exelastealer | hxxps://www[.]mediafire[.]com/file/tp50tuigtmer22d/Exela[.]exe/file

Analysis

max time kernel
107s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
26/01/2025, 22:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://www.mediafire.com/file/tp50tuigtmer22d/Exela.exe/file

Score

10^/10

exelastealer collection defense_evasion discovery persistence privilege_escalation pyinstaller spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Downloads MZ/PE file 1 IoCs

flow	pid	Process
97	3212	msedge.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4980	netsh.exe
4008	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2228	cmd.exe
3420	powershell.exe

Executes dropped EXE 4 IoCs

pid	Process
3008	Exela.exe
4376	Exela.exe
4716	Exela.exe
4996	Exela.exe

Loads dropped DLL 64 IoCs

pid	Process
4716	Exela.exe
4716	Exela.exe
4716	Exela.exe
4996	Exela.exe
4996	Exela.exe
4996	Exela.exe
4716	Exela.exe
4716	Exela.exe
4716	Exela.exe
4716	Exela.exe
4996	Exela.exe
4996	Exela.exe
4996	Exela.exe
4996	Exela.exe
4996	Exela.exe
4996	Exela.exe
4996	Exela.exe
4996	Exela.exe
4996	Exela.exe
4996	Exela.exe
4996	Exela.exe
4996	Exela.exe
4996	Exela.exe
4716	Exela.exe
4716	Exela.exe
4716	Exela.exe
4716	Exela.exe
4716	Exela.exe
4716	Exela.exe
4716	Exela.exe
4716	Exela.exe
4716	Exela.exe
4716	Exela.exe
4716	Exela.exe
4716	Exela.exe
4716	Exela.exe
4716	Exela.exe
4716	Exela.exe
4716	Exela.exe
4716	Exela.exe
4716	Exela.exe
4716	Exela.exe
4716	Exela.exe
4716	Exela.exe
4716	Exela.exe
4716	Exela.exe
4716	Exela.exe
4716	Exela.exe
4996	Exela.exe
4996	Exela.exe
4996	Exela.exe
4996	Exela.exe
4996	Exela.exe
4996	Exela.exe
4996	Exela.exe
4996	Exela.exe
4996	Exela.exe
4996	Exela.exe
4996	Exela.exe
4996	Exela.exe
4996	Exela.exe
4996	Exela.exe
4996	Exela.exe
4716	Exela.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
146	discord.com
147	discord.com
148	discord.com
161	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
137	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
3056	cmd.exe
60	ARP.EXE

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
1860	tasklist.exe
1664	tasklist.exe
5000	tasklist.exe
4060	tasklist.exe
3240	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
4644	cmd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0007000000023da5-361.dat	upx
behavioral1/memory/4716-378-0x00007FFF22360000-0x00007FFF22950000-memory.dmp	upx
behavioral1/memory/4716-422-0x00007FFF239E0000-0x00007FFF23A04000-memory.dmp	upx
behavioral1/memory/4716-421-0x00007FFF37FA0000-0x00007FFF37FAF000-memory.dmp	upx
behavioral1/memory/4996-425-0x00007FFF21C20000-0x00007FFF21C39000-memory.dmp	upx
behavioral1/memory/4996-427-0x00007FFF21C00000-0x00007FFF21C19000-memory.dmp	upx
behavioral1/memory/4996-432-0x00007FFF21A20000-0x00007FFF21B96000-memory.dmp	upx
behavioral1/memory/4996-434-0x00007FFF213E0000-0x00007FFF214AD000-memory.dmp	upx
behavioral1/memory/4716-438-0x00007FFF213A0000-0x00007FFF213B9000-memory.dmp	upx
behavioral1/memory/4716-441-0x00007FFF21340000-0x00007FFF21363000-memory.dmp	upx
behavioral1/memory/4716-444-0x00007FFF21180000-0x00007FFF211B3000-memory.dmp	upx
behavioral1/memory/4996-445-0x00007FFF214B0000-0x00007FFF219D9000-memory.dmp	upx
behavioral1/memory/4716-456-0x00007FFF20990000-0x00007FFF209AB000-memory.dmp	upx
behavioral1/memory/4716-455-0x00007FFF213C0000-0x00007FFF213D9000-memory.dmp	upx
behavioral1/memory/4716-454-0x00007FFF209B0000-0x00007FFF20ACC000-memory.dmp	upx
behavioral1/memory/4716-457-0x00007FFF20970000-0x00007FFF20989000-memory.dmp	upx
behavioral1/memory/4716-463-0x00007FFF21180000-0x00007FFF211B3000-memory.dmp	upx
behavioral1/memory/4716-466-0x00007FFF1D920000-0x00007FFF1E11B000-memory.dmp	upx
behavioral1/memory/4716-482-0x00007FFF20920000-0x00007FFF2096D000-memory.dmp	upx
behavioral1/memory/4996-488-0x00007FFF1D120000-0x00007FFF1D91B000-memory.dmp	upx
behavioral1/memory/4996-491-0x00007FFF204E0000-0x00007FFF20517000-memory.dmp	upx
behavioral1/memory/4716-490-0x00007FFF1D920000-0x00007FFF1E11B000-memory.dmp	upx
behavioral1/memory/4996-485-0x00007FFF20520000-0x00007FFF2053E000-memory.dmp	upx
behavioral1/memory/4716-484-0x00007FFF208C0000-0x00007FFF208F2000-memory.dmp	upx
behavioral1/memory/4996-483-0x00007FFF20540000-0x00007FFF20572000-memory.dmp	upx
behavioral1/memory/4996-481-0x00007FFF205A0000-0x00007FFF205ED000-memory.dmp	upx
behavioral1/memory/4996-480-0x00007FFF20580000-0x00007FFF20591000-memory.dmp	upx
behavioral1/memory/4996-479-0x00007FFF205F0000-0x00007FFF20609000-memory.dmp	upx
behavioral1/memory/4716-478-0x00007FFF20990000-0x00007FFF209AB000-memory.dmp	upx
behavioral1/memory/4996-510-0x00007FFF205F0000-0x00007FFF20609000-memory.dmp	upx
behavioral1/memory/4996-525-0x00007FFF219E0000-0x00007FFF21A13000-memory.dmp	upx
behavioral1/memory/4996-523-0x00007FFF21BA0000-0x00007FFF21BC3000-memory.dmp	upx
behavioral1/memory/4996-522-0x00007FFF21C00000-0x00007FFF21C19000-memory.dmp	upx
behavioral1/memory/4996-521-0x00007FFF21C20000-0x00007FFF21C39000-memory.dmp	upx
behavioral1/memory/4996-520-0x00007FFF35850000-0x00007FFF3585D000-memory.dmp	upx
behavioral1/memory/4996-515-0x00007FFF1D120000-0x00007FFF1D91B000-memory.dmp	upx
behavioral1/memory/4996-514-0x00007FFF20520000-0x00007FFF2053E000-memory.dmp	upx
behavioral1/memory/4996-513-0x00007FFF20540000-0x00007FFF20572000-memory.dmp	upx
behavioral1/memory/4996-512-0x00007FFF20580000-0x00007FFF20591000-memory.dmp	upx
behavioral1/memory/4996-511-0x00007FFF205A0000-0x00007FFF205ED000-memory.dmp	upx
behavioral1/memory/4996-509-0x00007FFF20610000-0x00007FFF2062B000-memory.dmp	upx
behavioral1/memory/4996-508-0x00007FFF20630000-0x00007FFF2074C000-memory.dmp	upx
behavioral1/memory/4996-507-0x00007FFF20750000-0x00007FFF20772000-memory.dmp	upx
behavioral1/memory/4996-506-0x00007FFF20780000-0x00007FFF20794000-memory.dmp	upx
behavioral1/memory/4996-505-0x00007FFF20800000-0x00007FFF20814000-memory.dmp	upx
behavioral1/memory/4996-504-0x00007FFF20820000-0x00007FFF20832000-memory.dmp	upx
behavioral1/memory/4996-503-0x00007FFF20840000-0x00007FFF20855000-memory.dmp	upx
behavioral1/memory/4996-502-0x00007FFF213E0000-0x00007FFF214AD000-memory.dmp	upx
behavioral1/memory/4996-489-0x00007FFF21C70000-0x00007FFF22260000-memory.dmp	upx
behavioral1/memory/4996-524-0x00007FFF21A20000-0x00007FFF21B96000-memory.dmp	upx
behavioral1/memory/4996-519-0x00007FFF21BD0000-0x00007FFF21BFD000-memory.dmp	upx
behavioral1/memory/4996-518-0x00007FFF21C40000-0x00007FFF21C64000-memory.dmp	upx
behavioral1/memory/4996-517-0x00007FFF35D20000-0x00007FFF35D2F000-memory.dmp	upx
behavioral1/memory/4996-501-0x00007FFF214B0000-0x00007FFF219D9000-memory.dmp	upx
behavioral1/memory/4716-477-0x00007FFF209B0000-0x00007FFF20ACC000-memory.dmp	upx
behavioral1/memory/4996-476-0x00007FFF20610000-0x00007FFF2062B000-memory.dmp	upx
behavioral1/memory/4996-475-0x00007FFF20630000-0x00007FFF2074C000-memory.dmp	upx
behavioral1/memory/4996-474-0x00007FFF20750000-0x00007FFF20772000-memory.dmp	upx
behavioral1/memory/4996-473-0x00007FFF20780000-0x00007FFF20794000-memory.dmp	upx
behavioral1/memory/4996-472-0x00007FFF20800000-0x00007FFF20814000-memory.dmp	upx
behavioral1/memory/4996-471-0x00007FFF20820000-0x00007FFF20832000-memory.dmp	upx
behavioral1/memory/4996-470-0x00007FFF20840000-0x00007FFF20855000-memory.dmp	upx
behavioral1/memory/4716-469-0x00007FFF20860000-0x00007FFF20897000-memory.dmp	upx
behavioral1/memory/4716-468-0x00007FFF20AD0000-0x00007FFF20AF2000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1544	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0008000000023cfa-168.dat	pyinstaller

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2284	cmd.exe
4532	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
3468	NETSTAT.EXE

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
3872	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
812	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2852	ipconfig.exe
3468	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3892	systeminfo.exe

Kills process with taskkill 9 IoCs

defense_evasion

pid	Process
4856	taskkill.exe
4108	taskkill.exe
2832	taskkill.exe
4724	taskkill.exe
3392	taskkill.exe
1556	taskkill.exe
3880	taskkill.exe
2948	taskkill.exe
1228	taskkill.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 852302.crdownload:SmartScreen	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
3212	msedge.exe
3212	msedge.exe
3200	msedge.exe
3200	msedge.exe
5092	identity_helper.exe
5092	identity_helper.exe
5000	msedge.exe
5000	msedge.exe
3420	powershell.exe
3420	powershell.exe
3420	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	812	WMIC.exe
Token: SeSecurityPrivilege	812	WMIC.exe
Token: SeTakeOwnershipPrivilege	812	WMIC.exe
Token: SeLoadDriverPrivilege	812	WMIC.exe
Token: SeSystemProfilePrivilege	812	WMIC.exe
Token: SeSystemtimePrivilege	812	WMIC.exe
Token: SeProfSingleProcessPrivilege	812	WMIC.exe
Token: SeIncBasePriorityPrivilege	812	WMIC.exe
Token: SeCreatePagefilePrivilege	812	WMIC.exe
Token: SeBackupPrivilege	812	WMIC.exe
Token: SeRestorePrivilege	812	WMIC.exe
Token: SeShutdownPrivilege	812	WMIC.exe
Token: SeDebugPrivilege	812	WMIC.exe
Token: SeSystemEnvironmentPrivilege	812	WMIC.exe
Token: SeRemoteShutdownPrivilege	812	WMIC.exe
Token: SeUndockPrivilege	812	WMIC.exe
Token: SeManageVolumePrivilege	812	WMIC.exe
Token: 33	812	WMIC.exe
Token: 34	812	WMIC.exe
Token: 35	812	WMIC.exe
Token: 36	812	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2780	WMIC.exe
Token: SeSecurityPrivilege	2780	WMIC.exe
Token: SeTakeOwnershipPrivilege	2780	WMIC.exe
Token: SeLoadDriverPrivilege	2780	WMIC.exe
Token: SeSystemProfilePrivilege	2780	WMIC.exe
Token: SeSystemtimePrivilege	2780	WMIC.exe
Token: SeProfSingleProcessPrivilege	2780	WMIC.exe
Token: SeIncBasePriorityPrivilege	2780	WMIC.exe
Token: SeCreatePagefilePrivilege	2780	WMIC.exe
Token: SeBackupPrivilege	2780	WMIC.exe
Token: SeRestorePrivilege	2780	WMIC.exe
Token: SeShutdownPrivilege	2780	WMIC.exe
Token: SeDebugPrivilege	2780	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2780	WMIC.exe
Token: SeRemoteShutdownPrivilege	2780	WMIC.exe
Token: SeUndockPrivilege	2780	WMIC.exe
Token: SeManageVolumePrivilege	2780	WMIC.exe
Token: 33	2780	WMIC.exe
Token: 34	2780	WMIC.exe
Token: 35	2780	WMIC.exe
Token: 36	2780	WMIC.exe
Token: SeDebugPrivilege	1664	tasklist.exe
Token: SeIncreaseQuotaPrivilege	812	WMIC.exe
Token: SeSecurityPrivilege	812	WMIC.exe
Token: SeTakeOwnershipPrivilege	812	WMIC.exe
Token: SeLoadDriverPrivilege	812	WMIC.exe
Token: SeSystemProfilePrivilege	812	WMIC.exe
Token: SeSystemtimePrivilege	812	WMIC.exe
Token: SeProfSingleProcessPrivilege	812	WMIC.exe
Token: SeIncBasePriorityPrivilege	812	WMIC.exe
Token: SeCreatePagefilePrivilege	812	WMIC.exe
Token: SeBackupPrivilege	812	WMIC.exe
Token: SeRestorePrivilege	812	WMIC.exe
Token: SeShutdownPrivilege	812	WMIC.exe
Token: SeDebugPrivilege	812	WMIC.exe
Token: SeSystemEnvironmentPrivilege	812	WMIC.exe
Token: SeRemoteShutdownPrivilege	812	WMIC.exe
Token: SeUndockPrivilege	812	WMIC.exe
Token: SeManageVolumePrivilege	812	WMIC.exe
Token: 33	812	WMIC.exe
Token: 34	812	WMIC.exe
Token: 35	812	WMIC.exe
Token: 36	812	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3200 wrote to memory of 3708	3200	msedge.exe	83
PID 3200 wrote to memory of 3708	3200	msedge.exe	83
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 372	3200	msedge.exe	85
PID 3200 wrote to memory of 3212	3200	msedge.exe	86
PID 3200 wrote to memory of 3212	3200	msedge.exe	86
PID 3200 wrote to memory of 3448	3200	msedge.exe	87
PID 3200 wrote to memory of 3448	3200	msedge.exe	87
PID 3200 wrote to memory of 3448	3200	msedge.exe	87
PID 3200 wrote to memory of 3448	3200	msedge.exe	87
PID 3200 wrote to memory of 3448	3200	msedge.exe	87
PID 3200 wrote to memory of 3448	3200	msedge.exe	87
PID 3200 wrote to memory of 3448	3200	msedge.exe	87
PID 3200 wrote to memory of 3448	3200	msedge.exe	87
PID 3200 wrote to memory of 3448	3200	msedge.exe	87
PID 3200 wrote to memory of 3448	3200	msedge.exe	87
PID 3200 wrote to memory of 3448	3200	msedge.exe	87
PID 3200 wrote to memory of 3448	3200	msedge.exe	87
PID 3200 wrote to memory of 3448	3200	msedge.exe	87
PID 3200 wrote to memory of 3448	3200	msedge.exe	87
PID 3200 wrote to memory of 3448	3200	msedge.exe	87
PID 3200 wrote to memory of 3448	3200	msedge.exe	87
PID 3200 wrote to memory of 3448	3200	msedge.exe	87
PID 3200 wrote to memory of 3448	3200	msedge.exe	87
PID 3200 wrote to memory of 3448	3200	msedge.exe	87
PID 3200 wrote to memory of 3448	3200	msedge.exe	87

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3528	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.mediafire.com/file/tp50tuigtmer22d/Exela.exe/file
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff276546f8,0x7fff27654708,0x7fff27654718
  2⤵
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,14436185589228477239,13949726441588292122,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
  2⤵
  PID:372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,14436185589228477239,13949726441588292122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2268 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,14436185589228477239,13949726441588292122,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  PID:3448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14436185589228477239,13949726441588292122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14436185589228477239,13949726441588292122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,14436185589228477239,13949726441588292122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,14436185589228477239,13949726441588292122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14436185589228477239,13949726441588292122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5756 /prefetch:1
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14436185589228477239,13949726441588292122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:1
  2⤵
  PID:4416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,14436185589228477239,13949726441588292122,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3492 /prefetch:8
  2⤵
  PID:904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14436185589228477239,13949726441588292122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2096,14436185589228477239,13949726441588292122,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5908 /prefetch:8
  2⤵
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14436185589228477239,13949726441588292122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4196 /prefetch:1
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14436185589228477239,13949726441588292122,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6196 /prefetch:1
  2⤵
  PID:3504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14436185589228477239,13949726441588292122,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,14436185589228477239,13949726441588292122,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,14436185589228477239,13949726441588292122,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5000 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5000
- C:\Users\Admin\Downloads\Exela.exe
  "C:\Users\Admin\Downloads\Exela.exe"
  2⤵
  - Executes dropped EXE
  PID:3008
- - C:\Users\Admin\Downloads\Exela.exe
    "C:\Users\Admin\Downloads\Exela.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4716
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:744
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:4276
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        Suspicious use of AdjustPrivilegeToken
        
        PID:812
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
      4⤵
      PID:3016
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "gdb --version"
      4⤵
      PID:3424
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:2152
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
      4⤵
      PID:2476
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        5⤵
        
        PID:2084
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:4312
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:4860
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:2004
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:5000
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
      4⤵
      Hide Artifacts: Hidden Files and Directories
      PID:4644
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
        5⤵
        Views/modifies file attributes
        
        PID:3528
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
      4⤵
      PID:2084
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:3016
    - - C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
        5⤵
        
        PID:4832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:3892
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:4060
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3200"
      4⤵
      PID:4568
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3200
        5⤵
        Kills process with taskkill
        
        PID:4856
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3708"
      4⤵
      PID:1676
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3708
        5⤵
        Kills process with taskkill
        
        PID:4108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 372"
      4⤵
      PID:3424
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 372
        5⤵
        Kills process with taskkill
        
        PID:3880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3212"
      4⤵
      PID:512
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3212
        5⤵
        Kills process with taskkill
        
        PID:2948
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3448"
      4⤵
      PID:4744
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3448
        5⤵
        Kills process with taskkill
        
        PID:1228
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5016"
      4⤵
      PID:3456
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5016
        5⤵
        Kills process with taskkill
        
        PID:2832
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4416"
      4⤵
      PID:1936
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4416
        5⤵
        Kills process with taskkill
        
        PID:4724
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3112"
      4⤵
      PID:3680
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3112
        5⤵
        Kills process with taskkill
        
        PID:3392
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4652"
      4⤵
      PID:2552
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4652
        5⤵
        Kills process with taskkill
        
        PID:1556
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      PID:3448
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        
        PID:60
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:2128
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      PID:3468
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        
        PID:4640
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:4440
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:3760
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:3240
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
      4⤵
      Clipboard Data
      PID:2228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        5⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:3420
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2284
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4532
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
      4⤵
      Network Service Discovery
      PID:3056
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:3892
    - - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        5⤵
        
        PID:3624
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        5⤵
        Collects information from the system
        
        PID:3872
    - - C:\Windows\system32\net.exe
        
        net user
        5⤵
        
        PID:2488
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        6⤵
        
        PID:4904
    - - C:\Windows\system32\query.exe
        
        query user
        5⤵
        
        PID:1504
      - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        6⤵
        
        PID:2552
    - - C:\Windows\system32\net.exe
        
        net localgroup
        5⤵
        
        PID:3764
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        6⤵
        
        PID:2184
    - - C:\Windows\system32\net.exe
        
        net localgroup administrators
        5⤵
        
        PID:4428
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        6⤵
        
        PID:2860
    - - C:\Windows\system32\net.exe
        
        net user guest
        5⤵
        
        PID:4488
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        6⤵
        
        PID:804
    - - C:\Windows\system32\net.exe
        
        net user administrator
        5⤵
        
        PID:1844
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        6⤵
        
        PID:1744
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        5⤵
        
        PID:916
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        5⤵
        Enumerates processes with tasklist
        
        PID:1860
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:2852
    - - C:\Windows\system32\ROUTE.EXE
        
        route print
        5⤵
        
        PID:4640
    - - C:\Windows\system32\ARP.EXE
        
        arp -a
        5⤵
        Network Service Discovery
        
        PID:60
    - - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        5⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:3468
    - - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        5⤵
        Launches sc.exe
        
        PID:1544
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4980
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4008
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:4612
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:2436
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:3136
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:3628
- C:\Users\Admin\Downloads\Exela.exe
  "C:\Users\Admin\Downloads\Exela.exe"
  2⤵
  - Executes dropped EXE
  PID:4376
- - C:\Users\Admin\Downloads\Exela.exe
    "C:\Users\Admin\Downloads\Exela.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:4660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2960

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
07ce0e1966302084a469721cf15f9188

SHA1
386522217c3910aa951e0a455fb58554cbf1f03c

SHA256
ca4bdd4044dc336f6f646d5663410944d95a0135aa48199195eee86cd4faee0c

SHA512
39c54ae6356f921913dbf0d3b6762d59d93aaec3966edc8882d6a2cca22d0e48202e5cfcae74f825aa20b9cb00a04db84446b9c848d232676d875bd33c1fd753

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
72141fa9ec215e8d1dfa7bffddb70e79

SHA1
b601f178c6d44f0a98851d1fb8b91b814683cb84

SHA256
8ce343a0215a0e48b067665ae7fb6dc53b2e0dd31a20b743464269650a9ba94f

SHA512
9b5b94401488270deed3d81700ce114055592ac20ba1db5d01b208a83a07835e8ff6078bb7c7eada3cce413716266db0aa7a4a986e8bfebbdab3a6f35b1e99cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
50fe8cf5f80e089a38f7f7472f627be6

SHA1
03656eccfe2bc1fccad405c368f71e6edea0a0f2

SHA256
22f550d2e8ca691b8d54280a50efa0851a51e763c06291243fae553661f06455

SHA512
344c91ecc7815480a8fe7a32e5dd476ebf840695cb40575c99cbfa688412fc241af692419b01f522aa7a27232b60b20e18c51f8ffbcab876abe2d2d3b34fd72f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
da69ee5e9fb486ac23e253383750de20

SHA1
5895611f2e935f3575f237421b41e56407c11f97

SHA256
3cac5a80edaabe05ace9f0219322037f9bdf348a1358e45386878296489c1342

SHA512
ae77ff4b8629f934d07da76259976146ab6d0ff7ee31effa727a1e3c12fae85692d24bd1c0ecc9521732279d85cfa7de0150d0381f576cc30ebca14c2245e8c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9c707455486f9bfab69b42998e62582e

SHA1
d902306811f5d89e238ddae94071a43f34e00f8c

SHA256
473511e71988aeb53e07278e433ac5e3ac9e24aebbf27c802460fec7b60cf337

SHA512
0798df025795bce784aad6e8acee7bbe9dc8332a90c3b0afe5f13876c10336a316bfbf2d3fca596c2cc2df241bd19ebe323d252b53c83aa29eb32bb83d16b38d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
38bcac90d0aaed5add28b3951a90d167

SHA1
4ec80b02e27a923efb416c5512d7ef3bca47eae0

SHA256
46c73190fdc93fa33fb5d85cb44fbcebe4a782f3aa227f23a7f0d0f8d8cfc5f2

SHA512
144648fa24d0ce2da0a10f1e9ea5abff7eeb8f7edcc2ac55d520b214e1157739d9524a5ee8a54a43c14b6a69d74772e193c5a1f5cec11cd4252d8bcb3ca56f02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a7c9dce47dce5290c0083ea11089bb7d

SHA1
62a2e9cc400c9a8d80ee3783b8d605d244418fe8

SHA256
6cbe0b65c58d6e30fe3d28cc47b16f84457f31b39b96f9bf083df7034db2d152

SHA512
f1f20a4af290072a5af58cf06a079883ecfe01c531fb044bb571c727bb51327c6cec1fff300c18112008d8319b7451be741d9dc8a2638ad2e7774b838334261f

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\BackupClear.cab

Filesize
860KB

MD5
35d1b4dd001cbca9b7bc4cc45181dd01

SHA1
f31211ac1b5213b21f455983f9c9621d9d291898

SHA256
2be21fff4f6a9389ac186e604c9a8388a62be024239d3bcb9e96ca811a46523f

SHA512
51dbddb473564f91b5b7465dc338278c9156f62d32bd7a0cdc52d26090e265196339b9add20d294dcc0a80a4f51da9e70ec590f258964e5d349f73d2038a6a84

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\FormatRepair.png

Filesize
528KB

MD5
46bd93740394f4ff2e1a892ca71fed27

SHA1
5d14f5e3471602a2bbd4daa92c983fc4c6808098

SHA256
ed464da1758beea7206c5028da4a847b08a9337e2aaeb2fb8e7c773a0c81c4b9

SHA512
42396919f68391fcc48c40a87452a3b4bc9cba40e4ca4a9a4fdce2f74a4a8f1991f7e9f9ec8eea4290b0b0e674eac958153fa0af91c48158b399a65ac580159d

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\ReceiveStop.xlsx

Filesize
12KB

MD5
1eb75ec8811b167f77d41f7575080e40

SHA1
e8b522c9124cdd2d7045cdac20c3ba84b0ebc875

SHA256
15af5c650b0022040fc2f5b5ab24135a9c4f3c144927b4dea760e2130fbf3c82

SHA512
54519e8726c30a7e465b1fb0d8724db697d55ca66ddb0a7541cbf2a778de030a0d7a2cfa2d69225379094e3ca26340f1d32390195f5e570a0309d6c3a4bde2a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\ResolveUse.docx

Filesize
16KB

MD5
2fb65dd646a8a5f554fb0a28d52a02d0

SHA1
6d4886ace445b1eedffe7c4393a9b8b6b0979310

SHA256
ab1234f7783a4b6c770ee9e37275c85aa507ca8d1481b6be3c042c7b9afd8fd4

SHA512
9d06521394d3df79ef1ee4be195c49ded417e28c4d89f68d8da83bb28de037de2079eea392eb5bb3eac2c346d8d4dc00cad02def66752cb5ba7ebd00da24589e

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\SubmitExpand.docx

Filesize
18KB

MD5
401ca81b730032ed05d574ac2e125b37

SHA1
e3c539b6028cab8fd8b1a8f6e00e78b805939923

SHA256
44545f4cd6dacc1fc7ef67bb182d54d5a4506b67e5680334315069d98b821b56

SHA512
8f0d5cb3754f6d0db3b4a3069440646a0a608aa0a48470efd0f9da87aa2a999e24d429c952f2f15abae4c40f2a7b0f9112b1b721d30bdc093574ba12db3f4e74

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\ClearMerge.docx

Filesize
16KB

MD5
8d263a897caa1efdc587cfa4818683c4

SHA1
7319210e21f35848c0a569b16666b45190826dcc

SHA256
86ca53e2d4f0ce8215db09a8766120b45e4722e7bf5c5eb01d203f3efd2f8ab8

SHA512
8307e5082ef3afde78fe3cf2de1d05ff5dc1a30927ad0325e5e18e9248434ae4fedf30fb5ce147a284ce4e484305a8078c6a6188abd2d1e2836bc91bf03a8dba

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\EditPublish.docx

Filesize
17KB

MD5
0072d43ba6d0f5a4943682b969207ea2

SHA1
4054776d23b15416fd1397b9e4822402bf99ec56

SHA256
50b11b07649c38f731eb235f8bf01f6c7ed45db216599a773f5c8c7e1630e67f

SHA512
09e65cbc4081ab866c0f4b106b0a790699992cb4a70fb3b228974a2bb04e8149152e561ae5a61886e09121d4a5e0b49497b7561f4adabe6d4db8eac6f52fa135

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\EnterInstall.csv

Filesize
436KB

MD5
7a41d4208961b43a2d6c907c09bf2a89

SHA1
b5de7a85be86f6852667b1ced0894310dc055d9e

SHA256
ec5be20c93acc964a790c54431b028063491d85d5097ca6ca16cb5e367966bd6

SHA512
7318fd5f6e5b1b1504f4248712745e593046f0def8f718cb43ea2664b4a365ffa93e8b06d5467dcb8704f430b6a25b0e352fa21e8ac9530923c20c1ec67dcfcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\ExitUnregister.pdf

Filesize
446KB

MD5
01c9b86f91facd58b49770241ec17a4c

SHA1
c13c660fb895c2dbfdcc3aceb1852924a5da7daa

SHA256
b5dd84e500fd01125f924a9b6dfd0fabdb64e5b7f931bbce2830c9e487681bd3

SHA512
177a5da24891e0f3ed2c8b58060ef204fb0f1a7cd1e18298ef56301ee82c19898c8795df82a7456d8ec0fc44b517affe7a97042d4d6d4ab723597dc09ae747cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\RegisterReset.docx

Filesize
13KB

MD5
a71256a0585077d9a807777e30a3719c

SHA1
caae6e2819736aa0605159181436064e3680e22b

SHA256
78e916b449c7686728b97627979c985dba9d425001d53b12689b0576f9efabfc

SHA512
105243bbd079c1023235edaad321dd087a5a87c83069fb1c3ab8972775ea846637dfa0737cc8e0624b54be2e6dd5c9bc7970419f8452e430a9ee3ab612dc0d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\SendBackup.xml

Filesize
238KB

MD5
381751be053c2b1bad06dfcdc5423c6d

SHA1
765ea3070ce604c4627f0f95bac046cd557ef9ca

SHA256
16c0552431b75f8c3d7e028c21a97883c2b452dbf6345fdb9dfdb15872c50dee

SHA512
7efc1adbcd1a5f9ae7113ba11c99012260ffaf7eca2c9e1f469f170bd88285ef96ff318805daca1f0cfa6b44c921e4fe714ba7730d8e2c5036f358b18cc166dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\SetPush.xlsx

Filesize
11KB

MD5
f70376329247cbcd807d81b546c63008

SHA1
b12d84bf5d86a5b48527ee608ca89cce07cf61f7

SHA256
1b7534499fbd045b16870b69698e6467564129b4c2e50fcbad4620eb2ed8c5fc

SHA512
cdccedd27a8ca3497dfd347388114df41512ed75c6928acfe5d6225472d4dfa332948f4135066c369febbd500152c4fa42f89ffabfefe664ea0fbf65de633448

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\BackupRequest.svg

Filesize
615KB

MD5
1a3597280a514a18a70e05241e1fb4b1

SHA1
bd56f09010deac0423f7c2fed91101bd716118f4

SHA256
38dabb8fd8dc3361ccb3da79d691a48b969d258971a4f09d3ee7a07cba7a5c0f

SHA512
7180727bf619b6d64441a564efc243458d4c5505d0a6f70f10c164a0fff52f243ed2228483995efb6c314f547ca5910b4082aa2c9be98e234e5153d99fee5f8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\OpenBackup.vdw

Filesize
514KB

MD5
94d3d06d4fcaeb2340f05b7a0180cf9c

SHA1
2d6dd46ddbec19c1d265dd2836245ee46549a5c4

SHA256
83d86f338f2513b9dd11805cfccce623fba193b7c7979d189e3cbedba0e58885

SHA512
bf01ad76d362b1e61067a493da1dd283292e33a49c661091668130784675a4c0453e99307fa7eb8d79e5bc42a056cff56344ac445b4d8b8f8be13af32eb50653

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\TestRedo.mp3

Filesize
817KB

MD5
0a319546f75ccd8141d8d8fd17f5c361

SHA1
6a9d67959237015efc52fd3f6aa7116089b41b3a

SHA256
9368f1f52b13ba90021081d42e62ed0d6f99915fbd7c7f4176294a6790782f3f

SHA512
3768dec09dfbe0bed5ef39eaf087920afb9741dfb2c674cd3bf0b87320a7c6bcd0744ef66a19832f588eb5ec65d12321fdc992842e884f07362776bd9d384c49

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\DisconnectSend.csv

Filesize
517KB

MD5
586cb630391a9c3f981b5c95c93b59fd

SHA1
e90b2498d884185c9c846091bc4a3b3bf94a50fb

SHA256
86315d7acc44ffde4b9c15bb214bb9d172339456d735c0c828da9990b58680ce

SHA512
1bd337d0a7695234e61bf3876880e0e0f7286caddcd3a8f00b452381eef4457c7ac8976c2ee8b3644a2ea6bec2f0472507c8e5401e832b7958f134ceec53450b

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\MergeResize.mp4

Filesize
1.1MB

MD5
8c28b52909428de39ef8731df192dc89

SHA1
7fcba9cc0b5537536378ae53768575900566da2a

SHA256
3c9393a20c7ad0873dfca94c97a73a0d5146545991f9fc0cfce3a69ad3d330b4

SHA512
c0bdc03994dd1d62fb63c7c4f43a74056aba6a41abf8467a0414fe7dfa2ea7a31184eb59ef512c8043d9926cd58a564559bdbe6789b3a4a40bc6b194465d9131

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\ReadGet.jpg

Filesize
976KB

MD5
f563c8ca31b01ff288e3d6ba2fe88e09

SHA1
99a281296fb2457bade749f9f4fc9f6126a26c32

SHA256
64bbea4e1b83664814d3391c27629d8bea0ef5459977c86568a00e1487fa945a

SHA512
d977a8be67ebd6bbf448e7818ace29289db5c6bdc15e612e7336b6d0a563055d615ddb021d363d9a2cf58223e516a8a74eee7c3460d9ff01de25acc1fd2c5bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\RegisterInvoke.png

Filesize
862KB

MD5
3cbf651076ec2921cd7ac39b8f8f1096

SHA1
c4796878217b6e4f98006c1d6478f3afa71ff5b4

SHA256
b86f6eacd882f409b5cb7669fba30cc6222b04194c2b816b0d0ee8b0ebcad08d

SHA512
4d83c7969e3b034f4940901bfdb5f1f807e7a10a1b08bddd40571b4499d0257d18a04b0048e19bee8986784770db9e7cfc377a8f3e6a8aaa5d9a77609346b71b

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\DebugBackup.jpg

Filesize
992KB

MD5
8108d8e8551ac27a65a5bce83e5a200b

SHA1
02eb00a87a8727b7215227293245186f5bed1200

SHA256
de611a185193f99b0b3ad8b5d5cd486530ed65367339b0ea4e67cb2373ca338c

SHA512
05d592c0ab400ff05b80a2f9e09d0048fb87116f4c2f302a61b9beeb81b802a682d58506315077e1099b2ff4b5e7515ed51637429275b5555602accd41d0fcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\WaitSet.png

Filesize
794KB

MD5
aca4cc520560406497d61bbf72efc587

SHA1
6fa9619bfa9cf08cc5c78e2323e64fd1ac187f7d

SHA256
7b902dbc4411666e87d4e308f6330aa67b36fa5fd461f8f45b58205269c22fce

SHA512
80892b11d52753d400413270bd17b06b2fb1e843d9d1eabebd4d8eb512b5df15f9748e77fd56dfe00da7bb9e81090f72da9e57207c0d0fbc86bb292762f5d28f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30082\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30082\_ctypes.pyd

Filesize
58KB

MD5
7c1116e1656d8ab1192d927e8dd9607e

SHA1
5df70de7ed358a5cf95d3ef16bdd53db74c1e2f0

SHA256
a0ab67ea3f27337ed0873d07901eff16f0e6eb58fa7436bb0bde15a35516acc3

SHA512
004bdff5a4d76ad0d7ca3b000615de904660abccc737b3aadfee5488155e3f55612aed2bc7c1e14db07e7e784f35b779abcfe5217ea972a1bc6dd0bafad04699

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30082\api-ms-win-core-console-l1-1-0.dll

Filesize
21KB

MD5
e8b9d74bfd1f6d1cc1d99b24f44da796

SHA1
a312cfc6a7ed7bf1b786e5b3fd842a7eeb683452

SHA256
b1b3fd40ab437a43c8db4994ccffc7f88000cc8bb6e34a2bcbff8e2464930c59

SHA512
b74d9b12b69db81a96fc5a001fd88c1e62ee8299ba435e242c5cb2ce446740ed3d8a623e1924c2bc07bfd9aef7b2577c9ec8264e53e5be625f4379119bafcc27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30082\api-ms-win-core-datetime-l1-1-0.dll

Filesize
21KB

MD5
cfe0c1dfde224ea5fed9bd5ff778a6e0

SHA1
5150e7edd1293e29d2e4d6bb68067374b8a07ce6

SHA256
0d0f80cbf476af5b1c9fd3775e086ed0dfdb510cd0cc208ec1ccb04572396e3e

SHA512
b0e02e1f19cfa7de3693d4d63e404bdb9d15527ac85a6d492db1128bb695bffd11bec33d32f317a7615cb9a820cd14f9f8b182469d65af2430ffcdbad4bd7000

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30082\api-ms-win-core-debug-l1-1-0.dll

Filesize
21KB

MD5
33bbece432f8da57f17bf2e396ebaa58

SHA1
890df2dddfdf3eeccc698312d32407f3e2ec7eb1

SHA256
7cf0944901f7f7e0d0b9ad62753fc2fe380461b1cce8cdc7e9c9867c980e3b0e

SHA512
619b684e83546d97fc1d1bc7181ad09c083e880629726ee3af138a9e4791a6dcf675a8df65dc20edbe6465b5f4eac92a64265df37e53a5f34f6be93a5c2a7ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30082\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
21KB

MD5
eb0978a9213e7f6fdd63b2967f02d999

SHA1
9833f4134f7ac4766991c918aece900acfbf969f

SHA256
ab25a1fe836fc68bcb199f1fe565c27d26af0c390a38da158e0d8815efe1103e

SHA512
6f268148f959693ee213db7d3db136b8e3ad1f80267d8cbd7d5429c021adaccc9c14424c09d527e181b9c9b5ea41765aff568b9630e4eb83bfc532e56dfe5b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30082\api-ms-win-core-file-l1-1-0.dll

Filesize
25KB

MD5
efad0ee0136532e8e8402770a64c71f9

SHA1
cda3774fe9781400792d8605869f4e6b08153e55

SHA256
3d2c55902385381869db850b526261ddeb4628b83e690a32b67d2e0936b2c6ed

SHA512
69d25edf0f4c8ac5d77cb5815dfb53eac7f403dc8d11bfe336a545c19a19ffde1031fa59019507d119e4570da0d79b95351eac697f46024b4e558a0ff6349852

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30082\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
1c58526d681efe507deb8f1935c75487

SHA1
0e6d328faf3563f2aae029bc5f2272fb7a742672

SHA256
ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

SHA512
8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30082\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30082\api-ms-win-core-handle-l1-1-0.dll

Filesize
21KB

MD5
e89cdcd4d95cda04e4abba8193a5b492

SHA1
5c0aee81f32d7f9ec9f0650239ee58880c9b0337

SHA256
1a489e0606484bd71a0d9cb37a1dc6ca8437777b3d67bfc8c0075d0cc59e6238

SHA512
55d01e68c8c899e99a3c62c2c36d6bcb1a66ff6ecd2636d2d0157409a1f53a84ce5d6f0c703d5ed47f8e9e2d1c9d2d87cc52585ee624a23d92183062c999b97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30082\api-ms-win-core-heap-l1-1-0.dll

Filesize
21KB

MD5
accc640d1b06fb8552fe02f823126ff5

SHA1
82ccc763d62660bfa8b8a09e566120d469f6ab67

SHA256
332ba469ae84aa72ec8cce2b33781db1ab81a42ece5863f7a3cb5a990059594f

SHA512
6382302fb7158fc9f2be790811e5c459c5c441f8caee63df1e09b203b8077a27e023c4c01957b252ac8ac288f8310bcee5b4dcc1f7fc691458b90cdfaa36dcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30082\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
21KB

MD5
c6024cc04201312f7688a021d25b056d

SHA1
48a1d01ae8bc90f889fb5f09c0d2a0602ee4b0fd

SHA256
8751d30df554af08ef42d2faa0a71abcf8c7d17ce9e9ff2ea68a4662603ec500

SHA512
d86c773416b332945acbb95cbe90e16730ef8e16b7f3ccd459d7131485760c2f07e95951aeb47c1cf29de76affeb1c21bdf6d8260845e32205fe8411ed5efa47

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30082\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
21KB

MD5
1f2a00e72bc8fa2bd887bdb651ed6de5

SHA1
04d92e41ce002251cc09c297cf2b38c4263709ea

SHA256
9c8a08a7d40b6f697a21054770f1afa9ffb197f90ef1eee77c67751df28b7142

SHA512
8cf72df019f9fc9cd22ff77c37a563652becee0708ff5c6f1da87317f41037909e64dcbdcc43e890c5777e6bcfa4035a27afc1aeeb0f5deba878e3e9aef7b02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30082\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
724223109e49cb01d61d63a8be926b8f

SHA1
072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

SHA256
4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

SHA512
19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30082\api-ms-win-core-memory-l1-1-0.dll

Filesize
21KB

MD5
3c38aac78b7ce7f94f4916372800e242

SHA1
c793186bcf8fdb55a1b74568102b4e073f6971d6

SHA256
3f81a149ba3862776af307d5c7feef978f258196f0a1bf909da2d3f440ff954d

SHA512
c2746aa4342c6afffbd174819440e1bbf4371a7fed29738801c75b49e2f4f94fd6d013e002bad2aadafbc477171b8332c8c5579d624684ef1afbfde9384b8588

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30082\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
21KB

MD5
321a3ca50e80795018d55a19bf799197

SHA1
df2d3c95fb4cbb298d255d342f204121d9d7ef7f

SHA256
5476db3a4fecf532f96d48f9802c966fdef98ec8d89978a79540cb4db352c15f

SHA512
3ec20e1ac39a98cb5f726d8390c2ee3cd4cd0bf118fdda7271f7604a4946d78778713b675d19dd3e1ec1d6d4d097abe9cd6d0f76b3a7dff53ce8d6dbc146870a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30082\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
21KB

MD5
0462e22f779295446cd0b63e61142ca5

SHA1
616a325cd5b0971821571b880907ce1b181126ae

SHA256
0b6b598ec28a9e3d646f2bb37e1a57a3dda069a55fba86333727719585b1886e

SHA512
07b34dca6b3078f7d1e8ede5c639f697c71210dcf9f05212fd16eb181ab4ac62286bc4a7ce0d84832c17f5916d0224d1e8aab210ceeff811fc6724c8845a74fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30082\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
21KB

MD5
c3632083b312c184cbdd96551fed5519

SHA1
a93e8e0af42a144009727d2decb337f963a9312e

SHA256
be8d78978d81555554786e08ce474f6af1de96fcb7fa2f1ce4052bc80c6b2125

SHA512
8807c2444a044a3c02ef98cf56013285f07c4a1f7014200a21e20fcb995178ba835c30ac3889311e66bc61641d6226b1ff96331b019c83b6fcc7c87870cce8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30082\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
517eb9e2cb671ae49f99173d7f7ce43f

SHA1
4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab

SHA256
57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54

SHA512
492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30082\api-ms-win-core-profile-l1-1-0.dll

Filesize
21KB

MD5
f3ff2d544f5cd9e66bfb8d170b661673

SHA1
9e18107cfcd89f1bbb7fdaf65234c1dc8e614add

SHA256
e1c5d8984a674925fa4afbfe58228be5323fe5123abcd17ec4160295875a625f

SHA512
184b09c77d079127580ef80eb34bded0f5e874cefbe1c5f851d86861e38967b995d859e8491fcc87508930dc06c6bbf02b649b3b489a1b138c51a7d4b4e7aaad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30082\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
21KB

MD5
a0c2dbe0f5e18d1add0d1ba22580893b

SHA1
29624df37151905467a223486500ed75617a1dfd

SHA256
3c29730df2b28985a30d9c82092a1faa0ceb7ffc1bd857d1ef6324cf5524802f

SHA512
3e627f111196009380d1687e024e6ffb1c0dcf4dcb27f8940f17fec7efdd8152ff365b43cb7fdb31de300955d6c15e40a2c8fb6650a91706d7ea1c5d89319b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30082\api-ms-win-core-string-l1-1-0.dll

Filesize
21KB

MD5
2666581584ba60d48716420a6080abda

SHA1
c103f0ea32ebbc50f4c494bce7595f2b721cb5ad

SHA256
27e9d3e7c8756e4512932d674a738bf4c2969f834d65b2b79c342a22f662f328

SHA512
befed15f11a0550d2859094cc15526b791dadea12c2e7ceb35916983fb7a100d89d638fb1704975464302fae1e1a37f36e01e4bef5bc4924ab8f3fd41e60bd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30082\api-ms-win-core-synch-l1-1-0.dll

Filesize
21KB

MD5
225d9f80f669ce452ca35e47af94893f

SHA1
37bd0ffc8e820247bd4db1c36c3b9f9f686bbd50

SHA256
61c0ebe60ce6ebabcb927ddff837a9bf17e14cd4b4c762ab709e630576ec7232

SHA512
2f71a3471a9868f4d026c01e4258aff7192872590f5e5c66aabd3c088644d28629ba8835f3a4a23825631004b1afd440efe7161bb9fc7d7c69e0ee204813ca7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30082\api-ms-win-core-synch-l1-2-0.dll

Filesize
21KB

MD5
1281e9d1750431d2fe3b480a8175d45c

SHA1
bc982d1c750b88dcb4410739e057a86ff02d07ef

SHA256
433bd8ddc4f79aee65ca94a54286d75e7d92b019853a883e51c2b938d2469baa

SHA512
a954e6ce76f1375a8beac51d751b575bbc0b0b8ba6aa793402b26404e45718165199c2c00ccbcba3783c16bdd96f0b2c17addcc619c39c8031becebef428ce77

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30082\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
21KB

MD5
fd46c3f6361e79b8616f56b22d935a53

SHA1
107f488ad966633579d8ec5eb1919541f07532ce

SHA256
0dc92e8830bc84337dcae19ef03a84ef5279cf7d4fdc2442c1bc25320369f9df

SHA512
3360b2e2a25d545ccd969f305c4668c6cda443bbdbd8a8356ffe9fbc2f70d90cf4540f2f28c9ed3eea6c9074f94e69746e7705e6254827e6a4f158a75d81065b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30082\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
d12403ee11359259ba2b0706e5e5111c

SHA1
03cc7827a30fd1dee38665c0cc993b4b533ac138

SHA256
f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781

SHA512
9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30082\base_library.zip

Filesize
1.4MB

MD5
b8c83ea24ecac970730a1821796e4554

SHA1
e2d7fd9659a042ae7e8772798da4e486e4b5cbb6

SHA256
0ca9f36dd9ade9b208a1ac5a2f33cdd4d6abb99378bbfdfddf7be20d62b3f6f2

SHA512
9e03b9d6e05da7c530319e9b0689c6cef03c518efbb30cd9535f73b98bd0dbdbf8d7670201456c673fa95342bb657ded95c5f16b842bd1958360439f10dd6471

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30082\libffi-8.dll

Filesize
29KB

MD5
0d1c6b92d091cef3142e32ac4e0cc12e

SHA1
440dad5af38035cb0984a973e1f266deff2bd7fc

SHA256
11ee9c7fb70c3756c0392843245935517171b95cc5ba0d696b2c1742c8d46fb6

SHA512
5d514ecab93941e83c008f0e9749f99e330949580884bf4850b11cac08fe1ac4ac50033e8888045fe4a9d8b4d2e3ea667b39be18f77266d00f8d7d6797260233

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30082\python3.dll

Filesize
65KB

MD5
35da4143951c5354262a28dee569b7b2

SHA1
b07cb6b28c08c012eecb9fd7d74040163cdf4e0e

SHA256
920350a7c24c46339754e38d0db34ab558e891da0b3a389d5230a0d379bee802

SHA512
2976667732f9ee797b7049d86fd9beeb05409adb7b89e3f5b1c875c72a4076cf65c762632b7230d7f581c052fce65bb91c1614c9e3a52a738051c3bc3d167a23

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30082\python311.dll

Filesize
1.6MB

MD5
476ab587f630eb4f9c21e88a065828b0

SHA1
d563e0d67658861a5c8d462fcfa675a6840b2758

SHA256
7cf19201904e4e7db4e5e44cd92d223fb94ddd43da04a03d11e388bf41686b8b

SHA512
3d67e49a09777e6fab36c37cf3a7c2768382eb1c850638b0064e2b00479f74251bb70290fe62971944344ee88b7803ee1697a374a62c7f7c45a556c820800676

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI30082\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qipx4kab.iu4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 852302.crdownload

Filesize
12.0MB

MD5
3ce806a8c31f9b2aace5f94ba0af1dab

SHA1
3825fc38e5db71ed45b05b4c1c948ee7c6a26b3b

SHA256
662fca620891daff924f0c9d8e76bed9552c92da6753649d7e315c1f80c19524

SHA512
516423024a494aeb07d025a633736d55c364cf233b6c6bc64d9b343615d971b8706c38f166d0e6cb643dbfc10cbd13e1d8ccdc3f81cc976b3f5390ea53ed0de6

Download Submit
memory/3420-608-0x0000022A42630000-0x0000022A42652000-memory.dmp

Filesize
136KB

Download
memory/4716-446-0x000001E4A5810000-0x000001E4A5D39000-memory.dmp

Filesize
5.2MB

Download
memory/4716-463-0x00007FFF21180000-0x00007FFF211B3000-memory.dmp

Filesize
204KB

Download
memory/4716-477-0x00007FFF209B0000-0x00007FFF20ACC000-memory.dmp

Filesize
1.1MB

Download
memory/4716-913-0x00007FFF239E0000-0x00007FFF23A04000-memory.dmp

Filesize
144KB

Download
memory/4716-914-0x00007FFF356A0000-0x00007FFF356AD000-memory.dmp

Filesize
52KB

Download
memory/4716-915-0x00007FFF20860000-0x00007FFF20897000-memory.dmp

Filesize
220KB

Download
memory/4716-916-0x00007FFF3DD80000-0x00007FFF3DD8D000-memory.dmp

Filesize
52KB

Download
memory/4716-918-0x00007FFF209B0000-0x00007FFF20ACC000-memory.dmp

Filesize
1.1MB

Download
memory/4716-919-0x00007FFF213C0000-0x00007FFF213D9000-memory.dmp

Filesize
100KB

Download
memory/4716-920-0x00007FFF37FA0000-0x00007FFF37FAF000-memory.dmp

Filesize
60KB

Download
memory/4716-469-0x00007FFF20860000-0x00007FFF20897000-memory.dmp

Filesize
220KB

Download
memory/4716-468-0x00007FFF20AD0000-0x00007FFF20AF2000-memory.dmp

Filesize
136KB

Download
memory/4716-467-0x00007FFF210B0000-0x00007FFF2117D000-memory.dmp

Filesize
820KB

Download
memory/4716-465-0x00007FFF20B80000-0x00007FFF210A9000-memory.dmp

Filesize
5.2MB

Download
memory/4716-462-0x00007FFF208A0000-0x00007FFF208BE000-memory.dmp

Filesize
120KB

Download
memory/4716-461-0x00007FFF21340000-0x00007FFF21363000-memory.dmp

Filesize
140KB

Download
memory/4716-460-0x00007FFF208C0000-0x00007FFF208F2000-memory.dmp

Filesize
200KB

Download
memory/4716-459-0x00007FFF20900000-0x00007FFF20911000-memory.dmp

Filesize
68KB

Download
memory/4716-458-0x00007FFF20920000-0x00007FFF2096D000-memory.dmp

Filesize
308KB

Download
memory/4716-453-0x00007FFF20B60000-0x00007FFF20B75000-memory.dmp

Filesize
84KB

Download
memory/4716-452-0x00007FFF20AD0000-0x00007FFF20AF2000-memory.dmp

Filesize
136KB

Download
memory/4716-451-0x00007FFF20B00000-0x00007FFF20B14000-memory.dmp

Filesize
80KB

Download
memory/4716-450-0x00007FFF20B20000-0x00007FFF20B34000-memory.dmp

Filesize
80KB

Download
memory/4716-449-0x00007FFF20B40000-0x00007FFF20B52000-memory.dmp

Filesize
72KB

Download
memory/4716-448-0x00007FFF20B80000-0x00007FFF210A9000-memory.dmp

Filesize
5.2MB

Download
memory/4716-447-0x00007FFF210B0000-0x00007FFF2117D000-memory.dmp

Filesize
820KB

Download
memory/4716-921-0x00007FFF210B0000-0x00007FFF2117D000-memory.dmp

Filesize
820KB

Download
memory/4716-922-0x00007FFF21370000-0x00007FFF2139D000-memory.dmp

Filesize
180KB

Download
memory/4716-442-0x00007FFF211C0000-0x00007FFF21336000-memory.dmp

Filesize
1.5MB

Download
memory/4716-440-0x00007FFF21370000-0x00007FFF2139D000-memory.dmp

Filesize
180KB

Download
memory/4716-923-0x00007FFF21340000-0x00007FFF21363000-memory.dmp

Filesize
140KB

Download
memory/4716-437-0x00007FFF356A0000-0x00007FFF356AD000-memory.dmp

Filesize
52KB

Download
memory/4716-436-0x00007FFF213C0000-0x00007FFF213D9000-memory.dmp

Filesize
100KB

Download
memory/4716-435-0x00007FFF22360000-0x00007FFF22950000-memory.dmp

Filesize
5.9MB

Download
memory/4716-924-0x00007FFF211C0000-0x00007FFF21336000-memory.dmp

Filesize
1.5MB

Download
memory/4716-925-0x00007FFF21180000-0x00007FFF211B3000-memory.dmp

Filesize
204KB

Download
memory/4716-926-0x00007FFF20B60000-0x00007FFF20B75000-memory.dmp

Filesize
84KB

Download
memory/4716-917-0x00007FFF213A0000-0x00007FFF213B9000-memory.dmp

Filesize
100KB

Download
memory/4716-912-0x00007FFF22360000-0x00007FFF22950000-memory.dmp

Filesize
5.9MB

Download
memory/4716-378-0x00007FFF22360000-0x00007FFF22950000-memory.dmp

Filesize
5.9MB

Download
memory/4716-422-0x00007FFF239E0000-0x00007FFF23A04000-memory.dmp

Filesize
144KB

Download
memory/4716-421-0x00007FFF37FA0000-0x00007FFF37FAF000-memory.dmp

Filesize
60KB

Download
memory/4716-438-0x00007FFF213A0000-0x00007FFF213B9000-memory.dmp

Filesize
100KB

Download
memory/4716-441-0x00007FFF21340000-0x00007FFF21363000-memory.dmp

Filesize
140KB

Download
memory/4716-444-0x00007FFF21180000-0x00007FFF211B3000-memory.dmp

Filesize
204KB

Download
memory/4716-456-0x00007FFF20990000-0x00007FFF209AB000-memory.dmp

Filesize
108KB

Download
memory/4716-455-0x00007FFF213C0000-0x00007FFF213D9000-memory.dmp

Filesize
100KB

Download
memory/4716-454-0x00007FFF209B0000-0x00007FFF20ACC000-memory.dmp

Filesize
1.1MB

Download
memory/4716-457-0x00007FFF20970000-0x00007FFF20989000-memory.dmp

Filesize
100KB

Download
memory/4716-464-0x000001E4A5810000-0x000001E4A5D39000-memory.dmp

Filesize
5.2MB

Download
memory/4716-466-0x00007FFF1D920000-0x00007FFF1E11B000-memory.dmp

Filesize
8.0MB

Download
memory/4716-482-0x00007FFF20920000-0x00007FFF2096D000-memory.dmp

Filesize
308KB

Download
memory/4716-490-0x00007FFF1D920000-0x00007FFF1E11B000-memory.dmp

Filesize
8.0MB

Download
memory/4716-660-0x00007FFF21180000-0x00007FFF211B3000-memory.dmp

Filesize
204KB

Download
memory/4716-651-0x00007FFF22360000-0x00007FFF22950000-memory.dmp

Filesize
5.9MB

Download
memory/4716-614-0x00007FFF239E0000-0x00007FFF23A04000-memory.dmp

Filesize
144KB

Download
memory/4716-613-0x00007FFF22360000-0x00007FFF22950000-memory.dmp

Filesize
5.9MB

Download
memory/4716-621-0x00007FFF211C0000-0x00007FFF21336000-memory.dmp

Filesize
1.5MB

Download
memory/4716-625-0x00007FFF20B60000-0x00007FFF20B75000-memory.dmp

Filesize
84KB

Download
memory/4716-626-0x00007FFF20B40000-0x00007FFF20B52000-memory.dmp

Filesize
72KB

Download
memory/4716-632-0x00007FFF20970000-0x00007FFF20989000-memory.dmp

Filesize
100KB

Download
memory/4716-633-0x00007FFF20920000-0x00007FFF2096D000-memory.dmp

Filesize
308KB

Download
memory/4716-637-0x00007FFF1D920000-0x00007FFF1E11B000-memory.dmp

Filesize
8.0MB

Download
memory/4716-639-0x00007FFF3DD80000-0x00007FFF3DD8D000-memory.dmp

Filesize
52KB

Download
memory/4716-638-0x00007FFF20860000-0x00007FFF20897000-memory.dmp

Filesize
220KB

Download
memory/4716-478-0x00007FFF20990000-0x00007FFF209AB000-memory.dmp

Filesize
108KB

Download
memory/4716-484-0x00007FFF208C0000-0x00007FFF208F2000-memory.dmp

Filesize
200KB

Download
memory/4716-596-0x00007FFF3DD80000-0x00007FFF3DD8D000-memory.dmp

Filesize
52KB

Download
memory/4996-503-0x00007FFF20840000-0x00007FFF20855000-memory.dmp

Filesize
84KB

Download
memory/4996-443-0x00007FFF219E0000-0x00007FFF21A13000-memory.dmp

Filesize
204KB

Download
memory/4996-483-0x00007FFF20540000-0x00007FFF20572000-memory.dmp

Filesize
200KB

Download
memory/4996-395-0x00007FFF21C70000-0x00007FFF22260000-memory.dmp

Filesize
5.9MB

Download
memory/4996-479-0x00007FFF205F0000-0x00007FFF20609000-memory.dmp

Filesize
100KB

Download
memory/4996-485-0x00007FFF20520000-0x00007FFF2053E000-memory.dmp

Filesize
120KB

Download
memory/4996-510-0x00007FFF205F0000-0x00007FFF20609000-memory.dmp

Filesize
100KB

Download
memory/4996-489-0x00007FFF21C70000-0x00007FFF22260000-memory.dmp

Filesize
5.9MB

Download
memory/4996-523-0x00007FFF21BA0000-0x00007FFF21BC3000-memory.dmp

Filesize
140KB

Download
memory/4996-522-0x00007FFF21C00000-0x00007FFF21C19000-memory.dmp

Filesize
100KB

Download
memory/4996-521-0x00007FFF21C20000-0x00007FFF21C39000-memory.dmp

Filesize
100KB

Download
memory/4996-520-0x00007FFF35850000-0x00007FFF3585D000-memory.dmp

Filesize
52KB

Download
memory/4996-515-0x00007FFF1D120000-0x00007FFF1D91B000-memory.dmp

Filesize
8.0MB

Download
memory/4996-514-0x00007FFF20520000-0x00007FFF2053E000-memory.dmp

Filesize
120KB

Download
memory/4996-513-0x00007FFF20540000-0x00007FFF20572000-memory.dmp

Filesize
200KB

Download
memory/4996-512-0x00007FFF20580000-0x00007FFF20591000-memory.dmp

Filesize
68KB

Download
memory/4996-511-0x00007FFF205A0000-0x00007FFF205ED000-memory.dmp

Filesize
308KB

Download
memory/4996-509-0x00007FFF20610000-0x00007FFF2062B000-memory.dmp

Filesize
108KB

Download
memory/4996-508-0x00007FFF20630000-0x00007FFF2074C000-memory.dmp

Filesize
1.1MB

Download
memory/4996-491-0x00007FFF204E0000-0x00007FFF20517000-memory.dmp

Filesize
220KB

Download
memory/4996-488-0x00007FFF1D120000-0x00007FFF1D91B000-memory.dmp

Filesize
8.0MB

Download
memory/4996-507-0x00007FFF20750000-0x00007FFF20772000-memory.dmp

Filesize
136KB

Download
memory/4996-506-0x00007FFF20780000-0x00007FFF20794000-memory.dmp

Filesize
80KB

Download
memory/4996-501-0x00007FFF214B0000-0x00007FFF219D9000-memory.dmp

Filesize
5.2MB

Download
memory/4996-505-0x00007FFF20800000-0x00007FFF20814000-memory.dmp

Filesize
80KB

Download
memory/4996-504-0x00007FFF20820000-0x00007FFF20832000-memory.dmp

Filesize
72KB

Download
memory/4996-481-0x00007FFF205A0000-0x00007FFF205ED000-memory.dmp

Filesize
308KB

Download
memory/4996-480-0x00007FFF20580000-0x00007FFF20591000-memory.dmp

Filesize
68KB

Download
memory/4996-525-0x00007FFF219E0000-0x00007FFF21A13000-memory.dmp

Filesize
204KB

Download
memory/4996-445-0x00007FFF214B0000-0x00007FFF219D9000-memory.dmp

Filesize
5.2MB

Download
memory/4996-524-0x00007FFF21A20000-0x00007FFF21B96000-memory.dmp

Filesize
1.5MB

Download
memory/4996-519-0x00007FFF21BD0000-0x00007FFF21BFD000-memory.dmp

Filesize
180KB

Download
memory/4996-518-0x00007FFF21C40000-0x00007FFF21C64000-memory.dmp

Filesize
144KB

Download
memory/4996-434-0x00007FFF213E0000-0x00007FFF214AD000-memory.dmp

Filesize
820KB

Download
memory/4996-432-0x00007FFF21A20000-0x00007FFF21B96000-memory.dmp

Filesize
1.5MB

Download
memory/4996-427-0x00007FFF21C00000-0x00007FFF21C19000-memory.dmp

Filesize
100KB

Download
memory/4996-425-0x00007FFF21C20000-0x00007FFF21C39000-memory.dmp

Filesize
100KB

Download
memory/4996-423-0x00007FFF21C40000-0x00007FFF21C64000-memory.dmp

Filesize
144KB

Download
memory/4996-424-0x00007FFF35D20000-0x00007FFF35D2F000-memory.dmp

Filesize
60KB

Download
memory/4996-426-0x00007FFF35850000-0x00007FFF3585D000-memory.dmp

Filesize
52KB

Download
memory/4996-428-0x00007FFF21C70000-0x00007FFF22260000-memory.dmp

Filesize
5.9MB

Download
memory/4996-429-0x00007FFF219E0000-0x00007FFF21A13000-memory.dmp

Filesize
204KB

Download
memory/4996-430-0x00007FFF21BD0000-0x00007FFF21BFD000-memory.dmp

Filesize
180KB

Download
memory/4996-431-0x00007FFF21BA0000-0x00007FFF21BC3000-memory.dmp

Filesize
140KB

Download
memory/4996-433-0x00007FFF214B0000-0x00007FFF219D9000-memory.dmp

Filesize
5.2MB

Download
memory/4996-439-0x00007FFF21C20000-0x00007FFF21C39000-memory.dmp

Filesize
100KB

Download
memory/4996-502-0x00007FFF213E0000-0x00007FFF214AD000-memory.dmp

Filesize
820KB

Download
memory/4996-517-0x00007FFF35D20000-0x00007FFF35D2F000-memory.dmp

Filesize
60KB

Download
memory/4996-470-0x00007FFF20840000-0x00007FFF20855000-memory.dmp

Filesize
84KB

Download
memory/4996-471-0x00007FFF20820000-0x00007FFF20832000-memory.dmp

Filesize
72KB

Download
memory/4996-472-0x00007FFF20800000-0x00007FFF20814000-memory.dmp

Filesize
80KB

Download
memory/4996-473-0x00007FFF20780000-0x00007FFF20794000-memory.dmp

Filesize
80KB

Download
memory/4996-474-0x00007FFF20750000-0x00007FFF20772000-memory.dmp

Filesize
136KB

Download
memory/4996-475-0x00007FFF20630000-0x00007FFF2074C000-memory.dmp

Filesize
1.1MB

Download
memory/4996-476-0x00007FFF20610000-0x00007FFF2062B000-memory.dmp

Filesize
108KB

Download