asyncrat | 1ab7fef81e4a5325f70a7eb8f1e551edaa6344d16eb1aeca68974d89bb4e40db

Resubmissions

11/03/2025, 16:25

250311-txbamsxq12 10

10/03/2025, 16:59

250310-vhtzwastaz 10

Analysis

max time kernel
91s
max time network
95s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
11/03/2025, 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

archive.rar
Size

11.6MB
MD5

88f853c79f8978c740a39b6ffeafdde3
SHA1

2f142b3c96ef3b8d6b7705055a504fd0d4ed66a1
SHA256

1ab7fef81e4a5325f70a7eb8f1e551edaa6344d16eb1aeca68974d89bb4e40db
SHA512

fb3fc9b6b1e35dc812b2e328c46e177da57649be2679f02fc02addcf1f552aeb2dac5f900b4eb0cfbdfba2c8c378ba340882f9b32a016caedbc87b6c594dce8c
SSDEEP

196608:/q710W0isAdLeCKHnNUdTp5S4OhUIyFaEkFNEDMYaHUgRhBJwYpSOc0VsG:AfdyTHN6pdZIyIXGDMN3jTprZ

Score

10^/10

asyncrat exelastealer default collection defense_evasion discovery persistence privilege_escalation pyinstaller rat spyware stealer upx

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

2.58.56.179:2035

Mutex

r4ttlesn4ke_ufog3f8u3egef978

Attributes

delay
1
install
true
install_file
Chrome.exe
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x001900000002af2f-16.dat	family_asyncrat

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
844	netsh.exe
3776	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3872	powershell.exe
2248	cmd.exe

Deletes itself 1 IoCs

pid	Process
1552	Exela.exe

Executes dropped EXE 12 IoCs

pid	Process
4888	chrome.exe
5080	chrome.exe
1040	Chrome.exe
1020	cloudflare_whitelist.exe
4448	ef.exe
4224	chrome.exe
1060	Exela.exe
1552	Exela.exe
5576	Exela.exe
5080	Exela.exe
912	verif.exe
5148	verif.exe

Loads dropped DLL 64 IoCs

pid	Process
1020	cloudflare_whitelist.exe
1020	cloudflare_whitelist.exe
1020	cloudflare_whitelist.exe
1552	Exela.exe
1552	Exela.exe
1552	Exela.exe
1552	Exela.exe
1552	Exela.exe
1552	Exela.exe
1552	Exela.exe
1552	Exela.exe
1552	Exela.exe
1552	Exela.exe
1552	Exela.exe
1552	Exela.exe
1552	Exela.exe
1552	Exela.exe
1552	Exela.exe
1552	Exela.exe
1552	Exela.exe
1552	Exela.exe
1552	Exela.exe
1552	Exela.exe
1552	Exela.exe
1552	Exela.exe
1552	Exela.exe
1552	Exela.exe
1552	Exela.exe
1552	Exela.exe
1552	Exela.exe
1552	Exela.exe
1552	Exela.exe
1552	Exela.exe
1552	Exela.exe
1552	Exela.exe
1552	Exela.exe
1552	Exela.exe
5080	Exela.exe
5080	Exela.exe
5080	Exela.exe
5080	Exela.exe
5080	Exela.exe
5080	Exela.exe
5080	Exela.exe
5080	Exela.exe
5080	Exela.exe
5080	Exela.exe
5080	Exela.exe
5080	Exela.exe
5080	Exela.exe
5080	Exela.exe
5080	Exela.exe
5080	Exela.exe
5080	Exela.exe
5080	Exela.exe
5080	Exela.exe
5080	Exela.exe
5080	Exela.exe
5080	Exela.exe
5080	Exela.exe
5080	Exela.exe
5080	Exela.exe
5080	Exela.exe
5080	Exela.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service

T1102

flow	ioc
3	discord.com
7	discord.com
8	discord.com
11	api.gofile.io
28	api.gofile.io

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
3	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2492	cmd.exe
5016	ARP.EXE

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
3364	tasklist.exe
1788	tasklist.exe
500	tasklist.exe
3448	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2996	cmd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002afd2-164.dat	upx
behavioral1/memory/1552-167-0x00007FFF15D00000-0x00007FFF16166000-memory.dmp	upx
behavioral1/memory/1552-204-0x00007FFF2FC70000-0x00007FFF2FC7F000-memory.dmp	upx
behavioral1/memory/1552-208-0x00007FFF28E50000-0x00007FFF28E7C000-memory.dmp	upx
behavioral1/memory/1552-209-0x00007FFF28E30000-0x00007FFF28E4F000-memory.dmp	upx
behavioral1/memory/1552-210-0x00007FFF15B80000-0x00007FFF15CFD000-memory.dmp	upx
behavioral1/memory/1552-211-0x00007FFF28E00000-0x00007FFF28E2E000-memory.dmp	upx
behavioral1/memory/1552-212-0x00007FFF15AC0000-0x00007FFF15B78000-memory.dmp	upx
behavioral1/memory/1552-207-0x00007FFF2B750000-0x00007FFF2B768000-memory.dmp	upx
behavioral1/memory/1552-206-0x00007FFF2FAB0000-0x00007FFF2FABD000-memory.dmp	upx
behavioral1/memory/1552-205-0x00007FFF2B900000-0x00007FFF2B919000-memory.dmp	upx
behavioral1/memory/1552-214-0x00007FFF15D00000-0x00007FFF16166000-memory.dmp	upx
behavioral1/memory/1552-216-0x00007FFF22520000-0x00007FFF22534000-memory.dmp	upx
behavioral1/memory/1552-215-0x00007FFF15740000-0x00007FFF15AB5000-memory.dmp	upx
behavioral1/memory/1552-203-0x00007FFF28E80000-0x00007FFF28EA4000-memory.dmp	upx
behavioral1/memory/1552-220-0x00007FFF21340000-0x00007FFF21355000-memory.dmp	upx
behavioral1/memory/1552-219-0x00007FFF22500000-0x00007FFF22514000-memory.dmp	upx
behavioral1/memory/1552-218-0x00007FFF2B900000-0x00007FFF2B919000-memory.dmp	upx
behavioral1/memory/1552-217-0x00007FFF2CD40000-0x00007FFF2CD50000-memory.dmp	upx
behavioral1/memory/1552-221-0x00007FFF21240000-0x00007FFF21262000-memory.dmp	upx
behavioral1/memory/1552-223-0x00007FFF15620000-0x00007FFF15738000-memory.dmp	upx
behavioral1/memory/1552-222-0x00007FFF28E30000-0x00007FFF28E4F000-memory.dmp	upx
behavioral1/memory/1552-224-0x00007FFF15B80000-0x00007FFF15CFD000-memory.dmp	upx
behavioral1/memory/1552-225-0x00007FFF21200000-0x00007FFF2121B000-memory.dmp	upx
behavioral1/memory/1552-228-0x00007FFF15550000-0x00007FFF1561F000-memory.dmp	upx
behavioral1/memory/1552-227-0x00007FFF15AC0000-0x00007FFF15B78000-memory.dmp	upx
behavioral1/memory/1552-234-0x00007FFF15500000-0x00007FFF1554D000-memory.dmp	upx
behavioral1/memory/1552-233-0x00007FFF1B6F0000-0x00007FFF1B722000-memory.dmp	upx
behavioral1/memory/1552-236-0x00007FFF208B0000-0x00007FFF208CE000-memory.dmp	upx
behavioral1/memory/1552-235-0x00007FFF22520000-0x00007FFF22534000-memory.dmp	upx
behavioral1/memory/1552-232-0x00007FFF208D0000-0x00007FFF208E1000-memory.dmp	upx
behavioral1/memory/1552-237-0x00007FFF14D00000-0x00007FFF154FC000-memory.dmp	upx
behavioral1/memory/1552-231-0x00007FFF211E0000-0x00007FFF211F8000-memory.dmp	upx
behavioral1/memory/1552-230-0x00007FFF15740000-0x00007FFF15AB5000-memory.dmp	upx
behavioral1/memory/1552-226-0x00007FFF28E00000-0x00007FFF28E2E000-memory.dmp	upx
behavioral1/files/0x001c00000002afc7-176.dat	upx
behavioral1/files/0x001900000002af4e-174.dat	upx
behavioral1/memory/1552-238-0x00007FFF21340000-0x00007FFF21355000-memory.dmp	upx
behavioral1/memory/1552-239-0x00007FFF14CC0000-0x00007FFF14CF7000-memory.dmp	upx
behavioral1/memory/1552-285-0x00007FFF21240000-0x00007FFF21262000-memory.dmp	upx
behavioral1/memory/1552-286-0x00007FFF32190000-0x00007FFF3219D000-memory.dmp	upx
behavioral1/memory/1552-302-0x00007FFF15620000-0x00007FFF15738000-memory.dmp	upx
behavioral1/memory/1552-303-0x00007FFF21200000-0x00007FFF2121B000-memory.dmp	upx
behavioral1/memory/1552-304-0x00007FFF15550000-0x00007FFF1561F000-memory.dmp	upx
behavioral1/memory/1552-306-0x00007FFF1B6F0000-0x00007FFF1B722000-memory.dmp	upx
behavioral1/memory/1552-305-0x00007FFF211E0000-0x00007FFF211F8000-memory.dmp	upx
behavioral1/memory/1552-316-0x00007FFF15500000-0x00007FFF1554D000-memory.dmp	upx
behavioral1/memory/1552-562-0x00007FFF211E0000-0x00007FFF211F8000-memory.dmp	upx
behavioral1/memory/1552-569-0x00007FFF14CC0000-0x00007FFF14CF7000-memory.dmp	upx
behavioral1/memory/1552-588-0x00007FFF14D00000-0x00007FFF154FC000-memory.dmp	upx
behavioral1/memory/1552-553-0x00007FFF15740000-0x00007FFF15AB5000-memory.dmp	upx
behavioral1/memory/1552-555-0x00007FFF2CD40000-0x00007FFF2CD50000-memory.dmp	upx
behavioral1/memory/1552-554-0x00007FFF22520000-0x00007FFF22534000-memory.dmp	upx
behavioral1/memory/1552-552-0x00007FFF15AC0000-0x00007FFF15B78000-memory.dmp	upx
behavioral1/memory/1552-550-0x00007FFF15B80000-0x00007FFF15CFD000-memory.dmp	upx
behavioral1/memory/1552-551-0x00007FFF28E00000-0x00007FFF28E2E000-memory.dmp	upx
behavioral1/memory/1552-549-0x00007FFF28E30000-0x00007FFF28E4F000-memory.dmp	upx
behavioral1/memory/1552-543-0x00007FFF28E80000-0x00007FFF28EA4000-memory.dmp	upx
behavioral1/memory/1552-542-0x00007FFF15D00000-0x00007FFF16166000-memory.dmp	upx
behavioral1/memory/1552-908-0x00007FFF22520000-0x00007FFF22534000-memory.dmp	upx
behavioral1/memory/1552-896-0x00007FFF15D00000-0x00007FFF16166000-memory.dmp	upx
behavioral1/memory/5080-1012-0x00007FFF185D0000-0x00007FFF18A36000-memory.dmp	upx
behavioral1/memory/5080-1014-0x00007FFF2C0A0000-0x00007FFF2C0AF000-memory.dmp	upx
behavioral1/memory/5080-1013-0x00007FFF18580000-0x00007FFF185A4000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2260	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x001a00000002af2a-74.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1432	cmd.exe
1680	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
4344	NETSTAT.EXE

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
4844	WMIC.exe

Delays execution with timeout.exe 2 IoCs

defense_evasion

pid	Process
864	timeout.exe
396	timeout.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4124	ipconfig.exe
4344	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2320	systeminfo.exe

Kills process with taskkill 2 IoCs

defense_evasion

pid	Process
1792	taskkill.exe
4588	taskkill.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.WindowsTerminal_8wekyb3d8bbwe\StartTerminalOnLoginTask	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\Local Settings	taskmgr.exe
Key created	\REGISTRY\USER\S-1-5-21-501547156-4130638328-323075719-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.WindowsTerminal_8wekyb3d8bbwe\StartTerminalOnLoginTask	taskmgr.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3120	schtasks.exe
2744	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
4888	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
5080	chrome.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
3872	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3764	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	3764	7zFM.exe
Token: 35	3764	7zFM.exe
Token: SeSecurityPrivilege	3764	7zFM.exe
Token: SeSecurityPrivilege	3764	7zFM.exe
Token: SeDebugPrivilege	4888	chrome.exe
Token: SeDebugPrivilege	5080	chrome.exe
Token: SeDebugPrivilege	1040	Chrome.exe
Token: SeDebugPrivilege	1676	taskmgr.exe
Token: SeSystemProfilePrivilege	1676	taskmgr.exe
Token: SeCreateGlobalPrivilege	1676	taskmgr.exe
Token: SeIncreaseQuotaPrivilege	568	WMIC.exe
Token: SeSecurityPrivilege	568	WMIC.exe
Token: SeTakeOwnershipPrivilege	568	WMIC.exe
Token: SeLoadDriverPrivilege	568	WMIC.exe
Token: SeSystemProfilePrivilege	568	WMIC.exe
Token: SeSystemtimePrivilege	568	WMIC.exe
Token: SeProfSingleProcessPrivilege	568	WMIC.exe
Token: SeIncBasePriorityPrivilege	568	WMIC.exe
Token: SeCreatePagefilePrivilege	568	WMIC.exe
Token: SeBackupPrivilege	568	WMIC.exe
Token: SeRestorePrivilege	568	WMIC.exe
Token: SeShutdownPrivilege	568	WMIC.exe
Token: SeDebugPrivilege	568	WMIC.exe
Token: SeSystemEnvironmentPrivilege	568	WMIC.exe
Token: SeRemoteShutdownPrivilege	568	WMIC.exe
Token: SeUndockPrivilege	568	WMIC.exe
Token: SeManageVolumePrivilege	568	WMIC.exe
Token: 33	568	WMIC.exe
Token: 34	568	WMIC.exe
Token: 35	568	WMIC.exe
Token: 36	568	WMIC.exe
Token: SeIncreaseQuotaPrivilege	568	WMIC.exe
Token: SeSecurityPrivilege	568	WMIC.exe
Token: SeTakeOwnershipPrivilege	568	WMIC.exe
Token: SeLoadDriverPrivilege	568	WMIC.exe
Token: SeSystemProfilePrivilege	568	WMIC.exe
Token: SeSystemtimePrivilege	568	WMIC.exe
Token: SeProfSingleProcessPrivilege	568	WMIC.exe
Token: SeIncBasePriorityPrivilege	568	WMIC.exe
Token: SeCreatePagefilePrivilege	568	WMIC.exe
Token: SeBackupPrivilege	568	WMIC.exe
Token: SeRestorePrivilege	568	WMIC.exe
Token: SeShutdownPrivilege	568	WMIC.exe
Token: SeDebugPrivilege	568	WMIC.exe
Token: SeSystemEnvironmentPrivilege	568	WMIC.exe
Token: SeRemoteShutdownPrivilege	568	WMIC.exe
Token: SeUndockPrivilege	568	WMIC.exe
Token: SeManageVolumePrivilege	568	WMIC.exe
Token: 33	568	WMIC.exe
Token: 34	568	WMIC.exe
Token: 35	568	WMIC.exe
Token: 36	568	WMIC.exe
Token: SeDebugPrivilege	500	tasklist.exe
Token: SeDebugPrivilege	1792	taskkill.exe
Token: SeDebugPrivilege	3448	tasklist.exe
Token: SeDebugPrivilege	4588	taskkill.exe
Token: SeDebugPrivilege	3364	tasklist.exe
Token: SeDebugPrivilege	3872	powershell.exe
Token: SeIncreaseQuotaPrivilege	4844	WMIC.exe
Token: SeSecurityPrivilege	4844	WMIC.exe
Token: SeTakeOwnershipPrivilege	4844	WMIC.exe
Token: SeLoadDriverPrivilege	4844	WMIC.exe
Token: SeSystemProfilePrivilege	4844	WMIC.exe
Token: SeSystemtimePrivilege	4844	WMIC.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
3764	7zFM.exe
3764	7zFM.exe
3764	7zFM.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2500	firefox.exe
2500	firefox.exe
2500	firefox.exe
2500	firefox.exe
2500	firefox.exe
2500	firefox.exe
2500	firefox.exe
2500	firefox.exe
2500	firefox.exe
2500	firefox.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
1676	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe
2244	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1020	cloudflare_whitelist.exe
2500	firefox.exe
5344	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4888 wrote to memory of 1460	4888	chrome.exe	84
PID 4888 wrote to memory of 1460	4888	chrome.exe	84
PID 4888 wrote to memory of 1628	4888	chrome.exe	85
PID 4888 wrote to memory of 1628	4888	chrome.exe	85
PID 1628 wrote to memory of 864	1628	cmd.exe	88
PID 1628 wrote to memory of 864	1628	cmd.exe	88
PID 1460 wrote to memory of 3120	1460	cmd.exe	89
PID 1460 wrote to memory of 3120	1460	cmd.exe	89
PID 5080 wrote to memory of 1952	5080	chrome.exe	91
PID 5080 wrote to memory of 1952	5080	chrome.exe	91
PID 1952 wrote to memory of 2744	1952	cmd.exe	93
PID 1952 wrote to memory of 2744	1952	cmd.exe	93
PID 5080 wrote to memory of 4744	5080	chrome.exe	94
PID 5080 wrote to memory of 4744	5080	chrome.exe	94
PID 4744 wrote to memory of 396	4744	cmd.exe	96
PID 4744 wrote to memory of 396	4744	cmd.exe	96
PID 4744 wrote to memory of 1040	4744	cmd.exe	97
PID 4744 wrote to memory of 1040	4744	cmd.exe	97
PID 4448 wrote to memory of 4224	4448	ef.exe	104
PID 4448 wrote to memory of 4224	4448	ef.exe	104
PID 1060 wrote to memory of 1552	1060	Exela.exe	106
PID 1060 wrote to memory of 1552	1060	Exela.exe	106
PID 1552 wrote to memory of 4088	1552	Exela.exe	107
PID 1552 wrote to memory of 4088	1552	Exela.exe	107
PID 1552 wrote to memory of 2800	1552	Exela.exe	109
PID 1552 wrote to memory of 2800	1552	Exela.exe	109
PID 1552 wrote to memory of 1144	1552	Exela.exe	110
PID 1552 wrote to memory of 1144	1552	Exela.exe	110
PID 2800 wrote to memory of 568	2800	cmd.exe	154
PID 2800 wrote to memory of 568	2800	cmd.exe	154
PID 1144 wrote to memory of 500	1144	cmd.exe	114
PID 1144 wrote to memory of 500	1144	cmd.exe	114
PID 1552 wrote to memory of 1572	1552	Exela.exe	116
PID 1552 wrote to memory of 1572	1552	Exela.exe	116
PID 1572 wrote to memory of 1792	1572	cmd.exe	118
PID 1572 wrote to memory of 1792	1572	cmd.exe	118
PID 1552 wrote to memory of 2996	1552	Exela.exe	119
PID 1552 wrote to memory of 2996	1552	Exela.exe	119
PID 2996 wrote to memory of 1548	2996	cmd.exe	121
PID 2996 wrote to memory of 1548	2996	cmd.exe	121
PID 1552 wrote to memory of 4712	1552	Exela.exe	122
PID 1552 wrote to memory of 4712	1552	Exela.exe	122
PID 1552 wrote to memory of 2572	1552	Exela.exe	123
PID 1552 wrote to memory of 2572	1552	Exela.exe	123
PID 2572 wrote to memory of 3448	2572	cmd.exe	126
PID 2572 wrote to memory of 3448	2572	cmd.exe	126
PID 4712 wrote to memory of 4684	4712	cmd.exe	127
PID 4712 wrote to memory of 4684	4712	cmd.exe	127
PID 1552 wrote to memory of 3724	1552	Exela.exe	128
PID 1552 wrote to memory of 3724	1552	Exela.exe	128
PID 3724 wrote to memory of 4588	3724	cmd.exe	130
PID 3724 wrote to memory of 4588	3724	cmd.exe	130
PID 1552 wrote to memory of 4752	1552	Exela.exe	131
PID 1552 wrote to memory of 4752	1552	Exela.exe	131
PID 1552 wrote to memory of 4756	1552	Exela.exe	132
PID 1552 wrote to memory of 4756	1552	Exela.exe	132
PID 1552 wrote to memory of 2072	1552	Exela.exe	133
PID 1552 wrote to memory of 2072	1552	Exela.exe	133
PID 1552 wrote to memory of 2248	1552	Exela.exe	135
PID 1552 wrote to memory of 2248	1552	Exela.exe	135
PID 4756 wrote to memory of 1852	4756	cmd.exe	139
PID 4756 wrote to memory of 1852	4756	cmd.exe	139
PID 1852 wrote to memory of 4192	1852	cmd.exe	140
PID 1852 wrote to memory of 4192	1852	cmd.exe	140

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1548	attrib.exe

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\archive.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3764

C:\Users\Admin\Desktop\chrome.exe
"C:\Users\Admin\Desktop\chrome.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Chrome" /tr '"C:\Users\Admin\AppData\Roaming\Chrome.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1460
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "Chrome" /tr '"C:\Users\Admin\AppData\Roaming\Chrome.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:3120
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp2C6A.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1628
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:864

C:\Users\Admin\Desktop\chrome.exe
"C:\Users\Admin\Desktop\chrome.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Chrome" /tr '"C:\Users\Admin\AppData\Roaming\Chrome.exe"' & exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\system32\schtasks.exe
    schtasks /create /f /sc onlogon /rl highest /tn "Chrome" /tr '"C:\Users\Admin\AppData\Roaming\Chrome.exe"'
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2744
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3A45.tmp.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Windows\system32\timeout.exe
    timeout 3
    3⤵
    - Delays execution with timeout.exe
    PID:396
- - C:\Users\Admin\AppData\Roaming\Chrome.exe
    "C:\Users\Admin\AppData\Roaming\Chrome.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1040

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1676

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4656

C:\Users\Admin\Desktop\cloudflare_whitelist.exe
"C:\Users\Admin\Desktop\cloudflare_whitelist.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:1020

C:\Users\Admin\Desktop\ef.exe
"C:\Users\Admin\Desktop\ef.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Users\Admin\AppData\Local\Temp\chrome.exe
  "C:\Users\Admin\AppData\Local\Temp\chrome.exe"
  2⤵
  - Executes dropped EXE
  PID:4224

C:\Users\Admin\Desktop\Exela.exe
"C:\Users\Admin\Desktop\Exela.exe"
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1060
- C:\Users\Admin\Desktop\Exela.exe
  "C:\Users\Admin\Desktop\Exela.exe"
  2⤵
  - Deletes itself
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:4088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2800
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1144
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:500
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /IM "taskmgr.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1572
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM "taskmgr.exe"
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1792
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:2996
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
      4⤵
      Views/modifies file attributes
      PID:1548
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4712
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
      4⤵
      PID:4684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3448
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1040"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3724
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /PID 1040
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4588
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    PID:4752
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      PID:3384
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:2340
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4756
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1852
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:4192
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:2072
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:3364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:2248
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3872
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1432
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1680
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    PID:2492
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2320
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:4928
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      Suspicious use of AdjustPrivilegeToken
      PID:4844
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      PID:568
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:4820
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:1008
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:4584
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:584
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:1940
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:5080
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:2376
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:3404
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:1648
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:2160
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:688
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      PID:1924
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:1788
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:4124
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:3612
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:5016
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:4344
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:2260
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:844
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:3776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1080
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:3188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:3004
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:692

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2244

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4228
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  PID:2500
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1988 -parentBuildID 20240401114208 -prefsHandle 1888 -prefMapHandle 1900 -prefsLen 27661 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {060b718f-4a14-4e55-b35a-1c4a5a2fc9e3} 2500 "\\.\pipe\gecko-crash-server-pipe.2500" gpu
    3⤵
    PID:5072
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2392 -parentBuildID 20240401114208 -prefsHandle 2384 -prefMapHandle 2372 -prefsLen 27539 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b71e8c6c-b1cf-44f4-b437-6fb4b6cfcb86} 2500 "\\.\pipe\gecko-crash-server-pipe.2500" socket
    3⤵
    PID:3120
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3160 -childID 1 -isForBrowser -prefsHandle 3196 -prefMapHandle 3192 -prefsLen 27680 -prefMapSize 244658 -jsInitHandle 1172 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4937a2e7-4bd8-45bf-808e-023be360f835} 2500 "\\.\pipe\gecko-crash-server-pipe.2500" tab
    3⤵
    PID:3868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2704 -childID 2 -isForBrowser -prefsHandle 3512 -prefMapHandle 3536 -prefsLen 32913 -prefMapSize 244658 -jsInitHandle 1172 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12757684-7fbf-487d-af17-348ffdd19c1a} 2500 "\\.\pipe\gecko-crash-server-pipe.2500" tab
    3⤵
    PID:836
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4740 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4700 -prefMapHandle 4728 -prefsLen 32913 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {67fc1bc8-c9b4-4eb5-b6f6-bd49f8269886} 2500 "\\.\pipe\gecko-crash-server-pipe.2500" utility
    3⤵
    - Checks processor information in registry
    PID:4564
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5484 -childID 3 -isForBrowser -prefsHandle 5476 -prefMapHandle 5472 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 1172 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2491bddf-f36c-4a84-8760-1e186856a626} 2500 "\\.\pipe\gecko-crash-server-pipe.2500" tab
    3⤵
    PID:5652
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5624 -childID 4 -isForBrowser -prefsHandle 5704 -prefMapHandle 5700 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 1172 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9866e592-5e45-4d89-861f-caad887a5546} 2500 "\\.\pipe\gecko-crash-server-pipe.2500" tab
    3⤵
    PID:5664
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5608 -childID 5 -isForBrowser -prefsHandle 5852 -prefMapHandle 5860 -prefsLen 27226 -prefMapSize 244658 -jsInitHandle 1172 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89f1c22f-3599-4ad8-98be-94d108017593} 2500 "\\.\pipe\gecko-crash-server-pipe.2500" tab
    3⤵
    PID:5676

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Exela.exe
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Exela.exe"
1⤵
- Executes dropped EXE
PID:5576
- C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Exela.exe
  "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Exela.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:5080
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:2188

C:\Users\Admin\Desktop\verif.exe
"C:\Users\Admin\Desktop\verif.exe"
1⤵
- Executes dropped EXE
PID:912

C:\Users\Admin\Desktop\verif.exe
"C:\Users\Admin\Desktop\verif.exe"
1⤵
- Executes dropped EXE
PID:5148

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:5344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Peripheral Device Discovery

T1120

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\chrome.exe.log

Filesize
425B

MD5
de75c43a265d0848584ae05945570edf

SHA1
69f95177914f8d8b2f278a91f585a0024b8dffd3

SHA256
d9bdf6a2bfdd9b2b5c8593de17ade3d8d317dad331aa6ca0da7483dd06db1140

SHA512
365f29c693dd7aa2ade092d765a96f20bf1f7fa93bca7f3b25aeddf5700817b9fd388e8f7d9f1b781c8a876739b06ad16d61e7ed08a1c85ac4be4686a38c63bc

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ebb956d0.default-release\activity-stream.discovery_stream.json.tmp

Filesize
24KB

MD5
8ae4e0f576b305b9ba7ff8f5f5d972ea

SHA1
37b0e812b48b46fab8a2d7364a0c6c7801c99c03

SHA256
65bb9c5c5bc21cbca908c3842c4fa541cd566f9ab026c3bd97cceea3a9048382

SHA512
024ddfeeddf0e47f97f8cf9a0701bde6dab664e236a10c9b5386a1dd03041c45a8bfa0cef62dcc5678c30f2f6ebb97bc462c054bb359f7ff62450d57b6daa851

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
23KB

MD5
5726af350fb53362b67f203382fd2eaa

SHA1
11f6367d87b92d6c13deed8bc641422d0bcea990

SHA256
5423fff1b9a87ffaf764d572000f10ff80994fc8662eeef2e2c55d90f03de93b

SHA512
db9afd3bb5a52e8412fd1c6481dcc707269a04655b2528ce2c05282e7f34768e133a393302263ee99c6432ee622f0953360f33b010d5cdb4149422154d36ece7

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\AddPush.xlsx

Filesize
16KB

MD5
cf80a01e2825c4d400bc7f004bf7d813

SHA1
d329ce4ea4e64aff8de904ab2546bd902f874860

SHA256
e99517edd9671af918661306fdebdfd0aae504dbd9cac45021d6a73d06d1eb82

SHA512
b72df8074d67618355ec708f03a1af812978d4466ae2d51bdbe707342b7828d8072aaa22c2a56c5c0a0448b6851ff16e26d9f731caca1b1d735b6e08474ea3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\ApproveRequest.docx

Filesize
13KB

MD5
039d097914f363c282ec10bbf2ae890f

SHA1
be8222f946fd75d65b4e2222080ee56aeedcb007

SHA256
427d9542f789aaa9ff05953e6ed9b9eded58d7aa6efc0bdd3fc6be58a888c79c

SHA512
e268ec5d23894f8ab4c00239c76f79b154c452347d450e8969160d3089bcb37973b9d882f81f5e79864a625bb9d13538136bf54407377a3e97d15c5e2de7b5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\ApproveSearch.xlsx

Filesize
10KB

MD5
e4bd7e41bc1a07816ecfadec149adeb0

SHA1
6d20a969f2d94994f40a63e39f9f1b315180c4bd

SHA256
a3966140234a04e8cd0469855d801ab3d46a979f8ff3a74d965f946b1dd9de63

SHA512
69c00150accf02b859ab911e8ce231ec21573354a58e75c8cd28f5d42be24c934400836d0e11bba51a971702dc904fd1d79ba931393425d71c1c1ae255c5e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\ClearOptimize.xls

Filesize
944KB

MD5
05d95e1b517fff0895b7993c48f2aff5

SHA1
fe1899052fcac855006b7b26f59f20c712b93be9

SHA256
0590cde3399e3179e4b5935ff23c7f84a0e43ba02959fadf22c6c55f95b23a40

SHA512
8a20f8d39799695cbd7da6de72e4340fd9c66a160c14e334f5c157889f85a25a19430980879439ff2d92821dd5b147fd4d0e07b90bf6355595cee06d6807e359

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\ConvertToPing.jpeg

Filesize
758KB

MD5
e3febc248bcb64f6a941f90cbd06ca87

SHA1
d655608a872823214174a0c84a504f5fdf023499

SHA256
b18cc8aa1626a05f4903934c7b6a02395da5981e9f4873a89de0f9f725c63080

SHA512
ba72f9515551db630f159bb95c954ba65e33b0e89c9541711ac9478ed00afd42dfcfd9985900135d28e65e67e4115b323581f371a4fb0d57d1ae099d7b3be278

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\DisableOut.xlsx

Filesize
14KB

MD5
9971dfdc884c95f722aa7278eea89d98

SHA1
64b4362097034afeb05822dab20d20e0c7920f21

SHA256
acb82f317d03b19d66463416562bda5f5b42be654b5a3e2c65f63c8d4d667dc2

SHA512
914e1a8ec523292b61fb481da37a5371f3c97900403ceb197f8d6e2f3fcf103d53f50410a1a1b4a18fd5fe6093c432a8b510babc3109adff208e8f602a7c75ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\GroupUnregister.docx

Filesize
18KB

MD5
85b1c55c3444499d4ee509d653c1dfef

SHA1
4665272ef50e7f241d836e446529d65f44da2886

SHA256
f9be6e17c62ee1bf414d2bce94d5d3d6327d9b43dd34c61846fc6c1ca9375080

SHA512
9607104d9f92000fdbd06381b35d4981c20c11caecc84dbbdbdf50472a6a81b62329e0f87f598dd0998a19a46be6d87b879d07b57b4ced40c867de53021dbd07

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\RevokeResize.docx

Filesize
13KB

MD5
95d4573169eb793e9cd7459caf371510

SHA1
d690b0d30955acb80781fbab72b827038c4087c9

SHA256
0341c6ce419cdbda377fefbe716dae3c87a1516a66ba735d3ce67ded34d8cd6c

SHA512
40f43c1a5386ad920fd84115e1ed07c5bef14a1edb09521221ca3cee4f8f06826527d201997d817156ed4428ad4fc83dc0ada3aa2fb580818185d776ea8b7f2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\TracePublish.mp4

Filesize
480KB

MD5
1469a5da6790649d1aa5bd98b09341cd

SHA1
31ba43b7efbc927dfffc165fb10efbb31fc010a4

SHA256
c0d22188f2db1a0c3c509dc7a73e012a193bd57bddba142b33276cc87ff5d49f

SHA512
aae751b662840d9b2c875589a3bc1255d2a61c2241f833320d2b471ec84aacde771567016bb2fec852746b7782618cf4139ae21aa34b156471d9ed0d73b98481

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\UpdateWrite.doc

Filesize
789KB

MD5
e08b76712bd19029a4d35dae6def6744

SHA1
5d679b310938c3716a3dddaf3f336e07f8888ba5

SHA256
989b92839a6573b620145f4306b1740ad10cdbea16d031d912ab55da43397db8

SHA512
6198398598467bc7c2d856934aad96d9544102602f06c9de2180644ba362f195350eed9a3b51aee11de88502fd53f35e2d5ef15a1db0139d869869cd2e2d3628

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\CheckpointSync.docx

Filesize
12KB

MD5
a9f20ba5c1e3666e9df8074449217252

SHA1
abc15dc1fcde30f2fcbea1b7bbed906596324c78

SHA256
64d2c1493927f7116127d16b26050d71b5c1f2618007fa4ad157ee7a9121a494

SHA512
38d3437db3a90d8267c1770d71b36a0972364b828b85698ae36fc6aeb97c1c284793849701b0324b013f88f44dbf4815f250d4892e4199437362c11306ff56c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\CopyDisconnect.pdf

Filesize
867KB

MD5
491ff5ed14e70473594e4208f6dff0c8

SHA1
626a6d4d178d5243f58a43e69631a9e68dae191e

SHA256
86dfcf384ac425cea8b35b1cd7cdd0120e5c49794e5073cf9ec6b9b432c25101

SHA512
e7d085687748650e86b9afe4e1988621589f2a36550980abd5a7dee37d1810fd95fb4706bf284ed1c75d9579f527bb79f751546b0628ae314560a19672f336ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\DismountSkip.csv

Filesize
428KB

MD5
56bc7332821f91eafec2c90a43965873

SHA1
b9be7343af0c6bfc647b34b8e0e3b1a978026b9a

SHA256
332ca367c3368af51db70b30bd77856d62b089ae553835f34d077e409d7db815

SHA512
46d90eb903af82535d1228fa0e82c053a33d2af1b034917ac584e96eb632db8a8cc70bf5d726ac7c61dfe19fc9ff42b720ccf86e594037369e22acdf44a91851

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\GrantClose.xlsx

Filesize
407KB

MD5
23858a59962e9cdabffc90e1093705f8

SHA1
daeca2820e382edd77c08b2d98852b7826673a0f

SHA256
4853f9a27e2b8e62dd4943a1ceb4ff99dc3cdb420500a4fcb75732698bbd75a9

SHA512
9d0c4fff32546a6a2e6aa0efa2913aa1f2e41952ab05b602cc6169b780ba886f34769a8c479eda3b5fde6c454484da4a20dfb385f8302c3c63b25db96dfb043f

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\InvokeEdit.pdf

Filesize
1013KB

MD5
784d6ea6a2ad079987a155a136ed1c3b

SHA1
0c8fb3a024374905bbda3d23500c9d5107d95566

SHA256
2386f31bb3c35595f82bcca4f0d2c9303fb1065d1a40facdde33cac3828c016e

SHA512
74a76a44ce54afe082fdf24edbfa1eddba4bd4a44a2f9fd006f627c0148cff876d89d249a7519b5410cee56f1bceec8af2e57a50aef8e4aa37334a261f5b2054

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\PushWatch.docx

Filesize
17KB

MD5
f1af2b7446d5c53a4bb389abf37171eb

SHA1
a2b07d9cc696b8b7f6af49c990b2b9ce89ccb03d

SHA256
9c487c17ea0a07bfa49b5e1183ef10b7076a299b49645bc7840dc5e3bc932c90

SHA512
91addfdb579e887160ec5f9bf25d6afffcc8e614319d9475c1f2134c35d3879ba480b6ed36b86971d434e20befc1e814bbc1e4cb0d7a9117a26198bf38315762

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\ReadFind.csv

Filesize
470KB

MD5
56cb3e94026cf94406b7750867a299e7

SHA1
b8bbe0571f35868455bcb8b73839fd2f0377c4c3

SHA256
f63d1061b5d378de252896337c58c7c8615d254a5f051350749f2812eaba77a1

SHA512
f9645bf67b18840b41f5fe93e414bf8145b411bf3d9ef9be021f4832e609e8f00a84e7eeea1e1219a8188ff5fa1e7fd8adb608055d7cde31bbe43e94502d5dca

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\RedoPublish.xls

Filesize
595KB

MD5
c9df1dcc7500ace58ab14f121b99407d

SHA1
ce8a242debe481a5e94e47b89c5db2ef780a0c38

SHA256
d6903a39569cf2daa9784aec317650e5ecd76478ec68125d5d76a78ba7f56ee9

SHA512
123a8e9b662c49b772912abba3c29f3c4b10febd061f12d53f84b89235d4d0bc508b2dfbfc9662a1db3cfb3dbef57328506a2cafa192a7680159a9afd3c1b1c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\ResetDismount.txt

Filesize
804KB

MD5
e461f8dd49888dd4fcbf7384a4dc9d2b

SHA1
8a07122be959080425e150c11a0987ac7d7a867e

SHA256
54ff6cb8328bbd1b268b7bd250957fb7e877630d9ec6b2f2f1cef67dc77f5dc3

SHA512
5458639a3f85aaa954c38c8c0a1916dd749fd48e49a39567c6751287f34cbcc447389cbe6cf5941202d1c0f2d271f8152ab8a3fb1e43ab4fbcbf1498cb5d1984

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\ResumeDebug.txt

Filesize
1.4MB

MD5
1175cd82b3ace681ae18c4a8ee8a0b78

SHA1
9a11d4b49d1079447571878ccb148967a9fba95f

SHA256
8636e3324b74c247b9cbe5a6e5da9ba3b4c9c76ae82103a9361d7f1fcde83d8d

SHA512
344bdd80f56689d24c837513fd26ea787908818137016a2d0c4746f816a99f5325d6e39f4ba572a1ae8f12d6ba4eb4c0899f4d03adbc6c5935db13b07e57b412

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\ShowUnlock.docx

Filesize
783KB

MD5
5c874d92dfadc2f4c317a8ed7bbd77f6

SHA1
d627cc01363df09a8ee3bfd033b2cac5b3e86fa2

SHA256
7275a4b5609b3e7b9e87a0de83ac4d69ae0d3958ccfd526b127c05d0061d8a1c

SHA512
b7cc545e24f3a0f897b40e0e743a002fb7ab4fccaa6fb3cb67032ab89a5800d0397aa189152ca69abb12ed8fcb32bf738cf6ea6a0fbee9765ad238baa08debe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\WriteSend.doc

Filesize
929KB

MD5
3dcda7d10004f5063a2644323cf85cdd

SHA1
cc2e58a7a5d0a4b41cabc55725836370e866cb46

SHA256
d5e4e13c31a218bcf8202e62501e4024a76ca9a56c6247b6162af6c27ae99a5e

SHA512
4b6fc848bba9d8e4423142e7ff6eb675ec2a814c886b5fa79368758b85b2aa6d2a1f5253a07a14a43468d67f5302bc7eb7cbcbe16879176a1e599103a7e267c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\BlockBackup.TTS

Filesize
309KB

MD5
6077b5d8dadb0396cffa7878cc9e59b6

SHA1
760508737ad8b5bd24f5596cb32d30786c38fea1

SHA256
72e2325b21c8deee5994e07fb7cef42c0deee29d1840acc2044174dad2227740

SHA512
c0c689ed909c376b73f6d1f4d3dd0c5e4ab44e7f45ebe2ede8ce3ff73d2219b165bb58e3714a9496da1ef4beee1e6fdea1d9decb0325a813a2d2f3b613d0ea47

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\ConfirmGroup.xls

Filesize
710KB

MD5
a9bd107de0cef5f24ed2a9258889a102

SHA1
709387b6cbe6cb6c330cd17dffbfd48345744b4e

SHA256
1488389b8ae7bac1aad7ff82eca62c990c12999b901895f1cf1814226e19e912

SHA512
45932876d297cd060a5993f05eac66ac29c0b7a3f284b49a9b9315ce57efd631ed6506f84fe29a47a5cd8d930acddbb6d934fc70753efc736b8ce6cec9ec3baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\ReadInitialize.txt

Filesize
593KB

MD5
7bccf254040592369e75377731fdd9c8

SHA1
1d9afdda585e22e828070238e9e6e03b0938b199

SHA256
1dcd49e088e1860f71150d23afefcecf095072c40561dab0939d2559c3b375c6

SHA512
5b8a2a16f095404e75ac797539e006e9e5d42b88d3ea22ab86eda60b0d65336844d64471bfc00f50285f3ccd83daeb249ed89bd7ef6856684af9454247fae1cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\RenameHide.csv

Filesize
326KB

MD5
1e6eb9b43c5aa3d08739f3832caaf7f5

SHA1
222c8c75f3c46cd94cdcac681d23368716783fb9

SHA256
cdb11f3435c300b85ac7ea279993861d2ab22560c3478f9ab172da9df82ab0c2

SHA512
130c1f313257b5aae54807c93e0c75b967bd3b09928aed09cf521fe6728667ed668ef6c276a07f0f8f731d84c59477c5a47e6ae02d7ee003199d7e84b8e15737

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\ResumeStop.mp3

Filesize
844KB

MD5
dadf8596fbd155ae6cdc71ee836e39da

SHA1
b0fb8e5bdaafd3d01dc7a9283b1282b56bd9ae1d

SHA256
c9ffd7df4cffe8f9fab63b6cd50ac2662f456d6c5fc7a062bdbca82836dedaa0

SHA512
d2961a77072c14ac79f3aaa2c2b763a444c0b3b4282a2daa70f70a7e88a00a57785940fc6d66119b213d2754973b116b708833d4572dc5faa4d9db0324a89fca

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\BackupComplete.txt

Filesize
290KB

MD5
9805c3b2b0b917358ead52a1980aafad

SHA1
865fba6355b18ac5cc0a2380d66d492d0fe52916

SHA256
abe90a36c9de68048ff64d42e0e6255785c2a275ea4f22d4049a4a11fbbfadf3

SHA512
51e8c7ddc69e84974f63f9de276524205f793f3c405cd15bb0c56032a5472101c3643fea8dd25cf3f8c75c5fc2eee644d44dfe89f3c9231f2588fe7ce68741b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\HideBackup.edrwx

Filesize
494KB

MD5
999a8087a4fd5dad0a7548faa20fec44

SHA1
1e6238e711781d8fb835d1bf0beab227ece3be02

SHA256
834df254d7244f8cb70c303345fd22c358d70574d6f2264f62d6a6656397ab4c

SHA512
4d206406ec957b6e2eab3221608043f0692adfea8ef6240fa2a6674d2098bb42327f7def7a0b6a18e5341683fd57f6e39fec28afc5e8b32c55a412603793983d

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\OpenGrant.csv

Filesize
460KB

MD5
2e46d0755988861997175b0d4952c744

SHA1
3bb027ceafde9698b1d09a37aa32d1f098b8c169

SHA256
3237756774c5de864e29785dcc5041a8dec8b1e7d0341c0851faed76bce45683

SHA512
b84584d5dbb0f2da891064353c4ff9a135c8676346121c27af7371e527f0afb9afaea7e5688563f8ed7e758a76daf78db797bced4dd72f59a7393b2055651a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\RequestConvertTo.jpg

Filesize
273KB

MD5
7727e12461ba9e50e98d56a294d79715

SHA1
879886126b24d1e855ed75e2eea101befccd0046

SHA256
6bbedec986dc902f7ea1a4833e1576689d5e682b833cd5b2778d5622a7836f0a

SHA512
6e83c2f8fdce7c60dc080d5af93fd2b14a34e402e3b00a1c91d311621f76fb73274408d32fc344cada639c50d5d11a60ac98ac6c849f72d5ff4498705aa2f99d

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\CheckpointRepair.jpeg

Filesize
514KB

MD5
75e81805e65c790dce75b204db6bf728

SHA1
c6ffdecceff1a43c9977a1060e97ba9d4cc8281e

SHA256
d71e806db64936843680f374c9a7bb6f0bdb5e95260fc9635c342737a5e48cdc

SHA512
4a51f8a155c1a1eace9d19cc0a5e8ff42cf1d9a2aa80e78701f8c066397737d3167174b93a4029c251cefea5c8feb0392a4fb25fd3113309f90f31e0b7006d86

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\ConfirmRename.jpeg

Filesize
350KB

MD5
859c0b5c1d7beebfdabf5ee5add14120

SHA1
dcf4355ecded18f763b36e4e7f7b04a659ac01c1

SHA256
85a532d0daa61005beb469a5f8302cf35bfb522635756ebc35dabcee90c18043

SHA512
ca57dcbe9662a3ea71d99097d673a4812ae9839fc5c4ea7c2ebef9a9468804d32c09c8ee8362b1a54aa62706003c1c56a5605230ee8be18a849899ca24a128b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\ConvertFromAssert.png

Filesize
231KB

MD5
5dfd6e5517626153b517a50a191fcef0

SHA1
b9e3f0abb21cee93cb9149a41eb580b7e60e2315

SHA256
d2ce6fdb8a2b567f2453a51477ae4497b71a50f297ce4ab263eb1947ef15bc3a

SHA512
db4b2fbd2d642498bbed10e838fb21837c98e330ab69a66a60652fde5e803477ed8aa8eee856ec6329d2322bc2db4b343cbf501728572e7cef01f0a0dcce6aaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\EnableMerge.jpg

Filesize
290KB

MD5
824dbf3afc49cd759c23b81ca826950e

SHA1
44d4498f24135becd60ac3a758357e0681ecd6ca

SHA256
b00921104b574adc040e8a6adc83adc857652caf493881bd6d7959676855ef1e

SHA512
b055ca5a715d8fcacc0260f7b93e2ba5179e7dc6e04102aa14a326ff1dc447eb283a4dbec0c837b8bf4fc5266efe838927b2ee57c407c087eadfaab4e052b93e

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\GroupSplit.png

Filesize
425KB

MD5
d829ca014916bd6312a1d5d5bb54fc6b

SHA1
cbc28026f7039ca56dac93d6cebadfe4fdb13d69

SHA256
bfd1479a3bc1c8aad83ddf3538a510fbda66ee6ffca75d76bef7d536267629ba

SHA512
83b05d49d3958ba052c1439b6e0c68eb63e780ac042ed9fd1a98d51116bb580a0e9ba6195ce0a7c42eb6d6c639aec2c01ed095bd9b5c78dfed83ad2c84e1542d

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\MountBackup.bmp

Filesize
648KB

MD5
19cfd8dde06ddf18e552549fc4fcfa01

SHA1
a7dc10098d9018aab646bc1ad1706126fd7ae665

SHA256
06a4bc0472ee2a8790ca7911c0413c38cb2739241118504cd3724ade0e168c1d

SHA512
6ed73c45cf8a62470a4229fced10e4458b90128315f6994c022e8d58ed1e6302823b52b8f8288b058772b363ab9715585e1311f32c3d159553846176a33234ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\RegisterRemove.png

Filesize
499KB

MD5
2324cb54eb7b5a040596b9af6a11599b

SHA1
46bf6846f41fcc85c18933cd6a3d539533d2b45a

SHA256
7621e6beb5cfbf4ba879f1f0e1cf53ec9c295e80cca808a360f75dbe53d2b7ee

SHA512
2d95b93f81718009861d01aba017ed6e623592099728c5921b5d83bfc69bbe290ab663f027e3da32b0ef196e8b9ce50d0c6b29850fb1f37e5262f30ca1860746

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\StepMerge.jpeg

Filesize
604KB

MD5
e56f26d943c6653e7e24158bebc34e56

SHA1
f77b09b00c42134ff64ec61dc476114b895e119e

SHA256
b6ee0e1c8fa139cf24c49863ee85870f0d5d2007ad3ee05cef38027131526653

SHA512
bcb1572cbd7140ed57001b76254fca271a438cc8db312298544d59f8d38e28b714138310d4bb60e3d56ab89f0d3f86cfc92ada6bcd009b4ece1fb101597df810

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\SubmitRemove.png

Filesize
589KB

MD5
eb09bf2fe7ceafba235edc3fcad3a691

SHA1
78723887acae130b5f95584d7e7bbf0b1da1cf4e

SHA256
a17a9355c4c1c97afd3524d067e573caa1c5d1a9e09db0e774044492dc59f653

SHA512
463a35184eada4fca9cd15aee5feb1d83ea4ca2da64f9d429c5c3622e3e97e141937dcb42da595085562937a415c0738bc4c4717eed4b6d4dcbbd735e0ffaa62

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\UndoComplete.jpg

Filesize
380KB

MD5
31ac17a5f2278526f3ac4a76adb16179

SHA1
01b1a375cc393f3809030c8cff8951c05b5dfeab

SHA256
1e138f80b9eceee034a25ec72065af6bc7829afa1f4c87ecd968d1e4564876a0

SHA512
b230f0398598be426f35de1870e802a66f0f9933ad390868ac5aee5a5fd943016c1dd3d8dc5f7b7e969d81fefa5c4c58182ac8c2ee094d6865765459baa17c4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10602\VCRUNTIME140.dll

Filesize
95KB

MD5
f34eb034aa4a9735218686590cba2e8b

SHA1
2bc20acdcb201676b77a66fa7ec6b53fa2644713

SHA256
9d2b40f0395cc5d1b4d5ea17b84970c29971d448c37104676db577586d4ad1b1

SHA512
d27d5e65e8206bd7923cf2a3c4384fec0fc59e8bc29e25f8c03d039f3741c01d1a8c82979d7b88c10b209db31fbbec23909e976b3ee593dc33481f0050a445af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10602\_ctypes.pyd

Filesize
58KB

MD5
81313d2ce8fc6244113f81e69019c4c5

SHA1
4cb3cd0811e9a0a5dc02a0e182d9158d6d02e540

SHA256
f3500c6201277b711123c5d82e58ea9002eef4a4f3e3781460c744b74796cebe

SHA512
86ae6627dd7d29e8a2c8a90c4f763bcd9559bb03f1a191ab49de048a775f3858015cda5a3ff9c1f168f81674e307defbe3d375117525b7f8d30a30b3abbb3cc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10602\api-ms-win-core-console-l1-1-0.dll

Filesize
21KB

MD5
e8b9d74bfd1f6d1cc1d99b24f44da796

SHA1
a312cfc6a7ed7bf1b786e5b3fd842a7eeb683452

SHA256
b1b3fd40ab437a43c8db4994ccffc7f88000cc8bb6e34a2bcbff8e2464930c59

SHA512
b74d9b12b69db81a96fc5a001fd88c1e62ee8299ba435e242c5cb2ce446740ed3d8a623e1924c2bc07bfd9aef7b2577c9ec8264e53e5be625f4379119bafcc27

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10602\api-ms-win-core-datetime-l1-1-0.dll

Filesize
21KB

MD5
cfe0c1dfde224ea5fed9bd5ff778a6e0

SHA1
5150e7edd1293e29d2e4d6bb68067374b8a07ce6

SHA256
0d0f80cbf476af5b1c9fd3775e086ed0dfdb510cd0cc208ec1ccb04572396e3e

SHA512
b0e02e1f19cfa7de3693d4d63e404bdb9d15527ac85a6d492db1128bb695bffd11bec33d32f317a7615cb9a820cd14f9f8b182469d65af2430ffcdbad4bd7000

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10602\api-ms-win-core-debug-l1-1-0.dll

Filesize
21KB

MD5
33bbece432f8da57f17bf2e396ebaa58

SHA1
890df2dddfdf3eeccc698312d32407f3e2ec7eb1

SHA256
7cf0944901f7f7e0d0b9ad62753fc2fe380461b1cce8cdc7e9c9867c980e3b0e

SHA512
619b684e83546d97fc1d1bc7181ad09c083e880629726ee3af138a9e4791a6dcf675a8df65dc20edbe6465b5f4eac92a64265df37e53a5f34f6be93a5c2a7ae5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10602\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
21KB

MD5
eb0978a9213e7f6fdd63b2967f02d999

SHA1
9833f4134f7ac4766991c918aece900acfbf969f

SHA256
ab25a1fe836fc68bcb199f1fe565c27d26af0c390a38da158e0d8815efe1103e

SHA512
6f268148f959693ee213db7d3db136b8e3ad1f80267d8cbd7d5429c021adaccc9c14424c09d527e181b9c9b5ea41765aff568b9630e4eb83bfc532e56dfe5b63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10602\api-ms-win-core-file-l1-1-0.dll

Filesize
25KB

MD5
efad0ee0136532e8e8402770a64c71f9

SHA1
cda3774fe9781400792d8605869f4e6b08153e55

SHA256
3d2c55902385381869db850b526261ddeb4628b83e690a32b67d2e0936b2c6ed

SHA512
69d25edf0f4c8ac5d77cb5815dfb53eac7f403dc8d11bfe336a545c19a19ffde1031fa59019507d119e4570da0d79b95351eac697f46024b4e558a0ff6349852

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10602\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
1c58526d681efe507deb8f1935c75487

SHA1
0e6d328faf3563f2aae029bc5f2272fb7a742672

SHA256
ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

SHA512
8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10602\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10602\api-ms-win-core-handle-l1-1-0.dll

Filesize
21KB

MD5
e89cdcd4d95cda04e4abba8193a5b492

SHA1
5c0aee81f32d7f9ec9f0650239ee58880c9b0337

SHA256
1a489e0606484bd71a0d9cb37a1dc6ca8437777b3d67bfc8c0075d0cc59e6238

SHA512
55d01e68c8c899e99a3c62c2c36d6bcb1a66ff6ecd2636d2d0157409a1f53a84ce5d6f0c703d5ed47f8e9e2d1c9d2d87cc52585ee624a23d92183062c999b97e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10602\api-ms-win-core-heap-l1-1-0.dll

Filesize
21KB

MD5
accc640d1b06fb8552fe02f823126ff5

SHA1
82ccc763d62660bfa8b8a09e566120d469f6ab67

SHA256
332ba469ae84aa72ec8cce2b33781db1ab81a42ece5863f7a3cb5a990059594f

SHA512
6382302fb7158fc9f2be790811e5c459c5c441f8caee63df1e09b203b8077a27e023c4c01957b252ac8ac288f8310bcee5b4dcc1f7fc691458b90cdfaa36dcbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10602\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
21KB

MD5
c6024cc04201312f7688a021d25b056d

SHA1
48a1d01ae8bc90f889fb5f09c0d2a0602ee4b0fd

SHA256
8751d30df554af08ef42d2faa0a71abcf8c7d17ce9e9ff2ea68a4662603ec500

SHA512
d86c773416b332945acbb95cbe90e16730ef8e16b7f3ccd459d7131485760c2f07e95951aeb47c1cf29de76affeb1c21bdf6d8260845e32205fe8411ed5efa47

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10602\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
21KB

MD5
1f2a00e72bc8fa2bd887bdb651ed6de5

SHA1
04d92e41ce002251cc09c297cf2b38c4263709ea

SHA256
9c8a08a7d40b6f697a21054770f1afa9ffb197f90ef1eee77c67751df28b7142

SHA512
8cf72df019f9fc9cd22ff77c37a563652becee0708ff5c6f1da87317f41037909e64dcbdcc43e890c5777e6bcfa4035a27afc1aeeb0f5deba878e3e9aef7b02a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10602\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
724223109e49cb01d61d63a8be926b8f

SHA1
072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

SHA256
4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

SHA512
19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10602\api-ms-win-core-memory-l1-1-0.dll

Filesize
21KB

MD5
3c38aac78b7ce7f94f4916372800e242

SHA1
c793186bcf8fdb55a1b74568102b4e073f6971d6

SHA256
3f81a149ba3862776af307d5c7feef978f258196f0a1bf909da2d3f440ff954d

SHA512
c2746aa4342c6afffbd174819440e1bbf4371a7fed29738801c75b49e2f4f94fd6d013e002bad2aadafbc477171b8332c8c5579d624684ef1afbfde9384b8588

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10602\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
21KB

MD5
321a3ca50e80795018d55a19bf799197

SHA1
df2d3c95fb4cbb298d255d342f204121d9d7ef7f

SHA256
5476db3a4fecf532f96d48f9802c966fdef98ec8d89978a79540cb4db352c15f

SHA512
3ec20e1ac39a98cb5f726d8390c2ee3cd4cd0bf118fdda7271f7604a4946d78778713b675d19dd3e1ec1d6d4d097abe9cd6d0f76b3a7dff53ce8d6dbc146870a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10602\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
21KB

MD5
0462e22f779295446cd0b63e61142ca5

SHA1
616a325cd5b0971821571b880907ce1b181126ae

SHA256
0b6b598ec28a9e3d646f2bb37e1a57a3dda069a55fba86333727719585b1886e

SHA512
07b34dca6b3078f7d1e8ede5c639f697c71210dcf9f05212fd16eb181ab4ac62286bc4a7ce0d84832c17f5916d0224d1e8aab210ceeff811fc6724c8845a74fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10602\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
21KB

MD5
c3632083b312c184cbdd96551fed5519

SHA1
a93e8e0af42a144009727d2decb337f963a9312e

SHA256
be8d78978d81555554786e08ce474f6af1de96fcb7fa2f1ce4052bc80c6b2125

SHA512
8807c2444a044a3c02ef98cf56013285f07c4a1f7014200a21e20fcb995178ba835c30ac3889311e66bc61641d6226b1ff96331b019c83b6fcc7c87870cce8c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10602\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
517eb9e2cb671ae49f99173d7f7ce43f

SHA1
4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab

SHA256
57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54

SHA512
492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10602\api-ms-win-core-profile-l1-1-0.dll

Filesize
21KB

MD5
f3ff2d544f5cd9e66bfb8d170b661673

SHA1
9e18107cfcd89f1bbb7fdaf65234c1dc8e614add

SHA256
e1c5d8984a674925fa4afbfe58228be5323fe5123abcd17ec4160295875a625f

SHA512
184b09c77d079127580ef80eb34bded0f5e874cefbe1c5f851d86861e38967b995d859e8491fcc87508930dc06c6bbf02b649b3b489a1b138c51a7d4b4e7aaad

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10602\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
21KB

MD5
a0c2dbe0f5e18d1add0d1ba22580893b

SHA1
29624df37151905467a223486500ed75617a1dfd

SHA256
3c29730df2b28985a30d9c82092a1faa0ceb7ffc1bd857d1ef6324cf5524802f

SHA512
3e627f111196009380d1687e024e6ffb1c0dcf4dcb27f8940f17fec7efdd8152ff365b43cb7fdb31de300955d6c15e40a2c8fb6650a91706d7ea1c5d89319b12

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10602\api-ms-win-core-string-l1-1-0.dll

Filesize
21KB

MD5
2666581584ba60d48716420a6080abda

SHA1
c103f0ea32ebbc50f4c494bce7595f2b721cb5ad

SHA256
27e9d3e7c8756e4512932d674a738bf4c2969f834d65b2b79c342a22f662f328

SHA512
befed15f11a0550d2859094cc15526b791dadea12c2e7ceb35916983fb7a100d89d638fb1704975464302fae1e1a37f36e01e4bef5bc4924ab8f3fd41e60bd0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10602\api-ms-win-core-synch-l1-1-0.dll

Filesize
21KB

MD5
225d9f80f669ce452ca35e47af94893f

SHA1
37bd0ffc8e820247bd4db1c36c3b9f9f686bbd50

SHA256
61c0ebe60ce6ebabcb927ddff837a9bf17e14cd4b4c762ab709e630576ec7232

SHA512
2f71a3471a9868f4d026c01e4258aff7192872590f5e5c66aabd3c088644d28629ba8835f3a4a23825631004b1afd440efe7161bb9fc7d7c69e0ee204813ca7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10602\api-ms-win-core-synch-l1-2-0.dll

Filesize
21KB

MD5
1281e9d1750431d2fe3b480a8175d45c

SHA1
bc982d1c750b88dcb4410739e057a86ff02d07ef

SHA256
433bd8ddc4f79aee65ca94a54286d75e7d92b019853a883e51c2b938d2469baa

SHA512
a954e6ce76f1375a8beac51d751b575bbc0b0b8ba6aa793402b26404e45718165199c2c00ccbcba3783c16bdd96f0b2c17addcc619c39c8031becebef428ce77

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10602\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
21KB

MD5
fd46c3f6361e79b8616f56b22d935a53

SHA1
107f488ad966633579d8ec5eb1919541f07532ce

SHA256
0dc92e8830bc84337dcae19ef03a84ef5279cf7d4fdc2442c1bc25320369f9df

SHA512
3360b2e2a25d545ccd969f305c4668c6cda443bbdbd8a8356ffe9fbc2f70d90cf4540f2f28c9ed3eea6c9074f94e69746e7705e6254827e6a4f158a75d81065b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10602\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
d12403ee11359259ba2b0706e5e5111c

SHA1
03cc7827a30fd1dee38665c0cc993b4b533ac138

SHA256
f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781

SHA512
9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10602\api-ms-win-core-util-l1-1-0.dll

Filesize
21KB

MD5
0f129611a4f1e7752f3671c9aa6ea736

SHA1
40c07a94045b17dae8a02c1d2b49301fad231152

SHA256
2e1f090aba941b9d2d503e4cd735c958df7bb68f1e9bdc3f47692e1571aaac2f

SHA512
6abc0f4878bb302713755a188f662c6fe162ea6267e5e1c497c9ba9fddbdaea4db050e322cb1c77d6638ecf1dad940b9ebc92c43acaa594040ee58d313cbcfae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10602\api-ms-win-crt-conio-l1-1-0.dll

Filesize
21KB

MD5
d4fba5a92d68916ec17104e09d1d9d12

SHA1
247dbc625b72ffb0bf546b17fb4de10cad38d495

SHA256
93619259328a264287aee7c5b88f7f0ee32425d7323ce5dc5a2ef4fe3bed90d5

SHA512
d5a535f881c09f37e0adf3b58d41e123f527d081a1ebecd9a927664582ae268341771728dc967c30908e502b49f6f853eeaebb56580b947a629edc6bce2340d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10602\base_library.zip

Filesize
859KB

MD5
3ae8624c9c1224f10a3135a7039c951f

SHA1
08c18204e598708ba5ea59e928ef80ca4485b592

SHA256
64dfc4067a99c71094b4a9aa8e50344e7d42ea9a0d376cbcd419c04e53384285

SHA512
c47ea6b8e004c27fa29e84f6363f97e775c83a239eb3ae75dedca79e69db02b431a586877ee8f948f83b522b00c20e6b1d5864628c2aef9e33e0be95fe6e3254

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10602\libffi-7.dll

Filesize
23KB

MD5
d50ebf567149ead9d88933561cb87d09

SHA1
171df40e4187ebbfdf9aa1d76a33f769fb8a35ed

SHA256
6aa8e12ce7c8ad52dd2e3fabeb38a726447849669c084ea63d8e322a193033af

SHA512
7bcc9d6d3a097333e1e4b2b23c81ea1b5db7dbdc5d9d62ebaffb0fdfb6cfe86161520ac14dc835d1939be22b9f342531f48da70f765a60b8e2c3d7b9983021de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10602\python3.dll

Filesize
64KB

MD5
24f4d5a96cd4110744766ea2da1b8ffa

SHA1
b12a2205d3f70f5c636418811ab2f8431247da15

SHA256
73b0f3952be222ce676672603ae3848ee6e8e479782bd06745116712a4834c53

SHA512
bd2f27441fe5c25c30bab22c967ef32306bcea2f6be6f4a5da8bbb5b54d3d5f59da1ffcb55172d2413fe0235dd7702d734654956e142e9a0810160b8c16225f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10602\python310.dll

Filesize
1.4MB

MD5
259f0b7b6eed52d7766fa294ee0db193

SHA1
f158995508e460c47748666219a54ee575973397

SHA256
9b88ca9240770931a2041e6d05ad4508b391859f8ed3603303935dcc1e55c406

SHA512
7efd3402d4cbd1146444fdab5eeb4a8aab6fec04b718761da3e0fd417d67e9576fc354737b3453f9e9c12210f1930e6eadd7c0570242b0c8a548fdb92051360c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI10602\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vxbdwy5d.xy0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2C6A.tmp.bat

Filesize
150B

MD5
fbc0d4518ae4e2a3b0e061bcdeaf6aa0

SHA1
29d9fb07b8ac4d5da0a82671ae8cecb3cce7139d

SHA256
7212e015e653c9316277f07a61e5131068bce77c877ae56db985abffd93592fa

SHA512
bc22054cfb7b2100cdaf1208b8474feb6e0bdfe0ddd21843d048b70a38cecb814dced6ff1f724ad924b880fbc6583dfe2a2769ecdea797012b6d3f0712dd9fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3A45.tmp.bat

Filesize
150B

MD5
e236e5e148f8c24f7d52f31e46ce43eb

SHA1
0d1089e2d6adafefa6418f14b7d2dec2aca865f8

SHA256
a0d7164e43ea295a0252c0bb110314f4b5b77dda3882f2ef530a4395464f2c2b

SHA512
d7767a03626732a548c013764b5e58db9ed47845dbce3d31366ec2033ce522476cf4840c204caf65a882038c421207de53d87b60881d16cd67eca2ec01cac80a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ebb956d0.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
6846bd709785cca2495ea4729585f6f2

SHA1
eb000d9ecdc0af64a1e436a701cc39c9101f1c3c

SHA256
e33cc2de06298738911cd1dc84476a1f7ddbc07a3abd75b5a49ea60e26649106

SHA512
6f12491d1d7ed52dcae04b92b8186eaedf81c05a6e59224089313af6cc4f1a82d362d60f36ff7a3c3f5b64f4dd9466b7ba3722ee76e258a827a0115668ebec11

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ebb956d0.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
98d0c61ec769d507f19a37c548a9e7f8

SHA1
3a8bd0900834865fb3a126e3f9b873ca5cbafba2

SHA256
468eedce5867c536f5e0d4b8105de2f651ff9c20c485f80ca1f2192f3884de4d

SHA512
7e75a6740d50ae184609a27573693eb1802a03de42fbe93d6235d61e5b9490c16d81d8de614566b96992d98ab2121aa3e78e3d2d32375170cda83b75eb6b8a46

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ebb956d0.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
63766489feadd109f9417134eeb58518

SHA1
ae0dc558ad67583d4216c7abb127ec2689bc4ff3

SHA256
5324d683f165aea172aab9d9569795220ffd4ba59c03d01ad7195c12fbef464b

SHA512
13c9d5ef9723f519494528f03ffa3235822662ba9a24c7652ab2d8f7c13287c4b51302717dcd77e0dd1cf951650ba44a6ced170834fd68b4b2150a09383ca7b3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ebb956d0.default-release\datareporting\glean\pending_pings\0c112922-d98d-485b-8d43-31f0e023548b

Filesize
671B

MD5
d970063d34a93f70d3d3f5b3e80b8d12

SHA1
0760c7dfcfa909405262fb1e7d9679ac464b5e00

SHA256
b982d3d308151802593f5540b6bf489689bc26339ab3902c06a8a82d4cd6995f

SHA512
7cca461f7b75cad9c88101a16f9d6ce9c9b4c60d8d18491863ec18fd8ee7f526ee6911f2f852a77f45d136ed4bb718fa8b0882ac05fa581c7187866b6c1b2459

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ebb956d0.default-release\datareporting\glean\pending_pings\4ce30d39-f67c-4ac2-bc0a-e1ccf7032944

Filesize
26KB

MD5
ca2df41670ee8866c8940b2be6d1e45a

SHA1
9db7b61ce9eeca9b62c6065e9290c5a18e80d9ab

SHA256
d1e2985db6bee18da6b3f9087d50b5a7cbfbba6ef30ca65f6ed74f824736364a

SHA512
98ca873dc86911c65abb44ee9e8be73fa51ea3eee45423df04dc6e8a3c58cb789e4f69ee312a18ed96afb953fd121a934576129aaca17f57b2e2696eb67ac323

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ebb956d0.default-release\datareporting\glean\pending_pings\59cdf03c-aeef-42e4-a8be-f4b28e02b501

Filesize
982B

MD5
db4f0c56e8ee9838550d57fd29ea5be2

SHA1
4934fbb124cb3072a455c7ce7745bd71beb84bee

SHA256
106bbe0fce62a4cf35cf91d0d7e7202aa7934226b2fb629236b6a7b9c326b7c0

SHA512
9e5ac61e40aea293283ba08e77bc8b86640c6059ed6577205f5e0ea15f369b899b19bd3bf5d295dbe5da463dae4b97aab299329aeeca4d3a5e044ac166f9e546

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ebb956d0.default-release\prefs.js

Filesize
10KB

MD5
beecf13f9bea9a2f4e74fae4673f7228

SHA1
de3aa48dc85dab372c8952a50bae01947d146577

SHA256
1dbc79abc88a3b73264ddcbf1ae1db85f80473be09e84be93dafc49d1e289538

SHA512
c83dd188e860658f8d94032c91e5baf77c15f4e8ae2d936bc90a3757b6eb6b60551f8c34c01bcf71ba0748dc21c09196d3dba235c44b77bc6c109321671bb7a5

Download Submit
C:\Users\Admin\Desktop\Exela.exe

Filesize
10.7MB

MD5
0489da91d3268410bb8d82602e3e8cf0

SHA1
005fd8cfce34f5fc1763cc0aa16e59c39384e9c7

SHA256
ff34ad9f57f38b0c38847235ba4296f5e75da20cda43355b887ab5ccbaaa2cc7

SHA512
23cef165b84a5a105bda73e7c4e123ad4ca55e6f12cb4d4ca520ccb689c9df87a1ab48984b7c139633cbe707c83642701b61535558dccb69e4500d9e506cbc6e

Download Submit
C:\Users\Admin\Desktop\chrome.exe

Filesize
48KB

MD5
560316acf1e4be6ee63f609da37e71b5

SHA1
5f22dcf7736356e24b92397162acb723010914fb

SHA256
44d97fbdb694ca55e3beec4ec031ef5162018bdbaff6a968ac25a21e078511b0

SHA512
38d185d48cf537162ef8302df31cdf723d7407765f21284492345cae914d38ec9e3a6cfee0080b5ff9ebef29f7ac54a505ea2e6fea5d65a60c4e6e1e67fb3361

Download Submit
C:\Users\Admin\Desktop\cloudflare_whitelist.exe

Filesize
371KB

MD5
413edd6588c2ee8ba41daad8b96e1a76

SHA1
a58a01a183af99c57a0019093cd24f2c2a88c222

SHA256
5c214b2fbf24154ab23870ffe97b0a31d47b9093e4ad4a003652a62ffafa6a74

SHA512
a45c1cc176a6ea535923f478412dd35404877eac815d4471831b8fda2c0d4a699d1e25fc28614e9b63bd8faa09c5ca2c11cc543b0037667a9c97b1fa13b08db8

Download Submit
C:\Users\Admin\Desktop\ef.exe

Filesize
54KB

MD5
0ed9406036832e40f6ace06478acdf44

SHA1
9a3ca883ec34bdfd1c21c61c6ca6d03c5365fa6e

SHA256
452e3305df1bf06c79301b9b87de1ec82561a793c4ef4ea5a02803123891b9f6

SHA512
9de32c71a4657d3e9ebd01fd1d933fd44b23c99809bbd0c8c423dcf8436d8c3f81e390ec34df8fb2e5a3a28974c864750ceaeb65693c04b1c5a1f8134eca69a5

Download Submit
C:\Users\Admin\Desktop\libsodium.dll

Filesize
341KB

MD5
638fdeedeb1dfc9ba4f7c4d7a96b9559

SHA1
3ec89ef6cab0904c0f3a0122cf715b7cc2855956

SHA256
011e5b5b576fe13b4c11a8358fc81d4c70a6a5163c0be97b4113ffde133cf0cb

SHA512
2b31f05ac56d071ba1555d0a387b0fed74341a8a6324ab53ce8a4dfafa1b72e6b2aedb98997c9a7490b9fd072e46ba1e95ae85150c2f1bfdd6882f87e7edc2f8

Download Submit
C:\Users\Admin\Desktop\sqlite3.dll

Filesize
1.0MB

MD5
abd499b6a9fe8fca0eec593ae58cdc29

SHA1
40b6dca224ea6aced518f884612abf71aea769a7

SHA256
cc4b95f75d37b642e3bc89e57b50df40519ed9ee7e3b45eb2b061ca6a63b221d

SHA512
b5d5b84e16a99824cadcc25649ee39cd0728380adeacb93d75365bf37367002fc741b286754c0c9173a0b27bc8d1d77e2ba7c6979c2592756bec6c08696b1479

Download Submit
C:\Users\Admin\Desktop\vcruntime140.dll

Filesize
117KB

MD5
943fc74c2e39fe803d828ccfa7e62409

SHA1
4e55d591111316027ae4402dfdfcf8815d541727

SHA256
da72e6677bd1bcd01c453c1998aaa19aeaf6659f4774cf6848409da8232a95b2

SHA512
96e9f32e89aee6faea6e5a3edc411f467f13b35ee42dd6f071723daeba57f611dbd4ff2735be26bb94223b5ec4ee1dffedf8dc744b936c32a27d17b471e37dcf

Download Submit
memory/1552-220-0x00007FFF21340000-0x00007FFF21355000-memory.dmp

Filesize
84KB

Download
memory/1552-210-0x00007FFF15B80000-0x00007FFF15CFD000-memory.dmp

Filesize
1.5MB

Download
memory/1552-286-0x00007FFF32190000-0x00007FFF3219D000-memory.dmp

Filesize
52KB

Download
memory/1552-896-0x00007FFF15D00000-0x00007FFF16166000-memory.dmp

Filesize
4.4MB

Download
memory/1552-239-0x00007FFF14CC0000-0x00007FFF14CF7000-memory.dmp

Filesize
220KB

Download
memory/1552-302-0x00007FFF15620000-0x00007FFF15738000-memory.dmp

Filesize
1.1MB

Download
memory/1552-303-0x00007FFF21200000-0x00007FFF2121B000-memory.dmp

Filesize
108KB

Download
memory/1552-304-0x00007FFF15550000-0x00007FFF1561F000-memory.dmp

Filesize
828KB

Download
memory/1552-306-0x00007FFF1B6F0000-0x00007FFF1B722000-memory.dmp

Filesize
200KB

Download
memory/1552-305-0x00007FFF211E0000-0x00007FFF211F8000-memory.dmp

Filesize
96KB

Download
memory/1552-316-0x00007FFF15500000-0x00007FFF1554D000-memory.dmp

Filesize
308KB

Download
memory/1552-908-0x00007FFF22520000-0x00007FFF22534000-memory.dmp

Filesize
80KB

Download
memory/1552-167-0x00007FFF15D00000-0x00007FFF16166000-memory.dmp

Filesize
4.4MB

Download
memory/1552-204-0x00007FFF2FC70000-0x00007FFF2FC7F000-memory.dmp

Filesize
60KB

Download
memory/1552-208-0x00007FFF28E50000-0x00007FFF28E7C000-memory.dmp

Filesize
176KB

Download
memory/1552-209-0x00007FFF28E30000-0x00007FFF28E4F000-memory.dmp

Filesize
124KB

Download
memory/1552-285-0x00007FFF21240000-0x00007FFF21262000-memory.dmp

Filesize
136KB

Download
memory/1552-211-0x00007FFF28E00000-0x00007FFF28E2E000-memory.dmp

Filesize
184KB

Download
memory/1552-212-0x00007FFF15AC0000-0x00007FFF15B78000-memory.dmp

Filesize
736KB

Download
memory/1552-213-0x0000021360E30000-0x00000213611A5000-memory.dmp

Filesize
3.5MB

Download
memory/1552-238-0x00007FFF21340000-0x00007FFF21355000-memory.dmp

Filesize
84KB

Download
memory/1552-226-0x00007FFF28E00000-0x00007FFF28E2E000-memory.dmp

Filesize
184KB

Download
memory/1552-562-0x00007FFF211E0000-0x00007FFF211F8000-memory.dmp

Filesize
96KB

Download
memory/1552-569-0x00007FFF14CC0000-0x00007FFF14CF7000-memory.dmp

Filesize
220KB

Download
memory/1552-588-0x00007FFF14D00000-0x00007FFF154FC000-memory.dmp

Filesize
8.0MB

Download
memory/1552-230-0x00007FFF15740000-0x00007FFF15AB5000-memory.dmp

Filesize
3.5MB

Download
memory/1552-553-0x00007FFF15740000-0x00007FFF15AB5000-memory.dmp

Filesize
3.5MB

Download
memory/1552-555-0x00007FFF2CD40000-0x00007FFF2CD50000-memory.dmp

Filesize
64KB

Download
memory/1552-554-0x00007FFF22520000-0x00007FFF22534000-memory.dmp

Filesize
80KB

Download
memory/1552-552-0x00007FFF15AC0000-0x00007FFF15B78000-memory.dmp

Filesize
736KB

Download
memory/1552-550-0x00007FFF15B80000-0x00007FFF15CFD000-memory.dmp

Filesize
1.5MB

Download
memory/1552-551-0x00007FFF28E00000-0x00007FFF28E2E000-memory.dmp

Filesize
184KB

Download
memory/1552-549-0x00007FFF28E30000-0x00007FFF28E4F000-memory.dmp

Filesize
124KB

Download
memory/1552-543-0x00007FFF28E80000-0x00007FFF28EA4000-memory.dmp

Filesize
144KB

Download
memory/1552-542-0x00007FFF15D00000-0x00007FFF16166000-memory.dmp

Filesize
4.4MB

Download
memory/1552-231-0x00007FFF211E0000-0x00007FFF211F8000-memory.dmp

Filesize
96KB

Download
memory/1552-237-0x00007FFF14D00000-0x00007FFF154FC000-memory.dmp

Filesize
8.0MB

Download
memory/1552-232-0x00007FFF208D0000-0x00007FFF208E1000-memory.dmp

Filesize
68KB

Download
memory/1552-235-0x00007FFF22520000-0x00007FFF22534000-memory.dmp

Filesize
80KB

Download
memory/1552-236-0x00007FFF208B0000-0x00007FFF208CE000-memory.dmp

Filesize
120KB

Download
memory/1552-233-0x00007FFF1B6F0000-0x00007FFF1B722000-memory.dmp

Filesize
200KB

Download
memory/1552-234-0x00007FFF15500000-0x00007FFF1554D000-memory.dmp

Filesize
308KB

Download
memory/1552-229-0x0000021360E30000-0x00000213611A5000-memory.dmp

Filesize
3.5MB

Download
memory/1552-227-0x00007FFF15AC0000-0x00007FFF15B78000-memory.dmp

Filesize
736KB

Download
memory/1552-228-0x00007FFF15550000-0x00007FFF1561F000-memory.dmp

Filesize
828KB

Download
memory/1552-225-0x00007FFF21200000-0x00007FFF2121B000-memory.dmp

Filesize
108KB

Download
memory/1552-224-0x00007FFF15B80000-0x00007FFF15CFD000-memory.dmp

Filesize
1.5MB

Download
memory/1552-222-0x00007FFF28E30000-0x00007FFF28E4F000-memory.dmp

Filesize
124KB

Download
memory/1552-223-0x00007FFF15620000-0x00007FFF15738000-memory.dmp

Filesize
1.1MB

Download
memory/1552-221-0x00007FFF21240000-0x00007FFF21262000-memory.dmp

Filesize
136KB

Download
memory/1552-217-0x00007FFF2CD40000-0x00007FFF2CD50000-memory.dmp

Filesize
64KB

Download
memory/1552-218-0x00007FFF2B900000-0x00007FFF2B919000-memory.dmp

Filesize
100KB

Download
memory/1552-219-0x00007FFF22500000-0x00007FFF22514000-memory.dmp

Filesize
80KB

Download
memory/1552-203-0x00007FFF28E80000-0x00007FFF28EA4000-memory.dmp

Filesize
144KB

Download
memory/1552-215-0x00007FFF15740000-0x00007FFF15AB5000-memory.dmp

Filesize
3.5MB

Download
memory/1552-216-0x00007FFF22520000-0x00007FFF22534000-memory.dmp

Filesize
80KB

Download
memory/1552-214-0x00007FFF15D00000-0x00007FFF16166000-memory.dmp

Filesize
4.4MB

Download
memory/1552-205-0x00007FFF2B900000-0x00007FFF2B919000-memory.dmp

Filesize
100KB

Download
memory/1552-206-0x00007FFF2FAB0000-0x00007FFF2FABD000-memory.dmp

Filesize
52KB

Download
memory/1552-207-0x00007FFF2B750000-0x00007FFF2B768000-memory.dmp

Filesize
96KB

Download
memory/1676-38-0x0000024FD5EB0000-0x0000024FD5EB1000-memory.dmp

Filesize
4KB

Download
memory/1676-37-0x0000024FD5EB0000-0x0000024FD5EB1000-memory.dmp

Filesize
4KB

Download
memory/1676-39-0x0000024FD5EB0000-0x0000024FD5EB1000-memory.dmp

Filesize
4KB

Download
memory/1676-45-0x0000024FD5EB0000-0x0000024FD5EB1000-memory.dmp

Filesize
4KB

Download
memory/1676-43-0x0000024FD5EB0000-0x0000024FD5EB1000-memory.dmp

Filesize
4KB

Download
memory/1676-44-0x0000024FD5EB0000-0x0000024FD5EB1000-memory.dmp

Filesize
4KB

Download
memory/1676-46-0x0000024FD5EB0000-0x0000024FD5EB1000-memory.dmp

Filesize
4KB

Download
memory/1676-49-0x0000024FD5EB0000-0x0000024FD5EB1000-memory.dmp

Filesize
4KB

Download
memory/1676-48-0x0000024FD5EB0000-0x0000024FD5EB1000-memory.dmp

Filesize
4KB

Download
memory/1676-47-0x0000024FD5EB0000-0x0000024FD5EB1000-memory.dmp

Filesize
4KB

Download
memory/2244-319-0x0000020096280000-0x0000020096281000-memory.dmp

Filesize
4KB

Download
memory/2244-324-0x0000020096280000-0x0000020096281000-memory.dmp

Filesize
4KB

Download
memory/2244-320-0x0000020096280000-0x0000020096281000-memory.dmp

Filesize
4KB

Download
memory/2244-328-0x0000020096280000-0x0000020096281000-memory.dmp

Filesize
4KB

Download
memory/2244-327-0x0000020096280000-0x0000020096281000-memory.dmp

Filesize
4KB

Download
memory/2244-326-0x0000020096280000-0x0000020096281000-memory.dmp

Filesize
4KB

Download
memory/2244-325-0x0000020096280000-0x0000020096281000-memory.dmp

Filesize
4KB

Download
memory/2244-323-0x0000020096280000-0x0000020096281000-memory.dmp

Filesize
4KB

Download
memory/2244-321-0x0000020096280000-0x0000020096281000-memory.dmp

Filesize
4KB

Download
memory/3872-296-0x000001FDF4690000-0x000001FDF46B2000-memory.dmp

Filesize
136KB

Download
memory/4448-60-0x0000000000F90000-0x0000000000FA4000-memory.dmp

Filesize
80KB

Download
memory/4888-19-0x0000000000390000-0x00000000003A2000-memory.dmp

Filesize
72KB

Download
memory/4888-20-0x00007FFF1AB50000-0x00007FFF1B612000-memory.dmp

Filesize
10.8MB

Download
memory/4888-25-0x00007FFF1AB50000-0x00007FFF1B612000-memory.dmp

Filesize
10.8MB

Download
memory/4888-18-0x00007FFF1AB53000-0x00007FFF1AB55000-memory.dmp

Filesize
8KB

Download
memory/5080-1026-0x00007FFF17F00000-0x00007FFF18275000-memory.dmp

Filesize
3.5MB

Download
memory/5080-1044-0x00007FFF17C40000-0x00007FFF17C58000-memory.dmp

Filesize
96KB

Download
memory/5080-1015-0x00007FFF18560000-0x00007FFF18579000-memory.dmp

Filesize
100KB

Download
memory/5080-1016-0x00007FFF2BBC0000-0x00007FFF2BBCD000-memory.dmp

Filesize
52KB

Download
memory/5080-1017-0x00007FFF18540000-0x00007FFF18558000-memory.dmp

Filesize
96KB

Download
memory/5080-1018-0x00007FFF18510000-0x00007FFF1853C000-memory.dmp

Filesize
176KB

Download
memory/5080-1019-0x00007FFF184F0000-0x00007FFF1850F000-memory.dmp

Filesize
124KB

Download
memory/5080-1020-0x00007FFF18370000-0x00007FFF184ED000-memory.dmp

Filesize
1.5MB

Download
memory/5080-1021-0x00007FFF18340000-0x00007FFF1836E000-memory.dmp

Filesize
184KB

Download
memory/5080-1014-0x00007FFF2C0A0000-0x00007FFF2C0AF000-memory.dmp

Filesize
60KB

Download
memory/5080-1025-0x00007FFF18580000-0x00007FFF185A4000-memory.dmp

Filesize
144KB

Download
memory/5080-1024-0x00007FFF18280000-0x00007FFF18338000-memory.dmp

Filesize
736KB

Download
memory/5080-1023-0x00000222CAF20000-0x00000222CB295000-memory.dmp

Filesize
3.5MB

Download
memory/5080-1029-0x00007FFF21330000-0x00007FFF21340000-memory.dmp

Filesize
64KB

Download
memory/5080-1028-0x00007FFF2C0A0000-0x00007FFF2C0AF000-memory.dmp

Filesize
60KB

Download
memory/5080-1033-0x00007FFF17EA0000-0x00007FFF17EB5000-memory.dmp

Filesize
84KB

Download
memory/5080-1032-0x00007FFF2BBC0000-0x00007FFF2BBCD000-memory.dmp

Filesize
52KB

Download
memory/5080-1035-0x00007FFF17E70000-0x00007FFF17E92000-memory.dmp

Filesize
136KB

Download
memory/5080-1039-0x00007FFF17D30000-0x00007FFF17D4B000-memory.dmp

Filesize
108KB

Download
memory/5080-1041-0x00007FFF17C60000-0x00007FFF17D2F000-memory.dmp

Filesize
828KB

Download
memory/5080-1045-0x00007FFF18280000-0x00007FFF18338000-memory.dmp

Filesize
736KB

Download
memory/5080-1013-0x00007FFF18580000-0x00007FFF185A4000-memory.dmp

Filesize
144KB

Download
memory/5080-1047-0x00007FFF17BF0000-0x00007FFF17C3D000-memory.dmp

Filesize
308KB

Download
memory/5080-1050-0x00007FFF17EE0000-0x00007FFF17EF4000-memory.dmp

Filesize
80KB

Download
memory/5080-1052-0x00007FFF17B70000-0x00007FFF17B8E000-memory.dmp

Filesize
120KB

Download
memory/5080-1051-0x00007FFF21330000-0x00007FFF21340000-memory.dmp

Filesize
64KB

Download
memory/5080-1053-0x00007FFF12570000-0x00007FFF12D6C000-memory.dmp

Filesize
8.0MB

Download
memory/5080-1049-0x00007FFF17BD0000-0x00007FFF17BE1000-memory.dmp

Filesize
68KB

Download
memory/5080-1048-0x00007FFF17B90000-0x00007FFF17BC2000-memory.dmp

Filesize
200KB

Download
memory/5080-1054-0x00007FFF17EA0000-0x00007FFF17EB5000-memory.dmp

Filesize
84KB

Download
memory/5080-1046-0x00007FFF17F00000-0x00007FFF18275000-memory.dmp

Filesize
3.5MB

Download
memory/5080-1043-0x00000222CAF20000-0x00000222CB295000-memory.dmp

Filesize
3.5MB

Download
memory/5080-1042-0x00007FFF18340000-0x00007FFF1836E000-memory.dmp

Filesize
184KB

Download
memory/5080-1040-0x00007FFF18370000-0x00007FFF184ED000-memory.dmp

Filesize
1.5MB

Download
memory/5080-1038-0x00007FFF184F0000-0x00007FFF1850F000-memory.dmp

Filesize
124KB

Download
memory/5080-1037-0x00007FFF17D50000-0x00007FFF17E68000-memory.dmp

Filesize
1.1MB

Download
memory/5080-1036-0x00007FFF18510000-0x00007FFF1853C000-memory.dmp

Filesize
176KB

Download
memory/5080-1034-0x00007FFF18540000-0x00007FFF18558000-memory.dmp

Filesize
96KB

Download
memory/5080-1031-0x00007FFF17EC0000-0x00007FFF17ED4000-memory.dmp

Filesize
80KB

Download
memory/5080-1030-0x00007FFF18560000-0x00007FFF18579000-memory.dmp

Filesize
100KB

Download
memory/5080-1027-0x00007FFF17EE0000-0x00007FFF17EF4000-memory.dmp

Filesize
80KB

Download
memory/5080-1022-0x00007FFF185D0000-0x00007FFF18A36000-memory.dmp

Filesize
4.4MB

Download
memory/5080-1012-0x00007FFF185D0000-0x00007FFF18A36000-memory.dmp

Filesize
4.4MB

Download