exelastealer | 8217913720f79930ee8a7780ffc0c9b379cc69435074e9bfe35058452ac45f65

Analysis

max time kernel
95s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04/12/2024, 01:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

NEVEROPEN.exe
Size

9.6MB
MD5

2b6ac351d80613b7e7bbf0d2ac64ff54
SHA1

179599a4723a174dd903383bd808afa685d0e54b
SHA256

8217913720f79930ee8a7780ffc0c9b379cc69435074e9bfe35058452ac45f65
SHA512

0249ae1429747c3cda570a3d501856dcdfcdbd9db88920b69f44ecb6224bfc8254c6e68687a6dc3407f1bcf0c7da8e202c20563f94f74a1610f380369a334ee1
SSDEEP

196608:x51Z3x3m/acemXyuSyTde8jDeNMHFJMIDJ+gsAGKkR5QdNzly10AAQo+:5ftByxjj44Fqy+gs1gjA

Score

10^/10

exelastealer collection defense_evasion discovery evasion persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2772	netsh.exe
1828	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2952	cmd.exe
1176	powershell.exe

Loads dropped DLL 32 IoCs

pid	Process
3212	NEVEROPEN.exe
3212	NEVEROPEN.exe
3212	NEVEROPEN.exe
3212	NEVEROPEN.exe
3212	NEVEROPEN.exe
3212	NEVEROPEN.exe
3212	NEVEROPEN.exe
3212	NEVEROPEN.exe
3212	NEVEROPEN.exe
3212	NEVEROPEN.exe
3212	NEVEROPEN.exe
3212	NEVEROPEN.exe
3212	NEVEROPEN.exe
3212	NEVEROPEN.exe
3212	NEVEROPEN.exe
3212	NEVEROPEN.exe
3212	NEVEROPEN.exe
3212	NEVEROPEN.exe
3212	NEVEROPEN.exe
3212	NEVEROPEN.exe
3212	NEVEROPEN.exe
3212	NEVEROPEN.exe
3212	NEVEROPEN.exe
3212	NEVEROPEN.exe
3212	NEVEROPEN.exe
3212	NEVEROPEN.exe
3212	NEVEROPEN.exe
3212	NEVEROPEN.exe
3212	NEVEROPEN.exe
3212	NEVEROPEN.exe
3212	NEVEROPEN.exe
3212	NEVEROPEN.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
20	discord.com
21	discord.com
22	discord.com
89	discord.com
102	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
14	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2232	cmd.exe
3924	ARP.EXE

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
4980	tasklist.exe
4476	tasklist.exe
4128	tasklist.exe
1260	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2544	cmd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023cce-46.dat	upx
behavioral2/memory/3212-50-0x00007FF989EC0000-0x00007FF98A32E000-memory.dmp	upx
behavioral2/files/0x0007000000023c9d-52.dat	upx
behavioral2/files/0x0007000000023cc6-57.dat	upx
behavioral2/memory/3212-58-0x00007FF99CC60000-0x00007FF99CC84000-memory.dmp	upx
behavioral2/files/0x0007000000023ca7-78.dat	upx
behavioral2/memory/3212-79-0x00007FF99FC10000-0x00007FF99FC1F000-memory.dmp	upx
behavioral2/files/0x0007000000023ca6-77.dat	upx
behavioral2/files/0x0007000000023ca5-76.dat	upx
behavioral2/files/0x0007000000023ca4-75.dat	upx
behavioral2/files/0x0007000000023ca3-74.dat	upx
behavioral2/files/0x0007000000023ca2-73.dat	upx
behavioral2/files/0x0007000000023ca1-72.dat	upx
behavioral2/files/0x0007000000023ca0-71.dat	upx
behavioral2/files/0x0007000000023c9f-70.dat	upx
behavioral2/files/0x0007000000023c9e-69.dat	upx
behavioral2/files/0x0007000000023c9c-68.dat	upx
behavioral2/files/0x0007000000023c9b-67.dat	upx
behavioral2/files/0x0007000000023c9a-66.dat	upx
behavioral2/files/0x0007000000023cd1-65.dat	upx
behavioral2/files/0x0007000000023cd0-64.dat	upx
behavioral2/files/0x0007000000023ccf-63.dat	upx
behavioral2/files/0x0007000000023ccc-62.dat	upx
behavioral2/files/0x0007000000023cc7-61.dat	upx
behavioral2/files/0x0007000000023cc5-60.dat	upx
behavioral2/memory/3212-83-0x00007FF99CE40000-0x00007FF99CE4D000-memory.dmp	upx
behavioral2/memory/3212-82-0x00007FF99CC40000-0x00007FF99CC59000-memory.dmp	upx
behavioral2/memory/3212-85-0x00007FF99CC20000-0x00007FF99CC39000-memory.dmp	upx
behavioral2/memory/3212-87-0x00007FF99CBF0000-0x00007FF99CC1D000-memory.dmp	upx
behavioral2/memory/3212-89-0x00007FF99CB10000-0x00007FF99CB2F000-memory.dmp	upx
behavioral2/memory/3212-91-0x00007FF998BC0000-0x00007FF998D31000-memory.dmp	upx
behavioral2/memory/3212-96-0x00007FF9991E0000-0x00007FF999298000-memory.dmp	upx
behavioral2/memory/3212-94-0x00007FF989EC0000-0x00007FF98A32E000-memory.dmp	upx
behavioral2/memory/3212-95-0x00007FF999DB0000-0x00007FF999DDE000-memory.dmp	upx
behavioral2/memory/3212-100-0x00007FF9986E0000-0x00007FF998A55000-memory.dmp	upx
behavioral2/memory/3212-99-0x00007FF99CC60000-0x00007FF99CC84000-memory.dmp	upx
behavioral2/memory/3212-103-0x00007FF999EE0000-0x00007FF999EF5000-memory.dmp	upx
behavioral2/files/0x0007000000023cc9-107.dat	upx
behavioral2/memory/3212-106-0x00007FF99CB00000-0x00007FF99CB10000-memory.dmp	upx
behavioral2/memory/3212-108-0x00007FF999460000-0x00007FF999474000-memory.dmp	upx
behavioral2/files/0x0007000000023cd3-111.dat	upx
behavioral2/memory/3212-114-0x00007FF9993F0000-0x00007FF999412000-memory.dmp	upx
behavioral2/memory/3212-113-0x00007FF99CB10000-0x00007FF99CB2F000-memory.dmp	upx
behavioral2/memory/3212-110-0x00007FF999440000-0x00007FF999454000-memory.dmp	upx
behavioral2/memory/3212-116-0x00007FF989DA0000-0x00007FF989EB8000-memory.dmp	upx
behavioral2/files/0x0007000000023ccb-117.dat	upx
behavioral2/memory/3212-120-0x00007FF999090000-0x00007FF9990AB000-memory.dmp	upx
behavioral2/memory/3212-119-0x00007FF999DB0000-0x00007FF999DDE000-memory.dmp	upx
behavioral2/files/0x0007000000023ca9-121.dat	upx
behavioral2/memory/3212-125-0x00007FF999070000-0x00007FF999086000-memory.dmp	upx
behavioral2/memory/3212-124-0x00007FF9991E0000-0x00007FF999298000-memory.dmp	upx
behavioral2/files/0x0007000000023cab-123.dat	upx
behavioral2/files/0x0007000000023caa-127.dat	upx
behavioral2/files/0x0007000000023cc4-133.dat	upx
behavioral2/memory/3212-141-0x00007FF999EE0000-0x00007FF999EF5000-memory.dmp	upx
behavioral2/memory/3212-140-0x00007FF998B90000-0x00007FF998BAE000-memory.dmp	upx
behavioral2/memory/3212-139-0x00007FF990150000-0x00007FF99019D000-memory.dmp	upx
behavioral2/memory/3212-137-0x00007FF998BB0000-0x00007FF998BBA000-memory.dmp	upx
behavioral2/memory/3212-136-0x00007FF998DB0000-0x00007FF998DC1000-memory.dmp	upx
behavioral2/memory/3212-135-0x00007FF998EF0000-0x00007FF998F09000-memory.dmp	upx
behavioral2/files/0x0007000000023cac-130.dat	upx
behavioral2/memory/3212-132-0x00007FF9986E0000-0x00007FF998A55000-memory.dmp	upx
behavioral2/files/0x0007000000023cc2-142.dat	upx
behavioral2/memory/3212-144-0x00007FF988E70000-0x00007FF9895FA000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2644	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
4220	cmd.exe
3404	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
3620	NETSTAT.EXE

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
1460	WMIC.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3708	ipconfig.exe
3620	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
448	systeminfo.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1176	powershell.exe
1176	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2212	WMIC.exe
Token: SeSecurityPrivilege	2212	WMIC.exe
Token: SeTakeOwnershipPrivilege	2212	WMIC.exe
Token: SeLoadDriverPrivilege	2212	WMIC.exe
Token: SeSystemProfilePrivilege	2212	WMIC.exe
Token: SeSystemtimePrivilege	2212	WMIC.exe
Token: SeProfSingleProcessPrivilege	2212	WMIC.exe
Token: SeIncBasePriorityPrivilege	2212	WMIC.exe
Token: SeCreatePagefilePrivilege	2212	WMIC.exe
Token: SeBackupPrivilege	2212	WMIC.exe
Token: SeRestorePrivilege	2212	WMIC.exe
Token: SeShutdownPrivilege	2212	WMIC.exe
Token: SeDebugPrivilege	2212	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2212	WMIC.exe
Token: SeRemoteShutdownPrivilege	2212	WMIC.exe
Token: SeUndockPrivilege	2212	WMIC.exe
Token: SeManageVolumePrivilege	2212	WMIC.exe
Token: 33	2212	WMIC.exe
Token: 34	2212	WMIC.exe
Token: 35	2212	WMIC.exe
Token: 36	2212	WMIC.exe
Token: SeDebugPrivilege	4980	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2212	WMIC.exe
Token: SeSecurityPrivilege	2212	WMIC.exe
Token: SeTakeOwnershipPrivilege	2212	WMIC.exe
Token: SeLoadDriverPrivilege	2212	WMIC.exe
Token: SeSystemProfilePrivilege	2212	WMIC.exe
Token: SeSystemtimePrivilege	2212	WMIC.exe
Token: SeProfSingleProcessPrivilege	2212	WMIC.exe
Token: SeIncBasePriorityPrivilege	2212	WMIC.exe
Token: SeCreatePagefilePrivilege	2212	WMIC.exe
Token: SeBackupPrivilege	2212	WMIC.exe
Token: SeRestorePrivilege	2212	WMIC.exe
Token: SeShutdownPrivilege	2212	WMIC.exe
Token: SeDebugPrivilege	2212	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2212	WMIC.exe
Token: SeRemoteShutdownPrivilege	2212	WMIC.exe
Token: SeUndockPrivilege	2212	WMIC.exe
Token: SeManageVolumePrivilege	2212	WMIC.exe
Token: 33	2212	WMIC.exe
Token: 34	2212	WMIC.exe
Token: 35	2212	WMIC.exe
Token: 36	2212	WMIC.exe
Token: SeDebugPrivilege	4476	tasklist.exe
Token: SeDebugPrivilege	4128	tasklist.exe
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeIncreaseQuotaPrivilege	1460	WMIC.exe
Token: SeSecurityPrivilege	1460	WMIC.exe
Token: SeTakeOwnershipPrivilege	1460	WMIC.exe
Token: SeLoadDriverPrivilege	1460	WMIC.exe
Token: SeSystemProfilePrivilege	1460	WMIC.exe
Token: SeSystemtimePrivilege	1460	WMIC.exe
Token: SeProfSingleProcessPrivilege	1460	WMIC.exe
Token: SeIncBasePriorityPrivilege	1460	WMIC.exe
Token: SeCreatePagefilePrivilege	1460	WMIC.exe
Token: SeBackupPrivilege	1460	WMIC.exe
Token: SeRestorePrivilege	1460	WMIC.exe
Token: SeShutdownPrivilege	1460	WMIC.exe
Token: SeDebugPrivilege	1460	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1460	WMIC.exe
Token: SeRemoteShutdownPrivilege	1460	WMIC.exe
Token: SeUndockPrivilege	1460	WMIC.exe
Token: SeManageVolumePrivilege	1460	WMIC.exe
Token: 33	1460	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1356 wrote to memory of 3212	1356	NEVEROPEN.exe	82
PID 1356 wrote to memory of 3212	1356	NEVEROPEN.exe	82
PID 3212 wrote to memory of 5012	3212	NEVEROPEN.exe	83
PID 3212 wrote to memory of 5012	3212	NEVEROPEN.exe	83
PID 3212 wrote to memory of 4700	3212	NEVEROPEN.exe	85
PID 3212 wrote to memory of 4700	3212	NEVEROPEN.exe	85
PID 3212 wrote to memory of 4480	3212	NEVEROPEN.exe	86
PID 3212 wrote to memory of 4480	3212	NEVEROPEN.exe	86
PID 4700 wrote to memory of 2212	4700	cmd.exe	89
PID 4700 wrote to memory of 2212	4700	cmd.exe	89
PID 4480 wrote to memory of 4980	4480	cmd.exe	90
PID 4480 wrote to memory of 4980	4480	cmd.exe	90
PID 3212 wrote to memory of 2544	3212	NEVEROPEN.exe	92
PID 3212 wrote to memory of 2544	3212	NEVEROPEN.exe	92
PID 2544 wrote to memory of 5000	2544	cmd.exe	94
PID 2544 wrote to memory of 5000	2544	cmd.exe	94
PID 3212 wrote to memory of 4604	3212	NEVEROPEN.exe	95
PID 3212 wrote to memory of 4604	3212	NEVEROPEN.exe	95
PID 3212 wrote to memory of 4600	3212	NEVEROPEN.exe	96
PID 3212 wrote to memory of 4600	3212	NEVEROPEN.exe	96
PID 4600 wrote to memory of 4476	4600	cmd.exe	99
PID 4600 wrote to memory of 4476	4600	cmd.exe	99
PID 4604 wrote to memory of 1992	4604	cmd.exe	100
PID 4604 wrote to memory of 1992	4604	cmd.exe	100
PID 3212 wrote to memory of 3584	3212	NEVEROPEN.exe	101
PID 3212 wrote to memory of 3584	3212	NEVEROPEN.exe	101
PID 3212 wrote to memory of 1696	3212	NEVEROPEN.exe	102
PID 3212 wrote to memory of 1696	3212	NEVEROPEN.exe	102
PID 3212 wrote to memory of 2940	3212	NEVEROPEN.exe	103
PID 3212 wrote to memory of 2940	3212	NEVEROPEN.exe	103
PID 3212 wrote to memory of 2952	3212	NEVEROPEN.exe	104
PID 3212 wrote to memory of 2952	3212	NEVEROPEN.exe	104
PID 2952 wrote to memory of 1176	2952	cmd.exe	109
PID 2952 wrote to memory of 1176	2952	cmd.exe	109
PID 3584 wrote to memory of 4888	3584	cmd.exe	110
PID 3584 wrote to memory of 4888	3584	cmd.exe	110
PID 2940 wrote to memory of 4128	2940	cmd.exe	111
PID 2940 wrote to memory of 4128	2940	cmd.exe	111
PID 1696 wrote to memory of 3576	1696	cmd.exe	112
PID 1696 wrote to memory of 3576	1696	cmd.exe	112
PID 4888 wrote to memory of 2624	4888	cmd.exe	113
PID 4888 wrote to memory of 2624	4888	cmd.exe	113
PID 3576 wrote to memory of 3956	3576	cmd.exe	114
PID 3576 wrote to memory of 3956	3576	cmd.exe	114
PID 3212 wrote to memory of 2232	3212	NEVEROPEN.exe	115
PID 3212 wrote to memory of 2232	3212	NEVEROPEN.exe	115
PID 3212 wrote to memory of 4220	3212	NEVEROPEN.exe	117
PID 3212 wrote to memory of 4220	3212	NEVEROPEN.exe	117
PID 2232 wrote to memory of 448	2232	cmd.exe	119
PID 2232 wrote to memory of 448	2232	cmd.exe	119
PID 4220 wrote to memory of 3404	4220	cmd.exe	120
PID 4220 wrote to memory of 3404	4220	cmd.exe	120
PID 2232 wrote to memory of 2932	2232	cmd.exe	122
PID 2232 wrote to memory of 2932	2232	cmd.exe	122
PID 2232 wrote to memory of 1460	2232	cmd.exe	123
PID 2232 wrote to memory of 1460	2232	cmd.exe	123
PID 2232 wrote to memory of 3764	2232	cmd.exe	124
PID 2232 wrote to memory of 3764	2232	cmd.exe	124
PID 3764 wrote to memory of 3640	3764	net.exe	125
PID 3764 wrote to memory of 3640	3764	net.exe	125
PID 2232 wrote to memory of 3980	2232	cmd.exe	126
PID 2232 wrote to memory of 3980	2232	cmd.exe	126
PID 3980 wrote to memory of 1244	3980	query.exe	127
PID 3980 wrote to memory of 1244	3980	query.exe	127

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
5000	attrib.exe

C:\Users\Admin\AppData\Local\Temp\NEVEROPEN.exe
"C:\Users\Admin\AppData\Local\Temp\NEVEROPEN.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Users\Admin\AppData\Local\Temp\NEVEROPEN.exe
  "C:\Users\Admin\AppData\Local\Temp\NEVEROPEN.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:5012
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4700
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4480
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4980
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:2544
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Views/modifies file attributes
      PID:5000
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4604
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:1992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4600
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3584
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4888
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:2624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1696
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3576
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:3956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1176
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    - Suspicious use of WriteProcessMemory
    PID:2232
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:448
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:2932
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      Suspicious use of AdjustPrivilegeToken
      PID:1460
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3764
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:3640
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3980
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:1244
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:4260
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:3124
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:2656
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:2168
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:2732
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:4824
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:2708
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:1056
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:4444
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:1260
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:3708
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:5016
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:3924
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:3620
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:2644
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2772
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:4220
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:3404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2748
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2212
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1492
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\BlockDebug.docx

Filesize
13KB

MD5
4aa7720ad06cd3a44f6bb492f4054a5a

SHA1
7e6e8824e9112cb4725b5095bb5926e3cc01cfd5

SHA256
ac9be75c10452529b9507a9da9d23a38201ba470450694bf61018d891e0ce61a

SHA512
f9277b9d785caf0bd2ec6dfdb2e40e856e28937f5259e089b9b9e4698c385a3180d9ec5cb993fc4aa8edccb6a4e33142ec2c6df69da4ac52672c2142fb382a89

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\ConnectComplete.txt

Filesize
498KB

MD5
7fd2a2352a376ca87b91e7ea583c0a4d

SHA1
f6353267667aa6c1076c50673c9fed1639eb151f

SHA256
1ad46f75ba025d9943bb373d7c5c3cb024edf74aa6871c5d742c284210230429

SHA512
728ea39f662cb87e67ed53f8bf1bcfcca430104d4da68abf88205670666b78846fd84e9a30e82601bf3feef3c3c8405840346dcbf171b7a580f13f0110f961e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\LockResume.mp3

Filesize
231KB

MD5
5f975c174d57a776fa604a32abdc71ca

SHA1
1915835aacf2fd27142af16a8d69395f1cdc5bd8

SHA256
3d27b340d908b3c464941b39d69f3573ad76ed5f2cf41eaea982897bcf89acd6

SHA512
5a2296783a6af36c623f4c5f0d710fe04103560b84a99c98e2cf61c2a02bb90fb9f1f1cdb2eb9936c459b16e795289f7e945904334cf53390cebc9f0332b79b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\RemoveExport.xlsx

Filesize
9KB

MD5
0af2e058940aa7c171cd01f0090c658e

SHA1
f4e660fadc93167bd337eb595f19a309d957a38f

SHA256
384561df972482e185feed13b22e5b492d292a43095a05b48432230eeb01374b

SHA512
da3d2fc617418eb5b5cbf581dc275c0e0efbaa39afb207645a498f0667fe761ff01a96b26f7feffce37929bb59065b925ea5fab480727985325cf14f7b8002ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\SelectLock.xlsx

Filesize
10KB

MD5
9b4d91b04967d5e5c8cb8d6e783f5563

SHA1
a3cc66ae5d1f985889317552580d924798133e0f

SHA256
423560167ed8da1e240a068cdb0d81fbbc70ace4d2a69af6d5a8ab4af387c0f4

SHA512
c9d3662cf35f37dcb432fc19d2cd6142fe7eedbd8cad33c1343cde58efd0295b7a3fc9d01d8bc82ca771302226677b00a1b010d44399eaab13a4df7ce06c72e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\UnpublishStep.docx

Filesize
16KB

MD5
d289e28aabdb1a15ad99dfb03eae1a99

SHA1
74a5e6dad94b8a718e9a56f1f61227b664773393

SHA256
7f3107c234bae3103aaa2991d36b39ce37c4b5861e7242a41fcf028bfd503ec3

SHA512
351845c0348496dc569484b93baa4b2e32716a17201401e0f4f0c7a568e57bda7e57f7bc553b6b86314818931191fe0dd43f64883100ca2a296c18bfbfc33618

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\BackupFind.dotm

Filesize
717KB

MD5
37f16daed1b8abced7c927f2eef6dc0f

SHA1
cc8bb4e21eb766f23f90c8ae8bbf9327379bc240

SHA256
c8a211cfbea7b54ed2efbab3184048dbadba2eb63f2e27e9b7a35bce3e595cdd

SHA512
cc23fc0933a1246791598a05758cc4e25f8cd7b343aa18230ade8edc792d7c768b5a7d49cfd1aad3f3ccef69c30696694f23d77cf8655e2f9f5365707516cc58

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\BackupUninstall.vsdm

Filesize
499KB

MD5
79df37f116732888473c4cad1cc88adf

SHA1
65733332298fdb216a50144db8e87a0f6cf8ceb3

SHA256
e1b6b3c02128231e64154206570056ba27121d330146bb360ea259f7f5c8dc9f

SHA512
cef2a0b2bf9754bbc66b4280bc9604f5fd84e587fa0f0e21b2ddc8abc69091b9227aa6f6ce743ec346d5bfbc3799bc2ece2ca49ebac1bc6b368be8aed92ac2e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\BlockRedo.docx

Filesize
17KB

MD5
545180fb335bdb929848eda3b7a7869b

SHA1
66611d315a0e4d38d6a008bacdcdd427b33dddd5

SHA256
a08892d22f3074600647afe22f3a82c72d0b27865bd1279f7c3ac47ca14a2279

SHA512
02bae68737b05bd1468e6d148a433897cc675e396cd0d11babf1338e04d34cd0c09d7101be177ce3baac3119ee7caf56d035a9ee0aa0dece9dbd49753b29cd5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\CheckpointResize.doc

Filesize
780KB

MD5
bbd324ba50dcea4b20faddcdae44ba83

SHA1
7fc960e6cfc05e05a37e1562b87c6fd4d0e3e5e3

SHA256
f7af2ad24ba9e75b147d1f5fbbdfbaec78a2c030eea3500e153bc7521f259e02

SHA512
893397924f661ac60a8b0a56226f3bd5c45763759a30ba36aa7573dadc411941933d61a1d6ded27647666f6339743c34b91c8d526960bc2481ac4d0d5351c0fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\ConnectEdit.csv

Filesize
748KB

MD5
a07627fa6887e1b95d2a9e383e7b9b40

SHA1
cb9a9e48caa58b0cca87974d94af90aebc543113

SHA256
5251b2ed85340c91bcf38b8261789225e4a5a2fa2007fa9df2370fa0c7b50b20

SHA512
7aa50d0e2ff8e3ab39ad67e579c7a2688c11928c843f2be11d3dcc3982b02f3aeddd891119c6c36a1f026ba976e3de970ac58fc7f5834557f7b8d7bf128530fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\ConnectPing.docx

Filesize
16KB

MD5
59b9c65e630062098a9070253ed65e06

SHA1
7694d14cbd9e928fd4aec1a84c90e728ba45d1ad

SHA256
9ba05bd4c2d500b997d42b4328e382ca63b7f7a189da38ebeb39fb522810d0e0

SHA512
9b9330692aa2963c465c3ddd0d70e52f9381489a1536e2541ec27ef2ef7ece23525951c46f1a986de58732c1639bf2ceb66dadd5f75470689922b695ef36dc2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\ConvertFromSwitch.doc

Filesize
592KB

MD5
e1e4cdebaf803c122801268d4ae48547

SHA1
73c2fb95b969359abc314dc25764663666fd1b6d

SHA256
05b4e9535d6e480144875d295befec4b0ba281324cfb633bb3f7a6bc889e86da

SHA512
0c9f1d4c99d876cb15ae5fb9c0a0addaf09729b1b47aed7633a4f76078e115ec79ccc13773628299dfdda746c5f12ac45c6e1a5a050342674d6edd0e5b55b93c

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\DebugUninstall.pdf

Filesize
655KB

MD5
f3b98e8c6122d212e7881073367237bb

SHA1
11d04ccd515e7f886f3ba279e5fe6c5cefef4965

SHA256
12ece6aab5ddd6c47c247d4138f48795ed0b1238f2a732cf77b1aa937c83a506

SHA512
09d65aa50083513c9f3c6724de848e2ae50c335ca630d0d0f968134e1e2043a09e6a015ed18819994ecce218c7bb3544847e8c82fefea17d27ff81efcebf99ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\InvokeConfirm.csv

Filesize
624KB

MD5
c4d6a98c42f52cab546be715e30d2cf6

SHA1
dc348ea76f36813bcdf399c503d1b9f3ad44f35a

SHA256
da3bd6edf65ec67feb73c36af327314acfaa642677a5f5a65deb73a1392cfb68

SHA512
866b13b00e454bad18ceea24e2de658e735937eb978ab8e0e52a2a64599a94b7c7dec9a85fcf9aebec1cf1e9568bd090385691fccd8811bedb7e0b7786666960

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\PushMove.docx

Filesize
13KB

MD5
3064b58d194605c847eaabb3f064ad89

SHA1
b7c0b16413ce01f1ab86950d590fe67d7c666da4

SHA256
fe3ea002eb4055851fee580e5271854ac5d579b5ec146ebac45472e8e1bcfd75

SHA512
04e80596c42aa6349be43f7e288889573cd395bff24c83491f74f4bec436e3d8f6501dde2516685e68b43d5d9c045fa4124000f8b63d525d616ac366b6f436a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\RemoveOptimize.docx

Filesize
764KB

MD5
d8c57f77189060ab2eed928b839c5111

SHA1
c4aad4c62b3ec1d8669ee0918f316a944fad7a1e

SHA256
c550dea74b0c5e83c721a9fec3975619b85f893583a91b0f9de8a7d07c33c156

SHA512
a2dde41f5df819ba2288c8e4ee3f3f87ad79cdd41e4184c5cc0413f4de94e04632ac7a8e0986747db7bd82784a5ecf6aec461f0aff3fb48e5161b92b4db1fdd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\ResizeMove.xls

Filesize
468KB

MD5
7b3f0980933d76fd430b3ee3becd518a

SHA1
2372422c437f466804e2aebe933e6137a0c115ba

SHA256
ac962bc42bd1add2449f439c79506277f12e3b293d94ff591fcbfba287c8b27c

SHA512
64e14ab382bf1fb51a5a22437a936629a0766880b2d09d07f99fb6a31717e27715c12f4c7fe1dc42170730ea55da2da44df2b5da2d53e1eb830177ed786ea179

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\ShowRedo.csv

Filesize
811KB

MD5
58631b975f7d12ececb14c3de095f596

SHA1
f363d7f31508c703cd195e96f64116045fe7dccd

SHA256
9358736882d0b776162f30508f647707a50593138f69199896a18deb855a3d8b

SHA512
622cac40e1d127990eeed070a422cf45d951069c0904344a427b439b015ef5e26b0bad5be64d2a0a6c3a7d253dd45610fb04c12e292f68d786a5fd51c29f1745

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\DisconnectSync.zip

Filesize
381KB

MD5
fa811840d94fa1d97fdb8faf0693a3f7

SHA1
0858692fcd4453ba7008d6438cd6c06c0c8916d9

SHA256
ab7b482888e3399d9dea96e2afd1e344a687f993a9db3a48a63cb396ebe513a2

SHA512
4b4cd57d09ff32167e666d0434d370f6550d39b32daa8c9834800229c6f5a4f5dac10d07ef0f7b389af6d383bc9bfb0e5b4dbbae1bc9b5688e3fe48bb9630f2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\RenameOpen.jpg

Filesize
546KB

MD5
1b82725e121e010f37c077e4db1cacdf

SHA1
097c8b5a06955d2bca108df9f14ab37d86894971

SHA256
72b5f93b97201242c1a3300a698300cb3846422b6beba8be07aac50cc3bffe95

SHA512
9e04e9570e6305a53f93a971379a8a186f62eb696525a1d595edfa9e837009f560cef8f8e55af1dd0d80f2b493926cebce02ecf57966d1531778d0f27ffeaf96

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\StartOut.txt

Filesize
800KB

MD5
8df5477b0e0e9989391c60a173635ccd

SHA1
891869aee1d88910a320f43ed796386a16e5e54e

SHA256
36082410f0baf707bdba164d127de1bc1b0b3b14e34e5b5db2a916dcab87042e

SHA512
e16c509dbf2c8850cfe9b4ff4787873851c6a41f6cf1b554198dd36b380a358f08138f2ac8a5dd5162117abd8ea1e47455d2ab1df18c2a23d7ddd8a33212617d

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\SubmitDismount.txt

Filesize
336KB

MD5
26711b145988dd7388939eeda2aaac04

SHA1
3d11e477789efcde6e7265cd6bd907a883e933d0

SHA256
a620c1d6c81ea569c4fe14a2e26f9c12214f396ec277200b297fca193a5866ed

SHA512
9d4603f3c7dba985fcb884419ceacfec7ca8cfecac554c2b1c4049db0e02660adf9f806a2dc045daefc3eff1a22ec85fed5e633d701c1a4061d8e4b6909d2cd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\SwitchConvertTo.mp3

Filesize
456KB

MD5
d959e140459967738f267ec61278c370

SHA1
220bdb380dc21b0a30cfe3cb8e58377da875ab47

SHA256
be84a8de42b504406f8ad4fca2b45ff82ede011c37efdeaab4d6a0e13e9f6493

SHA512
63a820f3201798f727ac7531020ddcd6fb3f1069e804857d5098a0aa2eca72502ad28b8c68d1c8fa9150f2abe79e9d05bde4ccd84ce9e3ea08f4389d8579d37a

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\ConvertFromLimit.xlsx

Filesize
630KB

MD5
6bfd3a9a39cab7e0faff58e1e519e039

SHA1
0b08f4de75a39f859dede9a2aade55b5f86cc841

SHA256
9835c58b7376f4193f0e8c46fbde9dc53b7e215519daf0931ad04bfd742d1a38

SHA512
4248fc6b39a23f16c2e1a76fc13eed4c04b115f1106d5a5bc769b7d0680e030dae939a4ef1ca62b23cff4f887fbe96889fc13c1f681d278c819f5f560fd9dd33

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\BackupUnregister.tiff

Filesize
237KB

MD5
24fac1043e8f24084257ab907b434996

SHA1
8d37e976cc5939d9b19256ee0a449db07500b279

SHA256
2170bde9273be67e91364a2bc6ceecd86dcf2c4ea86dddf6cb30d3e6a4908f80

SHA512
acbec155e87585d0d11e8679f7896496af1079eca3bad9f3e808f5672a521d6ebc8bb1ab4b87f49459c41b684c6a628d003af3d95402cef8912f6221b0c8c394

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\EditDisconnect.png

Filesize
93KB

MD5
718eda8f42c0dbbd0c63364cf0309659

SHA1
d639530a42f85459bf97f75365c7c31023315aaa

SHA256
14ac991e1c8ba6ba618e5b5268cfb432581efc00da946abccc14d04f79f98ee8

SHA512
fc15498d37853ee31e85fa3693376167f5d4258d5903d519f7538c6ec686e332b05a81a4e80038ac856d7f5ef8e1a0ae9c4c2846706eed8feb8b8b2defe8e597

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\ProtectBackup.eps

Filesize
130KB

MD5
93b28a39c2885e89868061675834d85c

SHA1
1b4f50be434e061855b507778a972953e016119d

SHA256
be88695064a9a4eb325d0650a720ae3284468deee15dc375fcd146de72b6bf7e

SHA512
0f158fa284c3805cd8566294947a109a8bff2c79468127d0133660e4138fc1fd910f32fa2fb6b3f2a82fbaed9b8a7650d4f177c9674887a64b75fc6cba78b162

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\WatchResume.jpg

Filesize
141KB

MD5
21e09d81e7e3557a7b3fc3cc19ddbcff

SHA1
fe16af6c1b15ccda7cbdf2da5b71732919e22549

SHA256
1cba2d72d914d8cbac81a418f18c374b09e56a07c3de478fb395fbcc9f622dab

SHA512
368b96517d03f4004be6d4305359ff0fcd6c5013d8754041473aa8426c0b9e90bbab8c630cfcc81a5adfbdd15653a385c31d215b4e9d50cb3c55d733c0615c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13562\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13562\_asyncio.pyd

Filesize
34KB

MD5
7d4f9a2b793e021f7e37b8448751ed4e

SHA1
0ea07b5024501aad5008655cfeae6d96b5da957a

SHA256
2293c1b6b0b901832a57a1c4dcb1265c9e92d21177195712c30632a7b63227d4

SHA512
af75452279c308c61c3e222a031a8201e47e8fe44c4e92cb7dab03d56c7e7e3e2a2c589f650c50e0b29e2df175d6f2ff50c8e5e589d17a124bf0a2e0d7886c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13562\_bz2.pyd

Filesize
46KB

MD5
6250a28b9d0bfefc1254bd78ece7ae9f

SHA1
4b07c8e18d23c8ae9d92d7b8d39ae20bc447aecd

SHA256
7d43f7105aa4f856239235c67f61044493ee6f95ddf04533189bf5ea98073f0b

SHA512
6d0aa5c3f8f5b268b94341dfdd5afbe48f91f9aac143bf59f7f5e8ba6f54205b85ec527c53498ed8860fdff6a8d08e48ec4e1652eeab2d3c89aaaf3a14fcaaa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13562\_cffi_backend.cp310-win_amd64.pyd

Filesize
71KB

MD5
7727212e7bdbf63b1a39fb7faad24265

SHA1
a8fdec19d6690081b2bf55247e8e17657a68ac97

SHA256
b0116303e1e903d6eb02a69d05879f38af1640813f4b110cb733ffff6e4e985c

SHA512
2b1a27642118dd228791d0d8ba307aa39ab2d9c7d3799cff9f3c0744fe270eeaefe5545a4fda6e74e86fee747e45bf5f6c9ac799950c2b483a16eb3ce85d816a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13562\_ctypes.pyd

Filesize
56KB

MD5
4b90108fabdd64577a84313c765a2946

SHA1
245f4628683a3e18bb6f0d1c88aa26fb959ed258

SHA256
e1b634628839a45ab08913463e07b6b6b7fd502396d768f43b21da2875b506a1

SHA512
91fa069d7cf61c57faad6355f6fd46d702576c4342460dadcedfdcbc07cd9d84486734f0561fa5e1e01668b384c3c07dd779b332f77d0bb6fbdbb8c0cb5091bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13562\_decimal.pyd

Filesize
103KB

MD5
20985dc78dbd1992382354af5ca28988

SHA1
385a3e7a7654e5e4c686399f3a72b235e941e311

SHA256
f3620cac68595b8a8495ab044f19a1c89012f50d2fe571b7a1721485f7ff2e43

SHA512
61b8ecd2d12b3f785773b98d4bf4af0eb6eb2c61fbea6effb77ec24b2127e888d0ea5fdd8cc298484e0f770d70c87907048fc382faace8e0ca6b49ab106c89f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13562\_hashlib.pyd

Filesize
33KB

MD5
3b5530f497ff7c127383d0029e680c35

SHA1
fb5dc554bb9ff49622184cc16883a7567115c7ca

SHA256
5971fcc9758b7f4a12cde2190a323f35a34ab7f97bd8c39cc8f3335223102573

SHA512
12ced7ddb0352f8eca3c3cb7c7c2faaf08e617b2dd278d20008051fb6b564b17c3e9ecfa8b0ffe7674154ad533dfbbf1e802accd5e1aef12ece01368da06e85a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13562\_lzma.pyd

Filesize
84KB

MD5
8edbeeccb6f3dbb09389d99d45db5542

SHA1
f7e7af2851a5bf22de79a24fe594b5c0435fca8a

SHA256
90701973be6b23703e495f6a145bae251a7bb066d3c5f398ec42694fd06a069f

SHA512
2a8bf60f2280b9a947578bd7fd49c3ace8e010a3d4b38e370edb511ea0e125df688bbac369d6a3cec9d285a1fa2ad2dac18a0ef30fda46e49a9440418581e501

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13562\_multiprocessing.pyd

Filesize
25KB

MD5
4fbc5fd5da9da74c04fe0374387b34d3

SHA1
1e9c98db0486f98fb7d8eb9fa57a949494b649b5

SHA256
b2347790c87052623710382d3178887f68a79618d6da5174909f46b169236950

SHA512
ce87d4512c2ab7c1ad7986e8e1fe790615ae39c7667d234dfc09026ee7e1518b3bfbf7974612811db0c3e5654b35b54e118e23e624bebe027a51d2c8f2a4652a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13562\_overlapped.pyd

Filesize
30KB

MD5
5c1441f6ee11632183a83dac2d22853b

SHA1
eef732ff4bab9ea5c8fffb6a93c47cfc8e64dae2

SHA256
104e0b0e0e9fec9eb6438683296feeba298d5f23b02d2080577fc87ffec67acf

SHA512
e41d3433754a8a3d2c572bb7f3902c0d37cba2e6f3307f0e6dfed316a22b11ef7e52a73c30085fa89fcff603e4b76858abe761217c320e38fa2eb95d1777b595

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13562\_queue.pyd

Filesize
24KB

MD5
5c4c43763fb1a796134aa5734905c891

SHA1
44a5e1ae4806406a239129d77888bd87d291a410

SHA256
4edc80e7d331ba0e9338431d407157181190f995821d1cd24f7a7aa2422ece0c

SHA512
07bec7e4a85e76cfab2c21776b50ee2bd0454835fcb43b573dee757eca24cbeb4530784bae07de3be90820cee6d72023d9ded395d4f1a4931971db247dc1a71e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13562\_socket.pyd

Filesize
41KB

MD5
53e72716073038c1dd1db65bfdb1254c

SHA1
7bf220a02a3b51aa51300b3a9ea7fa48358ca161

SHA256
e1fb6927ba2ed014d0ac750af0ee0bb3d49487dd6920848937259606e1e92e1d

SHA512
c10d91b6ec82402b0eb05dc31a4703c999f4988e88204b695e009fae5fdcc61e8a6dc4d2879ecf2babc030224048afd2f256b9e7f5c5b6f28762047813be0941

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13562\_sqlite3.pyd

Filesize
48KB

MD5
e7d68df8f65fbb0298a45519e2336f32

SHA1
ad3c84ad7eb75a61f287b1ba9fd2801567e39b6d

SHA256
2473ebaf52723c3751a12117ebbe974e50ecdaeb40b282a12ba4e6aa98492e79

SHA512
626204685e9b95310aba51be4a8abaf3b6e152fa35902f64f837303fc4011a4518ee393047ceb45bf377e9d965d169c92bfbb6673475150e159c59b7857ba03e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13562\_ssl.pyd

Filesize
60KB

MD5
7e9d95ac47a2284706318656b4f711d3

SHA1
f085104709201c6e64635aeacf1da51599054e55

SHA256
38dcb3d0f217785b39c03d4c949dd1e04b70e9eade8a4ad83f026390684059c9

SHA512
294a5148d8fcddabd177b776617da7720d9876ac2a1cdf8dd7b9489f0f719600a634346cdfa07da66588de885b0a64d8cccde4d47edbf6305bd2af44ee209118

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13562\_uuid.pyd

Filesize
21KB

MD5
59cfd9669367517b384922b2485cb6a7

SHA1
1bd44298543204d61d4efd2cd3980ad01071360d

SHA256
e02bfad84786560b624efd56df55c88a4ffbd6c7cfc728bf68b6401aa10f849f

SHA512
d0dd041d8493c7c19db01ea8477981148726796ce2ab58d3193064123319bd5b68fd57871d1db0aaa08d07f78ab96a3d343051c33ffd406e96b921248ea32665

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13562\aiohttp\_helpers.cp310-win_amd64.pyd

Filesize
25KB

MD5
785031e18bb4c52889cb92a1b43af777

SHA1
fab7ee02bd57218ef6043455c3c275afa99b981f

SHA256
e3a028c10a2dbb4e9a8e04d35637d1e2aa7639c73ff9650f3218be455442b7dc

SHA512
525d0a8fc4074ae3f5c50e78445528fe90419af5cdcb7579f5d556f3616bbd9f632b184e3400e1cff551c7dc646c5e38c44b5575b323910264b83b4395906ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13562\aiohttp\_http_parser.cp310-win_amd64.pyd

Filesize
81KB

MD5
70e66a7159a10ad5673e5d91cb5b7c55

SHA1
158497a3d11a410f277e813a55ee1b64936d95c2

SHA256
60ceeb87549dc017bd151ae1b840e08386f3b9a65079356d108c85295c578510

SHA512
518d094ee366a54652ed001bd832d95365a99be30e3ccd45f2b19ce8611d4fcc8911172ccfac714496e2b553813f49e85cdda6c094e2e42bb96c078b3f072421

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13562\aiohttp\_http_writer.cp310-win_amd64.pyd

Filesize
24KB

MD5
633e3269e2c42ec6a4518864e799300b

SHA1
4abc0d717f537980efcbc5c847e0f00ff2727dfb

SHA256
7f33f7e480270df70363a8510ea2c68bc8d9d0b34d46f73759a7833b89df3129

SHA512
983c6eaa301876be356c15fa28e01815f75e8086d25c9a8db9110523217bcab58ffcbe28d24fd31fd3ac6b142862a9c6314427a58e96968e0c050bd84b46568c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13562\aiohttp\_websocket.cp310-win_amd64.pyd

Filesize
20KB

MD5
e64158ae2cf875156756f22ccd54b292

SHA1
346b3ebd5e7f270dddb1cae228fe56145f096193

SHA256
2f1d5c8eac0b485e38d8afefeb759586666ece4e963af9adcf0f1abfe99c56ce

SHA512
4a09d91700c7175d05dfa00dc81a99482ae2bfc80c60514ca33f6bd31998ba6eb8fa04c5ea1dae877e248df38a050b3d23a560a9a078747dc1d3ef06da13a8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13562\base_library.zip

Filesize
859KB

MD5
699b649fafc1acc8a7634e266bbf0ace

SHA1
af1f52e4a25cbedf30a2c521f7cb77583410553f

SHA256
3f60dee1b7f4a83845762f971095addac36dea72ba52086b30674be816b6dd82

SHA512
72bb0f6df7b43d3c355577f6d3eb8ffa44c992c500476b335e59573ad120c1c2fac86e81795e6100a5f58f40f9ea6fffb90ebb286ae409ef0ed61b934c6a179a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13562\cryptography\hazmat\bindings\_rust.pyd

Filesize
2.1MB

MD5
27bfdc1a00eb382f490991a6507cc3f2

SHA1
162bc0ddf111968bfd69246660cf650f89b5b7bc

SHA256
788d5c28a70e2bc4e695c827aec70e0869ad7bfdd1f0f4f75231d6f8d83450c2

SHA512
6fcc538c0f901f8543cf296b981a68eb6271f72ddcd106b69b45e0ebd166a355299ce23e999aa855d23edd69f95f53b653f92772435a42c72001386cdb423899

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13562\frozenlist\_frozenlist.cp310-win_amd64.pyd

Filesize
36KB

MD5
219ad30aea7630a3696df28231405927

SHA1
ebaf69903305ea0803570cc2ff4cf43dd2bc812a

SHA256
06d38127de4cbd3243f861ea22897d490520e913f77011a37d915c4992433604

SHA512
72eb7323deb26931ea000690f85272ee71e19b2896af2b43ccd8bcfc3a299e0f8a7a3f1e339fbfe7c855e081cd94e21ae09ba3b8e2d16dbacddb838c31b4de13

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13562\libcrypto-1_1.dll

Filesize
1.1MB

MD5
86cfc84f8407ab1be6cc64a9702882ef

SHA1
86f3c502ed64df2a5e10b085103c2ffc9e3a4130

SHA256
11b89cc5531b2a6b89fbbb406ebe8fb01f0bf789e672131b0354e10f9e091307

SHA512
b33f59497127cb1b4c1781693380576187c562563a9e367ce8abc14c97c51053a28af559cdd8bd66181012083e562c8a8771e3d46adeba269a848153a8e9173c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13562\libffi-7.dll

Filesize
23KB

MD5
d50ebf567149ead9d88933561cb87d09

SHA1
171df40e4187ebbfdf9aa1d76a33f769fb8a35ed

SHA256
6aa8e12ce7c8ad52dd2e3fabeb38a726447849669c084ea63d8e322a193033af

SHA512
7bcc9d6d3a097333e1e4b2b23c81ea1b5db7dbdc5d9d62ebaffb0fdfb6cfe86161520ac14dc835d1939be22b9f342531f48da70f765a60b8e2c3d7b9983021de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13562\libssl-1_1.dll

Filesize
203KB

MD5
6cd33578bc5629930329ca3303f0fae1

SHA1
f2f8e3248a72f98d27f0cfa0010e32175a18487f

SHA256
4150ee603ad2da7a6cb6a895cb5bd928e3a99af7e73c604de1fc224e0809fdb0

SHA512
c236a6ccc8577c85509d378c1ef014621cab6f6f4aa26796ff32d8eec8e98ded2e55d358a7d236594f7a48646dc2a6bf25b42a37aed549440d52873ebca4713e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13562\multidict\_multidict.cp310-win_amd64.pyd

Filesize
20KB

MD5
7f691747ce66d3ed05a7c2c53220c8b5

SHA1
1d3f247042030cf8cf7c859002941beba5d15776

SHA256
7d6472a0d7f1a0740c7fc0d0d0ea6f7c6e7cb2b11b8c623c46a6fae1adb4e228

SHA512
b01f0e91039fc5b2782caaa0b3d56d5d1fe9e94424cc536cde9eca73a76747736060042e345af9edc5ef5bf5c154705d2c2dddf35536f305306be25a955a9f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13562\propcache\_helpers_c.cp310-win_amd64.pyd

Filesize
32KB

MD5
fd362fc501ddbfa28004e0d5c8df6dd2

SHA1
7ddef836354bee5222c2bf65ed321e4e6254310a

SHA256
cc2d201dfa2dfa430505e88be8d61f69b275cb3eb27e7a32ebf2f95d890709b3

SHA512
a9d87b27454640b8f78e934baf0f8d4781739fc1bb6de2b82b9ad0e11df7aca5d291ea6395289e4313bf5ab89225db5ef3085c945e01dde81bc2a73ce6591761

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13562\pyexpat.pyd

Filesize
86KB

MD5
46331749084f98bcfe8631d74c5e038f

SHA1
5e5510f7a4d03f10d979e0d6a0d2a6f0e53ca347

SHA256
21cc4b9ccd69d08d7c1068b1f004ae9454f7ea0a322801860faf0e6f4a24a3df

SHA512
edd39ce2d927fb6700a86db07f4f56cab897ef91a320f3e5ecb542ea1be6888dd27a08008e5fa1df3765b0c82d1046a23c8d59e76d11f4e6449d4d6826879589

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13562\python3.DLL

Filesize
63KB

MD5
c17b7a4b853827f538576f4c3521c653

SHA1
6115047d02fbbad4ff32afb4ebd439f5d529485a

SHA256
d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68

SHA512
8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13562\python310.dll

Filesize
1.4MB

MD5
fc7bd515b12e537a39dc93a09b3eaad6

SHA1
96f5d4b0967372553cb106539c5566bc184f6167

SHA256
461e008b7cdf034f99a566671b87849772873a175aefec6ed00732976f5c4164

SHA512
a8433d5b403f898e4eeebd72fce08ebad066ca60aeb0b70e2ae78377babc2acbbae2ac91ab20f813cce4b1dc58c2ad6b3868f18cc8ac0fe7be2bff020eb73122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13562\select.pyd

Filesize
24KB

MD5
3797a47a60b606e25348c67043874fe8

SHA1
63a33fedffd52190236a6acd0fc5d9d491e3ac45

SHA256
312e9b01d1632840983e8533d1685a64fb87e4538f724a7a59a71b1ba148bbac

SHA512
3eb7599825b7b21aaab05e420dd16d4a8eaa21652d232f6e4ede213a232b701401556e44df73cfa20ae855d1adc28304b52d42367b74ebd8e96c2e3d9a9b93e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13562\sqlite3.dll

Filesize
608KB

MD5
6a3a34c9c67efd6c17d44292e8db8fad

SHA1
339b1e514d60d8370eaec1e2f2b71cead999f970

SHA256
7b0e840165d65f0f5285476467e4c154c4d936613966b84948110a4614b9cad9

SHA512
6f2a1b670d28762745f0d3b961a331cbbb0dec244f8798734b911b3a3bc9519c73a3b26f1e1117725f6f1e880e57cadb562a1450659bca1aae353f6b9575d7f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13562\unicodedata.pyd

Filesize
287KB

MD5
fed35db31377d515d198e5e446498be2

SHA1
62e388d17e17208ea0e881ccd96c75b7b1fbc5f7

SHA256
af3cdc9a2a1d923be67244429867a3c5c70835249e3573a03b98d08d148fe24b

SHA512
0985528cb0289086ec895e21a8947e04f732d5660460f2e7fa8668bd441c891438781c808bcea9294f348720e3752c10ea65363371f7e75ea48600d016bab72a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI13562\yarl\_quoting_c.cp310-win_amd64.pyd

Filesize
41KB

MD5
e6844c2869bc42b23ade1aa169c76523

SHA1
4a0dddab2a2d610be6d0e4557bbfeb18e79170dc

SHA256
32736cd10c9f711f1ddb23d2696a14a060fc855268f28538836500ce9c16ad3a

SHA512
86d880c4fc5481466bed61ab5a70c0b707e8d79a2517a8c97ff6aa3f9e4755aa60e5a13a7e7013b456ce593505e22f13ceafefc68fc7dd84135910a5e85138ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sxixfnbx.gff.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1176-202-0x00000245B6140000-0x00000245B6162000-memory.dmp

Filesize
136KB

Download
memory/3212-101-0x000002BE37820000-0x000002BE37B95000-memory.dmp

Filesize
3.5MB

Download
memory/3212-108-0x00007FF999460000-0x00007FF999474000-memory.dmp

Filesize
80KB

Download
memory/3212-144-0x00007FF988E70000-0x00007FF9895FA000-memory.dmp

Filesize
7.5MB

Download
memory/3212-145-0x00007FF998F20000-0x00007FF998F57000-memory.dmp

Filesize
220KB

Download
memory/3212-190-0x00007FF99A0C0000-0x00007FF99A0CD000-memory.dmp

Filesize
52KB

Download
memory/3212-189-0x00007FF9993F0000-0x00007FF999412000-memory.dmp

Filesize
136KB

Download
memory/3212-134-0x000002BE37820000-0x000002BE37B95000-memory.dmp

Filesize
3.5MB

Download
memory/3212-135-0x00007FF998EF0000-0x00007FF998F09000-memory.dmp

Filesize
100KB

Download
memory/3212-207-0x00007FF989DA0000-0x00007FF989EB8000-memory.dmp

Filesize
1.1MB

Download
memory/3212-208-0x00007FF999070000-0x00007FF999086000-memory.dmp

Filesize
88KB

Download
memory/3212-210-0x00007FF990150000-0x00007FF99019D000-memory.dmp

Filesize
308KB

Download
memory/3212-209-0x00007FF998EF0000-0x00007FF998F09000-memory.dmp

Filesize
100KB

Download
memory/3212-219-0x00007FF998B90000-0x00007FF998BAE000-memory.dmp

Filesize
120KB

Download
memory/3212-223-0x00007FF99CC40000-0x00007FF99CC59000-memory.dmp

Filesize
100KB

Download
memory/3212-247-0x00007FF998F20000-0x00007FF998F57000-memory.dmp

Filesize
220KB

Download
memory/3212-233-0x00007FF99CB00000-0x00007FF99CB10000-memory.dmp

Filesize
64KB

Download
memory/3212-249-0x00007FF988E70000-0x00007FF9895FA000-memory.dmp

Filesize
7.5MB

Download
memory/3212-232-0x00007FF999EE0000-0x00007FF999EF5000-memory.dmp

Filesize
84KB

Download
memory/3212-230-0x00007FF9991E0000-0x00007FF999298000-memory.dmp

Filesize
736KB

Download
memory/3212-229-0x00007FF999DB0000-0x00007FF999DDE000-memory.dmp

Filesize
184KB

Download
memory/3212-228-0x00007FF998BC0000-0x00007FF998D31000-memory.dmp

Filesize
1.4MB

Download
memory/3212-227-0x00007FF99CB10000-0x00007FF99CB2F000-memory.dmp

Filesize
124KB

Download
memory/3212-221-0x00007FF99CC60000-0x00007FF99CC84000-memory.dmp

Filesize
144KB

Download
memory/3212-220-0x00007FF989EC0000-0x00007FF98A32E000-memory.dmp

Filesize
4.4MB

Download
memory/3212-231-0x00007FF9986E0000-0x00007FF998A55000-memory.dmp

Filesize
3.5MB

Download
memory/3212-263-0x00007FF999EE0000-0x00007FF999EF5000-memory.dmp

Filesize
84KB

Download
memory/3212-260-0x00007FF999DB0000-0x00007FF999DDE000-memory.dmp

Filesize
184KB

Download
memory/3212-271-0x00007FF998EF0000-0x00007FF998F09000-memory.dmp

Filesize
100KB

Download
memory/3212-251-0x00007FF989EC0000-0x00007FF98A32E000-memory.dmp

Filesize
4.4MB

Download
memory/3212-280-0x00007FF989EC0000-0x00007FF98A32E000-memory.dmp

Filesize
4.4MB

Download
memory/3212-136-0x00007FF998DB0000-0x00007FF998DC1000-memory.dmp

Filesize
68KB

Download
memory/3212-137-0x00007FF998BB0000-0x00007FF998BBA000-memory.dmp

Filesize
40KB

Download
memory/3212-139-0x00007FF990150000-0x00007FF99019D000-memory.dmp

Filesize
308KB

Download
memory/3212-140-0x00007FF998B90000-0x00007FF998BAE000-memory.dmp

Filesize
120KB

Download
memory/3212-141-0x00007FF999EE0000-0x00007FF999EF5000-memory.dmp

Filesize
84KB

Download
memory/3212-124-0x00007FF9991E0000-0x00007FF999298000-memory.dmp

Filesize
736KB

Download
memory/3212-125-0x00007FF999070000-0x00007FF999086000-memory.dmp

Filesize
88KB

Download
memory/3212-119-0x00007FF999DB0000-0x00007FF999DDE000-memory.dmp

Filesize
184KB

Download
memory/3212-120-0x00007FF999090000-0x00007FF9990AB000-memory.dmp

Filesize
108KB

Download
memory/3212-116-0x00007FF989DA0000-0x00007FF989EB8000-memory.dmp

Filesize
1.1MB

Download
memory/3212-110-0x00007FF999440000-0x00007FF999454000-memory.dmp

Filesize
80KB

Download
memory/3212-113-0x00007FF99CB10000-0x00007FF99CB2F000-memory.dmp

Filesize
124KB

Download
memory/3212-114-0x00007FF9993F0000-0x00007FF999412000-memory.dmp

Filesize
136KB

Download
memory/3212-132-0x00007FF9986E0000-0x00007FF998A55000-memory.dmp

Filesize
3.5MB

Download
memory/3212-106-0x00007FF99CB00000-0x00007FF99CB10000-memory.dmp

Filesize
64KB

Download
memory/3212-103-0x00007FF999EE0000-0x00007FF999EF5000-memory.dmp

Filesize
84KB

Download
memory/3212-99-0x00007FF99CC60000-0x00007FF99CC84000-memory.dmp

Filesize
144KB

Download
memory/3212-100-0x00007FF9986E0000-0x00007FF998A55000-memory.dmp

Filesize
3.5MB

Download
memory/3212-95-0x00007FF999DB0000-0x00007FF999DDE000-memory.dmp

Filesize
184KB

Download
memory/3212-94-0x00007FF989EC0000-0x00007FF98A32E000-memory.dmp

Filesize
4.4MB

Download
memory/3212-96-0x00007FF9991E0000-0x00007FF999298000-memory.dmp

Filesize
736KB

Download
memory/3212-91-0x00007FF998BC0000-0x00007FF998D31000-memory.dmp

Filesize
1.4MB

Download
memory/3212-89-0x00007FF99CB10000-0x00007FF99CB2F000-memory.dmp

Filesize
124KB

Download
memory/3212-87-0x00007FF99CBF0000-0x00007FF99CC1D000-memory.dmp

Filesize
180KB

Download
memory/3212-85-0x00007FF99CC20000-0x00007FF99CC39000-memory.dmp

Filesize
100KB

Download
memory/3212-82-0x00007FF99CC40000-0x00007FF99CC59000-memory.dmp

Filesize
100KB

Download
memory/3212-83-0x00007FF99CE40000-0x00007FF99CE4D000-memory.dmp

Filesize
52KB

Download
memory/3212-79-0x00007FF99FC10000-0x00007FF99FC1F000-memory.dmp

Filesize
60KB

Download
memory/3212-58-0x00007FF99CC60000-0x00007FF99CC84000-memory.dmp

Filesize
144KB

Download
memory/3212-50-0x00007FF989EC0000-0x00007FF98A32E000-memory.dmp

Filesize
4.4MB

Download
memory/3212-554-0x00007FF9991E0000-0x00007FF999298000-memory.dmp

Filesize
736KB

Download
memory/3212-558-0x00007FF998BC0000-0x00007FF998D31000-memory.dmp

Filesize
1.4MB

Download
memory/3212-566-0x00007FF9993F0000-0x00007FF999412000-memory.dmp

Filesize
136KB

Download
memory/3212-574-0x00007FF990150000-0x00007FF99019D000-memory.dmp

Filesize
308KB

Download
memory/3212-577-0x00007FF99A0C0000-0x00007FF99A0CD000-memory.dmp

Filesize
52KB

Download
memory/3212-576-0x00007FF998F20000-0x00007FF998F57000-memory.dmp

Filesize
220KB

Download
memory/3212-575-0x00007FF988E70000-0x00007FF9895FA000-memory.dmp

Filesize
7.5MB

Download
memory/3212-573-0x00007FF9986E0000-0x00007FF998A55000-memory.dmp

Filesize
3.5MB

Download
memory/3212-572-0x00007FF998BB0000-0x00007FF998BBA000-memory.dmp

Filesize
40KB

Download
memory/3212-571-0x00007FF998DB0000-0x00007FF998DC1000-memory.dmp

Filesize
68KB

Download
memory/3212-570-0x00007FF998EF0000-0x00007FF998F09000-memory.dmp

Filesize
100KB

Download
memory/3212-569-0x00007FF999070000-0x00007FF999086000-memory.dmp

Filesize
88KB

Download
memory/3212-568-0x00007FF999090000-0x00007FF9990AB000-memory.dmp

Filesize
108KB

Download
memory/3212-567-0x00007FF989DA0000-0x00007FF989EB8000-memory.dmp

Filesize
1.1MB

Download
memory/3212-565-0x00007FF999440000-0x00007FF999454000-memory.dmp

Filesize
80KB

Download
memory/3212-564-0x00007FF999460000-0x00007FF999474000-memory.dmp

Filesize
80KB

Download
memory/3212-563-0x00007FF99CB00000-0x00007FF99CB10000-memory.dmp

Filesize
64KB

Download
memory/3212-562-0x00007FF999EE0000-0x00007FF999EF5000-memory.dmp

Filesize
84KB

Download
memory/3212-561-0x00007FF998B90000-0x00007FF998BAE000-memory.dmp

Filesize
120KB

Download
memory/3212-560-0x00007FF989EC0000-0x00007FF98A32E000-memory.dmp

Filesize
4.4MB

Download
memory/3212-559-0x00007FF999DB0000-0x00007FF999DDE000-memory.dmp

Filesize
184KB

Download
memory/3212-557-0x00007FF99CB10000-0x00007FF99CB2F000-memory.dmp

Filesize
124KB

Download
memory/3212-556-0x00007FF99CBF0000-0x00007FF99CC1D000-memory.dmp

Filesize
180KB

Download
memory/3212-555-0x00007FF99CC20000-0x00007FF99CC39000-memory.dmp

Filesize
100KB

Download
memory/3212-553-0x00007FF99CC40000-0x00007FF99CC59000-memory.dmp

Filesize
100KB

Download
memory/3212-552-0x00007FF99FC10000-0x00007FF99FC1F000-memory.dmp

Filesize
60KB

Download
memory/3212-551-0x00007FF99CC60000-0x00007FF99CC84000-memory.dmp

Filesize
144KB

Download
memory/3212-550-0x00007FF99CE40000-0x00007FF99CE4D000-memory.dmp

Filesize
52KB

Download