exelastealer | hxxps://easyupload[.]io/3t99y8

Analysis

max time kernel
53s
max time network
49s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-11-2024 03:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://easyupload.io/3t99y8

Score

10^/10

exelastealer collection defense_evasion discovery evasion persistence phishing privilege_escalation pyinstaller spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

6528 netsh.exe
7112 netsh.exe
A potential corporate email address has been identified in the URL: [email protected]
phishing
Clipboard Data 1 TTPs 2 IoCs
Adversaries may collect data stored in the clipboard from users copying information within or between applications.
collection

Clipboard Data
T1115

Processes:

cmd.exepowershell.exe

pid process

2616 cmd.exe
5968 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

ElectronV3.exeElectronV3.exe

pid process

6672 ElectronV3.exe
7000 ElectronV3.exe

pid	process
6528	netsh.exe
7112	netsh.exe

pid	process
2616	cmd.exe
5968	powershell.exe

pid	process
6672	ElectronV3.exe
7000	ElectronV3.exe

Loads dropped DLL 33 IoCs

Processes:

ElectronV3.exe

pid	process
7000	ElectronV3.exe
7000	ElectronV3.exe
7000	ElectronV3.exe
7000	ElectronV3.exe
7000	ElectronV3.exe
7000	ElectronV3.exe
7000	ElectronV3.exe
7000	ElectronV3.exe
7000	ElectronV3.exe
7000	ElectronV3.exe
7000	ElectronV3.exe
7000	ElectronV3.exe
7000	ElectronV3.exe
7000	ElectronV3.exe
7000	ElectronV3.exe
7000	ElectronV3.exe
7000	ElectronV3.exe
7000	ElectronV3.exe
7000	ElectronV3.exe
7000	ElectronV3.exe
7000	ElectronV3.exe
7000	ElectronV3.exe
7000	ElectronV3.exe
7000	ElectronV3.exe
7000	ElectronV3.exe
7000	ElectronV3.exe
7000	ElectronV3.exe
7000	ElectronV3.exe
7000	ElectronV3.exe
7000	ElectronV3.exe
7000	ElectronV3.exe
7000	ElectronV3.exe
7000	ElectronV3.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

387 ip-api.com
Network Service Discovery 1 TTPs 2 IoCs
Attempt to gather information on host's network.
discovery

Network Service Discovery
T1046

Processes:

cmd.exeARP.EXE

pid process

5564 cmd.exe
3704 ARP.EXE
Enumerates processes with tasklist 1 TTPs 5 IoCs
discovery

Process Discovery
T1057

Processes:

tasklist.exetasklist.exetasklist.exetasklist.exetasklist.exe

pid process

6800 tasklist.exe
6536 tasklist.exe
6332 tasklist.exe
5960 tasklist.exe
6936 tasklist.exe
Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs
defense_evasion

Hidden Files and Directories
T1564.001

Processes:

cmd.exe

pid process

1376 cmd.exe

flow	ioc
387	ip-api.com

pid	process
5564	cmd.exe
3704	ARP.EXE

pid	process
6800	tasklist.exe
6536	tasklist.exe
6332	tasklist.exe
5960	tasklist.exe
6936	tasklist.exe

pid	process
1376	cmd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI66722\python310.dll	upx
behavioral1/memory/7000-360-0x00007FF98FF20000-0x00007FF990385000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI66722\_ctypes.pyd	upx
behavioral1/memory/7000-368-0x00007FF9A44D0000-0x00007FF9A44F4000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI66722\libffi-7.dll	upx
behavioral1/memory/7000-390-0x00007FF9A4DC0000-0x00007FF9A4DCF000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI66722\_uuid.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI66722\_ssl.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI66722\_sqlite3.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI66722\_socket.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI66722\_queue.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI66722\_overlapped.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI66722\_multiprocessing.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI66722\_lzma.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI66722\_hashlib.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI66722\_decimal.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI66722\_cffi_backend.cp310-win_amd64.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI66722\_bz2.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI66722\_brotli.cp310-win_amd64.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI66722\_asyncio.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI66722\unicodedata.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI66722\sqlite3.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI66722\select.pyd	upx
behavioral1/memory/7000-392-0x00007FF9A44B0000-0x00007FF9A44C9000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\_MEI66722\pyexpat.pyd	upx
C:\Users\Admin\AppData\Local\Temp\_MEI66722\libssl-1_1.dll	upx
C:\Users\Admin\AppData\Local\Temp\_MEI66722\libcrypto-1_1.dll	upx
behavioral1/memory/7000-394-0x00007FF9A4BD0000-0x00007FF9A4BDD000-memory.dmp	upx
behavioral1/memory/7000-396-0x00007FF9A1210000-0x00007FF9A1229000-memory.dmp	upx
behavioral1/memory/7000-398-0x00007FF996100000-0x00007FF99612C000-memory.dmp	upx
behavioral1/memory/7000-399-0x00007FF9960E0000-0x00007FF9960FE000-memory.dmp	upx
behavioral1/memory/7000-400-0x00007FF990790000-0x00007FF9908FD000-memory.dmp	upx
behavioral1/memory/7000-401-0x00007FF98FF20000-0x00007FF990385000-memory.dmp	upx
behavioral1/memory/7000-402-0x00007FF9960B0000-0x00007FF9960DE000-memory.dmp	upx
behavioral1/memory/7000-403-0x00007FF98FBA0000-0x00007FF98FF14000-memory.dmp	upx
behavioral1/memory/7000-404-0x00007FF991CF0000-0x00007FF991DA6000-memory.dmp	upx
behavioral1/memory/7000-407-0x00007FF996090000-0x00007FF9960A4000-memory.dmp	upx
behavioral1/memory/7000-406-0x00007FF9A44D0000-0x00007FF9A44F4000-memory.dmp	upx
behavioral1/memory/7000-410-0x00007FF9A44B0000-0x00007FF9A44C9000-memory.dmp	upx
behavioral1/memory/7000-411-0x00007FF996050000-0x00007FF996065000-memory.dmp	upx
behavioral1/memory/7000-409-0x00007FF996070000-0x00007FF996084000-memory.dmp	upx
behavioral1/memory/7000-408-0x00007FF9A44A0000-0x00007FF9A44B0000-memory.dmp	upx
behavioral1/memory/7000-412-0x00007FF990670000-0x00007FF990788000-memory.dmp	upx
behavioral1/memory/7000-414-0x00007FF996030000-0x00007FF996047000-memory.dmp	upx
behavioral1/memory/7000-413-0x00007FF996100000-0x00007FF99612C000-memory.dmp	upx
behavioral1/memory/7000-415-0x00007FF9960E0000-0x00007FF9960FE000-memory.dmp	upx
behavioral1/memory/7000-417-0x00007FF991E00000-0x00007FF991E22000-memory.dmp	upx
behavioral1/memory/7000-416-0x00007FF990790000-0x00007FF9908FD000-memory.dmp	upx
behavioral1/memory/7000-418-0x00007FF996010000-0x00007FF996027000-memory.dmp	upx
behavioral1/memory/7000-421-0x00007FF9905A0000-0x00007FF99066F000-memory.dmp	upx
behavioral1/memory/7000-420-0x00007FF9960B0000-0x00007FF9960DE000-memory.dmp	upx
behavioral1/memory/7000-429-0x00007FF996090000-0x00007FF9960A4000-memory.dmp	upx
behavioral1/memory/7000-425-0x00007FF990550000-0x00007FF99059D000-memory.dmp	upx
behavioral1/memory/7000-424-0x00007FF992EA0000-0x00007FF992EB9000-memory.dmp	upx
behavioral1/memory/7000-430-0x00007FF98CC70000-0x00007FF98D40A000-memory.dmp	upx
behavioral1/memory/7000-428-0x00007FF991DE0000-0x00007FF991DF1000-memory.dmp	upx
behavioral1/memory/7000-427-0x00007FF990530000-0x00007FF99054E000-memory.dmp	upx
behavioral1/memory/7000-426-0x00007FF9A4470000-0x00007FF9A447A000-memory.dmp	upx
behavioral1/memory/7000-422-0x00007FF991CF0000-0x00007FF991DA6000-memory.dmp	upx
behavioral1/memory/7000-419-0x00007FF98FBA0000-0x00007FF98FF14000-memory.dmp	upx
behavioral1/memory/7000-431-0x00007FF98FB60000-0x00007FF98FB97000-memory.dmp	upx
behavioral1/memory/7000-444-0x00007FF996050000-0x00007FF996065000-memory.dmp	upx
behavioral1/memory/7000-448-0x00007FF990670000-0x00007FF990788000-memory.dmp	upx
behavioral1/memory/7000-461-0x00007FF996030000-0x00007FF996047000-memory.dmp	upx

Launches sc.exe 1 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exe

pid process

6572 sc.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

pid	process
6572	sc.exe

Detects Pyinstaller 1 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\Downloads\ElectronV3\ElectronV3.exe	pyinstaller

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001
System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs
Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.
discovery

Wi-Fi Discovery
T1016.002

Processes:

cmd.exenetsh.exe

pid process

5584 cmd.exe
5416 netsh.exe
System Network Connections Discovery 1 TTPs 1 IoCs
Attempt to get a listing of network connections.
discovery

System Network Connections Discovery
T1049

Processes:

NETSTAT.EXE

pid process

6540 NETSTAT.EXE
Collects information from the system 1 TTPs 1 IoCs
Uses WMIC.exe to find detailed system information.

Data from Local System
T1005

Processes:

WMIC.exe

pid process

6152 WMIC.exe
Detects videocard installed 1 TTPs 1 IoCs
Uses WMIC.exe to determine videocard installed.

System Information Discovery
T1082

Processes:

WMIC.exe

pid process

6644 WMIC.exe

pid	process
5584	cmd.exe
5416	netsh.exe

pid	process
6540	NETSTAT.EXE

pid	process
6152	WMIC.exe

pid	process
6644	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

NETSTAT.EXEipconfig.exe

pid process

6540 NETSTAT.EXE
6648 ipconfig.exe
Gathers system information 1 TTPs 1 IoCs
Runs systeminfo.exe.

System Information Discovery
T1082

Processes:

systeminfo.exe

pid process

4708 systeminfo.exe

pid	process
6540	NETSTAT.EXE
6648	ipconfig.exe

pid	process
4708	systeminfo.exe

Kills process with taskkill 22 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
6812	taskkill.exe
7140	taskkill.exe
5816	taskkill.exe
3936	taskkill.exe
6784	taskkill.exe
6516	taskkill.exe
1576	taskkill.exe
1836	taskkill.exe
6004	taskkill.exe
4572	taskkill.exe
6572	taskkill.exe
1128	taskkill.exe
2028	taskkill.exe
4316	taskkill.exe
6860	taskkill.exe
3100	taskkill.exe
1952	taskkill.exe
6956	taskkill.exe
7092	taskkill.exe
6808	taskkill.exe
2928	taskkill.exe
6964	taskkill.exe

Modifies registry class 2 IoCs

Processes:

msedge.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2045521122-590294423-3465680274-1000\{07E9E4E9-2431-47CD-90BC-CDA074099F2A}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	msedge.exe

Runs net.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exeschtasks.exe

pid process

4448 schtasks.exe
5412 schtasks.exe

pid	process
4448	schtasks.exe
5412	schtasks.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exepowershell.exe

pid	process
4404	msedge.exe
4404	msedge.exe
5048	msedge.exe
5048	msedge.exe
2844	identity_helper.exe
2844	identity_helper.exe
6032	msedge.exe
6032	msedge.exe
5372	msedge.exe
5372	msedge.exe
5968	powershell.exe
5968	powershell.exe
5968	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

Processes:

msedge.exe

pid	process
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

7zG.exeWMIC.exeWMIC.exetasklist.exe

description	pid	process
Token: SeRestorePrivilege	6456	7zG.exe
Token: 35	6456	7zG.exe
Token: SeSecurityPrivilege	6456	7zG.exe
Token: SeSecurityPrivilege	6456	7zG.exe
Token: SeIncreaseQuotaPrivilege	6644	WMIC.exe
Token: SeSecurityPrivilege	6644	WMIC.exe
Token: SeTakeOwnershipPrivilege	6644	WMIC.exe
Token: SeLoadDriverPrivilege	6644	WMIC.exe
Token: SeSystemProfilePrivilege	6644	WMIC.exe
Token: SeSystemtimePrivilege	6644	WMIC.exe
Token: SeProfSingleProcessPrivilege	6644	WMIC.exe
Token: SeIncBasePriorityPrivilege	6644	WMIC.exe
Token: SeCreatePagefilePrivilege	6644	WMIC.exe
Token: SeBackupPrivilege	6644	WMIC.exe
Token: SeRestorePrivilege	6644	WMIC.exe
Token: SeShutdownPrivilege	6644	WMIC.exe
Token: SeDebugPrivilege	6644	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6644	WMIC.exe
Token: SeRemoteShutdownPrivilege	6644	WMIC.exe
Token: SeUndockPrivilege	6644	WMIC.exe
Token: SeManageVolumePrivilege	6644	WMIC.exe
Token: 33	6644	WMIC.exe
Token: 34	6644	WMIC.exe
Token: 35	6644	WMIC.exe
Token: 36	6644	WMIC.exe
Token: SeIncreaseQuotaPrivilege	6864	WMIC.exe
Token: SeSecurityPrivilege	6864	WMIC.exe
Token: SeTakeOwnershipPrivilege	6864	WMIC.exe
Token: SeLoadDriverPrivilege	6864	WMIC.exe
Token: SeSystemProfilePrivilege	6864	WMIC.exe
Token: SeSystemtimePrivilege	6864	WMIC.exe
Token: SeProfSingleProcessPrivilege	6864	WMIC.exe
Token: SeIncBasePriorityPrivilege	6864	WMIC.exe
Token: SeCreatePagefilePrivilege	6864	WMIC.exe
Token: SeBackupPrivilege	6864	WMIC.exe
Token: SeRestorePrivilege	6864	WMIC.exe
Token: SeShutdownPrivilege	6864	WMIC.exe
Token: SeDebugPrivilege	6864	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6864	WMIC.exe
Token: SeRemoteShutdownPrivilege	6864	WMIC.exe
Token: SeUndockPrivilege	6864	WMIC.exe
Token: SeManageVolumePrivilege	6864	WMIC.exe
Token: 33	6864	WMIC.exe
Token: 34	6864	WMIC.exe
Token: 35	6864	WMIC.exe
Token: 36	6864	WMIC.exe
Token: SeDebugPrivilege	6800	tasklist.exe
Token: SeIncreaseQuotaPrivilege	6644	WMIC.exe
Token: SeSecurityPrivilege	6644	WMIC.exe
Token: SeTakeOwnershipPrivilege	6644	WMIC.exe
Token: SeLoadDriverPrivilege	6644	WMIC.exe
Token: SeSystemProfilePrivilege	6644	WMIC.exe
Token: SeSystemtimePrivilege	6644	WMIC.exe
Token: SeProfSingleProcessPrivilege	6644	WMIC.exe
Token: SeIncBasePriorityPrivilege	6644	WMIC.exe
Token: SeCreatePagefilePrivilege	6644	WMIC.exe
Token: SeBackupPrivilege	6644	WMIC.exe
Token: SeRestorePrivilege	6644	WMIC.exe
Token: SeShutdownPrivilege	6644	WMIC.exe
Token: SeDebugPrivilege	6644	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6644	WMIC.exe
Token: SeRemoteShutdownPrivilege	6644	WMIC.exe
Token: SeUndockPrivilege	6644	WMIC.exe
Token: SeManageVolumePrivilege	6644	WMIC.exe

Suspicious use of FindShellTrayWindow 38 IoCs

Processes:

msedge.exe7zG.exe

pid	process
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
6456	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe
5048	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 5048 wrote to memory of 2120	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2120	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 2112	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 4404	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 4404	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 3984	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 3984	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 3984	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 3984	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 3984	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 3984	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 3984	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 3984	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 3984	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 3984	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 3984	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 3984	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 3984	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 3984	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 3984	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 3984	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 3984	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 3984	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 3984	5048	msedge.exe	msedge.exe
PID 5048 wrote to memory of 3984	5048	msedge.exe	msedge.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

7112 attrib.exe

pid	process
7112	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://easyupload.io/3t99y8
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a4b946f8,0x7ff9a4b94708,0x7ff9a4b94718
  2⤵
  PID:2120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,5232917490216586565,10383204963765589801,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,5232917490216586565,10383204963765589801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2488 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,5232917490216586565,10383204963765589801,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5232917490216586565,10383204963765589801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5232917490216586565,10383204963765589801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5232917490216586565,10383204963765589801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
  2⤵
  PID:4060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5232917490216586565,10383204963765589801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:2888
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,5232917490216586565,10383204963765589801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 /prefetch:8
  2⤵
  PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2104,5232917490216586565,10383204963765589801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5232917490216586565,10383204963765589801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
  2⤵
  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5232917490216586565,10383204963765589801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5876 /prefetch:1
  2⤵
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5232917490216586565,10383204963765589801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
  2⤵
  PID:5176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5232917490216586565,10383204963765589801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  2⤵
  PID:5264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5232917490216586565,10383204963765589801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7100 /prefetch:1
  2⤵
  PID:5472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5232917490216586565,10383204963765589801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6472 /prefetch:1
  2⤵
  PID:5776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2104,5232917490216586565,10383204963765589801,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6028 /prefetch:8
  2⤵
  PID:5972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5232917490216586565,10383204963765589801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  2⤵
  PID:5980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2104,5232917490216586565,10383204963765589801,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7460 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5232917490216586565,10383204963765589801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7500 /prefetch:1
  2⤵
  PID:6076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5232917490216586565,10383204963765589801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7720 /prefetch:1
  2⤵
  PID:5536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2104,5232917490216586565,10383204963765589801,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=7648 /prefetch:8
  2⤵
  PID:5396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2104,5232917490216586565,10383204963765589801,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=7660 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:5372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5232917490216586565,10383204963765589801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8236 /prefetch:1
  2⤵
  PID:1828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5232917490216586565,10383204963765589801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8008 /prefetch:1
  2⤵
  PID:5732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,5232917490216586565,10383204963765589801,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8376 /prefetch:1
  2⤵
  PID:5864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3460

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2568

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap16275:82:7zEvent738
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6456

C:\Users\Admin\Downloads\ElectronV3\ElectronV3.exe
"C:\Users\Admin\Downloads\ElectronV3\ElectronV3.exe"
1⤵
- Executes dropped EXE
PID:6672
- C:\Users\Admin\Downloads\ElectronV3\ElectronV3.exe
  "C:\Users\Admin\Downloads\ElectronV3\ElectronV3.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:7000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:6100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:6384
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:6644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    PID:6400
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:6864
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:6480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:6476
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:6800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    PID:6904
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      PID:6936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:6984
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:6520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:6996
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:6536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    PID:1376
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Views/modifies file attributes
      PID:7112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "schtasks /query /TN "ExelaUpdateService""
    3⤵
    PID:7136
  - - C:\Windows\system32\schtasks.exe
      schtasks /query /TN "ExelaUpdateService"
      4⤵
      PID:6184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc onlogon /rl highest /tn "ExelaUpdateService" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    PID:7128
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "ExelaUpdateService" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:4448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc hourly /mo 1 /rl highest /tn "ExelaUpdateService2" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    PID:4520
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc hourly /mo 1 /rl highest /tn "ExelaUpdateService2" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5412
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    PID:6124
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:1600
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    PID:6212
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:6332
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5048"
    3⤵
    PID:6840
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5048
      4⤵
      Kills process with taskkill
      PID:6784
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2120"
    3⤵
    PID:6896
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2120
      4⤵
      Kills process with taskkill
      PID:6956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2112"
    3⤵
    PID:6932
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2112
      4⤵
      Kills process with taskkill
      PID:6812
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4404"
    3⤵
    PID:6976
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4404
      4⤵
      Kills process with taskkill
      PID:6516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3984"
    3⤵
    PID:6528
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3984
      4⤵
      Kills process with taskkill
      PID:6572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1576"
    3⤵
    PID:5080
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1576
      4⤵
      Kills process with taskkill
      PID:7092
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4400"
    3⤵
    PID:7096
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4400
      4⤵
      Kills process with taskkill
      PID:1128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4060"
    3⤵
    PID:6184
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4060
      4⤵
      Kills process with taskkill
      PID:7140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2888"
    3⤵
    PID:5908
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 2888
      4⤵
      Kills process with taskkill
      PID:2028
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4264"
    3⤵
    PID:4904
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 4264
      4⤵
      Kills process with taskkill
      PID:6808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3444"
    3⤵
    PID:3560
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 3444
      4⤵
      Kills process with taskkill
      PID:4316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5176"
    3⤵
    PID:4892
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5176
      4⤵
      Kills process with taskkill
      PID:6860
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5264"
    3⤵
    PID:2776
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5264
      4⤵
      Kills process with taskkill
      PID:4572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5472"
    3⤵
    PID:6236
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5472
      4⤵
      Kills process with taskkill
      PID:1576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5776"
    3⤵
    PID:5084
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5776
      4⤵
      Kills process with taskkill
      PID:5816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5972"
    3⤵
    PID:5800
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5972
      4⤵
      Kills process with taskkill
      PID:2928
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5980"
    3⤵
    PID:2612
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5980
      4⤵
      Kills process with taskkill
      PID:6964
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5536"
    3⤵
    PID:6848
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5536
      4⤵
      Kills process with taskkill
      PID:1836
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5396"
    3⤵
    PID:404
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5396
      4⤵
      Kills process with taskkill
      PID:6004
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1828"
    3⤵
    PID:3756
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1828
      4⤵
      Kills process with taskkill
      PID:3100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5732"
    3⤵
    PID:5112
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5732
      4⤵
      Kills process with taskkill
      PID:3936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5864"
    3⤵
    PID:1944
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 5864
      4⤵
      Kills process with taskkill
      PID:1952
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:1936
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:5944
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:6056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:6168
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:6044
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:6428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:6176
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:5960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:2616
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:5968
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    PID:5564
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:4708
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:5252
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      PID:6152
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:3536
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:5484
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:4344
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:4180
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:6424
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:5180
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:5420
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:5332
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:5348
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:1828
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:6472
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:6844
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:6804
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:6936
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:6648
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:6476
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:3704
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:6540
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:6572
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:6528
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:7112
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:5584
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:5416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
328B

MD5
59ab477d80fa849789a9d566f27cc275

SHA1
330d64d3f7472b8923c6bbacaf1770523bd70a46

SHA256
c2695ca505b0d13b32662d37eb8c0c08f287ea21e1eb6a1109cbb6e281d9fe70

SHA512
7c43a5b9afe8caf348163086a67096853bbbfa176fe24c857a141d70ab5676d37ed6c9a4e32e1d5d2136923324c5da59974c1366f72a597e56a824102df092ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
74043fb4e92aea8de938dfe8794f4e3f

SHA1
916fd37500dabc5c3f4fda0b4173e9abfc4a3152

SHA256
7c73793f7e35d89ca64450ffcd34867980efc1f964edd448e7f9c7e6ea4ef7e7

SHA512
af008d1d1c83a2734996371388c39fa4efeae30fdcd5f7a4ee2498e0d39cc6b35ff7b0b6b7e92b8a5a30991203827a9c5990c14287280e062fe18867ea4179f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a7bdc751c0d72737a34ec5484f924d50

SHA1
0cc7746513985813ece69a034fb8e824813554d9

SHA256
a61ec4a7df18eced1e84ce81e3a2dba8b9f12d918829958ce726c7c0446f064c

SHA512
ce54665eddaa5ebffc8b1eea7c25e92d2f078c96500302a532dedfb7a196c1a85848065fc62e3142ec01f15b91c80014e64583574d8c11ab3f5639323ce0e3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
11KB

MD5
ab15c46c1b0fda2aac7d8129a18a359b

SHA1
78197b325f8c4460451d4338e64082f79d8e1360

SHA256
ab9cdbf49cfef54a238b7f24ab5f6cc740d6c9066d71499e336cf39d33dc577a

SHA512
859f7abf981af1d9523312e043d3c2f2ca4553648967dad7b6428b689fc860d31d7fcaad4df240cb0e90e9441855d325c9c1e94d90e3e21ea7b1e87b530129bc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
b4c42fd4759b6c56539a6f4d92fe22dc

SHA1
608c13a9968b4d20d4bad58d31205ecf91fcedc6

SHA256
9c10b99831d64672b186d5962c98bd5c3344e5924f2b87cdc923d138a7c66f11

SHA512
2586f2191f0419a4d7b1f8403533238ef91edc14d2261cca6f42b67eb63cfa5c2abe37db11051203d1c7de088898bc463d1c266793c3f958136d6431b47e306e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
cf63bbb3058342893fe9021727982377

SHA1
bc4e0941a9b91b2ee4d1053d0e4d6044ea84a8b9

SHA256
57eb4f14484abcec282bf99d7752cc9c59c335e0c92002313eb1929b2c2cf794

SHA512
45cb74f8c30bee5ad36d5401d4d4f0b60afd689f6b7dbc29d5262fcd0791a51bab90671d1e1d75576e20051fc85ebc8a250e9dde1a9c943a6a609e25328b0a2c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581bef.TMP

Filesize
3KB

MD5
ce77178ba03a682015dd4b52e218f01c

SHA1
f12053bbb9a7fbbf98c5aaf83ecaa19fe2715965

SHA256
b1cb16c906287ead61f1800a0361c852c9d298c3eb29d7ba2acecedec5b7b324

SHA512
93f9f1be76e1585310506f0c3784c46a25086d8c361ff60ad980d258b4ddeff84352fc23055685a1e8757d2c9db7eff7c7f117697ff414f69dd3881d846b26d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
730cdaad390cb5bd5e2761163db0f004

SHA1
a6dbbec28f8c1226c77c587c9063cb8675060ec8

SHA256
3103f64958ecc9a622db45f14467757b657275306167d158300c1adafd4dc234

SHA512
8904253358746322397ca9d0ed5835a7dc03ea5fc7d53991551fa40d70909ab471edea6ba0af8a8b8c976154951c67b7752261af7c580f0dc8623572fb9a20a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4f5b2cca1786caf5b40d71d6f53f8415

SHA1
5d21546c78e6aec937cf990d160d0684b5414c39

SHA256
1cc5c00da03f8fc7e33e3f2e6f67786258179536e47da44c8cc7d5fb080085df

SHA512
49f31054f4ccbb9f15c8d74174901a5bb235e121361dd0d9ba0adda1564d2864c78850aac91ddc4dab3d46236bbc8b55cf8ab8390a919ab6a80acd0f8a7f1e35

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI66722\VCRUNTIME140.dll

Filesize
94KB

MD5
11d9ac94e8cb17bd23dea89f8e757f18

SHA1
d4fb80a512486821ad320c4fd67abcae63005158

SHA256
e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e

SHA512
aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI66722\_asyncio.pyd

Filesize
31KB

MD5
480d3f4496e16d54bb5313d206164134

SHA1
3db3a9f21be88e0b759855bf4f937d0bbfdf1734

SHA256
568fb5c3d9b170ce1081ad12818b9a12f44ab1577449425a3ef30c2efbee613d

SHA512
8e887e8de9c31dbb6d0a85b4d6d4157e917707e63ce5f119bb4b03cb28d41af90d087e3843f3a4c2509bca70cdac3941e00b8a5144ade8532a97166a5d0a7bd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI66722\_brotli.cp310-win_amd64.pyd

Filesize
274KB

MD5
94c13e0636646019a4c7d405c2d919df

SHA1
8ed8519e9b310f59e5b40f3c8fb675791cae09f9

SHA256
10517c02bb69dafd60053152e65d00c02e24952f63ca230af807ec6b2053f2a6

SHA512
82fba52c4db4206f7a1ebb1a3ebf12fc60f3deff4763fd5a059b00f46aa7513279da994a815a0883ce3301c3cdd1d20923db21b926c43b2ee732c28852979945

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI66722\_bz2.pyd

Filesize
43KB

MD5
39b487c3e69816bd473e93653dbd9b7f

SHA1
bdce6fde092a3f421193ddb65df893c40542a4e2

SHA256
a1629c455be2cf55e36021704716f4b16a96330fe993aae9e818f67c4026fcdc

SHA512
7543c1555e8897d15c952b89427e7d06c32e250223e85fafae570f8a0fa13c39fb6fc322d043324a31b2f2f08d2f36e0da59dfd741d09c035d0429173b6badc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI66722\_cffi_backend.cp310-win_amd64.pyd

Filesize
71KB

MD5
7727212e7bdbf63b1a39fb7faad24265

SHA1
a8fdec19d6690081b2bf55247e8e17657a68ac97

SHA256
b0116303e1e903d6eb02a69d05879f38af1640813f4b110cb733ffff6e4e985c

SHA512
2b1a27642118dd228791d0d8ba307aa39ab2d9c7d3799cff9f3c0744fe270eeaefe5545a4fda6e74e86fee747e45bf5f6c9ac799950c2b483a16eb3ce85d816a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI66722\_ctypes.pyd

Filesize
53KB

MD5
b1f12f4bfc0bd49a6646a0786bc5bc00

SHA1
acb7d8c665bb8ca93e5f21e178870e3d141d7cbc

SHA256
1fe61645ed626fc1dec56b2e90e8e551066a7ff86edbd67b41cb92211358f3d7

SHA512
a3fb041bd122638873c395b95f1a541007123f271572a8a988c9d01d2b2d7bb20d70e1d97fc3abffd28cb704990b41d8984974c344faea98dd0c6b07472b5731

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI66722\_decimal.pyd

Filesize
101KB

MD5
b7f498da5aec35140a6d928a8f792911

SHA1
95ab794a2d4cb8074a23d84b10cd62f7d12a4cd0

SHA256
b15f0dc3ce6955336162c9428077dcedfa1c52e60296251521819f3239c26ee8

SHA512
5fcb2d5325a6a4b7aff047091957ba7f13de548c5330f0149682d44140ac0af06837465871c598db71830fd3b2958220f80ae8744ef16fdb7336b3d6a5039e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI66722\_hashlib.pyd

Filesize
30KB

MD5
31dfa2caaee02cc38adf4897b192d6d1

SHA1
9be57a9bad1cb420675f5b9e04c48b76d18f4a19

SHA256
dc045ac7d4bde60b0f122d307fcd2bbaf5e1261a280c4fb67cfc43de5c0c2a0f

SHA512
3e58c083e1e3201a9fbbf6a4fcbc2b0273cf22badabab8701b10b3f8fdd20b11758cdcfead557420393948434e340aad751a4c7aa740097ab29d1773ea3a0100

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI66722\_lzma.pyd

Filesize
81KB

MD5
95badb08cd77e563c9753fadc39a34dd

SHA1
b3c3dfe64e89b5e7afb5f064bbf9d8d458f626a0

SHA256
5545627b465d780b6107680922ef44144a22939dd406deae44858b79747e301a

SHA512
eb36934b73f36ba2162e75f0866435f57088777dc40379f766366c26d40f185de5be3da55d17f5b82cb498025d8d90bc16152900502eb7f5de88bbef84ace2cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI66722\_multiprocessing.pyd

Filesize
22KB

MD5
28f6fcc0b7bb10a45ff1370c9e1b9561

SHA1
c7669f406b5ec2306a402e872dec17380219907a

SHA256
6dd33d49554ee61490725ea2c9129c15544791ab7a65fb523cc9b4f88d38744b

SHA512
2aef40344e80c3518afc07bf6ad4c96c4fff44434f8307e2efa544290d59504d7b014d7ea94af0377e342a632d6c4c74bfdf16d26f92ccc7062be618ea4dbee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI66722\_overlapped.pyd

Filesize
27KB

MD5
745706ab482fe9c9f92383292f121072

SHA1
439f00978795d0845aceaf007fd76ff5947567fd

SHA256
4d98e7d1b74bd209f8c66e1a276f60b470f6a5d6f519f76a91eb75be157a903d

SHA512
52fe3dfc45c380dfb1d9b6e453bdffcd92d57ad7b7312d0b9a86a76d437c512a17da33822f8e81760710d8ff4fd6a4b702d2abfffc600c9350d4d463451d38d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI66722\_queue.pyd

Filesize
21KB

MD5
18b8b2b0aefcee9527299c464b7f6d3d

SHA1
a565216faee2534bbda5b3f65aeb2eef5fd9bcda

SHA256
6f334fa1474116dd499a125f3b5ca4cd698039446faf50340f9a3f7af3adb8c2

SHA512
0b56e9d89f4dd3da830954b6561c49c06775854e0b27bc2b07ea8e9c79829d66dae186b95209c8c4cc7c3a7ba6b03cdf134b2e0036cea929e61d755d4709abcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI66722\_socket.pyd

Filesize
38KB

MD5
f675cf3cdd836cacfab9c89ab9f97108

SHA1
3e077bf518f7a4cb30ea4607338cff025d4d476e

SHA256
bb82a23d8dc6bf4c9aeb91d3f3bef069276ae3b14eeca100b988b85dd21e2dd3

SHA512
e2344b5f59bd0fad3570977edf0505aa2e05618e66d07c9f93b163fc151c4e1d6fbc0e25b7c989505c1270f8cd4840c6120a73a7ad64591ee3c4fb282375465e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI66722\_sqlite3.pyd

Filesize
45KB

MD5
1dbec8753e5cd062cd71a8bb294f28f9

SHA1
c32e9b577f588408a732047863e04a1db6ca231e

SHA256
6d95d41a36b5c9e3a895eff91149978aa383b6a8617d542accef2080737c3cad

SHA512
a1c95dbb1a9e2ffbcc9422f53780b35fbc77cb56ac3562afb8753161a233e5efa8da8ad67f5bde5a094beb8331d9dab5c3d5e673a8d09fd6d0383a8a6ffda087

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI66722\_ssl.pyd

Filesize
57KB

MD5
2edf5c4e534a45966a68033e7395f40d

SHA1
478ef27474eec0fd966d1663d2397e8fb47fec17

SHA256
7abc2b326f5b7c3011827eb7a5a4d896cc6b2619246826519b3f57d2bb99d3bd

SHA512
f83b698cfe702a15eb0267f254c593b90fa155ad2aefe75e5ba0ee5d4f38976882796cba2a027b42a910f244360177ac809891d505b3d0ae9276156b64850b6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI66722\_uuid.pyd

Filesize
18KB

MD5
b3e7fc44f12d2db5bad6922e0b1d927f

SHA1
3fe8ef4b6fb0bc590a1c0c0f5710453e8e340f8f

SHA256
6b93290a74fb288489405044a7dee7cca7c25fa854be9112427930dd739ebace

SHA512
a0465a38aaac2d501e9a12a67d5d71c9eeeb425f535c473fc27ac13c2bb307641cc3cef540472f916e341d7bada80a84b99d78850d94c95ee14139f8540d0c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI66722\base_library.zip

Filesize
858KB

MD5
d93f75d14e170056007e6dd1398ef121

SHA1
cd969062dbdb1ee74e3fba8adde46e91aab99e5d

SHA256
bcbbc49bb65a6c6a7dcf5b9063147880b25424ef8a40457141e02b0c07d5b1f7

SHA512
984a3b4706b231d7947233304fdb842f9b3f06a58ed7a2c26143eb5d9a12b7c827f65b7290ceff62c0234c41e476047a45a558ab22231673f3d4b14225406da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI66722\libcrypto-1_1.dll

Filesize
1.1MB

MD5
700f32459dca0f54c982cd1c1ddd6b8b

SHA1
2538711c091ac3f572cb0f13539a68df0f228f28

SHA256
1de22bd1a0154d49f48b3fab94fb1fb1abd8bfed37d18e79a86ecd7cdab893c9

SHA512
99de1f5cb78c83fc6af0a475fb556f1ac58a1ba734efc69d507bf5dc1b0535a401d901324be845d7a59db021f8967cf33a7b105b2ddcb2e02a39dc0311e7c36d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI66722\libffi-7.dll

Filesize
23KB

MD5
d50ebf567149ead9d88933561cb87d09

SHA1
171df40e4187ebbfdf9aa1d76a33f769fb8a35ed

SHA256
6aa8e12ce7c8ad52dd2e3fabeb38a726447849669c084ea63d8e322a193033af

SHA512
7bcc9d6d3a097333e1e4b2b23c81ea1b5db7dbdc5d9d62ebaffb0fdfb6cfe86161520ac14dc835d1939be22b9f342531f48da70f765a60b8e2c3d7b9983021de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI66722\libssl-1_1.dll

Filesize
198KB

MD5
45498cefc9ead03a63c2822581cd11c6

SHA1
f96b6373237317e606b3715705a71db47e2cafad

SHA256
a84174a00dc98c98240ad5ee16c35e6ef932cebd5b8048ff418d3dd80f20deca

SHA512
4d3d8d33e7f3c2bf1cad3afbfba6ba53852d1314713ad60eeae1d51cc299a52b73da2c629273f9e0b7983ca01544c3645451cfa247911af4f81ca88a82cf6a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI66722\pyexpat.pyd

Filesize
81KB

MD5
b4cf065f5e5b7a5bc2dd2b2e09bea305

SHA1
d289a500ffd399053767ee7339e48c161655b532

SHA256
9b5f407a2a1feaa76c6d3058a2f04c023b1c50b31d417bbfee69024098e4938b

SHA512
ddd9e216b11152d6a50481e06bb409335d36ce7fe63072aa0c7789c541593f2d7e8b4373be67a018c59f5e418e5a39a3ad729b732f11fa253f6275a64e125989

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI66722\python3.DLL

Filesize
60KB

MD5
a5471f05fd616b0f8e582211ea470a15

SHA1
cb5f8bf048dc4fc58f80bdfd2e04570dbef4730e

SHA256
8d5e09791b8b251676e16bdd66a7118d88b10b66ad80a87d5897fadbefb91790

SHA512
e87d06778201615b129dcf4e8b4059399128276eb87102b5c3a64b6e92714f6b0d5bde5df4413cc1b66d33a77d7a3912eaa1035f73565dbfd62280d09d46abff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI66722\python310.dll

Filesize
1.4MB

MD5
90d5b8ba675bbb23f01048712813c746

SHA1
f2906160f9fc2fa719fea7d37e145156742ea8a7

SHA256
3a7d497d779ff13082835834a1512b0c11185dd499ab86be830858e7f8aaeb3e

SHA512
872c2bf56c3fe180d9b4fb835a92e1dc188822e9d9183aab34b305408bb82fba1ead04711e8ad2bef1534e86cd49f2445d728851206d7899c1a7a83e5a62058e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI66722\select.pyd

Filesize
21KB

MD5
740424368fb6339d67941015e7ac4096

SHA1
64f3fab24f469a027ddfcf0329eca121f4164e45

SHA256
a389eae40188282c91e0cdf38c79819f475375860225b6963deb11623485b76d

SHA512
6d17dc3f294f245b4ca2eca8e62f4c070c7b8a5325349bc25ebaeea291a5a5ebd268bd1321c08755141aa58de0f985adc67335b4f83bc1aeec4b398d0f538e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI66722\sqlite3.dll

Filesize
605KB

MD5
7055e9008e847cb6015b1bb89f26c7ac

SHA1
c7c844cb46f8287a88bec3bd5d02647f5a07ae80

SHA256
2884d8e9007461ab6e8bbdd37c6bc4f6de472bbd52ec5b53e0a635075d86b871

SHA512
651b7b8c2518e4826d84c89be5052fd944f58f558c51cc905da181049850186d0a87fd2e05734fbe6a69618a6e48261a9fdd043ab17eb01620c6510e96d57008

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI66722\unicodedata.pyd

Filesize
285KB

MD5
0c26e9925bea49d7cf03cfc371283a9b

SHA1
89290d3e43e18165cb07a7a4f99855b9e8466b21

SHA256
13c2ea04a1d40588536f1d7027c8d0ea228a9fb328ca720d6c53b96a8e1ae724

SHA512
6a3cd4b48f7c0087f4a1bdc1241df71d56bd90226759481f17f56baa1b991d1af0ba5798a2b7ba57d9ffa9ec03a12bfac81df2fba88765bd369435ff21a941e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ra4lzefe.rcy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\ElectronV3.zip

Filesize
9.6MB

MD5
20e23e39f5bc2960dc22467843ef508f

SHA1
656e80a3f06734299f77b79ef7476f8a0e87b7f9

SHA256
17a1a20884741269ebf3bc8e594192d7a71550ff2db2e95d955f90a57e09a238

SHA512
5718e5bd95cf74a6fdf0c6699f32f0260995bcdb9d31cb0a3a66e32aaea58a2568a232176689365e0c2590c4f8e51ca8e521bd7eff5b23f1fac750f4ffbcada0

Download Submit
C:\Users\Admin\Downloads\ElectronV3\ElectronV3.exe

Filesize
9.9MB

MD5
fb378cce904aa88ef75e6b3e23d3570c

SHA1
fb0e5807e9f585d6a366b983aecedd33e4db5e1d

SHA256
7ccdd35fed305775ea2ce064c5358aaabc386db052d8d35ada9e49ccc2c779c5

SHA512
3ca77a7a3d6df9f17577344f1d35a67dd5800a9edac6d45d2a88801ebf913dcd6491c788045d82cce18c45a9885de88f36c2483805e445ba065f8157c8f1b31b

Download Submit
\??\pipe\LOCAL\crashpad_5048_GACESJWODRWUGOLJ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/5968-547-0x0000028C6CDC0000-0x0000028C6CDE2000-memory.dmp

Filesize
136KB

Download
memory/7000-404-0x00007FF991CF0000-0x00007FF991DA6000-memory.dmp

Filesize
728KB

Download
memory/7000-430-0x00007FF98CC70000-0x00007FF98D40A000-memory.dmp

Filesize
7.6MB

Download
memory/7000-394-0x00007FF9A4BD0000-0x00007FF9A4BDD000-memory.dmp

Filesize
52KB

Download
memory/7000-396-0x00007FF9A1210000-0x00007FF9A1229000-memory.dmp

Filesize
100KB

Download
memory/7000-398-0x00007FF996100000-0x00007FF99612C000-memory.dmp

Filesize
176KB

Download
memory/7000-399-0x00007FF9960E0000-0x00007FF9960FE000-memory.dmp

Filesize
120KB

Download
memory/7000-400-0x00007FF990790000-0x00007FF9908FD000-memory.dmp

Filesize
1.4MB

Download
memory/7000-401-0x00007FF98FF20000-0x00007FF990385000-memory.dmp

Filesize
4.4MB

Download
memory/7000-402-0x00007FF9960B0000-0x00007FF9960DE000-memory.dmp

Filesize
184KB

Download
memory/7000-403-0x00007FF98FBA0000-0x00007FF98FF14000-memory.dmp

Filesize
3.5MB

Download
memory/7000-390-0x00007FF9A4DC0000-0x00007FF9A4DCF000-memory.dmp

Filesize
60KB

Download
memory/7000-405-0x0000010B53AC0000-0x0000010B53E34000-memory.dmp

Filesize
3.5MB

Download
memory/7000-407-0x00007FF996090000-0x00007FF9960A4000-memory.dmp

Filesize
80KB

Download
memory/7000-406-0x00007FF9A44D0000-0x00007FF9A44F4000-memory.dmp

Filesize
144KB

Download
memory/7000-410-0x00007FF9A44B0000-0x00007FF9A44C9000-memory.dmp

Filesize
100KB

Download
memory/7000-411-0x00007FF996050000-0x00007FF996065000-memory.dmp

Filesize
84KB

Download
memory/7000-409-0x00007FF996070000-0x00007FF996084000-memory.dmp

Filesize
80KB

Download
memory/7000-408-0x00007FF9A44A0000-0x00007FF9A44B0000-memory.dmp

Filesize
64KB

Download
memory/7000-412-0x00007FF990670000-0x00007FF990788000-memory.dmp

Filesize
1.1MB

Download
memory/7000-414-0x00007FF996030000-0x00007FF996047000-memory.dmp

Filesize
92KB

Download
memory/7000-413-0x00007FF996100000-0x00007FF99612C000-memory.dmp

Filesize
176KB

Download
memory/7000-415-0x00007FF9960E0000-0x00007FF9960FE000-memory.dmp

Filesize
120KB

Download
memory/7000-417-0x00007FF991E00000-0x00007FF991E22000-memory.dmp

Filesize
136KB

Download
memory/7000-416-0x00007FF990790000-0x00007FF9908FD000-memory.dmp

Filesize
1.4MB

Download
memory/7000-418-0x00007FF996010000-0x00007FF996027000-memory.dmp

Filesize
92KB

Download
memory/7000-421-0x00007FF9905A0000-0x00007FF99066F000-memory.dmp

Filesize
828KB

Download
memory/7000-420-0x00007FF9960B0000-0x00007FF9960DE000-memory.dmp

Filesize
184KB

Download
memory/7000-429-0x00007FF996090000-0x00007FF9960A4000-memory.dmp

Filesize
80KB

Download
memory/7000-425-0x00007FF990550000-0x00007FF99059D000-memory.dmp

Filesize
308KB

Download
memory/7000-424-0x00007FF992EA0000-0x00007FF992EB9000-memory.dmp

Filesize
100KB

Download
memory/7000-423-0x0000010B53AC0000-0x0000010B53E34000-memory.dmp

Filesize
3.5MB

Download
memory/7000-392-0x00007FF9A44B0000-0x00007FF9A44C9000-memory.dmp

Filesize
100KB

Download
memory/7000-428-0x00007FF991DE0000-0x00007FF991DF1000-memory.dmp

Filesize
68KB

Download
memory/7000-427-0x00007FF990530000-0x00007FF99054E000-memory.dmp

Filesize
120KB

Download
memory/7000-426-0x00007FF9A4470000-0x00007FF9A447A000-memory.dmp

Filesize
40KB

Download
memory/7000-422-0x00007FF991CF0000-0x00007FF991DA6000-memory.dmp

Filesize
728KB

Download
memory/7000-419-0x00007FF98FBA0000-0x00007FF98FF14000-memory.dmp

Filesize
3.5MB

Download
memory/7000-431-0x00007FF98FB60000-0x00007FF98FB97000-memory.dmp

Filesize
220KB

Download
memory/7000-444-0x00007FF996050000-0x00007FF996065000-memory.dmp

Filesize
84KB

Download
memory/7000-448-0x00007FF990670000-0x00007FF990788000-memory.dmp

Filesize
1.1MB

Download
memory/7000-461-0x00007FF996030000-0x00007FF996047000-memory.dmp

Filesize
92KB

Download
memory/7000-469-0x00007FF98FF20000-0x00007FF990385000-memory.dmp

Filesize
4.4MB

Download
memory/7000-497-0x00007FF996010000-0x00007FF996027000-memory.dmp

Filesize
92KB

Download
memory/7000-496-0x00007FF98FB60000-0x00007FF98FB97000-memory.dmp

Filesize
220KB

Download
memory/7000-495-0x00007FF98CC70000-0x00007FF98D40A000-memory.dmp

Filesize
7.6MB

Download
memory/7000-489-0x00007FF9905A0000-0x00007FF99066F000-memory.dmp

Filesize
828KB

Download
memory/7000-482-0x00007FF9A44A0000-0x00007FF9A44B0000-memory.dmp

Filesize
64KB

Download
memory/7000-481-0x00007FF996090000-0x00007FF9960A4000-memory.dmp

Filesize
80KB

Download
memory/7000-470-0x00007FF9A44D0000-0x00007FF9A44F4000-memory.dmp

Filesize
144KB

Download
memory/7000-544-0x00007FF9AB130000-0x00007FF9AB13D000-memory.dmp

Filesize
52KB

Download
memory/7000-368-0x00007FF9A44D0000-0x00007FF9A44F4000-memory.dmp

Filesize
144KB

Download
memory/7000-360-0x00007FF98FF20000-0x00007FF990385000-memory.dmp

Filesize
4.4MB

Download
memory/7000-589-0x00007FF9AB130000-0x00007FF9AB13D000-memory.dmp

Filesize
52KB

Download
memory/7000-588-0x00007FF98FB60000-0x00007FF98FB97000-memory.dmp

Filesize
220KB

Download
memory/7000-569-0x00007FF990790000-0x00007FF9908FD000-memory.dmp

Filesize
1.4MB

Download
memory/7000-568-0x00007FF9960E0000-0x00007FF9960FE000-memory.dmp

Filesize
120KB

Download
memory/7000-562-0x00007FF9A44D0000-0x00007FF9A44F4000-memory.dmp

Filesize
144KB

Download
memory/7000-587-0x00007FF98CC70000-0x00007FF98D40A000-memory.dmp

Filesize
7.6MB

Download
memory/7000-583-0x00007FF990550000-0x00007FF99059D000-memory.dmp

Filesize
308KB

Download
memory/7000-582-0x00007FF992EA0000-0x00007FF992EB9000-memory.dmp

Filesize
100KB

Download
memory/7000-580-0x00007FF996010000-0x00007FF996027000-memory.dmp

Filesize
92KB

Download
memory/7000-579-0x00007FF991E00000-0x00007FF991E22000-memory.dmp

Filesize
136KB

Download
memory/7000-573-0x00007FF996090000-0x00007FF9960A4000-memory.dmp

Filesize
80KB

Download
memory/7000-561-0x00007FF98FF20000-0x00007FF990385000-memory.dmp

Filesize
4.4MB

Download