exelastealer | ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b

Analysis

max time kernel
122s
max time network
129s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
Size

11.7MB
MD5

035bb3d1206866650a48cc1bfe456f82
SHA1

72aee7f14307c6ce2784eee53a7d89c58b57d22d
SHA256

ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b
SHA512

fad0d67f13ac311a32b243092a1e833172fa2551d33edd1d16a2b1f555f8ab208c76f6120a7ee1ad0ba6d81786f5893a8a90f4081bbcc7449670bb759856b497
SSDEEP

196608:qhbySceEMmMmhqe2SkL7si3E4azAbUEO7hDDJf6Wv/VCSFIkwo3EsruHkwoDCfPQ:jS+9Mmhqe2SkXsTtzAoEO7h3Jx/VVP+C

Score

10^/10

exelastealer collection discovery evasion persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Exela Stealer
Exela Stealer is an open source stealer originally written in .NET and later transitioned to Python that was first observed in August 2023.
stealer exelastealer
Exelastealer family
exelastealer
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Modifies Windows Firewall 2 TTPs 2 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2292	netsh.exe
1188	netsh.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
2792	cmd.exe
1552	powershell.exe

Loads dropped DLL 64 IoCs

pid	Process
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
5	discord.com
6	discord.com
7	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	ip-api.com

Network Service Discovery 1 TTPs 2 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2120	ARP.EXE
2804	cmd.exe

Enumerates processes with tasklist 1 TTPs 3 IoCs

discovery

Process Discovery

T1057

pid	Process
2404	tasklist.exe
1580	tasklist.exe
1264	tasklist.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000400000001c929-151.dat	upx
behavioral1/memory/2444-158-0x000007FEF6730000-0x000007FEF6B75000-memory.dmp	upx
behavioral1/files/0x000500000001a46b-181.dat	upx
behavioral1/memory/2444-186-0x000007FEF80E0000-0x000007FEF8107000-memory.dmp	upx
behavioral1/memory/2444-188-0x000007FEF80D0000-0x000007FEF80DF000-memory.dmp	upx
behavioral1/files/0x000400000001c919-187.dat	upx
behavioral1/files/0x000500000001a463-189.dat	upx
behavioral1/memory/2444-191-0x000007FEF80B0000-0x000007FEF80CC000-memory.dmp	upx
behavioral1/files/0x000500000001a471-192.dat	upx
behavioral1/memory/2444-194-0x000007FEF8080000-0x000007FEF80AE000-memory.dmp	upx
behavioral1/memory/2444-208-0x000007FEF8060000-0x000007FEF807A000-memory.dmp	upx
behavioral1/memory/2444-209-0x000007FEF8050000-0x000007FEF805D000-memory.dmp	upx
behavioral1/memory/2444-210-0x000007FEF8010000-0x000007FEF8045000-memory.dmp	upx
behavioral1/memory/2444-211-0x000007FEF7FE0000-0x000007FEF7FF1000-memory.dmp	upx
behavioral1/memory/2444-212-0x000007FEF60D0000-0x000007FEF643F000-memory.dmp	upx
behavioral1/memory/2444-213-0x000007FEF6730000-0x000007FEF6B75000-memory.dmp	upx
behavioral1/memory/2444-214-0x000007FEF80E0000-0x000007FEF8107000-memory.dmp	upx
behavioral1/memory/2444-215-0x000007FEF59D0000-0x000007FEF60C3000-memory.dmp	upx
behavioral1/memory/2444-216-0x000007FEF7FA0000-0x000007FEF7FD7000-memory.dmp	upx
behavioral1/memory/2444-217-0x000007FEF80B0000-0x000007FEF80CC000-memory.dmp	upx
behavioral1/memory/2444-222-0x000007FEF7F70000-0x000007FEF7F7C000-memory.dmp	upx
behavioral1/memory/2444-225-0x000007FEF8010000-0x000007FEF8045000-memory.dmp	upx
behavioral1/memory/2444-228-0x000007FEF7F40000-0x000007FEF7F4B000-memory.dmp	upx
behavioral1/memory/2444-227-0x000007FEF7FE0000-0x000007FEF7FF1000-memory.dmp	upx
behavioral1/memory/2444-226-0x000007FEF7F50000-0x000007FEF7F5C000-memory.dmp	upx
behavioral1/memory/2444-230-0x000007FEF7F30000-0x000007FEF7F3C000-memory.dmp	upx
behavioral1/memory/2444-229-0x000007FEF60D0000-0x000007FEF643F000-memory.dmp	upx
behavioral1/memory/2444-224-0x000007FEF7F60000-0x000007FEF7F6B000-memory.dmp	upx
behavioral1/memory/2444-235-0x000007FEF7F00000-0x000007FEF7F0C000-memory.dmp	upx
behavioral1/memory/2444-236-0x000007FEF7EE0000-0x000007FEF7EEB000-memory.dmp	upx
behavioral1/memory/2444-234-0x000007FEF7F10000-0x000007FEF7F1E000-memory.dmp	upx
behavioral1/memory/2444-233-0x000007FEF7F20000-0x000007FEF7F2C000-memory.dmp	upx
behavioral1/memory/2444-238-0x000007FEF7ED0000-0x000007FEF7EDC000-memory.dmp	upx
behavioral1/memory/2444-239-0x000007FEF7EC0000-0x000007FEF7ECC000-memory.dmp	upx
behavioral1/memory/2444-237-0x000007FEF7FA0000-0x000007FEF7FD7000-memory.dmp	upx
behavioral1/memory/2444-241-0x000007FEF7E90000-0x000007FEF7EA2000-memory.dmp	upx
behavioral1/memory/2444-242-0x000007FEF7E80000-0x000007FEF7E8C000-memory.dmp	upx
behavioral1/memory/2444-243-0x000007FEF7E60000-0x000007FEF7E7D000-memory.dmp	upx
behavioral1/memory/2444-244-0x000007FEF7310000-0x000007FEF7488000-memory.dmp	upx
behavioral1/memory/2444-240-0x000007FEF7EB0000-0x000007FEF7EBD000-memory.dmp	upx
behavioral1/memory/2444-232-0x000007FEF7EF0000-0x000007FEF7EFB000-memory.dmp	upx
behavioral1/memory/2444-231-0x000007FEF59D0000-0x000007FEF60C3000-memory.dmp	upx
behavioral1/memory/2444-223-0x000007FEF8050000-0x000007FEF805D000-memory.dmp	upx
behavioral1/memory/2444-245-0x000007FEF72E0000-0x000007FEF730D000-memory.dmp	upx
behavioral1/memory/2444-246-0x000007FEF6670000-0x000007FEF6726000-memory.dmp	upx
behavioral1/memory/2444-221-0x000007FEF8060000-0x000007FEF807A000-memory.dmp	upx
behavioral1/memory/2444-248-0x000007FEF6E40000-0x000007FEF6E56000-memory.dmp	upx
behavioral1/memory/2444-250-0x000007FEF6DE0000-0x000007FEF6DF2000-memory.dmp	upx
behavioral1/memory/2444-252-0x000007FEF6650000-0x000007FEF6664000-memory.dmp	upx
behavioral1/memory/2444-251-0x000007FEF7EC0000-0x000007FEF7ECC000-memory.dmp	upx
behavioral1/memory/2444-249-0x000007FEF7ED0000-0x000007FEF7EDC000-memory.dmp	upx
behavioral1/memory/2444-254-0x000007FEF6530000-0x000007FEF6642000-memory.dmp	upx
behavioral1/memory/2444-253-0x000007FEF7EB0000-0x000007FEF7EBD000-memory.dmp	upx
behavioral1/memory/2444-256-0x000007FEF6500000-0x000007FEF6522000-memory.dmp	upx
behavioral1/memory/2444-255-0x000007FEF7E90000-0x000007FEF7EA2000-memory.dmp	upx
behavioral1/memory/2444-258-0x000007FEF64E0000-0x000007FEF64F7000-memory.dmp	upx
behavioral1/memory/2444-260-0x000007FEF64C0000-0x000007FEF64D8000-memory.dmp	upx
behavioral1/memory/2444-262-0x000007FEF5980000-0x000007FEF59CC000-memory.dmp	upx
behavioral1/memory/2444-264-0x000007FEF64A0000-0x000007FEF64B1000-memory.dmp	upx
behavioral1/memory/2444-266-0x000007FEF6480000-0x000007FEF649E000-memory.dmp	upx
behavioral1/memory/2444-265-0x000007FEF6670000-0x000007FEF6726000-memory.dmp	upx
behavioral1/memory/2444-263-0x000007FEF72E0000-0x000007FEF730D000-memory.dmp	upx
behavioral1/memory/2444-261-0x000007FEF7310000-0x000007FEF7488000-memory.dmp	upx
behavioral1/memory/2444-259-0x000007FEF7E60000-0x000007FEF7E7D000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3068	sc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2684	cmd.exe
2144	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
2080	NETSTAT.EXE

Collects information from the system 1 TTPs 1 IoCs

Uses WMIC.exe to find detailed system information.

Data from Local System

T1005

pid	Process
1180	WMIC.exe

Gathers network information 2 TTPs 2 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1344	ipconfig.exe
2080	NETSTAT.EXE

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2712	systeminfo.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1552	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2404	tasklist.exe
Token: SeDebugPrivilege	1580	tasklist.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeIncreaseQuotaPrivilege	1180	WMIC.exe
Token: SeSecurityPrivilege	1180	WMIC.exe
Token: SeTakeOwnershipPrivilege	1180	WMIC.exe
Token: SeLoadDriverPrivilege	1180	WMIC.exe
Token: SeSystemProfilePrivilege	1180	WMIC.exe
Token: SeSystemtimePrivilege	1180	WMIC.exe
Token: SeProfSingleProcessPrivilege	1180	WMIC.exe
Token: SeIncBasePriorityPrivilege	1180	WMIC.exe
Token: SeCreatePagefilePrivilege	1180	WMIC.exe
Token: SeBackupPrivilege	1180	WMIC.exe
Token: SeRestorePrivilege	1180	WMIC.exe
Token: SeShutdownPrivilege	1180	WMIC.exe
Token: SeDebugPrivilege	1180	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1180	WMIC.exe
Token: SeRemoteShutdownPrivilege	1180	WMIC.exe
Token: SeUndockPrivilege	1180	WMIC.exe
Token: SeManageVolumePrivilege	1180	WMIC.exe
Token: 33	1180	WMIC.exe
Token: 34	1180	WMIC.exe
Token: 35	1180	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1180	WMIC.exe
Token: SeSecurityPrivilege	1180	WMIC.exe
Token: SeTakeOwnershipPrivilege	1180	WMIC.exe
Token: SeLoadDriverPrivilege	1180	WMIC.exe
Token: SeSystemProfilePrivilege	1180	WMIC.exe
Token: SeSystemtimePrivilege	1180	WMIC.exe
Token: SeProfSingleProcessPrivilege	1180	WMIC.exe
Token: SeIncBasePriorityPrivilege	1180	WMIC.exe
Token: SeCreatePagefilePrivilege	1180	WMIC.exe
Token: SeBackupPrivilege	1180	WMIC.exe
Token: SeRestorePrivilege	1180	WMIC.exe
Token: SeShutdownPrivilege	1180	WMIC.exe
Token: SeDebugPrivilege	1180	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1180	WMIC.exe
Token: SeRemoteShutdownPrivilege	1180	WMIC.exe
Token: SeUndockPrivilege	1180	WMIC.exe
Token: SeManageVolumePrivilege	1180	WMIC.exe
Token: 33	1180	WMIC.exe
Token: 34	1180	WMIC.exe
Token: 35	1180	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2504	WMIC.exe
Token: SeSecurityPrivilege	2504	WMIC.exe
Token: SeTakeOwnershipPrivilege	2504	WMIC.exe
Token: SeLoadDriverPrivilege	2504	WMIC.exe
Token: SeSystemProfilePrivilege	2504	WMIC.exe
Token: SeSystemtimePrivilege	2504	WMIC.exe
Token: SeProfSingleProcessPrivilege	2504	WMIC.exe
Token: SeIncBasePriorityPrivilege	2504	WMIC.exe
Token: SeCreatePagefilePrivilege	2504	WMIC.exe
Token: SeBackupPrivilege	2504	WMIC.exe
Token: SeRestorePrivilege	2504	WMIC.exe
Token: SeShutdownPrivilege	2504	WMIC.exe
Token: SeDebugPrivilege	2504	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2504	WMIC.exe
Token: SeRemoteShutdownPrivilege	2504	WMIC.exe
Token: SeUndockPrivilege	2504	WMIC.exe
Token: SeManageVolumePrivilege	2504	WMIC.exe
Token: 33	2504	WMIC.exe
Token: 34	2504	WMIC.exe
Token: 35	2504	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2504	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2864 wrote to memory of 2444	2864	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe	30
PID 2864 wrote to memory of 2444	2864	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe	30
PID 2864 wrote to memory of 2444	2864	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe	30
PID 2444 wrote to memory of 1912	2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe	31
PID 2444 wrote to memory of 1912	2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe	31
PID 2444 wrote to memory of 1912	2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe	31
PID 2444 wrote to memory of 3048	2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe	33
PID 2444 wrote to memory of 3048	2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe	33
PID 2444 wrote to memory of 3048	2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe	33
PID 3048 wrote to memory of 2404	3048	cmd.exe	35
PID 3048 wrote to memory of 2404	3048	cmd.exe	35
PID 3048 wrote to memory of 2404	3048	cmd.exe	35
PID 2444 wrote to memory of 2876	2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe	37
PID 2444 wrote to memory of 2876	2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe	37
PID 2444 wrote to memory of 2876	2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe	37
PID 2444 wrote to memory of 3032	2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe	38
PID 2444 wrote to memory of 3032	2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe	38
PID 2444 wrote to memory of 3032	2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe	38
PID 2444 wrote to memory of 2740	2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe	40
PID 2444 wrote to memory of 2740	2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe	40
PID 2444 wrote to memory of 2740	2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe	40
PID 2444 wrote to memory of 2792	2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe	41
PID 2444 wrote to memory of 2792	2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe	41
PID 2444 wrote to memory of 2792	2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe	41
PID 3032 wrote to memory of 2068	3032	cmd.exe	45
PID 3032 wrote to memory of 2068	3032	cmd.exe	45
PID 3032 wrote to memory of 2068	3032	cmd.exe	45
PID 2792 wrote to memory of 1552	2792	cmd.exe	46
PID 2792 wrote to memory of 1552	2792	cmd.exe	46
PID 2792 wrote to memory of 1552	2792	cmd.exe	46
PID 2740 wrote to memory of 1580	2740	cmd.exe	47
PID 2740 wrote to memory of 1580	2740	cmd.exe	47
PID 2740 wrote to memory of 1580	2740	cmd.exe	47
PID 2876 wrote to memory of 2896	2876	cmd.exe	48
PID 2876 wrote to memory of 2896	2876	cmd.exe	48
PID 2876 wrote to memory of 2896	2876	cmd.exe	48
PID 2068 wrote to memory of 2828	2068	cmd.exe	49
PID 2068 wrote to memory of 2828	2068	cmd.exe	49
PID 2068 wrote to memory of 2828	2068	cmd.exe	49
PID 2896 wrote to memory of 1672	2896	cmd.exe	50
PID 2896 wrote to memory of 1672	2896	cmd.exe	50
PID 2896 wrote to memory of 1672	2896	cmd.exe	50
PID 2444 wrote to memory of 2804	2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe	51
PID 2444 wrote to memory of 2804	2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe	51
PID 2444 wrote to memory of 2804	2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe	51
PID 2444 wrote to memory of 2684	2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe	53
PID 2444 wrote to memory of 2684	2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe	53
PID 2444 wrote to memory of 2684	2444	ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe	53
PID 2804 wrote to memory of 2712	2804	cmd.exe	55
PID 2804 wrote to memory of 2712	2804	cmd.exe	55
PID 2804 wrote to memory of 2712	2804	cmd.exe	55
PID 2684 wrote to memory of 2144	2684	cmd.exe	56
PID 2684 wrote to memory of 2144	2684	cmd.exe	56
PID 2684 wrote to memory of 2144	2684	cmd.exe	56
PID 2804 wrote to memory of 2448	2804	cmd.exe	58
PID 2804 wrote to memory of 2448	2804	cmd.exe	58
PID 2804 wrote to memory of 2448	2804	cmd.exe	58
PID 2804 wrote to memory of 1180	2804	cmd.exe	59
PID 2804 wrote to memory of 1180	2804	cmd.exe	59
PID 2804 wrote to memory of 1180	2804	cmd.exe	59
PID 2804 wrote to memory of 1976	2804	cmd.exe	60
PID 2804 wrote to memory of 1976	2804	cmd.exe	60
PID 2804 wrote to memory of 1976	2804	cmd.exe	60
PID 1976 wrote to memory of 624	1976	net.exe	61

C:\Users\Admin\AppData\Local\Temp\ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
"C:\Users\Admin\AppData\Local\Temp\ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Users\Admin\AppData\Local\Temp\ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe
  "C:\Users\Admin\AppData\Local\Temp\ba1f4ed59f4c2b4c9cdef2abac2da32b3b3d7b30137b0772c425082f7d845a6b.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ver"
    3⤵
    PID:1912
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3048
  - - C:\Windows\system32\tasklist.exe
      tasklist
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2404
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:1672
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3032
  - - C:\Windows\system32\cmd.exe
      cmd.exe /c chcp
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2068
    - - C:\Windows\system32\chcp.com
        
        chcp
        5⤵
        
        PID:2828
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2740
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:1580
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:2792
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
    3⤵
    - Network Service Discovery
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:2712
  - - C:\Windows\system32\HOSTNAME.EXE
      hostname
      4⤵
      PID:2448
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic logicaldisk get caption,description,providername
      4⤵
      Collects information from the system
      Suspicious use of AdjustPrivilegeToken
      PID:1180
  - - C:\Windows\system32\net.exe
      net user
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1976
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user
        5⤵
        
        PID:624
  - - C:\Windows\system32\query.exe
      query user
      4⤵
      PID:3000
    - - C:\Windows\system32\quser.exe
        
        "C:\Windows\system32\quser.exe"
        5⤵
        
        PID:2960
  - - C:\Windows\system32\net.exe
      net localgroup
      4⤵
      PID:2984
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup
        5⤵
        
        PID:1632
  - - C:\Windows\system32\net.exe
      net localgroup administrators
      4⤵
      PID:576
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 localgroup administrators
        5⤵
        
        PID:584
  - - C:\Windows\system32\net.exe
      net user guest
      4⤵
      PID:1556
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user guest
        5⤵
        
        PID:1092
  - - C:\Windows\system32\net.exe
      net user administrator
      4⤵
      PID:2348
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 user administrator
        5⤵
        
        PID:2460
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic startup get caption,command
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2504
  - - C:\Windows\system32\tasklist.exe
      tasklist /svc
      4⤵
      Enumerates processes with tasklist
      PID:1264
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /all
      4⤵
      Gathers network information
      PID:1344
  - - C:\Windows\system32\ROUTE.EXE
      route print
      4⤵
      PID:2136
  - - C:\Windows\system32\ARP.EXE
      arp -a
      4⤵
      Network Service Discovery
      PID:2120
  - - C:\Windows\system32\NETSTAT.EXE
      netstat -ano
      4⤵
      System Network Connections Discovery
      Gathers network information
      PID:2080
  - - C:\Windows\system32\sc.exe
      sc query type= service state= all
      4⤵
      Launches sc.exe
      PID:3068
  - - C:\Windows\system32\netsh.exe
      netsh firewall show state
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:2292
  - - C:\Windows\system32\netsh.exe
      netsh firewall show config
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:1188
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profiles
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2144
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1832
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:1388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:2160
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:2552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

Process Discovery

T1057

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI28642\_bz2.pyd

Filesize
46KB

MD5
f36bb9c70a06233fdffeb34c15b21b7b

SHA1
c309aa20b6c0a731ad79c0cf1a00e726490eda4d

SHA256
59d95b9627ee5fa9d7597b09f4450a8f4298a93f22623a5d2701e71ae5f21bc5

SHA512
71651f4cae267306b1ec7a13f6e1687bb0169cbab16fd53fb9d0359d404f22c85bfc2576b3d9918ec2f48c410ecabf4416f01e6da628c44512fdcf27b6fe8b60

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\_ctypes.pyd

Filesize
56KB

MD5
efebdb8cee6251b5c6ec4126ff92588c

SHA1
e9815b928168ad158e27503701fea084b4826a42

SHA256
79be7658171bbcae42fd953972e881891231a2e048a5633038608884661e17e9

SHA512
f5ca29eff4dfb9e369c48270bdd5334f68868353697f4beea2b2e32cabd8a49e68912827bed54b9730ba0365c535bf1e6dc87528821ce32b3cb386e1fd767d6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\_lzma.pyd

Filesize
84KB

MD5
611cfeb961314e3a381090b94f6050f3

SHA1
a4b0d8eee3e5cc8f2f962e7338f8088e121affa2

SHA256
a3fde86adf05f3a50dc557153ad9ebcb4a4d0344c7eeae50d97d1adac6bbc92b

SHA512
7ae632f9b6ac504d44f61603d0ca5b7abc7fe92f5e488c95610c1fdb781e5cc9301f598224cfe45539560eb782ab40667b566d1dd27bbcc716967f9af9ffe482

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\api-ms-win-core-console-l1-1-0.dll

Filesize
3KB

MD5
81ae27f88f23c7b17e08280154830f7f

SHA1
f12c43f90a4b77ab6feb88c657691d0de2d70584

SHA256
f9dec9220f00f69b7cd0c5b613158af3c650b623e870858093dec6e286d41eef

SHA512
1d93ddfd9a151bf697b5ecda9cb9111199864e5dc6a6e32b23bc5e317fb59292a9bae0444c9f7fd5a1d626b4512cb2d7b00a7a0d1ed93bd47a8335e871146eb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\api-ms-win-core-datetime-l1-1-0.dll

Filesize
3KB

MD5
5692e5964db238e3025ce9c9377b24ab

SHA1
4d6bd300d7797c9283bad0179f94da6a60bad6fc

SHA256
252f2ad196dca86762dd9ae7c6745aeb78754e2fdaec8fcbf2ff33aef9ff9f06

SHA512
a562ac2653ca72b9fcf48516a4c9725575f65de1f4c7744ab501402763f4bd489fdea8f368b7190eef85159f7ad7d5cd9f61134a072f376d6080e518238ef9d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\api-ms-win-core-debug-l1-1-0.dll

Filesize
3KB

MD5
300934913e875f317e5ce8724aa1ccc3

SHA1
db1b9397d805632b91fadf437e0b36edb03839a0

SHA256
870a5bdfd949a0f5f8096bec4d310e1829a437ae912c301e42c5e22b06fc027b

SHA512
2e36681c640376d42ddf9740d96184bedbc5f4c4d96a2a4de709ee28644507935e6a3cf23d7a3c7099cee077069c23101d54d53a328dd4b9336cb80d1f9db8d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
3KB

MD5
aaf6a51001cc24d194c3a02c65fa53b8

SHA1
0ee94b2321a074af86f3d0cac3663d4ea1a130ff

SHA256
08cef43b73545946e705a74db99e4b02cf05b106ebfba28ce1672e5090190392

SHA512
f01fa2325cfa4efff202cc4c6bb4c7778d13f582f122fbe65c1f24986c8de0f282fdb67d9662354f701c9aaf45bfbc9eb7745a77f0c05605c4491be9f427ee41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\api-ms-win-core-file-l1-1-0.dll

Filesize
5KB

MD5
016784754dac85d5451bd8f3eeef7770

SHA1
52cf7b44dffea2438e99da7080b08de2fc5dd197

SHA256
d33062b09b528efeb08a78ee269ea1931f3e976c73a5b6a924433af41db1993e

SHA512
151c328f73846a0772e8a37cc96910b9a58ff0c6163903f06d061e699aff2be0414e133a017ffc524741e28659879abc17767b47d596a8d5bc1e22e3b9b6fbdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\api-ms-win-core-file-l1-2-0.dll

Filesize
11KB

MD5
7959a39ba0002e9cb463660a83ac71b6

SHA1
0205c5928d6e80ce1c07e5351cb9a7014b608a06

SHA256
d62e00faeff0be510b34b774635a21e29d436d3726a2c3d8f836d976546ed223

SHA512
b0d2cef62dcb8abebfac51fef4c93388a28adf991d43fd10d3f03e42c483dc0f5788eb9c792104de2daa736646021fb8ed608f19664383120fe9f455ab38f369

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\api-ms-win-core-file-l2-1-0.dll

Filesize
11KB

MD5
453f7069af5fa31b759ed43c39ab01d6

SHA1
36b91d4cd439ae172d7029fb91ad50e9d6f8c0be

SHA256
a6a3b09994ba3b8227549c75b6282fd4ba96411fe996b6907f1a236359f0567d

SHA512
88bac97e606dcc6f75ea621acd28e91785d2d81731357d4195d45e1c59efb6fdc559c695c15c460bf6f836fdbc5240646fa4f620935d1e095ebf2d166fc13a5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\api-ms-win-core-handle-l1-1-0.dll

Filesize
3KB

MD5
6ad0517e62c5341df0231884f4b6571f

SHA1
6351894d76e87b186ae65342392c0bd361d854f2

SHA256
898dab58465b289daf5ed5b5bce86b707bef3172f393e4b45c29ec16ab488c39

SHA512
85701b7b274dd23b07d40ff0a8944d1602d626acb4b22f1c6dac5805eead08a92a937ae6b4eaf0d430d4e10527deb9ebf7f0e34a21ea1bb677da3ff54a1ef1b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\api-ms-win-core-heap-l1-1-0.dll

Filesize
3KB

MD5
864a2919a9bbf4fa054a177e86aea136

SHA1
edb9ba0d89cfb2bb3efd9746667b0e9975e066f2

SHA256
7db8c081485807b86b87511cbc9e6a88d34c223029027f163495877acfe32902

SHA512
8b13a492158ee715ef65d6d06e23e87ded8bd6ab46d7d109c3d8798bc11cef66d61cd5b03e91d145af78f42d5e2eff1592a9059329384827e42b37f93a7a439a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
3KB

MD5
998b92d2c3c1cc61653e3fa75a26ce7a

SHA1
7dcf54fb952d66e4ad920c70e8d4f83879fd041e

SHA256
ee4f804ed0835b0b1647a20a1a678911e2a70ce47179b15b3397cfbe75ac15b8

SHA512
4d29d61586e3e783e48bd09f30ab3dda2f8159f9330bc140b060491ee077d771becbdeeeeb08410bc42871c25ca76447257846a1fcdba71e5a818de082eca6c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
3KB

MD5
53e714236f779d3106d4f49a151cdcd3

SHA1
8752afda3cab85eb7801869ec00c27e16c7f6456

SHA256
24fabc5cfdb155d7c556883183e3d51a3d5503b6daa2400367a4c510542a7f44

SHA512
d1ae763716e505a58c5f8809c792b44bdcf7e54d439c7d206fb082ff353894ea41dd7814d70b187fe234218f33b29ee6068e249707fce0f6b003c79ab7772cb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\api-ms-win-core-localization-l1-2-0.dll

Filesize
13KB

MD5
b9a6b0e180a0d1411965ae694e472555

SHA1
ec82ae19cd3b59ec2fd9a1101d3ef85bc2ddd2d7

SHA256
63085f494965f578a908ebacaf77aec9a73fafdbae508605a6d1bb36287b8776

SHA512
e3814548c05c724399cc2fe8e46d139bdf815cf6c4b6d027e688e38c3dbf53624ba3030eaeead9a7c59a1d035e42d1c8ed5e3891131993fecb1ea1a0b2d66868

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\api-ms-win-core-memory-l1-1-0.dll

Filesize
3KB

MD5
f98f0842d9e04c057acb239fd3cf81fc

SHA1
5926a47886ec4a1bd6118fdf2ff05f19f1699661

SHA256
e27414ecc3b37f532a6fb4a07052aa21d2b3c0e0da7f3a27d804a7b72a4003b9

SHA512
625c0e7e8ab20d294cc428f7ae844eb1d2f640ed093ce38798b2942f775a390a469c070376ab8e1125249731a1599344947814a2153bf7d57fcf2d7353be4827

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
3KB

MD5
2f1219518dbb892fd91a98fb63736af5

SHA1
7b160cbe276ea84e380913f84e0852043827756a

SHA256
ffb2c65e2f2c75a0d55621f087492dc70296703cdaec952169cad6c0b107ae42

SHA512
cd694795b33bf7a92312645d86c34ade5704b92ba5c70ce05f5b3e7918b2448ac85bc06e88d60fea79acd651648ababde0f066e90168677843dd6fc86c14fc0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
3KB

MD5
e3785921b8dadba9ce206db20bf51985

SHA1
229a4e109112a7ea3b4288b69bb4fb66bb24a92b

SHA256
c70064d51d6fe51c02daea313a9d04450ae08607e72c15586f628f0a7988b3a5

SHA512
f5626212790f94c7af874be6c94cb1a4a58f13e50fa05802953215b6b78123e3bcbe9e67f8b39263d24dd6174b5173d693fe2caf31bda9c89d1e312fe9516a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
4KB

MD5
69558e08db154e4c69ed8f1e5efe01df

SHA1
6f753f62ce6bfb8a292fc5e2c1420a640fdebb2a

SHA256
e97c0583435d63e10705618316f3051546798ab263d9377a0e3e4c66d367538d

SHA512
4e5bd8d379e6c7ecd9625fbac7ef1c0b47568687501e8f0786898a653bf63f9679220bee8b0f4852341bd0360ed8854096f85a4fb18fb192ac7e29d03346ea37

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
11KB

MD5
d35b30b66a9435d059d88a90ea835146

SHA1
0f824be791122459f5a44748876277daeb6d14f5

SHA256
ab37eeb0f6af502e3d628db528caddddc41833b585019588e3b810df97f75aa8

SHA512
fc55f9987a3c1e4e7e17f94cd5d0c2d6e0b4fd468e16b46a5d10632962a9e7ea673cad45bbb531521f39efda5829be2ab8ae67e10306fa281d60d9e1c2e5ae61

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\api-ms-win-core-timezone-l1-1-0.dll

Filesize
11KB

MD5
930d81eaba46d0d632f1cfd6f72c17a7

SHA1
f24e9d6b0325743fe87eb971e154564e6c7083d8

SHA256
efbdd887a5ff5cb5030ee76fbbfc4294ed1c39a7e4e1aacfab52da6e96b14d60

SHA512
1c504871cdab9dcf3c01333e6cc71110fcd4cdcb21fbcdd50d720000564f27874effccbb33676929c944bacebf4152e00722862a1de1c7a5557ed11d46983935

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\api-ms-win-crt-conio-l1-1-0.dll

Filesize
12KB

MD5
21ab8a6f559d1e49c8ffa3cdaf037839

SHA1
87f2edace67ebe04ba869ba77c6f3014d9cb60c0

SHA256
30b677b95de5fcbaa2ae67088822a5feabdb63a53101cc44de83067018b457c8

SHA512
6f117397ee46519a5cf29d3c8a72503861a78a83ccbc56bd4447ab2f4693857147c35292c87cb5ba5efadde97bce3735aedb0275fcabea1006c1621945a44498

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\api-ms-win-crt-environment-l1-1-0.dll

Filesize
11KB

MD5
f5f31dc3b928073274bcdf7b4d4136f9

SHA1
07624699fd428b5e60a5ffdafe3ad1b820aa2b8d

SHA256
5cde06aaddd28e0bb3afe756215d6ae5f2eb20b00413a6a1d2095d81493c5ddd

SHA512
9458453d9530f6652f3580e988ed0f8320268a2a1a4d4a017a00935f6133fc3e8f91e8bbba07b1f628eba1a3822e4a3c3a8b72c2861950e1ede9521dd04868b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
13KB

MD5
861a2fd3afb4557ba49a6d60a02c39bf

SHA1
03622632d5e810b87b806ddfc0ed6ea3d2171b96

SHA256
c1a072b49acb82640104aada665ff948415cc57dfcbc495d4d85b1f18d84a1a3

SHA512
ae20bb93d7661d47048042a3a21d95f0c1b20918f170fee77cd7de2b9367a3f819b39e45cb6c58689603f1670cf3c46cdf6453162f3d88871c794df13460f374

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\api-ms-win-crt-heap-l1-1-0.dll

Filesize
11KB

MD5
156da44de8586202cd7badda883b5994

SHA1
de58f32e2172d31a55df26f0d9a0c5ac9880efdd

SHA256
6e0460ea48738b50c8628038368e4e4b425fb6aa5de76f7fe06f2473fabc0e9e

SHA512
a80a316db9fd3f6907e28771bd39c00244f510096eab3daf617c65962bb223c728505a40dc2c3f651cc49df5d7bfa6f660ea1f9889aeb2bcf9b93a2eb6c0503e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\api-ms-win-crt-locale-l1-1-0.dll

Filesize
11KB

MD5
10c18ee8eb974e9f6382917ad3cd7d11

SHA1
3308cd7d9d29e42e137fd348b96545c206ea7096

SHA256
3a292b3ae218086edd2d136fcc9eb65e788caa6933c864908a07f004fecd9972

SHA512
a18769ce5ef8e0da4b9bf997d9c8800e9d715c54f603cac6534cadc0ade3f9c70a0e9fc2e607d1dfd6d7326f9fb4f519466cd0953591494d0376d1624d77f1de

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\api-ms-win-crt-process-l1-1-0.dll

Filesize
12KB

MD5
9600008630390e2209199e7791185075

SHA1
7e85b6c55a2d17c0d9ffc96649a92f3e73d6757c

SHA256
0e16041aa9cff135af254e79d85b5f3944bf21e9448bc07f058894eb2013f724

SHA512
8690cde896e5731074c4a703ed0a26fe5fc136a13e57656c3a92ca5a6915ec741d587258e02e60cb4b1ccafd24e110c248641c06f8d839c0c1e235b0318491b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
15KB

MD5
1b923d7b425ee35cc865715e8ff2b920

SHA1
0302fe5cd576c9e28f1e9939ac04ac6ad89e371e

SHA256
fd40b4d21e907f8c168504bba248ca7eed4a84537ceec8a9903112e531b6a406

SHA512
62571b373b969889d07be3fc26146d93fed2955d6e9b336e4fc8f8759db98a8ec4154b6df5244c3b37cd3bfd7f153b2c6be7799845a02e0446c41a6898f82f31

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\api-ms-win-crt-time-l1-1-0.dll

Filesize
13KB

MD5
1bf2af4deb96801edfde04a763ea4028

SHA1
f6a9a0a603b34d212620f8b513b48039e8576f47

SHA256
e4fd646a54d9a21c52c1480e5ae36bb519a7e2237a026725570776d61a43b5a1

SHA512
42fe94de60a8eb5f3b401047316440a4f36e3184f1cb9e22f750b37627ca2a6199fb55cb950b6e5cfebbe413554128723b17bc421301768ddf9636ad3c9d07d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\base_library.zip

Filesize
824KB

MD5
09f7062e078379845347034c2a63943e

SHA1
9683dd8ef7d72101674850f3db0e05c14039d5fd

SHA256
7c1c73de4909d11efb20028f4745a9c8494fb4ee8dcf2f049907115def3d2629

SHA512
a169825e9b0bb995a115134cf1f7b76a96b651acd472dc4ce8473900d8852fc93b9f87a26d2c64f7bb3dd76d5feb01eeb4af4945e0c0b95d5c9c97938fa85b34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\python3.DLL

Filesize
58KB

MD5
c9f0b55fce50c904dff9276014cef6d8

SHA1
9f9ae27df619b695827a5af29414b592fc584e43

SHA256
074b06ae1d0a0b5c26f0ce097c91e2f24a5d38b279849115495fc40c6c10117e

SHA512
8dd188003d8419a25de7fbb37b29a4bc57a6fd93f2d79b5327ad2897d4ae626d7427f4e6ac84463c158bcb18b6c1e02e83ed49f347389252477bbeeb864ac799

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\python38.dll

Filesize
1.4MB

MD5
e3303194004bea9dc78b59d0b4f77814

SHA1
1898e2dc3e70a46c83e826239606cbe51b0a0e3f

SHA256
137a3e5aa86afcb6e9678a8ca09034605a3d7419c263152eaf4f8b4db3edfb3a

SHA512
fd07419fd209f95a0890fe5c8287984c7ef2e862e8a9876ab6fd2544417a916feda5c8237dceca9ce3238e96fdfe0833365940c83f0dc02a9847b08d051572b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI28642\ucrtbase.dll

Filesize
975KB

MD5
9984c87858bb977fd6dcd516bf8c5029

SHA1
5dc5a8a81222fa43c7ed5151e562c03642ee3c59

SHA256
234f5ff004e1bc5a3c2e433502475104abaa9b66bf81123408f34c8cb7ef6f83

SHA512
b3c7e618d901ea90b6bc318240b47a6300d7325e27837d632e775c1ab2a063b6bd20411e5bb6a35837f16b49e878d1d946a12ac999707e8c1112a9ab324df99e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28642\VCRUNTIME140.dll

Filesize
93KB

MD5
4a365ffdbde27954e768358f4a4ce82e

SHA1
a1b31102eee1d2a4ed1290da2038b7b9f6a104a3

SHA256
6a0850419432735a98e56857d5cfce97e9d58a947a9863ca6afadd1c7bcab27c

SHA512
54e4b6287c4d5a165509047262873085f50953af63ca0dcb7649c22aba5b439ab117a7e0d6e7f0a3e51a23e28a255ffd1ca1ddce4b2ea7f87bca1c9b0dbe2722

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28642\api-ms-win-crt-convert-l1-1-0.dll

Filesize
15KB

MD5
f5d4ef8a0c33cbf321dd51abafd5ffb2

SHA1
c85b87aa33f3fcee76facc1d0fec65f1cc5f1b55

SHA256
053e6f664d1aebe7fd120bf89056f2612b7667e1f71df0dddb504e04c58a508a

SHA512
9d85e5c320699c079df98695641f24d9baada5514435ae9b69c28ad3c3b5c29129cd46d0f8f2398fc94ade30777ed44ca5f75f6e78eb86d64ceb32c71046479c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28642\api-ms-win-crt-math-l1-1-0.dll

Filesize
20KB

MD5
fd374a7f3079a4f7d96b4c8a1e71b1a3

SHA1
3f3c768239d26cf8c6f83af96131e7b8e85ed017

SHA256
f7117aa5df8fbfed9f625cbe11cd64fdac1220099484b3ae534107d02a99058d

SHA512
3f7d9d632e434ed01588c4eea69483197040588f09fdf0a9acb902ea59664ec2a0257723ab61fbe56545d14462be475919da8f072f5e1e720569cbb3a776110c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28642\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
17KB

MD5
d263b7ce85efdc007c40aabca5acb255

SHA1
b7fac5089b3990cddc2435138e89da2d5d515032

SHA256
37dfd6cd14f191e97e5f1674422e79febfcae062b4a56959f76ff63803e58a55

SHA512
6bc594fcb1ad5149f27c86674e78bae447e6d3f2e494e2749eaeb15af28a212dad075ec441541b490774770e77377e798a3dced94c1e9b9cfdc4f5c95bf936f6

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28642\api-ms-win-crt-string-l1-1-0.dll

Filesize
17KB

MD5
1a3292019af01d7a6ed8bc52686840e6

SHA1
e1684c73ae12cd341250d544afcc539856c9bb43

SHA256
e01b24d0fe72ae8d2c76b287d1286741940b84808e4bf11514402a0a6d2706f9

SHA512
941c238c96de015d511bf691e878592ff8c71556ce95b3fba268bf9dc6a2e2ecde3c02b4dff66d3eeaf3b177624b193c42691c692e293982126ef70a10caf48b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28642\libffi-7.dll

Filesize
23KB

MD5
bfdf5ec44cb18cfd1e5e62c1dd9234b8

SHA1
c8f6ca25dac5f1ace786f38315f38f39d5da5a47

SHA256
4da81872062f20cb20228f211837984ee841ab230b0deb4ee8ecb4185d744c94

SHA512
b8d36d5e7f876d362056788b5175ba2af1a016a5330098c96657d376a9be7f91ca4729403bb531610b3a20b70d2d957262c1f492b80a59b25ed2ea81a15f3fad

Download Submit
memory/1552-329-0x000000001B370000-0x000000001B652000-memory.dmp

Filesize
2.9MB

Download
memory/1552-330-0x0000000002280000-0x0000000002288000-memory.dmp

Filesize
32KB

Download
memory/2444-244-0x000007FEF7310000-0x000007FEF7488000-memory.dmp

Filesize
1.5MB

Download
memory/2444-264-0x000007FEF64A0000-0x000007FEF64B1000-memory.dmp

Filesize
68KB

Download
memory/2444-194-0x000007FEF8080000-0x000007FEF80AE000-memory.dmp

Filesize
184KB

Download
memory/2444-191-0x000007FEF80B0000-0x000007FEF80CC000-memory.dmp

Filesize
112KB

Download
memory/2444-209-0x000007FEF8050000-0x000007FEF805D000-memory.dmp

Filesize
52KB

Download
memory/2444-210-0x000007FEF8010000-0x000007FEF8045000-memory.dmp

Filesize
212KB

Download
memory/2444-211-0x000007FEF7FE0000-0x000007FEF7FF1000-memory.dmp

Filesize
68KB

Download
memory/2444-212-0x000007FEF60D0000-0x000007FEF643F000-memory.dmp

Filesize
3.4MB

Download
memory/2444-213-0x000007FEF6730000-0x000007FEF6B75000-memory.dmp

Filesize
4.3MB

Download
memory/2444-214-0x000007FEF80E0000-0x000007FEF8107000-memory.dmp

Filesize
156KB

Download
memory/2444-215-0x000007FEF59D0000-0x000007FEF60C3000-memory.dmp

Filesize
6.9MB

Download
memory/2444-216-0x000007FEF7FA0000-0x000007FEF7FD7000-memory.dmp

Filesize
220KB

Download
memory/2444-217-0x000007FEF80B0000-0x000007FEF80CC000-memory.dmp

Filesize
112KB

Download
memory/2444-222-0x000007FEF7F70000-0x000007FEF7F7C000-memory.dmp

Filesize
48KB

Download
memory/2444-225-0x000007FEF8010000-0x000007FEF8045000-memory.dmp

Filesize
212KB

Download
memory/2444-228-0x000007FEF7F40000-0x000007FEF7F4B000-memory.dmp

Filesize
44KB

Download
memory/2444-227-0x000007FEF7FE0000-0x000007FEF7FF1000-memory.dmp

Filesize
68KB

Download
memory/2444-226-0x000007FEF7F50000-0x000007FEF7F5C000-memory.dmp

Filesize
48KB

Download
memory/2444-230-0x000007FEF7F30000-0x000007FEF7F3C000-memory.dmp

Filesize
48KB

Download
memory/2444-229-0x000007FEF60D0000-0x000007FEF643F000-memory.dmp

Filesize
3.4MB

Download
memory/2444-224-0x000007FEF7F60000-0x000007FEF7F6B000-memory.dmp

Filesize
44KB

Download
memory/2444-235-0x000007FEF7F00000-0x000007FEF7F0C000-memory.dmp

Filesize
48KB

Download
memory/2444-236-0x000007FEF7EE0000-0x000007FEF7EEB000-memory.dmp

Filesize
44KB

Download
memory/2444-234-0x000007FEF7F10000-0x000007FEF7F1E000-memory.dmp

Filesize
56KB

Download
memory/2444-233-0x000007FEF7F20000-0x000007FEF7F2C000-memory.dmp

Filesize
48KB

Download
memory/2444-238-0x000007FEF7ED0000-0x000007FEF7EDC000-memory.dmp

Filesize
48KB

Download
memory/2444-239-0x000007FEF7EC0000-0x000007FEF7ECC000-memory.dmp

Filesize
48KB

Download
memory/2444-237-0x000007FEF7FA0000-0x000007FEF7FD7000-memory.dmp

Filesize
220KB

Download
memory/2444-241-0x000007FEF7E90000-0x000007FEF7EA2000-memory.dmp

Filesize
72KB

Download
memory/2444-242-0x000007FEF7E80000-0x000007FEF7E8C000-memory.dmp

Filesize
48KB

Download
memory/2444-243-0x000007FEF7E60000-0x000007FEF7E7D000-memory.dmp

Filesize
116KB

Download
memory/2444-188-0x000007FEF80D0000-0x000007FEF80DF000-memory.dmp

Filesize
60KB

Download
memory/2444-240-0x000007FEF7EB0000-0x000007FEF7EBD000-memory.dmp

Filesize
52KB

Download
memory/2444-232-0x000007FEF7EF0000-0x000007FEF7EFB000-memory.dmp

Filesize
44KB

Download
memory/2444-231-0x000007FEF59D0000-0x000007FEF60C3000-memory.dmp

Filesize
6.9MB

Download
memory/2444-223-0x000007FEF8050000-0x000007FEF805D000-memory.dmp

Filesize
52KB

Download
memory/2444-245-0x000007FEF72E0000-0x000007FEF730D000-memory.dmp

Filesize
180KB

Download
memory/2444-246-0x000007FEF6670000-0x000007FEF6726000-memory.dmp

Filesize
728KB

Download
memory/2444-221-0x000007FEF8060000-0x000007FEF807A000-memory.dmp

Filesize
104KB

Download
memory/2444-248-0x000007FEF6E40000-0x000007FEF6E56000-memory.dmp

Filesize
88KB

Download
memory/2444-250-0x000007FEF6DE0000-0x000007FEF6DF2000-memory.dmp

Filesize
72KB

Download
memory/2444-252-0x000007FEF6650000-0x000007FEF6664000-memory.dmp

Filesize
80KB

Download
memory/2444-251-0x000007FEF7EC0000-0x000007FEF7ECC000-memory.dmp

Filesize
48KB

Download
memory/2444-249-0x000007FEF7ED0000-0x000007FEF7EDC000-memory.dmp

Filesize
48KB

Download
memory/2444-254-0x000007FEF6530000-0x000007FEF6642000-memory.dmp

Filesize
1.1MB

Download
memory/2444-253-0x000007FEF7EB0000-0x000007FEF7EBD000-memory.dmp

Filesize
52KB

Download
memory/2444-256-0x000007FEF6500000-0x000007FEF6522000-memory.dmp

Filesize
136KB

Download
memory/2444-255-0x000007FEF7E90000-0x000007FEF7EA2000-memory.dmp

Filesize
72KB

Download
memory/2444-258-0x000007FEF64E0000-0x000007FEF64F7000-memory.dmp

Filesize
92KB

Download
memory/2444-260-0x000007FEF64C0000-0x000007FEF64D8000-memory.dmp

Filesize
96KB

Download
memory/2444-262-0x000007FEF5980000-0x000007FEF59CC000-memory.dmp

Filesize
304KB

Download
memory/2444-208-0x000007FEF8060000-0x000007FEF807A000-memory.dmp

Filesize
104KB

Download
memory/2444-266-0x000007FEF6480000-0x000007FEF649E000-memory.dmp

Filesize
120KB

Download
memory/2444-265-0x000007FEF6670000-0x000007FEF6726000-memory.dmp

Filesize
728KB

Download
memory/2444-263-0x000007FEF72E0000-0x000007FEF730D000-memory.dmp

Filesize
180KB

Download
memory/2444-261-0x000007FEF7310000-0x000007FEF7488000-memory.dmp

Filesize
1.5MB

Download
memory/2444-259-0x000007FEF7E60000-0x000007FEF7E7D000-memory.dmp

Filesize
116KB

Download
memory/2444-257-0x000007FEF7E80000-0x000007FEF7E8C000-memory.dmp

Filesize
48KB

Download
memory/2444-247-0x000007FEF7EE0000-0x000007FEF7EEB000-memory.dmp

Filesize
44KB

Download
memory/2444-220-0x000007FEF7F80000-0x000007FEF7F8B000-memory.dmp

Filesize
44KB

Download
memory/2444-219-0x000007FEF8080000-0x000007FEF80AE000-memory.dmp

Filesize
184KB

Download
memory/2444-218-0x000007FEF7F90000-0x000007FEF7F9B000-memory.dmp

Filesize
44KB

Download
memory/2444-267-0x000007FEF6E40000-0x000007FEF6E56000-memory.dmp

Filesize
88KB

Download
memory/2444-268-0x000007FEF6DE0000-0x000007FEF6DF2000-memory.dmp

Filesize
72KB

Download
memory/2444-269-0x000007FEF6650000-0x000007FEF6664000-memory.dmp

Filesize
80KB

Download
memory/2444-278-0x000007FEF7FE0000-0x000007FEF7FF1000-memory.dmp

Filesize
68KB

Download
memory/2444-280-0x000007FEF59D0000-0x000007FEF60C3000-memory.dmp

Filesize
6.9MB

Download
memory/2444-293-0x000007FEF6530000-0x000007FEF6642000-memory.dmp

Filesize
1.1MB

Download
memory/2444-275-0x000007FEF8060000-0x000007FEF807A000-memory.dmp

Filesize
104KB

Download
memory/2444-281-0x000007FEF7FA0000-0x000007FEF7FD7000-memory.dmp

Filesize
220KB

Download
memory/2444-270-0x000007FEF6730000-0x000007FEF6B75000-memory.dmp

Filesize
4.3MB

Download
memory/2444-294-0x000007FEF6500000-0x000007FEF6522000-memory.dmp

Filesize
136KB

Download
memory/2444-295-0x000007FEF64E0000-0x000007FEF64F7000-memory.dmp

Filesize
92KB

Download
memory/2444-296-0x000007FEF64C0000-0x000007FEF64D8000-memory.dmp

Filesize
96KB

Download
memory/2444-297-0x000007FEF5980000-0x000007FEF59CC000-memory.dmp

Filesize
304KB

Download
memory/2444-298-0x000007FEF64A0000-0x000007FEF64B1000-memory.dmp

Filesize
68KB

Download
memory/2444-320-0x000007FEF5970000-0x000007FEF597D000-memory.dmp

Filesize
52KB

Download
memory/2444-186-0x000007FEF80E0000-0x000007FEF8107000-memory.dmp

Filesize
156KB

Download
memory/2444-158-0x000007FEF6730000-0x000007FEF6B75000-memory.dmp

Filesize
4.3MB

Download
memory/2444-335-0x000007FEF6730000-0x000007FEF6B75000-memory.dmp

Filesize
4.3MB

Download
memory/2444-358-0x000007FEF5970000-0x000007FEF597D000-memory.dmp

Filesize
52KB

Download
memory/2444-336-0x000007FEF80E0000-0x000007FEF8107000-memory.dmp

Filesize
156KB

Download
memory/2444-382-0x000007FEF6730000-0x000007FEF6B75000-memory.dmp

Filesize
4.3MB

Download
memory/2444-388-0x000007FEF8050000-0x000007FEF805D000-memory.dmp

Filesize
52KB

Download
memory/2444-401-0x000007FEF6530000-0x000007FEF6642000-memory.dmp

Filesize
1.1MB

Download
memory/2444-400-0x000007FEF6650000-0x000007FEF6664000-memory.dmp

Filesize
80KB

Download
memory/2444-399-0x000007FEF6DE0000-0x000007FEF6DF2000-memory.dmp

Filesize
72KB

Download
memory/2444-398-0x000007FEF6E40000-0x000007FEF6E56000-memory.dmp

Filesize
88KB

Download
memory/2444-397-0x000007FEF6670000-0x000007FEF6726000-memory.dmp

Filesize
728KB

Download
memory/2444-396-0x000007FEF72E0000-0x000007FEF730D000-memory.dmp

Filesize
180KB

Download
memory/2444-395-0x000007FEF7310000-0x000007FEF7488000-memory.dmp

Filesize
1.5MB

Download
memory/2444-394-0x000007FEF7E60000-0x000007FEF7E7D000-memory.dmp

Filesize
116KB

Download
memory/2444-393-0x000007FEF59D0000-0x000007FEF60C3000-memory.dmp

Filesize
6.9MB

Download
memory/2444-392-0x000007FEF60D0000-0x000007FEF643F000-memory.dmp

Filesize
3.4MB

Download
memory/2444-391-0x000007FEF7FA0000-0x000007FEF7FD7000-memory.dmp

Filesize
220KB

Download
memory/2444-390-0x000007FEF7FE0000-0x000007FEF7FF1000-memory.dmp

Filesize
68KB

Download
memory/2444-389-0x000007FEF8010000-0x000007FEF8045000-memory.dmp

Filesize
212KB

Download
memory/2444-387-0x000007FEF8060000-0x000007FEF807A000-memory.dmp

Filesize
104KB

Download
memory/2444-386-0x000007FEF8080000-0x000007FEF80AE000-memory.dmp

Filesize
184KB

Download
memory/2444-385-0x000007FEF80B0000-0x000007FEF80CC000-memory.dmp

Filesize
112KB

Download
memory/2444-384-0x000007FEF80D0000-0x000007FEF80DF000-memory.dmp

Filesize
60KB

Download
memory/2444-383-0x000007FEF80E0000-0x000007FEF8107000-memory.dmp

Filesize
156KB

Download
memory/2444-381-0x000007FEF5970000-0x000007FEF597D000-memory.dmp

Filesize
52KB

Download