exelastealer | 5b7905a769e63cff95c5a11898ce070725463f7b1245e201c4c05ee7de75dae0

Analysis

max time kernel
66s
max time network
67s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2024 11:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ElectronV3.zip
Size

9.8MB
MD5

bb770bb4515d60daaaf26b168edc1cd9
SHA1

2715fcc006c9289ad4fd901ea6f4f847a7d31067
SHA256

5b7905a769e63cff95c5a11898ce070725463f7b1245e201c4c05ee7de75dae0
SHA512

2b75cb8573f840c2412a0e6ab14c482fcd355074f966f4d90c61421c70fce9ae4963834be8e42d2e1489b8e45b81e72f13fd23328abc39ac41e7e661ed39409d
SSDEEP

196608:wfEGWfgXw/1Did9R5QbhLLyNMUeamDtcC1fkgMisEAjWD0Kj:wf3oZS9whLeODeAkgMJdKj

Score

10^/10

exelastealer collection defense_evasion discovery evasion persistence privilege_escalation pyinstaller spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2372	netsh.exe
1792	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4960	cmd.exe
2984	powershell.exe

Deletes itself 1 IoCs

pid	Process
3292	ElectronV3.exe

Executes dropped EXE 2 IoCs

pid	Process
4368	ElectronV3.exe
3292	ElectronV3.exe

Loads dropped DLL 33 IoCs

pid	Process
3292	ElectronV3.exe
3292	ElectronV3.exe
3292	ElectronV3.exe
3292	ElectronV3.exe
3292	ElectronV3.exe
3292	ElectronV3.exe
3292	ElectronV3.exe
3292	ElectronV3.exe
3292	ElectronV3.exe
3292	ElectronV3.exe
3292	ElectronV3.exe
3292	ElectronV3.exe
3292	ElectronV3.exe
3292	ElectronV3.exe
3292	ElectronV3.exe
3292	ElectronV3.exe
3292	ElectronV3.exe
3292	ElectronV3.exe
3292	ElectronV3.exe
3292	ElectronV3.exe
3292	ElectronV3.exe
3292	ElectronV3.exe
3292	ElectronV3.exe
3292	ElectronV3.exe
3292	ElectronV3.exe
3292	ElectronV3.exe
3292	ElectronV3.exe
3292	ElectronV3.exe
3292	ElectronV3.exe
3292	ElectronV3.exe
3292	ElectronV3.exe
3292	ElectronV3.exe
3292	ElectronV3.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
47	discord.com
48	discord.com
58	discord.com
46	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
41	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
4268	cmd.exe
2224	ARP.EXE

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
3308	tasklist.exe
2440	tasklist.exe
4536	tasklist.exe
3256	tasklist.exe
4532	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4112	cmd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023ca8-58.dat	upx
behavioral2/memory/3292-62-0x00007FFF755C0000-0x00007FFF75A2E000-memory.dmp	upx
behavioral2/files/0x0007000000023c72-64.dat	upx
behavioral2/memory/3292-70-0x00007FFF75590000-0x00007FFF755B4000-memory.dmp	upx
behavioral2/files/0x0007000000023ca2-69.dat	upx
behavioral2/memory/3292-72-0x00007FFF8A410000-0x00007FFF8A41F000-memory.dmp	upx
behavioral2/files/0x0007000000023ca1-73.dat	upx
behavioral2/files/0x0007000000023ca3-74.dat	upx
behavioral2/files/0x0007000000023ca6-75.dat	upx
behavioral2/files/0x0007000000023caa-77.dat	upx
behavioral2/files/0x0007000000023c79-89.dat	upx
behavioral2/files/0x0007000000023ca9-95.dat	upx
behavioral2/memory/3292-96-0x00007FFF8A360000-0x00007FFF8A36D000-memory.dmp	upx
behavioral2/files/0x0008000000023c68-97.dat	upx
behavioral2/memory/3292-100-0x00007FFF75520000-0x00007FFF7554D000-memory.dmp	upx
behavioral2/memory/3292-102-0x00007FFF75500000-0x00007FFF7551F000-memory.dmp	upx
behavioral2/memory/3292-104-0x00007FFF75380000-0x00007FFF754F1000-memory.dmp	upx
behavioral2/files/0x0007000000023c7a-101.dat	upx
behavioral2/files/0x0007000000023c75-99.dat	upx
behavioral2/memory/3292-98-0x00007FFF75550000-0x00007FFF75569000-memory.dmp	upx
behavioral2/memory/3292-94-0x00007FFF75570000-0x00007FFF75589000-memory.dmp	upx
behavioral2/files/0x0007000000023c7c-92.dat	upx
behavioral2/files/0x0007000000023c7b-91.dat	upx
behavioral2/files/0x0007000000023c78-88.dat	upx
behavioral2/files/0x0007000000023c77-87.dat	upx
behavioral2/files/0x0007000000023c76-86.dat	upx
behavioral2/files/0x0007000000023c74-84.dat	upx
behavioral2/files/0x0007000000023c73-83.dat	upx
behavioral2/files/0x0008000000023c69-82.dat	upx
behavioral2/files/0x0009000000023c65-80.dat	upx
behavioral2/files/0x0009000000023c64-79.dat	upx
behavioral2/files/0x0007000000023cab-78.dat	upx
behavioral2/memory/3292-106-0x00007FFF75350000-0x00007FFF7537E000-memory.dmp	upx
behavioral2/memory/3292-111-0x00007FFF75290000-0x00007FFF75348000-memory.dmp	upx
behavioral2/memory/3292-113-0x00007FFF74F10000-0x00007FFF75285000-memory.dmp	upx
behavioral2/memory/3292-114-0x00007FFF75590000-0x00007FFF755B4000-memory.dmp	upx
behavioral2/memory/3292-110-0x00007FFF755C0000-0x00007FFF75A2E000-memory.dmp	upx
behavioral2/memory/3292-116-0x00007FFF74EF0000-0x00007FFF74F05000-memory.dmp	upx
behavioral2/memory/3292-119-0x00007FFF87230000-0x00007FFF87240000-memory.dmp	upx
behavioral2/memory/3292-118-0x00007FFF75570000-0x00007FFF75589000-memory.dmp	upx
behavioral2/files/0x0007000000023ca5-120.dat	upx
behavioral2/memory/3292-124-0x00007FFF74EB0000-0x00007FFF74EC4000-memory.dmp	upx
behavioral2/memory/3292-123-0x00007FFF74ED0000-0x00007FFF74EE4000-memory.dmp	upx
behavioral2/memory/3292-126-0x00007FFF74D90000-0x00007FFF74EA8000-memory.dmp	upx
behavioral2/files/0x0007000000023cad-127.dat	upx
behavioral2/memory/3292-130-0x00007FFF75500000-0x00007FFF7551F000-memory.dmp	upx
behavioral2/memory/3292-131-0x00007FFF74D70000-0x00007FFF74D87000-memory.dmp	upx
behavioral2/files/0x0007000000023cae-129.dat	upx
behavioral2/memory/3292-134-0x00007FFF74D40000-0x00007FFF74D62000-memory.dmp	upx
behavioral2/memory/3292-133-0x00007FFF75380000-0x00007FFF754F1000-memory.dmp	upx
behavioral2/files/0x0007000000023c7e-135.dat	upx
behavioral2/memory/3292-137-0x00007FFF75350000-0x00007FFF7537E000-memory.dmp	upx
behavioral2/memory/3292-138-0x00007FFF74D20000-0x00007FFF74D37000-memory.dmp	upx
behavioral2/files/0x0007000000023c80-140.dat	upx
behavioral2/memory/3292-142-0x00007FFF75290000-0x00007FFF75348000-memory.dmp	upx
behavioral2/files/0x0007000000023c7f-143.dat	upx
behavioral2/files/0x0007000000023c81-145.dat	upx
behavioral2/memory/3292-149-0x00007FFF74BC0000-0x00007FFF74BD1000-memory.dmp	upx
behavioral2/memory/3292-148-0x00007FFF74C50000-0x00007FFF74D1F000-memory.dmp	upx
behavioral2/memory/3292-155-0x00007FFF74EF0000-0x00007FFF74F05000-memory.dmp	upx
behavioral2/memory/3292-154-0x00007FFF86400000-0x00007FFF8640A000-memory.dmp	upx
behavioral2/memory/3292-153-0x00007FFF74BA0000-0x00007FFF74BBE000-memory.dmp	upx
behavioral2/memory/3292-152-0x00007FFF74BE0000-0x00007FFF74C2D000-memory.dmp	upx
behavioral2/memory/3292-151-0x00007FFF74C30000-0x00007FFF74C49000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3992	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral2/files/0x0008000000023c4f-2.dat	pyinstaller

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
392	cmd.exe
656	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
2940	NETSTAT.EXE

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
3276	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
2632	WMIC.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3136	ipconfig.exe
2940	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2240	systeminfo.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5096	schtasks.exe
2444	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2984	powershell.exe
2984	powershell.exe
2984	powershell.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2896	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2896	7zFM.exe
Token: 35	2896	7zFM.exe
Token: SeSecurityPrivilege	2896	7zFM.exe
Token: SeIncreaseQuotaPrivilege	2632	WMIC.exe
Token: SeSecurityPrivilege	2632	WMIC.exe
Token: SeTakeOwnershipPrivilege	2632	WMIC.exe
Token: SeLoadDriverPrivilege	2632	WMIC.exe
Token: SeSystemProfilePrivilege	2632	WMIC.exe
Token: SeSystemtimePrivilege	2632	WMIC.exe
Token: SeProfSingleProcessPrivilege	2632	WMIC.exe
Token: SeIncBasePriorityPrivilege	2632	WMIC.exe
Token: SeCreatePagefilePrivilege	2632	WMIC.exe
Token: SeBackupPrivilege	2632	WMIC.exe
Token: SeRestorePrivilege	2632	WMIC.exe
Token: SeShutdownPrivilege	2632	WMIC.exe
Token: SeDebugPrivilege	2632	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2632	WMIC.exe
Token: SeRemoteShutdownPrivilege	2632	WMIC.exe
Token: SeUndockPrivilege	2632	WMIC.exe
Token: SeManageVolumePrivilege	2632	WMIC.exe
Token: 33	2632	WMIC.exe
Token: 34	2632	WMIC.exe
Token: 35	2632	WMIC.exe
Token: 36	2632	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1816	WMIC.exe
Token: SeSecurityPrivilege	1816	WMIC.exe
Token: SeTakeOwnershipPrivilege	1816	WMIC.exe
Token: SeLoadDriverPrivilege	1816	WMIC.exe
Token: SeSystemProfilePrivilege	1816	WMIC.exe
Token: SeSystemtimePrivilege	1816	WMIC.exe
Token: SeProfSingleProcessPrivilege	1816	WMIC.exe
Token: SeIncBasePriorityPrivilege	1816	WMIC.exe
Token: SeCreatePagefilePrivilege	1816	WMIC.exe
Token: SeBackupPrivilege	1816	WMIC.exe
Token: SeRestorePrivilege	1816	WMIC.exe
Token: SeShutdownPrivilege	1816	WMIC.exe
Token: SeDebugPrivilege	1816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1816	WMIC.exe
Token: SeRemoteShutdownPrivilege	1816	WMIC.exe
Token: SeUndockPrivilege	1816	WMIC.exe
Token: SeManageVolumePrivilege	1816	WMIC.exe
Token: 33	1816	WMIC.exe
Token: 34	1816	WMIC.exe
Token: 35	1816	WMIC.exe
Token: 36	1816	WMIC.exe
Token: SeDebugPrivilege	3308	tasklist.exe
Token: SeIncreaseQuotaPrivilege	2632	WMIC.exe
Token: SeSecurityPrivilege	2632	WMIC.exe
Token: SeTakeOwnershipPrivilege	2632	WMIC.exe
Token: SeLoadDriverPrivilege	2632	WMIC.exe
Token: SeSystemProfilePrivilege	2632	WMIC.exe
Token: SeSystemtimePrivilege	2632	WMIC.exe
Token: SeProfSingleProcessPrivilege	2632	WMIC.exe
Token: SeIncBasePriorityPrivilege	2632	WMIC.exe
Token: SeCreatePagefilePrivilege	2632	WMIC.exe
Token: SeBackupPrivilege	2632	WMIC.exe
Token: SeRestorePrivilege	2632	WMIC.exe
Token: SeShutdownPrivilege	2632	WMIC.exe
Token: SeDebugPrivilege	2632	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2632	WMIC.exe
Token: SeRemoteShutdownPrivilege	2632	WMIC.exe
Token: SeUndockPrivilege	2632	WMIC.exe
Token: SeManageVolumePrivilege	2632	WMIC.exe
Token: 33	2632	WMIC.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
2896	7zFM.exe
2896	7zFM.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe

Suspicious use of SendNotifyMessage 41 IoCs

pid	Process
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe
3740	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 3292	4368	ElectronV3.exe	106
PID 4368 wrote to memory of 3292	4368	ElectronV3.exe	106
PID 3292 wrote to memory of 3020	3292	ElectronV3.exe	107
PID 3292 wrote to memory of 3020	3292	ElectronV3.exe	107
PID 3292 wrote to memory of 4124	3292	ElectronV3.exe	109
PID 3292 wrote to memory of 4124	3292	ElectronV3.exe	109
PID 3292 wrote to memory of 5012	3292	ElectronV3.exe	110
PID 3292 wrote to memory of 5012	3292	ElectronV3.exe	110
PID 3292 wrote to memory of 1504	3292	ElectronV3.exe	112
PID 3292 wrote to memory of 1504	3292	ElectronV3.exe	112
PID 3292 wrote to memory of 1396	3292	ElectronV3.exe	114
PID 3292 wrote to memory of 1396	3292	ElectronV3.exe	114
PID 4124 wrote to memory of 2632	4124	cmd.exe	118
PID 4124 wrote to memory of 2632	4124	cmd.exe	118
PID 5012 wrote to memory of 1816	5012	cmd.exe	117
PID 5012 wrote to memory of 1816	5012	cmd.exe	117
PID 1396 wrote to memory of 3308	1396	cmd.exe	119
PID 1396 wrote to memory of 3308	1396	cmd.exe	119
PID 3292 wrote to memory of 4240	3292	ElectronV3.exe	120
PID 3292 wrote to memory of 4240	3292	ElectronV3.exe	120
PID 4240 wrote to memory of 392	4240	cmd.exe	122
PID 4240 wrote to memory of 392	4240	cmd.exe	122
PID 3292 wrote to memory of 1376	3292	ElectronV3.exe	123
PID 3292 wrote to memory of 1376	3292	ElectronV3.exe	123
PID 3292 wrote to memory of 640	3292	ElectronV3.exe	124
PID 3292 wrote to memory of 640	3292	ElectronV3.exe	124
PID 640 wrote to memory of 2440	640	cmd.exe	127
PID 640 wrote to memory of 2440	640	cmd.exe	127
PID 1376 wrote to memory of 4100	1376	cmd.exe	128
PID 1376 wrote to memory of 4100	1376	cmd.exe	128
PID 3292 wrote to memory of 4112	3292	ElectronV3.exe	129
PID 3292 wrote to memory of 4112	3292	ElectronV3.exe	129
PID 4112 wrote to memory of 4768	4112	cmd.exe	131
PID 4112 wrote to memory of 4768	4112	cmd.exe	131
PID 3292 wrote to memory of 3984	3292	ElectronV3.exe	132
PID 3292 wrote to memory of 3984	3292	ElectronV3.exe	132
PID 3984 wrote to memory of 4456	3984	cmd.exe	134
PID 3984 wrote to memory of 4456	3984	cmd.exe	134
PID 3292 wrote to memory of 4404	3292	ElectronV3.exe	135
PID 3292 wrote to memory of 4404	3292	ElectronV3.exe	135
PID 4404 wrote to memory of 5096	4404	cmd.exe	137
PID 4404 wrote to memory of 5096	4404	cmd.exe	137
PID 3292 wrote to memory of 4484	3292	ElectronV3.exe	138
PID 3292 wrote to memory of 4484	3292	ElectronV3.exe	138
PID 4484 wrote to memory of 2444	4484	cmd.exe	140
PID 4484 wrote to memory of 2444	4484	cmd.exe	140
PID 3292 wrote to memory of 1700	3292	ElectronV3.exe	141
PID 3292 wrote to memory of 1700	3292	ElectronV3.exe	141
PID 3292 wrote to memory of 2904	3292	ElectronV3.exe	143
PID 3292 wrote to memory of 2904	3292	ElectronV3.exe	143
PID 1700 wrote to memory of 1120	1700	cmd.exe	145
PID 1700 wrote to memory of 1120	1700	cmd.exe	145
PID 2904 wrote to memory of 4536	2904	cmd.exe	146
PID 2904 wrote to memory of 4536	2904	cmd.exe	146
PID 3292 wrote to memory of 1368	3292	ElectronV3.exe	147
PID 3292 wrote to memory of 1368	3292	ElectronV3.exe	147
PID 3292 wrote to memory of 3656	3292	ElectronV3.exe	148
PID 3292 wrote to memory of 3656	3292	ElectronV3.exe	148
PID 3292 wrote to memory of 1532	3292	ElectronV3.exe	149
PID 3292 wrote to memory of 1532	3292	ElectronV3.exe	149
PID 3292 wrote to memory of 4960	3292	ElectronV3.exe	151
PID 3292 wrote to memory of 4960	3292	ElectronV3.exe	151
PID 1532 wrote to memory of 3256	1532	cmd.exe	156
PID 1532 wrote to memory of 3256	1532	cmd.exe	156

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4768	attrib.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\ElectronV3.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2896

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1988

C:\Users\Admin\Desktop\ElectronV3\ElectronV3.exe
"C:\Users\Admin\Desktop\ElectronV3\ElectronV3.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Users\Admin\Desktop\ElectronV3\ElectronV3.exe
  "C:\Users\Admin\Desktop\ElectronV3\ElectronV3.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3292
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:3020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4124
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:2632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5012
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get Manufacturer
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1816
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "gdb --version"
    3⤵
    PID:1504
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1396
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4240
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path Win32_ComputerSystem get Manufacturer
      4⤵
      PID:392
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1376
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:640
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:2440
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:4112
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Views/modifies file attributes
      PID:4768
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "schtasks /query /TN "ExelaUpdateService""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3984
  - - C:\Windows\system32\schtasks.exe
      schtasks /query /TN "ExelaUpdateService"
      4⤵
      PID:4456
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc onlogon /rl highest /tn "ExelaUpdateService" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4404
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "ExelaUpdateService" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:5096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "schtasks /create /f /sc hourly /mo 1 /rl highest /tn "ExelaUpdateService2" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4484
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc hourly /mo 1 /rl highest /tn "ExelaUpdateService2" /tr "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1700
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:1120
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      PID:4536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:1368
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:5020
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:1820
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:3656
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:112
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:5060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3256
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:4960
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:2984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:392
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:656
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    PID:4268
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2240
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:2884
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      PID:3276
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:4360
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:4932
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:2444
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:4404
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:2676
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:3928
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:2500
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:320
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:2308
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:2904
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:4432
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:2496
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:1628
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:4532
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:3136
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:1748
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:2224
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:2940
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:3992
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2372
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4232
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4072
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4068

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\ConnectTest.xlsx

Filesize
14KB

MD5
4ef41d19363c523835ae54a74e2207c1

SHA1
f6e914e68fc48950e1b4bb422885c2a7e58c6f42

SHA256
ee711455a42d7c866b26e6bbecc8513382abea237e0524eccc2ec9f0f64e239f

SHA512
0535e95c5516fb4e94ce2e0f4d2a596427d53041e4af964982b125abb36350dfa753df8ab4e0a5a490d8e31e0a95ffd3ab37730e0092fc5e1c3311425fc3480c

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\GetShow.xlsx

Filesize
12KB

MD5
1e29070ac600075173eca32a4656a77b

SHA1
3894303fb5d33838fab38ebffb74bb1d656693b5

SHA256
9de0c933a4a215a7145807e902449b9323eb52d6dda54a567092fe0284f9ea11

SHA512
ac2d4ced77f6eddbe68a1bfb4a6b07332ac7b9bd21f76ce3e55a5647df977ce681c1934d11f145691c18aae0380457a561115b205b5192610c2ca6cf0b38ea66

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\MoveUnblock.xlsx

Filesize
11KB

MD5
22f0ccbb1c90ec1c05f96954efd83a52

SHA1
e176d979719417cf2dda9e3efaf66ea7ad46b68f

SHA256
dac75c4f75a3219f90d1956e198b489993cd538d231326357dc3635c73cb9ac8

SHA512
dcd2c350f0eff25e668db191c8810fe5978013bd14f55b9f9b21a38efed12476a5354e25a33d90fab547ead5c1fdea209bbbcaa2339db8e0b357fa1badb6d4d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\OpenWrite.docx

Filesize
19KB

MD5
5baf6d7d11c2dbd5433dcd052757ce85

SHA1
552d4f0c4ec6c3eb64d214248e60cd0be371cddb

SHA256
cb0f96dcfa305d0e0bac1363d6cfb637be28cf78d00081970914a6f968d81c12

SHA512
88b756cb59f8b6b3ff0d50c11070454cc6e9be27b71546869140228fa89ffe8fa20df05b9414379f8bbaf151c7a4f305ac13be4e3ea692fc8c7bf5fd301006ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\DisableDeny.docx

Filesize
17KB

MD5
1f51c5715fdf20483ed5133f14972177

SHA1
7ff84c19ed89554898db56c77a9a640cc5c31679

SHA256
91869e87b6ec14192e9b15aa9c8a5466b304a39d81d17fb8b3fb8f729636c372

SHA512
5b82aaeaeaf4b214b01dd0121780fdbdddf2ce8f5f713719bba95d2f7020733857132c52a6bda3983ee98beaca314ebf05b88b1cfedcb6e0cd4bbe0206cd4002

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\DisconnectBackup.vssx

Filesize
604KB

MD5
28e1d15b806bc58c92198d9293eef2cd

SHA1
72c00b72bea32940d99fcf70291a4b2c6abc2acc

SHA256
7a9530b64b8de5045cf37ee7ff71cd1d4dbf7cd0ffecee26c75ceae6e12dc02b

SHA512
3d7963dd57fc13cf886f4d8822397a65809141068d44bd31b774887e7df9ae5791779a07810553512963f94cfd9cdb2d741caf4e4ecd8951b8462d0acead7008

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\EnterCompare.docx

Filesize
14KB

MD5
7280d0b1c384365258507a4cdb2fbfca

SHA1
cb0685200bb2bbd6ffc6474caf68e5ddd92eb3d3

SHA256
323c3a24a411cbcd6ae3ed39c9460c7a1a0a6e52e5614491a3359ec2dbbcb09c

SHA512
723106c9320548518bd2f0e3474a1adea0c12832f5ea8fc2e54861f2e3a8f532c5705f4c89dbc7ac39a8ea32b967dac0a3008f3169fd36d38f9a5516594289bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\LimitDismount.png

Filesize
829KB

MD5
5090056520f690c9e623ab21a701904c

SHA1
ff826f75720e72434daf0c02801b3d92319f6095

SHA256
18dbfcf720f29b70c8f25bbe6de53ed0fb9aae40658e60314cb3b0f11375af92

SHA512
820b46feba599f135edaba8b133704011407e6a39103e723f2b3747f2590edffacb08a13c53d50adca7f6a8e58fba413a1c1db80fd92b91d4f5eab87281552ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\ResetSkip.jpg

Filesize
592KB

MD5
bd95c8c02a0d23b201b9262890ed2645

SHA1
144b0e43441d203a44505ef2084430425ce0ae40

SHA256
ad43fd87f2cdd679f73ef83ca190b2eca91e89e0e275a7dd50804c5cf7712d65

SHA512
1080eabe156b922d555e00dd2b23720f65e6309d8f0ace598113d05a9465857273ce5912680130a6a8af04d6dbe181a959b627a11cc09123532fdbfb07824b96

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\BackupAssert.AAC

Filesize
604KB

MD5
887137c151fdecc7a8bcdb1ee0ab4dd0

SHA1
8eec9fc7d705a2b53e535dc21ed99ba7853cfccb

SHA256
1b15b65aedf0f306c99ba65685f419206e68828b034ad604a8aa03f69d39e487

SHA512
5b0d72764ad4b0a77f00744c370fd190783ff8e44ab119d5d2ce3b0157b04b0180a956264a26b067e1d6f20db0df29712a26c6f5d9cb937d586c2f0ce7c67a5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\CopyBackup.mhtml

Filesize
402KB

MD5
6d71495fcc4d63e7174179d49acb39eb

SHA1
e0c8d37df7affdf2e5302c3826571204e7138ee8

SHA256
5dbdb1e4b986dee4277f42c81fb23e29d0a264af6ccd51f5d092d4b9466f8fd2

SHA512
af592a127d1e029e64c65f8434658794f8cc500235533af6e8071156ad53768f9ed1efe3ba7f8d131a25234c95c471b29d4b05fa711ce9edbc0612ab93a78bb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\EnableClose.xls

Filesize
954KB

MD5
58bdce0b88b549a4e6b1b5dd9577c3ca

SHA1
eabc9f5ca7331ef853c5a96a7e150cd25fe679a6

SHA256
b75bcf93c6d3ffe8a0543670e0a20a560e3d53a63b13b7bb9755d77e6bee1df8

SHA512
26f704690dc4b5029048250811fb10aace03e2818a5fc77c1d867dcc01b4aeed13f0a720df18a92fcba824627217e5141a590b801008021a3ec85669c66d873d

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\ExpandUninstall.xls

Filesize
308KB

MD5
aec243def7baf883899b410b8410c9e9

SHA1
11833680a48a54a52d773be05fc16e8a2a84bd95

SHA256
9a01f41727f96ea43287b90b38abad56b46227ba62a12a91313c975056579cb2

SHA512
bcf94ada539ed81d4364be0ec60174a04d6f8b60419401e76492d11162ff9d7de190d6d35baf264750f70361566a22b143cc38a7169d1806b82841d6a3eaf847

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\RevokePing.txt

Filesize
362KB

MD5
364af3f62fdde23f95b28282959a4d4b

SHA1
a827d61d6cdf30d3554ba97db537cb478edc453e

SHA256
a16480521d3d5b6e26ff57c5cd8bc7f00e29682064e0b33a3cd590e22d15a4f2

SHA512
f4a41a9d5740c2e776724c2a23acd57331ef0fe8c8671d6b2eb384c89b745a6cc74841dd6ae8ff355164482909c33f0000aff0e1e968716a63b0c723cc6141bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\StartRepair.mp4

Filesize
241KB

MD5
fed33184bbb93ab264774068704bf97a

SHA1
1aaca162cb2aea6d103620df528cc4fbf0fd8fc7

SHA256
727c66278adbcb8bf4772893a95ad1c160323bb760279e2d461ad04b90cff457

SHA512
7560be133ee375d44c7b32298457c2ef61b382e2373d96afb09a6f9f5a66236a4265e433056b5c950436b2c5a4a2267f875edac2584b003c814b3ab083f42e30

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\UnpublishEdit.png

Filesize
268KB

MD5
3bac60cd8c8af022534143c4a8058cf5

SHA1
a1b31629994baf3332fa5994a426cb5d4601af8f

SHA256
89c7a9325146e02fd319b84faab45aebf131dcacaf4116a9aa074c0e917bdf02

SHA512
331a869c02593a424482367e965ca09d2b527db8ec0259c0530296046b62640553431befd5e43f234d766403d83e67732ddae269b76035fc5c5cfb990eb148b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43682\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43682\_asyncio.pyd

Filesize
34KB

MD5
7d4f9a2b793e021f7e37b8448751ed4e

SHA1
0ea07b5024501aad5008655cfeae6d96b5da957a

SHA256
2293c1b6b0b901832a57a1c4dcb1265c9e92d21177195712c30632a7b63227d4

SHA512
af75452279c308c61c3e222a031a8201e47e8fe44c4e92cb7dab03d56c7e7e3e2a2c589f650c50e0b29e2df175d6f2ff50c8e5e589d17a124bf0a2e0d7886c26

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43682\_brotli.cp310-win_amd64.pyd

Filesize
274KB

MD5
94c13e0636646019a4c7d405c2d919df

SHA1
8ed8519e9b310f59e5b40f3c8fb675791cae09f9

SHA256
10517c02bb69dafd60053152e65d00c02e24952f63ca230af807ec6b2053f2a6

SHA512
82fba52c4db4206f7a1ebb1a3ebf12fc60f3deff4763fd5a059b00f46aa7513279da994a815a0883ce3301c3cdd1d20923db21b926c43b2ee732c28852979945

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43682\_bz2.pyd

Filesize
46KB

MD5
6250a28b9d0bfefc1254bd78ece7ae9f

SHA1
4b07c8e18d23c8ae9d92d7b8d39ae20bc447aecd

SHA256
7d43f7105aa4f856239235c67f61044493ee6f95ddf04533189bf5ea98073f0b

SHA512
6d0aa5c3f8f5b268b94341dfdd5afbe48f91f9aac143bf59f7f5e8ba6f54205b85ec527c53498ed8860fdff6a8d08e48ec4e1652eeab2d3c89aaaf3a14fcaaa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43682\_cffi_backend.cp310-win_amd64.pyd

Filesize
71KB

MD5
7727212e7bdbf63b1a39fb7faad24265

SHA1
a8fdec19d6690081b2bf55247e8e17657a68ac97

SHA256
b0116303e1e903d6eb02a69d05879f38af1640813f4b110cb733ffff6e4e985c

SHA512
2b1a27642118dd228791d0d8ba307aa39ab2d9c7d3799cff9f3c0744fe270eeaefe5545a4fda6e74e86fee747e45bf5f6c9ac799950c2b483a16eb3ce85d816a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43682\_ctypes.pyd

Filesize
56KB

MD5
4b90108fabdd64577a84313c765a2946

SHA1
245f4628683a3e18bb6f0d1c88aa26fb959ed258

SHA256
e1b634628839a45ab08913463e07b6b6b7fd502396d768f43b21da2875b506a1

SHA512
91fa069d7cf61c57faad6355f6fd46d702576c4342460dadcedfdcbc07cd9d84486734f0561fa5e1e01668b384c3c07dd779b332f77d0bb6fbdbb8c0cb5091bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43682\_decimal.pyd

Filesize
103KB

MD5
20985dc78dbd1992382354af5ca28988

SHA1
385a3e7a7654e5e4c686399f3a72b235e941e311

SHA256
f3620cac68595b8a8495ab044f19a1c89012f50d2fe571b7a1721485f7ff2e43

SHA512
61b8ecd2d12b3f785773b98d4bf4af0eb6eb2c61fbea6effb77ec24b2127e888d0ea5fdd8cc298484e0f770d70c87907048fc382faace8e0ca6b49ab106c89f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43682\_hashlib.pyd

Filesize
33KB

MD5
3b5530f497ff7c127383d0029e680c35

SHA1
fb5dc554bb9ff49622184cc16883a7567115c7ca

SHA256
5971fcc9758b7f4a12cde2190a323f35a34ab7f97bd8c39cc8f3335223102573

SHA512
12ced7ddb0352f8eca3c3cb7c7c2faaf08e617b2dd278d20008051fb6b564b17c3e9ecfa8b0ffe7674154ad533dfbbf1e802accd5e1aef12ece01368da06e85a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43682\_lzma.pyd

Filesize
84KB

MD5
8edbeeccb6f3dbb09389d99d45db5542

SHA1
f7e7af2851a5bf22de79a24fe594b5c0435fca8a

SHA256
90701973be6b23703e495f6a145bae251a7bb066d3c5f398ec42694fd06a069f

SHA512
2a8bf60f2280b9a947578bd7fd49c3ace8e010a3d4b38e370edb511ea0e125df688bbac369d6a3cec9d285a1fa2ad2dac18a0ef30fda46e49a9440418581e501

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43682\_multiprocessing.pyd

Filesize
25KB

MD5
4fbc5fd5da9da74c04fe0374387b34d3

SHA1
1e9c98db0486f98fb7d8eb9fa57a949494b649b5

SHA256
b2347790c87052623710382d3178887f68a79618d6da5174909f46b169236950

SHA512
ce87d4512c2ab7c1ad7986e8e1fe790615ae39c7667d234dfc09026ee7e1518b3bfbf7974612811db0c3e5654b35b54e118e23e624bebe027a51d2c8f2a4652a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43682\_overlapped.pyd

Filesize
30KB

MD5
5c1441f6ee11632183a83dac2d22853b

SHA1
eef732ff4bab9ea5c8fffb6a93c47cfc8e64dae2

SHA256
104e0b0e0e9fec9eb6438683296feeba298d5f23b02d2080577fc87ffec67acf

SHA512
e41d3433754a8a3d2c572bb7f3902c0d37cba2e6f3307f0e6dfed316a22b11ef7e52a73c30085fa89fcff603e4b76858abe761217c320e38fa2eb95d1777b595

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43682\_queue.pyd

Filesize
24KB

MD5
5c4c43763fb1a796134aa5734905c891

SHA1
44a5e1ae4806406a239129d77888bd87d291a410

SHA256
4edc80e7d331ba0e9338431d407157181190f995821d1cd24f7a7aa2422ece0c

SHA512
07bec7e4a85e76cfab2c21776b50ee2bd0454835fcb43b573dee757eca24cbeb4530784bae07de3be90820cee6d72023d9ded395d4f1a4931971db247dc1a71e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43682\_socket.pyd

Filesize
41KB

MD5
53e72716073038c1dd1db65bfdb1254c

SHA1
7bf220a02a3b51aa51300b3a9ea7fa48358ca161

SHA256
e1fb6927ba2ed014d0ac750af0ee0bb3d49487dd6920848937259606e1e92e1d

SHA512
c10d91b6ec82402b0eb05dc31a4703c999f4988e88204b695e009fae5fdcc61e8a6dc4d2879ecf2babc030224048afd2f256b9e7f5c5b6f28762047813be0941

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43682\_sqlite3.pyd

Filesize
48KB

MD5
e7d68df8f65fbb0298a45519e2336f32

SHA1
ad3c84ad7eb75a61f287b1ba9fd2801567e39b6d

SHA256
2473ebaf52723c3751a12117ebbe974e50ecdaeb40b282a12ba4e6aa98492e79

SHA512
626204685e9b95310aba51be4a8abaf3b6e152fa35902f64f837303fc4011a4518ee393047ceb45bf377e9d965d169c92bfbb6673475150e159c59b7857ba03e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43682\_ssl.pyd

Filesize
60KB

MD5
7e9d95ac47a2284706318656b4f711d3

SHA1
f085104709201c6e64635aeacf1da51599054e55

SHA256
38dcb3d0f217785b39c03d4c949dd1e04b70e9eade8a4ad83f026390684059c9

SHA512
294a5148d8fcddabd177b776617da7720d9876ac2a1cdf8dd7b9489f0f719600a634346cdfa07da66588de885b0a64d8cccde4d47edbf6305bd2af44ee209118

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43682\_uuid.pyd

Filesize
21KB

MD5
59cfd9669367517b384922b2485cb6a7

SHA1
1bd44298543204d61d4efd2cd3980ad01071360d

SHA256
e02bfad84786560b624efd56df55c88a4ffbd6c7cfc728bf68b6401aa10f849f

SHA512
d0dd041d8493c7c19db01ea8477981148726796ce2ab58d3193064123319bd5b68fd57871d1db0aaa08d07f78ab96a3d343051c33ffd406e96b921248ea32665

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43682\aiohttp\_helpers.cp310-win_amd64.pyd

Filesize
26KB

MD5
543e83e6396cae6570f30eb0b07dbd85

SHA1
330c63d832b06cd94de04cdb9c3777b5fc0daf9c

SHA256
37f70d7409d0ff362ba1fdfc7717ed220f6b03cdbf04665b9a29a164cadc6384

SHA512
b5a7549d92c93861ba68b72f3d9e02de4c09b7ae41fba204604910c4e05bc88b8e32c40ae999cf3ccaabb3c6aee4618d285dc060c9f08a9a70d0ee31f1ff4d51

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43682\aiohttp\_http_parser.cp310-win_amd64.pyd

Filesize
81KB

MD5
899af4aa2d81d3ef292518511b1dcec5

SHA1
a24d25f12b0e6cd68d4385f6227dcb686f223170

SHA256
533b97f4363ddd5a7d43cadd835404ff23b2ad9fe9a79fbed4b1ce9c12f0cebd

SHA512
cfec8c07c23a2a4ff29e366216494d48061be6c28ab0cde0fdaae04c648292170855491bee678116e9e76ccf3821781f776f03cf09896e5f0530c753999b0342

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43682\aiohttp\_http_writer.cp310-win_amd64.pyd

Filesize
24KB

MD5
d77dcee3f14c440a8759afa058a12f89

SHA1
e106cb383a0116079e64d881efd172f2c1e53da4

SHA256
dcb467aad3b7281c04489c2fcb499a8f63b081d1388a8fde482a3392667e6391

SHA512
5327cc895467061159891e85da61dc6c0287a6961d820878d88b23514a81fdb7e01103e025e8e0cb74d3918725d128427c06c4749e7d33ad883ac0ed99335a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43682\aiohttp\_websocket.cp310-win_amd64.pyd

Filesize
20KB

MD5
6d0b455fc452f5ab428cca27ba603e46

SHA1
d3ff9006c48217306808c2bf3ab1cc5ba0505369

SHA256
e8129a7262e537ce6377d6e58f047ec5c69216e4a7bee588d4c69578bb01be8b

SHA512
48873a1ee4871f0ad0d28aa0f58ed027cd11484caa232de8534260a2fd231a58bec939d851a5ee6bba788d939b696485136c3ee24e8b9f94db9803dcab6b169e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43682\base_library.zip

Filesize
859KB

MD5
0189692d9f872d9bdb85a250ad088b0c

SHA1
ad9955113bb6a5c2853902cee69861eca3e85ad0

SHA256
8d615201402f2d189b396b04f122e669d4933f5251a60bbf1bbe1f7179705c3a

SHA512
e7612a640f413f1a019d250bed32b100366daf54e033cb5283705758228dbb491578c1724b074a377487c22774f9ae72008ec452f2eef1ad95246168ae611cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43682\libcrypto-1_1.dll

Filesize
1.1MB

MD5
86cfc84f8407ab1be6cc64a9702882ef

SHA1
86f3c502ed64df2a5e10b085103c2ffc9e3a4130

SHA256
11b89cc5531b2a6b89fbbb406ebe8fb01f0bf789e672131b0354e10f9e091307

SHA512
b33f59497127cb1b4c1781693380576187c562563a9e367ce8abc14c97c51053a28af559cdd8bd66181012083e562c8a8771e3d46adeba269a848153a8e9173c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43682\libffi-7.dll

Filesize
23KB

MD5
d50ebf567149ead9d88933561cb87d09

SHA1
171df40e4187ebbfdf9aa1d76a33f769fb8a35ed

SHA256
6aa8e12ce7c8ad52dd2e3fabeb38a726447849669c084ea63d8e322a193033af

SHA512
7bcc9d6d3a097333e1e4b2b23c81ea1b5db7dbdc5d9d62ebaffb0fdfb6cfe86161520ac14dc835d1939be22b9f342531f48da70f765a60b8e2c3d7b9983021de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43682\libssl-1_1.dll

Filesize
203KB

MD5
6cd33578bc5629930329ca3303f0fae1

SHA1
f2f8e3248a72f98d27f0cfa0010e32175a18487f

SHA256
4150ee603ad2da7a6cb6a895cb5bd928e3a99af7e73c604de1fc224e0809fdb0

SHA512
c236a6ccc8577c85509d378c1ef014621cab6f6f4aa26796ff32d8eec8e98ded2e55d358a7d236594f7a48646dc2a6bf25b42a37aed549440d52873ebca4713e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43682\multidict\_multidict.cp310-win_amd64.pyd

Filesize
20KB

MD5
7f691747ce66d3ed05a7c2c53220c8b5

SHA1
1d3f247042030cf8cf7c859002941beba5d15776

SHA256
7d6472a0d7f1a0740c7fc0d0d0ea6f7c6e7cb2b11b8c623c46a6fae1adb4e228

SHA512
b01f0e91039fc5b2782caaa0b3d56d5d1fe9e94424cc536cde9eca73a76747736060042e345af9edc5ef5bf5c154705d2c2dddf35536f305306be25a955a9f06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43682\pyexpat.pyd

Filesize
86KB

MD5
46331749084f98bcfe8631d74c5e038f

SHA1
5e5510f7a4d03f10d979e0d6a0d2a6f0e53ca347

SHA256
21cc4b9ccd69d08d7c1068b1f004ae9454f7ea0a322801860faf0e6f4a24a3df

SHA512
edd39ce2d927fb6700a86db07f4f56cab897ef91a320f3e5ecb542ea1be6888dd27a08008e5fa1df3765b0c82d1046a23c8d59e76d11f4e6449d4d6826879589

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43682\python3.DLL

Filesize
63KB

MD5
c17b7a4b853827f538576f4c3521c653

SHA1
6115047d02fbbad4ff32afb4ebd439f5d529485a

SHA256
d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68

SHA512
8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43682\python310.dll

Filesize
1.4MB

MD5
fc7bd515b12e537a39dc93a09b3eaad6

SHA1
96f5d4b0967372553cb106539c5566bc184f6167

SHA256
461e008b7cdf034f99a566671b87849772873a175aefec6ed00732976f5c4164

SHA512
a8433d5b403f898e4eeebd72fce08ebad066ca60aeb0b70e2ae78377babc2acbbae2ac91ab20f813cce4b1dc58c2ad6b3868f18cc8ac0fe7be2bff020eb73122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43682\select.pyd

Filesize
24KB

MD5
3797a47a60b606e25348c67043874fe8

SHA1
63a33fedffd52190236a6acd0fc5d9d491e3ac45

SHA256
312e9b01d1632840983e8533d1685a64fb87e4538f724a7a59a71b1ba148bbac

SHA512
3eb7599825b7b21aaab05e420dd16d4a8eaa21652d232f6e4ede213a232b701401556e44df73cfa20ae855d1adc28304b52d42367b74ebd8e96c2e3d9a9b93e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43682\sqlite3.dll

Filesize
608KB

MD5
6a3a34c9c67efd6c17d44292e8db8fad

SHA1
339b1e514d60d8370eaec1e2f2b71cead999f970

SHA256
7b0e840165d65f0f5285476467e4c154c4d936613966b84948110a4614b9cad9

SHA512
6f2a1b670d28762745f0d3b961a331cbbb0dec244f8798734b911b3a3bc9519c73a3b26f1e1117725f6f1e880e57cadb562a1450659bca1aae353f6b9575d7f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43682\unicodedata.pyd

Filesize
287KB

MD5
fed35db31377d515d198e5e446498be2

SHA1
62e388d17e17208ea0e881ccd96c75b7b1fbc5f7

SHA256
af3cdc9a2a1d923be67244429867a3c5c70835249e3573a03b98d08d148fe24b

SHA512
0985528cb0289086ec895e21a8947e04f732d5660460f2e7fa8668bd441c891438781c808bcea9294f348720e3752c10ea65363371f7e75ea48600d016bab72a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43682\yarl\_helpers_c.cp310-win_amd64.pyd

Filesize
27KB

MD5
15591df44ee64cb8772f1a5583465094

SHA1
7c75d1f1e234e00d0023d803642d4fedce3b7b80

SHA256
1de4a743bf1182dcfd04942696201ad1a3babd9455adafa2283709a1f3dcbaf1

SHA512
6f65bfcfdb155841ebc58494f947218a17e06b370c39b289cb86aba6d8f0ce9aab71bb8fe74b3c37f4049f99b9097718c718a337a2da2a98d6445fa24c143a6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI43682\yarl\_quoting_c.cp310-win_amd64.pyd

Filesize
41KB

MD5
e73b7c4ab697651094b83841e21370a0

SHA1
3093c418051c4d4e32ddb041ebcd7920cd77a191

SHA256
4ed26f8531dfb4a33d88ccb591a36fbbb25f28ce4720a92e840897316b01ac5d

SHA512
4846a981773c89bbdb5999e4472ec7f25d359e8bb16528a059b925078e0896d476e125b6cfede022a4ecce53cce30e001e2d1bcc90d03a0b2de29e6c6c8eba49

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jjy1byk3.tex.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\ElectronV3\ElectronV3.exe

Filesize
10.1MB

MD5
30e0c375ce957f3398f208d487a08950

SHA1
cc3137225c79532f95204d1eebad97b26e02f114

SHA256
dcb6c47949bacabd601226411736bca0a6a043475b366c77d17f997205600923

SHA512
d06ac050da037821d9226bca670652d23840795fbb32443eb83280577c1564e28ed03dc07acb70cf84d22597ee46eacf903138cc8092d76428e6b2d45bc371f0

Download Submit
memory/2984-223-0x000001F5DDB20000-0x000001F5DDB42000-memory.dmp

Filesize
136KB

Download
memory/3292-114-0x00007FFF75590000-0x00007FFF755B4000-memory.dmp

Filesize
144KB

Download
memory/3292-102-0x00007FFF75500000-0x00007FFF7551F000-memory.dmp

Filesize
124KB

Download
memory/3292-134-0x00007FFF74D40000-0x00007FFF74D62000-memory.dmp

Filesize
136KB

Download
memory/3292-137-0x00007FFF75350000-0x00007FFF7537E000-memory.dmp

Filesize
184KB

Download
memory/3292-138-0x00007FFF74D20000-0x00007FFF74D37000-memory.dmp

Filesize
92KB

Download
memory/3292-131-0x00007FFF74D70000-0x00007FFF74D87000-memory.dmp

Filesize
92KB

Download
memory/3292-142-0x00007FFF75290000-0x00007FFF75348000-memory.dmp

Filesize
736KB

Download
memory/3292-130-0x00007FFF75500000-0x00007FFF7551F000-memory.dmp

Filesize
124KB

Download
memory/3292-126-0x00007FFF74D90000-0x00007FFF74EA8000-memory.dmp

Filesize
1.1MB

Download
memory/3292-149-0x00007FFF74BC0000-0x00007FFF74BD1000-memory.dmp

Filesize
68KB

Download
memory/3292-148-0x00007FFF74C50000-0x00007FFF74D1F000-memory.dmp

Filesize
828KB

Download
memory/3292-147-0x000001FF8D440000-0x000001FF8D7B5000-memory.dmp

Filesize
3.5MB

Download
memory/3292-155-0x00007FFF74EF0000-0x00007FFF74F05000-memory.dmp

Filesize
84KB

Download
memory/3292-154-0x00007FFF86400000-0x00007FFF8640A000-memory.dmp

Filesize
40KB

Download
memory/3292-153-0x00007FFF74BA0000-0x00007FFF74BBE000-memory.dmp

Filesize
120KB

Download
memory/3292-152-0x00007FFF74BE0000-0x00007FFF74C2D000-memory.dmp

Filesize
308KB

Download
memory/3292-151-0x00007FFF74C30000-0x00007FFF74C49000-memory.dmp

Filesize
100KB

Download
memory/3292-156-0x00007FFF87230000-0x00007FFF87240000-memory.dmp

Filesize
64KB

Download
memory/3292-157-0x00007FFF74400000-0x00007FFF74B9A000-memory.dmp

Filesize
7.6MB

Download
memory/3292-150-0x00007FFF74F10000-0x00007FFF75285000-memory.dmp

Filesize
3.5MB

Download
memory/3292-158-0x00007FFF743C0000-0x00007FFF743F7000-memory.dmp

Filesize
220KB

Download
memory/3292-170-0x00007FFF74EB0000-0x00007FFF74EC4000-memory.dmp

Filesize
80KB

Download
memory/3292-175-0x00007FFF74D90000-0x00007FFF74EA8000-memory.dmp

Filesize
1.1MB

Download
memory/3292-210-0x00007FFF74D70000-0x00007FFF74D87000-memory.dmp

Filesize
92KB

Download
memory/3292-211-0x00007FFF863B0000-0x00007FFF863BD000-memory.dmp

Filesize
52KB

Download
memory/3292-123-0x00007FFF74ED0000-0x00007FFF74EE4000-memory.dmp

Filesize
80KB

Download
memory/3292-124-0x00007FFF74EB0000-0x00007FFF74EC4000-memory.dmp

Filesize
80KB

Download
memory/3292-228-0x00007FFF74D40000-0x00007FFF74D62000-memory.dmp

Filesize
136KB

Download
memory/3292-229-0x00007FFF74D20000-0x00007FFF74D37000-memory.dmp

Filesize
92KB

Download
memory/3292-230-0x00007FFF74C30000-0x00007FFF74C49000-memory.dmp

Filesize
100KB

Download
memory/3292-231-0x00007FFF74BE0000-0x00007FFF74C2D000-memory.dmp

Filesize
308KB

Download
memory/3292-260-0x00007FFF863B0000-0x00007FFF863BD000-memory.dmp

Filesize
52KB

Download
memory/3292-259-0x00007FFF743C0000-0x00007FFF743F7000-memory.dmp

Filesize
220KB

Download
memory/3292-240-0x00007FFF75380000-0x00007FFF754F1000-memory.dmp

Filesize
1.4MB

Download
memory/3292-233-0x00007FFF75590000-0x00007FFF755B4000-memory.dmp

Filesize
144KB

Download
memory/3292-245-0x00007FFF87230000-0x00007FFF87240000-memory.dmp

Filesize
64KB

Download
memory/3292-258-0x00007FFF74400000-0x00007FFF74B9A000-memory.dmp

Filesize
7.6MB

Download
memory/3292-244-0x00007FFF74EF0000-0x00007FFF74F05000-memory.dmp

Filesize
84KB

Download
memory/3292-239-0x00007FFF75500000-0x00007FFF7551F000-memory.dmp

Filesize
124KB

Download
memory/3292-232-0x00007FFF755C0000-0x00007FFF75A2E000-memory.dmp

Filesize
4.4MB

Download
memory/3292-118-0x00007FFF75570000-0x00007FFF75589000-memory.dmp

Filesize
100KB

Download
memory/3292-119-0x00007FFF87230000-0x00007FFF87240000-memory.dmp

Filesize
64KB

Download
memory/3292-116-0x00007FFF74EF0000-0x00007FFF74F05000-memory.dmp

Filesize
84KB

Download
memory/3292-110-0x00007FFF755C0000-0x00007FFF75A2E000-memory.dmp

Filesize
4.4MB

Download
memory/3292-112-0x000001FF8D440000-0x000001FF8D7B5000-memory.dmp

Filesize
3.5MB

Download
memory/3292-113-0x00007FFF74F10000-0x00007FFF75285000-memory.dmp

Filesize
3.5MB

Download
memory/3292-111-0x00007FFF75290000-0x00007FFF75348000-memory.dmp

Filesize
736KB

Download
memory/3292-106-0x00007FFF75350000-0x00007FFF7537E000-memory.dmp

Filesize
184KB

Download
memory/3292-94-0x00007FFF75570000-0x00007FFF75589000-memory.dmp

Filesize
100KB

Download
memory/3292-98-0x00007FFF75550000-0x00007FFF75569000-memory.dmp

Filesize
100KB

Download
memory/3292-104-0x00007FFF75380000-0x00007FFF754F1000-memory.dmp

Filesize
1.4MB

Download
memory/3292-133-0x00007FFF75380000-0x00007FFF754F1000-memory.dmp

Filesize
1.4MB

Download
memory/3292-100-0x00007FFF75520000-0x00007FFF7554D000-memory.dmp

Filesize
180KB

Download
memory/3292-96-0x00007FFF8A360000-0x00007FFF8A36D000-memory.dmp

Filesize
52KB

Download
memory/3292-72-0x00007FFF8A410000-0x00007FFF8A41F000-memory.dmp

Filesize
60KB

Download
memory/3292-70-0x00007FFF75590000-0x00007FFF755B4000-memory.dmp

Filesize
144KB

Download
memory/3292-62-0x00007FFF755C0000-0x00007FFF75A2E000-memory.dmp

Filesize
4.4MB

Download
memory/3292-492-0x00007FFF74400000-0x00007FFF74B9A000-memory.dmp

Filesize
7.6MB

Download
memory/3292-493-0x00007FFF743C0000-0x00007FFF743F7000-memory.dmp

Filesize
220KB

Download
memory/3292-494-0x00007FFF863B0000-0x00007FFF863BD000-memory.dmp

Filesize
52KB

Download
memory/3292-491-0x00007FFF74F10000-0x00007FFF75285000-memory.dmp

Filesize
3.5MB

Download
memory/3292-466-0x00007FFF86400000-0x00007FFF8640A000-memory.dmp

Filesize
40KB

Download
memory/3292-467-0x00007FFF75590000-0x00007FFF755B4000-memory.dmp

Filesize
144KB

Download
memory/3292-468-0x00007FFF8A410000-0x00007FFF8A41F000-memory.dmp

Filesize
60KB

Download
memory/3292-469-0x00007FFF75570000-0x00007FFF75589000-memory.dmp

Filesize
100KB

Download
memory/3292-470-0x00007FFF8A360000-0x00007FFF8A36D000-memory.dmp

Filesize
52KB

Download
memory/3292-471-0x00007FFF75550000-0x00007FFF75569000-memory.dmp

Filesize
100KB

Download
memory/3292-412-0x00007FFF74BE0000-0x00007FFF74C2D000-memory.dmp

Filesize
308KB

Download
memory/3292-390-0x00007FFF755C0000-0x00007FFF75A2E000-memory.dmp

Filesize
4.4MB

Download
memory/3292-411-0x00007FFF74C30000-0x00007FFF74C49000-memory.dmp

Filesize
100KB

Download
memory/3292-408-0x00007FFF74D40000-0x00007FFF74D62000-memory.dmp

Filesize
136KB

Download
memory/3292-402-0x00007FFF74EF0000-0x00007FFF74F05000-memory.dmp

Filesize
84KB

Download
memory/3292-401-0x00007FFF74F10000-0x00007FFF75285000-memory.dmp

Filesize
3.5MB

Download
memory/3292-400-0x00007FFF75290000-0x00007FFF75348000-memory.dmp

Filesize
736KB

Download
memory/3292-399-0x00007FFF75350000-0x00007FFF7537E000-memory.dmp

Filesize
184KB

Download
memory/3292-473-0x00007FFF75500000-0x00007FFF7551F000-memory.dmp

Filesize
124KB

Download
memory/3292-477-0x00007FFF74BE0000-0x00007FFF74C2D000-memory.dmp

Filesize
308KB

Download
memory/3292-490-0x00007FFF74BA0000-0x00007FFF74BBE000-memory.dmp

Filesize
120KB

Download
memory/3292-489-0x00007FFF74BC0000-0x00007FFF74BD1000-memory.dmp

Filesize
68KB

Download
memory/3292-488-0x00007FFF75290000-0x00007FFF75348000-memory.dmp

Filesize
736KB

Download
memory/3292-487-0x00007FFF74C50000-0x00007FFF74D1F000-memory.dmp

Filesize
828KB

Download
memory/3292-486-0x00007FFF74D20000-0x00007FFF74D37000-memory.dmp

Filesize
92KB

Download
memory/3292-485-0x00007FFF74D40000-0x00007FFF74D62000-memory.dmp

Filesize
136KB

Download
memory/3292-484-0x00007FFF74D70000-0x00007FFF74D87000-memory.dmp

Filesize
92KB

Download
memory/3292-483-0x00007FFF74D90000-0x00007FFF74EA8000-memory.dmp

Filesize
1.1MB

Download
memory/3292-482-0x00007FFF74ED0000-0x00007FFF74EE4000-memory.dmp

Filesize
80KB

Download
memory/3292-481-0x00007FFF74EB0000-0x00007FFF74EC4000-memory.dmp

Filesize
80KB

Download
memory/3292-480-0x00007FFF87230000-0x00007FFF87240000-memory.dmp

Filesize
64KB

Download
memory/3292-479-0x00007FFF74EF0000-0x00007FFF74F05000-memory.dmp

Filesize
84KB

Download
memory/3292-478-0x00007FFF755C0000-0x00007FFF75A2E000-memory.dmp

Filesize
4.4MB

Download
memory/3292-476-0x00007FFF74C30000-0x00007FFF74C49000-memory.dmp

Filesize
100KB

Download
memory/3292-475-0x00007FFF75350000-0x00007FFF7537E000-memory.dmp

Filesize
184KB

Download
memory/3292-474-0x00007FFF75380000-0x00007FFF754F1000-memory.dmp

Filesize
1.4MB

Download
memory/3292-472-0x00007FFF75520000-0x00007FFF7554D000-memory.dmp

Filesize
180KB

Download
memory/3740-382-0x0000020474FD0000-0x0000020474FD1000-memory.dmp

Filesize
4KB

Download
memory/3740-383-0x0000020474FD0000-0x0000020474FD1000-memory.dmp

Filesize
4KB

Download
memory/3740-384-0x0000020474FD0000-0x0000020474FD1000-memory.dmp

Filesize
4KB

Download
memory/3740-385-0x0000020474FD0000-0x0000020474FD1000-memory.dmp

Filesize
4KB

Download
memory/3740-386-0x0000020474FD0000-0x0000020474FD1000-memory.dmp

Filesize
4KB

Download
memory/3740-387-0x0000020474FD0000-0x0000020474FD1000-memory.dmp

Filesize
4KB

Download
memory/3740-388-0x0000020474FD0000-0x0000020474FD1000-memory.dmp

Filesize
4KB

Download
memory/3740-377-0x0000020474FD0000-0x0000020474FD1000-memory.dmp

Filesize
4KB

Download
memory/3740-378-0x0000020474FD0000-0x0000020474FD1000-memory.dmp

Filesize
4KB

Download
memory/3740-376-0x0000020474FD0000-0x0000020474FD1000-memory.dmp

Filesize
4KB

Download