exelastealer | 2cf23d3c7c672cd7eb6cf202938221f85516dfcf28543e8ac3aa08064920edab

Analysis

max time kernel
94s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
16-09-2024 23:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loader.exe
Size

11.3MB
MD5

66ec737afe283e53ad64c9cda9e920e7
SHA1

ac8ce4b38e8be27b652d4805da531f78bcf9b1d2
SHA256

2cf23d3c7c672cd7eb6cf202938221f85516dfcf28543e8ac3aa08064920edab
SHA512

d85bb8db13f55c655d30213c925ac6a767b3e852d7131960783fefd9dbf05f428b5878c3dee4c1d66fb6e8c154b8d50b39f595f0a179a07172804ba61978842b
SSDEEP

196608:94QbiRW39V0Jb3tQk5tAurErvI9pWj+NyPvzmespEcAIsTOg9FkCH:yQuRWtu7v5tAurEUWjuy3zafeTOg9Fk8

Score

10^/10

exelastealer collection credential_access discovery evasion persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2096	netsh.exe
2952	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3740	cmd.exe
2872	powershell.exe

Loads dropped DLL 26 IoCs

pid	Process
2596	Loader.exe
2596	Loader.exe
2596	Loader.exe
2596	Loader.exe
2596	Loader.exe
2596	Loader.exe
2596	Loader.exe
2596	Loader.exe
2596	Loader.exe
2596	Loader.exe
2596	Loader.exe
2596	Loader.exe
2596	Loader.exe
2596	Loader.exe
2596	Loader.exe
2596	Loader.exe
2596	Loader.exe
2596	Loader.exe
2596	Loader.exe
2596	Loader.exe
2596	Loader.exe
2596	Loader.exe
2596	Loader.exe
2596	Loader.exe
2596	Loader.exe
2596	Loader.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000700000002350c-40.dat	upx
behavioral2/memory/2596-44-0x00007FFFAD720000-0x00007FFFADD12000-memory.dmp	upx
behavioral2/files/0x00070000000234e4-46.dat	upx
behavioral2/files/0x0007000000023506-51.dat	upx
behavioral2/memory/2596-54-0x00007FFFB8010000-0x00007FFFB801F000-memory.dmp	upx
behavioral2/memory/2596-52-0x00007FFFB2F80000-0x00007FFFB2FA4000-memory.dmp	upx
behavioral2/files/0x00070000000234e9-68.dat	upx
behavioral2/files/0x00070000000234eb-70.dat	upx
behavioral2/memory/2596-77-0x00007FFFB7DA0000-0x00007FFFB7DAD000-memory.dmp	upx
behavioral2/memory/2596-81-0x00007FFFB20B0000-0x00007FFFB20DD000-memory.dmp	upx
behavioral2/files/0x000700000002350e-83.dat	upx
behavioral2/memory/2596-85-0x00007FFFB2080000-0x00007FFFB20A3000-memory.dmp	upx
behavioral2/memory/2596-84-0x00007FFFAE0D0000-0x00007FFFAE24E000-memory.dmp	upx
behavioral2/files/0x00070000000234ec-82.dat	upx
behavioral2/memory/2596-80-0x00007FFFB2E10000-0x00007FFFB2E29000-memory.dmp	upx
behavioral2/files/0x00070000000234ed-86.dat	upx
behavioral2/memory/2596-90-0x00007FFFAE000000-0x00007FFFAE0CD000-memory.dmp	upx
behavioral2/memory/2596-89-0x00007FFFAE3B0000-0x00007FFFAE3E3000-memory.dmp	upx
behavioral2/files/0x0007000000023507-88.dat	upx
behavioral2/memory/2596-87-0x00007FFFAD720000-0x00007FFFADD12000-memory.dmp	upx
behavioral2/files/0x0007000000023505-92.dat	upx
behavioral2/memory/2596-93-0x00007FFF9F460000-0x00007FFF9F989000-memory.dmp	upx
behavioral2/memory/2596-95-0x00007FFFB2F80000-0x00007FFFB2FA4000-memory.dmp	upx
behavioral2/files/0x0007000000023509-98.dat	upx
behavioral2/files/0x00070000000234e6-100.dat	upx
behavioral2/files/0x0007000000023511-103.dat	upx
behavioral2/memory/2596-110-0x00007FFFB1F80000-0x00007FFFB1F95000-memory.dmp	upx
behavioral2/memory/2596-109-0x00007FFFB8010000-0x00007FFFB801F000-memory.dmp	upx
behavioral2/memory/2596-108-0x00007FFFADF70000-0x00007FFFADF92000-memory.dmp	upx
behavioral2/memory/2596-107-0x00007FFF9F340000-0x00007FFF9F45C000-memory.dmp	upx
behavioral2/memory/2596-106-0x00007FFFADFA0000-0x00007FFFADFB4000-memory.dmp	upx
behavioral2/files/0x0007000000023504-112.dat	upx
behavioral2/memory/2596-105-0x00007FFFADFC0000-0x00007FFFADFD4000-memory.dmp	upx
behavioral2/memory/2596-104-0x00007FFFADFE0000-0x00007FFFADFF2000-memory.dmp	upx
behavioral2/memory/2596-114-0x00007FFFB3D20000-0x00007FFFB3D39000-memory.dmp	upx
behavioral2/memory/2596-115-0x00007FFF9E820000-0x00007FFF9EFC1000-memory.dmp	upx
behavioral2/files/0x000700000002350f-101.dat	upx
behavioral2/files/0x00070000000234e3-116.dat	upx
behavioral2/memory/2596-117-0x00007FFFAA3F0000-0x00007FFFAA426000-memory.dmp	upx
behavioral2/files/0x00070000000234e1-96.dat	upx
behavioral2/files/0x00070000000234e7-79.dat	upx
behavioral2/files/0x00070000000234e2-78.dat	upx
behavioral2/memory/2596-75-0x00007FFFB3D20000-0x00007FFFB3D39000-memory.dmp	upx
behavioral2/files/0x000700000002350d-76.dat	upx
behavioral2/files/0x00070000000234ea-69.dat	upx
behavioral2/files/0x00070000000234e8-67.dat	upx
behavioral2/files/0x00070000000234e5-64.dat	upx
behavioral2/files/0x000700000002350a-57.dat	upx
behavioral2/memory/2596-161-0x00007FFFAEC20000-0x00007FFFAEC2D000-memory.dmp	upx
behavioral2/memory/2596-160-0x00007FFFAE0D0000-0x00007FFFAE24E000-memory.dmp	upx
behavioral2/memory/2596-178-0x00007FFFAE3B0000-0x00007FFFAE3E3000-memory.dmp	upx
behavioral2/memory/2596-177-0x00007FFFB2080000-0x00007FFFB20A3000-memory.dmp	upx
behavioral2/memory/2596-180-0x00007FFFAE000000-0x00007FFFAE0CD000-memory.dmp	upx
behavioral2/memory/2596-181-0x00007FFF9F460000-0x00007FFF9F989000-memory.dmp	upx
behavioral2/memory/2596-186-0x00007FFFADF70000-0x00007FFFADF92000-memory.dmp	upx
behavioral2/memory/2596-185-0x00007FFFADFE0000-0x00007FFFADFF2000-memory.dmp	upx
behavioral2/memory/2596-190-0x00007FFFB1F80000-0x00007FFFB1F95000-memory.dmp	upx
behavioral2/memory/2596-196-0x00007FFF9E820000-0x00007FFF9EFC1000-memory.dmp	upx
behavioral2/memory/2596-205-0x00007FFFAE0D0000-0x00007FFFAE24E000-memory.dmp	upx
behavioral2/memory/2596-209-0x00007FFFB1F80000-0x00007FFFB1F95000-memory.dmp	upx
behavioral2/memory/2596-197-0x00007FFFAD720000-0x00007FFFADD12000-memory.dmp	upx
behavioral2/memory/2596-198-0x00007FFFB2F80000-0x00007FFFB2FA4000-memory.dmp	upx
behavioral2/memory/2596-228-0x00007FFFAD720000-0x00007FFFADD12000-memory.dmp	upx
behavioral2/memory/2596-245-0x00007FFFADF70000-0x00007FFFADF92000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela Update Service = "C:\\Users\\Admin\\AppData\\Local\\BattlEye\\r6s\\BEService_x32.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
65	discord.com
66	discord.com
67	discord.com
28	discord.com
30	discord.com
58	discord.com
63	discord.com
64	discord.com
27	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2284	cmd.exe
3924	ARP.EXE

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
4124	tasklist.exe
4528	tasklist.exe
344	tasklist.exe
1556	tasklist.exe

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4920	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2540	cmd.exe
2780	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
3656	NETSTAT.EXE

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
3452	WMIC.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5096	ipconfig.exe
3656	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3724	systeminfo.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2872	powershell.exe
2872	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1756	WMIC.exe
Token: SeSecurityPrivilege	1756	WMIC.exe
Token: SeTakeOwnershipPrivilege	1756	WMIC.exe
Token: SeLoadDriverPrivilege	1756	WMIC.exe
Token: SeSystemProfilePrivilege	1756	WMIC.exe
Token: SeSystemtimePrivilege	1756	WMIC.exe
Token: SeProfSingleProcessPrivilege	1756	WMIC.exe
Token: SeIncBasePriorityPrivilege	1756	WMIC.exe
Token: SeCreatePagefilePrivilege	1756	WMIC.exe
Token: SeBackupPrivilege	1756	WMIC.exe
Token: SeRestorePrivilege	1756	WMIC.exe
Token: SeShutdownPrivilege	1756	WMIC.exe
Token: SeDebugPrivilege	1756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1756	WMIC.exe
Token: SeRemoteShutdownPrivilege	1756	WMIC.exe
Token: SeUndockPrivilege	1756	WMIC.exe
Token: SeManageVolumePrivilege	1756	WMIC.exe
Token: 33	1756	WMIC.exe
Token: 34	1756	WMIC.exe
Token: 35	1756	WMIC.exe
Token: 36	1756	WMIC.exe
Token: SeDebugPrivilege	4124	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1756	WMIC.exe
Token: SeSecurityPrivilege	1756	WMIC.exe
Token: SeTakeOwnershipPrivilege	1756	WMIC.exe
Token: SeLoadDriverPrivilege	1756	WMIC.exe
Token: SeSystemProfilePrivilege	1756	WMIC.exe
Token: SeSystemtimePrivilege	1756	WMIC.exe
Token: SeProfSingleProcessPrivilege	1756	WMIC.exe
Token: SeIncBasePriorityPrivilege	1756	WMIC.exe
Token: SeCreatePagefilePrivilege	1756	WMIC.exe
Token: SeBackupPrivilege	1756	WMIC.exe
Token: SeRestorePrivilege	1756	WMIC.exe
Token: SeShutdownPrivilege	1756	WMIC.exe
Token: SeDebugPrivilege	1756	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1756	WMIC.exe
Token: SeRemoteShutdownPrivilege	1756	WMIC.exe
Token: SeUndockPrivilege	1756	WMIC.exe
Token: SeManageVolumePrivilege	1756	WMIC.exe
Token: 33	1756	WMIC.exe
Token: 34	1756	WMIC.exe
Token: 35	1756	WMIC.exe
Token: 36	1756	WMIC.exe
Token: SeDebugPrivilege	4528	tasklist.exe
Token: SeDebugPrivilege	344	tasklist.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeIncreaseQuotaPrivilege	3452	WMIC.exe
Token: SeSecurityPrivilege	3452	WMIC.exe
Token: SeTakeOwnershipPrivilege	3452	WMIC.exe
Token: SeLoadDriverPrivilege	3452	WMIC.exe
Token: SeSystemProfilePrivilege	3452	WMIC.exe
Token: SeSystemtimePrivilege	3452	WMIC.exe
Token: SeProfSingleProcessPrivilege	3452	WMIC.exe
Token: SeIncBasePriorityPrivilege	3452	WMIC.exe
Token: SeCreatePagefilePrivilege	3452	WMIC.exe
Token: SeBackupPrivilege	3452	WMIC.exe
Token: SeRestorePrivilege	3452	WMIC.exe
Token: SeShutdownPrivilege	3452	WMIC.exe
Token: SeDebugPrivilege	3452	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3452	WMIC.exe
Token: SeRemoteShutdownPrivilege	3452	WMIC.exe
Token: SeUndockPrivilege	3452	WMIC.exe
Token: SeManageVolumePrivilege	3452	WMIC.exe
Token: 33	3452	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3112 wrote to memory of 2596	3112	Loader.exe	82
PID 3112 wrote to memory of 2596	3112	Loader.exe	82
PID 2596 wrote to memory of 1948	2596	Loader.exe	83
PID 2596 wrote to memory of 1948	2596	Loader.exe	83
PID 2596 wrote to memory of 4860	2596	Loader.exe	84
PID 2596 wrote to memory of 4860	2596	Loader.exe	84
PID 1948 wrote to memory of 1756	1948	cmd.exe	87
PID 1948 wrote to memory of 1756	1948	cmd.exe	87
PID 4860 wrote to memory of 4124	4860	cmd.exe	88
PID 4860 wrote to memory of 4124	4860	cmd.exe	88
PID 2596 wrote to memory of 2372	2596	Loader.exe	90
PID 2596 wrote to memory of 2372	2596	Loader.exe	90
PID 2372 wrote to memory of 3808	2372	cmd.exe	92
PID 2372 wrote to memory of 3808	2372	cmd.exe	92
PID 2596 wrote to memory of 3700	2596	Loader.exe	93
PID 2596 wrote to memory of 3700	2596	Loader.exe	93
PID 2596 wrote to memory of 4156	2596	Loader.exe	94
PID 2596 wrote to memory of 4156	2596	Loader.exe	94
PID 4156 wrote to memory of 4528	4156	cmd.exe	97
PID 4156 wrote to memory of 4528	4156	cmd.exe	97
PID 3700 wrote to memory of 4836	3700	cmd.exe	98
PID 3700 wrote to memory of 4836	3700	cmd.exe	98
PID 2596 wrote to memory of 3916	2596	Loader.exe	99
PID 2596 wrote to memory of 3916	2596	Loader.exe	99
PID 2596 wrote to memory of 1200	2596	Loader.exe	100
PID 2596 wrote to memory of 1200	2596	Loader.exe	100
PID 2596 wrote to memory of 2856	2596	Loader.exe	101
PID 2596 wrote to memory of 2856	2596	Loader.exe	101
PID 2596 wrote to memory of 3740	2596	Loader.exe	102
PID 2596 wrote to memory of 3740	2596	Loader.exe	102
PID 3916 wrote to memory of 1660	3916	cmd.exe	107
PID 3916 wrote to memory of 1660	3916	cmd.exe	107
PID 2856 wrote to memory of 344	2856	cmd.exe	108
PID 2856 wrote to memory of 344	2856	cmd.exe	108
PID 1200 wrote to memory of 4912	1200	cmd.exe	109
PID 1200 wrote to memory of 4912	1200	cmd.exe	109
PID 1660 wrote to memory of 2656	1660	cmd.exe	110
PID 1660 wrote to memory of 2656	1660	cmd.exe	110
PID 3740 wrote to memory of 2872	3740	cmd.exe	111
PID 3740 wrote to memory of 2872	3740	cmd.exe	111
PID 4912 wrote to memory of 2860	4912	cmd.exe	112
PID 4912 wrote to memory of 2860	4912	cmd.exe	112
PID 2596 wrote to memory of 2284	2596	Loader.exe	113
PID 2596 wrote to memory of 2284	2596	Loader.exe	113
PID 2596 wrote to memory of 2540	2596	Loader.exe	115
PID 2596 wrote to memory of 2540	2596	Loader.exe	115
PID 2284 wrote to memory of 3724	2284	cmd.exe	117
PID 2284 wrote to memory of 3724	2284	cmd.exe	117
PID 2540 wrote to memory of 2780	2540	cmd.exe	118
PID 2540 wrote to memory of 2780	2540	cmd.exe	118
PID 2284 wrote to memory of 2752	2284	cmd.exe	123
PID 2284 wrote to memory of 2752	2284	cmd.exe	123
PID 2284 wrote to memory of 3452	2284	cmd.exe	124
PID 2284 wrote to memory of 3452	2284	cmd.exe	124
PID 2284 wrote to memory of 228	2284	cmd.exe	125
PID 2284 wrote to memory of 228	2284	cmd.exe	125
PID 228 wrote to memory of 220	228	net.exe	126
PID 228 wrote to memory of 220	228	net.exe	126
PID 2284 wrote to memory of 4952	2284	cmd.exe	127
PID 2284 wrote to memory of 4952	2284	cmd.exe	127
PID 4952 wrote to memory of 2748	4952	query.exe	128
PID 4952 wrote to memory of 2748	4952	query.exe	128
PID 2284 wrote to memory of 3680	2284	cmd.exe	129
PID 2284 wrote to memory of 3680	2284	cmd.exe	129

C:\Users\Admin\AppData\Local\Temp\Loader.exe
"C:\Users\Admin\AppData\Local\Temp\Loader.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3112
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4860
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4124
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\BattlEye\r6s\BEService_x32.exe" /f"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2372
  - - C:\Windows\system32\reg.exe
      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\BattlEye\r6s\BEService_x32.exe" /f
      4⤵
      Adds Run key to start application
      PID:3808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3700
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:4836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4156
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3916
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1660
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:2656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1200
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4912
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:2860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:344
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:3740
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:3724
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:2752
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      Suspicious use of AdjustPrivilegeToken
      PID:3452
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      Suspicious use of WriteProcessMemory
      PID:228
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:220
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4952
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:2748
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:3680
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:4680
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:4336
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:1532
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:2836
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:2108
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:2908
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:4596
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:2488
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:1556
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:5096
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:1632
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:3924
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:3656
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:4920
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2096
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3900
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4984
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\ConvertFromBlock.docx

Filesize
793KB

MD5
ab8b8a0fda729b9a6365da4f51280289

SHA1
9218855f907c496f931f7420f0e76242b6dae083

SHA256
4ce801fd0ca9c3eff22c4986b0a6e0375f1fa02dd399889285ccd911b61e9444

SHA512
a69598b006a4eea2338dce26b27e7fedd0e9d2984f05a2695a09351dc7f8825df304e01b8e76b737c1cbd95a1591fe294f7efb6a00f7f06c340ce76640e97f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\CopyBackup.js

Filesize
389KB

MD5
d9c8580af53651a5de87805bdfef07e3

SHA1
09270e22bb73d2424ef780e9625ca573d8b8c899

SHA256
1404dd81764364b1b6a47aa015c8fc9dba8dcae625f72b09e55a7bef437efc71

SHA512
37099df8e308a3657c69b2541a461d4e5a4ffdc80ba16602ac0d20729c333066d18b9a0e20a3de76bc86f8b17df2137b9abe46a5dff21f0aa4b729b587535291

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\PushClear.mp3

Filesize
1.0MB

MD5
c50f379e97bba3f95745996aa2410ee8

SHA1
1f9b472903e36a673c8e8193d3cc754f27421ae4

SHA256
68aec141cb57a5309f4a9c4273e7f26204a60853561dc0aefd8f139f3ccc7a08

SHA512
9e2794bc343dd92ce1ac2b35e8cc0a417954f3dd92216c2c68c1fcbad426718aaafad7bd2cff121fff0f64735cdc2ed9ebf0727b98a6f897747099870c70b62d

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\RenameBackup.docx

Filesize
12KB

MD5
166af12004128e65d15c754bd480cfa4

SHA1
1c3db1eb29e0557dac6b5a1a023fb07f046da68a

SHA256
3fb5bc8388fc890191608bd5916a60aaf96146968f5b3f6d0dbf7c5943060890

SHA512
a7fc1450d67586a705135d072e8f84d9a13c12c5801976b31355a71831c21a786ec6de009f0c3edcf07f4b7f84e54eca232b9b81ff59dee71c1d389a3cb185f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\ResolveMount.xlsx

Filesize
10KB

MD5
539194d78c07393905f2de986f4c58ce

SHA1
bfc1827cde4dfc1912ee8f9e95da2983a6fe8eb3

SHA256
d1ea1c0dcd3cc5337100714b6c4d19d2c2ac2a5b400d079368fdab89b1397a9b

SHA512
048d4a3ce663392e195d8feab9d9afe0ef75b76812112572bc91c5c7b976a797e7128206c83ec682e257f1a588c3c302b4eea09d7be37ab5faf7f9394a14e9f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\SaveRestart.docx

Filesize
18KB

MD5
dd390776dc022b114ae2b44a160b438c

SHA1
3332e7138531ce167f58fdff7e410b92f1a5ca2d

SHA256
34aa9b01eb14cab9fbce63d09a0121dba4ddc1fd83c8232a8e20af3855e1937b

SHA512
6bb612eea3938142eadefac98baa60d298df4ce4edf56949886c053557135ecb8e0c16d7f1e0e1de05b7ebabc6c45865700575648e2d598c082c92ebb17d303e

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\SearchNew.xlsx

Filesize
13KB

MD5
f50d9e5fd02201070734ed0f17d7aa26

SHA1
1f69acb8779597f52103e221b657389c97a7cb6b

SHA256
36de67eb17ec105b679c97e43aface1d500c33f0fb734972293973c72ac8ea6f

SHA512
3e38a75a8dde29ec5af409e05494b801df3d94a64b206f68a4a8aecda0872217ba11519c6f73dd0e04825b644f1dd95959e65edb58a51de67665529ffd2c34ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\SendConvertFrom.docx

Filesize
12KB

MD5
042d8f7a6b5c2945ddbebb4660f7fbd5

SHA1
034608f0d435e5d8dea4714332159193eb371794

SHA256
f5563630272de3b9cb740b2c430451a693f45d0d1c583dc3b39e326a3ad77703

SHA512
4673776f55c729051ca0d2e2c3a860f6e48d071fdc89117c4c61b07986e71b1e6801028fecd2d99caa3408cbfd2f12188e03796c35b23b8bacc1149f2132a7fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\StepSwitch.docx

Filesize
17KB

MD5
edf0a9579876c797f003ab0e55a1b28b

SHA1
9ef704847eea1f6623ef2cd4e662f326d15c2cb1

SHA256
318df8bb1c08448eecff6397048b3c12512d6f5fdeba3b34ed924d2968eb87eb

SHA512
01ef7f3e7ec83888947b71313ea3d172e2a5deb4e93f3b86117586f96547612438405f686ab746dd4e3b7d22b963ac7ce05abd08930736996389dddbdcc0a0e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\TraceMove.zip

Filesize
1011KB

MD5
c7764774b8b914d0bfc89e2ea74ca1db

SHA1
2481488b3b8acf922791c3ac0d4fb5c6c23c541d

SHA256
97550f2902c00e1223b55f841230722540130a20ac139b6076cc4df395b91547

SHA512
0c760c96153da2941cde42216bbd104882c81607f68a79309acb3c167c03e610ef76e9a7ba67960be78fe9b94d1bd6055f3810223978285b6a75be1dfaab8414

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\ReceiveSuspend.xls

Filesize
1.8MB

MD5
4636c64157f1fa60775fdbca111d0200

SHA1
01debee564ca2d737bf05e00b5f3f2a7426f45a6

SHA256
e5884910c4abd51ce0a2e6d9a5e92ab012a0a5173776ce86e9370ac78a509ef9

SHA512
bbd9258ada7b64126c3c1b187cfaaf91bc5cd921b4188241295a278d3c41d3018bb7f0e50e848055fc06990eb0eab93a77d49c20c00c0f956b7df8d08c6c9982

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\UnblockResolve.txt

Filesize
1.2MB

MD5
2923cef06855e4b333908e373368cb26

SHA1
0fdfa9b6753806f19636b68cdb6b7133421a121d

SHA256
3496f68c8d8a3f8311dc00197853906a9bd5fa6e0816b0815db0e65ae39186d9

SHA512
8ba04c5e7c7e2d00eac0e0e1a250db760784662f979edd4c3c9546864cabe7044e5c3718964d1013ea3e80e10b8e3e7c80fa969cdf9b997c3e70ff568f264b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\UninstallCompare.xlsx

Filesize
14KB

MD5
a8410c13ceb41e1adf4682caffaaa467

SHA1
7ed4f45f771ae55218f9a1edc0ded7af45224696

SHA256
40bf2d32d778020f8346069f6c013ebd426c65f44a9996712b64923c12e52bab

SHA512
51918a8d1927aa728a6e5cf5f7790bed8ece03811cbab564c1d86bed394370f0780470dca06f32ec061890af6aad322978408dec69ed2476afca35a6800420e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\UpdateConvert.csv

Filesize
545KB

MD5
001fcbfce2e97cd0d00bf4275a31573c

SHA1
bf2291211394f3c060801a874cac9a62d075d058

SHA256
3dc72d065516164adb9587f504db619625c3b4234196d04fa4a221e37c8cfa4b

SHA512
a10053aadc78b75bdc10bd117f035dc045c1199e8eb0688fc7608eef5cf5e357e5d5cdd2ad676da346893667981333b3ad09c20a0579782197c0dafbdcc4195a

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\WatchUnblock.docx

Filesize
16KB

MD5
ead83d052c867239f04482478101a165

SHA1
0511bdaeadafacb9cd214212a0f450875a0bae70

SHA256
77057a6bd96f4516bde57ff66032124f7d1f4d20cafe72319ff89678d7d69d60

SHA512
f055d56400df478f3f4c106f0731197fa7dfbb978757e04f84d05e5a968e04743078d394597af89006c0ff79a5177bc24551bf27227e2f31c7b64ab00ffd55d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\AssertSkip.jpeg

Filesize
699KB

MD5
604e12b2a6299c8c5749cd14d5746e50

SHA1
e2a8110d2ecc222193d38c0e5a98672b8a54886e

SHA256
2848f7e82232aec5fd87471e379eb7d3f07065e70f4ce88ee9b42699e2be74d2

SHA512
00554cda3e72692f468e1d3b4deb544b94a7d535b159014a5476e34c2eda2313d3180184d28a58b136976ae0e18987706b6ff1a9dbe61f900429539082a96ed4

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\DenySplit.xls

Filesize
488KB

MD5
88b8a7183af2acf9d1a4f7b7dea6a3fa

SHA1
e1c816f4ca78c6d5500a8a7ed95a9b16a4d97eba

SHA256
0e4ef46072621bce21ff3e2dc73d482e904e9d2b8050a60a3d77decc7451ce4a

SHA512
588e0aef206929480203a7f6faff2c60178b0b98fffcbd86c8ad035626c69bd9596f77e9e084b37c425ecfa706273b2031dd8f6c0495ab733808b4aece746646

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\ResizePop.pdf

Filesize
549KB

MD5
512ddd9a2d7edb2c88e4749f9a78cc37

SHA1
3afcdff2a27e8a5944ca51965030e6058d812333

SHA256
07523fd3ad6a5d04604d1767171c6a22df2ca29411c7be0f6ed313bced476acf

SHA512
f940cc4c123fa14fc74220852219b57b60210d3809f9bc4da35eccaa855b6f7bddcad292ce8774907e96e5ee66643b0f073e71827c793f9774813afcc555ed91

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\SuspendMerge.docx

Filesize
383KB

MD5
919fe915312cebb626fa5381d8c4a1af

SHA1
66f39c25cd6a4ca545e1cfb3fd9c0a2aa04f5994

SHA256
9a9620dac971101f70c7201f6f66570d67b0afc5b701326baf668fb37a719c2a

SHA512
6589ceb118f6f88e4fb21922b90607c76a9fd275420090b69cb636eed04d03259397eacd5a1865e32e4c482bbd5041ac624a2a3b513fd0b0be865b34465bc64f

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\BackupTest.emf

Filesize
396KB

MD5
bc180b482aa00383dbc904d9784841f9

SHA1
4a0eb64bcb3373f8cd161cbfd0192c69f6c77f0a

SHA256
a0ec8c263cff3c2bdde16361bf42fbaebe3289b255bae09806eb6eb6ea3cb3c9

SHA512
a756b003f88247cd8a7db064af0205622d92297bd4703c9b04cae85d0327fca8fd771d1f32a2740b724c6c9a14c406cbf76248051c8cdf20444d2c1f1cadbe96

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\ConvertToMeasure.jpeg

Filesize
364KB

MD5
824a2ef124315268f45da9903d2baf67

SHA1
14a7434f3ee784869b8f955e553d6db32dc223e3

SHA256
4b0d17dd38681716e9ba5a3d185b3ad0c7c3bf0ef407a097c0cc6e89b1600d83

SHA512
b547deb1a221372019beb3c7c44ee92f8ba7c1af18ddb3b435dcc0ff1dcf0907a65bf93215f930d8140241ff61a9a9632a8d2101eb5ef35b14ade759ca153464

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\EnableComplete.xls

Filesize
440KB

MD5
95379b6cc9db01b4c58c04965765f6ba

SHA1
e97a076606121da8a9286f4b793003936943cfff

SHA256
e8246c63b8a6c4e6b95df026ec2d0511ef25a858414ebb553aa8341969f060cf

SHA512
55bdadec000715f59e2263e403d9d0cdae82fbae68fc344a09184ab2c34086a8e7b64a6cdc74cfb9bcffb63cbd2122dc6e30c9a7754c4271fa08eef056f4cfa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\LockBackup.wpl

Filesize
287KB

MD5
740d2c3896ae5c631a747c83386f0a69

SHA1
d65a29bda43ad5b5f31a62b1d7319260e2661a57

SHA256
21509dbf66b3759bdae0eaef13db180e44b17e5394c444638665ccbc7840ae27

SHA512
8420820e7c1b7e138437ec41f4980fcacb0a08415b23bf637fe98548bcc6e55ceeb069c2c6f462192ce035660cc9a633f6a6ac67ebbc2e329487920eb82aafbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\ApproveUnlock.jpg

Filesize
694KB

MD5
5832f95c66f218becaabd64fb7b5c274

SHA1
adaf67ac830a165fac1c9678dd00a414195625e5

SHA256
44584c975a184dddd80b5134f6fe11e302300b032402befd3da95aac8b9f61f4

SHA512
4e540d03bf86579c176ced3242a4c66bfb47d22616d6af5b796e042f5432f5ade1cd9c9cb2ec7b02ffb0e502ce5d78ca31fe775b93b9f68ac78874b0ad33d132

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\BackupMount.cr2

Filesize
255KB

MD5
4b37b1b986ed50654c6ed8d9aadb9923

SHA1
d76cf46223fa4b8487f1f0319254c5a2b6289ac5

SHA256
35d38587a7ee39f112ebb56f485b0bf04584e70614d617f689935ba0cd757ccb

SHA512
e4123b2931ee2cd2a3d053029ea056d6ba7b2d42546ccef5d9320400e38603b6f4ec3ade2e87b84b55ecb61c3798e7238d3396ec7d97095e7ad522852a5eb5d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\ShowStep.jpg

Filesize
566KB

MD5
cb8ff17c426ca24300117735a291fa87

SHA1
d8ce21b8e56b788a86f6df7a17968eeb6ce622c6

SHA256
f8e2827d50fcaad37299d2c508ad3a4250869a53044cb6b99a09f4570e3292e9

SHA512
4ffede7324971dd2a09d9175acc637d347ecb7aa9439609d351298f05057f3f15c9954848cd46638f66dfabe0112c8e80ff2ae341a76bda44d5301bab085ebc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\SyncAssert.jpg

Filesize
368KB

MD5
dc855f58ede1e172efabb91ec381ada1

SHA1
18d874360ca53a8901d4e57eec2e952c602111b4

SHA256
17a0c8880a79b169a3813a4b570ff21e808cab737930e3cd65c7823311acb925

SHA512
354a12a7a1f99dbcfe9df0af62aa3efebf72a3bea70f0f41f23e4226e093a73c884813316ee8e71bcfb3315a2783a042d21d0b45e8fdaa0db4850cd3b85cf8c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\SyncBlock.jpeg

Filesize
340KB

MD5
86f396d3c1a2d54e84f00e8a2689c243

SHA1
7735fcd1539fd09ff52a7e074bcceb29905ff396

SHA256
539bde786c32940d9fc2714f532991af84a73e839c611c8962591222008266ff

SHA512
923e12baa41e601bef7ac7ab49c5be2937d633724b7136605ffddbf6898f89b3c7609a8303938aee07d0255c54a2e057b1829d8b21f9aeb54e3b6ded34f0f1b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31122\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31122\_asyncio.pyd

Filesize
36KB

MD5
968c9bdb22385a9acc74f64d2730b82f

SHA1
23e48219e2485ecca147cf238e3a236dbc784172

SHA256
facd0082b1cb25b2160e879f1695286f19f624eb419b303d2c793ca5df60ca30

SHA512
ed35112b6f3ff17f7427bcab73bcbd0aea86c711b7887bfd811e50c9782b10868b31607ffe74efcd94e013d1056f0fe8920aa1d5a38af3b89ffbbbc02313729c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31122\_bz2.pyd

Filesize
48KB

MD5
b1197cbb61a144d40a142794794bd087

SHA1
40b3a4f1e92f4757fa8934fcfa9af8b2fc0ed419

SHA256
f5a753fd08c3282945e42c33d8a98a19b9a6e836d0539982b8687519a39a1ee4

SHA512
2f2d1450bf76ba18b5d6ad7914032e1d2aa0a046e2f4f452010ee17d55c12f461c51820f8a6fb0cab2f868081a5531825f95909fea040020bceb621f4daf61e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31122\_cffi_backend.cp311-win_amd64.pyd

Filesize
70KB

MD5
3ee19e638459380934a44073c184b5c0

SHA1
6849d2f9e0920564e7a82f365616d6b763b1386f

SHA256
d26943222b0645c4d00f29fb4e0fb234ab2b963d8d48f616f204d8ae644c7322

SHA512
a7985b0acc57b635ed88b4945e72919c48c203bdea2f85659f0169ad3778ffb405e579d4bfcd9fc8d9752d10bec2f1cc793ac4e0c2cb84f4ce5b2297cd468d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31122\_ctypes.pyd

Filesize
58KB

MD5
c687c554a505abcdf2d4b4a8d1aa9884

SHA1
b526045c347423e301e37576eb1e7f98619a70d9

SHA256
335a36fd21131736d36d8d8d947ab581b62da9ecb9c826a17b105bc9809ff0e6

SHA512
23a31a3238fe64fde854a484360874bfe3962654262b54e6bfae61fcb88913755c6b6af5c62ffe8d006d9f87c971d143b085e407d261853e62963ee1ec356d7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31122\_decimal.pyd

Filesize
107KB

MD5
c37a105d9ec12601d2acce4f88810525

SHA1
57162af595cb95a0113930c78b83e7c040c66dc9

SHA256
75116a31531ac94c64b55c3f196c9f2e9ce542de4dadcf53f6bf4689aebb0404

SHA512
2b9c82e4a52ed0cf665191abe30e053825c88326876c8b0559e3651b4489e1f673496594ee8aa47a8bf1e5cf4e6b51d98abde9beae777dbd8fdd21761788855b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31122\_hashlib.pyd

Filesize
35KB

MD5
317ba9022f97eb628cb9e521dbb2b9df

SHA1
068e21131b04f9ccaa76d7f2f6fcde74771edd6c

SHA256
20c349f724bae26833c7d9116e8cc386604347de4bd256a9b5feb0c8721c74a2

SHA512
68bf729c481934eb1cecc3c6f9bf4f7c9485dcf60d1b50bfed33abecf385e39e80034f5ef640e31ecb921009544dea272de814204881a41069cb002e7c2e7e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31122\_lzma.pyd

Filesize
86KB

MD5
b0f3f0c44c3b21f41b3c230e82a0863c

SHA1
043304430233d7ed86a4b0a2aa39295e09f68abc

SHA256
e87e765d0e93f3316a0ec077c2ddfc8a0052a8dbc052243cf8024b72dc48aba3

SHA512
851838d4a27dd6ab64c1a8316affc8e937590635e1b1fdd5946231264e3f3804404153d79cc3b9406a575a85b97380ace72c61a806d4e5fd2fce8c222235632e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31122\_multiprocessing.pyd

Filesize
26KB

MD5
b71b425e4e8d2005c24914cac2e07dfb

SHA1
eeb09f8d07db33145227106f151ee65125e5e63c

SHA256
7786553b1bd13b974953ad61fb106e33499e5c83f23a064926a8b30a32008c06

SHA512
04b16c086caf30451d3af72a992e5686f821f84982603807a265f6ffb38cbd45e9bb487c1f3858de8821c7c7009f20a9911e8db90ea7da7ab0e8ad872837d4b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31122\_overlapped.pyd

Filesize
32KB

MD5
cd71490c6e7d901ab199f1b0acdef271

SHA1
d335e44e3981aba8b725729488d601fec8189d36

SHA256
aa7b3e8b84e59570a35684aa4da569de326906287d5b9a3c7edb3f58f0f9ecc1

SHA512
0aa55d2e6dc1bed7bcdfc2cdbdf5e8931984ddee1ebdcb4ee6a47a644465d76a16b7a05fd89576a716060fbf52b1dee85450cc718783e041038211ee4f65e27c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31122\_queue.pyd

Filesize
25KB

MD5
50193d6efb24bbbe71c91f3fd67016db

SHA1
4430b536c28fae540604e55e5da7a407153f73e3

SHA256
c1c157729971e36b8468b193c0ca31836c13fe2cfb73069b2cb81bc2a2dc0854

SHA512
854b54cbe823385e4ba5e5f5ff836a06ea584f3ffa3c5d0b7f5fc1df2c882bf2c46be392b79c97a21e2cbb506b07b1ea20cb39fcc29778fa9601fe479ea6f732

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31122\_socket.pyd

Filesize
43KB

MD5
b8e0eb05b9003f674add1812450d8744

SHA1
02b7ea2464684855641aeb9ff8bc25eef85fe4d1

SHA256
9aa4c25028386dd47b75df4a92f3a67d24d76f1775997dd34de06455c2e8606e

SHA512
be3114334509f909ed37b4222208bc1454ce1af09f06a08de56d14e4c34ee8430b8aff24d1a700c3aad0a0c6bf563294416932907f95ed204b9099c64d0ae26f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31122\_sqlite3.pyd

Filesize
56KB

MD5
72773e28b3c48f37fb02c2ee214faa20

SHA1
dae79e4806fc0e1c87a24dc23e8787a0d2ce90df

SHA256
b912d4b8dd19177e450be061c3ec92e96b776e0cc3d2d0cc1e7d4f2eb7151b8a

SHA512
2542fd126ac04dc57f2e18aa854c77ffba88a7201f96eaf86c58959921b1247895006d6a82446ff638a356c075c5379b0bde86932c662f96d0603f7f944392e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31122\_ssl.pyd

Filesize
65KB

MD5
d0b4a3bb3b4b18e5d961cd664555e6df

SHA1
37567f9f5c6f9fefeede3f11f0a310f498406a23

SHA256
ac42e39a40cdda0bdd1d23d34cc4f47779498ebc707b9dd4cb83f5b54eb8e9e8

SHA512
db526d3e601a90f9d265dad389816d948047c2a71dce53e73331deccbd0290c5761bf0af7a77122ddc6391c475b277ebd02903e3d941b1f34034eadb83f66481

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31122\_uuid.pyd

Filesize
24KB

MD5
cc2fc10d528ec8eac403f3955a214d5b

SHA1
3eefd8e449532c13ae160aa631fdb0ad8f6f2ea4

SHA256
e6aa7f1637e211251c9d6f467203b2b6d85e5bc2d901699f2a55af637fa89250

SHA512
bf18089bd0b3a880930827d2035302060ea9db529ad1020879e5be6de42693bd0a01b40270b4e93ceaea3cfed20dad1e2942d983cde8bb2c99159b32209b34bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31122\attrs-24.2.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31122\attrs-24.2.0.dist-info\METADATA

Filesize
11KB

MD5
49cabcb5f8da14c72c8c3d00adb3c115

SHA1
f575becf993ecdf9c6e43190c1cb74d3556cf912

SHA256
dc9824e25afd635480a8073038b3cdfe6a56d3073a54e1a6fb21edd4bb0f207c

SHA512
923daeee0861611d230df263577b3c382ae26400ca5f1830ee309bd6737eed2ad934010d61cdd4796618bedb3436cd772d9429a5bed0a106ef7de60e114e505c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31122\attrs-24.2.0.dist-info\RECORD

Filesize
3KB

MD5
8037e693eafed6c3d0cce916babb50c4

SHA1
2321392aab7ae3a6a78248e5d5f454124d368ec1

SHA256
688073f6556808d9139fea52bec3802d8c0d7ce07978b98aae8db5c98facc0df

SHA512
95b9e6b8f946d2617098c338441afc5a555ff208947d5731e09ee17b959655161c397f57e14827a95a8fd4554de8c6e426dc316f858510ae4aa7ca8723c4cf51

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31122\attrs-24.2.0.dist-info\WHEEL

Filesize
87B

MD5
52adfa0c417902ee8f0c3d1ca2372ac3

SHA1
b67635615eef7e869d74f4813b5dc576104825dd

SHA256
d7215d7625cc9af60aed0613aad44db57eba589d0ccfc3d8122114a0e514c516

SHA512
bfa87e7b0e76e544c2108ef40b9fac8c5ff4327ab8ede9feb2891bd5d38fea117bd9eebaf62f6c357b4deaddad5a5220e0b4a54078c8c2de34cb1dd5e00f2d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31122\attrs-24.2.0.dist-info\licenses\LICENSE

Filesize
1KB

MD5
5e55731824cf9205cfabeab9a0600887

SHA1
243e9dd038d3d68c67d42c0c4ba80622c2a56246

SHA256
882115c95dfc2af1eeb6714f8ec6d5cbcabf667caff8729f42420da63f714e9f

SHA512
21b242bf6dcbafa16336d77a40e69685d7e64a43cc30e13e484c72a93cd4496a7276e18137dc601b6a8c3c193cb775db89853ecc6d6eb2956deee36826d5ebfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31122\base_library.zip

Filesize
1.4MB

MD5
4b011f052728ae5007f9ec4e97a4f625

SHA1
9d940561f08104618ec9e901a9cd0cd13e8b355d

SHA256
c88cd8549debc046a980b0be3bf27956ae72dcdcf1a448e55892194752c570e6

SHA512
be405d80d78a188a563086809c372c44bcd1ccab5a472d50714f559559795a1df49437c1712e15eb0403917c7f6cfaf872d6bb0c8e4dd67a512c2c4a5ae93055

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31122\cryptography-43.0.0.dist-info\METADATA

Filesize
5KB

MD5
1682e8458a9f3565fd0941626cbe4302

SHA1
e5937d80b6ba976905491c9dbd8e16d0226795b5

SHA256
24f9838874233de69f9de9aebd95359e499498508d962b605d90186288d7d8c0

SHA512
2dc669a07dd263c967d637ac2e76ed3788830d96b91e256e16125997c4e3a68d268dc220c056bbfbc3b5e7def7d063b776d9d1da303a840ff203dae668d7a366

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31122\cryptography-43.0.0.dist-info\RECORD

Filesize
15KB

MD5
b4a0dca5a787b3c351dd3b888414a636

SHA1
bf078ce3a34f915c3492e46003a7c2b902870fb0

SHA256
d7b58bbd7b4c6d2cb7598431cc029f63a51c16b810e2eb99aef34b951c315149

SHA512
8e77f7f30d86a6de0268b59be13af1f097bd29bdf9d64e97a33a0cec0226c9fb24ee1b29145f217b1e8c3608a364ad32318bb10c73872e0feb655bb41b890ed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31122\cryptography\hazmat\bindings\_rust.pyd

Filesize
2.1MB

MD5
073606ea92928af7b2863782c0114949

SHA1
ec7b4dbf415af6a071a6ca3a0d4f4a0cf544515c

SHA256
9be10e3f170875a5b3e403f29d7241bf64957c01bfcae3504f5576578183610a

SHA512
5cd48348b475c9de7c2c8d85f36a1f8cf63ee5ee2bde60e2e5a1026f0e877b4c686ad07ab37c8ae37b46b719233b28aa699ce5a2fedd0247c7607da6e519a11e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31122\libcrypto-3.dll

Filesize
1.6MB

MD5
443fd07a22ff1a688a3505d35f3c3dd1

SHA1
ab9f501aa1d3d523b45f8170e53981672cd69131

SHA256
f9c87ec6401039fd03b7c6732c74d1abfdb7c07c8e9803d00effe4c610baa9ee

SHA512
1de390d5d9872c9876662f89c57173391ecd300cabde69c655b2ade7eea56e67376839607cac52572111b88a025797060653dc8bb987c6a165f535b245309844

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31122\libffi-8.dll

Filesize
29KB

MD5
0d1c6b92d091cef3142e32ac4e0cc12e

SHA1
440dad5af38035cb0984a973e1f266deff2bd7fc

SHA256
11ee9c7fb70c3756c0392843245935517171b95cc5ba0d696b2c1742c8d46fb6

SHA512
5d514ecab93941e83c008f0e9749f99e330949580884bf4850b11cac08fe1ac4ac50033e8888045fe4a9d8b4d2e3ea667b39be18f77266d00f8d7d6797260233

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31122\libssl-3.dll

Filesize
222KB

MD5
364a71831c9bd0a09eeeceb6980c58c7

SHA1
9d084ccb83e12ddccd17250a009362d720e6271c

SHA256
3b20fb46f41234f8f7bbe342cfebfbbce5708d963cf5c7792d1237a1bc7b2676

SHA512
5abe19130f9306fd6fc3644412ef6c8c5b7da970cfaed69657a6cb62d431abfbba64fefcbfa82910d17d744e299e3ba5036bd490223b2bf28689cf2e70633dce

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31122\multidict\_multidict.cp311-win_amd64.pyd

Filesize
20KB

MD5
eeaded775eabfaaede5ca025f55fd273

SHA1
8eefb3b9d85b4d5ad4033308f8af2a24e8792e02

SHA256
db4d6a74a3301788d32905b2ccc525e9a8e2219f1a36924464871cf211f115a0

SHA512
a6055d5604cc53428d89b308c223634cd94082be0ba4081513974e1826775d6e9fc26180c816d9a38fead89b5e04c5e7cf729c056bfae0ed74d6885c921b70ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31122\pyexpat.pyd

Filesize
87KB

MD5
9de8f95d45076b3d3110684f3ceb4877

SHA1
99a1c34570fa93ded22e058c8d2b3bbbe0fb847e

SHA256
e4835a7e4de244565003592894e57e8ce722901edf14abd9876a64fcdccd40f6

SHA512
76b854106519fd6e66f1db140c2d0dcaec5f9159527e22279ee2ed7015df2527197084ef91fd96572e5338c039672f91dd33d70fdbecd7759d0e720d8432bd52

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31122\python3.DLL

Filesize
65KB

MD5
7e07c63636a01df77cd31cfca9a5c745

SHA1
593765bc1729fdca66dd45bbb6ea9fcd882f42a6

SHA256
db84bc052cfb121fe4db36242ba5f1d2c031b600ef5d8d752cf25b7c02b6bac6

SHA512
8c538625be972481c495c7271398993cfe188e2f0a71d38fb51eb18b62467205fe3944def156d0ff09a145670af375d2fc974c6b18313fa275ce6b420decc729

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31122\python311.dll

Filesize
1.6MB

MD5
0d96f5dfd2dd0f495cad36148493c761

SHA1
928107e88bbee02563594374cd6c6ad19091fe14

SHA256
a238f7fb0043c4b64f76095c1ef950544bb1d0debd0902ea0fa3e8d99e5d4a47

SHA512
693c28c64e974ca1fb754357788a65b3a0271e63395963bb92691a5838e1b665af7aada6be5c5ada8339100eedd64c40ca0556601bec26a0f9e483ea98ab2d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31122\select.pyd

Filesize
25KB

MD5
c9333b0c4d756597e1c371b2e1569904

SHA1
a534e81dd4ac847ec4fa82f60d9c78aa3341783c

SHA256
5d9078f3caca928e6f608c69b2c571b3ff82a23de7b4576b5d97fde9b597b807

SHA512
fc1f3ad3021da212140d18954684cd612fbd806c33807c48b65c5a169f84d8af5e1a260c02a942fb13b3114437879275d44fee96252911bd62b6a509abf30c22

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31122\sqlite3.dll

Filesize
644KB

MD5
de8018abd4a261cbb6be7acae32d3b07

SHA1
312a1de08a8d82ed23a3a1184d155d4bdd51d84a

SHA256
1d3b09affe7c5f6d3a5015aa7cb64d9b5df16b3d4b773ac09a1a1494d7413904

SHA512
9fbf011ee00cd3f1e6f44e540c80ac057f9f5a2759c6921f5827b28246af45e0e7466d2b8340b41552d83809273a505336387530d5bb6336e6b1ddbe586841f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31122\unicodedata.pyd

Filesize
295KB

MD5
affa5f396873e571271604ad19f186b1

SHA1
c54dd3b5935a93fbdc68c7ed37af14aba262ec0d

SHA256
0c19d227d0407a58d5d1b75f2e1eeedbb35e9d569f7868ad8c421719431e8c67

SHA512
d6ad17dfd396fab7ccc1499e5b1769caebb98011f7af82f7761a8b9df573effdadf828bf87959bd2e99315d922a81c25901879f142e8476a111d8004e390396d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI31122\yarl\_quoting_c.cp311-win_amd64.pyd

Filesize
40KB

MD5
9a8f969ecdf0c15734c1d582d2ae35d8

SHA1
a40691e81982f610a062e49a5ad29cffb5a2f5a8

SHA256
874e52cceae9a3c967bac7b628f4144c32e51fc77f519542fc1bac19045ecde8

SHA512
e0deb59abef7440f30effb1aab6295b5a50c817f685be30b21a3c453e3099b97fd71984e6ca6a6c6e0021abb6e906838566f402b00a11813e67a4e00b119619f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_zs2h2g4w.q12.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2596-107-0x00007FFF9F340000-0x00007FFF9F45C000-memory.dmp

Filesize
1.1MB

Download
memory/2596-95-0x00007FFFB2F80000-0x00007FFFB2FA4000-memory.dmp

Filesize
144KB

Download
memory/2596-209-0x00007FFFB1F80000-0x00007FFFB1F95000-memory.dmp

Filesize
84KB

Download
memory/2596-197-0x00007FFFAD720000-0x00007FFFADD12000-memory.dmp

Filesize
5.9MB

Download
memory/2596-198-0x00007FFFB2F80000-0x00007FFFB2FA4000-memory.dmp

Filesize
144KB

Download
memory/2596-196-0x00007FFF9E820000-0x00007FFF9EFC1000-memory.dmp

Filesize
7.6MB

Download
memory/2596-190-0x00007FFFB1F80000-0x00007FFFB1F95000-memory.dmp

Filesize
84KB

Download
memory/2596-185-0x00007FFFADFE0000-0x00007FFFADFF2000-memory.dmp

Filesize
72KB

Download
memory/2596-186-0x00007FFFADF70000-0x00007FFFADF92000-memory.dmp

Filesize
136KB

Download
memory/2596-184-0x00000232AA790000-0x00000232AACB9000-memory.dmp

Filesize
5.2MB

Download
memory/2596-181-0x00007FFF9F460000-0x00007FFF9F989000-memory.dmp

Filesize
5.2MB

Download
memory/2596-180-0x00007FFFAE000000-0x00007FFFAE0CD000-memory.dmp

Filesize
820KB

Download
memory/2596-228-0x00007FFFAD720000-0x00007FFFADD12000-memory.dmp

Filesize
5.9MB

Download
memory/2596-245-0x00007FFFADF70000-0x00007FFFADF92000-memory.dmp

Filesize
136KB

Download
memory/2596-240-0x00007FFFB1F80000-0x00007FFFB1F95000-memory.dmp

Filesize
84KB

Download
memory/2596-239-0x00007FFF9F460000-0x00007FFF9F989000-memory.dmp

Filesize
5.2MB

Download
memory/2596-238-0x00007FFFAE000000-0x00007FFFAE0CD000-memory.dmp

Filesize
820KB

Download
memory/2596-237-0x00007FFFAE3B0000-0x00007FFFAE3E3000-memory.dmp

Filesize
204KB

Download
memory/2596-249-0x00007FFFAD720000-0x00007FFFADD12000-memory.dmp

Filesize
5.9MB

Download
memory/2596-177-0x00007FFFB2080000-0x00007FFFB20A3000-memory.dmp

Filesize
140KB

Download
memory/2596-178-0x00007FFFAE3B0000-0x00007FFFAE3E3000-memory.dmp

Filesize
204KB

Download
memory/2596-601-0x00007FFFAA3F0000-0x00007FFFAA426000-memory.dmp

Filesize
216KB

Download
memory/2596-160-0x00007FFFAE0D0000-0x00007FFFAE24E000-memory.dmp

Filesize
1.5MB

Download
memory/2596-161-0x00007FFFAEC20000-0x00007FFFAEC2D000-memory.dmp

Filesize
52KB

Download
memory/2596-75-0x00007FFFB3D20000-0x00007FFFB3D39000-memory.dmp

Filesize
100KB

Download
memory/2596-94-0x00000232AA790000-0x00000232AACB9000-memory.dmp

Filesize
5.2MB

Download
memory/2596-117-0x00007FFFAA3F0000-0x00007FFFAA426000-memory.dmp

Filesize
216KB

Download
memory/2596-115-0x00007FFF9E820000-0x00007FFF9EFC1000-memory.dmp

Filesize
7.6MB

Download
memory/2596-114-0x00007FFFB3D20000-0x00007FFFB3D39000-memory.dmp

Filesize
100KB

Download
memory/2596-104-0x00007FFFADFE0000-0x00007FFFADFF2000-memory.dmp

Filesize
72KB

Download
memory/2596-105-0x00007FFFADFC0000-0x00007FFFADFD4000-memory.dmp

Filesize
80KB

Download
memory/2596-106-0x00007FFFADFA0000-0x00007FFFADFB4000-memory.dmp

Filesize
80KB

Download
memory/2596-108-0x00007FFFADF70000-0x00007FFFADF92000-memory.dmp

Filesize
136KB

Download
memory/2596-109-0x00007FFFB8010000-0x00007FFFB801F000-memory.dmp

Filesize
60KB

Download
memory/2596-110-0x00007FFFB1F80000-0x00007FFFB1F95000-memory.dmp

Filesize
84KB

Download
memory/2596-205-0x00007FFFAE0D0000-0x00007FFFAE24E000-memory.dmp

Filesize
1.5MB

Download
memory/2596-93-0x00007FFF9F460000-0x00007FFF9F989000-memory.dmp

Filesize
5.2MB

Download
memory/2596-87-0x00007FFFAD720000-0x00007FFFADD12000-memory.dmp

Filesize
5.9MB

Download
memory/2596-89-0x00007FFFAE3B0000-0x00007FFFAE3E3000-memory.dmp

Filesize
204KB

Download
memory/2596-90-0x00007FFFAE000000-0x00007FFFAE0CD000-memory.dmp

Filesize
820KB

Download
memory/2596-80-0x00007FFFB2E10000-0x00007FFFB2E29000-memory.dmp

Filesize
100KB

Download
memory/2596-84-0x00007FFFAE0D0000-0x00007FFFAE24E000-memory.dmp

Filesize
1.5MB

Download
memory/2596-85-0x00007FFFB2080000-0x00007FFFB20A3000-memory.dmp

Filesize
140KB

Download
memory/2596-81-0x00007FFFB20B0000-0x00007FFFB20DD000-memory.dmp

Filesize
180KB

Download
memory/2596-77-0x00007FFFB7DA0000-0x00007FFFB7DAD000-memory.dmp

Filesize
52KB

Download
memory/2596-52-0x00007FFFB2F80000-0x00007FFFB2FA4000-memory.dmp

Filesize
144KB

Download
memory/2596-54-0x00007FFFB8010000-0x00007FFFB801F000-memory.dmp

Filesize
60KB

Download
memory/2596-44-0x00007FFFAD720000-0x00007FFFADD12000-memory.dmp

Filesize
5.9MB

Download
memory/2596-583-0x00007FFFB2F80000-0x00007FFFB2FA4000-memory.dmp

Filesize
144KB

Download
memory/2596-588-0x00007FFFB2080000-0x00007FFFB20A3000-memory.dmp

Filesize
140KB

Download
memory/2596-587-0x00007FFFB2E10000-0x00007FFFB2E29000-memory.dmp

Filesize
100KB

Download
memory/2596-586-0x00007FFFB7DA0000-0x00007FFFB7DAD000-memory.dmp

Filesize
52KB

Download
memory/2596-585-0x00007FFFB3D20000-0x00007FFFB3D39000-memory.dmp

Filesize
100KB

Download
memory/2596-584-0x00007FFFB8010000-0x00007FFFB801F000-memory.dmp

Filesize
60KB

Download
memory/2596-582-0x00007FFFB20B0000-0x00007FFFB20DD000-memory.dmp

Filesize
180KB

Download
memory/2596-589-0x00007FFFAE0D0000-0x00007FFFAE24E000-memory.dmp

Filesize
1.5MB

Download
memory/2596-598-0x00007FFFADF70000-0x00007FFFADF92000-memory.dmp

Filesize
136KB

Download
memory/2596-599-0x00007FFF9F460000-0x00007FFF9F989000-memory.dmp

Filesize
5.2MB

Download
memory/2596-597-0x00007FFF9F340000-0x00007FFF9F45C000-memory.dmp

Filesize
1.1MB

Download
memory/2596-596-0x00007FFFADFA0000-0x00007FFFADFB4000-memory.dmp

Filesize
80KB

Download
memory/2596-595-0x00007FFFADFC0000-0x00007FFFADFD4000-memory.dmp

Filesize
80KB

Download
memory/2596-594-0x00007FFFADFE0000-0x00007FFFADFF2000-memory.dmp

Filesize
72KB

Download
memory/2596-593-0x00007FFFB1F80000-0x00007FFFB1F95000-memory.dmp

Filesize
84KB

Download
memory/2596-592-0x00007FFFAE3B0000-0x00007FFFAE3E3000-memory.dmp

Filesize
204KB

Download
memory/2596-591-0x00007FFFAE000000-0x00007FFFAE0CD000-memory.dmp

Filesize
820KB

Download
memory/2596-590-0x00007FFFAD720000-0x00007FFFADD12000-memory.dmp

Filesize
5.9MB

Download
memory/2596-600-0x00007FFF9E820000-0x00007FFF9EFC1000-memory.dmp

Filesize
7.6MB

Download
memory/2596-602-0x00007FFFAEC20000-0x00007FFFAEC2D000-memory.dmp

Filesize
52KB

Download
memory/2872-169-0x000002BAAABA0000-0x000002BAAABC2000-memory.dmp

Filesize
136KB

Download