	upx
behavioral1/memory/2752-1143-0x00007FFD6CC20000-0x00007FFD6CC43000-memory.dmp	upx
behavioral1/memory/2752-1144-0x00007FFD5CD10000-0x00007FFD5CE83000-memory.dmp	upx
behavioral1/memory/2752-1142-0x00007FFD6FCD0000-0x00007FFD6FCE9000-memory.dmp	upx
behavioral1/memory/2752-1140-0x00007FFD5BE70000-0x00007FFD5BEA8000-memory.dmp	upx
behavioral1/memory/2752-1139-0x00007FFD5BEB0000-0x00007FFD5C5A5000-memory.dmp	upx
behavioral1/memory/2752-1137-0x00007FFD5C5B0000-0x00007FFD5C5D2000-memory.dmp	upx
behavioral1/memory/2752-1133-0x00007FFD5D980000-0x00007FFD5D992000-memory.dmp	upx
behavioral1/memory/2752-1132-0x00007FFD612C0000-0x00007FFD612D5000-memory.dmp	upx
behavioral1/memory/2752-1131-0x00007FFD5C8D0000-0x00007FFD5C988000-memory.dmp	upx
behavioral1/memory/2752-1120-0x00007FFD5CE90000-0x00007FFD5D478000-memory.dmp	upx
behavioral1/memory/2752-1129-0x00007FFD66F60000-0x00007FFD66F8E000-memory.dmp	upx
behavioral1/memory/2752-1154-0x00007FFD612C0000-0x00007FFD612D5000-memory.dmp	upx
behavioral1/memory/2752-1168-0x00007FFD5C8D0000-0x00007FFD5C988000-memory.dmp	upx
behavioral1/memory/2752-1179-0x00007FFD5C5B0000-0x00007FFD5C5D2000-memory.dmp	upx
behavioral1/memory/2752-1169-0x00007FFD612C0000-0x00007FFD612D5000-memory.dmp	upx
behavioral1/memory/2752-1167-0x00007FFD5C990000-0x00007FFD5CD05000-memory.dmp	upx
behavioral1/memory/2752-1166-0x00007FFD66F60000-0x00007FFD66F8E000-memory.dmp	upx
behavioral1/memory/2752-1157-0x00007FFD5CE90000-0x00007FFD5D478000-memory.dmp	upx
behavioral1/memory/2752-1180-0x00007FFD5CE90000-0x00007FFD5D478000-memory.dmp	upx
behavioral1/memory/2752-1443-0x00007FFD66F60000-0x00007FFD66F8E000-memory.dmp	upx
behavioral1/memory/2752-1477-0x00007FFD77B30000-0x00007FFD77B3D000-memory.dmp	upx
behavioral1/memory/2752-1476-0x00007FFD5BE70000-0x00007FFD5BEA8000-memory.dmp	upx
behavioral1/memory/2752-1475-0x00007FFD5BEB0000-0x00007FFD5C5A5000-memory.dmp	upx
behavioral1/memory/2752-1474-0x00007FFD6FF10000-0x00007FFD6FF1A000-memory.dmp	upx
behavioral1/memory/2752-1473-0x00007FFD5C5B0000-0x00007FFD5C5D2000-memory.dmp	upx
behavioral1/memory/2752-1472-0x00007FFD5C5E0000-0x00007FFD5C6FC000-memory.dmp	upx
behavioral1/memory/2752-1471-0x00007FFD5C700000-0x00007FFD5C714000-memory.dmp	upx
behavioral1/memory/2752-1470-0x00007FFD5C720000-0x00007FFD5C734000-memory.dmp	upx
behavioral1/memory/2752-1469-0x00007FFD5D980000-0x00007FFD5D992000-memory.dmp	upx
behavioral1/memory/2752-1468-0x00007FFD612C0000-0x00007FFD612D5000-memory.dmp	upx
behavioral1/memory/2752-1467-0x00007FFD5C8D0000-0x00007FFD5C988000-memory.dmp	upx
behavioral1/memory/2752-1466-0x00007FFD5C990000-0x00007FFD5CD05000-memory.dmp	upx
behavioral1/memory/2752-1442-0x00007FFD5CD10000-0x00007FFD5CE83000-memory.dmp	upx
behavioral1/memory/2752-1441-0x00007FFD6CC20000-0x00007FFD6CC43000-memory.dmp	upx
behavioral1/memory/2752-1440-0x00007FFD6E960000-0x00007FFD6E98D000-memory.dmp	upx
behavioral1/memory/2752-1439-0x00007FFD6FBB0000-0x00007FFD6FBC9000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela Update Service = "C:\\Users\\Admin\\AppData\\Local\\ExelaUpdateService\\Exela.exe"	reg.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
139	ip-api.com

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4736	cmd.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4100	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x00070000000235fb-864.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
4716	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5060	WMIC.exe

Enumerates processes with tasklist 1 TTPs 5 IoCs

Process Discovery

T1057

pid	Process
1472	tasklist.exe
2216	tasklist.exe
3628	tasklist.exe
2820	tasklist.exe
2992	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1732	ipconfig.exe
3660	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4580	systeminfo.exe

Kills process with taskkill 11 IoCs

evasion

pid	Process
4476	taskkill.exe
316	taskkill.exe
2104	taskkill.exe
4796	taskkill.exe
224	taskkill.exe
4516	taskkill.exe
2392	taskkill.exe
3428	taskkill.exe
2984	taskkill.exe
5044	taskkill.exe
2460	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 415056.crdownload:SmartScreen	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2148	msedge.exe
2148	msedge.exe
216	msedge.exe
216	msedge.exe
4816	identity_helper.exe
4816	identity_helper.exe
4568	msedge.exe
4568	msedge.exe
1008	powershell.exe
1008	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 23 IoCs

pid	Process
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	3980	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3980	AUDIODG.EXE
Token: SeIncreaseQuotaPrivilege	5060	WMIC.exe
Token: SeSecurityPrivilege	5060	WMIC.exe
Token: SeTakeOwnershipPrivilege	5060	WMIC.exe
Token: SeLoadDriverPrivilege	5060	WMIC.exe
Token: SeSystemProfilePrivilege	5060	WMIC.exe
Token: SeSystemtimePrivilege	5060	WMIC.exe
Token: SeProfSingleProcessPrivilege	5060	WMIC.exe
Token: SeIncBasePriorityPrivilege	5060	WMIC.exe
Token: SeCreatePagefilePrivilege	5060	WMIC.exe
Token: SeBackupPrivilege	5060	WMIC.exe
Token: SeRestorePrivilege	5060	WMIC.exe
Token: SeShutdownPrivilege	5060	WMIC.exe
Token: SeDebugPrivilege	5060	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5060	WMIC.exe
Token: SeRemoteShutdownPrivilege	5060	WMIC.exe
Token: SeUndockPrivilege	5060	WMIC.exe
Token: SeManageVolumePrivilege	5060	WMIC.exe
Token: 33	5060	WMIC.exe
Token: 34	5060	WMIC.exe
Token: 35	5060	WMIC.exe
Token: 36	5060	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2456	WMIC.exe
Token: SeSecurityPrivilege	2456	WMIC.exe
Token: SeTakeOwnershipPrivilege	2456	WMIC.exe
Token: SeLoadDriverPrivilege	2456	WMIC.exe
Token: SeSystemProfilePrivilege	2456	WMIC.exe
Token: SeSystemtimePrivilege	2456	WMIC.exe
Token: SeProfSingleProcessPrivilege	2456	WMIC.exe
Token: SeIncBasePriorityPrivilege	2456	WMIC.exe
Token: SeCreatePagefilePrivilege	2456	WMIC.exe
Token: SeBackupPrivilege	2456	WMIC.exe
Token: SeRestorePrivilege	2456	WMIC.exe
Token: SeShutdownPrivilege	2456	WMIC.exe
Token: SeDebugPrivilege	2456	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2456	WMIC.exe
Token: SeRemoteShutdownPrivilege	2456	WMIC.exe
Token: SeUndockPrivilege	2456	WMIC.exe
Token: SeManageVolumePrivilege	2456	WMIC.exe
Token: 33	2456	WMIC.exe
Token: 34	2456	WMIC.exe
Token: 35	2456	WMIC.exe
Token: 36	2456	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5060	WMIC.exe
Token: SeSecurityPrivilege	5060	WMIC.exe
Token: SeTakeOwnershipPrivilege	5060	WMIC.exe
Token: SeLoadDriverPrivilege	5060	WMIC.exe
Token: SeSystemProfilePrivilege	5060	WMIC.exe
Token: SeSystemtimePrivilege	5060	WMIC.exe
Token: SeProfSingleProcessPrivilege	5060	WMIC.exe
Token: SeIncBasePriorityPrivilege	5060	WMIC.exe
Token: SeCreatePagefilePrivilege	5060	WMIC.exe
Token: SeBackupPrivilege	5060	WMIC.exe
Token: SeRestorePrivilege	5060	WMIC.exe
Token: SeShutdownPrivilege	5060	WMIC.exe
Token: SeDebugPrivilege	5060	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5060	WMIC.exe
Token: SeRemoteShutdownPrivilege	5060	WMIC.exe
Token: SeUndockPrivilege	5060	WMIC.exe
Token: SeManageVolumePrivilege	5060	WMIC.exe
Token: 33	5060	WMIC.exe
Token: 34	5060	WMIC.exe
Token: 35	5060	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe
216	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 216 wrote to memory of 3984	216	msedge.exe	83
PID 216 wrote to memory of 3984	216	msedge.exe	83
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 748	216	msedge.exe	85
PID 216 wrote to memory of 2148	216	msedge.exe	86
PID 216 wrote to memory of 2148	216	msedge.exe	86
PID 216 wrote to memory of 2232	216	msedge.exe	87
PID 216 wrote to memory of 2232	216	msedge.exe	87
PID 216 wrote to memory of 2232	216	msedge.exe	87
PID 216 wrote to memory of 2232	216	msedge.exe	87
PID 216 wrote to memory of 2232	216	msedge.exe	87
PID 216 wrote to memory of 2232	216	msedge.exe	87
PID 216 wrote to memory of 2232	216	msedge.exe	87
PID 216 wrote to memory of 2232	216	msedge.exe	87
PID 216 wrote to memory of 2232	216	msedge.exe	87
PID 216 wrote to memory of 2232	216	msedge.exe	87
PID 216 wrote to memory of 2232	216	msedge.exe	87
PID 216 wrote to memory of 2232	216	msedge.exe	87
PID 216 wrote to memory of 2232	216	msedge.exe	87
PID 216 wrote to memory of 2232	216	msedge.exe	87
PID 216 wrote to memory of 2232	216	msedge.exe	87
PID 216 wrote to memory of 2232	216	msedge.exe	87
PID 216 wrote to memory of 2232	216	msedge.exe	87
PID 216 wrote to memory of 2232	216	msedge.exe	87
PID 216 wrote to memory of 2232	216	msedge.exe	87
PID 216 wrote to memory of 2232	216	msedge.exe	87

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2076	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://rentry.co/asar/raw
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd706846f8,0x7ffd70684708,0x7ffd70684718
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,9354152850811863048,6390792144270204711,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2036 /prefetch:2
  2⤵
  PID:748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,9354152850811863048,6390792144270204711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2428 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,9354152850811863048,6390792144270204711,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
  2⤵
  PID:2232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9354152850811863048,6390792144270204711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9354152850811863048,6390792144270204711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:384
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,9354152850811863048,6390792144270204711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,9354152850811863048,6390792144270204711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9354152850811863048,6390792144270204711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9354152850811863048,6390792144270204711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9354152850811863048,6390792144270204711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9354152850811863048,6390792144270204711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9354152850811863048,6390792144270204711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9354152850811863048,6390792144270204711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9354152850811863048,6390792144270204711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5960 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2028,9354152850811863048,6390792144270204711,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6120 /prefetch:8
  2⤵
  PID:1640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2028,9354152850811863048,6390792144270204711,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5824 /prefetch:8
  2⤵
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9354152850811863048,6390792144270204711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9354152850811863048,6390792144270204711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9354152850811863048,6390792144270204711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:2128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9354152850811863048,6390792144270204711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
  2⤵
  PID:4992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2028,9354152850811863048,6390792144270204711,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5408 /prefetch:8
  2⤵
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9354152850811863048,6390792144270204711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2028,9354152850811863048,6390792144270204711,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6440 /prefetch:8
  2⤵
  PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9354152850811863048,6390792144270204711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9354152850811863048,6390792144270204711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6864 /prefetch:1
  2⤵
  PID:2248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9354152850811863048,6390792144270204711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7048 /prefetch:1
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9354152850811863048,6390792144270204711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7044 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9354152850811863048,6390792144270204711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:3128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9354152850811863048,6390792144270204711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6604 /prefetch:1
  2⤵
  PID:3664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9354152850811863048,6390792144270204711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6464 /prefetch:1
  2⤵
  PID:1216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9354152850811863048,6390792144270204711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6548 /prefetch:1
  2⤵
  PID:2436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2028,9354152850811863048,6390792144270204711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5956 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,9354152850811863048,6390792144270204711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7132 /prefetch:1
  2⤵
  PID:2696

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2692

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x500 0x4f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3980

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4652

C:\Users\Admin\Downloads\winAPI.exe
"C:\Users\Admin\Downloads\winAPI.exe"
1⤵
- Executes dropped EXE
PID:4220
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "start C:\Users\Admin\AppData\Local\Temp\usrgcp.exe"
  2⤵
  PID:1116
- - C:\Users\Admin\AppData\Local\Temp\usrgcp.exe
    C:\Users\Admin\AppData\Local\Temp\usrgcp.exe
    3⤵
    - Executes dropped EXE
    PID:3716
  - - C:\Users\Admin\AppData\Local\Temp\usrgcp.exe
      C:\Users\Admin\AppData\Local\Temp\usrgcp.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2752
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        5⤵
        
        PID:5016
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        6⤵
        Detects videocard installed
        Suspicious use of AdjustPrivilegeToken
        
        PID:5060
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
        5⤵
        
        PID:4544
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "ver"
        5⤵
        
        PID:2812
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "gdb --version"
        5⤵
        
        PID:536
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        
        PID:772
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:2820
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
        5⤵
        
        PID:4116
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        6⤵
        
        PID:4528
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:1980
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:1824
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        
        PID:2692
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:2992
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
        5⤵
        Hide Artifacts: Hidden Files and Directories
        
        PID:4736
      - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
        6⤵
        Views/modifies file attributes
        
        PID:2076
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f"
        5⤵
        
        PID:1040
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f
        6⤵
        Adds Run key to start application
        
        PID:464
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist"
        5⤵
        
        PID:5016
      - C:\Windows\system32\tasklist.exe
        
        tasklist
        6⤵
        Enumerates processes with tasklist
        
        PID:1472
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 216"
        5⤵
        
        PID:4544
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 216
        6⤵
        Kills process with taskkill
        
        PID:2984
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3984"
        5⤵
        
        PID:2196
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3984
        6⤵
        Kills process with taskkill
        
        PID:224
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 748"
        5⤵
        
        PID:3440
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 748
        6⤵
        Kills process with taskkill
        
        PID:4516
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2148"
        5⤵
        
        PID:536
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2148
        6⤵
        Kills process with taskkill
        
        PID:2392
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2232"
        5⤵
        
        PID:4392
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2232
        6⤵
        Kills process with taskkill
        
        PID:5044
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 384"
        5⤵
        
        PID:5060
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 384
        6⤵
        Kills process with taskkill
        
        PID:2460
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2328"
        5⤵
        
        PID:3448
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4544
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2328
        6⤵
        Kills process with taskkill
        
        PID:3428
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1640"
        5⤵
        
        PID:4988
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1640
        6⤵
        Kills process with taskkill
        
        PID:4476
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5080"
        5⤵
        
        PID:1880
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5080
        6⤵
        Kills process with taskkill
        
        PID:316
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2436"
        5⤵
        
        PID:2168
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2436
        6⤵
        Kills process with taskkill
        
        PID:2104
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2696"
        5⤵
        
        PID:960
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2696
        6⤵
        Kills process with taskkill
        
        PID:4796
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        5⤵
        
        PID:604
      - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        6⤵
        
        PID:1032
        
        C:\Windows\system32\chcp.com
        
        chcp
        7⤵
        
        PID:2444
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
        5⤵
        
        PID:2796
      - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        6⤵
        
        PID:2040
        
        C:\Windows\system32\chcp.com
        
        chcp
        7⤵
        
        PID:3896
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        5⤵
        
        PID:2520
      - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        6⤵
        Enumerates processes with tasklist
        
        PID:2216
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
        5⤵
        
        PID:2448
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        6⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1008
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
        5⤵
        
        PID:2212
      - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        6⤵
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2120
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
        5⤵
        
        PID:4928
      - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        6⤵
        Gathers system information
        
        PID:4580
      - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        6⤵
        
        PID:3796
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        6⤵
        Collects information from the system
        
        PID:4716
      - C:\Windows\system32\net.exe
        
        net user
        6⤵
        
        PID:2676
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        7⤵
        
        PID:116
      - C:\Windows\system32\query.exe
        
        query user
        6⤵
        
        PID:5044
        
        C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        7⤵
        
        PID:3264
      - C:\Windows\system32\net.exe
        
        net localgroup
        6⤵
        
        PID:3856
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        7⤵
        
        PID:1536
      - C:\Windows\system32\net.exe
        
        net localgroup administrators
        6⤵
        
        PID:5016
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        7⤵
        
        PID:2088
      - C:\Windows\system32\net.exe
        
        net user guest
        6⤵
        
        PID:3820
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        7⤵
        
        PID:444
      - C:\Windows\system32\net.exe
        
        net user administrator
        6⤵
        
        PID:1660
        
        C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        7⤵
        
        PID:4728
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        6⤵
        
        PID:4116
      - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        6⤵
        Enumerates processes with tasklist
        
        PID:3628
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        6⤵
        Gathers network information
        
        PID:1732
      - C:\Windows\system32\ROUTE.EXE
        
        route print
        6⤵
        
        PID:3708
      - C:\Windows\system32\ARP.EXE
        
        arp -a
        6⤵
        
        PID:4932
      - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        6⤵
        Gathers network information
        
        PID:3660
      - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        6⤵
        Launches sc.exe
        
        PID:4100
      - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4512
      - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2284
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:960
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:3984
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        5⤵
        
        PID:3080
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        6⤵
        
        PID:3520

C:\Users\Admin\Downloads\winAPI.exe
"C:\Users\Admin\Downloads\winAPI.exe"
1⤵
- Executes dropped EXE
PID:3040
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "start C:\Users\Admin\AppData\Local\Temp\idhglv.exe"
  2⤵
  PID:2040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1f9d180c0bcf71b48e7bc8302f85c28f

SHA1
ade94a8e51c446383dc0a45edf5aad5fa20edf3c

SHA256
a17d56c41d524453a78e3f06e0d0b0081e79d090a4b75d0b693ddbc39f6f7fdc

SHA512
282863df0e51288049587886ed37ad1cf5b6bfeed86454ea3b9f2bb7f0a1c591f3540c62712ebfcd6f1095e1977446dd5b13b904bb52b6d5c910a1efc208c785

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
60ead4145eb78b972baf6c6270ae6d72

SHA1
e71f4507bea5b518d9ee9fb2d523c5a11adea842

SHA256
b9e99e7387a915275e8fe4ac0b0c0cd330b4632814d5c9c446beb2755f1309a7

SHA512
8cdbafd2783048f5f54f22e13f6ef890936d5b986b0bb3fa86d2420a5bfecf7bedc56f46e6d5f126eae79f492315843c134c441084b912296e269f384a73ccde

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
1.6MB

MD5
b1c56daa3d67a643bb03cdf83671f7e2

SHA1
e3749a00fd13b735d2c51cbd04d6ce2a878d3bed

SHA256
893f886038485142a3700830a777a21499861909fd25ac56dc914eabea497b45

SHA512
09980f60903a5382c492d5007b0ad455f919252037dccb9adf5286810f19706b6a28966fc95eb65f769ee87c7fab76b8e5117e547c6140be14da588cbd4c8274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
32KB

MD5
1463643b0f2ad3b82c86eb21d11b3999

SHA1
76ab653cce1834739fb2899c04dd21ad6925c47a

SHA256
eb5b73f0ede3c50584dc1a184e8b82427931db4c9829ae409d4fb699a25ae4d1

SHA512
f7edf688f14f79092e0bb51186e0cab37af6f4ae7b511ef7ffc2bdc7c0c32457edbe41f4ea23648bdc8bc76db90a7cac65dcafd854217222c4bb211f2d09ad0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
32KB

MD5
eb889d7b98dbbbcb29b8ff45aceedcbc

SHA1
d4487aab8a130fd8e02f1a9496cb32731edad542

SHA256
5aecf726986c55022c566b62171c439076bc35aceb16432674397575aa7d62a2

SHA512
4299d52da5491ccbb3b2ef39b1046812535b4a7ba53a24ee590e8b5036911833303cb1257a725667adb5ba398ae31dc850979ffd63994137bffbaf42fab68762

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
34KB

MD5
367d6749aabc56bcfd8fe6f68e8ec07f

SHA1
94603bfd837a6cc48b0b413d97e6c21294139f01

SHA256
aba7125a597cbea4846b275de47b9e35fb42202d217c321ad861b09d3b831b5b

SHA512
737b43474c49d945fcc767a082ae79734333de55374c35825993539376577af76175a966e633b8224b4ede6a42738f3298e5c42d7a307f37897857c7c65842c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000a

Filesize
19KB

MD5
2478c5d95fc69496af5f97c1090cd77d

SHA1
40cb7a3213c8e9bbfbac6a35ce2f9dee212077d0

SHA256
272dd3a546af5a3682a6a52a84b2d4dd7aea3d04af9c71f2d45359b55c68004d

SHA512
51c53e193582b17148512aa0259e466f21152ded8348e1544324ee4edcadc73bb231022a41ce68a6082284af7337b184a2ac90f20f265664339e79f040ac396c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
600B

MD5
3b16f5a2e725558b31b7ec018d739a4f

SHA1
59a83ebfb4e540bb99bf1661fffa5a4a2a668375

SHA256
0ee588d6bbe5959775f072da5fac61dc75d5606755862dd4910c0c0e34b25532

SHA512
025df46dd1dfd41d3f57f01401389d917a673b31444f5beac8f2dfcb331fe1da610b28263d1d4ba94679706397ce2c914804d40077e1e9a5c60dcf0e57cbe9b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
c321c9c928fa91deca0e044ab3a39e1a

SHA1
69706ad5dba12d3ac7139468da1b1cda406222cd

SHA256
1d05b58288468f20e323c34f3b9977f879dfd0daaa73fd6286fb1c7d48d0a58d

SHA512
79d9e70008ebea32b6a9016f365bafd86327ac970790fce4cf47103bb8e17b2a7e7dc79ab47af024e60e6b7142ab4175b0699a538725b671be2ed7ef1352a7c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5c7957cb69be3626e29b65201a1da971

SHA1
28bc1188f8102122abc64558bde05fb22e4d580e

SHA256
fd7b192493e8d5d4baa3e1ab845091474259d617e26b4ebc78abe6d62094ff1e

SHA512
4b95dd6c13194567a5ed184f71c46065a5c0db35dd7a01303b3f6e1c72e1196c7d7f6be7c95cb3e5421e5bdb3d07509f0cbf125a5452690583f93d7ee60fdf54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c080ee0ed625958e539038ba076ff349

SHA1
0e538c310cee6febd5b36f0a2cb9d1ff206c8cf2

SHA256
06514f9b5864a386e2dbb08c8def02f9188b0c12d8b01a288198b432a203b0c2

SHA512
165f43f854603d611838fb4a647f86b4afb00b54b09b81f24cf2ce9537c0c82f79fbb86407ae277044ccc35b9ebe7df971be8ab71e0a0191b7c3e24a211d90d4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e3427a64b1d5220a454fc3ea23c31bc5

SHA1
1dd0998c9162b40c1254be72470cba4944a3d006

SHA256
229f66ea31539eb1546beeaa2e935e909baed4099577c2f85da2efda78373707

SHA512
8202048243818d86c5154e38e1c09ea566acedecbfbc3612eba46e2f52d8105827dc388946624a7fe8f91bfe43009693a871554e3899f62cdf860055ecfe4a21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
6b1f64c0e6050c52a8025795818b3bcc

SHA1
a4c6801b19d1a302e353dc759480f5d904c434c4

SHA256
4f7fc4041941379d006f54072a4d8dddd58905ca9d1db7487517a804deff81b6

SHA512
b3301f055557e1f58b11e81d9269660bd88ef0356edb795aaae000eaad254b3efb3d36551d096c1f2f276364a24b66495b0003420e55412c8e21aaae8b28c84b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
ec083ded7166be82ef9dee3caaf4e1b2

SHA1
9a8d0cf8f0decece5f6829987e168ad712a68c8f

SHA256
d0a79cf07da3481b90adb66c1506030f23522ce4ae95319c5a1f95b1871e99d6

SHA512
45d2b63ee7d5243d9bdf26e8ab074271784292022c7936cd228fe6cb6da03e8447249898bb2aaca9a8cb1af819a196dd9352e2acee1083281aa52ff62dea34f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
18b8ed0af6eeb562e476d5103690b6cf

SHA1
cbe39bf297d9cde67e5a5fc7e17db4a578f1b9e0

SHA256
b9040a1f3b48a67780f52ff09eb354daca0807293c2b660371700ab3348a9ce7

SHA512
180eb6f75fa4f3076a54fbf83d3173f34eba3feb00f359d9b011d8a0dd2a9577ccb40819ccbaf03cceb0aaef27e3c159e687339d5cf71fa4de8d818f034e012b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\028d456d-0a7e-46c8-bc67-e94796ef97f2\index-dir\the-real-index

Filesize
624B

MD5
7aeedc9375106c7e427a3d13d55968d7

SHA1
2d4275e7cc425b8fb1bbf483a1f7d8ae3d3e3f3b

SHA256
795d32fdb7e85be04908bf78b698987f9e719ca94e184fb1bb97e72c2ac70bc8

SHA512
50f001e4cbc53399bb71eba0ab60c0b346cc8ceaaa0e25dfa733614db1c80f3feb22713274aacd955f5da5fc10a408ff5c923a1e3a070ce3939990adbeee9c3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\028d456d-0a7e-46c8-bc67-e94796ef97f2\index-dir\the-real-index~RFe5879cf.TMP

Filesize
48B

MD5
73944b29db51ab497529753a8bb39988

SHA1
1e917b0977fb912b509fab5ab87226a008bc4138

SHA256
19fc718716b5cf9656eba1c02c2537175714500f57f5143f5b3ca2bc0f50c236

SHA512
256b354d78be5884d6ad15ae6e671233bfd531474150cc47e9529aee0ee28e1de5e0fd4d2a1061583227797448c3bb8ef7c9dbc8364747545a672c63d85257fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\0b6bd838-c8a6-4a5b-b3e1-22436772114b\index-dir\the-real-index

Filesize
2KB

MD5
23e531049898634c37881ee5075042cb

SHA1
7a07d127f6da9680ad3c3345aef25fb61c02871c

SHA256
8143fec6cd83d4acffe14245ee8440828e6d9b102b743ad8a73a4e3bb153ea37

SHA512
f06955c7b24f5dd51136ef3a4ad0db25276844963672cf42719b2b9e6f93349395cab0cee49e069438c15b07dee2be68fbf3a9e767e970d164cf039d48cdc361

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\0b6bd838-c8a6-4a5b-b3e1-22436772114b\index-dir\the-real-index~RFe581d28.TMP

Filesize
48B

MD5
9617222bdebf23809f3d8d00f5dfcbae

SHA1
e851d3b087d91e2d85d8a5169d92f94881f60129

SHA256
22d0e75464a5484165e82785358debdac863886bc92bfa8f4b412772a89d8369

SHA512
4a2bd7a63a2fe46c8402acc7235c9150764ba8d8653a58f7c6d6c5f9f22b9ca498717b933e46caed3b94001d20461a73b66f4f8f2cf09541868b593192724949

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\a3a2f55f-f343-42b8-ac94-14912af153d0\index

Filesize
24B

MD5
54cb446f628b2ea4a5bce5769910512e

SHA1
c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

SHA256
fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

SHA512
8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
146B

MD5
58c7cda3d3d0eeec1ea034ed6fef5df0

SHA1
e28c46356f50ddbac7bd09cdd5224b3fb33800e1

SHA256
3aefe868c74ff8d6b434c98180a6caac4e71b5685da26f5d20ce1bdaccac0b4a

SHA512
25847d8ac20cc9c1f20fb375ce8bbedb91cf30e8eb53ad3b1cb2bf7b9b9c0a3cefab480c713852cc689064aac1bee2f99886b0f48812d1426ed7074b4796fc27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
148B

MD5
2d154e7695a5f7c49de88b0432085761

SHA1
e79e5a9fe90be1e2f68b32a95270152d7b01b4b1

SHA256
e183f4835819068a01fae4ba035311bd8b92c9414d12cb3ed961ac6b2b2a7d7c

SHA512
e81f222bef774ba0ad349d4d8856c63b923a3fc2ff88d0ee3aff9bf10ad1c741712758f2188714f109ec9862f2668df022b945696f415037d2bdaa2d1e5d8abc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
217B

MD5
130b14487fd1740d061026737a5602cc

SHA1
e3ed10c393f038ab446e88e156165d7280320494

SHA256
8d9b71c65d4e1ba83d29c9df5f22848be3bc8f17766afeb179cf5a2bb91f520f

SHA512
87a35e3cee3190f7791094e48fc66f298cf76608143a229d42bb1876b7823d761fe7a47639f42e02e3521196e81ebf6169f4108ac83849423cd21b49590062e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
82B

MD5
645f91e8308247636c7729bb76dd6df2

SHA1
bd709e9d200d04b2e16fcedabeb5e9a56806c309

SHA256
8c1355574cb4a412e095f9fd2046b8450452295d45b7dd8a5dde2054cbab98a4

SHA512
f2541bb7da329b74d075394853370e8e1545a7039a0cf9b26942c07015d048df66e38c00903d39a79af316634931217f0221f883149c79b3fd1be8726218d7ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
157B

MD5
dce768f4c81984c012d16d4af493e709

SHA1
e031083d9b383fffc47150d7c50c83c04110f515

SHA256
42b7e03f9551aed07ad16334bd583a6af790f49d7698add8c2d751073758296c

SHA512
35cee4d8dbd0f9a7e49dc178ce50f5cc69bc89f67a90bd76d4befe53942c0911709a217d329330d708fe68905dbcda5a63aa42df48735a887605b091677d52c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
84B

MD5
69d8c32f7e6e777d7ebe24a7d74e501c

SHA1
be6481cdb6504d0ccde10ea94c1761725b37954a

SHA256
d851c0833abee52ba468232fcc8e3454d2af20369dedc3d93d938c91f65cb4fb

SHA512
682afc2d06690a5b449820dd5b01d42374c1f1f8abb84b8604f02ce219613695c59a72d793d13a4c8c99cdbe10341996eecb888233df030e1d1d269415516c5b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt

Filesize
153B

MD5
9d66ecdd2e4829dcef3a48ece40d8524

SHA1
3f18a61292812be6aa512d315bbe1d7dd9a642d7

SHA256
0eed59ac8c3a387be88e6aa336543132d43a9e051faea9a240fa1ac6dbe240d5

SHA512
90db0c44558fcd51420f2095366e3cb91dff337e3d8c5d83b3bcc5d3f0628fb636f37a64eb47a9149e6e01a1a2f78e0c8741a78fd3a2646890b1504d5b711eeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\379f1cbab5b08b6fc9e08681e42d8be311441c88\index.txt~RFe5808c5.TMP

Filesize
89B

MD5
941f9840602da46d282ee3283f5796a6

SHA1
3991b3aaff071bfba2b925d585fe8f4ab1cffbe7

SHA256
90cb413524e5efa14031c1f82531339afb620ddaae486d1d6b90a7008b6bfa57

SHA512
8954dfa8f540dbd3e2443b88768d3bd16fa49e4ca4e238b6978c75cfacd2a3b25b75ab24715df9a0b1541d5b0591b214c9197692c116774fa9013516594ea110

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
ca2609f9779ecdbf6b1d69b1c7bb9aa7

SHA1
498db163d3bafefdbb21f2da0eae124cd3777120

SHA256
a6ff698e61847ca4f38ee12137601c94281a6d77ac45d0ea5be91052480825e6

SHA512
a07808506b919de230f83224198ed4777d421eaa0ff18caafd59a133e5bdac94a8f211334c2c41477e921ee227a5aabd7d453b536229d28e97fdbf7873c9e856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5870a7.TMP

Filesize
48B

MD5
ca3f61b19d4dcfdbae340e05aa090857

SHA1
faf3c6546387f8b1a2f40b1b9e224008e829856c

SHA256
b544682db41830e26d38b683baf4f57493d587f6b7fb7b780073555e0dd7695b

SHA512
de4b93829a8ba54915e1796761c4b2f9c3d7f609732d84da3519ce50794f3be777f7802061d11b4e0af7705cb9785aad5bf52dead57a0cf9b7f9d2bb208912dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
871B

MD5
bed7fb97a7fa905cf147940e498fdc3b

SHA1
9adb4ff7d1b486f22f7646f3b766d058f99235b9

SHA256
296347d1a63e180105c5156af7b9be8015fe159df3477943c6e96359ac8cda5b

SHA512
fdcade2c7f9c8e5f29c4de3b2fa293dde71b660c03634869bca95088ef75e2db8c41b91b16bb8d33c38c82760c7e4f6f3827db2421b4fa5f9337d036686f7fe5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
873B

MD5
eb66718f7c086b84b8d90672885b4ad8

SHA1
c3ca88918adf379b7a13e86ef62eb524165e3563

SHA256
c6aaff0732cb6f7c315d39ec106198d6fa5aade433bb2e2019aa1d0da0d5a676

SHA512
dcda4079e09936694bff3217e1f0f456156a0366845e0b20bd12ddec34061dc38f1cd33d340df85f1dac53d96b1957ffd4537bc983adc7741dd3ed6e7a6ca2be

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58292e.TMP

Filesize
203B

MD5
b64c1a934ad8f9b4abae50f57fddb886

SHA1
e0cdd70b93071edc8464b4ac98b1dcfbd519407a

SHA256
fbe89c412e3a0af55f4284965cf51d86d497edcd8a144b21d2b22ae8b153a26d

SHA512
57be9fe87d618a91dc6081382061e412477b3232f351e64440eeb3cc1b79cb603101f657e51d3ca5a34119f4cd20ce269a28b391edcffa2a1727dd5524754043

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
46c9c5192315843f6ee8aa80ca4a2d63

SHA1
0edb166b5fca8bcd9649c1256897f5614f097199

SHA256
9d60ce0979865f9a5502ab27d13a924c7ac7d0f849c443bd38d8763db9cf185f

SHA512
04d9d0f29c12d394dfc84a0faed4e3282eaf3075832d13af415082e7120d7e9a8186b8c24faf4f92aea118922083eccb952471349c9668cf2308dcc891f49c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\BlockJoin.xlsx

Filesize
347KB

MD5
d748890450297116b309cf1a218bf2bd

SHA1
3efe1c2a074d5db4d4cc681c6ce09d5b0309ba88

SHA256
503d64c1856914435a297fddc965f0de0a33c6fbbc5df99df69baea0a93963c1

SHA512
0ce966826f6b556420406a19e2095e29e4670bfd0852faa4090b12862d33dcad9509042b22e5c1057d20372c5e05fd86f37db592379273c00a4b488655a9bb74

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\ExitSearch.png

Filesize
371KB

MD5
9513cf541d8a01665811f34b8b309a2a

SHA1
a048f86e16730f55ad7e58ce918da70574c60057

SHA256
2bad90bf95583d0c17a04353dcdc19e779471208382546255ea3b8f764016777

SHA512
4feaacf9fee0a5df894783b11e3b0d744e35b2c4a696bf1549df110ae98786ea8e69ae0fc290f42f0e739a0b861dd1d18b6d230e0e6de2c72c278f6fc31f70fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\FindCompress.xls

Filesize
176KB

MD5
58b624ccf032c6adf4e2fda2e73ee4ec

SHA1
8a119d23cbf2fe2c8a510f0703307a766c49a6a5

SHA256
62c0cc142bf576c77b6e9913e6c9ae2b0606996c6cb5b9da2baa3e0fa44947c1

SHA512
59042616ba4ed6fef11dc8ad66f5388aa331369bc23de3ef7ea7182771dbcdfaed030fe1456f196ad7c4b5f5bb977441536d3fa27cd3409e5228ed586e0e803c

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\GetResume.xlsx

Filesize
11KB

MD5
8107220ccf711edc13fcefd4559dd64f

SHA1
bc5f3dcddc74cb9bc8ae233be83aedd259343d52

SHA256
222078f5f910e376b7308a8c5d05ee5d6529f24e040cd2dc10885918fd939d68

SHA512
bf696074182dd8ab31fb7366f86509db2f8510f96372e88beb05d032153bbda4b53f2e0767e2433c700d26873203f6ba81412e6e6f15e0320a5b45bc446773cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\InvokeUnblock.zip

Filesize
286KB

MD5
a360b494ce843f49e6786b06d354daee

SHA1
53d01200d7f23091f34ee763868e7b573ca6eaf2

SHA256
4c1df8b8cea12e1d64f18aeb353a53eed03bb29bee72c37db4ad92ad30d3f882

SHA512
778f825d61c8f2989eb030d07e450fe513507e6ff1f52d073118a9c610c0d74336286fdac29077a547a1b6a8a0ea01b5862f0e67dcf732c7c5a3aa7842bf6664

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\RenameConnect.docx

Filesize
14KB

MD5
c2cd4a055dc1df90455d9dac06231e0d

SHA1
0ce5d2dd53a2f7e1249dc1ae7527789b7afff9d2

SHA256
feb39df7739b70688e8c9b3734f30d73316bdea8c9b7cfb94d7044f1bd6e6e8f

SHA512
9df56a1d4be557fd1a35401cbb240ffbb86815fdd7faac856f0c7e282e834424957e02d099e33c4a4854606531fa41855cf7dd5ce87f3a7d9dcf648647fd6d83

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\ClearRestore.xlsx

Filesize
1.2MB

MD5
4d18afbb8f67595eefa274dc9d980739

SHA1
e6d694c71bc4569261e3dedabdebf005f056ffc7

SHA256
d9b1b8530fb90cc1b5dc499e653eb7080bf90006c48c91e0adfb70a90acf7f4a

SHA512
570e7c98c0d338958af8bc4d795748886c387abfdb190017c1cc477bd4de9dff363fd2bb3e3c850dbd4977c761c614bb97c10ea28679dc38f67fdbeca2f04d2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\CompareInstall.docx

Filesize
16KB

MD5
5f9db8c50cf5558fff4e65cd0c86a6f5

SHA1
30bb29e590b17f8fe3c69b7a34bb9ab3c23518c3

SHA256
5ebd2aafb15e4802ae74e2130b665346a9a8d97b68c1058f08b3723dbc640535

SHA512
4298f6bc39e6811cedb6c69ab2c10fa40c279c46fe29f1f45d5327ff7c5f1455f992d707bd026e91638795077672b5447a5882cd90eb62b582bf95f02aaeef92

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\ConnectGet.csv

Filesize
1.2MB

MD5
a514fb76b63893c5b064e9a39707457d

SHA1
432fd0a319147bb9a04f8e981230fbb7dce72b2d

SHA256
16e67a4dbbb9d10c579424cc483cfe9429d4c8814eca8072f8c9da7792c2768f

SHA512
86a7949ff87cc29e548ee583732197dc6f0ed0f33d2807684b0f1dd9b45b482d9d45304d6c80baa3d66fd54bc881de3acde56122ce5c39ce408e389893eb398c

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\PushBackup.xlsx

Filesize
12KB

MD5
17e9afff27f22a336bcfea51c48c7817

SHA1
92cad9890aa99b720a1e59a9c2ddcf12c3f79d25

SHA256
9711b96688620b8aaf25cb7af7869d8d99e88c4ec2de2c5f36d1a123d660acb5

SHA512
6873744083dc80994a96ca0d7ea4c37c9494888433660afcc080e8f52bb11c5ea803a4ee97e65ec1935858a9de2da41d5c64e7c6722309341e8c2f3b75752bbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\RestoreUpdate.txt

Filesize
522KB

MD5
d37df7ccc61f57b2d081852e11025c0d

SHA1
f54c8f8fee6bd89bb8f6a6c99c36360a06f67419

SHA256
118f922e1c6713964d33b014d41d3b4e756416bae7da6e0d633ae7abc23a84a2

SHA512
988047a77ea70f8e6f30be4fe53bb37c8993aa6d9bf68b55fa786de2cdda6c8a2f7b40d498d54ed1e879b38f7e38417bd7e0c0905e8fda0b916dbfdb44e562c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\SubmitSkip.xlsx

Filesize
12KB

MD5
60abb9fdab82d31e1e65d462443cfef6

SHA1
c444e101a37051e9d9eea16fd9c42dfa75bc73c1

SHA256
9f91b0bc03d0c4c8dfce4cc62673edb6b828bd1b246332e0d005dc14fdda076c

SHA512
04b5c40dea91242c17850ee500044283d3d0a4655b144596694070eedc597b3e0597d3ee722bbda482c6c07f1320e7ff2b0528778d1321ab0cbacc3b99308e31

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\WatchUpdate.xls

Filesize
641KB

MD5
125e9e20c11183491df50eb6afcf8303

SHA1
97e732d75ff48bfc9dccf96270453b056f5c034a

SHA256
60e29dbc45b36bbf88d071fe8cc48d7595b3b5e426acfad1903fe81a727e01a3

SHA512
606b3c21f2d578f4b0c8f2641843794b8cf74b4fc5e3d7e444400cb4ef10350727938a6a8367f22a7f9c09cb51407183034be1ec5c9fb6b0aa8bdc0b4a797078

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\SplitGroup.png

Filesize
472KB

MD5
9f10fbf9af3cabd904b84c46f894f910

SHA1
bb4941547ff8ba39b2a3c894845f1a10feeb4078

SHA256
420bb52a6624aa6b52b81b23c87c02505bb2c5bc167cad7921c6c2caf45406bf

SHA512
aa2f34cb999bddbbc1c295f5f272e3ed13b2f74fce86926eb5917c575560a555db57dab58ecb8484bb509beea8fd5a023b296016379a55c7636845f5271368d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\SplitWait.txt

Filesize
201KB

MD5
c0fdf439e05ffc318eafbe7390c3d038

SHA1
146060a747abda0eae2e28cb6d3e3271355eb795

SHA256
05e28c0d8c7ef05bfb08b3cd3fd4f7aa0b0ba78199fd69c0e21fd542cc4f324d

SHA512
405fb0ae3e36e7e70737877c4e04b16ed0eb04ea7eec941deb29667b3272ea8c91090ea6758f54787cee1a2608ecb43613219406232b1a25d81e1966ce002d6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\BackupNew.rle

Filesize
530KB

MD5
26bbaa964b2370d002871f7c93f486b2

SHA1
9f1e7e85cb838c917627455a99a16f0ab0b96eb5

SHA256
6c8931851a02e5dea87445e2d9bb6fa41a83f4ad61316cd41064b5a3ef2edc88

SHA512
3423fbcd4a366ef401994e694e4d1e6059917bbd87411e505e71c7ac29325dd051f3c84b47871b27c188642a1da0d128551aff89f705da5123f77736efaf7352

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\CompleteRevoke.docx

Filesize
232KB

MD5
bec3ed49f75da759af1b403229eb706b

SHA1
d5ab461b2eac94ed274d6b891c807b0d349e6be4

SHA256
370fb86340b5f345d8c38c79011635d6c0b09a182e7a7ecab9453ea76d547e66

SHA512
2accf845afbe48e0783164e64e9ab3d4efce8d49ea988bcff7036f16b7aac2e32b49564128b0e47bf3236ab9b5597337cade121647495c46f7b5e5e79ba4119c

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\FormatPop.jpg

Filesize
199KB

MD5
28df62dd083734c11204b0cee8a80f9c

SHA1
be9018a355f06adbfa35ebed19dc21c9956d4e19

SHA256
9a58db053bc4ba940392913166d2f86198b9af13eff49bda5a30f6d157a6b9e7

SHA512
11b91a536ab6d0efdec991f34b0f42d96ddfd4817cca188f74999ada776c278c144fae14c3c6cb943c7f10c43da6c3a1a553f8cdb4245195fd5518e44af630d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\MountLock.xls

Filesize
276KB

MD5
ddf8b90d428063cf1af82a729f70d531

SHA1
9a0b98c65a20b265c28f90023417b55f86943765

SHA256
62bbe5e0bd80cf150be3774837232af84a4b7a7b2d452d4e125876fce6549a14

SHA512
6bfe2647d589818541e2edead746213fdd8e992bd86fcba8ee67c1dfa4078ee8a91fe6e998880b2000fd2a9a41b59024b6df93a73206f4144667646ed95533a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\ResizePush.mp3

Filesize
542KB

MD5
2beca0901af98e5cef88b421b82b19d6

SHA1
c4462c70ae169ae2c87c22e94a06fb9f26ace304

SHA256
327829842a1b7d12ba5b7ed0b285fd3e189d966c98b74107d5a3db8c0659df42

SHA512
c881a399a711441cf78a0fe9ea08cfaf88155c28bed1326c116e86b87026e5df70861ef1b3964c235d4422fe2f1ce7612a28bf65d92d247642c9423ec98537cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\WriteCompare.xls

Filesize
309KB

MD5
3df59f1ee31c59894c1cc3f330f69046

SHA1
1baa0522d33f5a0aabeb00f3b485fe568181f378

SHA256
02aa4f53174d17020194a75e408756cf96b8f2ca2c98c93428e590c9c3b0ca43

SHA512
03ed7ca6127940f6161737ff9b289683449c8124d6f0f581ba2a6b67a0468a447bebe5e68b99adbfe397072497caae6f7aae1fc8a41aabc7119ebf382c3f5331

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\BackupStop.crw

Filesize
209KB

MD5
153f01c4c2184de8e809a9e69b2b468f

SHA1
be912ebfe5d204a926cebe3c8d4490b5a01ac68d

SHA256
8266b6d8b4c2d8beb6d6542d32dbdfd1f80a937bda94224c57d35357fd05b567

SHA512
357d5ed190239112e9c68dd6438a0f6bba86f582c58bdcb3aa064384e6c8991766e9bfc124217dc065e55810ea0e15757a42083a3f4b178444e39e728d721b9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\RegisterExpand.png

Filesize
195KB

MD5
15adef9700baa7af97c5c69cb73e56bf

SHA1
2844b2aa0c28477c399679cdb49d2429c21936a9

SHA256
96be4c32dc55e69551f5e62c039a47414f6e383731e1282c412fc9936dc3116b

SHA512
eba885d2502b5b7ec30a971892cb7dd52c605048aebc72f1b30af9b52bf2ba66eca5f70a8946d4a128371d9f07e7daf1c1d081c696a465d5d1d81db4fef6f7e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\ResizeUnblock.jpeg

Filesize
86KB

MD5
7d06cba40af5a3df2b86c2dc549354a4

SHA1
8f666e756cccf5118e92dd510135cdfb95012323

SHA256
46bf6b53a0c66bf2d2c7f0d21f7e050c182f852e3200ab9479efd4b0137a7ea2

SHA512
6e10def168f5fe4441fff2965cbd53f728bde59fc16489b20ac79a18f42b9bc83d627dfb4b65b7e72fab1e95fb1836fd6092a029980f5b11ec8c9b554f98e3a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\UninstallInvoke.jpeg

Filesize
119KB

MD5
e29c71dc1cc8b918eca2b1b0df38fa9d

SHA1
9cfb884c048181dd44e7bb44976cbe8c4b2a4f38

SHA256
ddd52b8e1db4d4571b701b0f9a4fea3b51fa22d0541be6a29025897fa181dd7f

SHA512
2c02230409b527773618e7080b31384d1ba4039c63dd07cb7e103a9d83c7dc28e70f0a4a45fcfc45a3454ea711e29a1c743eebf5e1f201c79ccf1df258372a77

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37162\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37162\_ctypes.pyd

Filesize
57KB

MD5
b4c41a4a46e1d08206c109ce547480c7

SHA1
9588387007a49ec2304160f27376aedca5bc854d

SHA256
9925ab71a4d74ce0ccc036034d422782395dd496472bd2d7b6d617f4d6ddc1f9

SHA512
30debb8e766b430a57f3f6649eeb04eb0aad75ab50423252585db7e28a974d629eb81844a05f5cb94c1702308d3feda7a7a99cb37458e2acb8e87efc486a1d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37162\api-ms-win-core-console-l1-1-0.dll

Filesize
21KB

MD5
e8b9d74bfd1f6d1cc1d99b24f44da796

SHA1
a312cfc6a7ed7bf1b786e5b3fd842a7eeb683452

SHA256
b1b3fd40ab437a43c8db4994ccffc7f88000cc8bb6e34a2bcbff8e2464930c59

SHA512
b74d9b12b69db81a96fc5a001fd88c1e62ee8299ba435e242c5cb2ce446740ed3d8a623e1924c2bc07bfd9aef7b2577c9ec8264e53e5be625f4379119bafcc27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37162\api-ms-win-core-datetime-l1-1-0.dll

Filesize
21KB

MD5
cfe0c1dfde224ea5fed9bd5ff778a6e0

SHA1
5150e7edd1293e29d2e4d6bb68067374b8a07ce6

SHA256
0d0f80cbf476af5b1c9fd3775e086ed0dfdb510cd0cc208ec1ccb04572396e3e

SHA512
b0e02e1f19cfa7de3693d4d63e404bdb9d15527ac85a6d492db1128bb695bffd11bec33d32f317a7615cb9a820cd14f9f8b182469d65af2430ffcdbad4bd7000

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37162\api-ms-win-core-debug-l1-1-0.dll

Filesize
21KB

MD5
33bbece432f8da57f17bf2e396ebaa58

SHA1
890df2dddfdf3eeccc698312d32407f3e2ec7eb1

SHA256
7cf0944901f7f7e0d0b9ad62753fc2fe380461b1cce8cdc7e9c9867c980e3b0e

SHA512
619b684e83546d97fc1d1bc7181ad09c083e880629726ee3af138a9e4791a6dcf675a8df65dc20edbe6465b5f4eac92a64265df37e53a5f34f6be93a5c2a7ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37162\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
21KB

MD5
eb0978a9213e7f6fdd63b2967f02d999

SHA1
9833f4134f7ac4766991c918aece900acfbf969f

SHA256
ab25a1fe836fc68bcb199f1fe565c27d26af0c390a38da158e0d8815efe1103e

SHA512
6f268148f959693ee213db7d3db136b8e3ad1f80267d8cbd7d5429c021adaccc9c14424c09d527e181b9c9b5ea41765aff568b9630e4eb83bfc532e56dfe5b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37162\api-ms-win-core-file-l1-1-0.dll

Filesize
25KB

MD5
efad0ee0136532e8e8402770a64c71f9

SHA1
cda3774fe9781400792d8605869f4e6b08153e55

SHA256
3d2c55902385381869db850b526261ddeb4628b83e690a32b67d2e0936b2c6ed

SHA512
69d25edf0f4c8ac5d77cb5815dfb53eac7f403dc8d11bfe336a545c19a19ffde1031fa59019507d119e4570da0d79b95351eac697f46024b4e558a0ff6349852

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37162\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
1c58526d681efe507deb8f1935c75487

SHA1
0e6d328faf3563f2aae029bc5f2272fb7a742672

SHA256
ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

SHA512
8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37162\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37162\api-ms-win-core-handle-l1-1-0.dll

Filesize
21KB

MD5
e89cdcd4d95cda04e4abba8193a5b492

SHA1
5c0aee81f32d7f9ec9f0650239ee58880c9b0337

SHA256
1a489e0606484bd71a0d9cb37a1dc6ca8437777b3d67bfc8c0075d0cc59e6238

SHA512
55d01e68c8c899e99a3c62c2c36d6bcb1a66ff6ecd2636d2d0157409a1f53a84ce5d6f0c703d5ed47f8e9e2d1c9d2d87cc52585ee624a23d92183062c999b97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37162\api-ms-win-core-heap-l1-1-0.dll

Filesize
21KB

MD5
accc640d1b06fb8552fe02f823126ff5

SHA1
82ccc763d62660bfa8b8a09e566120d469f6ab67

SHA256
332ba469ae84aa72ec8cce2b33781db1ab81a42ece5863f7a3cb5a990059594f

SHA512
6382302fb7158fc9f2be790811e5c459c5c441f8caee63df1e09b203b8077a27e023c4c01957b252ac8ac288f8310bcee5b4dcc1f7fc691458b90cdfaa36dcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37162\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
21KB

MD5
c6024cc04201312f7688a021d25b056d

SHA1
48a1d01ae8bc90f889fb5f09c0d2a0602ee4b0fd

SHA256
8751d30df554af08ef42d2faa0a71abcf8c7d17ce9e9ff2ea68a4662603ec500

SHA512
d86c773416b332945acbb95cbe90e16730ef8e16b7f3ccd459d7131485760c2f07e95951aeb47c1cf29de76affeb1c21bdf6d8260845e32205fe8411ed5efa47

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37162\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
21KB

MD5
1f2a00e72bc8fa2bd887bdb651ed6de5

SHA1
04d92e41ce002251cc09c297cf2b38c4263709ea

SHA256
9c8a08a7d40b6f697a21054770f1afa9ffb197f90ef1eee77c67751df28b7142

SHA512
8cf72df019f9fc9cd22ff77c37a563652becee0708ff5c6f1da87317f41037909e64dcbdcc43e890c5777e6bcfa4035a27afc1aeeb0f5deba878e3e9aef7b02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37162\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
724223109e49cb01d61d63a8be926b8f

SHA1
072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

SHA256
4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

SHA512
19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37162\api-ms-win-core-memory-l1-1-0.dll

Filesize
21KB

MD5
3c38aac78b7ce7f94f4916372800e242

SHA1
c793186bcf8fdb55a1b74568102b4e073f6971d6

SHA256
3f81a149ba3862776af307d5c7feef978f258196f0a1bf909da2d3f440ff954d

SHA512
c2746aa4342c6afffbd174819440e1bbf4371a7fed29738801c75b49e2f4f94fd6d013e002bad2aadafbc477171b8332c8c5579d624684ef1afbfde9384b8588

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37162\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
21KB

MD5
321a3ca50e80795018d55a19bf799197

SHA1
df2d3c95fb4cbb298d255d342f204121d9d7ef7f

SHA256
5476db3a4fecf532f96d48f9802c966fdef98ec8d89978a79540cb4db352c15f

SHA512
3ec20e1ac39a98cb5f726d8390c2ee3cd4cd0bf118fdda7271f7604a4946d78778713b675d19dd3e1ec1d6d4d097abe9cd6d0f76b3a7dff53ce8d6dbc146870a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37162\base_library.zip

Filesize
1.4MB

MD5
83d235e1f5b0ee5b0282b5ab7244f6c4

SHA1
629a1ce71314d7abbce96674a1ddf9f38c4a5e9c

SHA256
db389a9e14bfac6ee5cce17d41f9637d3ff8b702cc74102db8643e78659670a0

SHA512
77364aff24cfc75ee32e50973b7d589b4a896d634305d965ecbc31a9e0097e270499dbec93126092eb11f3f1ad97692db6ca5927d3d02f3d053336d6267d7e5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37162\libffi-8.dll

Filesize
24KB

MD5
decbba3add4c2246928ab385fb16a21e

SHA1
5f019eff11de3122ffa67a06d52d446a3448b75e

SHA256
4b43c1e42f6050ddb8e184c8ec4fb1de4a6001e068ece8e6ad47de0cc9fd4a2d

SHA512
760a42a3eb3ca13fa7b95d3bd0f411c270594ae3cf1d3cda349fa4f8b06ebe548b60cd438d68e2da37de0bc6f1c711823f5e917da02ed7047a45779ee08d7012

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37162\python3.dll

Filesize
64KB

MD5
34e49bb1dfddf6037f0001d9aefe7d61

SHA1
a25a39dca11cdc195c9ecd49e95657a3e4fe3215

SHA256
4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281

SHA512
edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37162\python311.dll

Filesize
1.6MB

MD5
db09c9bbec6134db1766d369c339a0a1

SHA1
c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b

SHA256
b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79

SHA512
653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI37162\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yintcqgu.hrd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\usrgcp.exe

Filesize
11.6MB

MD5
19ee0c62d058248939477b1820914f2a

SHA1
27e2456ec9032f75c60408090227b3f4d988b2d0

SHA256
da789a7653878711e481cbb64cd70506ef0722fea35c4aef8c0f937c6d859544

SHA512
77251640b494a4757dbbc69414b43897f6b5f43169b6ab5ba7d0b60c4e0cefa18099c6fa8d42901ead2624b32207a227aa73bfd1871f3e50ce0219d7ba4408aa

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 415056.crdownload

Filesize
28.5MB

MD5
a6c1b27e646cf5904a69e45ffc8808d5

SHA1
7cbafd874594bf3ee91cc49d7fa8ec686b4cad80

SHA256
d9cd6884ad7518018efaa52cde9c0ed46fba959e9ea093c97e68004dbf2cad66

SHA512
b55adebe3be59f15eb66a80d2b328d20e3a7fb1aa8d666e37195855f0a510e9abaefe0ad58ec20e14b1d3426995c9e54c6fe9491704db44931a2777eb5e8c2c8

Download Submit
memory/1008-1107-0x000002837B840000-0x000002837B862000-memory.dmp

Filesize
136KB

Download
memory/2752-1004-0x00007FFD5C990000-0x00007FFD5CD05000-memory.dmp

Filesize
3.5MB

Download
memory/2752-1015-0x00007FFD5BE70000-0x00007FFD5BEA8000-memory.dmp

Filesize
224KB

Download
memory/2752-1140-0x00007FFD5BE70000-0x00007FFD5BEA8000-memory.dmp

Filesize
224KB

Download
memory/2752-1139-0x00007FFD5BEB0000-0x00007FFD5C5A5000-memory.dmp

Filesize
7.0MB

Download
memory/2752-1137-0x00007FFD5C5B0000-0x00007FFD5C5D2000-memory.dmp

Filesize
136KB

Download
memory/2752-1133-0x00007FFD5D980000-0x00007FFD5D992000-memory.dmp

Filesize
72KB

Download
memory/2752-1132-0x00007FFD612C0000-0x00007FFD612D5000-memory.dmp

Filesize
84KB

Download
memory/2752-1131-0x00007FFD5C8D0000-0x00007FFD5C988000-memory.dmp

Filesize
736KB

Download
memory/2752-1120-0x00007FFD5CE90000-0x00007FFD5D478000-memory.dmp

Filesize
5.9MB

Download
memory/2752-1129-0x00007FFD66F60000-0x00007FFD66F8E000-memory.dmp

Filesize
184KB

Download
memory/2752-1154-0x00007FFD612C0000-0x00007FFD612D5000-memory.dmp

Filesize
84KB

Download
memory/2752-1168-0x00007FFD5C8D0000-0x00007FFD5C988000-memory.dmp

Filesize
736KB

Download
memory/2752-1179-0x00007FFD5C5B0000-0x00007FFD5C5D2000-memory.dmp

Filesize
136KB

Download
memory/2752-1169-0x00007FFD612C0000-0x00007FFD612D5000-memory.dmp

Filesize
84KB

Download
memory/2752-1167-0x00007FFD5C990000-0x00007FFD5CD05000-memory.dmp

Filesize
3.5MB

Download
memory/2752-1166-0x00007FFD66F60000-0x00007FFD66F8E000-memory.dmp

Filesize
184KB

Download
memory/2752-1157-0x00007FFD5CE90000-0x00007FFD5D478000-memory.dmp

Filesize
5.9MB

Download
memory/2752-1180-0x00007FFD5CE90000-0x00007FFD5D478000-memory.dmp

Filesize
5.9MB

Download
memory/2752-1144-0x00007FFD5CD10000-0x00007FFD5CE83000-memory.dmp

Filesize
1.4MB

Download
memory/2752-1143-0x00007FFD6CC20000-0x00007FFD6CC43000-memory.dmp

Filesize
140KB

Download
memory/2752-1130-0x00007FFD5C990000-0x00007FFD5CD05000-memory.dmp

Filesize
3.5MB

Download
memory/2752-1009-0x00007FFD5C700000-0x00007FFD5C714000-memory.dmp

Filesize
80KB

Download
memory/2752-1005-0x00007FFD5C8D0000-0x00007FFD5C988000-memory.dmp

Filesize
736KB

Download
memory/2752-1119-0x00007FFD6FD70000-0x00007FFD6FD94000-memory.dmp

Filesize
144KB

Download
memory/2752-1098-0x00007FFD5CE90000-0x00007FFD5D478000-memory.dmp

Filesize
5.9MB

Download
memory/2752-997-0x00007FFD6FCD0000-0x00007FFD6FCE9000-memory.dmp

Filesize
100KB

Download
memory/2752-998-0x00007FFD709A0000-0x00007FFD709AD000-memory.dmp

Filesize
52KB

Download
memory/2752-999-0x00007FFD6FBB0000-0x00007FFD6FBC9000-memory.dmp

Filesize
100KB

Download
memory/2752-1003-0x00007FFD66F60000-0x00007FFD66F8E000-memory.dmp

Filesize
184KB

Download
memory/2752-1000-0x00007FFD6E960000-0x00007FFD6E98D000-memory.dmp

Filesize
180KB

Download
memory/2752-1002-0x00007FFD5CD10000-0x00007FFD5CE83000-memory.dmp

Filesize
1.4MB

Download
memory/2752-1001-0x00007FFD6CC20000-0x00007FFD6CC43000-memory.dmp

Filesize
140KB

Download
memory/2752-1099-0x00007FFD77B30000-0x00007FFD77B3D000-memory.dmp

Filesize
52KB

Download
memory/2752-1142-0x00007FFD6FCD0000-0x00007FFD6FCE9000-memory.dmp

Filesize
100KB

Download
memory/2752-1014-0x00007FFD5BEB0000-0x00007FFD5C5A5000-memory.dmp

Filesize
7.0MB

Download
memory/2752-995-0x00007FFD6FD70000-0x00007FFD6FD94000-memory.dmp

Filesize
144KB

Download
memory/2752-996-0x00007FFD76E80000-0x00007FFD76E8F000-memory.dmp

Filesize
60KB

Download
memory/2752-1006-0x00007FFD612C0000-0x00007FFD612D5000-memory.dmp

Filesize
84KB

Download
memory/2752-953-0x00007FFD5CE90000-0x00007FFD5D478000-memory.dmp

Filesize
5.9MB

Download
memory/2752-1007-0x00007FFD5D980000-0x00007FFD5D992000-memory.dmp

Filesize
72KB

Download
memory/2752-1012-0x00007FFD5C5B0000-0x00007FFD5C5D2000-memory.dmp

Filesize
136KB

Download
memory/2752-1013-0x00007FFD6FF10000-0x00007FFD6FF1A000-memory.dmp

Filesize
40KB

Download
memory/2752-1010-0x00007FFD5C5E0000-0x00007FFD5C6FC000-memory.dmp

Filesize
1.1MB

Download
memory/2752-1008-0x00007FFD5C720000-0x00007FFD5C734000-memory.dmp

Filesize
80KB

Download
memory/2752-1443-0x00007FFD66F60000-0x00007FFD66F8E000-memory.dmp

Filesize
184KB

Download
memory/2752-1477-0x00007FFD77B30000-0x00007FFD77B3D000-memory.dmp

Filesize
52KB

Download
memory/2752-1476-0x00007FFD5BE70000-0x00007FFD5BEA8000-memory.dmp

Filesize
224KB

Download
memory/2752-1475-0x00007FFD5BEB0000-0x00007FFD5C5A5000-memory.dmp

Filesize
7.0MB

Download
memory/2752-1474-0x00007FFD6FF10000-0x00007FFD6FF1A000-memory.dmp

Filesize
40KB

Download
memory/2752-1473-0x00007FFD5C5B0000-0x00007FFD5C5D2000-memory.dmp

Filesize
136KB

Download
memory/2752-1472-0x00007FFD5C5E0000-0x00007FFD5C6FC000-memory.dmp

Filesize
1.1MB

Download
memory/2752-1471-0x00007FFD5C700000-0x00007FFD5C714000-memory.dmp

Filesize
80KB

Download
memory/2752-1470-0x00007FFD5C720000-0x00007FFD5C734000-memory.dmp

Filesize
80KB

Download
memory/2752-1469-0x00007FFD5D980000-0x00007FFD5D992000-memory.dmp

Filesize
72KB

Download
memory/2752-1468-0x00007FFD612C0000-0x00007FFD612D5000-memory.dmp

Filesize
84KB

Download
memory/2752-1467-0x00007FFD5C8D0000-0x00007FFD5C988000-memory.dmp

Filesize
736KB

Download
memory/2752-1466-0x00007FFD5C990000-0x00007FFD5CD05000-memory.dmp

Filesize
3.5MB

Download
memory/2752-1442-0x00007FFD5CD10000-0x00007FFD5CE83000-memory.dmp

Filesize
1.4MB

Download
memory/2752-1441-0x00007FFD6CC20000-0x00007FFD6CC43000-memory.dmp

Filesize
140KB

Download
memory/2752-1440-0x00007FFD6E960000-0x00007FFD6E98D000-memory.dmp

Filesize
180KB

Download
memory/2752-1439-0x00007FFD6FBB0000-0x00007FFD6FBC9000-memory.dmp

Filesize
100KB

Download
memory/2752-1438-0x00007FFD709A0000-0x00007FFD709AD000-memory.dmp

Filesize
52KB

Download
memory/2752-1437-0x00007FFD6FCD0000-0x00007FFD6FCE9000-memory.dmp

Filesize
100KB

Download
memory/2752-1436-0x00007FFD76E80000-0x00007FFD76E8F000-memory.dmp

Filesize
60KB

Download
memory/2752-1435-0x00007FFD6FD70000-0x00007FFD6FD94000-memory.dmp

Filesize
144KB

Download
memory/2752-1434-0x00007FFD5CE90000-0x00007FFD5D478000-memory.dmp

Filesize
5.9MB

Download